CYBERSPACE SECURITY

Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023

Lecture 1
Course Load and Evaluation
• A mix between theory and practical work
• 6 marked labs and final coursework (build book)
Lab Assignments (6 @ 5% each): 30.0%
Project + Presentation: 15.0%
Midterm Exam: 25.0%
Final Exam: 30.0%
Total: 100.0%
Laptop Requirements

Hardware requirements:
▪ Laptop (i5 or i7) with Windows 10 Pro (enable virtualization in the BIOS)
▪ RAM 8 GB
▪ Disk: at least 100 GB free space
Optional textbooks:

1. Cyber Security Essentials, James Graham, Richard Howard, Ryan Olson, CRC Press, Taylor and Francis Group, ISBN 9780429106637, 2011
2. Information Security: The Complete Reference, Rhodes-Ousley, Mark, McGraw-Hill, Second Edition, ISBN 9780071784351, Information Security Management: Concepts and Practice
3. Roadmap to Information Security for IT and Infosec Managers, Whitman, Michael E. and Herbert J. Mattord, ISBN 9781435480308, 2011
4. CompTIA Security+ Study Guide, Mike Chapple and David Seidl, Sybex, Eighth Edition, ISBN 9781119736257, 2021
Computer Security
- It is the protection of the computer system from theft of, or damage to, its software, hardware or the information present on the system.
- It involves the process of safeguarding against intruders gaining access to your systems or their resources for malicious purposes.
Internet Security
▪ Internet security usually involves protecting the user's data from unauthorized access and damage while connected to the Internet.
▪ In most cases, a proper browser configuration helps protect personal information, prevent malware infection and limit the damage caused by a cyber attack.
What are cookies?
▪ A cookie is information provided by a web server to a web client, then sent back unchanged by the browser each time it accesses that server.
▪ When the website is revisited, the browser sends the information back so that the site can recognize the user.
▪ This is invisible to the user and is intended to improve the browsing experience.
Difference between Data and Information
Data:
▪ A collection of facts; could be metrics, numbers, words
▪ Data is unorganized
▪ It is not useful on its own
▪ Ex: 19042021
▪ It is raw input values
▪ "Data" is a broad term; information is a subset of data
Information:
▪ How you understand those facts in context (such as measured temperature over a year)
▪ Information is organized
▪ Useful on its own
▪ Ex: 19 April 2012
▪ Information is the output of processing

Note:
The information security specialist's goal is to classify the data based on its sensitivity, while the cybersecurity specialist's goal is to secure the data in general, whether it is information or raw data.
What do you know about Information Security?
▪ Information security is a concept that predates modern computers.
▪ People encrypted messages before any computer was created (it started with the military and was then introduced to the world).
▪ In WWII, a machine called the Enigma was invented, which basically secured the messages between the troops so that the enemy would not know their contents.
▪ This machine used a substitution that replaced each letter with another letter, and the recipients on the other side of the same army could recover the message (shuffled letters) exactly. This machine represents the start of information security.

The development of security is related to the evolution of the Internet; for more details, watch the following video, which gives the history of the Internet and why we need security:
https://www.youtube.com/watch?v=9hIQjrMHTv4
What is security? Security could be defined as:

The quality or state of being secure: to be free from danger.

Information security involves the protection of information and its critical components, including the systems and hardware that use, store and transmit that information. We have to protect/secure everything related to the information: the system software that stores the information, the hardware, and the information itself while stored and while in transit.
As we know, information could be stored in the system or on hardware (a disk), or could be transmitted over the Internet.
Layers of Security
Physical Security: the safeguarding of personnel, hardware and software components, networks and data from natural physical conditions, events or threats that might cause damage to an organization.
Network Security: summed up as the protection of networks and their services from unauthorised modification or destruction.
System Security: protecting the system and the information from any sort of threat, such as unauthorized access, corruption or misuse.
Application Security: covers the software generally being used, the hardware, and any procedural steps that could be taken to protect the application.
User Security: ensuring that only an authenticated and authorized user is allowed to log in and perform the functions they are authorized to do.
If we have a company and we want to build a secure system, we have to have a guard, a camera at the entrance and so on. In general we have layers of security:
▪ Physical security (doors, locks, motion detection devices, ...)
▪ Personal security (a guard at a gate)
▪ Operations security (people who go in/out of the company must be checked)
▪ Communication security (the communication between employees or with the outside of the company has to be secure)
▪ Network security (having a firewall, antivirus, IDP, scanning devices, a blacklist)
▪ Information security (the main and final layer is the information)
What is Information Security?
▪ Information security is a set of practices designed to keep personal data secure from unauthorized access and alteration while it is stored or transmitted from one place to another.
▪ Information security is designed and implemented to protect printed, electronic and other private, sensitive and personal data from unauthorized persons. It is used to protect data from misuse, disclosure, destruction, modification and disruption.
Reasons behind the need for Information Security
▪ Protects the organization's ability to function.
▪ Enables the safe operation of applications implemented on the organization's IT systems, and safeguards the technology the organization uses.
▪ Protects the data that the organization collects and uses.
▪ Prevents unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
▪ We need information security to reduce the risk of unauthorized information disclosure, modification and destruction.
▪ We need information security to reduce risk to a level that is acceptable to the business (risk management).
Security isn't about security.
It's about mitigating risk at some cost.
What are the different losses that could be caused by security breaches (attacks)?
▪ Financial loss: the most common loss in banks and bigger organizations.
▪ Resource unavailability: once the attacker gains access to the system or the victim machine, he would make sure that the resources are unavailable to the legitimate user.
▪ Identity theft: the attacker tries to steal the user's credentials and impersonate that user's identity as if he were the victim.
▪ Data loss: once the attacker compromises the system, he would try to steal the data or perform an attack that causes loss of the data.
▪ Loss of trust: once bigger organizations get compromised, users/people lose trust in such organizations in terms of security and safeguarding their assets.
▪ Resource misuse: when an attacker compromises the victim machine, the first thing he would do is misuse the resources he has gained access to.
Basic information security terminology
Threat: an event or an action that has the ability to compromise the system or violate the system's security.
Exploit: a way to breach the security of a machine through a loophole (such as a missing patch) or a vulnerability.
Attacker: any individual who compromises the security of a machine illegitimately in order to steal, manipulate or destroy data.
Attack: the action performed by an attacker that could potentially harm the system or the information stored in it.
Vulnerability: the existence of a loophole (such as a missing patch) or weakness in the design or the implementation that could lead to an undesirable, unexpected event that compromises the machine.
Data theft: the action of stealing information from the victim's machine.
Risk: a situation that involves exposure to some type of danger.
Security triad (C I A)
There are three key objectives at the heart of any computer security:
▪ Confidentiality: information is disclosed only to authorized parties, whether the data is at rest or in transit.
▪ It is the most important aspect of the CIA triad when it comes to security;
▪ It is the one which is attacked most often.
▪ Cryptography and encryption methods are examples of ways to ensure confidentiality.
▪ Integrity: information remains accurate and unchanged in transit and at rest, and only authorized parties can change it (it stays in its original form).
▪ One type of security attack is to intercept some important data and make changes to it before sending it on.
▪ Availability: authorized parties have timely and uncompromised access (the data is available 24/7), so it ensures that the information is accessible to authorized persons when required without any sort of delay.
▪ Some attackers try to deny access to the appropriate user, for example by taking down the website of a particular search engine.
Elements of Security
There are other characteristics of information security:
▪ Authenticity: the quality of being genuine or original rather than a reproduction. Information is authentic when it is the information that was originally created, placed, stored or transferred (it is the identification and assurance of the information's origin).
▪ Non-repudiation: making sure that a person, an individual or a communication cannot deny the authenticity of the signature on a particular document.
▪ Authorization: access control permissions.
What are the risks that domestic users are exposed to?
E-mail attacks: the victim would be susceptible to attacks such as phishing, spamming or any other sort of scam.
Malware attacks: it is well known that e-mails are the biggest carriers of malware, so this is the second type of attack that domestic users are susceptible to.
Denial of service attacks: the attacker denies the availability of a service to a legitimate user; when an attacker wants to compromise a machine or an IP address, it bombards that particular IP with an enormous amount of packets so that the service goes down.
Identity theft: an attacker impersonates the targeted victim and tries to use their identity for personal gain.
Packet sniffing: the attacker intercepts communications and tries to extract information from them, so communications are one of the things that must be secured.
What are the things to be secured?
▪ Hardware: this includes your storage devices, all the hard disks in your laptops or your smartphones.
▪ Software: you have to make sure that your software is secure as well, from the operating system to all the applications that run on it.
▪ Information (DB): has to be secured, starting with personal identification credentials such as credit card details, health-related details or banking details.
▪ Communication: securing communication from your instant messaging, any browsing activities, your mail, or any activities that you perform on social media.
Components of information system
Figure: rules and policies, physical devices, applications and written code, information and data, networks.
Source: https://www.eacademy.lk/p/computer-based-information-systems.html
Reasons for having a vulnerable system:
▪ Low security awareness
▪ No implementation of security systems
▪ Default settings for applications and software
▪ Not following the standard security guidelines
▪ Insecure online activity
Aspects of security standards/security architecture
X.800 standards
▪ The OSI security architecture is useful to managers as a way of organizing the task of providing security.
▪ It is based on attacks, mechanisms and services.

More details: https://www.itu.int/rec/T-REC-X.800/_page.print

▪ Security attack: any action that compromises the security of information owned by an organization.
▪ Security mechanism: a process (or a device incorporating such a process) that is designed to detect, prevent or recover from a security attack.
▪ Security service: a processing or communication service that is provided by a system to give a specific kind of protection to resources.
• The services are intended to counter security attacks and make use of one or more security mechanisms to provide that protection.
Figure: security services (authentication, access control, non-repudiation, integrity, confidentiality) use security mechanisms (detect, prevent, recover) to counter security attacks.
Attack Classifications
Attacks can be classified into:
▪ Passive attack: attempts to learn or make use of information from the system but does not affect system resources.
• Passive attack types:
- Sniffing/Eavesdropping/Snooping: secretly listening to the private conversation of others without consent.
- Traffic Analysis: intercepting and examining messages in order to deduce information from patterns.

▪ Passive attacks and countermeasures:
- Hard to detect because they do not involve any alteration of the data.
- The message traffic is sent/received in an apparently normal fashion, and neither the sender nor the receiver is aware that a third party has read the messages or observed the traffic pattern.
- It is possible to prevent the success of these attacks by means of encryption.
- The emphasis in dealing with passive attacks is on prevention rather than detection.
▪ Active attack: attempts to alter system resources or affect their operation. It involves modification of the data stream or the creation of a false stream.

• Active attack types:
- Spoofing/masquerade: a technique in which an entity pretends to be a different/legitimate entity (someone else) to exploit the system.
- Replay: capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
- Modification of messages: some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect.
- Denial of service: an attempt to make a machine resource unavailable to its intended users.

▪ Active attacks and countermeasures:
- They present the opposite characteristics of passive attacks.
- Whereas passive attacks are difficult to detect, measures are available to prevent their success.
- It is quite difficult to prevent active attacks absolutely because of the wide variety of potential physical, software and network vulnerabilities.
Active attacks vs. Passive attacks
Objective: Active: the attack tries to change system resources or affect their operation. Passive: the attack tries to read or make use of information from the system but does not influence system resources.
Modification in information and operations: Active: occurs. Passive: does not take place.
Harm/effect to the system: Active: many (always causes damage to the system). Passive: few or none.
Attack awareness: Active: the entity (person/thing) gets informed about the attack. Passive: the entity (person/thing) is unaware of the attack.
CIA threat: Active: integrity and availability. Passive: mostly confidentiality.
Emphasis is on: Active: detection. Passive: prevention.
Examples: Active: DoS, replay, message modification, masquerade. Passive: port scan, release of message contents, eavesdropping.
A masquerade takes place when one entity pretends to be a different entity (Figure a). A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

Replay: involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect (Figure b).

Modification of messages: simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect (Figure c). For example, a message meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read confidential file accounts."
38
Denial of service: prevents or inhibits the normal use or management of
communications facilities (Figure d). This attack may have a specific target;
for example, an entity may suppress all messages directed to a particular
destination (e.g., the security audit service). Another form of service denial is
the disruption of an entire network, either by disabling the network or by
overloading it with messages so as to degrade performance.

39
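As an added example (not from the lecture slides), the following Python shows two mechanisms that counter the message-modification and replay attacks described above: an HMAC tag over the whole message detects the "John Smith" to "Fred Brown" edit, and a per-message nonce plus an acceptance window detects retransmission of a captured message. The shared key, the fixed clock value and the message texts are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample secret shared by sender and receiver (a real deployment
# would provision the key out of band and never hard-code it).
SHARED_KEY = b"example-shared-key-do-not-reuse"


def build_message(key: bytes, command: str, nonce: int, issued_at: float) -> dict:
    """Sender side: wrap a command with a nonce, a timestamp and an HMAC tag.
    The tag covers every field, so changing any of them invalidates it."""
    body = {"command": command, "nonce": nonce, "issued_at": issued_at}
    canonical = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class Receiver:
    """Receiver side: rejects modified or forged messages (integrity check)
    and re-sent messages (replay check)."""

    def __init__(self, key: bytes, max_age_seconds: float = 30.0):
        self.key = key
        self.max_age = max_age_seconds
        # Nonces accepted so far. A production system would only keep nonces
        # younger than max_age, since older messages are rejected anyway.
        self.seen_nonces = set()

    def verify(self, message: dict, now: float) -> str:
        try:
            body = {k: message[k] for k in ("command", "nonce", "issued_at")}
        except KeyError:
            return "REJECT: malformed message"
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
        # Constant-time comparison so tag checking does not leak timing.
        if not hmac.compare_digest(expected, str(message.get("tag", ""))):
            return "REJECT: integrity check failed (message modified or forged)"
        # Age check first: a message older than the window is dropped even if
        # its nonce has never been seen (bounds how long a capture stays useful).
        if now - body["issued_at"] > self.max_age:
            return "REJECT: message too old (possible delayed replay)"
        if body["nonce"] in self.seen_nonces:
            return "REJECT: nonce already seen (replay)"
        self.seen_nonces.add(body["nonce"])
        return "ACCEPT: " + body["command"]


def demo() -> tuple:
    """Constructed walk-through of the cases from the slides: a genuine
    message, a modified copy, an immediate replay and a delayed replay."""
    now = 1_700_000_000.0  # fixed clock so the demo is deterministic
    receiver = Receiver(SHARED_KEY)
    genuine = build_message(
        SHARED_KEY, "Allow John Smith to read confidential file accounts",
        nonce=1, issued_at=now)
    first = receiver.verify(genuine, now)

    # Modification of messages: the command is edited in transit, but the
    # attacker cannot recompute the tag without the shared key.
    tampered = dict(genuine)
    tampered["command"] = "Allow Fred Brown to read confidential file accounts"
    modified = receiver.verify(tampered, now)

    # Replay: the captured genuine message is re-sent unchanged.
    replayed = receiver.verify(dict(genuine), now + 1.0)

    # Delayed replay: the same capture presented after the window has passed.
    stale = receiver.verify(dict(genuine), now + 120.0)
    return first, modified, replayed, stale


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```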
What are the basic security guidelines?
▪ Use strong passwords
▪ Use antivirus
▪ Regularly back up your important files and documents
▪ Use encryption and digital signatures
▪ Use firewalls and intrusion detection systems
▪ Regularly update your OS and other applications
▪ Do not reveal too much information online (social networking sites)
▪ Be aware of the present world security scenario and new attacks
So how do you make your system secure?
▪ Data access controls: you need to implement access controls; this involves monitoring the activities that happen on your system, such as who is accessing what kind of file or what kind of data.
▪ System access controls: this is to make sure that only authorized users get access to the files they are permitted to access.
▪ System design: this includes building security measures into the actual software design, such as privilege isolation or other secure system design techniques.
▪ Systems and security administration: make sure that you always perform regular checks and carry out security administration tasks, such as configuring the system settings or implementing security policies.
Why do successful attacks happen?
▪ Widespread vulnerabilities: lack of vendor support, old devices (no updates)
▪ Configuration issues: weak configurations, misconfigurations
▪ Poorly designed software: improper input handling, race conditions
▪ Hardware limitations: resource exploitation
How would the attacker carry out an attack?
▪ Phishing
Fake sites created by fraudsters, who trick the victims into giving out their information.
▪ Social Engineering
Known as the art of manipulating human emotions and behaviour to obtain critical or sensitive information.
▪ Hacking
The attacker would be able to get most of the personal information pertaining to the victim if they succeed in compromising the victim's system or smartphone.
▪ Personal Data Theft
Information like credit cards, a driver's license, bills or any other sensitive information obtained from a stolen wallet or smartphone.

The frauds that you are susceptible to are:
▪ Credit card fraud
▪ Financial fraud
▪ Frauds related to government documents
Why has security become so important?
Businesses have to adhere to regulations, guidelines and standards:
▪ Payment Card Industry Data Security Standard (PCI DSS): requirements on companies that process payment cards
▪ Health Insurance Portability and Accountability Act (HIPAA); Gramm-Leach-Bliley Act (GLBA), which places requirements on financial institutions; ..., many more
▪ Audits have changed the economics of risk and create an "impending event"
▪ Hackers may attack you, but auditors will show up
▪ Disclosure laws mean that the consequences of failure have increased
UNDERSTANDING SECURITY
▪ Security is:
• The goal: to be free from danger
• The process that achieves that freedom
▪ As security is increased, convenience is often decreased
• The more secure something is, the less convenient it may become to use
Difference between Information security and cybersecurity

▪ Cybersecurity is a practice used to provide security from online attacks, while information security is a specific discipline that falls under cybersecurity.
▪ Information security focuses on network and application code.
Cybersecurity
is the collection of measures and practices taken to protect computers, networks, programs or systems from cyberattacks. Such attacks can take the form of malware, denial of service, theft of data, unauthorized access, tampering with data, and any number of other malicious actions.
How to apply security?
We can apply security by deploying some basic security controls, such as:
1. Establish policies, communicate them, get management support, enforce them on all
2. Raise users' awareness
3. Apply strong authentication
4. Regularly update and patch servers, clients and network devices
5. Apply physical security: secure the ports of the data centre, racks, servers
6. Use antimalware, restrict removable media, lock the BIOS, apply drive encryption
7. Control Internet traffic, implement DLP to prevent data leakage
8. Implement firewalls, WAF, DNS security, log collection and analysis, monitoring
9. Control corporate devices (such as laptops, mobiles)
10. Security reviews and audits

All the above controls require cost and resources to operate and time to implement, and some points may not fit all business types.
How much security is enough?
▪ Security is a relative term; it varies based on the nature of the business. For instance, the security requirements for an e-commerce business are different from those of a healthcare business or a marketing agency.
▪ Good security is what can decrease risk to an acceptable level without affecting system usability and functionality.
▪ Security controls need to be justified and exist to decrease the level of a certain risk; that's why understanding IT risk is important.

Figure: the balance between security and usability.
Understanding Computer Attacks
A hacker is someone who likes to tinker with software or electronic systems. Hackers enjoy exploring and learning how computer systems operate. They like discovering new ways to work electronically.
An attack is an action taken against a target with the intention of doing harm (destroy, expose, alter, disable, steal, gain access to, or make unauthorized use of an asset).

Figure: the hacker's computer is the active tool used to conduct the attack; the target could be a single computer/system.
Ethical Hacking
In general, hacking is the act of finding the possible entry points that exist in a computer system or a computer network and finally entering through them. It is usually done to gain unauthorized access to a computer system or a computer network, either to harm the systems or to steal sensitive information available on the computer.

Recently, hacker has taken on a new meaning: someone who maliciously breaks into systems for personal gain. Technically, they are criminals (criminal hackers). Crackers break into (crack) systems with malicious intent. They are out for personal gain: fame, profit, and even revenge. They modify, delete, and steal critical information, often making other people miserable.
Hackers can be divided into three groups:
▪ White Hat: good guys, ethical hackers
▪ Black Hat: bad guys, malicious hackers
▪ Gray Hat: good or bad hacker; depends on the situation
Figure: white hat, black hat, gray hat.
White Hat Hackers
White hats are the good guys, the ethical hackers who use their
hacking skills for defensive purposes. White-hat hackers are usually
security professionals with knowledge of hacking and the hacker
toolset and who use this knowledge to locate weaknesses and
implement countermeasures.
White-hat hackers are prime candidates for the exam. White hats
are those who hack with permission from the data owner. It is
critical to get permission prior to beginning any hacking activity.
This is what makes a security professional a white hat versus a
malicious hacker who cannot be trusted.

Black Hat Hackers
They are the bad guys: the malicious hackers or crackers who use their
skills for illegal or malicious purposes. They break into or otherwise
violate the system integrity of remote systems, with malicious intent.
Having gained unauthorized access, black-hat hackers destroy vital data,
deny legitimate users service, and just cause problems for their targets.
Black-hat hackers and crackers can easily be differentiated from white-
hat hackers because their actions are malicious. This is the traditional
definition of a hacker and what most people consider a hacker to be.

Gray Hat Hackers
Gray hats are hackers who may work offensively or defensively, depending on the situation. This is the dividing line between hacker and cracker. Gray-hat hackers may just be interested in hacking tools and technologies and are not malicious black hats. Gray hats are self-proclaimed ethical hackers, who are interested in hacker tools mostly from a curiosity standpoint. They may want to highlight security problems in a system or educate victims so they secure their systems properly. These hackers are doing their "victims" a favor. For instance, if a weakness is discovered in a service offered by an investment bank, the hacker is doing the bank a favor by giving the bank a chance to rectify the vulnerability.
Many self-proclaimed ethical hackers are trying to break into the security field as consultants. Most companies don't look favorably on someone who appears on their doorstep with confidential data and offers to "fix" the security holes "for a price." Responses range from "thank you for this information, we'll fix the problem" to calling the police to arrest the self-proclaimed ethical hacker.
Types of security breaches

There are many types of data breaches, such as:
▪ An exploit attacks a system vulnerability, such as an old version of an operating system.
▪ Password guessing: weak passwords can be cracked or guessed.
▪ Malware attacks: for example, phishing emails can be used to gain entry.
▪ Social engineering can also be used to gain access. For instance, an intruder phones an employee claiming to be from the company's IT helpdesk and asks for the password in order to 'fix' the computer.

https://www.kaspersky.com/resource-center/threats/what-is-a-security-breach
Data Breach Statistics
▪ Security breaches have increased by 11% since 2018 and 67% since 2014. (Accenture)
▪ Hackers attack every 39 seconds, on average 2,244 times a day. (University of Maryland)
▪ The average time to identify a breach in 2019 was 206 days. (IBM)
▪ The average lifecycle of a breach was 314 days (from the breach to containment). (IBM)
▪ 64% of Americans have never checked to see if they were affected by a data breach.
(Varonis)
▪ The cost of a breach in the healthcare industry went up 42% since 2020. For the 12th year
in a row, healthcare had the highest average data breach cost of any industry.
▪ 56% of Americans don’t know what steps to take in the event of a data breach. (Varonis)
▪ The average cost of a data breach is $3.92 million as of 2019. (Security Intelligence)
▪ 83% of enterprise workloads will move to the cloud by the year 2020. (Forbes)
Cybersecurity Facts and Stats
▪ Cyberattacks are the fastest growing crime globally.
▪ There is a hacker attack every 39 seconds.
▪ Total cost of cybercrime globally has added up to over $1
trillion in 2018.
▪ Approximately $6 trillion is expected to be spent globally on
cybersecurity by 2021.
▪ 95% of cybersecurity breaches are due to human error.
Summary
▪ We need information security to reduce risk to a level that is acceptable to the business (management).
▪ Cyber security is protecting the confidentiality, integrity and availability of information.
▪ Enforcing the roles and responsibilities of security professionals is one of the important guidelines in information security:
- Monitoring network usage to ensure compliance with security policies.
- Keeping up to date with developments in IT security standards and threats.
- Performing penetration tests to find any flaws.
- Collaborating with management and the IT department to improve security.
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
Winter 2023

Lecture 2
Cybersecurity threat characteristics
▪ Internal/external security threats
▪ Level of sophistication
▪ Resources/funding
▪ Intent/motivation

Cybersecurity threat actors
▪ Script kiddies
▪ Hacktivists/hackers
▪ Criminal syndicates (organized crime)
▪ Nation states/Advanced Persistent Threat (APT)
▪ Insiders
▪ Competitors
Cybersecurity threat actors
▪ Script kiddies: a derogatory term for people who use hacking techniques but have limited skills. Such attackers often rely almost entirely on automated tools they download from the Internet.

▪ Hacktivists/hackers: a person who uses hacking techniques to accomplish some social activist or political goal/change, usually seeking to deface websites, for example:
▪ Breaking into a website and changing the contents on the site to make a political statement
▪ Disabling a website belonging to a bank because the bank stopped accepting payments that were deposited into accounts belonging to the hacktivists
▪ Criminal syndicates (organized crime): organized groups seeking to steal money, identities or corporate secrets. The criminal networks are usually run by a small number of experienced online criminals who do not commit crimes themselves but act as entrepreneurs.
▪ Nation states/Advanced Persistent Threat (APT): an attack in which unauthorized persons (groups) gain access to a network using advanced exploitation techniques and stay there undetected for a long period of time. The intention of an APT attack is to steal data (such as others' political, economic, military and commercial infrastructure) rather than to cause damage to the network or organization.
▪ Insiders: internal employees seeking to cause damage to their organization. For example, employees may be bribed or coerced into stealing data before moving to a new job.
▪ Competitors: outside organizations seeking to commit corporate espionage for financial or market gain. They may steal new product research or a list of current customers to gain a competitive advantage.
Q: Your company's website has been defaced by an organization that doesn't agree with your corporate policies. What type of threat actor typically does this?
A. Script kiddies
B. Hacktivist
C. Organized crime
D. Insiders
Threat vectors
Threat actors targeting an organization need some means to gain access to that organization's information or systems. Threat vectors are the means that threat actors use to obtain that access, for example:

▪ Email and social media
▪ Direct access
▪ Wireless networks
▪ Removable media
▪ Cloud
▪ Third party risks
Threat data and intelligence
▪ Threat intelligence is the set of activities and resources available to security professionals to
learn about changes in the threat environment.
▪ Threat intelligence information can be used for predictive analysis to
identify likely risks to the organization.
Threat intelligence sources:
- They range from Open Source INTelligence (OSINT), which can be gathered from publicly available sources, to
commercial services that provide closed-source intelligence information.
- An increasing number of products and services have the ability to consume threat feed data,
allowing you to leverage it throughout your infrastructure and systems.
Threat feeds often include technical details about the threat such as:
▪ IP addresses,
▪ Hostnames and domains,
▪ Email addresses, URLs,
▪ File hashes and file paths,
▪ CVE (Common Vulnerabilities and Exposures list) numbers.
Vulnerability databases are also an essential part of an organization's
threat intelligence program: reports of vulnerabilities directly help
an organization's defensive efforts, but they also provide
valuable insights into the types of exploit being discovered by
researchers.
▪ Open Source INTelligence (OSINT) is threat intelligence that
is acquired from publicly available sources.
▪ Closed-source intelligence comes from commercial security
vendors, government organizations and other security-centric
organizations. They do their own information gathering and
research, and they may use custom tools, analysis models, or
proprietary methods to gather, create and maintain
their threat feeds.
Threat maps
Threat maps provide a geographic view of threat intelligence. They provide
insights into the cybersecurity threat landscape. For example:

Real-time attack trackers:
▪ FireEye offers a public threat map: Cyber Threat Map,
▪ Kaspersky Cyberthreat Real-time Map
Assessing Threat Intelligence:
Assessing threat intelligence relies on a set of common factors:
- Is it timely?
- Is the information accurate? Can we rely on what it says, and how likely
is it that the assessment is valid? Does it rely on a single source or
multiple sources? How often are these sources correct?
- Is the information relevant?
Note: a confidence score is a common way to summarize the
threat intelligence assessment.
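As an added example (not from the slides), the following Python script matches constructed log lines against a constructed threat feed carrying the indicator types listed above (IP addresses, domains, file hashes), and applies a confidence-score threshold to the feed before matching so that poorly assessed indicators do not raise alerts. The feed entries, log lines and their key=value format are all invented for illustration.

```python
import json
import re

# Constructed sample threat feed (invented values, not a real feed). Each entry
# carries one of the technical details the slides list (IP address, domain,
# file hash) plus a 0-100 confidence score summarising how much the team
# trusts the source that reported it. The addresses are documentation ranges.
THREAT_FEED = json.loads("""
[
  {"type": "ip",     "value": "203.0.113.45",         "confidence": 90, "source": "closed-source vendor"},
  {"type": "domain", "value": "update-check.invalid", "confidence": 60, "source": "OSINT"},
  {"type": "sha256", "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
   "confidence": 95, "source": "closed-source vendor"},
  {"type": "ip",     "value": "198.51.100.7",         "confidence": 20, "source": "OSINT"}
]
""")

# Constructed log lines in an invented key=value format (DNS, network and file events).
SAMPLE_LOGS = [
    "2023-10-02T09:14:05Z host=ws-017 event=dns query=update-check.invalid rcode=NOERROR",
    "2023-10-02T09:14:07Z host=ws-017 event=netconn dst=203.0.113.45:443 proto=tcp",
    "2023-10-02T09:15:31Z host=ws-022 event=netconn dst=198.51.100.7:80 proto=tcp",
    "2023-10-02T09:16:02Z host=ws-017 event=filewrite path=C:\\Users\\Public\\svc.exe "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2023-10-02T09:20:11Z host=ws-031 event=dns query=intranet.example rcode=NOERROR",
]

# Patterns for the indicator types the feed can contain.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def index_feed(feed, min_confidence):
    """Keep only indicators whose confidence meets the threshold chosen after
    assessing the source (timeliness, accuracy, relevance), keyed by value."""
    return {e["value"].lower(): e for e in feed if e["confidence"] >= min_confidence}


def extract_indicators(line):
    """Pull every IP address, SHA-256 hash and domain name out of one log line."""
    found = set()
    for pattern in (IP_RE, SHA256_RE, DOMAIN_RE):
        found.update(m.lower() for m in pattern.findall(line))
    return found


def match_logs(logs, feed=THREAT_FEED, min_confidence=50):
    """Return one hit per (log line, indicator) pair for indicators in the feed.
    Low-confidence entries are ignored, so they do not generate noisy alerts."""
    index = index_feed(feed, min_confidence)
    hits = []
    for line in logs:
        for indicator in sorted(extract_indicators(line)):
            entry = index.get(indicator)
            if entry is not None:
                hits.append({
                    "indicator": indicator,
                    "type": entry["type"],
                    "confidence": entry["confidence"],
                    "source": entry["source"],
                    "log": line,
                })
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS):
        print(f"[{hit['confidence']:>3}] {hit['type']:<6} {hit['indicator']}  <- {hit['log']}")
```

With the default threshold of 50 the low-confidence OSINT address is left out, so three of the four feed entries produce hits.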
Attacks using malware
Malicious software (malware): an umbrella term for a wide variety of damaging or annoying
software. Malware can be inserted into a
system/device/network/user's machine with the intent of compromising
the confidentiality, integrity, or availability of the victim's
information, applications or operating system, or to annoy/disrupt
the victim. Malware:
▪ Enters a system without the owner's knowledge or consent
▪ Uses a threat vector to deliver a malicious "payload" that performs a
harmful function once it is invoked
▪ Can gather information and provide illegal access
Figure: the malware family (Rootkits, Spyware, Trojans, Crimeware, Worms, Adware, Viruses) shown as a diagram around the word Malware.
Malware can be classified by the primary trait that
the malware possesses:
▪ Circulation mechanism
▪ Infection
▪ Concealment
▪ Payload capabilities
▪ Circulation mechanism: the malware propagates and spreads rapidly to other systems to
impact as many users as possible (the means by which a virus
finds and infects new files, spreads or propagates, enabling it to replicate in a
system):
• Viruses: they require end-user activation and can activate at a specific time
or date. A virus is comparatively easy to detect with a virus scanner.
- Computer virus: reproduces itself
- Program virus: infects an executable file
- Macro virus: a series of instructions that can be grouped together as a single
command
- Armored virus: built to avoid detection

Note: virus and malware are not interchangeable terms. A virus is only one type
of malware.
Virus infection method
Appender infection: the virus appends itself to the end of a file
- One basic type of infection is the appender infection
- The virus first attaches itself to the end of the infected file
- It then inserts, at the beginning of the file, a jump instruction that points
to the end of the file, which is the beginning of the virus code
- When the program is launched, the jump instruction redirects control to the virus

Most viruses today go to great lengths to avoid detection (called an armored virus);
some armored virus infection techniques include:
– Swiss cheese infection: the virus injects itself into the executable code
• Virus code is "scrambled" to make it more difficult to detect
– Split infection: the virus splits into several parts
• Parts are placed at random positions in the host program
• The parts may contain unnecessary "garbage" code to mask their true purpose
– Mutation: some viruses can mutate or change
• An oligomorphic virus changes its internal code to one of a set number of
predefined mutations whenever executed
• A polymorphic virus completely changes from its original form when executed
• A metamorphic virus can rewrite its own code and appear different each time it is
executed
Figure: diagrams of the appender infection, split infection and Swiss cheese infection techniques.
❖ Viruses perform two actions:
– Unload a payload to perform a malicious action
– Reproduce themselves by inserting their code into another file on the same computer

❖ Examples of virus actions
– Cause a computer to repeatedly crash
– Erase files from or reformat the hard drive
– Turn off the computer's security settings

❖ Viruses cannot automatically spread to another computer
– They rely on user action to spread
❖ Viruses are attached to files
❖ Viruses are spread by transferring infected files
Worm
- A worm is a malicious program that uses a
computer network to replicate
▪ Sends copies of itself to other network devices
- Worms may:
▪ Consume resources or
▪ Leave behind a payload to harm infected systems

Examples of worm actions:
▪ Can delete computer files
▪ Allow remote control of a computer by an attacker
Action | Virus | Worm
What does it do? | Inserts malicious code into a program or data file | Exploits a vulnerability in an application or OS
How does it spread to other computers? | User transfers infected files to other devices | Uses a network to travel from one computer to another
Does it infect a file? | Yes | No
Does there need to be user action for it to spread? | Yes | No
Virus | Worm
Cannot be spread to other computers unless an infected file is replicated and actually sent to the other computer. | Once it has entered a system, usually via a network connection or as a downloaded file, it can then run, self-replicate and propagate without a triggering event.
Files such as .com, .exe or .sys, or a combination of them, are corrupted. | Typically does not modify any stored programs.
Cannot be easily removed from the system. | Can be easily removed from the system.
▪ Infection
The event/condition that determines when the payload is
activated or delivered (how the malware embeds itself into a system).
Examples of this malware are:
- Trojans,
- Ransomware,
- Crypto-malware
Trojans
A Trojan is an executable program that does something other than
advertised
– Contains hidden code that launches an attack
– Sometimes made to appear as a data file

Example
– User downloads a "free calendar program"
• Program scans the system for credit card numbers and passwords
• Transmits information to the attacker through the network

Special type of Trojan:
– Remote access Trojan (RAT): gives the threat actor unauthorized
remote access to the victim's computer by using specially configured
communication protocols
Ransomware
This malware is designed to hold a computer
system or the data it contains captive until a
payment is made (it prevents a user's device from
properly operating until a fee is paid).
▪ It usually works by encrypting data on the
computer with a key unknown to the user.
▪ Some other versions of ransomware can take
advantage of specific system vulnerabilities to
lock down the system.
▪ It is spread by a downloaded file or some
software vulnerability.

Figure: in this example, a ransomware infection uses the same color schemes and icons that
legitimate Windows software has (source: Microsoft Security Intelligence Report).
Crypto-malware
This malware is a more malicious form of ransomware in which threat actors
encrypt all files on the device so that none of them can be opened.
▪ Concealment
- The malware hides and avoids detection by concealing its presence from
scanners:
▪ Example: Rootkit, a set of software tools used by an attacker to hide the actions
of other types of malicious software
- May alter or replace operating system files with modified versions
that are specifically designed to ignore malicious activity
▪ Users can no longer trust a computer that contains a rootkit
▪ The rootkit is in charge and hides what is occurring on the computer
▪ Payload capabilities
What actions the malware performs, besides spreading. The payload may
involve damage or may involve benign but noticeable activity.
- For example: spyware, logic bombs, backdoors, bots/zombies, keyloggers

Primary payload capabilities are to:
– Collect data
– Delete data
– Modify system security settings
– Launch attacks
▪ Collect data
Different types of malware are designed to collect important data from the
user's computer and make it available to the attacker. This type of malware
includes:
▪ Spyware
▪ Adware

▪ Spyware: software that gathers information without user consent
- Uses the computer's resources for the purpose of collecting and
distributing personal or sensitive information
- An example of spyware is a keylogger, which captures and stores each keystroke
that a user types on the computer's keyboard. Keyloggers come in two types:
- Hardware device, inserted between the computer keyboard connector and the USB port
- Software keyloggers, programs installed on the computer that silently capture information
- The attacker searches the captured text for any useful information such as
passwords, credit card numbers, or personal information
▪ Adware: a program that delivers advertising content in a manner unexpected
and unwanted by the user
– Typically displays advertising banners and pop-up ads
– May open new browser windows randomly

▪ Users disapprove of adware because:
✓ Adware can display objectionable content
✓ Frequent pop-up ads can interfere with a user's productivity
✓ Pop-up ads can slow a computer or even cause crashes and the loss of data
✓ Unwanted advertisements can be a nuisance (inconvenience)
▪ Delete data
▪ The payload of other types of malware deletes data on the
computer

▪ Logic bomb: computer code that lies dormant until it is triggered by
a specific logical event
✓ Difficult to detect before it is triggered
✓ Often embedded in large computer programs that are not routinely
scanned
Modify System Security
▪ Backdoor: gives access to a computer, program, or
service that circumvents normal security to give
program access
✓ When installed on a computer, backdoors allow the
attacker to return at a later time and bypass security
settings
Launch Attacks
▪ Bot or zombie: an infected computer that is under the
remote control of an attacker
▪ Groups of zombie computers are gathered into a logical
computer network called a botnet under the control of the
attacker (bot herder)
▪ Infected zombie computers wait for instructions through a
command and control (C&C) structure from bot herders
✓ A common C&C mechanism used today is HTTP, which is
more difficult to detect and block
Defending Against Attacks
▪ Layering
▪ Limiting
▪ Diversity
▪ Obscurity
▪ Simplicity

Most Common Types of Malware Attacks
Below are a few common types of malware:
▪ Spyware
▪ Adware
▪ Bot (like a robot)
▪ Ransomware
▪ Rootkit
▪ Virus
▪ Trojan horse
▪ Worms
▪ Man-In-The-Middle (MitM)
▪ Man-In-The-Mobile (MitMo).

The following are common malware symptoms:
▪ There is an increase in CPU usage.
▪ There is a decrease in computer speed.
▪ The computer freezes or crashes often.
▪ There is a decrease in Web browsing speed.
▪ There are unexplainable problems with network connections.
▪ Files are modified.
▪ Files are deleted.
▪ There is a presence of unknown files, programs, or desktop
icons.
▪ There are unknown processes running.
▪ Programs are turning off or reconfiguring themselves.
▪ Email is being sent without the user’s knowledge or consent

CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023

Lecture 3

Social Engineering Attacks

▪ Describe the types of psychological social
engineering attacks
▪ Explain physical social engineering attacks
Social Engineering:
▪ The art of manipulating people so that they give up
confidential information or break standard security
practices.

▪ Or: a process where an attacker attempts to acquire
information about your network and system by talking
to people in the organization.
Facts about Social Engineering Attacks
▪ Everyone is a potential target! (It relies on the weaknesses of
individuals to gather information and create patterns.)
▪ It's often easier for cybercriminals to manipulate a human than a
computer network or system (it focuses on the human side of
information security).
▪ Attacks can be relatively low-tech, low-cost, and easy to execute.
▪ A social engineering attack may occur:
✓ over the phone,
✓ by e-mail,
✓ or by a visit.
▪ The intent is to acquire access information, such as user IDs and
passwords.
Social Engineering Attacks
▪ Using social engineering techniques, security
professionals and attackers can accomplish different
tasks ranging from acquiring information to gaining
access to systems, buildings and networks.
Social Engineering Life Cycle
1. Prepare the Attack
• Identify the victim(s)
• Gather background information
• Select attack method(s)
2. Establish a Relationship
• Engage the target
• Spin a story
• Take control of the interaction
3. Obtain Information
• Expand the foothold
• Execute the attack
• Disrupt business and/or steal data
4. Close the Interaction
• Remove any traces of malware
• Bring the attack to a natural end

Figure: Social Engineering Life Cycle, shown as a circle of four stages:
1. Investigation: preparing the ground for the attack
2. Hook: deceiving the victim to gain a foothold
3. Play: obtaining the information over a period of time
4. Exit: closing the interaction, ideally without arousing suspicion
Social Engineering attacks can involve two approaches:
▪ Psychological procedures
▪ Physical procedures

Psychological Approaches
▪ The goal of these approaches is to persuade the victim to
provide information or take an action
▪ Attackers use a variety of techniques to gain trust without
moving quickly:
▪ Provide a reason
▪ Project confidence
▪ Make them laugh

✓ The psychological procedures often involve:
• Impersonation,
• phishing,
• spam,
• hoaxes,
• and watering hole attacks
Psychological Approaches procedures
➢ Impersonation - the attacker pretends to be someone else:
✓ Help desk support technician
✓ Repairperson
✓ IT support
✓ Manager
✓ Trusted third party
✓ Fellow employee

▪ The attacker will often impersonate a person with authority
because victims generally resist saying "no" to anyone in
power
▪ Attackers impersonate co-workers, police officers,
bankers, tax authorities, or charitable
organizations.
▪ An attacker builds a credible story (pretext) that
leaves little room for doubt on the part of their
target.
▪ A false sense of trust is developed with the target.
▪ A pretexter may ask a series of questions designed
to gather personally identifiable information.
▪ The aim is to obtain sensitive information such as:
• social security number, mother's maiden name, place or date of
birth, or account numbers.
➢ Phishing: a type of attack often used to steal user data,
including login credentials, personally identifiable information
or credit card numbers. It occurs when an attacker, sending an
email claiming to be from a legitimate source or posing as a
trusted entity, tricks a victim into opening an email or instant
message.

✓ Tries to trick the user into giving private information
✓ The emails and fake websites are difficult to distinguish from
those that are legitimate
▪ Spear phishing – targets specific users
▪ Whaling – targets the "big fish"
▪ Vishing (voice phishing) – instead of using email, uses a
telephone call
▪ Smishing (text phishing)

▪ About 91% of all attacks start with phishing
https://blog.knowbe4.com/bid/252429/91-of-cyberattacks-begin-with-spear-phishing-email

▪ 95% of cybersecurity breaches are due to human error
Phishing forms in more detail
Spear Phishing
• Similar to phishing, spear phishing is an email or electronic
communications scam targeted towards a specific individual,
organization or business (targets specific users)
Whaling
• An attacker tries to target the "big fish"

Vishing (Voice Phishing)
• An attacker calls their target and uses an automated recording
designed to generate fear. The recording will ask the target to call a
number to resolve the issue.

Smishing (SMS/text Phishing)
• An attacker tries to trick you into giving them your private
information by sending you a text message.
Common Signs of Phishing
Too Good To Be True
• Eye-catching or attention-grabbing offers designed to attract people’s attention
immediately. For instance, a claim that you have won an iPhone, a lottery, or some
other prize.

Sense of Urgency
• Act fast because the super deals are only for a limited time.
• Your account will be suspended unless you update your personal details immediately.

Hyperlinks
• Click here to claim your offer.
• Click here to change your login credentials.

Attachments
• Often contain ransomware, malware or other viruses.
Figure: sample phishing e-mails and a phishing attack (screenshots).
➢ Spam: unwanted, unsolicited e-mail sent in bulk (junk mail)
✓ It represents the primary vehicle for the distribution of malware
✓ Sending spam is a profitable business, as it costs spammers very little to
send millions of spam messages

▪ Filters look for specific words and block the email
▪ Image spam: uses graphical images of text in order to avoid
text-based filters
– Often contains nonsense text so it appears legitimate

Figure: an image-spam message passing a text-based filter/classifier.
➢ Hoaxes; a false warning, usually claiming to come from the
IT department
▪ Attackers try to get victims to change configuration
settings on their computers that would allow the attacker
to compromise the system
▪ Attackers may also provide a telephone number for the
victim to call for help, which will put them in direct contact
with the attacker

➢ Watering hole attack: a malicious attack that is directed
toward a small group of specific individuals who visit the
same website (a designed attack that targets specific
groups)
▪ For example, major executives working for a manufacturing company
may visit a common website, such as a parts supplier to the
manufacturer
Physical (in-person) Procedures
▪ The most common physical procedures are:
✓ Dumpster diving
✓ Tailgating
✓ Shoulder surfing
▪ Dumpster diving: digging through trash to find information
that can be useful in an attack
▪ One electronic variation of dumpster diving is to use
Google's search engine to look for documents and data
posted online, called a Google dork.
• Google dorking is a hacking technique that makes use of Google's advanced
search services to locate valuable data or hard-to-find content. Google
dorking is also known as "Google hacking."
▪ Tailgating; following behind an authorized individual
through an access door
• An employee could cooperate with an unauthorized
person to allow him to walk in with him (called
piggybacking)

➢ Shoulder surfing involves looking over a person's shoulder
to gather personal information while the victim is unaware.
This is especially effective in crowded places where a
person uses a computer, smartphone or ATM

What is Baiting?
▪ Involves offering something physically
or digitally attractive to a target in
exchange for login information or
private data.
Baiting Techniques
Free Media Download
Attackers distribute malicious download links on the internet that
offer free music, movies, or video games in exchange for the
victim's login information.

Unusually Low-Priced Product
Attackers promote products at unreasonably low prices on an online
store they set up in the hope that customers will try to make a
purchase and expose their credit or debit card information.

Compromised USB Drive
A USB device that has been infected can be used to introduce
malware, link you to phishing sites, or grant a hacker access to your
computer.
Defend Against Pretexting!

How to Avoid Pretexting Scams
• Never give out personal information over the phone or
online unless you are the one who made the contact.
• Be aware that legitimate organizations will never contact
you via phone requesting personal information.
• If you are approached by somebody you don't know who is
requesting personal information about you or somebody you
know, end the conversation immediately. Let the individual
know you want to contact their organization and verify
their identity and motive first.
Defend Against Phishing!

How to Avoid Phishing Scams
• Do not respond to communication you are unfamiliar with.
• Do not call any phone numbers listed in an email, text
message, or instant message.
• Do not click on any links in an email message and do not open
any attachments contained in a suspicious email.
• Do not enter personal information in any pop-up screens.
Legitimate organizations don't ask for personal information
using pop-up screens. Instead, contact the supposed
organization and verify.
• If in doubt, delete the email or message.
Defend Against Baiting!

How to Avoid Baiting Scams
• Think twice before clicking unfamiliar hyperlinks while
browsing the web.
• Use reputable retailers when shopping for products or services.
• Do not click on any hyperlinks that offer free music, movie, or
video game downloads.
• Avoid any hyperlinks your search engine returns that are
classified as ads.
• Do not insert any USB drives into your computer that you find
lying around. Turn them in to your organization's security team.
Summary of malware and social engineering attacks
▪ Malware is malicious software that enters a computer system
without the owner's knowledge or consent
▪ Malware that spreads includes computer viruses and worms
▪ Ransomware prevents a user's device from properly and fully
functioning until a fee is paid
▪ A rootkit can hide its presence or the presence of other malware on
the computer by accessing lower layers of the OS
▪ Different types of malware are designed to collect data from the
user's computer and make it available to the attacker
– Spyware, keyloggers, and adware
▪ A logic bomb is computer code that is typically added to a
legitimate program but lies dormant (suspended) until triggered by
a specific logical event
▪ A backdoor gives access to a computer, program, or service that
avoids any normal security protections

▪ A popular payload of malware is software that will allow the
infected computer to be placed under the remote control of
an attacker (known as a bot)
– Multiple bot computers can be used to create a botnet
▪ Social engineering is a means of gathering information for an
attack from individuals
▪ Types of social engineering approaches include phishing,
dumpster diving, tailgating, etc.
▪ The best method of minimizing social engineering attacks is
user education and positive verification of the identity of the
person committing the attack.
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023

Lecture 4

Fundamentals of Cryptography

Cipher & Data security: the science and study of methods of
protecting data in computer and communication systems from
unauthorized disclosure and modification.

Figure: DATA is encrypted, leaves through a firewall, crosses the Internet, passes the receiving firewall and is decrypted back to DATA.
Cryptography can provide protection to data as that data
resides in any of three states:
- Data in use – data actions being performed by "endpoint
devices", e.g. printing a report from a desktop computer
- Data at rest – data that is stored on electronic media
(disk encryption), e.g. USB, HDD
- Data in transit – actions that transmit the data across a
network, e.g. email sent across the Internet
Cryptography can provide five basic protections:
✓ Confidentiality prevents the unauthorized, accidental or
malicious use or disclosure of information
✓ Integrity safeguards the accuracy, completeness and
correctness of information
✓ Availability ensures that authorized users have reliable and
timely access to information and computer systems when
required
✓ Non-repudiation means the "data owner" cannot later deny
that something (a message or action) is valid and theirs
✓ Encryption (obfuscation), the practice of obscuring
(hiding) the meaning of a piece of information
Cryptology
1. Cryptography; converting messages (scrambling messages) into
"gibberish" that can be converted back to the message
2. Cryptanalysis (breaking secret codes).

Figure: the Cryptology tree used throughout these slides:
Cryptology
├── Cryptography
│   ├── Classic: Substitution, Transposition
│   └── Modern: Symmetric, Asymmetric
└── Cryptanalysis
    ├── Classic
    └── Modern
Cryptography Basic Terminology
▪ Plaintext - original message, unencrypted readable text
▪ Ciphertext - coded message, the encrypted text which is formed
after the encryption algorithm is applied
▪ Cipher - algorithm for transforming plaintext to ciphertext
▪ Key – secret information used in the cipher, known only to sender/receiver;
the key that is used to encrypt/decrypt the data is called the
encryption key
▪ Encipher (encrypt) - convert plaintext to ciphertext
▪ Decipher (decrypt) - recover plaintext from ciphertext

Figure: Plain text -> Cipher (controlled by the Key) -> Cipher text
Cryptography Basic Terminology
Keyspace: set of all possible keys of a cipher
Keyspace size:
- Size of the set of all possible keys of a cipher
- Usually given as a power of 2 (rounded up)

Example: Caesar
Keyspace = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25}
Keyspace size: 26 ≈ 2^5

Note: it is common to express the keyspace size as a power of 2, so 26 is rounded up to the nearest power of 2, which is
2^5 (32). Therefore, the keyspace size for the Caesar cipher is approximately 2^5.
Cryptography Process

We could have the following parties (players):
▪ Alice: sender of an encrypted message; she needs an encryption algorithm
and a key
▪ Bob: intended receiver of the encrypted message
▪ Eve: passive attacker
▪ Mallory: active attacker

Figure: Alice -> Encryption (Key) -> channel -> Decryption (Key) -> Bob, with Eve/Mallory (cryptanalysis) on the channel between them.
General Approaches to Cryptanalysis Attack
▪ Cryptanalytic attack: this type of attack exploits the
characteristics of the algorithm to attempt to deduce a
specific plaintext or to deduce the key being used.

▪ Brute-force attack: the attacker tries every possible key on
a piece of ciphertext until an intelligible translation into
plaintext is obtained. On average, half of all possible
keys must be tried to achieve success.
Three types of classical cryptography ciphers:
1. Substitution ciphers
- Replace letters by other letters, for example:
- Caesar cipher,
- Simple Monoalphabetic Substitution Cipher (MASC),
- Vigenère cipher, a polyalphabetic cipher.
2. Transposition ciphers
- Change the order of the plaintext letters, for example
Scytale, columnar transposition
3. Composed ciphers
- Combination of substitution and transposition, for example
ADFGVX, Granite
Substitution Technique: Caesar Cipher
Substitution ciphers are based on the principle of replacing each character
with another character in order to hide the actual meaning of the message.
There are a number of different types of substitution cipher:
▪ Simple substitution: replace each character of the ordered plaintext alphabet with the
corresponding character of an ordered cipher alphabet
▪ Direct standard alphabet: shift the letters of the alphabet to the right by k
positions, modulo the size of the alphabet
- The Caesar cipher involves replacing each letter of the alphabet with the letter
standing three places further down the alphabet (K = 3).
Simple substitution: replace each character of the ordered plaintext alphabet
with the corresponding character of an ordered cipher alphabet
(where each letter is mapped to a different letter of the alphabet)
▪ It is necessary to change each of the 26 letters in the standard alphabet
to a different letter in the replacement alphabet. For example, let's
imagine we are trying to encrypt "Hello World!" by using the
substitution alphabet; the message would become "NRQQS USJQO!"

Mapped letters:
Plain text:
Hello World!
Cipher text:
NRQQS USJQO!
▪ ROT-13 ("rotate by 13 places") is a simple letter substitution cipher that
replaces a letter with the 13th letter after it in the alphabet. ROT-13 is
a special case of the Caesar cipher.

Figure: ROT-13 as an example of weak encryption.
Caesar Cipher
C = E(P) = (P + K) mod n, where n is the size of the alphabet.
P = D(C) = (C - K) mod n
Example: (Caesar method) use K = 3

Plaintext: Ali
Encipher process: (P + K) mod 26
Answer:
A = 0
(0 + 3) mod 26 = 3 = D
L = 11
(11 + 3) mod 26 = 14 = O
I = 8
(8 + 3) mod 26 = 11 = L

Cipher text: DOL
Cipher text: DOL
Decipher process: (C - K) mod 26
Answer:
D = 3
(3 - 3) mod 26 = 0 = A
O = 14
(14 - 3) mod 26 = 11 = L
L = 11
(11 - 3) mod 26 = 8 = I
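Added example, not from the slides: the Caesar formulas above in Python, with the slides' K = 3 worked example, ROT-13 as the K = 13 special case, the keyspace-size rounding from the keyspace slide, and a loop over all 26 keys showing why such a small keyspace makes the cipher the slides' example of weak encryption. Function names are my own; letters are numbered A = 0 to Z = 25 as on the slides.

```python
import string

ALPHABET = string.ascii_uppercase   # n = 26, as in the slides' formula
N = len(ALPHABET)


def caesar_encrypt(plaintext: str, k: int) -> str:
    """C = E(P) = (P + K) mod n, letter by letter. Letters are numbered A = 0 ...
    Z = 25 as on the slides; output is uppercase; anything else passes through."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            p = ALPHABET.index(ch.upper())
            out.append(ALPHABET[(p + k) % N])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """P = D(C) = (C - K) mod n: the same shift with the key negated."""
    return caesar_encrypt(ciphertext, -k)


def rot13(text: str) -> str:
    """ROT-13 is the Caesar cipher with K = 13; applying it twice restores the text."""
    return caesar_encrypt(text, 13)


def keyspace_size_bits(keyspace: int = N) -> int:
    """Keyspace size rounded up to a power of two, as on the keyspace slide:
    26 keys -> 2^5 = 32, so the function returns 5."""
    bits = 0
    while (1 << bits) < keyspace:
        bits += 1
    return bits


def try_every_key(ciphertext: str, expected_word: str):
    """The brute-force attack from the cryptanalysis slide, applied to a cipher
    whose whole keyspace is 26 keys: decrypt under every key and keep the keys
    whose candidate plaintext contains a word we expect to see."""
    hits = []
    for k in range(N):
        candidate = caesar_decrypt(ciphertext, k)
        if expected_word.upper() in candidate:
            hits.append((k, candidate))
    return hits


if __name__ == "__main__":
    print(caesar_encrypt("Ali", 3))           # DOL  (the slides' worked example)
    print(caesar_decrypt("DOL", 3))           # ALI
    print(rot13("Hello World"), rot13(rot13("Hello World")))
    print(keyspace_size_bits())               # 5
    print(try_every_key("DOL", "ali"))        # [(3, 'ALI')]
```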
Transposition cipher
▪ A transposition cipher is one in which the order of characters
is changed to obscure the message; an example is the Scytale.

Figure: a scytale -
https://en.wikipedia.org/wiki/Scytale

▪ One modern transposition cipher is done by writing the
message in rows and then forming the encrypted
message from the text in columns
Example: Encrypt the following plain text:
Meet at three pm today at the usual location.
Use rows of 6 characters.

Answer:
▪ Fill the message row by row.
▪ Then read column by column to get the cipher text:
1 2 3 4 5 6
M E E T A T
T H R E E P
M T O D A Y
A T T H E U
S U A L L O
C A T I O N

Cipher text:
MTMASC EHTTUA EROTAT TEDHLI AEAELO TPYUON
Example: decrypt the following cipher text,
AES EAO OIT VUI NNN NEE RLC FTE INV LER LS
Use rows of length 4 characters.

Answer:
▪ How many rows do I need? Total letters / 4
No. of rows = total no. of letters / no. of chars per row
= 32/4 = 8 rows
▪ First fill column by column:
1 2 3 4
A T E L
E V E N
S U R V
E I L L
A N C E
O N F R
O N T L
I N E S
▪ Then read by row to get the plain text:
AT ELEVEN SURVEILLANCE ON FRONT LINES

Note: FOR DECRYPT, FILL COLUMN BY COLUMN AND THEN READ BY ROW.
Example: encrypt the following plain text,
AT FOUR SURVEILLANCE ON ENEMY CAMP
Key: MAINE

Answer:
▪ no. of columns = no. of letters in the key
M A I N E
1 2 3 4 5 ➔ 5 columns
▪ no. of rows = no. of letters / no. of letters in the key = 29/5, rounded up to 6 rows (the message is padded to 30 letters)
▪ Alphabetical order of the letters of the key: AEIMN
-> key is: 2,5,3,1,4
▪ If you have an empty cell, replace it with A (padding is A):
1 2 3 4 5
A T F O U
R S U R V
E I L L A
N C E O N
E N E M Y
C A M P A

▪ Read each column according to the ordered key:
TSICNA UVANYA FULEEM ARENEC ORLOMP
Example: Decrypt the following cipher text:
NAC SMT NAA AOT KEP AOT BC
Key: plan

Answer:
▪ total no. of columns = no. of letters in the key
▪ total no. of rows = total no. of letters / no. of columns
20/4 = 5 rows
▪ Write the index of each letter as it is (no order):
p l a n
4 2 1 3 (a comes first in alphabetical order, and so on)
▪ Fill the cipher text groups column by column, in the order received:
1 2 3 4
N T O A
A N T O
C A K T
S A E B
M A P C
▪ Re-write the table according to (4 2 1 3):
1 2 3 4
A T N O
O N A T
T A C K
B A S E
C A M P
▪ Read row by row to get the plain text:
AT NOON ATTACK BASE CAMP
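Added example, not from the slides: a Python implementation of the columnar transposition used in the four examples above. The unkeyed "rows of 6" form is the same procedure with the key "123456" (columns read left to right); the keyed form reads the columns in the alphabetical order of the keyword, padding the last row with A as the MAINE example does. Function names are my own; the expected outputs are the slides' own cipher and plain texts.

```python
def letters_only(text: str) -> str:
    """The slides drop spaces and punctuation and work with uppercase letters."""
    return "".join(ch.upper() for ch in text if ch.isalpha())


def column_order(key: str) -> list:
    """0-based column indices in the order the columns are read: the alphabetical
    rank of each key letter. MAINE -> [1, 4, 2, 0, 3], i.e. the slides' 2,5,3,1,4.
    A numeric key such as '123456' gives [0, 1, 2, 3, 4, 5]: columns left to right."""
    return sorted(range(len(key)), key=lambda i: (key[i].upper(), i))


def encrypt_columnar(plaintext: str, key: str, pad: str = "A") -> str:
    """Write the message row by row under the key, pad the last row (the slides
    pad with A), then read each column in key order."""
    text = letters_only(plaintext)
    width = len(key)
    while len(text) % width:
        text += pad
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join("".join(row[c] for row in rows) for c in column_order(key))


def decrypt_columnar(ciphertext: str, key: str) -> str:
    """Reverse the process: cut the ciphertext into equal-height columns, put each
    column back under the key letter it was read from, then read row by row."""
    text = letters_only(ciphertext)
    width = len(key)
    if len(text) % width:
        raise ValueError("ciphertext length must be a multiple of the key length")
    height = len(text) // width
    columns = [""] * width
    for rank, col in enumerate(column_order(key)):
        columns[col] = text[rank * height:(rank + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(width))


def grouped(text: str, size: int = 6) -> str:
    """Print ciphertext in fixed-size groups, as the slides do."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


if __name__ == "__main__":
    # Unkeyed example: rows of 6, columns read left to right.
    c1 = encrypt_columnar("Meet at three pm today at the usual location.", "123456")
    print(grouped(c1))                      # MTMASC EHTTUA EROTAT TEDHLI AEAELO TPYUON
    # Keyed example with MAINE; the 29-letter message is padded to 30.
    c2 = encrypt_columnar("AT FOUR SURVEILLANCE ON ENEMY CAMP", "MAINE")
    print(grouped(c2))                      # TSICNA UVANYA FULEEM ARENEC ORLOMP
    # Keyed decryption with 'plan'.
    print(decrypt_columnar("NAC SMT NAA AOT KEP AOT BC", "plan"))   # ATNOONATTACKBASECAMP
```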
Types of Encryption
▪ Private (Secret) key
– Symmetric
▪ Public key
– Asymmetric
▪ Hash
– One way transformation (can’t decrypt it)

NIST: The National Institute of Standards and Technology is an agency of the United States Department of Commerce whose mission is to
promote American innovation and industrial competitiveness

25
A fundamental difference in cryptographic algorithms is the amount of data
processed at a time
▪ Stream cipher takes one character and replaces it with another (substitution
cipher)
▪ Block cipher manipulates an entire block of plaintext at one time
▪ Sponge function takes as input a string of any length and returns a string of any
requested variable length

Three categories of cryptographic algorithms


▪ Hash algorithms
▪ Symmetric cryptographic algorithms
▪ Asymmetric cryptographic algorithms

26
Hash Algorithms
▪ Creates a unique “digital fingerprint” of a set of data and
is commonly called hashing
▪ This fingerprint, called a digest (sometimes called a
message digest or hash ), represents the contents
▪ Its contents cannot be used to reveal original data set
▪ Is primarily used for comparison purposes

Hashing is intended to be one way in that its digest cannot


be reversed to reveal the original set of data

27
Secure hashing algorithm characteristics:
▪ Fixed size
- Short and long data sets have the same size hash
▪ Unique
- Two different data sets cannot produce the same hash
▪ Original
- It should be impossible to produce a data set that has desired or pre-defined
set.
▪ Secure
- Resulting hash cannot be reversed to determine original plaintext

28
Example of hashing
▪ Bank customer has PIN of 93542
▪ Number is hashed and result stored on card’s magnetic
stripe
▪ User inserts card in ATM and enters PIN
▪ ATM hashes the pin using the same algorithm that was
used to store PIN on the card
▪ If two values match, user may access ATM

29
Why do we use Hash? Keep Original Data Confidential
▪ Passwords are commonly hashed
▪ Password files actually contain hash of your password (not
the password itself)
– When you log in, the computer hashes your password
and compares the hash value to the hash value of the
password that’s on file

30
Hash Algorithms

Message Digest 5 (MD5)


▪ Earliest family of hash algorithms
▪ 4 versions: MD2 (creates a 128-bit hash), MD4, MD5, MD6
▪ The best known is MD5
▪ Serious weaknesses have been identified in MD5 and it is no
longer considered suitable for use.

MD5 Encryption tool:


https://www.md5online.org/md5-encrypt.html

31
Hash Function
▪ One-way encryption – can’t decrypt
– Has no key
– Hashing creates a fixed length message digest

▪ Primary use is for message integrity


– By comparing hash values, you can see if message sent =
message received

32
Why do we use Hash? Keep Data Integrity
You can test this yourself: change one little letter and the entire
hash value changes
– Example of diffusion
▪ Spreads the change throughout the ciphertext
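The ATM PIN / password-file comparison (slides 28-29) and the one-letter diffusion test (slide 32) as an added Python example, not from the lecture. The per-user random salt and the slow PBKDF2-HMAC-SHA256 derivation are hardening choices of this example (the slides only describe hashing the PIN or password itself); the PIN 93542 is the slide's.

```python
import hashlib
import hmac
import os


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Fixed-size fingerprint (digest) of arbitrary-length data."""
    return hashlib.new(algorithm, data).hexdigest()


def bits_changed(a: bytes, b: bytes, algorithm: str = "sha256") -> int:
    """Number of digest bits that differ between two inputs. With good
    diffusion a one-letter change flips roughly half of the bits."""
    x = int(hashlib.new(algorithm, a).hexdigest(), 16)
    y = int(hashlib.new(algorithm, b).hexdigest(), 16)
    return bin(x ^ y).count("1")


def store_secret(secret: str, salt=None, iterations: int = 200_000) -> dict:
    """What the card / password file stores instead of the secret: a random
    per-user salt plus a salted, iterated hash. The salt defeats precomputed
    (rainbow) tables; the iteration count slows guessing of short secrets."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_secret(candidate: str, record: dict) -> bool:
    """The ATM / login step: hash what the user typed with the same salt and
    algorithm, then compare hashes (never the secret itself)."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])   # constant-time compare


if __name__ == "__main__":
    print(digest_hex(b"abc"))                         # 256-bit digest as 64 hex chars
    print(bits_changed(b"message", b"massage"))      # one letter changed
    card = store_secret("93542")                      # slide's PIN, constructed salt
    print(verify_secret("93542", card), verify_secret("93524", card))
```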

33
Common Hash Algorithms
▪ MD5 – Message Digest (MD) algorithms
• Produces a 128-bit hash value from an arbitrary-length message
• Replaces MD2 and MD4
▪ Secure Hash Algorithm (SHA) algorithm
• more secure than MD
• No weakness identified
• SHA-1 produces a 160-bit hash value
• SHA-2 describes five algorithms: SHA-1 plus SHA-224, SHA-256, SHA-
384, and SHA-512 which can produce hash values that are 224, 256, 384,
or 512 bits in length, respectively
▪ Hashes are vulnerable to collision attacks
• At this time, there is no obvious successor to MD5 and SHA-1 that could
be put into use quickly

34
COMPARISON OF ENCRYPTION AND HASHING

RACE : R&D in Advanced Communications Technologies. // an org. that is affiliated with EU European Union.
35
Encryption                                    | Hashing
----------------------------------------------|--------------------------------
A two-way function that takes in plaintext    | A one-way method of hiding
data and turns it into ciphertext             | sensitive data
Reversible                                    | Irreversible
Asymmetric and symmetric                      | Hashing
Use cases:                                    | Use cases:
▪ Data in transit and at rest                 | ▪ Compare large amounts of data
▪ Databases                                   | ▪ Mapping data
▪ Authentication methods                      | ▪ Digital signatures
                                              | ▪ Passwords
AES, DES, RSA                                 | SHA-1, SHA-2

36
Modern Cryptographic Algorithms

Cryptology
  - Cryptography
      - Classic: Substitution, Transposition
      - Modern: Symmetric, Asymmetric
  - Cryptanalysis
      - Classic
      - Modern

37
There are two classes of key-based encryption algorithms:
▪ Symmetric (one secret/private-key) algorithm
▪ Asymmetric (public-key) algorithm

The difference is that symmetric algorithms use the same key


for encryption and decryption (or the decryption key is easily
derived from the encryption key), whereas asymmetric
algorithms use a different key for encryption and decryption,
and the decryption key cannot be derived from the
encryption key.

38
Message Integrity

[Figure: message integrity flow with numbered steps 1-7, showing the cipher text and the MAC (labelled "Mac address" on the slide)]

Note: Message Authentication Code (MAC) algorithm

https://en.wikipedia.org/wiki/Message_authentication_code
39
Symmetric algorithms can be divided into:
▪ Stream ciphers: encrypt a single bit of plaintext at a time.
Bit message: 10101010101000011, each bit is encrypted in turn
(a slow process), and there is no definite length for the key,
as it depends on the message length.
▪ Block ciphers: take a number of bits (typically 64 bits in
modern ciphers) and encrypt them as a single unit.
10101010 10100001 10000111 01: one block is encrypted at a
time; when fewer than 8 bits remain we use padding, which could
be anything (0000000 or 111111), to make sure the block is 8 bits.

40
Modern symmetric encryption algorithms examples
▪ Block ciphers encrypt blocks of fixed length (e.g.64/128 bit).
Available in CrypTool are DES (ECB), DES (CBC), Triple DES (ECB),
Triple DES (CBC), Rijndael (AES), MARS, RC2, RC6, Serpent, Twofish, DESX,
DESL and DESXL.

[Figure: Electronic Codebook (ECB) and Cipher Block Chaining (CBC) modes]
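Block splitting with padding (the slide's bit string 10101010 10100001 10000111 01) and the two modes pictured above, as an added Python example, not from the lecture or CrypTool. A toy affine cipher on 8-bit blocks stands in for DES/AES so the modes can be run without a crypto library; the key (k1=7, k2=13) and IV 00001111 are constructed values.

```python
BLOCK_BITS = 8


def split_into_blocks(bits, block_bits=BLOCK_BITS, pad="0"):
    """Cut a bit string into fixed-size blocks; the last, short block is
    padded (the slide pads with all-0s or all-1s)."""
    blocks = [bits[i:i + block_bits] for i in range(0, len(bits), block_bits)]
    if blocks and len(blocks[-1]) < block_bits:
        blocks[-1] = blocks[-1].ljust(block_bits, pad)
    return blocks


class ToyBlockCipher:
    """Stand-in for DES/AES on 8-bit blocks: E(b) = (k1*b + k2) mod 256,
    k1 odd so it is invertible. Illustrative only, NOT a secure cipher."""

    def __init__(self, k1, k2):
        if k1 % 2 == 0:
            raise ValueError("k1 must be odd to be invertible mod 256")
        self.k1, self.k2 = k1 % 256, k2 % 256
        self.k1_inv = pow(self.k1, -1, 256)

    def encrypt_block(self, b):
        return (self.k1 * b + self.k2) % 256

    def decrypt_block(self, c):
        return ((c - self.k2) * self.k1_inv) % 256


def ecb_encrypt(cipher, blocks):
    """Electronic Codebook: every block is encrypted independently, so
    equal plaintext blocks give equal cipher text blocks."""
    return [cipher.encrypt_block(b) for b in blocks]


def ecb_decrypt(cipher, blocks):
    return [cipher.decrypt_block(c) for c in blocks]


def cbc_encrypt(cipher, blocks, iv):
    """Cipher Block Chaining: each block is XORed with the previous cipher
    text block (the IV for the first one) before it is encrypted."""
    out, prev = [], iv
    for b in blocks:
        prev = cipher.encrypt_block(b ^ prev)
        out.append(prev)
    return out


def cbc_decrypt(cipher, blocks, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(cipher.decrypt_block(c) ^ prev)
        prev = c
    return out


def bits_to_ints(blocks):
    return [int(b, 2) for b in blocks]


def ints_to_bits(values):
    return [format(v, "08b") for v in values]


def duplicate_blocks(ciphertext):
    """How many cipher text blocks repeat an earlier one: repeats under ECB
    reveal repeated plaintext blocks; CBC hides that pattern."""
    return len(ciphertext) - len(set(ciphertext))


if __name__ == "__main__":
    cipher = ToyBlockCipher(k1=7, k2=13)                # constructed toy key
    iv = 0b00001111                                     # constructed IV
    slide_bits = "10101010" "10100001" "10000111" "01"  # from the slide
    print(split_into_blocks(slide_bits))
    repeated = bits_to_ints(["10101010"] * 4 + ["10100001"])  # constructed
    ecb, cbc = ecb_encrypt(cipher, repeated), cbc_encrypt(cipher, repeated, iv)
    print("ECB", ints_to_bits(ecb), "repeats:", duplicate_blocks(ecb))
    print("CBC", ints_to_bits(cbc), "repeats:", duplicate_blocks(cbc))
```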

41
▪ Stream ciphers encrypt messages bit by bit and an example
of this class is RC4.
- Because of its ease of use and speed of operation, the RC4 stream
cipher is one of the most popular stream ciphers. It employs key sizes
of 64 bits or 128 bits. Typically, it is utilized in protocols like Secure
Socket Layer (SSL), Transport Layer Security (TLS), and IEEE 802.11
wireless LAN standard.
- In this category CrypTool provides RC4.

42
https://www.javatpoint.com/block-cipher-vs-stream-cipher
43
Symmetric Cryptographic Algorithms
Symmetric cryptographic algorithms :
use the same single key to encrypt and decrypt a document
▪ Original cryptographic algorithms were symmetric
▪ Also called private key cryptography (the key is kept private between
sender and receiver)

Common algorithms include:


▪ Data Encryption Standard (DES)
▪ Triple Data Encryptions Standard (Triple-DES)
▪ Advanced Encryption Standard (AES)

44
Symmetric Ciphers use the same key at both ends

    Alice: Plaintext --E--> Ciphertext --D--> Plaintext :Bob

Symmetric Encryption

45
Symmetric Cryptographic Algorithms
Data Encryption Standard (DES)
– Based on product originally designed in early 1970s
– Uses a 56 bit key and is a block cipher

Triple Data Encryption standard (3DES)


– Designed to replace DES
– Uses 3 rounds of encryption (56*3)
– Ciphertext of first round becomes input for second iteration
– Most secure versions use different keys used for each round

46
Advanced Encryption Standard (AES)-Block Cipher
▪ AES performs 3 steps on every block (128 bits) of plaintext.
▪ Within step 2, multiple rounds are performed depending
upon the key size:
- a 128 bit key performs 10 rounds,
- 192 bit key performs 12 rounds,
- and a 256 bit key, known as AES 256, uses 14 rounds.

• Within each round, bytes are substituted and rearranged,


and then special multiplication is performed based on the
new arrangement.
• To date, no attacks have been successful against AES.

47
Asymmetric Cryptographic Algorithms
▪ Asymmetric ciphers (public-key cryptography) permit the
encryption key to be public (it can even be published in a
newspaper), allowing anyone to encrypt with the key,
whereas only the proper recipient (who knows the
decryption key) can decrypt the message. The encryption
key is also called the public key and the decryption key the
private key or secret key.

48
Asymmetric Cryptographic Algorithms
Weakness of symmetric algorithms
- Distributing and maintaining a secure single key among
multiple users distributed geographically
▪ Asymmetric cryptographic algorithms;
- Also known as public key cryptography
- Uses two mathematically related keys
- Public key available to everyone and freely distributed
- Private key known only to individual to whom it belongs

49
Asymmetric Cryptographic Algorithms

50
Common asymmetric
cryptographic algorithms
- RSA (Three developers :Rivest , Shamir, Adleman)
- Most common asymmetric cryptography algorithm
- Uses two large prime numbers

- Elliptical Curve Cryptography (ECC)


- Elliptic Curve Cryptography (ECC) is faster than RSA. For example, compare
RSA with a 2046-bit key to ECC with a 256-bit key: suppose you go to a coffee
shop; with RSA it might take 5-10 mins to process the payment, but with ECC
256 it will be very fast.

51
How does this cryptography work?
1. Alice has a key pair: Alice's private key and Alice's public key. As
said before, the public key can be shared with the outside world, so
Alice will also have Bob's public key.
2. Bob has a key pair: Bob's private key and Bob's public key, and he also
has Alice's public key.
3. Now Alice wants to send him the message "Call me right now". Alice
passes the message and Bob's public key to the encrypt function; the
encryption function takes the message and Bob's public key and produces
the cipher text.
4. When Bob receives the cipher text, he passes it to the decryption
function together with Bob's private key to get the original text.
5. In this group of algorithms, sharing the public key is a problem: if
someone (Eve) is sitting in between Alice and Bob's communication channel,
Eve could intercept the exchange of Bob's public key and pretend she is
Bob. To solve this problem we can use both cryptography types, the
asymmetric and the symmetric algorithms, together.

52
Classification of Cryptosystems

53
Summary:
▪ Generally, symmetric algorithms are much faster to
execute on a computer than asymmetric ones.
▪ In practice they are often used together, so that a public-
key algorithm is used to encrypt a randomly generated
encryption key, and the random key is used to encrypt the
actual message using a symmetric algorithm. This is
sometimes called hybrid encryption.

54
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023

Lecture 5

1
Cryptographic Algorithms

2
Symmetric Key Cryptography has Several Weaknesses:
▪ Key distribution is a major problem.
Before beginning communication with a symmetric key protocol,
parties must have a safe way to exchange the secret key. It is
frequently necessary to employ an offline key distribution
method if a secure electronic channel is not available.

▪ Symmetric key cryptography does not implement


nonrepudiation.
With the shared secret key, any communicating party can encrypt
and decode communications, thus the origin of a given message
cannot be verified.

3
▪ The algorithm is not scalable.
Symmetric key encryption makes it incredibly challenging for big
groups to communicate. Only by sharing a private key among all
potential user combinations could the group's members have
secure, private communication.

▪ Keys must be regenerated often.


All keys that a participant is aware of must be destroyed if they
leave the group.

4
The Major Strength of Symmetric Key Cryptography
▪ The ability of symmetric key cryptography to work quickly
is one of its main advantages.
▪ Symmetric key encryption is faster than asymmetric techniques by a
factor of 1,000 to 10,000.
▪ Symmetric key cryptography easily lends itself to
hardware implementations due to the complex
mathematics involved, providing the opportunity for even
faster processes.

5
The Major Weakness of Asymmetric Key/Public Key
Cryptography

▪ The major weakness is its slow speed of operation. For


this reason, many applications that require the secure
transmission of large amounts of data use public key
cryptography to establish a connection and then
exchange a symmetric secret key. The remainder of the
session then uses symmetric cryptography.

6
Major Strengths of Asymmetric Key Cryptography:
▪ The addition of new users requires the generation of only one
public-private key pair. This same key pair is used to communicate
with all users of the asymmetric cryptosystem. This makes the
algorithm extremely scalable.
▪ Users can be removed far more easily from asymmetric systems.
Asymmetric cryptosystems provide a key revocation (invalidation)
mechanism that allows a key to be canceled, effectively removing a
user from the system.
▪ Key regeneration is required only when a user's private key is
compromised. If a user leaves the community, the system
administrator simply needs to invalidate that user's keys. No other
keys are compromised and therefore key regeneration is not
required for any other user.

7
▪ Asymmetric key encryption can provide integrity, authentication,
and nonrepudiation. If a user does not share his/her private key
with other individuals, a message signed by that user can be shown
to be accurate and from a specific source and cannot be later
repudiated.
▪ Key distribution is a simple process.
Users who want to participate in the system simply make their
public key available to anyone with whom they want to
communicate. There is no method by which the private key can be
derived from the public key.
▪ No pre-existing communication link needs to exist. Two individuals
can begin communicating securely from the start of their
communication session. Asymmetric cryptography does not require
a pre-existing relationship to provide a secure mechanism for data
exchange.

8
Symmetric and Asymmetric Cryptography Comparison
The following table compares the symmetric and asymmetric
cryptography systems.
Symmetric                      | Asymmetric
-------------------------------|------------------------------------------
• Single shared key            | • Key pair sets
• Not scalable                 | • Scalable
• Fast                         | • Slow
• Bulk encryption              | • Small blocks of data, digital signatures
                               |   and certificates
• Confidentiality, integrity   | • Confidentiality, integrity,
                               |   authentication and nonrepudiation

9
Key Management
Key Management forms the basis of all data security. Data is
encrypted and decrypted via encryption keys, which means the
loss or compromise of any encryption key would invalidate the
data security measures put into place. Keys also ensure the safe
transmission of data across an Internet connection.

▪ One of the major roles of public key encryption has been to


address the problem of key distribution

We need to think about:


▪ How do we distribute the public keys?
▪ The use of public key encryption to distribute secret keys

10
Public Key Distribution Techniques

Distributing the sender's and receiver's public and private keys


in cryptography is a time-consuming process. If a third party
(forger or eavesdropper) has access to the key, the entire
security mechanism is considered ineffective. It is therefore
required to safeguard the key exchange.

1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates.

11
1- Public Announcement of Public Keys:

▪ The public key is public;
▪ Example: RSA, where any participant can send his or her public key
to any other participant or broadcast the key;
▪ Its major weakness is forgery: anyone can create a key
claiming to be someone else and broadcast it

Uncontrolled Public Key Distribution

12
2. Public available directory
▪ Maintaining a publicly available dynamic directory of public
keys.
▪ Maintenance and distribution of the public directory would
have to be the responsibility of some trusted entity or
organization.

Public Key Publication

13
3. Public-key authority
▪ Each participant reliably knows a public key for the authority,
with only the authority knowing the corresponding private key.
▪ Stronger security for public-key distribution can be achieved by
providing tighter control over the distribution of public keys
from the directory.

14
1. A sends a time-stamped message to the public-key authority containing a
request for the current public key of B.
2. The authority responds with a message that is encrypted using the
authority's private key, PRauth. Thus, A is able to decrypt the message using
the authority's public key. Therefore, A is assured that the message
originated with the authority.
3. A stores B's public key and also uses it to encrypt a message to B containing
an identifier of A (IDA) and a nonce (N1), which is used to identify this
transaction uniquely.
4. B retrieves A's public key from the authority in the same manner as A
retrieved B's public key.
5. At this point, public keys have been securely delivered to A and B, and they
may begin their protected exchange. However, two additional steps are
desirable:
▪ B sends a message to A encrypted with PUa and containing A's nonce (N1) as
well as a new nonce generated by B (N2). Because only B could have decrypted
message (3), the presence of N1 in message (6) assures A that the
correspondent is B.
▪ A returns N2, encrypted using B's public key, to assure B that its
correspondent is A.

15
3. Public-key authority - cont'd
The message (step 2) includes the following:
- B's public key, PUb, which A can use to encrypt messages
destined for B
- The original request, so A can match this response with the
corresponding earlier request and verify that the original request
was not altered before reception by the authority
- The original time stamp, so A can determine that this is not
an old message from the authority containing a key other
than B's current public key

16
4. Public-Key Certificates
▪ A public key certificate is a digitally signed document that serves to
validate the sender's authorization and name.

▪ The document consists of a specially formatted block of data that


contains:
- The name of the certificate holder
- The holder's public key,
- The digital signature of a certification authority (CA) for authentication.

▪ The certification authority confirms that the sender's name is the one
associated with the public key in the document. A user ID packet,
containing the sender's unique identifier, is sent after the certificate
packet.

17
Asymmetric Encryption - RSA
▪ RSA makes use of an expression with exponentials. Plain text
is encrypted in blocks, with each block having a binary value
less than some number n
▪ That is, the block size must be less than or equal to
in practice, the block size is i bits, where
for example a block of size =n then the size must be <=
▪ Encryption and decryption are of the following form, for
some plain text block M and cipher text block C:
C = M^e mod n
M = C^d mod n = (M^e)^d mod n = M^(e*d) mod n
C : cipher text
M: Message
e: a prime no.
n: no. of bits
d: prime no.

18
Asymmetric Encryption - RSA
▪ Choose two large prime numbers p & q
▪ Compute n = p*q and z = (p-1)(q-1), the same as φ(n)
▪ Choose a prime number e, less than n, which has no common factor
(other than 1) with z
▪ Find a number d such that (e*d – 1) is exactly divisible by z. Keys are
generated using n, d, e
▪ Public key is (n, e)
▪ Private key is (n, d)
▪ Encryption: c = m^e mod n
▪ m is plain text
▪ c is cipher text
▪ Decryption: m = c^d mod n
▪ Public key is shared and the private key is hidden
RSA
Algorithm

20
Facts About Numbers

Prime number p:
◦ p is an integer
◦ p ≥ 2
◦ The only divisors of p are 1 and p
Examples
◦ 2, 7, 19 are primes
◦ -3, 0, 1, 6 are not primes
Prime decomposition of a positive integer n:
n = p1^e1 × … × pk^ek
Example:
◦ 200 = 2^3 × 5^2
Fundamental Theorem of Arithmetic
The prime decomposition of a positive integer is unique
10/1/2023 CRYPTOGRAPHY 21
Asymmetric Encryption - RSA
p=5 & q=7
n=5*7=35 and z=(4)*(6) = 24, the same as φ(n)
Choose e = 5
d = 29, since (29x5 – 1) is exactly divisible by 24
Keys generated are
◦ Public key: (35, 5)
◦ Private key: (35, 29)
Encrypt the word love using (c = m^e mod n)
◦ Assume that the letters of the alphabet are numbered 1 to 26

Plain Text | Numeric Representation | m^e             | Cipher Text (c = m^e mod n)
l          | 12                     | 12^5 = 248832   | 17
o          | 15                     | 759375          | 15
v          | 22                     | 5153632         | 22
e          | 5                      | 3125            | 10
Asymmetric Encryption - RSA

Decrypt the word love using (m = c^d mod n)
▪ n = 35, d = 29
▪ E.g.: M = (17^29) mod 35 = 12

Cipher Text | c^d                                       | (m = c^d mod n) | Plain Text
17          | 481968572106750915091411825223072000      | 17              | l
15          | 12783403948858939111232757568359400       | 15              | o
22          | 852643319086537701956194499721110000000   | 22              | v
10          | 100000000000000000000000000000            | 10              | e
Asymmetric Encryption - Weaknesses
▪ Efficiency is lower than Symmetric Algorithms
- A 1024-bit asymmetric key is equivalent to 128-bit
symmetric key
▪ Potential for eavesdropping attack during transmission of
key
▪ It is problematic to get the key pair generated for the
encryption
Asymmetric Encryption – Encryption Protocols
Pretty Good Privacy (PGP)
▪ Used to encrypt e-mail using session key encryption
▪ Combines RSA, Triple DES, and other algorithms

Secure Socket Layer (SSL) and Transport Layer Security (TLS)


▪ Used for securing TCP/IP Traffic
▪ Mainly designed for web use to provide security between
web browsers and web servers
Asymmetric Encryption – Key Agreement
Key agreement is a method to create secret key by exchanging only public keys.
Example
- Bob sends Alice his public key
- Alice sends Bob her public key
- Bob uses Alice’s public key and his private key to generate a session key
- Alice uses Bob’s public key and her private key to generate a session key
- Using a key agreement algorithm both will generate same key
- Bob and Alice do not need to transfer any key
[Figure: Alice combines her private key with Bob's public key, and Bob combines his private key with Alice's public key; Alice and Bob generate the same session key, which is then used with a cipher (DES).]
Asymmetric Encryption – Key Agreement contd.
Diffie-Hellman is the first key agreement algorithm
▪ Invented by Whitfield Diffie & Martin Hellman
▪ Provided ability for messages to be exchanged securely
without having to have shared some secret information
previously
▪ starting of public key cryptography which allowed keys to be
exchanged in the open
▪ No exchange of secret keys
▪ Man-in-the middle attack avoided
Diffie-Hellman Mathematical Analysis

28
1. Alice and Bob each have the global elements, which are publicly available to
anyone on the communication channel. So we have one element, a prime
number p, and another element called g (generator), which is a primitive root of
the prime number p

2. Any user will have 2 keys. Alice and Bob generate the private key first:

3. Both numbers are chosen by themselves and should be secret; the only
condition is that each is less than the prime number p. Then the public key is
calculated using the following formulas:

4. After calculating the public key for each of them, they both share the public key

Primitive root modulo n


https://en.wikipedia.org/wiki/Primitive_root_modulo_n#:~:text=Examples,-For%20example%2C%20if&text=The%20order%20of%201%20is,the%20primitive%20roots%20modulo%2014.
29
Alice                                      Bob
Select private key X_A < p                 Select private key X_B < p

Calculate public key                       Calculate public key
Y_A = g^X_A mod p                          Y_B = g^X_B mod p

Shared secret key                          Shared secret key
K = Y_B^X_A mod p                          K = Y_A^X_B mod p

30
Example: Choose prime p=61 and generator g, a primitive root of 61: g=6

Alice                                        Bob
Chooses private key X_A = 50                 Chooses private key X_B = 39
Calculate public key Y_A = g^X_A mod p       Calculate public key Y_B = g^X_B mod p
  = 6^50 mod 61 = 14                           = 6^39 mod 61 = 53

Calculate shared secret key                  Calculate shared secret key
K = Y_B^X_A mod p = 53^50 mod 61 = 60        K = Y_A^X_B mod p = 14^39 mod 61 = 60

31
Strength of D-H: the discrete logarithm problem
▪ If we take the calculation of the public key we have:
Y = g^X mod p
Given a prime number p, generator g, and X, it is easy
to calculate Y:
Y = 6^50 mod 61 = 14

▪ The reverse process is very difficult, especially for large
prime numbers:
14 = 6^? mod 61
Computationally infeasible: it is very hard to find the
exponent; checking all the possibilities would take thousands
of years
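The exchange of slides 30-31 and the "reverse process" of slide 32 as an added Python example (not code from the lecture): p=61, g=6, X_A=50 and X_B=39 are the slide's values, and the brute-force search is only feasible because p is tiny.

```python
def is_primitive_root(g, p):
    """True if g generates every value 1..p-1 modulo the prime p, i.e. g is
    a 'generator' as the slides require."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1


def public_key(g, x, p):
    """Y = g^X mod p: cheap to compute once the private exponent X is known."""
    return pow(g, x, p)


def shared_secret(y_other, x_own, p):
    """K = Y_other^X_own mod p; both sides end up with g^(X_A*X_B) mod p."""
    return pow(y_other, x_own, p)


def diffie_hellman(p, g, x_a, x_b):
    """Run the whole exchange; returns (Y_A, Y_B, K at Alice, K at Bob)."""
    y_a, y_b = public_key(g, x_a, p), public_key(g, x_b, p)
    return y_a, y_b, shared_secret(y_b, x_a, p), shared_secret(y_a, x_b, p)


def discrete_log_bruteforce(g, y, p):
    """Recover X from Y = g^X mod p by trying every exponent. Only workable
    for a toy p; for real-size primes this search is the hard problem that
    protects Diffie-Hellman. Returns None if no exponent fits."""
    for x in range(p - 1):
        if pow(g, x, p) == y:
            return x
    return None


if __name__ == "__main__":
    p, g = 61, 6                              # slide's prime and generator
    print("6 is a primitive root mod 61:", is_primitive_root(g, p))
    print("Y_A, Y_B, K_A, K_B =", diffie_hellman(p, g, 50, 39))
    print("exponent behind Y_A = 14:", discrete_log_bruteforce(g, 14, p))
```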

32
D-H Key exchanger in real life
▪ Implemented in security protocols such as :
- Transport layer security,
- IP security (IPsec) ,
- secure shell,
- PGP
▪ Secure our connection to a website , to remotely access
another computer and for sending encrypted emails.
▪ Generally implemented along with some means
authentication such as RSA

33
Digital Signature
It is exactly what it sounds like: a modern alternative to signing
documents with paper and pen. It uses an advanced
mathematical technique to check the authenticity and integrity
of digital messages and documents.

Digital signature uses the following two techniques:


▪ Hashing (to check the integrity)
▪ Asymmetric cryptography (to check the authenticity)

34
Digital Signature
▪ The objective of digital signature is to determine authenticity
of a document and data
▪ Uses public key cryptography mechanism
▪ Helpful to authenticate long distance official communication
channels,

[Figure: signing - the message is hashed (h) and the hash is encrypted with the sender's private key and sent with the message; verification - the receiver decrypts it with the sender's public key and compares the result with a fresh hash (H#) of the received message.]

35
▪ Asymmetric key algorithms also provide support for digital
signature technology. Basically, if Bob wants to assure
other users that a message with his name on it was
actually sent by him, he first creates a message digest by
using a hashing algorithm. Bob then encrypts that digest
using his private key. Any user who wants to verify the
signature simply decrypts the message digest using Bob's
public key and then verifies that the decrypted message
digest is accurate.

36
37
Steps of the algorithm:
1. Bob creates a memo and then creates a digest for it.
2. Bob uses his private key to encrypt the digest. This encrypted digest
is the digital signature for the memo.
3. Bob SENDS the digital signature and the memo to Alice.
4. After receiving them, Alice uses Bob's public key to decrypt the digital
signature, exposing the digest. (Because only Bob's public key is capable
of decrypting a digest created with his private key, if she is unable to
decrypt the digital signature, she may be certain that it did not originate
from him.)
5. Using the same hash algorithm as Bob, Alice hashes the memo and
compares the output to the digest she obtained from Bob. So long as they
are equal, Alice can be sure the message has not been altered since he
signed it. If the digests differ, Alice will know that the message has been
altered since it was signed.
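Textbook RSA with the slide's parameters (p=5, q=7, e=5, d=29, encrypting "love" to 17 15 22 10) together with the five signing steps above, as one added Python example; this is not code from the lecture. With such a tiny n the SHA-256 digest of the memo is reduced mod n so it fits in one RSA block, a toy simplification: real RSA uses large n and a padding scheme.

```python
import hashlib
from math import gcd


def rsa_keygen(p, q, e, d=None):
    """n = p*q, z = (p-1)(q-1), e coprime to z, d with (e*d - 1) divisible
    by z. If d is not given the smallest such d is computed; the slide's
    d = 29 is accepted too, since 29 = 5 + 24 also satisfies the condition."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must share no factor with (p-1)(q-1)")
    if d is None:
        d = pow(e, -1, z)
    elif (e * d - 1) % z:
        raise ValueError("e*d - 1 must be exactly divisible by z")
    return (n, e), (n, d)            # public key, private key


def rsa_encrypt(m, public_key):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("block value must be smaller than n")
    return pow(m, e, n)              # c = m^e mod n


def rsa_decrypt(c, private_key):
    n, d = private_key
    return pow(c, d, n)              # m = c^d mod n


def encrypt_word(word, public_key):
    """Letters a..z numbered 1..26, one letter per block (slide's convention)."""
    return [rsa_encrypt(ord(ch) - ord("a") + 1, public_key) for ch in word.lower()]


def decrypt_word(blocks, private_key):
    return "".join(chr(rsa_decrypt(c, private_key) + ord("a") - 1) for c in blocks)


def memo_digest(memo: bytes, n):
    """Step 1: hash the memo (reduced mod n only because n is toy-sized)."""
    return int.from_bytes(hashlib.sha256(memo).digest(), "big") % n


def sign(memo: bytes, private_key):
    """Step 2: Bob 'encrypts' the digest with his private key."""
    n, _ = private_key
    return rsa_decrypt(memo_digest(memo, n), private_key)


def verify(memo: bytes, signature, public_key):
    """Steps 4-5: Alice recovers the digest with Bob's public key and
    compares it with her own hash of the memo."""
    n, _ = public_key
    return rsa_encrypt(signature, public_key) == memo_digest(memo, n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 7, 5, d=29)          # slide's (35,5), (35,29)
    print(pub, priv)
    print(encrypt_word("love", pub))               # [17, 15, 22, 10]
    print(decrypt_word([17, 15, 22, 10], priv))    # love
    memo = b"Meet at noon"                          # constructed memo
    sig = sign(memo, priv)
    print(verify(memo, sig, pub), verify(memo, (sig + 1) % 35, pub))
```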

38
Digital Signature
▪ The Digital Signature Algorithm (DSA) usually implements
asymmetric encryption in order to simulate the security
properties of a signature in digital form instead of the
written format
▪ There are two keys involved in this process, a private key
for signing the messages and a public key for verifying the
signatures
▪ The digital signatures are mostly used in the electronic
signature implementation

39
What is Digital Signature Algorithm (DSA)?
▪ It functions on the framework of modular exponentiation and
the discrete logarithm problem, which are difficult to
compute by brute force
▪ It provides the message authentication
▪ It provides data integrity verification and nonrepudiation

40
Applications for cryptography
Cryptography can be applied through:
1. Software:
• File and File System Cryptography
-Files can be encrypted or decrypted one at a time using
encryption software.
• Windows systems use the Pretty Good Privacy (PGP)
- Asymmetric cryptography scheme, which is widely used
for files and emails.
- GNU Privacy Guard (GNuPG) is an open-source program
that works with Linux, UNIX, and Windows.

41
▪ Operating System Encryption
• Microsoft Windows Encrypting File System (EFS)
- Cryptography system for Windows
- Uses NTFS file system
- Tightly integrated with the file system
- Encryption and decryption are transparent to the user

▪ Full Disk Encryption (FDE)


- Protects all data on a hard drive
- Example: BitLocker drive encryption software that is included
in Microsoft Windows
- BitLocker encrypts the entire system volume, including the
Windows Registry
- Prevents attackers from accessing data by booting from
another OS or placing the hard drive in another computer

42
2. Hardware
▪ Software encryption may be attacked in order to take
advantage of its flaws.
▪ Hardware could include cryptography
- Provides higher degree of security
- Can be applied to USB devices and standard hard drives

▪ Hardware encryption options include:


- Trusted platform module (TPM)
- Hardware security model (HSM)

43
Trusted Platform Module (TPM)
- A chip on a computer’s motherboard that provides cryptographic services
- Includes a true random number generator
- Entirely done in hardware so it cannot be subject to software attack
- Prevents computer from booting if files or data have been altered
- Prompts for password if hard drive moved to a new computer

Cryptographic processor: TPM

44
Hardware Security Module (H S M)
• A secure cryptographic processor
• Includes an onboard key generator and key storage facility
• Performs accelerated symmetric and asymmetric encryption
• Can provide services to multiple devices over a LAN
• These modules traditionally come in the form of a plug in card or an external
device that attaches directly to a computer or network server.

HSM device

45
▪ USB device encryption:
Encrypted hardware-based flash drives can be used
- Will not connect to a computer until the correct password has been provided
- Automatic encryption is applied to all data copied to the drive.
- Tamper resistant external cases
- Administrators can remotely control and track activity on the devices
- Stolen drives can be remotely disabled

▪ Self Encrypting Drives (SEDs)


- Self encrypting hard disk drives protect all files stored on them
- The drive and host device perform authentication process during initial power up
- If authentication fails, the drive can be configured to deny access or even delete
encryption keys so all data is permanently unreadable

46
Cryptographic attacks
▪ Brute force
▪ Frequency analysis
▪ Known plain text
▪ Chosen plain text
▪ Related key attack
▪ Birthday attack
▪ Rainbow tables, hashing and salting
▪ Exploiting weak keys
▪ Exploiting human error

47
Summary
The activity of converting data into a safe format while it is being
sent or stored is known as cryptography.
▪ A cryptographic algorithm's strength is determined by a
number of elements:
- the key's secrecy.
- The challenge of trying every key or attempting to guess the key (a key
search). Longer keys are typically more challenging to guess or locate.
- The challenge of reversing the encryption algorithm without the
encryption key (breaking the encryption algorithm).
- the presence (or absence) of back doors, or other techniques that
make it simpler to decode a file without the key.

48
▪ Confidentiality, integrity, authentication, non-repudiation, and
obfuscation (hidden) can all be provided via cryptography.
▪ Hashing creates a unique digital fingerprint that represents
contents of original material
- Used only for comparison
▪ Symmetric cryptography employs a single key to encrypt and
decrypt a message, while hashing provides a distinct digital
fingerprint that represents the contents of the original
material.
- Block ciphers and stream ciphers

49
▪ Asymmetric cryptography
- Public key cryptography
- Uses two keys: public key and private key

▪ Cryptography can be applied through hardware or


software:
- Hardware encryption cannot be exploited like software cryptography

50
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023

Lecture 6

1
Administering a Secure Network

2
Administering a Secure Network
Basic concepts of computer networks and protocols

▪ NETWORK FUNDAMENTALS,
▪ OSI MODEL,
▪ SECURE COMMUNICATION

3
Computer Architecture
▪ Central processing unit, where all mathematical and logical operations
are implemented.
▪ Input/output ports; are used for passing instructions/data to or from the
computer
▪ Memory and data storage

4
Network Communication

▪ Protocols:
• Rules for communication
• Essential for proper communication between network
devices
▪ Open Systems Interconnection (OSI) Reference Model (an
abstract framework / theoretical model)
Transmission Control Protocol/Internet
Protocol (TCP/IP)
▪ Most common protocol suite used for local area networks
and the Internet
▪ Comprises several protocols that all function together

Open Systems Interconnection (OSI)
Reference Model
▪ OSI divides the communication functions used by two hosts into seven
separate layers
▪ TCP/IP has its own stack of protocols that correspond to the OSI layers

▪ TCP/IP subprotocols are services that support a number of network
functions:
- HTTP (Hypertext Transfer Protocol)
- DNS (Domain Name System)
- DHCP (Dynamic Host Configuration Protocol)
- FTP (File Transfer Protocol)
- SNMP (Simple Network Management Protocol)
- Telnet
- IMAP, SMTP, POP

Homework: Find the port number for each of the mentioned protocols
https://www.meridianoutpost.com/resources/articles/well-known-tcpip-ports.php
OSI and Internet Network Models
(Figure: the 7-layer OSI model compared with a 5-layer model and the
4-layer TCP/IP model, whose layers are Process, Host-to-Host,
Internetworking and Network Access.)

Representation of OSI model peer layer logical channels (figure)

OSI Model Data Names (figure)
Physical layer
(Figure: the seven-layer stack between User and Media, with the layer under
discussion highlighted; the same figure accompanies each layer below.)
• Transmission of data bits
• Does not interpret meaning of bits
• Describes electrical interface
• Describes mechanical interface
• Describes media characteristics
Representing Data
There are a number of ways of representing binary data:

- Voltage: 0 = low voltage, 1 = high voltage
- Light: 0 = no light, 1 = light
- Frequency: 0 = low frequency, 1 = high frequency
- Transition: 0 = negative drop, 1 = positive rise

Multiple levels can be used to represent multiple bits:
- 9V = 11
- 6V = 10
- 3V = 01
- 0V = 00

Why Does A Network Need Clock Information?
When transmitting information in serial form, the
receiver needs to know when to look at the incoming
data stream to determine the value of the next data
bit.
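The four-level encoding above, carried through as an added example (not part of the lecture): a sender maps two bits to one of the four voltages listed, and a receiver decides each sample by the nearest nominal level. The voltages are the ones on the slide; the noisy sample values are constructed.

```python
# Four-level line code from the table above: each symbol carries two bits.
# The levels (0V, 3V, 6V, 9V) are the ones the lecture lists.
LEVELS = {0b00: 0.0, 0b01: 3.0, 0b10: 6.0, 0b11: 9.0}
SYMBOLS = {volts: bits for bits, volts in LEVELS.items()}


def encode(bits: str) -> list:
    """Map a bit string to a sequence of voltage samples, two bits per symbol."""
    if len(bits) % 2 or set(bits) - {"0", "1"}:
        raise ValueError("need an even-length string of 0s and 1s")
    return [LEVELS[int(bits[i:i + 2], 2)] for i in range(0, len(bits), 2)]


def decode(samples) -> str:
    """Recover bits by choosing the nearest nominal level for each sample.

    Decision thresholds sit midway between levels (1.5V, 4.5V, 7.5V), so
    noise smaller than 1.5V in either direction is tolerated. The receiver
    must take exactly one sample per symbol: that is what the clock
    information discussed above is for.
    """
    out = []
    for v in samples:
        nearest = min(SYMBOLS, key=lambda level: abs(level - v))
        out.append(format(SYMBOLS[nearest], "02b"))
    return "".join(out)


if __name__ == "__main__":
    print(encode("11100100"))            # [9.0, 6.0, 3.0, 0.0]
    print(decode([0.4, 3.9, 5.2, 8.6]))  # 00011011: noisy samples still decode
```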
Data link layer
• Defines frame structures
• Network dependent addressing
• Error checking and control
Network layer
• Internetworking and routing
• Global addressing
Transport layer
• End to end control
• Only implemented in end stations
• Network independent reliability
Session Layer
• Synchronisation of data exchange
• Operates between applications
• Establishes and terminates transfer

Modes of data exchange:
- Simplex: one-way communication
- Half duplex: two-way communication, but only one direction can send data at a time
- Full duplex: two-way communication, in which data can be sent in both directions simultaneously
Presentation Layer
• Determines data representation
• Provides data syntax conversion
• Data compression
• Encryption
Application Layer
• User interface
• User application

OSI layers and TCP/IP stack (figure)
The TCP Life Cycle
Establishing connection-oriented communication using a three-
way handshake:
▪ Host A sends an initial sequence number in its first packet to
Host B
• Called a SYN packet
▪ Host B receives the SYN packet and responds with a SYN-ACK packet carrying an
initial sequence number for Host B
• Includes an acknowledgement number that is one more than Host A's initial
sequence number
▪ Host A sends an ACK packet to Host B
• Its acknowledgement number is Host B's initial sequence number plus one

TCP three-way handshake (figure)
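The three segments described above, built and checked as an added example (not part of the lecture). Host names "A" and "B" and the Segment type are assumptions made for the demonstration; the sequence-number arithmetic is the standard one, including the 32-bit wrap-around:

```python
import random
from dataclasses import dataclass
from typing import Optional

MODULUS = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: Optional[int] = None


def initial_sequence_number() -> int:
    """Unpredictable ISN: a guessable one would let a third party forge the final ACK."""
    return random.SystemRandom().getrandbits(32)


def three_way_handshake(isn_a: Optional[int] = None, isn_b: Optional[int] = None):
    """Return the three segments of the handshake described above.

    isn_a and isn_b may be fixed for demonstration; normally both are random.
    """
    isn_a = initial_sequence_number() if isn_a is None else isn_a
    isn_b = initial_sequence_number() if isn_b is None else isn_b
    syn = Segment("A", "B", frozenset({"SYN"}), seq=isn_a)
    syn_ack = Segment("B", "A", frozenset({"SYN", "ACK"}), seq=isn_b,
                      ack=(syn.seq + 1) % MODULUS)          # acknowledges A's ISN + 1
    ack = Segment("A", "B", frozenset({"ACK"}), seq=syn_ack.ack,
                  ack=(syn_ack.seq + 1) % MODULUS)          # acknowledges B's ISN + 1
    return [syn, syn_ack, ack]


def handshake_is_valid(segments) -> bool:
    """Check flags and that each acknowledgement is the peer's sequence number plus one."""
    if len(segments) != 3:
        return False
    syn, syn_ack, ack = segments
    return (syn.flags == {"SYN"}
            and syn_ack.flags == {"SYN", "ACK"}
            and ack.flags == {"ACK"}
            and syn_ack.ack == (syn.seq + 1) % MODULUS
            and ack.seq == syn_ack.ack
            and ack.ack == (syn_ack.seq + 1) % MODULUS)


if __name__ == "__main__":
    for segment in three_way_handshake(1000, 5000):
        print(segment)
```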
Why Use Networks?
Stand alone computer
▪ Not connected to other computers
▪ Uses local software and data

Network
▪ Group of computers and devices
▪ Connected by transmission media

Advantages of networks
▪ Device sharing by multiple users
▪ Saves money and time
▪ Central network management

How are networks used?
Functions provided by a network
▪ E mail
▪ Printer sharing
▪ File sharing
▪ Internet access and Web site delivery
▪ Remote access capabilities
▪ Voice (telephone) and video services
▪ Network management

Network Model Types
(Figure: client/server versus peer-to-peer.)

Peer to peer
Direct computer communication
• Equal authority
Individual resource sharing
• May share resources
• May prevent access to resources
Traditional model
• Two or more general purpose computers:
- Capable of sending and receiving information to and from every other computer

▪ Advantages
- Simple configuration
- Less expensive compared to other network models
▪ Disadvantages
- Not flexible
- Not necessarily secure
- Not practical for large installations
Client/Server Networks

Server
• Central computer
• Facilitates communication and resource sharing

Clients
• Personal computers
• Also known as workstations

Central resource sharing controlled by the server
• Sharing data, storage space, devices
• No direct sharing of client resources
Server Requirements
Network operating system
• Manages resources and client data
• Access by authorized users is ensured
• Limits user access to files
• Restricts user access to the network
• Sets guidelines for computer communication
• Applications are provided to clients

Server examples
• UNIX, Linux, Microsoft Server 2016 R2, Mac OS X Server

Server features relative to clients
• A server needs more memory, processing and storage capacity
• Equipped with special hardware (provides network management functions)

Disadvantages relative to peer-to-peer networks
• Complicated design and maintenance
Elements Common to Client/Server Networks

Segment
• Group of nodes
• Uses the same communications channel for traffic

Backbone
• Connects segments and significant shared devices
• "A network of networks"

Topology
• Computer network physical layout
• Ring, bus, star or hybrid formation
Network Topologies (figure)

Advantages/Disadvantages of Network Topologies (figure)

Virtual Network Connections

Virtualization
Virtual machine and virtual network

What is Virtualization?
Virtualization is the process of creating a software-based, or
virtual, representation of something, such as virtual
applications, servers, storage and networks. It is the single
most effective way to reduce IT expenses while boosting
efficiency and agility for businesses of all sizes.
▪ VirtualBox is a free and open source hosted hypervisor for
x86 virtualization, developed by Oracle Corporation. It
supports the creation and management of guest virtual
machines.
▪ A virtual machine monitor, or hypervisor, is software that
builds and manages virtual machines (VMs). Through
virtual resource sharing, a hypervisor enables a single host
computer to handle a number of guest virtual machines
(VMs).

(Figure: Type 1 and Type 2 hypervisors.)
Virtualization
▪ A VM appears to the user no different from a physical computer:
- Running the same software
▪ Host
- Physical computer
▪ Guest
- Virtual machines
▪ Hypervisor
- Manages virtual machines
Oracle VirtualBox
▪ A free and open-source hosted hypervisor for x86
virtualization, developed by Oracle Corporation. It supports
the creation and management of guest virtual machines
▪ Originally created by Innotek GmbH from Germany
▪ Sun Microsystems acquired Innotek in 2008
▪ Oracle Corporation acquired Sun in January 2010 and re-
branded the product as "Oracle VM VirtualBox"
Advantages of virtualization
▪ Efficient use of resources
▪ Cost and energy savings
▪ Fault and threat isolation
▪ Simple backups, recovery, and replication

Disadvantages of virtualization
▪ Compromised performance
▪ Increased complexity
▪ Increased licensing costs
▪ Single point of failure

Why Use a Hypervisor?
▪ There is no distinction between the real and virtualized
environments from the perspective of a VM.
▪ Guest machines are unaware that they were generated in a
virtual environment by the hypervisor or that they share
available processing power.
▪ The hypervisor allows VMs to function as typical computing
instances; this makes the hypervisor useful for companies
planning to:
- Utilize their computer resources as efficiently as possible. The CPU and memory
of a single server running many virtual environments are fully used.
- Improve the mobility of IT. The VMs may be simply moved to different systems
and are independent of the host hardware.
Virtual appliance includes:
▪ Image of operating system, software, hardware
specifications, and application configuration
▪ Most commonly virtual servers

Popular functions
▪ Firewall
▪ E-mail solutions
▪ Network management
▪ Remote access

Network Connection Modes
Each of the networking adapters can be separately configured to operate in
one of the following modes:
▪ Bridged
- VNIC accesses the physical network using the host machine's NIC
- Obtains its own IP address, default gateway, and netmask from the DHCP
server on the physical LAN
▪ NAT
- VNIC relies on the host to act as a NAT device (it takes the IP address from
the host)
- Obtains IP addressing information from the host
- Virtualization software acts as a DHCP server
- Default network connection type in VMware, VirtualBox, and KVM
▪ Host-only
- VMs on one host can exchange data with each other and the host
- Cannot communicate with nodes beyond the host
- Never receive or transmit data with the host's physical NIC
Note: in our labs, we need to use either NAT or Host-only.
Network Connection Modes
• Bridge mode:
• The virtual NIC accesses the physical network using the host machine's NIC
• It obtains its own IP address
• It also obtains the default gateway and netmask from the DHCP server on the physical LAN
(Figure: host with physical NIC 192.168.1.131; VM1 (VNIC1, 192.168.1.132) and
VM2 (VNIC2, 192.168.1.133) attached through a virtual switch to the physical
network, where the DHCP server is located.)
▪ You may open the Network and Sharing Centre in Control Panel, click Change
Adapter Settings in the left panel, and then proceed to create a Network
Bridge.
▪ You must choose at least two LAN or High-Speed Internet connections that
aren't being used by Internet Connection Sharing in order to construct a
Network Bridge. Select the network connections (two or more) that you wish
to add to the bridge.

▪ Bridging an Internet connection to a network connection is never a good
idea, since it establishes an unsecured connection between your network and
the Internet. This might open up access to your network to anyone on the
Internet, which is bad from a security perspective.
Network Connection Modes
Network Address Translation (NAT) mode
• Used when the VMs share the Internet connection of the host's physical interface
• The VM obtains IP addressing information from the host
• The virtualization software acts as a DHCP server in this case
(Figure: VM1 (VNIC1, 10.1.1.129) and VM2 (VNIC2, 10.1.1.128) on a private
network behind a virtual switch that provides DHCP services; the host's
physical NIC (192.168.1.131) connects to the external physical network.)
Host only
▪ In this mode, VMs on the host can talk to each other and
with their host, but they cannot communicate with any
other computers beyond it.
▪ This connection mode is useful when we set up an isolated
private virtual network.
▪ When we run a cyber attack experiment, this mode lets us
avoid leaking packets into our normal network.

▪ VMs on one host can exchange data with each other and the
host
▪ VMs never receive or transmit data with the host's physical NIC
▪ Virtual machines cannot communicate with nodes beyond
the host
The difference between NAT, Bridge, and Host-Only Network Modes

Network mode: NAT
- Functionality: shares the host's address and network connection
- Internet access: yes
- External network access: outgoing only
- Communication with host: limited (through the external network)
- Communication between VMs: yes

Network mode: Bridge
- Functionality: connects the VM directly to the physical network with its own IP address
- Internet access: yes
- External network access: yes
- Communication with host: yes
- Communication between VMs: yes

Network mode: Host-only
- Functionality: creates a private network between host and VMs, isolated from the external network
- Internet access: no
- External network access: no
- Communication with host: yes
- Communication between VMs: yes
Lecture 8
Networking and Server Attacks

Networking Based Attacks
A number of attacks that target a network, or a
process that relies on a network, can be classified
under the following categories:
▪ Interception-based attacks
▪ Poisoning attacks (attacks using poisoning)

▪ Three of the most typical interception-based attacks
include:
- Man-in-the-Middle attacks (MITM)
- Man-in-the-browser attacks
- Replay attacks
Man-in-the-Middle Attacks (MITM)
- Two computers are sending and receiving data with a
computer between them
- An "interception" of legitimate communication, with a
fabricated response sent back to the sender, can occur
- A MITM could occur between two users; however, many
MITM attacks are between a user and a server
- The objective of this attack is to make a service unusable,
usually by overloading the server or network
For example,
- Consume host resources:
• TCP SYN floods
• ICMP ECHO (ping) floods
- Consume bandwidth
• UDP floods
• ICMP floods
Man-in-the-Middle Attacks (MITM)
(Figure: MITM attack intercepting the public key exchanged between two users.)
Attacks by "Man In The Middle" can occur in a variety of ways:
▪ Internet Protocol (IP) spoofing
▪ Domain Name System spoofing (DNS cache poisoning)
▪ HTTP spoofing
▪ Secure Sockets Layer hijacking (SSL stripping)
▪ Email hijacking
IP Spoofing
▪ All devices that connect to the Internet have an IP address
▪ When something or someone impersonates a reliable
source, this is called spoofing.
▪ Attackers "spoof" users' IP addresses and pretend to be a
website or a known individual in order to trick users into
disclosing critical information.
Man in the Browser (MITB)
▪ This attack intercepts communication between parties to
steal or manipulate the data
- Occurs between a browser and the underlying computer
▪ A MITB attack usually begins with a Trojan infecting the
computer and installing an “extension” into the browser
configuration
- When the browser is launched the extension is activated
- Extension waits for a specific webpage in which a user enters
information such as account number and password for a financial
institution
- When users click “Submit” the extension captures all the data from
the fields on the form
- May even modify some of the data

Man in the Browser (MITB)
(Figure: man-in-the-browser attack.)

▪ Malware that installs itself in a victim's browser to
capture data transmitted between the user and a
particular website is known as a "Man-in-the-Browser"
attack.
▪ This type of cybercrime frequently targets online financial
organizations.
MITB Attack Features:
▪ Most MITB attacks are distributed through a Trojan browser extension
making it difficult to recognize that malicious code has been installed
▪ An infected MITB browser might remain dormant for months until triggered
by the user visiting a targeted website
▪ MITB software resides exclusively within the web browser, making it
difficult for standard anti-malware software to detect it

Replay Attack
The attacker makes a copy of a transmission before sending it to the
original recipient:
- the copy is kept for later use, such as saved login information.

Replay attack defence techniques
- Both parties can agree to produce a random key that is good for a short
time or for a particular procedure
- Use timestamps in all messages and reject any message that falls
outside of a normal window of time
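The two defence techniques above combined in one receiver, as an added example (not code from the lecture): every message carries a timestamp, a one-time random value (nonce) and a MAC over both, and the receiver rejects anything outside the time window, anything already seen, and anything whose MAC does not verify. The shared key, the 30-second window and the JSON message layout are assumptions made for the demonstration:

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by both parties; a real deployment would use
# secrets.token_bytes(32) exchanged out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
WINDOW_SECONDS = 30  # assumed acceptable clock skew plus transit time


def make_message(payload: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """Build a message carrying a timestamp, a one-time random nonce and a MAC."""
    now = time.time() if now is None else now
    msg = {"payload": payload, "ts": int(now), "nonce": secrets.token_hex(16)}
    body = json.dumps(msg, sort_keys=True).encode()
    msg["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Accepts each valid message once, and only within the time window."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp, pruned as entries age out

    def accept(self, msg: dict, now=None):
        now = time.time() if now is None else now
        body = json.dumps({k: v for k, v in msg.items() if k != "mac"},
                          sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "bad MAC"              # forged or modified message
        if abs(now - msg["ts"]) > self.window:
            return False, "outside time window"  # an old copy replayed later
        # Nonces older than the window can no longer pass the check above,
        # so forgetting them keeps the cache bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"       # same copy presented again
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


if __name__ == "__main__":
    receiver = Receiver()
    message = make_message("login alice", now=1000)
    print(receiver.accept(message, now=1005))   # (True, 'ok')
    print(receiver.accept(message, now=1006))   # (False, 'replayed nonce')
```

The timestamp alone would let a copy be replayed anywhere inside the window; the nonce cache closes that gap, and the MAC stops an attacker from simply updating the timestamp on a captured message.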
Poisoning Attacks
▪ Poisoning is the act of introducing a substance that harms
or destroys
▪ Three types of attacks inject “poison” into a normal
network process to facilitate an attack:
- Address Resolution Protocol (ARP) poisoning
- DNS poisoning
- Privilege escalation

ARP Poisoning
▪ If the IP address for a device is known but the MAC
address is not, the sending computer sends an ARP packet
to determine the MAC address
▪ MAC addresses are stored in an ARP cache for future
reference
▪ All computers that "hear" the ARP reply also cache the
data
▪ ARP poisoning relies upon MAC spoofing, which is imitating another
computer by means of changing the MAC address
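Detecting the cache behaviour described above from the defender's side, as an added example (not part of the lecture): a monitor keeps the first MAC address seen for each IP, compares later ARP replies against it and against any static bindings the administrator trusts, and also reports a MAC that ends up claiming several IP addresses. The ARP replies, addresses and trusted bindings are all constructed sample data:

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a LAN: (seconds, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # gateway, legitimate
    (1, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (2, "192.168.1.21", "aa:aa:aa:aa:aa:21"),
    (30, "192.168.1.1", "AA:AA:AA:AA:AA:21"),   # gateway's IP now claimed by .21's MAC
    (31, "192.168.1.20", "aa:aa:aa:aa:aa:21"),  # .20's IP claimed as well
]

# Constructed static bindings the defender trusts (typically the gateway).
TRUSTED_BINDINGS = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_anomalies(replies, trusted=None):
    """Return a list of alert dicts for ARP replies that contradict known bindings.

    The cache keeps the first MAC seen for each IP (or the trusted one); later
    replies that disagree are flagged but do not overwrite it, so repeated
    poisoning attempts keep alerting. A MAC claiming several IPs is reported too.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    cache = dict(trusted)
    claims = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        if ip in trusted and trusted[ip] != mac:
            alerts.append({"time": t, "kind": "static-binding-violation",
                           "ip": ip, "mac": mac})
        elif ip in cache and cache[ip] != mac:
            alerts.append({"time": t, "kind": "ip-changed-mac", "ip": ip,
                           "old": cache[ip], "mac": mac})
        cache.setdefault(ip, mac)
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append({"time": None, "kind": "mac-claims-multiple-ips",
                           "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(alert)
```

Static bindings for critical addresses such as the gateway are the strongest signal, since a first-seen cache can itself be poisoned if the attacker's reply arrives before the legitimate one.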
DNS poisoning
▪ Domain Name System is the current basis for name
resolution to IP addresses
▪ DNS poisoning substitutes DNS addresses to redirect a
computer to another device
▪ Two locations for DNS poisoning
- Local host table
- External DNS server

DNS Poisoning/Spoofing
▪ DNS refers to "Domain Name Server/System". The DNS
system converts names to IP addresses.
▪ When DNS is spoofed, a person is forced to a fake website
that looks just like the real one they are supposed to be
seeing.
▪ The goal of the attacker is to divert traffic or retrieve login
credentials.
Privilege Escalation
▪ Access rights
- Privileges to access hardware and software resources that are granted to users
▪ Privilege escalation
- Exploiting a software vulnerability to gain access to resources that the user
normally would be restricted from accessing
▪ Two types of privilege escalation:
- When a lower privilege user accesses functions restricted to higher privilege
users (sometimes called vertical privilege escalation)
- When a user with restricted privilege accesses different restricted functions of a
similar user (horizontal privilege escalation)
Server Attacks
▪ A compromised server can provide threat actors with its
privileged contents or provide an opening for attacking any
of the devices that access that server

▪ Typical server attacks include:
- Denial of service (DoS)
- Web server application attacks
- Hijacking
- Overflow attacks
- Advertising attacks
- Exploiting browser vulnerabilities
Denial of Service (DoS)
▪ Denial of Service (DoS)
- A deliberate/intentional attempt to prevent authorized users
from accessing a system by overwhelming it with requests
▪ Most DoS attacks today are distributed denial of service
(DDoS)
- Using hundreds or thousands of devices flooding the server with
requests
▪ Smurf attack
- An attacker broadcasts a network request to all computers on
the network but changes the address from which the request
came from (called IP spoofing)
- Appears as if victim’s computer is asking for response from all
computers on the network
- All computers send a response to the victim’s computer so that
it is overwhelmed

Denial of service (DoS)
▪ DNS amplification attack
- Floods a victim by redirecting valid responses to it
- Uses publicly accessible and open DNS servers to flood a system with
DNS response traffic
▪ SYN flood attack
- Takes advantage of the procedures for initiating a session
▪ In a SYN flood attack against a web server:
- The attacker sends SYN segments in IP packets to the server
- The attacker modifies the source address of each packet to computer
addresses that do not exist or cannot be reached
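What the SYN flood above looks like from the server's side, as an added detection example (not part of the lecture): each SYN opens a half-open entry that only the client's final ACK closes, so unreachable spoofed sources leave entries that never close. The segment records, addresses and the alert threshold are constructed for the demonstration; a production monitor would also age entries out over time:

```python
from collections import defaultdict

# Constructed sample of client-to-server TCP segments:
# (seconds, src IP, dst IP, dst port, flags). One real client completes its
# handshake; eight spoofed sources send a SYN and never answer the SYN-ACK.
SAMPLE_SEGMENTS = [
    (1.0, "10.0.0.5", "203.0.113.10", 443, {"SYN"}),
    (1.1, "10.0.0.5", "203.0.113.10", 443, {"ACK"}),
] + [
    (10.0 + i, f"198.51.100.{i}", "203.0.113.10", 443, {"SYN"}) for i in range(1, 9)
]


def half_open_connections(segments):
    """Return {(dst, port): set of sources} whose SYN was never followed by an ACK."""
    pending = {}  # (src, dst, port) -> time of the SYN
    for t, src, dst, port, flags in segments:
        key = (src, dst, port)
        if flags == {"SYN"}:
            pending[key] = t          # handshake started
        elif "ACK" in flags and key in pending:
            del pending[key]          # third segment arrived: handshake complete
    by_service = defaultdict(set)
    for src, dst, port in pending:
        by_service[(dst, port)].add(src)
    return dict(by_service)


def syn_flood_alerts(segments, threshold=5):
    """Flag services with at least `threshold` distinct sources stuck half-open."""
    return [(dst, port, len(srcs))
            for (dst, port), srcs in half_open_connections(segments).items()
            if len(srcs) >= threshold]


if __name__ == "__main__":
    print(half_open_connections(SAMPLE_SEGMENTS))
    print(syn_flood_alerts(SAMPLE_SEGMENTS))  # [('203.0.113.10', 443, 8)]
```

The legitimate client disappears from the half-open set as soon as its ACK arrives; the spoofed sources never do, which is the signature that distinguishes a flood from a burst of genuine connections.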
Distributed DoS
▪ The handlers are usually very high volume servers
◦ Easy to hide the attack packets
▪ The agents are usually home users with DSL/cable
◦ Already infected and the agent installed
▪ Very difficult to track down the attacker

(Figure: the attacker controls handlers, which control agents, which flood the victim.)
Web Server Application Attacks
▪ It is more challenging to secure online applications than
it is to secure traditional systems.
▪ Attacks known as "zero day attacks" take advantage of
vulnerabilities that were not previously discovered,
leaving victims with no time to protect themselves.
▪ Traditional network security devices can block traditional
network attacks, but cannot always block web
application attacks
- Many network security devices ignore the content of HTTP traffic

▪ Several different web application attacks focus on user
input; there are two forms of those attacks:
- Cross-site attacks
- Attacks using injection
Cross-site Attacks
▪ In a cross-site scripting (XSS) attack
- The threat actor takes advantage of web applications that accept user input
without validating it before presenting it back to the user
▪ When the victim visits the injected website:
- Malicious instructions are sent to the victim's browser
▪ Some XSS attacks are designed to steal information retained by the browser
when visiting specific sites (anything stored by the browser, such as session
tokens and cookies, so that the attacker can impersonate the user to that site)
▪ An XSS attack requires that a website meets two criteria:
- Accepts user input without validating it
- Uses the input in a response back to the user
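The two criteria above side by side, as an added example (not from the lecture): a page that echoes a search query back unchanged meets both, while the same page with output encoding for the HTML context does not. The template and the probe string (the usual harmless `alert(1)` test input) are constructed for the demonstration:

```python
from html import escape

# Constructed page template: a search page that reflects the query back to the user.
TEMPLATE = "<p>Search results for: {query}</p>"

# Harmless probe string used when testing for reflection; any script would run the same way.
PROBE = "<script>alert(1)</script>"


def render_vulnerable(user_input: str) -> str:
    """Both XSS criteria met: input is not validated and is echoed into the response."""
    return TEMPLATE.format(query=user_input)


def render_safe(user_input: str) -> str:
    """Same page, but the input is encoded for the HTML context before output.

    escape() turns <, >, & and (with quote=True) both quote characters into
    entities, so the browser renders them as text instead of parsing markup.
    """
    return TEMPLATE.format(query=escape(user_input, quote=True))


def contains_script_tag(html: str) -> bool:
    """Crude check for the demonstration: a raw <script tag is executable markup."""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(render_vulnerable(PROBE))
    print(render_safe(PROBE))
```

Encoding must match the context the input lands in: entity-encoding is right for HTML text and quoted attributes, but input placed inside a script block or a URL needs the encoding for that context instead.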
Cross-site Attacks
▪ Cross-Site Request Forgery (XSRF)
- This attack uses the user's web browser settings to
impersonate that user
▪ If a user is currently authenticated on a website and is
tricked into loading another webpage
- The new page inherits the identity and privileges of the
victim to perform an undesired function on the
attacker's behalf, such as changing the security
questions or password to impersonate that user.

(Figure: cross-site request forgery.)
Injection Attacks
▪ Introduce new input to exploit a vulnerability. One of the
most common injection attacks, called SQL injection,
inserts statements to manipulate a database server
▪ What is SQL (Structured Query Language)?
- Used to view and manipulate data stored in a relational database

▪ Forgotten password example:
- Attacker enters a fictitious e-mail address that includes a single quotation mark as
part of the data
- The response lets the attacker know whether input is being validated
- Attacker enters an SQL fragment in the email field
- The statement is processed by the database, for example:
SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
- Result: all user email addresses will be displayed
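The forgotten-password example worked through against a real database, as an added example (not code from the lecture): the vulnerable lookup pastes the email field into the statement text, exactly as the `'whatever' or 'a'='a'` statement above, while the parameterised version binds it as data. The in-memory SQLite table and its two rows are constructed for the demonstration:

```python
import sqlite3


def setup_db():
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "hash1"), ("bob@example.com", "hash2")])
    return conn


def lookup_vulnerable(conn, email: str):
    """The pattern in the example above: user input pasted into the statement text."""
    sql = "SELECT email FROM users WHERE email = '%s' ORDER BY email" % email
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email: str):
    """Parameterised query: the input is bound as data and cannot alter the statement."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE email = ? ORDER BY email", (email,))]


def single_quote_probe(conn, lookup) -> str:
    """The first step in the example: submit a lone quote and watch how the application reacts."""
    try:
        lookup(conn, "x'")
        return "handled"        # the quote was treated as data
    except sqlite3.OperationalError:
        return "syntax error"   # the quote reached the SQL parser: injectable


if __name__ == "__main__":
    db = setup_db()
    print(lookup_vulnerable(db, "whatever' or 'a'='a"))  # every address
    print(lookup_safe(db, "whatever' or 'a'='a"))        # []
```

The probe result is what tells the two versions apart from the outside: a syntax error on a lone quote shows that input is being interpreted as SQL rather than as a value, which is the condition the rest of the example relies on.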
Hijacking
▪ Several server attacks are the result of threat actors
“commandeering” a technology and then using it for an attack
▪ Common hijacking attacks include:
- Session hijacking
- URL hijacking
- Domain hijacking
- Clickjacking

▪ Session Hijacking
- Attacker attempts to impersonate a user by stealing or guessing the session
token
- A session token is a random string assigned (basically this is the cookie)
to an interaction between a user and a web application
• An attacker can attempt to obtain the session token:
- By using XSS or other attacks to steal the session token cookie from the
victim's computer
- By eavesdropping on the transmission (MITM)
- By guessing the session token
▪ URL hijacking (also called typo squatting)
- Users are directed to a fake look-alike site filled with ads, for which the
attacker receives money for traffic generated to the site
- Attackers purchase the domain names of sites that are spelled
similarly to actual sites
- Example: goggle.com (misspelling) or google.net (incorrect domain)
- Earlier error message: HTTP Error 404 Not Found
- But now, the user will be directed to these fake look-alike sites
- Threat actors are also registering domain names that are one bit
different (called bit squatting)
▪ Domain hijacking occurs when a domain pointer that
links a domain name to a specific web server is changed
by a threat actor
- When a domain is hijacked, a threat actor gains access to the domain
control panel and redirects the registered domain to a different physical
web server
Clickjacking
▪ Hijacking a mouse click
▪ The user is tricked into clicking a link that is other than what
it appears to be
▪ Clickjacking often relies upon threat actors who craft a zero-
pixel IFrame
- IFrame (short for inline frame) is an HTML element that allows for
embedding another HTML document inside the main document
- Clickjacking is sometimes called a user interface (UI) redress attack
- You will not be able to see it because the attacker has put another
layer of the website in front of the actual site, and the victim then
interacts with the malicious site
- A zero-pixel IFrame is virtually invisible to the naked eye
Overflow Attacks
▪ Designed to "overflow" areas of memory with instructions
from the attacker
▪ Types of overflow attacks:
- Buffer overflow attacks
- Integer overflow attacks

Buffer overflow attacks
- Occur when a process attempts to store data in RAM
beyond the boundaries of a fixed-length storage buffer
- Extra data overflows into adjacent memory locations
▪ An attacker can overflow the buffer with a new address
pointing to the attacker's malware code

Integer overflow attacks
▪ An integer overflow is the condition that occurs when the
result of an arithmetic operation exceeds the maximum
size of the integer type used to store it
▪ In an integer overflow attack:
- An attacker changes the value of a variable to something outside the range
that the programmer had intended by using an integer overflow
▪ This type of attack could be used in the following
situations:
- An attacker could use an integer overflow attack to create a buffer
overflow situation
- A large positive value in a bank transfer could be wrapped around by
an integer overflow attack to become a negative value
• Could reverse the flow of money
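Both situations above, carried through as an added example (not part of the lecture). Python integers do not overflow, so `wrap_int32` emulates what a 32-bit two's-complement integer does silently; the bank-transfer wrap-around and the undersized buffer allocation are then shown beside checked versions that reject the out-of-range values. The balance, amount and buffer sizes are constructed for the demonstration:

```python
INT32_MIN, INT32_MAX = -2 ** 31, 2 ** 31 - 1


def wrap_int32(value: int) -> int:
    """What a 32-bit two's-complement integer silently does to an out-of-range value."""
    return (value + 2 ** 31) % 2 ** 32 - 2 ** 31


def transfer_unchecked(balance: int, amount: int) -> int:
    """Debit `amount` from `balance` with both stored as int32 and no range check."""
    amount = wrap_int32(amount)           # a large positive amount becomes negative...
    return wrap_int32(balance - amount)   # ...and the debit turns into a credit


def transfer_checked(balance: int, amount: int) -> int:
    """Reject amounts outside the intended range and results that would not fit."""
    if not 0 < amount <= INT32_MAX:
        raise ValueError("amount out of range")
    result = balance - amount
    if not INT32_MIN <= result <= INT32_MAX:
        raise ValueError("result would overflow")
    return result


def allocation_size_unchecked(count: int, element_size: int) -> int:
    """Buffer size for `count` elements with the product stored as int32 (the flaw)."""
    return wrap_int32(count * element_size)


def allocation_size_checked(count: int, element_size: int) -> int:
    """Refuse a product that would wrap: an undersized buffer is how an integer
    overflow becomes a buffer overflow, since later writes assume the full size."""
    total = count * element_size
    if count < 0 or element_size < 0 or total > INT32_MAX:
        raise ValueError("allocation size overflows")
    return total


if __name__ == "__main__":
    print(wrap_int32(3_000_000_000))              # -1294967296
    print(transfer_unchecked(100, 3_000_000_000))  # 1294967396: the account grew
    print(allocation_size_unchecked(2 ** 20, 2 ** 12))  # 0: no room for 4 GiB of data
```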
Advertising Attacks
Several attacks attempt to use ads or manipulate the advertising system
▪ Two of the most common:
- Malvertising
- Ad fraud

Malvertising
▪ Threat actors use third-party advertising networks to distribute
malware to unsuspecting users who visit a well-known site
- Known as malvertising or a poisoned ad attack
▪ An ad that contains malware redirects visitors who receive it to
the attacker's webpage, which then downloads Trojans and
ransomware onto the user's computer
▪ Preventing malvertising is difficult
- Website operators are unaware of the types of ads that are being
displayed
- Users have a false sense of security going to a "mainstream" website
- Turning off ads that support plug-ins such as Adobe Flash often disrupts
the user's web experience

▪ Ad fraud
- Threat actors manipulate pre-roll ads to earn ad
revenue that is directed back to them
Browser Vulnerabilities
▪ Web browser additions have introduced vulnerabilities in
browsers that access servers
▪ These additions are:
- Extensions
- Plug-ins
- Add-ons

Scripting Code
▪ Adding dynamic content
- Web server downloads a “script” or series of instructions in the form
of computer code that commands the browser to perform specific
actions
▪ JavaScript is the most popular scripting code
- JavaScript instructions are embedded inside HTML documents
▪ There are different defense mechanisms intended to prevent
JavaScript programs from causing serious harm
▪ However, there are security concerns
- A malicious JavaScript program could capture and remotely transmit
user information without the user’s knowledge or authorization

▪ Extensions expand the normal capabilities of a web
browser; For a specific webpage
▪ Most extensions are written in JavaScript
- So that the browser can support dynamic actions
▪ Extensions are browser dependent
- An extension that works in Google Chrome will not function in
Microsoft Edge

▪ Plug-in; Adds new functionality to a web browser so users can play
music, view videos, or display special graphical images
▪ A single plug-in can be used on different web browsers
▪ One common plug-in supports Java
- Java can be used to create a separate program called a Java applet
▪ Most widely used plug-ins for web browsers:
- Java, Adobe Flash player, Apple QuickTime, and Adobe Acrobat Reader

▪ Add-ons
- Add a greater degree of functionality to the web browser
▪ Add-ons can do the following:
- Create additional web browser toolbars
- Change browser menus
- Be aware of other tabs open in the same browser
- Process the content of every webpage that is loaded
▪ Due to the risks associated with extensions, plug-ins, and
add-ons
- Efforts are being made to minimize them
- Some web browsers now block plug-ins
- HTML5 standardizes sound and video formats so that plug-ins like
Flash are no longer needed

Summary
▪ Some attacks are designed to intercept network
communications, e.g. man-in-the-middle and replay
attacks
▪ Some types of attacks inject "poison" into a normal
network process to facilitate an attack
▪ Whereas some attacks are directed at the network itself,
other attacks are directed at network servers
- Denial of service, DNS amplification attack, and SYN flood attack are
examples
▪ A cross-site scripting (XSS) attack is focused not on
attacking a web application server, but on using the server
to launch other attacks on computers that access it
▪ Several server attacks are the result of threat actors
“commandeering” a technology and then using it for an
attack
▪ Some attacks can target either a server or a client by
“overflowing” areas of memory with instructions from the
attacker
▪ Most websites today rely heavily upon advertising revenue
- Several attacks attempt to use ads or manipulate the advertising
system
▪ To provide enhanced features, virtually all websites today
allow scripting code to be downloaded from the web server
into the user’s web browser

Lecture 9

Network Boundary (F.W/IPS) Defense
Firewall Types/Architectures
Intrusion Prevention Systems (IPS)
Part 1
Introduction to Firewall Security
What Is a Firewall?
▪ A firewall is a system that enforces an access control policy
between two networks; such as your private LAN and the
unsafe/untrusted public Internet.
▪ The firewall determines which inside services can be
accessed from the outside, and vice versa.
▪ The firewall can be thought of as a pair of mechanisms:
- one to block traffic, and
- one to permit traffic.
▪ A firewall is more than the locked front door to your
network; it’s your security guard as well.

Introduction to Firewall Security
▪ A firewall is a hardware or software system that prevents
unauthorized access to or from a network.
▪ It can be implemented in hardware, in software, or in a
combination of both.
▪ Firewalls are frequently used to prevent unauthorized Internet
users from accessing private networks connected to the Internet.
▪ All data entering or leaving the intranet passes through the firewall,
which examines each packet and blocks those that do not meet
the specified security criteria.
How do firewalls work?
A firewall that protects an entire network is typically a separate
hardware device. These hardware firewalls are usually located
outside the network security perimeter as the first line of
defense.

General features of Firewalls
- Port control
- Network Address Translation
- Application monitoring
- Packet filtering

Additional firewall features
- Data encryption
- Reporting/logging
- Email virus protection
- Pop-up ad blocking
Viruses and Firewalls
- In general, firewalls cannot protect against viruses;
- anti-virus software is needed for that purpose.
- However, many security suites such as McAfee and Norton
offer complete protection, while others have limited virus
protection features.
Firewall Types
▪ Hardware firewalls are integrated into the router that
sits between a computer and the Internet
▪ Software firewalls are programs installed on individual
servers. They intercept each connection request and
then determine whether the request is valid or not

What is a Hardware Firewall?
▪ It is a physical device or a set of physical devices which act as the
first line of defence for a computer network. A very basic hardware
firewall example is a router that is normally used in most of the
households with Wi-Fi Fibernet connections
▪ It is just a software firewall running on a dedicated piece of
hardware
▪ It is a barrier to keep destructive forces away from your devices

Enterprise Hardware firewall


https://www.thegioifirewall.com/san-pham/juniper-srx-3400/

9
Hardware Firewall, What it does!
▪ It is a hardware device that filters the information coming
through the internet connection into your private network
or computer system.
▪ If an incoming packet of information is flagged by the
filters, it is not allowed through (denied)

10
Software Firewalls
▪ Firewalls that are only software operate on a machine that
is also capable of other tasks. This category includes the
majority of personal firewalls designed to protect a single
machine.
▪ The purpose of a personal firewall is to safeguard your
computer while it is connected to the Internet, not to turn
your computer into a standalone firewall.
▪ There are several software-based business firewalls as
well.

11
Windows personal firewall settings

12
Software firewalls vs Hardware firewalls
▪ Software firewalls inherit all vulnerabilities of the OS on
which they run.
▪ Because software firewall architectures are well known, it is easier
to exploit their vulnerabilities (e.g. buffer overflow).
▪ Software firewalls often have better performance: they
benefit from rapid advances and low prices in PC hardware.

13
Firewall Layer of Operation
1. Network Layer:
- Makes decisions based on the source address, destination address
and port in individual IP packets
- Based on routers
- Has the ability to perform static and dynamic packet
filtering and stateful inspection
Static Packet Filtering
- It looks at minimal information in the packets (such as IP
headers: source and destination address) to allow or block traffic
between specific service ports
• It offers little protection

14
Dynamic Packet Filtering
- It maintains a connection table in order to monitor
requests and replies:
• tracking of TCP connections, beginning with the "three-way handshake" (SYN,
SYN/ACK, ACK)

Stateful Inspection
- Compares certain key parts of the packet to a database of
trusted information. Incoming information is compared to
the characteristics of outgoing information and, if the
comparison leads to a reasonable match, the
information is allowed.
Note:
- Static or stateless firewalls make decisions based on variables like IP/MAC/port number.
- Dynamic/stateful firewalls make decisions based on the whole picture.

15
2. Application layer
- They are generally hosts running proxy servers which
perform logging and auditing of traffic through the network
- Logging and access control are done through software
components
Proxy services
- An application that maintains traffic between a protected network and the
Internet
- Able to understand the application protocol being utilized and
implement protocol-specific security
- Application protocols include FTP, HTTP, etc.
Port scans
- When hackers remotely spy on your computers to see what software
and services you have, the most common tool is a port scan (network
scanning, e.g. Nmap).
- Proper configuration and maintenance of the firewall can restrict such
access.

16
Types of Firewall Techniques
Different firewalls have different methods of inspecting packets
for acceptance or rejection

▪ Packet filtering Firewall
▪ Stateful Multilayer Firewall
▪ Application Proxy Firewall
▪ Circuit-level gateway Firewall

17
Packet Filtering Firewall Mechanism

▪ In this firewall type, there are security rules that block traffic
based on IP address and IP protocol
▪ Work at the network level of the OSI model (transport and
network layers of the TCP/IP stack)
▪ Packets can be filtered (permitted or denied) based on a
wide range of criteria:
- Source IP address
- Destination IP address
- Protocol Type (IP, TCP, UDP, ICMP, ESP, etc.)
- Source Port
- Destination Port

18
19
Packet filtering is implemented as a rule-list:

An important aspect to consider is the rule list. A rule list is always parsed from top to
bottom. To avoid having a preceding, more comprehensive rule invalidate a
particular rule, more detailed rules should always be near the head of the rule list.
Moreover, an implicit "deny any" rule that frequently cannot be eliminated
typically resides at the bottom of a rule list. Hence, rule lists that exclusively
include deny statements will stop all traffic.

20
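The ordering rule above can be checked mechanically. The following is an added illustration, not code from the lecture: a small first-match evaluator with the implicit "deny any" at the end, plus a shadowing check that reports rules which can never fire because an earlier, broader rule already covers every packet they match. The Rule/Packet field names and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Top-down, first-match evaluation of a packet-filter rule list.

Added illustration, not code from the lecture: the Rule/Packet field
names and the addresses (RFC 5737 documentation ranges) are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"  # wildcard value for a rule field


@dataclass(frozen=True)
class Packet:
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str = ANY       # CIDR, single address, or "any"
    dst: str = ANY
    proto: str = ANY
    dport: object = ANY  # port number or "any"
    note: str = ""


def _net_matches(field: str, addr: str) -> bool:
    return field == ANY or ip_address(addr) in ip_network(field, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every one of its fields matches the packet."""
    return (_net_matches(rule.src, pkt.src)
            and _net_matches(rule.dst, pkt.dst)
            and rule.proto in (ANY, pkt.proto)
            and rule.dport in (ANY, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first matching rule decides.
    Falling off the end hits the implicit 'deny any', reported as index None."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return "deny", None


def _covers(earlier, later, is_net: bool) -> bool:
    """True when the earlier rule's field matches everything the later one's does."""
    if earlier == ANY:
        return True
    if later == ANY:
        return False
    if is_net:
        return ip_network(later, strict=False).subnet_of(ip_network(earlier, strict=False))
    return earlier == later


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers
    every packet they could match: the ordering mistake the slide warns about."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier.src, later.src, True)
                    and _covers(earlier.dst, later.dst, True)
                    and _covers(earlier.proto, later.proto, False)
                    and _covers(earlier.dport, later.dport, False)):
                out.append(j)
                break
    return out


# Constructed rules: a broad permit for a web subnet and a deny for one client.
WEB_PERMIT = Rule("permit", dst="192.0.2.0/24", proto="tcp", dport=80, note="broad web permit")
BLOCK_HOST = Rule("deny", src="198.51.100.7", dst="192.0.2.10", proto="tcp", dport=80,
                  note="block one abusive client")

BAD_ORDER = [WEB_PERMIT, BLOCK_HOST]   # broad rule first: the deny is unreachable
GOOD_ORDER = [BLOCK_HOST, WEB_PERMIT]  # specific rule first
ABUSIVE = Packet("198.51.100.7", "192.0.2.10", "tcp", 80)

if __name__ == "__main__":
    print("bad order :", evaluate(BAD_ORDER, ABUSIVE), "shadowed:", shadowed_rules(BAD_ORDER))
    print("good order:", evaluate(GOOD_ORDER, ABUSIVE), "shadowed:", shadowed_rules(GOOD_ORDER))
    print("deny-only :", evaluate([Rule("deny", proto="icmp")],
                                  Packet("203.0.113.9", "192.0.2.10", "tcp", 22)))
```

With the broad permit first, the packet from the abusive client is permitted by rule 0 and the deny at index 1 is reported as shadowed; swapping the two rules gives the intended deny. A list containing only deny statements ends in the implicit deny for everything else, as the slide states.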
Packet Filtering Firewall Functions
▪ Forward the packet(s) on to the intended destination
▪ Reject the packet(s) and notify the sender
▪ Drop the packet(s) without notifying the sender.
▪ Log accepted and/or denied packet information
▪ NAT - Network Address Translation

21
NAT (Network Address Translation)
▪ Public IP addresses are scarce.
▪ Instead of reserving 256 addresses for 100 workstations, we
can hide those 100 workstations behind a single address.
▪ For this purpose, the IETF has reserved three address
ranges, one for each IPv4 class:
- Class A - 10.x.x.x (10.0.0.0 - 10.255.255.255)
- Class B - 172.16-31.x.x (172.16.0.0 - 172.31.255.255)
- Class C - 192.168.x.x (192.168.0.0 - 192.168.255.255)
NAT is used:
- to translate between private addresses and public addresses.
- to allow devices configured with a private address to be
stamped with a public address, thus allowing those devices to
communicate across the Internet.
- to perform a public-to-public address translation, or a private-to-
private address translation as well.

22
NAT Basic Principle
▪ Use private addresses in the internal network and
one/several public addresses to communicate with the
Internet.
▪ When a packet leaves the internal network, we replace its
source address by a public address.
▪ When a packet arrives from the Internet, we replace its
public destination by a private address.
▪ We use a translation table to store the relations between
internal and external addresses.

23
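The translation table described on the previous slide, worked through as an added example (not the lecture's code). It uses port-based NAT, so that many internal hosts share one public address: an outbound packet gets its private source rewritten to the public address and a freshly allocated public port, and the reverse mapping is stored; an inbound packet is rewritten back only if a mapping exists, so unsolicited traffic from the Internet has nowhere to go and is dropped. The public address 203.0.113.1, the 10.0.0.0/8 hosts and the port numbers are constructed.

```python
"""Port-based NAT (NAPT) translation table, as an added illustration.

Constructed example, not the lecture's own code: the inside hosts
(10.0.0.0/8), the shared public address 203.0.113.1 and the packets are
made up.
"""
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional

PUBLIC_IP = "203.0.113.1"   # the single public address shared by the LAN (assumed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)   # allocator for public-side ports
        # outbound: (proto, private ip, private port) -> public port
        self.outbound = {}
        # inbound:  (proto, public port) -> (private ip, private port)
        self.inbound = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the LAN: replace the private source with the public one,
        creating a table entry the first time this inside socket is seen."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet: replace the public destination with
        the private one recorded in the table. No entry means no inside host
        asked for this traffic, so the packet is dropped (None)."""
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


if __name__ == "__main__":
    gw = NatGateway()
    # Two inside hosts using the same local port still get distinct public ports.
    out_a = gw.translate_outbound(Packet("10.0.0.5", 51000, "198.51.100.20", 443))
    out_b = gw.translate_outbound(Packet("10.0.0.6", 51000, "198.51.100.20", 443))
    print("outbound:", out_a, out_b)
    reply = gw.translate_inbound(Packet("198.51.100.20", 443, "203.0.113.1", out_b.src_port))
    print("reply delivered to:", reply.dst_ip, reply.dst_port)
    print("unsolicited inbound:", gw.translate_inbound(Packet("192.0.2.77", 4444, "203.0.113.1", 22)))
```

The inbound lookup is what gives NAT its incidental firewall-like effect: a connection attempt from outside to port 22 finds no mapping and is discarded, while the reply to a connection an inside host opened is delivered to the right private socket.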
Packet Filtering Firewall Mechanism
Advantage:
▪ Packet filtering firewalls are low cost and have low impact on
network performance
▪ Best suited for smaller networks.
Disadvantage:
▪ Filter rules are sometimes difficult to test
▪ Packet filtering can degrade router performance
▪ It is also vulnerable to spoofing in some cases (attackers
can "tunnel" malicious traffic through allowed ports on the
filter.)

24
Stateful Firewalls Mechanism
▪ Stateful inspection, also known as dynamic packet filtering, is a
firewall technology that monitors the state of active
connections and uses this information to determine which
network packets to allow through the firewall.
▪ Stateful inspection monitors communications packets over a
period of time and examines both incoming and outgoing
packets.
▪ In a firewall that uses stateful inspection, the network
administrator can set the parameters to meet specific needs. In
a typical network, ports are closed unless an incoming packet
requests connection to a specific port and then only that port is
opened. This practice prevents port scanning, a well-known
hacking technique.

25
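The connection table behind dynamic packet filtering and stateful inspection (the "three-way handshake" tracking on the earlier slide and the "ports are closed unless an inside host opened them" behaviour on this one), as an added example that is not part of the lecture. The policy it assumes is the common one: hosts in 10.0.0.0/8 may open connections outward, nothing may be opened inward, and an inbound segment is let through only if it matches a tracked connection in the expected state. Addresses are documentation-range placeholders.

```python
"""Stateful inspection of TCP with a connection table, added as an
illustration (not the lecture's code). Assumed policy: hosts inside
10.0.0.0/8 may open connections outward; nothing may be opened inward,
and a packet is let back in only if it belongs to a tracked connection.
Addresses are documentation-range placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # the protected network (assumed)


@dataclass(frozen=True)
class Seg:
    """A TCP segment reduced to the fields the tracker needs."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFirewall:
    # Entry states: SYN_SENT -> SYN_RECV -> ESTABLISHED -> CLOSING -> (deleted)
    def __init__(self):
        self.table = {}  # (inside ip, inside port, outside ip, outside port) -> state

    @staticmethod
    def _key(seg, outbound):
        # Normalise both directions of a flow onto one table key.
        if outbound:
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def inspect(self, seg):
        outbound = ip_address(seg.src) in INSIDE
        key = self._key(seg, outbound)
        state = self.table.get(key)

        if seg.rst:                      # a reset tears down a known flow; stray RSTs are dropped
            if state is None:
                return "drop"
            del self.table[key]
            return "allow"

        if state is None:
            # Only an outbound SYN (without ACK) may create a new entry. An inbound
            # SYN, or a lone ACK/FIN that probes for open ports, belongs to no
            # connection and is dropped.
            if outbound and seg.syn and not seg.ack:
                self.table[key] = "SYN_SENT"
                return "allow"
            return "drop"

        if state == "SYN_SENT":
            if outbound and seg.syn and not seg.ack:   # retransmitted SYN
                return "allow"
            if not outbound and seg.syn and seg.ack:    # the expected SYN/ACK reply
                self.table[key] = "SYN_RECV"
                return "allow"
            return "drop"

        if state == "SYN_RECV":
            if outbound and seg.ack and not seg.syn:    # final ACK of the handshake
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "drop"

        if state == "ESTABLISHED":
            if seg.fin:
                self.table[key] = "CLOSING"
            return "allow"

        # CLOSING: let the remaining close-down traffic through, drop the entry on the second FIN
        if seg.fin:
            del self.table[key]
        return "allow"


def run_handshake():
    """Constructed trace: an inside client opens a connection out, data flows,
    the connection closes; two unsolicited inbound probes are refused."""
    fw = StatefulFirewall()
    decisions = [
        fw.inspect(Seg("203.0.113.9", 4444, "10.0.0.5", 22, syn=True)),                 # inbound SYN
        fw.inspect(Seg("203.0.113.9", 4444, "10.0.0.5", 22, ack=True)),                 # stray ACK
        fw.inspect(Seg("10.0.0.5", 51000, "198.51.100.20", 443, syn=True)),             # SYN out
        fw.inspect(Seg("198.51.100.20", 443, "10.0.0.5", 51000, syn=True, ack=True)),   # SYN/ACK in
        fw.inspect(Seg("10.0.0.5", 51000, "198.51.100.20", 443, ack=True)),             # ACK out
        fw.inspect(Seg("198.51.100.20", 443, "10.0.0.5", 51000, ack=True)),             # data in
        fw.inspect(Seg("198.51.100.20", 443, "10.0.0.5", 51001, ack=True)),             # wrong port
        fw.inspect(Seg("10.0.0.5", 51000, "198.51.100.20", 443, fin=True, ack=True)),   # FIN out
        fw.inspect(Seg("198.51.100.20", 443, "10.0.0.5", 51000, fin=True, ack=True)),   # FIN in
    ]
    return decisions, fw.table


if __name__ == "__main__":
    print(run_handshake())
```

The trace shows the difference from a stateless filter: the inbound SYN to port 22 and the lone ACK are dropped even though no rule names those ports, the reply to the inside host's own SYN is admitted, and once both FINs have passed the entry disappears, so the "port" closes again.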
Stateful Inspection Firewall Functions
▪ Keeps a record of the state of a connection
▪ Makes decisions based on the connection and conditions
▪ It combines the aspects of the other three types of firewalls
▪ It filters packets at the network layer, determines whether
session packets are legitimate and evaluates the contents of
packets at the application layer

26
Application Proxy Firewalls
▪ Application Proxy firewalls offer more security than other
types of firewalls, but at the expense of speed and
functionality, as they can limit which applications the
network supports.
▪ In an application proxy firewall, computers establish a
connection to the proxy, which serves as an intermediary
and initiates a new network connection on behalf of the
request. This prevents direct connections between systems
on either side of the firewall and makes it harder for an
attacker to discover where the network is, because they
don't receive packets created directly by their target
system.

27
▪ Application level gateways, also called proxies, are similar
to circuit-level gateways except that they are application
specific
▪ A gateway that is configured to be a web proxy will not
allow any FTP, Telnet or other traffic through
▪ Operate on the application protocol level

28
Application Proxy firewalls

▪ Application Gateways “understand” the protocol and can be configured to
allow or deny specific protocol operations.
▪ Typically, proxy servers sit between the client and actual service. Both the
client and server talk to the proxy rather than directly with each other.

29
Application Proxy Firewalls Drawbacks
▪ Requires modification to client software application
▪ Some client software applications don’t accommodate the
use of a proxy
▪ Some protocols aren’t supported by proxy servers
▪ Some proxy servers may be difficult to configure and may
not provide all the protection you need.

30
Circuit-level gateway
▪ Circuit level gateways work at the session layer of the OSI
model, or the TCP layer of TCP/IP
▪ Monitor TCP handshaking between packets to determine
whether a requested session is legitimate.

31
General Performance

32
The Benefits of Firewall Security
▪ Monitors Traffic
A firewall monitors all of the traffic entering your computer network. A two-way firewall does
double duty and monitors the traffic exiting your network as well. It often provides summaries to
the administrator about what type/volume of traffic has been processed through it.
▪ Blocks Trojans
A firewall helps block Trojan horses. These types of intruders latch onto the computer's files, and
when the computer sends out a file, they go along for the ride to do more damage at the destination.
A firewall blocks them from the outset, before they have a chance to infect your computer.
▪ Stops Hackers
Having a firewall keeps hackers out of your network. Without firewall security, a hacker could
get hold of your computer and make it part of what’s called a botnet, which is a large group
of computers used to conduct illicit activity, such as spreading viruses. Individuals you may not
suspect, such as neighbors, can also take advantage of an open Internet connection you may have.
A firewall prevents this.
▪ Stops Keyloggers
Having firewall security will reduce the risk of keyloggers monitoring you. A keylogger is
spyware that cybercriminals try to put on your computer so they can capture your
keystrokes. Once they can identify what you're typing and where, they can use that
information to log in to your private online accounts.

33
Summary-Firewall Security
▪ Can be software-based or hardware-based
▪ Both types inspect packets and either accept or deny entry
▪ Hardware firewalls tend to be more expensive and more
difficult to configure and manage
▪ Software firewalls running on a device provide protection to
that device only
▪ All modern OSs include a software firewall, usually called a
host-based firewall

34
Several types of firewalls include:
▪ Network firewalls,
▪ Host-based firewalls, and
▪ Application-based firewalls.

Firewall actions on a packet


▪ Allow (let the packet pass through)
▪ Drop (prevent the packet from passing into the network and
send no response to the sender)
▪ Reject (prevent the packet from passing into the network but
send a message to the sender)

35
Key Terms
▪ Private network: In IP networking, a private network is a network
that uses private IP address space. Both the IPv4 and the IPv6
specifications define private IP address ranges. These addresses
are commonly used for local area networks in residential, office,
and enterprise environments. A private network is any network
to which access is restricted.

▪ Public Network: A public data network is a network established
and operated by a telecommunications administration, or a
recognized private operating agency, for the specific purpose of
providing data transmission services for the public. A public
network is a network to which anyone can connect. The best, and
perhaps only pure, example of such a network is the Internet.

36
Key Terms
▪ VLANs: A virtual LAN is any broadcast domain that is partitioned and
isolated in a computer network at the data link layer. Virtual local area
network (VLAN) is a logical group of workstations, servers and
network devices that appear to be on the same LAN despite their
geographical distribution. The purpose of implementing a VLAN is to
improve the performance of a network or apply appropriate security
features.
▪ DMZ or demilitarized zone is a physical or logical subnetwork that
contains and exposes an organization's external-facing services to an
untrusted, usually larger, network such as the Internet. DMZs are
intended to function as a sort of buffer zone between the public
internet and the private network. Deploying the DMZ between two
firewalls means that all inbound network packets are screened using a
firewall or other security appliance before they arrive at the servers
the organization hosts in the DMZ.

37
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023

Lecture 10

1
Network Boundary Defense
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
Part2

2
What is an Intrusion ?
▪ An intrusion can be defined as any set of actions that attempt to
compromise the integrity, confidentiality or availability of a resource.
[Heady R. 1990]

Three classes of intruder:
- Masquerader: an illegitimate user penetrates the system using a legitimate
user’s account
- Misfeasor: a legitimate user misuses his/her privileges, accessing
resources that are not authorized
- Clandestine user: a privileged user uses supervisory control to suppress
audit control
Example of Intrusion
▪ Web server defacement
▪ Guessing/cracking passwords
▪ Copying databases containing credit card numbers
▪ Viewing sensitive data without authorization
▪ Running a packet sniffer
▪ Using an unsecured modem to access internal network
▪ Impersonating an executive to get information
▪ Using an unattended workstation
▪ Remote root compromise
What is Intrusion Detection System?
▪ An Intrusion Detection System (IDS) must identify,
preferably in real time, unauthorized use, misuse and
abuse of computer systems
▪ It is a reactive, rather than proactive, form of system
defense.

5
Intrusion Detection System (IDS)
▪ It is a device or software application that monitors a network
or systems for malicious activity or policy violations.
▪ It comprises three logical components:
✓ Sensors: collect data
✓ Analyzers: determine if intrusion has occurred
✓ User interface: view output or control system behaviour
▪ It can detect attack as it occurs
▪ Inline (means directly connected to the network) IDS
- Connected directly to the network and monitors the flow of
data as it occurs
▪ Passive IDS
- Connected to a port on a switch, which receives a copy of
network traffic

6
IDS Principles
Assumption: intruder behavior differs from that of legitimate users
- Expect overlap, as shown in the figure
- For legitimate users: observe major deviations from past history
- Problems of:
• false positives (a valid user identified as an intruder)
• false negatives (an intruder not identified)
• must compromise: a loose interpretation catches more (more false positives), a tight interpretation catches less (more false negatives)
Detection Techniques
▪ Anomaly (behavior) detection
▪ Signature/heuristic detection
Anomaly (behavior) Detection
▪ Involves the collection of data relating to the behavior of
legitimate users over a period of time
▪ Current observed behavior is analyzed to determine
whether this behavior is that of a legitimate user or that of
an intruder
Anomaly Detection
Threshold detection
- checks excessive event occurrences over time
- alone, a crude and ineffective intruder detector
- must determine both thresholds and time intervals
- many false positives/false negatives may be possible
Profile based
- characterize past behavior of users/groups
- then detect significant deviations
- based on analysis of audit records: gather metrics
Advantages of Anomaly Based Detection
▪ New threats can be detected without having to worry about database
being up to date
▪ Very little maintenance: once the system is installed, it continues to learn
about network activity and continues to build its profiles.
▪ The longer the system is in use the more accurate it can become at
identifying threats.

Disadvantages of Anomaly Based Detection


▪ The network can be in an unprotected state as the system builds its
profile.
▪ If malicious activity looks like normal traffic to the system it will never
send an alarm.
▪ False positives can become cumbersome with an anomaly based
setup. Normal usage such as checking e-mail after a meeting has the
potential to signal an alarm.

11
Signature/Heuristic Detection
▪ Uses a set of known malicious data patterns or attack rules
that are compared with current behavior
▪ Also known as misuse detection
▪ Can only identify known attacks for which it has patterns or
rules (signature)
• Very similar to anti-virus (requires frequent updates)
• Rule-based penetration identification
- rules identify known penetrations/weaknesses
- often by analyzing attack scripts from Internet (CERTs)
Example of Rules in A Signature Detection IDS
▪ Users should not be logged in to more than one session
▪ Users do not make copies of system or password files
▪ Users should not read other users’ directories
▪ Users must not write other users’ files
▪ Users who log in after hours often access the same files they
used earlier
Advantages of Signature-based IDS
▪ Simplicity,
▪ Excellent ability to detect known attacks.
▪ Low alarm rates: all it has to do is look up the list of known
signatures of attacks and, if it finds a match, report it.
▪ Signature-based detection is very accurate and efficient (provided the
number of signatures is not excessive).
▪ Speed; the systems are fast since they are only doing a
comparison between what they are seeing and a predetermined
rule.
▪ Another major benefit is that the warning that is issued is specific.
With a specific warning, an administrator can quickly determine
whether the suspected attack is real or a false alarm and, if it is
real, respond appropriately.

14
Disadvantages of Signature-based IDS
▪ Databases must constantly be updated to match patterns that
are not yet in the database.
▪ The system can only detect known attacks.
▪ Even slight variations on a known attack are likely to be missed
by signature-based systems.
▪ If someone develops a new attack, there will be no
protection.
▪ “Only as strong as its rule set.”
▪ Another problem occurs when an attacker will try to modify
a basic attack in such a way that it will not match the known
signature of that attack. For example, the attacker may
convert lowercase to uppercase letters

15
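The two detection techniques of the preceding slides side by side, as an added example that is not the lecture's code. The signature detector applies pattern rules to each request after normalising it (lower-casing is the simplest defence against the "convert lowercase to uppercase" evasion just mentioned; real sensors also decode URL escapes, which is omitted here). The threshold detector counts distinct destination ports per source inside a sliding window, which is the crude "excessive event occurrences over time" check from the anomaly-detection slide and is enough to notice the port scan described under the application-layer firewall. The log lines and their format (ISO time, source, destination, port, request or TCP flag) are constructed for the example.

```python
"""Two IDS techniques side by side, added as an illustration (not the
lecture's code): signature matching with normalisation, and threshold
(anomaly) detection of excessive events per source over a time window.
The log lines and their format are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "<ISO time> <src> <dst> <dport> <request-or-TCP-flag>"
LOG = """\
2023-10-01T10:00:00 198.51.100.7 192.0.2.10 80 GET /index.html
2023-10-01T10:00:01 198.51.100.7 192.0.2.10 80 GET /../../etc/passwd
2023-10-01T10:00:02 198.51.100.7 192.0.2.10 80 GET /cgi-bin/test?cmd=../../ETC/PASSWD
2023-10-01T10:00:05 203.0.113.9 192.0.2.10 21 SYN
2023-10-01T10:00:05 203.0.113.9 192.0.2.10 22 SYN
2023-10-01T10:00:05 203.0.113.9 192.0.2.10 23 SYN
2023-10-01T10:00:06 203.0.113.9 192.0.2.10 25 SYN
2023-10-01T10:00:06 203.0.113.9 192.0.2.10 80 SYN
2023-10-01T10:00:07 203.0.113.9 192.0.2.10 443 SYN
2023-10-01T10:00:30 192.0.2.55 192.0.2.10 80 GET /about.html
2023-10-01T10:05:00 192.0.2.55 192.0.2.10 443 SYN
"""

SIGNATURES = {  # rule name -> pattern applied to the normalised request
    "path-traversal": re.compile(r"\.\./"),
    "passwd-file": re.compile(r"/etc/passwd"),
}


def parse(line):
    ts, src, dst, dport, payload = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "payload": payload}


def normalise(payload):
    # Lower-casing defeats the case-change evasion mentioned on the slide.
    return payload.lower()


def signature_alerts(events):
    """Misuse detection: report every event that matches a known pattern."""
    alerts = []
    for ev in events:
        text = normalise(ev["payload"])
        for name, rx in SIGNATURES.items():
            if rx.search(text):
                alerts.append((ev["ts"], ev["src"], name))
    return alerts


def threshold_alerts(events, max_ports=5, window=timedelta(seconds=10)):
    """Threshold detection: flag a source that touches more than max_ports
    distinct destination ports within `window` (a crude port-scan detector).
    Each source is reported once."""
    alerts = []
    seen = defaultdict(list)   # src -> [(ts, dport)] inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        hist = seen[ev["src"]]
        hist.append((ev["ts"], ev["dport"]))
        hist[:] = [(t, p) for t, p in hist if ev["ts"] - t <= window]
        ports = {p for _, p in hist}
        if len(ports) > max_ports and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append((ev["ts"], ev["src"], f"port-scan:{len(ports)} ports/{window.seconds}s"))
    return alerts


def run(log=LOG):
    events = [parse(l) for l in log.splitlines() if l.strip()]
    return signature_alerts(events), threshold_alerts(events)


if __name__ == "__main__":
    sig, thr = run()
    for a in sig + thr:
        print(*a)
```

On the constructed log the signature rules fire four times, all on the single client sending traversal requests (including the upper-cased variant), while the threshold rule fires once for the host that touched six ports in two seconds; the host that used two ports five minutes apart is never reported, which is the trade-off between the window, the threshold and false positives that the anomaly-detection slides describe.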
Intrusion Detection System Types
▪ Host based Intrusion Detection System (HIDS)
▪ Network based Intrusion Detection System (NIDS)
▪ Application Protocol based Intrusion Detection System (APIDS)

16
Host based IDS (HIDS)
▪ It refers to intrusion detection that takes place on a single
host system; specialized software to monitor system
activity to detect suspicious behavior
▪ Currently, HIDS involves installing an agent on the local
host that monitors and reports on the system configuration
and application activity.
▪ Some common abilities of HIDS systems include log
analysis, event correlation, integrity checking, policy
enforcement, rootkit detection, and alerting. They often
also have the ability to baseline a host system to detect
variations in system configuration.

17
Advantages of Host based Intrusion Detection Systems:
- Verifies success or failure of an attack
- Monitors System Activities
- Detects attacks that a network-based IDS fails to detect
- Does not require additional hardware
- Lower entry cost

18
Network-Based IDS (NIDS)
▪ A Network-based Intrusion Detection System (NIDS) is used
to monitor and analyze network traffic to protect a system
from network-based threats. A NIDS reads all inbound
packets and searches for any suspicious patterns.
▪ When threats are discovered, based on its severity, the
system can take action such as :
• notifying administrators, or
• barring the source IP address from accessing the network.

19
Advantages of NIDS:
- Lower cost of ownership
- Easier to deploy
- Detect network based attacks
- Retaining evidence
- Real Time detection and quick response.
- Detection of failed attacks

20
Application Protocol based Intrusion Detection System
(APIDS)

▪ It is like a host-based IDS designed to monitor a specific
application (similar to antivirus software designed
specifically to monitor your mail server).
▪ An application-based IDS is extremely accurate in detecting
malicious activity for the applications it protects. However,
this type of specialized IDS may fail to detect attacks not
specifically targeted at that application.
▪ Hackers have also been known to shut down application-
based IDS systems.

21
The functions of an IDS include:
▪ Intrusion detection
▪ Evidence gathering on invasive behaviour
▪ Automatic reaction (such as connection termination and warning message)
▪ Security policy
▪ Interaction with system tools
▪ Security policy management

An IDS is unable to address the following flaws/weaknesses :


▪ Vulnerabilities at the application level
▪ Weaknesses in the policy definition
▪ Back doors into applications
▪ Identification and authentication system flaws

22
Comparison between Firewalls and IDS
▪ IDS and firewall both are related to network security but an
IDS differs from a firewall as a firewall looks outwardly for
intrusions in order to stop them from happening.
▪ In order to prevent intrusion, firewalls limit access across
networks, and if an attack originated from within the
network, it is undetectable. After an intrusion has really
occurred, an IDS characterizes it and then raises an alert.

23
Detection/Monitoring Methods of IDS
▪ Anomaly based monitoring
• Compares current detected behavior with baseline
▪ Signature based monitoring
• Looks for well known attack signature patterns
▪ Behavior based monitoring
• Detects abnormal actions by processes or programs
• Alerts user who decides whether to allow or block activity
▪ Heuristic monitoring (heuristic: to find or to discover)
• Uses experience based techniques

24
Intrusion Prevention System (IPS)
▪ An intrusion prevention system (IPS) is a network security and threat
prevention tool.
▪ Intrusion prevention aims to build a proactive network security
strategy so that possible attacks may be quickly discovered and
countered.
▪ Intrusion prevention systems are thereby used to examine network
traffic flows in order to find malicious software and to prevent
vulnerability exploits.

25
▪ IPS or intrusion prevention system, is the next level of security
technology with its capability to provide security at all system levels from
the operating system kernel to network data packets.
▪ It provides policies and rules for network traffic along with an IDS for
alerting system or network administrators to suspicious traffic, but
allows the administrator to provide the action upon being alerted.
▪ Where IDS informs of a potential attack, an IPS makes attempts to stop
it.
▪ Another huge leap over IDS is that an IPS is able not only to
prevent known intrusion signatures, but also some unknown attacks,
thanks to its database of generic attack behaviors.
▪ Thought of as a combination of IDS and an application layer firewall for
protection, IPS is generally considered to be the "next generation" of IDS.

26
▪ IPS and IDS work best when integrated with additional and existing
security solutions.
▪ IDS is considered a passive detection monitoring system while IPS is
an active prevention system
▪ Currently, there are two types of IPSs that are similar in nature to IDS.
They consist of host-based intrusion prevention systems (HIPS)
products and network-based intrusion prevention systems (NIPS).

27
Why use an IDPS?
Intrusion detection:
- Primary purpose to identify and report an intrusion
- Can quickly contain attack and prevent/mitigate loss or
damage
- Detect and deal with preambles to attacks
▪ Data collection allows the organization to examine what
happened after an intrusion and why.
▪ Can help management with quality assurance and
continuous improvement

Principles of information security, 5th edition

28
Comparison between Firewalls and IDS
Firewalls                                                              | Intrusion Detection System (IDS)
Acts as a barrier controlling traffic based on rules.                  | Monitors network traffic and system activities for suspicious behaviour.
Focuses on preventing unauthorized access and protecting the network.  | Focuses on detecting and alerting about potential security breaches.
Can be hardware or software based.                                     | Can be host-based or network-based.
Typically deployed at the network perimeter.                           | Placed at various network points.

29
Ref: https://ipwithease.com/firewall-vs-ips-vs-ids/
30
Security Information and Event Management
(SIEM) Software

31
Security Information and Event Management
(SIEM)
▪ SIEM solutions provide a holistic view of what is happening on a
network in real-time and help IT teams to be more proactive in the
fight against security threats.
▪ What is unique about SIEM solutions is that they combine Security
Event Management (SEM); which carries out analysis of event and log
data in real-time to provide event correlation, threat monitoring and
incident response - with Security Information Management (SIM) which
retrieves and analyses log data and generates a report. For the
organization that wants complete visibility and control over what is
happening on their network in real-time, SIEM solutions are critical.
▪ SIEM software works by collecting log and event data that is generated
by host systems, security devices and applications throughout an
organization's infrastructure and collating it on a centralized platform.

32
▪ From antivirus events to firewall logs, SIEM software identifies this data
and sorts it into categories, such as malware activity, failed and
successful logins and other potentially malicious activity.
▪ When the software identifies activity that could signify a threat to the
organization, alerts are generated to indicate a potential security issue.
These alerts can be set as either low or high priority using a set of pre-
defined rules. For example, if a user account generates 20 failed login
attempts in 20 minutes, this could be flagged as suspicious activity, but
set at a lower priority as it is most likely to be a user that has forgotten
their login details. However, if an account experiences 120 failed login
attempts in 5 minutes this is more likely to be a brute-force attack in
progress and flagged as a high severity incident.
SIEM Features
▪ Aggregation: combines data from multiple sources
▪ Correlation: searches data acquired through aggregation
to look for common characteristics of multiple attacks
coming from a specific source
▪ Automated alerting and triggers: can inform of critical
issues
▪ Time synchronization: can show the order of events
▪ Event deduplication: helps filter multiple alerts into a single
alarm
▪ SIEM logs: records of events to be retained for future
analysis.

34
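The failed-login example from the SIEM description (20 failures in 20 minutes flagged low, 120 failures in 5 minutes flagged high) and the aggregation, correlation and deduplication features listed on the previous slide, worked through as an added example that is not the lecture's code. Events from two separate sources are normalised to one record shape and merged by time (aggregation), failures per account are counted in sliding windows (correlation), and each account produces one alert at the highest priority it reached rather than one alert per failure (deduplication). The event records, the source names and the account names are constructed.

```python
"""SIEM-style aggregation and correlation of failed logins, added as an
illustration (not the lecture's code). It applies the two thresholds the
slide quotes: 20 failures in 20 minutes -> low priority, 120 failures in
5 minutes -> high priority. The events, sources and accounts are
constructed; the record shape (source, account, ts, ok) is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RULES = [  # (name, failures, window, priority), highest priority first
    ("brute-force", 120, timedelta(minutes=5), "high"),
    ("repeated-failed-login", 20, timedelta(minutes=20), "low"),
]
RANK = {"high": 2, "low": 1}


def make_events():
    """Constructed sample from two log sources (a VPN gateway and a web app),
    already normalised to one schema so they can be aggregated."""
    base = datetime(2023, 10, 1, 9, 0, 0)
    ev = []
    # alice: 25 failures spread over ~19 minutes on the VPN (forgotten password)
    for i in range(25):
        ev.append({"source": "vpn", "account": "alice",
                   "ts": base + timedelta(seconds=48 * i), "ok": False})
    # svc-backup: 150 failures inside four minutes against the web app
    for i in range(150):
        ev.append({"source": "webapp", "account": "svc-backup",
                   "ts": base + timedelta(seconds=1.6 * i), "ok": False})
    # bob: three failures then a success, which is normal use
    for i in range(3):
        ev.append({"source": "webapp", "account": "bob",
                   "ts": base + timedelta(minutes=i), "ok": False})
    ev.append({"source": "webapp", "account": "bob",
               "ts": base + timedelta(minutes=4), "ok": True})
    return ev


def correlate(events, rules=RULES):
    """Sliding-window count of failures per account across all sources.
    Returns one alert per account at the highest priority reached."""
    fails = defaultdict(list)   # account -> timestamps of failures
    best = {}                   # account -> (rank, rule name, priority, count)
    for ev in sorted(events, key=lambda e: e["ts"]):   # merge sources by time
        if ev["ok"]:
            continue
        hist = fails[ev["account"]]
        hist.append(ev["ts"])
        for name, n, window, prio in rules:
            recent = sum(1 for t in hist if ev["ts"] - t <= window)
            if recent >= n:
                cur = best.get(ev["account"])
                if cur is None or RANK[prio] > cur[0]:
                    best[ev["account"]] = (RANK[prio], name, prio, recent)
                break   # the highest-priority rule that fires wins for this event
    return {acct: {"rule": v[1], "priority": v[2], "failures": v[3]}
            for acct, v in best.items()}


if __name__ == "__main__":
    for account, alert in correlate(make_events()).items():
        print(account, alert)
```

The output carries one low-priority alert for the forgetful user and one high-priority alert for the account under brute force; the user who failed three times and then succeeded generates nothing, which is what keeps the console usable.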
35
36
37
Benefits of SIEM include:
• Increased efficiency
• Preventing potential security threats
• Reducing the impact of security breaches
• Reducing costs
• Better reporting, log analysis and retention
• IT compliance

Because SIEM solutions are able to collect event logs from multiple
applications and devices, they allow IT staff to identify, review and
respond to potential security breaches faster. Identifying a threat in its
early stages ensures that the organization suffers only minor impact, if any at all.
A SIEM product can be:
- A separate device
- Software that runs on a computer
- A service that is provided by a third party
SIEM TOOLS
▪ SolarWinds Security Event Manager.
▪ Micro Focus ArcSight ESM.
▪ SolarWinds Threat Monitor.
▪ Splunk Enterprise Security.
▪ LogRhythm NextGen SIEM.
▪ IBM QRadar.
▪ AlienVault Unified Security Management.
▪ Sumo Logic.
▪ In summary, SIEM allows IT teams to see the bigger picture
by collecting security event data from multiple sources in
one place. A single alert from an antivirus filter may not be
a cause of panic on its own, but if traffic anomaly alerts are
received from the firewall at the same time, this could
signify that a severe breach is in progress. SIEM collects all
of these alerts in a centralized console, allowing fast and
thorough analysis.
CYBERSPACE SECURITY
Dr. Ameera Al-Karkhi
PhD., PEng. Computer Engineering
Subject Code: ENGI59116
2023

Lecture 11

1
Vulnerability Scanning and
Penetration Testing

2
Vulnerability Scanning

3
Vulnerability Scanning
▪ Vulnerability scanners are automated tools that scan hosts
and networks for known vulnerabilities (weaknesses)
▪ Creates a report for potential exposures
▪ An organized approach to the testing, identification, analysis
and reporting of potential security issues on a network
▪ Every time a computer connects to the Internet, there is a
risk of a hacker taking advantage of some new vulnerability.
▪ Attackers use vulnerability scans too

4
What is Vulnerability Scan?
▪ Vulnerability Scan: an automated software search through a
system for known security weaknesses, which are then reported
▪ It creates reports for potential exposures and should be compared
against baseline scans.
▪ They are utilized in the identification and detection of
vulnerabilities arising from mis-configurations or flawed
programming within a network-based asset such as a firewall,
router, web server, application server, etc.
▪ The modern vulnerability scanner often has the ability to customize
vulnerability reports as well as the installed software, open ports,
certificates and other host information that can be queried as part
of its workflow.

5
Methods for Performing Vulnerability Scan
➢ Credentialed (Non-intrusive) Vulnerability Scan:
▪ Uses only available information to hypothesize the status of
the vulnerability (could be through social engineering)
▪ By providing credentials (user name and password) to the
scanner, tests for additional internal vulnerabilities can be
performed. It is a safer version of the vulnerability scan.
➢ Non-credentialed (Intrusive) Vulnerability Scan:
▪ It monitors the network and sees any vulnerabilities that an
attacker would easily find; does not use credentials
▪ It is an attempt to actually penetrate the system to perform a
simulated attack.

6
▪ Vulnerability exploit: code that takes
advantage of a software vulnerability or security
flaw
▪ Exploit: allows an intruder to remotely access a
network and gain elevated privileges

7
Intrusive and Non-intrusive Vulnerability Scans

CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition


8
How Vulnerability Scanners Work
▪ Similar to virus scanning software
▪ Contain a database of vulnerability signatures that the tool
searches for on a target system
▪ A vulnerability scanner collects all of the information from
network and then scans for network system ports,
identifying any password breaches and determines if there
are any missing security fixes
▪ Not only identifies the vulnerabilities but also offers advice on
how to repair them.

9
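How a scanner's "database of vulnerability signatures" is applied to what it collected from a host, and the comparison against a baseline scan recommended on the earlier slide, as an added example that is not the lecture's or any real scanner's code. It matches installed software versions against a constructed database of "fixed in version" entries, adds version-independent findings for listening services, and diffs the result against the previous scan so new and resolved exposures are separated. The host inventory, the product names and the finding identifiers (VULN-0001 and so on) are placeholders, not real advisories.

```python
"""Applying a vulnerability-signature database to host inventory, with a
baseline comparison. Added illustration, not the lecture's or any
scanner's code: the inventory, product names and finding IDs
(VULN-0001 ...) are constructed placeholders, not real advisories.
"""


def parse_version(v):
    """'2.4.49' -> (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed signature database: product -> [(fixed_in_version, id, advice)]
VULN_DB = {
    "examplehttpd": [("2.4.51", "VULN-0001", "upgrade examplehttpd to 2.4.51 or later")],
    "examplessh":   [("8.9", "VULN-0002", "upgrade examplessh to 8.9 or later")],
}

# Constructed version-independent findings keyed on listening port
RISKY_PORTS = {
    23: ("VULN-0003", "telnet listening: disable the service and use SSH instead"),
}


def scan_host(host):
    """host: {'name', 'software': {product: version}, 'open_ports': [...]}
    Returns the set of (finding_id, advice) pairs for that host."""
    findings = set()
    for product, version in host["software"].items():
        for fixed_in, vid, advice in VULN_DB.get(product, []):
            # vulnerable when the installed version is older than the fixed one
            if parse_version(version) < parse_version(fixed_in):
                findings.add((vid, advice))
    for port in host["open_ports"]:
        if port in RISKY_PORTS:
            findings.add(RISKY_PORTS[port])
    return findings


def compare_to_baseline(current, baseline):
    """Split findings into regressions (new since the baseline) and fixes."""
    return {"new": current - baseline, "resolved": baseline - current}


# Constructed inventory as a scanner might have collected it
HOSTS = [
    {"name": "web01", "software": {"examplehttpd": "2.4.49", "examplessh": "8.9"},
     "open_ports": [22, 80, 443]},
    {"name": "jump01", "software": {"examplessh": "8.4"}, "open_ports": [22, 23]},
]


def scan_all(hosts=HOSTS):
    return {h["name"]: scan_host(h) for h in hosts}


if __name__ == "__main__":
    baseline = scan_all()
    # jump01 after remediation: SSH upgraded and telnet switched off
    remediated = scan_host({"name": "jump01", "software": {"examplessh": "8.9"},
                            "open_ports": [22]})
    for name, findings in baseline.items():
        print(name, sorted(findings))
    print("jump01 vs baseline:", compare_to_baseline(remediated, baseline["jump01"]))
```

Comparing against the baseline is what turns a long report into an actionable one: after the rescan, jump01's two findings show up under "resolved" and nothing under "new", while a regression (a downgraded package, a service re-enabled) would appear under "new" even if the overall count stayed the same.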
Vulnerability Scanning

10
What is Vulnerability Assessment?
▪ A vulnerability assessment is:
- the process of identifying, quantifying, and prioritizing (or
ranking) the vulnerabilities in a system
- Examples of systems for which vulnerability assessments
are performed include, but are not limited to, information
technology systems, energy supply systems, water supply
systems, transportation systems, and communication
systems.
- Such assessments may be conducted on behalf of a range
of different organizations, from small businesses up to
large regional infrastructures.

11
Elements of Vulnerability Assessment

▪ Asset identification
▪ Threat evaluation
▪ Vulnerability evaluation
▪ Risk assessment
▪ Risk mitigation

12
▪ Asset Identification: the process of inventorying (making a complete list of)
assets with economic value
• Identify what needs to be protected. Examples of common assets are:
- People
- Physical assets
- Data
- Hardware
- Software

• After an inventory of the assets has been taken, it is important to determine
each item’s relative value
Factors to consider in determining value:
- Asset’s criticality to the organization’s goals
- How much revenue the asset generates
- How difficult the asset is to replace
- Impact of the asset’s unavailability on the organization

13
▪ Threat evaluation
- List potential threats that come from threat agents
- A threat agent is any person or thing with the power to carry out a threat
against an asset

▪ Threat modeling
- Goal: understand attackers and their methods

▪ Attack tree: provides a visual representation of potential attacks, drawn as
an inverted tree structure

Attack tree for logging in to a restricted account

14
▪ Vulnerability evaluation
- Finding the current weaknesses
- Requires knowledge of the organization’s current security
- Every asset should be viewed in light of each threat, and each
vulnerability catalogued

▪ Risk assessment
- Determine the damage that would result from an attack
- Assess the probability that the vulnerability is a risk to the organization

15
Vulnerability impact scale

CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition

16
▪ Risk mitigation
- Figure out what to do about risks
- Figure out how much risk can be tolerated

Vulnerability assessment actions and steps

CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition

17
Vulnerability Assessment Tools
▪ Port Scanners
• TCP/IP communication involves information exchange between one
system’s program and another system’s corresponding program
• TCP/IP divides port numbers into three categories:
- Well-known port numbers (0-1023); reserved for the most universal
applications
- Registered port numbers (1024-49151); other applications not as
widely used
- Dynamic and private port numbers (49152-65535); available for
any application to use
• Port number
- A unique identifier for applications and services
- 16 bits in length

18
Vulnerability Assessment Tools

Common Protocols, Communication Protocols and Ports

19
▪ Protocol analyzers
- Hardware or software that captures packets in order to decode and
analyze their contents
- Also known as sniffers
▪ Common uses for protocol analyzers
- Used by network administrators for troubleshooting
- Characterizing network traffic
- Security analysis

Protocol analyzer / Wireshark software

20
Vulnerability Assessment Tools
▪ Vulnerability scanner is a generic term for a range
of products that look for vulnerabilities in
networks/systems; most of them maintain a database
that categorizes and describes the vulnerabilities they can
detect
▪ A vulnerability scanner can:
- Alert when new systems are added to network
- Detect when an application is compromised
- Detect when an internal system begins to port scan other systems
- Detect which ports are served and which ports are browsed for each
individual system
- Identify which applications and servers host or transmit sensitive data
- Maintain a log of all interactive network sessions
- Passively determine the type of OS of each active system
- Track all client and server application vulnerabilities
- Track which systems communicate with other internal systems

21
Vulnerability Assessment Tools
▪ Honeypots and Honeynets
- Honeypot: a computer protected by minimal security
• Intentionally configured with vulnerabilities
• Contains bogus data files
• Aim: to trick attackers into revealing their techniques
• It can then be determined whether actual production systems could thwart
such an attack
- Honeynet: a network set up with one or more honeypots
• Set up with intentional vulnerabilities

22
Vulnerability Scanners- Benefits
▪ Very good at checking for hundreds (or thousands) of
potential problems quickly
▪ Can be automated to run weekly, monthly, quarterly, etc.
▪ Affordable
▪ Identifies a lack of security controls (lack of up-to-date
patches or antivirus software)
▪ Passively tests security controls (testing doesn’t interfere
with normal operations)

23
Vulnerability Scanners- Drawbacks
▪ A vulnerability scanning tool will find far from all
vulnerabilities
▪ Cannot find vulnerabilities that are not in its database
▪ Constant updates are required
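Added example covering both the “How Vulnerability Scanners Work” slide and the drawbacks above (constructed for this section, not course or vendor code): the signature-matching core of a scanner, run over a constructed software inventory and a constructed signature database. Product names, versions and the SIG-* identifiers are invented for illustration and are not real CVEs; a real scanner would carry a CVE number per signature. The second function makes the main drawback visible: a product with no signature in the database produces no finding at all, however vulnerable it is.

```python
"""Added example: signature matching in a vulnerability scanner.
All products, versions and SIG-* ids below are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.4.49' or '1.0.1f' into a comparable tuple.

    A trailing letter (OpenSSL-style '1.0.1f') becomes an extra numeric
    component, so '1.0.1' < '1.0.1f' < '1.0.1g' under tuple comparison.
    """
    parts: List[int] = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        letters = "".join(ch for ch in piece if ch.isalpha())
        parts.append(int(digits) if digits else 0)
        if letters:
            parts.append(ord(letters[0].lower()) - ord("a") + 1)
    return tuple(parts)


@dataclass(frozen=True)
class Signature:
    sig_id: str          # constructed id (a real scanner would carry a CVE id)
    product: str
    first_affected: str  # inclusive lower bound
    fixed_in: str        # exclusive upper bound: this version and later are patched
    severity: str
    remediation: str


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    sig_id: str
    severity: str
    remediation: str


# Constructed signature database
SIGNATURE_DB = [
    Signature("SIG-001", "tlslib", "1.0.1", "1.0.1g", "High",
              "Upgrade tlslib to 1.0.1g or later and rotate exposed keys"),
    Signature("SIG-002", "webserver", "2.4.49", "2.4.51", "Critical",
              "Upgrade webserver to 2.4.51 or later"),
]

# Constructed inventory: (host, product, version), as a credentialed scan collects it
INVENTORY = [
    ("web01", "tlslib", "1.0.1f"),
    ("web01", "webserver", "2.4.50"),
    ("web02", "tlslib", "1.0.1g"),
    ("ftp01", "ftpd", "3.0.3"),
]


def scan(inventory, database=SIGNATURE_DB) -> List[Finding]:
    """Report every inventory item whose version falls inside a signature's
    affected range, together with the signature's remediation advice."""
    findings: List[Finding] = []
    for host, product, version in inventory:
        installed = parse_version(version)
        for sig in database:
            if sig.product != product:
                continue
            if parse_version(sig.first_affected) <= installed < parse_version(sig.fixed_in):
                findings.append(Finding(host, product, version, sig.sig_id,
                                        sig.severity, sig.remediation))
    return findings


def uncovered_products(inventory, database=SIGNATURE_DB) -> List[str]:
    """Products for which the database has no signature at all: the scanner
    stays silent about them, which is the 'not in the database' drawback."""
    known = {sig.product for sig in database}
    return sorted({product for _, product, _ in inventory if product not in known})


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.host}: {f.product} {f.version} matches {f.sig_id} "
              f"({f.severity}) -> {f.remediation}")
    print("no signatures for:", uncovered_products(INVENTORY))
```

Version comparison is where real scanners spend much of their effort (vendor back-ports, distribution-specific version strings); the tuple comparison here is enough to show why a fixed-in boundary has to be exclusive.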

24
Types of Vulnerability Scanner
▪ Port scanner (Nmap, Nessus)
▪ Network vulnerability scanner (Nessus, OpenVAS, INFRA scan)
▪ Web application security scanner (N-Stalker, Promisec, Acunetix,
OWASP ZAP, Nikto2)
▪ Database security scanner (MSSQL, Nmap, Zenmap)
▪ Host-based vulnerability scanner (TARA, WebTrends)
▪ ERP security scanner (ERPScan SAP, Onapsis)
▪ Single vulnerability tests (Nexus)

25
Vulnerability Scanners (Free / Commercial)
Free
Nessus – www.nessus.org
SAINT – www.wwdsi.com/saint
VLAD – razor.bindview.com/tools
SARA – www.arc.com/sara
N-Stalker – www.nstalker.com
Commercial
CyberCop Scanner:
www.mcafeeb2b.com/services/cybercop-asap.asp
ISS Internet Scanner: www.iss.net
Qualys’ QualysGuard: subscription based, www.qualys.com

26
▪ In the lab we used Nessus, a vulnerability scanner that looks for
weaknesses in the network; each finding is associated with a CVE number, and
the CVE is the main reference source for the vulnerability
▪ This vulnerability allows an attacker to access sensitive information,
such as passwords, private keys, and other data, from the memory of a
vulnerable server. This is accomplished by sending a specially crafted
heartbeat message to the server, causing it to return a portion of its
memory contents to the attacker.

Common Vulnerabilities and Exposures (CVE)


CVEdetails.com
https://www.cvedetails.com/cvss-score-charts.php

National Vulnerability Database

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=
overview&search_type=all&cve_id=CVE-2014-0195&isCpeNameSearch=false

MITRE ATT&CK
https://attack.mitre.org/
https://attack.mitre.org/techniques/T1189/
https://attack.mitre.org/groups/G0007/
https://attack.mitre.org/techniques/T1133/

28
Penetration Testing

29
Penetration Testing
▪ Designed to exploit the system’s weaknesses
▪ Relies on the tester’s skill and knowledge
▪ Conducted by an independent contractor
▪ Tests are conducted from outside the security perimeter
▪ End result: a penetration test report, a short
analysis of how the attack was successful and what
damage was done to the data

30
Penetration Testing
▪ The practice of examining an application or infrastructure
for vulnerabilities in an effort to exploit those flaws is
known as penetration testing, pen testing, or ethical
hacking.
▪ It is an attack on a computer with the intention of finding
security weaknesses.
▪ It is performed by sys admin(s) or trusted agents

31
How Penetration Test is Different from Hacking?
▪ Black hat hackers violate computer security for malicious purposes or
personal gain
▪ White hat hackers break security for non-malicious purposes,
usually when performing authorized security tests
▪ Grey hat hackers rationalize that they are acting morally when
they are not; for example, breaking into systems for fun, then
emailing the system admin to let them know that there is a
security hole

32
Penetration Testing Goals
- Find network or application vulnerabilities
- Determine the feasibility of a particular set of attack vectors
- Determine how much impact a successful attack would have on
operations and the business
- Check the capacity of the network defences

33
What is the Difference Between Penetration Testing &
Vulnerability Assessment?

▪ Both penetration testing and vulnerability assessments must
be included in a company's security plan.
▪ Vulnerability assessments should be performed frequently
across infrastructure and applications.
▪ A vulnerability assessment checks for known vulnerabilities
and security misconfigurations for which a plugin has been
developed to perform the specific check it is written to
detect.
▪ Dedicated software tools such as Nessus and Qualys are
commonly used. A vulnerability assessment doesn't concentrate on
exploiting flaws, on the outcomes of chaining many flaws together,
or on carefully using the information acquired to develop an
original attack.

34
▪ A vulnerability assessment will often cover a much wider range
of targets and offer a comprehensive list of known
vulnerabilities, identified and ranked with a Common
Vulnerability Scoring System (CVSS) score. Moreover, there is
always a chance of false positives, because a vulnerability
assessment does not confirm its findings.
▪ The Common Vulnerability Scoring System (CVSS) is a
vulnerability security metric (method) used to supply a
qualitative measure of severity. CVSS is not a measure of risk.
▪ The purpose of CVSS is to provide a way to capture the
principal characteristics of a vulnerability and produce a
numerical score reflecting its severity.
▪ Two common uses of CVSS are calculating the severity of
vulnerabilities discovered on one's own systems and as a factor in
prioritizing vulnerability remediation activities.
https://nvd.nist.gov/vuln-metrics/cvss#:~:text=The%20Common%20Vulnerability%20Scoring%20System,Base%2C%20Temporal%2C%20and%20Environmental.

35
Vulnerability Scanning vs. Penetration Testing
▪ Two important vulnerability assessment procedures
✓ Vulnerability scanning
✓ Penetration testing
▪ The two activities are similar and are often confused with each other

Vulnerability Scan and Penetration Test Features


36
Summary
▪ Vulnerability assessment: a methodical evaluation of the
exposure of assets to risk
▪ One tool used to assist in determining potential threats is a
process known as threat modeling
▪ Several techniques can be used in a vulnerability
assessment
▪ Port scanners, banner grabbing, protocol analyzers,
honeypots, and honeynets are used as assessment tools

37
▪ A vulnerability scan searches a system for known security
weaknesses and reports its findings
▪ Penetration testing is designed to exploit any discovered
system weaknesses
▪ Standard techniques used to mitigate and deter attacks
include proper configuration of controls, hardening,
and reporting.

38
Amazon Web Service
(AWS)
AWS has an extensive, reliable, and secure global cloud infrastructure with over 175 services for
a wide range of use cases.
AWS Services
Compute
Storage
Database
Analytics
Networking and Content delivery
Developer Tools
Business Applications
Management and Governance
Machine Learning
Internet of Things
Security, Identity, and Compliance
AWS Benefits
On-demand access to over 175 cloud-based services
No upfront capital expenses or commitments
The ability to try a lot of experiments
Not having to live with the collateral damage of failed experiments
Pay-as-you-go pricing
Toolbox of high-end services
AWS Regions
AWS has the concept of a Region, which is a
physical location around the world where data
centers are clustered together.
A group of logical data centers is called an
Availability Zone.
Each AWS Region consists of multiple, isolated, and
physically separate Availability Zones within a
geographic
AWS Availability Zone
An Availability Zone is a zoned area within a Region that can
harbor one or more data centers (typically three). Availability
Zones house all the hardware devices that AWS offers.
With their own power infrastructure, the Availability Zones are
physically separated by a meaningful distance (up to 100 km or
60 miles) from any other Availability Zone in the Region.
Availability Zones are interconnected with high-bandwidth, low-
latency networking, to provide low-latency networking between
zones that is sufficient to accomplish synchronous replication
(same time replication).
AWS Edge
Edge locations are connected to the AWS Regions
through the AWS network across the globe. They link
with tens of thousands of networks for improved origin
fetches and dynamic content acceleration.
Edge locations cache copies of your content for faster
delivery to users at any location. They support AWS
services like Amazon Route 53 and Amazon CloudFront.
AWS has over 200 edge locations that are placed in 90
cities, across 47 countries.
AWS Global Infrastructure Benefits
Performance
◦ The AWS Global Infrastructure offers high-performing, low latency cloud infrastructure with virtually
unlimited capacity, which provides high availability.

Availability
◦ Availability Zones are designed for physical redundancy and to provide resilience. They provide
uninterrupted performance, even in the event of power outages, internet downtime, floods,
and other natural disasters.

Security
◦ The infrastructure is monitored 24/7 to help ensure the confidentiality, integrity, and availability of AWS
customers' data. Customers can build on the most secure global infrastructure and know that they
always own their data. They can encrypt their data, move it, and manage retention.
AWS Global Infrastructure Benefits
(Cont…)
Reliability
◦ The AWS Global Infrastructure is designed and built for redundancy and reliability, from regions to
networking links to load balancers to routers to firmware.

Scalability
◦ With the AWS Global Infrastructure, companies can be flexible and take advantage of the conceptually
infinite scalability of the cloud. Companies can quickly get resources as they need them, deploying
hundreds or even thousands of servers in minutes.

Low Cost
◦ The AWS Global Infrastructure provides the industry’s most extensive data center footprint. As a result,
more customers can benefit from cloud economics and reduce the Total Cost of Ownership (TCO) of
their overall IT infrastructure
AWS Well-Architected Framework
Operational Excellence
Operational Excellence is the ability to run and monitor systems to deliver business value and to
continually improve supporting processes and procedures.
Design principles for operational excellence in the cloud include performing operations as code,
annotating documentation, anticipating failure, and frequently processing.
Security
The Security pillar is the ability to protect information, systems, and assets while delivering
business value through risk assessments and mitigation strategies.
When considering the security of your architecture, apply these best practices:
◦ Automate security best practices when possible.
◦ Apply security at all layers.
◦ Protect data in transit and at rest.
Reliability
Reliability is the ability of a system to:
◦ Recover from infrastructure or service disruptions
◦ Dynamically acquire computing resources to meet demand
◦ Mitigate disruptions such as transient network issues or misconfigurations

Reliability also includes:


◦ Testing recovery procedures
◦ Scaling horizontally to increase aggregate system availability
◦ Automatically recovering from failure
Performance Efficiency
Performance Efficiency is the ability to use computing resources efficiently to meet system
requirements and to maintain that efficiency as demand changes and technologies evolve.
Evaluating the performance efficiency of your architecture includes experimenting more often,
using serverless architectures, and designing systems to be able to go global in minutes.
Cost Optimization
Cost Optimization is the ability to run systems to deliver business value at the lowest price point.
Cost optimization includes adopting a consumption model, analyzing and attributing
expenditure, and using managed services to reduce the cost of ownership.
Amazon Virtual Private Cloud (Amazon VPC)
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon Relational Database Service
(Amazon RDS)
Amazon CloudWatch
Amazon Simple Notification Service
(Amazon SNS)
AWS Identity and Access Management (IAM)


Amazon Simple Storage Service - S3
AWS Lambda
Amazon DynamoDB
AWS
Amazon Web Services
AWS
 Cloud service provider with the largest market share
 Over 200 services

[1]
AWS Regions and Availability Zones
 Region, e.g. North Virginia, Sydney
 Each Region has an identifier, e.g. North Virginia – us-east-1
 A Region has multiple Availability Zones, e.g. us-east-1a, us-east-1b, us-east-1c
 Zones in a Region are interconnected with a low-latency network
 Each Region has at least two Availability Zones

[1]
Communicating and Managing AWS Cloud
 AWS Management Console – GUI
 https://console.aws.amazon.com
 AWS CLI – has to be downloaded and installed
 AWS SDK – to communicate with AWS programmatically
 AWS CloudShell – browser-based shell
AWS Organization

 An account management service
 Consolidates multiple AWS accounts
 The account used to create the AWS organization is the management account
 Other accounts that are added are member accounts
 Organizational Units (OUs) – group multiple AWS accounts
AWS Compute
 EC2 (Elastic Compute Cloud)

[1]
AWS Disk
 EBS (Elastic Block Store)
 Used as the boot disk for EC2
File Store
 EFS – Elastic File System
 NFS file system for use with
AWS Cloud services
On-premises resources
AWS Storage
 S3 (Simple Storage Service)
 S3 storage classes
 S3 Standard
 Data stored redundantly across multiple devices in multiple facilities
 Sustains the loss of 2 facilities concurrently; 99.99% availability
 S3 Standard-IA (Infrequent Access)
 For data that is accessed less frequently but requires rapid access
 Cheaper than S3 Standard
 Sustains the loss of 2 facilities concurrently; 99.99% availability
 S3 One Zone-Infrequent Access
 Cheap, but redundancy within only one zone (while the others use 3)
 S3 Glacier
 Cheapest storage class, used for archives
Auto Scaling
 EC2 instances are scaled out and scaled in automatically
 Auto Scaling Group
 Maximum number of instances
 Minimum number of instances
Load Balancing

 Elastic Load Balancing (ELB)
 SSL/TLS is terminated on the load balancer
 The X.509 certificate is configured on the load balancer
 No cryptographic load on the EC2 instances
Amazon WorkSpaces

 Desktop as a service
 Can bring existing licenses
Virtual Network
 AWS VPC
 Subnets
 Elastic IP
AWS Functions
 PaaS
 Lambda

[1]
Amazon Elastic Beanstalk

 PaaS
 Web applications and services
 Scalable
 Supported development languages
 Java, .NET, PHP, Node.js, Python, Ruby, Go
 On web servers such as
 Apache, Nginx, Passenger, IIS
Networking Services
 AWS Route 53 - Domain Name System (DNS)
 AWS Direct Connect - VPN to AWS
 AWS CloudFront - CDN (Content Delivery Network)
Database Service
 Relational Database Service
 Amazon RDS
 MySQL
 Oracle DB server
 NoSQL database service
 Amazon DynamoDB
 Data warehouse service
 Amazon Redshift
Other AWS Services

 AWS Machine Learning
 Amazon Kinesis – Streaming
AWS SaaS
 Amazon WorkMail - email and calendaring service
 Email Service - Amazon's Simple Email Service (SES)
 AWS SNS – Simple Notification Service
 Can send email, SMS notifications
Identity Access Management (IAM)

 Users
 User Groups
 Roles
 Policies
AWS Firewall

 NACL (Network Access Control List)
 Associated with a subnet
 Stateless: return traffic must be allowed explicitly

 Security Groups
 Assigned to an EC2 instance
 Stateful: return traffic for an allowed connection is permitted automatically
References
[1] “AWS Documentation.” AWS. https://docs.aws.amazon.com/index.html (accessed Mar. 18, 2023).

[2] S. Raj. “AWS Essential Training for Administrators.” LinkedIn Learning. https://www.linkedin.com/learning/aws-essential-training-for-administrators/simplified-aws-administration?autoplay=true&resume=false&u=2167290 (accessed Mar. 18, 2023).

[3] “AWS Tutorial.” Javatpoint. https://www.javatpoint.com/aws-tutorial (accessed Mar. 18, 2023).

[4] “Amazon Web Services Tutorial.” Tutorialspoint. https://www.tutorialspoint.com/amazon_web_services/index.htm (accessed Mar. 18, 2023).
Cloud security
A set of policies, procedures and technologies that work together to secure cloud
infrastructure and data from cyber threats
Cloud Security - Objectives

 Protecting organizational assets in the cloud infrastructure
 Protecting customers
 Meeting compliance requirements

[1] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning. https://www.linkedin.com/learning/ccsk-cert-prep-3-managing-cloud-security-and-risk/risk-treatments-and-cloud-shared-responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed Mar. 18, 2023).
Moving to the Cloud Introduces New Security
Risks
 Outsourcing IT resources to a third party
 Loss of full control
 Lock-in with the cloud vendor

Potential attacks on the cloud - Data Breach
 Confidentiality breach
 Harm to customers, business
 Regulatory and legal consequences
 Possible protection methods
 Staff training
 Auditing
 Encryption of stored data and data in transit
 Incident response plans

[2] D. West. “Cybersecurity Awareness: Cloud Security.” LinkedIn Learning. https://www.linkedin.com/learning/cybersecurity-awareness-cloud-security/avoiding-security-misconfigurations?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed Mar. 18, 2023).
Potential attacks on the cloud – Ransomware
Attacks
 Protection Methods
 Backups
 Incident response strategy
 Keep systems updated

Potential attacks on the cloud – Account
Hijacking
 Prevention
 Access controls
 Use a least-privilege strategy
 Keep only the necessary APIs active

Potential attacks on the cloud – Insider
Threat
 Employee awareness
 Employee permissions

Security – CIA Triad

 Confidentiality
 Integrity
 Availability
Security – AAA

 Authentication
 Authorization
 Accounting
Security Services for Cloud
Infrastructure
 Identity and Access Management
 Encryption
 Directory
 Network Security
 Data Security
 App Security
Encryption (Cryptography)
 Symmetric Encryption
 The same key is used for both encryption and decryption
 This key is known as the secret key
 Ex: AES, DES

 Asymmetric Encryption
 Different keys are used for encryption and decryption
 The keys are known as the public key and the private key
 Keys are very long
 Encryption and decryption typically need a very heavy processing load
 Mostly used for authentication or to exchange the secret key for symmetric encryption
 Ex: RSA
 Example in the cloud: key pairs issued to log in to compute resources
Cloud Protection Strategies
 Encrypt data at rest
 Encrypt data in flight (in transit)
 Protect the keys
 Create strong passwords
 Set up Multi-Factor Authentication (MFA)
 Regular backups
 Implement suitable high-availability strategies
Cloud Risk Management
Common Cloud Risks & Management Strategies
 Increased cost
 Shut down or delete unnecessary resources
 Budget alerts for spending limits
 Account safety, least-privileged cloud accounts
 Unauthorized account usage can increase cost tremendously
 Waste on unused resources
 Maintain a proper asset inventory, consistent cloud resource naming, resource grouping

 IAM misconfigurations
 Weak passwords
 Unnecessary privileges
 Missing patches
 Open Security Group and Network Access Control rules
 Allow only specific IP addresses and ports
 Lack of encryption strategies – data at rest and data in transit
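Added example for the “open Security Group rules” risk above and the NACL / Security Group slides (constructed for this section; not course, AWS or vendor code): a small audit that flags inbound security-group rules exposing sensitive TCP ports to 0.0.0.0/0 or ::/0, and produces a copy of the group narrowed to a specific administrative address range, which is the “allow only specific IP addresses and ports” remediation. The rule dictionaries mirror the IpPermissions structure that `aws ec2 describe-security-groups` prints; the group itself, its sg-... id and the 203.0.113.0/24 admin range are constructed placeholders.

```python
"""Added example: audit security-group ingress rules for world-open
sensitive ports and narrow them. Sample group and ids are constructed."""
import copy
import ipaddress
from typing import Dict, List

# Services that should normally be reachable only from known addresses
SENSITIVE_PORTS = {22: "SSH", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

# Constructed sample group in the describe-security-groups IpPermissions shape
SAMPLE_GROUP: Dict = {
    "GroupId": "sg-EXAMPLE0000000001",          # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",                      # "-1" means all traffic
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


def rule_cidrs(rule: Dict) -> List[str]:
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def is_world_open(cidr: str) -> bool:
    return ipaddress.ip_network(cidr, strict=False) in WORLD


def ports_covered(rule: Dict) -> range:
    if rule.get("IpProtocol") == "-1":            # all traffic: every port
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)


def exposed_ports(rule: Dict) -> List[int]:
    """Sensitive TCP ports this rule opens to the whole Internet."""
    if rule.get("IpProtocol") not in ("tcp", "-1"):
        return []
    if not any(is_world_open(c) for c in rule_cidrs(rule)):
        return []
    covered = ports_covered(rule)
    return sorted(p for p in SENSITIVE_PORTS if p in covered)


def audit_group(group: Dict) -> List[Dict]:
    """One finding per rule that exposes a sensitive port to the world."""
    findings = []
    for index, rule in enumerate(group.get("IpPermissions", [])):
        ports = exposed_ports(rule)
        if ports:
            findings.append({
                "group": group["GroupId"], "rule_index": index,
                "sources": [c for c in rule_cidrs(rule) if is_world_open(c)],
                "ports": [f"{p}/{SENSITIVE_PORTS[p]}" for p in ports],
            })
    return findings


def restrict_world_rules(group: Dict, allowed_cidr: str) -> Dict:
    """Copy of the group in which every finding-producing rule is narrowed
    to `allowed_cidr` (world IPv6 ranges dropped). Rules that expose nothing
    sensitive, such as 443 to the world, are left as they are."""
    fixed = copy.deepcopy(group)
    for rule in fixed.get("IpPermissions", []):
        if exposed_ports(rule):
            rule["IpRanges"] = [{"CidrIp": allowed_cidr}]
            rule["Ipv6Ranges"] = []
    return fixed


if __name__ == "__main__":
    for finding in audit_group(SAMPLE_GROUP):
        print(finding)
    print("after narrowing:", audit_group(restrict_world_rules(SAMPLE_GROUP, "203.0.113.0/24")))
```

Because security groups are stateful, narrowing the inbound source does not require any matching outbound rule for the return traffic; the same change on a stateless NACL would also need the ephemeral-port return rule reviewed.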

Risk Management in Cloud computing
 Risk Acceptance (the cost or complication is more expensive than the added security)
 No encryption of transfers inside the VPC
 Risk Avoidance
 Avoid moving very critical data to the cloud
 Risk Mitigation
 Backup of data
 Snapshots of VMs
 Implementing security groups
 Risk Transference
 Moving from IaaS to PaaS, or from PaaS to SaaS, with an SLA
 Cyber risk insurance

Shared Responsibility Model
 Who is responsible for security? Provider / User
 The cloud offering model decides

Layer                                                  IaaS            PaaS            SaaS
Data                                                   Customer        Customer        Customer
Application                                            Customer        Customer        Cloud Provider
Platform (Java VM, libraries, DB server, web server)   Customer        Cloud Provider  Cloud Provider
Operating System                                       Customer        Cloud Provider  Cloud Provider
Hardware                                               Cloud Provider  Cloud Provider  Cloud Provider
Power, Cooling, Network Connection                     Cloud Provider  Cloud Provider  Cloud Provider
Physical Space                                         Cloud Provider  Cloud Provider  Cloud Provider

Cloud Security Framework (CSF)
 Defines the architecture, policies and controls to secure a cloud
environment
 Some cloud security frameworks
 NIST (National Institute of Standards and Technology) CSF
 CSA (Cloud Security Alliance)
 CCM (Cloud Controls Matrix)
Cloud Controls Matrix (CCM)
 CSA framework
 Lists cloud security controls and maps them to multiple
security and compliance standards
 The CCM can also be used to document security
responsibilities

CAIQ (the Consensus Assessments Initiative Questionnaire)

 A standard template for cloud providers to document their security and
compliance controls
 Cloud providers document their security controls and features and publish
them using the CSA CAIQ.

CSA Security Trust Assurance and Risk
(STAR) Registry
 The CSA (Cloud Security Alliance) maintains a registry
 Certifications for cloud service providers
 Documents how they have implemented the necessary security controls

Cloud Data Breaches – Recent Case Studies

1. Medibank Data Breach:
 Australian police have linked “over 11,000 cybercrime incidents” to
the Medibank data breach. This incident highlights the impact of compromised
personal information and the importance of robust security measures.
2. 2023 Thales Cloud Security Study:
 Thales conducted an annual assessment of cloud security threats, trends, and
emerging risks based on a survey of nearly 3,000 IT and security professionals
across 18 countries.
 Key findings:
 39% of businesses experienced a data breach in their cloud environment last year,
an increase from the previous year.
 Human error was reported as the leading cause of cloud data breaches.
 75% of businesses store more than 40% of their data in the cloud, and much of this
data is classified as sensitive.
 Despite the increase in sensitive data stored in the cloud, only 45% of it is encrypted.
 Multicloud adoption is on the rise, but managing data in the cloud remains complex.
Contd..

3. Capital One and AWS Breach:
 In July 2019, Capital One discovered that an AWS database used
for storing customer data was breached. A former AWS employee
was charged with stealing 140,000 Social Security
numbers and 80,000 bank account numbers in the breach.
4. Raychat Cloud Database Breach:
 In February 2021, Raychat, an online chat application, suffered a
large-scale cyber attack due to a cloud database configuration
breach. Hackers gained access to 267 million usernames, emails,
passwords, metadata, and encrypted chats. A targeted bot attack
subsequently erased all of the company’s data.
Contd..

 These case studies underscore the critical need for
robust security practices and encryption when
handling sensitive data in cloud environments.
 Organizations must remain vigilant to protect
against data breaches and continuously improve
their security measures.
References

[1] “Security Guidance for Critical Areas of Focus in Cloud Computing v4.0.” Cloud Security Alliance.
https://cloudsecurityalliance.org/artifacts/security-guidance-v4/ (accessed Feb. 26, 2023).
[2] D. Lachance. “CCSK Cert Prep: 3 Managing Cloud Security and Risk.” LinkedIn Learning.
https://www.linkedin.com/learning/ccsk-cert-prep-3-managing-cloud-security-and-risk/risk-treatments-and-
cloud-shared-responsibility?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed Mar. 18, 2023).
[3] D. West. “Cybersecurity Awareness: Cloud Security.” LinkedIn Learning.
https://www.linkedin.com/learning/cybersecurity-awareness-cloud-security/avoiding-security-
misconfigurations?autoSkip=true&autoplay=true&resume=false&u=2167290 (accessed Mar. 18, 2023).
Cloud Computing
Introduction: Changing The Network Architecture
Figure: Changing the network architecture over time, in three stages.
Consolidation (improved utilization, efficiency): branch infrastructure consolidation, data center consolidation, storage consolidation, server consolidation.
Virtualization (improved flexibility, responsiveness): storage virtualization, network virtualization, server virtualization, application virtualization.
Automation (policy-based adaptive infrastructure): static provisioning, then semi-automated provisioning, then dynamic service automation; agility increases from stage to stage.
Cloud Computing vs.
Data Center
 Data center: Typically a data storage and
processing facility run by an in-house IT
department or leased offsite.
 Cloud computing: Typically an off-
premise service that offers on-demand
access to a shared pool of configurable
computing resources. These resources
can be rapidly provisioned and released
with minimal management effort.
Cloud Computing and
Virtualization
 The terms “Cloud computing” and
“virtualization” are often used
interchangeably; however, they mean
different things. Virtualization is the
foundation of Cloud computing. Without
it, Cloud computing, as it is most-widely
implemented, would not be possible.
 Cloud computing separates the
application from the hardware.
Virtualization separates the OS from the
hardware.
Cloud Computing
• Cloud computing is a model for enabling
convenient, on-demand network access to a
shared pool of configurable computing
resources
• Networks, servers, storage, applications, and
services that can be rapidly provisioned and
released with minimal management effort or
service provider interaction.
 Providers rely heavily on virtualization to
deliver their services.
 Cloud computing can reduce operational costs
by using resources more efficiently.
Cloud Computing
 Enables access to organizational data
anywhere and at any time
 Streamlines the organization’s IT operations
by subscribing only to needed services
 Eliminates or reduces the need for onsite IT
equipment, maintenance, and management
 Reduces cost for equipment, energy,
physical plant requirements, and personnel
training needs
 Enables rapid responses to increasing data
volume requirements
Cont’d
 Cloud computing, with its “pay-as-you-
go” model, allows organizations to treat
computing and storage expenses more
as a utility rather than investing in
infrastructure. Capital expenditures are
transformed into operating expenditures.
Cloud Services
(National Institute of Standards and Technology (NIST) in
their Special Publication 800-145)
 Software as a Service (SaaS): The Cloud
provider is responsible for access to services,
such as email, communication, and virtual
desktops that are delivered over the Internet.
 Platform as a Service (PaaS): The Cloud provider
is responsible for access to the development
tools and services used to deliver the
applications.
 Infrastructure as a Service (IaaS): The Cloud
provider is responsible for access to the network
equipment, virtualized network services, and
supporting network infrastructure.
Cont’d
 Cloud service providers have extended
this model to also provide IT support for
each of the Cloud computing services
(ITaaS).
 For businesses, ITaaS can extend IT's
capabilities without requiring investment
in new infrastructure, training new
personnel, or licensing new software.
These services are available on demand
and delivered economically to any
device anywhere in the world without
compromising security or function.
Cloud Service Models (compared)
Essential Characteristics
 On-demand self-service
A consumer can unilaterally provision computing capabilities automatically
without requiring human interaction with each service’s provider.
 Broad network access
Capabilities are available over the network and accessed through standard
mechanisms that promote use by heterogeneous thin or thick client platforms
(e.g., mobile phones, laptops, and PDAs).
 Resource pooling
The provider’s computing resources can be pooled to serve multiple consumers
using a multi-tenant model, with different physical and virtual resources
dynamically assigned and reassigned according to consumer demand. There is a
sense of location independence in that the customer generally has no control or
knowledge over the exact location of the provided resources but may be able to
specify location at a higher level of abstraction (e.g., country, state, or
datacenter). Examples of resources include storage, processing, memory, network
bandwidth, and virtual machines.
Essential Characteristics - Cont.
 Rapid elasticity
‒ Capabilities can be rapidly and elastically provisioned.
‒ In some cases this is done automatically, to quickly scale out, and
rapidly released, to quickly scale in.
 Measured Service
‒ Cloud systems can automatically control and optimize resource
use by leveraging a metering capability at some level of
abstraction appropriate to the type of service
‒ e.g., storage, processing, bandwidth, and active user
accounts.
Cloud Models
 Public clouds: Cloud-based applications and services offered in a
public cloud are made available to the general population. Services
may be free or are offered on a pay-per-use model, such as paying
for online storage. The public cloud uses the Internet to provide
services.
 Private clouds: Cloud-based applications and services offered in a
private cloud are intended for a specific organization or entity, such
as the government. A private cloud can be set up using the
organization’s private network, though this can be expensive to build
and maintain. A private cloud can also be managed by an outside
organization with strict access security.
 Hybrid clouds: A hybrid cloud is made up of two or more clouds
(example: part custom, part public), where each part remains a
distinctive object, but both are connected using a single architecture.
Individuals on a hybrid cloud would be able to have degrees of
access to various services based on user access rights.
 Custom (Community) clouds: These are clouds built to meet the
needs of a specific industry, such as healthcare or media. Custom
clouds can be private or public.
Cloud Models
Examples of Public Cloud Service
Providers
Amazon Web Services (AWS)
 Provides offering in the cloud for organizations requiring
computing power, storage & other services.
 According to Amazon, AWS allows users to “take
advantage of Amazon.com’s global computing
infrastructure,” which is the heart of Amazon’s retail
business & transactional enterprise.
 Offers the following services:
‒ Elastic Compute Cloud (EC2)
‒ Simple Storage Service (S3)
‒ Simple Query Service (SQS)
‒ CloudFront
‒ SimpleDB
Google
• Google App Engine allows building & hosting web applications
on the Google infrastructure:
‒ Supported programming languages are Python & Java
(more?).
‒ Free up to a certain level of used resources, after which fees are
charged for additional storage, bandwidth, or CPU cycles
required by the application.
• Google Apps offers business emails and collaboration:
‒ Includes several applications with similar functionality to
traditional office suites, including Gmail, Google Calendar, Talk,
Docs, and Sites.
‒ Has a number of security & compliance products to provide
email security & compliance for existing email structures.
‒ Standard Edition is free and offers the same amount of storage
as regular Gmail accounts.
‒ Premier Edition is based on a per-user license model &
associated storage level.
Windows Azure
• Part of Microsoft’s strategy of lessening its emphasis on the
desktop and shifting more resources to web-based
products.
• Provides an OS that serves as a runtime for the apps
• Provides a set of services that allows development,
management, and hosting of managed apps at Microsoft
data centers
• Azure Services Platform includes the following services:
‒ .NET Services
‒ SQL Services
‒ Windows Live Services
• Pricing is based on a consumption model including
compute time, storage, API calls, etc.
Salesforce.com & Force.com
• Salesforce.com offers cloud-based CRM solution which
includes Sales, Marketing, Service, and Partners. Pricing is
on a per-user basis, with different rates and support
packages posted online.
• Force.com allows developers to create add-on apps that
integrate into the main Salesforce.com apps, and are
hosted on Salesforce.com’s cloud infrastructure.
‒ Apps are built using Apex, a proprietary programming
language for the platform
‒ Pricing is on a per-developer basis, with different support
packages allowed for varied levels of storage, API calls,
etc.
• AppExchange is a directory of apps built for
Salesforce.com by third-party developers, which users can
purchase and add-on to their Salesforce environment.
RightScale
• Provides services in the cloud to assist organizations in managing
cloud deployments offered by other Cloud Service Providers
(CSPs), including vendors such as AWS, FlexiScale, and GoGrid.
• Pricing is based on a number of editions from Developer through
Enterprise level, with associated features & server times.
• RightScale Cloud Management Platform allows organizations to
manage & maintain their cloud deployments through one web-
based management platform, while at the same time taking
advantage of offerings from more than one CSP. It includes
the following:
‒ Cloud Management Environment
‒ Cloud Ready ServerTemplates
‒ Adaptable Automation Engine
‒ Multi-Cloud Engine
Cloud Foundry (VMware)
• A VMware-led open source project that provides a platform for building,
deploying and running cloud apps
• Supported languages include Spring for Java developers, Rails and
Sinatra for Ruby developers, Node.js, & other JVM languages/frameworks
including Groovy, Grails & Scala.
• Supported Application Services include RabbitMQ, MongoDB, MySQL &
Redis.
• Includes the following:
‒ CloudFoundry.com – a complete hosted platform environment (a
commercial service, currently still in beta & can be accessed for free)
‒ CloudFoundry.org – an open source project where developers and
community members can collaborate & contribute to the project
‒ Micro Cloud Foundry – a complete version of Cloud Foundry that runs in
a virtual machine on a developer’s Mac or PC (a full instance that
provides the flexibility of local development while preserving options for
future deployment & scaling of apps).
(Some) Other Cloud Service Providers
 Workday – provides human resources & financial
management products
 ProofPoint – provides services related to securing
enterprise email infrastructure, with solutions for email
security, archiving, encryption & data loss prevention.
 GoGrid – provides cloud hosting that allows users to
build scalable cloud infrastructure in multiple data
centers using dedicated and cloud servers, elastic F5
hardware load balancing, and cloud storage with
total control through automation and self-service.