Cyber Security
Cyber Security
Lecture 1
1
Course Load and Evaluation
• A mix between theory and practical work
• 6 Marked labs and final Coursework (build book)
Lab Assignments (6 @ 5% each) 30.0%
Project + Presentation 15.0%
Midterm Exam 25.0%
Final Exam 30.0%
Total 100.0%
2
Laptop Requirements
Hardware requirements:
▪ Laptop (i5 or i7) with Windows 10 Pro (allow virtualization in
Bios)
▪ RAM 8 GB
▪ Disk – at least 100GB free space
3
Optional textbooks:
1. Cyber Security Essentials, James Graham Richard Howard Ryan Olson, CRC
press, Taylor and Francis Group, ISBN 9780429106637, 2011
4. CompTIA Security+ study Guide, Mike Chapple and David Seidl, Sybex, Eighth
Edition, ISBN 9781119736257, 2021
4
Computer Security
- It is the protection of the computer system from the theft
or damage to either software, hardware or to the
information present on the system.
- It is involves the process of safeguarding against the
intruders from gaining access to your systems or its
resources for malicious purposes.
5
Internet Security
▪ Internet security usually involves the protection of the user’s
data from the unauthorized access and damage when
connected to the Internet.
6
What is cookies?
▪ A cookie is the information which is provided by a web server
to a web client, then sent back unchanged by the browser
each time it accesses that server.
▪ When this website has revisited, the browser sends the
information back so as to recognize the user.
▪ This is invisible to the user and also is intended for improving
the internet browsing experience.
7
Difference between Data and Information
Data Information
▪ It is a collection of facts, could be ▪ How you understand those facts in
metrics, numbers, words context (such as measured
▪ data is unorganized temperature over a year)
▪ It is not useful on its own ▪ Information is organized
▪ Ex:19042021 ▪ Useful in its own
▪ It is raw input values ▪ Ex: 19 April 2012
▪ Data term is broad terminology ▪ Information is output of processing
▪ Information is subset from data
Note:
Information security specialist, their goal is to make classification of the
data based on the data sensitivity but the cybersecurity specialist is to
secure the data in general whether it is information or raw data
8
What do you know about Information Security?
▪ Information Security, is a concept that predates modern
computers
▪ People encrypted messages before any computer was created
(started with the military and then they introduced to the
world)
▪ In the WWII, they invented a machine that called the Enigma,
which basically secure the message between the troops so
that the enemy will not know
▪ This machine used a substitution which replace the letter
with another letters and the other guys on the other side of
the same army will know the message (shuffled letter) exactly.
This machine represents the start of information security.
9
What is security? Security could be define as:
10
Layers of Security
Physical Security: it involves the safeguarding of the personnel or hardware
and software components, networks and data from natural physical
conditions and events or threats, which might cause damage to an
organization
Network Security: which would be summed up as the protection of the
networks and their services from unauthorised modification our destruction.
System Security: is to protect the system and the information from any sort
of threat such as unauthorized access or corruption or being misused.
Application Security: this would cover the software are generally being used
or even the hardware or any sort of procedural steps that could be taken
care of for protecting the application
User Security: is to ensure that authenticated and an authorized user is only
allowed to log in and perform any sort of functionalities he's authorized to
do.
11
if we have a company and we want to build a secure system, we have to
have a guard, a camera on the entrance and so on, in general we have layers
of security:
▪ Physical security (door, locks, motion detection
devices…)
▪ Personal security (a guard on a gate)
▪ Operations security (checking people who go
in/out of the company, must be checked)
▪ Communication security ( the communication
between the employee or with outside the
company has to be secure)
▪ Network security (having Firewall, antivirus, IDP,
scanning device, black list)
▪ Information security (the main and final layer is the
information) IT
12
What is Information Security?
▪ Information security is a set of practices designed to keep
personal data secure from unauthorized access and
alteration during storing or transmitting from one place
to another.
▪ Information security is designed and implemented to
protect the print, electronic and other private, sensitive
and personal data from unauthorized persons. It is used
to protect data from being misused, disclosure,
destruction, modification, and disruption.
Reasons behind the need of Information Security
▪ Protects the organization's ability to function.
▪ Enables the safe operation of applications implemented on
the organization's IT systems. In addition to Safeguards the
technology the organization uses.
▪ Protects the data that organization collects and uses.
▪ Preventing unauthorized access, use, disclosure,
disruption, modification, inspection, recording or
destruction of information
▪ We need information security to reduce the risk of
unauthorized information disclosure, modification, and
destruction.
▪ We need information security to reduce risk to a level
that is acceptable to the business (risk management).
Security isn’t about security.
It’s about mitigating risk at some cost.
16
What are the different loss that would be caused due to security
breaches (attacks):
▪ Financial loss, is the most common loss in banks and bigger
organizations
▪ Resource Unavailability, once the attacker gain an access to the system
or the victim machine he would make sure that the resources will be
unavailable to the legitimate user.
▪ Identity theft , a concept when the attacker tries to steal the user
credential and try to impersonate that user identity as the victim itself.
▪ Data loss, once the attacker compromise the system he would try to
steal the data or perform an attack to cause loss of the data
▪ Loss of trust, once bigger organizations get compromised, users/people
will loss trust in such organization in terms of security, safeguarding
their assets
▪ Resources Misuse, when an attacker compromised the victim machine,
first he would misuse the resources that he got access to.
17
Basic information security terminologies
Threat: An event or an action that has got the ability to compromise
the system or violate the system security.
Exploit : a way to breach the security of a machine through a
loophole (patch) or a vulnerability
Attacker: any individual who compromises the security of a machine
illegitimately in order to steal, manipulate or to cause destruction of
the data
Attack: the action that is performed by an attacker that would
potentially harm the system or the information stored in it
Vulnerability: it is defined as the existence of a loophole (patch) or
weakness in the design or the implementation that could lead to
undesirable, unexpected event that would compromise the machine
Data theft: the action of information stealing from the victim’s
machine.
Risk : is the situation that involves exposure to some type of danger
18
19
20
Security triad (C I A)
There are three key objectives that are the main of any computer security:
▪ Confidentiality: Information is disclosed only to authorized parties
whether the data in rest or transit
▪ It is the most aspect of CIA triad when it comes to security;
▪ It is one which is attacked most often
▪ Cryptography and encryption methods are examples to ensure confidentiality.
▪ Integrity: Information remains accurate and unchanged in transit and at
rest and only authorized parties can change it-(it is in its original form)
▪ One type of security attack is to intercept some important data and make changes to it before
sending it.
▪ Availability: Authorized parties have timely and uncompromised access
(the data is available 24/7), so it is to ensure that the information is
accessible to authorized persons when it when required without any sort
of a delay.
▪ Some attacker try to deny access to the appropriate user, for example, by breaking the website
for a particular search engine
21
Security triad (C I A)
22
Elements of Security
There are other characteristics of the information security
which
▪ Authenticity: is the quality of being genuine or original
rather than a reproduction. Information is authentic when it
is the information that was originally created, placed,
stored or transferred (is the identification and assurance of
the information's origin).
▪ Non repudiation: is to make sure that any person or an
individual or a communication cannot deny that the
authenticity of the signature on a particular document.
▪ Authorization: access control permissions
23
What are the risks that are put into the domestic users?
E-mail attacks: the victim would be susceptible to attacks such as phishing or
spamming or any other sort of scams.
Malware attack: it's quite well known that e-mails are the biggest carriers of
the malwares. So henceforth it falls under the second attacks that the domestic
users are susceptible.
Denial of attacks: is the availability of a service for a legitimate user because
when an attacker wants to compromise or compromise that machine or that IP
address it would bombard that particular IP with enormous amount of packets
that the service goes down.
Identity theft : it involves an attacker to impersonate the targeted victim and
try to use it for personal gain.
Packet sniffing: this would involves the attacker to intercept and try to get
some information out of the communications that so one of the things that
could be secured.
24
What is the things to be secured?
▪ Hardware, basically that would include your storage devices all
your hard disks on your laptops or your smartphones for that
matter.
▪ Software, Then you would have to make sure that your security
software is as well, from the operating system to all other
applications that come under it.
▪ Information(DB): has to be secured right from the personal
identification credentials such as the credit card details or any sort
of health related detail or banking details
▪ Communication, securing the communication from your instant
messaging or any sort of browsing activities or your mails or any
activities that you perform on social media
25
Components of information system
Applications and
written codes
https://www.eacademy.lk/p/computer-based-information-systems.html
26
Reasons of having vulnerable system:
▪ Low security awareness
▪ No implementation of security systems
▪ Default settings for applications and software
▪ Not following the standard security guidelines
▪ Insecure online activity
27
Aspects of security standards/security architecture
X.800 standards
▪ The OSI security architecture is useful to managers as a way of organizing the task
of providing security
▪ It is based on attacks, mechanisms and services
28
▪ Security attack: any action that compromises the security of
information owned by an organization
▪ Security mechanism: a process or a device incorporating such
a process that is designed to detect , prevents or recover from
a security attack
▪ Security services: a processing or communication service that
is provided by a system to give a specific kind of protection to
resources
•The services are intended to counter security attacks and to make use of one or more
security mechanisms to provide services
29
Security Security
Authentication mechanism
services
Non-
Access control
repudiation
Detect
Prevent
Security
Recover attacks
Integrity Confidentiality
30
Attacks Classifications
Attacks can be classified into:
▪ Passive attack: it attempts to learn or make use of information from the system
but doesn't affect system resources
• Passive attack types:
- Sniffing/Eavesdropping/snooping: secretly listening to the private
conversation of others without consent
- Traffic Analysis: intercepting and examining messages in order to deduce
information from patterns
31
▪ Passive attacks countermeasures:
- Hard to detect because they do not have any alternation of the data
- The message traffic is sent/received in an apparently normal fashion and
neither the sender nor the receiver is a ware that a third party has read
the messages or observed the traffic pattern.
- It is possible to prevent the success of these attacks by means of
encryption
- The emphasis in dealing with passive attacks is on prevention rather
than detection.
32
▪ Active attack: it attempts to alter system resources or affect their
operations. Involve modification of data stream or the creation of
false alarm changing
33
▪ Active attacks countermeasures:
- Present the opposite characteristics of passive attacks
- Difficult to detect, measures are available to prevent their success
- It is quite difficult to prevent active attacks absolutely because of the
wide variety of potential physical, software and network vulnerabilities
34
Active attacks Passive attacks
Objective The attack tries to change the The attack tries to read or make
system resources or affect their use of information from the system
operation but does not influence system
resources
Modification in information Occurs Does not modify or take a place
and operations
Harm/effect to the system There are many (Always causes There are few or none
damage to the system)
Attack awareness The entity (person/thing) gets The entity (person/thing) is
informed about the attack unaware of this attack
CIA threat Integrity and availability Mostly Confidentiality
35
A masquerade takes place when one entity pretends to be a different entity
(following Figure a). A masquerade attack usually includes one of the other
forms of active attack. For example, authentication sequences can be
captured and replayed after a valid authentication sequence has taken
place, thus enabling an authorized entity with few privileges to obtain extra
privileges by impersonating an entity that has those privileges.
36
Reply: involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect(Figure b)
37
Modification of messages: simply means that some portion of a legitimate
message is altered, or that messages are delayed or reordered, to produce
an unauthorized effect (Figure c). For example, a message meaning "Allow
John Smith to read confidential file accounts" is modified to mean "Allow
Fred Brown to read confidential file accounts."
38
Denial of service: prevents or inhibits the normal use or management of
communications facilities (Figure d). This attack may have a specific target;
for example, an entity may suppress all messages directed to a particular
destination (e.g., the security audit service). Another form of service denial is
the disruption of an entire network, either by disabling the network or by
overloading it with messages so as to degrade performance.
39
What are the basic security guidelines?
▪ Use of strong passwords
▪ Use of Antivirus
▪ Regular backing up of your important files and documents
▪ Using Encryptions and digital signatures
▪ Using Firewalls and intrusion detection systems
▪ Regularly updating your OS and other applications
▪ Not revealing too much information online (social networking
sites)
▪ Awareness of the present world security scenario and new
attacks
40
So how do you make your system secure?
▪ Data access controls, you need to implement the access controls, this would
involve you're going to monitor the system activities or activities that happen onto
your system and all such as who is accessing what kind of file or what kind of data.
▪ System Access controls, This is to make sure that only the authorized users get
access to the files that are on access.
▪ Systems and security administration: Make sure that you always perform regular
check and based on the security administration tasks such as rather on figuring
the system settings or implementing any sort of policies put end to security as
such.
41
Why Successful Attacks happen?
▪ Widespread vulnerabilities lack of vendor support, old
devices(no updates)
▪ Configuration issues weak configurations, misconfigurations
▪ Poorly designed software Improper input handling, race
condition
▪ Hardware limitations resource exploitation
42
How would the attacker do an attack?
▪ Phishing
It involves the fake sites created by fraudsters, who would trick
the victims in giving out their information
▪ Social Engineering
It is known as the art of manipulating the human emotions and
behaviour for getting critical or sensitive information
▪ Hacking
The attacker would be able to get most of the personal
information pertaining to the victim if they would be successful in
compromising the victim’s system or the smart phone
▪ Personal Data Theft
The information like credit cards, driver’s license, bills or any other
sensitive information would be obtained from a stolen wallet or
smart phone
43
The fraud that you’re suspectable to are:
▪ Credit cards fraud
▪ Financial fraud
▪ Frauds related to government documents
44
Why is security become so important?
The business has to adhere to regulations, guidelines and standards:
▪ Payment Card Industry Data Security Standard (PCI DSS)
requirements on companies that process payment cards
▪ Health Insurance Portability and Accountability Act (HIPAA),
Gramm-Leach-Bliley Act requires financial institutions (GLBA), …,
many more
▪ Audits have changed the economics of risk and create an
“impending event”
▪ Hackers may attack you but auditors will show up
▪ Disclosure laws mean that the consequences of failure have
increased
UNDERSTANDING SECURITY
▪ Security is:
• To be free from danger is the goal
• The process that achieves that freedom
▪ As security is increased, convenience is often decreased
• The more secure something is, the less convenient it may become to use
46
Difference between Information
security and cybersecurity
48
How to apply security ?
We can apply security by deploying some of the basic security controls such as:
1. Establish policies, communicate it, get management support, enforce it on all
2. Raise users' awareness
3. Apply Strong Authentication
4. Regularly updates and patch servers, clients, network
5. Apply Physical security, secure ports of the data centre, racks, servers
6. Use Antimalware, restrict removable media, lock BIOS, apply drive encryption
7. Control Internet traffic, implement DLP to prevent data leakage
8. Implement Firewalls, WAF, DNS Security, Log collection and analysis, Monitoring
9. Control corporate devices (Such as laptops, mobiles)
10. Security review and Audits
All the above controls required cost, resources to operate and time to implement
and some points may not fit with all business types.
49
How much security is enough ?
▪ Security is relative term, it vary based on nature of business, or instance,
security requirements for E-Commerce business is different than Healthcare
business and Marketing agencies.
▪ Good Security is what can decrease risk to an acceptable level without
affecting system usability and functionality.
▪ Security controls need to be justified and exist to decrease the level of certain
risk, that's why understanding IT Risk is important.
Security Usability
50
51
Understanding Computer Attack
A hacker is someone who likes to tinker with software or electronic
systems. Hackers enjoy exploring and learning how computer systems
operate. They like discovering new ways to work electronically.
An attack is an action taken against a target with the intention of doing
harm (destroy, expose, alter, disable, steal or gain an access or make
unauthorized use of an asset
Hacker
52
Ethical Hacking
In general, hacking is the act of finding the possible entry points that exist
in a computer system or a computer network and finally entering into them.
It is usually done to gain unauthorized access to a computer system or a
computer network, either to harm the systems or to steal sensitive
information available on the computer
53
Recently, hacker has taken on a new meaning; someone who maliciously
breaks into systems for personal gain. Technically, they are criminals
(criminal hackers). Crackers break into (crack) systems with malicious
intent. They are out for personal gain: fame, profit, and even revenge.
They modify, delete, and steal critical information, often making other
people miserable.
Hackers can be divided into three groups:
▪ White Hat Good guys, ethical hackers
▪ Black Hat Bad guys, malicious hackers
▪ Gray Hat Good or bad hacker; depends on the situation
White Black
Hat Hat
Gray
Hat
54
White Hat Hackers
White hats are the good guys, the ethical hackers who use their
hacking skills for defensive purposes. White-hat hackers are usually
security professionals with knowledge of hacking and the hacker
toolset and who use this knowledge to locate weaknesses and
implement countermeasures.
White-hat hackers are prime candidates for the exam. White hats
are those who hack with permission from the data owner. It is
critical to get permission prior to beginning any hacking activity.
This is what makes a security professional a white hat versus a
malicious hacker who cannot be trusted.
55
Black Hat Hackers
They are the bad guys: the malicious hackers or crackers who use their
skills for illegal or malicious purposes. They break into or otherwise
violate the system integrity of remote systems, with malicious intent.
Having gained unauthorized access, black-hat hackers destroy vital data,
deny legitimate users service, and just cause problems for their targets.
Black-hat hackers and crackers can easily be differentiated from white-
hat hackers because their actions are malicious. This is the traditional
definition of a hacker and what most people consider a hacker to be.
56
Gray Hat Hackers
Gray hats are hackers who may work offensively or defensively, depending on the
situation. This is the dividing line between hacker and cracker. Gray-hat hackers may
just be interested in hacking tools and technologies and are not malicious black
hats. Gray hats are self-proclaimed ethical hackers, who are interested in hacker
tools mostly from
a curiosity standpoint. They may want to highlight security problems in a system or
educate victims so they secure their systems properly. These hackers are doing their
“victims” a favor. For instance, if a weakness is discovered in a service offered by an
investment bank, the hacker is doing the bank a favor by giving the bank a chance
to rectify the vulnerability.
Many self-proclaimed ethical hackers are trying to break into the security field as
consultants. Most companies don’t look favorably on someone who appears on
their doorstep with confidential data and offers to “fix” the security holes “for a
price.” Responses range from “thank you for this information, we’ll fix the problem”
to calling the police to arrest the self-proclaimed ethical hacker.
57
Types of security breaches
https://www.kaspersky.com/resource-center/threats/what-is-a-security-breach
58
Data Breach Statistics
▪ Security breaches have increased by 11% since 2018 and 67% since 2014. (Accenture)
▪ Hackers attack every 39 seconds, on average 2,244 times a day. (University of Maryland)
▪ The average time to identify a breach in 2019 was 206 days. (IBM)
▪ The average lifecycle of a breach was 314 days (from the breach to containment). (IBM)
▪ 64% of Americans have never checked to see if they were affected by a data breach.
(Varonis)
▪ The cost of a breach in the healthcare industry went up 42% since 2020. For the 12th year
in a row, healthcare had the highest average data breach cost of any industry.
▪ 56% of Americans don’t know what steps to take in the event of a data breach. (Varonis)
▪ The average cost of a data breach is $3.92 million as of 2019. (Security Intelligence)
▪ 83% of enterprise workloads will move to the cloud by the year 2020. (Forbes)
Cybersecurity Facts and Stats
▪ Cyberattacks are the fastest growing crime globally.
▪ There is a hacker attack every 39 seconds.
▪ Total cost of cybercrime globally has added up to over $1
trillion in 2018.
▪ Approximately $6 trillion is expected to be spent globally on
cybersecurity by 2021.
▪ 95% of cybersecurity breaches are due to human error.
Summary
▪ We need information security to reduce risk to a level that is
acceptable to the business (management).
▪ Cyber Security is protecting the confidentiality, integrity and
availability of information.
▪ Enforcing Role and Responsibilities of a Security Professionals
one of the important guidelines in information security
▪ Monitoring network usage to ensure compliance with security
policies.
- Keeping up to date with developments in It security standards and threats.
- Performing penetration tests to find any flaws.
- Collaborating with management and the IT department to improve
security.
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
Winter 2023
Lecture 2
1
Cybersecurity threat characteristics
▪ Internal/external security threats
▪ Level of sophistication
▪ Resources/funding
▪ Intent/motivation
2
Cybersecurity threat actors
▪ Script kiddies
▪ Hacktivist/hackers
▪ Criminal syndicates (organized crime)
▪ Nation states/Advanced Persistent Threat (APT)
▪ Insiders
▪ Competitors
3
Cybersecurity threat actors
▪ Script kiddies: a derogatory term for people who use hacking techniques
but have limited skills. Often such attackers may rely almost entirely on
automated tools they download from the Internet.
4
▪ Criminal syndicates (organized crime): organized groups seeking to steal money,
identities, or corporate secrets. The criminal networks are usually run by a small
number of experienced online criminal networks who do not commit crimes
themselves but act as entrepreneurs
▪ Nation states/Advanced Persistent Threat (APT): an attack in which unauthorized
persons (groups)gain access to a network using advanced exploitation techniques
and stays there undetected for a long period of time. The intention of an APT
attack is to steal data (such as others’ political, economic, military and commercial
infrastructure.)rather than to cause damage to the network or organization.
▪ Insiders: internal employees seeking to cause damage to their organization. For
example employees may be bribed or coerced into stealing data before moving to
a new job
▪ Competitors: outside organizations seeking to commit corporate espionage for
financial or market gain. They may steal new product research or list of current
customers to gain a competitive advantage.
5
Q: Your company’s website has been defaced by an organization that doesn’t
agree with your corporate policies. What type of treat actor typically does
this?
A. Script kiddies
B. Hacktivist
C. Organized crime
D. Insiders
6
Threat vectors
Threat actors targeting an organization need some means to gain access to
that organization's information or system. Threat vectors are the means
that threat actors use to obtain that access, for example:
7
Threat data and intelligence
▪ It is a set of activities and resources available to security professionals to
learn about changes in the threat environment.
▪ Threat intelligence information can be used for predictive analysis to
identify likely risks to the organization
Threat intelligence sources :
- Open Source INTelligence (OSINT) that can gather from publicly available sources to
commercial services that provide close-source intelligence information.
- An increasing number of products and services have the ability to consume threat feed data,
allowing you to leverage it throughout your infrastructure and systems.
8
Threat feeds often include technical details about the threat such as:
▪ IP address,
▪ Hostnames and domains,
▪ Email addresses, urls,
▪ File hashes and file paths ,
▪ CVE (Common Vulnerabilities and Exposure list) numbers.
Vulnerability data bases are also an essential part of an organization's
threat intelligence program, reports of vulnerabilities would help
directly an organization’s defensive efforts, but the also provide
valuable insights into the types of exploit being discovered by
researchers.
9
▪ Open Source INTelligence (OSINT) is threat intelligence that
is acquired from publicly available sources.
▪ Closed-Source intelligence related to commercial security
vendors, government organizations other security centric
organizations, they do their own information gathering and
research and they may use custom tools, analysis models, or
use a proprietary methods to gather, create and maintain
their threat feed.
10
Threat maps
Threat maps: provide a geographic view of threat intelligence. It provide
insights into cybersecurity threat landscape. For example:
11
Assessing Threat Intelligence:
It required a set of common factors to assess the threat:
- Is it timely?
- Is the information accurate? Can we rely on what it says and how likely
is it that the assessment is valid? Does it relay on a single source or
multiple? How often are these sources correct?
- Is the information relative?
Note: confidence score is a common way to summarized the
threat intelligence assessment
12
Attacks using malware
Malicious software (malware): it is term for a wide range of
software that refers to a wide variety of damaging or annoying
software. Malware could be inserted into a
system/devices/networks/users with the intent of compromising
the confidentiality, integrity, or availability of the victim’s
information, applications, operating system or to annoy/disrupt
the victim
▪ Enters a system without the owner’s knowledge or consent
▪ Uses a threat vectors to deliver a malicious ”payload” that performs a
harmful function once it is invoked
▪ It can gather information and provide illegal access
13
Rootkits
Spyware Trojans
Crimeware Worms
14
Malware can be classified by the using of the primary trait that
the malware possesses:
▪ Circulation mechanism
▪ Infection
▪ Concealment
▪ Payload capabilities
15
▪ Circulation mechanism; propagates and spreads rapidly to other systems to
impact a large as possible number of users, (what are the means by which a virus
finds and infect new files, spreads or propagates, enabling it to replicate in a
system):
• Viruses: they require end-user activation and can activate at a specific time
or date. It is easy to detect it by virus scanner
- Computer virus; reproduce itself
- Program virus; infect an exe file
- Macro; series of instructions that can be grouped together as a single
command
- Armored virus; avoid detection
Note: virus and malware are not interchangeable terms. A virus is only one type
of malware.
16
Virus infection method
Appender infection virus appends itself to end of a file
- One basic type of infection is the Appender infection
- The virus first attaches itself to the end of the infected file
- It then inserts, at the beginning of the file, a jump instruction that points
to the end of the file, which is the beginning of the virus code
- When the program is launched, the jump instruction redirects control to the virus
Most viruses today go to great lengths to avoid detection (called an armored virus),
some armored virus infection techniques include:
– Swiss cheese infection viruses inject themselves into executable code
• Virus code is “scrambled” to make it more difficult to detect
– Split infection virus splits into several parts
• Parts placed at random positions in host program
• The parts may contain unnecessary “garbage” doe to mask their true purpose
– Mutation, some viruses can mutate or change
• An oligomorphic virus changes its internal code to one of a set of number of
predefined mutations whenever executed
• A polymorphic virus completely changes from its original form when executed
• A metamorphic virus can rewrite its own code and appear different each time it is
executed
17
2, then
18
❖ Viruses perform two actions:
– Unloads a payload to perform a malicious action
– Reproduces itself by inserting its code into another file on the same computer
19
Worm
- It is malicious program that uses a
computer network to replicate
▪ Sends copies of itself to other network devices
- Worms may:
▪ Consume resources or
▪ Leave behind a payload to harm infected systems
20
Action Virus Worm
What does it do? inserts malicious code Exploits a vulnerability in
into a program or data file an application or OS
How does it spread to User transfers infected Uses a network to travel
other computers? files to other devices from one computer to
another
Does it infect a file Yes No
Does there need to be Yes No
user action for it to
spread?
21
Virus Worm
22
▪ Infection
the event/condition that determines when the payload is
activated or delivered (how it embeds itself into a system),
examples of this malware are:
- Trojans,
- Ransomware,
- Crypto-malware
23
Trojans
Trojan is an executable program that does something other than
advertised
– Contain hidden code that launches an attack
– Sometimes made to appear as data file
Example
– User downloads “free calendar program”
• Program scans system for credit card numbers and passwords
• Transmits information to attacker through network
24
Ransomware
This malware is designed to hold a computer
system or the data it contains captive until a
payment is made (prevents a user’s device from
properly operating until a fee is paid).
▪ It usually works by encrypting data in the
computer with a key unknown to the user.
▪ Some other versions of ransomware can take
advantage of specific system vulnerabilities to
lock down the system.
▪ It is spread by a downloaded file or some
software vulnerability.
25
Crypto-malware
This malware is a more malicious form of ransomware where threat actors
encrypt all files on the device so that none of them could be opened.
26
▪ Concealment
- It means hide and avoid detection by concealing its presence from
scanners:
▪ Example: Rootkit; is a set of software tools used by an attacker to hide actions
of other types of malicious software
- May alter or replace operating system files with modified versions
that are specifically designed to ignore malicious activity
▪ Users can no longer trust their computer that contains a Rootkit
▪ The Rootkit is in charge and hides what is occurring on the computer
27
▪ Payload capabilities
It means what actions the malware performs, besides spreading. The payload may
involve damage or may involve benign but noticeable activity.
- for example: spyware, logic bombs, backdoor, boot zombie, key logger
28
▪ Collect data
Different types of malware are designed to collect important data from the
user’s computer and make it available at the attacker. This type of malware
includes:
▪ Spyware
▪ Adware
29
▪ Adware; is a program that delivers advertising content in manner unexpected
and unwanted by the user
– Typically displays advertising banners and pop up ads
– May open new browser windows randomly
30
▪ Delete data
▪ The payload of other types of malware deletes data on the
computer
31
Modify System Security
▪ Backdoor gives access to a computer, program, or
service that circumvents normal security to give
program access
✓ When installed on a computer, they allow the
attacker to return at a later time and bypass security
settings
32
Launch Attacks
▪ Bot or zombie, an infected computer that is under the
remote control of an attacker
▪ Groups of zombie computers are gathered into a logical
computer network called a botnet under the control of the
attacker ( bot herder)
▪ Infected zombie computers wait for instructions through a
command and control (C&C) structure from bot herders
✓A common C&C mechanism used today is HTTP, which is
more difficult to detect and block
33
Defending Against Attacks
▪ Layering
▪ Limiting
▪ Diversity
▪ Obscurity
▪ Simplicity
34
Most Common Types of Malware Attacks
Below are a few common types of malware:
▪ Spyware
▪ Adware
▪ Bot (like a robot)
▪ Ransomware
▪ Rootkit
▪ Virus
▪ Trojan horse
▪ Worms
▪ Man-In-The-Middle (MitM)
▪ Man-In-The-Mobile (MitMo).
35
36
The following are common malware symptoms:
▪ There is an increase in CPU usage.
▪ There is a decrease in computer speed.
▪ The computer freezes or crashes often.
▪ There is a decrease in Web browsing speed.
▪ There are unexplainable problems with network connections.
▪ Files are modified.
▪ Files are deleted.
▪ There is a presence of unknown files, programs, or desktop
icons.
▪ There are unknown processes running.
▪ Programs are turning off or reconfiguring themselves.
▪ Email is being sent without the user’s knowledge or consent
37
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023
Lecture 3
1
Social Engineering Attacks
2
Social Engineering:
▪ The art of manipulating people so that they give up
confidential information or break standard security
practices.
3
Facts about Social Engineering Attacks
▪ Everyone is a potential target! (relying on the weaknesses of
individuals to gather information and create patterns)
▪ It’s often easier for cybercriminals to manipulate a human than a
computer network or system (It focus on the human side of
information security).
▪ Attacks can be relatively low-tech, low-cost, and easy to execute.
▪ A social engineering attack may occur:
✓ over the phone,
✓ by e-mail,
✓ or by a visit.
▪ The intent is to acquire access information, such as user IDs and
passwords.
4
Social Engineering Attacks
▪ using social engineering techniques, security
professionals and attackers can accomplish different
tasks ranging from acquiring information to gaining an
access to systems, building and networks.
5
Social Engineering Life Cycle
1. Prepare the Attack
• Identify the victim(s)
• Gather background information
• Select attack method(s)
2. Establish a Relationship
• Engage the target
• Spin a story
• Take control of the interaction
3. Obtain Information
• Expand the foothold
• Execute the attack
• Disrupt business and/or steal data
4. Close the Interaction
• Remove any traces of malware
• Bring the attack to a natural end
6
1. Preparing the
4. Closing the Exit Investigation ground for the
interaction ideally
attack
without arousing
suspicion Social
Engineering
Life Cycle
Play Hook
3. Obtaining the 2. Deceiving the
information over a victim to gain a
period of time foothold
7
Social Engineering attacks can involve two approaches:
▪ Psychological procedures
▪ Physical procedures
8
Psychological Approaches
▪ The goal of those approaches is to persuade the victim to
provide information or take an action
▪ Attackers use a variety of techniques to gain trust without
moving quickly:
▪ Provide a reason
▪ Project confidence
▪ Make them laugh
9
Psychological Approaches procedures
➢ Impersonation - attacker pretends to be someone else:
✓ Help desk support technician
✓ Repairperson
✓ IT support
✓ Manager
✓ Trusted third party
✓ Fellow employee
10
▪ Attackers impersonate co-workers, police officers,
bankers, tax authorities, or charitable
organizations.
▪ An attacker builds a credible story (pretext) that
leaves little room for doubt on the part of their
target.
▪ A false sense of trust is developed with the target.
▪ A pretexter may ask a series of questions designed
to gather personally identifiable information.
▪ Obtain Sensitive Information such as:
• social security number, mothers maiden name, place or date of
birth or account numbers.
11
➢ Phishing; A type of attack often used to steal user data,
including login credentials, personally identifiable information
or credit card numbers. It occurs when an attacker sending an
email claiming to be from legitimate source or poses as a
trusted entity, tricks a victim into opening an email or instant
message.
12
▪ Spear phishing – targets specific users
▪ Whaling – targets the “big fish”
▪ Vishing (Voice phishing) – instead of using email, uses a
telephone call instead
▪ Smishing (text phishing)
13
Phishing forms in more details
Spear Phishing
Sense of Urgency
• Act fast because the super deals are only for a limited time.
• Your account will be suspended unless you update your personal details immediately.
Hyperlinks
• Click here to claim your offer.
• Click here to change your login credentials.
Attachments
• Often contain ransomware, malware or other viruses.
Phishing Email
Phishing Email
Phishing attack
18
➢ Spam; unwanted, unsolicited e-mail sent in bulk/junk
✓ It represents the primary vehicles for distribution of malware
✓ Sending a spam is a profitable business; as it cost spammers very little to
send millions of spam messages
Filter/Classifier
Image spam
19
20
➢ Hoaxes; a false warning, usually claiming to come from the
IT department
▪ Attackers try to get victims to change configuration
settings on their computers that would allow the attacker
to compromise the system
▪ Attackers may also provide a telephone number for the
victim to call for help, which will put them in direct contact
with the attacker
21
➢ Watering hole attack; a malicious attack that is directed
toward a small group of specific individuals who visit the
same website (is a designed attack that target specific
groups)
▪ For example; major executives working for a manufacturing company
may visit a common website, such as a parts supplier to the
manufacturer
22
Physical (in-person)Procedures
▪ The most common physical procedures are:
✓ Dumpster diving
✓ Tailgating
✓ Shoulder surfing
23
▪ Dumpster diving; digging through trash to find information
that can be useful in an attack
▪ One of an electronic variation of dumpster diving is to use
Google’s search engine to look for documents and data
posted online
Called Google dork.
• Google dorking is a hacking technique that makes use of Google's advanced
search services to locate valuable data or hard-to-find content. Google
dorking is also known as "Google hacking."
24
▪ Tailgating; following behind an authorized individual
through an access door
• An employee could cooperate with an unauthorized
person to allow him to walk in with him (called
piggybacking)
25
➢ Shoulder surfing involves looking over a person's shoulder
to gather personal information while the victim is unaware.
This is especially effective in crowded places where a
person uses a computer, smartphone or ATM
26
What is Baiting?
32
▪ A popular payload of malware is software that will allow the
infected computer to be placed under the remote control of
an attacker (known as a bot)
– Multiple bot computers can be used to created a botnet
▪ Social engineering is a means of gathering information for an
attack from individuals
▪ Types of social engineering approaches include phishing,
dumpster diving, and tailgating..etc
▪ The best method of minimizing social engineering attacks is
user education and positive verification of the identity of the
person committing the attack.
33
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023
Lecture 4
1
Fundamentals of Cryptography
2
Cipher & Data security: is the sciences and study of methods of
protecting data in computer and communication systems form
unauthorized disclosure and modification.
Internet
DATA
DATA
Firewall Firewall
encryption decryption
3
Cryptography can provide protection to data as that data
resides in any of three states:
- Data in-use –data actions being performed by “endpoint
devices” e.g. printing a report from desktop computer
- Data at-rest –data this is stored on electronic media
(disk encryption) e.g. USB,HDD
- Data in-transit –actions that transmit the data across a
network e.g. email sent across the Internet
4
Cryptography can provide five basic protections:
✓ Confidentiality prevents the unauthorized accidental or
malicious use or disclosure of information
✓ Integrity safeguards the accuracy, completeness and
correctness of information
✓ Availability ensures that authorized users have reliable and
timely access to information and computer systems when
required
✓ Non-Repudiation is when the “data owner” can’t challenge
that something isn’t valid
✓ Encryption (obfuscation), the practice of obscuring
(hiding)the meaning of a piece of information
5
Cryptology
1. Cryptography; converting messages (scrambling messages) into
"gibberish" that can be converted back to message
2. Cryptanalysis (breaking secret codes).
Cryptology
Cryptography Cryptanalysis
6
Cryptology
Cryptography Cryptanalysis
7
Cryptography Basic Terminology
▪ Plaintext - original message, unencrypted readable text
▪ Ciphertext - coded message, the encrypted text which is formed
after the encryption algorithms
▪ Cipher - algorithm for transforming plaintext to ciphertext
▪ Key – secret info used in cipher, known only to sender/receiver;
the key that is used to encrypt/decrypt the data and called
encryption key
▪ Encipher (encrypt) - convert plaintext to ciphertext
▪ Decipher (decrypt) - recover plaintext from ciphertext
Key
8
Cryptography Basic Terminology
Keyspace : Set of all possible keys of a cipher
Keyspace size:
- Size of the set of all possible keys of a cipher
- Usually given as power of 2 (rounded up)
Example: Caesar
Keyspace={0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,2
0, 21,22,23,24,25}
Keyspace size: 26 ≈ 𝟐𝟓
Note: it is common to express the keyspace size as a power of 2, so 26 is rounded up to the nearest power of 2, which is
2^5 (32). Therefore, the keyspace size for the Caesar cipher is approximately 2^5.
9
Cryptography Process
10
We could have the following Parties (players):
▪ Alice: sender of an encrypted ,message , she need (an encryption algorithm
and a key)
▪ Bob: intended receiver of encrypted message
▪ Eve: passive attacker
▪ Mallory: active attacker
Eve/Mallory
(cryptoanalysis)
Key Key
Encryption Decryption
Alice Bob
11
General Approaches to Cryptanalysis Attack
▪ Cryptanalytic attack: this type of attack exploits the
characteristics of the algorithm to attempt to deduce a
specific plain text or to deduce the key being used.
12
Three types of classical cryptography ciphers:
1. Substitution ciphers
- Replace letters by other letter for example:
- Caesar cipher,
- Simple Monoalphabetic Substitution Cipher (MASC) cipher,
- Vigenère cipher, a polyalphabetic cipher.
2. Transposition cipher
- Change the order of the plain text letters for example
Scytale, columnar transposition
3. Composed ciphers
- Combination of substitution and transposition for example,
ADFGVX, Granite
13
Substitution Technique : Caesar Cipher
Substitution ciphers are based on the principle of replacing each character
with another character in order to hide the actual meaning of the message.
There are a number of different types of substitution cipher:
▪ Simple substitution: replace each character of ordered plaintext alphabet with the
corresponding character of an ordered cipher alphabet
▪ Direct Standard alphabet: shift the letters of the alphabet to the right by k
positions, then modulo the size of the alphabet
- Caesar cipher involves replacing each letter of the alphabet with letter
standing three places further down the alphabet (𝐾=3).
14
Simple substitution: replace each character of ordered plaintext alphabet
with the corresponding character of an ordered cipher alphabet
(where each letter is mapped to a different letter of the alphabet)
▪ It is necessary to change each of the 26 letters in the standard alphabet
to a different letter in the replacement alphabet. For example, let’s
imagine we are trying to encrypt “Hello World!” by using the
substitution alphabet, the message would become “NRQQS USJQO!”
Mapped letters
Plain text:
Hello World!
Cipher text:
NRQQS USJQO!
15
▪ ROT-13 ("rotate by 13 places") is a simple letter substitution cipher that
replaces a letter with the 13th letter after it in the alphabet. ROT-13 is
a special case of the Caesar cipher.
16
Caesar Cipher
𝐶= 𝐸 (𝑃) = (𝑃+𝐾) 𝑚𝑜𝑑 𝑛 , where n is the size of the alphabet.
𝑃=𝐷 (𝐶) = (𝐶−𝐾) 𝑚𝑜𝑑 𝑛
Example: (Caser method) use k=3
Plaintext: Ali
Encipher process: (P+K) mod 26
Answer:
A=0
0+3 mod 26 = 3 = D
L=11
11+3 mod 26=14=O
I=8
8+3 mod 26=11= L
17
Cipher text: DOL
Decipher process: (C-K) mod 26
Sol:
D=3
3-3 mod 26=0=A
O=14
14-3mod26=11=L
L=11
11-3mod26=8=I
18
Transposition cipher
▪ Transposition cipher is one which the order of characters
is changed to obscure the message, an example is Scytale.
A scytale-
https://en.wikipedia.org/wiki/Scytale
19
Example: Encrypt the following plain text:
Meet at three pm today at the usual location.
Use rows of 6 characters.
Answer:
▪ Fill the message row by row.
▪ Then read column by column to get the cipher text:
1 2 3 4 5 6
M E E T A T
Cipher text:
T H R E E P
MTMASC EHTTUA EROTAT TEDHLI AEAELO TPYUON
M T O D A Y
A T T H E U
S U A L L O
C A T I O N
20
Example : decrypt the following cipher text,
AES EAO OIT VUI NNN NEE RLC FTE INV LER LS
Use row of length 4 characters.
Answer: 1 2 3 4
▪ How many row I need? :Total letters/4
A T E L
No. of rows= total no. of letters/ no. of chars
= 32/4= 8 rows E V E N
▪ First fill column by column S U R V
▪ then read by row to get the plain text: E I L L
A N C E
AT ELEVEN SURVEILLANCE ON FRONT LINES
O N F R
O N T L
I N E S
Note: FOR DECRYPT, FILL COLUMN BY COLOUNM AND THEN READ BY ROW.
21
Example : encrypt the following plain text,
AT FOUR SURVEILLANCE ON ENEMY CAMP
Key : MAINE
22
Example: Decrypt the following cipher text:
NAC SMT NAA AOT KEP AOT BC
Key: plan
1 2 3 4
Answer: N T O A
▪ total number no. of column = no. of letters in the key A N T O
▪ Total no. of rows= total no. of letters/no. of column
C A K T
20/4=5 ROWS
S A E B
▪ Write the index of each letter as it is (no order) M A P C
Pla n
4 2 1 3 (a come first in alphabetical order and so on)
▪ Re-write the table according to (4 2 1 3) 1 2 3 4
▪ Read row by row to get the plain text: A T N O
AT NOON ATTACK BASE CAMP O N A T
T A C K
B A S E
C A M P
23
Cryptology
Cryptography Cryptanalysis
24
Types of Encryption
▪ Private (Secret) key
– Symmetric
▪ Public key
– Asymmetric
▪ Hash
– One way transformation (can’t decrypt it)
NIST: The National Institute of Standards and Technology is an agency of the United States Department of Commerce whose mission is to
promote American innovation and industrial competitiveness
25
A fundamental difference in cryptographic algorithms is the amount of data
processed at a time
▪ Stream cipher takes one character and replaces it with another (substitution
cipher)
▪ Block cipher manipulates an entire block of plaintext at one time
▪ Sponge function takes as input a string of any length and returns a string of any
requested variable length
26
Hash Algorithms
▪ Creates a unique “digital fingerprint” of a set of data and
is commonly called hashing
▪ This fingerprint, called a digest (sometimes called a
message digest or hash ), represents the contents
▪ Its contents cannot be used to reveal original data set
▪ Is primarily used for comparison purposes
27
Secure hashing algorithm characteristics:
▪ Fixed size
- Short and long data sets have the same size hash
▪ Unique
- Two different data sets cannot produce the same hash
▪ Original
- It should be impossible to produce a data set that has desired or pre-defined
set.
▪ Secure
- Resulting hash cannot be reversed to determine original plaintext
28
Example of hashing
▪ Bank customer has PIN of 93542
▪ Number is hashed and result stored on card’s magnetic
stripe
▪ User inserts card in ATM and enters PIN
▪ ATM hashes the pin using the same algorithm that was
used to store PIN on the card
▪ If two values match, user may access ATM
29
Why do we use Hash? Keep Original Data Confidential
▪ Passwords are commonly hashed
▪ Password files actually contain hash of your password (not
the password itself)
– When you log in, the computer hashes your password
and compares the hash value to the hash value of the
password that’s on file
30
Hash Algorithms
31
Hash Function
▪ One-way encryption – can’t decrypt
– Has no key
– Hashing creates a fixed length message digest
32
Why do we use Hash? Keep Data Integrity
You could try test when changing one little letter, then the entire
hash value changes
– Example of diffusion
▪ Spreads the change throughout the ciphertext
33
Common Hash Algorithms
▪ MD5 – Message Digest (MD) algorithms
• Produces a 128-bit hash value from an arbitrary-length message
• Replaces MD2 and MD4
▪ Secure Hash Algorithm (SHA) algorithm
• more secure than MD
• No weakness identified
• SHA-1 produces a 160-bit hash value
• SHA-2 describes five algorithms: SHA-1 plus SHA-224, SHA-256, SHA-
384, and SHA-512 which can produce hash values that are 224, 256, 384,
or 512 bits in length, respectively
▪ Hashes are vulnerable to collision attacks
• At this time, there is no obvious successor to MD5 and SHA-1 that could
be put into use quickly
34
COMPARISON OF ENCRYPTION AND HASHING
RACE : R&D in Advanced Communications Technologies. // an org. that is affiliated with EU European Union.
35
Encryption Hashing
A two-way function that takes in A one way method of hiding
plaintext data and turns it into sensitive data
ciphertext
Reversable Unreversible
Asymmetric and symmetric Hashing
Use cases Use cases
▪ Data in transit and rest ▪ Compare large amount of data
▪ Databases ▪ Mapping data
▪ Authentication methods ▪ Digital signature
▪ Passwords
AES,DES, RSA SHA-1,SHA-2
36
Modern Cryptographic Algorithms
Cryptology
Cryptography Cryptanalysis
37
There are two classes of key-based encryption algorithms:
▪ Symmetric (one secret/private-key) algorithm
▪ Asymmetric (public-key) algorithm
38
Message Integrity
4 5
3 Cipher text
4
6
2 Mac address
7
https://en.wikipedia.org/wiki/Message_authentication_code
39
Symmetric algorithms can be divided into:
▪ Stream ciphers ; can encrypt a single bit of plaintext at a
time : bit message: 10101010101000011, each bit will be
encrypted at a time( slow process) and there is no definite
length for a key as it depends on the message length.
▪ Block ciphers; block ciphers take a number of bits (typically
64 bits in modern ciphers), and encrypt them as a single
unit. 10101010 10100001 10000111 01, each time one
block is encrypted, when we have less than 8 bit we use
padding and it could be anything (0000000 or 111111) to
make sure the block is 8 bit.
40
Modern symmetric encryption algorithms examples
▪ Block ciphers encrypt blocks of fixed length (e.g.64/128 bit).
Available in CrypTool are DES (ECB), DES (CBC), Triple DES (ECB),
Triple DES (CBC), Rijndael (AES), MARS, RC2, RC6, Serpent, Twofish, DESX,
DESL and DESXL.
41
▪ Stream ciphers encrypt messages bit by bit and an example
of this class is RC4.
- Because of its ease of use and speed of operation, the RC4 stream
cipher is one of the most popular stream ciphers. It employs key sizes
of 64 bits or 128 bits. Typically, it is utilized in protocols like Secure
Socket Layer (SSL), Transport Layer Security (TLS), and IEEE 802.11
wireless LAN standard.
- In this category CrypTool provides RC4.
42
https://www.javatpoint.com/block-cipher-vs-stream-cipher
43
Symmetric Cryptographic Algorithms
Symmetric cryptographic algorithms :
use the same single key to encrypt and decrypt a document
▪ Original cryptographic algorithms were symmetric
▪ Also called private key cryptography (the key is kept private between
sender and receiver)
44
Symmetric Ciphers
use the same key at
Alice both ends Bob
Plaintext
E Ciphertext D Plaintext
Symmetric Encryption
45
Symmetric Cryptographic Algorithms
Data Encryption Standard (DES)
– Based on product originally designed in early 1970s
– Uses a 56 bit key and is a block cipher
46
Advanced Encryption Standard (AES)-Block Cipher
▪ AES performs 3 steps on every block (128 bits) of plaintext.
▪ Within step 2, multiple rounds are performed depending
upon the key size:
- a 128 bit key performs 10 rounds,
- 192 bit key performs 12 rounds,
- and a 256 bit key, known as AES 256, uses 14 rounds.
47
Asymmetric Cryptographic Algorithms
▪ Asymmetric ciphers (public-key cryptography) permit the
encryption key to be public (it can even be published in a
newspaper), allowing anyone to encrypt with the key,
whereas only the proper recipient (who knows the
decryption key) can decrypt the message. The encryption
key is also called the public key and the decryption key the
private key or secret key.
48
Asymmetric Cryptographic Algorithms
Weakness of symmetric algorithms
- Distributing and maintaining a secure single key among
multiple users distributed geographically
▪ Asymmetric cryptographic algorithms;
- Also known as public key cryptography
- Uses two mathematically related keys
- Public key available to everyone and freely distributed
- Private key known only to individual to whom it belongs
49
Asymmetric Cryptographic Algorithms
50
Common asymmetric
cryptographic algorithms
- RSA (Three developers :Rivest , Shamir, Adleman)
- Most common asymmetric cryptography algorithm
- Uses two large prime numbers
51
How this cryptography works?
1. Alice: She has key pair: Alice private key and Alice public key and the
second part I told you that public key can be shared with the outside
world , Alice will have Bob’s public key
2. Bob: he has key pair: Bob’s private key and Bob’s public key Alice public
key
3. Now Alice wants to send him a message: ”Call me right now”; : Here
Alice will send the message with Bob’s public key and pass it to the
encrypt function ( the encryption function will take the message and bob
public key then we got the cipher text
4. When bob receive the cipher text will pass it to the decryption function
and also pass Bob’s private key to get the original text.
5. In this group of algorithm sharing the public key is a problem as someone
is sitting in between Alice and bob communication channel, Eve could
have bob’s public key and pretend she is Bob. So that, to solve this
problem we can have both cryptography types The asymmetric and
symmetric algorithms
52
Classification of Cryptosystems
53
Summary:
▪ Generally, symmetric algorithms are much faster to
execute on a computer than asymmetric ones.
▪ In practice they are often used together, so that a public-
key algorithm is used to encrypt a randomly generated
encryption key, and the random key is used to encrypt the
actual message using a symmetric algorithm. This is
sometimes called hybrid encryption.
54
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023
Lecture 5
1
Cryptographic Algorithms
2
Symmetric Key Cryptography has Several Weaknesses:
▪ Key distribution is a major problem.
Before beginning communication with a symmetric key protocol,
parties must have a safe way to exchange the secret key. It is
frequently necessary to employ an offline key distribution
method if a secure electronic channel is not available.
3
▪ The algorithm is not scalable.
Symmetric key encryption makes it incredibly challenging for big
groups to communicate. Only by sharing a private key among all
potential user combinations could the group's members have
secure, private communication.
4
The Major Strength of Symmetric Key Cryptography
▪ The ability of symmetric key cryptography to work quickly
is one of its main advantages.
▪ Faster than asymmetric techniques by a factor of 1,000 to
10,000 is symmetric key encryption.
▪ Symmetric key cryptography easily lends itself to
hardware implementations due to the complex
mathematics involved, providing the opportunity for even
faster processes.
5
The Major Weakness of Asymmetric Key/Public Key
Cryptography
6
Major Strengths of Asymmetric Key Cryptography:
▪ The addition of new users requires the generation of only one
public-private key pair. This same key pair is used to communicate
with all users of the asymmetric cryptosystem. This makes the
algorithm extremely scalable.
▪ Users can be removed far more easily from asymmetric systems.
Asymmetric cryptosystems provide a key revocation (invalidation)
mechanism that allows a key to be canceled, effectively removing a
user from the system.
▪ Key regeneration is required only when a user's private key is
compromised. If a user leaves the community, the system
administrator simply needs to invalidate that user's keys. No other
keys are compromised and therefore key regeneration is not
required for any other user.
7
▪ Asymmetric key encryption can provide integrity, authentication,
and nonrepudiation. If a user does not share his/her private key
with other individuals, a message signed by that user can be shown
to be accurate and from a specific source and cannot be later
repudiated.
▪ Key distribution is a simple process.
Users who want to participate in the system simply make their
public key available to anyone with whom they want to
communicate. There is no method by which the private key can be
derived from the public key.
▪ No pre-existing communication link needs to exist. Two individuals
can begin communicating securely from the start of their
communication session. Asymmetric cryptography does not require
a pre-existing relationship to provide a secure mechanism for data
exchange.
8
Symmetric and Asymmetric Cryptography Comparison
The following table compares the symmetric and asymmetric
cryptography systems.
Symmetric Asymmetric
• Single shared key • Key pairs sets
• Not scalable • scalable
• Fast • Slow
• Bulk encryption • Small blocks of data , digital
signatures and certificates
• Confidentiality, integrity • Confidentiality, integrity,
authentication and
nonrepudiation
9
Key Management
Key Management forms the basis of all data security. Data is
encrypted and decrypted via encryption keys, which means the
loss or compromise of any encryption key would invalidate the
data security measures put into place. Keys also ensure the safe
transmission of data across an Internet connection.
10
Public Key Distribution Techniques
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates.
11
1- Public Announcement of Public Keys:
12
2. Public available directory
▪ Maintaining a publicly available dynamic directory of public
keys.
▪ Maintenance and distribution of the public directory would
have to be the responsibility of some trusted entity or
organization.
13
3. Public-key authority
▪ Each participant reliably knows a public key for the authority,
with only the authority knowing the corresponding private key.
▪ Stronger security for public-key distribution can be achieved by
providing tighter control over the distribution of public keys
from the directory.
14
1. A sends a time stamped message to the public-key authority containing a
request for the current public key of B.
2. The authority responds with a message that is encrypted using the
authority's private key, PRauth. Thus, A is able to decrypt the message using
the authority's public key. Therefore, A is assured that the message
originated with the authority.
3. A stores B's public key and also uses it to encrypt a message to containing an
identifier of A (IDA) and a nonce (N1), which is used to identify this
transaction uniquely.
4. B retrieves A's public key from the authority in the same manner a A
retrieved B's public key.
5. At this point, public keys have been securely delivered to A and B, and they
may begin their protected exchange. However, two additional steps are
desirable:
▪ B sends a message to A encrypted with PUa and containing A's nonce
generated by B (N2). Because, only B could have decrypted message (3),
the presence of NI in message (6) assures A that the correspondent is B.
▪ A returns N2, encrypted using B's public key, to assure B that its
correspondent is A.
15
3. Public-key authority - cont’d
The message includes the following:
- B’s public key, Pub which A can use to encrypt messages
destined for B
- The original request
- The original time stamp, so A can determine that this is not
an old message from the authority containing a key other
than B’s current public key corresponding earlier request and
to verify that the original request was not altered before
reception by the authority.
16
4. Public-Key Certificates
▪ A public key certificate is a digitally signed document that serves to
validate the sender's authorization and name.
▪ The certification authority confirms that the sender's name is the one
associated with the public key in the document. A user ID packet,
containing the sender's unique identifier, is sent after the certificate
packet.
17
Asymmetric Encryption - RSA
▪ RSA makes use of an expression with exponentials. Plain text
is encrypted in blocks with each block having a binary value
less than some number n
▪ That is the block size must be less than or equal to
in practice, the block size is i bits, where
for example a block of size =n then the size must be <=
▪ Encryption and decryption are of the following form, for
some plain text block M and cipher text block C
𝐶 = 𝑀𝑒 𝑚𝑜𝑑 𝑛
𝑀= 𝐶 𝑑 𝑚𝑜𝑑 𝑛 = (𝑀)𝑒∗𝑑 mod n
C : cipher text
M: Message
e: a prime no.
n: no. of bits
d: prime no.
18
Asymmetric Encryption - RSA
▪ Choose two large prime numbers p & q
▪ Compute n=p*q and z=(p-1)(q-1) same as Ø(n)
▪ Choose prime number e, less than n, which has no common factor
(other than 1) with z
▪ Find number d, such that (e*d – 1) is exactly divisible by z Keys are
generated using n, d, e
▪ Public key is (n,e)
▪ Private key is (n, d)
▪ Encryption: c = me mod n
▪ m is plain text
▪ c is cipher text
▪ Decryption: m = cd mod n
▪ Public key is shared and the private key is hidden
RSA
Algorithm
20
Facts About Numbers
Prime number p:
◦ p is an integer
◦ p2
◦ The only divisors of p are 1 and p
Examples
◦ 2, 7, 19 are primes
◦ -3, 0, 1, 6 are not primes
Prime decomposition of a positive integer n:
n = p1e1 … pkek
Example:
◦ 200 = 23 52
Fundamental Theorem of Arithmetic
The prime decomposition of a positive integer is unique
10/1/2023 CRYPTOGRAPHY 21
Asymmetric Encryption - RSA
P=5 & q=7
n=5*7=35 and z=(4)*(6) = 24 same as Ø(n)
Choose e = 5
d = 29 , (29x5 –1) is exactly divisible by 24
Keys generated are
◦ Public key: (35,5)
◦ Private key is (35, 29)
Encrypt the word love using (c = me mod n)
◦ Assume that the alphabets are between 1 & 26
l 12 (12 ^5)=248832 17
o 15 759375 15
v 22 5153632 22
e 5 3125 10
Asymmetric Encryption - RSA
17 481968572106750915091411825223072000 17 l
15 12783403948858939111232757568359400 15 o
22 852643319086537701956194499721110000000 22 v
10 100000000000000000000000000000 10 e
Asymmetric Encryption - Weaknesses
▪ Efficiency is lower than Symmetric Algorithms
- A 1024-bit asymmetric key is equivalent to 128-bit
symmetric key
▪ Potential for eavesdropping attack during transmission of
key
▪ It is problematic to get the key pair generated for the
encryption
Asymmetric Encryption – Encryption Protocols
Pretty Good Privacy (PGP)
▪ Used to encrypt e-mail using session key encryption
▪ Combines RSA, Triple DES, and other algorithms
Bob’s Cipher
Public Key
(DES)
Alice and Bob
Bob’s Session Key Generate Same
Private Key Session Key!
Alice’s Cipher
Public Key
(DES)
Asymmetric Encryption – Key Agreement contd.
Diffie-Hellman is the first key agreement algorithm
▪ Invented by Whitfield Diffie & Martin Hellman
▪ Provided ability for messages to be exchanged securely
without having to have shared some secret information
previously
▪ starting of public key cryptography which allowed keys to be
exchanged in the open
▪ No exchange of secret keys
▪ Man-in-the middle attack avoided
Diffie-Hellman Mathematical Analysis
28
1. Each of Alice and Bob has to have a global elements which are publicly available to
any one in the communication channel. So we have one element as a prime
number p and another element called g (generator) which is the primitive root of
prime number p
2. Any user will have 2 keys. Alice and Bob will generate the private key first:
3. Both numbers should be chosen by themselves and should be secret the only
condition is to be less then the prime number, then the public key should be
calculated using the following formulas:
4. After calculating the public key for each of them, they both share the public key
30
Example: Choose prime p=61 , generator g, a primitive of
61=6
Alice Bob
Chooses private key 𝑋𝐴 =50 Chooses private key 𝑋𝐵 =39
Calculate public key 𝑌𝐴 = 𝑔 𝑋𝐴 mod p Calculate public key 𝑌𝐵 = 𝑔 𝑋𝐵 mod p
31
Strength of D_H discrete logarithm problem:
▪ If we take the establish of public key we have:
Y= 𝑔 𝑋 mod p
Given a prime number p, generator g, and x, it should be easy
to calculate y.
Y= 650 mod 61=14
32
D-H Key exchanger in real life
▪ Implemented in security protocols such as :
- Transport layer security,
- IP security (IPsec) ,
- secure shell,
- PGP
▪ Secure our connection to a website , to remotely access
another computer and for sending encrypted emails.
▪ Generally implemented along with some means
authentication such as RSA
33
Digital Signature
It is exactly what it sounds like a modern alternative to sign
documents with paper and pen. It uses an advanced
mathematical technique to check the authenticity and integrity
of digital messages and documents.
34
Digital Signature
▪ The objective of digital signature is to determine authenticity
of a document and data
▪ Uses public key cryptography mechanism
▪ Helpful to authenticate long distance official communication
channels,
Comparison
h
H#
35
▪ Asymmetric key algorithms also provide support for digital
signature technology. Basically, if Bob wants to assure
other users that a message with his name on it was
actually sent by him, he first creates a message digest by
using a hashing algorithm. Bob then encrypts that digest
using his private key. Any user who wants to verify the
signature simply decrypts the message digest using Bob's
public key and then verifies that the decrypted message
digest is accurate.
36
37
Steps of the algorithm:
1. Bob creates a digest for a memo after creating it.
2. Bob uses his private key to encrypt the digest. The digital signature for
the memo is contained in this encrypted digest.
3. Bob SENDS the digital signature and the memo to Alice.
4. After receiving them, Alice uses Bob's public key to decrypt the digital
signature, exposing the digest. (Because only Bob's public key is capable
of decrypting the digest created with his private key, if she is unable to
decrypt the digital signature, she may be certain that it did not originate
from him.)
5. After using the same hash algorithm as Bob, Alice hashes the memo and
compares the output to the digest she obtained from Bob. The message
has not altered since he signed it, so long as they are equal, Alice can be
sure. If the digests differ, Alice will be aware that the message has been
altered since it was signed.
38
Digital Signature
▪ Digital Signature Algorithm (DSA) usually implement the
asymmetric encryption in order to simulate the security
properties of a signature in digital instead of using the
written format
▪ There are two keys involved in this process, a private key
for signing the messages and a public key for verifying the
signatures
▪ The digital signatures are mostly used in the electronic
signature implementation
39
What is Digital Signature Algorithm (DSA)?
▪ It functions on the framework of modular exponential and
discrete logarithmic problems which are difficult to
compute as a force brute system
▪ It provides the message authentication
▪ It provides data integrity verification and nonrepudiation
40
Applications for cryptography
Cryptography can be applied through:
1. Software:
• File and File System Cryptography
-Files can be encrypted or decrypted one at a time using
encryption software.
• Windows systems use the Pretty Good Privacy (PGP)
- Asymmetric cryptography scheme, which is widely used
for files and emails.
- GNU Privacy Guard (GNuPG) is an open-source program
that works with Linux, UNIX, and Windows.
41
▪ Operating System Encryption
• Microsoft Windows Encrypting File System (EFS)
- Cryptography system for Windows
- Uses NTFS file system
- Tightly integrated with the file system
- Encryption and decryption are transparent to the user
42
2. Hardware
▪ Software encryption may be attacked in order to take
advantage of its flaws.
▪ Hardware could include cryptography
- Provides higher degree of security
- Can be applied to USB devices and standard hard drives
43
Trusted Platform Module (TPM)
- A chip on a computer’s motherboard that provides cryptographic services
- Includes a true random number generator
- Entirely done in hardware so it cannot be subject to software attack
- Prevents computer from booting if files or data have been altered
- Prompts for password if hard drive moved to a new computer
44
Hardware Security Module (H S M)
• A secure cryptographic processor
• Includes an onboard key generator and key storage facility
• Performs accelerated symmetric and asymmetric encryption
• Can provide services to multiple devices over a LAN
• These modules traditionally come in the form of a plug in card or an external
device that attaches directly to a computer or network server.
HSM device
45
▪ USB device encryption:
Encrypted hardware-based flash drivers can be used
- Will not connect a computer until correct password has been provided
- Automatic encryption is applied to all data copied to the drive.
- Tamper resistant external cases
- Administrators can remotely control and track activity on the devices
- Stolen drives can be remotely disabled
46
Cryptographic attacks
▪ Brute force
▪ Frequency analysis
▪ Known plain text
▪ Chosen plain text
▪ Related key attack
▪ Birthday attack
▪ Rainbow tables, hashing and salting
▪ Exploiting weak keys
▪ Exploiting human error
47
Summary
The activity of converting data into a safe format while it is being
sent or stored is known as cryptography.
▪ A cryptographic algorithm's strength is determined by a
number of elements:
- the key's secrecy.
- The challenge of trying every key or attempting to guess the key (a key
search). Longer keys are typically more challenging to guess or locate.
- The challenge of reversing the encryption algorithm without the
encryption key (breaking the encryption algorithm).
- the presence (or absence) of back doors, or other techniques that
make it simpler to decode a file without the key.
48
▪ Confidentiality, integrity, authentication, non-repudiation, and
obfuscation (hidden) can all be provided via cryptography.
▪ Hashing creates a unique digital fingerprint that represents
contents of original material
- Used only for comparison
▪ Symmetric cryptography employs a single key to encrypt and
decrypt a message, while hashing provides a distinct digital
fingerprint that represents the contents of the original
material.
- Block ciphers and stream ciphers
49
▪ Asymmetric cryptography
- Public key cryptography
- Uses two keys: public key and private key
50
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023
Lecture 6
1
Administering a Secure Network
2
Administering a Secure Network
Basic concepts of computer networks and protocols
▪ NETWORK FUNDAMENTALS,
▪ OSI MODEL,
▪ SECURE COMMUNICATION
3
Computer Architecture
▪ Central processing unit, where all mathematical and logical operations
are implemented.
▪ Input/output ports; are used for passing instructions/data to or from the
computer
▪ Memory and data storage
4
Network Communication
▪ Protocols;
• Rules for communication
• Essential for proper communication between network
devices
▪ Open Systems Interconnection (OSI) Reference Model (an
abstract framework/theoretical model )
5
Transmission Control Protocol/Internet
Protocol (TCP/IP)
▪ Most common protocol suite used for local area networks
and the Internet
▪ Comprises several protocols that all function together
6
Open Systems Interconnection (OSI)
Reference Model
▪ OSI divides the communication functions used by two hosts into 7 layers
separate layers
▪ TCP/IP has its own stack of protocols that correspond to the OSI layers
Homework: Find the port number for each of the mentioned protocols
https://www.meridianoutpost.com/resources/articles/well-known-tcpip-ports.php
7
OSI and Internet Network Models
Process
H to H
Internet
working
N.W
access
8
Representation of OSI model peer layer logical channels
9
OSI Model Data Names
10
11
Physical layer
User
Application
Presentation
Session
Transport
Network
Data Link
Physical
Media
9V 11
6V 10
3V 01
0V 00
Why Does A Network Need Clock Information?
When transmitting information in serial form the
receiver needs to know when to look at the incoming
data stream to determine the value of the next data
bit
Data link layer
User
Application
Presentation
Session
Transport
Network
Data Link
Physical
Media
15
Network layer
User
Application
Presentation
Session
Transport
Network
Data Link
Physical
Media
16
Transport layer
User
Application
Presentation
Session
Transport
Network
Data Link
Physical
Media
17
Session Layer
User
Application
Presentation
Session
Transport
Simplex: One way communication
Network Half Duplex Two way
communication, but only one
Data Link direction can send data at a time
Full Duplex Two ways
Physical communication, in which data
can be sent in both directions
simultaneously
Media
• Synchronisation of data exchange
• Operates between applications
• Establishes and terminates transfer
18
Presentation Layer
User
Application
Presentation
Session
Transport
Network
Data Link
Physical
Media
19
Application Layer
User
Application
Presentation
Session
Transport
Network
Data Link
Physical
Media
• User interface
• User application
20
21
OSI layers and TCP/IP stack
22
The TCP Life Cycle
Establishing connection oriented communication using a three
way handshake:
▪ Host A sends an initial sequence number in its first packet to
Host B
• Called a SYN packet
▪ Host B receives SYN packet responds with SYN ACK with an
initial sequence number for Host B
• Includes an acknowledgement number that is one more than the initial
sequence number
▪ Host A sends an ACK packet to Host B
• Increases Host B’s sequence number by one
Host B
23
24
TCP- Three way handshake
25
Why Use Networks?
Stand alone computer
▪ Not connected to other computers
▪ Uses local software and data
Network
▪ Group of computers and devices
▪ Connected by transmission media
Advantages of networks
▪ Device sharing by multiple users
▪ Saves money and time
▪ Central network management
26
How networks are used?
Functions provided by a network
▪ E mail
▪ Printer sharing
▪ File sharing
▪ Internet access and Web site delivery
▪ Remote access capabilities
▪ Voice (telephone) and video services
▪ Network management
27
Network Models Types
28
Peer to peer
Direct computer communication
• Equal authority
Individual resource sharing
• May share resources
• May prevent access to resources
Traditional model
• Two or more general purpose computers:
- Capable of sending and receiving information to and from every other computer
▪ Advantages ▪ Disadvantages
- Simple configuration - Not flexible
- Less expensive - Not necessarily secure
- Compared to other network - Not practical for large installations
models
29
Client/Server Networks
Server
• Central computer
• Facilitates communication and resource sharing
Clients
• Personal computers
• Also known as workstations
30
Server Requirements
Network operating system
• Manages resources and client data
• Access by authorized users is ensured
• Limits user access to files
• Restricts user access to the network
• Sets guidelines for computer communication
• Application to clients is provided
Server examples
•UNIX, Linux, Microsoft Server 2016 R2, MAC OS X Server
31
Elements Common to Client/Server Networks
Segment
• Group of nodes
• Uses same communications channel for traffic
•Backbone
• Connects segments and significant shared devices
• “A network of networks”
•Topology
• Computer network physical layout
• Ring, bus, star or hybrid formation
32
Network Topologies
33
Advantages/Disadvantages of Network Topologies
34
Virtual Network
Connections
35
Virtualization
Virtual machine and virtual network
36
What is Virtualization?
Virtualization is the process of creating a software-based, or
virtual representation of something, such as virtual
applications, servers, storage and networks. It is the single
most effective way to reduce IT expenses while boosting
efficiency and agility for all size businesses.
37
▪ Virtual box is a free and open source hosted hypervisor for
x86 virtualization, developed by Oracle Corporation. It
supports the creation and management of guest virtual
machines.
▪ A virtual machine monitor, or hypervisor, is software that
builds and manages virtual machines (VMs). Through
virtual resource sharing, a hypervisor enables a single host
computer to handle a number of guest virtual machines
(VMs).
38
Type 1 Type 2
39
Virtualization
▪ VM appears to user no different than physical computer:
▪ Running the same software
▪ Host
▪Physical computer
▪ Guest
▪Virtual machines
▪ Hypervisor
▪Manages virtual machines
40
Oracle Virtual Box
▪ A free and open-source hosted hypervisor for x86
virtualization, developed by Oracle Corporation. It supports
the creation and management of guest virtual machines
▪ Originally created by Innotek GmbH from Germany
▪ Sun Microsystems acquired Innotek in 2008
▪ Oracle Corporation acquired Sun in January 2010 and re-
branded the product as "Oracle VM VirtualBox“
41
Advantages of virtualization
▪ Efficient use of resources
▪ Cost and energy savings
▪ Fault and threat isolation
▪ Simple backups, recovery, and replication
Disadvantages of virtualization
▪ Compromised performance
▪ Increased complexity
▪ Increased licensing costs
▪ Single point of failure
42
Why Use a Hypervisor?
▪ There is no distinction between the real and virtualized
environments from the perspective of a VM.
▪ Guest machines are unaware that they were generated in a
virtual environment by the hypervisor or that they share
available processing power.
▪ The hypervisor allows VMs to function as typical computing
instances, this fact makes the hypervisor useful for companies
planning to:
- utilize their computer resources as efficiently as possible. The CPU and memory
of a single server running many virtual environments are fully used.
- Improve the mobility of IT. The VMs may be simply moved to different systems
and are independent of the host hardware.
43
Virtual appliance includes:
▪ Image of operating system, software, hardware
specifications, and application configuration
▪ Most commonly virtual servers
Popular functions
▪ Firewall
▪ E-mail solutions
▪ Network management
▪ Remote access
44
Network Connection Modes
Each of the networking adapters can be separately configured to operate in
one of the following modes:
▪ Bridged
- VNIC accesses physical network using host machine’s NIC
- Obtains own IP address, default gateway, and netmask from DHCP
server on physical LAN
▪ NAT
- VNIC relies on host to act as NAT device (it takes the IP address from
the host)
- Obtains IP addressing information from host
- Virtualization software acts as a DHCP server
- Default network connection type in VMware, VirtualBox, and KVM
▪ Host-only
- VMs on one host can exchange data with each other and the host
Cannot communicate with nodes beyond the host
- Never receive or transmit data with host’s physical NIC
Note: in our labs, we need to use either NAT or Host only.
45
Network Connection Modes
•Bridge mode:
•Virtual NIC accesses physical network using host machine's NIC
•It obtains own IP address,
•It also obtains default gateway, and netmask from the DHCP server on physical LAN
Host
IP: 192.168.1.132 IP: 192.168.1.133
VM1 VM2
VNIC1 VNIC2
Virtual Switch
Physical NIC
IP: 192.168.1.131
Physical N.W
DHCP
server 46
▪ You may open the Network and Sharing centre in Control Panel, click Change
Adapter settings from the left panel, and then proceed to create a Network
Bridge.
▪ You must choose at least two LAN or
High-Speed Internet connections that
aren't being utilized by Internet
Connection Sharing in order to
construct a Network Bridge. Choose
the minimum of two and a maximum
of more network connections you
wish to add to the bridge.
47
Network Connection Modes
Network Address Translation (NAT) mode
• Is used when you share your internet connection of your physical interface.
• it obtains IP addressing information from the host
• The virtualization software acts as a DHCP server in this case
VM1 VM2
VNIC1 VNIC2
Virtual Switch
Physical N.W
48
Host only
▪ In this mode , VMs on the host can talk to each other and
with their host but they can not communicate with any
other computers beyond.
▪ This connection mode is useful when we set up an isolated
private virtual network.
▪ When we can have cyber attack experiment, in this mode
we can avoid leaking out packets into our normal network
▪ VMs on one host can exchange data with each other and the
host
▪ VMs Never receive or transmit data with host's physical NIC
▪ Virtual machines cannot communicate with nodes beyond
the host
49
The difference between NAT, Bridge, and Host-Only Network Modes?
50
Network Connection Types
Each of the networking adapters can be separately configured to operate in
one of the following modes:
▪ Bridged
- The virtual Network Interface Card (vNIC) accesses physical network
using host machine’s NIC
- Obtains own IP address, default gateway, and netmask from DHCP
server on physical LAN
▪ NAT
- vNIC relies on host to act as NAT device
- Obtains IP addressing information from host
- Virtualization software acts as a DHCP server
- Default network connection type in VMware, VirtualBox, and KVM
▪ Host-only
- VMs on one host can exchange data with each other and the host
- Cannot communicate with nodes beyond the host
- Never receive or transmit data with host’s physical NIC
51
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023
Lecture 8
1
Networking and Server Attacks
2
Networking Based Attacks
A number of attacks that target a network or a
process that relies on a network; can be classified
under the following categories:
▪ Interception-based attacks
▪ Poisoning attacks (Attacks using poisoning)
3
▪ Three of the most typical Interception-based attacks
(interception attacks) include:
4
Man-in-the-Middle Attacks (MITM)
- Two computers are sending and receiving data with a
computer between them
- An “Interception” of legitimate communication and
fabricating a fictitious response to the sender could be
occur
- A MITM could occur between two users, however, many
MITM attacks are between a user and a server
- the Objective of this attack is to make a service unusable,
usually by overloading the server or network
For example,
- Consume host resources:
• TCP SYN floods
• ICMP ECHO (ping) floods
- Consume bandwidth
• UDP floods
• ICMP floods
5
Man-in-the-Middle Attacks (MITM)
6
Attacks by “Man In The Middle" can occur in a variety of ways:
▪ Internet Protocol (IP) Spoofing
▪ Domain Name System Spoofing(DNS cache poisoning)
▪ HTTP Spoofing
▪ Secure Sockets Layer Hijacking(SSL stripping)
▪ Email Hijacking
7
IP Spoofing
▪ All devices that connect to the internet have an IP Address
8
Man in the Browser (MITB)
▪ This attack intercepts communication between parties to
steal or manipulate the data
- Occurs between a browser and the underlying computer
▪ A MITB attack usually begins with a Trojan infecting the
computer and installing an “extension” into the browser
configuration
- When the browser is launched the extension is activated
- Extension waits for a specific webpage in which a user enters
information such as account number and password for a financial
institution
- When users click “Submit” the extension captures all the data from
the fields on the form
- May even modify some of the data
9
Man in the Browser (MITB)
10
Man in the Browser (MITB)
11
MITB Attack Features:
▪ Most MITB attacks are distributed through a Trojan browser extension
making it difficult to recognize that malicious code has been installed
▪ An infected MITB browser might remain dormant for months until triggered
by the user visiting a targeted website
▪ MITB software resides exclusively within the web browser, making it
difficult for standard anti-malware software to detect it
12
Replay Attack
Attacker makes copy of transmission before sending it to the
original recipient:
- uses a copy for a later use, such as saving login information.
13
Poisoning Attacks
▪ Poisoning is the act of introducing a substance that harms
or destroys
▪ Three types of attacks inject “poison” into a normal
network process to facilitate an attack:
- Address Resolution Protocol (ARP) poisoning
- DNS poisoning
- Privilege escalation
14
ARP Poisoning
▪ If the IP address for a device is known but the MAC
address is not, the sending computer sends an ARP packet
to determine the MAC address
▪ MAC addresses are stored in an ARP cache for future
reference
▪ All computers that “hear” the ARP reply also cache the
data
▪ It relies upon MAC spoofing, which is imitating another
computer by means of changing the MAC address
15
16
DNS poisoning
▪ Domain Name System is the current basis for name
resolution to IP address
▪ DNS poisoning substitutes DNS addresses to redirect a
computer to another device
▪ Two locations for DNS poisoning
- Local host table
17
DNS Posing/Spoofing
▪ DNS refers to “Domain Name Server/System”. The DNS
system converts names to IP Addresses.
▪ When Spoofing a DNS, A person forced to a fake website
that looks just like the real one they are supposed to be
seeing.
▪ The goal of the attacker is to divert traffic or retrieve login
credentials.
18
19
Privilege Escalation
▪ Access rights
- Privileges to access hardware and software resources that are granted to users
▪ Privilege escalation
- Exploiting a software vulnerability to gain access to resources that the user
normally would be restricted from accessing
▪ Two types of privilege escalation:
- When a lower privilege user accesses functions restricted to higher privilege
users (sometimes called vertical privilege escalation)
- When a user with restricted privilege accesses different restricted functions of a
similar user ( horizontal privilege escalation)
20
Server Attacks
▪ A compromised server can provide threat actors with its
privileged contents or provide an opening for attacking any
of the devices that access that server
21
Denial of Service (DoS)
▪ Denial of Service (DoS)
- A deliberate/intentional attempt to prevent authorized users
from accessing a system by overwhelming it with requests
▪ Most DoS attacks today are distributed denial of service
(DDoS)
- Using hundreds or thousands of devices flooding the server with
requests
▪ Smurf attack
- An attacker broadcasts a network request to all computers on
the network but changes the address from which the request
came from (called IP spoofing)
- Appears as if victim’s computer is asking for response from all
computers on the network
- All computers send a response to the victim’s computer so that
it is overwhelmed
22
Denial of service (DoS)
▪ DNS amplification attack
- Flood a victim by redirecting valid responses to it
- Uses publicly accessible and open DNS servers to flood a system with
DNS response traffic
▪ SYN flood attack
- Takes advantage of procedures for initiating a session
▪ In a SYN flood attack against a web server:
- The attacker sends SYN segments in IP packets to the server
- Attacker modifies the source address of each packet to computer
addresses that do not exist or cannot be reached
23
Distributed DoS
▪ The handlers are usually very high volume servers
◦ Easy to hide the attack packets
24
Distributed DoS
Attacker
Handler Handler
Victim
25
Web Server Application Attacks
▪ It is more challenging to secure online applications than
it is to secure traditional systems.
▪ Attacks known as "zero day attacks" take use of
vulnerabilities that were not previously discovered,
leaving victims with no time to protect themselves.
▪ Traditional network security devices can block traditional
network attacks, but cannot always block web
application attacks
- Many network security devices ignore the content of HTTP traffic
26
▪ Several different web application attacks, focus on user
input and there Two forms of those attacks:
- Cross-site attacks
- Attacks using injection
27
Cross-site Attacks
▪ In a cross-site scripting (XSS) attack
- The threat actor takes advantage of web applications that accept user input
without any validating it before presenting it back to the user
▪ When victim visits injected Web site:
- Malicious instructions are sent to victim’s browser
▪ Some XSS attacks are designed to steal information(that
could be any information could be stored in the browser
cache like session tokens ,cookies, so that the attacker can
impersonate that user to that site) :
- Retained by the browser when visiting specific sites
▪ An XSS attack requires a website meets two criteria:
- Accepts user input without validating it
- Uses the input in a response back to the user
28
Cross-site Attacks
29
Cross-site request forgery
30
Injection Attacks
▪ Introduce new input to exploit a vulnerability. One of the
most common injection attacks, called SQL injection,
inserts statements to manipulate a database server
▪ What is SQL (Structured Query Language)?
- Used to view and manipulate data stored in relational database
31
Hijacking
▪ Several server attacks are the result of threat actors
“commandeering” a technology and then using it for an attack
▪ Common hijacking attacks include:
- Session hijacking
- URL hijacking
- Domain hijacking
- Clickjacking
32
▪ Session Hijacking
- Attacker attempts to impersonate a user by stealing or guessing session
token
- Session token is a random string assigned (basically this is the cookies)
to an interaction between user and web application
• An attacker can attempt to obtain the session token:
- By using XSS or other attacks to steal the session token cookie from the
victim’s computer
- Eavesdropping on the transmission (MIM)
- Guessing the session token
33
▪ URL hijacking (also called typo squatting)
- Users are directed to a fake look-alike site filled with ads for which the
attacker receives money for traffic generated to the site
- Attackers purchase the domain names of sties that are spelled
similarly to actual sites
- Example: goggle.com misspelling or google.net incorrect domain.
- Earlier Error Message : HTTP Error404 Not Found.
- But now, user will be directed to these fake look alike sites
- Threat actors are also registering domain names that are one bit
different (called bit squatting)
34
▪ Domain hijacking; occurs when a domain pointer that
links a domain name to a specific web server is changed
by a threat actor
- When a domain is hijacked
- A threat actor gains access to the domain control panel and redirects the
registered domain to a different physical web server
35
Clickjacking
▪ Hijacking a mouse click
▪ The user is tricked into clicking a link that is other than what
it appears to be
▪ Clickjacking often relies upon threat actors who craft a zero-
pixel IFrame
- IFrame (short for inline frame) is an HTML element that allows for
embedding another HTML document inside the main document
- Sometimes IFrame is called user interface redress attack or UI,
- You will not be able to see it because the attacker has put another
layer of the website in front of the actual site and then the victim will
interact with the malicious site
- A zero-pixel IFrame is virtual invisible to the naked eye
36
Overflow Attacks
▪ Designed to “overflow” areas of memory with instructions
from the attacker
▪ Types of overflow attacks:
- Buffer overflow attacks
- Integer overflow attacks
37
Buffer overflow attacks
- Occur when a process attempts to store data in RAM
beyond the boundaries of a fixed-length storage buffer
- Extra data overflows into adjacent memory locations
38
▪ An integer overflow is the condition that occurs when the
result of an arithmetic operation exceeds the maximum
size of the integer type used to store it
▪ In an integer overflow attack:
- An attacker changes the value of a variable to something outside the range
that the programmer had intended by using an integer overflow
▪ This type of attack could be used in the following
situations:
- An attacker could use an integer overflow attack to create a buffer
overflow situation
- A large positive value in a bank transfer could be wrapped around by
an integer overflow attack to become a negative value
• Could reverse flow of money
39
Advertising Attacks
Several attacks attempt to use ads or manipulate the advertising system
▪ Two of the most common:
- Malvertising
- Ad fraud
40
Malvertising
▪ Threat actors use third-party advertising networks to distribute
malware to unsuspecting users who visit a well-known site
- Known as malvertising or a poisoned ad attack
41
▪ Ad fraud
- Threat actors manipulate pre-roll ads to earn ad
revenue that is directed back to them
42
Browser Vulnerabilities
▪ Web browser additions have introduced vulnerabilities in
browsers that access servers
▪ These additions are:
- Extensions
- Plug-ins
- Add-ons
43
Scripting Code
▪ Adding dynamic content
- Web server downloads a “script” or series of instructions in the form
of computer code that commands the browser to perform specific
actions
▪ JavaScript is the most popular scripting code
- JavaScript instructions are embedded inside HTML documents
▪ There are different defense mechanisms intended to prevent
JavaScript programs from causing serious harm
▪ However, there are security concerns
- A malicious JavaScript program could capture and remotely transmit
user information without the user’s knowledge or authorization
44
▪ Extensions expand the normal capabilities of a web
browser; For a specific webpage
▪ Most extensions are written in JavaScript
- So that the browser can support dynamic actions
▪ Extensions are browser dependent
- An extension that works in Google Chrome will not function in
Microsoft Edge
45
▪ Plug-in; Adds new functionality to a web browser so users can play
music, view videos, or display special graphical images
▪ A single plug-in can be used on different web browsers
▪ One common plug-in supports Java
- Java can be used to create a separate program called a Java applet
▪ Most widely used plug-ins for web browsers:
- Java, Adobe Flash player, Apple QuickTime, and Adobe Acrobat Reader
46
▪ Add-ons
- Add a greater degree of functionality to the web browser
▪ Add-ons can do the following:
- Create additional web browser toolbars
- Change browser menus
- Be aware of other tabs open in the same browser
- Process the content of every webpage that is loaded
▪ Due to the risks associated with extensions, plug-ins, and
add-ons
- Efforts are being made to minimize them
- Some web browsers now block plug-ins
- HTML5 standardizes sound and video formats so that plug-ins like
Flash are no longer needed
47
48
Summary
▪ Some attacks are designed to intercept network
communications; e.g; Man-in-the-middle and replay
attacks
▪ Some types of attacks inject “poison” into a normal
network process to facilitate an attack
▪ Whereas some attacks are directed at the network itself,
other attacks are directed at network servers
- Denial of service, DNS amplification attack, and SYN flood attack are
examples
▪ A cross-site scripting (XSS) attack is focused not on
attacking a web application server, but on using the server
to launch other attacks on computers that access it
49
▪ Several server attacks are the result of threat actors
“commandeering” a technology and then using it for an
attack
▪ Some attacks can target either a server or a client by
“overflowing” areas of memory with instructions from the
attacker
▪ Most websites today rely heavily upon advertising revenue
- Several attacks attempt to use ads or manipulate the advertising
system
▪ To provide enhanced features, virtually all websites today
allow scripting code to be downloaded from the web server
into the user’s web browser
50
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023
Lecture 9
1
Network Boundary (F.W/IPS) Defense
Firewall Types/Architectures
Intrusion Prevention Systems (IPS)
Part 1
2
Introduction to Firewall Security
What Is a Firewall?
▪ A firewall is a system that enforces an access control policy
between two networks; such as your private LAN and the
unsafe/untrusted public Internet.
▪ The firewall determines which inside services can be
accessed from the outside, and vice versa.
▪ The firewall can be thought of as a pair of mechanisms:
- one to block traffic, and
- one to permit traffic.
▪ A firewall is more than the locked front door to your
network; it’s your security guard as well.
3
Introduction to Firewall Security
▪ A firewall could be a hardware or software system that prevents
unauthorized access to or from a network.
▪ It can be implemented in both hardware or software, or a
combination of both.
▪ Firewalls are frequently used to prevent unauthorized Internet
users from accessing private networks connected to the Internet.
▪ All data entering or leaving the intranet pass through the firewall,
which examines each packet, and blocks those that do not meet
the specified security criteria.
4
How do firewalls work?
A firewall that protects an entire network is typically a separate
hardware device. These hardware firewalls are usually located
outside the network security perimeter as the first line of
defense.
5
General features of Firewalls
- Port Control
- Network Address Translation
- Application monitoring
- Packet filtering
6
Viruses and Firewalls
- In general, firewalls can not protect against viruses,
- An anti-virus software is needed for that purpose,
- However, may security suites such as MacAfee and Norton
offer the complete protection other have limited virous
protection features.
7
Firewall Types
▪ Hardware firewalls are integrated into the router that
sits between a computer and the Internet
▪ Software firewalls are programs installed on individual
servers. They intercept each connection request and
then determine whether the request is valid or not
8
What is a Hardware Firewall?
▪ It is a physical device or a set of physical devices which act as the
first line of defence for a computer network. A very basic hardware
firewall example is a router that is normally used in most of the
households with Wi-Fi Fibernet connections
▪ It is just a software firewall running on a dedicated piece of
hardware
▪ It is a barrier to keep destructive forces away from your devices
9
Hardware Firewall, What it does!
▪ It is a hardware device that filters the information coming
through the internet connection into your private network
or computer system.
▪ Any incoming packet of information is flagged by the
filters, it is not allowed through(denied)
10
Software Firewalls
▪ Firewalls that are only software operate on a machine that
is also capable of other tasks. This category includes the
majority of personal firewalls designed to protect a single
machine.
▪ The purpose of a personal firewall is to safeguard your
computer while it is connected to the Internet, not to turn
your computer into a standalone firewall.
▪ There are several software-based business firewalls as
well.
11
Windows personal firewall settings
12
Software firewalls vs Hardware firewalls
▪ Software firewalls inherit all vulnerabilities of the OS on
which they run.
▪ Software firewall architectures are well known, it is easier
to exploit its vulnerabilities (e.g. Buffer overflow).
▪ Software firewalls often have better performance: they
benefit of rapid advances and low prices in PC hardware.
13
Firewall Layer of Operation
1. Network Layer:
- Makes decision based on the source, destination address
and port in individual IP packets
- Based on routers
- Has the ability to perform static and dynamic packet
filtering and stateful inspection
Static Packet Filtering
- It looks at a minimal information in the packets (such as IP
headers: source and dest. address) to allow or block traffic
between specific service port
• It offers little protection
14
Dynamic Packet Filtering
- It maintains a connection table in order to monitor
requests and replies:
• tracking of TCP connections, beginning with the "three-way handshake" (SYN,
SYN/ACK, ACK)
Stateful Inspection
- Compares certain key parts of the packet to a DB of
trusted information. Incoming information is compared to
outgoing information characteristics and if the
comparison leads to a reasonable math then the
information is allowed.
Note:
- static or stateless firewalls; make decision based on variables like IP/ MAC/ port no.
- Dynamic/stateful firewalls; make decisions based on a whole picture.
15
2. Application layer
- They are generally, hosts running proxy servers which
perform logging and auditing of traffic through the network
- Logging and access control are done through software
components
Proxy services
- Application that maintains traffic between a protected network and the
internet
- Able to understand the application protocol being utilized and
implemented protocol specific security
- Application protocols include FTP,HTTP..etc
Port scans
- When hackers remotely spy on your computers to see what software
and services you have, the most common tool is port scan (network
scanning: Nmap).
- Proper configuration and maintain the firewall could restrict such
access.
16
Types of Firewall Techniques
Different firewalls have different methods of inspecting packets
for acceptance or rejection
17
Packet Filtering Firewall Mechanism
▪ In this firewall type, there are security rules that block traffic
based on IP address and IP protocol
▪ Work at the network level of the OSI model (transport and
network layers of the TCP/IP stack)
▪ Packets can be filtered (permitted or denied) based on a
wide range of criteria:
- Source IP address
- Destination IP address
- Protocol Type (IP, TCP, UDP, ICMP, ESP, etc.)
- Source Port
- Destination Port
18
19
Packet filtering is implemented as a rule-list:
A important aspect to consider is the rule-list. Rule-list always parsed from top to
bottom. To avoid having a preceding, more comprehensive rule invalidate a
particular rule, more detailed rules should always be near the head of the rule list.
Moreover, an implicit "deny any" rule that frequently cannot be eliminated
typically resides at the bottom of a rule-list. Hence, rule-lists that exclusively
include deny statements will stop all traffic.
20
Packet Filtering Firewall Functions
▪ Forward the packet(s) on to the intended destination
▪ Reject the packet(s) and notify the sender
▪ Drop the packet(s) without notifying the sender.
▪ Log accepted and/or denied packet information
▪ NAT - Network Address Translation
21
NAT (Network Address Translation)
▪ Public IP addresses are rare.
▪ Instead of reserving 256 addresses for 100 workstations, we
can hide those 100 workstations behind a single address.
▪ With regards to this, the IETF has reserved three address
ranges, one for each IPv4 class: :
- Class A - 10.x.x.x (10.0.0.0 - 10.255.255.255)
- Class B - 172.16-31.x.x (172.16.0.0 - 172.31.255.255)
- Class C - 192.168.x.x (192.168.0.0 - 192.168.255.255)
NAT is used:
- to translate between private addresses and public addresses.
- To allow devices configured with a private address to be
stamped with a public address, thus allowing those devices to
communicate across the Internet.
- to perform a public-to public address translation, or a private-to-
private address translation as well.
22
NAT Basic Principle
▪ Use private addresses in the internal network and
one/several public addresses to communicate with the
Internet.
▪ When a packet leaves the internal network, we replace its
source address by a public address.
▪ When a packet arrives from the Internet, we replace its
public destination by a private address.
▪ We use a translation table to store the relations between
internal and external addresses.
23
Packet Filtering Firewall Mechanism
Advantage:
▪ Packet filtering firewalls is low cost and low impact on
network performance
▪ Usage and best suited for Smaller Networks.
Disadvantage:
▪ Filter rules are sometimes difficult to test
▪ Packet filtering can degrade router performance
▪ It’s also Vulnerable to Spoofing in some cases (attackers
can “tunnel” malicious traffic through allowed ports on the
filter.)
24
Stateful Firewalls Mechanism
▪ Stateful inspection, also known as dynamic packet filtering, is a
firewall technology that monitors the state of active
connections and uses this information to determine which
network packets to allow through the firewall.
▪ Stateful inspection monitors communications packets over a
period of time and examines both incoming and outgoing
packets.
▪ In a firewall that uses stateful inspection, the network
administrator can set the parameters to meet specific needs. In
a typical network, ports are closed unless an incoming packet
requests connection to a specific port and then only that port is
opened. This practice prevents port scanning, a well-known
hacking technique.
25
Stateful Inspection Firewall Functions
▪ Keeps a record of the state of a connection
▪ Makes decisions based on the connection and conditions
▪ It combines the aspects of the other three types of firewalls
▪ It filters packets at the network layer, determine whether
session packets are legitimate and evaluate contents of
packets at the application layer
26
Application Proxy Firewalls
▪ Application Proxy firewalls offer more security than other
types of firewalls, but at the expense of speed and
functionality, as they can limit which applications the
network supports.
▪ In application proxy firewall, computers establish a
connection to the proxy, which serves as an intermediary,
and initiate a new network connection on behalf of the
request. This prevents direct connections between systems
on either side of the firewall and makes it harder for an
attacker to discover where the network is, because they
don't receive packets created directly by their target
system
27
▪ Application level gateways, also called proxies, are similar
to circuit-level gateways except that they are application
specific
▪ Gateway that is configured to be a web proxy will not
allow any ftp, telnet or other traffic through
▪ Operate on the application protocol level
28
Application Proxy firewalls
29
Application Proxy Firewalls Drawbacks
▪ Requires modification to client software application
▪ Some client software applications don’t accommodate the
use of a proxy
▪ Some protocols aren’t supported by proxy servers
▪ Some proxy servers may be difficult to configure and may
not provide all the protection you need.
30
Circuit-level gateway
▪ Circuit level gateways work at the session layer of the OSI
model, or the TCP layer of TCP/IP
▪ Monitor TCP handshaking between packets to determine
whether a requested session is legitimate.
31
General Performance
32
The Benefits of Firewall Security
▪ Monitors Traffic
A firewall monitors all of the traffic entering your computer network. A two-way firewall does
double duty and monitors the traffic exiting your network as well. Often, provide summaries to
the administrator about what type/volume of traffic has been processed through it.
▪ Blocks Trojans
A firewall helps block Trojan horses. These types of intruders latch onto the computer files, and
when the file sends out a file, they go along for the ride to do more damage at the destination.
A firewall blocks them from the outset, before they have a chance to infect your computer.
▪ Stops Hackers
Having a firewall keeps hackers out of your network. Without firewall security, a hacker could
get a hold of your computer and make it a part of what’s called a botnet, which is a large group
of computers used to conduct an illicit activity, such as spreading viruses. Also individuals, who
you may not suspect, such as neighbors, can also take advantage of an open Internet
connection you may have. A firewall prevents them.
▪ Stops Keyloggers
Having firewall security will reduce the risk of keyloggers monitoring you. A keylogger is
spyware software that cybercriminals try to put on your computer so they can target your
keystrokes. After they can identify what you're typing in and where, they can use that
information to do the same thing. This knowledge can help them log in to your private online
accounts.
33
Summary-Firewall Security
▪ Can be software-based or hardware-based
▪ Both types inspect packets and either accept or deny entry
▪ Hardware firewalls tend to be more expensive and more
difficult to configure and manage
▪ Software firewalls running on a device provide protection to
that device only
▪ All modern OSs include a software firewall, usually called a
host-based firewall
34
Several types of firewalls include:
▪ Network firewalls,
▪ Host-based firewalls, and
▪ Application-based firewalls.
35
Key Terms
▪ Private network: In IP networking, a private network is a network
that uses private IP address space. Both the IPv4 and the IPv6
specifications define private IP address ranges. These addresses
are commonly used for local area networks in residential, office,
and enterprise environments. A private network is any network
to which access is restricted.
36
Key Terms
▪ VLANs: A virtual LAN is any broadcast domain that is partitioned and
isolated in a computer network at the data link layer. Virtual local area
network (VLAN) is a logical group of workstations, servers and
network devices that appear to be on the same LAN despite their
geographical distribution. The purpose of implementing a VLAN is to
improve the performance of a network or apply appropriate security
features.
▪ DMZ or demilitarized zone is a physical or logical subnetwork that
contains and exposes an organization's external-facing services to an
untrusted, usually larger, network such as the Internet. DMZs are
intended to function as a sort of buffer zone between the public
internet and the private network. Deploying the DMZ between two
firewalls means that all inbound network packets are screened using a
firewall or other security appliance before they arrive at the servers
the organization hosts in the DMZ.
37
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023
Lecture 10
1
Network Boundary Defense
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
Part2
2
What is an Intrusion ?
▪ An intrusion can be defined as any set of actions that attempt to
compromise the integrity, confidentiality or availability of a resource.
[Heady R. 1990]
5
Intrusion Detection System (IDS)
▪ It is a device or software application that monitors a network
or systems for malicious activity or policy violations.
▪ It comprises three logical components:
✓ Sensors: collect data
✓ Analyzers: determine if intrusion has occurred
✓ User interface: view output or control system behaviour
▪ It can detect attack as it occurs
▪ Inline (means directly connected to the network) IDS
- Connected directly to the network and monitors the flow of
data as it occurs
▪ Passive IDS
- Connected to a port on a switch, which receives a copy of
network traffic
6
IDS Principles
Assumption: intruder behavior differs from legitimate users
- Expect overlap as shown
- for legit users:
Observe major deviations from past history
- Problems of:
• false positives
• false negatives
• must compromise
11
Signature/Heuristic Detection
▪ Uses a set of known malicious data patterns or attack rules
that are compared with current behavior
▪ Also known as misuse detection
▪ Can only identify known attacks for which it has patterns or
rules (signature)
• Very similar to anti-virus (requires frequent updates)
• Rule-based penetration identification
- rules identify known penetrations/weaknesses
- often by analyzing attack scripts from Internet (CERTs)
Example of Rules in A Signature Detection IDS
14
Disadvantages of Signature-based IDS
▪ Databases to constantly be updated to matches patterns that
are not in the database.
▪ The system can only detect known attacks only.
▪ Even slight variations on known attack are likely to be missed
by signature based systems.
▪ If someone develops a new attack, there will be no
protection.
▪ “Only as strong as its rule set.”
▪ Another problem occurs when an attacker will try to modify
a basic attack in such a way that it will not match the known
signature of that attack. For example, the attacker may
convert lowercase to uppercase letters
15
Intrusion Detection System Types
▪ Host based Intrusion Detection System (HIDS)
▪ Network based Intrusion Detection System (NIDS)
▪ Application Protocol based Intrusion Detection System (APIDS)
16
Host based IDS (HIDS)
▪ It refers to intrusion detection that takes place on a single
host system; specialized software to monitor system
activity to detect suspicious behavior
▪ Currently, HIDS involves installing an agent on the local
host that monitors and reports on the system configuration
and application activity.
▪ Some common abilities of HIDS systems include log
analysis, event correlation, integrity checking, policy
enforcement, rootkit detection, and alerting. They often
also have the ability to baseline a host system to detect
variations in system configuration.
17
Advantages of Host based Intrusion Detection Systems:
- Verifies success or failure of an attack
- Monitors System Activities
- Detects attacks that a network based IDS fail to detect
- Does not require additional hardware
- Lower entry cost
18
Network-Based IDS (NIDS)
▪ A Network-based Intrusion Detection System (NIDS) is used
to monitor and analyze network traffic to protect a system
from network-based threats. A NIDS reads all inbound
packets and searches for any suspicious patterns.
▪ When threats are discovered, based on its severity, the
system can take action such as :
• notifying administrators, or
• barring the source IP address from accessing the network.
19
Advantages of NIDS:
- Lower cost of ownership
- Easier to deploy
- Detect network based attacks
- Retaining evidence
- Real Time detection and quick response.
- Detection of failed attacks
20
Application Protocol based Intrusion Detection System
(APIDS)
21
The functions of an IDS include:
▪ Intrusion detection
▪ Evidence gathering on invasive behaviour
▪ Automatic reaction (such as connection termination and warning message)
▪ Security policy
▪ Interaction with system tools
▪ Security policy management
22
Comparison between Firewalls and IDS
▪ IDS and firewall both are related to network security but an
IDS differs from a firewall as a firewall looks outwardly for
intrusions in order to stop them from happening.
▪ In order to prevent intrusion, firewalls limit access across
networks, and if an attack originated from within the
network, it is undetectable. After an intrusion has really
occurred, an IDS characterizes it and then raises an alert.
23
Detection/Monitoring Methods of IDS
▪ Anomaly based monitoring
• Compares current detected behavior with baseline
▪ Signature based monitoring
• Looks for well known attack signature patterns
▪ Behavior based monitoring
• Detects abnormal actions by processes or programs
• Alerts user who decides whether to allow or block activity
▪ Heuristic monitoring /to find or to discover
• Uses experience based techniques
24
Intrusion Prevention System (IPS)
▪ An intrusion prevention system (IPS) is a network security and threat
prevention tool.
▪ Intrusion prevention aims to build a proactive network security
strategy so that possible attacks may be quickly discovered and
countered.
▪ Intrusion prevention systems are thereby used to examine network
traffic flows in order to find malicious software and to prevent
vulnerability exploits.
25
▪ IPS or intrusion prevention system, is the next level of security
technology with its capability to provide security at all system levels from
the operating system kernel to network data packets.
▪ It provides policies and rules for network traffic along with an IDS for
alerting system or network administrators to suspicious traffic, but
allows the administrator to provide the action upon being alerted.
▪ Where IDS informs of a potential attack, an IPS makes attempts to stop
it.
▪ Another huge leap over IDS, is that IPS has the capability of being able to
prevent known intrusion signatures, but also some unknown attacks due
to its database of generic attack behaviors.
▪ Thought of as a combination of IDS and an application layer firewall for
protection, IPS is generally considered to be the "next generation" of IDS.
26
▪ IPS and IDS work best when integrated with additional and existing
security solutions.
▪ IDS is considered a passive detection monitoring system while IPS is
an active prevention system
▪ Currently, there are two types of IPSs that are similar in nature to IDS.
They consist of host-based intrusion prevention systems (HIPS)
products and network-based intrusion prevention systems (NIPS).
27
Why use an IDPS?
Intrusion detection:
- Primary purpose to identify and report an intrusion
- Can quickly contain attack and prevent/mitigate loss or
damage
- Detect and deal with preambles to attacks
▪ Data collection allows the organization to examine what
happened after an intrusion and why.
▪ Can help management with quality assurance and
continuous improvement
28
Comparison between Firewalls and IDS
Firewalls Intrusion Detection System (IDS)
29
Ref:https://ipwithease.com/firewall-vs-ips-vs-ids/
30
Security Information and Event Management
(SIEM) Software
31
Security Information and Event Management
(SIEM)
▪ SIEM solutions provide a holistic view of what is happening on a
network in real-time and help IT teams to be more proactive in the
fight against security threats.
▪ What is unique about SIEM solutions is that they combine Security
Event Management (SEM); which carries out analysis of event and log
data in real-time to provide event correlation, threat monitoring and
incident response - with Security Information Management (SIM) which
retrieves and analyses log data and generates a report. For the
organization that wants complete visibility and control over what is
happening on their network in real-time, SIEM solutions are critical.
▪ SIEM software works by collecting log and event data that is generated
by host systems, security devices and applications throughout an
organization's infrastructure and collating it on a centralized platform.
32
▪ From antivirus events to firewall logs, SIEM software identifies this data
and sorts it into categories, such as malware activity, failed and
successful logins and other potentially malicious activity.
▪ When the software identifies activity that could signify a threat to the
organization, alerts are generated to indicate a potential security issue.
These alerts can be set as either low or high priority using a set of pre-
defined rules. For example, if a user account generates 20 failed login
attempts in 20 minutes, this could be flagged as suspicious activity, but
set at a lower priority as it is most likely to be a user that has forgotten
their login details. However, if an account experiences 120 failed login
attempts in 5 minutes this is more likely to be a brute-force attack in
progress and flagged as a high severity incident.
SIEM Features
▪ Aggregation ; combines data from multiple sources
▪ Correlation ; searches data acquired through aggregation
to look for common characteristics of multiple attacks
coming from specific source
▪ Automated alerting and triggers; can inform of critical
issues
▪ Time synchronization; can show the order of events
▪ Event duplication; help filter multiple alerts into a single
alarm
▪ SIEM logs; records of events to be retained for future
analysis.
34
35
36
37
Benefits of SIEM include:
• Increased efficiency
• Preventing potential security threats
• Reducing the impact of security breaches
• Reducing costs
• Better reporting, log analysis and retention
• IT compliance Because SIEM solutions are able to collect
event logs from multiple applications and devices, they allow IT
staff to identify, review and respond to potential security
breaches faster. Identifying a threat in its early stages ensures
that the organization suffers only minor impact if any at all.
A SIEM product can be:
- A separate device
- Software that runs on a computer
- A service that is provided by a third party
SIEM TOOLS
▪ SolarWinds Security Event Manager.
▪ Micro Focus ArcSight ESM.
▪ SolarWinds Threat Monitor.
▪ Splunk Enterprise Security.
▪ LogRhythm NextGen SIEM.
▪ IBM QRadar.
▪ AlienVault Unified Security Management.
▪ Sumo Logic.
▪ In summary, SIEM allows IT teams to see the bigger picture
by collecting security event data from multiple sources in
one place. A single alert from an antivirus filter may not be
a cause of panic on its own, but if traffic anomaly alerts are
received from the firewall at the same time, this could
signify that a severe breach is in progress. SIEM collects all
of these alerts in a centralized console, allowing fast and
thorough analysis.
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023
Lecture 11
1
Vulnerability Scanning and
Penetration Testing
2
Vulnerability Scanning
3
Vulnerability Scanning
▪ Vulnerability scanners are automated tools that scan hosts
and networks for known vulnerabilities (weaknesses)
▪ Creates a report for potential exposures
▪ An organized approach to the testing, identification, analysis
and reporting of potential security issues on a network
▪ Every time a computer connects to the Internet, there is a
risk of a hacker taking advantage of some new vulnerability.
▪ Attackers use vulnerability scan too
4
What is Vulnerability Scan?
▪ Vulnerability Scan: is an automated software search through a
system for known security weakness and report it
▪ It creates reports for potential exposures and should be compared
against baseline scans.
▪ They are utilized in the identification and detection of
vulnerabilities arising from mis-configurations or flawed
programming within a network-based asset such as a firewall,
router, web server, application server, etc.
▪ The modern vulnerability scanner often has the ability to customize
vulnerability reports as well as the installed software, open ports,
certificates and other host information that can be queried as part
of its workflow.
5
Methods for Performing Vulnerability Scan
➢ Credentialed (Non-intrusive) Vulnerability Scan :
▪ Uses only available information to hypothesis the status of
the vulnerability (could be through social engineering)
▪ Provides credentials (user name and password) to the
scanners tests for additional internal vulnerabilities can be
performed. It is a safer version of the vulnerability scanner
➢ Non-credentialed (Intrusive) Vulnerability Scan:
▪ It monitors the network and see any vulnerabilities that an
attacker would easily find ,do not use credentials
▪ It is an attempt actually penetrate the system to perform a
simulated attack.
6
▪ Vulnerability exploit: is a code that takes
advantages of a software vulnerability or security
flaw
▪ Exploit: allows an intruder to remotely access a
network and gain elevated privileges
7
Intrusive and Non-intrusive Vulnerability Scans
9
Vulnerability Scanning
10
What is Vulnerability Assessment?
▪ A vulnerability assessment is:
- the process of identifying, quantifying, and prioritizing (or
ranking) the vulnerabilities in a system
- Examples of systems for which vulnerability assessments
are performed include, but are not limited to, information
technology systems, energy supply systems, water supply
systems, transportation systems, and communication
systems.
- Such assessments may be conducted on behalf of a range
of different organizations, from small businesses up to
large regional infrastructures.
11
Elements of Vulnerability Assessment
▪ Asset identification
▪ Threat evaluation
▪ Vulnerability evaluation
▪ Risk assessment
▪ Risk mitigation
12
▪ Asset Identification: is the process of inventorying (make a complete list of
assets) with economic value
• Identify what needs to be protected. Examples of common assets could be:
- People
- Physical assets
- Data
- Hardware
- Software
13
▪ Threat evaluation
- List potential threats that come from threat agents
- A threat agent is any person or thing with the power to carry out a threat
against an asset
▪ Threat modeling
- Goal: understand attackers and their methods
14
▪ Vulnerability evaluation
- Finding the current weaknesses
- knowledge of current organization security
- Every asset should be viewed in light of each threat and catalog each
vulnerability
▪ Risk assessment
- finding damage that would result from an attack;
- Assess the probability that the vulnerability is a risk to organization
15
Vulnerability impact scale
16
▪ Risk mitigation
- Figure out what to do about risks
- Figure out how much risk can be tolerated
17
Vulnerability Assessment Tools
▪ Port Scanners
• TCP/IP communication; involves information exchange between one
system’s program and another system’s corresponding program
• TCP/IP divides port numbers into three categories:
- Well known port numbers (0-1023) ; reserved for most universal
applications
- Registered port numbers (1024-49151); other applications not as
widely used
- Dynamic and private port numbers (49152-65535); Available for
any application to use
• Port number
- A unique identifier for applications and services
- 16 bits in length
18
Vulnerability Assessment Tools
19
▪ Protocol analyzers
- Hardware or software that captures packets; to decode and
analyze contents
- Also known as sniffers
▪ Common uses for protocol analyzers
- Used by network administrators for troubleshooting
- Characterizing network traffic
- Security analysis
20
Vulnerability Assessment Tools
▪ Vulnerability scanners term is a generic term for a range
of products that look for vulnerabilities in
networks/systems and most of them maintain a database
that categorizes and describes the vulnerabilities they can
detect
▪ A vulnerability scanner can:
- Alert when new systems are added to network
- Detect when an application is compromised
- Detect when an internal system begins to port scan other systems
- Detect which ports are served and which ports are browsed for each
individual system
- Identify which applications and servers host or transmit sensitive data
- Maintain a log of all interactive network sessions
- Passively determine the type of OS of each active system
- Track all client and server application vulnerabilities
- Track which systems communicate with other internal systems
21
Vulnerability Assessment Tools
▪ Honeypots and Honeynets
- Honeypot: a computer protected by minimal security
• Intentionally configured with vulnerabilities
• Contains bogus data files
Aim : to trick attackers into revealing their techniques
• Can then be determined if actual production systems could thwart
such an attack
- Honeynet: a network set up with one or more honeypots
• Set up with intentional vulnerabilities
22
Vulnerability Scanners- Benefits
▪ Very good at checking for hundreds (or thousands ) of
potential problems quickly
▪ It can be automated to run weekly, monthly, quarterly, etc.
▪ It is Affordable
▪ Identifying lack of security controls (lack of up-to-date
patches or Antivirus software )
▪ Passively testing security controls (testing doesn’t interfere
with normal operations
23
Vulnerability Scanners- Drawbacks
▪ A vulnerability scanning tool will not find nearly all
vulnerabilities
▪ Cannot find vulnerabilities that are not in the database
▪ Constant updates required
24
Types of Vulnerability Scanner
▪ Port scanner (Nmap, Nessus )
▪ Network vulnerability scanner (Nessus,OpenVas, INFRA scan)
▪ Web application security scanner (N-Stalker, Promisec, Acunetix,
OWASP ZAP, Nikto2)
▪ Database security scanner (MSSQL,Nmap,Zenmap)
▪ Host based vulnerability scanner(TARA,WebTrends)
▪ ERP security scanner (ERPScan SAP,Onapsis)
▪ Single vulnerability tests (Nexus)
25
Vulnerabilities Scanner (Free/ Commercial)
Free
Nessus – www.nessus.org
SAINT - www.wwdsi.com/saint
VLAD - razor.bindview.com/tools
SARA- www.arc.com/sara
N-Stalker -www.nstalker.com
Commercial
CyberCop Scanner:
www.mcafeeb2b.com/services/cybercop-asap.asp
ISS internet scanner: www.iss.net
Qualy’s QualysGuard: Subscription based, www.qualys.com
26
▪ In the lab we used Nessus which is a vulnerability scanner looking for
weakness in the network and associated with the CVE number and this
CVE is the main source to vulnerability
▪ The vulnerability allows an attacker to access sensitive information,
such as passwords, private keys, and other data, from the memory of a
vulnerable server. This is accomplished by sending a specially crafted
heartbeat message to the server, causing it to return a portion of its
memory contents to the attacker.
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=
overview&search_type=all&cve_id=CVE-2014-0195&isCpeNameSearch=false
MITRE ATT&CK
https://attack.mitre.org/
https://attack.mitre.org/techniques/T1189/
https://attack.mitre.org/groups/G0007/
https://attack.mitre.org/techniques/T1133/
28
Penetration Testing
29
Penetration Testing
▪ Designed to exploit the system weakness
▪ Relies on tester’s skill and knowledge
▪ Conducted by independent contractor
▪ Tests are conducted outside the security perimeters
▪ End result: penetration test report; which is a short
analysis of how the attack was successful and what
damage to the data
30
Penetration Testing
▪ The practice of examining an application or infrastructure
for vulnerabilities in an effort to exploit those flaws is
known as penetration testing, pen testing, or ethical
hacking.
▪ It is an attack on a computer with the intention of figuring
out security weaknesses.
▪ It performed by sys admin(s) or a trusted agents
31
How Penetration Test is Different from Hacking?
▪ Black hackers violate computer security for malicious or
personal gain
▪ White hackers break security for non- malicious purposes,
usually when performing authorized security tests
▪ Grey hackers rationalize that they are acting moral when
they are not for example, breaking into systems for fun then
emailing the system admin to let him know that there is a
security hole
32
Penetration Testing Goals
- Figure out network or application vulnerabilities
- Determine feasibility of particular set of attack vectors
- Determine how much a successful attack would have an
impact on operations and business.
- Check the network defences' capacity.
33
What is the Difference Between Penetration Testing &
Vulnerability Assessment?
34
▪ A vulnerability assessment will often cover a much wider range
of targets and offer a comprehensive list of known
vulnerabilities identified and ranked with a The Common
Vulnerability Scoring System (CVSS) score. Moreover, there is
always a chance for false positives because a vulnerability
assessment does not confirm data.
▪ The Common Vulnerability Scoring System (CVSS) is a
Vulnerability security metric (method) used to supply a
qualitative measure of severity. CVSS is not a measure of risk.
▪ The purpose of CVSS is to provide a way to capture the
principal characteristics of a vulnerability and produce a
numerical score reflecting its severity.
▪ Two common uses of CVSS are calculating the severity of
vulnerabilities discovered on one's systems and as a factor in
prioritization of vulnerability remediation activities.
https://nvd.nist.gov/vuln-metrics/cvss#:~:text=The%20Common%20Vulnerability%20Scoring%20System,Base%2C%20Temporal%2C%20and%20Environmental.
35
Vulnerability Scanning vs. Penetration Testing
▪ Two important vulnerability assessment procedures
✓ Vulnerability scanning
✓ Penetration scanning
▪ The two activities are similar and are often confused with each other
37
▪ A vulnerability scan searches system for known security
weakness and reports findings
▪ Penetration testing designed to exploit any discovered
system weaknesses
▪ Standard techniques used to mitigate and deter attacks
such as, proper configuration of controls, and hardening
and reporting.
38
Amazon Web Service
(AWS)
AWS has an extensive, reliable, and secure global cloud infrastructure with over 175 services for
a wide range of use cases.
AWS Services
Compute
Storage
Database
Analytics
Networking and Content delivery
Developer Tools
Business Applications
Management and Governance
Machine Learning
Internet of Things
Security, Identity, and Compliance
AWS Benefits
On-demand access to over 175 services cloud-based services
No upfront capital expenses or commitments
The ability to try a lot of experiments
Not having to live with the collateral damage of failed experiments
Pay-as-you-go pricing
Toolbox of high-end services
AWS Regions
AWS has the concept of a Region, which is a
physical location around the world where data
centers are clustered together.
A group of logical data centers is called an
Availability Zone.
Each AWS Region consists of multiple, isolated, and
physically separate Availability Zones within a
geographic
AWS Availability Zone
An Availability Zone is a zoned area within a Region that can
harbor one or more data centers (typically three). Availability
Zones house all the hardware devices that AWS offers.
With their own power infrastructure, the Availability Zones are
physically separated by a meaningful distance (up to 100 km or
60 miles) from any other Availability Zone in the Region.
Availability Zones are interconnected with high-bandwidth, low-
latency networking, to provide low-latency networking between
zones that is sufficient to accomplish synchronous replication
(same time replication).
AWS Edge
Edge locations are connected to the AWS Regions
through the AWS network across the globe. They link
with tens of thousands of networks for improved origin
fetches and dynamic content acceleration.
Edge locations cache copies of your content for faster
delivery to users at any location. They support AWS
services like Amazon Route 53 and Amazon CloudFront.
AWS has over 200 edge locations that are placed in 90
cities, across 47 countries.
AWS Global Infrastructure Benefits
Performance
◦ The AWS Global Infrastructure offers high-performing, low latency cloud infrastructure with virtually
unlimited capacity, which provides high availability.
Availability
◦ Availability Zones are designed for physical redundancy and to provide resilience. They provide
uninterrupted performance, even in the event of power outages, internet Availability downtime, floods,
and other natural disasters.
Security
◦ The infrastructure is monitored 24/7 to help ensure the confidentiality, integrity, and availability of AWS
customers' data. Customers can build on the most secure global infrastructure and know that they
always own their data. They can encrypt their data, move it, and manage retention.
AWS Global Infrastructure Benefits
(Cont…)
Reliability
◦ The AWS Global Infrastructure is designed and built for redundancy and reliability, from regions to
networking links to load balancers to routers to firmware.
Scalability
◦ With the AWS Global Infrastructure, companies can be flexible and take advantage of the conceptually
infinite scalability of the cloud. Companies can quickly get resources as they need them, deploying
hundreds or even thousands of servers in minutes.
Low Cost
◦ The AWS Global Infrastructure provides the industry’s most extensive data center footprint. As a result,
more customers can benefit from cloud economics and reduce the Total Cost of Ownership (TCO) of
their overall IT infrastructure
AWS Well-Architected Framework
Operational Excellence
Operational Excellence is the ability to run and monitor systems to deliver business value and to
continually improve supporting processes and procedures.
Design principles for operational excellence in the cloud include performing operations as code,
annotating documentation, anticipating failure, and frequently processing.
Security
The Security pillar is the ability to protect information, systems, and assets while delivering
business value through risk assessments and mitigation strategies.
When considering the security of your architecture, apply these best practices:
◦ Automate security best practices when possible.
◦ Apply security at all layers.
◦ Protect data in transit and at rest.
Reliability
Reliability is the ability of a system to:
◦ Recover from infrastructure or service disruptions
◦ Dynamically acquire computing resources to meet demand
◦ Mitigate disruptions such as transient network issues or misconfigurations
◦
Amazon Simple Storage Service - S3
AWS Lambda
Amazon DynamoDB
AWS
Amazon Web Services
AWS
Cloud service provider with largest Market share
Over 200 services
[1]
AWS Regions and Availability Zones
Region Ex : North Virginia, Sydney
Region has an identifier Ex North Virginia – US-East-1
Region has multiple Availability Zones Ex US-East-1a, US-East-1b, US-East-1c
Zones in a Regions are interconnected with low latency Network
Each Region has at least two availability zones
[1]
Communicating and Managing AWS Cloud
AWS Management Console - GUI
https://console.aws.amazon.com
AWS CLI - Have to download and install
AWS SDK – To communicate with AWS programmatically
AWS Cloud Shell - Browser based shell
AWS Organization
[1]
AWS Disk
EBS (Elastic Block Storage)
Used as boot disk for EC2
File Store
EFS – Elastic File store
NFS file system to use with
AWS Cloud services
On-premises resources
AWS Storage
S3 (Simple Storage Service)
S3 storage classes
S3 Standard
Data redundantly across multiple devices in multiple facilities
Sustain loss of 2 facilities concurrently & 99.99% availability
S3 Standard IA
when data is accessed less frequently but requires rapid access
Cheaper than S3 Standard
Sustain loss of 2 facilities concurrently & 99.99% availability
S3 one zone-infrequent access
Cheap but redundancy around only one zone (While others 3)
S3 Glacier
Cheapest storage class, used for archive
Auto Scaling
EC2 instances are scales out and scales in automatically
Auto Scaling Group
Maximum number of instances
Minimum Number of Instances
Load Balancing
Desktop as a service
Can bring existing licenses
Virtual Network
AWS VPC
Subnets
Elastic IP
AWS Functions
Paas
Lambda
[1]
Amazon Elastic Beanstalk
PaaS
Web applications and services
Scalable
Users
User Groups
Roles
Policies
AWS Firewall
NACL
Associated with Subnet
Stateless
Security Groups
Assigned for an EC2
Stateful
References
[1] “AWS Documentation.” AWS. https://docs.aws.amazon.com/index.html (accessed Mar. 18,
2023).
[1] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning. https://www.linkedin.com/learning/ccsk-cert-
prep-3-managing-cloud-security-and-risk/risk-treatments-and-cloud-shared-
responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed Mar. 18, 2023).
Moving cloud Introduces New Security
Risks
Outsourcing IT resources from a Third Party
Loss of full control
Lock in with Cloud Vendor
[1] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning. https://www.linkedin.com/learning/ccsk-cert-
prep-3-managing-cloud-security-and-risk/risk-treatments-and-cloud-shared-
responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed Mar. 18, 2023).
Potential attacks to cloud - Data Breach
Confidentiality breach
Harm to customers, business
Regulatory and legal consequences
Possible protection methods
Staff training
Auditing
Encryption of stored data and data in transit
Incident response plans
Confidentiality
Integrity
Availability
Security – AAA
Authentication
Authorization
Accounting
Security Services for Cloud
Infrastructure
Identity and Access Management
Encryption
Directory
Network Security
Data Security
App Security
Encryption (Cryptography)
Symmetric Encryption
Same Key is used for both encryption and decryption
This Key is known as secret Key
Ex : AES, DES
Asymmetric Encryption
Different keys are used in encryption and decryption
Keys are known as Public Key and Private Key
Keys are very long
Encryption and Decryption Processes typically needs very heavy processing load
Mostly used in authentication or to exchange secret key for symmetric encryption
Ex. RSA
Example in Cloud : Keys given to login to compute resources
Cloud Protection Strategies
Encrypt data in store
Encrypt data in flight
Protect keys
Create strong passwords
Setup Multi Factor Authentication (MFA)
Regular Backups
Implement suitable high availability strategies
Cloud Risk Management
Common Cloud Risks & Management strategies
Increased Cost
Shutdown or delete unnecessary resources
Budget alerts for spending limits
Account Safety, Lease Privileged cloud accounts
Unauthorized account usage can increase cost tremendously
Waste on unused resources
Maintaining proper asset inventory, Regular cloud resource naming, Resource grouping
IAM misconfigurations
Week passwords
Unnecessary privileges
Missing patches
Open Security Group and Network Access Control rules
Allow only specific IP Addresses and ports
Lack of encryption strategies – Data at Rest and Data in Transit
[1] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning. https://www.linkedin.com/learning/ccsk-cert-
prep-3-managing-cloud-security-and-risk/risk-treatments-and-cloud-shared-
responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed Mar. 18, 2023).
Risk Management in Cloud computing
Risk Acceptance (Cost or complication is expensive than added security)
No encryption in transfers inside VPC
Risk Avoidance
Avoid moving to cloud for a very critical data
Risk Mitigation
Backup or data
Snapshot of VMs
Implementing security groups
Risk Transference
Going for IAAS to PAAS or PASS to SASS with SLA
Cyber Risk Insurance
[1] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning.
https://www.linkedin.com/learning/ccsk-cert-prep-3-managing-cloud-security-and-risk/risk-treatments-
and-cloud-shared-responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed
Mar. 18, 2023).
Shared Responsibility Model
Who is responsible for the security? Provider / User
Cloud offering model decides
[1] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning.
https://www.linkedin.com/learning/ccsk-cert-prep-3-managing-cloud-security-and-risk/risk-treatments-
and-cloud-shared-responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed
Mar. 18, 2023).
Cloud Security Framework (CSF)
Defines architecture, policies and controls to secure cloud
environment
Some Cloud security Frameworks
NIST (National Institute of Standards and Technology) CSF
CSA (Cloud Security Alliance)
CCM (Cloud Control Matrix)
Cloud Control Matrix (CCM)
CSA Framework
lists cloud security controls and maps them to multiple
security and compliance standards.
The CCM can also be used to document security
responsibilities.
[1] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning.
https://www.linkedin.com/learning/ccsk-cert-prep-3-managing-cloud-security-and-risk/risk-treatments-
and-cloud-shared-responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed
Mar. 18, 2023).
CSIQ (the Consensus Assessment Initiative Questionnaire)
[1] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning.
https://www.linkedin.com/learning/ccsk-cert-prep-3-managing-cloud-security-and-risk/risk-treatments-
and-cloud-shared-responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed
Mar. 18, 2023).
CSA Security Trust Assurance and Risk
(STAR) Registry
CSA (Cloud Security Alliance) Maintains a Registry
Certifications for cloud service providers
How they have implemented necessary security controls
[1] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning.
https://www.linkedin.com/learning/ccsk-cert-prep-3-managing-cloud-security-and-risk/risk-treatments-
and-cloud-shared-responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed
Mar. 18, 2023).
Cloud Data Breaches – Recent Case Studies
[1] “Security Guidance for Critical Areas of Focus in Cloud Computing v4.0.” Cloud Security Alliance.
https://cloudsecurityalliance.org/artifacts/security-guidance-v4/ (accessed Feb. 26, 2023).
[2] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning.
https://www.linkedin.com/learning/ccsk-cert-prep-3-managing-cloud-security-and-risk/risk-treatments-and-
cloud-shared-responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed Mar. 18, 2023).
[3] D. West. “Cybersecurity Awareness: Cloud Security.” LinkedIn Learning.
https://www.linkedin.com/learning/cybersecurity-awareness-cloud-security/avoiding-security-
misconfigurations?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed Mar. 18, 2023).
Cloud
computing
Introduction: Changing The Network Architecture
Consolidation Virtualization Automation
Improved Utilization, Improved Flexibility, Policy-based Adaptive
Efficiency Responsiveness Infrastructure
Dynamic Service
Automation
Agility Static
Provisioning Semi-Automated
Storage Provisioning
Virtualization
Application
Network Virtualization
Virtualization
Server
Branch Infrastructure Virtualization
Consolidation Data Center
Storage Consolidation
Consolidation Server
Consolidation
Time
Cloud Computing vs.
Data Center
Data center: Typically a data storage and
processing facility run by an in-house IT
department or leased offsite.
Cloud computing: Typically an off-
premise service that offers on-demand
access to a shared pool of configurable
computing resources. These resources
can be rapidly provisioned and released
with minimal management effort.
Cloud Computing and
Virtualization
The terms “Cloud computing” and
“virtualization” are often used
interchangeably; however, they mean
different things. Virtualization is the
foundation of Cloud computing. Without
it, Cloud computing, as it is most-widely
implemented, would not be possible.
Cloud computing separates the
application from the hardware.
Virtualization separates the OS from the
hardware.
Cloud Computing
• Cloud computing is a model for enabling
convenient, on-demand network access to a
shared pool of configurable computing
resources
• Networks, servers, storage, applications, and
services that can be rapidly provisioned and
released with minimal management effort or
service provider interaction.
providers rely heavily on virtualization to
deliver their services
can reduce operational costs by using
resources more efficiently
Cloud Computing
Enables access to organizational data
anywhere and at any time
Streamlines the organization’s IT operations
by subscribing only to needed services
Eliminates or reduces the need for onsite IT
equipment, maintenance, and management
Reduces cost for equipment, energy,
physical plant requirements, and personnel
training needs
Enables rapid responses to increasing data
volume requirements
Cont’d
On-demand self-service
A consumer can unilaterally provision computing capabilities automatically
without requiring human interaction with each service’s provider.
Broad network access
Capabilities are available over the network and accessed through standard
mechanisms that promote use by heterogeneous thin or thick client platforms
(e.g., mobile phones, laptops, and PDAs).
Resource pooling
The provider’s computing resources can be pooled to serve multiple consumers
using a multi-tenant model, with different physical and virtual resources
dynamically assigned and reassigned according to consumer demand. There is a
sense of location independence in that the customer generally has no control or
knowledge over the exact location of the provided resources but may be able to
specify location at a higher level of abstraction (e.g., country, state, or
datacenter). Examples of resources include storage, processing, memory, network
bandwidth, and virtual machines.
Essential Characteristics - Cont.
Rapid elasticity.
‒ Capabilities can be rapidly and elastically provisioned.
‒ In some cases done automatically to quickly scale out and
rapidly released to quickly scale in.
Measured Service.
‒ Cloud systems can automatically control and optimize resource
use by leveraging a metering capability at some level of
abstraction appropriate to the type of service
‒ e.g., storage, processing, bandwidth, and active user
accounts.
Cloud Models
Public clouds: Cloud-based applications and services offered in a
public cloud are made available to the general population. Services
may be free or are offered on a pay-per-use model, such as paying
for online storage. The public cloud uses the Internet to provide
services.
Private clouds: Cloud-based applications and services offered in a
private cloud are intended for a specific organization or entity, such
as the government. A private cloud can be set up using the
organization’s private network, though this can be expensive to build
and maintain. A private cloud can also be managed by an outside
organization with strict access security.
Hybrid clouds: A hybrid cloud is made up of two or more clouds
(example: part custom, part public), where each part remains a
distinctive object, but both are connected using a single architecture.
Individuals on a hybrid cloud would be able to have degrees of
access to various services based on user access rights.
Custom (Community) clouds: These are clouds built to meet the
needs of a specific industry, such as healthcare or media. Custom
clouds can be private or public.
Cloud Models
Examples of Public Cloud Service
Providers
Amazon Web Services (AWS)
Provides offering in the cloud for organizations requiring
computing power, storage & other services.
According to Amazon, AWS allows users to “take
advantage of Amazon.com’s global computing
infrastructure,” which is the heart of Amazon’s retail
business & transactional enterprise.
Offers the following services:
‒ Elastic Compute Cloud (EC2)
‒ Simple Storage Service (S3)
‒ Simple Query Service (SQS)
‒ CloudFront
‒ SimpleDB
Google
• Google App Engine allows building & hosting web applications
on the Google infrastructure:
‒ Supported programming languages are Python & Java
(more?).
‒ Free up to a certain level of used resources, after which fees are
charged for additional storage, bandwidth, or CPU cycles
required by the application.
• Google Apps offers business emails and collaboration:
‒ Includes several applications with similar functionality to
traditional office suites, including Gmail, Google Calendar, Talk,
Docs, and Sites.
‒ Has a number of security & compliance products to provide
email security & compliance for existing email structures.
‒ Standard Edition is free and offers the same amount of storage
as regular Gmail accounts.
‒ Premier Edition is based on a per-user license model &
associated storage level.
Windows Azure
• Part of Microsoft’s strategy of lessening its emphasis on the
desktop and shifting more resources to web-based
products.
• Provides an OS that serves as a runtime for the apps
• Provides a set of services that allows development,
management, and hosting of managed apps at Microsoft
data centers
• Azure Services Platform includes the following services:
‒ .NET Services
‒ SQL Services
‒ Windows Live Services
• Pricing is based on a consumption model including
compute time, storage, API calls, etc.
Salesforce.com & Force.com
• Salesforce.com offers cloud-based CRM solution which
includes Sales, Marketing, Service, and Partners. Pricing is
on a per-user basis, with different rates and support
packages posted online.
• Force.com allows developers to create add-on apps that
integrate into the main Salesforce.com apps, and are
hosted on Salesforce.com’s cloud infrastructure.
‒ Apps are built using Apex, a proprietary programming
language for the platform
‒ Pricing is on a per-developer basis, with different support
packages allowed for varied levels of storage, API calls,
etc.
• AppExchange is a directory of apps built for
Salesforce.com by third-party developers, which users can
purchase and add-on to their Salesforce environment.
RightScale
• Provides services in the cloud to assist organizations in managing
cloud deployments offered by other Cloud Service Providers
(CSPs), including vendors such as AWS, FlexiScale, and GoGrid.
• Pricing is based on a number of editions from Developer through
Enterprise level, with associated features & server times.
• RightScale Cloud Management Platform allows organizations to
manage & maintain their cloud deployments through one web-
based management platform, while at the same time take
advantage of offerings by more than one CSPs, which includes
the following:
‒ Cloud Management Environment
‒ Cloud Ready ServerTemplates
‒ Adaptable Automation Engine
‒ Multi-Cloud Engine
Cloud Foundry (VMware)
• A VMware-led open source project that provides a platform for building,
deploying and running cloud apps
• Supported languages including Spring for Java developers, Rails and
Sinatra for Ruby developers, Node.js & other JVM languages/frameworks
including Groovy, Grails & Scala.
• Supported Application Services include RabbitMQ, MongoDB, MySQL &
Redis.
• Includes the following:
‒ CloudFoundry.com – a complete hosted platform environment (a
commercial service, currently still in beta & can be accessed for free)
‒ CloudFoundry.org – an open source project where developers and
community members can collaborate & contribute to the project
‒ Micro Cloud Foundry – a complete version of Cloud Foundry that runs in
a virtual machine on a developer’s Mac or PC (a full instance that
provides the flexibility of local development while preserving options for
future deployment & scaling of apps).
(Some) Other Cloud Service Providers