This document discusses cyber security vulnerabilities. It defines a vulnerability as a weakness that can be exploited by malicious actors. Some examples of vulnerabilities include missing encryption, unlocked doors, and weak passwords. The causes of vulnerabilities include complexity, familiarity, connectivity, poor password management, and human error. The main types of vulnerabilities are misconfigurations, unsecured APIs, outdated software, zero-day vulnerabilities, and weak credentials. Managing vulnerabilities requires practices like regular software updates, access control, and password policies.

Uploaded by 8598 Tushar Modi

Cyber Security

UNIT 2: Cyber security key aspects

Dr. G. Veera Senthil Kumar, Assistant Professor, IMU
Definition of Cyber Security Vulnerability

A vulnerability in cybersecurity is a weakness in a host or
system, such as a missed software update or system
misconfiguration, that can be exploited by cybercriminals to
compromise an IT resource and advance the attack path.
Identifying cyber vulnerabilities is one of the most
important steps that organizations can take to improve and
strengthen their overall cybersecurity posture.
Most of us use the terms vulnerability, threat and risk
interchangeably. However, in the cybersecurity world, these
terms have distinct and specific meanings.
A threat is a malicious act that can exploit a security
vulnerability.

A risk is what happens when a cyber threat exploits a
vulnerability. It represents the damage that could be caused to
the organization in the event of a cyberattack.
A vulnerability is a weakness that can be exploited by a
malicious actor. For example, unpatched software or overly
permissive accounts can provide a gateway for cybercriminals to
access the network and gain a foothold within the IT
environment.
Examples of cyber security vulnerabilities: missing data
encryption, lack of security cameras, unlocked doors at
businesses, unrestricted upload of dangerous files, code
downloads without integrity checks, use of broken algorithms,
URL redirection to untrustworthy websites, weak and
unchanged passwords, and websites without Secure Sockets
Layer (SSL).
Causes of Cyber Security Vulnerabilities
Complexity: The likelihood of errors, defects, or
unauthorized access increases with complex systems.
Familiarity: Attackers may already be acquainted with
common code, operating systems, hardware, and software
that result in well-known vulnerabilities.
Connectivity: Vulnerabilities are more likely to exist in
connected devices. It is better to avoid connecting to
multiple devices unnecessarily.
Poor Password Management: This can cause several data
breaches because of weak or repeated passwords. It is
important to change passwords using strong password
generators regularly.

Internet: Spyware and adware that can be loaded on computers
automatically are abundant on the internet.
Operating System Flaws: Operating systems can also be flawed.
Operating systems that aren’t safe by default might give users
unrestricted access and serve as a haven for malware and
viruses.
Software Bugs: Sometimes, programmers may unintentionally
introduce a vulnerability that can be exploited.
Unchecked User Input: If software or a website presumes that all
user input is secure, SQL injection may be executed without the
user’s knowledge.
People: For most organizations, social engineering poses the
biggest concern. Therefore, one of the main sources of
vulnerability can be people.

Types of Cyber Vulnerabilities
When reviewing your company’s cybersecurity posture and
approach, it’s important to realize that cybersecurity
vulnerabilities are within the control of the organization —
not the cybercriminal.

There are seven common types of cyber vulnerability; let us
study each of them and how organizations can neutralize them.

Misconfigurations
Misconfigurations are the single largest threat to both cloud and app
security. Because many application security tools require manual
configuration, this process can be rife with errors and take
considerable time to manage and update.
In recent years, numerous publicly reported breaches started with
misconfigured S3 buckets (a public cloud storage resource) that were
used as the entry point. The absence of perimeter security within the
cloud further compounds the risk associated with misconfigurations.
Hence, it is important for organizations to adopt security tooling and
technologies that automate the configuration process and reduce the
risk of human error within the IT environment.
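As an added illustration (not code from the lecture), here is an automated check for the misconfiguration just described: a bucket policy that grants anonymous read access, placed next to the restricted version. The bucket name, IAM role and account id are constructed placeholders, and the checker only inspects Principal and Action, not Condition blocks or account-level Block Public Access settings.

```python
import json

# Constructed example policies. "example-reports", the ReportReader role and the
# account id 123456789012 are placeholders, not real resources.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone on the Internet
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReaderRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
})


def is_public_principal(principal) -> bool:
    """True when a statement's Principal means 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json: str) -> list:
    """Return the Allow statements that grant anonymous access, with the actions
    and resource they expose. Only Principal/Action are inspected here; a real
    scanner must also evaluate Condition blocks and Block Public Access settings."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({"sid": stmt.get("Sid"), "actions": actions,
                         "resource": stmt.get("Resource")})
    return findings


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, find_public_statements(policy))
```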

Unsecured APIs
Another common security vulnerability is unsecured application
programming interfaces (APIs). APIs provide a digital interface that
enables applications or components of applications to communicate
with each other over the internet or via a private network.
APIs are one of the few organizational assets with a public IP address. If
not properly and adequately secured, they can become an easy target for
attackers to breach.
As with misconfigurations, securing APIs is a process prone to human
error.
IT teams may simply be unaware of the unique security risk.
Conducting security awareness training to educate teams on security
best practices specific to the cloud — such as how to store secrets, how to
rotate keys and how to practice good IT hygiene during software
development — is critical in the cloud, just as in a traditional environment.

Outdated or Unpatched Software
Software vendors periodically release application updates to
either add new features and functionalities or patch known
cybersecurity vulnerabilities. Unpatched or outdated
software often makes for an easy target for advanced
cybercriminals.

While software updates may contain valuable and important
security measures, it is the responsibility of the organization
to update their network and all endpoints.

Unfortunately, because updates from different software
applications can be released daily and IT teams are typically
overburdened, it can be easy to fall behind on updates and
patching, or miss a new release entirely.
Failing to update even one machine can have potentially
disastrous consequences for the organization, providing an
attack path for ransomware, malware and a host of other
security threats.
To help address this issue, organizations should develop and
implement a process for prioritizing software updates and
patching.
To the extent possible, the team should also automate this
activity so as to ensure systems and endpoints are as up to
date and secure as possible.
Zero-day Vulnerabilities
A zero-day vulnerability refers to a security flaw that has
been discovered by a threat actor but is unknown to the
enterprise and software vendor.

The term “zero-day” is used because the software vendor
was unaware of their software vulnerability, and they’ve
had “0” days to work on a security patch or an update to fix
the issue; meanwhile it is a known vulnerability to the
attacker.

Zero-day attacks are extremely dangerous for companies
because they can be very difficult to detect.
To effectively detect and mitigate zero-day attacks, a
coordinated defense is needed — one that includes both
prevention technology and a thorough response plan in the
event of a cyberattack.
Organizations can prepare for these stealthy and damaging
events by deploying a complete endpoint security solution
that combines technologies including next-gen antivirus
(NGAV), endpoint detection and response (EDR) and threat
intelligence.

Weak or Stolen User Credentials
Many users fail to create unique and strong passwords for each
of their accounts. Reusing or recycling passwords and user IDs
creates another potential avenue of exploitation for
cybercriminals.
Weak user credentials are most often exploited in brute force
attacks when a threat actor tries to gain unauthorized access to
sensitive data and systems by systematically trying as many
combinations of usernames and guessed passwords as
possible.
If successful, the actor can enter the system and masquerade as
the legitimate user; the adversary can use this time to move
laterally, install back doors, gain knowledge about the system
to use in future cyberattacks, and, of course, steal data.
To address this particular cybersecurity vulnerability,
organizations should set and enforce clear policies that
require the use of strong, unique passwords and prompt
users to change them regularly.
Organizations should also consider implementing a
multifactor authentication (MFA) policy, which requires
more than one form of identification, such as both a
password and a fingerprint or a password and a one-time
security token, to authenticate the user.

Access Control or Unauthorized Access

Companies often grant employees more access and
permissions than needed to perform their job functions. This
increases identity-based threats and expands access to
adversaries in the event of a data breach.

To address this issue, organizations should implement the
Principle of Least Privilege (POLP), a computer security
concept and practice that gives users limited access rights
based on the tasks necessary to their job. POLP ensures only
authorized users whose identity has been verified have the
necessary permissions to execute jobs within certain systems,
applications, data and other assets.

POLP is widely considered to be one of the most effective
practices for strengthening the organization’s cybersecurity
posture, in that it allows organizations to control and monitor
network and data access.

Misunderstanding the “Shared Responsibility Model” (Runtime Threats)
Cloud networks adhere to what is known as the “shared
responsibility model.” This means that much of the
underlying infrastructure is secured by the cloud service
provider. However, the organization is responsible for
everything else, including the operating system, applications
and data.
Unfortunately, this point can be misunderstood, leading to
the assumption that cloud workloads are fully protected by
the cloud provider.
This results in users unknowingly running workloads in a
public cloud that are not fully protected, meaning
adversaries can target the operating system and the
applications to obtain access.

Organizations that are using the cloud or shifting to a cloud
or hybrid work environment must update their
cybersecurity strategy and tooling to ensure they are
protecting all areas of risk across all environments.
Traditional security measures do not provide security in a
cloud environment and must be supplemented to provide
enhanced protection from cloud-based vulnerabilities and
threats.

Cyber Security Safeguards
Cybersecurity safeguards are all kinds of control measures that
support the fulfillment of requirements or the achievement of
objectives related to cybersecurity.
Functionally, safeguards can be distinguished into administrative,
technical and physical safeguards.

Administrative safeguards include all activities that do not
necessarily have to be carried out by technical means. Examples
are guidelines, trainings, manual controls and planning measures.
The effectiveness of these safeguards depends on the awareness
and the acceptance of the employees.

Technical safeguards are supported or enabled by technical
means, like antivirus software and access control systems. In
many cases, the operation of technical safeguards can be
automated, e.g. antivirus software can move a malicious program
into quarantine or delete it without manual action.
Physical safeguards are not part of cybersecurity in the
narrower sense, but rather part of the more general field of
information security. Physical safeguards are used to protect the
physical perimeter and infrastructure of a company.
Physical safeguards are e.g. fences, security guards, security
cameras, fire-fighting equipment, uninterruptible power supplies
and flood protection mechanisms.

Another way of distinguishing safeguards is the perspective of
time. From this perspective, they can be preventive, detective or
corrective:

Preventive safeguards become effective before an event occurs.
Generally, they are the first choice in cybersecurity because negative
impacts and resulting damages can be completely avoided.
Detective safeguards become effective while an event occurs. They
often trigger corrective safeguards.
Corrective safeguards become effective after an event occurs. They are
used to correct the negative effects of adverse events.

From the combined perspectives of function and time, six different
safeguard types can be derived.

It is impossible to achieve 100% protection from cyber crimes.
The focus is, however, to minimize their occurrence and the
resulting losses.
Some common measures to safeguard ourselves are listed
below. We can divide them into two categories:
(1) Strengthening security over the Internet
(2) Strengthening security of a web site

In order to reinforce Internet security, we could use the following
measures:
a) Encryption
b) Digital signatures
c) Secure Web servers
d) Anti-Virus software
e) Security in Internet Explorer
Encryption is the process of scrambling data so that it is transmitted in
an unreadable format. This process converts the original
representation of the information (plaintext) into an alternative form
known as ciphertext.
The data has to be unscrambled or decrypted in order to be converted
back into readable format.
To achieve this, the user needs to have a key or password which
reverses the process of encryption.
Digital signatures: Though encrypted files can be used to
verify that the person sending you the file is known to you,
sometimes using digital signatures is more efficient. A digital
signature is also called an e-signature.
This ensures that the file or message was not altered since it
was signed. Digital signatures are based on Public Key
Infrastructure (PKI) and guarantee signer authenticity. The
digital signature cannot be copied, tampered with or altered.

Secure Web servers: Sensitive Internet transactions such as
online shopping, stock trading, banking etc should only be
performed via Web pages that use some kind of encryption
or some appropriate security method.
The way to find out whether a web page is secure is to look
for the icon of a locked padlock, which is normally located at
the bottom right of the status bar. Also, the URL of a secure
Web page begins with https:// instead of http://.

Anti-Virus software: A variety of anti-virus software is
available that prevents virus programs from attacking your
computer.
However, it is always prudent to buy the latest anti-virus
software from well-known software vendors such as Norton
Utilities, McAfee Antivirus and so on.
You must run regular updates to keep the anti-virus
protection up-to-date since new viruses are constantly being
written by malicious hackers.

Security in Internet Explorer and e-mails: Digital
certificates (SSL certificates) are authentication for an
individual or business web site, and are available from any
certificate authority such as VeriSign, PrivacyX, or Equifax.
A server certificate ensures that the data transfer between
the user’s computer and the server is tamper-proof and free
from being intercepted.

Strengthening security of a web site
In order to reinforce the security of a web site, we could perform the
following:
a) Configure the security features of a web page
b) Understand the role of cookies
Before you send your sensitive information such as credit card
numbers, addresses, phone numbers, and social security numbers
over the Internet, you should check if the Web page will be
encrypted during its transmission from the Web server.
The following figures will show how to identify an authentic
website. To view the certificate, you need to click on the menu
option called “view”, and then click “Security report” & ”View
certificate”. These dialog boxes indicate that the Web site is verified.

Figure: Digital certificate in Internet Explorer, General tab

Figure: Digital certificate in Internet Explorer, Details tab

Understanding the role of cookies: A cookie is a small
electronic text file stored on your hard drive. Cookies are
used by the Web sites to keep a track of any information
that the browser will need on a future visit. The cookie
might silently record your behavior on a Web site.
Only the Web site that stored a cookie on your hard drive
can read it; it cannot read other cookies or other files on your
computer.
That is the reason, they say, that cookies are harmless. However,
you can delete the cookies after your session is over. Most
browsers provide you with that option.

Steps to Keeping Your Computer Safe on the Internet
Use a Firewall
Scan for Viruses
Scan for Spyware
Stay Up-To-Date
Don’t open suspicious attachments or click unusual links in
messages.
Make sure your passwords are well-chosen and protected
Secure Your Home Network and Your Mobile Connection
Stay away from pirated material
Back Up data periodically

Securing Web Applications, Services and Servers
Web application security is the practice of protecting
websites, applications, and APIs from attacks. It is a broad
discipline, but its ultimate aims are keeping web applications
functioning smoothly and protecting businesses from cyber
vandalism, data theft, unethical competition, and other
negative consequences.

Web applications may face a number of attack types
depending on the attacker’s goals, the nature of the targeted
organization’s work, and the application’s particular security
gaps.

Common attack types include:
Zero-day vulnerabilities: These are vulnerabilities unknown to an
application’s makers, and which thus do not have a fix available.
Attacks look to exploit these vulnerabilities quickly, and often follow
up by seeking to evade protections put in place by security vendors.
Cross site scripting (XSS): XSS is a vulnerability that allows an attacker
to inject client-side scripts into a webpage viewed by other users in
order to access important information directly, impersonate the user,
or trick the user into revealing important information.
SQL injection (SQi): SQi is a method by which an attacker exploits
vulnerabilities in the way a database executes search queries.
Attackers use SQi to gain access to unauthorized information, modify
or create new user permissions, or otherwise manipulate or destroy
sensitive data.

Denial-of-service (DoS) and distributed denial-of-service (DDoS)
attacks: Through a variety of vectors, attackers are able to overload
a targeted server or its surrounding infrastructure with different
types of attack traffic. When a server is no longer able to
effectively process incoming requests, it begins to behave
sluggishly and eventually deny service to incoming requests from
legitimate users.
Memory corruption: Memory corruption occurs when a location in
memory is unintentionally modified, resulting in the potential for
unexpected behavior in the software. Bad actors will attempt to
sniff out and exploit memory corruption through exploits such as
code injections or buffer overflow attacks.

Buffer overflow: Buffers are memory storage regions that
temporarily hold data while it is being transferred from one
location to another.
A buffer overflow occurs when the volume of data exceeds the
storage capacity of the memory buffer.
Overflowing the buffer’s capacity results in adjacent memory
locations being overwritten with data.
This behavior can be exploited to inject malicious code into
memory, potentially creating a vulnerability in the targeted
machine.

Cross-site request forgery (CSRF): Cross site request forgery
involves tricking a victim into making a request that utilizes
their authentication or authorization.
For example, this might be to change the email address on
their account, to change their password, or to make a funds
transfer.
By leveraging the account privileges of a user, an attacker is
able to send a request masquerading as the user.
Once a user’s account has been compromised, the attacker
can exfiltrate, destroy or modify important information.
Highly privileged accounts such as administrators or
executives are commonly targeted.
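As an added example (not code from the lecture), the server-side check that defeats the forged funds-transfer request described above: a synchronizer token bound to the session, which a page on another site cannot read and therefore cannot include. The request dictionaries, session id and handler are constructed for the demonstration; in practice this check is combined with SameSite cookie attributes.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-wide secret; generated once per process for the demo.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer-token pattern: the token is an HMAC of the session id, so it is
    bound to this session and is not guessable from outside the application."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(request: dict, session_id: str) -> str:
    """Process a state-changing request only if it carries the session's token.
    `request` is a constructed stand-in for a parsed HTTP request:
    {"method": ..., "form": {"amount": ..., "csrf_token": ...}}."""
    if request.get("method") != "POST":
        return "rejected: state changes must use POST"
    presented = request.get("form", {}).get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the token cannot be recovered through timing.
    if not hmac.compare_digest(presented, expected):
        return "rejected: missing or invalid CSRF token"
    amount = request["form"]["amount"]
    return "ok: transferred %s" % amount


def demo() -> dict:
    session = "sess-12345"  # constructed session identifier from the victim's cookie
    # A forged request from another site: the browser attaches the victim's session
    # cookie automatically, but the attacker's page cannot read or forge the token.
    forged = {"method": "POST", "form": {"amount": "1000"}}
    # The application's own form embeds the token it issued for this session.
    legit = {"method": "POST",
             "form": {"amount": "25", "csrf_token": issue_csrf_token(session)}}
    return {"forged": handle_transfer(forged, session),
            "legit": handle_transfer(legit, session)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```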

Credential stuffing: Attackers may use bots to quickly input large
numbers of stolen username and password combinations into a
web application’s login portal.
For example, an attacker may take a list of usernames and
passwords obtained from a breach of a major department store,
and use the same login credentials to try and log in to the site of a
national bank.
The attacker is hoping that some fraction of those department
store customers also have an account at that bank, and that they
reused the same usernames and passwords for both services.
This practice gives the attacker access to a real user’s account;
they may steal the user’s data or make fraudulent purchases in the
user’s name.
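As an added detection example (not code from the lecture), serving both the brute-force attacks described under weak credentials and the credential stuffing described here: the two look different in an authentication log, and a small classifier over failed logins per source address can tell them apart. The log format and every address, username and timestamp are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication log.
# Assumed line format: "<ISO timestamp> <source ip> <username> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.9 alice FAIL
2024-05-01T10:00:02 203.0.113.9 bob FAIL
2024-05-01T10:00:02 203.0.113.9 carol FAIL
2024-05-01T10:00:03 203.0.113.9 dave FAIL
2024-05-01T10:00:03 203.0.113.9 erin FAIL
2024-05-01T10:00:04 203.0.113.9 frank SUCCESS
2024-05-01T10:00:10 198.51.100.7 admin FAIL
2024-05-01T10:00:11 198.51.100.7 admin FAIL
2024-05-01T10:00:12 198.51.100.7 admin FAIL
2024-05-01T10:00:13 198.51.100.7 admin FAIL
2024-05-01T10:00:14 198.51.100.7 admin FAIL
2024-05-01T10:00:15 198.51.100.7 admin FAIL
2024-05-01T10:05:00 192.0.2.44 alice FAIL
2024-05-01T10:05:20 192.0.2.44 alice SUCCESS
"""


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def classify_sources(events, window_seconds: int = 60, fail_threshold: int = 5) -> dict:
    """Label each source ip 'credential_stuffing', 'brute_force' or 'normal'.

    `fail_threshold` failures from one ip within `window_seconds` is suspicious.
    Mostly distinct usernames means one attempt per stolen pair (stuffing);
    the same username hammered repeatedly means password guessing (brute force).
    """
    labels = {ip: "normal" for _, ip, _, _ in events}
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            window = [u for t, u in fails[i:] if (t - start).total_seconds() <= window_seconds]
            if len(window) < fail_threshold:
                continue
            distinct = len(set(window))
            labels[ip] = "credential_stuffing" if distinct * 2 > len(window) else "brute_force"
            break
    return labels


if __name__ == "__main__":
    for ip, label in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, label)
```

The one SUCCESS from 203.0.113.9 after a run of distinct-user failures is the stuffing outcome the slide describes (a reused password matched), which is why that address deserves a lockout and a forced credential reset rather than just a log entry.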

Page scraping: also known as Web scraping. Attackers
may use bots to steal content from webpages on a large
scale.
It extracts the underlying HTML code and, with it, data stored in
a database.
They may use this content to gain a pricing advantage over a
competitor, imitate the page owner for malicious purposes,
or for other reasons.
Web scrapers can extract all the data on particular sites or
the specific data that a user wants.
For example, you might want to scrape an Amazon page for
the types of juicers available.
Scraping is very helpful for companies in analyzing consumer trends
and understanding which direction the company should
move in the future.
API abuse: APIs, or Application Programming Interfaces, are
software that allow two applications to communicate with each
other.
Like any type of software, they may have vulnerabilities that allow
attackers to send malicious code into one of the applications or
intercept sensitive data as it moves from one application to
another.
This is an increasingly common attack type as API use increases.

Shadow APIs: Development teams work quickly to meet business
objectives, frequently building and publishing APIs without
informing security teams.
These unknown APIs may expose sensitive company data,
operating in the “shadows”, as security teams tasked with
protecting APIs are unaware of their existence.
Third-party code abuse: Many modern web applications use a
variety of third-party tools — for example, an ecommerce site
using a third-party payment processing tool.
If attackers find a vulnerability in one of these tools, they may be
able to compromise the tool, and steal the data it processes,
prevent it from functioning, or use it to inject malicious code
elsewhere in the application.

Magecart attacks, which skim credit card data from payment
processors, are an example of this attack type. These attacks are
also considered to be browser supply chain attacks.

Important web application security strategies

DDoS mitigation: DDoS mitigation services sit between a
server and the public Internet, using specialized filtration
and extremely high bandwidth capacity to prevent surges of
malicious traffic from overwhelming the server.
These services are important because many modern DDoS
attacks deliver enough malicious traffic to overwhelm even
the most resilient servers.

Web Application Firewall (WAF): WAFs filter out traffic
known or suspected to be taking advantage of web
application vulnerabilities. WAFs are important because new
vulnerabilities emerge too quickly and quietly for nearly all
organizations to catch on their own.

Web application security products and policies strive to
protect applications through measures such as web
application firewalls (WAFs), multi-factor authentication
(MFA) for users, validation of cookies to maintain user state
and privacy status, and various methods for validating user
input.

The primary target is the application layer (i.e., what is
running on the HTTP protocol). HTTP stands for Hypertext
Transfer Protocol.

Hypertext Transfer Protocol is a set of rules used for
transferring files such as audio, video, graphic images, text
and other multimedia files on the WWW (World Wide Web).

HTTP is used to communicate over the internet, so users,
information providers, and application developers should
be aware of the limitations of security in HTTP.
In HTTP, clients are often privy to a large amount of
personal information like: name of the user, email address,
passwords, location, Encryption key, etc.
We should be careful to prevent unintentional leakage of
this personal information of the client via the HTTP protocol
to other sources.
A WAF protects web applications from a variety of
application layer attacks such as cross-site scripting (XSS),
SQL injection, and cookie poisoning, among others.

A WAF protects your web apps by filtering, monitoring, and
blocking any malicious HTTP/S traffic traveling to the web
application, and prevents any unauthorized data from leaving the
app.
It does this by adhering to a set of policies that help determine
what traffic is malicious and what traffic is safe.
Just as a proxy server acts as an intermediary to protect the identity
of a client, a WAF operates in similar fashion but in the
reverse—called a reverse proxy—acting as an intermediary that
protects the web app server from a potentially malicious client.
WAFs can come in the form of software, an appliance, or delivered
as-a-service.

API gateways: These help identify overlooked ‘shadow APIs’
and block traffic known or suspected to target API
vulnerabilities. They also help manage and monitor API traffic.
DNSSEC (Domain Name System Security Extensions): A protocol
which guarantees a web application’s DNS traffic is safely
routed to the correct servers, so users are not intercepted by an
on-path attacker.
Encryption certificate management: In which a third party
manages key elements of the SSL/TLS encryption process, such
as generating private keys, renewing certificates, and revoking
certificates due to vulnerabilities. This removes the risk of those
elements going overlooked and exposing private traffic.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are
encryption protocols that protect internet communications.

Bot management: Bot management refers to blocking undesired
or malicious Internet bot traffic while still allowing useful bots to
access web properties.
Bot management accomplishes this by detecting bot activity,
discerning between desirable and undesirable bot behavior, and
identifying the sources of the undesirable activity.
Client-side security: refers to the technologies and policies used to
protect an end user from malicious activity that is occurring on
dynamic web pages accessed from the end user's own device.
Attack surface management: An attack surface is defined as the
total number of all possible entry points for unauthorized access
into any system.
Actionable attack surface management tools should provide a
single place to map your attack surface, identify potential security
risks, and mitigate risks with a few clicks.
Intrusion Detection and Prevention
Intrusion Detection System (IDS):
An IDS is a security system which monitors the computer
systems and network traffic.
It analyses that traffic for possible hostile attacks originating
from the outsider and also for system misuse or attacks
originating from the insider.
Just as a firewall protects an organization’s sensitive data from
malicious attacks over the Internet, the intrusion detection
system alerts the system administrator when someone tries to
break through the firewall security and gain access to any
network on the trusted side.

Types of IDS
NIDS:
It is a Network Intrusion Detection System which monitors the
inbound and outbound traffic to and from all the devices over the
network.

HIDS:
It is a Host Intrusion Detection System which runs on all devices in
the network with direct access to both internet and enterprise
internal network.
It can detect anomalous network packets that originate from inside
the organization or malicious traffic that a NIDS has failed to catch.
HIDS may also identify malicious traffic that arises from the host
itself.
How IDS works
Signature-based Intrusion Detection System:
A signature-based system detects an attack by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
This approach originates in anti-virus software and easily detects known attacks. By its nature, however, it cannot detect new attacks for which no pattern is available.
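The following is an added example, not code from the slides, that shows signature-based detection in miniature: a dictionary of constructed byte-sequence signatures is scanned against constructed sample HTTP payloads (documentation-range addresses, hypothetical signature names). The last sample packet deliberately matches nothing on file, which is exactly the blind spot the slide describes: no pattern, no alert.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst_port: int   # destination port
    payload: bytes  # application-layer bytes carried by the packet


# Constructed signature dictionary for this example: name -> byte sequence that a
# known attack leaves in traffic. Real IDS rule sets hold thousands of entries.
SIGNATURES = {
    "path-traversal": b"../../etc/passwd",
    "sqli-tautology": b"' OR 1=1",
    "known-scanner-ua": b"User-Agent: constructed-scanner/1.0",
}


def match_signatures(payload: bytes, signatures=SIGNATURES):
    """Return the names of every signature whose byte sequence occurs in the payload."""
    return sorted(name for name, pattern in signatures.items() if pattern in payload)


def inspect(packets, signatures=SIGNATURES):
    """Signature-based inspection of a packet stream.

    Returns one alert tuple (source IP, destination port, signature name) per
    match. A packet that matches nothing produces no alert even if it is hostile:
    signature-based detection only ever sees what is already in its dictionary.
    """
    alerts = []
    for pkt in packets:
        for name in match_signatures(pkt.payload, signatures):
            alerts.append((pkt.src, pkt.dst_port, name))
    return alerts


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.7", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.7", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.9", 80, b"GET / HTTP/1.1\r\nUser-Agent: constructed-scanner/1.0\r\n\r\n"),
    # A request whose pattern is not in the dictionary: no signature, no alert.
    Packet("203.0.113.9", 80, b"GET /api/v2/unlisted-probe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


if __name__ == "__main__":
    for src, port, sig in inspect(SAMPLE_PACKETS):
        print(f"ALERT {sig}: {src} -> port {port}")
```

Running the block prints three alerts and stays silent on the fifth packet. In a real deployment the signature dictionary is what needs constant updating, which is why vendors ship rule updates daily.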
Contd...
Anomaly-based Intrusion Detection System:
This detection system was introduced primarily to detect unknown attacks, a response to the rapid development of malware.
It alerts administrators to potentially malicious activity. It monitors the network traffic and compares it against an established baseline.
The baseline defines what is considered normal for the network in terms of bandwidth, protocols, ports and other devices.
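As an added example (not from the slides), the block below builds a baseline of "normal" from constructed per-minute flow counts per protocol and port, then scores a new window against it: anything never seen during learning, or exceeding mean plus k standard deviations, raises an alert. The traffic figures, the threshold factor k and the min_delta guard are all assumptions made for the example.

```python
import statistics

# Constructed learning windows: each dict is one minute of traffic, recorded as
# a count of flows per (protocol, destination port). The baseline is learned
# from these; in practice the learning period would be days or weeks.
BASELINE_WINDOWS = [
    {("tcp", 443): 120, ("tcp", 80): 40, ("udp", 53): 60},
    {("tcp", 443): 130, ("tcp", 80): 35, ("udp", 53): 55},
    {("tcp", 443): 110, ("tcp", 80): 45, ("udp", 53): 65},
    {("tcp", 443): 125, ("tcp", 80): 38, ("udp", 53): 58},
]


def build_baseline(windows):
    """Learn what 'normal' looks like: mean and standard deviation of the flow
    count for every (protocol, port) pair observed during the learning period."""
    keys = set().union(*windows)
    baseline = {}
    for key in keys:
        samples = [w.get(key, 0) for w in windows]
        baseline[key] = (statistics.mean(samples), statistics.pstdev(samples))
    return baseline


def detect_anomalies(window, baseline, k=3.0, min_delta=10):
    """Compare one new window against the baseline.

    A (protocol, port) pair is anomalous if it was never seen while learning,
    or if its count exceeds mean + k * stddev. min_delta keeps a near-constant
    baseline (stddev close to zero) from flagging trivial fluctuations.
    Returns a list of (key, observed count, reason) tuples.
    """
    alerts = []
    for key, count in window.items():
        if key not in baseline:
            alerts.append((key, count, "never seen in baseline"))
            continue
        mean, sd = baseline[key]
        threshold = mean + max(k * sd, min_delta)
        if count > threshold:
            alerts.append((key, count, f"exceeds baseline mean {mean:.1f} (threshold {threshold:.1f})"))
    return alerts


# Constructed test windows: one ordinary minute, one with a DNS flood and a
# destination port the network has never used before.
NORMAL_WINDOW = {("tcp", 443): 128, ("tcp", 80): 42, ("udp", 53): 61}
SUSPECT_WINDOW = {("tcp", 443): 122, ("tcp", 80): 41, ("udp", 53): 900, ("tcp", 3389): 25}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOWS)
    for name, window in (("normal", NORMAL_WINDOW), ("suspect", SUSPECT_WINDOW)):
        print(name, detect_anomalies(window, baseline) or "no anomalies")
```

Note what the detector cannot tell you: the alert on port 3389 says only that the traffic is new, not that it is hostile. That gap between "unusual" and "malicious" is the source of the false positives discussed under the drawbacks of IPS later in this unit.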
Intrusion Prevention System
An intrusion prevention system (IPS) is also known as an intrusion detection and prevention system.
It is a network security program that looks for harmful activity on a network or system. The main functions of an intrusion prevention system are detecting malicious behaviour, collecting information about it, reporting it, and trying to block or stop it.
Contd...
An IPS normally logs information about observed events, notifies security administrators about significant occurrences, and generates reports.
Many IPS can also try to prevent a threat from succeeding once it has been discovered.
They use various response strategies, including interrupting the attack, modifying the security environment, and changing the content of the attack.
How IPS works
The IPS thoroughly inspects every packet that travels across the network in real time. If the IPS detects a malicious or suspicious packet, it takes one of the following actions:
◦ Terminate the compromised TCP session and block the offending source IP address or user account from accessing any application, target host or other network resource.
◦ Reprogram or adjust the firewall to prevent future attacks of this nature.
◦ Remove or replace any dangerous content found on the network after an attack. This is accomplished by repackaging payloads, removing header information, and removing malicious attachments from file or email servers.
Advantages of IPS
Lowering the likelihood of security incidents
Providing dynamic threat protection
Defending against zero-day threats, distributed
denial-of-service attacks, and brute-force attacks
Informing admins automatically when questionable activity is
discovered
Permitting or refusing certain inbound traffic to a network
Reducing network maintenance for IT workers.
Drawbacks of IPS
When a system detects unusual network activity and assumes it is malicious, the result may be a false positive, which amounts to a DoS attack on an innocent user.
If an organization's bandwidth and network capacity are insufficient, an IPS tool may slow down a system.
If a network has numerous IPS, data must transit through each of them to reach the end user, which may reduce network performance.
An IPS is more costly than other tools.
Types of Prevention Mechanism
To defend the network from unauthorized access, an intrusion prevention system is usually set up to use several methods. These are some of them:
◦ Signature-Based: the signature-based technique employs predefined signatures of well-known network hazards. When an attack is launched that matches one of these signatures or patterns, the system reacts.
◦ Anomaly-Based: the anomaly-based strategy keeps an eye on the network for any unusual or unexpected activity. The system immediately disables access to the target host if an abnormality is identified.
◦ Policy-Based: in this approach, administrators must configure security policies according to the organizational security policy and the network infrastructure. When behaviour that violates a security policy occurs, an alert is triggered and sent to the system administrators.
Contd...
In its signature-based detection mechanism, intrusion
prevention systems use a dictionary of individually
identifiable signatures detected in the code of each exploit.
There are two types of signature-based detection approaches
for intrusion prevention systems: exploit-facing and
vulnerability-facing.
Detecting harmful activity by identifying individual
vulnerabilities is the goal of exploit-facing methodologies,
whereas detecting malicious activity by detecting common
attack patterns is the goal of vulnerability-facing methods.
Classification of IPS
A network-based intrusion prevention system (NIPS) analyses protocol activity to monitor the entire network for suspicious traffic.
A wireless intrusion prevention system (WIPS) analyses wireless networking protocols to watch for suspicious traffic on a wireless network.
Network Behavior Analysis (NBA) analyses network traffic to look for threats that cause unusual traffic patterns, such as distributed denial-of-service attacks, certain types of malware, and policy violations.
A host-based intrusion prevention system (HIPS) is an installed software package that monitors a single host for suspicious behaviour by examining events that take place on that host.
Difference between IDS and IPS
An IDS is designed only to raise an alert about a potential incident, which enables a security operations center (SOC) analyst to investigate the event and determine whether it requires further action. An IPS, on the other hand, takes action itself to block the attempted intrusion or otherwise remediate the incident.
The following features differentiate an IPS from an IDS:
Intrusion prevention systems are deployed in-line and can actively prevent or block suspected intrusions.
An IPS can issue an alert, drop packets identified as malicious, reset a connection, or block traffic from the attacker's IP address.
An IPS can also defragment packet streams, resolve TCP sequencing issues, clean out unwanted transport- and network-layer options, and repair CRC errors.
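The added example below (not from the slides) ties together the policy-based prevention mechanism from "Types of Prevention Mechanism" and the IDS/IPS distinction on this slide. One in-line engine runs the same policy check in two modes: in "ids" mode it only records an alert and forwards every packet; in "ips" mode it drops the offending packet, adds the source address to a block list, and drops that source's later traffic without further inspection. The allow-listed ports, addresses and packets are constructed assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst_port: int   # destination port on the protected host
    payload: bytes


# Constructed policy for the example: the protected web host may only be
# reached on these ports. Any other destination port is a policy violation.
ALLOWED_PORTS = {80, 443}


def violates_policy(pkt: Packet) -> bool:
    """Policy-based check: a destination port outside the allow list is a violation."""
    return pkt.dst_port not in ALLOWED_PORTS


@dataclass
class InlineEngine:
    mode: str                                       # "ids" (alert only) or "ips" (alert and block)
    alerts: list = field(default_factory=list)      # (source, port) pairs that tripped the policy
    blocked_sources: set = field(default_factory=set)

    def __post_init__(self):
        if self.mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")

    def process(self, pkt: Packet) -> str:
        """Decide the fate of one packet as an in-line device would: 'forward' or 'drop'."""
        # An IPS keeps dropping traffic from a source it has already blocked.
        if self.mode == "ips" and pkt.src in self.blocked_sources:
            return "drop"
        if violates_policy(pkt):
            self.alerts.append((pkt.src, pkt.dst_port))   # both modes alert the SOC
            if self.mode == "ips":
                self.blocked_sources.add(pkt.src)           # only the IPS acts on it
                return "drop"
        return "forward"


def run(mode: str, packets):
    """Push a packet list through a fresh engine; return (verdicts, alerts, blocked sources)."""
    engine = InlineEngine(mode)
    verdicts = [engine.process(p) for p in packets]
    return verdicts, engine.alerts, engine.blocked_sources


# Constructed traffic: an internal client, then an external host that first tries
# a port the policy forbids and then a permitted one.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 443, b"legitimate request"),
    Packet("198.51.100.7", 3389, b"connection attempt against policy"),
    Packet("198.51.100.7", 443, b"later request from the same source"),
    Packet("10.0.0.5", 80, b"legitimate request"),
]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts, blocked = run(mode, SAMPLE_TRAFFIC)
        print(mode, verdicts, "alerts:", alerts, "blocked:", sorted(blocked))
```

The third packet shows why an in-line IPS needs more careful tuning than an IDS: once a source is on the block list, even its policy-compliant traffic is dropped. If the policy itself is wrong, that is the false-positive denial of service listed under the drawbacks of IPS.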
Cyberspace and the Law
The term Cyberspace seems to have originated in a science fiction movie. In the 21st century, however, it has become an integral part of our lives.
The best way to define Cyberspace is as the virtual and dynamic space created by machine clones.
By this definition, Cyberspace is a web consisting of consumer computers, electronics and communication networks through which the consumer is connected to the world.
Cyberspace can be compared to a human brain, where the network of computers represents the innumerable neurons and the connections between them. It can therefore be considered a link between the physical and the infinite world.
Cyber Laws and Cyber Security
Cyber laws are created to ensure that people do not misuse Cyber technologies.
The overall idea of Cyber law is to stop any person from violating the rights of other persons in Cyberspace.
Any violation of Cyber rights is considered a Cyberspace violation and is punishable under Cyber laws.
A separate set of Cyber laws is formulated by the government to provide Cybersecurity to Cyber users.
Cyber laws are needed to monitor and prevent immoral or illegal human activities such as hacking, theft, money laundering, terrorism, piracy, etc.
Contd...
Cyber laws encompass all the legal issues related to the communicative, distributive and transactional aspects of network-related information devices and technologies.
Cyber laws are related to individuals and institutions that
◦ Play a crucial role in providing Cyberspace access to people,
◦ Generate software and/or hardware to allow people entry into Cyberspace, and
◦ Make use of their computer systems to gain entry into Cyberspace.
Contd...
To define the different arms of Cybersecurity, two main acts are considered in India. They are:
◦ The Indian Penal Code, 1860
◦ The Information Technology Act, 2000
The Information Technology Act, 2000 was enacted by the Indian Parliament in 2000. It is the primary law in India for matters related to cybercrime and e-commerce.
The act was enacted to give legal sanction to electronic commerce and electronic transactions, to enable e-governance, and also to prevent cybercrime.
Under this law, foreign nationals can also be charged for any crime involving a computer or a network located in India.
The law prescribes penalties for various cybercrimes and for fraud committed through digital or electronic means.
Contd..
It also gives legal recognition to digital signatures.
The IT Act also amended certain provisions of the Indian
Penal Code (IPC), the Banker’s Book Evidence Act, 1891, the
Indian Evidence Act, 1872 and the Reserve Bank of India Act,
1934 to modify these laws to make them compliant with
new digital technologies.
In the wake of the recent Indo-China border clash, the
Government of India banned various Chinese apps under
the Information Technology Act.
Contd...
Cyber laws are formed to punish people who perform illegal activities online, such as online harassment, attacking another website or individual, data theft, disrupting the online workflow of an enterprise, and other illegal activities.
If anyone breaks a cyber law, action is taken against that person on the basis of the type of cyber law broken, where the person lives, and where the law was broken.
It is most important to punish the criminals or put them behind bars, as most cybercrimes go beyond what can be considered a common crime.
Contd...
These crimes can cause serious loss of the reliability and confidentiality of personal information, or of a nation's information. Therefore, these issues must be handled according to the laws.
There are various broad categories that come under cyber laws; some are as follows:
Fraud:
Cyber laws are formed to prevent financial crimes such as identity theft, credit card theft and others that occur online.
A person may face federal criminal charges for committing any type of identity theft. These laws set out strict policies for prosecuting and defending against allegations of internet misuse.
Contd...
Copyrighting Issues:
The Internet is a source of many types of data, which can be accessed anytime, anywhere. But no one has the authority to copy the content of another person.
Cyber laws define strict rules for anyone who violates the copyright that protects the creative work of individuals and companies.
Scam/Treachery:
There are various frauds and scams on the Internet that can be personally harmful to a company or an individual. Cyber laws offer many ways to protect people and prevent identity theft and financial crimes that happen online.