
Question 2

User authentication is a method that keeps unauthorized users from
accessing sensitive information. For example, User A only has access to
relevant information and cannot see the sensitive information of User B.
Cybercriminals can gain access to a system and steal information when
user authentication is not secure. The data breaches companies like
Adobe, Equifax, and Yahoo faced are examples of what happens when
organizations fail to secure their user authentication. Hackers gained
access to Yahoo user accounts to steal contacts, calendars and private
emails between 2012 and 2016. The Equifax data breach in 2017 exposed
credit card data of more than 147 million consumers. Without a secure
authentication process, any organization could be at risk.

Common types of user authentication include:


1. Password-based Authentication: Users authenticate themselves by
providing a username and password. This method is widely used but
can be vulnerable to various attacks such as brute force attacks,
phishing, and password guessing.
2. Multi-factor Authentication (MFA): MFA adds an extra layer of
security by requiring users to provide multiple forms of
authentication. This could include something they know (e.g., a
password), something they have (e.g., a mobile device or security
token), or something they are (e.g., biometric information like
fingerprints or facial recognition). Even if one factor is compromised,
the others provide additional security.
3. Biometric Authentication: This method uses unique biological traits
such as fingerprints, iris patterns, facial features, or voice recognition
to authenticate users. Biometric authentication is often perceived as
more secure and convenient than traditional password-based
methods, as it is difficult to forge or steal biometric data.
4. Token-based Authentication: Users authenticate themselves using a
cryptographic token, such as a smart card or security token. These
tokens generate one-time passwords or cryptographic keys that are
used for authentication, providing an additional layer of security.

The biometric authentication process typically involves capturing biometric
data during enrollment, where the system records and stores a template or
representation of the biometric trait. During authentication, the user
provides the biometric sample again, and the system compares it with the
stored template to verify the user's identity.

Biometric authentication offers several advantages:

• Strong Security: Biometric traits are difficult to forge or steal, making them
inherently more secure than passwords or tokens.
• Convenience: Users don't need to remember passwords or carry physical
tokens; their biometric traits are always with them.
• Enhanced User Experience: Biometric authentication can streamline the
login process, improving user experience and reducing friction.
• Non-repudiation: Biometric authentication provides strong evidence of an
individual's identity, enhancing accountability and reducing the risk of
repudiation.

Question 3
A digital signature is a cryptographic technique used to verify the
authenticity and integrity of digital messages, documents, or transactions. It
serves as a digital equivalent of a handwritten signature or a stamped seal
on a paper document.

Here's how it typically works:

1. Signing: To create a digital signature, the signer uses a cryptographic
algorithm and their private key to generate a unique digital
fingerprint, or hash, of the data being signed. This hash is specific to
the content being signed and is created in such a way that even a
small change in the content would result in a completely different
hash.
2. Private Key: The signer's private key is a secret piece of information
known only to them. It's used to create the digital signature and must
be kept secure to prevent unauthorized access.
3. Verification: To verify the digital signature, the recipient uses the
signer's public key, which is associated with their private key. The
recipient generates a new hash of the received data using the same
cryptographic algorithm used by the signer.
4. Comparison: The recipient then compares the hash generated from
the received data with the digital signature using the signer's public
key. If the two hashes match, it verifies that the data has not been
altered since it was signed and that the signer is indeed the entity
that possesses the private key associated with the provided public
key.

Digital signatures offer several benefits:

• Authentication: They provide a way to verify the identity of the
signer, ensuring that the message or document was indeed created
by them.
• Integrity: They ensure that the signed data has not been altered or
tampered with since it was signed.
• Non-repudiation: Once a digital signature is applied, the signer
cannot deny their involvement or claim that the signature was forged,
providing a level of accountability.

There are three types of attacks on Digital Signatures:
1. Chosen-message Attack
2. Known-message Attack
3. Key-only Attack

Let us consider an example where C is the attacker and A is the victim
whose message and signature are under attack.
1. Chosen-message Attack:
The chosen-message attack is of two types:
1. Generic chosen-method – In this method C tricks A into digitally
signing messages that A does not intend to sign, without C having
any knowledge of A's public key.
2. Direct chosen-method – In this method C knows A's public key,
obtains A's signature on some messages, and replaces the original
message with the message C wants A to sign, keeping A's signature
on it unchanged.
2. Known-message Attack:
In the known-message attack, C has a few previous messages and
signatures of A. C then tries to forge A's signature on documents that
A does not intend to sign, using brute force and analysing the previous
data to recreate A's signature. This attack is similar to the
known-plaintext attack in encryption.
3. Key-only Attack:
In the key-only attack, A's public key is available to everyone, and C
makes use of this fact to try to recreate A's signature and digitally
sign documents or messages that A does not intend to sign. This is a
great threat to the authentication of the message, which is
non-repudiable since A cannot deny signing it.
Question 4

Question 5
Packet Sniffing
When any data has to be transmitted over a computer network, it is
broken down into smaller units, called data packets, at the sender's node
and reassembled at the receiver's node in the original format. The packet is
the smallest unit of communication over a computer network. It is also
called a block, a segment, a datagram or a cell. The act of capturing data
packets across a computer network is called packet sniffing. It is similar
to wiretapping a telephone network. It is mostly used by crackers
and hackers to collect information illegally about a network. It is also used
by ISPs, advertisers and governments. ISPs use packet sniffing to track all
your activities, such as:
• who the receiver of your email is
• what the content of that email is
• what you download
• sites you visit
• what you looked at on that website
• downloads from a site
• streaming events like video, audio, etc.

Advantages:
• Network troubleshooting
• Security analysis
• Network optimization
• Protocol analysis

Disadvantages:
• Privacy violations
• Legal issues
• Resource usage
• Complexity

Spoofing
Spoofing is a type of attack in which hackers gain access to the victim's
system by gaining the trust of the victim (target user) in order to spread
malicious code and steal data such as passwords and PINs stored in the
system. In spoofing, psychologically manipulating the victim is the
hacker's main aim.

Address Resolution Protocol: ARP stands for Address Resolution
Protocol. It is a communication protocol that is one of the important
network layer protocols in the OSI model and is used to determine a
device's Media Access Control (MAC) address based on its Internet
Protocol (IP) address, in order to communicate with other devices on the
network.
ARP Spoofing Attack: ARP spoofing is a cyber attack that allows hackers
to intercept communications between devices on a network.
Hackers can also use ARP spoofing to alter or block all traffic between
devices on the network.

Types of ARP Spoofing:

Man-in-the-Middle: In the man-in-the-middle attack, hackers use ARP
spoofing to intercept communications that occur between devices on a
network to steal information transmitted between those devices.
Sometimes hackers also use a man-in-the-middle position to modify
traffic between network devices.
Session hijacking: In session hijacking, with the help of ARP spoofing,
hackers are able to extract the session ID or gain unauthorized access
to the victim's private systems and data.
Denial-of-service attacks: A denial-of-service attack is a type of attack in
which one or more victims are denied access to the network. With the help
of ARP spoofing, a single target victim's MAC address is linked with
multiple IP addresses. Because of this, all the traffic is shifted toward the
target victim's MAC address, which overloads the target victim's network
with traffic.

Working:

Scanning: Hackers use ARP spoofing tools to scan the IP and MAC
addresses of hosts.
Selection and Launching: Hackers select their target and then send ARP
packets over the local network containing the hacker's MAC address and
the target's IP address.
Accessing: Once the ARP cache on a host on the local network is
corrupted, the data that host wants to send to the victim is sent to the
hacker instead. Hackers can steal data or launch other attacks from here.
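The defender's side of the "Working" steps above, as an added example that is not from the original notes: a monitor that reads ARP replies and flags the two symptoms of the attack, an IP whose MAC suddenly changes (the "Selection and Launching" step) and one MAC answering for several IPs (the denial-of-service variant). The log format, the gateway binding and the threshold are assumptions for the illustration.

```python
"""Detect ARP cache poisoning from a log of ARP replies."""
from collections import defaultdict

# Constructed monitor log: "<time> <sender_ip> is-at <sender_mac>" per ARP reply.
# The first three lines are the normal state; the last three show one MAC
# (cc:...:99) announcing itself as the gateway and as two other hosts.
SAMPLE_ARP_REPLIES = """\
10:00:01 192.168.1.1 is-at aa:aa:aa:aa:aa:01
10:00:02 192.168.1.20 is-at aa:aa:aa:aa:aa:20
10:00:03 192.168.1.21 is-at aa:aa:aa:aa:aa:21
10:00:09 192.168.1.1 is-at cc:cc:cc:cc:cc:99
10:00:10 192.168.1.20 is-at cc:cc:cc:cc:cc:99
10:00:11 192.168.1.21 is-at cc:cc:cc:cc:cc:99
"""

# Assumed static binding for the gateway, the usual first address to pin down.
STATIC_BINDINGS = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}

def parse_reply(line: str):
    """Split one log line into (time, sender IP, sender MAC)."""
    time, ip, keyword, mac = line.split()
    if keyword != "is-at":
        raise ValueError(f"not an ARP reply: {line!r}")
    return time, ip, mac.lower()

def detect_arp_spoofing(lines, static_bindings=None, max_ips_per_mac=2):
    """Return a list of alerts. Two signals are checked:
      - "mac-changed": an IP bound (statically or by first sight) to one MAC
        is now claimed by a different MAC;
      - "mac-claims-many-ips": one MAC answering for more IPs than a normal
        host would (the threshold is a tunable assumption)."""
    static = dict(static_bindings or {})
    learned = {}
    ips_by_mac = defaultdict(set)
    alerts = []
    for line in lines:
        time, ip, mac = parse_reply(line)
        known = static.get(ip, learned.get(ip))
        if known is not None and known != mac:
            alerts.append(("mac-changed", time, ip, known, mac))
        elif ip not in static:
            learned[ip] = mac  # learn a binding only when nothing contradicts it
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append(("mac-claims-many-ips", time, mac,
                           sorted(ips_by_mac[mac])))
    return alerts

def demo():
    """Run the detector over the constructed log with the gateway pinned."""
    return detect_arp_spoofing(SAMPLE_ARP_REPLIES.splitlines(), STATIC_BINDINGS)
```

A static binding is never overwritten by a learned one, so a spoofed gateway reply keeps raising an alert on every repetition instead of silently winning the cache.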

Question 6
Port Scanning is the name of the technique used to identify available
ports and services on hosts on a network. Security engineers sometimes
use it to scan computers for vulnerabilities, and hackers also use it to
target victims. It can be used to send connection requests to target
computers and then track ports. Network scanners do not actually harm
computers; instead, they make requests that are similar to those sent by
human users who visit websites or connect to other computers using
applications like Remote Desktop Protocol (RDP) and Telnet. A port scan
is performed by sending ICMP echo-request packets with specific flags
set in the packet headers that indicate the type of message being
transmitted.

Types of Port Scans:

To protect your network from port scans, it is essential to understand the
different types of port scans used by hackers.
• Vanilla: The scanner tries to connect to all 65,535 ports
• UDP scan: The scanner looks for open UDP ports
• Sweep: The scanner pings the same port on more than one
computer to see which machines are active
• FTP Bounce: The scanner goes through an FTP server to mask
the source
• Stealth: The scanner prevents the scanned computer from
recording the scan

Types of Ports:

• Open: The host replies and announces that it is listening and
open for queries. An undesired open port means that it is an
attack path into the network.
• Closed: The host responds but notes that no application is
listening. Hackers will scan again in case it is opened later.
• Filtered: The host does not respond to a request. This could
mean that the packet was dropped due to congestion or a firewall.

IP spoofing
IP spoofing, also known as "IP address spoofing", is the process of
sending Internet Protocol (IP) packets with a fake source IP
address in order to mimic another computer system.
Cybercriminals can use IP spoofing to carry out harmful acts
without being detected. It's possible that someone will steal your
data, infect your device with malware, or crash your server.

IP spoofing is a hostile attack in which the threat actor conceals
the real source of IP packets to make it harder to determine where
they originated. To mimic a different computer system, hide the
sender's identity, or both, the attacker produces packets with a
new source IP address. The header field for the source IP address
in the spoofed packet has an address that differs from the true
source IP address.

EMAIL SPOOFING – This is as simple as it sounds: attackers send emails
to unsuspecting victims after adopting the header of certain trusted sources.

URL SPOOFING – This is commonly known as website spoofing.

CALLER ID SPOOFING – This is also known as phone spoofing. In this type
of spoofing, attackers find a way of altering the caller ID sent to your mobile
phone.

TEXT MESSAGE SPOOFING – In this type of attack, the criminal
masquerades as a legitimate recognized sender by altering the header of the
text-sending number.

Question 7

DOS vs DDOS:

| DOS | DDOS |
|---|---|
| DOS stands for Denial of Service attack. | DDOS stands for Distributed Denial of Service attack. |
| In a DoS attack a single system targets the victim system. | In a DDoS attack multiple systems attack the victim's system. |
| The victim PC is loaded with packets of data sent from a single location. | The victim PC is loaded with packets of data sent from multiple locations. |
| A DoS attack is slower as compared to DDoS. | A DDoS attack is faster than a DoS attack. |
| Can be blocked easily as only one system is used. | It is difficult to block this attack as multiple devices are sending packets and attacking from multiple locations. |
| In a DOS attack only a single device is used, with DOS attack tools. | In a DDoS attack, volume bots are used to attack at the same time. |
| DOS attacks are easy to trace. | DDOS attacks are difficult to trace. |
| The volume of traffic in a DoS attack is less as compared to DDoS. | DDoS attacks allow the attacker to send massive volumes of traffic to the victim network. |
| Types of DOS attacks are: 1. Buffer overflow attacks 2. Ping of Death or ICMP flood 3. Teardrop Attack 4. Flooding Attack | Types of DDOS attacks are: 1. Volumetric Attacks 2. Fragmentation Attacks 3. Application Layer Attacks 4. Protocol Attack |

Question 8

IPsec (Internet Protocol Security) is a protocol that provides security for
IP-based communication. IPsec can operate in two modes: Tunnel Mode
and Transport Mode.

Tunnel Mode:
• In Tunnel Mode, the entire original IP packet is encapsulated in a
new IP packet. The new packet is then encrypted and sent over
the network.
• This mode is used when two entire networks need to be
connected over a public network, such as the Internet.
• In Tunnel Mode, the entire IP packet, including the original source
and destination addresses, is encrypted, providing end-to-end
security.

Transport Mode:
• In Transport Mode, only the payload of the IP packet is encrypted,
not the entire packet.
• This mode is used when a single host needs to communicate with
another single host over a public network.
• In Transport Mode, only the data being transmitted is encrypted,
not the header information such as the source and destination
addresses.

When comparing Tunnel Mode and Transport Mode, one key difference
is the level of encryption provided. Tunnel Mode provides end-to-end
security by encrypting the entire IP packet, while Transport Mode only
encrypts the payload of the packet.

Another difference is the use case: Tunnel Mode is used for connecting
entire networks, while Transport Mode is used for host-to-host
communication.

The choice between Tunnel Mode and Transport Mode depends on the
specific requirements of the network and the level of security desired.

Question 9
A firewall is a network security device or software that monitors and controls
incoming and outgoing network traffic based on predetermined security rules. It
acts as a barrier between a trusted internal network and untrusted external
networks, such as the internet, to protect against unauthorized access, malicious
activities, and cyber threats.
Firewalls can be implemented in various forms, including hardware appliances,
software applications, or a combination of both. They operate at different layers
of the OSI (Open Systems Interconnection) model, providing protection at
different levels of the network stack.
Types of firewalls based on their characteristics and deployment methods:

1. Packet Filtering Firewall: Network Layer (Layer 3)
How it Works: Packet filtering firewalls inspect individual packets of data as they
pass through the firewall and determine whether to allow or block them based on
predefined rules, such as source/destination IP addresses, port numbers, and
protocols.
Characteristics: They are typically fast and efficient but offer limited security as
they only examine packet headers and lack deep inspection capabilities.

2. Stateful Inspection Firewall: Network Layer (Layer 3) and Transport
Layer (Layer 4)
How it Works: Stateful inspection firewalls maintain a stateful database of active
connections, tracking the state of each connection and filtering packets based on
the context of the entire session, not just individual packets.
Characteristics: They offer improved security compared to packet filtering firewalls
by understanding the context of network traffic, allowing them to make more
informed decisions about which packets to allow or block.

3. Proxy Firewall (Application Layer Firewall): Application Layer (Layer 7)
How it Works: Proxy firewalls act as intermediaries between internal and external
networks, intercepting and inspecting incoming and outgoing traffic at the
application layer. They establish separate connections for each request, hiding the
internal network's IP addresses and providing additional security features such as
content filtering and caching.
Characteristics: They offer advanced security features and granular control over
network traffic but may introduce latency due to the additional processing
involved in proxying connections.

4. Next-Generation Firewall (NGFW): Network Layer (Layer 3) and above,
including Application Layer (Layer 7)
How it Works: NGFWs integrate traditional firewall capabilities with advanced
security features such as intrusion prevention systems (IPS), deep packet
inspection (DPI), application awareness, and threat intelligence to provide
enhanced protection against modern threats.
Characteristics: They offer comprehensive security features to address evolving
cyber threats, including application-level attacks, malware, and advanced
persistent threats (APTs).

5. Unified Threat Management (UTM): Network Layer (Layer 3) and above,
including Application Layer (Layer 7)
How it Works: UTM appliances consolidate multiple security functions, including
firewall, intrusion detection/prevention, antivirus, content filtering, VPN, and
more, into a single integrated device or software platform.
Characteristics: They provide simplified management and comprehensive security
coverage, making them suitable for small to medium-sized businesses (SMBs) and
organizations with limited IT resources.
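The difference between types 1 and 2 above, as an added example that is not from the original notes: both engines see the same constructed packet sequence, an internal client opening an HTTPS session and the server's reply, followed by an unsolicited inbound packet that merely uses source port 443. The rule set, the address range and the packet fields are assumptions for this illustration.

```python
"""Packet filtering (stateless) vs stateful inspection on the same packets."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, so "SA" is SYN/ACK

INTERNAL_PREFIX = "10.0.0."  # assumed address range of the trusted side

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def packet_filter(pkt: Packet) -> str:
    """Layer-3/4 header rules, each packet judged on its own.
    Rule 1 lets internal hosts reach HTTPS. Rule 2 is needed so the server's
    replies can come back in, but a header-only rule cannot tell a genuine
    reply from any inbound packet that happens to use source port 443."""
    if is_internal(pkt.src_ip) and pkt.dst_port == 443:
        return "allow"
    if not is_internal(pkt.src_ip) and pkt.src_port == 443:
        return "allow"
    return "deny"

class StatefulFirewall:
    """Keeps a table of sessions opened from inside; inbound packets are
    allowed only if they belong to one of them (teardown and timeouts omitted)."""

    def __init__(self):
        self.connections = set()  # (src_ip, src_port, dst_ip, dst_port)

    def inspect(self, pkt: Packet) -> str:
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if is_internal(pkt.src_ip) and pkt.dst_port == 443 and pkt.flags == "S":
            self.connections.add(forward)  # a new outbound session starts
            return "allow"
        if forward in self.connections or reverse in self.connections:
            return "allow"  # belongs to a tracked session, either direction
        return "deny"

# Constructed traffic: one legitimate HTTPS session, then an unsolicited
# inbound packet from an unknown host with source port 443.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S"),    # client SYN
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA"),   # server SYN/ACK
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "A"),    # client ACK
    Packet("198.51.100.7", 443, "10.0.0.5", 3389, "SA"),    # unsolicited
]

def compare(packets):
    """Return (packet-filter verdict, stateful verdict) per packet, in order."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.inspect(p)) for p in packets]
```

The stateless filter must choose between blocking replies and admitting the fourth packet; the stateful engine allows the first three because they belong to the tracked session and denies the fourth because no session matches it.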

Question 10

A system called an intrusion detection system (IDS) observes network
traffic for malicious transactions and sends immediate alerts when it is
observed. It is software that checks a network or system for malicious
activities or policy violations. Each illegal activity or violation is often
recorded either centrally using an SIEM system or notified to an
administration. IDS monitors a network or system for malicious activity and
protects a computer network from unauthorized access from users,
including perhaps insiders. The intrusion detector learning task is to build
a predictive model (i.e. a classifier) capable of distinguishing between 'bad
connections' (intrusion/attacks) and 'good (normal) connections'.

Working of Intrusion Detection System (IDS)

• An IDS (Intrusion Detection System) monitors the traffic on
a computer network to detect any suspicious activity.
• It analyzes the data flowing through the network to look for
patterns and signs of abnormal behavior.
• The IDS compares the network activity to a set of predefined
rules and patterns to identify any activity that might indicate an
attack or intrusion.
• If the IDS detects something that matches one of these rules or
patterns, it sends an alert to the system administrator.
• The system administrator can then investigate the alert and take
action to prevent any damage or further intrusion.

Intrusion Detection System Evasion Techniques

• Fragmentation
• Packet Encoding
• Traffic Obfuscation
• Encryption

Benefits of IDS
• Detects malicious activity
• Improves network performance
• Compliance requirements
• Provides insights
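The rule-matching step of the "Working" list, together with the first two evasion techniques, as an added example that is not from the original notes: a single signature (the tautology quoted in Question 12) is run over a constructed HTTP request that arrives percent-encoded, split into out-of-order fragments, once per fragment and once after reassembly and decoding. The request, the cut points and the signature name are constructed for the illustration.

```python
"""Signature-based IDS matching: per-fragment vs after reassembly and decoding."""
import re
from urllib.parse import unquote

# One signature, for the tautology shown in Question 12; a real IDS loads
# many such patterns from a rule set.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
}

# Constructed HTTP request with the payload percent-encoded (packet encoding).
REQUEST = b"GET /login?user=admin&pass=%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n"

def fragment(payload: bytes, cuts):
    """Split payload into (offset, chunk) pairs at the given byte offsets."""
    bounds = [0] + list(cuts) + [len(payload)]
    return [(bounds[i], payload[bounds[i]:bounds[i + 1]])
            for i in range(len(bounds) - 1)]

# Cuts at 30 and 40 land inside the encoded payload (40 splits a "%27" in
# half), and the fragments are delivered last-first: fragmentation evasion.
FRAGMENTS = fragment(REQUEST, [30, 40])[::-1]

def match_signatures(data: bytes):
    """Normalise (percent-decode) and then run every signature; return the hits."""
    text = unquote(data.decode("latin-1"))
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def naive_per_fragment(fragments):
    """What an IDS sees if it inspects each fragment on its own."""
    hits = set()
    for _, chunk in fragments:
        hits.update(match_signatures(chunk))
    return sorted(hits)

def reassemble(fragments) -> bytes:
    """Rebuild the original stream from out-of-order fragments.
    Gaps and overlaps are rejected here; a real IDS needs an explicit policy
    for them, because the end host and the IDS may resolve overlaps differently."""
    data = bytearray()
    for offset, chunk in sorted(fragments, key=lambda f: f[0]):
        if offset != len(data):
            raise ValueError(f"gap or overlap at offset {offset}")
        data += chunk
    return bytes(data)

def verdicts(fragments):
    """(hits without reassembly, hits after reassembly and decoding)."""
    return naive_per_fragment(fragments), match_signatures(reassemble(fragments))
```

Per-fragment inspection sees only "' ", " OR %2" and "71'='1" and matches nothing; after reassembly and decoding the same signature fires.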

Question 11

Buffer overflow is a software coding error or vulnerability that can be
exploited by hackers to gain unauthorized access to corporate systems. It
is one of the best-known software security vulnerabilities yet remains
fairly common. This is partly because buffer overflows can occur in various
ways and the techniques used to prevent them are often error-prone.

The software error focuses on buffers, which are sequential sections of
computing memory that hold data temporarily as it is transferred between
locations. Also known as a buffer overrun, buffer overflow occurs when
the amount of data in the buffer exceeds its storage capacity. That extra
data overflows into adjacent memory locations and corrupts or overwrites
the data in those locations.

A buffer overflow attack takes place when an attacker manipulates the
coding error to carry out malicious actions and compromise the affected
system. The attacker alters the application's execution path and overwrites
elements of its memory, which amends the program's execution path to
damage existing files or expose data.

A buffer overflow attack typically involves violating programming
languages and overwriting the bounds of the buffers they exist on. Most
buffer overflows are caused by the combination of manipulating memory
and mistaken assumptions around the composition or size of data.

A buffer overflow vulnerability will typically occur when code:

• Is reliant on external data to control its behavior
• Is dependent on data properties that are enforced beyond its
immediate scope
• Is so complex that programmers are not able to predict its behavior
accurately

Question 12

SQL injection is a code injection technique that might destroy your
database.

SQL injection is one of the most common web hacking techniques.

SQL injection is the placement of malicious code in SQL statements, via
web page input.

SQL in Web Pages

SQL injection usually occurs when you ask a user for input, like their
username/userid, and instead of a name/id, the user gives you an SQL
statement that you will unknowingly run on your database.

Here's how it works

1. Injection Point Identification: The attacker identifies input fields on a web
form or URL parameter where user-supplied data is directly included in SQL
queries without proper validation or sanitization.
2. Crafting Malicious Input: The attacker crafts a malicious SQL query by
injecting SQL code into the input fields. For example, if the application uses a
query like SELECT * FROM users WHERE username='$username' AND
password='$password', the attacker might input something like ' OR '1'='1.
3. Exploiting the Vulnerability: When the application receives the input, it
interprets it as part of the SQL query. In this example, the attacker's input
alters the logic of the query to always return true, effectively bypassing any
authentication mechanism and allowing unauthorized access.
4. Executing Malicious Queries: The manipulated SQL query is executed by the
application's database server, resulting in unintended actions such as
accessing, modifying, or deleting data. In some cases, the attacker might even
gain administrative access to the entire database server.
5. Exfiltrating Data: Once the attacker gains access to the database, they can
retrieve sensitive information such as user credentials, personal data, or
financial records. This data can be used for further attacks, identity theft, or
sold on the black market.
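The login query from steps 2 and 3 above in both forms, as an added example that is not from the original notes: the vulnerable version pastes the input into the SQL text, the hardened version binds it as a parameter, and both are run against a constructed single-user SQLite table. The table, the credentials and the function names are assumptions for the illustration.

```python
"""The login query from the steps above, built by string formatting (vulnerable)
and with bound parameters (hardened), run against an in-memory SQLite table."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed single-user table. The password is stored in clear only so
    the query matches the notes' example; real systems store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def build_query_vulnerable(username: str, password: str) -> str:
    """Step 1, the injection point: user input is pasted into the SQL text."""
    return (f"SELECT * FROM users WHERE username='{username}' "
            f"AND password='{password}'")

def login_vulnerable(conn, username: str, password: str) -> bool:
    """Step 3: the database parses the quotes and OR inside the input as SQL,
    so the WHERE clause becomes (... AND password='') OR '1'='1'."""
    query = build_query_vulnerable(username, password)
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username: str, password: str) -> bool:
    """Hardened: the SQL text is fixed; the values travel separately as
    parameters, so a quote or OR inside them is only data to compare against."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None

def demo():
    """Compare both versions on valid, wrong and tautology input."""
    conn = make_db()
    tautology = "' OR '1'='1"      # the input quoted in step 2 above
    return {
        "valid/vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "valid/parameterized": login_parameterized(conn, "alice", "correct-horse"),
        "wrong/vulnerable": login_vulnerable(conn, "alice", "nope"),
        "wrong/parameterized": login_parameterized(conn, "alice", "nope"),
        "tautology/vulnerable": login_vulnerable(conn, "alice", tautology),
        "tautology/parameterized": login_parameterized(conn, "alice", tautology),
    }
```

Both versions accept the real credentials and reject a wrong password; only the string-built query also accepts the tautology, because the database never sees it as a value.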
