Unit II (CS)

Internet security is a branch of computer security specifically
related to the Internet, often involving browser security but also
network security on a more general level as it applies to other
applications or operating systems as a whole. Its objective is to
establish rules and measures to use against attacks over the
Internet. The Internet represents an insecure channel for
exchanging information, leading to a high risk of intrusion or
fraud, such as phishing. Different methods have been used to
protect the transfer of data, including encryption and
from-the-ground-up engineering.
Application security
 Applications used to access Internet resources
may contain security vulnerabilities such as
memory safety bugs or flawed authentication
checks. The most severe of these bugs can give
network attackers full control over the
computer. Most security applications and
suites are incapable of adequate defense
against these kinds of attacks.
 Application security provides security for running applications
that are developed and deployed on a server. It
includes the following fundamental
considerations:
 Knowing the application
 Secure the network, host and
application
 Follow SSDLC (Secure Software
Development Life Cycle)
Some actions are also needed in
application security, such as:
 Application firewall
 IP addresses
 Spyware
 Authorization
 Encryption and decryption
Database Security: For database security some
important considerations are:
 1) Data stored in the database
 2) The server is also secured
 3) Follow DBMS rules (Codd's rules)
 4) Follow other workflow rules of the DBMS
But since a database server is globally reachable, some
further analysis is also needed:
 1) Prevent unauthorized access
 2) Avoidance of crashes
 3) Denial of wrong services
 4) Backup of the database
 5) Migration is also required
Data Security & Backup:
 1) Remote backup
 2) Centralized backup
 3) Backup on demand
Internet Security considerations:
 1) Network secure
 2) Application secure
 3) Virus free
 4) Worm free
 5) Trojan free
 6) Port secure
 7) Protocol secure
 8) IP authentication
Electronic mail security:
 Email security is a term describing the different
procedures and techniques for protecting email
accounts, content, and communication against
unauthorized access, loss or compromise. Email is
often used to spread malware, spam
and phishing attacks.
Important email security tips you
should put into practice:
 Pay attention to your email habits.
 Don't mix your email accounts.
 Choose a strong email password.
 Use different email passwords for
different email accounts.
 Change your email password often.
 Never give out your email password.
 Enable 2-factor authentication.
Security Technology: Firewall
 A firewall is defined as software or hardware that
allows only those external users with specific
characteristics to access a protected network (or site).
 A firewall allows insiders to have full access to services
on the outside while granting access from the outside
on a selective basis, based on user names and
passwords, Internet IP address, or domain name.
 Example: A vendor could permit entry to its web site
on the firewall only to those users with specific
domain names belonging to companies that are in
long-term contracts to buy its products.
Firewall
A firewall works by establishing a barrier between the
corporate network (secure network) and the external
Internet (untrusted network). This barrier shields
corporate networks from the public network. A firewall is not
simply H/W or S/W; it is an approach to implementing a
security policy that defines the services and access to be
permitted to various users.
Firewall
 Unauthorized Internet hosts can not directly access
computers inside the network, but authorized internal
users can still use internet services outside of the
network.
Types of Firewalls
 The most widely used method of firewalling is to place
a computer or a router between the network and the
Internet, which will then control and monitor all
traffic between the outside world and the local
network.
 Types of Firewalls:
 1) Simple traffic logging systems: Such systems record
all network traffic flowing through the firewall in a file
or database for auditing purposes.
 2) IP Packet screening routers: The screening router
(also called a packet-filtering gateway) is the simplest
firewall. The screening router operates by filtering
information packets that pass through the firewall.
Types of Firewalls
 3) Hardened Firewall Host: A hardened firewall host is a
stripped-down computer that has been configured for
increased security. Generally, these firewalls are configured
to protect against unauthenticated interactive log-ins from
the external world.
 Hardened firewall hosts offer specific security advantages:
 Concentration of security: All modified software and
logging is located on the firewall system rather than
distributed on many hosts.
 Information hiding: A firewall can “hide” names of internal
systems or e-mail address, thereby protecting information
from outside hosts.
 Centralized and simplified network services management:
Services such as FTP, e-mail, Gopher and similar services
are located on the firewall systems rather than being
maintained on many systems.
Types of Firewalls
 4) Proxy Application Gateways: Firewalls can also be
created through software called a proxy service. The
host computer running the proxy service is referred to
as an application gateway. Application gateways sit
between the Internet and a company’s internal
network and provide middleman services (or proxy
services) to users on either side.
 Emerging Firewall Management Issues: Addressing
control issues will require serious thinking about
delegation of authority, organizational structure and
content management.
Future of Firewalls
 1) Firewalls will continue to defend against advanced attacks on IT
infrastructure.
 2) Client and server applications will always use this
security.
 3) Modern firewalls also scan for some viruses, which
provides greater security.
Selecting a Firewall
 Characteristics you should be looking for in a
firewall:
 Security Assurance: Independent assurance
that the relevant firewall technology fulfills its
specifications and assurance that it is properly
installed. Is the firewall product certified by the
National Computer Security Association
(NCSA) and Communications Security
Establishment (CSE) evaluation?
 Privilege Control : The degree to which the
product can impose user access restrictions.
 Authentication: What kind of access control does the
product provide?
 Does it support authorizations?
 What about authentication techniques? These techniques
include security features such as source/destination
computer network address authentication, password
authentication, access control cards, and fingerprint
verification devices.
 Audit Capabilities: The ability of the product to monitor
network traffic, including unauthorized access attempts,
generate logs, and provide statistical reports and alarms.
 Flexibility: The firewall should be open enough to
accommodate the security policy of your company as well
as allow for changes in the future. A security policy should
very seldom change, but security procedures should always
be reviewed, especially in light of Internet and web-centric
new applications.
 Performance: A firewall should be fast enough that
users do not notice the screening of packets. The
data throughput and transmission speed
of the product should be reasonable,
consistent with your bandwidth to the Internet.
 Scalability: The product should be able to adapt to
multi- platforms and instances within your protected
network. This includes OSs, machines and security
configurations.
 Ease of use: The firewall product should ideally have
a Graphical User Interface (GUI) which simplifies your
job when installing, configuring and managing it.
 Customer support: It is the extent to which a vendor
supports customer needs, such as providing prompt
access to technical experts for installation, use and
maintenance and comprehensive training course.
Factors to consider in firewall design
 In general, a firewall should be able to support a “deny all
services except those specifically permitted” design policy.
 The firewall should be flexible; it should be able to
accommodate new services and needs if the security policy
of the organization changes.
 The firewall should contain advanced authentication
measures.
 The firewall should employ filtering techniques to permit
or deny services to specified host systems as needed.
 The IP filtering language should be flexible, user-friendly
to program and should filter as many attributes as possible,
including source and destination IP address, protocol type,
source and destination TCP/UDP port and inbound and
outbound interface.
 The firewall should be developed in a manner
that its strength and correctness are verifiable.
It should be simple in design so that it can be
understood and maintained.
 The firewall and any corresponding operating
system should be updated with patches and
other bug fixes in a timely manner.
Security Technology: VPNs
 A virtual private network (VPN) extends a private
network across a public network, and enables users
to send and receive data across shared or public
networks as if their computing devices were directly
connected to the private network.
 ("In the simplest terms, it creates a secure, encrypted
connection, which can be thought of as a tunnel,
between your computer and a server operated by the
VPN service.")
 Applications running across the VPN may therefore
benefit from the functionality, security, and
management of the private network.
VPN
 VPNs may allow employees to securely access a
corporate intranet while located outside the
office. They are used to securely connect
geographically separated offices of an
organization, creating one cohesive network.
Individual Internet users may secure their
wireless transactions with a VPN, to circumvent
geo-restrictions and censorship, or to connect
to proxy servers for the purpose of protecting
personal identity and location.
VPN
 A VPN is created by establishing a virtual
point-to-point connection through the use of
dedicated connections, virtual tunneling
protocols, or traffic encryption.
VPN systems may be classified by
 The protocols used to tunnel the traffic
 The tunnel's termination point location, e.g., on the
customer edge or network-provider edge
 The type of topology of connections, such as site-to-
site or network-to-network
 The levels of security provided
 The OSI layer they present to the connecting network,
such as Layer 2 circuits or Layer 3 network connectivity
 The number of simultaneous connections
The VPN security model provides
 Confidentiality, such that even if the network
traffic is sniffed at the packet level (see network
sniffer and deep packet inspection), an attacker
would only see encrypted data.
 Sender authentication, to prevent unauthorized users
from accessing the VPN.
 Message integrity, to detect any instances of tampering with
transmitted messages.
Authentication
 Tunnel endpoints must be authenticated
before secure VPN tunnels can be established.
User-created remote-access VPNs may use
passwords, biometrics, two-factor
authentication or other cryptographic
methods. Network-to-network tunnels often
use passwords or digital certificates. They
permanently store the key to allow the tunnel
to establish automatically, without intervention
from the administrator.
Basic VPN Requirement
 A VPN solution should provide at least all of the
following:
 1) User Authentication
 2) Address Management
 3) Data Encryption
 4) Key Management
 5) Multiprotocol support
Tunneling Basics
 The encapsulated packets are then routed
between tunnel endpoints over the
internetwork. The logical path through which
the encapsulated packets travel through the
internetwork is called a tunnel.
Security Mechanisms available through
VPN
 1) Authorization: VPN connections are only created
for users and routers that have been authorized.
 2) Authentication:
 (a) Machine-level authentication
 (b) User-level authentication
 3) Data Encryption
 4) Packet filtering
VPN Management Issues
 1) How will they push for VPN technology?
 2) What will the implementation cost of the VPN be?
 3) Can anything from the current infrastructure be
used or not?
 4) Who will provide proper training to their
staff?
Intrusion Detection Systems (IDS)
 Host-based IDS: Monitors the characteristics of a single host and the events
occurring within that host for suspicious activity

 Network-based IDS: Monitors network traffic for particular segments and analyzes
network, transport, and application protocols to identify suspicious activity

IDS comprises three logical components:
 Sensors – to collect data. Input types: network packets, log files, sys. call traces
 Analyzers – receive input from sensors. Responsible for intrusion detection
 User interface – may be a manager, director,
Basic Principles:
 Early detection – very important to confine the damage
 An effective IDS can serve as a deterrent (thus discouraging intrusion
attempts)
 Intrusion detection enables data collection about intrusion techniques
which, in turn, can be used to strengthen intrusion prevention measures.
Intrusion Detection
 Assumption: the behavior of the intruder differs from the legitimate user.
 But, there is overlap. A loose interpretation of intruder may lead to false
positives ; on the other hand, a tight interpretation may lead to false
negatives (risky!)
Host-Based Intrusion Detection
 Can detect both external and internal intrusions which is not possible with
network-based IDSs or firewalls.

General approaches:
 Anomaly detection – Collect data related to the behavior of legitimate users over a
period of time. Then, apply statistical tests to determine if the observed behavior is not
legitimate
 Threshold detection: defines thresholds for the freq. of occurrence for various events
 Profile based: a profile of normal activity is developed for each user; used to detect
changes

 Signature detection: define a set of rules that applies to an intruder’s behavior.
Signature-based IDS monitors packets in the network, and compares them with
pre-configured and pre-determined attack patterns, known as signatures
 Audit records
 Native audit records
 All OSs include accounting software that collects information on user activity
 Detection-specific audit records
 Generate audit records containing only that information required by the IDS
Disadvantage: two accounting packages run on the system
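As an added example (not from the slides), a tiny host-based IDS that runs the two approaches above over detection-specific audit records: threshold detection counts failed logins per user inside a time window, and signature detection matches known patterns against the event text. The log lines, threshold and signatures are all constructed for the demonstration.

```python
# Added example: threshold detection and signature detection over
# constructed audit records. Nothing here is real log data.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed audit records: "<ISO timestamp> <user> <event ...>"
AUDIT_LOG = """\
2024-03-01T10:00:01 alice login_failed
2024-03-01T10:00:05 alice login_failed
2024-03-01T10:00:09 alice login_failed
2024-03-01T10:00:12 alice login_failed
2024-03-01T10:00:15 alice login_ok
2024-03-01T10:02:00 bob login_ok
2024-03-01T10:03:30 bob exec /tmp/../../bin/sh
2024-03-01T10:04:00 carol exec cat /etc/passwd
2024-03-01T11:00:00 dave login_failed
"""

# Signature rules (constructed): name -> pattern applied to the event field.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "passwd_read": re.compile(r"/etc/(passwd|shadow)\b"),
}


def parse(log: str) -> List[Tuple[datetime, str, str]]:
    """Split each line into (timestamp, user, event); the event may contain spaces."""
    records = []
    for line in log.splitlines():
        ts, user, event = line.split(" ", 2)
        records.append((datetime.fromisoformat(ts), user, event))
    return records


def threshold_alerts(records, limit: int = 3,
                     window: timedelta = timedelta(minutes=1)) -> List[str]:
    """Alert once when a user exceeds `limit` failed logins inside `window`."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts = []
    for ts, user, event in records:
        if event != "login_failed":
            continue
        recent = [t for t in failures[user] if ts - t <= window]  # slide the window
        recent.append(ts)
        failures[user] = recent
        if len(recent) == limit + 1:   # fire exactly when the threshold is crossed
            alerts.append(f"threshold: {user} had {len(recent)} failed logins within {window}")
    return alerts


def signature_alerts(records) -> List[str]:
    """Flag any event whose text matches a known attack signature."""
    alerts = []
    for _ts, user, event in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(event):
                alerts.append(f"signature:{name} user={user} event={event!r}")
    return alerts


def run(log: str = AUDIT_LOG) -> List[str]:
    records = parse(log)
    return threshold_alerts(records) + signature_alerts(records)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Dave's single failure and Alice's later successful login produce no alert, which is the false-positive/false-negative trade-off the threshold setting controls.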
Malware Defense
Antivirus Approaches – (1) Detection (2) Identification (3) Removal

As the virus arms race has evolved, antivirus software has grown more complex.
Two sophisticated approaches are Generic Decryption and the Digital Immune System.

Generic Decryption (GD)
Contains three essential parts:
• CPU emulator
– Instructions in an executable file are interpreted by the emulator rather than the
processor in a controlled environment. If the code includes a decryption routine,
it is also interpreted and the virus is exposed. Virus itself does the decryption for
the antivirus program (GD)
• Virus signature scanner
– Scan target code looking for known virus signatures
• Emulation control module
– Controls the execution of the target code. Periodically, it interrupts the
interpretation to scan the target code for virus signatures
Digital Immune System
 Developed by IBM (refined by Symantec) – general purpose emulation and
virus detection system
 Motivation: rising threat of Internet-based virus propagation
 Integrated mail systems (e.g. MS Outlook, Lotus Notes)
 Mobile-program system (e.g. Java and ActiveX allow programs to move on their own)

1. Each PC runs a monitoring program to detect unusual behavior
2. Encrypt the sample and forward to VAM
3. Analyze the sample in a safe environment via emulation
4. Prescription is sent back to Adm. Machine
5.-6. Forwarded to the infected client as well as the other PCs on the
same network
7. All subscribers receive regular antivirus updates
Behavior-Blocking Software
Rootkit Countermeasures
 Rootkits can be extraordinarily difficult to detect and neutralize,
particularly so for kernel-level rootkits.
 Many of the administrative tools that could be used to detect a rootkit
can be compromised by the rootkit itself

 There are always new rootkits and modified versions of existing rootkits
that display novel signatures. For these cases, a system needs to look for
behaviors that could indicate the presence of a rootkit, such as the
interception of system calls or a keylogger interacting with a keyboard
driver. Such behavior detection is far from straightforward. For example,
antivirus software typically intercepts system calls.

 Another approach is to conduct a file integrity check (e.g. freeware
RootkitRevealer from SysInternals). This package compares the results of a
system scan using APIs with the actual view of storage using instructions
that do not go through an API. Because a rootkit conceals itself by
modifying the view of storage seen by admin. calls, RootkitRevealer
catches the discrepancy.
 If a kernel-level rootkit is detected, an entire new OS install is needed.


Access Control
 Discretionary access control (DAC)
 based on the ID of the requestor. Traditional.
 Mandatory access control (MAC)
 compares security labels (of critical system
resources) with security clearances. Used in the
military. Unlike with DAC, users cannot override or
modify this policy, either accidentally or
intentionally
 Role-based access control (RBAC)
 based on the roles that users have within the
system. There are rules stating what accesses are
allowed to users in given roles. Widely used
Discretionary access control (DAC)
• A separate access control module is associated with
each type of object
• An access attempt triggers the following steps:
• S0 issues a request a for X
• A message (S0, a, X) is sent to the controller for X
• Controller checks if a is in A[S0, X]. If so, allows access,
otherwise a warning is issued
Role-Based Access Control (RBAC)
• Widespread commercial use
• A user may be assigned multiple
roles
• Each role has certain access rights
• A role can also be treated as an
object, hence it allows role
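As an added example (not from the slides), the DAC controller steps above implemented over an access matrix A[S, X], beside an RBAC check in which a user's permissions come only through the roles assigned to them. The subjects, objects, roles and rights are constructed for the demonstration.

```python
# Added example: a DAC controller over an access matrix, and an RBAC check.
from typing import Dict, FrozenSet, List, Set, Tuple

# Access matrix A: (subject, object) -> permitted access modes (constructed).
ACCESS_MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("S0", "file1"): frozenset({"read", "write"}),
    ("S0", "file2"): frozenset({"read"}),
    ("S1", "file2"): frozenset({"read", "write", "own"}),
}

WARNINGS: List[str] = []   # the controller's record of refused requests


def dac_controller(subject: str, access: str, obj: str) -> bool:
    """Handle the message (S, a, X): allow iff a is in A[S, X], else warn."""
    allowed = access in ACCESS_MATRIX.get((subject, obj), frozenset())
    if not allowed:
        WARNINGS.append(f"warning: {subject} attempted {access} on {obj}")
    return allowed


# RBAC: users -> roles, roles -> permitted (object, access) pairs (constructed).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"auditor"},
    "bob": {"auditor", "operator"},
}
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "auditor": {("audit.log", "read")},
    "operator": {("service", "restart"), ("audit.log", "read")},
}


def rbac_check(user: str, access: str, obj: str) -> bool:
    """A user may perform the access if any one of their roles permits it."""
    return any((obj, access) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    print(dac_controller("S0", "read", "file1"))      # True
    print(dac_controller("S0", "write", "file2"))     # False, warning recorded
    print(rbac_check("alice", "restart", "service"))  # False
    print(rbac_check("bob", "restart", "service"))    # True
```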
Threats and Attacks
Threats and Assets
Security Threats to Assets
Communication Lines and Networks
Passive Attacks
 Release of message contents - a telephone conversation, an electronic
mail message, a transferred file, etc.

 Traffic analysis - encryption can mask the contents but message size,
transmission frequency, location and id of communicating hosts can
still be extracted
Communication Lines and Networks
Active Attacks
 Replay: passive capture of a data
unit and its retransmission to
produce an unauthorized effect
 Masquerade: one entity pretends
to be a different entity (e.g. try to
login as someone else)
 Modification of messages: some
portion of a legitimate message is
altered, or messages are delayed or
reordered
 Denial of service: prevents or
inhibits the normal use or
management of communications
facilities (Disable or overload with
messages)
Intruder Behavior Patterns
Hackers

Criminals

Insider attacks
Malicious Software (malware)
Backdoor (Trapdoor)
 Entry point into a program that allows someone who is aware of the trapdoor to gain
access
Anyone watched the movie War Games?
 Used by programmers to be able to debug and test programs while skipping a
lengthy setup/authentication process during development
 Avoids the necessary setup and authentication
 Ensures that there is a method of activating the program if something goes wrong with the
authentication procedure

Logic Bomb
 Code embedded in a legitimate program that is set to “explode” when certain
conditions are met
 Presence or absence of certain files, particular day of the week, particular user running
application
 One of the oldest types of program threat, predating viruses and worms

Trojan Horse
 Useful program that contains hidden code that, when invoked, performs some
unwanted or harmful function
 Can be installed through software downloads, bundling, email attachments, websites
with executable content, etc. Trojan-type malware is on the rise, accounting for
83 percent of global malware.
Viruses
Program that can “infect” other programs by modifying them in
such a way that the infected program can infect other programs
Virus Stages
• Dormant phase: Virus is idle
• Propagation phase: Virus places an identical copy of itself into other
programs or into certain system areas on the disk
• Triggering phase: Virus is activated to perform the function (usually
harmful)
• Execution phase: Function is performed
Macro Viruses
• macro - an executable program embedded in a word document or
other type of file
• Easily spread; platform independent; infects documents, not the
.exe
Viruses
E-mail Virus
• Activated when recipient opens the e-mail attachment
(e.g. Melissa virus). A new version that came out in 1999
was activated by opening the e-mail itself.
• Sends itself to everyone on the mailing list of the
infected user

Classification by Target
 Boot sector infector - Infects boot record and spreads when
system is booted from the disk containing the virus
 File infector - Infects executable files
 Macro virus - Infects files with macro code that is interpreted
by an application
Classification by concealment strategy
Encrypted virus – a portion of the virus encrypts
its main body and stores the key with itself. When an
infected program is executed, the virus decrypts itself
and then replicates. At each replication, a different
random key is selected, making detection more
difficult.
Stealth – designed to hide itself from detection by
antivirus software. May use compression.
Polymorphic – mutates with every infection,
making detection by the “signature” of the virus
impossible.
Metamorphic – same as polymorphic, but rewrites
itself completely, making detection even more
difficult. May change functionality as well as
appearance.
Malicious Software (cont.)
Worms
A worm exhibits similar characteristics to an e-mail virus, but
a worm does not need a host program and it is not
passive: it actively seeks out more machines to infect
via:
Electronic mail facility: A worm mails a copy of itself to
other systems
Remote execution: A worm executes a copy of itself on
another system
Remote log-in: A worm logs on to a remote system as a
user and then copies itself from one system to the
other
Bots (Zombie or drone)
Program that secretly takes over another Internet-
attached computer and uses it to launch attacks
that are difficult to trace to the bot’s creator.
Bots are planted on hundreds of computers belonging to
unsuspecting third parties and then used to
overwhelm a target Web site by launching an
overwhelming onslaught of Internet traffic.
The collection of bots acting in a coordinated
manner is called a botnet.

Uses of Bots
DDoS (Distributed Denial of Service attacks),
spamming, sniffing traffic on a compromised
machine, keylogging, spreading new malware,
manipulating online polls/games/clicks for ads
(every bot has a distinct IP address), etc.
BOTS
Remote Control Facility
 A worm propagates and activates itself, whereas a bot is controlled from a central facility
 Once a communication path is established, the control module can activate the bots in
host machines (which are taken hostage). For greater flexibility, the control module can
instruct the bots to download a file from an internet site and execute it. This way, a bot can
be used for different kinds of attacks.
Constructing the Attack Network
3 things needed:
(1) attack software
(2) a large number of vulnerable machines
(3) locating these machines (scanning or fingerprinting).
Scanning is generally done in a nested (or recursive) manner.
Scanning strategies:
 Random – check random IP addresses for vulnerability (generates
suspicious internet traffic)
 Hit list – a long list is compiled a priori. Each infected machine is given
a partial list to infect. This generates less internet traffic and therefore makes it more
difficult to detect.
 Topological – uses information contained on an infected machine to
find more hosts to scan
 Local subnet – if a host could be infected behind a firewall, that host
could be used to infect others on the same subnet (all behind the same
firewall).
Rootkit
 Malware which consists of a set of programs designed to take fundamental control of a
computer system and hide the fact that a system has been compromised

 Typically, rootkits act to obscure their presence on the system through subversion or
evasion of standard OS security mechanisms.

 Techniques used to accomplish this can include concealing running processes from
monitoring programs, or hiding files or system data from the OS

 Often, they are Trojans as well, thus fooling users into believing they are safe to run on
their systems.
 Rootkits may also install a "back door" in a system by replacing the login mechanism
(such as /bin/login) with an executable that steals a login combination, which is used to
access the system illegally.

 With root access, an attacker has complete control of the system to do anything

Rootkit Installation
 Usually via a Trojan horse. A user is induced to load a Trojan horse which then installs
the rootkit.
 Another means of rootkit installation is by hacker activity which is a rather lengthy
process.
Terminology of Malicious Programs
Denial of service attack
A denial of service attack targets a victim's resources: it occurs when
someone is interrupting, disturbing, scooping,
snapping, or hacking in the network.
Its forms are as follows:
1) DDOS (Distributed Denial of Service)
2) By DNS server as a third party.
3) By HTTP services.
4) Buffer overflow.
5) Ping of death (POD)
6) By hacking TCP
7) Volumetric DOS attack.
