Cybersecurity involves protecting information systems and networks from cyber attacks. The key aspects of cybersecurity include techniques for threat and attack analysis and mitigation, as well as protection, recovery, and response technologies, processes, and procedures. Cybersecurity aims to secure both individuals and critical infrastructure from a wide range of threats and vulnerabilities in cyberspace. Some of the main sources of security threats stem from weaknesses in network infrastructure design, rapid growth of cyber networks, the hacker community, and insider threats.

Uploaded by Habhaile Asfaw

Chapter One: Overview

Cyber Security

What is Cyber Security?

• A very wide-ranging term with no standard definition.
• It covers all aspects of ensuring the protection of citizens, businesses and critical infrastructures from threats that arise from their use of computers and the internet.
• ‘Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access’.

What is Cyberspace?
‘Cyberspace is a worldwide network of computers and the equipment that connects them, which by its very design is free and open to the public (the Internet)’

Internet-enabled crime
• Criminals see lower risks and higher rewards from cyber crime than from ‘physical’ crime
• Stealing confidential and national secrets by intelligence agencies and others now involves illegally accessing digitized information.
• Nation states have the potential to disrupt an enemy’s economy and perhaps reach their strategic objectives without risk to their armed forces
• There are fewer online barriers to anti-social behavior on the net than in face-to-face interaction.
• Cybersecurity = security of cyberspace (information systems and networks)
• Cybersecurity = security of information systems and networks with the goal of protecting operations and assets
• Cybersecurity = security of information systems and networks in the face of attacks, accidents and failures with the goal of protecting operations and assets.
Scope of cybersecurity
• Techniques of threat and attack analysis and mitigation
• Protection and recovery technologies, processes and procedures for individuals, business and government
• Policies, laws and regulation relevant to the use of computers and the Internet

Cybersecurity is a socio-technical systems problem
• Security problems almost always stem from a mix of technical, human and organizational causes.
• Cyber security is most concerned with cyber attacks
• Cybersecurity is all about protecting against, repelling and recovering from cyberattacks.

Cyber attack
• A malicious attempt, using digital technologies, to cause personal or property loss or damage, and/or steal or alter confidential personal or organizational data.
Insider attacks
• Attacks on an organization carried out by someone who is inside that organization.
• Difficult to counter using technical methods, as the insider may have valid credentials to access the system.
External attacks
• Attacks on an organization carried out by an external agent.
• Requires either valid credentials or the exploitation of some vulnerability to gain access to the systems.
Threat Model
• Threat modeling is among the hardest tasks of a security researcher
• Adversary resources and capabilities:
- Every power that the adversary has
- E.g. parts of the system observed, parts of the system that can be influenced, parties they can corrupt
• Strategic Adversary:
- The adversary will choose to commit resources optimally to violate the security properties
Protection
• What is it that you want to protect?
- Defining assets
• What are the goals of the protection efforts?
- Security properties
• What do you want to protect against?
- Attack: any maliciously intended act against a system or a population of
systems; any action that violates a given security policy

Threats vs Vulnerabilities
• Threats
- Define who might attack against what assets, using what
resources, with what goal in mind, when/where/why, and with
what probability
• Vulnerabilities
- Specific weakness in security that could be exploited by
adversaries with a wide range of motivations and interest in a lot
of different assets

• Example 1:
-Threat: Thieves could break into our facility and steal our
equipment
-Vulnerability: The lock we are using on the building doors is
easy to pick
• Example 2:
- Threat: Adversaries might install malware so they can steal
social security numbers for identity theft
- Vulnerability: My computer does not have up-to-date virus
signatures and/or has an insecure browser
Harm vs Attack
• Harm
-Negative consequence of an actualized threat
-E.g., a stolen computer, modified or lost file, revealed private letter, or
denial of access
- Usually, harm occurs when a threat is realized against a vulnerability
• Attack
- An attempt by an adversary to cause harm to valuable assets, usually
by trying to exploit one or more vulnerabilities

More definitions
• Threat Assessment
- Attempting to predict the threat
• Vulnerability Assessment
- Attempting to discover security vulnerability
• Risk
- The combination of the probability of an event and its
consequence
• Risk Management
- Attempting to minimize (security) hazards by deciding intelligently how to deploy, modify, or re-assign security resources.
Countermeasures
• Countermeasure (or control):
- A means to counter threats
- To protect against harm, we can neutralize the threat, close the
vulnerability, or both.
• Typical countermeasures involve:
- Prevention: blocking the attack or closing the vulnerability
- Dissuasion: making the attack harder but not impossible
- Deflection: making another target more attractive
- Mitigation: making its impact less severe
- Detection: either as it happens or some time after the fact
- Recovering from the attack and making sure it doesn’t happen again
Some Numbers
• Adware industry is worth $2 billion/year, malware industry is $105 billion/year
• 50%-80% of computers connected to the Internet are infected with spyware
• 81% of emails are spam (Symantec report 2011)
• 90% of web applications are vulnerable (Cenzic 2009)
• 5.5 billion malware attacks in 2011 (Symantec 2011); 2012: 42% increase in targeted attacks
• In the UK, £1B is lost to cybersecurity attacks every year; 1 in 5 individuals affected
• Good news:
- The cyber security market in 2011 was worth $63.7 billion, expected to grow to about $120.1 billion by 2017
Some reasons
• System and network administrators are not prepared
- Insufficient resources
- Lack of training
• Attackers leverage the availability of broadband connections
- Many connected home computers are vulnerable
- Collections of compromised home computers are “good” weapons for attacks
• High speed networking, powerful CPUs, always on

Bugs and failure
• Hardware and software are developed by humans and therefore are not perfect
• A human error may introduce a bug (or fault)
• When a fault gets triggered, it might generate a failure…
- If the fault is “security-related”, it is usually called a vulnerability
- When the vulnerability is triggered (exploited), it can lead to a compromise

Changing Nature of the Threat
• Attackers are more prepared and organized
• Attacks are easy, low-risk and difficult to trace
• Increasingly sophisticated but also easy to use
• Source code is not required to find vulnerabilities
• The complexity of Internet-related applications and protocols is increasing - and so is our dependency on them

Insecure Software
• Technical factors
- Complexity of task, composition, changes
• Economic factors
- Open-source vs closed-source
- Security is not a feature
- Deadlines
- Insufficient funding/resources
• Human factors
- Mental models
- Social factors
- Poor risk analysis
SOURCES OF SECURITY THREATS

FACTORS

• Weakness in the network infrastructure and communication protocols
• Rapid growth of cyberspace into a vital global communication and business network
• International commerce and business transactions are increasingly being performed
• Many national critical infrastructures are being connected
• The growth of the hacker community
• The Insider effect
1. DESIGN PHILOSOPHY

• Growth of the Internet and cyberspace is based on an open architecture
• Not based on clear blueprints
• New developments and additions came about as reactions to the shortfalls and changing needs of a developing infrastructure
• Lack of a comprehensive blueprint and the demand-driven design and development of protocols are causing the ever-present weak points and loopholes
• Developers of the network infrastructure and protocols also followed a policy to create an interface that is user-friendly, efficient, and transparent

2. WEAKNESS IN NETWORK INFRASTRUCTURE AND COMMUNICATION PROTOCOLS
• The Internet is a packet network that works by breaking data into packets
• As packets are disassembled, transmitted, and reassembled, the security of each individual packet and of the intermediary transmitting elements must be guaranteed
• Three-way handshake…..
• When a half-open port remains open, an intruder can enter the system
• Packet transmissions between network elements can be intercepted and their contents altered, such as in an initial sequence number attack

3. RAPID GROWTH OF CYBERSPACE

• Growth of Internet users and devices
• Brought in more and more users with varying ethical standards, added more services, and created more responsibilities
• Ease of use of and access to the Internet, and the large quantities of personal, business, and military data stored on the Internet, are slowly turning into a massive security threat
• More and more people with dubious motives were also drawn to the Internet because of its enormous wealth of everything

4. GROWTH OF HACKER COMMUNITY

5. VULNERABILITY IN OPERATING SYSTEM PROTOCOL
• The OS plays a crucial role in the security of the system by providing access to vital system resources
• Software errors, especially network operating system errors
• A vulnerable OS can allow an attacker to take over a system and do anything that any authorized super user can do
• Hackers look for OS-identifying information, like file extensions, for exploits
THE INTERNET IS FUNDAMENTALLY OPEN
Facts:
• We don’t know what’s on our own nets
• What’s on our nets is bad, and existing practices aren’t finding everything
• Threat is in the “interior”
• Threat is faster than the response
• “Boundaries” are irrelevant
• We don’t know what is on our partner’s nets nor on the points of intersection
• Compromises occur despite defenses
• Depending on the motivation behind any particular threat, it can be a nuisance, costly or mission threatening
6. THE INVISIBLE SECURITY THREAT – THE INSIDER EFFECT
• The greatest threat to security in any enterprise is the guy down the hall
• Many company executives and security managers had for a long time neglected to deal with the guys down the hall selling corporate secrets to competitors
• Company insiders intentionally or accidentally misusing information pose the greatest information security threat to today’s internet-centric businesses

7. SOCIAL ENGINEERING

• The insider effect can also involve insiders unknowingly being part of the security threat through the power of social engineering
• Consists of an array of methods an intruder such as a hacker can use to gain system authorization by masquerading as an authorized user of the network.
• Can be carried out using a variety of methods, including physically impersonating an individual known to have access to the system, online, by telephone, and even in writing

8. PHYSICAL THEFT

• As the demand for information by businesses to stay competitive and by nations to remain strong heats up, theft is on the rise
• E.g. laptops, PDAs, mobile devices

SECURITY THREAT MOTIVES

1. TERRORISM

• Electronic terrorism is used to attack military installations, banking and many other targets of interest based on politics, religion, and probably hate
• Cyber-terrorism is not only about obtaining information; it is also about instilling fear and doubt and compromising the integrity of the data

2. MILITARY ESPIONAGE

• Countries competed for military spheres during the Cold War
• Shift to gaining access to highly classified information for military or economic advantages without spending a great deal of money on the effort

3. ECONOMIC ESPIONAGE

• Targets economic trade secrets (financial, business, scientific, technical, economic, or engineering information) and
• all types of intellectual property including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, procedures, programs, and/or codes

4. TARGETING THE NATIONAL INFORMATION INFRASTRUCTURE
• Foreign power-sponsored or foreign power-coordinated activity directed at a target country, corporation, establishments, or persons
• Targets specific facilities, personnel, information, or computer, cable, satellite, or telecommunication systems
• Activities may include:
• Denial or disruption of systems, devices, etc.
• Unauthorized monitoring of ….
• Unauthorized disclosure of proprietary or classified information stored within or communicated through
• Modification or manipulation of systems, operations and data

5. VENDETTA/REVENGE

• Unhappy with big business, multi-nationals, big governments, a million others
• Used as paybacks for what the attacker or attackers consider to be an injustice done that needs to be avenged
• E.g.: political reasons, promotion denied, family, ….

6. HATE

• An individual or individuals with a serious dislike of another person or group of persons based on a string of human attributes:
• National origin, gender, and race, or mundane ones such as the manner of speech one uses

7. NOTORIETY / GREED / IGNORANCE

• Especially young hackers try to break into a system to prove their competence and to show off to their friends that they are intelligent or superhuman in order to gain respect
• Many intruders into company systems do so to gain financially from their acts
• A novice in computer security stumbles on an exploit or vulnerability and, without knowing or understanding it, uses it to attack other systems

SECURITY THREAT MANAGEMENT

• A technique used to monitor an organization’s critical security systems in real time to review reports from the monitoring sensors such as intrusion detection systems, firewalls, and other scanning sensors
• Reviews help to reduce false positives from the sensors, develop quick response techniques for threat containment and assessment, and correlate and escalate true positives
• Among the techniques: risk assessment and forensic analysis

• Risk Analysis
• With security threats all targeting the same resource, each threat will cause a different risk
• Important to decide which threat to deal with first

• Forensic Analysis
• Done after a threat has been identified and contained

SOME TYPES OF CYBER THREATS

Type                | Motivation                                | Target                                                 | Method
Information Warfare | Military or political dominance           | Critical infrastructure, political and military assets | Attack, corrupt, exploit, deny, conjoint with physical attack
Cyber Espionage     | Gain of intellectual property and secrets | Governments, companies, individuals                    | Advanced Persistent Threats
Cyber Crime         | Economic gain                             | Individuals, companies, governments                    | Fraud, ID theft, extortion, attack, exploit
Cracking            | Ego, personal enmity                      | Individuals, companies, governments                    | Attack, exploit
Hacktivism          | Political change                          | Governments, companies                                 | Attack, defacing
Cyber Terror        | Political change                          | Innocent victims, recruiting                           | Marketing, command and control, computer based violence
CYBER RISKS ARE AN INCREASING THREAT TO SOURCES OF ENTERPRISE CAPABILITY AND BRAND COMPETITIVENESS

Risk                                        | Examples                                                                                                                          | Timing
Extortion                                   | Phishing and pharming driving increased customer costs, especially for the financial services sector; DDoS extortion attacks      | Now
Loss of intellectual property/data          | National security information/export controlled information; sensitive competitive data; sensitive personal/customer data          | Now
Potential for disruption (as part of cyber conflict, i.e. Estonia; as target of cyber protest, i.e. anti-globalization) | eBusiness and internal administration; connections with partners; ability to operate and deliver core services | Emerging
Potential accountability for misuse (i.e. botnets) | Reputational hits; legal accountability                                                                                    | Now
Potential for data corruption               | Impact operations or customers through data                                                                                       | Future
Terrorism                                   | DDoS and poisoning attacks; focused attacks coordinated with physical attacks                                                     | Emerging
HOW TO IDENTIFY THREATS?

THREAT MODELLING PROCESS

1. Identify Assets
2. Create an Architecture Overview
3. Decompose the Application
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
VULNERABILITIES

• Definition
• System vulnerabilities are weaknesses in the software or hardware on a server or a client that can be exploited by a determined intruder to gain access to or shut down a network
• System vulnerability as a condition: a weakness of or an absence of security procedures, or of technical, physical, or other controls, that could be exploited by a threat
• Vulnerabilities exist not only in the hardware and software that constitute a computer system but also in policies and procedures, especially security policies and procedures
• Vulnerability is a weakness which allows an attacker to reduce a system’s information assurance
• It is the intersection of three elements:
• A system susceptibility or flaw
• Attacker access to the flaw, and
• Attacker capability to exploit the flaw

SOURCES OF VULNERABILITIES

• The frequency of attacks in the last several years, and the speed and spread of these attacks, indicate serious security vulnerability problems in our systems
• Most frequently mentioned sources
• Design flaws
• Poor security management
• Incorrect implementation
• Internet technology vulnerability
• Nature of intruder activity
• Difficulty of fixing vulnerabilities
• Limits in effective reaction solution
• Social engineering
1. DESIGN FLAWS

1.1 Human Factors

• Poor software performance can be a result of:
• Memory lapses and attentional failures
• Rush to finish
• Overconfidence and use of nonstandard or untested algorithms
• Malice
• Complacency

1.2 Software Complexity

• Complexity
• Difficult testing
• Ease of programming
• Misunderstanding of basic design specifications

1.3 Trustworthy Software Sources
• Open source movement

1.4 Software Re-Use, Re-engineering, and Outlived Design
• Cutting down on the escalating development and testing costs
• Reducing time spent designing or coding
• Mismatch between re-used requirements and the real situation

2. POOR SECURITY MANAGEMENT

• Little control over security implementation, administration and monitoring
• Good Security Management
• A risk analysis will identify these assets, discover the threats that put them at risk, and estimate the possible damage and potential loss a company could endure if any of these threats become real
• Security policies and procedures to create, implement, and enforce security issues that may include people and technology
• Standards and guidelines to find ways, including automated solutions, for creating, updating, and tracking compliance with security policies across the organization
• Information classification to manage the search, identification, and reduction of system vulnerabilities by establishing security configurations
• Security monitoring to prevent and detect intrusions, consolidate event logs for future log and trend analysis, manage security events in real time, manage perimeter security including multiple firewall reporting systems, and analyze security events enterprise-wide
• Security education to bring security awareness to every employee of the organization and teach them their individual security responsibility

3. INCORRECT IMPLEMENTATION

• Many security problems result from incorrect implementation of both hardware and software
• Result of incompatible interfaces
• Incompatibility that results in bad or incomplete implementation

• Incompatibility in system interfaces may be caused by a variety of conditions usually created by things such as:
• Too much detail
• Not enough understanding of the underlying parameters
• Poor communication during design
• Selecting the software or hardware modules before understanding the receiving software
• Ignoring integration issues
• Error in manual entry
4. INTERNET TECHNOLOGY VULNERABILITY

• Operating system vulnerabilities
• Port-based vulnerabilities
• Application software based errors
• System protocol software such as client and server browsers

5. CHANGING NATURE OF HACKER TECHNOLOGIES AND ACTIVITIES

• Hacker technology is flourishing
• Turnaround time vs. response time
• Factors:
• Ease of availability of hacker tools
• Ability of hackers to disguise their identity and location
• Automation of attack technology with further distance

6. DIFFICULTY OF FIXING VULNERABLE SYSTEMS

• Number of vulnerabilities rises
• System admins are facing chronic problems:
• the never-ending system maintenance,
• limited resources, and
• highly demanding management

7. LIMITS OF EFFECTIVENESS OF REACTIVE SOLUTIONS

• Number of vulnerabilities
• The Internet connects more than a billion computers and devices
• Attack technology is now advanced and complex
• Internet users are dependent on the Internet

VULNERABILITY ASSESSMENT

• Vulnerability Assessment Services
• Vulnerability Scanning
• Vulnerability Assessment and Penetration Testing
• Application Assessment

SECURITY ATTACK

ATTACK

• Four primary classes of attacks exist:
• Reconnaissance
• Access
• Denial of service
• Worms, viruses, and Trojan horses

ATTACK

1. Reconnaissance
• Is the unauthorized discovery and mapping of systems, services, or vulnerabilities.
• Also known as information gathering, which precedes an actual access or denial-of-service (DoS) attack.
• Analogous to a thief casing a neighborhood for vulnerable homes to break into
• such as an unoccupied residence, easy-to-open doors, or open windows
• Reconnaissance attacks can consist of the following:
• Packet sniffers, port scans, ping sweeps, Internet information queries

ATTACK

2. Access
• Ability for an unauthorized intruder to gain access to a device for which the intruder does not have an account or a password
• Entering or accessing systems which one does not have authority to access
• Involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked
• Consists of the following:
• Password attacks, trust exploitation, port redirection, man-in-the-middle attacks, social engineering, phishing
ATTACK

3. Denial of Service (DoS)
• Implies that an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users
• DoS attacks involve either crashing the system or slowing it down to the point that it is unusable
• DoS can also be as simple as deleting or corrupting information, which involves running a hack or script.
• The attacker does not need prior access to the target; a way to reach it is usually all that is required
• DoS attacks are the most feared
• Examples: Ping of death, SYN flood attack, packet fragmentation and reassembly, e-mail bombs, CPU hogging, malicious applets, misconfiguring routers, the chargen attack, out-of-band attacks such as WinNuke
ATTACK

4. Worms, Viruses, and Trojan Horses
• Malicious software is inserted onto a host to damage a system; corrupt a system; replicate itself; or deny services or access to networks, systems or services.
• They can also allow sensitive information to be copied or echoed to other systems.
• Trojan horses can be used to ask the user to enter sensitive information in a commonly trusted screen

CYBER ATTACK

• An illegal attempt to gain something from a computer system or network
• Types of cyber attack
• Cyber fraud
• Cyber spying
• Cyber stalking and bullying
• Cyber assault
• Cyber warfare
CYBER ATTACK

• Cyber fraud
• Cyber attacks that are generally aimed at gaining monetary or related gains for the perpetrator.
• Phishing attacks combined with fake websites to steal users’ personal details and, with these, steal money from their accounts
• Fraudsters set up a fake website that looks like a bank website
• Emails are sent to large numbers of recipients with a link to this site and a message trying to lure them to log on
• If they click on the link, their personal details are collected and then used by the fraudster to access their legitimate site
CYBER ATTACK

• Cyber spying
• Cyber attacks aimed at gaining information for the perpetrator.
• One aim of cyber-spying may be to sell the information gained

• Cyber stalking and bullying
• Cyber attacks which are designed to frighten and intimidate individuals rather than businesses or government
• Usually social media based – Facebook or Twitter

CYBER ATTACK

• Cyber assault
• Cyber-attacks aimed at causing damage to the information or equipment that is being attacked
• Damage may be physical damage to equipment, reputational damage, or corruption or deletion of important information
• Cyber bullying is also a form of cyber assault, as its aim is to cause psychological damage
• Related to cyber fraud in that some attacks, such as Distributed Denial of Service (DDoS) attacks, may be precursors to attempts to extort money from those affected by the attacks
CYBER ATTACK

• Cyber warfare and terrorism
• An extreme form of cyber-assault where at least one of the parties involved is a nation state.
• These are much harder to validate as, for obvious reasons, neither the perpetrator nor the victim wishes to release information
• Denial of service attacks – Government and critical infrastructure sites attacked by DoS attacks with a view to taking them offline
• Malware – Malware introduced to target and damage government and infrastructure facilities

• The danger of cyber war and cyber terrorism
• Digital revolution and technology evolution
• Civilian (private/individual and public) as well as military life depend on digital infrastructure and computer technology
• New type of battlefield for war and a new type of scene for terrorism
• Cyber war and cyber terrorism: war and terror activity via the Internet and information systems
• Cyber terrorism: high-tech and without physical boundaries; the legal response: slow and with obstacles
• Cyber war: a military matter in the context of defense policy
CYBER ATTACK

• Can also be classified into:
• Web-based attacks
• Attacks on a website or web application
• System-based attacks
• Attacks that are intended to compromise a computer or a computer network

WEB-BASED ATTACKS

• Injection attacks
• In this type of attack, some data is injected into a web application to manipulate the application and get the required information
• Ex: SQL Injection, Code Injection, Log Injection, XML Injection, etc.
• SQL injection (SQLi) is the most common type of injection attack
• In SQLi, a customized string is passed to the web application, manipulating the query interpreter and gaining access to unauthorized information
• SQLi can be prevented to some extent by proper validation of data and by enforcing the least privilege principle
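The SQLi mechanism described above, as an added example that is not part of the original slides: a login query built by string concatenation beside the parameterised version, run against an in-memory SQLite table. The table, the two accounts and the injected string are constructed for the demo; the hardened version additionally relies on the least-privilege rule the slide mentions (the database account should only be able to read the users table).

```python
"""Added example (not from the original slides): SQL injection against a
string-built query, and the parameterised query that closes the hole.
All table names, rows and inputs below are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed users table with two sample accounts.
    Passwords are stored in clear text only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The 'before' version: user input is spliced straight into the query
    text, so a crafted string reaches the query interpreter as SQL."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The hardened version: placeholders make the driver pass the values
    separately from the query text, so input is always data, never SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo() -> dict:
    """Run both versions with a legitimate login and the classic tautology
    string; returns row counts so the difference is visible."""
    conn = make_db()
    payload = "' OR '1'='1"   # constructed injection string
    return {
        "vuln_legit": len(login_vulnerable(conn, "bob", "hunter2")),
        "vuln_injected": len(login_vulnerable(conn, "nobody", payload)),
        "safe_legit": len(login_safe(conn, "bob", "hunter2")),
        "safe_injected": len(login_safe(conn, "nobody", payload)),
    }


if __name__ == "__main__":
    # The vulnerable query returns every row for the injected input (2);
    # the parameterised one returns none (0).
    print(demo())
```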
WEB-BASED ATTACKS

• File inclusion attack
• A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files available on the web server, or to execute malicious files on the web server, by making use of the include functionality
• It can be further classified into
• Local file inclusion
• Including local files available on the server
• Remote file inclusion
• Includes and executes malicious code from a remotely hosted file
WEB-BASED ATTACKS

• Cross-Site Scripting (XSS)
• This is done by injecting JavaScript into a web page such that it will be executed in the client's browser
• It can be classified into
• Reflected XSS attack
• Stored XSS attack
• DOM-based XSS attack

• DNS Spoofing
• DNS spoofing (or DNS cache poisoning) is a computer hacking attack whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer)
WEB-BASED ATTACKS

• Denial of Service (DoS)
• A DoS attack is an attempt to make a server or network resource unavailable to users
• This is generally done by flooding the server with communication requests
• DoS uses a single system and a single internet connection to attack a server
• Distributed DoS (DDoS) uses multiple systems and internet connections to flood a server with requests, making it harder to counteract
• DoS can be classified into
• Volume based attacks
• goal is to saturate the bandwidth of the attacked site, and is measured in bits per second
• Protocol attacks
• consume actual server resources, and are measured in packets per second
• Application layer attacks
• goal of these attacks is to crash the web server, and is measured in requests per second

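A defender's view of the application-layer class above, as an added example that is not part of the original slides: a rate-based detector that parses constructed web-server access-log lines, keeps a one-second sliding window of request times per source address and reports sources whose peak rate exceeds a threshold (the requests-per-second measure the slide names). The log layout, the addresses and the threshold are assumptions made for this demo.

```python
"""Added example (not from the original slides): requests-per-second flood
detection over constructed access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the common combined-log layout. 198.51.100.9 sends
# six requests inside one second (a flood); 203.0.113.7 is a normal visitor;
# one line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=a HTTP/1.1" 200 1024
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=b HTTP/1.1" 200 1024
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=c HTTP/1.1" 200 1024
this line is not a valid access-log record
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=d HTTP/1.1" 200 1024
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=e HTTP/1.1" 200 1024
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=f HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /about.html HTTP/1.1" 200 256
198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=g HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line: str):
    """Return (ip, timestamp, request line) for a well-formed record, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["req"]


def detect_floods(lines, window=timedelta(seconds=1), threshold=5):
    """Sliding-window request count per source; lines are assumed to be in
    time order. Returns {ip: peak_requests_in_window} for every source whose
    peak exceeds the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> highest window count seen so far
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip malformed records instead of crashing
        ip, ts, _ = rec
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()           # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


if __name__ == "__main__":
    print(detect_floods(SAMPLE_LOG.splitlines()))   # {'198.51.100.9': 6}
```

In production the same logic runs over a live log tail; the threshold should be tuned per endpoint, since a search page legitimately sees far fewer requests per client per second than a static asset does.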
WEB-BASED ATTACKS

• Brute force
• It is a trial and error method
• Generates a large number of guesses and validates them to obtain the actual data (passwords in general)

• Dictionary attack
• Uses a list of commonly used passwords and validates them to get the original password

• Buffer overflow
• Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold
WEB-BASED ATTACKS

• Session hijacking
• Web applications use cookies to store state and details of user sessions
• By stealing the cookies, an attacker can have access to all of the user's data

• URL interpretation
• By changing certain parts of a URL, one can make a web server deliver web pages which he is not authorized to browse

• Social engineering
• It is a non-technical method that relies heavily on human interaction and often involves tricking people into breaking normal security procedures
WEB-BASED ATTACKS

• Man-in-the-middle attack
• Attacker intercepts the connection between client and server and acts as a bridge between them
• Attacker will be able to read, insert and modify the data in the intercepted communication

• Phishing
• Phishing is the attempt to acquire sensitive information, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication
• Spear phishing
• targets specific organizations for confidential data

• Whaling
• the targets are high-ranking bankers, executives or others in powerful positions or job titles
SYSTEM-BASED ATTACKS

• Virus
• A computer virus is a self-replicating malicious computer program that replicates by inserting copies of itself into other computer programs when executed
• It can also execute instructions that cause harm to the system

• Worm
• It works the same as a computer virus
• Can spread to other systems in the network automatically by exploiting vulnerabilities
SYSTEM-BASED ATTACKS

• Trojan horse
• It appears to be a normal application, but when opened/executed some malicious
code runs in the background
• These are generally spread by some form of social engineering

• Backdoors
• A backdoor is a method of bypassing the normal authentication process
• It may be written into the program by the programmer who creates its code (e.g. a hard-coded
maintenance account), in which case it is often known only to that programmer
• It can also be planted afterwards by malware such as a Trojan, giving an attacker remote access

80
SYSTEM-BASED ATTACKS

• Bots
• A bot is an automated process that interacts with other network services
• Malicious bots are installed by malware and controlled remotely; a group of them is a botnet,
used for spam, DDoS and credential stuffing
• Related unwanted software
• Spyware
• Used to gather information about a user without their knowledge
• Adware
• Mainly used for promotion of products by displaying or redirecting to advertisements
• Usually a nuisance rather than destructive, but often bundled with spyware

81
METHODS TO ASSIST IN CYBERATTACKS

• Spoofing
• In spoofing, one party successfully impersonates another by falsifying data
• Ex: IP spoofing, email spoofing, etc.

• Sniffing
• Sniffing is the process of capturing and analyzing the traffic in a network

• Port scanning
• It is a method of probing a system for open ports
• An intruder can then target the services listening on open ports and exploit their vulnerabilities
82
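Port scanning as a practitioner would actually do it, as an added example that is not part of the original slides: a TCP connect scan in Python that classifies each port as open, closed or filtered, with a local listener so the whole thing runs offline. The listener, host address and timeout are assumptions for the demo.

```python
"""TCP connect scan: classify ports as open / closed / filtered.

Added example, not part of the original slides. A connect scan completes the
full TCP handshake, so it needs no raw sockets or root, but it is also the
noisiest kind of scan (every probe shows up in the target's logs).
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable


def open_listener(host: str = "127.0.0.1") -> tuple:
    """Bind a TCP listener on an OS-chosen free port so the scan has a known
    open port to find. Returns (listening socket, port); the caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Probe one port with a full connect().
    open     -> the handshake completed, something is listening
    closed   -> the host answered with RST (connection refused)
    filtered -> no answer before the timeout, usually a firewall dropping probes
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5,
               workers: int = 32) -> dict:
    """Probe many ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> list:
    """Just the ports an intruder would look at next."""
    return sorted(p for p, state in scan_ports(host, ports, timeout).items()
                  if state == "open")


if __name__ == "__main__":
    srv, port = open_listener()          # stand-in for a real service
    try:
        results = scan_ports("127.0.0.1", range(port - 2, port + 3))
        for p, state in sorted(results.items()):
            print(f"{p:5d}/tcp  {state}")
    finally:
        srv.close()
```

The three-way classification is what makes a scan useful to an intruder: "closed" means the host is reachable and nothing listens there, while "filtered" means a firewall is silently dropping the probe, which is itself information about the network's defences.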
Attack Methods
• Eavesdropping
- Get copies of information without authorization
• Masquerading
- Send messages with other‘s identity
• Message tampering
- Change content of message
• Replaying
- Store a message and send it again later, e.g. resend a payment message
• Exploiting
- Use bugs in software to get access to a host
• Combinations
- E.g., man-in-the-middle attack
83
Security Overview
• Security issues at various stages of application life-cycle
- Mistakes, vulnerabilities, and exploits
- Avoidance, detection, and defense
• Architecture
- Security considerations when designing the application
• Implementation
- Security considerations when writing the application
• Operation
- Security considerations when the application is in production
84
The Security LIFE CYCLE
• Threats
• Policy
• Specification
• Design
• Implementation
• Operation and maintenance
85
ARCHITECTURE AND DESIGN
- Validation of requirements (building the right model)
- Verification of design (building the model right)

Common problems
- Authentication and privileges
• Session replay
• Principle of least privilege
- Communication protocol design
• Sniffing, man-in-the-middle
• Session killing, hijacking
- Parallelism and resource access
• Race conditions
- Denial of service
86
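The replay case from the Attack Methods slide (storing a payment message and sending it again) and the session replay problem listed above under Authentication and privileges, as an added example that is not part of the original slides: a signed payment message with a nonce and timestamp, and a server that rejects tampered, stale and replayed copies. The message format, the shared key and the five-minute window are assumptions for the demo.

```python
"""Replay and tampering detection for a signed payment message.

Added example, not part of the original slides. The message format, the
shared key and the freshness window are assumptions for the demo.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key shared by client and server (in practice: per-client, from a KMS).
KEY = b"demo-shared-key-not-a-real-secret"


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so client and server MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_payment(key: bytes, payer: str, payee: str, amount_cents: int,
                 now: Optional[float] = None) -> dict:
    """Client side: fresh random nonce + timestamp, then an HMAC over everything."""
    payload = {
        "payer": payer,
        "payee": payee,
        "amount_cents": amount_cents,
        "nonce": secrets.token_hex(16),
        "ts": int(time.time() if now is None else now),
    }
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


class PaymentServer:
    """Server side: verify the MAC, then reject stale or already-seen messages."""

    def __init__(self, key: bytes, window_s: int = 300):
        self.key = key
        self.window = window_s
        self.seen = {}   # nonce -> timestamp, pruned to the freshness window

    def accept(self, msg: dict, now: Optional[float] = None) -> tuple:
        now = int(time.time() if now is None else now)
        payload, mac = msg["payload"], msg["mac"]
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        # 1. Integrity: any change to the payload (message tampering) breaks the MAC.
        if not hmac.compare_digest(expected, mac):
            return False, "bad signature"
        # 2. Freshness: outside the window, so the nonce store can stay bounded.
        if abs(now - payload["ts"]) > self.window:
            return False, "stale timestamp"
        # Drop nonces older than the window; anything that old is rejected above anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        # 3. Uniqueness: a stored-and-resent copy carries a nonce we have already seen.
        if payload["nonce"] in self.seen:
            return False, "replay"
        self.seen[payload["nonce"]] = payload["ts"]
        return True, "ok"


if __name__ == "__main__":
    server = PaymentServer(KEY)
    msg = sign_payment(KEY, "alice", "bob", 1000)
    print("first delivery :", server.accept(msg))    # (True, 'ok')
    print("attacker resend:", server.accept(msg))    # (False, 'replay')
```

The MAC alone does not stop replay: a captured message is still perfectly valid. The nonce makes each message unique, and the timestamp window keeps the set of nonces the server must remember finite.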
IMPLEMENTATION
- Verification of implementation
- Classic vulnerabilities (often programming-language-specific)

Common problems
- Buffer overflows
• Stack-based: fixed-size local buffers overrun on the stack
• Heap-based: dynamically allocated buffers overrun on the heap
- Input validation
• URL encoding (input must be decoded before it is checked)
• SQL injection
- Back doors
87
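The two input validation problems listed above, as an added example that is not part of the original slides: a login query built by string formatting next to its parameterised form, and a request-path check that percent-decodes before looking for traversal. It uses an in-memory SQLite database with constructed rows; the login and path functions are hypothetical.

```python
"""Input validation: SQL injection and percent-encoded path traversal.

Added example, not part of the original slides. Uses an in-memory SQLite
database with constructed users; the login and path functions are hypothetical.
"""
import posixpath
import sqlite3
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])   # constructed rows
    con.commit()
    return con


def login_vulnerable(con, name: str, password: str) -> bool:
    """Deliberately vulnerable: user input is pasted into the SQL text, so quotes
    and comment markers in the input become part of the query grammar."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(query).fetchone() is not None


def login_safe(con, name: str, password: str) -> bool:
    """Parameterised query: the driver sends the values separately from the SQL
    text, so input can never change the statement's structure."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return con.execute(query, (name, password)).fetchone() is not None


def resolve_request_path(base_dir: str, raw_path: str):
    """Map a URL path onto a file under base_dir, or return None.
    Percent-decoding happens first: a check for '..' on the raw string would miss
    '%2e%2e'. Input that is still encoded after one decode (double encoding) is
    rejected rather than decoded again."""
    decoded = unquote(raw_path)
    if "%" in decoded or "\x00" in decoded:
        return None
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if full != base and not full.startswith(base + "/"):
        return None      # normalised path escaped the document root
    return full


if __name__ == "__main__":
    db = make_db()
    print("injection vs vulnerable login:", login_vulnerable(db, "alice", "' OR '1'='1"))  # True
    print("same input vs safe login    :", login_safe(db, "alice", "' OR '1'='1"))        # False
    print(resolve_request_path("/srv/www", "/docs/%2e%2e/%2e%2e/etc/passwd"))            # None
```

The path check decides on the normalised absolute path, not on the presence of ".." in the input, so encoded, mixed and redundant forms all collapse to the same decision.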
OPERATION
- decisions made after software is deployed
- often not under developer’s control
Common problems
- denial of service (DOS)
• network DOS
• distributed DOS, zombies
- administration problems
• weak passwords
• password cracking
• unsafe defaults
88
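The brute force and dictionary attacks from the Web-Based Attacks slide and the weak passwords / password cracking problems listed above, as one added example that is not part of the original slides: both guessing strategies run against an unsalted fast hash, then against a salted PBKDF2 record to show what the salt and work factor do and do not buy. The wordlist, target passwords and iteration counts are constructed for the demo.

```python
"""Dictionary and brute-force guessing against password hashes, and storage
that raises the cost of each guess.

Added example, not part of the original slides. The wordlist and target
passwords are constructed; real attacks use multi-million-entry lists.
"""
import hashlib
import hmac
import os
from itertools import product

WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]  # constructed


def sha256_hex(password: str) -> str:
    """Unsalted fast hash: the kind of storage these attacks are built for."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hex, wordlist, hash_fn=sha256_hex):
    """Try each candidate in order; returns (password or None, guesses made)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(candidate), target_hex):
            return candidate, guesses
    return None, len(wordlist)


def brute_force(target_hex, alphabet, max_len, hash_fn=sha256_hex):
    """Exhaustive search over all strings up to max_len; the number of guesses
    grows as len(alphabet) ** length, which is why length beats complexity."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hmac.compare_digest(hash_fn(candidate), target_hex):
                return candidate, guesses
    return None, guesses


# --- storage that resists offline guessing: per-user salt + slow KDF ----------
ITERATIONS = 600_000   # assumed; tune so one verification costs ~100 ms on the server


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_stored(stored: str, wordlist):
    """What the salt does and does not do: an attacker holding the record can
    still run the dictionary, but must redo the slow KDF per guess and per user,
    with no shared precomputed table. A weak password still falls."""
    _algo, iters, salt_hex, _ = stored.split("$")
    salt, iters = bytes.fromhex(salt_hex), int(iters)
    return dictionary_attack(stored, wordlist,
                             hash_fn=lambda p: hash_password(p, salt, iters))


if __name__ == "__main__":
    print(dictionary_attack(sha256_hex("hunter2"), WORDLIST))        # ('hunter2', 5)
    print(brute_force(sha256_hex("ab"), "abc", 2))                   # ('ab', 5)
    record = hash_password("hunter2", iterations=1000)
    print(verify_password("hunter2", record), crack_stored(record, WORDLIST))
```

The administrative fixes on the slide above map directly onto the code: a slow, salted KDF raises the price of every guess, but nothing in the storage scheme rescues a password that is in the attacker's wordlist, which is why weak passwords remain an operational problem rather than an implementation one.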
SECURITY ARCHITECTURE

• What is a security architecture?
- A body of high-level design principles and decisions that allow a
programmer to say "Yes" with confidence and "No" with certainty.
- A framework for secure design, which embodies the four classic stages
of information security: protect, deter, detect, and react.
• Security is a measure of the architecture's ability to
resist unauthorized usage
- At the same time, services need to be provided to legitimate users
89
SECURITY ARCHITECTURE FUNCTIONS:
• Provides consistent security services & configurations across systems
- Decreases security risks
- Improves maintainability of systems
• Offloads ad hoc application security from application teams
• Gives better service to customers/partners
- Single sign-on for web applications
- Simplified registration/approval processing
- Delegated administration
• Promotes enterprise security management
- Consolidated security views and reporting
- Flexibility to accommodate new or redeployed systems
• Lowers security development and operational costs
90
SECURITY AND DESIGN
• Systems are often designed without security in mind
- Developer is often more worried about solving the problem than
protecting the system
- Security is ignored because either the policy is generally not available,
or it is easier to ignore security issues

• Organizations and individuals want their technology to survive
attacks, failures and accidents
- Critical systems need to be survivable
91
SOME SECURITY MECHANISMS

• Encryption
• Checksums
• Key management
• Authentication
• Authorization
• Accounting
• Firewalls
• VPNs
• Intrusion detection
• Intrusion response
• Virus scanners
• Policy managers
• Trusted hardware
