CS BMC106 Unit2 Notes

The document discusses various aspects of application, database, email, and internet security, highlighting common threats such as phishing and malware. It outlines challenges faced by vendors and users, guidelines for improving security, and the importance of data security measures like backup, archival, and disposal. Additionally, it covers security technologies like firewalls, VPNs, intrusion detection systems, and access control methods to mitigate security threats.

Uploaded by Shivam Rathore

Hindustan Institute of Management & Computer Studies

Cyber Security (BMC106)


Unit-2

Application Security
o Attackers target not only servers and operating systems but also client
applications such as browsers, multimedia players and document readers.
o Most common attack vectors: phishing and malware

Vendor challenges for Application Security


 The variety of OS platforms and software versions that a single
application has to support.
 Application compatibility issues when security updates change behaviour

User Challenges for Application Security


 Keeping applications regularly updated/upgraded
 Proper risk management
 Taking specific measures to secure client-side applications

Guidelines
• Provide incentives to those who find flaws (bug bounties),
• share knowledge with vendors,
• mitigate attacks,
• standardize applications,
• update software to newer versions

Database Security
o A database is an organised collection of records that can be queried to
satisfy various criteria.
o Security must first be implemented within the organization, to make sure
that the right people have access to the right data.
o Without such measures in place, someone could destroy valuable data, sell
the company's secrets to competitors, or invade the privacy of others.

o Authentication
o Authorization
o SQL Injection

o Authentication
 Verifies who the user is, by a username and password, a smartcard, a
retina scan, a fingerprint or voice recognition. For example, after a
login name and password are supplied, SQL Server performs the
authentication.
o Authorization
 The mechanism that determines what level of access an authenticated
user should have. Role-based security is a form of user-level security
in which the server does not focus on the individual user's identity
but on the logical role the user is in. SQL Server has three kinds of
role:
 Fixed server roles
 Fixed database roles
 Application roles (permissions on securables are granted to the role)
o SQL Injection
• A technique whereby an intruder supplies input that causes the
application to execute SQL statements it was never intended to execute.
The usual cause is building the query text by string concatenation; the
defence is parameterised queries (prepared statements), which send the
values separately from the statement.
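The following is an added example, not code from the course notes: the same login check written once by string concatenation (injectable) and once as a parameterised query, run against an in-memory SQLite table. The table, the user names and the plaintext passwords are constructed test data (a real system would store password hashes).

```python
"""Added example (not part of the course notes): one login check written
with string concatenation (injectable) and with a parameterised query.
The users table and its rows are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """User input is pasted straight into the SQL text, so quote characters
    in the input become part of the statement and change its meaning."""
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised query: the driver passes the values separately from
    the statement, so input can never alter the statement's structure."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # classic tautology: turns the WHERE clause true
    print(login_vulnerable(db, "alice", payload))   # True: authentication bypassed
    print(login_safe(db, "alice", payload))         # False: payload treated as a literal
    print(login_vulnerable(db, "x' OR 1=1 --", "anything"))  # True: comment kills the rest
```

The second injected name shows why filtering a single character is not enough: the `--` comment discards the whole password clause, so the only robust fix is to never build the statement from user input at all.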

E-Mail Security
o Email security is the collective set of measures used to secure access to,
and the content of, an email account or service.
o An email service provider implements email security to protect subscriber
accounts and data from attackers.
o From an individual/end-user standpoint, proactive email security measures
include: strong passwords, password rotation, spam filters, and desktop
antivirus/anti-spam applications.
o A service provider also ensures email security by using strong passwords
and access control mechanisms on the email server, and by encrypting and
digitally signing email messages.
o These must be viewed as part of the total security agenda. The security of
mail flow is focused on auditing and controlling mail coming into and
going out of the organization.
o There must be a plan for the inevitable requests to retrieve data from
backups and archives.

Internet Security
o The Internet is a network of networks, connecting billions of computers
on every continent.
o Internet security encompasses browser security, the security of data
entered through web forms, and the overall authentication and protection
of data sent over the Internet Protocol.
o Untrusted network traffic passes through an external router, a firewall
and an internal router. The network security perimeter is composed of an
outer security perimeter and an internal security perimeter.
o Internet security relies on specific resources and standards for protecting
data sent over the Internet.
o These include encryption, firewalls, anti-malware, anti-spyware and
anti-virus programs.
o The Internet Protocol Security (IPsec) protocol suite provides a way of
setting up a secure channel for protected data exchange between two
devices: two servers, two routers, a workstation and a server, or two
gateways between different networks.
o IPsec uses strong encryption and authentication, and it is commonly used
to build tunnelled communication between two endpoints (a VPN).

Data Security Considerations


o Data security means maintaining its Confidentiality- Integrity-
Availability (CIA) properties.
o These data security considerations are as follow:
 Data Backup
 Archival
 Disposal

Data Backup Security


 Data backup is primarily a data security measure against accidental loss
or loss caused by malicious activity. When an incident results in loss of
data, the original data can be restored from the backup. A backup that has
never been test-restored, or that the same attacker can reach and delete,
gives no real protection.
 Causes of data loss: hardware failure, software or media failure, hacking,
viruses, power failure, erroneous human activity, etc.

Data Archival
 The process of separating active data from inactive data (active data:
frequently used; inactive data: less frequently used)
 Goal: reduce complexity and keep only the active part of the data online
 Selection of an archival solution depends on:
 Longevity of the storage solution
 Manageability of the storage solution (role-based)
 Intelligence about content (not all data is equally valuable)
 Optimization of total cost of ownership
 Type of available solution (scaling)

Data Disposal
 Data disposal is the act of permanently deleting or destroying data stored
on a medium. Data sometimes has to be destroyed permanently for security or
compliance reasons.
 The National Institute of Standards and Technology (NIST) describes three
primary ways in which data can be disposed of:
 Overwriting hard drives (older guidance called for at least three
passes; current NIST SP 800-88 guidance treats a single verified pass
as sufficient for modern magnetic drives, and overwriting is not a
reliable method for SSDs and other flash media)
 Degaussing hard drives and backup tapes (demagnetising the medium,
which also leaves a hard drive unusable; it has no effect on SSDs)
 Physically destroying the storage medium

Data Disposal Process


Building a plan for disposal
Archiving important information
Cleaning storage media
Proper disposal with security constraints
Make sure no important data gets deleted

Security Technology
Firewall
• A firewall is the part of a computer system or network that is designed to
inspect incoming and outgoing network traffic.
• It blocks unauthorized access and permits authorized communication, based
on a defined set of rules and criteria.
• It reduces exposure to attackers and malware from the Internet, but only
for the traffic its rules actually cover.
• It may be hardware, software or a combination of both.
• A hardware firewall is a physical appliance placed between the Internet
and the LAN.
• A software firewall is a program installed on the host itself; it works
on the same principle as a hardware firewall.
• E.g. a broadband router, Norton Internet Security, Kaspersky Internet
Security etc.

Types of Firewall Techniques


• Packet Filter
• Inspects each packet's headers (addresses, protocol, ports) against
user-defined rules, without regard to the session it belongs to.
• Application Level Gateway
• Applies security measures to specific applications such as FTP or
TELNET by understanding the application protocol itself.
• Circuit Level Gateway
• Applies its security mechanism once a TCP/UDP session has been
established; it works at the session layer of the OSI model.
• Proxy Server
• Checks all incoming and outgoing messages, hides the true internal
network addresses, and intercepts every message between the two sides.
Identify a Firewall
• Before attacking a system or a network, an attacker tries to learn what
kind of firewall protects it.
• There are three basic methods of identifying a firewall:
• Port Scanning
A port scanner probes a computer system running TCP/IP to
determine which TCP and UDP ports are open and listening.
• Firewalking
Sends packets with carefully chosen TTL values (in the manner of
traceroute) to learn which ports the firewall lets through and to
map the routers that exist behind it.
• Banner Grabbing
• Banners are the greeting messages a running service sends when it
accepts a connection; they often reveal the software name and
version, from which an attacker infers whether the host is patched.
• An example of grabbing the banner of the SMTP service on port 25:
telnet mail.xvzcompany.org 25
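The same banner grab, written as a small script rather than typed into telnet. This is an added example and not from the notes; to keep it runnable offline it starts a throwaway server thread on localhost that replies with a constructed SMTP-style greeting, whereas against a real host you would pass that host's name and port 25.

```python
"""Added example (not from the notes): grab and parse a service banner over
TCP. A throwaway local server plays the SMTP service so the script runs
offline; FAKE_BANNER is a constructed greeting, not captured traffic."""
import socket
import threading

FAKE_BANNER = b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"   # constructed


def start_fake_smtp() -> int:
    """Listen on an ephemeral localhost port, send the banner to the first
    client that connects, then close. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        conn.sendall(FAKE_BANNER)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send nothing, and return whatever the service announces
    first. SMTP, FTP and SSH all greet the client before any input."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(1024)
    return data.decode(errors="replace").strip()


def parse_smtp_banner(banner: str) -> dict:
    """Split '220 <host> ESMTP <software>' into its parts; absent fields are None."""
    parts = banner.split(" ", 3)
    return {
        "code": parts[0] if parts else None,
        "host": parts[1] if len(parts) > 1 else None,
        "software": parts[3] if len(parts) > 3 else None,
    }


if __name__ == "__main__":
    port = start_fake_smtp()
    banner = grab_banner("127.0.0.1", port)
    print(banner)                      # 220 mail.example.test ESMTP Postfix (Ubuntu)
    print(parse_smtp_banner(banner))   # {'code': '220', 'host': ..., 'software': 'Postfix (Ubuntu)'}
```

The defensive lesson is the mirror image: a mail server configured to greet with just `220 host ESMTP` gives this script nothing to work with, and the same applies to every other service banner.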

Virtual Private Network (VPN)


• It is a private communication network.
• It creates a virtual tunnel through which data travels from one
computer to another over a public network such as the Internet.
• VPN Data
Data transferred through the VPN is called the payload.
• VPN Tunnel
A logical path for transmitting VPN data from one node to another. A
VPN tunnel can be established at one of two layers of the OSI reference
model: the data link layer (PPTP, L2TP) or the network layer (IPsec).

Authentication Mechanism
• User-level authentication (PPP (point-to-point protocol) authentication
methods such as PAP, CHAP, MS-CHAPv2 or EAP, used for mutual
authentication of user and server)
• Computer-level authentication (IKE, used by IPsec and L2TP/IPsec, in
which the two computers exchange either their certificates or a
pre-shared key)
• Data origin authentication and data integrity (a cryptographic checksum
or MAC over each packet)
• Data encryption: the data transmitted through the VPN is encrypted so
that it cannot be read in transit; it is the integrity check, not the
encryption, that ensures it arrives unmodified.

Types of VPN tunneling


• Voluntary Tunneling
• The client itself sets up the tunnel to the VPN server.
• Compulsory Tunneling
• The tunnel is set up on the client's behalf by a VPN access device
such as a router or access concentrator, between that device and the
VPN server.

Types of VPN
• PPTP (Point-to-Point Tunneling Protocol) VPN
• Widely used in older deployments.
• Uses a VPN password to log on.
• No extra hardware or software needed.
• PPTP itself specifies no encryption; Microsoft's implementation adds
MPPE, and the combination with MS-CHAPv2 authentication is considered
broken, so PPTP should not be used for anything sensitive.
• Site-to-site VPN
• No dedicated line for transmission.
• Routing, encryption and decryption are done by the router.
• Works with hardware- or software-based firewall devices.
• L2TP (Layer Two Tunneling Protocol) VPN
• Similar to PPTP.
• L2TP alone provides neither confidentiality nor integrity; it is
normally run over IPsec (L2TP/IPsec), which provides both.
• IPsec
• Designed for IP traffic.
• Very secure when configured correctly.
• Requires client software or operating-system support to be set up.
• Can be expensive and time consuming to deploy.
• SSL (Secure Socket Layer) VPN
• Creates a secure session between a browser and an application
server; modern deployments use TLS, the successor of SSL.
• MPLS (Multi-Protocol Label Switching) VPN
• An ISP-provided VPN built on MPLS with very good site-to-site
connectivity; it separates customers' traffic but does not encrypt
it.
• Hybrid VPN
• Combines features of SSL, IPsec etc.
• Highly flexible, very expensive.

Security Concerns in VPN


• There are two types of configuration vulnerability in VPNs:
• Poor default configuration
• Defaults are chosen for usability rather than security. Usually,
IKE aggressive mode with pre-shared keys (PSKs) is the default
authentication method for remote access VPNs; aggressive mode
sends a hash derived from the PSK in the clear, which an
eavesdropper can attack offline to recover the key.
• Poor guidance and documentation
• Not all VPN implementations give end users appropriate direction
and clear settings for deciding which configuration to use.

Intrusion Detection System (IDS)


• An IDS monitors network traffic (or host activity) for suspicious activity.
• Functions of an IDS: anomaly detection and reporting
• Problem with IDS: prone to false alarms (false positives)

Components of IDS
• An IDS comprises a management console and sensors.
• It has a database of attack signatures.
• Sensors watch for any malicious activity.
• Each packet is matched against the signature database.
• If a match is found, the sensor reports the malicious activity to the
management console.
Types of IDS
• Network Intrusion Detection System (NIDS)
• A NIDS examines the traffic on a whole subnet and compares it with
the known attack traffic in its signature database.
• Network Node Intrusion Detection System (NNIDS)
• An NNIDS monitors only the traffic of a single host, unlike a NIDS.
• Host Intrusion Detection System (HIDS)
• A HIDS takes a snapshot of the entire system's file set (for example
a hash of every file) and compares it with the previous snapshot.
Overall classification of IDS

• Anomaly based IDS/ Behavior based IDS: detects attacks as deviations
from normal behaviour
• Misuse Detection/ Signature based IDS: detects known attacks by their
signatures
• Centralized IDS: IDS components sit at a central point of the network
and communicate with each other
• Distributed IDS: IDS components spread over the network operate in a
distributed manner and communicate with each other
• Active IDS: detects and prevents intrusions; an active IDS is also
known as an IDPS
• Passive IDS: only detects intrusions
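To make the signature-based versus anomaly-based distinction concrete, here is an added example that is not part of the notes: a toy detector of each kind run over a handful of constructed web-server log lines (client address, method, path, status). The signatures, thresholds and log lines are all invented for the illustration.

```python
"""Added example (not from the notes): a signature-based and an
anomaly-based detector over constructed web-server log lines.
Line format (constructed): '<client-ip> <method> <path> <status>'."""
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample log: one SQL-injection probe, one path-traversal probe,
# a normal visitor, and one client that hammers 25 non-existent pages.
LOG: List[str] = [
    "198.51.100.4 GET /index.html 200",
    "198.51.100.4 GET /login.php?user=admin'+OR+1=1-- 200",
    "203.0.113.9 GET /../../etc/passwd 403",
    "203.0.113.9 GET /about.html 200",
] + [f"192.0.2.77 GET /page{i} 404" for i in range(25)]

# Signature (misuse) detection: known-bad patterns, matched literally.
SIGNATURES = {
    "sqli-tautology": re.compile(r"(?i)'(\+|%20|\s)*or(\+|%20|\s)+1=1"),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, signature-name) for every line matching a signature.
    Catches only what is already in the database; a new attack goes unseen."""
    alerts = []
    for line in lines:
        ip, _method, path, _status = line.split()
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts


def anomaly_alerts(lines: List[str], max_requests: int = 10,
                   max_404_ratio: float = 0.8) -> List[Tuple[str, str]]:
    """Return (client, reason) for clients whose behaviour departs from the
    baseline: too many requests in the window, or almost every request a 404
    (the footprint of a scanner). Needs no signature, but a legitimate user
    with a broken bookmark can trip it too, hence the false-positive problem."""
    total: Counter = Counter()
    not_found: Counter = Counter()
    for line in lines:
        ip, _method, _path, status = line.split()
        total[ip] += 1
        if status == "404":
            not_found[ip] += 1
    alerts = []
    for ip, n in total.items():
        if n > max_requests:
            alerts.append((ip, "request-rate"))
        if n >= 5 and not_found[ip] / n >= max_404_ratio:
            alerts.append((ip, "404-ratio"))
    return alerts


if __name__ == "__main__":
    print(signature_alerts(LOG))   # [('198.51.100.4', 'sqli-tautology'), ('203.0.113.9', 'path-traversal')]
    print(anomaly_alerts(LOG))     # [('192.0.2.77', 'request-rate'), ('192.0.2.77', '404-ratio')]
```

Note that each detector misses what the other catches: the scanner at 192.0.2.77 matches no signature, and the two single-request probes never cross an anomaly threshold. Production IDSs combine both, and tuning the thresholds is where most of the false-positive work goes.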

IDS Vs. IPS (Intrusion Prevention System)
• An IDS watches a copy of the traffic and only detects and reports; an IPS
sits inline in the traffic path and can also block what it detects.

Actions of IPS
• Notifying the administrator
• Dropping the malicious packets
• Blocking further traffic from the source address
• Resetting the connection
Types of IPS

• NIPS (Network based IPS)
• A NIPS detects suspicious traffic by monitoring the entire network.
• WIPS (Wireless IPS)
• A WIPS checks for suspicious activity by reviewing wireless
networking protocols.
• NBA (Network Behavior Analysis)
• NBA examines traffic flows to identify unusual patterns, such as a
flood of traffic or an unexpected spread of connections across the
network, and so reduces the time administrators spend identifying and
resolving such events.
• HIPS (Host Based IPS)
• A HIPS checks for suspicious activity on a single host.

Access Control
• Access control regulates who and what can view or use resources in a
computing environment.
• It is the security feature through which a system grants or revokes the
right to access any data or resource in the system.
• It includes
• File permissions
• Program permissions
• Data rights permissions
• Identification: the user claims an identity
• Authentication: the system verifies that the claimed identity is genuine
• Authorization: the system decides what the authenticated user may do

Types of Authentication:
Single factor and Multi factor

Types of Access Control


• Mandatory Access Control (MAC)
• MAC defines the accessibility of information in a consistent manner.
• A security model in which access rights are regulated by a central
authority based on multiple levels of security (labels), and cannot
be changed by the owner of the data.
• Discretionary Access Control (DAC)
• The DAC model offers flexibility in how information is shared among
network users.
• An access control method in which the owners or administrators of the
protected system, data or resource set the policies defining who or
what is authorized to access the resource.

• Role-Based Access Control (RBAC)
• RBAC models control access to information from the viewpoint of
organizational roles.
• A widely used access control mechanism that restricts access to
computer resources based on individuals or groups having defined
business functions.

• Rule-Based Access Control
• Decisions depend on the settings saved in preconfigured security
policies.
• A security model in which the system administrator defines the rules
that govern access to resource objects.

• Attribute-Based Access Control (ABAC)
• A methodology that manages access rights by evaluating a set of
rules, policies and relationships using the attributes of users,
systems and environmental conditions.
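The models above differ in what an access decision is computed from. The following added example (not from the notes) answers the same kind of question two ways: an RBAC policy that maps users to roles and roles to permissions, and an ABAC policy whose rules are predicates over subject, resource and environment attributes, one of them a MAC-style clearance check. Users, roles, attributes and the policies themselves are constructed.

```python
"""Added example (not from the notes): one authorisation question answered
by an RBAC policy and by an ABAC policy. Users, roles, attributes and rules
are constructed sample data."""
from datetime import time
from typing import Callable, Dict, List, Set, Tuple

Perm = Tuple[str, str]   # (resource, action)

# RBAC: permissions hang off roles; users are assigned roles, never permissions.
ROLE_PERMS: Dict[str, Set[Perm]] = {
    "clerk":   {("ledger", "read")},
    "auditor": {("ledger", "read"), ("ledger", "export")},
    "admin":   {("ledger", "read"), ("ledger", "write"), ("users", "write")},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"clerk"},
    "bob":   {"auditor"},
    "carol": {"admin"},
}


def rbac_allowed(user: str, resource: str, action: str) -> bool:
    """Allowed if any of the user's roles carries the permission.
    An unknown user has no roles and is therefore denied."""
    return any(
        (resource, action) in ROLE_PERMS.get(role, set())
        for role in USER_ROLES.get(user, set())
    )


# ABAC: a rule is a predicate over (subject, resource, action, environment).
AbacRule = Callable[[dict, dict, str, dict], bool]

ABAC_RULES: List[AbacRule] = [
    # MAC-style: a read is permitted only if clearance dominates classification.
    lambda s, r, a, e: a == "read" and s["clearance"] >= r["classification"],
    # Writes only by the owning department, in business hours, from the office network.
    lambda s, r, a, e: (
        a == "write"
        and s["dept"] == r["owner_dept"]
        and time(9, 0) <= e["time"] <= time(17, 0)
        and e["network"] == "office"
    ),
]


def abac_allowed(subject: dict, resource: dict, action: str, env: dict) -> bool:
    """Permit if any rule fires; with no matching rule the default is deny."""
    return any(rule(subject, resource, action, env) for rule in ABAC_RULES)


if __name__ == "__main__":
    print(rbac_allowed("alice", "ledger", "read"))    # True
    print(rbac_allowed("alice", "ledger", "write"))   # False
    analyst = {"clearance": 2, "dept": "finance"}
    record = {"classification": 3, "owner_dept": "finance"}
    office_day = {"time": time(10, 30), "network": "office"}
    print(abac_allowed(analyst, record, "read", office_day))   # False: clearance too low
    print(abac_allowed(analyst, record, "write", office_day))  # True: own dept, in hours, in office
```

The RBAC decision never looks at the request's circumstances, which keeps it simple to audit; the ABAC decision can express "only from the office, only in business hours", at the cost of policies that are harder to review. Both default to deny when nothing matches, which is the property worth preserving in any implementation.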

Security Threats
There are numerous threats to the security of applications and data.
• Viruses
• A virus is a piece of software designed and developed to infect a
computer system and perform unauthorized operations.
• A virus-infected system can suffer damage to the data stored on its
hard drive, crash the OS, or spread the virus over a network.
• Some of the ways a virus is transmitted to a system:
• Using infected media such as CDs or USB drives
• Through e-mail and visiting compromised or malicious websites

Some of the symptoms of a virus infection are as follows:
• Launching an application or program becomes slow
• Files appear or disappear
• The size of an installed program changes by itself
• The interface of applications or programs changes
• The system shuts down or restarts by itself
• Access to drives is restricted

Type of Virus
• Polymorphic
• Viruses that change their form from one infection to the next to
avoid being detected.
• The payload can be anything; the distinguishing feature is that every
copy looks different to a signature scanner.
• The mutation works by encrypting the virus body under a varying key so
that only a small, changing decryptor is visible.
• Stealth
• Viruses that hide their presence from the operating system and
applications to avoid detection, for example by intercepting file
reads so that an infected file appears unchanged.
• A stealth virus often attaches itself to the boot sector of a hard disk.
• The infected file is a different size from the original, which the
virus conceals.
• Retroviruses
• Viruses that attack or bypass installed antivirus software.
• A retrovirus is capable of directly attacking an antivirus program.
• Multipartite
• Viruses that can infect in more than one way.
• A multipartite virus harms a system by infecting both the boot sector
and executable files.
• Armored
• Viruses written so that debuggers and disassemblers cannot easily
examine their critical parts; the code that actually does the damage
is not directly visible.
• Companion
• Viruses that spread by placing themselves beside a genuine program
rather than by modifying it.
• The companion virus is saved under the same name as the genuine
program but with a different file extension, or in a directory that
is searched first, so that it runs whenever the program is invoked.
• Phage
• Viruses that modify other applications and programs.
• A phage virus damages programs so badly that the only way to recover
is to reinstall the infected programs.
• Macro Viruses
• Viruses that exploit the macro (scripting) facilities built into
application programs.
• For example, the macro feature of MS Word can run code automatically
when a document is opened, which is exactly what a macro virus uses.

• Trojan Horses
• Trojan horses are programs that reach a system disguised as a genuine
application or program, for example as an attachment or as part of an
installation process.
• During installation either a backdoor is created or the original
program is replaced by the Trojan horse.
• Because a Trojan horse is hard to detect, a basic precaution is to back
up data before installing new software. Another way to detect a Trojan
horse is to perform a port scan on the system and look for listening
ports that nothing legitimate should have opened.

• Logic Bombs
• Logic bombs are programs or code snippets that execute when a
pre-defined event occurs (a date, a user action, a counter reaching
a value).
• A typical logic bomb displays a message or destroys data when, for
instance, the user accesses the Internet or uses a word processor.

• Worms
• Worms are threats that are self-sufficient: they replicate themselves
and do not need a host application in order to spread.
• They are also capable of delivering a virus or other payload to a
system.
• Early worms resided only in the RAM of a target computer; modern worms
spread through TCP/IP services, e-mail or other Internet services.

• Trapdoors
• Trapdoor attacks, also known as back doors, have two related meanings.
• A trapdoor is a hook left in a system by developers for
troubleshooting; a back door is such a hidden path used to gain
access to a network.
• A trapdoor lets a malicious user run unauthorized code at the time the
program executes.
• A trapdoor attack is primarily an access or modification attack: it
bypasses the normal user ID and password checks that would otherwise
be required to gain administrative privileges.

• E-mail Viruses
• E-mail viruses are among the most common, highly effective and
potentially harmful programs, forwarded as e-mail attachments to
e-mail users.
• An e-mail virus normally activates as soon as the attachment is opened.
• These viruses cause a lot of damage, including destruction of files on
the computer system and re-mailing of the attachment to every contact
in the recipient's address book.
• You can defend yourself from e-mail viruses by taking the following
measures:
• Never open attachments received from unknown senders, or
attachments you were not expecting
• Have antivirus software installed so that attachments are scanned
before you open them
• Malicious Software
• A computer program is a sequence of symbols and instructions used to
achieve a desired functionality.
• It is termed malicious when the sequence of instructions is intended
to have adverse effects on the computer system.
• Malicious code can also take the form of an auto-executing component
of a web page, such as a Java applet, an ActiveX control or script
written in one of the languages designed to enhance web pages.

Denial of Services Attack


• A DoS attack is an attempt to deny the intended users or organization
access to computer resources.
• IP spoofing is commonly used in one of the hardest attacks to defend
against, the DoS attack.
• The attacker is not concerned with the proper transmission of packets;
he/she only wants to consume the victim's resources and bandwidth.
• In addition, the attacker wants to flood the victim with as many packets
as possible in a short span of time.
• To increase the effectiveness of the attack, attackers spoof the source
IP addresses so that tracing and stopping the DoS is as difficult as
possible.

Spoofing
• Spoofing means providing false information about your identity to gain
unauthorized access to other computer systems.
• In a spoofing attack, one person or program successfully pretends to be
another by falsifying data, thereby gaining an illegitimate advantage.

The different types of spoofing are as follows:

• IP Spoofing
• Forging the source IP address of packets so that they appear to come
from a trusted or innocent host; it is used for connection hijacking
and for hiding the origin of flooding attacks.
• Content Spoofing
• A technique used to trap a user on a website that looks genuine but
is actually an elaborate copy.
• Attackers spoofing content use dynamic HTML and frames to create a
page with the expected URL and a similar appearance, and then prompt
the user for personal information.
• Content spoofing is also common in fake e-mail alerts, account
notifications etc.
• Caller ID Spoofing
• Causing the telephone network to display on the recipient's caller ID
a number that is not that of the actual originating station. The term
is commonly used where the motivation is considered malicious.
• Just as e-mail spoofing can make a message appear to come from any
e-mail address the sender chooses, caller ID spoofing can make a call
appear to come from any phone number the caller wishes.
• E-mail Spoofing
• Forging an e-mail header so that the message appears to have
originated from someone or somewhere other than the actual source.
Spam distributors often use spoofing to get recipients to open, and
possibly respond to, their solicitations. Sender checks such as SPF,
DKIM and DMARC exist precisely because the From: header is trivially
forged.
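Because the From: header can be set to anything, a receiving system has to look at what it cannot be forged as easily: the envelope sender recorded in Return-Path and the SPF/DKIM verdict the receiving server wrote into Authentication-Results. The following is an added example and not from the notes; the two messages are constructed, one legitimate and one with a forged From: line.

```python
"""Added example (not from the notes): flag likely e-mail spoofing by
comparing the visible From: domain with the envelope sender and with the
receiving server's SPF/DKIM verdict. Both messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

LEGIT = """\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
From: Bank Alerts <alerts@bank.example>
To: victim@example.test
Subject: Statement ready

Your statement is ready.
"""

SPOOFED = """\
Return-Path: <bounce@evil.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=evil.test; dkim=none
From: Bank Alerts <alerts@bank.example>
To: victim@example.test
Subject: Urgent: verify your account

Click here.
"""


def domain_of(header_value: str) -> str:
    """Extract the domain part of an address such as 'Name <user@host>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def spoof_indicators(raw: str) -> List[str]:
    """Return a list of reasons to distrust the sender; empty means none found."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    # The envelope sender is what SPF is checked against; a mismatch with the
    # displayed From: is the classic footprint of a forged header.
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender {envelope_dom} != From domain {from_dom}")
    # Authentication-Results is written by our own receiving server, so a
    # non-pass verdict there is trustworthy in a way the From: line is not.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")
    return findings


if __name__ == "__main__":
    print(spoof_indicators(LEGIT))    # []
    print(spoof_indicators(SPOOFED))  # mismatch, spf=fail, dkim=none
```

Mail relayed through a mailing list or a forwarder legitimately shows an envelope/From mismatch, so the first check on its own is a hint, not a verdict; the DKIM signature surviving forwarding is what DMARC relies on in that case.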

Antivirus Software
• Antivirus software is an application used as a primary method of
preventing malicious code and viruses.
• Antivirus software is installed on a system and scans it to detect
viruses, Trojan horses and worms.
• Antivirus software also scans cookies and other browser data for threats.

The following are several approaches to deploying antivirus software on
your network:
• Placing antivirus client software on each client computer in your
network, with an antivirus server that automatically updates the
clients' signatures on a regular basis.
• Installing antivirus software on your mail server to scan all incoming
mail for viruses and remove them before they can infect your systems.

The following is a list of some well-known antivirus products:
• Quick Heal Total Security
• Norton Antivirus
• Avast Antivirus
• Avira Antivirus
• McAfee virus Scan Plus
• Trend Micro Antivirus Internet Security
• ESET NOD32 Antivirus
• BitDefender Antivirus
• Kaspersky Antivirus
• CA Antivirus Plus etc.
