UNDERSTANDING

COMPUTER SECURITY

ORUNSOLU ABDUL ABIODUN (PhD)

OLAIYA YINKA
CHAPTER ONE
BASIC SECURITY ESSENTIALS
1.1 WHY SECURITY CONCERNS COMPUTERS
When the thought of developing Personal Computers (PCs) has conceived, more
efforts were put into its efficiency and usability. Security problems were not
considered. The machine was developed out of curiosity to simplify complex
calculations and increase speed of execution. Even when there were needs to
make computers more advanced and capable of more complex operations,
hardware and its associated software were focused on greater sophistication and
capabilities. Security issues around computing technology did not warrant any
serious attention.

No sooner than the efficiency of the machine was acceptable by humanity, that it
became the major storage media of most sensitive information about individuals,
businesses, large corporations, government etc., With this development, criminals
shifted attention to exploit the loopholes in the design of the machine to access
sensitive information without genuine authorization. In the beginning, computer
security was about regulating access to where the machines were installed and
used. Thus, security was all about preventing the theft of computing equipment
and its associated devices such as hard disks, monitor, floppy disks etc. However,
with the advent of networking and internet which promote seamlessly sharing of
sensitive information, the computer security issues become more complex. In
addition, the associated risks from criminals become so huge that the negligence
of simple security rule expose both professional and amateur users to graver
consequences. This has led to high incidences of security breach on personal and
corporate data.

Faced with these unholy consequences, maintaining security with computing

devices and technology is vital for individuals, businesses and governments.
Prevention of security breach on confidential data (e.g. Password, BVN, NIN, Bank
account number, social security number etc.) becomes an essential requirement
for determining a secured communication. This is very important as sensitive data
stored on the computer or network may be misused or hacked by con artists to
create embarrassing situations for the genuine owner. For instance, a computer
criminal can modify and change a program source code and use your pictures or
email accounts to create derogatory contents such as pornographic images and
offensive e-chat on social media. In addition, intruders may use another person’s
computers for attacking other computers or websites for creating havoc.
Therefore, the protection of personal and corporate data is necessary and the
need for computer security arises.

1.2 EVOLUTION OF COMPUTER SECURITY THREATS

One of the first recorded computer security threats actually did not come from a
human. In 1945, Rear Admiral Grace Hopper found a moth among the relays of a
Navy computer and called it a ‘bug’. From this, the term “debugging” was coined
to denote removal of defects that prevent correct operation of computer system.
By 1960s, the exploitation of computer networks began by humans as witnessed
in AT&T where hundreds of people were caught obtaining free phone calls
through the use of tone-producing “blue boxes.” Later in the 1970s, another way
to make free phone calls by using a blue box and plastic toy whistle were found by
John Draper.

By late 1970s, computer threats took on another form with the advent of the first
computer worm (i.e., a self-replicating malicious program that propagates
through loopholes or flaws in a network). A decade later, computer viruses were
created. By 1988, damage became widespread as a worm disabled around 6,000
computers connected to the Advanced Research Projects Agency Network. And
by 1990, the first self-modifying viruses were created.

By mid-1990s, viruses went international as the first Microsoft Word-based virus

using macro commands spread all over the world. In 1998, hackers took control of
more than 500 governments, military, and private computer systems with the
“Solar Sunrise” attacks. Two years later, other hackers were able to crash
Amazon, Yahoo and eBay’s websites. In 2001, the Code Red worm ended up
causing $2 billion in damage by infecting Microsoft Windows NT and Windows
2000 server software. The security incidences on computers and networks
became compounded with advent of phishing attacks during the same time.
In the mid-2000s, as people connected to the Internet like never before,
widespread infection rates exploded as well. The Storm Worm virus in 2007 and
the Koobface virus in 2008 used emails and social media to spread rapidly,
infecting millions of computers. In 2012, the Heartbleed bug was discovered,
which took advantage of a flaw in the OpenSSL security software library to access
sensitive data like passwords. And in 2013 one of the most infamous attacks
occurred, when hackers gained access to retail giant Target’s servers, leading to
the theft of 70 million customer records. In the late 2010 up to 2020, security
breaches occasioned by key loggers attacks, spear phishing, Voice over IP attacks,
ransomware and corona virus phishing affected critical infrastructure in
healthcare, manufacturing and blue-chips companies. These security breaches on
computer and its networks continue due to a number of factors such as:
a) Increased internet connectivity across the globe for individuals and
businesses
b) Storage of many valuable assets on online media and cloud platforms
c) Availability of sophisticated attack tools and strategies to hackers from
online black market
d) Low risk of getting caught due to some smart path-erasing software
e) Inadequate legislations for prosecuting cybercriminals
f) Complexity of computer-related crimes
g) Ignorance of most computer users in terms of security issues
h) Inherent sense of greed and emotions in humans when responding to
online messages.

1.3 MAJOR MOTIVES FOR COMPUTER SECURITY THREATS

There are many reasons which propel criminals to commit computer crime. This
crime often resulted in tarnished image or reputation for organizations or
individuals, loss of sensitive business secret and international legal battles or fees.
In most cases, the following are major motives for computer security threats:
a) Financial gain: Criminals are motivated towards committing computer
attacks to make quick and easy money. For instance, access to a victim’s
 Bank Verification Number (BVN) gives criminals the needed impetus to
fraudulently make transactions.

b) Revenge: Some individuals try to take revenge with other

person/organization/society or religion by defaming its reputation or
bringing economical or physical loss. This is often perpetuated by
individuals gaining access to victim’s account (e.g., email messages or
sensitive images) and later publishing such personal information for public
consumption on the Internet.

c) Fun: In some rare cases, amateur criminal performs computer crime for fun
in order to test the sophistication of the trending attack tools. The success
of such fun-game provides the criminals the skills to launch more
dangerous attacks. For instance, a Port Knocking tool can create a secret
backdoor method of getting through firewall protected ports for criminals
to detect unprotected ports on a network.

d) Recognition: Computer criminals sometime hack the so-called highly

secured networks like defense sites or networks for recognition. The fame-
loving criminals perpetuated such damage and later publish the
susceptibility of the network. In some cases, blue-chips industries and
defense authority invite criminals to launch attacks on a newly-developed
network or software to evaluate their trustworthiness.

e) Anonymity: Many time the anonymity that a cyber space provide motivates
the person to commit cybercrime as compared to real world. It is much
easier to get away with criminal activity in a cyber-world than in the real
world. There is a strong sense of anonymity than can draw otherwise
respectable citizens to abandon their ethics in pursuit personal gain.

f) Cyber Espionage: At times the government itself is involved in cyber

trespassing to keep eye on other person/network/country. The reason
could be politically, economically socially motivated. This reason is
responsible for many trade frictions between America, China and Russia
with different fines on blue-chips companies operating in these countries.
 In some cases, such cyber espionage has been blamed to be responsible for
election interference in some major US presidential election.

1.4 BASIC COMPUTER SECURITY TERMINOLOGIES

As there are many potential threats to computers, devices and data, it is
important to understand some basic computer security terminologies associated
with safety procedures to reduce the likelihood of them affecting our computing
resources.
The followings are some of the common terminologies related to computer
security
a) Data Backup: This is a procedure that involves saving copies of important
data to another device or virtual storage. By regularly backing up
important data, the users can easily recover most, if not all of their data in
case of accidental or malicious deletion, power surges, disk corruption or
physical damage from fall, fire or flood. It is a good computer practice to
back up important data separately from the original data. In this way,
physical disaster affecting the original data cannot destroy the backup in
the safe location.

b) Social Networking: This is the practice of using dedicated websites, online

platforms and applications to interact with other users or find people with
similar interests to one’s own. Social networking allows individuals to
maintain contact, interact and collaborate with professional colleagues,
business owners, peers, family and friends. Examples of social networking
sites are Facebook, WhatsApp, Twitter, Instagram, Telegram, Snapchat
etc. However, there are security risks associated with using these social
networking apps. These potential security risks include cyber bullying,
identity theft, ransomware attacks, phishing, child pornography etc.

c) Disaster Recovery: This is the capability or ability of an organization to

regain access and functionality to its Information Technology
infrastructure after events like natural disaster, cyber-attacks or
disruption etc. have occurred. The primary goal of DR is to enable the
organization or business owners to regain use of critical systems, sensitive
data and hardware as soon as possible after a disaster occurs. This
 process is often spelt out in a document called Disaster Recovery Plan
(DRP)

d) Antivirus Protection: This is a method in which a program or software

designed to detect/remove viruses and other kinds of malicious software
are installed on a computer device. The main function of antivirus
protection is to scan, detect, prevent and remove any existential threat to
the computer system either from physical device or from online activities.
Common antivirus programs include Norton, McAfee, Kaspersky etc.
Antivirus protection comes under different shades such as malware
signature antivirus, system monitoring antivirus and machine learning
antivirus.

e) Internet Security: This is a term that describes security for activities and
transactions made over the internet. The term encompasses larger ideas
of cyber security and computer security involving topics like browser
security, online behavior, social media security, network security etc. The
main benefit of internet security is that it provides functions that limit
access to fraudulent activities online. An example of internet security is an
online system that prevents credit card numbers from being stolen on a
shopping website. The most common network security risks are phishing,
computer viruses, malware/ransomware, rogue security software and
denial of service attack

f) Credit Card Frauds: This is a term that describe a situation when

unauthorized users gain access to an individual’s credit card information
in order to make purchases, other transactions or open new accounts.
The purpose may be to obtain good or services or make payment through
another person’ account without their consent or permission. A few
examples of credit card fraud include account takeover fraud, new
account fraud, cloned cards and cards-not-present schemes. Although,
credit cards are more secure than ever, with regulations and security
communities coming up with innovative security approaches, the social
engineering fraud is however, providing hackers with countermeasure to
defeat these innovations.
CHAPTER TWO
OVERVIEW OF COMPUTER SECURITY
2.1 DEFINITION OF COMPUTER SECURITY
The meaning of the term computer security has evolved in recent years. Before
the problem of data security became widely publicized in the media, most
people’s idea of computer security focused on the physical machine. Traditionally,
computer facilities have been physically protected for three reasons:
a) To prevent theft of or damage to the hardware
b) To prevent theft of or damage to the information
c) To prevent disruption of service

Computer security, the protection of computer systems and information from

harm, theft, and unauthorized use. Computer hardware is typically protected by
the same means used to protect other valuable or sensitive equipment, namely,
serial numbers, doors and locks, and alarms. The protection of information and
system access, on the other hand, is achieved through other tactics, some of them
quite complex.
The security precautions related to computer information and access address four
major threats:
(1) theft of data, such as that of military secrets from government computers;
(2) vandalism, including the destruction of data by a computer virus;
(3) fraud, such as employees at a bank channeling funds into their own accounts;
and
(4) invasion of privacy, such as the illegal accessing of protected personal financial
or medical data from a large database.
The most basic means of protecting a computer system against theft, vandalism,
invasion of privacy, and other irresponsible behaviors is to electronically track and
record the access to, and activities of, the various users of a computer system.
This is commonly done by assigning an individual password to each person who
has access to a system. The computer system itself can then automatically track
the use of these passwords, recording such data as which files were accessed
under particular passwords and so on. Another security measure is to store a
system’s data on a separate device, or medium, such as magnetic tape or disks,
that is normally inaccessible through the computer system. To enhanced security,
data is often encrypted so that it can be deciphered only by holders of a singular
encryption key.

Computer security is not about hardware and software alone as many businesses
or individuals believe that procuring enough computing equipment is a way to
creating secure infrastructure. This is because no computing product or
combination of devices can create a secure computing environment by itself.
Security is a process and all computing devices are only as secure as the
individuals who configure/maintain them. Thus, adequate training, time and
support should be provided for individual tasked with the management of
computer security in any organization.

2.2 THE SOFTWARE CRISIS

In the past, computer security was about physical protection of hardware devices
from damage, theft and disruption of service. As the technology becomes
advanced, computer criminals shifted their focus from hardware devices to
software. This is because hardware devices are becoming cheaper while their
associated software contain sensitive information about individuals or businesses
or corporation owing them e.g. bank alert on mobile phone. While the hackers
are mounting attacks on sensitive software, computer and software vendors
rarely take enough meaningful security measures into their software design.
Security, if considered at all, usually come behind other attributes such as:
 a) Functions: What does it do?
b) Price: What does it cost?
c) Performance: How fast does it run?
d) Compatibility: Does it work with earlier products?
e) Reliability: Will it perform its intended function?
f) Human Interface: How easy is it to use?
g) Availability: How often will it break?
h) .....
i) ……
j) Security

This kind of attribute itemization in software design often lead to software crisis.
Software crisis is a situation in which adequate security attention is not attached
to various components of software during development phases. This is one of the
problems of the traditional System Analysis and Design (SAD). A good software
security attribute should consider both Security Function and Security Assurance.

Security Function is used to measure what protection features are provided in a

software while Security Assurance is a measure of the foolproof of protection
features in a software.

2.3 BASIC TERMINOLOGY IN DEFINING COMPUTER SECURITY

a) Assets: Things we want to protect. It may be any data, device or other
components that support information-related activities e.g. confidential
information, hardware (such as servers and switches), and software (e.g.
mission critical applications and support systems). Assets should be
protected from illicit access, use, disclosure, alteration, destruction and
theft, which can result in loss to an organization.

b) Threats: Events that can happen to assets (e.g. loss of confidentiality). It is

also anything (manmade or act of nature) that has the potential to cause
harm. It is a possible danger that might exploit a vulnerability to breach
security and cause possible harm. A threat can either be intentional (e.g.
 intelligent attempt by individual hacker or criminal within an organization)
or accidental (e.g. wrong response to login activity, natural disaster,
possibility of a computer malfunctioning).

c) Attacks: Attempts to realize threats. An attack can be active or passive. An

active attack attempts to alter system resources or affect its operation
while a passive attack attempts to learn or make use of information from
the system.

d) Vulnerabilities: Weaknesses of systems which make attacks possible. It is

also a weakness which allows an attacker to reduce a system’s information
assurance. Vulnerability is the intersection of three elements namely
i. A system flaw
ii. Attacker access to the flaw
iii. Attacker capability to exploit the flaw
To exploit vulnerability, an attacker must have at least one applicable tool or
technique that can connect to a system weakness. Vulnerability is also known as
the attack surface.

e) Risk: A measure of the likelihood of occurrence of an attack. It is also the

likelihood that something bad will happen that causes harm to an
informational asset (or the loss of the asset).

f) Impact: A measure of how serious an attack would be

Based on these terminologies, Computer security is concerned with
i. Analyzing risk and impact of threats
ii. Protecting assets against attacks
iii. Overcoming vulnerabilities
iv. Mitigating risks
v. Reducing impacts of attacks

2.4 ELEMENTS OF COMPUTER SECURITY

There are three elements of computer security namely prevention, detection and
response. Security equation can be represented as:

protection/ security= prevention+(detection+response)

1. Prevention: This is the first element of computer security. Prevention is

concern with measures that hinder or obstruct the exploitation of
vulnerabilities. Organizations should emphasize preventative measures
over detection and response. It is easier, more efficient and much more
cost-effective to prevent a security breach than to detect or respond to
one. For example, if one attempts to break into a host over the Internet and
that host is not connected to the Internet, the attack has been prevented.
Typically, prevention involves implementation of mechanisms that users
cannot override and that are trusted to be implemented in a correct,
unalterable way, so that the attacker cannot defeat the mechanism by
changing it. Examples of preventive measures are access controls, firewalls,
encryptions

2. Detection: This is the second element of CS. Detection is concern with

measures that discover something malicious that was hidden or disguised
within a software system or information system. Once preventative
measures are implemented, procedures need to be put in place to detect
potential problems or security breaches. Detection mechanisms accept that
an attack will occur; the goal is to determine that an attack is under way, or
has occurred, and report it. Typical detection mechanisms monitor various
aspects of the system, looking for actions or information indicating an
attack. The resource protected by the detection mechanism is continuously
or periodically monitored for security problems. Examples of detective
measures are audit logs, intrusion detection system, honey pots etc.

3. Response: This is the third element of CS. Response is concern with

measures that reply or respond or identify security vulnerabilities with
appropriate corrective actions. Response has two forms. The first is to stop
an attack and to assess and repair any damage caused by that attack. As an
example, if the attacker deletes a file, one recovery mechanism would be to
restore the file from backup tapes. In practice, recovery is far more
complex, because the nature of each attack is unique. Thus, the type and
 extent of any damage can be difficult to characterize completely. In a
second form of response, the system continues to function correctly while
an attack is under way. This type of response is quite difficult to implement
because of the complexity of computer systems. It draws on techniques of
fault tolerance as well as techniques of security and is typically used in
safety-critical systems. It differs from the first form of response, because at
no point does the system function incorrectly. Examples of security
response are computer forensic, incident response applications, backups
etc.

2.5 CONCEPT OF SECURITY GOALS

Security goals represent the main objectives of information system. It also
defined as desirable ability of an information system or desirable property of
information system. Unlike other physical systems, the security goals of a
computer information system are Confidentiality, integrity and availability
(known as the CIA triad), which is a model designed to guide policies for
information security within an organization. The elements of the triad are
considered the three most crucial components of security.

In this context, confidentiality is a set of rules that limits access to

information, integrity is the assurance that the information is trustworthy and
accurate, and availability is a guarantee of reliable access to the information by
authorized people.

Confidentiality:
Human lives revolve around creation of information which may be sensitive or
non-sensitive. Every human being wants their sensitive information to be
protected against unauthorized disclosure or access. Confidentiality is
synonymous to privacy, which means information must be reserved and not
accessible to the public. Confidentiality applies to both storage and transmission
of information. Measures undertaken to ensure confidentiality are designed to
prevent sensitive information from reaching the wrong people, while making
sure that the right people can in fact get it: Access must be restricted to those
authorized to view the data in question.

Common methods for ensuring confidentiality are data encryption methods,

biometric verification, passwords, security tokens etc.
Integrity:
Information needs to be changed constantly to reflect current transactions and
events e.g. account balance must be updated upon deposit or withdrawal.
Integrity implies that changes need to be done only by authorized entities and
through authorized mechanisms. Integrity involves maintaining the consistency,
accuracy, and trustworthiness of data over its entire life cycle. Data must not be
changed in transit, and steps must be taken to ensure that data cannot be altered
by unauthorized people.

Common methods for ensuring integrity are File Permission controls, user access
controls, checksums etc.

In general, preservation of data integrity has three goals:

i. Prevent data modification by unauthorized parties
ii. Prevent unauthorized data modification by authorized parties
iii. Maintain internal and external consistency (i.e. data reflects the real
world)

Availability
Information is useless if is not available on demand to authorized entities.
Availability, in the context of a computer system, refers to the ability of a user to
access information or resources in a specified location and in the correct format.
When a system is regularly non-functioning, information availability is affected
and significantly impacts users. In addition, when data is not secured and easily
available, information security is affected, i.e., top secret security clearances.
Another factor affecting availability is time. If a computer system cannot deliver
information efficiently, then availability is compromised. Data availability must
be ensured by storage, which may be local or at an offsite facility. In the case of
an offsite facility, an established business continuity plan should state the
availability of this data when onsite data is not available. At all times, information
must be available to those with clearance.

2.6 SECURITY REQUIREMENTS

Security goals guide system development, but they are not precise enough to be
requirements. A security goal typically describes what is never to happen
in any situation; a good security requirement would describe what is to happen
in a particular situation.
Therefore, define a security requirement as a constraint on a functional
requirement. The constraint must contribute to satisfaction of a security goal.
Whereas security goals proscribe broad behaviors of a system, security
requirements prescribe specific behaviors of a system. Like a good functional
requirement, a good security requirement is testable.

Security requirements ideally specify what the system should do in specific

situations, not how it should be done. However, requirements may contain more
detail about the "what" that goals do, because requirements must be testable.

The following table summarizes the differences noted above between security
goals and security requirements.

Goals Requirements
are broad in scope are narrow in scope
apply to individual functional
apply to entire system
requirements
state desires state constraints
are not testable are testable
say nothing about might begin to provide
design/implementation design/implementation details

2.6 ADVANTAGES OF COMPUTER SECURITY EDUCATION

a. Enhance individual protection against risks and vulnerabilities

b. Contribute to security in workplaces
c. Enhance the quality and safety of interpersonal and business transactions
d. Improve overall security consciousness in the internet users
CHAPTER THREE
CONCEPT OF NETWORK SECURITY
3.1 EVOLUTION OF NETWORK SECURITY
A computer network is an interconnection of two or more computers linked
together using communication channels (e.g. wired or wireless) to allow for
sharing of resources such as data, information, hardware devices (e.g. printers),
internet connection etc. Computer network may be a Local Area Network, Wide
Area Network, Wireless Local Area Network, Virtual Private Network etc. In all
these network types, computing devices are connected primary to share
resources with other device near or far locations. In most cases, devices are
connected to a network through network cable connections or wireless access
points. Since any user can connect an unsecured device (such as mobile phone) to
an unsecured network and can gain access to the resources/data on such
network. This can lead to security compromises for the network devices such as
servers. Thus, security-related activities become a central focus of most networks.
In fact, one of the key roles of a network administrator (i.e. a staff responsible for
the maintenance of a network) is to provide for security functions such as
managing authentication, monitoring and installing relevant security updates and
dealing with network intrusions. These challenges come from the security
implications of connecting to a network which may include:
a) Unauthorized data access
A malicious user or hacker gains access to the network and read/write its
unprotected resources such as data or information. As a result, sensitive or
confidential data are made available to wrong individuals who can use
them for negative purposes such as identity theft, demanding ransom
(ransomware attack), cyberbullying etc.
 b) Privacy violation
There is always possibility of others accessing another person’s device
when connecting to most networks. This situation often leads to individuals
having their private information being exposed to hackers. Malicious End-
User License Agreement (EULA) in most application installation can lead to
privacy violation.

c) Malware attacks
The interconnection of different devices on the network easily allows for
malicious software (malware) propagation to unprotected device or
another network.

3.2 NETWORK SECURITY AND TYPES

Network security is a set of rules and configurations designed to protect the
integrity, confidentiality and accessibility of computer networks and data using
both software and hardware technologies. Every organization, regardless of size,
industry or infrastructure, requires a degree of network security solutions in place
as attackers that are always trying to find and exploit security loopholes
(vulnerabilities). These network security lapses can exist in data (e.g. lack of data
validation techniques), applications, users’ account, devices, location, wireless
connections etc. For this reason, there are many network security management
tools and applications in use today that address individual threats and exploits
and also regulatory non-compliance.

Basically, network security consists of physical, technical and administrative. Here

is a brief description of the different types of network security and how each
control works.

a) Physical Network Security

Physical security controls are designed to prevent unauthorized personnel
from gaining physical access to network components such as routers,
cabling cupboards and so on. Controlled access, such as locks, biometric
authentication and other devices, is essential in any organization to achieve
physical network security.
 b) Technical Network Security
Technical security controls protect data that is stored on the network or
which is in transit across, into or out of the network. Protection is twofold;
it needs to protect data and systems from unauthorized personnel, and it
also needs to protect against malicious activities from employees. Firewalls,
access control methods, antivirus protection, passwords, encryptions etc.
are common technical approaches to network security.

c) Administrative Network Security

Administrative security controls consist of security policies and processes
that control user behavior, including how users are authenticated, their
level of access and also how IT staff members implement changes to the
infrastructure. For example, you could grant administrators full access to
the network but deny access to specific confidential folders or prevent their
personal devices from joining the network.

Other areas of network security include wireless and home network security,
Bluetooth security, smart phone security and OS security.

A. Wireless and Home Security

Wireless networks are one of the convenient methods through which users and
homes are connected to other networks and internet. Depending on wireless
network settings, some connections are unsecured and other are secured
networks. Unsecured networks are ones that do not required any form of
authentication to connect any device to the wireless resources. Usually, such
network connection in public places harbors potential risks such as eavesdropping
attacks, network hijacking, man-in-middle attack etc. On the other hand, secured
networks often required authentication such as passwords by the network
administrator before connection is established. One of the example of secured
network is Virtual Private Network (VPN). The Virtual private networks create a
connection to the network from another endpoint or site. For example, users
working from home would typically connect to the organization's network over a
VPN. Data between the two points is encrypted and the user would need to
authenticate to allow communication between their device and the network.
Common types of wireless security options include:

i. Wired Equivalent Privacy (WEP)

WEP is a type of security standard used by wireless networks. It is still used to
support older devices, but its use is no longer recommended. WEP uses a network
key to encrypt information sent from one computer to another across a network.
The encrypted information sent using this standard is relatively easy to crack.

ii. Wi-Fi Protected Access (WPA)

WPA encrypts information that is exchanged between two connected devices and
it also ensures that the network security key is not easily obtained. WPA also
authenticates users and only authorizes these authenticated users to connect to
the wireless networks and exchange data with other devices on that network.
There are two types of WPA authentication: WPA and WPA2. WPA is designed to
work with all wireless network adapters. WPA2 is more secure than WPA, but it
might not work with older routers or access points and some older network
adapters.

iii. Media Access Control (MAC) Address Filtering

Each network interface controller (network adapter) has a unique 48-bit
hardware identifier (MAC address). This value can be set into the allowed filter list
of the wireless point’s security setting, thus only connection from these devices is
allowed. However, a hacker could set a valid address on his device to connect and
gain access to the network. Also, it may be difficult to maintain a list of permitted
MAC addresses.

iv. Service Set Identifier (SSID) hiding

Each wireless access point has a Service Set Identifier (SSID) which is broadcasted
without restrictions to allow wireless devices to search and identify the wireless
networks that are available. Wireless devices use this SSID to create a connection
through the access point to the wireless network. Hiding the SSID makes this
access point invisible to every device. Without knowing the SSID, a person will not
be able to connect to the network; only a person who knows the hidden SSID can
set up a connection to the wireless network. However, software utilities can be
used to reveal hidden SSIDs.

B. Bluetooth Security
Bluetooth is a wireless technology which employs a radio frequency to share data
over a short distance without the need of wires or cables. Bluetooth is very
popular on laptops, mobile devices, peripherals etc. where it is used to share or
connect with other Bluetooth-enabled devices. Since this sharing is sometimes
susceptible to a variety of wireless and networking attacking such as Denial of
Service (DoS) attacks, eavesdropping, message modification, man-in-the-middle
attacks, resource misappropriation etc., Bluetooth security becomes a central
focus. For example, Bluetooth hacking can take place when a hacker uses their
own Bluetooth connection to gain access to another person’s mobile devices.
Other Bluetooth specific-attacks are Bluejacking (i.e. sending of unsolicited
messages to Bluetooth-enabled device with harmful intent), Bluesnarfing (i.e.
forcing a connection with Bluetooth-enabled device to gain access to data such as
contact list, calendar, gallery etc.), Bluesmack (i.e. a Bluetooth Denial of service
attack where devices are overwhelmed with malicious requests) etc.

Bluetooth security is a term which describe services or methods that protect or

enforce exclusivity in Bluetooth connection to only specified devices. There are
three basic means of providing Bluetooth security:
i. Authentication: In this process the identity of the communicating devices
is verified. User authentication is not part of the main Bluetooth security
elements of the specification.
ii. Confidentiality: This process prevents information being eavesdropped by
ensuring that only authorized devices can access and view the data.
iii. Authorization: This process prevents access by ensuring that a device is
authorized to use a service before enabling it to do so.

The following tips are essential for safe Bluetooth usage

i. Once Bluetooth pairing process is completed with another device, the
device’s “discoverable” mode should be turned off.
 ii. Use strong passkey that is randomly generated when pairing Bluetooth
devices and never enter passkeys when unexpectedly prompted for
them
iii. Refrain from transmitting sensitive information using the Bluetooth-
enabled device as it might be sniffed.
iv. Remove lost or stolen devices from device lists.
v. Avoid receiving or accepting attachments or applications on your mobile
devices as random. Always check that all pairing or requests are initiated
by your device or from known sources.

C. Smartphone/Mobile device Security

A mobile device is a portable small handheld digital device such as mobile phone,
tablet, smart sensors etc. Mobile devices are now commonly connected with the
Internet and are used by individuals as online storage devices. Due to the
sensitive nature of these stored data (e.g. business information, bank details,
social security number, NIN, BVN etc.), a number of security features and apps
can be activated on mobile devices to provide protection. This protection
becomes necessary because mobile devices are usually effectively utilized when
connecting to Internet or other connections. Therefore, smartphone/mobile
device security describes software tools that are provided by the manufacturers
of mobile phones or third party apps that ensure users’ privacy while
guaranteeing protection of sensitive resources e.g. apps, documents, Internet
connection etc.

The following steps are important in keeping mobile devices secure:

i. Use a graphical password or PIN
Enable a relatively strong pattern password to restrict access to mobile
devices. In addition, a passcode or password can also be enabled to provide
a two-factor authentication especially if your device is highly sensitive. This
kind of protection prevents unauthorized individuals from getting access to
your device.

ii. Manage your connections

Mobile devices often provide a number of connection options such as Wi-
Fi, Bluetooth, Flight mode, hotspot/tethering, mobile networks, data usage
 etc. Proper management of these connection types is very important in
keeping mobile devices secure and safe. Therefore, users should have a
good understanding of how these connections works and what security
options are available for each connection type. Users can locate the
connection options by navigating to Settings on their mobile devices and
explore the useful security information for safe use of their devices. For
instance, turning off wireless and Bluetooth connections can restrict
authorized access to your mobile device.

iii. Back up content

It is a good practice to regularly backup sensitive data on mobile devices to
another device or virtual online storage (e.g. Google Drive, OneDrive) in
order to ensure prompt restoration after unforeseen events such as
attacks, theft, physical damage etc.

iv. Manage apps installation and sharing

Apps are common sources of threat to mobile devices. Therefore, adequate
attention should be ensured when installing and sharing apps. Ensure that
your apps are installed from trusted sources as apps from unofficial source
are often backdoor for hackers to exploit your devices. The following risks
are associated with apps from unknown sources:
a. Apps from unknown sources can exploit the technical support and
security controls on your device e.g. they can enable download from
unknown sources in your devices’ app management.
b. These apps can share your sensitive data in an online black market as
they automatically gain permission to your contacts, images and
location without your knowledge
c. These apps can slow down the performance of your application and
devices as necessary quality tested are not found in such apps.
d. Apps from unknown sources may come with detriment hidden costs
for the user by logging individuals to unauthorized background
services that can waste the resources of mobile devices.

D. Operating System Security

Operating systems (OS) are programs that control the computer, manage
storage, schedule computing tasks and responsible for communication with
 other devices such as routers, keyboards, CPU etc. Basically, the computer’s
OS manages its memory, processes and all its software and hardware.
Therefore, the security of OS is essentially related to the safe use of computers
for any task or job.

Operating system security is the process of ensuring OS availability, confidentiality

and integrity. It also involves measures taken to protect the operating system
from threats such as viruses, worms, malware and remote hacker intrusions.

Threats to Operating System

There are various threats to the operating system. Some of them are as follows:

i. Malware
It contains viruses, worms, Trojan horses, and other dangerous software.
These are generally short code snippets that may corrupt files, delete the
data, replicate to propagate further, and even crash a system.

ii. Network Intrusion

Network intruders are classified as masqueraders, misfeasors, and
unauthorized users. A masquerader is an unauthorized person who gains
access to a system and uses an authorized person's account. A misfeasor is
a legitimate user who gains unauthorized access to and misuses programs,
data, or resources. A rogue user takes supervisory authority and tries to
evade access constraints and audit collection.

iii. Buffer Overflow

It is also known as buffer overrun. It is the most common and dangerous
security issue of the operating system. It is defined as a condition at an
interface under which more input may be placed into a buffer and a data
holding area than the allotted capacity, and it may overwrite other
information. Attackers use such a situation to crash a system or insert
specially created malware that allows them to take control of the system.

OS Security Methods
To ensure OS security, the following methods can be employed:

i. Authentication
OS is responsible for implementing security system where every users and
their associated programs are identified. This process is called
authentication and it can be achieved by using Username/Password, user
attribution, One Time passwords etc.

ii. Firewalls
OS provides for Firewalls which are security programs that monitor all the
incoming and outgoing traffic. Firewalls ensures local security by providing
definition for allowable traffic within a computer system to protect network
system or local systems from any network-based security threat.

iii. Monitor OS security policies and procedures

OS policy defines the procedures for ensuring that the operating system
maintains a specific level of security that handle all preventative activities.
OS policy may include the followings:
a. Installing and updating anti-virus software
b. Ensure the systems are updated regularly
c. Implementing user management policies to protect user accounts and
privileges
d. Installing a firewall and provides definitions for all incoming and
outgoing traffic.

An example of OS security in Windows 10 OS is the Windows Defender which

provides anti-virus protection. The protection system offers the following
types of scans:
 Quick scan – This searches for viruses in locations where they are most
likely to occur
 Full scan – This searches the entire computer for viruses but will be
time-consuming and affect the system’s performance when it is running
 Custom scan – This allows users to choose which files and location
where scanning is to be restricted to.
  Window Defender Offline scan – This helps to find difficult to remove
malicious software

Windows Defender Security Center is a central location to view status and

manage security features such as firewalls and antivirus

CHAPTER FOUR
VULNERABILITY MANAGEMENT
4.1 OVERVIEW OF VULNERABILITY MANAGEMENT
Since flaws or weaknesses are inherent characteristics of any design, be it
software or hardware, it is important that such weaknesses are continuously
given attention to prevent exploitation by computer criminals or hackers. In some
cases, what is exploited as a system’s weakness may be a deliberate design issue
created by software vendors’/hardware manufacturers for maintenance or
administrative purposes. For instance, a programmer may sometimes install a
backdoor (i.e. a method of bypassing normal security mechanisms or
authentication) so that the program can be accessed for troubleshooting or other
purposes without disrupting the software. Whether installed as an
administrative/maintenance tool or unanticipated weakness, there are always
computer criminals/hackers looking for system’s vulnerability to exploit. When
flaws are exploited, hackers can take control of the systems or servers, record
users’ keystroke on the keyboard, steal authentication details, conduct
unauthorized financial transactions, initiate identity theft etc. Hence,
vulnerability management is a central issue in computer security.

Vulnerability management is the practice of identifying, classifying, remediating,

and mitigating system flaw. This practice generally refers to software
vulnerabilities in computing systems.

4.2 SOURCES OF VULNERABILITIES IN COMPUTER SYSTEMS

Vulnerabilities are found in software due to a number of factors. These factors
range from computer language support to programmer’s unanticipated scenarios.
For instance, a programmer may use C++ to develop a web application without
much validation support. In this case, the problem of dangling pointers in C++ can
be exploited by hackers while inadequate validation support may crash the
application due to unformatted data in the system’s database. The window of
vulnerability is the time from when the security hole was introduced or
manifested in deployed software, to when access was removed, a security fix was
available/deployed, or the attacker was disabled. Common types of software
flaws that lead to vulnerabilities include:
a. Input validation errors are errors which occur when programs is
susceptible to incorrect data processing activities due to absence of validation
constraints or check routines e.g. Format string attacks, SQL injection, Code
injection, E-mail injection, Directory traversal, Cross-site scripting in web
applications, HTTTP header injection, HTTP response splitting etc.
b. Privilege-confusion bugs are computer program that innocently fool some
other programs into misusing their authority which sometimes results to privilege
escalation. A privilege escalation is the act of exploiting design flaw in an
operating system or software application to gain elevated access to resources that
are normally protected from an application or user e.g. Click jacking, Cross-site
request forgery, FTP bounce attack, Jail breaking, session fixation, keystroke
logging etc.
c. Race conditions: A race condition or race hazard is the behavior of an
electronic or software system where the output is dependent on the sequence or
timing of other uncontrollable events. It becomes a bug when events do not
happen in the order the programmer intended e.g. time of check to time of use
bugs, symlink races etc.
d. Memory safety violations are violations in which program executions are
not memory safe. Memory safety is a concern in software development that aims
to avoid software bugs that cause security vulnerabilities dealing with random-
access memory (RAM) access e.g. buffer overflows, dangling pointers, stack
overflow, allocation failures, wild pointers, null pointer accesses, invalid free
memory error, double free memory error etc.

4.3 VULNERABILITY ASSESSMENT

A vulnerability assessment is a systematic review of security weaknesses in an
information system. Vulnerability assessment evaluates if the system is
susceptible to any known vulnerabilities, assigns severity levels to those
vulnerabilities, and recommends remediation or mitigation, if and whenever
needed. There are several types of vulnerability assessments which include:
1. Host assessment – The assessment of critical servers, which may be
vulnerable to attacks if not adequately tested or not generated from a
tested machine image.
2. Network and wireless assessment – The assessment of policies and
practices to prevent unauthorized access to private or public networks and
network-accessible resources.
3. Database assessment – The assessment of databases or big data systems
for vulnerabilities and misconfigurations, identifying rogue databases or
insecure dev/test environments, and classifying sensitive data across an
organization’s infrastructure.
4. Application scans – The identifying of security vulnerabilities in web
applications and their source code by automated scans on the front-end or
static/dynamic analysis of source code.

4.3 SECURITY SCANNING PROCESS IN VULNERABILITIES ASSESSMENT

To fix flaws in computing systems, a security scanning process is often employed.
Scanning is a security method used to identify weakness in a computer system. In
a typical vulnerabilities assessment, the security scanning process usually consists
of four steps namely testing, analysis, assessment and remediation (Fig. 4a).
Fig. 4a. Security scanning process

1. Vulnerability identification (testing)

The objective of this step is to draft a comprehensive list of an application’s
vulnerabilities. Security analysts test the security health of applications, servers or
other systems by scanning them with automated tools, or testing and evaluating
them manually. Analysts also rely on vulnerability databases, vendor vulnerability
announcements, asset management systems and threat intelligence feeds to
identify security weaknesses.

2. Vulnerability analysis
The objective of this step is to identify the source and root cause of the
vulnerabilities identified in step one.
It involves the identification of system components responsible for each
vulnerability, and the root cause of the vulnerability. For example, the root cause
of a vulnerability could be an old version of an open source library. This provides a
clear path for remediation – upgrading the library.

3. Risk assessment
The objective of this step is the prioritizing of vulnerabilities. It involves security
analysts assigning a rank or severity score to each vulnerability, based on such
factors as:
a. Which systems are affected.
 b. What data is at risk.
c. Which business functions are at risk.
d. Ease of attack or compromise.
e. Severity of an attack.
f. Potential damage as a result of the vulnerability.

4. Remediation
The objective of this step is the closing of security gaps. It’s typically a joint effort
by security staff, development and operations teams, who determine the most
effective path for remediation or mitigation of each vulnerability.
Specific remediation steps might include:
a. Introduction of new security procedures, measures or tools.
b. The updating of operational or configuration changes.
c. Development and implementation of a vulnerability patch.
Vulnerability assessment cannot be a one-off activity. To be effective,
organizations must operationalize this process and repeat it at regular intervals.

4.4 VULNERABILITY ASSESSMENT TOOLS

Vulnerability assessment tools are designed to automatically scan for new and
existing threats that can target your application. Types of tools include:
a. Web application scanners that test for and simulate known attack
patterns.
b. Protocol scanners that search for vulnerable protocols, ports and
network services.
c. Network scanners that help visualize networks and discover warning
signals like stray IP addresses, spoofed packets and suspicious packet
generation from a single IP address.
It is a best practice to schedule regular, automated scans of all critical IT systems.
The results of these scans should feed into the organization’s ongoing
vulnerability assessment process.
4.5 WHAT DOES VULNERABILITY SCANNING MEAN?
Vulnerability scanning is a security technique used to identify security weaknesses
in a computer system. Vulnerability scanning can be used by individuals or
network administrators for security purposes, or it can be used by hackers
attempting to gain unauthorized access to computer systems.
The downside of vulnerability scanning is that it can inadvertently result in
computer crashes during the actual scan if the operating system views the
vulnerability scan as invasive. Vulnerability scanners range from very expensive
enterprise-level products to free open-source tools.
Types of vulnerability scanners include:
i. Port Scanner: Probes a server or host for open ports
ii. Network Enumerator: A computer program used to retrieve
information about users and groups on networked computers

iii. Network Vulnerability Scanner: A system that proactively scans for

network vulnerabilities

iv. Web Application Security Scanner: A program that communicates with

a Web application to find potential vulnerabilities within the application
or its architecture
CHAPTER FIVE
CONCEPT OF COMPUTER ATTACKS
5.1 OVERVIEW OF COMPUTER ATTACK
In computer and computer networks, an attack is any attempt to destroy, expose,
alter, disable, steal or gain unauthorized access to or make unauthorized use of
an asset. An attack can be active or passive. An active attack attempts to alter
system resources or affect their operation. In this way, active attack compromises
the Integrity or Availability of a system. On the other hand, a passive attack
attempts to learn or make use of information from the system but does not affect
system resources (i.e. it compromises Confidentiality).
Similarly, an attack can be perpetrated by an insider or from outside the
organization.
An inside attack is an attack initiated by an entity inside the security perimeter,
i.e., an entity that is authorized to access system resources but uses them in a
way not approved by those who granted the authorization.
An outside attack is initiated from outside the perimeter, by an unauthorized or
illegitimate user of the system. In the Internet, potential outside attackers range
from amateur hackers to organized criminals, international terrorists, cyber
espionage and hostile governments.

5.2 TAXONOMY OF COMPUTER ATTACKS

The concept of taxonomy of computer attacks describes the science or the
techniques used to make a classification for various attacks in computer and its
associated devices. The numbers of computer attacks are numerous and newer
attacks are recorded every moment. The threat of computer attacks has now
become sophisticated with the incidence of internet-based attacks called cyber-
attacks.

Essentially, the taxonomy of security attacks is often based on the concept of CIA
(Figure 5a). The CIA describes the goals of a secured system and anything that
threatened the triad results in attacks on the computer system.

Security Attacks

Attacks on Confidentiality Attacks on Integrity Attacks on Availability

Snooping Attacks
Traffic Analysis
Dumpster attack
Modification Attacks Denial of Service Attacks
Masquerading (Spoofing)
Man-in-the-Middle Attacks
Replay Attacks
Repudiation Attacks

Fig 5a. Taxonomy of Computer Attacks

A. Attacks on Confidentiality
These are classes of attacks that learn or monitor a system or a network or any
information system without altering the operations of the infrastructure upon
which the attacks are directed. In this way, the benign user may not know that the
system is being monitored by an external entity. Generally, these classes of
attacks are passive in nature. Some examples of attacks on Confidentiality are
described as follows:

i. Snooping
This is an unauthorized access to another person's or company's data.
Snooping can include casual observance of an e-mail that appears on
another's computer screen or watching what someone else is typing.
More sophisticated snooping uses software programs to remotely
monitor activity on a computer or network device. In addition, hackers
employ malicious keyloggers program to monitor keystrokes, capture
passwords and login information. Although snooping has a negative
connotation in general, in computer technology snooping can refer to
any program or utility that performs a monitoring function. For instance,
corporations sometimes snoop on employees legitimately to monitor
their use of business computers and track Internet usage; governments
may snoop on individuals to collect information and avert crime and
terrorism. In addition, a snoop server may be used to capture network
traffic for analysis, and the snooping protocol monitors information on a
computer bus to ensure efficient processing.

ii. Traffic Analysis

This is the process of intercepting and examining messages in order
to deduce information from patterns in communication. It can be
performed even when the messages are encrypted and cannot
be decrypted. In general, the greater the number of messages observed,
or even intercepted and stored, the more can be inferred from the
 traffic. Traffic analysis can be performed in the context of military
intelligence, counter-intelligence, or pattern-of-life analysis, and is a
concern in computer security.

B. Attacks on Integrity
These are attacks that inserts a malicious message into a legitimate
communication or disrupts or affects the working of an information system.
Attacks of integrity often result in active attacks in which the operation of the
system or network is significantly affected. In worst scenarios, these attacks
destroy useful data or bring down an entire computer infrastructure for days.
Thus, both individuals and cooperate organizations should be on guard to prevent
this class of attack.

i. Modification Attacks
Modification attacks involve the deletion, insertion, or alteration of
information in an unauthorized manner that is intended to appear genuine
to the user. These attacks can be very hard to detect. The motivation of this
type of attack may be to plant information, change grades in a class, alter
credit card records, or something similar. Website defacements are a
common form of modification attacks.

ii. Masquerading
This attack is also called spoofing. It is an attack that uses a fake identity,
such as a network identity, to gain unauthorized access to personal
computer information through legitimate access identification.
Masquerade attacks can be perpetrated using stolen passwords and logons,
by locating gaps in programs, or by finding a way around the authentication
process. The attack can be triggered either by someone within the
organization or by an outsider if the organization is connected to a public
network.
iii. Replay Attack
This is also known as playback attack which is a form of network attack in
which a valid data transmission is maliciously or fraudulently repeated or
delayed. This is carried out either by the originator or by an adversary who
intercepts the data and retransmits it.

iv. Man-in-the-middle Attack

This attack (often abbreviated to MITM, MitM, MIM, MiM or MITMA)
requires an attacker to have the ability to both monitor and alter or inject
messages into a communication channel. One example is
active eavesdropping, in which the attacker makes independent
connections with the victims and relays messages between them to make
them believe they are talking directly to each other over a private
connection, when in fact the entire conversation is controlled by the
attacker. The attacker must be able to intercept all relevant messages
passing between the two victims and inject new ones.

v. Repudiation Attack
This is an attack in which one of the parties involved in a communication
later denied the knowledge of the transaction.
 C. Attacks on Availability
This is another class of active attacks in which access to information resources
(e.g. customers’ details on a bank website, citizen’s information on government
website etc.) on a network or local machine or a server or Internet is disrupted.
The motivation for this class of attack is to deny users access to information
infrastructure, thereby resulting in loss of trust in computerized systems and low
usability.

i. Denial-of-Service (DoS)
This attack prevents or attempts to block access to authorized resources
by legitimate users. For example, an attacker may try to bring down an
e-commerce website to prevent or deny usage by legitimate customers
in a typical DoS. This is often achieved by using a large group of
compromised systems called Zombies or multiple computerized systems
by hackers which overloads the target infrastructure with requests
beyond the computing capacity of the system. This type of attack is
called Distributed Denial of Service attacks (DDoS). These attacks can
deny access to information, applications, systems, or communications.
DoS attacks generally take one of two forms. They either flood
system/web services or crash them.

Examples of DoS Attacks

1. Ping broadcast
This often involves a ping request packet that is sent to a broadcast
network address where there are many hosts. The source address is shown
in the packet to be the IP address of the computer to be attacked. If the
 router to the network passes the ping broadcast, all computers on the
network will respond with a ping reply to the attacked system. The attacked
system will be flooded with ping responses which will cause it to be unable
to operate on the network for some time, and may even cause it to lock up.
The attacked computer may be on someone else's network. One
countermeasure to this attack is to block incoming traffic that is sent to a
broadcast address.

2. Smurf
An attack where a ping request is sent to a broadcast network address with
the sending address spoofed so many ping replies will come back to the
victim and overload the ability of the victim to process the replies.

3. Teardrop
A normal packet is sent. A second packet is sent which has a fragmentation
offset claiming to be inside the first fragment. This second fragment is too
small to even extend outside the first fragment. This may cause an
unexpected error condition to occur on the victim host which can cause a
buffer overflow and possible system crash on many operating systems.
Prevention tips for DoS attacks
The golden rule for attack prevention in computer security is: The earlier you can
identify an attack-in-progress, the quicker you can contain the damage. The
followings are some prevention tips for mitigating Dos attacks:

i. Method 1: Get help recognizing attacks

Software security organization often use technology or anti-DDoS services
to help defend themselves. These can help you recognize between
legitimate spikes in network traffic and a DDoS attack.

ii. Method 2: Contact your internet service provider

If you find your network or system is under attack, you should notify your
Internet Service Provider as soon as possible to determine if your traffic can
 be rerouted. Having a backup ISP is a good idea, too. Also, consider services
that can disperse the massive DDoS traffic among a network of servers.
That can help render an attack ineffective.

iii. Method 3: Investigate black hole routing

Internet service providers can use “black hole routing.” It directs excessive
traffic into a null route, sometimes referred to as a black hole. This can help
prevent the targeted website or network from crashing. The drawback is
that both legitimate and illegitimate traffic is rerouted in the same way.

iv. Method 4: Configure firewalls and routers

Firewalls and routers should be configured to reject bogus traffic.
Remember to keep your routers and firewalls updated with the latest
security patches.

v. Method 5: Consider front-end hardware

Application front-end hardware is sometimes integrated into the network
before traffic reaches a server can help analyze and screen data packets.
The hardware classifies the data as priority, regular, or dangerous as they
enter a system. It can also help block threatening data.

5.3 ATTACKS TOOLS

Attack tools are malicious computer programs designed to covertly test network
for weak spots. These tools range from simple password-stealing malware and
keystroke recorders to methods of implanting sophisticated parasitic software
strings that copy data streams coming in from customers who want to perform an
ecommerce transaction. Some of the more widely used tools include these:
i. Wireless sniffers are used locate wireless signals within a certain
range. They can siphon off the data being transmitted over the
signals.
ii. Packet sniffers are used passively analyze data packets moving into
and out of a network interface, and utilities capture data packets
passing through a network interface.
 iii. Port scanners are utilities send out successive, sequential connection
requests to a target system’s ports to see which one responds or is
open to the request. Some port scanners allow the cracker to slow
the rate of port scanning—sending connection requests over a longer
period of time—so the intrusion attempt is less likely to be noticed.
These devices’ usual targets are old, forgotten “back doors,” or ports
inadvertently left unguarded after network modifications.
iv. Port knocking are used to create a secret back-door method of
getting through firewall-protected ports—a secret knock that enables
them to quickly access the network. Port-knocking tools find these
unprotected entries and implant a Trojan horse that listens to
network traffic for evidence of that secret knock.
v. Keystroke loggers are spyware utilities planted on vulnerable
systems that record a user’s keystrokes.
vi. Remote administration tools programs embedded on an
unsuspecting user’s system that allows the cracker to take control of
that system.
vii. Network scanners explore networks to see the number and kind of
host systems on a network, the services available, the host’s
operating system, and the type of packet filtering or firewalls being
used.
viii. Password crackers sniff networks for data streams associated with
passwords and then employ a brute-force method of peeling away
any encryption layers protecting those passwords.
Progress Test 5
1. Discuss the relevance of CIA in the classification of security attacks
2. Compare and contrast the concept of eavesdropping and snooping
attacks
3. Define attacks and give the taxonomy of different attacks types
4. Differentiate between inside and outside attacks
 5. Explain how network assets contribute to the prevalence of security
attacks

CHAPTER SIX
CONCEPT OF CYBER ATTACKS
6.1 OVERVIEW OF CYBER ATTACKS
A cyber-attack defines an attempt to gain illegitimate access to a computer,
computing system or computer network with the motive to disrupt the system or
cause damage. Cyber-attacks usually aim to disable, disrupt, destroy or control
computer systems or to alter, block, delete, manipulate or steal the data held
within these systems. Any individual or group can launch a cyber-attack from
anywhere by using one or more various attack strategies.
People who are involve in cyber-attacks are generally called as cybercriminals.
Often referred to as bad actors, threat actors and hackers, they include
individuals who act alone, drawing on their computer skills to design and execute
malicious attacks. They can also belong to a criminal syndicate, working with
other threat actors to find weaknesses or problems in the computer systems --
called vulnerabilities -- that they can exploit for criminal gain.
Government-sponsored groups of computer experts also launch cyber-attacks.
They're identified as nation-state attackers, and they have been accused of
attacking the information technology (IT) infrastructure of other governments, as
well as nongovernment entities, such as businesses, nonprofits and utilities.
In fact, most organizations take months to identify an attack underway and then
contain it.

6.2 MOTIVATIONS FOR CYBER ATTACKS

The motivations or intents for cyber-attacks are numerous. The main reasons for
conducting cyber-attacks include:
i. Financial gain.
Cybercriminals launch most cyber-attacks, especially those against
commercial entities, for financial gain. These attacks often aim to steal
sensitive data, such as customer credit card numbers or employee personal
information, which the cybercriminals then use to access money or goods
using the victims' identities.
ii. Disruption and revenge.
Cybercriminals sometimes conduct attacks specifically to stifle chaos,
confusion, discontent, frustration or mistrust. They could be taking such
action as a way to get revenge for acts taken against them. They could be
aiming to publicly embarrass the attacked entities or to damage the
organizations' reputations. These attacks are often directed at government
entities but can also hit commercial entities or nonprofit organizations. In
 some cases, attackers called hacktivists, might launch cyber-attacks as a
form of protest against a targeted entity, business or government
institutions

iii. Cyberwarfare
Cyberwarfare is often motivated by governments around the world against
other countries as part of ongoing political, economic and social disputes.
In fact, government sometimes acknowledge the conduct of this attack
against their foes.

6.3 FORMS OF CYBER ATTACKS

Cyber-attacks often use various techniques depending on whether the bad actors
are attacking a targeted or untargeted entity. Thus, there are two forms of cyber-
attacks namely untargeted attack and targeted attack.

i. Untargeted attack
This is a form of cyber-attack where cybercriminals try to break into as many
devices or systems as possible by looking for vulnerabilities in software
code. The intent for this is to enable them to gain access without being
detected or blocked. In some cases, this form of attack employs a phishing
attack, emailing large numbers of people with socially engineered messages
crafted to entice recipients to click a link that will download malicious code.
ii. Targeted attack
In a targeted attack, the cybercriminals are going after a specific
organization, and the methods used vary depending on the attack's
objectives. Hackers also use spear-phishing campaigns in a targeted attack,
crafting emails to specific individuals who, if they click included links, would
download malicious software designed to subvert the organization's
technology or the sensitive data it holds.
6.4 COMMON TYPES OF CYBER ATTACKS

Cyber criminals sometimes develop software tools to conduct their attacks, and
they frequently share them in so-called dark web. Cyber-attacks often happen in
stages, starting with hackers surveying or scanning for vulnerabilities or access
points, initiating the initial compromise and then executing the full attack --
whether it's stealing valuable data, disabling the computer systems or both.

Although, cyber-attacks are emerging phenomenon, the most commonly types of

cyber-attack involve the following:

i. Malware

This is malicious software that attacks information systems.

Ransomware, spyware and Trojans are examples of malware.
Depending on the type of malicious code, malware could be used by
hackers to steal or secretly copy sensitive data, block access to files,
disrupt system operations or make systems inoperable.

ii. Phishing

Phishing is an online fraudulent act that uses social engineering to

deceive Internet users and acquire their sensitive data or critical online
information. Social engineering techniques intend to acquire
unsuspecting users’ identity or sensitive confidential information
through the use of spoofed emails, fake websites, dubious online
adverts/promos, fake SMS from service providers, spear phishing etc.

iii. SMiShing

SMS phishing or smishing is an evolution of the phishing attack

methodology via text (technically known as Short Message Service, or
SMS). Hackers send socially engineered texts that download malware
when recipients click on them.

iv. Man-in-the-middle

MitM occur when attackers secretly insert themselves between two

parties, such as individual computer users and their financial
institutions. Depending on the actual attack details, this type of attack
 may be more specifically classified as a man-in-the-browser
attack, monster-in-the-middle attack or machine-in-the-middle attack.
MitM is also sometimes called an eavesdropping attack.

v. DDoS

This attack takes place when hackers bombard an organization's servers

with large volumes of simultaneous data requests, thereby making the
servers unable to handle any legitimate requests.

vi. SQL injection

SQL injection occurs when hackers insert malicious code into servers
using the Structured Query Language programming language to get the
server to reveal sensitive data.

vii. Zero-day exploit

This attack happens when hackers first exploit a newly identified

vulnerability in IT infrastructure.

viii. Domain name system (DNS) tunneling

DNS tunneling is a sophisticated attack in which attackers establish and

then use persistently available access into their targets' systems.

ix. Drive-by Download

Drive-by download, occurs when an individual visits a website that, in

turn, infects the unsuspecting individual's computer with malware.

x. Credential-based attacks

This attack occurs when hackers steal the credentials that IT workers
use to access and manage systems and then use that information to
 illegally access computers to steal sensitive data or otherwise disrupt
an organization and its operations.

xi. Credential stuffing

In this attack, cybercriminals use compromised login credentials (such

as an email and password) to gain access to other systems.

xii. Brute-force attack

This attack occurs when hackers employ trial-and-error methods to

crack login credentials such as usernames, passwords and encryption
keys, hoping that the multiple attempts pay off with a right guess.

6.5 DISTRUBUTED DENIAL of SERVICE ATTACK

Distributed Denial-of-Service (DDoS) Attack is a cybercrime in which the attacker
floods a server with internet traffic to prevent users from accessing connected
online services and sites.

Motivations for carrying out a DDoS vary widely, as do the types of individuals
and organizations eager to perpetrate this form of cyberattack. Some attacks are
carried out by disgruntled individuals and hacktivists wanting to take down a
company's servers simply to make a statement, have fun by exploiting cyber
weakness, or express disapproval.

Other distributed denial-of-service attacks are financially motivated, such as a

competitor disrupting or shutting down another business's online operations to
steal business away in the meantime. Others involve extortion, in which
perpetrators attack a company and install hostageware or ransomware on their
servers, then force them to pay a large financial sum for the damage to be
reversed.

DDoS attacks are on the rise, and even some of the largest global companies are
not immune to being "DDoS'ed". The largest attack in history occurred in
February 2020 to none other than Amazon Web Services (AWS), overtaking an
earlier attack on GitHub two years prior. DDoS ramifications include a drop in
legitimate traffic, lost business, and reputation damage.

As the Internet of Things (IoT) continues to proliferate, as do the number of

remote employees working from home, and so will the number of devices
connected to a network. The security of each IoT device may not necessarily
keep up, leaving the network to which it is connected vulnerable to attack. As
such, the importance of DDoS protection and mitigation is crucial.

A distributed denial-of-service attack is a subcategory of the more general denial-

of-service (DoS) attack. In a DoS attack, the attacker uses a single internet
connection to barrage a target with fake requests or to try and exploit a
cybersecurity vulnerability. DDoS is larger in scale. It utilizes thousands (even
millions) of connected devices to fulfill its goal. The sheer volume of the devices
used makes DDoS much harder to fight.

A. How DDoS Attacks Work

A DDoS attack aims to overwhelm the devices, services, and network of its
intended target with fake internet traffic, rendering them inaccessible to or
useless for legitimate users.

B. Botnets
Botnets are the primary way distributed denial-of-service-attacks are carried out.
The attacker will hack into computers or other devices and install a malicious
piece of code, or malware, called a bot. Together, the infected computers form a
network called a botnet. The attacker then instructs the botnet to overwhelm
the victim's servers and devices with more connection requests than they can
handle.

C. What is DDOS Attack: Attack Symptoms and How to Identify

One of the biggest issues with identifying a DDoS attack is that the symptoms are
not unusual. Many of the symptoms are similar to what technology users
encounter every day, including slow upload or download performance speeds,
the website becoming unavailable to view, a dropped internet connection,
unusual media and content, or an excessive amount of spam.
Further, a DDoS attack may last anywhere from a few hours to a few months, and
the degree of attack can vary.

D. Types of DDoS Attacks

Different attacks target different parts of a network, and they are classified
according to the network connection layers they target. A connection on the
internet is comprised of seven different “layers," as defined by the Open Systems
Interconnection (OSI) model created by the International Organization for
Standardization. The model allows different computer systems to be able to
"talk" to each other.
i. Volume-Based or Volumetric Attacks
This type of attack aims to control all available bandwidth between the victim and
the larger internet. Domain name system (DNS) amplification is an example of a
volume-based attack. In this scenario, the attacker spoofs the target's address,
then sends a DNS name lookup request to an open DNS server with the spoofed
address.

When the DNS server sends the DNS record response, it is sent instead to the
target, resulting in the target receiving an amplification of the attacker’s initially
small query.

ii. Protocol Attacks

Protocol attacks consume all available capacity of web servers or other
resources, such as firewalls. They expose weaknesses in Layers 3 and 4 of the OSI
protocol stack to render the target inaccessible.

A SYN flood is an example of a protocol attack, in which the attacker sends the
target an overwhelming number of transmission control protocol (TCP)
handshake requests with spoofed source Internet Protocol (IP) addresses. The
targeted servers attempt to respond to each connection request, but the final
handshake never occurs, overwhelming the target in the process.

iii. Application-Layer Attacks

These attacks also aim to exhaust or overwhelm the target's resources but are
difficult to flag as malicious. Often referred to as a Layer 7 DDoS attack—referring
to Layer 7 of the OSI model—an application-layer attack targets the layer where
web pages are generated in response to Hypertext Transfer Protocol (HTTP)
requests.

A server runs database queries to generate a web page. In this form of attack,
the attacker forces the victim's server to handle more than it normally does. An
HTTP flood is a type of application-layer attack and is similar to constantly
refreshing a web browser on different computers all at once. In this manner, the
excessive number of HTTP requests overwhelms the server, resulting in a DDoS.

E. DDoS Attack Prevention

Even if you know what is a DDoS attack, it is extremely difficult to avoid attacks
because detection is a challenge. This is because the symptoms of the attack may
not vary much from typical service issues, such as slow-loading web pages, and
the level of sophistication and complexity of DDoS techniques continues to grow.

Further, many companies welcome a spike in internet traffic, especially if the

company recently launched new products or services or announced market-
moving news. As such, prevention is not always possible, so it is best for an
organization to plan a response for when these attacks occur.

F. DDoS Mitigation
Once a suspected attack is underway, an organization has several options to
mitigate its effects.

i. Risk Assessment
Organizations should regularly conduct risk assessments and audits on their
devices, servers, and network. While it is impossible to completely avoid a DDoS,
a thorough awareness of both the strengths and vulnerabilities of the
organization's hardware and software assets goes a long way. Knowing the most
vulnerable segments of an organization's network is key to understanding which
strategy to implement to lessen the damage and disruption that a DDoS attack
can impose.
ii. Traffic Differentiation
If an organization believes it has just been victimized by a DDoS, one of the first
things to do is determine the quality or source of the abnormal traffic. Of course,
an organization cannot shut off traffic altogether, as this would be throwing out
the good with the bad.

As a mitigation strategy, use an Anycast network to scatter the attack traffic

across a network of distributed servers. This is performed so that the traffic is
absorbed by the network and becomes more manageable.

iii. Black Hole Routing

Another form of defense is black hole routing, in which a network administrator
—or an organization's internet service provider—creates a black hole route and
pushes traffic into that black hole. With this strategy, all traffic, both good and
bad, is routed to a null route and essentially dropped from the network. This can
be rather extreme, as legitimate traffic is also stopped and can lead to business
loss.

iv. Rate Limiting

Another way to mitigate DDoS attacks is to limit the number of requests a server
can accept within a specific time frame. This alone is generally not sufficient to
fight a more sophisticated attack but might serve as a component of a
multipronged approach.

v. Firewalls
To lessen the impact of an application-layer or Layer 7 attack, some organizations
opt for a Web Application Firewall (WAF). A WAF is an appliance that sits
between the internet and a company's servers and acts as a reverse proxy. As
with all firewalls, an organization can create a set of rules that filter requests.
They can start with one set of rules and then modify them based on what they
observe as patterns of suspicious activity carried out by the DDoS.

vi. DDoS Protection Solution

A fully robust DDoS protection solution includes elements that help an
organization in both defense and monitoring. As the sophistication and
complexity level of attacks continue to evolve, companies need a solution that
can assist them with both known and zero-day attacks. A DDoS protection
solution should employ a range of tools that can defend against every type of
DDoS attack and monitor hundreds of thousands of parameters simultaneously.

6.6 SQL INJECTION

SQL injection (SQLi) is a web security vulnerability that allows an attacker to
interfere with the queries that an application makes to its database. It generally
allows an attacker to view data that they are not normally able to retrieve. This
might include data belonging to other users, or any other data that the
application itself is able to access. In many cases, an attacker can modify or
delete this data, causing persistent changes to the application's content or
behavior.

In some situations, an attacker can escalate an SQL injection attack to

compromise the underlying server or other back-end infrastructure, or perform a
denial-of-service attack.

A successful SQL injection attack can result in unauthorized access to sensitive

data, such as passwords, credit card details, or personal user information. Many
high-profile data breaches in recent years have been the result of SQL injection
attacks, leading to reputational damage and regulatory fines. In some cases, an
attacker can obtain a persistent backdoor into an organization's systems, leading
to a long-term compromise that can go unnoticed for an extended period.

A. SQL injection examples

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques,
which arise in different situations. Some common SQL injection examples
include:

Retrieving hidden data, where you can modify an SQL query to return additional
results.
Subverting application logic, where you can change a query to interfere with the
application's logic.
UNION attacks, where you can retrieve data from different database tables.
Examining the database, where you can extract information about the version
and structure of the database.
Blind SQL injection, where the results of a query you control are not returned in
the application's responses.

B. Blind SQL injection vulnerabilities

Many instances of SQL injection are blind vulnerabilities. This means that the
application does not return the results of the SQL query or the details of any
database errors within its responses. Blind vulnerabilities can still be exploited to
access unauthorized data, but the techniques involved are generally more
complicated and difficult to perform.

Depending on the nature of the vulnerability and the database involved, the
following techniques can be used to exploit blind SQL injection vulnerabilities:

i. You can change the logic of the query to trigger a detectable difference in
the application's response depending on the truth of a single condition.
This might involve injecting a new condition into some Boolean logic, or
conditionally triggering an error such as a divide-by-zero.
ii. You can conditionally trigger a time delay in the processing of the query,
allowing you to infer the truth of the condition based on the time that the
application takes to respond.
iii. You can trigger an out-of-band network interaction, using OAST
techniques. This technique is extremely powerful and works in situations
where the other techniques do not. Often, you can directly exfiltrate data
via the out-of-band channel, for example by placing the data into a DNS
lookup for a domain that you control.

C. How to detect SQL injection vulnerabilities

The majority of SQL injection vulnerabilities can be found quickly and reliably
using Burp Suite's web vulnerability scanner.
SQL injection can be detected manually by using a systematic set of tests against
every entry point in the application. This typically involves:

i. Submitting the single quote character ' and looking for errors or other
anomalies.
ii. Submitting some SQL-specific syntax that evaluates to the base (original)
value of the entry point, and to a different value, and looking for systematic
differences in the resulting application responses.
iii. Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for
differences in the application's responses.
iv. Submitting payloads designed to trigger time delays when executed within
an SQL query, and looking for differences in the time taken to respond.
v. Submitting OAST payloads designed to trigger an out-of-band network
interaction when executed within an SQL query, and monitoring for any
resulting interactions.

D. How to prevent SQL injection?

Most instances of SQL injection can be prevented by using parameterized queries
(also known as prepared statements) instead of string concatenation within the
query.
Parameterized queries can be used for any situation where untrusted input
appears as data within the query, including the WHERE clause and values in an
INSERT or UPDATE statement. They can't be used to handle untrusted input in
other parts of the query, such as table or column names, or the ORDER BY clause.
Application functionality that places untrusted data into those parts of the query
will need to take a different approach, such as white-listing permitted input
values, or using different logic to deliver the required behavior.

For a parameterized query to be effective in preventing SQL injection, the string

that is used in the query must always be a hard-coded constant, and must never
contain any variable data from any origin. Do not be tempted to decide case-by-
case whether an item of data is trusted, and continue using string concatenation
within the query for cases that are considered safe. It is all too easy to make
mistakes about the possible origin of data, or for changes in other code to violate
assumptions about what data is tainted.
6.7 PHISHING ATTACK

Phishing is an online fraudulent act that uses social engineering and technical
subterfuge to deceive Internet users and acquire their sensitive data or critical
online information. Social engineering techniques intend to acquire unsuspecting
users’ identity or sensitive confidential information through the use of spoofed
emails, fake websites, dubious online adverts/promos, fake SMS from service
providers or online companies, spear phishing etc. The ultimate goal of phisher
using the method is to urge users to click on a link which redirects users to a
phishing website with the look and feel of the known benign website. In this way,
the user is tricked to divulge financial or personal data such as credit card
numbers, answer to security questions, passwords, PIN etc. using a sense of
urgency or emotion. The common targets in social engineering schemes include
big corporations, financial institutions, payment companies, military and
government agencies who have a large number of users or subscribers.

Phishing Process
Basically, a typical phishing attack begins with an unauthenticated message
crafted by phishers. Other ways a phisher may start an attack include short
message services, social media sites, online advertisements, online promos,
online blogs, instant messaging services etc. These messages arrived at the client
or user’s machine in the form of email, e-advert, SMS, websites etc. with brand
logos and call centre number of a known company. One of the core features of
these messages is their deceptive view which may not be easily identified even to
an experienced IT-expert. The user falls for a phish by actively following the
instruction in the message through performing a click action or download action.
In the end, the user’s actions result in the execution of phishers’ payload. A
payload is the functional part of a phisher’s code where their malicious intention
is achieved.
Table 1: Evolution of phishing incidences from 1996-2020
S/ Year Events
N

1 1996 Term “phishing” was first used

2 1997 Media declared the evolution of a new attack called phishing

3 1998 Attackers started using message and newsgroups

4 1999 Use of mass mailing to escalate the phishing attacks

5 2000 First use of key loggers for targeting login credentials

6 2001 Use of URLs to direct victim to a fake site

7 2002 Use of screen loggers

8 2003 Use of IM and IRC

9 2004 Evolution of pharming attacks using DNS redirection

10 2005 Spear phishing came into vogue

11 2006 Phishing based on Voice over IP was first used.

12 2007 More than $3 billion lost to phishing scams

13 2009 Symantec hosted services blocked phishing attacks affecting large numbers
of organizations worldwide.

14 2010 Facebook attracted more phishing attacks than Google and IRS

15 2012 6 billion unique malware samples were identified.

16 2013 Red October operation attacked more than 69 countries

17 2014 750,000 malicious emails were sent using IoT devices

18 2015 Spear phishing reached its peak in manufacturing and wholesale industries.

19 2017 Emergence of W-2 phishing affecting more than 76% of global organizations

20 2018 Ransomware using phishing email becomes increasingly being used by

hackers
21 2019 Critical infrastructure became target of ransomware-based phishing attacks

22 2020 Emergence of Corona-virus phishing attacks using fake health info by

mimicking reputable organization such as World Health Organization

a. Website phishing: This is a kind of phishing attack in which a malicious

website assumes the functionalities of a legitimate website in order to
deceive internet users to obtain their sensitive personal information. It
typically involves the use of weblink manipulation, browser
vulnerabilities, Java Scripts etc.
b. Email Phishing: Email phishing is a kind of phishing attack which involves
the forgery of an email header so that the message appears to have
originated from a legitimate source. The goal is to get the recipients to
open and possibly even respond to, a solicitation through tricks such as
“verify your account” or “confirm your password” etc. Email phishing is
possible because the Simple Mail Transfer Protocol does not provide a
mechanism for address authentication in email communication.

c. Spear Phishing: This is an email spoofing attack that targets specific

organization or individual through customized greeting where the name
of the victim is usually mentioned, seeking unauthorized access to
sensitive information. This kind of phishing attack becomes easier
nowadays as more and more personal information is publicly available
at online social networks. The success of spear phishing depends on
three things:
i. The source of spear phishing appears to be a known, credible and
trusted individual or organization
ii. There is information within the message that supports its validity
and credibility.
iii. The request of spear phishing seems to have a logical basis or
established tradition
d. Fake promo/adverts: Fraudsters sometimes create an advertisement on
Google AdWords for keywords relating to the website they are
mimicking. Sometimes, these fake advertisements appear as the first
 result at the top of the search page, which lead unsuspecting users to a
phishing website. Also, phishers spoofed genuine news website and
create fake news to discredit individual, sow discord, harvest users’
credentials or to generate profit
e. SMS phishing/Smishing: This a form of phishing attack conducted via
SMS in an attempt to entice a victim into revealing personal information
via a link that leads to a phishing website.
f. Blog/Forum phishing: This is a form of a phishing attack in which
malicious links are embedded into a blog or forum.
g. VOIP phishing: This involves making phone calls to a user and asks the
user to dial a number or request for a piece of particular information.
This is mostly done with a fake caller ID
h. Instant messaging or chat phishing: This is the use of a malicious link in
an instant message for the purpose of conducting a phishing attack.
On the other hand, the technical subterfuge methods use a variety of malicious
programs which are installed on the victims’ computer unknowingly. It uses
methods such as DNS poisoning, content injection, host file poisoning etc.
a. DNS poisoning: This a type of attack that exploits vulnerabilities in the
domain name system to divert Internet traffic away from legitimate
servers to phishing or fake ones.
b. Content Injection: This is the technique where a phisher modifies a part
of the content on the page of a reliable website. This is done to mislead
the user to go to a page outside the legitimate website where the user
is then asked to enter personal information.
c. Host File poisoning: This refers to a method in which new entries are
injected for a website into a machine’s host file which causes
redirection to another website where user’s credentials are captured by
the phishers.
d. Keylogger/Tab nabbing: This is a technique in which the user’s input is
unknowingly recorded by a crimeware installed by phisher after user
may have navigated through a fake page.
e. False search engine optimization: Some phishing attacks involve search
engines which direct an unsuspecting user to certain online shopping
sites where the cost of product/services are comparatively lower.
f. Session Hijacking: This is an attack where a phisher exploits a web
session control mechanism to steal information from a user. In a simple
form, a phisher can use a sniffer to intercept relevant information so
that he can access the Web server illegally.
g. System reconfiguration attack: This is a kind of phishing attack where a
user receives a message asking to reconfigure the computer settings
with a web address which appears to be a trusted source. It can either
be achieved using pharming or proxy attack. In pharming attack, the
host file of the victim’s system is altered so that the target address is
redirected to some other malicious location. In a proxy attack, Internet
traffic is passed from a victim’s machine to a server where a phisher is
able to extract personal confidential information.
h. Ransomware: This is a malicious software which denies access to a
device or file after a user may have opened a phishing email containing
such programs until a ransom is paid.

verify your
account
message

You have your

won a free account is
ticket
Email suspend

Phishing
email confirm
header your
forgery password

Figure 4: Email Phishing Tactic

 Figure 5. A typical spear-phishing email

A. Anti-Phishing Solutions
There has been a great volume of research works in the area of fighting phishing
attacks. The proposed solutions usually come as either user awareness training
programme on phishing related activities or phishing detection or phishing
prevention. While the user training is about creating awareness about phishing
activities and its associated menace, the other two methods are about software-
based solutions.

i. User training schemes

User training awareness programme intends to educate users through emails,
games and other mediums so that users themselves can identify phishing attacks
targeted at them without influence from any sources. The idea is to encourage
anti-phishing behaviour that mitigates the inherent sense of emotion, greed and
urgency in users when tempted with phishing messages. Although, this method
increases the level of user’s awareness about phishing menace, a large population
of unsuspecting users are a novice to the working of certain browser icons such as
favicons, SSL certificates etc. which are used to communicate the authenticity of
online communication. Thus, complete reliance on this method can be greatly
harmful to the survival of online brands and their subscribers.
ii. Phishing Prevention schemes
Phishing prevention schemes are methods that stop phishing attacks through the
provision of an extra layer of security in an online authentication system. The
basic advantage of this method is that it reduces the chances of phishing attacks
from getting to their targets. Phishing prevention methods include watermarking
techniques, external authentication devices techniques, picture password-based,
dynamic security skin-based, RFID techniques, the smartcard-based.

iii. Phishing detection schemes

Phishing detection schemes are methods that identify phishing scams in an online
communication system. This is usually done through a web browser on the client-
side or through specific software at the host or through a middleware service.
Most phishing detection schemes are usually classified as search engine
optimization based, list-based (e.g. blacklists or whitelists), visual similarity
approach, DNS based, heuristics approach, machine learning-based etc. These
techniques are usually better than user training schemes as they required minimal
user training to understand the workings of the solutions. This is because access
to suspicious websites is usually blocked or users are strongly notified that the
website is fake. In addition, changes to program setup or support for particular
hardware are often not involved in this method as common to most preventive
approaches.

6.8 CYBER ATTACKS PREVENTION TIPS

There is no guaranteed way for any government, individuals or organization to
prevent or eliminate a cyber-attack, but there are numerous cybersecurity best
practices that can follow to reduce the likelihood of cyber threats.

Cyber-attacks are sometimes mitigated or reduced or prevented by relying on a

combination of skilled security professionals, processes and technology.
Prevention approach in cyber-attacks typically involves three broad categories of
defensive action:
 i. preventing attempted attacks from actually entering the organization's IT
systems;

ii. detecting intrusions; and

iii. disrupting attacks already in motion -- ideally, at the earliest possible time.

Best practices include the following:

i. implementing perimeter defenses, such as firewalls, to help block

attack attempts and to block access to known malicious domains;

ii. adopting a zero trust framework, which requires every attempt to

access an organization's network or systems -- whether it comes from
an internal user or from another system -- to verify it can be trusted.

iii. using software to protect against malware, namely antivirus software,

thereby adding another layer of protection against cyber-attacks;

iv. having a patch management program to address known software

vulnerabilities that could be exploited by hackers;

v. setting appropriate security configurations, password policies and

user access controls;

vi. maintaining a monitoring and detection program to identify and alert

to suspicious activity;

vii. instituting a threat hunting program, where security teams using

automation, intelligent tools and advanced analyses actively look for
suspicious activity and the presence of hackers before they strike.

viii. creating incident response plans to guide reaction to a breach; and

ix. training and educating individual users about attack scenarios and
how they as individuals have a role to play in protecting the
organization.
CHAPTER SEVEN
UNDERSTAND SECURITY MECHANISMS AND METHODS
7.1 DEFINITION OF SECURITY MECHANISM
A Security mechanism is a security device or tool or software on the computer
which acts to enforce selected security policies for the various users on the
system. It also denotes a technical tool or technique that is used to implement a
security service. A mechanism might operate by itself, or in conjunction with
others, to provide a particular service. Examples of security mechanisms include
access control lists, cryptography, and digital signatures.

7.2 COMPONENTS OF SECURITY MECHANISM

A. Authentication
Authentication identifies who is requesting network services. The
term authentication usually refers to authenticating users but can also refer to
authenticating devices or software processes. For example, some routing
protocols support route authentication, whereby a router must pass some criteria
before another router accepts its routing updates.
Most security policies state that to access a network and its services, a user must
enter a login ID and password that are authenticated by a security server. To
maximize security, one-time (dynamic) passwords can be used. With one-time
password systems, a user's password always changes. This is often accomplished
with a security card, also called a Smartcard. A security card is a physical device
about the size of a credit card. The user types a personal identification number
(PIN) into the card. The PIN is an initial level of security that simply gives the user
permission to use the card. The card provides a one-time password that is used to
access the corporate network for a limited time. The password is synchronized
with a central security card server that resides on the network. Security cards are
commonly used by telecommuters and mobile users. They are not usually used
for LAN access.
Authentication is traditionally based on one of three proofs:
i. Something the user knows: This usually involves knowledge of a unique
secret that is shared by the authenticating parties. To a user, this secret
appears as a classic password, a PIN, or a private cryptographic key.
ii. Something the user has: This usually involves physical possession of an
item that is unique to the user. Examples include password token cards,
security cards, and hardware keys.
iii. Something the user is: This involves verification of a unique physical
characteristic of the user, such as a fingerprint, retina pattern, voice, or
face.

Many systems use two-factor authentication, which requires a user to have two
proofs of identity. An example is an access control system that requires a security
card and a password. With two-factor authentication, a compromise of one factor
does not lead to a compromise of the system. An attacker could learn a password,
but the password is useless without the security card. Conversely, if the security
card is stolen, it cannot be used without the password.

B. Authorization
Whereas authentication controls who can access network
resources, authorization says what they can do after they have accessed the
resources. Authorization grants privileges to processes and users. Authorization
lets a security administrator control parts of a network (for example, directories
and files on servers).
Authorization varies from user to user, partly depending on a user's department
or job function. For example, a policy might state that only Human Resources
employees should see salary records for people they don't manage.
Security experts recommend use of the principle of least privilege in the
implementation of authorization. This principle is based on the idea that each
user should be given only the minimal necessary rights to perform a certain task.
Therefore, an authorization mechanism should give a user only the minimum
access permissions that are necessary. Explicitly listing the authorized activities of
each user with respect to every resource is difficult, so techniques are used to
simplify the process. For example, a network manager can create user groups for
users with the same privileges.

C. Accounting (Auditing)
To effectively analyze the security of a network and to respond to security
incidents, procedures should be established for collecting network activity data.
Collecting data is called accounting or auditing.
For networks with strict security policies, audit data should include all attempts to
achieve authentication and authorization by any person. It is especially important
to log "anonymous" or "guest" access to public servers. The data should also log
all attempts by users to change their access rights.
The collected data should include user- and hostnames for login and logout
attempts, and previous and new access rights for a change of access rights. Each
entry in the audit log should be timestamped.
The audit process should not collect passwords. Collecting passwords creates a
potential for a security breach if the audit records are improperly accessed.
Neither correct nor incorrect passwords should be collected. An incorrect
password often differs from the valid password by only a single character or
transposition of characters.
A further extension of auditing is the concept of security assessment.
With security assessment, the network is examined from within by professionals,
trained in the vulnerabilities exploited by network invaders. Part of any security
policy and audit procedure should be periodic assessments of the vulnerabilities
in a network. The result should be a specific plan for correcting deficiencies, which
might be as simple as retraining staff.
D. Data Encryption
Encryption is a process that scrambles data to protect it from being read by
anyone but the intended receiver. An encryption device encrypts data before
placing it on a network. A decryption device decrypts the data before passing it to
an application. A router, server, end system, or dedicated device can act as an
encryption or decryption device. Data that is encrypted is called ciphered data (or
simply encrypted data). Data that is not encrypted is called plain text or clear text.
Encryption is a useful security feature for providing data confidentiality. It can also
be used to identify the sender of data. Although authentication and authorization
should also protect the confidentiality of data and identify senders, encryption is
a good security feature to implement in case the other types of security fail.
There are performance tradeoffs associated with encryption, however, as
mentioned in the "Analyzing Security Tradeoffs" section earlier in the chapter.
Encryption should be used when a customer has analyzed security risks and
identified severe consequences if data is not kept confidential and the identity of
senders of data is not guaranteed. On internal networks and networks that use
the Internet simply for web browsing, email, and file transfer, encryption is
usually not necessary. For organizations that connect private sites via the
Internet, using virtual private networking (VPN), encryption is recommended to
protect the confidentiality of the organization's data.
Encryption has two parts:
 An encryption algorithm is a set of instructions to scramble and unscramble
data.
 An encryption key is a code used by an algorithm to scramble and
unscramble data.
Children sometimes play with encryption by using a simple algorithm such as "find
the letter on the top row and use the letter on the bottom row instead," and a key
that might look something like the following table:

In this example, LISA is encrypted as WTFI. The key shows only uppercase letters,
but there are many other possibilities also, including lowercase letters, digits, and
so on. Most algorithms are more complex than the one in the children's example
to avoid having to maintain a key that includes a value for each possible
character.
The goal of encryption is that even if the algorithm is known, without the
appropriate key, an intruder cannot interpret the message. This type of key is
called a secret key. When both the sender and receiver use the same secret key, it
is called a symmetric key. The Data Encryption Standard (DES) is the best known
example of a symmetric key system. DES encryption is available for most routers
and many server implementations.
Although secret keys are reasonably simple to implement between two devices,
as the number of devices increases, the number of secret keys increases, which
can be hard to manage. For example, a session between Station A and Station B
uses a different key than a session between Station A and Station C, or a session
between Station B and Station C, and so on. Asymmetric keys can solve this
problem.

E. Packet Filters
Packet filters can be set up on routers, firewalls, and servers to accept or deny
packets from particular addresses or services. Packet filters augment
authentication and authorization mechanisms. They help protect network
resources from unauthorized use, theft, destruction, and DoS attacks.
A security policy should state whether packet filters implement one or the other
of the following policies:
 Deny specific types of packets and accept all else
 Accept specific types of packets and deny all else
The first policy requires a thorough understanding of specific security threats and
can be hard to implement. The second policy is easier to implement and more
secure because the security administrator does not have to predict future attacks
for which packets should be denied. The second policy is also easier to test
because there is a finite set of accepted uses of the network. To do a good job
implementing the second policy requires a good understanding of network
requirements. The network designer should work with the security administrator
to determine what types of packets should be accepted.
The second policy in its packet filters, which is called access control lists (ACL).
ACLs let you control whether network traffic is forwarded or blocked at interfaces
on a router or switch. ACL definitions provide criteria that are applied to packets
that enter or exit an interface. Typical criteria are the packet source address, the
packet destination address, or the upper-layer protocol in the packet
F. Firewalls
A firewall is a device that enforces security policies at the boundary between two
or more networks. A firewall can be a router with ACLs, a dedicated hardware
appliance, or software running on a PC or UNIX system. Firewalls are especially
important at the boundary between the enterprise network and the Internet.
A firewall has a set of rules that specifies which traffic should be allowed or
denied. A static stateless packet-filter firewall looks at individual packets and is
optimized for speed and configuration simplicity. A stateful firewall can track
communication sessions and more intelligently allow or deny traffic. For example,
a stateful firewall can remember that a protected client initiated a request to
download data from an Internet server and allow data back in for that
connection. A stateful firewall can also work with protocols, such as active (port-
mode) FTP, that require the server to also open a connection to the client.
Another type of firewall is a proxy firewall. Proxy firewalls are the most advanced
type of firewall but also the least common. A proxy firewall acts as an
intermediary between hosts, intercepting some or all application traffic between
local clients and outside servers. Proxy firewalls examine packets and support
stateful tracking of sessions. These types of firewalls can block malicious traffic
and content that is deemed unacceptable.

7.3 INTRUSION DETECTION AND PREVENTION SYSTEMS

An intrusion detection system (IDS) detects malicious events and notifies an
administrator, using email, paging, or logging of the occurrence. An IDS can also
perform statistical and anomaly analysis. Some IDS devices can report to a central
database that correlates information from multiple sensors to give an
administrator an overall view of the real-time security of a network. An intrusion
prevention system (IPS) can dynamically block traffic by adding rules to a firewall
or by being configured to inspect (and deny or allow) traffic as it enters a firewall.
An IPS is an IDS that can detect and prevent attacks.
There are two types of IDS devices:
i. Host IDS: Resides on an individual host and monitors that host. It also
monitors the inbound and outbound packets from a device and alerts the
user or administrator if suspicious activity is detected. It takes a snapshot of
existing system files and matches it to the previous snapshot. If the critical
system files were modified or deleted, an alert is sent to the administrator
to investigate.
ii. Network IDS: Monitors all network traffic that it can see, watching for
predefined signatures of malicious events. A network IDS is often placed on
a subnet that is directly connected to a firewall so that it can monitor the
traffic that has been allowed and look for suspicious activity.

In the past a major concern with both IDS and IPS devices was the volume of false
alarms that they tended to generate. A false alarm occurs when an IDS or IPS
reports a network event as a serious problem when it actually isn't a problem.
This false-alarm problem has been ameliorated by sophisticated software and
services on modern IPS devices. Cisco IPS solutions, for example, include anomaly
detection that learns about typical actual network traffic on a customer's network
and alarms only upon deviation from that traffic. Cisco also supports reputation
filtering and global correlation services so that an IPS can keep up-to-date on
global security trends and more accurately deny traffic from networks known to
be currently associated with botnets, spam, and other malware.

A. The Intrusion Triangle

Intrusion Triangle is used to explain certain criteria which must exist before
intrusion can occur on a computer installation or infrastructure. The triangle is
presented in the Figure below. The three “legs” or points of the triangle are
shown
 i. Motive: An intruder must have a reason to want to breach the security of
your network (even if the reason is “just for fun”); otherwise, he/she
won’t bother.
ii. Means: An intruder must have the ability (either the programming
knowledge, or, in the case of “script kiddies,” the intrusion software
written by others), or he/she won’t be able to breach your security.
iii. Opportunity: An intruder must have the chance to enter the network,
either because of flaws in your security plan, holes in a software program
that open an avenue of access, or physical proximity to network
components; if there is no opportunity to intrude, the would-be hacker
will go elsewhere.

B. Intrusion Detection Tools

One of the best intrusion detection tool is Snort. It is software based, but is an
opensource so it is free and easy to configure. It has a real time signature based
network – IDS, which notifies the system administrators or attacks like port
scanners, DDOS attacks, CGI attacks, backdoors, OS finger printing.
The other IDS are −
i. BlackICE Defender
ii. CyberCop Monitor
iii. Check point RealSecure
iv. Cisco Secure IDS
 v. Vanguard Enforcer
vi. Lucent RealSecure

C. Common IDS terminologies

i. Burglar Alert/Alarm: A signal suggesting that a system has been or is
being attacked.
ii. Detection Rate: The detection rate is defined as the number of intrusion
instances detected by the system (True Positive) divided by the total
number of intrusion instances present in the test set.
iii. False Alarm Rate: defined as the number of 'normal' patterns classified as
attacks (False Positive) divided by the total number of 'normal' patterns.
iv. True Positive: A legitimate attack which triggers IDS to produce an alarm.
v. False Positive: An event signaling IDS to produce an alarm when no attack
has taken place.
vi. False Negative: When no alarm is raised when an attack has taken place.
vii. True Negative: An event when no attack has taken place and no detection
is made.
viii. Clandestine user: A person who acts as a supervisor and tries to use his
privileges so as to avoid being captured.

Progress Test 7
1. Discuss the concept of user authentication, authorization and
identification as it relates to network assets
2. Discuss the concept of intrusion detection systems
3. What is the relevance of digital signature in computer security
detection
4. Why do we set up access control systems?
5. Discuss the limitations of IDS
CHAPTER EIGHT
UNDERSTAND NETWORK SECURITY ARCHITECTURE
8.1 OVERVIEW OF SECURITY ARCHITECTURE
Network security architecture consists of the policies and practices adopted to
prevent and monitor unauthorized access, misuse, modification, or denial of
a computer network and network-accessible resources. Network security involves
the authorization of access to data in a network, which is controlled by the
network administrator. Network security covers a variety of computer networks,
both public and private, that are used in everyday jobs; conducting transactions
and communications among businesses, government agencies and individuals.
Networks can be private, such as within a company, and others which might be
open to public access. The most common and simple way of protecting a network
resource is by assigning it a unique name and a corresponding password.

8.2 Network Security Design

Following a structured set of steps when developing and implementing network

security will help you address the varied concerns that play a part in security
design. Many security strategies have been developed in a haphazard way and
have failed to actually secure assets and to meet a customer's primary goals for
security. Breaking down the process of security design into the following steps
will help you effectively plan and execute a security strategy:

1. Identify network assets.

2. Analyze security risks.

 3. Analyze security requirements and tradeoffs.

4. Develop a security plan.

5. Define a security policy.

6. Develop procedures for applying security policies.

7. Develop a technical implementation strategy.

8. Achieve buy-in from users, managers, and technical staff.

9. Train users, managers, and technical staff.

10.Implement the technical strategy and security procedures.

11.Test the security and update it if any problems are found.

12.Maintain security.

8.3 Identifying Network Assets

Network assets can include network hosts (including the hosts' operating systems,
applications, and data), internetworking devices (such as routers and switches),
and network data that traverses the network. Less obvious, but still important,
assets include intellectual property, trade secrets, and a company's reputation.

A. Analyzing Security Risks

Risks can range from hostile intruders to untrained users who download Internet
applications that have viruses. Hostile intruders can steal data, change data, and
cause service to be denied to legitimate users. Denial-of-service (DoS) attacks
have become increasingly common in the past few years.

B. Analyzing Security Requirements and Tradeoffs

In general, security requirements boil down to the need to protect the following
assets:
  The confidentiality of data, so that only authorized users can view sensitive
information

 The integrity of data, so that only authorized users can change sensitive
information

 System and data availability, so that users have uninterrupted access to

important computing resources

Security also affects network performance. Security features such as packet filters
and data encryption consume CPU power and memory on hosts, routers, and
servers. Encryption can use upward of 15 percent of available CPU power on a
router or server. Encryption can be implemented on dedicated appliances instead
of on shared routers or servers, but there is still an effect on network
performance because of the delay that packets experience while they are being
encrypted or decrypted.

Another tradeoff is that security can reduce network redundancy. If all traffic
must go through an encryption device, for example, the device becomes a single
point of failure. This makes it hard to meet availability goals.

Security can also make it harder to offer load balancing. Some security
mechanisms require traffic to always take the same path so that security
mechanisms can be applied uniformly. For example, a mechanism that
randomizes TCP sequence numbers (so that hackers can't guess the numbers)
won't work if some TCP segments for a session take a path that bypasses the
randomizing function due to load balancing.

C. Developing a Security Plan

One of the first steps in security design is developing a security plan. A security
plan is a high-level document that proposes what an organization is going to do to
meet security requirements. The plan specifies the time, people, and other
resources that will be required to develop a security policy and achieve technical
implementation of the policy. As the network designer, you can help your
customer develop a plan that is practical and pertinent. The plan should be based
on the customer's goals and the analysis of network assets and risks.

A security plan should reference the network topology and include a list of
network services that will be provided (for example, FTP, web, email, and so on).
This list should specify who provides the services, who has access to the services,
how access is provided, and who administers the services.

One of the most important aspects of the security plan is a specification of the
people who must be involved in implementing network security:

 Will specialized security administrators be hired?

 How will end users and their managers get involved?

 How will end users, managers, and technical staff be trained on security
policies and procedures?

For a security plan to be useful, it needs to have the support of all levels of
employees within the organization. It is especially important that corporate
management fully support the security plan. Technical staff at headquarters and
remote sites should buy into the plan, as should end users.

D. Developing a Security Policy

A security policy is a formal statement of the rules by which people who are given
access to an organization's technology and information assets must abide.

A security policy informs users, managers, and technical staff of their obligations
for protecting technology and information assets. The policy should specify the
mechanisms by which these obligations can be met. As was the case with the
security plan, the security policy should have buy-in from employees, managers,
executives, and technical personnel.

Developing a security policy is the job of senior management, with help from
security and network administrators. The administrators get input from
managers, users, network designers and engineers, and possibly legal counsel. As
a network designer, you should work closely with the security administrators to
understand how policies might affect the network design.

After a security policy has been developed, with the engagement of users, staff,
and management, it should be explained to all by top management. Many
enterprises require personnel to sign a statement indicating that they have read,
understood, and agreed to abide by a policy.

A security policy is a living document. Because organizations constantly change,

security policies should be regularly updated to reflect new business directions
and technological shifts. Risks change over time also and affect the security policy.

E. Components of a Security Policy

In general, a policy should include at least the following items:

I. An access policy that defines access rights and privileges. The access policy
should provide guidelines for connecting external networks, connecting
devices to a network, and adding new software to systems. An access policy
might also address how data is categorized (for example, confidential,
internal, and top secret).

II. An accountability policy that defines the responsibilities of users,

operations staff, and management. The accountability policy should specify
an audit capability and provide incident-handling guidelines that specify
what to do and whom to contact if a possible intrusion is detected.

III. An authentication policy that establishes trust through an effective

password policy and sets up guidelines for remote-location authentication.

IV. A privacy policy that defines reasonable expectations of privacy regarding

the monitoring of electronic mail, logging of keystrokes, and access to
users' files.

V. Computer-technology purchasing guidelines that specify the requirements

for acquiring, configuring, and auditing computer systems and networks for
compliance with the policy.
 F. Developing Security Procedures

Security procedures implement security policies. Procedures define configuration,

login, audit, and maintenance processes. Security procedures should be written
for end users, network administrators, and security administrators. Security
procedures should specify how to handle incidents (that is, what to do and who to
contact if an intrusion is detected). Security procedures can be communicated to
users and administrators in instructor-led and self-paced training classes.

Progress Test 5

1. What is the difference between a security plan and a security policy? How
do these two relate to each other?

2. People who are new to security often assume that security simply means
encryption. Why is this a naive assumption? What are some other aspects
of security that are just as important as encryption?
CHAPTER NINE
UNDERSTAND INFORMATION SECURITY POLICY
9.1 OVERVIEW OF SECURITY POLICY
An information security policy (ISP) is a set of rules that guide individuals who
work with IT assets. Information Security Policies serve as the backbone of any
mature information security program.

Simplified, information security policies must exist in order to direct and evaluate
the information security programs of the utility companies. Without information
security policies, violations or deviations from documented information security
policies cannot be identified and remediated.
It maintains confidentiality, availability, integrity, and asset values. A security
policy also protects the corporate from threats like unauthorized access, theft,
fraud, vandalism, fire, natural disasters, technical failures, and accidental damage.
Additionally, it protects against cyber-attack, malicious threats, international
criminal activity foreign intelligence activities, and terrorism.
The following are the goals of security policies:
To maintain an outline for the management and administration of network
security
To protect an organization’s computing resources
To eliminate legal liabilities arising from workers or third parties
To prevent wastage of company’s computing resources
To prevent unauthorized modifications of the data
To scale back risks caused by illegal use of the system resource
To differentiate the user’s access rights
To protect confidential, proprietary data from theft, misuse, and unauthorized
disclosure
9.2 Types of Security Policies
The four major forms of security policy are as following:
i. Promiscuous Policy:
This policy doesn’t impose any restrictions on the usage of system
resources. A user will access any web site, transfer any application, and
access a laptop or a network from a foreign location. whereas this may be
helpful in company businesses wherever people that travel or work branch
offices need to access the structure networks, several malwares, virus, and
Trojan threats are present on the internet and because of free net access,
this malware will return as attachments while not the data of the user.
ii. Permissive Policy:
Policy begins wide-open and only the known dangerous services/attacks or
behaviors are blocked. as a result of solely proverbial attacks and exploits
are blocked. This policy ought to be updated often to be effective.

iii. Prudent Policy:

A prudent policy starts with all the services blocked. The administrator
permits safe and necessary services singly. It logs everything, like system and
network activities. It provides most security whereas permitting only
proverbial however necessary dangers.
iv. Paranoid Policy:
A paranoid policy forbids everything. There’s a strict restriction on all use of
company computers, whether or not it’s system usage or network usage.
There’s either no net association or severely restricted net usage. Because of
these to a fault severe restrictions, users typically try and notice ways that
around them.

9.3 Examples of Security Policies:

Given below square measure samples of security policies that organizations use
worldwide to secure their assets and vital resources.

i. Access management Policy:

 Access management policy outlines procedures that facilitate in protective
the structure resources and also the rules that management access to
them. It permits organizations to trace their sets.

ii. Remote-Access Policy:

A remote-access policy contains a collection of rules that define authorized
connections. It defines who will have remote access, the access medium
and remote access security controls. This policy is critical in larger
organizations during which networks are geographically unfold, and people
during which employees work from home.

iii. Firewall-Management Policy:

A firewall-management policy defines a standard to handle application
traffic, like net or e-mail. This policy describes the way to manage, monitor,
protect, and update firewalls within the organization. It identifies network
applications, vulnerabilities related to applications, and creates an
application-traffic matrix showing protection strategies.

iv. Network-Connection Policy:

A network-connection policy defines the set of rules for secure network
connectivity, including standards for configuring and extending any part of
the network, policies related to private networks, and detailed information
about the devices attached to the network. It protects against unauthorized
and unprotected connections that allow hackers to enter into the
organization’s network and affect data integrity and system integrity. It
permits only authorized persons and devices to connect to the network and
defines who can install new resources on the network, as well as approve
the installation of new devices, and document network changes, etc.

9.4 Key elements in a security policy

Some of the key elements of an organizational information security policy
include the following:
i. statement of the purpose;
ii. statement that defines who the policy applies;
iii. statement of objectives, which usually encompasses the CIA triad;
 iv. authority and access control policy that delineates who has access to
which resources;
v. data classification statement that divides data into categories of
sensitivity -- the data covered can range from public information to
information that could cause harm to the business or an individual if
disclosed;
vi. data use statement that lays out how data at any level should be handled
-- this includes specifying the data protection regulations, data backup
requirements and network security standards for how data should be
communicated, with encryption, for example;
vii. statement of the responsibilities and duties of employees and who will
be responsible for overseeing and enforcing policy;
viii. security awareness training that instructs employees on security best
practices -- this includes education on potential security threats, such as
phishing, and computer security best practices for using company
devices; and
ix. effectiveness measurements that will be used to assess how well security
policies are working and how improvements will be made.
CHAPTER TEN
SECURITY SYSTEM DEVELOPMENT LIFE CYCLE
10.1 OVERVIEW OF SECURITY SYSTEM DEVELOPMENT LIFE CYCLE
Each of the phases of the SDLC should include consideration of the security of
the system being assembled as well as the information it uses. This means that
each implementation of a system is secure and does not risk compromising the
confidentiality, integrity, and availability of the organization’s information assets
security of software applications and databases has become as important as the
software and data itself. Security forms a major aspect of the business
development process.

10.2 STAGES OF SECURITY SYSTEM DEVELOPMENT LIFE CYCLE

Security System Development Life Cycle is defined as the series of processes and
procedures in the software development cycle, designed to enable development
teams to create software and applications in a manner that significantly reduces
security risks, eliminating security vulnerabilities and reducing costs.
Each of the example SDLC phases includes a minimum set of security steps
needed to effectively incorporate security into a system during its development

i. Investigation/Analysis Phases
Security categorization—defines three levels (i.e., low, moderate, or high) of
potential impact on organizations or individuals should there be a breach of
security (a loss of confidentiality, integrity, or availability). Security categorization
standards assist organizations in making the appropriate selection of security
controls for their information systems.
Preliminary risk assessment—results in an initial description of the basic security
needs of the system. A preliminary risk assessment should define the threat
environment in which the system will operate.

ii. Logical/Physical Design Phases

Risk assessment—analysis that identifies the protection requirements for the
system through a formal risk assessment process. This analysis builds on the
initial risk assessment performed during the Initiation phase, but will be more in-
depth and specific.
Security functional requirements analysis—analysis of requirements that may
include the following components: (1) system security environment (i.e.,
enterprise information security policy and enterprise security architecture) and
(2) security functional requirements
Security assurance requirements analysis—analysis of requirements that
address the developmental activities required and assurance evidence needed to
produce the desired level of confidence that the information security will work
correctly and effectively. The analysis, based on legal and functional security
requirements, will be used as the basis for determining how much and what
kinds of assurance are required.
Cost considerations and reporting—determines how much of the development
cost can be attributed to information security over the life cycle of the system.
These costs include hardware, software, personnel, and training.
Security planning—ensures that agreed upon security controls, planned or in
place, are fully documented. The security plan also provides a complete
characterization or description of the information system as well as attachments
or references to key documents supporting the agency’s information security
program (e.g., configuration management plan, contingency plan, incident
response plan, security awareness and training plan, rules of behavior, risk
assessment, security test and evaluation results, system interconnection
agreements, security authorizations/ accreditations, and plan of action and
milestones).
Security control development—ensures that security controls described in the
respective security plans are designed, developed, and implemented. For
information systems currently in operation, the security plans for those systems
may call for the development of additional security controls to supplement the
controls already in place or the modification of selected controls that are
deemed to be less than effective.
Developmental security test and evaluation—ensures that security controls
developed for a new information system are working properly and are effective.
Some types of security controls (primarily those controls of a non-technical
nature) cannot be tested and evaluated until the information system is deployed
—these controls are typically management and operational controls.
Other planning components—ensures that all necessary components of the
development process are considered when incorporating security into the life
cycle. These components include selection of the appropriate contract type,
participation by all necessary functional groups within an organization,
participation by the certifier and accreditor, and development and execution of
necessary contracting plans and processes.

iii. Implementation Phase

Inspection and acceptance—ensures that the organization validates and verifies
that the functionality described in the specification is included in the
deliverables.
System integration—ensures that the system is integrated at the operational site
where the information system is to be deployed for operation. Security control
settings and switches are enabled in accordance with vendor instructions and
available security implementation guidance.
Security certification—ensures that the controls are effectively implemented
through established verification techniques and procedures and gives
organization officials confidence that the appropriate safeguards and
countermeasures are in place to protect the organization’s information system.
Security certification also uncovers and describes the known vulnerabilities in the
information system.
Security accreditation—provides the necessary security authorization of an
information system to process, store, or transmit information that is required.
This authorization is granted by a senior organization official and is based on the
verified effectiveness of security controls to some agreed upon level of assurance
and an identified residual risk to agency assets or operations.

iv. Maintenance and Change Phase

Configuration management and control—ensures adequate consideration of the
potential security impacts due to specific changes to an information system or its
surrounding environment. Configuration management and configuration control
procedures are critical to establishing an initial baseline of hardware, software,
and firmware components for the information system and subsequently
controlling and maintaining an accurate inventory of any changes to the system.
Continuous monitoring—ensures that controls continue to be effective in their
application through periodic testing and evaluation. Security control monitoring
(i.e., verifying the continued effectiveness of those controls over time) and
reporting the security status of the information system to appropriate agency
officials is an essential activity of a comprehensive information security program.
Information preservation—ensures that information is retained, as necessary, to
conform to current legal requirements and to accommodate future technology
changes that may render the retrieval method obsolete.
Media sanitization—ensures that data is deleted, erased, and written over as
necessary.
Hardware and software disposal—ensures that hardware and software is
disposed of as directed by the information system security officer.

Steps common to both the

systems development life cycle
and the security systems Steps unique to the security systems
Phases development life cycle development life cycle
●
Phase 1: ●
Outline project scope and Management defines project
Investigation goals processes and goals and documents
●
Estimate costs these in the program security policy
●
Evaluate existing
resources
●
Analyze feasibility
Phase 2: ●
Assess current system ●
Analyze existing security policies
Analysis against plan developed in Phase and programs
1 ●
Analyze current threats and
●
Develop preliminary controls
system requirements ●
Examine legal issues
●
Study integration of new ●
Perform risk analysis
system with existing system
 ●
Document findings and
update feasibility analysis
Phase 3: Logical ●
Assess current business ●
Develop security blueprint
Design needs against plan developed in ●
Plan incident response actions
Phase 2 ●
Plan business response to
●
Select applications, data disaster
●
Determine feasibility of
support, and structures
continuing and/or outsourcing the
●
Generate multiple project
solutions for consideration
●
Document findings and
update feasibility analysis
Phase 4: ●
Select technologies to ●
Select technologies needed to
Physical Design support solutions developed in support security blueprint
Phase 3 ●
Develop definition of successful
●
Select the best solution solution
●
Decide to make or buy ●
Design physical security
components measures to support techno logical
●
Document findings and solutions
update feasibility analysis ●
Review and approve project
Phase 5: ●
Develop or buy software ●
Buy or develop security
Implementation ●
Order components solutions
●
Document the system ●
At end of phase, present tested
●
Train users package to management for
●
Update feasibility analysis approval
●
Present system to users
●
Test system and review
performance
Phase 6: ●
Support and modify ● Constantly monitor, test,
Maintenance system during its useful life modify, update, and repair to meet
and ●
Test periodically for changing threats
Change
compliance with business needs
●
Upgrade and patch as
necessary
CHAPTER ELEVEN
UNDERSTAND INCIDENSE RESPONSE SYSTEM
11.1 WHY INCIDENSE RESPONSE SYSTEM?
Incident response (IR) is a set of information security policies and procedures that
you can use to identify, contain, and eliminate cyberattacks. The goal of incident
response is to enable an organization to quickly detect and halt attacks,
minimizing damage and preventing future attacks of the same type.

11.2 PHASES OF THE INCIDENT RESPONSE LIFECYCLE

There are six steps to incident response. These six steps occur in a cycle each time
an incident occurs. The steps are:
i. Preparation of systems and procedures
ii. Identification of incidents
iii. Containment of attackers and incident activity
iv. Eradication of attackers and re-entry options
v. Recovery from incidents, including restoration of systems
vi. Lessons learned and application of feedback to the next round of
preparation
Preparation
During your first preparation phase, you review existing security measures and
policies to determine effectiveness. This involves performing a risk assessment to
determine what vulnerabilities currently exist and the priority of your assets.
Information is then applied to prioritizing responses for incident types. It is also
used, if possible, to reconfigure systems to cover vulnerabilities and focus
protection on high-priority assets.
This phase is where you refine existing policies and procedures or write new ones
if you are lacking. These procedures include a communication plan and
assignment of roles and responsibilities during an incident.

Identification of threats
Using the tools and procedures determined in the preparation phase, teams work
to detect and identify any suspicious activity. When an incident is detected, team
members need to work to identify the nature of the attack, its source, and the
goals of the attacker.
During identification, any evidence collected needs to be protected and retained
for later in-depth analysis. Responders should document all steps taken and
evidence found, including all details. This can help you more effectively prosecute
if an attacker is identified.
During this phase, after an incident is confirmed, communication plans are also
typically initiated. These plans inform security members, stakeholders,
authorities, legal counsel, and eventually users of the incident and what steps
need to be taken.

Containment of threats
After an incident is identified, containment methods are determined and enacted.
The goal is to advance to this stage as quickly as possible to minimize the amount
of damage caused.
Containment is often accomplished in sub-phases:
Short term containment—immediate threats are isolated in place. For example,
the area of your network that an attacker is currently in may be segmented off.
Or, a server that is infected may be taken offline and traffic redirected to a
failover.
Long term containment—additional access controls are applied to unaffected
systems. Meanwhile, clean, patched versions of systems and resources are
created and prepared for the recovery phase.

Elimination of threats
During and after containment, the full extent of an attack is made visible. Once
teams are aware of all affected systems and resources, they can begin ejecting
attackers and eliminating malware from systems. This phase continues until all
traces of the attack are removed. In some cases, this may require taking systems
off-line so assets can be replaced with clean versions in recovery.
Recovery and restoration
In this phase, teams bring updated replacement systems online. Ideally, systems
can be restored without loss of data but this isn’t always possible.
In the latter case, teams must determine when the last clean copy of data was
created and restore from it. The recovery phase typically extends for a while as it
also includes monitoring systems for a while after an incident to ensure that
attackers don’t return.

Feedback and refinement

The lessons learned phase is one in which your team reviews what steps were
taken during a response. Members should address what went well, what didn’t,
and make suggestions for future improvements. Any incomplete documentation
should also be wrapped up in this phase.

11.3 What Is an Incident Response Plan (IRP)?

An IRP is a set of documented procedures detailing the steps that should be taken
in each phase of incident response. It should include guidelines for roles and
responsibilities, communication plans, and standardized response protocols.
Within your IRP it is important to use clear language and define any ambiguous
terms. One set of terms that are frequently confused is event, alert, and incident.
When using these terms in your plan, it can help to restrict use as follows:

Event—a change in system settings, status, or communication. Examples include

server requests, permissions update, or the deletion of data. There are three basic
types of events:
i. Normal—a normal event does not affect critical components or require
change controls prior to the implementation of a resolution. Normal
events do not require the participation of senior personnel or
management notification of the event.
ii. Escalation – an escalated event affects critical production systems or
requires that implementation of a resolution that must follow a change
control process. Escalated events require the participation of senior
personnel and stakeholder notification of the event.
iii. Emergency – an emergency is an event which may
1. impact the health or safety of human beings
2. breach primary controls of critical systems
3. materially affect component performance or because of impact to
component systems prevent activities which protect or may affect
the health or safety of individuals
4. be deemed an emergency as a matter of policy or by declaration
by the available incident coordinator
Alert—a notification triggered by an event. Alerts can warn of suspicious events
or of normal events that need your attention. For example, the use of an unused
port vs storage resources running low.
Incident—an event that puts your system at risk. For example, theft of credentials
or installation of malware.

11.4 Incident Response Frameworks

Incident response frameworks are developed to help organizations create
standardized response plans. These frameworks are typically developed by large
organizations with a significant amount of security expertise and experience. Two
of the best known of these frameworks are those developed by NIST and SANS.

11.5 The NIST Incident Response Framework

The National Institute of Standards and Technology (NIST) is a U.S. government
agency dedicated to advancements in technology. As part of their cybersecurity
efforts, they developed the NIST incident response framework. This framework is
comprehensive, including details of how to create an IRP, an incident response
team, a communication plan, and training scenarios.

This framework has four official steps which condense the 6 phases of incident
response into the following:
i. Preparation
ii. Detection and Analysis
iii. Containment, Eradication, and Recovery
iv. Post-Incident Activity
The reason for this condensation is that NIST believes that containment,
eradication, and recovery are all overlapping phases. For example, as you contain
threats within your systems, you should not wait to eradicate issues until all
threats are found. Rather, you should contain and eliminate threats as soon as
possible, even if other threats remain.
Likewise, recovery is not a strict step, rather a process that depends on the
priority and content of the assets being recovered. For example, you may choose
to hold off on recovering high priority assets until an attack is fully eliminated to
keep your data more secure.

11.6 Incident response team

An incident response team is a team responsible for enacting your IRP. This team
is sometimes also referred to as a computer security incident response team
(CSIRT), cyber incident response team (CIRT), or a computer emergency response
team (CERT).
The security incident coordinator manages the response process and is
responsible for assembling the team. The coordinator will ensure the team
includes all the individuals necessary to properly assess the incident and make
decisions regarding the proper course of action. The incident team meets
regularly to review status reports and to authorize specific remedies. The team
should utilize a pre-allocated physical and virtual meeting place
The key duties of your CSIRT are to prevent, manage, and respond to security
incidents. This can involve researching threats, developing policies and
procedures, and training end users in cybersecurity best practices.

11.7 Incident Response Team Models

According to the NIST framework, there are three different models of CSIRT you
can apply:
i. Central—the team consists of a centralized body that manages IR for the
whole organization.
ii. Distributed—multiple teams exist and coordinate efforts as needed.
Typically, each team is responsible for a specific part of the IT
infrastructure, physical location, or department.
iii. Coordinated—a central team serves as a command center or knowledge
base for distributed teams. Central teams often take care of system
monitoring and can alert and assist distributed teams as needed.
Knowing which model is best for your organization can be a challenge. To help
you decide, you can again refer to the NIST guidelines which provide some
considerations to help:
i. What availability do you need? —you need to decide whether you want to
have 24/7 response availability and what level of availability. For example,
is it enough that teams can respond remotely or do they need to be on-site.
Preferably your team is available in real-time and in-person.
 ii. What level of staffing do you want? —you should decide whether you want
full-time staff dedicated to your team or whether shifts of part-time staff
are sufficient. Part-time staff are best for boosting team response during an
incident. Full-time staff are best for ensuring that your response is
organized, consistent, and immediate.
iii. How much expertise is needed? —the more expertise you have on your
team, the more effective it can be. However, many organizations do not
have a high level of security expertise in-house. If this is the case, you may
want to have external experts available to assist your in-house team during
response activities.
iv. What is your budget? —your IR budget plays a large role in limiting the
above aspects. When putting your team together, you need to be realistic
about the budget that is needed and how money is best allocated.

11.8 What are Incident Response Services?

Incident response (IR) services are managed services that can replace or
supplement in-house teams. These services usually work on retainer with a
monthly cost and a set range of services. The benefit of these services is that they
typically offer a higher level of expertise than is available in-house and can
provide 24/7 monitoring and response. This service usually includes a service level
agreement (SLA) ensuring confidentiality and response.
Additional benefits of managed services include:
Incident response preparation and planning—services can help you review IT
systems and develop IRPs suited to your specific needs.
Incident triage and classification—services can monitor for security events,
identify incidents, and classify threats.
Initial response—services can perform initial response steps or even come on-site
to assist in-house responders.
Post-breach assessment—services can help teams perform root-cause analyses
and provide evaluations of response efforts and effectiveness.
11.9 Incident Response Automation
Effective incident response is time-sensitive and relies on teams quickly
identifying threats and initiating IRPs. Unfortunately, most teams are not capable
of investing all alerts in real-time to determine if something is an incident. This
can lead to incidents being missed entirely or only being caught after significant
damage has occurred.
Automating parts of your incident response can help avoid this oversight or delay.
It can be used to:
i. Quickly triage alerts and identify incidents
ii. Compile and centralize relevant data for incident investigations
iii. Perform incident response tasks and processes, such as isolating affected
areas or blocking IP addresses

CHAPTER TWELVE
UNDERSTAND CRYPTOGRAPHY
12.1 OVERVIEW OF CRYPTOGRAPHY
Cryptography is the act of secret writing. Cryptography is the art of secret writing.
It is the practice and study of techniques for secure communication in the
presence of third parties (called adversaries). Cryptography is an indispensable
tool for protecting information in computer systems.

12.2 APPLICATIONS OF CRYPTOGRAPHY

Modern cryptography exists at the intersection of the disciplines of mathematics,
computer science, and electrical engineering
Today, cryptography is everywhere for secure communication. Applications of
cryptography include
i. ATM cards
ii. User authentication
iii. electronic commerce
iv. Web communication protocol
 v. Military intelligence communication
vi. Content protection

12.3 BASIC TERMINOLOGY IN CRYPTOGRAPHY

It provides the services of integrity checking and authentication through a process
called encryption and decryption. In cryptography, a message in its original form
is called a PLAINTEXT i.e. message that make sense to the sender, the receiver
and the attacker.
CIPHER TEXT: It is a disguise information or message generated from a plaintext. A
ciphertext only make sense to the sender and the receiver of the message.
However, an attacker will experience some sense of difficulty in breaking the
ciphertext.
encryption decryption
Plaintext Ciphertext Plaintext
DECRYPTION: is a method/algorithm/process through which a message in
disguised form (ciphertext) is turn into a plaintext.

ENCRYPTION: is a method/algorithm/process through which a plaintext is turned

to a ciphertext.

12.4 CONSTRUCTION OF CRYPTOGRAPHIC ALGORITM

Cryptography involve at least two major items (encryption and decryption)

a. Algorithm
b. Key

Algorithm: is a set of mathematical rules that dictates how encryption and

decryption can be performed.

Key: is a secret value or number or set of alphabets through which an algorithm

performs encryption and decryption. A key can be constructed from a range of
value called KEYSPACE. The larger the keyspace, the more available keys for
encryption and decryption and the more secure the system.

a b c d e

+ 0 1 2 3 4

a 0 0 1 2 3 4

b 1 1 2 3 4 0

c 2 2 3 4 0 1

d 3 3 4 0 1 2

e 4 4 0 1 2 3

From the table using +key (2,3)

a ------------ 0+2 = 2 c

d ------------ 3+2 = 0 a

e ------------ 4+2 = 1 b

ade ciphertext is cab

c ------------- 2+3 = 0 a

a ------------- 0+3 = 3 d

b ------------- 1+3 = 4 e

From the table using +key (1,4)

a -------------- 0+1 = 1 b

d -------------- 3+1 = 4 e

e -------------- 4+1 = 0 a

ade ciphertext is bea

b -------------- 1+4 = 0 a

e --------------- 4+4 = 3 d

a --------------- 0+4 = 4 e

12.5 COMPUTATIONAL DIFFICULTY

This is a measure of strength of a cryptosystem. A cryptosystem is a system that

provide encryption and decryption algorithm and can be created through
hardware component or program code in an application.

The security of a cryptographic scheme depends on how much work it is for the
hackers to break it. If the best possible scheme will take 5 hundred years to break
using all of the computers in the world, then it can be considered reasonably
secure. The followings are often considered in computational difficulty:

1. Algorithm
2. Secrecy of the key
3. Length of the key
4. Initialization vector
5. Their interaction

The KERCHOFF’S principle illustrates the concept of computational difficulty by

using certain assumptions.

In cryptography, Kerckhoffs' principle was stated that a cryptosystem should be

secure even if everything about the system, except the key, is public knowledge.
It was reformulated by Claude Shannon as "the enemy knows the system". In
that form it is called Shannon's maxim. The measure of strength is related to
principle that is called Kerchkhoff’s rule which states that:

1. A system must be practically indecipherable (it means the system should

not be broken)
2. The algorithm must not be secret and may fall into the hand or enemy or
attacker without inconveniency
3. The key must be communicable and retainable without the help of written
note.
4. The key must be portable
5. The algorithm or the key must not require/involve mental strain and long
series of rules.

Given the algorithm and the ciphertext, CT, of message m, then the following
assumptions hold for secure cryptographic system

i. assumption #1: attacker cannot recover secret key

ii. assumption #2: attacker cannot recover all of plaintext

Kerckhoffs' principle /Shannon’s idea:

CT should reveal no “info” about PT

12.6 CRYPTANALYSIS
Cryptanalysis is the term used for the study of methods for obtaining the meaning
of encrypted information without access to the key i.e., it is the study of how to
crack encryption algorithms or their implementations.
A. A ciphertext (CT)-only attack is one in which the cryptanalyst obtains a
sample of ciphertext, without the plaintext associated with it. This data is
relatively easy to obtain in many scenarios, but a successful ciphertext-only
attack is generally difficult, and requires a very large ciphertext sample. CT
uses the following methods
I. Brute-force attack: In this method, the attack tries all the key within the key
space to guess a ciphertext
II. Statistical attack: The attack uses the frequency distributions of letters in a
language to guess ciphertext
III. Pattern attack: In this case, a ciphertext may create sequence or
arrangement that may assist in guessing the plaintext

Statistical Brute- Pattern

CT attack
attack force attack

B.A known-plaintext attack is one in which the cryptanalyst obtains a sample of

ciphertext and the corresponding plaintext as well.
C.A chosen-plaintext attack is one in which the cryptanalyst is able to choose a
quantity of plaintext and then obtain the corresponding encrypted ciphertext.

D.A chosen-ciphertext attack is one in which cryptanalyst may choose a piece of

ciphertext and attempt to obtain the corresponding decrypted plaintext. This
type of attack is generally most applicable to public-key cryptosystems.
 Known- Chosen-
plaintext plaintext

Ciphertext
Chosen-
(CT)-only
ciphertext
attack
Cryptanalysis
attacks

12.7 GOALS OF CRYPTOSYSTEM

A cryptosystem is a system that provide encryption and decryption algorithm and

can be created through hardware component or program code in an application.
It provides four basic services/goal, which are:

1 Confidentiality
2 Authenticity
3 Integrity
4 Non-Repudiation

12.8 TYPES OF CRYPTOGRAPHY

There are two major type of cryptography or cryptosystem:

1. Secret key cryptosystem also called Private key cryptosystem or Symmetric

key cryptosystem
2. Public key cryptosystem also called Asymmetric key cryptosystem

Secret key cryptography: is a system that uses a single key for the process of
encryption and decryption.
Public key cryptography: is a type of system that uses two keys called public key
(encryption key) and a private key (decryption key).

Secret key

encryption (a)
Plaintext Ciphertext

decryption (a)
Ciphertext Plaintext

Both encryption and decryption are sharing a single key

public key (a)

Plaintext Ciphertext

private key (e)

Ciphertext Plaintext

Single key cryptography is also called conventional cryptography and is a system

where a single key is used for the purpose of encryption and decryption. It can be
used for the following operation:

1. Transmission over insecure channel

2. Secure storage on insecure media
3. For authentication
4. For integrity check.
There are two major types of secret key cryptography, which are:

1. Substitution cipher
2. Transposition cipher
Substitution cipher: this is a kind of cryptography in which a plaintext is replaced
by a corresponding ciphertext. This can be mono-alphabetic or poly-alphabetic.
Sometimes, additive or multiplicative algorithm may be applied on substitution
cipher to make them more secure. In this way, the concept of modular arithmetic
is very important.

Application of substitution cipher can be found in:

1. Caesar’s cipher
2. Affine cipher

12.9 MATHEMATICS OF CRYPTOGRAPHY

Cryptography is based on some specific areas of mathematics, including number

theory, linear algebra and algebraic structures. The various operations such as
addition, subtraction, division and multiplications over the set of natural numbers
𝛧 can be used to produce cryptographic algorithms. Whereas, the elements of Ζ
can function as key space and key

Let Z ={……−2,−1, 0, 1, 2,…..} be set of integers

In cryptography, we are interested in three binary operations which can be

applied to Z. A binary operations takes two inputs and creates one output.

Cryptographic algorithms are designed around computational hardness

assumptions of these mathematics, making such algorithms hard to break in
practice by any adversary.

It is theoretically possible to break such a system, but it is infeasible to do so by

any known practical means.

These schemes are therefore termed computationally secure e.g., improvements

in integer factorization algorithms, and faster computing technology require these
solutions to be continually adapted.
Three common binary operations defined for integers in cryptography are

i. addition,
ii. subtraction
iii. and multiplication.

Modular arithmetic is basically doing addition (and other operations) not on a

line, as you usually do, but on a circle -- the values "wrap around", always staying
less than a fixed number called the modulus.

To find, for example, 39 modulo 7, you simply calculate 39/7 (= 5 4/7) and take
the remainder. In this case, 7 divides into 39 with a remainder of 4. Thus, 39
modulo 7 = 4. Note that the remainder (when dividing by 7) is always less than 7.
Thus, the values "wrap around," as you can see below:

0 mod 7=0

1 mod 7=1

7 mod 7=0

2 mod 7=2

8 mod 7=1

3 mod 7=3

4 mod 7=4 1

0 mod 7=3

5 mod 7=5 etc.

An additive algorithm is a system that use addition operation in a particular
module e.g.

a+b modn= t

if t<n

k= n-t

Additive cipher

Key generation: a key is a pair of value that return 0 under addition operation in a
particular modulo. This pair of value is referring to as encryption key and
decryption key respectively. E.g. how many keys are present in (+, mod 4)
algorithm

a b c d

+ 0 1 2 3 keys

0 0 1 2 3 0,0

1 1 2 3 1 1,3

2 2 3 0 1 2,2

3 3 0 1 2 3,1

Generators: numbers that produce the set. There are four generators in mode 4
i.e. 0,1,2,3
Want to send a message “ade fe de”

P V key C V +4 P

a 0 +2 2 c 2+4 0 a

d 3 +2 5 f 5+4 3 d

e 4 +2 0 a 0+4 4 e

f 5 +2 1 b 1+4 5 f

e 4 +2 0 a 0+4 4 e

d 3 +2 5 f 5+4 3 d

e 4 +2 0 a 0+4 4 e

(mode 7)

C: y o u a r e c

P: a b c d e f g

+ 0 1 2 3 4 5 6 keys

0 0 1 2 3 4 5 6 0,0

1 1 2 3 4 5 6 0 1,6

2 2 3 4 5 6 0 1 2,5

3 3 4 5 6 0 1 2 3,4

4 4 5 6 0 1 2 3 4,3
5 5 6 0 1 2 3 4 5,2

6 6 0 1 2 3 4 5 0,1

Using key 6,1 with additive

a 0+6 = 6 in cipher c ----- 6+1 = 0 a

d 3+6 = 2 in cipher u ----- 2+1 = 3 d

e 4+6 = 3 in cipher a ----- 3+1 = 4 e

d 3+6 = 2 in cipher u ----- 2+1 = 3 d

e 4+6 = 3 in cipher a ----- 3+1 = 4 e

CAESAR’S CIPHER

A Caesar’s cipher is also called a shift cipher and it is one of the simplest and most
widely known encryption techniques. It is a type of substitution cipher in which
each letter in plaintext is replaced by a letter at a different position in the
alphabet.

Plain: A B C D E………. Z

Cipher: E F G H I………...D

The encryption of Caesar cipher can be represented using modulo arithmetic

thereby transforming numbers into letters using modulo 26.
Mathematically, Caesar cipher equal:

E(x) = (x+n) mod 26

Where x = numeral value of each alphabet

n = is an encryption key

MULTIPLICATIVE CIPHER

A multiplicative cipher is a cryptographic algorithm that uses multiplication

operation in a particular modulo. In multiplicative cipher, two numbers a & b are
inverse of each other if the condition below holds:

a × b ≡1 modn

e.g. mod6

x 1 2 3 4 5 key

1 1 2 3 4 5 1,1

2 2 4 0 2 4 ---

3 3 0 3 0 3 ---

4 4 2 0 4 2 ---

5 5 4 3 2 1 5,5

In multiplicative
 a × b ≡1 mod 267 × b≡ 1 mod 26b ≡1 modn b ≡7−1 mod 26

GREATEST COMMON DIVISOR (GCD)

GCD is used to find when two numbers are co-prime in a particular modulo. Two
numbers are co-prime if a particular no and its modulo n returns a GCD of 1

Fact 1: GCD of (a,0) = a

Fact 2: GCD of (a,b) = gcd (b,r)

Where r is the remainder of dividing a by b

Fact 3: gcd (a,1) = 1

A number has an inverse if an only if fact 3 holds when calculating gcd.

e.g. using mod6

gcd (6,3)

gcd (3,0) = 3.

gcd (6,5)

gcd (5,1) = 1.

Note: 6 and 5 are co-prime because 5 has an inverse

gcd (6,4)

gcd (4,2)

gcd (2,0) = 2.

gcd (6,2)
gcd (2,0) = 2.

In mod26, to check if 7 has an inverse

gcd (26,7)

gcd (7,5)

gcd (5,2)

gcd (2,1) = 1. Note: 7 has an inverse in mod26, so 26&7 are co-prime.

EXTENDED EUCLIDEAN ALGORITHM

It is used to calculate the multiplicative inverse of a particular key in a particular

modulo when the two values are co-prime. In Euclidean algorithm, the
relationship below holds:

t = t1 – (qxt2).

A table in mod26

q r1 r2 r t1 t2 t

3 26 7 5 0 1 -3

1 7 5 2 1 -3 4

2 5 2 1 -3 4 -11

2 2 1 0 4 -11 26
-11mod26

26-11 = 15

axb = 1mod26

7x15 = 1mod26

Therefore, 15 is the value of inverse of 7.

TRANSPOSITION CIPHER

This is a method of encryption by which the position held by unit of plaintext are
shifted according to a regular system, so that the ciphertext constitutes a
permutation of the plaintext. Transposition cipher can either be key or keyless.

Meet me today

M e m t d y
memtdy

e t e o a m
eteoam

m e m t d y

e t e o a m
123456 123456

Memtdy eteoam 1 2 3 4 5 6

2 4 3 1 6 5

Etmmyd toeema

123456 123456

ASSYMETRIC CRYPTOGRAPHY

This is called public key cryptography as it requires two separate key called
private and public key. The private key is a confidential key for decrypting
messages created by a public key from a particular user. Both the private key and
the public key are mathematically related and they can be demonstrated by the
following cryptosystem.

1. RSA
2. Elgamal
3. ECC
4. Diffie Hellman
5. DSS
CHAPTER THIRTEEN
CYBERSECURITY AND INTERNATIONAL LEGISLATION
13.1 WHAT IS CYBERSECURITY?
Cybersecurity is the practice of protecting systems, networks, and programs from
digital attacks. These cyberattacks are usually aimed at accessing, changing, or
destroying sensitive information; extorting money from users; or interrupting
normal business processes.

Implementing effective cybersecurity measures is particularly challenging today

because there are more devices than people, and attackers are becoming more
innovative.

13.1 What is cybersecurity all about?

A successful cybersecurity approach has multiple layers of protection spread

across the computers, networks, programs, or data that one intends to keep safe.
In an organization, the people, processes, and technology must all complement
one another to create an effective defense from cyber-attacks.

i. People
Users must understand and comply with basic data security principles like
choosing strong passwords, being wary of attachments in email, and backing
up data. Learn more about basic cybersecurity principles.

ii. Processes
Organizations must have a framework for how they deal with both attempted
and successful cyber-attacks. One well-respected framework can guide you. It
explains how you can identify attacks, protect systems, detect and respond to
threats, and recover from successful attacks.

iii. Technology
Technology is essential to giving organizations and individuals the computer
security tools needed to protect themselves from cyber-attacks. Three main
entities must be protected: endpoint devices like computers, smart devices,
and routers; networks; and the cloud. Common technology used to protect
these entities include next-generation firewalls, DNS filtering, malware
protection, antivirus software, and email security solutions.

13.2 Why is cybersecurity important?

In today’s connected world, everyone benefits from advanced cyber defense

programs. At an individual level, a cybersecurity attack can result in everything
from identity theft, to extortion attempts, to the loss of important data like family
photos. Everyone relies on critical infrastructure like power plants, hospitals, and
financial service companies. Securing these and other organizations is essential to
keeping our society functioning.

13.3 International legislative responses and cooperation

Information security laws and regulations control how data is stored and used.
Learn about information security and breach notification law, information and
privacy laws, and business compliance.

Laws & Regulations

A law is a rule that is enacted by the judicial system of the country. These rules
are created by the lawmakers. A law is enforceable by the country's judicial
system, and the lawbreaker can be prosecuted in court.

A regulation is the process, or body, responsible for ensuring that the law is put
into effect. A regulation explains the details necessary, whether technical,
operational, or legal, to put the law into effect.

Information security laws and regulations govern the acquiring, transmitting, and
storing of information (meaningful data). Why all this protection? You see, the
rapid advancement of technology and the unprecedented growth of the internet
has increased the field of exposure of data as a whole.

The list of electronic crimes is as unlimited as the imaginations of those who use
technology in harmful and dangerous ways. Technology has served the world's
convenience, everything from the comfort of your home or device (banking,
shopping, working, etc.)

This convenience has exposed businesses and corporations to limitless threats.

Because of this, information has become an extremely valuable asset, which could
be deliberately destroyed, stolen, exposed, or illegally sold. Different countries
have different laws governing information.

The Cybersecurity Law also provides elaborate regulations and definitions on legal
liability. For different types of illegal conduct, the Law sets a variety of
punishments, such as fines, suspension for rectification, revocation of permits and
business licenses, and others. The Law accordingly grant cybersecurity and
administration authorities with rights and guidelines to carry out law enforcement
on illegal acts.
International responses

G8: Group of Eight (G8) is made up of the heads of eight industrialized countries:
the U.S., the United Kingdom, Russia, France, Italy, Japan, Germany, and Canada.
In 1997, G8 released a Ministers' Communiqué that includes an action plan and
principles to combat cybercrime and protect data and systems from unauthorized
impairment. G8 also mandates that all law enforcement personnel must be
trained and equipped to address cybercrime, and designates all member
countries to have a point of contact on a 24 hours a day/7 days a week basis.

United Nations: In 1990 the UN General Assembly adopted a resolution dealing

with computer crime legislation. In 2000 the UN GA adopted a resolution on
combating the criminal misuse of information technology. In 2002 the UN GA
adopted a second resolution on the criminal misuse of information technology.

ITU: The International Telecommunication Union (ITU), as a specialized agency

within the United Nations, plays a leading role in the standardization and
development of telecommunications and cybersecurity issues. The ITU was the
lead agency of the World Summit on the Information Society (WSIS). In 2003,
Geneva Declaration of Principles and the Geneva Plan of Action were released,
which highlights the importance of measures in the fight against cybercrime. In
2005, the Tunis Commitment and the Tunis Agenda were adopted for the
Information Society.

Council of Europe: Council of Europe is an international organisation focusing on

the development of human rights and democracy in its 47 European member
states. In 2001, the Convention on Cybercrime, the first international convention
aimed at Internet criminal behaviors, was co-drafted by the Council of Europe
with the addition of USA, Canada, and Japan and signed by its 46 member states.
But only 25 countries ratified later. [8] It aims at providing the basis of an effective
legal framework for fighting cybercrime, through harmonization of cybercriminal
offences qualification, provision for laws empowering law enforcement and
enabling international cooperation.

Regional responses

APEC: Asia-Pacific Economic Cooperation (APEC) is an international forum that

seeks to promote promoting open trade and practical economic cooperation in
the Asia-Pacific Region. In 2002, APEC issued Cybersecurity Strategy which is
included in the Shanghai Declaration. The strategy outlined six areas for co-
operation among member economies including legal developments, information
sharing and co-operation, security and technical guidelines, public awareness, and
training and education.

OECD: The Organisation for Economic Co-operation and Development (OECD) is

an international economic organisation of 34 countries founded in 1961 to
stimulate economic progress and world trade. In 1990, the Information,
Computer and Communications Policy (ICCP) Committee created an Expert Group
to develop a set of guidelines for information security that was drafted until 1992
and then adopted by the OECD Council. In 2002, OECD announced the completion
of "Guidelines for the Security of Information Systems and Networks: Towards a
Culture of Security".

European Union: The coat of arms of the European Cybercrime Centre. In 2001,
the European Commission published a communication titled "Creating a Safer
Information Society by Improving the Security of Information Infrastructures and
Combating Computer-related Crime". In 2002, EU presented a proposal for a
“Framework Decision on Attacks against Information Systems”. The Framework
Decision takes note of Convention on Cybercrime, but concentrates on the
harmonisation of substantive criminal law provisions that are designed to protect
infrastructure elements.

Commonwealth: In 2002, the Commonwealth of Nations presented a model law

on cybercrime that provides a legal framework to harmonise legislation within the
Commonwealth and enable international cooperation. The model law was
intentionally drafted in accordance with the Convention on Cybercrime.

ECOWAS: The Economic Community of West African States (ECOWAS) is a

regional group of west African Countries founded in 1975 it has fifteen member
states. In 2009, ECOWAS adopted the Directive on Fighting Cybercrime in
ECOWAS that provides a legal framework for the member states, which includes
substantive criminal law as well as procedural law.

GCC: In 2007, the Arab League and Gulf Cooperation Council (GCC) recommended
at a conference seeking a joint approach that takes into consideration
international standards.

The CyberCrime Act 2015 of Nigeria

Cybercrime can be defined as crimes in which a computer is the object of the

crime or is used as a tool to commit an offence. Offenders may use computer
technology to access personal or commercial information or use the internet for
exploitive or malicious purposes.

Nigeria has shown a growing awareness of the need to strengthen cybersecurity.

It initiated the registration of GSM users in 2011 and in 2014 the Central Bank of
Nigeria (CBN) launched a centralised biometric identification system for the
banking industry, tagged Bank Verification Number (BVN).

The Cybercrimes Act 2015 is the first legislation in Nigeria that deals specifically
with cybersecurity. Passed in May 2015, it gives effect to the 2011 ECOWAS
Directive on fighting cybercrime and is broad in its scope.

The Act recognises the role of financial institutions as stakeholders in the cyber
security framework and the term ‘financial institution’ is defined in s.58 of the act
as including: “any individual, body, association or group of persons, whether
corporate or unincorporated which carries on the business of investment and
securities, a discount house, finance company and money brokerage..., insurance
institutions, debt factorisation and conversion firms, dealer, clearing and
settlement companies, legal practitioners, hotels, casinos, bureau de change,
supermarkets and such other businesses as the Central Bank or appropriate
regulatory authorities may, from time to time, designate”.

The principal responsibilities placed on financial institutions are contained in Part

IV of the Act. Section 37(1) places a duty to verify the identity of customers
carrying out electronic financial transactions, requiring the customers to present
documents bearing their names, addresses and other relevant information before
issuing ATMs, credit or debit cards and other related electronic devices. Failure to
do so attracts a fine upon conviction.

Section 38 requires service providers to keep all traffic data and subscription for a
period of at least two years. Further, service providers are required to turn over
such information to law enforcement agencies and failure to comply with either
attracts a fine of 7m naira.

Section 39 requires service providers, upon a court order, to assist competent

authorities with the collection or recording of content and/or traffic data
associated with specified communications. Under s.40 they are required to
provide assistance to law enforcement agencies in identifying offenders, tracing
proceeds of offences and the cancellation of services used to commit offences.

Section 21 creates a responsibility to report to the National Computer Emergency

Response Team (CERT), any attacks, intrusions or other disruptions liable to
hinder the functioning of another system or network. The section further
empowers CERT to propose isolation of affected systems and networks.
Additionally, failure to report any such incident within seven days is an offence
rendering the offender liable to be denied internet services and a mandatory fine.

The National Cyber-Security Fund is created by s.44 of the act. It is an account to

be maintained with the Central Bank of Nigeria (CBN) and administered by the
NSA. It is to be funded, inter alia, by a 0.005 levy on all transactions by businesses
specified in the second schedule to the Act which are as follows: (i) GSM service
providers and all telecommunication companies; (ii) internet service providers;
(iii) banks and other financial institutions; (iv) insurance companies; and (v) the
Nigerian stock exchange.

OFFENCES AND PENALTIES

From the foregoing analysis, what is central to this ACT is to outline the rudiments
of the cyber-criminal offences and what obtains as regards to penalties and
punishment which include among others:

i. Offences against critical national information infrastructure

ii. Unlawful access to a computer

iii. Registration of cybercafé

iv. System interference

v. Intercepting electronic messages, emails, electronic money transfers

vi. Willful misdirection of electronic messages

vii. Unlawful interceptions

viii. Computer related fraud

ix. Theft of electronic devices

x. Unauthorized modification of computer system, network data and system

interference

xi. Electronic signature

xii. Cyber terrorism

xiii. Fraudulent issuance of e-instruction

xiv. Reporting of cyber threats

xv. Identity theft and impersonation

xvi. Child pornography and related offences

 xvii. Cyber stalking

xviii. Cyber squatting

xix. Racists and xenophobic offences

xx. Attempt, conspiracy, aiding and abetting

xxi. Importation and fabrication of e-tools

xxii. Breach of confidence by service providers

xxiii. Manipulation of ATM/POS Terminals

xxiv. Employees responsibility

xxv. Phishing, spamming and spreading of computer virus

xxvi. Electronic card-related fraud

xxvii. Use of fraudulent device or attached e-mails and websites

Progress Test 13

1. Discuss the importance of international law in managing the threat

of cybersecurity.
2. Discuss the scope of the Cybercrime Act 2015 of Nigeria