18bcs1674 Assignment-2 Swl Csb-471

The document is an assignment on network security covering various topics including definitions of HTTP, email, and firewalls, detailed descriptions of network services, network vulnerabilities, intrusion detection systems, network security tools, and application security. It outlines the importance of user management, mail services, printing services, and system administration, while also discussing threats like ransomware, phishing, and IoT attacks. Additionally, it emphasizes the role of intrusion detection systems and various security tools such as firewalls and antivirus software in protecting network integrity.

Uploaded by kgalhotra2001

ASSIGNMENT 2

SWL
CSB-471 / ITB-471
Name - Ayush Tickoo
UID - 18BCS1674
SECTION - 18CSE 6 (B)

Attempt all Questions.

(2 Marks Each)

Q1. Define the terms.

i. HTTP
ii. Email
iii. Firewalls

A1.

i. HTTP:- HTTP (HyperText Transfer Protocol) is a protocol for connecting to Web servers on the Internet or on a local network (intranet). HTTP's main purpose is to establish a connection with the server and return HTML pages to the user's browser. It can also be used to download data from a server to a browser or any other HTTP-enabled application.

ii. Email:- Electronic mail, often known as Email, is information stored on a computer that is sent between two users via telecommunications. E-mail, to put it another way, is a message that can contain text, files, photos, or other attachments and is sent across a network to a specific person or group of people.

iii. Firewall:- A firewall is a cybersecurity technology that analyses inbound and outbound network traffic and allows or forbids data packets depending on a set of cybersecurity rules. Firewalls are commonly used to protect network nodes from incoming and outgoing data traffic, as well as specialized applications. Software, hardware, and cloud-based technologies are used by firewalls to protect networks from external attacks. A firewall's main goal is to keep harmful traffic and data packets out while letting genuine traffic through.

Q2. Define the network services in detail.

A2.

There are four types of network services: user management, email, printing, and system administration.

i. User Management -

● User Management determines the administrators' capacity to manage user access to various IT resources such as systems, devices, applications, storage systems, networks and SaaS services. Any identity and access management (IAM) solution, particularly a directory services solution, must include user management.

● Controlling and managing user access to IT resources is a critical aspect of any organization's security. Admins can regulate user access and on-board and off-board users to and from IT resources using user management. Following that, a directory service will authenticate, authorize, and audit user access to IT resources according to the IT administrator's instructions.

● The problem of managing user access to multiple resources is solved by user management. The marketing team, for example, typically demands different resources than the accounting team. Furthermore, a marketing person is unlikely to require access to internal financial systems, and a finance employee is unlikely to require access to Salesforce or Marketo. IT administrators can manage resources and provision users based on need and role while keeping their digital assets secure with user management.

ii. Mail Services -

● Some applications are newer and flashier, while others use more network bandwidth and are more critical to the network's continuous operation. Email, on the other hand, is the method by which people communicate with one another. It's not flashy, but it's necessary.

● Based on a few simple protocols, TCP/IP provides a reliable and adaptable email system. Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), and Multipurpose Internet Mail Extensions (MIME) are the protocols that are usually employed for a seamless

iii. Printing Services -

Network printers require an IP address or can be identified using the CUPS-integrated Simple Network Management Protocol (SNMP). CUPS supports three different network protocols:

○ AppSocket Protocol, which is commonly associated with HP JetDirect.

○ IPP (Internet Printing Protocol), which uses port 631 by default.

○ Line Printer Daemon (LPD) Protocol, which uses port 515.

iv. System & Network Administration Services -

● A system administrator (sysadmin) is an information technology professional who manages a multiuser computing environment and ensures that IT services and support systems run at peak performance.

● System admins are in charge of ensuring that their company's computers, servers, and internet are up and running at all times, essentially "keeping the lights on" to avoid work interruptions. This involves system configuration and maintenance, such as installing and troubleshooting hardware and software, as well as evaluating new technologies for their businesses.

Q3. List out the various network vulnerabilities.

A3.

Various network vulnerabilities faced by the Information Security industry are :-

1. Ransomware & Malware Attacks - Today's society is heavily reliant on computers, and as cyber environments evolve, cyber-attacks have become a critical challenge for computer network security. Ransomware attacks are one of the biggest contributors to this. Ransomware is a term used to describe a type of software that prevents users from accessing their system or data unless they pay a ransom. The major objective of this type of attack is to earn money through illegal methods, hence the ransom payment part is crucial. The ransom is frequently demanded in Bitcoin, a cryptocurrency, because this method of payment is difficult to track and trace back. According to the cyber security firm Sophos, ransomware has infected 82 percent of Indian businesses in the previous six months. Ransomware attacks are dangerous for individual users, but they're much more dangerous for organizations that can't access the data they need to conduct their day-to-day operations. In most ransomware attacks, however, the attackers refuse to release the data even after payment is received, instead attempting to extort more money.

2. Phishing Attacks - Humans are generally referred to as the weakest link in an organization's security posture, and 'human error' is regularly cited as the reason an attacker was able to infiltrate a network. Phishing emails, in which fraudsters send large quantities of targeted malicious communications to an employee disguised as coming from a reputable source, may be the source of such attacks. An employee only needs to click on a malicious link in a seemingly legitimate email once to trigger a potentially catastrophic security event that could cost millions of pounds.

3. Cloud Attacks - A cloud cyber attack is any cyber attack that targets off-site service platforms that provide storage, computing, or hosting services via their cloud infrastructure. This can involve attacks against service platforms that use the SaaS, IaaS, and PaaS service delivery paradigms. In cloud environments, users store many sorts of data, and most of that data involves sensitive information about individuals or company activities. However, as a result of human activities, application vulnerabilities, and unforeseen situations, this data is vulnerable to loss, breach, or damage. API vulnerabilities may also substantially impact the security of cloud orchestration, management, provisioning, and monitoring.

4. IoT Attacks - IoT devices are computational, digital, and mechanical devices that can send data over the internet on their own. Desktops, refrigerators, voice assistants, smart wearables, and other IoT devices are examples. As the popularity of IoT devices grows at an unprecedented rate, so do the cyber security challenges. In the first half of 2021, 1.5 billion smart device attacks were recorded, with attackers attempting to steal data, mine cryptocurrencies, or create botnets. According to analysts, cyberattacks against internet-of-things (IoT) devices increased by more than 100 percent in the first six months of 2021. According to a Kaspersky analysis of data from honeypots shared with Threatpost, the company detected over 1.5 billion IoT threats in the first half of the year, up from 639 million in the previous half.

Q4: Discuss and define the intrusion detection in detail.

A4.
1. A monitoring system that identifies suspicious activity and generates alerts is known as an intrusion detection system (IDS). A security operations center (SOC) analyst or incident responder can analyze the issue and take the necessary steps to mitigate the threat based on these notifications.

2. There is no such thing as a perfectly reliable firewall or an inaccessible network. Hackers are constantly coming up with new ways to attack the system. The Intrusion Detection System (IDS) is a technology that detects network attacks. It takes prompt action to assess such activity and restore normal operation. As a result, IDS in network security is critical. It helps detect such traffic and issues an alert right away, which aids the IT team in resolving the problem.

3. The features of IDS that make it popular among its diverse clients are as follows:

a. Routers, firewalls, key management servers, and files are all monitored by it.

b. It gives users on-going assistance.

c. It arranges the audit trails and other logs in a logical order.

d. When security breaches are identified, it raises an alarm.

e. It quickly blocks the server whenever suspicious activity is detected.

4. Working - An intrusion detection system (IDS) monitors traffic to and from all devices on a network. The system works as a secondary filter for malicious packets behind a firewall, and it primarily looks for two suspicious clues:

a. Attack signatures that have been seen before.

b. Deviations from the usual routine.

5. When it comes to detecting threats, most intrusion detection systems rely on pattern correlation. An IDS can use this strategy to compare network packets to a database of known cyberattack signatures.

6. The most common attacks an IDS can flag with pattern correlation are:

a. Malware (worms, ransomware, trojans, viruses, bots, etc.).

b. Scanning attacks that send packets to the network to gather information about open or closed ports, types of permitted traffic, active hosts, and software versions.

c. Asymmetric routing that sends a malicious packet and bypasses security controls with different entry and exit routes.

d. Buffer overflow attacks that replace database content with malicious executable files.

e. Protocol-specific attacks that target a specific protocol (ICMP, TCP, ARP, etc.).

f. Traffic flooding breaches that overload the network, such as a DDoS attack.

7. When an IDS detects a problem, the system flags it and sounds the alarm. The alarm could be as basic as a notation in an audit record or as urgent as a message to an IT administrator. The team then troubleshoots the issue and pinpoints the source of the problem.

8. Types - IDS can be network-based or host-based :-

a. A host-based intrusion detection system is installed on the client computer and monitors important operating system files. A HIDS operates from a specific endpoint, where it monitors network traffic and system logs to and from a single device. This type of IDS security relies on regular snapshots, file sets that capture the entire system's state. When the system takes a snapshot, the IDS compares it with the previous state and checks for missing or altered files or settings.

b. A network-based intrusion detection system sits on the network and analyzes traffic coming to and from all network devices. An NIDS operates from a strategic point (or points, if you deploy multiple detection systems) within the network, typically at data chokepoints.
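Items 4 to 7 above describe signature-based pattern correlation: each packet or log record is compared against a database of known attack signatures, and a match raises an alarm. The script below is an added example, not part of the original assignment, that implements that loop as a POSIX shell function. It reads text log lines rather than capturing traffic, so it runs offline; the log lines, the four signature entries, their ids and the function names are all constructed for this example and are not a real ruleset or real traffic.

```sh
#!/bin/sh
# Signature-based matcher in the spirit of IDS "pattern correlation":
# every log line is tested against every signature, and each hit becomes an alert.

# Constructed signature database (assumption of this example, not a vendor ruleset).
# Format: id|extended-regex pattern|description, one signature per line.
SIGNATURES='SIG-001|UNION[[:space:]]+SELECT|SQL injection attempt in request
SIG-002|/etc/passwd|Request for a sensitive system file
SIG-003|\.\./\.\./|Directory traversal sequence in path
SIG-004|SYN[[:space:]]+scan|Port scan reported by sensor'

# Constructed sample log (assumption of this example): "time src -> dst request".
SAMPLE_LOG='2024-01-01T10:00:01 10.0.0.5 -> 10.0.0.10:80 GET /index.html
2024-01-01T10:00:02 10.0.0.7 -> 10.0.0.10:80 GET /item?id=1 UNION SELECT password FROM users
2024-01-01T10:00:03 10.0.0.9 -> 10.0.0.10:80 GET /../../etc/passwd
2024-01-01T10:00:04 10.0.0.5 -> 10.0.0.10:443 GET /about.html
2024-01-01T10:00:05 sensor: SYN scan from 10.0.0.11 against 10.0.0.10'

# match_signatures: read log lines on stdin and print one
# "ALERT <id> <description> :: <line>" for every (signature, line) pair that matches.
# A line that matches several signatures produces several alerts, which is what
# an analyst wants to see when correlating (one event, two indicators).
match_signatures() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # The inner loop reads the signature table from its own pipe, so it does
        # not consume the outer loop's stdin.
        printf '%s\n' "$SIGNATURES" | while IFS='|' read -r sid pattern desc; do
            if printf '%s\n' "$line" | grep -Eq -- "$pattern"; then
                printf 'ALERT %s %s :: %s\n' "$sid" "$desc" "$line"
            fi
        done
    done
}

# count_alerts: number of alerts raised over the constructed sample log.
count_alerts() {
    printf '%s\n' "$SAMPLE_LOG" | match_signatures | wc -l | tr -d ' '
}

# Stand-alone run: print every alert, then a summary line.
printf '%s\n' "$SAMPLE_LOG" | match_signatures
echo "total alerts: $(count_alerts)"
```

Two of the five constructed lines are benign and produce nothing; the traversal line trips two signatures (SIG-002 and SIG-003), so the sample yields four alerts in total. The limitation of this approach is the one item 4 hints at: only patterns already in the table are detected, so a signature database needs regular updates and should be paired with the anomaly-based detection of item 4b, and every pattern should be tested against known-good traffic before deployment to keep false positives down.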

Q5: Illustrate the network security tools and devices.

A5.

I. Firewalls:

1. Firewalls are network security devices that monitor and 'curate' network traffic according to a set of predetermined rules. A firewall creates a barrier between your internal private network and the rest of the internet.

2. Software applications and hardware devices can both be used as firewalls. Along with network protection, hardware firewalls can perform other tasks, such as dynamically assigning IP addresses to networked devices.

3. To prevent unwanted access over the internet, firewalls are employed at the 'border' of a private network. Before messages may leave or enter the private network, the firewall scans all inbound and outgoing messages. During the scan, the firewall runs the message (also known as a network packet) through a security checklist, which is a set of criteria that determines whether or not a message is safe. A message is only permitted to move ahead if it checks all of the boxes.

4. A hardware firewall is a self-contained unit. It communicates with network devices using ports, of which each firewall has at least four. Larger businesses might use higher-end firewall devices with more ports and more complex security features.

5. A software firewall is a set of applications that you install on your computer to protect your data. It provides customizable settings that assist you in configuring your firewall for the best security. The software keeps track of every network packet you send and receive over the internet.

II. Antivirus :

1. An antivirus application is a piece of software that can detect and eradicate malware and other potentially harmful programmes.

2. Initially, antivirus software could only tackle viruses. However, it now offers protection against worms, Trojans, ransomware, and spyware, among other threats. Some antivirus software can help guard against phishing attempts made over email. Your network security devices / tools should, in theory, be able to detect security risks coming from any source, including harmful programmes and viruses sent via email.

III. Content Filtering Devices :

1. Online content that is possibly harmful or objectionable is filtered out using content filtering devices. Incoming emails, frequent spam, and even webpages are all examples of this. As the name implies, these devices scan web content and verify its safety by running it through their own blacklist of phrases. Some CFDs can also save and warn you about well-known spam sites and email addresses before you interact with them.

2. When someone tries to access unverified, potentially malicious content on these devices, they get an "Access Denied" error.

3. This network security device's default setting filters pornographic or hostile content. Aside from that, your company can ban product-selling spam and unsolicited newsletters.

IV. Intrusion Detection Systems (IDS) :

1. Intrusion Detection Systems, also known as Intrusion Detection and Prevention Systems, are devices that monitor hostile activity in a network, log it, and, if their feature set allows it, take action to stop it. An IDS will, at the very least, provide you with useful reports on your network's behaviour. You can use these reports to improve the security of your network.

2. If malicious network packets attempt to damage your network, active intrusion detection systems (IDPSs) raise an alarm, aggressively drop the packets, and reset the network channel connection to prevent your network from blocking all future, lawful network traffic.

Q6: Define the term application security in detail.

A6.

1. Application security is the process of creating, integrating, and testing security measures in applications to protect them from dangers like unauthorized access and alteration.

2. Because today's apps are frequently available over multiple networks and connected to the cloud, they are more vulnerable to security attacks and breaches.

3. There is increasing pressure and incentive to assure security not only at the network level, but also within individual applications. One explanation for this is that hackers are focusing their attacks on apps more now than in the past. Application security testing can expose application-level flaws, assisting in the prevention of these attacks.

4. Types of Application Security :-

a. Authentication: Authentication refers to the mechanisms that software developers use in a programme to ensure that only authorized users have access to it. Authentication processes verify that the user is who they claim to be. When logging into an application, this can be performed by requiring the user to supply a username and password. Multi-factor authentication entails a combination of elements, such as something you know (a password), something you have (a mobile device), and something you are (a thumbprint or facial recognition).

b. Authorization: A user may be authorized to access and use the programme after being authenticated. By comparing the user's identification to a list of authorized users, the system may verify that the user has permission to access the programme. Authentication must occur prior to authorisation in order for the application to match only validated user credentials to the approved user list.

c. Encryption: Other security measures can safeguard sensitive data from being seen or utilized by a cybercriminal after a user has been verified and is using the programme. Traffic containing sensitive data that flows between the end user and the cloud in cloud-based apps can be encrypted to keep the data safe.

d. Logging: If a security breach occurs in an application, logging can assist in determining who gained access to the data and how. Application log files keep track of which parts of the application have been accessed and by whom.

e. Application Security Testing: Application developers do application security testing as part of the software development process to guarantee that a new or upgraded version of a software application does not have any security flaws. A security audit can ensure that the application meets a certain set of security requirements. Developers must guarantee that only authorized users have access to the programme after it passes the audit. During penetration testing, a developer assumes the role of a cybercriminal and searches for ways to gain access to an application. Social engineering, or deceiving users into giving unwanted access, is one example of what penetration testing covers. Unauthenticated security scans and authenticated security scans (as logged-in users) are often used by testers to detect security vulnerabilities that may not show up in both states.

Q7: List down some of the general system security threats.

A7.

1. Virus - Viruses have the potential to replicate themselves by attaching themselves to software on the host computer, such as music or video files, and then spreading across the Internet. The Creeper virus was the first virus discovered on ARPANET. File viruses, macro viruses, boot sector viruses, and stealth viruses are just a few examples.

2. Worms - Worms are also self-replicating, but they don't attach themselves to the host computer's programmes. Worms are network-aware, which is the most significant distinction between viruses and worms. They may readily go from one computer to another if a network is available, and they will not cause much harm on the target machine; for example, they will occupy hard disc space, slowing down the computer.

3. Trojans - The name Trojan comes from the Greek mythology story of the 'Trojan Horse,' which describes how the Greeks were able to penetrate the fortified city of Troy by concealing their men in a large wooden horse given to the Trojans as a gift. The Trojans adored horses and put their faith in the gift without question. Soldiers appeared in the middle of the night and attacked the city from within. A Trojan's goal is to hide itself inside software that appears to be legitimate, and when that programme is run, it will carry out its mission of stealing information or performing any other work for which it was created.

4. Bots - Bots are a more evolved version of worms. They are automated processes that communicate over the internet without requiring human intervention. They can be beneficial or harmful. A malicious bot can infect a single system and then establish a link to a central server, which will issue commands to all infected hosts connected to the botnet.

5. Adware - Adware isn't dangerous, but it does intrude on consumers' privacy. It places advertisements on a computer's desktop or within specific programmes. It comes with free-to-use software, which is the primary source of income for such developers. It keeps track of your preferences and shows you advertisements that are relevant to you. Adware can monitor your system activity and potentially infect your PC if malicious code is embedded in the software.

6. Spyware - It is a programme, or software, that monitors your computer activities and discloses the information obtained to a third party. Trojans, viruses, and worms are the most common sources of spyware. Once dropped, they install themselves and sit silently to evade detection. A keylogger is one of the most frequent spyware examples. A keylogger's primary function is to record user keystrokes with a timestamp. As a result, information such as usernames, passwords, and credit card numbers is captured.

7. Ransomware - Ransomware is a sort of software that encrypts your files or locks your computer, rendering it unusable in part or entirely. Then a screen will appear, requesting money in payment for the ransom.

8. Scareware - It appears to be a tool that will help you fix your computer, but when you run it, it will infect or entirely damage your computer. The software will display a message in an attempt to scare you into taking action, such as paying them to fix your system.

Q8: What do you mean by virtualization?


A8.

1. Security virtualization, often known as virtualized security, refers to software-based security solutions that are designed to work in a virtualized IT environment. Traditional hardware-based network security, on the other hand, is static and operates on devices like firewalls, routers, and switches.

2. Virtualized security, in contrast to hardware-based security, is adaptable and dynamic. It can be deployed anywhere on the network and is frequently cloud-based, rather than being tied to a device. This is critical for virtualized networks, which allow operators to dynamically construct workloads and applications; virtualized security allows security services and functions to move around with those dynamically formed workloads.

3. The functions of traditional security hardware appliances (such as firewalls and antivirus protection) can be virtualized and deployed via software. Additional security functions can also be performed via virtualized security. These features are only possible because of the benefits of virtualization, and they're tailored to meet the unique security requirements of a virtualized system.

4. An organization can, for example, place security measures (such as encryption) between the application layer and the underlying infrastructure, or utilize micro-segmentation tactics to decrease the attack surface.

5. Virtualized security can be deployed as a bare metal hypervisor application (which it can use to enable excellent application monitoring) or as a hosted service on a virtual machine. In either case, unlike physical security, which is bound to a single device, it can be instantly deployed where it is most effective.

6. The following are some examples of virtualized security features:

○ Segmentation, or limiting access to specified resources to specific applications and individuals. Controlling traffic between different network segments or tiers is a common example.

○ Micro-segmentation, or the application of specific security policies at the workload level to create granular safe zones and limit an attacker's ability to move through the network. Micro-segmentation divides a data center into segments, allowing IT teams to define security policies for each segment separately, increasing the data center's attack resilience.

○ Isolation - Separating independent workloads and apps on the same network is known as isolation. This is especially critical in a multi-tenant public cloud environment, and it can also be used to safeguard physical equipment from attack by isolating virtual networks from it.

Q9: Discuss the security in Linux.


A9.

1. Security has been a cornerstone of the Linux operating system since its creation. Each user must be isolated from other users, and a password and user ID are necessary to use Linux.

2. Users also have fewer automatic access permissions, making it more difficult for them to propagate malware by gaining access to a variety of files on the computer.

3. The open source format, which supports a wide range of operating systems, system architectures, and components, such as email clients, makes it more difficult for malware to spread.

4. In terms of security, Linux users have a distinct advantage over their Windows or Mac counterparts. Unlike proprietary operating systems, Linux has security integrated into its core design in numerous ways.

5. The increasingly popular open-source operating system offers a lot of freedom, is flexible, and has a lot of options. It also has a rigorous user privilege model and a number of built-in kernel security countermeasures to protect against attacks and vulnerabilities. Because of the open nature of Linux source code, vulnerabilities - which are unavoidable in any operating system - are virtually always resolved quickly.

6. Open-Source Security Model - Members of the lively, global open-source community analyze Linux source code on a regular basis, and as a result of this inspection, Linux security flaws are generally detected and fixed quickly. In contrast, proprietary companies such as Microsoft and Apple use a technique known as "security by obscurity," in which source code is kept from outsiders in an effort to keep vulnerabilities secret from threat actors.

7. User Privilege Model - Unlike Windows, where "everyone is an administrator," Linux has a rigorous user privilege paradigm to limit root access. On Linux, the superuser has complete control over all rights, whereas ordinary users are merely given the access they need to do common tasks. It is more difficult to distribute malware and rootkits on a Linux system because users have limited default access rights and must request additional permissions to view attachments, access files, or change kernel parameters. As a result, these built-in constraints serve as a crucial line of security against attacks and system compromise.

8. Built-In Kernel Security Defenses - Firewalls that use packet filters in the kernel, the UEFI Secure Boot firmware verification mechanism, the Linux Kernel Lockdown configuration option, and the SELinux or AppArmor Mandatory Access Control (MAC) security augmentation systems are all incorporated into the Linux kernel. Administrators can add an extra layer of security to their systems by enabling these features and customizing them to give the maximum level of security, a process known as Linux kernel self-protection.

9. Highly Customizable & Configurable - Linux administrators have many more configuration and control options than Windows users, many of which can be utilized to improve security. Linux sysadmins, for example, can use SELinux or AppArmor to lock down their system with security policies that provide granular access controls, adding an important layer of security to the system. Admins can also harden the sysctl.conf file - the main kernel parameter configuration point for a Linux system - to give their system a more secure foundation, and employ the Linux Kernel Lockdown configuration option to strengthen the separation between userland processes and kernel code.

10. Audit Trails - Linux kernel 2.6 comes with the auditd daemon. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make changes such as setting the audit log file location and other options. The default file is good enough to get started with auditd.

Q10: Is there any way to check which ports are listening on my Linux Server?
A10.
There are 4 ways to check which ports are listening on a Linux server :-

1. Using netstat command - The netstat command (network statistics) is used to show details about individual network connections, overall and protocol-specific networking statistics, and much more, all of which could help troubleshoot certain kinds of networking issues. To print all open ports in the Terminal, we use :-

$ sudo netstat -ltup

The flag -l tells netstat to print all listening sockets, -t shows all TCP connections, -u displays all UDP connections and -p enables printing of the name of the application/program listening on the port.

2. Using nmap command - Nmap is a network scanner utility used for port mapping, host discovery and vulnerability scanning. Most of its functions are based on using IP packet analysis to detect and identify remote hosts, operating systems and services. Since it is not installed by default, we can install it on our system using any package installer :-

$ sudo apt install nmap

To scan all open/listening ports in your Linux system, run the following command :-

$ sudo nmap -n -PN -sT -sU -p- localhost

3. Using ss command - The ss command is used to display information about sockets. The following command will show all listening ports for TCP and UDP connections :-

$ sudo ss -lntu

4. Using lsof command - The lsof command is used to list open files in Linux. Since everything is a file in Unix/Linux, an open file may be a stream or a network file. To list all Internet and network files, use the -i option. Note that this command shows a mix of service names and numeric ports.

$ sudo lsof -i
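Listing the ports is only the first step; the check an administrator actually wants is whether anything is listening that the server is not supposed to expose. The script below is an added example, not part of the original assignment, that parses `ss -lntu`-style output into "proto/port" entries and compares them with an allow-list. It runs offline on a constructed sample that resembles `ss -lntu` output (the sample lines, the `BASELINE` allow-list and the function names are assumptions of this example); on a live host you would replace the sample with `sudo ss -lntu` output.

```sh
#!/bin/sh
# Parse `ss -lntu` output into proto/port entries and flag listeners that are
# not on an expected baseline.

# Constructed sample (assumption of this example) in the layout `ss -lntu` prints:
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      511    *:80               *:*
tcp   LISTEN 0      128    [::]:22            [::]:*'

# Constructed allow-list (assumption): what this server is expected to expose.
BASELINE='tcp/22 tcp/80 udp/53 udp/68'

# listening_ports: read ss output on stdin and print "proto/port", one per line,
# de-duplicated and sorted. The local address is field 5; the port is the text
# after the last ':' so "127.0.0.53%lo:53", "[::]:22" and "*:80" all parse.
# IPv4 and IPv6 listeners on the same port collapse into one entry.
listening_ports() {
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
            n = split($5, parts, ":")
            print $1 "/" parts[n]
        }' | sort -u
}

# unexpected_listeners: print each listening proto/port from stdin that is not
# in the space-separated allow-list passed as $1.
unexpected_listeners() {
    allow=" $1 "
    listening_ports | while IFS= read -r entry; do
        case "$allow" in
            *" $entry "*) ;;                 # expected, nothing to report
            *) printf '%s\n' "$entry" ;;     # not on the baseline
        esac
    done
}

# Stand-alone run: show everything listening, then what is off-baseline.
echo "listening:"
printf '%s\n' "$SAMPLE_SS" | listening_ports
echo "not in baseline:"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$BASELINE"
```

On the constructed sample the only off-baseline entry is tcp/631, the CUPS IPP listener mentioned under printing services in Q2; whether that is a finding depends on whether the host is meant to serve print jobs. Keeping the allow-list in version control and running this comparison from a cron job turns the one-off `ss` check into a simple drift detector for new or unexpected services.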
