Unit 1 Network security overview

Chapter 1 of the textbook by Jie Wang provides an overview of network security, focusing on the mission to ensure confidentiality, integrity, nonrepudiation, and availability of data. It discusses common attack and defense mechanisms, including eavesdropping, password pilfering, and identity spoofing, along with various security services and protection strategies. The chapter emphasizes the importance of safeguarding data during transmission and storage, as well as the need for robust authentication methods.


Chapter 1

NETWORK SECURITY OVERVIEW


Text Book: Jie Wang
By: Purvi Tandel
Topics:
• MISSION AND DEFINITIONS
• COMMON ATTACK AND DEFENSE MECHANISMS
• ATTACKER PROFILES
• BASIC SECURITY MODEL
Mission and Definition
The tasks of network security are to provide confidentiality, integrity, nonrepudiation, and
availability of useful data that are transmitted in public networks or stored in networked computers.

Any object that can be processed or executed by computers is data.


Examples: source code, executable code, files in various formats, email messages, digital music, digital
graphics, and digital video are each considered data.

Data should be read, written, or modified only by legitimate users. That is, unauthorized individuals
or organizations are not allowed to have access to data.
Data is sometimes referred to as information or messages.
Each piece of data has two possible states:
1) the transmission state and
2) the storage state.
Mission and Definition

Security Services:

Confidentiality
Integrity
Authentication
Availability
Access Control
Nonrepudiation
Mission and Definition
Data in the transmission state is simply data in the process of being delivered to a network destination.
Data in the storage state is that which is stored in a local computer or in a storage device.

Confidentiality in transmission state:


In this case, confidentiality means that data during transmission cannot be read by any unauthorized user.
Integrity in transmission state:
Integrity means that data during transmission cannot be modified or fabricated by any unauthorized user.
Confidentiality in storage state:
Confidentiality means that data stored in a local device cannot be read by any unauthorized user through a
network.
Integrity in storage state:
Integrity means that data stored in a local device cannot be modified or fabricated by any unauthorized
user through a network.
Mission and Definition
Data nonrepudiation means that a person who owns the data has no way to convince other people
that he or she does not own it.
Data availability means that attackers cannot block legitimate users from using available resources
and services of a networked computer.
For example, a computer system infected with a virus should be able to detect and disinfect the virus
without much delay, and a server hit by denial of service attacks should still be able to provide
services to its users.

Access Control means the prevention of unauthorized use of a resource.


Authentication means the assurance that the communicating entity is the one that it claims to be.
Common Attack and Defence Mechanisms
1. Eavesdropping
2. Cryptanalysis
3. Password Pilfering
4. Identity Spoofing
5. Buffer Overflow Exploitation
6. Repudiation
7. Intrusion
8. Traffic Analysis
9. Denial of Service Attacks
10. Malicious Software
Common attacks:
• Eavesdropping
• Cryptanalysis
• Password Pilfering
  - Guessing
  - Social Engineering (Physical Impersonation, Phishing)
  - Dictionary Attacks
  - Password Sniffing
  - Rainbow Tables
• Identity Spoofing
  - Man-in-the-middle Attacks
  - Message Replays
  - Network Spoofing (SYN Flooding, TCP Hijacking, ARP Spoofing)
• Buffer-Overflow Exploitations
• Repudiation
• Intrusion
  - IP Scans and Port Scans
• Traffic Analysis
• Denial of Service Attacks
  - DoS Attacks
  - DDoS Attacks
  - Spam Mail
• Malicious Software
  - Viruses and Worms
  - Trojan Horses
  - Logic Bombs and Backdoors
  - Spyware
Eavesdropping
Eavesdropping is an old and effective method for stealing private information.
In network communications, the eavesdroppers may intercept data from network traffic using a
networking device and a packet sniffer.

A packet sniffer, or network sniffer, is a program for monitoring incoming network traffic.
When connecting a router to the Internet, for example, one can use a packet sniffer to capture all the
IP packets going through that router. TCPdump and Wireshark (formerly known as Ethereal) are
network sniffers widely used today, which are available as free downloads.
For example, the eavesdropper may try to compromise a router on the path and install a packet sniffer
in it to intercept the IP packets he is after. The eavesdropper may also use an ARP spoofing technique
to reroute IP packets to his sniffer without compromising a router.
Eavesdropping
Eavesdropping in wireless communications is easier. In this case, the attacker simply needs to place a
receiver with the same radio frequency of the wireless network within the communication range
of the network.

Defense/protection against eavesdropping:

Encrypt the data: even if the eavesdropper is able to intercept the encrypted data, he is still not able to
obtain the original data without knowing the decryption key. Both symmetric-key and asymmetric-key
encryption can be used.
Cryptanalysis
Cryptanalysis is the art and science of finding useful information from ciphertext data without
knowing the decryption keys.
For example, in a substitution cipher that substitutes plaintext letters with ciphertext letters, if a
ciphertext message reveals a certain statistical structure, then one may be able to decipher it. To
obtain a statistical structure of the data, one may calculate the frequency of each character in the
ciphertext data and compare it against the known statistical frequency of each character in the
language used in the plain text. For example, in the English language, the letter “e” has the highest
frequency. Thus, in a substitution cipher, the character that has the highest frequency in the ciphertext
data is likely to correspond to the plaintext letter “e”. This analysis can be further extended to
common phrases.
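The frequency analysis described above, worked through on a constructed example (added here; this is not code from the textbook or the slides). A Caesar shift is used as the instance of a substitution cipher, the plaintext is a constructed English sentence, and the single rule applied is the one the text states: the most frequent ciphertext letter is assumed to stand for plaintext "e".

```python
from collections import Counter
import string

# Constructed plaintext for the demonstration; like ordinary English text,
# it contains far more "e"s than any other letter.
SAMPLE_PLAINTEXT = ("secure network services need encrypted messages between "
                    "every endpoint where eavesdroppers are expected")


def shift_encrypt(plaintext: str, shift: int) -> str:
    """A monoalphabetic substitution cipher: each letter is replaced by the
    letter `shift` positions later in the alphabet (a Caesar shift)."""
    out = []
    for ch in plaintext.lower():
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)  # spaces and punctuation are left untouched
    return "".join(out)


def shift_decrypt(ciphertext: str, shift: int) -> str:
    return shift_encrypt(ciphertext, -shift)


def letter_frequencies(text: str) -> list:
    """(letter, count) pairs for the letters in `text`, most frequent first."""
    counts = Counter(ch for ch in text.lower() if ch in string.ascii_lowercase)
    return counts.most_common()


def guess_shift(ciphertext: str) -> int:
    """Assume the most frequent ciphertext letter corresponds to plaintext 'e'
    and derive the shift from that single correspondence."""
    top_letter = letter_frequencies(ciphertext)[0][0]
    return (ord(top_letter) - ord("e")) % 26


if __name__ == "__main__":
    ct = shift_encrypt(SAMPLE_PLAINTEXT, 3)
    print("ciphertext :", ct)
    print("top letters:", letter_frequencies(ct)[:3])
    guessed = guess_shift(ct)
    print("guessed shift:", guessed)
    print("recovered  :", shift_decrypt(ct, guessed))
```

The statistical structure survives because a substitution cipher maps each plaintext letter to one fixed ciphertext letter; modern ciphers are designed so that no such structure is visible in the ciphertext, which is why the defense listed next is to use modern algorithms rather than longer substitution alphabets.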
Defense/protection against cryptanalysis:
Use modern encryption algorithms.
Using longer keys makes brute-force attacks impractical.
Besides using stronger encryption algorithms, it is equally important to distribute and manage keys safely
and to implement encryption algorithms without exploitable loopholes.
Password Pilfering
The most widely used authentication mechanism is in the form of user names and user passwords.
User names are public information, but user passwords must be kept secret.

Common methods for pilfering user passwords:
• guessing,
• social engineering,
• pharming,
• dictionary attacks,
• side-channel attacks, and
• password sniffing.

Phishing attacks and pharming attacks have become the most common form of mass social
engineering attacks in recent years.
Password Pilfering - Guessing
Guessing is the simplest method to acquire a password illegitimately. The attacker may get lucky if users
use short passwords or if they forget to change the default passwords created for them. Also, users have a
tendency to use the same passwords.

10 most common passwords used by users:
1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adob123

Defence: Use uncommon and strong passwords.
Password Pilfering – Social Engineering
Social engineering is a method of using social skills to pilfer secret information from the victims.
For example, attackers may try to impersonate people with authority or organizations of reputation to trick
unvigilant users to reveal their user names and user passwords to the attackers. Impersonation may be
carried out either in person or in an electronic form. Phishing and pharming are common electronic forms
of social engineering attacks in recent years, targeted at a large number of people.

There are other forms of social engineering attacks. For example, attackers may try to collect recycled
papers from the recycle bins in a corporation’s office building, hoping to find useful login information.
Attackers may also make a Web browser pop up a window asking for user login information.
1) Physical Impersonation: Physical impersonation means that the attacker pretends to be a different
person to delude the victim.
2) Phishing: Phishing attacks are mass social engineering attacks that take advantage of people with a
tendency to trust authorities.
Password Pilfering – Social Engineering
Phishing:
Even if you do not plan to enter any information on the bogus Website, clicking the link in the phishing
email may already compromise your computer, for modern phishing techniques make it possible to embed
exploits in a Web page, and the exploits will be activated when you open the Web page.

To avoid being fooled, users may look at the following three things to detect abnormalities:
(1) the “From” address, which may look odd;
(2) the URL links the phishers want them to click on, which may be similar to but definitely different from
the real site (e.g., a URL that looks like Citicard is in reality not Citibank’s real site); and
(3) the look and feel of the Website, if the user fails to identify any abnormality in the first two.

Defense/protection against Phishing:


Anti-phishing extensions
Email scanners
Pharming
Pharming attacks use Web technologies to redirect users from the URLs they want to visit to a URL
specified by the attacker, including changing DNS settings or the hosts file on the victim’s computer,
where DNS stands for domain-name service.

Attacks that change DNS settings are also referred to as DNS poisoning. If a DNS-poisoning attack is
launched from an insecure home router or wireless access point, it is also referred to as drive-by
pharming.
Pharming
Key difference between pharming vs. phishing is that pharming requires an
attacker to gain unauthorized access to a system, while phishing only requires
successful social engineering.

Defense against pharming attacks:

Users should make sure that their DNS software and hosts file have not been compromised, and that the
URL they are visiting is the right one, before doing anything else.
Dictionary Attacks
In a dictionary attack, the attacker utilizes a wordlist in the hopes that the user's
password is a commonly used word (or a password seen in previous sites).

In early versions of UNIX and Linux operating systems, user names and the
corresponding encrypted user passwords stored in the passwd file were ASCII
strings that could be read by users. In later versions of UNIX and Linux operating
systems, however, the encrypted user passwords of the system are no longer stored
this way. Instead, they are stored in a file named shadow under the directory /etc,
which is an access-restricted system file.

In the Windows NT/XP operating system, for another example, the user names and
the encrypted user passwords are stored in the system's registry in a file named
SAM. They can be read using special tools, e.g. pwdump.
Dictionary Attacks
Dictionary attacks take advantage of the way some people use dictionary words, names, and
dates as passwords. These attacks find user passwords from their encrypted forms.
A typical dictionary attack proceeds as follows:
1. Obtain information of user names and the corresponding encrypted passwords. This was
done, for example, in early versions of UNIX or Linux by getting a copy of the /etc/passwd
file. In Windows XP, it can be done using pwdump to read the system registry.
2. Run the encryption routine used by the underlying system on all dictionary words, names,
and dates. Compute the encrypted hash for each dictionary word, each name, and each date.
3. Compare each output obtained from Step 2 with the encrypted passwords obtained from
Step 1. If a match is found, a user password is found. In other words, suppose w is a word
and Wi = crypt(w) is the output of the encryption routine crypt on input w. Suppose u and
Pu are a pair of user name and encrypted password of user u. If Wi = Pu, then w is user u's
password or is equivalent to user u’s password, for w may not be unique.
Dictionary Attacks
Step 2 is computationally intensive, for there are many words, names, and dates.
To avoid carrying out this costly computation each time an encrypted hash is given,
one would want to pre-compute Step 2 and store the results (i.e. password-hash
pairs) in one table, so that one only needs to do a table lookup to find the
corresponding plaintext password from the given encrypted hash. But such a table
will be humongous. Constructing a rainbow table helps to reduce the table size
and make the computation at Step 2 manageable.
Dictionary Attacks
Rainbow Table:
Let h be a cryptographic hash function that, on an 8-character password, generates a
16-character long hash value. Then we may define r as follows: For any 8-character
string w, function r on input h(w) returns the last eight characters of h(w). Function
r may also return the first eight characters of h(w) or any combination of eight
characters selected from h(w). Note that r is not an inverse function of h.

Creating a Table
Here, the hash of a string is taken and then reduced to create a new string, which is
reduced again, repeatedly. For example, let’s create a table of the most common
password, 12345678, using MD5 hash function on first 8 characters:
Dictionary Attacks
Rainbow Table:
Creating a Table
• First we take the string and pass it through md5 hash function.
hashMD5(12345678) = 25d55ad283aa400af464c76d713c07ad
• We reduce the hash by taking only the first 8 characters. Then, we re-hash it.
hashMD5(25d55ad2) = 5c41c6b3958e798662d8853ece970f70

• This is repeated until the chain contains enough hashes. This represents one
chain, which starts from the first plaintext and ends at the last hash.
• After obtaining enough chains, we store only the start plaintext and the end hash of each chain in a table.
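The chain construction just described, carried through in code (an added example, not code from the textbook or the slides). It uses the page's own choices, h = MD5 and r = the first 8 hex characters of the hash, and shows the part the text leaves implicit: how a stored (start, end) pair is used to recover the plaintext for a given hash by walking the chain. The chain length of 50 and the start plaintexts are assumptions made for the example.

```python
import hashlib

CHAIN_LENGTH = 50  # assumed chain length for this example


def h(password: str) -> str:
    """The hash function of the text: MD5, as a 32-character hex digest."""
    return hashlib.md5(password.encode()).hexdigest()


def r(digest: str) -> str:
    """The reduction function of the text: keep the first 8 characters.
    r maps a hash back into the 8-character password space; it is NOT h's inverse."""
    return digest[:8]


def chain_end(start: str, length: int = CHAIN_LENGTH) -> str:
    """Hash, reduce, hash, ... and return the final hash of the chain."""
    cur = h(start)
    for _ in range(length - 1):
        cur = h(r(cur))
    return cur


def build_table(starts) -> dict:
    """Store only (end hash -> start plaintext); the middle of each chain is
    recomputed on demand, which is what keeps the table small."""
    return {chain_end(s): s for s in starts}


def lookup(table: dict, target: str, length: int = CHAIN_LENGTH):
    """Find the plaintext whose hash is `target`, if it lies on a stored chain.

    If target is the j-th hash of a chain, applying (h o r) exactly length-j
    more times reaches that chain's stored end hash; we try every k in
    0..length-1, and on a hit regenerate the chain from its start."""
    for k in range(length):
        cur = target
        for _ in range(k):
            cur = h(r(cur))
        start = table.get(cur)
        if start is None:
            continue
        p = start
        for _ in range(length):
            if h(p) == target:
                return p
            p = r(h(p))
    return None  # not covered by any chain (or a false alarm from a collision)


if __name__ == "__main__":
    table = build_table(["12345678", "a1b2c3d4"])
    print("stored table:", table)
    print("hash of 12345678:", h("12345678"))
    print("lookup ->", lookup(table, h("12345678")))
```

A single table covers at most starts × CHAIN_LENGTH passwords, and any password not on a chain is simply not found; that trade of storage for recomputation is the whole point of the construction, and salting (discussed next) breaks it by making every user's hash input different.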
Dictionary Attacks
Defense against dictionary attacks:
use a technique called salting.
Salting involves adding a unique and random string, known as a salt, to each
password before hashing. The salt value is then stored alongside the hashed
password.
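The dictionary-attack procedure of Steps 1 to 3 and the salting defense, side by side (an added example, not code from the textbook or the slides). SHA-256 stands in for the system's crypt routine, PBKDF2 stands in for a salted password hash, and the wordlist and user records are constructed; the "audit" function is the defender's use of Step 3: checking whether any stored unsalted hash equals the hash of a common word.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary of Step 2.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "iloveyou"]
PBKDF2_ROUNDS = 50_000  # assumed work factor for the salted scheme


def crypt_unsalted(password: str) -> str:
    """Stand-in for crypt(w): a plain, unsalted hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def precompute_table(wordlist) -> dict:
    """Step 2 done once: crypt(w) -> w for every word in the list."""
    return {crypt_unsalted(w): w for w in wordlist}


def audit_unsalted(stored_hashes: dict, table: dict) -> dict:
    """Step 3 as an audit: {user: word} for every stored hash Pu that equals
    some precomputed Wi. Two users with the same password share one hash, so
    one table lookup exposes both."""
    return {user: table[pu] for user, pu in stored_hashes.items() if pu in table}


def crypt_salted(password: str, salt: bytes) -> str:
    """Salted, slow hash: the salt enters the computation, so the same password
    yields a different hash for every user and a precomputed table is useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def make_record(password: str) -> dict:
    """Pick a fresh random salt and store it alongside the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": crypt_salted(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    candidate = crypt_salted(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    stored = {"alice": crypt_unsalted("qwerty"), "bob": crypt_unsalted("qwerty")}
    print("unsalted audit hits:", audit_unsalted(stored, table))
    rec = make_record("qwerty")
    print("salted record:", rec)
    print("salted hash in table?", rec["hash"] in table)
    print("verify('qwerty') ->", verify("qwerty", rec))
```

Salting does not make a weak password strong: an attacker who obtains the record can still hash the wordlist with that user's salt, which is why the slow hash and, above all, uncommon passwords remain necessary. What salting removes is the one-time precomputation that makes dictionary and rainbow tables pay off across many users.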
Password Sniffing
Password sniffers are software programs, used to capture remote login
information such as user names and user passwords.
Common network applications such as Telnet, FTP, SMTP, and POP3 often require
users to type in their user names and passwords for authentication, making it
possible for a password sniffer to intercept useful login information.

For remote logins, however, one may use special programs (e.g. SSH) to encrypt all
messages, thus making it more difficult to sniff user passwords.
SSH and other programs that encrypt login information such as HTTPS,
however, are still vulnerable to password sniffing attacks. For example, Cain & Abel,
a password recovery tool for the Microsoft Operating Systems, is a network sniffing
tool that can capture and crack encrypted passwords using dictionary, brute-force,
and cryptanalysis attacks.
Password Protection against mentioned attacks:
1. Use long passwords, with a combination of letters, capital letters, digits, and other characters such
as $, #, &, %. This rule makes guessing attacks and dictionary attacks difficult to perform.
2. Do not reveal your passwords to anyone you do not know. Do not submit to anyone who acts as if
he has authority.
3. Change passwords periodically and do not reuse old passwords. This rule helps defend users
against patient and persistent attackers who may keep on running dictionary attacks on all possible
strings formed using the first rule, and hope that they may get lucky. Attackers may also keep records
of old passwords they have identified.
4. Do not use the same password for different accounts. Thus, even if a user's password for a
particular account is compromised, the user's other accounts would still be safe.
5. Do not use remote login software that does not encrypt user passwords and other important
personal information. This practice makes password sniffing difficult.
6. Shred all discarded papers using a good paper shredder.
7. Avoid entering any information in any popup window, and avoid clicking on links in
suspicious emails. Instead, go to the legitimate Website directly using the true URL address, and
follow the directions there. This practice helps counter password sniffing and reduces the chance of
being caught by phishers.
Other User-Authentication Methods against mentioned attacks:
Authentication using user passwords is so far the most widely used authentication
method.

3 methods:
1) secret password (user names and user passwords)
2) biometrics of unique biological features, e.g. fingerprints and retinas
3) authenticating items, e.g. passes and certificates of identification. (Kerberos)
Identity Spoofing:
Identity spoofing attacks allow attackers to impersonate a victim without using the
victim’s password.

Common identity spoofing attacks include


1) man-in-the-middle attacks,
2) message replays,
3) network spoofing, and
4) software exploitation attacks.
Identity Spoofing - Man-in-the-middle Attacks:
In a man-in-the-middle attack, the attacker tries to compromise a network device
(or install one of his own) between two or more users. Using this device, the attacker
can intercept, modify, or fabricate data transmitted between users. The attacker
will then forward them as if they have not been touched by the attacker.

For example, the attacker may intercept an IP packet sent by user A, modify its
payload, and then send the modified packet to user B as if it comes from user A. This
way, both users may still believe that they are directly talking to each other, without
realizing that the confidentiality and integrity of the IP packets they receive have
already been compromised.
Identity Spoofing - Man-in-the-middle Attacks:

Defense against Man-in-the-middle attacks:


Encrypting and authenticating IP packets
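What "authenticating IP packets" buys against the attack above, shown at the message level (an added example, not code from the textbook or the slides). Each message carries a sequence number and an HMAC-SHA256 tag computed with a key shared by A and B; the receiver rejects a payload the man in the middle has rewritten and also rejects a message replay (the second attack in the list above). The shared key, the message layout and the payloads are constructed for the example; in practice the key would come from a key-exchange protocol, and confidentiality would need encryption on top of this.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the example (a real key would be negotiated).
SHARED_KEY = b"example-shared-key-not-for-real-use"
SEQ_LEN, TAG_LEN = 8, 32


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq (8 bytes, big-endian) || payload || HMAC(seq || payload)."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the tag and enforces strictly increasing seq."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def open(self, msg: bytes):
        """Return the payload if authentic and fresh, else None."""
        if len(msg) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = msg[:SEQ_LEN], msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # modified or fabricated in transit
        seq = struct.unpack("!Q", header)[0]
        if seq <= self.last_seq:
            return None                      # replay of an already-seen message
        self.last_seq = seq
        return payload


def tamper(msg: bytes, new_payload: bytes) -> bytes:
    """Model the man in the middle: swap the payload, keep seq and tag."""
    return msg[:SEQ_LEN] + new_payload + msg[-TAG_LEN:]


if __name__ == "__main__":
    rx = Receiver(SHARED_KEY)
    m1 = seal(SHARED_KEY, 1, b"transfer 10")
    print("genuine :", rx.open(m1))
    print("tampered:", rx.open(tamper(m1, b"transfer 99")))
    print("replayed:", rx.open(m1))
    print("next    :", rx.open(seal(SHARED_KEY, 2, b"ok")))
```

Without the key the attacker cannot produce a valid tag for a modified payload, so integrity and origin are protected; the sequence number is what turns a valid old message into a detectable replay.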
Identity Spoofing – Network Spoofing:
IP spoofing is one of the major network spoofing techniques.
It consists of SYN flooding, TCP hijacking, and ARP spoofing. ARP spoofing is also
referred to as ARP poisoning.
SYN flooding:
In a SYN flooding attack, the attacker fills the target computer's TCP buffer with a
large volume of SYN control packets, making the target computer unable to
establish communications with other computers
Identity Spoofing – Network Spoofing:
TCP hijacking:
TCP/IP hijacking is a type of man-in-the-middle attack. The intruder can determine
the IP addresses of the two session participants, make one of them inaccessible
using a DoS attack, and connect to the other by spoofing the network ID of the
former.
Identity Spoofing – Network Spoofing:
TCP hijacking:
Suppose computer V is a company computer and user A is an employee of that company and
is going to log on to computer V from home. User A's computer sends a SYN control packet to
V and now suppose that an attacker intercepts this packet. The attacker then uses the SYN
flooding attack to mute computer V, so that V cannot complete the three-way handshake
protocol with user A's computer.
If the attacker can predict the correct TCP sequence number for the ACK packet which is
supposed to be sent to A from the muted computer V, then the attacker can craft an ACK
packet and send it to user A's computer. The crafted ACK packet uses the correct TCP
sequence number and V's IP address as the source IP address.
User A's computer receives the ACK packet and verifies that it has the correct TCP sequence
number. It then sends an ACK packet to the attacker to complete the three-way handshake
procedure with the attacker. Thus, the TCP connection that user A’s computer has
established is with the attacker, instead of with V.
Defense against TCP hijacking:
To stop TCP hijacking, it is important to use software (e.g. TCP wrappers) that checks IP
addresses at the TCP layer.
Identity Spoofing – Network Spoofing:
ARP Spoofing:
In an ARP spoofing attack, the attacker changes the legitimate MAC address of an IP address to a
different MAC address chosen by the attacker.

Defense against ARP spoofing:

Strengthen checking procedures of MAC addresses and domain names, and make sure that the source IP
address and the destination address in an IP packet have not been changed during transmission.
Buffer-Overflow Exploitations:
Buffer overflow, also referred to as buffer overrun, is a common software flaw. A buffer is a set of
contiguous memory locations allocated to a process. The size of the buffer is fixed in its declaration in
the program. A buffer overflow occurs if the process writes more data into the buffer than it can hold.

The following is a simple C program that writes a buffer of eight bytes with a string str of 34 bytes,
causing it to overflow (the program is deliberately vulnerable; the headers and the assignment operator
have been restored so that it compiles as written):

    #include <stdio.h>
    #include <string.h>

    int main()
    {
        char buffer[8];
        /* 34 characters, plus the terminating NUL byte */
        char *str = "This is a test of buffer overflow.";
        strcpy(buffer, str);    /* no bounds check: writes past the 8-byte buffer */
        printf("%s", buffer);
        return 0;
    }
Buffer-Overflow Exploitations:
Listed below are general steps of this type of attack:
1. Find a program that is vulnerable to buffer overflows. For example,
programs that use string-based functions (e.g. strcpy() and strcat())
are vulnerable, for they do not check bounds. These functions would
copy as many characters as possible until a NULL byte is encountered.
2. Figure out the address of the attacker's code.
3. Determine the number of bytes that is long enough to overwrite the
return address.
4. Overflow the buffer so that it rewrites the original return address of the
function call with the address of the attacker's code.

Defense against this attack:


close the doors of overflow.
That is, one should always add statements to check bounds when
dealing with buffers in a program. Avoid using string functions that do
not check bounds.
Repudiation:
In some situations, the owner of the data may not want to admit ownership of the
data to evade legal consequences. He may argue that he has never sent or received
the data in question. Repudiation is straightforward if the data has not been
authenticated.
Even if the data has been authenticated, repudiation is still possible when the
underlying authentication methods or the communication protocols contain
loopholes.

Defense against this attack:


Using secure encryption and authentication algorithms can help prevent repudiation
attacks.
Intrusion:
Intrusion in network security means that an illegitimate user, i.e. the intruder, gains
access to someone else's computer systems. The intruder may turn a victim's
computer into his own server which may result in stolen computing resources and
network bandwidth from the victim. The intruder may also steal useful information
residing in the victim's computer.
Defense against this attack:
Closing TCP and UDP ports that may be exploited by intruders can also help reduce
intrusions.

IP Scans and Port Scans:


Attackers use IP scans to search for potential targets and use port scans to identify
open ports that are vulnerable in the targets.
Traffic Analysis:
The purpose of traffic analysis is to determine who is talking to whom by
analyzing IP packets. Even if the payload of the IP packet is encrypted, the attacker
may still obtain useful information from analyzing IP headers. An IP header contains
the source IP address and the destination IP address, which reveal who is sending
messages to whom. If its payload (i.e. the encapsulated TCP packet) is not encrypted,
the port numbers can also be obtained. This information can be used to learn which
application program is used to read the message.
Defense against this attack:
encrypt IP headers
Denial of Service Attacks:
The goal of denial-of-service attacks is to block legitimate users from getting
services they can normally get from servers. Such attacks often force the target
computer to process a large number of useless things, hoping to consume all its
critical resources.

DOS attack:
SYN flooding is a typical and effective technique used by DoS attacks. The smurf
attack is another typical type of DoS attack, where smurf is the name of the
software used to execute the attack. It sends an excessive number of messages to
the target computer and crashes it by consuming all its resources.
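Two of the behaviours described on this page, IP and port scans (under Intrusion) and SYN flooding (here), leave simple statistical traces in connection records, and a defender can look for them. The following detector is an added example, not code from the textbook or the slides: it runs over a constructed list of connection-attempt records (one line per packet, "src dst port flag" with S for SYN and A for ACK, a format assumed for the example) and flags sources that touch many distinct ports and sources that leave many half-open connections (SYNs never followed by an ACK). The thresholds are assumptions.

```python
from collections import defaultdict

# Constructed records, not real capture data: "<src_ip> <dst_ip> <dst_port> <flag>".
SAMPLE_RECORDS = (
    # a normal client: SYN followed by the handshake-completing ACK
    ["10.0.0.5 10.0.0.80 443 S", "10.0.0.5 10.0.0.80 443 A"]
    # a port scan: one SYN to each of many ports on the same host
    + [f"203.0.113.9 10.0.0.80 {p} S"
       for p in (21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080)]
    # a SYN flood: many SYNs to one service, none ever completed
    + ["198.51.100.7 10.0.0.80 80 S"] * 30
)


def parse_record(line: str):
    src, dst, port, flag = line.split()
    return src, dst, int(port), flag


def detect_port_scans(lines, min_ports: int = 8) -> dict:
    """{src: number of distinct (dst, port) targets} for sources that SYN to
    at least `min_ports` distinct targets."""
    targets = defaultdict(set)
    for src, dst, port, flag in map(parse_record, lines):
        if flag == "S":
            targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


def detect_syn_floods(lines, threshold: int = 20) -> dict:
    """{(src, dst, port): half-open count} where half-open = SYNs minus ACKs
    from the same source to the same service, for counts >= `threshold`."""
    half_open = defaultdict(int)
    for src, dst, port, flag in map(parse_record, lines):
        if flag == "S":
            half_open[(src, dst, port)] += 1
        elif flag == "A":
            half_open[(src, dst, port)] -= 1
    return {k: n for k, n in half_open.items() if n >= threshold}


if __name__ == "__main__":
    print("port scans :", detect_port_scans(SAMPLE_RECORDS))
    print("SYN floods :", detect_syn_floods(SAMPLE_RECORDS))
```

Keying the half-open count by source is enough for this sample; a real flood usually spoofs source addresses (the slides file SYN flooding under network spoofing for that reason), so production detectors also count half-open connections per destination service regardless of source, and hosts mitigate with SYN cookies rather than by holding state for every SYN.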
Denial of Service Attacks:

Smurf attack (figure not reproduced)
Denial of Service Attacks:
DDOS attack:
A typical DDoS attack Proceeds according to the following sequence:
1. Compromise as many networked computers as possible. This may be achieved
using Trojan horses.
2. Install special software in the compromised computers to carry out a DoS attack
at a certain time later. Such software is called zombie software and such a
computer is called a zombie computer or simply a zombie. A collection of
zombies is also called a zombie army, which is now typically called a botnet.
3. Issue an attack command to every zombie computer to launch a DoS attack on
the same target at the same time.
Spam Mail:
Spam mails are uninvited email messages, which may be commercial messages or
phishing messages. While not intended to bring the user's computer out of service,
spam mails do consume computing resources.

Spamming also occurs in Web search engines, Instant Messaging, blogs, mobile
phone messaging, and other network applications.

Defense against attack:


Spam filters are software solutions to detect and block spam mails from reaching
the user's mailbox
Malicious Software:
Software intended to harm computers is malicious software. Malicious software is
also referred to as malware.

Common forms of malicious software include


virus, worms,
Trojan horses,
logic bombs, backdoors, and
spyware.
Malicious Software – Virus and Worms:
A computer virus is a piece of software that can reproduce itself. However, a virus
is not a stand-alone program. In other words, it must attach itself to another
program or another file. A program or file that contains a virus is called an
infected host. An uninfected host is also called a healthy host.

A computer worm is also a piece of software that can reproduce itself. Unlike a
virus, a worm is a stand-alone program. In other words, it does not need a host to
live in. A worm can execute itself at any time it wishes. When executed, a worm
may do harm to the system where it resides or replicate itself to other systems
through networks.

Defense against them:


virus scans to detect, quarantine, and delete infected hosts and worms

• Do not download software (e.g. games) from un-trusted Websites or other sources.
• Do not open any executable file given to you by someone you do not know.
• Make sure software patches are installed and up to date.
Malicious Software – Trojan Horses:
Trojan horses are software programs that appear to do one thing, but secretly also
perform other tasks.

When they are executed by the user, the hidden functions contained in them which
now have the user's access rights do harmful things secretly.

Defense against them:


Virus scans can also detect, quarantine, and delete Trojan horses.
Malicious Software – Logic Bombs and
Backdoors:
Logic bombs are subroutines or instructions embedded in a program. Their
execution are triggered by conditional statements.

Backdoors are secret entrance points to a program. They are often Inserted by
software developers to provide a shortcut to enter a password-protected
program when attempting to modify or debug code. These backdoors which
avoid the typical password entrances of normal users may later be discovered and
used by attackers. Attackers who compromise network systems have been known
to insert their own backdoors so that they can more easily re-enter later.
Malicious Software – Spyware:
Spyware is a type of software that installs itself on the user's computer.

Browser Hijacking:
Browser hijacking is a technique that changes the settings of the user's
browsers. It may replace the user's default Website with a different Website
selected by the attacker. Or it may stop the user from visiting the websites he or she
wants to visit.

Zombieware:
Zombieware is software that takes over the user's computer and turns it into a
zombie for launching DDoS attacks or into a relay which carries out harmful
activities such as sending spam email or spreading viruses. Therefore, the purpose
of zombieware is to hijack computers.
Attacker Profiles

1. Hackers
2. Script Kiddies
3. Cyber Spies
4. Vicious Employees
5. Cyber Terrorists
6. Hypothetical Attackers
Hackers:
Hackers are people with special knowledge of computer systems. They are
interested in subtle details of software, algorithms, and system configurations.
Hackers are an elite group of well-trained and highly motivated people.

Black-Hat Hackers:
Black-hat hackers are people who hack computing systems for their own
benefit.

White-Hat Hackers:
White-hat hackers are hackers who have high moral standards. They hack
computing systems for the purpose of searching for security loopholes and
developing solutions.
Hackers:
Grey-Hat Hackers:
Grey-hat hackers are hackers who wear a white hat most of the time, but may also
wear a black hat once in a while.

For example, when they discover attacks, instead of reporting the incidents to law
enforcement, grey-hat hackers may take the matter in their own hands and strike
the attackers back themselves.
Script Kiddies:
Script kiddies are people who use scripts and programs developed by black-hat
hackers to attack other people's computers. Such scripts and programs are often
referred to as hacking tools. Script kiddie is a derogatory term. It is used to indicate
that script kiddies only know how to copy and use a hacking tool. They do not
understand how it works, and they are not capable of writing any hacking tool
themselves.
Cyber Spies:
Collecting intelligence through intercepted network communications is the job of
cyber spies. Countries have intelligence agencies and military organizations which
have intelligence units. They intercept network communications and decipher
encrypted messages. The National Security Agency (NSA) and the Central
Intelligence Agency (CIA), for example, are the two largest intelligence agencies of
the United States government.
Vicious Employees:
Vicious employees are people who intentionally breach security to harm their
employers. They may plant logic bombs or open backdoors in programs they help
develop. They may act as script kiddies to attack company computers to get the
attentions of their employers. They may also act as cyber spies to collect and sell
company secrets for money.
Cyber Terrorists:
Terrorists are extremists who do not hesitate to use extreme means to destroy
public property and take innocent life. Cyber terrorists are terrorists who use
computer and network technologies to carry out their attacks and produce public
fear. Attacks by cyber terrorists have not been reported yet. However, if they did
attack, cyber terrorists would be extremely harmful.
Hypothetical Attackers:
The hypothetical attackers are black-hat hackers, script kiddies, greedy cyber spies
who are willing to betray their countries or organizations for monetary benefits,
and vicious employees.

Attackers of these four kinds may be wicked, but they are not terrorists. Cyber
terrorists, on the other hand, are the die-hard enemies, and so they may need to be
dealt with using a different set of measures not addressed in this book.
Basic Security Model:
