UNIT 2 Cyber Security (1)

The document covers key aspects of cyber security, focusing on application security, data security considerations, security technologies, and various security threats. It discusses the importance of securing applications, data backup, archival, and disposal, as well as the roles of firewalls, VPNs, and intrusion detection systems. Additionally, it outlines different types of security threats, including various forms of viruses and their characteristics.

Uploaded by

mohdaamir0360


CYBER SECURITY (KCA A01)


UNIT- 2
Application Security- (Database, E-mail and Internet), Data Security
Considerations-(Backups, Archival Storage and Disposal of Data), Security
Technology-(Firewall, VPNs, Intrusion Detection System), Access Control.
Security Threats -Viruses, Worms, Trojan horse, Bombs, Trapdoors, Spoofs, E-mail
Viruses, Macro Viruses, Malicious Software, Network and Denial of Services
Attack.

Application Security
 Application security is the use of software, hardware and procedural
methods to protect applications from external threats.
 It includes knowing your threats and securing the network, the applications
and the files and data they handle.
 Application security is the discipline of processes, tools and practices for
protecting applications from threats throughout the whole application
lifecycle.

 There are challenges both for vendors, who must prevent malicious activity
in their products, and for users, who must keep their systems secure.
 The vendor's challenge is to develop secure applications for many platforms
and versions; the user's challenges include complying with the vendor's
security standards and managing patch cycles.
 Security is becoming an increasingly important concern during development
as applications are more frequently accessible over networks and are, as a
result, exposed to a wide variety of threats.
 Application security includes:
 Knowing your threats.
 Securing the network, the host and the application.
 Incorporating security into the software development process.

Vendor challenges for Application Security

The biggest challenge for software vendors is the variety of OS platforms and
application versions in use: developing and testing a secure build for every
platform is a daunting task for an organization. The other big challenge in
providing a secure application is compatibility with all those platforms and
versions.

Application Security Issues

1. Verifying users (authentication): an application must verify that only
legitimate users are using it. Users prove their identity with something they
know (a password), something they have (a token or device) or something they
are (a biometric).
2. Granting access to users (authorization): once a user is authenticated, the
application must determine whether that user is allowed to use the
functionality being requested.
3. Keeping data confidential with encryption: in business transactions, data
from application systems is exchanged over networks and must be encrypted in
transit; data stored by applications must likewise be protected at rest.
4. Guaranteeing data integrity and non-repudiation: when the receiver gets a
message, it must be able to detect any alteration, and neither sender nor
receiver should be able to repudiate the message, that is, deny its
authenticity. A digital signature is the common mechanism for both, because
only the holder of the signing key could have produced it.
5. Safeguarding applications from common attack strategies.
6. Guarding the privacy of application data and users.
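Points 1 and 4 above in working code, as an added example that is not part of the original notes: a user is verified against a salted, iterated password hash, and a message is protected with an HMAC tag so that tampering is detected. The password, message and iteration count are constructed for the demo; only the Python standard library is used. Note the caveat in sign_message: an HMAC key is shared by both parties, so it proves integrity but not non-repudiation, which is why the notes name digital signatures for the latter.

```python
"""Salted password verification (authentication) and HMAC message tags (integrity),
using only the Python standard library. Added example; the message, password and
iteration count are constructed for illustration."""
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256. Kept modest so the demo runs quickly;
# production deployments use a much higher count (OWASP suggests 600,000).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different digests and precomputed tables are useless."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest and compare in constant time, so response timing does
    not reveal how many leading bytes of the guess were right."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def sign_message(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message. Without the key nobody can forge a tag or
    alter the message undetected. Because the key is shared by both parties, this
    gives integrity but not non-repudiation; a digital signature is needed for that."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_message(key, message), tag)


def demo() -> dict:
    """Run both controls on constructed inputs and report the outcomes."""
    salt, digest = hash_password("correct horse battery staple")   # stored at enrolment
    key = os.urandom(32)                                           # shared secret
    message = b"transfer 100 to account 42"                        # constructed message
    tag = sign_message(key, message)
    tampered = b"transfer 900 to account 42"                       # attacker edits the amount
    return {
        "right_password": verify_password("correct horse battery staple", salt, digest),
        "wrong_password": verify_password("Correct horse battery staple", salt, digest),
        "intact_message": verify_message(key, message, tag),
        "tampered_message": verify_message(key, tampered, tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Both comparisons go through hmac.compare_digest rather than ==, because an early-exit comparison lets an attacker measure how much of a guess was correct.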

Data Security Considerations

Data security means maintaining the CIA properties: Confidentiality, Integrity
and Availability.
• To maintain these properties the following need to be considered:
 Data Backup Security Considerations
 Data Archival Security Considerations
 Data Disposal Security Considerations
Data Backup Security Considerations
To manage data properly we must consider data backup, which protects against
loss of data of any kind (hardware failure, accidental deletion or malware).
• A backup is a stored copy of the data in its latest state, kept separately
from the original.
• Backup considerations fall into two groups:
 Hardware backup
 Software backup

Hardware Backup
• It is important to decide which hardware to use for the backup.
• The speed of the backup and of the restore depends on the hardware used,
how it is connected, the bandwidth of the network, the backup software and
the speed of the server's I/O system.
• Tape technology
• Disk backups

Software Backups
• Software tools are available that help with the backup process; they usually
come as a package.
• These tools do not only take the backup, they also manage and control the
backup strategy (schedules, retention and restores).
• The criteria for choosing a software package are listed below:
 How well does the product scale as tape drives are added?
 Does the package have a client-server option, or must it run on the database
server itself?
 What degree of parallelism is required?
 What platforms are supported by the package?
 Does the package give easy access to information about tape contents?
 Is the package database-aware?
 What tape drives and tape media are supported by the package?

Data Archival Security Considerations

• Data archiving is the process of moving data that is no longer actively used
to a separate storage device for long-term retention.
• Archived data is older data that is still important to the organization and
may be needed for future reference, so it needs the same confidentiality and
integrity protection as live data.
• Data archives are indexed and searchable so that files, and parts of files,
can be located and retrieved easily.

Data Disposal Security Considerations

• Data disposal is the process of destroying data stored on tapes, hard disks
and other electronic media so that it is completely unreadable and cannot be
accessed or used for unauthorized purposes.
• When a file is deleted, it is no longer readily accessible by the operating
system or the application that created it, but its blocks remain on the medium
until they are reused and can be recovered with forensic tools.
• Deleting a file is therefore not enough: data destruction software must
overwrite the freed space/blocks with random data until the original content
is considered irretrievable.
• There are basically three options for secure data disposal:
1. Overwriting
2. Degaussing (effective only on magnetic media)
3. Physical destruction
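The overwriting option in code, as an added example that is not part of the original notes: the file's bytes are replaced with random data and forced to disk before the directory entry is removed. The "sensitive" content and the temporary path are constructed for the demo. The docstring carries the caveat a practitioner needs: overwriting the logical file does not reach copies held by journaling filesystems, snapshots, backups or SSD wear-levelling, which is why the notes also list degaussing and physical destruction.

```python
"""Overwrite-then-unlink disposal of a single file, the 'overwriting' option listed
above. Added example; the file contents and temporary path are constructed."""
import os
import tempfile

CHUNK = 1 << 16  # overwrite in 64 KiB chunks so large files need not fit in RAM


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file in place with random data, `passes` times,
    forcing each pass to the medium with fsync. Returns the file size in bytes.
    Caveat: this defeats recovery of the logical file on a conventional disk. It
    does not reach copies kept by a journaling filesystem, snapshots, backups or
    the remapped cells of an SSD; for those, encrypt at rest and destroy the key,
    or degauss / physically destroy the medium as the notes above describe."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, CHUNK))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())
    return size


def dispose(path: str, passes: int = 3) -> bool:
    """Overwrite, then remove the directory entry. True if the path is gone."""
    overwrite_file(path, passes)
    os.remove(path)
    return not os.path.exists(path)


def demo() -> dict:
    """Write a constructed 'sensitive' file, overwrite it once, and show that the
    on-disk content changed while the size did not; then dispose of it."""
    secret = b"customer card numbers: 4111 1111 1111 1111\n" * 8   # constructed data
    fd, path = tempfile.mkstemp(prefix="dispose-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_file(path, passes=1)
    with open(path, "rb") as f:
        after = f.read()
    return {
        "size_unchanged": len(after) == len(secret),
        "secret_gone": secret[:16] not in after,
        "unlinked": dispose(path),
    }


if __name__ == "__main__":
    print(demo())
```

On Linux the `shred -u` utility performs the same overwrite-then-unlink for a single file, with exactly the same caveats.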

Firewall
A firewall is a system that inspects incoming and outgoing traffic and controls
the traffic flow by dropping or passing packets according to a rule set.
• A firewall can be implemented using:
 Hardware
 Software
 A combination of hardware and software

Types of Firewalls
1. Packet Filter
2. Application Level Gateway
3. Circuit Level Gateway
4. Proxy Server

1. Packet Filter Firewall

• It is also known as a network layer firewall.
• It passes or blocks each packet according to a set of rules.
• The firewall administrator defines the rules; otherwise default rules apply.
• Modern firewalls can filter traffic on many packet attributes, such as:
 source IP address, source port, destination IP address, destination port and
the destination service (for example WWW/HTTP or FTP).
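A packet filter of the kind just described, as an added example that is not part of the original notes: rules match on protocol, CIDR source/destination and destination port, are evaluated in order with first match winning, and the last rule denies everything else. The addresses, ports and packets are constructed; the policy is a hypothetical small DMZ. Because the filter is stateless it cannot tell a legitimate reply from an unsolicited packet; that is what the connection tracking of the circuit-level gateway described next adds.

```python
"""A stateless packet filter of the kind described above: ordered rules over
protocol, addresses and destination port, first match wins, default deny.
Added example; addresses, ports and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: str = "0.0.0.0/0"          # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None matches any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto is None or self.proto == p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


# Constructed policy for a small DMZ: 10.0.0.80 is the web server, 10.0.0.22 a
# management host reachable only from the operations subnet 10.0.1.0/24.
RULES: List[Rule] = [
    Rule("allow", "tcp", dst="10.0.0.80/32", dport=80, comment="public web"),
    Rule("allow", "tcp", dst="10.0.0.80/32", dport=443, comment="public web (TLS)"),
    Rule("allow", "tcp", src="10.0.1.0/24", dst="10.0.0.22/32", dport=22, comment="admin SSH from ops"),
    Rule("deny", "tcp", dport=23, comment="telnet is never allowed"),
    Rule("deny", comment="default deny"),   # catch-all; keep it last
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, comment of the matching rule). If no rule matches at all,
    deny: an unmatched packet must never be implicitly allowed."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def demo() -> dict:
    """Decisions for a handful of constructed packets."""
    cases = {
        "web_from_internet": Packet("tcp", "203.0.113.5", 51000, "10.0.0.80", 443),
        "ssh_from_internet": Packet("tcp", "203.0.113.5", 51001, "10.0.0.22", 22),
        "ssh_from_ops":      Packet("tcp", "10.0.1.7", 51002, "10.0.0.22", 22),
        "telnet_from_ops":   Packet("tcp", "10.0.1.7", 51003, "10.0.0.22", 23),
        "dns_from_internet": Packet("udp", "198.51.100.9", 40000, "10.0.0.53", 53),
    }
    return {name: filter_packet(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{name:20s} {action:5s} ({why})")
```

Rule order matters: moving the "default deny" rule above the allow rules would silently block everything, so rule sets are normally reviewed with test packets like the ones in demo().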

2. Application Level Gateway

• Application-layer firewalls work at the application level of the TCP/IP
stack (for example on all browser, Telnet or FTP traffic) and may intercept
all packets travelling to or from an application.
• They block other packets (usually dropping them without acknowledgement to
the sender).
• Because they inspect the content of every packet for improper content, such
firewalls can restrict or prevent outright the spread of networked computer
worms and Trojans.

3. Circuit Level Gateway

• It works at the session layer of the OSI (Open Systems Interconnection)
model.
• These devices monitor the TCP (Transmission Control Protocol) handshakes as
sessions are established between local and remote hosts, to determine:
 whether the session being initiated is legitimate, and
 whether the remote system is considered trusted.
• They do not inspect the contents of the packets themselves.

4. Proxy Server
• Acts as an intermediary between client and server.
• Blocks unauthorized packets.
• Monitors outbound traffic.
• Hides the true network addresses of internal hosts and intercepts all
messages entering and leaving the network.
• Because every request must pass through it, requests from attackers seeking
resources on internal servers are also handled by the proxy rather than by
the servers themselves.

VPN (Virtual Private Network)

• A virtual private network (VPN) is a framework in which multiple remote
peers transmit private data securely to one another over an otherwise public
infrastructure such as the Internet.
• In this framework, inbound and outbound network traffic is protected by
tunnels that encrypt all data at the IP level (IPsec is the classic example).
• The functions of a VPN are:
 Authentication
 Access Control
 Confidentiality
 Data Integrity

Intrusion Detection System (IDS)

 Intrusion detection is a set of techniques and methods used to detect
suspicious activity at both the network and the host level.
 An intrusion detection system (IDS) can also be used to track user
activity, such as the websites visited, time of visit, number of pages
visited on a site and the entry and exit uniform resource locators (URLs).
 An IDS always has a sensor as its core element, which is what detects
intrusions. The data the sensors work on comes from various sources, such as
the IDS knowledge database (signatures) and audit trails.
 An IDS monitors network traffic for suspicious activity and issues alerts
when such activity is discovered.
 Some intrusion detection systems are also capable of taking action when
malicious activity or anomalous traffic is detected, for example blocking
traffic sent from suspicious IP addresses (a system that does so is usually
called an intrusion prevention system, IPS).

Types of Intrusion Detection System (IDS)

• Intrusion detection systems are classified by where they look and by how
they detect:
1. Network intrusion detection system (NIDS)
2. Host intrusion detection system (HIDS)
3. Signature Based Intrusion Detection System (SBIDS)
4. Anomaly Based Intrusion Detection System (ABIDS)

Network Intrusion Detection System (NIDS)

 A NIDS captures network traffic to perform intrusion detection.
 A NIDS scans the packets at a network chokepoint such as a router, audits
the packet information and logs any suspicious packets into a special log file
with extended information.
 By monitoring the traffic, a NIDS tries to detect malicious activity such as
denial-of-service attacks, port scans and exploitation attempts.
 A network-based intrusion detection system is thus used to monitor and
analyze network traffic to protect systems from network-based threats.

Host based Intrusion Detection Systems (HIDS)

 A host intrusion detection system is designed to monitor, detect and respond
to activity and attacks on a given host.
 HIDS are typically run on the computers or devices in the network that have
direct access both to the Internet and to the enterprise's internal network.
 A HIDS may also be able to identify malicious traffic that originates from
the host itself, as when the host has been infected with malware and is
attempting to spread to other systems.
 It monitors the inbound as well as outbound packets of the individual host
or device on which it runs, along with local events such as file changes and
log entries.

Signature Based Intrusion Detection Systems (SBIDS)

 A SBIDS monitors all packets traversing the network and compares them
against a database of signatures or attributes of known malicious threats,
much like antivirus software. It is precise for known attacks but cannot
detect an attack for which no signature exists yet.

Anomaly Based Intrusion Detection Systems (ABIDS)

 An ABIDS monitors network traffic and compares it against an established
baseline of what is normal for the network with respect to bandwidth,
protocols, ports and which devices talk to each other.
 An anomaly-based intrusion detection system detects both network and
computer intrusions and misuse by monitoring system activity and classifying
it as either normal or anomalous; it can catch novel attacks, at the cost of
more false positives when legitimate behaviour changes.
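The two detection methods side by side, as an added example that is not part of the original notes: both run over constructed web-server access-log lines. The signature detector matches known attack strings (an SQL injection probe and a path traversal) in the decoded request path; the anomaly detector learns a per-client request-count baseline from a constructed clean log and flags any client more than three standard deviations above it. The log format, patterns and thresholds are illustrative.

```python
"""Signature-based and anomaly-based detection over constructed web access-log
lines: signatures match known attack strings in the request path; the anomaly
detector learns a per-client request-count baseline from a clean log and flags
clients far above it. Added example; logs, patterns and thresholds are
constructed and illustrative."""
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote


# Constructed log format: "client_ip timestamp METHOD path status"
def _lines(ip, n, start):
    return [f"{ip} {start + i} GET /page{i}.html 200" for i in range(n)]


TRAINING_LOG = "\n".join(          # clean traffic used to establish the baseline
    _lines("10.0.0.5", 2, 0) + _lines("10.0.0.7", 3, 10)
    + _lines("10.0.0.8", 1, 20) + _lines("10.0.0.9", 4, 30)
)

LIVE_LOG = "\n".join([
    "10.0.0.5 100 GET /index.html 200",
    "10.0.0.7 110 GET /login 200",
    "203.0.113.9 111 GET /index.php?id=1'%20OR%20'1'='1 500",   # SQL injection probe
    "10.0.0.8 120 GET /index.html 200",
    "198.51.100.4 130 GET /../../etc/passwd 404",               # path traversal
    "10.0.0.7 140 POST /login 302",
] + [f"192.0.2.66 {150 + i} GET /search?q={i} 200" for i in range(60)])  # scraper/flood

SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "traversal": re.compile(r"\.\./"),
}


def parse(log: str):
    """Yield (ip, ts, method, decoded_path, status) for each log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ip, ts, method, path, status = line.split()
        yield ip, int(ts), method, unquote(path), int(status)


def signature_alerts(log: str):
    """SBIDS: every request whose decoded path matches a known-bad pattern."""
    alerts = []
    for ip, _ts, _method, path, _status in parse(log):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((name, ip, path))
    return alerts


def learn_baseline(training_log: str, k: float = 3.0) -> float:
    """ABIDS training: requests per client in clean traffic; anything above
    mean + k standard deviations will be treated as anomalous."""
    counts = list(Counter(ip for ip, *_ in parse(training_log)).values())
    return mean(counts) + k * pstdev(counts)


def anomaly_alerts(log: str, threshold: float):
    """ABIDS detection: clients whose request count exceeds the learned threshold."""
    counts = Counter(ip for ip, *_ in parse(log))
    return sorted(ip for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    for alert in signature_alerts(LIVE_LOG):
        print("signature:", alert)
    threshold = learn_baseline(TRAINING_LOG)
    print(f"baseline threshold: {threshold:.1f} requests")
    print("anomalous clients:", anomaly_alerts(LIVE_LOG, threshold))
```

The path is URL-decoded before matching; without that step the `%20`-encoded injection would slip past the signature, which is the usual reason signature engines normalise input first. The flood from 192.0.2.66 matches no signature and is caught only by the baseline comparison.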

Access Control
 Access control is a mechanism that defines and controls the access rights of
individuals to specific resources in the operating system.
 Access control systems include:
 File permissions: the access control that decides whether a user can
create, read, edit or delete a file on the file server.
 Program permissions: the access control that decides whether a user can
execute a program on the application server.
 Data rights permissions: the access control that decides whether a user
can retrieve or update information in a database.
 Access control is a way of limiting access to a system or to physical or
virtual resources.
 Access control is the process by which users are granted access and certain
privileges to systems, resources or information.
 In access control systems, users must present credentials before they can be
granted access.

Types of Access Control

The four main categories of access control are:
1. Mandatory access control
2. Role-based access control
3. Rule-based access control
4. Discretionary access control

Mandatory Access Control (MAC)

 MAC defines the accessibility of information in a consistent manner across
the whole system.
 Mandatory Access Control is a set of security policies constrained according
to system classification, configuration and authentication.
 MAC is a security strategy that restricts the ability of individual resource
owners to grant or deny access to resource objects in a file system; the
policy, not the owner, decides.
 MAC policy management and settings are established centrally and are limited
to system administrators.
 In this model every subject (user or process) and every object (resource) is
classified and assigned a security label, and access is permitted only when
the subject's label dominates the object's label as the policy requires.

Role-Based Access Control (RBAC)

 RBAC models look at control over information access from the viewpoint of
organizational roles.
 Role-based access control restricts network access based on a person's role
within an organization and has become one of the main methods of advanced
access control.
 The roles in RBAC correspond to the levels of access that employees have to
the network; permissions are attached to roles and users are assigned roles.
 In RBAC, when a request is made for access to a network or network resource,
the controlling device allows or blocks access based on that user's role in
the organization.
 For example, an individual with the engineer role in an organization might
be allowed access to the specifications of parts used in the company's
product, but blocked from employee records.
 An individual with the supervisor role might be allowed access to employee
records, but blocked from engineering documents and specifications.

Rule-Based Access Control

 In Rule-Based Access Control, the decision depends on settings saved in
preconfigured security policies (rules).
 With Rule-Based Access Control (RuBAC), when a request is made for access to
a network or network resource, the controlling device, e.g. a firewall, checks
the properties of the request against a set of rules.
 Examples of rule-based access control include permitting access for an
account or group to a network connection only at certain hours of the day or
on certain days of the week.

Discretionary access control

 The DAC model offers flexibility in the exchange of information between
network users.
 It allows users to share information dynamically with other users.
 Discretionary access control (DAC) grants or restricts access to an object
through an access policy determined by the object's owner (or owner group),
typically an access control list, and the owner may pass these rights on to
other subjects at their discretion.
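The four models above as small policy checks, and one way of layering them, as an added example that is not part of the original notes. The subjects, objects, labels, roles and the office-hours rule are constructed; the MAC check follows the Bell-LaPadula "no read up, no write down" rule as one concrete instance of label comparison. The point the demo makes is that a DAC grant by the owner cannot override MAC: bob is given read access to the specification but is still refused because his clearance is below its classification.

```python
"""The four access-control models described above as small, composable policy
checks over constructed subjects and objects. Added example; labels, roles,
permissions and the office-hours rule are illustrative, not from a real system."""
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, Set

# MAC sensitivity levels, ordered. Assigned by the system, not by owners.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str                                  # MAC label
    roles: Set[str] = field(default_factory=set)    # RBAC roles


@dataclass
class Obj:
    name: str
    classification: str                             # MAC label
    kind: str                                       # resource type used by RBAC
    owner: str                                      # DAC owner
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: user -> operations


def mac_allows(s: Subject, o: Obj, op: str) -> bool:
    """Mandatory: Bell-LaPadula style 'no read up, no write down'. The owner of
    the object has no say; only the labels matter."""
    sl, ol = LEVELS[s.clearance], LEVELS[o.classification]
    return sl >= ol if op == "read" else sl <= ol


def dac_grant(o: Obj, granter: str, user: str, op: str) -> bool:
    """Discretionary: only the owner may extend the ACL. Returns whether it took effect."""
    if granter != o.owner:
        return False
    o.acl.setdefault(user, set()).add(op)
    return True


def dac_allows(s: Subject, o: Obj, op: str) -> bool:
    return s.name == o.owner or op in o.acl.get(s.name, set())


# RBAC: permissions are attached to roles, never directly to users.
ROLE_PERMISSIONS = {
    "engineer":   {("part-spec", "read"), ("part-spec", "write")},
    "supervisor": {("employee-record", "read")},
}


def rbac_allows(s: Subject, o: Obj, op: str) -> bool:
    return any((o.kind, op) in ROLE_PERMISSIONS.get(r, set()) for r in s.roles)


def rule_allows(now: time, start: time = time(8, 0), end: time = time(18, 0)) -> bool:
    """Rule-based: a fixed rule such as 'only during office hours'."""
    return start <= now <= end


def authorize(s: Subject, o: Obj, op: str, now: time) -> bool:
    """How a system typically layers them: MAC can never be overridden, then
    either a role or an owner grant must permit the operation, then the rules."""
    return mac_allows(s, o, op) and (rbac_allows(s, o, op) or dac_allows(s, o, op)) and rule_allows(now)


def demo() -> dict:
    alice = Subject("alice", "confidential", {"engineer"})
    bob = Subject("bob", "internal", {"supervisor"})
    spec = Obj("turbine-spec", "confidential", "part-spec", owner="alice")
    hr = Obj("hr-file", "secret", "employee-record", owner="hrsys")
    dac_grant(spec, "alice", "bob", "read")                       # owner shares read access
    non_owner_grant = dac_grant(spec, "bob", "bob", "write")      # must fail
    return {
        "mac_bob_reads_secret_hr": mac_allows(bob, hr, "read"),        # read up: denied
        "mac_alice_writes_secret_hr": mac_allows(alice, hr, "write"),  # write up: allowed
        "dac_non_owner_grant": non_owner_grant,
        "dac_bob_reads_spec": dac_allows(bob, spec, "read"),
        "dac_bob_writes_spec": dac_allows(bob, spec, "write"),
        "rbac_alice_reads_spec": rbac_allows(alice, spec, "read"),
        "rbac_alice_reads_hr": rbac_allows(alice, hr, "read"),
        "rule_office_hours": rule_allows(time(9, 30)),
        "rule_midnight": rule_allows(time(0, 5)),
        "alice_reads_spec_in_hours": authorize(alice, spec, "read", time(10, 0)),
        "alice_reads_spec_at_night": authorize(alice, spec, "read", time(23, 0)),
        "bob_reads_spec_despite_grant": authorize(bob, spec, "read", time(10, 0)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```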

Security Threat
A security threat is a malicious act that aims to corrupt or steal data or to
disrupt an organization's systems or the organization as a whole.
With the increasing use of the Internet and advancing IT, applications are
becoming increasingly vulnerable to threats such as malicious code, viruses
and worms.

Types of Security Threats

The various security threats are as follows:

Virus
A virus is a piece of software designed and developed with the purpose of
infecting a computer system and performing illicit operations; unlike a worm,
it attaches itself to a host program or file and spreads when that host is run
or copied.
A virus can damage data stored on a hard drive, crash the OS or spread across
the network.

Different types of Virus

 Polymorphic virus: a virus that changes its code from one infection to the
next to avoid being detected by signature matching, while its payload (for
example displaying a message or deleting the files on the system) stays the
same.
 Stealth virus: a virus that masks itself from the operating system and
applications in order to avoid detection, for instance by returning the
original content when an infected file or boot sector is read. Stealth viruses
often attach to the boot sector of a hard disk.
 Retro virus: a virus that targets and bypasses installed antivirus software;
the retro virus is capable of attacking the antivirus directly.
 Multipartite virus: a virus that can infect in multiple ways; it harms a
system by infecting both the boot sector and executable files.
 Macro virus: a virus that abuses the macro (scripting) facility of
application programs. This type is commonly found in Microsoft Word or Excel
documents. Such viruses are stored as part of a document and spread when the
files are sent to other computers, often as email attachments.
 Browser hijacker: this virus targets and alters your browser settings. It is
often called a browser redirect virus because it redirects your browser to
other, malicious websites.
 Boot sector virus: a virus that infects the boot sector of floppy disks or
the Master Boot Record (MBR) of hard disks, so it runs before the operating
system does.
 File infector virus: as the name suggests, it first infects a single file
and then spreads to other executable files and programs. Common carriers are
games and word processors.
 Network virus: network viruses travel through network connections and
replicate themselves through shared resources.
 Resident virus: a resident virus installs itself in the computer's memory,
which allows it to infect files as they are opened. It can interfere with the
operating system, leading to file and program corruption.
 Web scripting virus: malware that breaches the web browser's security and
injects malicious code into a web page to take control of the browser and
alter its settings.

Trojan Horses
 Trojan horses are programs transmitted to a system in the disguise of a
legitimate application program, for example as an attachment to a program or
as part of an installation process.
 A Trojan horse is a type of malware that is downloaded onto a computer
disguised as a legitimate program. The attacker typically uses social
engineering to hide malicious code inside legitimate-looking software so that
the user installs it and thereby grants the attacker access to the system.
Unlike a virus or worm, a Trojan does not replicate itself.

Logic Bombs
 A logic bomb is a piece of code intentionally inserted into a software
system that sets off a malicious function when specified conditions are met.
 For example, a programmer may hide code that starts deleting files (for
instance a trigger on the salary database) should they ever be removed from
the payroll, i.e. terminated from the company.
 A logic bomb is thus a malicious piece of code secretly inserted into a
computer network, operating system or software application, lying dormant
until its trigger condition occurs.

Worms
 Worms are threats that are self-sufficient: they replicate themselves and do
not need any host application in order to spread.
 A computer worm is a type of malware whose primary function is to self-
replicate and infect other computers, typically by exploiting a network
service, while remaining active on the systems it has infected.
Spoofing
 Spoofing means providing false information about your identity in order to
gain unauthorized access to other people's computer systems.
 Spoofing is a type of attack in which the attacker takes on the identity of
a legitimate user and acts as that other person.
 In a spoofing attack, one person or program successfully pretends to be
another by falsifying data, thereby gaining an illegitimate advantage.
 IP spoofing and DNS spoofing are two common spoofing attacks.
 The objective of IP spoofing is to make data look as if it came from a
trusted host when it did not.

Types of Spoofing

IP Spoofing:
IP is the network protocol that carries messages over the Internet. The
sender's IP address is included as the source address in the header of every
IP packet sent. By altering the source address, attackers and scammers change
the header details to hide their real origin or to impersonate a trusted host;
because any reply then goes to the spoofed address, the technique is mostly
used for one-way traffic such as flooding attacks.
Email Spoofing:
The most common type of identity forgery on the Internet is email spoofing:
the From address of an email is set to someone else's. Phishers send emails to
many addresses and pose as representatives of banks, companies and law
enforcement agencies by using official logos and headers. Links to dangerous
or otherwise fraudulent websites, as well as attachments loaded with malicious
software, are included in the emails they send.

URL spoofing:
A spoofed URL is a fraudulent link that is disguised to look like a legitimate
source in order to steal your data. Sometimes, just clicking on a spoofed URL
is enough to infect your device with malware.

DNS Spoofing
DNS spoofing means the client obtains a wrong entry, i.e. a wrong IP address
for the requested site, from the DNS server or in reply to its query.
Attackers exploit flaws in the DNS system (for example forging a reply that
matches a pending query, or poisoning a resolver's cache) and redirect the
victim to a malicious or fake website.

Global Positioning System (GPS) spoofing

GPS spoofing alters the signals or data associated with the Global Positioning
System to produce different position, navigation or timing (PNT) information.
It is a way to trick a GPS receiver (and the applications running on it) into
thinking that it is in another place or at another time.
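The DNS spoofing case above from the defender's side, as an added example that is not part of the original notes: a resolver must only accept a reply whose transaction ID, destination port and question all match the query it has outstanding. The query, an honest reply and an attacker's forged reply are constructed in memory with the struct module; nothing is sent on the network, and the addresses come from the documentation ranges. The transaction ID is only 16 bits, which is why randomising the source port as well matters: it gives a blind attacker roughly 2^32 values to guess instead of 2^16. DNSSEC is the cryptographic fix for the cases these checks cannot cover.

```python
"""The checks a DNS resolver must apply to a reply before trusting it, which is
what makes blind DNS spoofing hard: the reply's transaction ID, destination port
and question must all match the pending query. Added example; the query, the
honest reply and the forged reply are constructed in memory and nothing is sent
on the network."""
import os
import struct
from typing import Tuple


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Header (id, flags RD=1, qd=1, an=0, ns=0, ar=0) + question (name, type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_reply(query: bytes, txid: int, answer_ip: str) -> bytes:
    """Answer a query with one A record. Used here both for the honest server's
    reply and for an attacker's forgery, which differs only in txid and address."""
    question = query[12:]                                      # copy the question section
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one answer
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    # answer RR: pointer to the name at offset 12, type A, class IN, TTL, rdlength, rdata
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + rr


def parse_question(msg: bytes):
    """Return (qname_bytes, qtype, qclass, offset_after_question)."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    i += 1
    qtype, qclass = struct.unpack("!HH", msg[i:i + 4])
    return msg[12:i], qtype, qclass, i + 4


def answer_ip(reply: bytes) -> str:
    """Dotted address from the first A record (assumes a compression-pointer name)."""
    off = parse_question(reply)[3]
    rdlength = struct.unpack("!H", reply[off + 10:off + 12])[0]
    return ".".join(str(b) for b in reply[off + 12:off + 12 + rdlength])


def accept_reply(query: bytes, reply: bytes, query_sport: int, reply_dport: int) -> Tuple[bool, str]:
    """Resolver-side validation. Any mismatch means the reply did not come in
    answer to our query and must be discarded as a possible spoof."""
    if reply_dport != query_sport:
        return False, "port mismatch"
    (q_id,) = struct.unpack("!H", query[:2])
    r_id, r_flags = struct.unpack("!HH", reply[:4])
    if q_id != r_id:
        return False, "transaction id mismatch"
    if not r_flags & 0x8000:
        return False, "not a response"
    if parse_question(query)[:3] != parse_question(reply)[:3]:
        return False, "question mismatch"
    return True, "ok"


def demo() -> dict:
    txid = struct.unpack("!H", os.urandom(2))[0]                     # random 16-bit id
    sport = 49152 + struct.unpack("!H", os.urandom(2))[0] % 16384    # random source port
    query = build_query("www.example.com", txid)
    honest = build_reply(query, txid, "192.0.2.1")
    forged = build_reply(query, (txid + 1) & 0xFFFF, "198.51.100.66")  # attacker guessed wrong
    wrong_q = build_reply(build_query("www.example.net", txid), txid, "198.51.100.66")
    return {
        "honest": accept_reply(query, honest, sport, sport),
        "honest_ip": answer_ip(honest),
        "wrong_txid": accept_reply(query, forged, sport, sport),
        "wrong_port": accept_reply(query, honest, sport, 53),
        "wrong_question": accept_reply(query, wrong_q, sport, sport),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```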

Trapdoor or Backdoor
 A backdoor is any hidden method for obtaining remote access to a computer.
 Trap doors are hidden entryways into a program that allow access to anyone
who knows them without going through the usual security checks.
 It is an undocumented entry point to a module or application, often left in
by a developer for debugging or maintenance.
 Network administrators sometimes use backdoors (remote administration tools)
to control client machines and supervise their actions in a business network.
 Backdoors are usually based on client-server network communication, where
the server runs on the attacked machine and the client is the attacker's.
 Trap doors turn into threats when dishonest programmers, or attackers who
discover them, use them to gain illegal access.

Malicious software
Malicious software, commonly known as malware, is any software that brings
harm to a computer system or network. Malware comes in the form of worms,
viruses, Trojans, spyware, adware, rootkits, etc., which steal protected data,
delete documents or add software not approved by the user.

Denial of Service Attack

 A Denial-of-Service (DoS) attack is an attack meant to shut down a machine
or network, making it inaccessible to its intended users.
 DoS attacks accomplish this by flooding the target with traffic, or by
sending it information that triggers a crash.
 In either case the attacker makes it impossible for legitimate users to
access computer systems, networks, services or other information technology
(IT) resources: the attack exhausts a resource (bandwidth, connection table,
CPU or memory) faster than the target can free it.

Distributed denial of service (DDoS)

 Distributed denial of service (DDoS) attacks are a subclass of denial of
service (DoS) attacks.
 A DDoS attack involves many connected online devices, collectively known as
a botnet, which are used to overwhelm a target website with bogus traffic.
 In a DDoS attack a large number of hosts flood unwanted traffic to a single
target server, so the attack cannot be stopped by blocking one source address.
 It is a cybercrime in which the attacker floods a server with Internet
traffic to prevent users from accessing the connected online services and
sites.
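A per-client token-bucket rate limiter, as an added example that is not part of the original notes: it is the usual first application-level defence against the request floods described above, and the traffic fed to it is constructed (one client at one request per second, one source flooding at one hundred per second). The caveat is in the lead-in rather than the code: a limiter at the server protects the server's own resources from a few noisy sources, but a volumetric DDoS from a botnet that saturates the link, or a flood with spoofed source addresses, has to be filtered upstream, because packets dropped at the server have already consumed the bandwidth.

```python
"""A per-client token-bucket rate limiter, the usual first application-level
defence against the request floods described above. Added example; the traffic
is constructed: one well-behaved client and one flooding source."""
from collections import defaultdict
from typing import Dict, Iterable, Tuple


class TokenBucket:
    """At most `burst` tokens; refilled at `rate` tokens per second; one token per request."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client address. A real deployment also caps the number of
    buckets (e.g. an LRU) so the bucket table itself cannot be exhausted."""

    def __init__(self, rate: float = 5.0, burst: int = 10):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def handle(self, src: str, now: float) -> bool:
        return self.buckets[src].allow(now)


def simulate(requests: Iterable[Tuple[str, float]], rate: float = 5.0, burst: int = 10) -> Dict[str, Tuple[int, int]]:
    """Feed (source, timestamp) requests through the limiter in time order and
    return {source: (served, rejected)}."""
    limiter = RateLimiter(rate, burst)
    stats: Dict[str, list] = defaultdict(lambda: [0, 0])
    for src, t in sorted(requests, key=lambda r: r[1]):
        if limiter.handle(src, t):
            stats[src][0] += 1
        else:
            stats[src][1] += 1
    return {src: (served, rejected) for src, (served, rejected) in stats.items()}


def constructed_traffic():
    """Constructed sample: a normal client and a flooding source."""
    normal = [("10.0.0.5", 1.0 * i) for i in range(30)]         # 1 request/s for 30 s
    flood = [("203.0.113.9", 0.01 * i) for i in range(2000)]    # 100 requests/s for 20 s
    return normal + flood


if __name__ == "__main__":
    for src, (served, rejected) in simulate(constructed_traffic()).items():
        print(f"{src:15s} served={served:4d} rejected={rejected:4d}")
```

With a burst of 10 and a refill rate of 5 per second, the flooding source gets roughly burst plus rate times duration, about 110 of its 2000 requests, served; the well-behaved client never sees a rejection.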

Difference between Denial of Service (DoS) vs Distributed Denial of Service
(DDoS)
