
5 SECURITY PRACTICE AND SYSTEM SECURITY

Electronic Mail security – PGP, S/MIME – IP security – Web Security – SYSTEM SECURITY: Intruders – Malicious software – viruses – Firewalls.
5.1 Email Security
 Email is one of the most widely used and regarded network services.
 Email security describes different techniques for keeping sensitive information in email communication and accounts secure against unauthorized access, loss or compromise.
 Email is often used to spread malware, spam and phishing attacks. Attackers use deceptive messages to entice recipients to part with sensitive information, open attachments or click on hyperlinks that install malware on the victim’s device.
 Email is also a common entry point for attackers looking to gain a foothold in an enterprise network and obtain valuable company data.

Requirements
 E-mail needs the following requirements:
 Confidentiality: protection from disclosure
 Authentication: assurance of the identity of the sender of the message
 Message integrity: protection from modification
 Non-repudiation of origin: protection from denial by the sender
These services are achieved by two schemes:
1. PGP
2. S/MIME

5.2 Pretty Good Privacy (PGP)
 Open source, freely available software package for secure e-mail
 Standard for secure email
 Developed by Phil Zimmermann
 Uses the best available cryptographic algorithms as its building blocks
 Runs on a variety of platforms like Unix, PC, Macintosh and other systems
 Originally free (commercial versions are now also available)
Services provided by PGP are:
 Authentication: through digital signature
 Confidentiality: through symmetric block encryption
 Compression: through the ZIP algorithm
 E-mail compatibility: through the radix-64 encoding scheme
 Segmentation and reassembly: to accommodate long e-mails
Reasons for the wide growth of PGP are:
 Available freely on the internet
 It can run on any platform
 Wide applicability
 Not dependent on any government or standards organization
PGP Operation – Authentication
 It is the digital signature service provided by PGP.
The sequence is as follows:
1. Sender creates a message.
2. Generates a digital signature for the message:
3. uses SHA-1 to generate a 160-bit hash of the message;
4. signs the hash with RSA using the sender's private key, and the result is attached to the message.
5. Receiver uses RSA with the sender's public key to decrypt and recover the hash code.
6. Receiver generates a new hash of the received message and compares it with the decrypted hash code. Figure 5.1 shows this approach.
Figure 5.1 PGP Cryptographic Function: Authentication Only
PGP Operation – Confidentiality
1. Sender generates a message and encrypts it as follows.
2. Generates a 128-bit random number as the session key.
3. Encrypts the message using 3DES with the session key.
4. The session key is encrypted using RSA with the recipient's public key and attached to the message.
5. Receiver uses RSA with its private key to decrypt and recover the session key.
6. The session key is used to decrypt the message. Figure 5.2 shows the confidentiality approach.

Figure 5.2 PGP Cryptographic Function: Confidentiality Only

PGP Operation – Confidentiality and Authentication
 Both services can be used on the same message:
 create a signature and attach it to the message;
 encrypt both the message and the signature;
 attach the RSA/ElGamal-encrypted session key.
 Figure 5.3 illustrates both services.
Figure 5.3 PGP Cryptographic Function: Confidentiality and Authentication

PGP Operation – Compression
 PGP compresses messages to save space for e-mail transmission and storage.
 By default PGP compresses the message after signing but before encrypting,
 so the uncompressed message and signature can be stored for later verification.
 Encrypting after compression strengthens security, because the compressed message has less redundancy.
 Uses the ZIP compression algorithm.
 Z denotes compression, Z^-1 decompression.
PGP Operation – Email Compatibility
 When using PGP, the data to be sent (the encrypted message, signature, etc.) is binary (8-bit octets).
 However, email was designed only for text.
 Hence PGP must encode raw binary data into printable ASCII characters.
 Uses the radix-64 algorithm:
 maps 3 bytes to 4 printable chars.
 PGP also segments messages if they are too big (maximum length 50,000 octets).
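As an added illustration (not part of the original notes), the radix-64 mapping and the segmentation step in Python; the function names are my own, and real PGP armour additionally wraps the output in header lines and a CRC-24 checksum that this example leaves out.

```python
# Added example: PGP-style radix-64 conversion and segmentation.
# Radix-64 maps every 3 input bytes to 4 printable characters; PGP then
# splits the armoured output into segments of at most 50,000 octets.
# The alphabet is the standard radix-64/base64 one; the 50,000-octet limit
# is the figure quoted in the notes.  (Not the notes' own code.)

RADIX64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)
MAX_SEGMENT_OCTETS = 50_000


def radix64_encode(data: bytes) -> str:
    """Map each 3-byte group to four 6-bit symbols; pad the final group with '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                  # 0, 1 or 2 bytes missing in the last group
        value = int.from_bytes(chunk + b"\x00" * pad, "big")
        symbols = [RADIX64_ALPHABET[(value >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # Each missing input byte drops one output symbol, replaced by '='.
        out.append("".join(symbols[:4 - pad]) + "=" * pad)
    return "".join(out)


def radix64_decode(text: str) -> bytes:
    """Inverse mapping: four symbols back to three bytes, honouring '=' padding."""
    lookup = {c: i for i, c in enumerate(RADIX64_ALPHABET)}
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        value = 0
        for c in group.rstrip("="):
            value = (value << 6) | lookup[c]
        value <<= 6 * pad                      # restore the low-order bits the padding stood for
        out += value.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def segment(armoured: str, limit: int = MAX_SEGMENT_OCTETS) -> list:
    """Split armoured text into pieces no longer than `limit` octets (PGP segmentation)."""
    return [armoured[i:i + limit] for i in range(0, len(armoured), limit)]


def reassemble(segments: list) -> str:
    """Receiver side: concatenate the segments before decoding."""
    return "".join(segments)


def expansion_ratio(n_bytes: int) -> float:
    """Armoured length divided by raw length; the 3-to-4 mapping gives 4/3."""
    return len(radix64_encode(b"\x00" * n_bytes)) / n_bytes


if __name__ == "__main__":
    # Constructed sample: ~120 KB of byte patterns standing in for an encrypted message.
    blob = bytes(range(256)) * 469
    armoured = radix64_encode(blob)
    parts = segment(armoured)
    print(len(blob), "raw bytes ->", len(armoured), "armoured octets ->", len(parts), "segments")
    assert radix64_decode(reassemble(parts)) == blob
```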
PGP Operation – Summary

Figure 5.4 Transmission and Reception of PGP Messages


PGP Session Keys
 PGP makes use of four types of keys: one-time session symmetric keys, public keys, private keys, and passphrase-based symmetric keys.
 A session key is needed for each message,
 of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES.
 Random numbers are generated using ANSI X12.17 mode,
 using random inputs taken from previous uses and from the keystroke timing of the user.
PGP Public & Private Keys
 Since many public/private keys may be in use, the receiver needs to identify which one was actually used to encrypt the session key in a message.
 Could send the full public key with every message,
 but this is inefficient.
 Rather, use a key identifier derived from the key:
 it is the least significant 64 bits of the key,
 which will very likely be unique.
 The key ID is also used in signatures.
PGP Message Format

Figure 5.5 General Format of a PGP Message

 A message consists of three components:
 the message component,
 a signature (optional),
 a session key component (optional).
 The message component includes the actual data to be stored or transmitted, as well as a filename and a timestamp that specifies the time of creation.
5.3 S/MIME – Secure/Multipurpose Internet Mail Extensions
 It is an internet standard approach to email security with the same functionality as PGP.
 It is a security enhancement of MIME.
 It (through MIME) addresses limitations of SMTP.
SMTP Limitations
 It cannot transmit executable files.
 It cannot transmit text data that includes characters outside 7-bit ASCII.
 It rejects mail over a certain size.
Overview of MIME
The MIME specification includes the following elements:
1. Five new message header fields; these fields provide information about the body of the message.
2. A number of content formats, thus standardizing representations that support multimedia electronic mail.
3. Transfer encodings that enable the conversion of any content format into a form that is protected from alteration by the email system.

Five header fields
1. MIME-Version: indicates the MIME version.
2. Content-Type: describes the data contained in the body in sufficient detail.
3. Content-Transfer-Encoding: the type of transformation used to represent the body of the message.
4. Content-ID: used to identify MIME entities uniquely in multiple contexts.
5. Content-Description: a text description of the object; this is useful when the object is not readable (e.g. audio files).

MIME Content Types
 Used to specify a variety of information representations in a multimedia environment.

Type        Subtype
Text        Plain, Enriched
Multipart   Mixed
Image       jpeg, gif
Video       mpeg

MIME Transfer Encoding
 It provides reliable delivery across the largest range of environments.
 Two methods of encoding data:
1. Quoted-printable transfer encoding
 Useful when the data consists largely of octets that correspond to printable ASCII characters.
2. Base64 transfer encoding
 Like radix-64 encoding, a common way of encoding binary data.
S/MIME Functionality
 It is very similar to PGP. Both offer the ability to sign and/or encrypt messages.
 Enveloped data: encrypted content and associated keys.
 Signed data: encoded message + signed digest.
 Clear-signed data: digital signature encoded using base64 (the message itself stays readable).
 Signed & enveloped data: encrypted data may be signed, or signed data may be encrypted.
S/MIME Cryptographic Algorithms
 Digital signatures: DSS & RSA
 Hash functions: SHA-1 & MD5
 Session key encryption: ElGamal & RSA
 Message encryption: AES, Triple-DES, RC2/40 and others
 MAC: HMAC with SHA-1
 S/MIME has a process to decide which algorithms to use.
S/MIME Certificate Processing
 S/MIME uses X.509 v3 certificates.
 Each client has a list of trusted CA certificates,
 and its own public/private key pairs & certificates.
 Certificates must be signed by trusted CAs.

5.4 IP Security
 IP security (IPSec) is an Internet Engineering Task Force (IETF) standard suite of protocols between two communication points across an IP network that provides data authentication, integrity, and confidentiality.
 It also defines the formats of encrypted and authenticated packets. The protocols needed for secure key exchange and key management are defined in it.
 The general IP security mechanisms provide three functional areas:
 Authentication: use of the HMAC message authentication code.
 Confidentiality: enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.
 Key management: secure exchange of keys.

IP security overview
 The Internet needs more and better security; end-user-to-end-user traffic must be secured using authentication and encryption mechanisms,
 because attackers closely monitor network traffic.
 Different attacks are possible, e.g. IP spoofing, in which intruders create packets with false IP addresses.

Applications of IP Sec
 Enhancing e-commerce security
 Secure remote access over the internet
 Establishing extranet and intranet connectivity with partners.
Benefits of IPSec
 A firewall/router provides strong security to all traffic crossing the perimeter
 A firewall/router is resistant to bypass
 can be transparent to end users
 can provide security for individual users
 secures routing architecture
5.4.1 IP Security Architecture
IPSec Documents
 The IPSec specification consists of numerous documents. The most important of these, issued in November 1998, are RFCs 2401, 2402, 2406, and 2408:
 RFC 2401: An overview of the security architecture
 RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
 RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
 RFC 2408: Specification of key management capabilities
 Figure 5.5 shows an overview of the IPSec architecture.

Figure 5.5 Overview of IPSec Architecture

 Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPSec technology.
 Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of ESP for packet encryption and, optionally, authentication.
 Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.
 Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.
 Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP.
 Key Management: Documents that describe key management schemes.
 Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other. These include identifiers for approved encryption and authentication algorithms, as well as operational parameters such as key lifetime.

IP security services
 IPSec provides security services at the IP layer.
 Two protocols are used to provide security:
 an authentication protocol designated by the Authentication Header (AH);
 a combined encryption/authentication protocol designated by the Encapsulating Security Payload (ESP).
The services are:
 Access control
 Connectionless integrity
 Data origin authentication
 Rejection of replayed packets (a form of partial sequence integrity)
 Confidentiality (encryption)
 Limited traffic flow confidentiality
5.4.2 Authentication Header (AH)
 The Authentication Header provides support for data integrity and authentication of IP packets.
 The data integrity feature ensures that undetected modification of a packet's content in transit is not possible.
 The authentication feature enables an end system or network device to authenticate the user or application and filter traffic accordingly;
 it also prevents the address spoofing attacks observed in today's Internet. The AH also guards against the replay attack.
 Authentication is based on the use of a message authentication code (MAC), hence the two parties must share a secret key.
 Figure 5.6 shows the Authentication Header.

Figure 5.6 Authentication Header

The Authentication Header consists of the following fields:
 Next Header (8 bits): Identifies the type of header immediately following this header.
 Payload Length (8 bits): Length of the Authentication Header in 32-bit words, minus 2.
 Reserved (16 bits): For future use.
 Security Parameters Index (32 bits): Identifies a security association.
 Sequence Number (32 bits): A monotonically increasing counter value, used to reject replayed packets.
 Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet.
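As an added example (not from the original notes), building and checking an Authentication Header in Python: the Payload Length encoding, ICV verification with the shared key, and the anti-replay window that the Sequence Number feeds. Assumed: HMAC-SHA1 truncated to 96 bits as the ICV algorithm, a 64-packet window, and mutable IP header fields already zeroed by the caller.

```python
# Added example: parse an IPsec Authentication Header, verify its ICV with HMAC,
# and apply a sliding-window anti-replay check on the sequence number.
# Assumptions (not from the notes): ICV = HMAC-SHA1 truncated to 96 bits,
# window of 64 packets, caller has already zeroed mutable IP header fields.
import hashlib
import hmac
import struct

AH_FIXED = struct.Struct("!BBHII")   # next_header, payload_len, reserved, spi, seq
ICV_LEN = 12                         # 96-bit truncated HMAC-SHA1 (assumption)


def build_ah(next_header: int, spi: int, seq: int, key: bytes, payload: bytes) -> bytes:
    """Sender side: AH + payload.  Payload Length = (AH length in 32-bit words) - 2."""
    ah_len_words = (AH_FIXED.size + ICV_LEN) // 4
    fixed = AH_FIXED.pack(next_header, ah_len_words - 2, 0, spi, seq)
    # The ICV is computed with the Authentication Data field set to zero.
    mac_input = fixed + b"\x00" * ICV_LEN + payload
    icv = hmac.new(key, mac_input, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv + payload


def parse_ah(packet: bytes) -> dict:
    """Split an AH packet into its fields; the ICV length follows from Payload Length."""
    next_header, payload_len, reserved, spi, seq = AH_FIXED.unpack_from(packet)
    ah_total = (payload_len + 2) * 4          # undo the "in words, minus 2" encoding
    return {"next_header": next_header, "payload_len": payload_len, "reserved": reserved,
            "spi": spi, "seq": seq, "icv": packet[AH_FIXED.size:ah_total],
            "payload": packet[ah_total:], "ah_total": ah_total}


def verify_icv(packet: bytes, key: bytes) -> bool:
    """Recompute the MAC over the packet with the ICV zeroed; compare in constant time."""
    f = parse_ah(packet)
    zeroed = packet[:AH_FIXED.size] + b"\x00" * len(f["icv"]) + packet[f["ah_total"]:]
    expected = hmac.new(key, zeroed, hashlib.sha1).digest()[:len(f["icv"])]
    return hmac.compare_digest(expected, f["icv"])


class ReplayWindow:
    """Sliding window of accepted sequence numbers; bit 0 is the highest seen."""
    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.bitmap = 0                       # bit i set => (highest - i) already accepted

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.highest:                # new right edge: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # too old: fell off the left edge
        if self.bitmap & (1 << offset):
            return False                      # duplicate: a replay
        self.bitmap |= 1 << offset
        return True


def process_inbound(packet: bytes, key: bytes, window: ReplayWindow) -> str:
    """Receiver-side checks in order: integrity first, then replay.  Returns a verdict."""
    if not verify_icv(packet, key):
        return "drop: bad ICV"
    if not window.accept(parse_ah(packet)["seq"]):
        return "drop: replayed or stale sequence number"
    return "accept"


if __name__ == "__main__":
    key = b"constructed-sa-key"                            # constructed sample key
    win = ReplayWindow()
    p1 = build_ah(6, 0x1000, 1, key, b"tcp segment 1")     # next_header 6 = TCP
    p2 = build_ah(6, 0x1000, 2, key, b"tcp segment 2")
    print(process_inbound(p1, key, win))                   # accept
    print(process_inbound(p2, key, win))                   # accept
    print(process_inbound(p1, key, win))                   # drop: replayed
    tampered = p2[:-1] + bytes([p2[-1] ^ 0x01])            # flip one payload bit
    print(process_inbound(tampered, key, win))             # drop: bad ICV
```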

5.4.3 Encapsulating Security Payload (ESP)
 The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality.
 As an optional feature, ESP can also provide an authentication service.
 Figure 5.7 shows the ESP packet.

Figure 5.7 ESP Packet

 Security Parameters Index (32 bits): Identifies a security association.
 Sequence Number (32 bits): A monotonically increasing counter value.
 Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
 Padding (0–255 bytes): Pad bytes added to bring the payload data to the required length.
 Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
 Next Header (8 bits): Identifies the type of data contained in the Payload Data field by identifying the first header in that payload.
 Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.

Key Management
 It is the determination and distribution of secret keys.
Two types of key management:
1. Manual: a system administrator manually configures each system with its own keys.
2. Automated: an automated system enables the on-demand creation of keys for security associations.
The default automated key management protocols are:
1. Oakley key distribution/agreement protocol
2. Internet Security Association and Key Management Protocol (ISAKMP)
Oakley key determination protocol
 A key exchange protocol based on Diffie-Hellman.
 It provides added security (e.g., authentication).
Features of the Oakley key determination protocol
 It uses nonces to ensure against replay attacks.
 It overcomes the man-in-the-middle attack.
Three authentication mechanisms of Oakley
1. Digital signature
2. Public key encryption
3. Secret key encryption
ISAKMP
 It provides a framework for key exchange.
 It defines message formats that can carry the messages of various key exchange protocols. Figure 5.8 shows the header format of ISAKMP.
Figure 5.8 ISAKMP Header

5.5 Web Security
 The World Wide Web (WWW) is fundamentally a client/server application running over the Internet and TCP/IP.
 The Web is now widely used by business, government and individuals.
 But the Internet & Web are vulnerable.
 There are a variety of threats to:
 Integrity
 Confidentiality
 Denial of service
 Authentication
 Hence added security mechanisms are needed.

5.6 SSL (Secure Socket Layer)
 SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
 It is a transport layer security service.
 Originally developed by Netscape.
 Version 3 was designed with public input.
 It subsequently became an Internet standard.
5.6.1 SSL Architecture
Figure 5.9 SSL Architecture
Three higher-layer protocols of SSL:
1. Handshake Protocol
2. Change Cipher Spec Protocol
3. Alert Protocol
Two important SSL concepts:
1. SSL connection: a transport (in the OSI layering sense) that provides a suitable type of service.
2. SSL session: an association between client & server, created by the Handshake Protocol.
SSL Record Protocol
 Confidentiality
 using symmetric encryption with a shared secret key defined by the Handshake Protocol:
 IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
 the message is compressed before encryption
 Message integrity
 using a MAC with a shared secret key,
 similar to HMAC but with different padding
SSL Record Protocol Operation
Figure 5.10 SSL Record Protocol Operation
SSL Change Cipher Spec Protocol
 One of the 3 SSL-specific protocols which use the SSL Record Protocol.
 It consists of a single message.
 It causes the pending state to become the current state,
 hence updating the cipher suite in use.

Figure 5.11 Change Cipher Spec Protocol


SSL Alert Protocol
 It conveys SSL-related alerts to the peer entity.
 Each alert has a severity:
 warning or fatal
 and a specific alert type:
 fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
 warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
 Alerts are compressed & encrypted like all SSL data.

Figure 5.11 Alert Protocol

SSL Handshake Protocol
 It allows server & client to:
 authenticate each other;
 negotiate encryption & MAC algorithms;
 negotiate the cryptographic keys to be used.
 It comprises a series of messages in phases:
 Establish Security Capabilities
 Server Authentication and Key Exchange
 Client Authentication and Key Exchange
 Finish

Figure 5.11 Handshake Protocol

Figure 5.12 Handshake Protocol Action

5.7 TLS (Transport Layer Security)
 Transport Layer Security (TLS) [RFC 2246]
 TLS provides transport layer security for Internet applications.
 It provides confidentiality and data integrity over a connection between two end points.
 TLS operates on a reliable transport, such as TCP, and is itself layered into:
 TLS Record Protocol
 TLS Handshake Protocol
Advantages of TLS
 Applications can use it transparently to communicate securely with each other.
 TLS is visible to applications, making them aware of the cipher suites and authentication certificates negotiated during the set-up phases of a TLS session.

TLS Record Protocol
 The TLS Record Protocol layers on top of a reliable connection-oriented transport, such as TCP.
 It provides data confidentiality using symmetric key cryptography.
 It provides data integrity using a keyed message authentication checksum (MAC).
 The keys are generated uniquely for each session based on the security parameters agreed during the TLS handshake.
 The basic operation of the TLS Record Protocol on the sending side:
 read messages for transmission
 fragment messages into manageable chunks of data
 compress the data, if compression is required and enabled
 calculate a MAC
 encrypt the data
 transmit the resulting data to the peer
 At the opposite end of the TLS connection, the basic operation of the sender is replicated, but in the reverse order:
 read received data from the peer
 decrypt the data
 verify the MAC
 decompress the data, if compression is required and enabled
 reassemble the message fragments
 deliver the message to upper protocol layers
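The send and receive pipelines above, as an added Python example (not code from the notes or from any TLS implementation). Assumptions: HMAC-SHA256 as the MAC over the usual sequence-number/type/version/length header, a SHA-256 counter-mode keystream as a stand-in for the negotiated cipher, and zlib for the optional compression step.

```python
# Added example: the Record Protocol pipeline (fragment -> compress -> MAC -> encrypt)
# and its reverse, with the receiver refusing any record whose MAC fails.
# Assumptions (not from the notes): HMAC-SHA256 MAC; the "cipher" is a SHA-256
# counter-mode keystream used only as a stand-in for a negotiated TLS cipher.
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14           # TLS plaintext fragments are at most 2^14 bytes
CT_APPLICATION_DATA = 23
VERSION = (3, 1)                 # TLS 1.0 is "3.1" on the wire
MAC_LEN = 32


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256(key || seq || counter) blocks (demo only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!QI", seq, counter)).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """MAC input binds the fragment to its sequence number, type, version and length."""
    header = struct.pack("!QBBBH", seq, ctype, VERSION[0], VERSION[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


class RecordLayer:
    """One direction of a connection: keys from the handshake plus a running sequence number."""
    def __init__(self, mac_key: bytes, enc_key: bytes, compress: bool = False):
        self.mac_key, self.enc_key, self.compress = mac_key, enc_key, compress
        self.seq = 0

    def send(self, message: bytes) -> list:
        records = []
        for i in range(0, len(message), MAX_FRAGMENT):                 # 1. fragment
            frag = message[i:i + MAX_FRAGMENT]
            if self.compress:                                          # 2. compress (optional)
                frag = zlib.compress(frag)
            tag = _mac(self.mac_key, self.seq, CT_APPLICATION_DATA, frag)   # 3. MAC
            body = _xor(frag + tag, _keystream(self.enc_key, self.seq, len(frag) + MAC_LEN))  # 4. encrypt
            header = struct.pack("!BBBH", CT_APPLICATION_DATA, VERSION[0], VERSION[1], len(body))
            records.append(header + body)                              # 5. transmit
            self.seq += 1
        return records

    def receive(self, records: list) -> bytes:
        """Reverse order: decrypt, verify MAC, decompress, reassemble."""
        out = b""
        for rec in records:
            ctype, _vmaj, _vmin, length = struct.unpack("!BBBH", rec[:5])
            body = rec[5:5 + length]
            plain = _xor(body, _keystream(self.enc_key, self.seq, len(body)))
            frag, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
            if not hmac.compare_digest(tag, _mac(self.mac_key, self.seq, ctype, frag)):
                raise ValueError("bad_record_mac")                     # fatal alert in real TLS
            if self.compress:
                frag = zlib.decompress(frag)
            out += frag
            self.seq += 1
        return out


def round_trip(message: bytes, tamper: bool = False, compress: bool = False):
    """Send through one RecordLayer and receive with a peer holding the same keys.
    Returns (number of records, recovered message or the alert name)."""
    mac_key, enc_key = b"mac-key-from-handshake", b"enc-key-from-handshake"   # constructed
    sender = RecordLayer(mac_key, enc_key, compress)
    receiver = RecordLayer(mac_key, enc_key, compress)
    records = sender.send(message)
    if tamper:                                   # flip one ciphertext bit in the first record
        r = bytearray(records[0]); r[5] ^= 0x01; records[0] = bytes(r)
    try:
        return len(records), receiver.receive(records)
    except ValueError as exc:
        return len(records), str(exc)


if __name__ == "__main__":
    msg = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n" * 1000    # constructed, > 2^14 bytes
    n, got = round_trip(msg)
    print(n, "records, intact:", got == msg)                         # 3 records, intact: True
    print(round_trip(msg, tamper=True))                              # (3, 'bad_record_mac')
```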
TLS Handshake Protocol
 TLS Handshake Protocol is layered on top of the TLS Record Protocol
 TLS Handshake Protocol is used to
 Authenticate the client and the server
 Exchange cryptographic keys
 Negotiate the used encryption and data integrity algorithms before the
applications start to communicate with each other

Figure 5.13 TLS Handshake Protocol

 Figure 5.13 illustrates the actual handshake message flow.
 [Step 1]
 The client and server exchange Hello messages.
 The client sends a ClientHello message, which is followed by the server sending a ServerHello message.
 These two messages establish the TLS protocol version, the compression mechanism used, the cipher suite used, and possibly the TLS session ID.
 Additionally, both a random client nonce and a random server nonce are exchanged that are used in the handshake later on.
 [Step 2]
 The server may send any messages associated with the ServerHello.
 Depending on the selected cipher suite, it will send its certificate for authentication.
 The server may also send a key exchange message and a certificate request message to the client, depending on the selected cipher suite.
 To mark the end of the ServerHello and the Hello message exchange, the server sends a ServerHelloDone message.
 [Step 3]
 Next, if requested, the client will send its certificate to the server.
 In any case, the client will then send a key exchange message that sets the pre-master secret between the client and the server.
 Optionally, the client may also send a CertificateVerify message to explicitly verify the certificate that the server requested.
 [Step 4]
 Then, both the client and the server send ChangeCipherSpec messages and enable the newly negotiated cipher spec.
 The first message passed in each direction using the new algorithms, keys and secrets is the Finished message, which includes a digest of all the handshake messages.
 Each end inspects the Finished message to verify that the handshake was not tampered with.
 The TLS protocol provides transport layer security for Internet applications: confidentiality using symmetric key cryptography and data integrity using a keyed MAC.
 It also includes functionality for client and server authentication using public key cryptography.
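A miniature version of the four steps above, added here as an example (not code from the notes or from any TLS library): it exchanges nonces, derives the master secret from a Diffie-Hellman pre-master secret, and binds each Finished message to a digest of the transcript so that a ClientHello rewritten in transit is detected. Assumptions: a toy DH prime, an HMAC-SHA256 expansion in place of the TLS PRF, and no certificates.

```python
# Added example: a toy four-step handshake showing why the Finished message
# carries a digest of all handshake messages.  Assumptions (not from the notes):
# toy DH group, HMAC-SHA256 "PRF", no certificates (server authentication omitted).
import hashlib
import hmac
import os

P = (1 << 127) - 1   # toy Mersenne prime for the DH group: demo only, not a real TLS group
G = 3


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-SHA256 expansion (P_hash style) standing in for the TLS PRF."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


class Party:
    """One endpoint: its Hello nonce, ephemeral DH key pair and its own view of the transcript."""
    def __init__(self, name: str):
        self.name = name
        self.nonce = os.urandom(32)                          # the Hello "random" value
        self.priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.transcript = []                                 # handshake messages as this side saw them
        self.master = b""

    def record(self, msg: bytes) -> bytes:
        self.transcript.append(msg)
        return msg

    def derive(self, key_exchange_msg: bytes, client_nonce: bytes, server_nonce: bytes) -> None:
        """Pre-master secret from the peer's DH value; the master secret mixes in both nonces."""
        peer_pub = int.from_bytes(key_exchange_msg.split(b"|", 1)[1], "big")
        pre_master = pow(peer_pub, self.priv, P).to_bytes(16, "big")
        self.master = prf(pre_master, b"master secret", client_nonce + server_nonce, 48)

    def finished(self, label: bytes) -> bytes:
        """Finished = PRF(master, label, digest of every handshake message seen so far)."""
        digest = hashlib.sha256(b"".join(self.transcript)).digest()
        return prf(self.master, label, digest, 12)


def handshake(tamper: bool = False) -> bool:
    """Run the four steps; return True only if both Finished messages verify.
    With tamper=True an on-path attacker rewrites the cipher suite in the ClientHello the
    server receives (a downgrade attempt): the keys still agree, but the transcripts do not."""
    client, server = Party("client"), Party("server")
    # Step 1: Hello messages (version, nonce, cipher suite).
    client_hello = client.record(b"ClientHello|3.1|" + client.nonce + b"|DHE-HMAC-SHA256")
    server.record(client_hello.replace(b"DHE-HMAC-SHA256", b"NULL-CIPHER") if tamper else client_hello)
    server_hello = server.record(b"ServerHello|3.1|" + server.nonce + b"|DHE-HMAC-SHA256")
    client.record(server_hello)
    # Step 2: server key exchange, then ServerHelloDone (certificate messages omitted here).
    ske = server.record(b"ServerKeyExchange|" + server.pub.to_bytes(16, "big"))
    client.record(ske)
    client.record(server.record(b"ServerHelloDone"))
    # Step 3: client key exchange sets the pre-master secret on both sides.
    cke = client.record(b"ClientKeyExchange|" + client.pub.to_bytes(16, "big"))
    server.record(cke)
    client.derive(ske, client.nonce, server.nonce)
    server.derive(cke, client.nonce, server.nonce)
    # Step 4: ChangeCipherSpec (not part of the transcript), then Finished in each direction.
    client_fin = client.finished(b"client finished")
    server_ok = hmac.compare_digest(client_fin, server.finished(b"client finished"))
    client.record(client_fin); server.record(client_fin)
    server_fin = server.finished(b"server finished")
    client_ok = hmac.compare_digest(server_fin, client.finished(b"server finished"))
    return server_ok and client_ok


if __name__ == "__main__":
    print("honest handshake verifies:", handshake())            # True
    print("downgraded ClientHello verifies:", handshake(tamper=True))   # False
```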

5.8 Difference between TLS and SSL


The differences between the two protocols are very minor and technical, but SSL and
TLS are different standards. TLS uses stronger encryption algorithms and has the ability to
work on different ports. Additionally, TLS version 1.0 does not interoperate with SSL version
3.0.

Netscape originally developed the SSL (Secure Sockets Layer) protocol to transmit
information privately, ensure message integrity, and guarantee the server identity. SSL works
mainly through using public/private key encryption on data. It is commonly used on
web browsers, but SSL can also be used with email servers or any kind of client-server
transaction. For example, some instant messaging servers use SSL to protect conversations.

The Internet Engineering Task Force (IETF) created TLS (Transport Layer Security) as the
successor to SSL. It is most often used as a setting in email programs, but, like SSL, TLS can
have a role in any client-server transaction.
5.9 System Security
 The security of a computer system is a crucial task.
 It is the process of ensuring the confidentiality and integrity of the operating system.
 A system is said to be secure if its resources are used and accessed as intended under all situations, but no system can guarantee absolute security against the various malicious threats and unauthorized access.

The security of a system can be violated in two ways:
 Threat: A program which has the potential to cause serious damage to the system.
 Attack: An attempt to break security and make unauthorized use of an asset.

 Security violations affecting the system can be categorized as malicious and accidental.
 Malicious threats, as the name suggests, are a kind of harmful computer code or web script designed to create system vulnerabilities leading to back doors and security breaches.
 Accidental threats, on the other hand, are comparatively easier to protect against. Example: Denial of Service (DDoS) attack.

Security can be compromised via any of the following breaches:
 Breach of confidentiality: This type of violation involves the unauthorized reading of data.
 Breach of integrity: This violation involves unauthorized modification of data.
 Breach of availability: It involves unauthorized destruction of data.
 Theft of service: It involves unauthorized use of resources.
 Denial of service: It involves preventing legitimate use of the system. As mentioned before, such attacks can be accidental in nature.

Security System Goals

Hence, based on the above breaches, the following security goals are aimed at:

1. Integrity
The objects in the system must not be accessed by any unauthorized user, and any user not having sufficient rights should not be allowed to modify important system files and resources.
2. Secrecy
The objects of the system must be accessible only to a limited number of authorized users. Not everyone should be able to view the system files.
3. Availability
All the resources of the system must be accessible to all the authorized users, i.e. no single user/process should have the right to hog all the system resources. If such a situation occurs, denial of service could happen. In this kind of situation, malware might hog the resources for itself, thus preventing legitimate processes from accessing system resources.

Threats can be classified into the following two categories:

1. Program Threats
A program written by a cracker to hijack the security or to change the behaviour of a normal process.
2. System Threats
These threats involve the abuse of system services. They strive to create a situation in which operating-system resources and user files are misused. They are also used as a medium to launch program threats.

5.10 Intruders
 An intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system. In other words, this person attempts to violate security by interfering with system availability, data integrity or data confidentiality.
 The significant issue for networked systems is hostile or unwanted access.
 An intruder may use a compromised system to launch other attacks.
 It may happen either via the network or locally.

Classes of intruders
 Masquerader: an unauthorized user who penetrates a system by exploiting a legitimate user’s account (outsider).
 Misfeasor: a legitimate user who makes unauthorized accesses (insider).
 Clandestine user: one who seizes supervisory control of the system (insider/outsider).
 Intruders have varying levels of competence.

Intrusion Techniques
 The aim is to gain access and/or increase privileges on a system.
 Basic attack methodology:
 target acquisition and information gathering
 initial access
 privilege escalation
 covering tracks
 A key goal is often to acquire passwords,
 so as to then exercise the access rights of the owner.

Password Guessing
 One of the most common attacks.
 The attacker knows a login (from email/web page etc.)
 and then attempts to guess the password for it:
 defaults, short passwords, common word searches
 user info (variations on names, birthday, phone, common words/interests)
 exhaustively searching all possible passwords
 Guesses are checked by login attempts or against a stolen password file.
 Success depends on the password chosen by the user;
 surveys show many users choose poorly.
Password Capture
 Another attack involves password capture:
 watching over the shoulder as the password is entered;
 using a trojan horse program to collect passwords;
 monitoring an insecure network login, e.g. telnet, FTP, web, email;
 extracting recorded info after a successful login (web history/cache, last number dialled).
 Using a valid login/password, the attacker can impersonate the user.
 Users need to be educated to use suitable precautions/countermeasures.

Intrusion Detection
 Any system will inevitably have security failures,
 so intrusions need to be detected so that we can:
 block them if detected quickly;
 act as a deterrent;
 collect info to improve security.
 Assume the intruder will behave differently to a legitimate user.
Approaches to Intrusion Detection
 Statistical anomaly detection
 threshold
 profile based
 Rule‐based detection
 anomaly
 penetration identification

5.10.1 Statistical Anomaly Detection
 Threshold detection
 count occurrences of a specific event over time;
 if the count exceeds a reasonable value, assume intrusion.
 Profile based
 characterize the past behavior of users;
 detect significant deviations from this;
 a profile is usually multi‐parameter.
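Both statistical approaches run over constructed audit records, as an added example (not from the original notes); the record format, the failed-login threshold and the 3-sigma deviation rule are assumptions of the demo.

```python
# Added example: threshold detection and profile-based detection over constructed
# audit records.  Threshold detection counts one event type (failed logins) per
# subject inside a time window; profile-based detection compares a subject's
# current activity against a multi-parameter profile (mean / std-dev per metric)
# built from past days.  Format, limits and the 3-sigma rule are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed audit records: timestamp, subject, action, object, bytes
AUDIT_LOG = """\
2024-03-01T09:00:10 alice login-ok   ws1 0
2024-03-01T09:01:00 alice read       /home/alice/report.txt 2048
2024-03-01T09:02:15 bob   login-fail ws2 0
2024-03-01T09:02:20 bob   login-fail ws2 0
2024-03-01T09:02:24 bob   login-fail ws2 0
2024-03-01T09:02:30 bob   login-fail ws2 0
2024-03-01T09:02:33 bob   login-fail ws2 0
2024-03-01T09:02:40 bob   login-fail ws2 0
2024-03-01T09:40:00 bob   login-fail ws2 0
2024-03-01T10:00:00 alice read       /etc/passwd 1200
2024-03-01T10:01:00 alice read       /srv/db/dump.sql 900000000
"""

# Constructed profile history: per subject, one metric dict per past day.
HISTORY = {
    "alice": [{"reads": 12, "bytes": 40_000, "distinct_objects": 5},
              {"reads": 10, "bytes": 35_000, "distinct_objects": 4},
              {"reads": 14, "bytes": 52_000, "distinct_objects": 6},
              {"reads": 11, "bytes": 38_000, "distinct_objects": 5}],
}


def parse_audit(text: str) -> list:
    recs = []
    for line in text.splitlines():
        ts, subject, action, obj, nbytes = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "subject": subject,
                     "action": action, "object": obj, "bytes": int(nbytes)})
    return recs


def threshold_alerts(records, action="login-fail", limit=5, window=timedelta(minutes=10)) -> set:
    """Subjects with more than `limit` events of `action` inside any sliding window."""
    per_subject = defaultdict(list)
    for r in records:
        if r["action"] == action:
            per_subject[r["subject"]].append(r["ts"])
    alerts = set()
    for subject, times in per_subject.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > limit:
                alerts.add(subject)
    return alerts


def daily_metrics(records, subject) -> dict:
    """Today's values of the profiled parameters for one subject."""
    reads = [r for r in records if r["subject"] == subject and r["action"] == "read"]
    return {"reads": len(reads), "bytes": sum(r["bytes"] for r in reads),
            "distinct_objects": len({r["object"] for r in reads})}


def profile_alerts(records, history, k=3.0) -> dict:
    """Flag each metric whose current value lies more than k standard deviations from its profile."""
    findings = {}
    for subject, days in history.items():
        current = daily_metrics(records, subject)
        for metric in current:
            past = [d[metric] for d in days]
            mu, sigma = mean(past), pstdev(past) or 1.0      # avoid divide-by-zero on flat history
            z = (current[metric] - mu) / sigma
            if abs(z) > k:
                findings.setdefault(subject, []).append((metric, round(z, 1)))
    return findings


if __name__ == "__main__":
    recs = parse_audit(AUDIT_LOG)
    print("threshold alerts:", threshold_alerts(recs))          # {'bob'}
    print("profile alerts:", profile_alerts(recs, HISTORY))     # alice: reads and bytes deviate
```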
5.10.2 Rule‐Based Intrusion Detection
 Observes events on the system & applies rules to decide whether activity is suspicious or not.
 Rule‐based anomaly detection:
 analyze historical audit records to identify usage patterns & auto‐generate rules for them;
 then observe current behavior & match against the rules to see if it conforms;
 like statistical anomaly detection, it does not require prior knowledge of security flaws.
Rule‐based penetration identification
 uses expert systems technology,
 with rules identifying known penetrations, weakness patterns, or suspicious behavior;
 compares audit records or states against the rules;
 rules are usually machine & O/S specific;
 rules are generated by experts who interview & codify the knowledge of security admins;
 quality depends on how well this is done.
Audit Records
 Fundamental tool for intrusion detection.
 Native audit records:
 part of all common multi‐user O/S;
 already present for use;
 may not have the wanted info in the desired form.
 Detection‐specific audit records:
 created specifically to collect the wanted info,
 at the cost of additional overhead on the system.
Distributed Intrusion Detection
 The traditional focus is on single systems,
 but typically we have networked systems.
 A more effective defense has these working together to detect intrusions.
 Issues:
 dealing with varying audit record formats
 integrity & confidentiality of networked data
 centralized or decentralized architecture
Distributed Intrusion Detection – Architecture
Figure 5.14 Distributed ID Architecture
5.10.3 Honeypots
 Honeypots are decoy systems designed to lure a potential attacker away from critical systems.
 A honeypot is designed to:
 divert an attacker from accessing critical systems;
 collect information about the attacker’s activity;
 encourage the attacker to stay on the system long enough for administrators to respond.

Functions of Honeypots
 The function of a honeypot is to represent itself on the internet as a potential target for attackers, usually a server or other high-value target, and to gather information and notify defenders of any attempts to access the honeypot by unauthorized users.
 Honeypots are most often used by large enterprises and by companies involved in cybersecurity research, to identify and defend against attacks from advanced persistent threat actors. Honeypots can be an important tool for large organizations to take an active defense stance against attackers, or for cybersecurity researchers who want to learn more about the tools and techniques that attackers use.
 The cost of maintaining a honeypot can be high, in part because of the specialized skills required to implement and administer a system that appears to expose the organization's network resources while still preventing attackers from gaining access to any production systems.

How a Honeypot works
 Generally, a honeypot operation consists of a computer, applications and data that simulate the behaviour of a real system and appear as part of a network; however, the honeypot is actually isolated and closely monitored. Because there is no reason for legitimate users to access a honeypot, any attempt to communicate with a honeypot should be considered hostile.
 Viewing and logging this activity can help improve security by providing insight into the level and types of threat a network infrastructure faces, while distracting attackers away from assets of real value. Researchers suspect that some cybercriminals use honeypots themselves to gather intelligence about researchers, act as decoys and spread misinformation.
 Virtual machines are often used to host honeypots, so if a honeypot is compromised by malware, for example, it can be quickly restored. Two or more honeypots on a network form a honeynet, while a honeyfarm is a centralized collection of honeypots and analysis tools.

Types of Honeypots

 Based on design and deployment, there are two main types of honeypots:

1. Research: Research honeypots perform close analysis of hacker activity and
aim to discover how hackers develop and progress in order to learn how to
better protect systems against them. Data placed in a honeypot with unique
identifying properties can also help analysts track stolen data and identify
connections between different participants in an attack.
2. Production: Production honeypots are usually deployed inside production networks
alongside production servers; the honeypot plays the role of a decoy as part of
the production network intrusion detection system (IDS). A production
honeypot is designed to appear real and contains information to attract and
occupy hackers in order to tie up their time and resources, ultimately giving
administrators time to assess and mitigate any vulnerabilities in their actual
production systems.

Advantages of Honeypot

 Collect real data: Honeypots collect data from actual attacks and other
unauthorized activities, providing analysts with a rich source of useful
information.

 Reduce false positives: Ordinary cybersecurity detection technologies generate
alerts that can include a significant volume of false positives, but honeypots
reduce this volume because there is no reason for legitimate users to access them.

 Cost-effective: Honeypots can be good investments because they do not require
high-performance resources to process large volumes of network traffic looking
for attacks, because they only interact with malicious activities.

 Encryption: Honeypots capture malicious activity, even if an attacker is using
encryption.

Disadvantages of Honeypot

 Data: Honeypots only collect information when an attack occurs. Zero attempts to
access the honeypot means there is no data to analyze.

 Honeypot network: Malicious traffic that has been captured is only collected
when an attack targets the honeypot network; if attackers suspect a network is a
honeypot, they will avoid it.

 Distinguishable: Honeypots are often distinguishable from legitimate production
systems, which means experienced hackers can often differentiate a production
system from a honeypot system using system fingerprinting techniques.
5.11 Malicious Software
 Malicious software, commonly known as malware, is any software that brings harm to
a computer system. Malware can be in the form of worms, viruses, trojans, spyware,
adware, rootkits, etc., which steal protected data, delete documents or add
software not approved by a user. Figure 5.15 shows the classification of malicious
programs.

 Malware is software designed to cause harm to a computer and user. Some forms of
malware “spy” on user Internet traffic. Examples include spyware and adware.
Spyware monitors a user’s location and if enabled, it can capture sensitive
information, e.g., credit card numbers, promoting identity theft. Adware also acquires
user information, which is shared with advertisers and then integrated with unwanted,
triggered pop-up ads.

 Worms and viruses behave differently, as they can quickly proliferate and undermine
an entire computer system. They also may perform unsavory activities from a user’s
computer without the user’s knowledge. In the wake of a virus or worm, a computer
system can experience significant damage.

 Anti-malware should determine if there are threats by scanning a computer and
removing them, if found. Prevention is better than corrective action after infection.
Although anti-virus programs should be continually enabled and updated, certain
types of threats, like spyware, often make their way into a computer system.

 At all times, a firewall should be in place for additional security. Multiple, compatible
protective sources are encouraged as additional insurance against malware.
Figure 5.15 Classification of Malicious Program
Trapdoors or Backdoor

 A trap door is a secret entry point into a program that allows someone that is aware of
the trap door to gain access without going through the usual security access
procedures.
 Trap doors become threats when they are used by unscrupulous programmers to gain
unauthorized access.

Logic Bomb

 A logic bomb is a piece of code inserted into an operating system or software
application that implements a malicious function after a certain amount of time, or
when specific conditions are met.
 Logic bombs are often used with viruses, worms, and trojan horses to time them to do
maximum damage before being noticed.
 It is activated when the specified conditions are met.
 It may modify or delete files or disks, halt the machine, etc.
Trojan Horses
 A Trojan horse, or Trojan, is a type of malicious code or software that looks
legitimate but can take control of your computer.
 A Trojan is designed to damage, disrupt, steal, or in general inflict some other
harmful action on your data or network.
Virus
 A computer virus is malicious code that replicates by copying itself to another
program, computer boot sector or document and changes how a computer works.
 The virus requires someone to knowingly or unknowingly spread the infection
without the knowledge or permission of a user or system administrator.

Worms

 A computer worm is a standalone malware computer program that replicates itself in
order to spread to other computers.
 Worms almost always cause at least some harm to the network, even if only by
consuming bandwidth, whereas viruses almost always corrupt or modify files on a
targeted computer.

Zombie

 A zombie is a computer that has been implanted with a daemon that puts it under the
control of a malicious hacker without the knowledge of the computer owner.
 Zombies are used by malicious hackers to launch DoS attacks.
 The hacker sends commands to the zombie through an open port.

5.12 Viruses

 A computer virus is malicious code that replicates by copying itself to another
program, computer boot sector or document and changes how a computer works.

 The virus requires someone to knowingly or unknowingly spread the infection
without the knowledge or permission of a user or system administrator.

 A virus is a fragment of code embedded in a legitimate program.

 Viruses are self-replicating and are designed to infect other programs. They can wreak
havoc in a system by modifying or destroying files, causing system crashes and
program malfunctions.

 Once a virus is executing, it can perform any function, such as erasing files and
programs.
Types of Viruses
 File Virus: This type of virus infects the system by appending itself to the end
of a file. It changes the start of the program so that control jumps to its code.
After its code has executed, control returns to the main program, so its
execution is not even noticed. It is also called a parasitic virus because it does
not leave the infected file intact, yet leaves the host program functional.
 Boot sector Virus: It infects the boot sector of the system, executing every time
the system is booted and before the operating system is loaded. It infects other bootable
media such as floppy disks. These are also known as memory viruses as they do not
infect the file system.
 Source code Virus: It looks for source code and modifies it to include the virus and
to help spread it.
 Polymorphic Virus: A virus signature is a pattern that can identify a virus (a
series of bytes that make up the virus code). So, in order to avoid detection by
antivirus software, a polymorphic virus changes each time it is installed. The functionality
of the virus remains the same but its signature is changed.
 Encrypted Virus: In order to avoid detection by antivirus software, this type of virus
exists in encrypted form. It carries a decryption algorithm along with it. So, the
virus first decrypts itself and then executes.
 Stealth Virus: It is a very tricky virus as it changes the code that can be used to
detect it. Hence, the detection of the virus becomes very difficult. For example, it
can change the read system call so that whenever a user asks to read code
modified by the virus, the original form of the code is shown rather than the infected code.
 Tunnelling Virus: This virus attempts to bypass detection by an antivirus scanner
by installing itself in the interrupt handler chain. Interception programs, which
remain in the background of an operating system and catch viruses, become
disabled during the course of a tunnelling virus. Similar viruses install
themselves in device drivers.
 Multipartite Virus: This type of virus is able to infect multiple parts of a
system, including the boot sector, memory and files. This makes it difficult to detect
and contain.
 Armored Virus: An armored virus is coded to make it difficult for antivirus software to
unravel and understand. It uses a variety of techniques to do so, such as fooling the
antivirus into believing that it lies somewhere other than its real location, or using
compression to complicate its code.
Macro Virus
 Macro viruses are particularly threatening for a number of reasons:

 They are platform independent.

 They infect documents, not executable portions of code.

 They can easily spread.

 Macro viruses take advantage of the macro feature found in Word and other office
applications.

 Successive releases of Word provide increased protection against macro viruses, and
they are no longer the predominant virus threat.

Email Virus

 A more recent development in malicious software is the e-mail virus.

 The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft
Word macro embedded in an attachment, triggered when the attachment was opened.

 At the end of 1999, a more powerful version of the e-mail virus appeared, activated
merely by opening an e-mail that contains the virus rather than opening an
attachment.

 As a result, instead of taking months or years to propagate, such viruses now take only hours.

 This makes it very difficult for antivirus software to respond before much damage is
done.

Worms

 A worm is a program that can replicate itself and send copies from computer to
computer across network connections.

 Upon arrival, the worm may be activated to replicate and propagate again, and
usually to also perform some unwanted function.

 A worm actively seeks out more machines to infect and each machine that is infected
serves as an automated launching pad for attacks on other machines.

 To replicate itself, a network worm uses some sort of network vehicle such as email,
remote execution, or remote login. Once active within a system, a network worm can
behave as a computer virus or bacteria, or it could implant Trojan horse programs or
perform any number of disruptive or destructive actions.

Operation of worms
 A computer worm infection spreads without user interaction. All that is necessary is
for the computer worm to become active on an infected system.
 Before widespread use of networks, computer worms were spread through
infected storage media, such as floppy diskettes, which, when mounted on a system,
would infect other storage devices connected to the victim system. USB drives are
still a common vector for computer worms.
 Computer worms often rely on the actions of, and vulnerabilities in,
networking protocols to propagate.
 For example, the WannaCry ransomware worm exploited a vulnerability in the first
version of the Server Message Block (SMBv1) resource sharing protocol
implemented in the Windows operating system.
 Once active on a newly infected computer, the WannaCry malware initiates a network
search for new potential victims: systems that respond to SMBv1 requests made by
the worm.
 The worm is able to continue to propagate within an organization in this way. When a
bring-your-own-device (BYOD) system is infected, the worm can spread to other networks,
giving hackers even more access.
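The propagation behaviour described above (a newly infected host sweeping the network for systems that answer SMB requests) leaves a clear trace in flow logs: one source opening connections to many distinct hosts on port 445 within seconds. The following Python detector is an added example, not part of these notes; the flow records, the 20-target threshold and the 60-second window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
SCAN_THRESHOLD = 20          # distinct SMB targets from one source (assumed)
WINDOW = timedelta(seconds=60)


def make_sample_flows():
    """Constructed flow log: 'date time src dst dport flag' per line.

    10.0.0.23 plays the infected workstation sweeping 10.0.0.100-139 on port
    445; 10.0.0.7 is a normal client that only talks to two file servers.
    """
    base = datetime(2017, 5, 12, 8, 0, 0)
    lines = []
    for i in range(40):                          # 40 targets, ~4 SYNs a second
        ts = base + timedelta(seconds=i // 4)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.23 10.0.0.{100 + i} {SMB_PORT} S")
    for i, dst in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.5"]):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.7 {dst} {SMB_PORT} S")
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} 10.0.0.7 203.0.113.10 443 S")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the constructed log format into (timestamp, src, dst, dport, flag)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst, dport, flag = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, src, dst, int(dport), flag))
    return records


def find_smb_scanners(records, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return {src: targets} for every source that sent SYNs to at least
    `threshold` distinct hosts on port 445 inside one sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, flag in records:
        if dport == SMB_PORT and flag == "S":     # only connection attempts
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = targets
                break                             # one alert per source
    return alerts


if __name__ == "__main__":
    for src, targets in find_smb_scanners(parse_flows(make_sample_flows())).items():
        print(f"ALERT: {src} probed {len(targets)} hosts on tcp/{SMB_PORT}")
```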

Types of computer worms

There are several types of malicious computer worms:

 A computer virus or worm hybrid is a piece of malware that spreads like a worm,
but that also modifies program code like a virus or else carries some sort of
malicious payload, such as a virus, ransomware or some other type of malware.

 A bot worm may be used to infect computers and turn them into zombies or bots,
with the intent of using them in coordinated attacks through botnets.

 Instant messaging, or IM, worms propagate through instant messaging services and
exploit access to contact lists on victim computers.

 Email worms are usually spread as malicious executable files attached to what appear
to be ordinary email messages.
 An ethical worm is a computer worm designed to propagate across networks with the
express purpose of delivering patches for known security vulnerabilities.

Difference between worms and viruses

 Viruses are also self-replicating programs, but usually require some action on the part
of the user to spread inadvertently to other programs or systems.
 After a computer worm loads and begins running on a newly infected system, it will
typically follow its prime directive: to remain active on an infected system for as long
as possible, and to spread to as many other vulnerable systems as possible.

Morris Worms

 The Morris Worm was a self-replicating computer program (worm) written by Robert
Tappan Morris, a student at Cornell University, and released from MIT on November
2, 1988.

 It was designed to spread on UNIX systems and used a number of different
techniques for propagation, including cracking the local password file to get
logins/passwords.

Why are viruses created by people?

They are created because of the following reasons:

 Inflict Damage to Competitors

 Financial benefits

 Research projects

 Play pranks

 Cyber terrorism, etc.

Countermeasures of Virus and Worms

Users should practice good cybersecurity hygiene to protect themselves against being
infected with computer worms and viruses. The following measures will help prevent
computer worm and virus infections:
 Scan files downloaded from the internet and email attachments.
 Beware when installing pirated software.

 Using firewalls will help reduce access to systems by malicious software.

 Encrypt files to protect sensitive data stored on computers, servers and mobile devices

 Keep your antivirus updated and scan your system at least once a week.

 A virus infection may corrupt data, so maintain regular backups of your data.

 Avoid opening email from an unknown sender.

 Run disk clean-up, a registry scanner and defragmentation once a week.

 Do not boot the system from an infected bootable system disk.

5.13 Firewalls
 A firewall is a network security device, which monitors all incoming and outgoing
traffic and based on a defined set of security rules it accepts, rejects or drops that
specific traffic.

 The firewall acts as a guard. It guards a corporate network acting as a shield between
the inside network and the outside world such as internet. All the traffic in either
direction must pass through the firewall. The firewall can be implemented as
hardware and software, or a combination of both.

Accept: allow the traffic
Reject: block the traffic but reply with an “unreachable error”
Drop: block the traffic with no reply
Figure 5.16 Firewall

Firewall Limitations
 cannot protect from attacks bypassing it,
 e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g.
SSL/SSH)
 cannot protect against internal threats,
 e.g. disgruntled or colluding employees
 cannot protect against access via WLAN
 if improperly secured against external use
 cannot protect against malware imported via a laptop, PDA or storage device infected outside
Operation of firewall

 A firewall matches network traffic against the rule set defined in its table. Once a
rule is matched, the associated action is applied to the network traffic.

 For example, one rule may state that no employee from the HR department can access
data on the code server, while at the same time another rule states that the system
administrator can access data from both the HR and technical departments. Rules can
be defined on the firewall based on the needs and security policies of the
organization.

 From the perspective of a server, network traffic can be either outgoing or incoming.
The firewall maintains a distinct set of rules for each case.
 Outgoing traffic, which originates from the server itself, is mostly allowed to pass. Still,
setting rules on outgoing traffic is always better in order to achieve more security and
prevent unwanted communication.

 Most traffic which reaches the firewall belongs to one of three major Transport Layer
protocols: TCP, UDP or ICMP. All these types have a source address and a destination
address. TCP and UDP also have port numbers. ICMP uses a type code instead of a port
number, which identifies the purpose of that packet.

Types of Firewall
1. Packet Filter
2. Application level gateways
3. Circuit level gateways
1. Packet Filters
 It works in the network layer of the OSI Model.
 It applies a set of rules (based on the contents of IP and transport header fields) on
each packet and based on the outcome, decides to either forward or discard the packet.
 For example, a rule could specify to block all incoming traffic from a certain IP
address or to disallow all traffic that uses the UDP protocol. Figure 5.17 shows a packet filter
firewall.
 If there is no match with any predefined rule, it takes the default action.
 The default action can be to ‘discard all packets’ or to ‘accept all packets’.

Figure 5.17 Packet Filters

Advantages
 Simple
 Transparent to users
 Very fast
Disadvantages
 Don’t support advanced user authentication schemes
 Don’t examine upper-layer data, so they cannot prevent attacks that exploit it
Attacks on Packet Filters
 IP address Spoofing
In this kind of attack, an intruder from the outside tries to send a packet towards the
internal corporate network with the source IP address set equal to one of the IP
addresses of internal users.
Prevention
The firewall can defeat this attack if it discards all packets that arrive at the incoming
side of the firewall with a source IP equal to one of the internal IPs.
 Source Routing Attacks
In this kind of attack, the attacker specifies the route to be taken by the packet in the
hope of fooling the firewall.
Prevention
The firewall can defeat this attack if it discards all packets that use the
source routing option (also known as path addressing).
 Tiny Fragment Attacks
Many times, the size of an IP packet is greater than the maximum size allowed by the
underlying network such as Ethernet, Token Ring, etc. In such cases, the packet needs
to be fragmented so that it can be carried further. The attacker uses this characteristic
of the TCP/IP protocol. In this kind of attack, the attacker intentionally creates fragments
of the original packet and sends them to fool the firewall.
Prevention
The firewall can defeat this attack if it discards all fragmented packets that use the TCP
protocol. Dynamic packet filters allow incoming TCP packets only if they
are responses to outgoing TCP packets.
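The packet filter and the three countermeasures above, as an added Python simulation that is not part of these notes: a first-match rule table with a default action, the anti-spoofing, source-routing and fragment checks applied before the rules, and a minimal dynamic (stateful) check that admits inbound TCP only as a reply to a connection opened from inside. The address ranges, the HR/code-server policy and the rule set are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("192.168.1.0/24")   # assumed internal network
HR_SUBNET = "192.168.1.128/25"            # assumed HR department range
CODE_SERVER = "192.168.1.20/32"           # assumed code server
MAIL_SERVER = "192.168.1.10/32"           # assumed SMTP server


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    interface: str = "outside"   # arrival interface: "outside" or "inside"
    syn: bool = True             # tcp only: True for a connection request
    frag_offset: int = 0         # IP fragment offset; > 0 = non-first fragment
    source_routed: bool = False  # IP source-route option present


@dataclass
class Rule:
    action: str                  # "accept", "reject" (block, reply) or "drop" (block silently)
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    def __init__(self, rules, default="drop"):
        self.rules = rules
        self.default = default
        self.sessions = set()    # (internal host, external host) opened from inside

    def decide(self, p: Packet):
        """Return (action, reason) for one packet; the first matching rule wins."""
        if p.interface == "outside" and ip_address(p.src) in INTERNAL:
            return "drop", "spoofed internal source address"
        if p.source_routed:
            return "drop", "source routing option"
        if p.proto == "tcp" and p.frag_offset > 0:
            return "drop", "fragmented TCP packet"      # no header to inspect
        if p.interface == "outside" and p.proto == "tcp" and not p.syn:
            if (p.dst, p.src) in self.sessions:        # dynamic filtering
                return "accept", "reply to outbound connection"
            return "drop", "unsolicited inbound TCP"
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "accept" and p.interface == "inside" and p.proto == "tcp":
                    self.sessions.add((p.src, p.dst))  # remember who we called
                return rule.action, f"rule {i}"
        return self.default, "default action"


# Assumed policy: HR may not reach the code server, outsiders may reach SMTP,
# inbound UDP is rejected with an error, other internal traffic may leave.
RULES = [
    Rule("drop", src=HR_SUBNET, dst=CODE_SERVER),
    Rule("accept", proto="tcp", dst=MAIL_SERVER, dport=25),
    Rule("reject", proto="udp"),
    Rule("accept", src=str(INTERNAL)),
]


def run_demo():
    fw = PacketFilter(RULES, default="drop")
    return [
        fw.decide(Packet("203.0.113.5", "192.168.1.10", "tcp", 25)),                    # accept
        fw.decide(Packet("192.168.1.50", "192.168.1.10", "tcp", 25)),                   # spoofed
        fw.decide(Packet("203.0.113.5", "192.168.1.10", "tcp", 25, source_routed=True)),
        fw.decide(Packet("203.0.113.5", "192.168.1.10", "tcp", 25, frag_offset=1)),
        fw.decide(Packet("203.0.113.5", "192.168.1.10", "udp", 53)),                    # reject
        fw.decide(Packet("192.168.1.130", "192.168.1.20", "tcp", 22, interface="inside")),
        fw.decide(Packet("192.168.1.40", "203.0.113.9", "tcp", 443, interface="inside")),
        fw.decide(Packet("203.0.113.9", "192.168.1.40", "tcp", 443, syn=False)),       # reply
        fw.decide(Packet("203.0.113.9", "192.168.1.41", "tcp", 443, syn=False)),       # unsolicited
    ]
```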

2. Application Gateways
It is also known as a proxy server. It works as follows:
 Step-1: User contacts the application gateway using a TCP/IP application such as
HTTP.
 Step-2: The application gateway asks about the remote host with which the user wants
to establish a connection. It also asks for the user id and password that is required to
access the services of the application gateway.
 Step-3: After verifying the authenticity of the user, the application gateway accesses
the remote host on behalf of the user to deliver the packets.

Figure 5.18 Application Gateways

Advantages

 More secure than packet filter

 Easy to log and audit all incoming traffic at application level.

Disadvantages

 Processing overhead

 Two spliced connections between the end users, so the gateway must examine and forward all
traffic in both directions

3. Circuit-Level Gateways

 It works at the session layer of the OSI Model.

 It is an advanced variation of the Application Gateway. It acts as a virtual connection
between the remote host and the internal users by creating a new connection between
itself and the remote host.

 It also changes the source IP address in the packet and puts its own address at the
place of source IP address of the packet from end users. This way, the IP addresses of
the internal users are hidden and secured from the outside world.
Figure 5.19 Circuit-Level Gateways

5.13.1 Bastion Host

 A bastion host is a special-purpose computer on a network specifically designed
and configured to withstand attacks.

 The computer generally hosts a single application, for example a proxy server, and
all other services are removed or limited to reduce the threat to the computer.

 It is hardened in this manner primarily due to its location and purpose, which is
either on the outside of a firewall or in a demilitarized zone (DMZ) and usually
involves access from untrusted networks or computers.

Characteristics of bastion host

 Executes a secure version of its OS, making it a trusted system.

 It has only essential services installed on the bastion host.

 It may require additional authentication before a user is allowed access to the
proxy services.

 Maintains detailed audit information by logging all traffic.

5.14 Firewall Configurations

 In addition to the simple configuration of a single system (a single packet
filtering router or single gateway), more complex configurations are possible:

 Screened host (single homed bastion host)
 Screened host (dual homed bastion host)
 Screened subnet firewall system
Screened host (single homed bastion host)
 It consists of two systems, a packet filtering router and a bastion host. Figure 5.20 shows
the screened host.
 For traffic from the internet, only IP packets destined for the bastion host are allowed in.
 For traffic from the internal network, only IP packets from the bastion host are allowed
out. The bastion host performs authentication and proxy functions.

Figure 5.20 Screened host (single homed bastion host)


Screened host (dual homed bastion host)
 Physically prevents a security breach: traffic between the internet and the internal
network has to flow through the dual-homed bastion host. Figure 5.21 shows this approach.
 An information server or other hosts can be allowed direct communication with the
router if this is in accord with the security policy.

Figure 5.21 Screened host (Dual homed bastion)

Screened subnet
 This configuration creates an isolated subnetwork.
 Two packet filtering routers are used.
 One between bastion host and internet
 One between bastion host and internal network

Figure 5.22 Screened subnet

Advantages
 Three levels of defence.
 Internal network is invisible to internet.
 Inside network cannot construct direct routes to internet.
