
Computer Network Security Chapter 1: Introduction and Security Threats

Chapter 1: Introduction and Security Threats

1. Computer, Data, Information and Network Security


Computer Security is the application of hardware, firmware and software security features to a
computer system in order to protect against, or prevent, the unauthorized disclosure, manipulation
or deletion of information.
It means:
• preventing theft of or damage to the hardware;
• preventing theft of or damage to the information;
• preventing disruption of service.

Data security is the means of ensuring that data is kept safe from corruption and that access to it
is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting
personal data. Data Security Technologies are:
• Disk Encryption
• Hardware based Mechanisms for Protecting Data
• Backups
• Data Masking
• Data Erasure

Information Security means protecting information and information systems from unauthorized
access, use, disclosure, disruption, modification or destruction.

"Network security" refers to any activity designed to protect the usability and integrity of your
network and data. It includes both hardware and software technologies. Effective network security
manages access to the network. It targets a variety of threats and stops them from entering or
spreading on your network.

The terms information security, computer security and information assurance are frequently,
but incorrectly, used interchangeably. These fields are often interrelated and share the common goals
of protecting the confidentiality, integrity and availability of information; however, there are some
subtle differences between them.

2. Threats to Security
2.1 Viruses: A computer virus is a piece of software that can "infect" other programs by modifying
them:
• The modification includes injecting the original program with a routine to make copies of
the virus program, which can then go on to infect other programs.
• A computer virus carries in its instructional code the recipe for making perfect copies of
itself.

pg. 1

• The typical virus becomes embedded in a program on a computer.


• Then, whenever the infected computer comes into contact with an uninfected piece of
software, a fresh copy of the virus passes into the new program.

A computer virus has three parts:


Infection mechanism:
• The means by which a virus spreads, enabling it to replicate.
• The mechanism is also referred to as the infection vector.

Trigger:
• The event or condition that determines when the payload is activated or delivered.

Payload:
• What the virus does, besides spreading.
• The payload may involve damage or may involve benign but noticeable activity.

During its lifetime, a typical virus goes through the following four phases:
Dormant phase:
• The virus is idle.
• The virus will eventually be activated by some event, such as a date, the presence of another
program or file, or the capacity of the disk exceeding some limit.
• Not all viruses have this stage.

Propagation phase:
• The virus places an identical copy of itself into other programs or into certain system areas
on the disk.
• Each infected program will now contain a clone of the virus, which will itself enter a
propagation phase.

Triggering phase:
• The virus is activated to perform the function for which it was intended.
• As with the dormant phase, the triggering phase can be caused by a variety of system events,
including a count of the number of times that this copy of the virus has made copies of
itself.

Execution phase:
• The function is performed.
• The function may be harmless, such as a message on the screen, or damaging, such as the
destruction of programs and data files.


2.2 Worm: A worm is a program that can replicate itself and send copies from computer to computer
across network connections.
• Upon arrival, the worm may be activated to replicate and propagate again.
• In addition to propagation, the worm usually performs some unwanted function.
• An e-mail virus has some of the characteristics of a worm because it propagates itself from
system to system.
A worm actively seeks out more machines to infect, and each machine that is infected serves as an
automated launching pad for attacks on other machines.

2.3 Intruders: An intruder is a person who attempts to gain unauthorized access to a system, to
damage that system, or to disturb data on that system. In summary, this person attempts to
violate security by interfering with system availability, data integrity or data confidentiality.
Three main classes of intruders:

Masquerader: An individual who is not authorized to use the computer and who penetrates a
system's access controls to exploit a legitimate user's account.

Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is
not authorized, or who is authorized for such access but misuses his or her privileges.

Clandestine user: An individual who seizes supervisory control of the system and uses this
control to evade auditing and access controls or to suppress audit collection.

2.4 Insiders:
• An Insider threat is a malicious threat to an organization that comes from people within the
organization, such as employees, former employees, contractors or business associates, who
have inside information concerning the organization's security practices, data and computer
systems.
• The threat may involve fraud, the theft of confidential or commercially valuable information.
• Insiders are more dangerous than outside intruders.
• They have the access and knowledge necessary to cause immediate damage to an organization.
• Most security is designed to protect against outside intruders and thus lies at the
boundary between the organization and the rest of the world.
• Besides employees, insiders also include a number of other individuals who have
physical access


3. Difference between Virus and Worm

Virus                                              | Worm
---------------------------------------------------+--------------------------------------------------
A virus is a piece of code that attaches itself to | A worm is a malicious program that spreads
a legitimate program.                              | automatically.
Virus modifies the code.                           | Worm does not modify the code.
Virus does not replicate itself.                   | Worm replicates itself.
Virus is destructive in nature.                    | Worm is non-destructive in nature.
Aim of a virus is to infect the code or programs   | Aim of a worm is to make the computer or network
stored on the computer system.                     | unusable.
Virus can infect other files.                      | Worm does not infect other files but occupies
                                                   | memory space through replication.
Virus may need a trigger for execution.            | Worm does not need any trigger.

4. Difference between Intruders and Insiders

INTRUDERS                                          | INSIDERS
---------------------------------------------------+--------------------------------------------------
Intruders are authorized or unauthorized users     | Insiders are authorized users who try to
who are trying to access the system or network.    | access a system or network for which they are
                                                   | unauthorized.
Intruders are hackers or crackers.                 | Insiders are not hackers.
Intruders are illegal users.                       | Insiders are legal users.
Intruders are less dangerous than insiders.        | Insiders are more dangerous than intruders.
Intruders do not have access to the system.        | Insiders have easy access to the system
                                                   | because they are authorized users.
Many security mechanisms are used to protect       | There is no such mechanism to protect the
the system from intruders.                         | system from insiders.

5. Avenue of Attack
There are two general reasons a particular computer system is attacked: either it is specifically
targeted by the attacker, or it is an opportunistic target. In the first case, the attacker has chosen
the target not because of the hardware or software the organization is running but for another
reason, perhaps a political reason. An example of this type of attack would be an individual in one
country attacking a government system in another. The second type of attack, an attack against a
target of opportunity, is conducted against a site that has software that is vulnerable to a specific
exploit.

6. The Steps in an Attack (General Process)

a. First, the attacker gathers as much information about the organization as possible. The type of
information the attacker wants includes IP addresses, phone numbers, names of individuals, and
what networks the organization maintains. This step is known as profiling.
b. The next step is to determine what target systems are available and active. This is accomplished
with a ping sweep, which simply sends a "ping" to each target machine.
c. The next step is often to perform a port scan. This helps identify which ports are open, thus
giving an indication of which services may be running on the target machine. The operating
system, the application programs that are running and the services available on the target
machine are determined in this step.
d. Further research is conducted to find possible vulnerabilities, and once a list of these is
developed, the attacker is ready to take the next step: an actual attack on the target.
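As an added example (not part of the lecture notes), steps b and c seen from the defender's side: a small detector that flags a source which pings many distinct hosts, or probes many distinct ports on one host, within a short window, run over constructed firewall log lines. The log format, thresholds and addresses are assumptions for illustration.

```python
# Added example, not from the lecture notes: detect the ping-sweep and port-scan
# steps of the attack process from firewall log lines. The log format, the
# thresholds and the sample traffic below are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: one line per packet the firewall saw.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: dport=(?P<dport>\d+))?$"
)

SWEEP_HOSTS = 4   # distinct hosts pinged by one source within WINDOW -> ping sweep
SCAN_PORTS = 5    # distinct ports probed on one host by one source within WINDOW -> port scan
WINDOW = 60.0     # seconds

# Constructed sample: 203.0.113.9 pings four hosts, then probes six ports on one of
# them; 198.51.100.5 is ordinary HTTPS traffic and must not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:01 proto=icmp src=203.0.113.9 dst=192.0.2.10
2024-05-01T10:00:02 proto=icmp src=203.0.113.9 dst=192.0.2.11
2024-05-01T10:00:03 proto=icmp src=203.0.113.9 dst=192.0.2.12
2024-05-01T10:00:04 proto=icmp src=203.0.113.9 dst=192.0.2.13
2024-05-01T10:00:10 proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=21
2024-05-01T10:00:11 proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=22
2024-05-01T10:00:12 proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=23
2024-05-01T10:00:13 proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=25
2024-05-01T10:00:14 proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=80
2024-05-01T10:00:15 proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=443
2024-05-01T10:00:20 proto=tcp src=198.51.100.5 dst=192.0.2.10 dport=443
2024-05-01T10:05:20 proto=tcp src=198.51.100.5 dst=192.0.2.10 dport=443
2024-05-01T10:09:20 proto=icmp src=198.51.100.5 dst=192.0.2.10
"""


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"]) if e["dport"] else None
        events.append(e)
    return events


def max_distinct_in_window(hits):
    """hits: list of (timestamp, value). Largest number of distinct values that
    fall inside any WINDOW-second span starting at one of the hits."""
    hits = sorted(hits, key=lambda h: h[0])
    best = 0
    for i, (start, _) in enumerate(hits):
        values = {v for t, v in hits[i:] if (t - start).total_seconds() <= WINDOW}
        best = max(best, len(values))
    return best


def detect(text):
    """Return a set of findings: ('ping_sweep', src) or ('port_scan', src, dst)."""
    pings = defaultdict(list)    # src -> [(ts, dst)]
    probes = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    for e in parse_log(text):
        if e["proto"] == "icmp":
            pings[e["src"]].append((e["ts"], e["dst"]))
        elif e["proto"] == "tcp" and e["dport"] is not None:
            probes[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    findings = set()
    for src, hits in pings.items():
        if max_distinct_in_window(hits) >= SWEEP_HOSTS:
            findings.add(("ping_sweep", src))
    for (src, dst), hits in probes.items():
        if max_distinct_in_window(hits) >= SCAN_PORTS:
            findings.add(("port_scan", src, dst))
    return findings


if __name__ == "__main__":
    for finding in sorted(detect(SAMPLE_LOG)):
        print(finding)
```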

7. Security Basics
When we talk about computer security, we mean that we are addressing three important aspects of
any computer-related system: confidentiality, integrity, and availability.
• Confidentiality ensures that computer-related assets are accessed only by authorized
parties. That is, only those who should have access to something will actually get that
access. By "access," we mean not only reading but also viewing, printing, or simply
knowing that a particular asset exists. Confidentiality is sometimes called secrecy or
privacy.
• Integrity means that assets can be modified only by authorized parties or only in authorized
ways. In this context, modification includes writing, changing, changing status, deleting, and
creating.
• Availability means that assets are accessible to authorized parties at appropriate times. In
other words, if some person or system has legitimate access to a particular set of objects, that
access should not be prevented.
Figure: Relationship between confidentiality, integrity, and availability.
8. Active and Passive Attacks
The main aim of a security system is to detect and prevent security attacks. Security attacks are
classified as passive attacks and active attacks.

Passive Attacks: A passive attack is a read-only attack, where the attacker is usually interested
only in gathering information, without disrupting the computer system's operations and services.
A passive attack usually involves monitoring and analysis of data transmissions to extract
meaningful information from them. One form of passive attack reads message contents directly, in
the form of e-mails, sensitive files and so on, that contain confidential information.
Another form is traffic analysis, where raw data is studied and analyzed to deduce interesting
patterns from it. For example, by studying the data traffic rate of a victim, an attacker can deduce
the peak time of data transfer, when disrupting the victim's operations would have the greatest
effect.
Since passive attacks are silent in nature and show no immediate or visible signs of attack, they
are very difficult to detect.

Active Attacks: An active attack involves alteration of data or disruption of the normal working of
a system. Active attacks are usually made by masquerading the attacker's identity as someone else's,
either to gain extra privileges or to shield the attacker when the attack is detected. IP masquerading
is one widely used technique for active attacks.

9. Common Types of Attacks


Without security measures and controls in place, our data might be subjected to an attack. Some
attacks are passive, meaning information is monitored; others are active, meaning the information
is altered with intent to corrupt or destroy the data or the network itself.
Our networks and data are vulnerable to any of the following types of attacks if no
security plan is in place.

9.1 Password-Based Attacks:


A common denominator of most operating system and network security plans is password-based
access control. This means your access rights to a computer and network resources are determined
by who you are, that is, your user name and your password.
Older applications do not always protect identity information as it is passed through the network
for validation. This might allow an eavesdropper to gain access to the network by posing as a valid
user.
When an attacker finds a valid user account, the attacker has the same rights as the real user.
Therefore, if the user has administrator-level rights, the attacker also can create accounts for
subsequent access at a later time.
After gaining access to your network with a valid account, an attacker can do any of the following:
• Obtain lists of valid user and computer names and network information.
• Modify server and network configurations, including access controls and routing tables.
• Modify, reroute, or delete your data.

9.2 Denial-of-Service Attack


Unlike a password-based attack, the denial-of-service attack prevents normal use of your computer
or network by valid users.
After gaining access to your network, the attacker can do any of the following:
• Divert the attention of your internal information systems staff so that they do not see
the intrusion immediately, which allows the attacker to make more attacks during the
diversion.
• Send invalid data to applications or network services, which causes abnormal termination
or behavior of the applications or services.
• Flood a computer or the entire network with traffic until a shutdown occurs because of the
overload.
• Block traffic, which results in a loss of access to network resources by authorized users.

9.3 Man-in-the-Middle Attack


As the name indicates, a man-in-the-middle attack occurs when someone between you and the
person with whom you are communicating is actively monitoring, capturing, and controlling your
communication transparently. For example, the attacker can re-route a data exchange. When
computers are communicating at low levels of the network layer, the computers might not be able
to determine with whom they are exchanging data.
Man-in-the-middle attacks are like someone assuming your identity in order to read your message.
The person on the other end might believe it is you because the attacker might be actively
replying as you to keep the exchange going and gain more information. This attack is capable of
the same damage as an application-layer attack, described later in this section.

9.4 Sniffer Attack


A sniffer is an application or device that can read, monitor, and capture network data exchanges
and read network packets. If the packets are not encrypted, a sniffer provides a full view of the
data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless
they are encrypted and the attacker does not have access to the key.
Using a sniffer, an attacker can do any of the following:
• Analyze your network and gain information to eventually cause your network to crash or
to become corrupted.
• Read your communications.

9.5 Spoofing
Spoofing is nothing more than making data look like it has come from a different source. This is
possible in TCP/IP because of the friendly assumptions behind the protocols.
When the protocols were developed, it was assumed that individuals who had access to the network
layer would be privileged users who could be trusted. When a packet is sent from one system to
another, it includes not only the destination IP address and port but the source IP address as well.
You are supposed to fill in the source with your own address, but there is nothing that stops you
from filling in another system's address. This is one of several forms of spoofing:
1. E-mail spoofing
2. IP address spoofing
3. Spoofing and trusted relationships
4. Spoofing and sequence numbers

9.5.1 Email Spoofing


E-mail spoofing is where you send a message with a From address different from your own. A very
simple method often used to demonstrate how easy it is to spoof an e-mail address is to telnet to
port 25 (the port associated with e-mail) on a system. From there, you can fill in any address for
the From and To sections of the message, whether or not the addresses are yours and whether or not
they actually exist.
This same method can be, and has been, used to spoof web sites. The most famous example of this
is probably www.whitehouse.com. The www.whitehouse.gov site is the official site for the White
House, whereas the www.whitehouse.com URL takes you to a pornographic site. In this case, nobody is
likely to take the pornographic site to be the official government site, and it was not intended to be
taken that way. If, however, the attackers made their spoofed site appear similar to the official one,
they could easily convince many viewers that they were at the official site.

9.5.2 Identity Spoofing (IP Address Spoofing)


Most networks and operating systems use the IP address of a computer to identify a valid entity.
In certain cases, it is possible for an IP address to be falsely assumed; this is identity spoofing. An
attacker might also use special programs to construct IP packets that appear to originate from valid
addresses inside the corporate intranet.
After gaining access to the network with a valid IP address, the attacker can modify, reroute, or
delete your data.

9.6 Distributed Denial of Service attack (DDOS)


DOS attacks are conducted using a single attacking system. A denial of service attack employing
multiple attacking systems is known as a distributed denial of service (DDOS) attack. The goal of
a DDOS attack is the same: to deny the use of or access to a specific service or system.
In a DDOS attack, the method used to deny service is simply to overwhelm the target with traffic
from many different systems. A network of attack agents (sometimes called zombies) is created
by the attacker, and upon receiving the attack command from the attacker, the attack agents
commence sending a specific type of traffic against the target.

9.7 Replay Attacks


A replay attack is exactly what it sounds like: it is an attack where the attacker captures a portion
of a communication between two parties and retransmits it at a later time. For example, an attacker
might replay a series of commands and codes used in a financial transaction in order to cause the
transaction to be conducted multiple times.
The best way to prevent replay attacks is with encryption, cryptographic authentication, and time
stamps. If a portion of the certificate or ticket includes a date/time stamp or an expiration date/time,
and this portion is also encrypted as part of the ticket or certificate, replaying it at a later time will
prove useless, since it will be rejected as having expired.
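An added example (not from the notes) of the timestamp-based defence described above: a ticket that carries its issue and expiry times, protected by HMAC-SHA256 so the timestamps cannot be altered, and a verifier that rejects expired and tampered tickets and, going one step beyond the text, a ticket presented a second time inside its lifetime. The key, ticket layout and lifetime are assumptions.

```python
# Added example, not from the lecture notes: a signed ticket with issue and expiry
# times, and a verifier that rejects expired, tampered and replayed tickets.
# The key, the lifetime and the ticket layout are assumptions for illustration.
import hashlib
import hmac
import json

KEY = b"constructed-shared-secret"   # placeholder: a real key is random and kept private
TICKET_LIFETIME = 30.0               # seconds a ticket stays valid after issue


def issue_ticket(payload, issued_at, key=KEY):
    """Add issue and expiry times to the payload, then sign the whole encoded body
    with HMAC-SHA256 so neither the command nor the timestamps can be altered."""
    body = dict(payload, issued_at=issued_at, expires_at=issued_at + TICKET_LIFETIME)
    encoded = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, encoded.encode(), hashlib.sha256).hexdigest()
    return encoded + "|" + tag


class TicketVerifier:
    """Checks a ticket in the order: signature, expiry, then replay."""

    def __init__(self, key=KEY):
        self.key = key
        self.seen = {}   # tag -> expires_at of every accepted ticket not yet expired

    def verify(self, ticket, now):
        """Return 'ok' if the ticket is accepted, otherwise the reason for rejection."""
        if "|" not in ticket:
            return "malformed"
        encoded, tag = ticket.rsplit("|", 1)
        expected = hmac.new(self.key, encoded.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return "bad signature"   # body or timestamps were changed after signing
        body = json.loads(encoded)
        if now > body["expires_at"]:
            return "expired"         # the timestamp check the text describes
        if tag in self.seen:
            return "replayed"        # same ticket presented again within its lifetime
        # Records of expired tickets can be dropped: such tickets fail the expiry
        # check anyway, so the cache only has to cover tickets still inside their lifetime.
        self.seen = {t: exp for t, exp in self.seen.items() if exp >= now}
        self.seen[tag] = body["expires_at"]
        return "ok"


def demo():
    """Constructed scenario: a transfer ticket is accepted once, then replayed,
    then a stale ticket is presented, then a tampered copy of the first one."""
    t0 = 1_000_000.0                    # constructed clock, in seconds
    verifier = TicketVerifier()
    ticket = issue_ticket({"cmd": "transfer", "amount": 100}, issued_at=t0)
    stale = issue_ticket({"cmd": "transfer", "amount": 5}, issued_at=t0)
    tampered = ticket.replace('"amount": 100', '"amount": 900')
    return {
        "first": verifier.verify(ticket, now=t0 + 1),
        "replay": verifier.verify(ticket, now=t0 + 5),
        "stale": verifier.verify(stale, now=t0 + 60),
        "tampered": verifier.verify(tampered, now=t0 + 2),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```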

9.8 TCP/IP Hijacking


TCP/IP hijacking and session hijacking are terms used to refer to the process of taking control of
an already existing session between a client and a server. The advantage to an attacker of hijacking
over attempting to penetrate a computer system or network is that the attacker doesn’t have to
circumvent any authentication mechanisms, since the user has already authenticated and
established the session. Once the user has completed the authentication sequence, the attacker can
then usurp the session and carry on as if the attacker, and not the user, had authenticated with the
system. In order to prevent the user from noticing anything unusual, the attacker may decide to
attack the user’s system and perform a denial of service attack on it, taking it down so that the user,
and the system, will not notice the extra traffic that is taking place.

9.9 Phishing Attack


This type of attack uses social engineering techniques to steal confidential information; the most
common purpose of such an attack is to obtain the victim's banking account details and credentials.
Phishing attacks tend to use schemes involving spoofed e-mails sent to users that lead them to
malware-infected websites designed to look like real online banking websites. E-mails received by
users in most cases will look authentic, as if sent from sources known to the user (very often with the
appropriate company logo and localized information); those e-mails will contain a direct request to
verify some account information, credentials or credit card numbers by following the provided link
and confirming the information online. The request will be accompanied by a threat that the account
may be disabled or suspended if the mentioned details are not verified by the user.

Types of Phishing Attacks

1. Social Phishing: in recent years phishing techniques have evolved to include social
media such as Facebook or Twitter; this type of phishing is often called social phishing.
2. Spear Phishing: this is a type of phishing attack targeted at specific individuals, groups
of individuals or companies. Spear phishing attacks are performed mostly with the primary purpose
of industrial espionage and theft of sensitive information, while ordinary phishing attacks are
directed against the wide public with the intent of financial fraud.

9.10 SQL Injection

The point of the attack is not just to get information from the target site. Depending on the intention
of the attacker, it can include bypassing logins, accessing data as in the Yahoo! case, modifying
the content of a website (as when hackers replace the website with a new front page), or simply
shutting down the server.
• Step one of the attack is to scan the site to see if a vulnerability exists.
• After a site is identified, the attacker will attempt to gain a foothold and search for files containing
usernames and for directories that are known to contain sensitive data.
• The attack is opportunistic and does not take a lot of research or a large team to pull off.
• SQL injection is the actual injection of SQL commands into web applications through user input
fields.
• When an application uses internal SQL commands and also accepts user input (as in a login
screen), SQL commands can be injected that create, read, update, or delete any data available
to the application.
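An added example (not from the notes) of the login-bypass case mentioned above, using Python's standard sqlite3 module: the same login check built once by pasting the input into the SQL text and once with a parameterised query, so the difference in outcome is visible. The table, account and inputs are constructed.

```python
# Added example, not from the lecture notes: the same login check written twice,
# once with user input pasted into the SQL text and once with a parameterised
# query. The table contents and the inputs are constructed for illustration.
import sqlite3


def make_db():
    """Constructed in-memory users table with one sample account. Passwords are
    stored in clear here only to keep the example short; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The input becomes part of the SQL command itself, so a quote character in
    the input ends the string literal and the rest of the input is run as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """The statement text is fixed; the driver passes the input as data values,
    so nothing in the input can change the structure of the query."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Run both checks with the correct password and with a constructed input
    that turns the vulnerable query's WHERE clause into one that is always true."""
    conn = make_db()
    bypass = "' OR '1'='1"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_bypass": login_vulnerable(conn, "alice", bypass),
        "vulnerable_unknown_user": login_vulnerable(conn, "nobody", bypass),
        "safe_valid": login_safe(conn, "alice", "correct horse"),
        "safe_bypass": login_safe(conn, "alice", bypass),
        "safe_wrong": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```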

10. Malware: Viruses and Logic Bombs


A computer virus is a computer program that can replicate itself and spread from one computer
to another. The term "virus" is also commonly, but erroneously, used to refer to other types
of malware, including but not limited to adware and spyware programs that do not have a
reproductive ability.
Malware includes computer viruses, computer worms, ransomware, trojan horses, keyloggers,
most rootkits, spyware, dishonest adware, and other malicious software.


In order to replicate itself, a virus must be permitted to execute code and write to memory. For this
reason, many viruses attach themselves to executable files that may be part of legitimate programs
(code injection). If a user attempts to launch an infected program, the virus' code may be executed
simultaneously. Viruses can be divided into two types based on their behavior when they are
executed:
Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a replication module.
The finder module is responsible for finding new files to infect. For each new executable file the
finder module encounters, it calls the replication module to infect that file.
Resident viruses
Resident viruses contain a replication module that is similar to the one that is employed by
nonresident viruses. This module, however, is not called by a finder module. The virus loads the
replication module into memory when it is executed instead and ensures that this module is
executed each time the operating system is called to perform a certain operation. The replication
module can be called, for example, each time the operating system executes a file. In this case the
virus infects every suitable program that is executed on the computer.
A computer virus is a harmful software program written intentionally to enter a computer without
the user's permission or knowledge. It has the ability to replicate itself, thus continuing to spread.
Some viruses do little but replicate, while others can cause severe harm or adversely affect the
programs and performance of the system. A virus should never be assumed harmless and left on a
system.
There are different types of viruses, which can be classified according to their origin, techniques,
types of files they infect, where they hide, the kind of damage they cause, or the type of operating
system or platform they attack. Let us have a look at a few of them.

Memory Resident Virus


These viruses fix themselves in the computer memory and get activated whenever the OS runs, and
infect all the files that are then opened. This type of virus hides in the RAM and stays there even
after the malicious code is executed. It gets control over the system memory and allocates memory
blocks through which it runs its own code, and executes the code when any function is executed. It
can corrupt files and programs that are opened, closed, copied, renamed, etc. Examples: Randex,
CMJ, Meve, and MrKlunky.
Protection is possible by installing an antivirus program.

Direct Action Viruses


The main purpose of this virus is to replicate and take action when it is executed. When a specific
condition is met, the virus will go into action and infect files in the directory or folder that are
specified in the AUTOEXEC.BAT file path. This batch file is always located in the root directory
of the hard disk and carries out certain operations when the computer is booted.
A FindFirst/FindNext technique is used, where the code selects a few files as its victims. It also
infects external devices like pen drives or hard disks by copying itself onto them.
The viruses keep changing their location into new files whenever the code is executed, but are
generally found in the hard disk's root directory. It can corrupt files. Basically, it is a file-infecter
virus. Examples: Vienna virus. Protection is possible by installing an antivirus scanner.
However, this type of virus has minimal effect on the computer's performance.

Overwrite Viruses
A virus of this kind is characterized by the fact that it deletes the information contained in the files
that it infects, rendering them partially or totally useless once they have been infected. The virus
replaces the file content. However, it does not change the file size.
Examples: Way, Trj.Reboot, Trivial.88.D. For protection, the only way to clean a file infected by
an overwrite virus is to delete the file completely, thus losing the original content. However, it is
very easy to detect this type of virus, as the original program becomes useless.

Boot Sector Virus


This type of virus affects the boot sector of a hard disk. This is a crucial part of the disk, in which
information of the disk itself is stored along with a program that makes it possible to boot (start)
the computer from the disk. This type of virus is also called Master Boot Sector Virus or Master
Boot Record Virus. It hides in the memory until DOS accesses the floppy disk, and whichever
boot data is accessed, the virus infects it.
Examples: Polyboot.B, AntiEXE. The best way of avoiding boot sector viruses is to ensure that
floppy disks are write-protected. Also, never start your computer with an unknown floppy disk in
the disk drive.

Macro Virus
Macro viruses infect files that are created using certain applications or programs that contain
macros, like .doc, .xls, .pps, .mdb, etc. These mini-programs make it possible to automate series
of operations so that they are performed as a single action, thereby saving the user from having to
carry them out one by one. These viruses automatically infect the file that contains macros, and
also infect the templates and documents that the file contains. It is referred to as a type of e-mail
virus. These hide in documents that are shared via e-mail or networks. Examples: Relax, Melissa.A,
Bablas, O97M/Y2K. The best protection technique is to avoid opening e-mails from unknown
senders. Also, disabling macros can help to protect your useful data.

Directory Virus
Directory viruses (also called Cluster Virus/File System Virus) infect the directory of your
computer by changing the path that indicates the location of a file. When you execute a program
file with an extension .EXE or .COM that has been infected by a virus, you are unknowingly
running the virus program, while the original file and program is previously moved by the virus.
Once infected, it becomes impossible to locate the original files. It is usually located in only one
location of the disk, but infects the entire program in the directory. Examples: Dir-2 virus. For
protection, all you can do is reinstall the infected files from the backup after formatting
the disk.

Polymorphic Virus
Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms
and encryption keys) every time they infect a system. This makes it impossible for antivirus
software to find them using string or signature searches (because they are different in each
encryption). The virus then goes on to create a large number of copies. Examples: Elkern, Marburg,
Satan Bug and Tuareg. Install a high-end antivirus, as the normal ones are incapable of detecting
this type of virus.

Companion Viruses
Companion viruses can be considered as a type of file infector virus, like resident or direct action
types. They are known as companion viruses because once they get into the system they
'accompany' the other files that already exist. In other words, to carry out their infection routines,
companion viruses can wait in memory until a program is run (resident virus), or act immediately
by making copies of themselves (direct action virus).
Hideout: These generally use the same filename and create a different extension of it. For example:
If there is a file "Me.exe", the virus creates another file named "Me.com" and hides in the new file.
When the system calls the filename "Me", the ".com" file gets executed (as ".com" has higher
priority than ".exe"), thus infecting the system.
Examples: Stator, Asimov.1539 and Terrax.1069. For protection, install an antivirus scanner and
also install a firewall.

FAT Virus
The file allocation table (FAT) is the part of a disk used to store all the information about the
location of files, available space, unusable space, etc. A FAT virus attacks the FAT section and may
damage crucial information. It can be especially dangerous as it prevents access to certain sections
of the disk where important files are stored. Damage caused can result in loss of information from
individual files or even entire directories.
Examples: Link Virus. Before the virus attacks all the files on the computer, locate all the files that
are actually needed on the hard drive, and then delete the ones that are not needed. They may be
files created by viruses.

Multipartite Virus
These viruses spread in multiple possible ways. Their action may vary depending upon the
operating system installed and the presence of certain files. In the initial phase, these viruses tend
to hide in the memory as the resident viruses do; then they infect the hard disk. Examples: Invader,
Flip and Tequila. You need to clean the boot sector and also the disk to get rid of the virus, and
then reload all the data in it. However, ensure that the data is clean.

Web Scripting Virus


Many web pages include complex code in order to create interesting and interactive content.
This code is often exploited to bring about certain undesirable actions. The main sources of web
scripting viruses are the web browsers or infected web pages.
Examples: JS.Fortnight is a virus that spreads through malicious e-mails.
Protection: Install the Microsoft tool application that is a default feature in Windows 2000,
Windows 7 and Vista. Scan the computer with this application.

Logic Bombs
Logic bombs are small programs or sections of a program triggered by some event such as a certain
date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example,
a programmer could plant a logic bomb to delete critical sections of code if he/she is terminated
from the company. Logic bombs are most commonly installed by insiders with access to the
system. Logic bombs go undetected until launched; the results can be destructive, and your entire
data can be deleted!
