SE Chapter06 Oriented Software Engineering

The document discusses various types of cybersecurity threats including viruses, worms, intruders, insiders, and different types of attacks such as denial of service attacks, man-in-the-middle attacks, and spoofing. It defines the differences between viruses and worms, as well as intruders and insiders. It also outlines the general process of an attack and discusses security basics like confidentiality, integrity, and availability.

Uploaded by Getachew Shambel

CHAPTER 1
INTRODUCTION AND SECURITY THREATS
3. Difference between Virus and Worm

Virus: a piece of code that attaches itself to a legitimate program (its host) and runs when that program runs.
Worm: a stand-alone malicious program that spreads automatically over the network without needing a host program.

Virus: modifies the code of the programs it infects (it inserts itself into the file).
Worm: does not modify other programs; it copies itself as a separate file or process.

Virus: replicates only when the infected host program is executed, so it usually needs a trigger such as a user opening the file.
Worm: replicates by itself, without any trigger, by exploiting network services or using stolen credentials to reach new machines.

Virus: usually carries a payload aimed at the code or programs stored on the infected computer, and is therefore destructive in nature.
Worm: may carry no payload at all; its damage typically comes from consuming bandwidth, memory and CPU until the computer or network becomes unusable.

Virus: infects other files.
Worm: does not infect other files, but occupies memory and network capacity while it replicates.
4. Difference between Intruders and Insiders

Intruders: unauthorized users (outsiders) who try to gain access to the system or network.
Insiders: authorized users who try to access parts of the system or network for which they are not authorized.

Intruders: typically hackers or crackers.
Insiders: employees, contractors or other legitimate users; they need no hacking skill to misuse access they already hold.

Intruders: illegal users; any access they obtain is unauthorized.
Insiders: legal users; only the way they use (or extend) their access is unauthorized.

Intruders: must first break in, so they start with no access to the system.
Insiders: already have easy access because they hold valid credentials, which is why they are generally considered more dangerous than intruders.

Intruders: many security mechanisms (firewalls, authentication, intrusion detection) are designed to keep them out.
Insiders: perimeter mechanisms do not help against them; defences rely on least privilege, separation of duties, and logging and monitoring of what authorized users actually do.
5. Avenue of Attack
A particular computer system is attacked for one of two reasons: either it is specifically
targeted by the attacker, or it is a target of opportunity.
In the first case, the attacker has chosen the target not because of the hardware or software
the organization is running but for another reason, perhaps a political one.
In the second case, an attack against a target of opportunity is conducted against a site
simply because it runs software that is vulnerable to a specific exploit; the attacker is
looking for any vulnerable host, not for that organization in particular.
6. The steps in attack (General Process)

A. Profiling – information about the organization is gathered. This information includes
IP address ranges, phone numbers, and what networks the organization maintains.
B. Ping sweep – determining which targets are active by sending "ping" (ICMP echo
requests) to each address in the range.
C. Port scan – identifying which ports are open on each active host, which gives an
indication of which services may be running on the target machine.
D. Find possible vulnerabilities and develop a list of targets – further research is
conducted on the identified services to develop this list. The attacker is then ready to
take the next step: an actual attack on the target.
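The following is an added example, not code from the original slides, showing step C in working form: a TCP connect() port scanner run against a throwaway listener on 127.0.0.1 that plays the "active target". Step B (ping sweep) is not reproduced because sending ICMP needs raw sockets and root; the port list, the service-guess table and the local listener are all constructed for the demo.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

# Constructed lookup of well-known ports. A scanner only *infers* the service from the
# port number; the guess is confirmed later by banner grabbing or version probes.
LIKELY_SERVICE = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http",
                  443: "https", 3389: "rdp"}


def is_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect() probe: the port is open if the three-way handshake completes.
    A refused connection (RST) and a timeout (dropped by a filter) both count as not open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def port_scan(host: str, ports: Iterable[int], workers: int = 32) -> Dict[int, bool]:
    """Probe each port concurrently and return {port: is_open}."""
    port_list = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: is_port_open(host, p), port_list))
    return dict(zip(port_list, flags))


def open_ports_with_guess(scan: Dict[int, bool]) -> List[Tuple[int, str]]:
    """Reduce a scan result to the open ports and the service an attacker would guess."""
    return [(p, LIKELY_SERVICE.get(p, "unknown")) for p, up in sorted(scan.items()) if up]


def start_target(port: int = 0) -> socket.socket:
    """Stand up a throwaway listener on 127.0.0.1 to act as the 'active target'.
    The kernel completes the handshake from the listen backlog, so no accept() is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv


def free_port() -> int:
    """Pick a port that is currently closed: bind to port 0, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[int, bool]:
    """Scan one listening port and one closed port on localhost; returns {port: is_open}."""
    target = start_target()
    try:
        open_p = target.getsockname()[1]
        closed_p = free_port()
        return port_scan("127.0.0.1", [open_p, closed_p])
    finally:
        target.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"127.0.0.1:{port} -> {'open' if state else 'closed'}")
```

A connect() scan is the noisiest form of port scan: every probe completes a full handshake, so the target's service logs and any intrusion detection system see it. That is exactly why step B and C traffic is a useful detection signal for defenders.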
7. Security Basics

■ Confidentiality ensures that computer-related assets are accessed only by authorized
parties. Confidentiality is sometimes called secrecy or privacy.
■ Integrity means that assets can be modified only by authorized parties or only in
authorized ways.
■ Availability means that assets are accessible to authorized parties at appropriate times.
Legitimate access should not be prevented.
[Figure: relationship between confidentiality, integrity, and availability]
8. Active and Passive Attacks
The main aim of a security system is to prevent and detect security attacks. Security
attacks are classified as passive attacks and active attacks.
Passive Attacks: a passive attack is a read-only attack in which the attacker is interested
only in gathering information, without disrupting the computer system's operations or
services.
■ involves monitoring and analysis of data transmissions to gain meaningful information
(eavesdropping);
■ includes traffic analysis, where raw data is studied and analyzed to deduce interesting
patterns from it (who talks to whom, how often, how much), which works even when the
content itself is encrypted;
■ silent in nature, showing no immediate or visible signs of attack, and hence very
difficult to detect; the emphasis is therefore on prevention, for example by encryption;
■ Threat to confidentiality.

Active Attacks: involve alteration of data or disruption of the normal working of a system.
– try to change system resources or affect their operation (modification, fabrication,
replay, denial of service);
– Threat to integrity and availability;
– prevention of these attacks is quite difficult because of the broad range of potential
physical, network and software vulnerabilities;
– the emphasis is therefore on detection of the attack and recovery from any disruption or
delay caused by it.
9. Common Types of Attacks
Password-Based Attacks: the attacker tries to find a valid user account, by guessing,
dictionary or brute-force attacks against the login, or by cracking stolen password hashes
offline. After gaining access to your network with a valid account, an attacker can do any
of the following:
 Obtain lists of valid user and computer names and network information.
 Modify server and network configurations, including access controls and routing
tables.
 Modify, reroute, or delete your data.
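As an added example (not from the original slides), the block below shows the two sides of a password-based attack on constructed data: an offline dictionary attack against a leaked store of unsalted SHA-256 hashes, the same attack against salted PBKDF2 records, and a simple lockout guard for the online case. The user list, the wordlist and the iteration counts are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample data: three accounts and a short attacker wordlist.
USERS = {"alice": "password", "bob": "Tr0ub4dor&3!x", "carol": "letmein"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "Welcome1", "summer2023"]


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# What a "leaked" store of unsalted SHA-256 hashes looks like to the attacker.
LEAKED_SHA256: Dict[str, str] = {u: sha256_hex(p) for u, p in USERS.items()}


def crack_unsalted(hashes: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes: hash each candidate ONCE and look it up
    against every account at the same time. Returns (cracked, hashes_computed)."""
    table = {sha256_hex(w): w for w in wordlist}          # a tiny precomputed table
    cracked = {user: table[h] for user, h in hashes.items() if h in table}
    return cracked, len(table)


def make_record(password: str, iterations: int = 100_000) -> Dict[str, object]:
    """Defence: per-user random salt plus an iterated (slow) KDF, PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: Dict[str, object], password: str) -> bool:
    """Recompute the KDF and compare in constant time so the check leaks no timing info."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def crack_salted(records: Dict[str, Dict[str, object]], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Same dictionary attack against salted records: the salt forces one KDF run per
    (user, candidate) pair, so the work grows with the number of users as well as words,
    and each run is deliberately slow. Returns (cracked, kdf_runs)."""
    words = list(wordlist)
    cracked, work = {}, 0
    for user, rec in records.items():
        for w in words:
            work += 1
            if verify(rec, w):
                cracked[user] = w
                break
    return cracked, work


class LoginGuard:
    """Online control: lock an account after too many failures inside a time window."""

    def __init__(self, max_attempts: int = 5, window: float = 900.0):
        self.max_attempts, self.window = max_attempts, window
        self._failures: Dict[str, List[float]] = {}

    def _recent(self, user: str, now: float) -> List[float]:
        return [t for t in self._failures.get(user, []) if now - t < self.window]

    def record_failure(self, user: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._failures[user] = self._recent(user, now) + [now]

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent(user, now)) >= self.max_attempts


if __name__ == "__main__":
    cracked, work = crack_unsalted(LEAKED_SHA256, WORDLIST)
    print("unsalted SHA-256:", cracked, "hashes computed:", work)
    records = {u: make_record(p, iterations=20_000) for u, p in USERS.items()}
    cracked, work = crack_salted(records, WORDLIST)
    print("salted PBKDF2:   ", cracked, "KDF runs:", work)
```

Note that salting and a slow KDF do not save accounts whose password is in the wordlist; they only raise the attacker's cost per guess and stop one table from cracking every account at once. The weak passwords are still recovered, which is the argument for password policy and multi-factor authentication on top.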
Denial-of-Service Attack: prevents normal use of your computer or network by valid users.
The attacker does not need an account on your network to do this, and can do any of the
following:
 Divert the attention of your internal Information Systems staff so that they do not
see the intrusion immediately.
 Send invalid data to applications or network services, which causes abnormal
termination or behavior.
 Flood a computer or the entire network with traffic until it shuts down.
 Block traffic, which results in a loss of access to network resources.
Man-in-the-Middle Attack: occurs when someone positioned between you and the person
with whom you are communicating is actively monitoring, capturing, and controlling your
communication transparently, so that both ends believe they are talking directly to each
other.
Sniffer Attack: a sniffer is an application or device that can monitor and capture network
data exchanges and read the individual network packets. Using a sniffer, an attacker can do
any of the following:
 Analyze your network and gain information (addresses, protocols, services) to
eventually cause your network to crash or to become corrupted.
 Read your communications, including any credentials sent in clear text.
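To make "read your communications" concrete, here is an added example (not from the original slides) of the decoding a sniffer performs: it parses constructed IPv4/TCP packets, pulls out the application payload, and recovers an HTTP Basic authentication credential, while a second, TLS-like packet shows that encryption leaves the sniffer only the header fields. The addresses, ports, packets and the credential are all constructed for the demo; checksums are left at zero because nothing here is sent on a real network.

```python
import base64
import socket
import struct
from typing import Dict, List, Optional, Tuple


def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4+TCP packet (checksums zero) standing in for one a
    sniffer would capture off the wire."""
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport,        # source / destination port
                          1000, 2000,          # seq / ack numbers (constructed)
                          5 << 4,              # data offset: 5 words = 20 bytes, no options
                          0x18,                # flags PSH|ACK
                          65535, 0, 0)         # window, checksum, urgent pointer
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,   # version 4 / IHL 5, TOS, total length
                         0, 0,                 # identification, flags + fragment offset
                         64, 6, 0,             # TTL, protocol 6 = TCP, checksum
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw: bytes) -> Dict[str, object]:
    """Decode the IPv4 and TCP headers the way a sniffer does; return the header
    fields plus the application payload."""
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or len(raw) < ihl:
        raise ValueError("not an IPv4 packet")
    proto = raw[9]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    info: Dict[str, object] = {"src": src, "dst": dst, "proto": proto, "payload": b""}
    if proto != 6:                      # only TCP is decoded in this demo
        return info
    tcp = raw[ihl:]
    sport, dport, _seq, _ack, doff_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (doff_byte >> 4) * 4     # TCP header length in bytes
    info.update({"sport": sport, "dport": dport, "flags": flags, "payload": tcp[data_off:]})
    return info


def find_basic_auth(payload: bytes) -> Optional[Tuple[str, str]]:
    """HTTP Basic authentication is base64, not encryption: anyone who can read the
    packet can recover the username and password."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2].strip()
            try:
                user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                return None
            return user, pw
    return None


def sniff(packets: List[bytes]) -> List[Dict[str, object]]:
    """Run every captured packet through the decoder and report any credentials found."""
    findings = []
    for raw in packets:
        pkt = parse_packet(raw)
        creds = find_basic_auth(pkt["payload"]) if pkt["proto"] == 6 else None
        findings.append({"src": pkt["src"], "dst": pkt["dst"],
                         "dport": pkt.get("dport"), "credentials": creds})
    return findings


# Constructed capture: one clear-text HTTP request carrying Basic auth, and one
# TLS-record-like payload (opaque bytes) showing what encryption leaves a sniffer.
HTTP_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:S3cret!") + b"\r\n\r\n")
TLS_LIKE = bytes.fromhex("16030100") + b"\x00" * 16
CAPTURE = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.10", 51234, 80, HTTP_REQUEST),
    build_ipv4_tcp("10.0.0.5", "10.0.0.10", 51235, 443, TLS_LIKE),
]

if __name__ == "__main__":
    for finding in sniff(CAPTURE):
        print(finding)
```

The second packet is the caveat a practitioner wants: with encryption the sniffer still learns the endpoints, ports and timing (the raw material of traffic analysis from section 8), but not the credential.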
Spoofing: making data look like it has come from a different source. A protocol expects
the sender to fill in the source field with its own address, but nothing in the protocol
itself stops a sender from filling in another system's address.
There are several forms of spoofing.
1. E-mail spoofing
2. IP address spoofing
3. Spoofing and trusted relationships
4. Spoofing and sequence numbers
1. Email Spoofing
E-mail spoofing is sending a message with a From address different from your own. SMTP
does not verify the From header, so the recipient's mail client simply displays whatever
the sender wrote there.
2. Identity Spoofing (IP Address Spoofing)
An attacker might use special programs to construct IP packets that appear to originate
from valid addresses inside the corporate intranet, so that filters which trust internal
addresses let them through. Having gained such access, the attacker can modify, reroute,
or delete your data.
Distributed Denial of Service attack (DDoS)
– The goal of a DDoS attack is to deny the use of or access to a specific service or
system.
– It overwhelms the target with traffic from many different systems (typically compromised
machines under the attacker's control), so that blocking any single source does not stop it.
Replay Attacks – the attacker captures a portion of a communication between two parties
and retransmits it at a later time. For example, an attacker might replay a series of
commands and codes used in a financial transaction; because the captured messages were
genuine, they pass any check that looks only at their content or signature.
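The following is an added example, not code from the original slides, that plays out the financial-transaction replay above on both a naive and a hardened server. Each transfer order is authenticated with an HMAC over its content; the naive server accepts the captured order a second time because the signature is still valid, while the hardened server also demands a fresh timestamp and a nonce it has not seen before. The shared key, account balances and timestamps are assumptions constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set

KEY = b"constructed-shared-secret"     # assumed: client and server share this HMAC key


def sign(msg: Dict[str, object], key: bytes = KEY) -> bytes:
    """Canonical JSON body + HMAC-SHA256 tag. The tag proves the body is genuine and
    unmodified; it says nothing about WHEN or how often the body is delivered."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def transfer(src: str, dst: str, amount: int, ts: int, nonce: Optional[str] = None) -> bytes:
    """Client side: a signed transfer order. The nonce and timestamp are what make a
    replay detectable; they are covered by the signature so they cannot be swapped."""
    msg = {"op": "transfer", "from": src, "to": dst, "amount": amount, "ts": ts,
           "nonce": nonce or secrets.token_hex(16)}
    return sign(msg)


class BankServer:
    """check_replay=False models the naive server; True adds a freshness window and a
    nonce cache so an identical, correctly signed message is accepted only once."""

    def __init__(self, key: bytes = KEY, check_replay: bool = True, window: int = 300):
        self.key, self.check_replay, self.window = key, check_replay, window
        self.seen: Set[str] = set()
        self.balances: Dict[str, int] = {"alice": 1000, "mallory": 0}

    def handle(self, wire: bytes, now: int) -> str:
        body, _, tag = wire.rpartition(b".")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad signature"          # tampered or forged content
        msg = json.loads(body)
        if self.check_replay:
            if abs(now - msg["ts"]) > self.window:
                return "rejected: stale timestamp"    # bounds how long the nonce set grows
            if msg["nonce"] in self.seen:
                return "rejected: replay"             # this exact order was seen before
            self.seen.add(msg["nonce"])
        if self.balances.get(msg["from"], 0) < msg["amount"]:
            return "rejected: insufficient funds"
        self.balances[msg["from"]] -= msg["amount"]
        self.balances[msg["to"]] = self.balances.get(msg["to"], 0) + msg["amount"]
        return "accepted"


def replay_scenario(check_replay: bool) -> Dict[str, object]:
    """Alice sends one genuine order; Mallory captures the bytes and re-sends them,
    then tries editing the amount in the captured bytes."""
    now = 1_700_000_000
    server = BankServer(check_replay=check_replay)
    captured = transfer("alice", "mallory", 100, ts=now)        # genuine message
    first = server.handle(captured, now)
    replayed = server.handle(captured, now + 5)                 # Mallory's retransmission
    tampered = captured.replace(b'"amount":100', b'"amount":900')
    forged = server.handle(tampered, now + 6)
    return {"first": first, "replayed": replayed, "forged": forged,
            "alice": server.balances["alice"]}


if __name__ == "__main__":
    print("naive server:   ", replay_scenario(check_replay=False))
    print("hardened server:", replay_scenario(check_replay=True))
```

The tampered message is rejected by both servers, which is the point: integrity protection alone stops modification but not replay. Freshness (timestamp plus nonce, or a server-issued challenge) is a separate property and has to be designed in.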
TCP/IP Hijacking – the attacker takes control of an already existing session between a
client and a server, inheriting whatever authentication the client has already performed.
– The attacker may first perform a denial-of-service attack against the legitimate
client, taking it down so that neither the user nor the client system notices the
extra traffic in the hijacked session.
Phishing Attack – this type of attack uses social engineering techniques to steal
confidential information; the most common purpose of such an attack is to obtain the
victim's banking account details and credentials.
– Phishing attacks tend to use schemes involving spoofed e-mails sent to users that lead
them to malware-infected websites designed to look like real online banking websites.
Malware: Viruses and Logic Bombs
■ Malware includes computer viruses, computer worms, ransomware, Trojan horses,
keyloggers, most rootkits, spyware, dishonest adware, and other malicious software.
■ Viruses can be divided into two types based on their behavior when they are executed:
nonresident and resident viruses.
Nonresident viruses
■ Nonresident viruses can be thought of as consisting of a finder module and a replication
module. The finder module is responsible for finding new files to infect. For each new
executable file the finder module encounters, it calls the replication module to infect that
file. Once it has run, the virus hands control back to the host program and is no longer
active until an infected program is run again.
Resident viruses
■ Resident viruses contain a replication module similar to the one employed by nonresident
viruses, but it is not driven by a finder module. Instead, the virus loads the replication
module into memory when it is executed and ensures that this module runs each time the
operating system is called to perform a certain operation, such as opening or executing a
file.
■ Viruses can also be classified according to their origin, the techniques they use, the
types of files they infect, where they hide, the kind of damage they cause, or the type of
operating system or platform they attack.
Memory Resident Virus
■ These viruses fix themselves in the computer's memory and get activated whenever the
OS runs, infecting the files that are then opened.
■ They can corrupt files and programs that are opened, closed, copied, renamed, etc.
■ Protection is possible by installing an antivirus program.
Direct Action Viruses
■ located in the root directory of the hard disk.
■ When a specific condition is met, the virus goes into action and infects files in the
directories or folders that are specified in the AUTOEXEC.BAT file path.
Boot Sector Virus – affects the boot sector of a hard disk. This is a crucial
part of the disk, in which information about the disk itself is stored along with a
program that makes it possible to boot (start) the computer from the disk.
– It hides in memory until DOS accesses a floppy disk, and then infects that disk's boot
sector as well.
Macro Virus – macro viruses infect files that are created using certain
applications or programs that contain macros, like .doc, .xls, .pps, .mdb, etc.
These mini-programs make it possible to automate a series of operations so
that they are performed as a single action, thereby saving the user from
having to carry them out one by one.
– Macro viruses automatically infect the file that contains the macros, and also the
templates and documents that are opened or created from it.
– Because infected documents are commonly spread as attachments, it is referred to as a
type of e-mail virus.
■ Logic Bombs – are small programs or sections of a program triggered by some event
such as a certain date or time, a certain percentage of disk space filled, the removal of a
file, and so on.
– For example, a programmer could plant a logic bomb to delete critical sections
of code if he or she is terminated from the company.
– They are most commonly installed by insiders with access to the system, since the
trigger code has to be placed inside software the organization already trusts.
– They remain undetected until launched; the results can be destructive, and an entire
data set can be deleted.