System Security:

The security of a computer system is a crucial task. It is a process of ensuring the confidentiality and
integrity of the OS. Security is one of most important as well as the major task in order to keep all the
threats or other malicious tasks or attacks or program away from the computer’s software system.
A system is said to be secure if its resources are used and accessed as intended under all the
circumstances, but no system can guarantee absolute security from several of various malicious
threats and unauthorized access.

The security of a system can be threatened via two violations:

Threat: A program that has the potential to cause serious damage to the system.

Attack: An attempt to break security and make unauthorized use of an asset.

Security violations affecting the system can be categorized as malicious and accidental
threats. Malicious threats, as the name suggests are a kind of harmful computer code or web script
designed to create system vulnerabilities leading to back doors and security breaches. Accidental
Threats, on the other hand, are comparatively easier to be protected against. Example: Denial of
Service DDoS attack.

Security can be compromised via any of the breaches mentioned:

Breach of confidentiality: This type of violation involves the unauthorized reading of data.

Breach of integrity: This violation involves unauthorized modification of data.

Breach of availability: It involves unauthorized destruction of data.

Theft of service: It involves the unauthorized use of resources.

Denial of service: It involves preventing legitimate use of the system. As mentioned before, such
attacks can be accidental in nature.

Security System Goal:

Henceforth, based on the above breaches, the following security goals are aimed:

Integrity:
The objects in the system mustn’t be accessed by any unauthorized user & any user not having
sufficient rights should not be allowed to modify the important system files and resources.

Secrecy:
The objects of the system must be accessible only to a limited number of authorized users. Not
everyone should be able to view the system files.

Availability:
All the resources of the system must be accessible to all the authorized users i.e. only one user/process
should not have the right to hog all the system resources. If such kind of situation occurs, denial of
service could happen. In this kind of situation, malware might hog the resources for itself & thus
preventing the legitimate processes from accessing the system resources.

Threats can be classified into the following two categories:

1|Page
Program Threats:
A program was written by a cracker to hijack the security or to change the behavior of a normal
process. In other words, if a user program is altered and further made to perform some malicious
unwanted tasks, then it is known as Program Threats.

System Threats:
These threats involve the abuse of system services. They strive to create a situation in which
operating-system resources and user files are misused. They are also used as a medium to launch
program threats.

Types of Program Threats:

Virus:
An infamous threat, known most widely. It is a self-replicating and malicious thread that attaches
itself to a system file and then rapidly replicates itself, modifying and destroying essential files
leading to a system breakdown.

Further, Types of computer viruses can be described briefly as follows:

– file/parasitic – appends itself to a file
– boot/memory – infects the boot sector
– macro – written in a high-level language like VB and affects MS Office files
– source code – searches and modifies source codes
– polymorphic – changes in copying each time
– encrypted – encrypted virus + decrypting code
– stealth – avoids detection by modifying parts of the system that can be used to detect it, like the read
system
call
– tunneling – installs itself in the interrupt service routines and device drivers
– multipartite – infects multiple parts of the system

Trojan horse:
A code segment that misuses its environment is called a Trojan Horse. They seem to be attractive and
harmless cover programs but are really harmful hidden programs that can be used as the virus carrier.
In one of the versions of Trojan, the User is fooled to enter confidential login details on an
application. Those details are stolen by a login emulator and can be further used as a way of
information breaches. One of the major as well as a serious threat or consequences of the Trojan horse
is that it will actually perform proper damage once installed or run on the computer’s system but at
first, a glance will appear to be useful software and later turns out to be maliciously unwanted one.

Another variance is Spyware, Spyware accompanies a program that the user has chosen to install and
download ads to display on the user’s system, thereby creating pop-up browser windows and when
certain sites are visited by the user, it captures essential information and sends it over to the remote
server. Such attacks are also known as Convert Channels.

Trap Door:
The designer of a program or system might leave a hole in the software that only he is capable of
using, the Trap Door works on similar principles. Trap Doors are quite difficult to detect as to analyze

2|Page
them, one needs to go through the source code of all the components of the system. In other words, if
we may have to define a trap door then it would be like, a trap door is actually a kind of a secret entry
point into a running or static program that actually allows anyone to gain access to any system without
going through the usual security access procedures.

Logic Bomb:
A program that initiates a security attack only under a specific situation. To be very precise, a logic
bomb is actually the most malicious program which is inserted intentionally into the computer system
and that is triggered or functions when specific conditions have been met for it to work.

Worm:
A computer worm is a type of malware that replicates itself and infects other computers while
remaining active on affected systems. A computer worm replicates itself in order to infect machines
that aren’t already infested. It frequently accomplishes this by taking advantage of components of an
operating system that are automatic and unnoticed by the user. Worms are frequently overlooked until
their uncontrolled replication depletes system resources, slowing or stopping other activities.

Types of System Threats –

Aside from the program threats, various system threats are also endangering the security of our
system:

1. Worm:
An infection program that spreads through networks. Unlike a virus, they target mainly LANs. A
computer affected by a worm attacks the target system and writes a small program “hook” on it. This
hook is further used to copy the worm to the target computer. This process repeats recursively, and
soon enough all the systems of the LAN are affected. It uses the spawn mechanism to duplicate itself.
The worm spawns copies of itself, using up a majority of system resources and also locking out all
other processes.

The basic functionality of the worm can be represented as:

2. Port Scanning:
It is a means by which the cracker identifies the vulnerabilities of the system to attack. It is an
automated process that involves creating a TCP/IP connection to a specific port. To protect the
identity of the attacker, port scanning attacks are launched from Zombie Systems, that is systems that

3|Page
were previously independent systems that are also serving their owners while being used for such
notorious purposes.

3. Denial of Service:
Such attacks aren’t aimed for the purpose of collecting information or destroying system files. Rather,
they are used for disrupting the legitimate use of a system or facility.
These attacks are generally network-based. They fall into two categories:
– Attacks in this first category use so many system resources that no useful work can be performed.

For example, downloading a file from a website that proceeds to use all available CPU time.
– Attacks in the second category involve disrupting the network of the facility. These attacks are a
result of the abuse of some fundamental TCP/IP principles.
the fundamental functionality of TCP/IP.

Security Measures Taken –

To protect the system, Security measures can be taken at the following levels:

Physical:
The sites containing computer systems must be physically secured against armed and malicious
intruders. The workstations must be carefully protected.

Human:
Only appropriate users must have the authorization to access the system. Phishing(collecting
confidential information) and Dumpster Diving(collecting basic information so as to gain
unauthorized access) must be avoided.

Operating system:
The system must protect itself from accidental or purposeful security breaches.

Networking System:
Almost all of the information is shared between different systems via a network. Intercepting these
data could be just as harmful as breaking into a computer. Henceforth, Network should be properly
secured against such attacks.

Usually, Anti Malware programs are used to periodically detect and remove such viruses and threats.
Additionally, to protect the system from Network Threats, a Firewall is also be used.

What is server security?

Server security focuses on the protection of data and resources held on the servers. It comprises tools
and techniques that help prevent intrusions, hacking and other malicious actions.

Server security measures vary and are typically implemented in layers. They cover:

the base operating system - focusing on security of critical components and services

hosted applications - controlling the content and services hosted on the server

network security - protecting against online exploits, viruses and attacks

Insecure servers are significant business risk and can cause many network security issues.

4|Page
How do I secure a server?

Securing large, complex servers can require specialist skills. However, any business using a server
should be aware of the risks and - at the very least - use basic cyber security measures.

Good management practices can help you improve your business' server and network security. If you
are not using a secure data centre to host your servers, you should:

keep them locked

monitor and restrict access to them

monitor server reports, such as security logs

assess their environment for other risks, eg temperature and fire

maintain stable power supply

As with regular desktop PCs, servers will need:

a firewall

regular backup and updates

reliable security software

reliable maintenance and support services

Network firewall security

A firewall is a piece of software or hardware that filters all incoming and outgoing traffic to your
business. Firewall devices can:

block malicious email relaying

prevent malware from being downloaded from untrusted websites

prevent access to blacklisted websites or unsecured services

Hardware firewall

Hardware firewall is a part of broadband routers. It protects your entire local network from
unauthorised external access and is usually effective even with minimal configuration.

Software firewall

Software firewall is an application installed on individual computers and devices. It is often part of the
operating system and usually needs greater configuration of settings and applications controls.

Server hardening

Regardless of what server software and operating system you run, their default configuration may not
be fully secure. You should take steps to increase server security - this process is known as server
hardening.

5|Page
Some common server hardening methods include:

using data encryption for communication

removing unnecessary software from servers

regularly updating operating systems, and applying security patches

using security extensions

enforcing strong password complexity to protect all user accounts

account locking after repeated login failures

using brute force and intrusion detection systems

backing up data and systems regularly

Using cloud as an alternative to servers

With new digital services now available on cloud platforms, many businesses are moving - or have
moved - parts of their infrastructure into the cloud. Potential cost savings and improved functionality
are what make the cloud so appealing.

With some cloud solutions, for example, Software as a Service (SaaS) or Platform as a Service
(PaaS), the cloud provider will typically be expected to configure and maintain servers for you,
including patching, security hardening, and implementing security functions like logging and
auditing.

OS Security:

Security refers to providing a protection system to computer system resources such as CPU, memory,
disk, software programs and most importantly data/information stored in the computer system. If a
computer program is run by an unauthorized user, then he/she may cause severe damage to computer
or data stored in it. So a computer system must be protected against unauthorized access, malicious
access to system memory, viruses, worms etc. We're going to discuss following topics in this chapter.

Authentication

One Time passwords

Program Threats

System Threats

Computer Security Classifications

Authentication

Authentication refers to identifying each user of the system and associating the executing programs
with those users. It is the responsibility of the Operating System to create a protection system which
ensures that a user who is running a particular program is authentic. Operating Systems generally
identifies/authenticates users using following three ways −

6|Page
Username / Password − User need to enter a registered username and password with Operating
system to login into the system.

User card/key − User need to punch card in card slot, or enter key generated by key generator in
option provided by operating system to login into the system.

User attribute - fingerprint/ eye retina pattern/ signature − User need to pass his/her attribute via
designated input device used by operating system to login into the system.

One Time passwords

One-time passwords provide additional security along with normal authentication. In One-Time
Password system, a unique password is required every time user tries to login into the system. Once a
one-time password is used, then it cannot be used again. One-time password are implemented in
various ways.

Random numbers − Users are provided cards having numbers printed along with corresponding
alphabets. System asks for numbers corresponding to few alphabets randomly chosen.

Secret key − User are provided a hardware device which can create a secret id mapped with user id.
System asks for such secret id which is to be generated every time prior to login.

Network password − Some commercial applications send one-time passwords to user on registered
mobile/ email which is required to be entered prior to login.

Program Threats

Operating system's processes and kernel do the designated task as instructed. If a user program made
these process do malicious tasks, then it is known as Program Threats. One of the common example
of program threat is a program installed in a computer which can store and send user credentials via
network to some hacker. Following is the list of some well-known program threats.

Trojan Horse − Such program traps user login credentials and stores them to send to malicious user
who can later on login to computer and can access system resources.

Trap Door − If a program which is designed to work as required, have a security hole in its code and
perform illegal action without knowledge of user then it is called to have a trap door.

Logic Bomb − Logic bomb is a situation when a program misbehaves only when certain conditions
met otherwise it works as a genuine program. It is harder to detect.

Virus − Virus as name suggest can replicate themselves on computer system. They are highly
dangerous and can modify/delete user files, crash systems. A virus is generatlly a small code
embedded in a program. As user accesses the program, the virus starts getting embedded in other
files/ programs and can make system unusable for user

System Threats

System threats refer to misuse of system services and network connections to put user in trouble.
System threats can be used to launch program threats on a complete network called as program attack.
A system threat creates such an environment that operating system resources/ user files are misused.
Following is the list of some well-known system threats.

7|Page
Worm − Worm is a process which can choked down a system performance by using system resources
to extreme levels. A Worm process generates its multiple copies where each copy uses system
resources, prevents all other processes to get required resources. Worms’ processes can even shut
down an entire network.

Port Scanning − Port scanning is a mechanism or means by which a hacker can detects system
vulnerabilities to make an attack on the system.

Denial of Service − Denial of service attacks normally prevents user to make legitimate use of the
system. For example, a user may not be able to use internet if denial of service attacks browser's
content settings.

Computer Security Classifications

As per the U.S. Department of Defence Trusted Computer System's Evaluation Criteria there are four
security classifications in computer systems: A, B, C, and D. this is widely used specifications to
determine and model the security of systems and of security solutions. Following is the brief
description of each classification.

S.N. Classification Type & Description

1 Type A

Highest Level. Uses formal design specifications and verification techniques. Grants a high degree of
assurance of process security.

2 Type B

Provides mandatory protection system. Have all the properties of a class C2 system. Attaches a
sensitivity label to each object. It is of three types.

B1 − Maintains the security label of each object in the system. Label is used for making decisions to
access control.

B2 − Extends the sensitivity labels to each system resource, such as storage objects, supports covert
channels and auditing of events.

B3 − Allows creating lists or user groups for access-control to grant access or revoke access to a given
named object.

3 Type C

Provides protection and user accountability using audit capabilities. It is of two types.

C1 − Incorporates controls so that users can protect their private information and keep other users from
accidentally reading / deleting their data. UNIX versions are mostly Cl class.

C2 − Adds an individual-level access control to the capabilities of a Cl level system.

8|Page
 4 Type D

Lowest level. Minimum protection. MS-DOS, Window 3.1 fall in this category.

What is packet sniffing?

Packet sniffing is a technique whereby packet data flowing across the network is detected and
observed. Network administrators use packet sniffing tools to monitor and validate network traffic,
while hackers may use similar tools for nefarious purposes.

What are packet sniffers?

Packet sniffers are applications or utilities that read data packets traversing the network within the
Transmission Control Protocol/Internet Protocol (TCP/IP) layer. When in the hands of network
administrators, these tools “sniff” internet traffic in real-time, monitoring the data, which can then be
interpreted to evaluate and diagnose performance problems within servers, networks, hubs and
applications.

When packet sniffing is used by hackers to conduct unauthorized monitoring of internet activity,
network administrators can use one of several methods for detecting sniffers on the network. Armed
with this early warning, they can take steps to protect data from illicit sniffers.

What is the difference between the term “sniffer” and “Sniffer?”

When spelled with a lowercase “s,” the term “sniffer” indicates the use of a packet sniffing tool for
either good or nefarious purposes. In the hands of authorized network administrators, a sniffer is
employed to maintain the unimpeded flow of traffic through a network. Conversely, in the hands of a
hacker, a sniffer may be used for unauthorized monitoring of the network.

When spelled with an upper case “S,” the term “Sniffer” refers to trademarked technology from
NETSCOUT. This branded sniffer enables network administrators to monitor bandwidth and ensure
that no single user is using too much available capacity.

Is the original Sniffer still available today?

9|Page
Network General Corporation (now known as Network Associates Inc.) introduced the Sniffer
Network Analyser in 1988. Since then, the Sniffer has passed through several hands, including
McAfee. In 2007, NETSCOUT acquired Network General, along with Sniffer. The first generation of
Sniffer read the message headers of data packets on the network. This monitoring tool provided
administrators with a centralized global view of all network activity, offering details such as the
addresses of senders and receivers, file sizes and other packet-related information.

How do hackers use packet sniffing?

Hackers will typically use one of two different methods of sniffing to surreptitiously monitor a
company’s network. In the case of organizations with infrastructure configured using hubs that
connect multiple devices together on a single network, hackers can utilize a sniffer to passively “spy”
on all the traffic flowing within the system. Passive sniffing, such as this, is extremely difficult to
uncover.

When a much larger network is involved, utilizing numerous connected computers and network
switches to direct traffic only to specific devices, passive monitoring simply won’t provide access to
all network traffic. In such a case, sniffing won’t be helpful for either legitimate or illegitimate
purposes. Hackers will be forced to bypass the constraints created by the network switches. This
requires active sniffing, which adds further traffic to the network, and in turn makes it detectable to
network security tools.

How to protect networks from illicit sniffers

There are several steps organizations can take to protect their networks from illicit sniffing activities.
The following defences can reduce the risk of exposure to hackers:

Do not use public Wi-Fi networks: Wi-Fi networks found in public spaces typically lack security
protocols to fully protect users. Hackers can easily sniff the entire network, gaining access to sensitive
data. Avoiding such networks is a wise security choice unless the user is accessing an encrypted VPN.

Rely on a trusted VPN connection: When accessing the internet remotely, always use a trusted Virtual
Private Network that encrypts the connection and masks all data from sniffers. Any sniffer attempting
to monitor traffic over a VPN will only see data that has been scrambled, making it useless to the
hacker.

Always deploy robust antivirus software: By installing effective antivirus software, organizations can
prevent malware from infiltrating the network and system. Robust antivirus tools will also uncover
sniffers present in the system and offer to delete them.

Look for secure HTTPS protocols before surfing the web: Before surfing the internet, look for the
“HTTPS” in the address bar of a website. Some sites only indicate “HTTP.” The additional “S” at the
end is an indication that the site adheres to more robust security protocols that encrypt
communications and will prevent sniffers used by hackers from seeing the data.

Don’t fall prey to social engineering tricks and traps: Hackers and cyber attackers will often employ
phishing emails and spoofed website to trick people into unwittingly downloading sniffers. Being
aware and cautious when browsing can prevent users from falling prey to nefarious tactics.

A denial-of-service (DoS) attack floods a server with traffic, making a website or resource
unavailable. A distributed denial-of-service (DDoS) attack is a DoS attack that uses multiple

10 | P a g e
computers or machines to flood a targeted resource. Both types of attacks overload a server or web
application with the goal of interrupting services.

As the server is flooded with more Transmission Control Protocol/User Datagram Protocol
(TCP/UDP) packets than it can process, it may crash, the data may become corrupted, and resources
may be misdirected or even exhausted to the point of paralyzing the system.

What Is the Difference Between DoS Attacks and DDoS Attacks?

The principal difference between a DoS attack and a DDoS attack is that the former is a system-on-
system attack, while the latter involves several systems attacking a single system. There are other
differences, however, involving either their nature or detection, including:

Ease of detection/mitigation: Since a DoS comes from a single location, it is easier to detect its origin
and sever the connection. In fact, a proficient firewall can do this. On the other hand, a DDoS attack
comes from multiple remote locations, disguising its origin.

Speed of attack: Because a DDoS attack comes from multiple locations, it can be deployed much
faster than a DoS attack that originates from a single location. The increased speed of attack makes
detecting it more difficult, meaning increased damage or even a catastrophic outcome.

Traffic volume: A DDoS attack employs multiple remote machines (zombies or bots), which means
that it can send much larger amounts of traffic from various locations simultaneously, overloading a
server rapidly in a manner that eludes detection.

Manner of execution: A DDoS attack coordinates multiple hosts infected with malware (bots),
creating a botnet managed by a command-and-control (C&C) server. In contrast, a DoS attack
typically uses a script or a tool to carry out the attack from a single machine.

Tracing of source(s): The use of a botnet in a DDoS attack means that tracing the actual origin is
much more complicated than tracing the origin of a DoS attack.

Types of DoS Attacks and DDoS Attacks

DoS and DDoS attacks can take many forms and be used for various means. It can be to make a
company lose business, to cripple a competitor, to distract from other attacks, or simply to cause
trouble or make a statement. The following are some common forms taken by such attacks.

Teardrop Attack

A teardrop attack is a DoS attack that sends countless Internet Protocol (IP) data fragments to a
network. When the network tries to recompile the fragments into their original packets, it is unable
to.

For example, the attacker may take very large data packets and break them down into multiple
fragments for the targeted system to reassemble. However, the attacker changes how the packet is
disassembled to confuse the targeted system, which is then unable to reassemble the fragments into
the original packets.

Flooding Attack

11 | P a g e
A flooding attack is a DoS attack that sends multiple connection requests to a server but then does not
respond to complete the handshake.

For example, the attacker may send various requests to connect as a client, but when the server tries to
communicate back to verify the connection, the attacker refuses to respond. After repeating the
process countless times, the server becomes so inundated with pending requests that real clients
cannot connect, and the server becomes “busy” or even crashes.

IP Fragmentation Attack

An IP fragmentation attack is a type of DoS attack that delivers altered network packets that the
receiving network cannot reassemble. The network becomes bogged down with bulky unassembled
packets, using up all its resources.

Volumetric Attack

A volumetric attack is a type of DDoS attack used to target bandwidth resources. For example, the
attacker uses a botnet to send a high volume of request packets to a network, overwhelming its
bandwidth with Internet Control Message Protocol (ICMP) echo requests. This causes services to
slow down or even cease entirely.

Protocol Attack

A protocol attack is a type of DDoS attack that exploits weaknesses in Layers 3 and 4 of the OSI
model. For example, the attacker may exploit the TCP connection sequence, sending requests but
either not answering as expected or responding with another request using a spoofed source IP
address. Unanswered requests use up the resources of the network until it becomes unavailable.

Application-based Attack

An application-based attack is a type of DDoS attack that targets Layer 7 of the OSI model. An
example is a Slowloris attack, in which the attacker sends partial Hypertext Transfer Protocol (HTTP)
requests but does not complete them. HTTP headers are periodically sent for each request, resulting in
the network resources becoming tied up.

The attacker continues the onslaught until no new connections can be made by the server. This type of
attack is very difficult to detect because rather than sending corrupted packets, it sends partial ones,
and it uses little to no bandwidth.

Intrusion Detection System (IDS):

An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity
and issues alerts when such activity is discovered. It is a software application that scans a network or a
system for the harmful activity or policy breaching. Any malicious venture or violation is normally
reported either to an administrator or collected centrally using a security information and event
management (SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm
filtering techniques to differentiate malicious activity from false alarms.

Although intrusion detection systems monitor networks for potentially malicious activity, they are
also disposed to false alarms. Hence, organizations need to fine-tune their IDS products when they

12 | P a g e
first install them. It means properly setting up the intrusion detection systems to recognize what
normal traffic on the network looks like as compared to malicious activity.

Intrusion prevention systems also monitor network packets inbound the system to check the malicious
activities involved in it and at once send the warning notifications.

Classification of Intrusion Detection System:

IDS are classified into 5 types:

Network Intrusion Detection System (NIDS):

Network intrusion detection systems (NIDS) are set up at a planned point within the network to
examine traffic from all devices on the network. It performs an observation of passing traffic on the
entire subnet and matches the traffic that is passed on the subnets to the collection of known attacks.
Once an attack is identified or abnormal behavior is observed, the alert can be sent to the
administrator. An example of a NIDS is installing it on the subnet where firewalls are located in order
to see if someone is trying to crack the firewall.

Host Intrusion Detection System (HIDS):

Host intrusion detection systems (HIDS) run on independent hosts or devices on the network. A HIDS
monitors the incoming and outgoing packets from the device only and will alert the administrator if
suspicious or malicious activity is detected. It takes a snapshot of existing system files and compares
it with the previous snapshot. If the analytical system files were edited or deleted, an alert is sent to
the administrator to investigate. An example of HIDS usage can be seen on mission-critical machines,
which are not expected to change their layout.

Protocol-based Intrusion Detection System (PIDS):

Protocol-based intrusion detection system (PIDS) comprises a system or agent that would consistently
resides at the front end of a server, controlling and interpreting the protocol between a user/device and
the server. It is trying to secure the web server by regularly monitoring the HTTPS protocol stream
and accept the related HTTP protocol. As HTTPS is un-encrypted and before instantly entering its
web presentation layer then this system would need to reside in this interface, between to use the
HTTPS.

Application Protocol-based Intrusion Detection System (APIDS):

Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally
resides within a group of servers. It identifies the intrusions by monitoring and interpreting the
communication on application-specific protocols. For example, this would monitor the SQL protocol
explicit to the middleware as it transacts with the database in the web server.

Hybrid Intrusion Detection System :

Hybrid intrusion detection system is made by the combination of two or more approaches of the
intrusion detection system. In the hybrid intrusion detection system, host agent or system data is
combined with network information to develop a complete view of the network system. Hybrid
intrusion detection system is more effective in comparison to the other intrusion detection system.
Prelude is an example of Hybrid IDS.

Detection Method of IDS:

Signature-based Method:
Signature-based IDS detects the attacks on the basis of the specific patterns such as number of bytes
or number of 1’s or number of 0’s in the network traffic. It also detects on the basis of the already

13 | P a g e
known malicious instruction sequence that is used by the malware. The detected patterns in the IDS
are known as signatures.

Signature-based IDS can easily detect the attacks whose pattern (signature) already exists in system
but it is quite difficult to detect the new malware attacks as their pattern (signature) is not known.

Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown malware attacks as new malware are
developed rapidly. In anomaly-based IDS there is use of machine learning to create a trustful activity
model and anything coming is compared with that model and it is declared suspicious if it is not found
in model. Machine learning-based method has a better-generalized property in comparison to
signature-based IDS as these models can be trained according to the applications and hardware
configurations.

A host intrusion prevention system (HIPS) is an approach to security that relies on third-party
software tools to identify and prevent malicious activities.

Host-based intrusion prevention systems are typically used to protect endpoint devices. Once
malicious activity is detected, the HIPS tool can take a variety of actions, including sending an alarm
to the computer user, logging the malicious activity for future investigation, resetting the connection,
dropping malicious packets and blocking subsequent traffic from the suspect IP address. Some host
intrusion prevention systems allow users to send logs of malicious activity and fragments of
suspicious code directly to the vendor for analysis and possible identification.

Most host intrusion prevention systems use known attack patterns, called signatures, to identify
malicious activity. Signature-based detection is effective, but it can only protect the host device
against known attacks. It cannot protect against zero day attacks or signatures that are not already in
the provider's database.

A second approach to intrusion detection establishes a baseline of normal activity and then compares
current activity against the baseline. The HIPS looks for anomalies, including deviations
in bandwidth, protocols and ports. When activity varies outside of an acceptable range -- such as a
remote application attempting to open a normally closed port -- an intrusion may be in progress.
However, an anomaly, such as a sudden spike in bandwidth use, does not guarantee an actual attack,
so this approach amounts to an educated guess and the chance for false positives can be high.

A third common intrusion-detection method uses stateful inspection to assess the actual protocols
in packets traversing the network. The analysis is called stateful because the malware prevention tool
tracks the state of each protocol. For example, it understands how TCP and UDP packets can or
cannot carry DNS, SMTP, HTTP and other protocols -- and what values should or should not be
contained within each packet of each protocol. Stateful protocol analysis looks for deviations from
normal states of protocol content and can flag a possible attack when an unexpected deviation occurs.
Since stateful analysis is more aware of actual packet contents, the chances for false positives are
somewhat lower than statistical anomaly detection.

HIPS products often focus on just one of the three approaches, though multiple approaches are
sometimes used. For example, McAfee's Host Intrusion Prevention for Desktop and Dell's Managed I
Sensor Intrusion Prevention System (IPS) service are just two offerings that rely on multiple
approaches to intrusion prevention.

Information Security | Integrity

14 | P a g e
Integrity is the protection of system data from intentional or accidental unauthorized changes. The
challenges of the security program are to ensure that data is maintained in the state that is expected by
the users. Although the security program cannot improve the accuracy of the data that is put into the
system by users. It can help ensure that any changes are intended and correctly applied. An additional
element of integrity is the need to protect the process or program used to manipulate the data from
unauthorized modification. A critical requirement of both commercial and government data
processing is to ensure the integrity of data to prevent fraud and errors. It is imperative, therefore, no
user be able to modify data in a way that might corrupt or lose assets or financial records or render
decision making information unreliable. Examples of government systems in which integrity is crucial
include air traffic control system, military fire control systems, and social security and welfare
systems. Examples of commercial systems that require a high level of integrity include medical
prescription system, credit reporting systems, production control systems and payroll systems.

Protecting against Threats to Integrity: Like confidentiality, integrity can also be arbitrated by
hackers, masquerades, unprotected downloaded files, LANs, unauthorized user activities, and
unauthorized programs like Trojan Horse and viruses, because each of these threads can lead to
unauthorized changes to data or programs. For example, unauthorized user can corrupt or change data
and programs intentionally or accidentally if their activities on the system are not properly controlled.
Generally, three basic principles are used to establish integrity controls:

Need-to-know access: User should be granted access only on to those files and programs that they
need in order to perform their assigned jobs functions.

Separation of duties: To ensure that no single employee has control of a transaction from beginning to
end, two or more people should be responsible for performing it.

Rotation of duties: Job assignment should be changed periodically so that it becomes more difficult
for the users to collaborate to exercise complete control of a transaction and subvert it for fraudulent
purposes.

Integrity Models – Integrity models are used to describe what needs to be done to enforce the
information integrity policy. There are three goals of integrity, which the models address in various
ways:

Preventing unauthorized users from making modifications to data or programs.

Preventing authorized users from making improper or unauthorized modifications.

Maintaining internal and external consistency of data and programs.

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it
inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or
sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users
(i.e. employees, members, or account holders) of the service or resource they expected.

Victims of DoS attacks often target web servers of high-profile organizations such as banking,
commerce, and media companies, or government and trade organizations. Though DoS attacks do not

15 | P a g e
typically result in the theft or loss of significant information or other assets, they can cost the victim a
great deal of time and money to handle.

There are two general methods of DoS attacks: flooding services or crashing services. Flood attacks
occur when the system receives too much traffic for the server to buffer, causing them to slow down
and eventually stop. Popular flood attacks include:

Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic to a
network address than the programmers have built the system to handle. It includes the attacks listed
below, in addition to others that are designed to exploit bugs specific to certain applications or
networks

ICMP flood – leverages misconfigured network devices by sending spoofed packets that ping every
computer on the targeted network, instead of just one specific machine. The network is then triggered
to amplify the traffic. This attack is also known as the smurf attack or ping of death.

SYN flood – sends a request to connect to a server, but never completes the handshake. Continues
until all open ports are saturated with requests and none are available for legitimate users to connect
to.

Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In
these attacks, input is sent that takes advantage of bugs in the target that subsequently crash or
severely destabilize the system, so that it can’t be accessed or used.

An additional type of DoS attack is the Distributed Denial of Service (DDoS) attack. A DDoS attack
occurs when multiple systems orchestrate a synchronized DoS attack to a single target. The essential
difference is that instead of being attacked from one location, the target is attacked from many
locations at once. The distribution of hosts that defines a DDoS provides the attacker multiple
advantages:

He can leverage the greater volume of machine to execute a seriously disruptive attack

The location of the attack is difficult to detect due to the random distribution of attacking systems
(often worldwide)

It is more difficult to shut down multiple machines than one

The true attacking party is very difficult to identify, as they are disguised behind many (mostly
compromised) systems

Modern security technologies have developed mechanisms to defend against most forms of DoS
attacks, but due to the unique characteristics of DDoS, it is still regarded as an elevated threat and is
of higher concern to organizations that fear being targeted by such an attack.

What is Wireshark?

Wireshark is an open-source packet analyzer, which is used for education, analysis, software
development, communication protocol development, and network troubleshooting.

It is used to track the packets so that each one is filtered to meet our specific needs. It is commonly
called as a sniffer, network protocol analyzer, and network analyzer. It is also used by network
security engineers to examine security problems.

16 | P a g e
Wireshark is a free to use application which is used to apprehend the data back and forth. It is often
called as a free packet sniffer computer application. It puts the network card into an unselective mode,
i.e., to accept all the packets which it receives.

Uses of Wireshark:

Wireshark can be used in the following ways:

It is used by network security engineers to examine security problems.

It allows the users to watch all the traffic being passed over the network.

It is used by network engineers to troubleshoot network issues.

It also helps to troubleshoot latency issues and malicious activities on your network.

It can also analyse dropped packets.

It helps us to know how all the devices like laptop, mobile phones, desktop, switch, routers, etc.,
communicate in a local network or the rest of the world.

What is a packet?

A packet is a unit of data which is transmitted over a network between the origin and the destination.
Network packets are small, i.e., maximum 1.5 Kilobytes for Ethernet packets and 64 Kilobytes for IP
packets. The data packets in the Wireshark can be viewed online and can be analyzed offline.

History of Wireshark:

In the late 1990's Gerald Combs, a computer science graduate of the University of Missouri-Kansas
City was working for the small ISP (Internet Service Provider). The protocol at that time did not
complete the primary requirements. So, he started writing ethereal and released the first version
around 1998. The Network integration services owned the Ethernet trademark.

Combos still held the copyright on most of the ethereal source code, and the rest of the source code
was re-distributed under the GNU GPL. He did not own the ethereal trademark, so he changed the
name to Wireshark. He used the contents of the ethereal as the basis.

Wireshark has won several industry rewards over the years including eWeek, InfoWorld, PC
Magazine and also as a top-rated packet sniffer. Combos continued the work and released the new
version of the software. There are around 600 contributed authors for the Wireshark product website.

Functionality of Wireshark:

Wireshark is similar to Tcpdump in networking. Tcpdump is a common packet analyzer which allows
the user to display other packets and TCP/IP packets, being transmitted and received over a network
attached to the computer. It has a graphic end and some sorting and filtering functions. Wireshark
users can see all the traffic passing through the network.

Wireshark can also monitor the unicast traffic which is not sent to the network's MAC address
interface. But, the switch does not pass all the traffic to the port. Hence, the promiscuous mode is not
sufficient to see all the traffic. The various network taps or port mirroring is used to extend capture at
any point.

17 | P a g e
Port mirroring is a method to monitor network traffic. When it is enabled, the switch sends the copies
of all the network packets present at one port to another port.

What is colour coding in Wireshark?

The packets in the Wireshark are highlighted with blue, black, and green color. These colors help
users to identify the types of traffic. It is also called as packet colorization. The kinds of coloring rules
in the Wireshark are temporary rules and permanent rules.

The temporary rules are there until the program is in active mode or until we quit the program.

The permanent colour rules are available until the Wireshark is in use or the next time you run the
Wireshark. The steps to apply colour filters will be discussed later in this topic.

Features of Wire shark

It is multi-platform software, i.e., it can run on Linux, Windows, OS X, FreeBSD, NetBSD, etc.

It is a standard three-pane packet browser.

It performs deep inspection of the hundreds of protocols.

It often involves live analysis, i.e., from the different types of the network like the Ethernet, loopback,
etc., we can read live data.

It has sort and filter options which makes ease to the user to view the data.

It is also useful in VoIP analysis.

It can also capture raw USB traffic.

Various settings, like timers and filters, can be used to filter the output.

It can only capture packet on the PCAP (an application programming interface used to capture the
network) supported networks.

Wireshark supports a variety of well-documented capture file formats such as the PcapNg and
Libpcap. These formats are used for storing the captured data.

It is the no.1 piece of software for its purpose. It has countless applications ranging from the tracing
down, unauthorized traffic, firewall settings, etc.

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of
various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary,
Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords,
recovering wireless network keys, revealing password boxes, uncovering cached passwords and
analysing routing protocols.

What Does Cain & Abel Windows Password Cracker Do?

The program does not exploit any software vulnerabilities or bugs that could not be fixed with little
effort. It covers some security aspects/weakness present in protocol’s standards, authentication
methods and caching mechanisms; its main purpose is the simplified recovery of passwords and

18 | P a g e
credentials from various sources; however, it also ships some “non-standard” utilities for Microsoft
Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators,
teachers, security consultants/professionals, forensic staff, security software vendors, professional
penetration tester and everyone else that plans to use it for ethical reasons.

19 | P a g e