
Network Security

Dr. Imran Rashid

irashid@mcs.edu.pk
About Myself
 PhD (University of Manchester, UK) – 2007 to 2011
 MS (Technical University of Denmark (DTU)) – 2002 to 2004
 BE (MCS – NUST) – 1996 to 1999 (President Gold Medal)
 Certified Ethical Hacker (CEH) – 2014
 Computer Hacking Forensic Investigator (CHFI) – 2014
 EC-Council Certified Security Analyst (ECSA) – 2015
 EC-Council Certified Incident Handler (ECIH) – 2016
 Certified EC-Council Instructor (CEI)
 4 x PhD students completed PhD in 2020-21 under my supervision
 Supervising 5 x PhD students; Co-supervising 3 x PhD students
 Supervising 6 x MS thesis students
Adv NW Security

Course Serial: IS-821
Title: Adv NW Security
Credit Hrs: 3 (3+0)
Pre-requisite: Comp NW
Text Books:
 Raymond R. Panko (2004), Corporate Computer and Network Security
Reference Books:
 Network Security Essentials: Applications and Standards by William Stallings.
Goals/Objectives

 Security course – help to bring computer and network security into the organisation
 Additional issues associated with risk and data protection
Course Contents
 The Threat Environment: Attackers and their Attacks, Basic Security Terminology, Employee and Ex-Employee Threats, Traditional External Attacks, The Criminal Era, Cyberwar and Cyberterror, A Constantly Changing Threat Environment.
 DDoS and Traceback: TCP Handshake, IP Spoofing & SYN Flood, Distributed DoS (DDoS) Attacks, Prevention and Detection, Traceback, Input Debugging, Controlled Flooding, ICMP Traceback, Probabilistic Marking, Botnets.
 Elements of Cryptography: Introduction, Cryptographic Systems, VPN, SSL/TLS, WAN Security, Ethernet Security, Wireless Security.
 IP Security: IPSec Architecture & Concepts, IPSec Authentication Header, IPSec Encapsulating Security Payload, Key Management – Concepts, Manual Exchange, Internet Key Exchange, IPSec Strengths & Weaknesses, Implementation of IPSec.
 Access Controls: Organizational and Human Controls, Physical Access and Security, Biometric Authentication, Cryptographic Authentication, Authorization, Central Authentication, Directory Servers, Full Identity Management.
 Firewalls: Introduction, Typical Configuration, Static Packet Filtering, Stateful Packet Filtering, NAT, Application Proxy Firewalls and Content Filtering, Firewall Architecture, Encrypted Tunnels, Firewall Management.
 Intrusion Detection & Prevention Systems: Elements of Intrusion Detection, Approaches, Misuse Detection, Anomaly Detection, Monitoring Networks and Hosts, Audit Data Preprocessing, Host-based IDSs, Network IDSs, Antivirus Filtering and Unified Threat Management, Intrusion Response for Threats.
Policies
 Attendance Policy: Attendance at all lectures is mandatory and
participation in class discussions is highly encouraged.
Assessments
 Final Term
 OHT-1 & OHT-2 (Midterm Exam)
 Paper writing
 Assignments/Project
World's Biggest Data Breaches

Personal data of a billion Indians sold online for £6, report claims

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
https://www.zdnet.com/article/details-of-44m-pakistani-mobile-users-leaked-online-part-of-bigger-115m-cache/
Backdoor found in Netis or Netcore Routers
 Netcore or Netis routers have a backdoor that can easily be used to run arbitrary code on these routers
 Open UDP port listening at port 53413
 The port is accessible from the WAN side of the router
 Hardcoded password located in the router’s firmware
 Users cannot modify or disable this backdoor
How funny the security is
Kevin Mitnick
• Served a five-year sentence
• One of the most wanted hackers
• Started out by riding buses for free
• Hacked various organizations
• Now runs a security firm named Mitnick Security Consulting
• A Hollywood movie, “Takedown”, was made about him in 2000
• IMDB rating is 6.3
• A documentary titled “Freedom Downtime” was also made in 2001
Gary McKinnon
• Scottish system administrator and hacker
• Biggest military computer hacker of all time
• Hacked 97 United States military and NASA computers in a 13-month period between February 2001 and March 2002
Albert Gonzalez
 Stole credit-card information
 130 million card numbers
 Largest retail-store theft in U.S. history
 Sold these credit card details from 2005 through 2007, the biggest such fraud in history
Home‐computer Users at Risk Due to Use of ‘Folk Model’ Security

EAST LANSING, Mich. — Most home computers are vulnerable to hacker attacks because the users either mistakenly think they have enough security in place or they don’t believe they have enough valuable information that would be of interest to a hacker.
That’s the point of a paper published this month by Michigan State University’s Rick Wash, who says that most home‐computer users rely on what are known as “folk models.” Those are beliefs about what hackers or viruses are that people use to make decisions about security – to keep their information safe.
Unfortunately, they don’t often work the way they should.
“Home security is hard because people are untrained in security,” said Wash, an assistant professor in the Department of Telecommunication, Information Studies and Media. “But it isn’t because people are idiots. Rather they try their best to make sense of what’s going on and frequently make choices that leave them vulnerable.”
http://news.msu.edu
RANSOMWARE

CryptoLocker – 2013: spread via attachments to spam messages; infected over 500,000 machines
TeslaCrypt – 2016: variant of CryptoLocker
SimpleLocker – 2016: Android based
WannaCry – 2017: shut down hospitals in Ukraine and radio stations in California; 250,000 detections in 116 countries
Petya and NotPetya – 2016-2017: encrypts the hard drive system table; total damages more than $10 billion
THE WORST CYBERSECURITY BREACHES OF 2018 SO FAR

Cyber attacks – 2018: 215,000,000 records leaked so far
Personal data and booking information from 13 hotels operated by Huazhu Hotels Group has been leaked
Misc Data Breaches
• T Mobile
• Babysitting App
• Melbourne Health Records
• Superdrug customer data
• Moscow Police records
• Medspring medical records
• Reddit breach
• and many more . . . .

Financial Breaches
• Credit Card Issuer TCM Bank Leaked Applicant Data
• Fiserv Flaw Exposed Customer Data at Hundreds of Banks
• Data leaks at 2 Thai banks spark call for legal safeguards
• CreditMate, a private financial technology company, exposed 19,000 customers’ data

The U.K.’s Financial Conduct Authority issued a £16.4 million ($21.4 million) penalty to Tesco Bank for failing to protect clients from a cyber attack in November 2016 (£2.26 million was stolen from 9,000 customers).
Computer Security

1. Security is a state of well‐being of information and infrastructure
2. Computer security refers to the protection of computer systems and the information a user stores or processes
3. Users should focus on various security threats and countermeasures in order to protect their information assets

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Why Security?

Computer security is important for protecting the confidentiality, integrity, and availability of computer systems and their resources
Computer administration and management have become more complex, which produces more attack avenues
Evolution of technology has focused on the ease of use while the skill level needed for exploits has decreased
Network environments and network‐based applications provide more attack paths
Layers of Security

Layer 1 – Physical Security: Safeguards the personnel, hardware, programs, networks, and data from physical threats
Layer 2 – Network Security: Protects the networks and their services from unauthorized modification, destruction, or disclosure
Layer 3 – System Security: Protects the system and its information from theft, corruption, unauthorized access, or misuse
Layer 4 – Application Security: Covers the use of software, hardware, and procedural methods to protect applications from external threats
Layer 5 – User Security: Ensures that a valid user is logged in and that the logged‐in user is allowed to use an application/program
Potential Losses Due to Attacks
Misuse of computer resources
Financial loss
Unavailability of resources
Data loss/theft
Loss of trust
Identity theft
Threat Environment

The threat environment consists of the types of attackers and attacks that companies face
1-1: Basic Security Terminology
 Security Goals
 Confidentiality
 Confidentiality means that people cannot read sensitive information, either while it is on a computer or while it is traveling across a network.
 Integrity
 Integrity means that attackers cannot change or destroy information, either while it is on a computer or while it is traveling across a network. Or, at least, if information is changed or destroyed, then the receiver can detect the change or restore destroyed data.
 Availability
 Availability means that people who are authorized to use information are not prevented from doing so
 Compromises
 Successful attacks
 Also called incidents
 Also called breaches (not breeches)
 Countermeasures
 Tools used to thwart attacks
 Also called safeguards, protections, and controls

Copyright Pearson Prentice-Hall 2010
1-2: The TJX Data Breach
 The TJX Companies, Inc. (TJX)
 A group of more than 2,500 retail store companies operating in the United States, Canada, England, Ireland, and several other countries
 Does business under such names as TJ Maxx and Marshalls
Network/Cyber Security Importance

The array of networked/smart devices and the internet have rendered users of modern IT technologies extremely vulnerable to covert cyber attacks

UNDERSTANDING CYBER SPACE

A notional environment of interdependent networks of IT infrastructure which includes the internet, telecommunication networks, computer systems and embedded processors / controllers in critical industries / enterprises

GLOBAL CYBER SPACE ENVIRONMENT

Approximately 51% of the world population is an active user of the internet and related technologies, and almost 100% are affected by them

SIGNIFICANT GLOBAL CYBER OPERATIONS
RUSSIAN CYBER ATTACK ON ESTONIA

 Reportedly, Russia conducted a Distributed Denial of Service (DDoS) cyber attack against Estonia in 2007
 National identification, banking, parking services etc. were inaccessible
OPERATION ORCHARD

 Operation Orchard – 2007
 Malware installed by Mossad in the laptop of a senior officer of the Syrian Army
 Syrian nuclear plans hacked by Israel
 Israel conducted air strikes and destroyed the nuclear facility at Kibar Camp

(Figure: Kibar Camp, before and after air strikes)
RUSSIAN CYBER ATTACK ON GEORGIA

 War between Russia and Georgia in 2008
 Cyberattacks conducted by Russia
 Result – Paralysis of major public services for 5 days
US’s CYBER ATTACK ON IRAN

 US and Israel launched a cyber attack on Iran using malware named Stuxnet in 2010
 Reportedly, one fifth of Iranian nuclear centrifuges were damaged
WORLD’S LARGEST CYBER ATTACK
 Largest Cyber Attack on Backbone of Internet – Oct 2016
 Targets – Amazon, BBC, CNN, Netflix, Twitter etc.
 Effects Achieved – Disruption of Internet by Hackers

(Figure: Global Cyber Attack)
US ELECTIONS HACKED

 US suspected that Russia hacked their recent elections

DUTCH ELECTIONS
 Amid “hacking” fears, the Dutch Government decided that general elections will be entirely conducted manually and votes will be counted by hand and tallied with pen and paper

NSA’S WORLDWIDE SURVEILLANCE
 Edward Snowden defected from the US in 2013
 Revealed information regarding various cyber-attacks by the US
NSA’S WORLDWIDE SURVEILLANCE

Skynet – Surveillance program by NSA
 Location of mobiles (specially focusing on Pakistan)
 Call Data Records (CDRs)

 NSA can hack network devices and servers during shipment
 Tailored Access Operations (TAO) – Cyber Warfare Wing of NSA
 Google, Hotmail, Yahoo, Facebook & Skype – Accessible to NSA
CYBER ATTACK ON UKRAINE
 Cyber attack on Ukraine’s power grid in 2015 and 2016
 Massive power outage
 Reportedly the attack originated from Russia

CYBER ATTACKS ON BANKS
 Bangladesh’s Central Bank, 101 million USD – Feb 2016
 Ukrainian Bank – 10 million USD – Jun 2016

CYBER TERRORISM
 ISIS Cyber Warfare Wing – United Cyber Caliphate
 Capabilities
 Support to evade monitoring
 Conduct cyber attacks
 ISIS released a list of 1400 officers of the US Armed Forces
 Paris Attacks 2015
 ISIS’s cyber attacks against servers in the UK, Canada etc.
 Disrupted some servers in target countries
CYBERSECURITY EFFORTS AT NATIONAL LEVEL

• National Cyber Security Policy – July 2021 (22 Pages)
• Prevention of Electronic Crime Act 2016
• National Telecom and Information Security Board (NTISB), Cabinet Division
• National Response Centre for Cyber Crime (NR3C) at FIA Islamabad
• Cybercrime Hotline (9911) and SMS Alert Service
• Act for Website Monitoring – 2015
• Computer Forensic Unit at Punjab Forensic Science Agency, 2011
• Digital Forensic Lab at Sindh Police Forensics Division, 2012
• Pakistan Research Centre for Cyber Security (PRCCS)
• Policy for Internet, Website, Email for Government – 2009/11
• Act for Protection from Spam – 2009
• Cyber Defence Day – 6 Sep
PAK CYBER SPACE ENVIRONMENT

• Fastest growing cellular market (72% penetration)
• Well developed IT industry
• Major portion of internet traffic routed through India (submarine cables)
• Limited monitoring mechanism for ISPs
• Absence of state owned Telco
• Absence of national level CERT (efforts in hand)
• Heavy reliance on foreign equipment / technology

Approximately 35% of Pakistan’s population is an active user of the internet and related technologies
PAK CYBER SECURITY POLICY
National Cyber Security Policy, July 2021

Information being a National asset, its management, governance, and regulation must be synchronized at the National level using all available resources, to secure this time-sensitive and valuable asset (Para 1.3.1)

The existing legislation related to Cyber Security is not sufficient to provide an adequate mechanism and there is a dire need to transform it in such a manner that it should keep the interest of the nation in letter and spirit without fail. (Para 1.3.2 (i))

VISION
The vision is for Pakistan to have a secure, robust, and continually improving nationwide digital ecosystem ensuring accountable confidentiality, integrity, and availability of digital assets leading to socio-economic development and national security (Para 2.1)

Objectives
• To establish governance and institutional framework
• To enhance the security of national information systems and infrastructure
• To create a protection and information sharing mechanism at all tiers capable to monitor, detect, protect and respond against threats
• To mandate national security standards and processes
• To create an information assurance framework of audits and compliance
• To ensure the integrity of ICT products, systems, and services by establishing a mechanism of testing, screening, forensics, and accreditation
• To protect the online privacy of the citizens
• To create a country-wide culture of Cyber Security awareness
• To train skilled Cyber Security professionals
• To encourage and support indigenization and development of Cyber Security solutions
• To provide a framework on national-global cooperation and collaborations
• To identify and process legislative and regulatory actions
PREVENTION OF ELECTRONIC CRIME ACT – 2016

NATIONAL CYBER SECURITY CHALLENGES
Implementation of Cyber Security laws / regulations
Absence of national level CERT
Absence of adequate disaster recovery mechanism
Critical national networks are prone to cyber threats
Lack of qualified Cyber Security workforce both in public and private sectors
Less emphasis on Cyber Security awareness at all levels
PAK’s CYBER THREAT PROFILE
60 major national level cyber attacks during the last 8 years

Cyber threat is ever evolving and pervasive
Lack of Cyber Security awareness at all levels
Need for improvement in the cyber governance framework and Cyber Security laws / regulations
Absence of a national level system for detection of cyber threats and situational awareness
Dependence on foreign vendors for hardware and software products
Most of the critical networks are connected to the public internet
Lack of effective public private partnerships
Lack of coherence amongst various cyber security organizations and initiatives
Disaster recovery management system of the national framework is missing
Lack of qualified Cyber Security workforce both in public and private sectors
Widespread use of social media networks in public without requisite safeguards
Poor and missing arrangements at embassies and DAs abroad
Lack of international cooperation for mitigating threats from outside own borders
IXP
An Internet exchange point (IXP) is a physical location through which Internet infrastructure companies such as Internet Service Providers (ISPs) connect with each other and with international Internet Service Providers

IXP of UK: London Internet Exchange (“LINX”)

PKNIC
The .pk (dotPK) country code top-level domain (ccTLD) is private property
Ashar Nisar is the Founder and Chief Executive of PKNIC
Government of Pakistan has no control over .pk
INTERNET SOVEREIGNTY (DIGITAL SOVEREIGNTY/SPLINTERNET)

Internet sovereignty is the effort of a governing entity to create boundaries on a network and then exert control, often in the form of law enforcement, over such boundaries

Examples: Digital Iron Curtain of Russia; Canadian Cyber Shield
CASE STUDY – 1 (Open Source Profiling)

Availability of personal details including email ID on a website
RUSSIA UKRAINE WAR
Before Invasion
1. Researchers discovered destructive malware called WhisperGate circulating in Ukraine
2. Distributed denial of service (DDoS) attacks knocked out Ukrainian banking and government websites

War begins 24 Feb 2022
In the early hours of Feb. 24, as Russian forces entered eastern Ukraine, hackers crippled tens of thousands of satellite internet modems in Ukraine

Hybrid War Continues
After the invasion, Russian hackers compromised several important Ukrainian organizations, including nuclear power companies, media firms and government entities

Malware named Industroyer 2
Russia's military intelligence agency designed Industroyer 2, which could manipulate equipment in electrical utilities to control the flow of power

Reference
https://www.reuters.com/world/europe/factbox-the-cyber-war-between-ukraine-russia-2022-05-10/
CASE STUDY – 1 (Open Source Profiling)

Identification of Facebook ID through email ID

• Insecure privacy settings of Facebook allowed the attacker to identify the friends’ list
• Masqueraded as a friend and successfully hacked the Facebook account (acquired password)

CASE STUDY – 1 (Exploitation)

• The same password was also used for the email
• Email was accessed – contents of the emails gave a fair idea about the friends’ interests
• Later, attack signatures were developed and wrapped in documents / pictures of interest
• Attack signatures were sent to all friends
• A large number of friends were also hacked
• Data stored on their systems was acquired by the hacker
CASE STUDY – 2 (Bulk Spread of Malwares)

Attack Methodology
‒ Hackers sent bulk emails with attack signatures or links to files
‒ The links / attachments were given names of interest (important documents, pornography etc.)
‒ On opening the attachment / linked file, computers got infected
‒ Upon infection, data was stolen from computers without the knowledge of the user
CASE STUDY – 2 (Bulk Spread of Malwares) – slide images

(Figure: URL)
(Figure: Attack signature hidden behind the document)
(Figure: On opening the document, attack signature executed)
(Figure: Attack signature hidden behind pornography)
(Figure: Lost Data)