Chapter Two: Computer Threats

2.1 Malicious Code

Malicious code or rogue programs or malware (short for MALicious softWARE) is the
general name for programs or program parts planted by an agent with malicious intent to cause
unanticipated or undesired effects. The agent is the program’s writer or distributor. Malicious
intent distinguishes this type of code from unintentional errors, even though both kinds can
certainly have similar and serious negative effects. This definition also excludes coincidence, in
which minor flaws in two benign programs combine for a negative effect. Most faults found in
software inspections, reviews, and testing do not qualify as malicious code; their cause is usually
unintentional. However, unintentional faults can in fact invoke the same responses as intentional
malevolence; a benign cause can still lead to a disastrous effect. Let us see types of malware:

I. Virus: A virus is a program that can replicate itself and pass on malicious code to other
non-malicious programs by modifying them. The term ‘virus’ was coined because the
affected program acts like a biological virus: It infects other healthy subjects by attaching
itself to the program and either destroying the program or coexisting with it. Because viruses
are insidious, we cannot assume that a clean program yesterday is still clean today.
Moreover, a good program can be modified to include a copy of the virus program, so the
infected good program itself begins to act as a virus, infecting other programs. The infection
usually spreads at a geometric rate, eventually overtaking an entire computing system and
spreading to other connected systems. So in short a Virus is a code with malicious purpose;
intended to spread.
A virus can be either transient or resident. A transient virus has a life span that depends on
the life of its host; the virus runs when the program to which it is attached executes, and it
terminates when the attached program ends. A resident virus locates itself in memory; it can
then remain active or be activated as a stand-alone program, even after its attached program
ends.
II. Worm: A worm is a program that spreads copies of itself through a network. The primary
difference between a worm and a virus is that a worm operates through networks, and a virus
can spread through any medium (but usually uses a copied program or data files).

Page 1 of 14
Computer Security
 Additionally, the worm spreads copies of itself as a stand-alone program, whereas the virus
spreads copies of itself as a program that attaches to or embeds in other programs. Worm
programs, sometimes called ‘crawlers’ seek out machines on which they can install small
pieces of code to gather such data. The code items report back to collection points, telling
what connectivity they have found.
III. Trojan Horse: Trojan horse is malicious code that, in addition to its primary effect, has a
second, non-obvious, malicious effect. It slips inside a program undetected and produces
unwelcome effects later on. As an example of a computer Trojan horse, consider a login
script that solicits a user’s identification and password, passes the identification information
on to the rest of the system for login processing, but also retains a copy of the information for
later, malicious use. In this example, the user sees only the login occurring as expected, so
there is no reason to suspect that any other, unwelcome action took place.
IV. Spyware: Spyware is malicious software that enters a user’s computer, gathers data from the
device and user, and sends it to third parties without their consent. A commonly
accepted spyware definition is a strand of malware designed to access and damage a device
without the user’s consent. Spyware collects personal and sensitive information that it sends
to advertisers, data collection firms, or malicious actors for a profit. Attackers use it to track,
steal, and sell user data, such as internet usage, credit card, and bank account details, or steal
user credentials to spoof their identities.

Beyond the above terminology, there is much similarity in types of malicious code. Types of
malware differ widely in their operation, transmission and objective. Many other types of
malicious code are shown in the following table.

Virus Code that causes malicious behavior and propagates copies of itself to other programs

Trojan Horse Code that contains unexpected, undocumented, additional functionality

Code that propagates copies of itself through a network; impact usually degrades
Worm
performance

Rabbit Code that replicates itself without limit to exhaust resources

Logic bomb Code that triggers action when a predetermined condition occurs

Time bomb Code that triggers action when a predetermined time occurs

Page 2 of 14
Computer Security
 Dropper Transfer agent code only to drop other malicious code, such as virus or Trojan horse

Hostile mobile code

Code communicated semi-autonomously by programs transmitted through the web
agent

Script attack,
Malicious code communicated in JavaScript, ActiveX, or another scripting language,
JavaScript, Active
downloaded as part of displaying a web page
code attack

RAT (Remote
Trojan horse that, once planted, gives access from remote location
Access Trojan)

Spyware Program that intercepts and covertly communicates data on the user or user’s activity

Bot Semi-autonomous agent, under control of a controller; not necessarily malicious

Zombie Code or entire computer under control of a (usually remote) program

Code that changes browser settings, disallows access to certain sites, or redirects
Browser hijacker
browser to others

Rootkit Code installed in “root” or most privileged section of operating system; hard to detect

Trapdoor or Code feature that allows unauthorized access to a machine or program; bypasses
backdoor normal access control and authentication

Program containing a set of tests for vulnerabilities; not dangerous itself, but each
Tool or toolkit
successful test identifies a vulnerable host that can be attached

Scareware Not code; false warning of malicious code attack

2.2 Class of Attacks

I. Reconnaissance Attack: Reconnaissance is the practice of covertly discovering and
collecting information about a system. This method is often used in ethical hacking or
penetration testing. Like many computer security terms, reconnaissance derives from
military language, where it refers to a mission with the goal of obtaining information
from enemy territory. It generally works in seven general steps:
1. Collect initial information
2. Determine the network range
3. Identify active machines
4. Find access points and open ports
5. Fingerprint the operating system

Page 3 of 14
Computer Security
 6. Discover services on ports
7. Map the network
Using these steps, an attacker will aim to gain the information about a network: File
permissions, running network services, OS platform, Trust relationships, User account
information.
One of the most common techniques involved with reconnaissance is port scanning,
which sends data to various TCP and UDP ports on a device and evaluates the response.
There are two main types of reconnaissance: active and passive reconnaissance.
With active reconnaissance, hackers interact directly with the computer system and
attempt to obtain information through techniques like automated scanning or manual
testing and tools like ping and netstat. Active recon is generally faster and more accurate,
but riskier because it creates more noise within a system and has a higher chance of being
detected.
Passive reconnaissance gathers information without directly interacting with systems,
using tools such as Wireshark and Shodan and methods such as OS fingerprinting to gain
information.
II. Access Attack: Access attacks require intrusion capabilities. These can consist of
anything as simple as gaining an account holder’s credentials, to plugging foreign
hardware directly into the network infrastructure. Access attacks are carried out through
Logical or Physical Access.
Logical access attacks, such as exploitation through brute force attacks or testing
passwords on the network using “rainbow tables” or dictionary attacks tend to create a lot
of traffic on the network. It is for this reason that most logical access attacks are usually
attempted only after sufficient reconnaissance or credentials have been obtained.
Physical access is either access to the infrastructure itself or access to the people. One
form of physical attack is a Social engineering, which is very dangerous and hard to
defend against simply because of its insidious effectiveness. The easiest type of social
engineering attack involves sending out phishing emails designed to hook someone as a
leverage point that enables an attacker to begin strategically maneuvering into the
company. This can happen in a variety of ways, but could include someone internal to the

Page 4 of 14
Computer Security
 company opening an email that contains a malicious application that helps the attacker
achieve access.
III. Denial of Service (DoS) Attack: Denial of Service (DoS) means that the information
exchange has been prevented due to some form of interference. This can happen from a
natural disaster event, such as an electrical failure, or a flood of packets that clogs the
network’s ability to function. So DoS can be malicious, and a true incident. While the
power failure is very apparent, imagine a company boasting a new advertised event, then
on the day of the event the servers cannot handle the inbound network traffic and result in
failure. Fortunately, both can be mostly preventable with the proper implementation of
protective measures. To achieve a malicious denial of service against an entire network,
the attacker usually needs ample computer power on the attacking side as well. This can
be achieved using a collection of networked devices that may or may not be aware of
their involvement. This would be referred to as a botnet, and it can bring swift
devastation to network traffic without any warning through a process called a Distributed
Denial of Service (DDoS) attack. Essentially, the linked computers all generate packets
into the network simultaneously. A typical modern computing resource can only perform
one action at a time, so flooding the network with these packets generates a need to
respond, and if the network cannot keep up with the responses, then the network simply
cannot function. Another type of DoS attack aims to entirely crash a system. This full
failure can cause temporary or permanent damage to a network. The purpose is to make
the network inoperable.

2.3 Program Flaws

Program flaw is a part of a program that can cause the system to violate its security requirements.
Finding security problems resulting from program flaws, demands some knowledge of system
security requirements.
I. Buffer Overflows: Buffers are memory storage regions that temporarily hold data while
it is being transferred from one location to another. A buffer overflow (or buffer overrun)
occurs when the volume of data exceeds the storage capacity of the memory buffer. As a
result, the program attempting to write the data to the buffer overwrites adjacent memory
locations.

Page 5 of 14
Computer Security
 For example, a buffer for log-in credentials may be designed to expect username and
password inputs of 8 bytes, so if a transaction involves an input of 10 bytes (that is, 2
bytes more than expected), the program may write the excess data past the buffer
boundary. Buffer overflows can affect all types of software. They typically result from
malformed inputs or failure to allocate enough space for the buffer. If the transaction
overwrites executable code, it can cause the program to behave unpredictably and
generate incorrect results, memory access errors, or crashes.

Buffer Overflow Example

Attackers exploit buffer overflow issues by overwriting the memory of an application.

This changes the execution path of the program, triggering a response that damages files
or exposes private information. For example, an attacker may introduce extra code,
sending new instructions to the application to gain access to IT systems. If attackers
know the memory layout of a program, they can intentionally feed input that the buffer
cannot store, and overwrite areas that hold executable code, replacing it with their own
code. For example, an attacker can overwrite a pointer (an object that points to another
area in memory) and point it to an exploit payload, to gain control over the program.

II. Time-of-Check to Time-of-Use (TOCTOU): TOCTOU attacks fall under the category
of a race condition (which occurs when two or more operations that should be done in
sequence are attempted simultaneously). A hacker is able to access a file and make
harmful changes between the time of check (first time the program accesses the file) and
the time of use (when the software uses the file). The opportunity window is very short
due to that near simultaneous overlap.

Page 6 of 14
Computer Security
 TOCTOU can be recognized when shared files that multiple users can access are
susceptible to TOCTOU issues. A file that has been corrupted could cause a system crash
or corrupt data related to the file.

III. Incomplete mediation: Mediation is checking the process of intervening to confirm an

actor’s authorization before it takes an intended action. In computer security it has
become common to use access control triple (AAA) that describes what subject can
perform what operation on what object. Verifying that the subject is authorized to
perform the operation on an object is called mediation. A scenario called incomplete
mediation occurs when a program accept an erroneous data and process it. Incomplete
mediation is a security problem which attackers exploit to cause security problems.
Consider the following url:
http://www.somesite.com/subpage/userinput.asp?parm1=(808)5551212&parm2=2015Jan17

The parameters parm1 and parm2 look like a telephone number and a date, respectively.
Probably the client’s (user’s) web browser enters those two values in their specified
format for easy processing on the servers side. But what would happen if parm2 were
submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many?
Something in the program or the system with which it communicates would likely fail.
As with other kinds of programming errors, one possibility is that the system would fail
catastrophically, with a routine’s failing on a data type error as it tried to handle a month
named “Min” or even a year (like 1800) that was out of expected range. Another
possibility is that the receiving program would continue to execute but would generate a
very wrong result. (For example, imagine the amount of interest due today on a billing
error with a start date of 1 Jan 1800) Then again, the processing server might have a
default condition, deciding to treat 1Aardvark2Many as 21July 1951. The possibilities are
endless.
2.4 Controls to protect against program flaws
There are several techniques that can prove useful in finding and fixing security flaws in
programs. For this course we will look at three types of controls: developmental, operating
system, and administrative.

Page 7 of 14
Computer Security
2.4.1 Developmental Controls
Software development is a collaborative effort, involving people with different skill sets who
combine their expertise to produce a working product. Many controls can be applied during
software development to hunt out and fix problems. Here are the practices that should be
considered during software development.

 Modularity: Dividing a task into subtasks. This division is done on a logical or

functional basis. Each component performs a separate, independent part of the task. The
goal is to have each component meet four conditions: Single-purpose, Small, Simple and
Independent.
 Encapsulation: Encapsulation hides a component's implementation details, but it does
not necessarily mean complete isolation. Many components must share information with
other components, usually with good reason. However, this sharing is carefully
documented so that a component is affected only in known ways by others in the system.
 Information Hiding: Developers who work where modularization is stressed can be sure
that other components will have limited effect on the ones they write. Thus, we can think
of a component as a kind of black box, with certain well-defined inputs and outputs and a
well-defined function. Other components' designers do not need to know how the module
completes its function; it is enough to be assured that the component performs its task in
some correct manner. Information hiding is desirable, because developers cannot easily
and maliciously alter the components of others if they do not know how the components
work.
 Hazard Analysis: Hazard analysis is a set of systematic techniques intended to expose
potentially hazardous system states. In particular, it can help us expose security concerns
and then identify prevention or mitigation strategies to address them. Hazard analysis
hunts out likely causes of problems so that we can then apply an appropriate technique
for preventing the problem or softening its likely consequences. Thus, it usually involves
developing hazard lists, as well as procedures for exploring "what if" scenarios to trigger
consideration of non obvious hazards.
 Testing: Testing is a process activity that homes in on product quality: making the
product failure free or failure tolerant. Each software problem (especially when it relates

Page 8 of 14
Computer Security
 to security) has the potential not only for making software fail but also for adversely
affecting a business or a life.
 Good Design: modularity, information hiding, and encapsulation are characteristics of
good design. Several design-related process activities are particularly helpful in building
secure software:
o Using a philosophy of fault tolerance

o Having a consistent policy for handling failures

o Capturing the design rationale and history

o Using design pattern

 Configuration Management: When software are being developed, it is important to

know who is making which changes to what and when:
o corrective changes: maintaining control of the system's day-to-day functions
o adaptive changes: maintaining control over system modifications
o perfective changes: perfecting existing acceptable functions
o preventive changes: preventing system performance from degrading to
unacceptable levels
We want some degree of control over the software changes so that one change does not
inadvertently undo the effect of a previous change. And we want to control what is often
a proliferation of different versions and releases. For instance, a product might run on
several different platforms or in several different environments, necessitating different
code to support the same functionality. Configuration management is the process by
which we control changes during development and maintenance, and it offers several
advantages in security.

2.4.2 Operating System Controls

An operating system actually implements the security functions for general objects of
unspecified types, such as files, devices, or lists, memory objects, databases, or sharable tables.
In principle, in operating systems, A subject is permitted to access an object in a particular mode,
and only such authorized accesses are allowed. Operating systems provide functionalities to

Page 9 of 14
Computer Security
ensure security access into resources through the implementation of the access control
mechanisms. The best noticeable example can be related to the access control function is audit: a
log of which subject accessed which object when and in what manner. Let us techniques used in
operating systems to control program flaws:

 Virtual Machine: An important operating system security technique is virtualization,

providing the appearance of one set of resources by using different resources. If you
present a plate of cookies to a group of children, the cookies will likely all disappear. If
you hide the cookies and put them out a few at a time you limit the children’s access.
Operating systems can do the same thing. Virtualization is implemented by creating
virtual machines. Virtual machines are machines that are created virtually with
configured services specific to the user requirements.
 Sandbox: A concept similar to virtualization with a protected environment in which a
program can run and not endanger anything else on the system. So a sandbox is an
environment from which a process can have only limited, controlled impact on outside
resources. A good example of a sandbox is how applets are executed in java. The
designers of Java intended the system to run code, called applets, downloaded from
untrusted sources such as the Internet. Java trusts locally derived code with full access to
sensitive system resources (such as files). It does not, however, trust downloaded remote
code; for that code Java provides a sandbox, limited resources that cannot cause negative
effects outside the sandbox.
 Honeypot: A honeypot is a fake environment intended to attract an attacker. Usually
employed in a network, a honeypot shows a limited (safe) set of resources for the
attacker; meanwhile, administrators monitor the attacker’s activities in real time to learn
more about the attacker’s objectives, tools, techniques, and weaknesses, and then use this
knowledge to defend systems effectively. So, honeypot is a system to attract an attacker
into an environment that can be both controlled and monitored.

Page 10 of 14
Computer Security
2.5 Program Security Defenses
2.5.1 Software development controls and Testing techniques
Testing is a process activity that homes in on product quality: making the product failure free or
failure tolerant. Each software problem (especially when it relates to security) has the potential
not only for making software fail but also for adversely affecting a business or a life.

Testing usually involves several stages. First, each program component is tested on its own,
isolated from the other components in the system. Such testing, known as module testing,
component testing, or unit testing, verifies that the component functions properly with the types
of input expected from a study of the component's design. Unit testing is done in a controlled
environment whenever possible so that the test team can feed a predetermined set of data to the
component being tested and observe what output actions and data are produced. In addition, the
test team checks the internal data structures, logic, and boundary conditions for the input and
output data.

When collections of components have been subjected to unit testing, the next step is ensuring
that the interfaces among the components are defined and handled properly. Indeed, interface
mismatch can be significant security vulnerability. Integration testing is the process of
verifying that the system components work together as described in the system and program
design specifications.

Once we are sure that information is passed among components in accordance with the design,
we test the system to ensure that it has the desired functionality. A function test evaluates the
system to determine whether the functions described by the requirements specification are
actually performed by the integrated system. The result is a functioning system.

The function test compares the system being built with the functions described in the developers'
requirements specification. Then, a performance test compares the system with the remainder
of these software and hardware requirements. It is during the function and performance tests that

Page 11 of 14
Computer Security
security requirements are examined, and the testers confirm that the system is as secure as it is
required to be.

When the performance test is complete, developers are certain that the system functions
according to their understanding of the system description. The next step is conferring with the
customer to make certain that the system works according to customer expectations. Developers
join the customer to perform an acceptance test, in which the system is checked against the
customer's requirements description. Upon completion of acceptance testing, the accepted system
is installed in the environment in which it will be used. A final installation test is run to make
sure that the system still functions as it should. However, security requirements often state that a
system should not do something.

The objective of unit and integration testing is to ensure that the code implemented the design
properly; that is, that the programmers have written code to do what the designers intended.
System testing has a very different objective: to ensure that the system does what the customer
wants it to do. Regression testing, an aspect of system testing, is particularly important for
security purposes. After a change is made to enhance the system or fix a problem, regression
testing ensures that all remaining functions are still working and performance has not been
degraded by the change.

Each of the types of tests listed here can be performed from two perspectives: black box and
clear box (sometimes called white box). Black-box testing treats a system or its components as
black boxes; testers cannot "see inside" the system, so they apply particular inputs and verify that
they get the expected output. Clear-box testing allows visibility. Here, testers can examine the
design and code directly, generating test cases based on the code's actual construction. Thus,
clear-box testing knows that component

2.5.2 Database Management System Security

Database security refers to the range of tools, controls, and measures designed to establish and
preserve database confidentiality, integrity, and availability.

Page 12 of 14
Computer Security
Database security must address and protect the following:

 The data in the database

 The database management system (DBMS)

 Any associated applications
 The physical database server and/or the virtual database server and the underlying
hardware
 The computing and/or network infrastructure used to access the database

Because databases are nearly always network-accessible, any security threat to any component
within or portion of the network infrastructure is also a threat to the database, and any attack
impacting a user’s device or workstation can threaten the database. Thus, database security must
extend far beyond the confines of the database alone. When evaluating database security in your
environment to decide on your team’s top priorities, consider each of the following areas:
 Physical security: Whether your database server is on-premise or in a cloud data center,
it must be located within a secure, climate-controlled environment. (If your database
server is in a cloud data center, your cloud provider will take care of this for you.)
 Administrative and network access controls: The practical minimum number of users
should have access to the database, and their permissions should be restricted to the
minimum levels necessary for them to do their jobs. Likewise, network access should be
limited to the minimum level of permissions necessary.
 End user account/device security: Always be aware of who is accessing the database
and when and how the data is being used. Data monitoring solutions can alert you if data
activities are unusual or appear risky. All user devices connecting to the network housing
the database should be physically secure (in the hands of the right user only) and subject
to security controls at all times.
 Encryption: ALL data—including data in the database, and credential data—should be
protected with best-in-class encryption while at rest and in transit. All encryption keys
should be handled in accordance with best-practice guidelines.

Page 13 of 14
Computer Security
  Database software security: Always use the latest version of your database management
software, and apply all patches as soon as they are issued.
 Application/web server security: Any application or web server that interacts with the
database can be a channel for attack and should be subject to ongoing security testing and
best practice management.
 Backup security: All backups, copies, or images of the database must be subject to the
same (or equally stringent) security controls as the database itself.
 Auditing: Record all logins to the database server and operating system, and log all
operations performed on sensitive data as well. Database security standard audits should
be performed regularly.

Page 14 of 14
Computer Security