NIS/IS

Introduction To Information Security


• Foundation of Computer Security
 Definition of Security:
o Computer security deals with the prevention and detection of unauthorized actions by users of a computer system.
o Computer security provides security to data, computer systems, services, and supporting procedures.
o Different techniques are used for this purpose: access control, cryptography, etc.
o When computers are connected via a network, the term network security is introduced.
o Network security: protection of multiple computers and other devices that are connected.
o Information security and information assurance focus on the data possessed by the system.
o Data security: the content of information and the source of data transfer should be secure; only valid users can change or access the data.
o Data should be secured from modification, insertion, deletion or replay by an unauthorized person.
Need of Security
 People are dependent on computers and networks, so they are interested in the security of computers and networks.
 As a result several terms emerged: hacking, virus, TCP/IP, encryption, firewalls.
 Computers and networks have become part of daily needs:
 Making purchases: the payment mode has to be secured.
 Computerized information: medical information, financial information and data related to purchases should be secured and privacy must be maintained.
 Hence computer and network security is essential in today's highly automated world.
Security Basics
•Basic Goals or Components of Security:
• Confidentiality
• Integrity
• Availability
• Accountability
• Non-repudiation
• Reliability
• Authentication
• Authorization
o Confidentiality
 Ensures that only the individuals who have the authority can view a piece of information.
 Unauthorized individuals cannot.
 This is the security and concealment of information and resources.
 Industries that need to maintain confidentiality of information: government, military.
 Various resource-hiding mechanisms are used.
o Integrity
 Generation and modification of data.
 Only authorized users can create or change the information.
 Integrity can be lost as user C has access and can modify the message.
o Availability:
 Used to ensure that data or a system is available for use when an authorized user wants to access it.
o Accountability:
 Every individual working with information should have a specific responsibility for information assurance.
 His task should be part of the information security plan.
 Accountability is the traceability of actions performed on a system entity such as a user, process or device.
 Audit information must be kept protected and actions affecting security should be traced.
 The system needs to verify and authenticate users with the help of an audit trail of security-relevant events.
 If security is violated, information from the audit trail will help to identify the executor.
o Non-repudiation:
 Ability to verify that the message sent and the message received are the same.
 The sender can be identified and verified.
 Required for online transactions.
o Reliability
 Ability of computer hardware and software to perform according to its specification and produce the intended results.
o Authentication
 Process of determining identity in the following 3 ways:
1. Something you know:
I. Common identification mechanism: user ID, password.
II. Should not be shared with anyone else.
2. Something you have:
I. Use of something like a lock and key.
II. Only individuals having the valid key can open the lock.
3. Something about you:
 Something unique about you: fingerprint, DNA.
o Authorization
 Process of identifying that a known person has the authority to perform a certain operation.
 Authorization cannot occur without authentication.
• Risk and Threat Analysis
• Risk analysis is applied to:
• All information assets of an enterprise.
• The IT infrastructure of an enterprise.
• Development of new products or systems.
• Risk: some incident or attack causing damage to the system.
• An attack is done by:
• A sequence of actions,
• Exploiting weak points, until the attacker's goal is completed.
• Risk is calculated as:
• Assets
• In computer security, assets are any data, device or other component.
• Assets are identified and valued.
• An asset can be hardware, software or confidential information.
• E.g. servers, switches, support systems.
• Valuation of assets:
• Hardware – easy to evaluate.
• Data and information – difficult to evaluate – leaked information is an indirect loss.
• Assets should be protected from:
• Illegal access, use, disclosure, alteration, destruction or theft resulting in loss to the organization.
• Vulnerability
Vulnerability = weakness in the information structure.
• It will accidentally or intentionally damage the asset.
• Vulnerabilities can be:
• Default password is not changed
• Programs with unnecessary privilege
• Program with a known fault
• Weak access control settings on resources
• Weak firewall configuration.
• Susceptibilities can originate from hardware, software, business processes, procedures, policies, mistakes, or a computer used by a malicious user.
• Vulnerability scanners (tools) can be used, which give a systematic and automated way to find vulnerabilities.
• Vulnerabilities can be rated according to their impact.
• Threats
• A threat is an action by a hacker who exploits the vulnerabilities to damage assets.
• Threats can be identified by the damage done to assets:
• Spoofing the identities of users.
• Security settings may be changed, which gives the attacker more privilege.
• Information may be disclosed.
• A threat puts critical information at risk.
• An attack can:
• Start with innocent steps like gathering information to gain privilege on one machine.
• Then jump from one machine to another machine until the final goal is reached.
• To get a complete idea of a potential threat, an attack tree is used.
• An attack tree is a structured way of analyzing threats.
• In an attack tree, nodes represent attacks.
• Root node – goal of the attacker.
• Leaf node – way of achieving the goal.
• Values are assigned to edges, which help to calculate the estimated cost of the attack.
Attack Tree
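The attack tree described above, as an added worked example (my code, not from the slides or any tool the slides describe): the tree is a small Python structure with the attacker's estimated cost on the edges, and the evaluator computes the cheapest route to the root goal. The split into OR nodes (any one child suffices) and AND nodes (all children are needed), the constructed sample tree and its cost values are assumptions for the demonstration. The `countermeasure_impact` helper goes one step beyond the slides: it shows which leaf a defender should make more expensive first, which is how the edge values turn into a prioritised countermeasure list.

```python
# Added example (not from the slides): a small attack-tree evaluator.
# Assumptions (mine, not the slides'): a node is either an OR node (any one
# child achieves it) or an AND node (all children are needed), and the
# estimated attacker cost sits on the edge leading into each node, with
# leaves carrying the cost of the concrete attack step.
import copy
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Node:
    name: str
    kind: str = "OR"                 # "OR" or "AND"; irrelevant for leaves
    cost: float = 0.0                # value on the edge into this node
    children: List["Node"] = field(default_factory=list)


def cheapest_attack(node: Node) -> float:
    """Minimum estimated cost for the attacker to achieve this node's goal.

    Leaf: its own edge cost.  OR: edge cost + cheapest child.
    AND: edge cost + sum of all children (every step is required)."""
    if not node.children:
        return node.cost
    child_costs = [cheapest_attack(c) for c in node.children]
    if node.kind == "AND":
        return node.cost + sum(child_costs)
    return node.cost + min(child_costs)


def cheapest_path(node: Node) -> List[str]:
    """Names of the leaf steps the attacker would use on the cheapest route."""
    if not node.children:
        return [node.name]
    if node.kind == "AND":
        steps: List[str] = []
        for c in node.children:
            steps.extend(cheapest_path(c))
        return steps
    return cheapest_path(min(node.children, key=cheapest_attack))


def leaves(node: Node) -> List[str]:
    """All leaf names in the tree, in depth-first order."""
    if not node.children:
        return [node.name]
    out: List[str] = []
    for c in node.children:
        out.extend(leaves(c))
    return out


def raise_leaf_cost(root: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree with one leaf's cost replaced.

    Models a countermeasure: the defender makes that step more expensive."""
    tree = copy.deepcopy(root)
    stack = [tree]
    while stack:
        n = stack.pop()
        if not n.children and n.name == leaf_name:
            n.cost = new_cost
        stack.extend(n.children)
    return tree


def countermeasure_impact(root: Node, new_cost: float) -> Dict[str, float]:
    """Root cost that would result from hardening each leaf on its own.

    The leaf whose hardening raises the root cost the most is the
    countermeasure worth buying first."""
    return {leaf: cheapest_attack(raise_leaf_cost(root, leaf, new_cost))
            for leaf in leaves(root)}


# Constructed sample tree.  Root = attacker's goal, leaves = ways to get there,
# numbers = hypothetical cost units; none of these values come from the slides.
TREE = Node("read confidential file", "OR", children=[
    Node("guess weak password", cost=10),
    Node("exploit known program fault", "AND", children=[
        Node("find unpatched host", cost=20),
        Node("write working exploit", cost=80),
    ]),
    Node("bribe insider", cost=500),
])

if __name__ == "__main__":
    print("cheapest attack:", cheapest_attack(TREE), cheapest_path(TREE))
    for leaf, cost in countermeasure_impact(TREE, 200).items():
        print(f"harden '{leaf}' -> root cost {cost}")
```

With the sample values the weak password is the cheapest route (cost 10); hardening that one leaf raises the root cost to 100, the cost of the AND branch, while hardening the bribe leaf changes nothing because it was never on the cheapest path.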
• Risks
• Circumstances in which an organization's information is confronted (faced) with a threat and a vulnerability converging (coming together).
• Different organizations have different threats.
• Preparing for unexpected risk is key for security assurance.
• The trickiest task is calculating risk.
• Risk Analysis (RA) is the identification and estimation of risks.
• In an information security risk analysis, risk identification is the identification of hazards.
There are two fundamental types of risk analyses: quantitative and qualitative.
• Quantitative Risk Analysis
• A process for assigning a numeric value to the probability of loss based on known risks, on the financial values of the assets and on the probability of threats.
• Used to determine potential direct and indirect costs to the company based on the value of assets and their exposure to risk.
• For example:
• the cost of replacing an asset,
• the cost of lost productivity,
• the cost of diminished brand reputation.
• Qualitative Risk Analysis
• A collaborative process of:
• assigning relative values to assets,
• assessing their risk exposure,
• estimating the cost of controlling the risk.
• It utilizes relative measures and approximate costs rather than precise valuation and cost determination.
• In qualitative risk analysis:
• Assets can be rated based on criticality: very important, important, not important, etc.
• Vulnerabilities can be rated based on how urgently they must be fixed: fix soon, should be fixed, fix if suitable, etc.
• Threats can be rated based on a scale of likelihood: likely, unlikely, very likely, etc.
• For the rating, values from 1 to 10 are assigned.
• Figure for reference only (from ScienceDirect): qualitative risk analysis
Figure for reference only (from ScienceDirect): quantitative risk analysis
• Countermeasures
• The result of risk analysis is a list of threats with priority and recommended countermeasures to mitigate the risk.
• Risk analysis tools come with countermeasures.
• But there are a few challenges:
• Risk analysis for a large organization is time consuming.
• The IT system is changing continuously.
• The cost of a full risk analysis is difficult to justify.
• So, most organizations prefer baseline protection as an alternative solution.
• This approach analyzes the requirements of typical cases and recommends security measures.
• Threat to Security
• A threat exists when there is an action that causes harm to security.
• Categories of threats:
• Disclosure: disclosure of confidential information
• Deception: access to wrong data
• Disruption: prevention of correct action
• Usurpation: unauthorized access to a system or part of a system
• Viruses
• A virus is code or a program that attaches itself to another code or program and causes damage to the computer system or to the network.
• It is a piece of code.
• Loaded without the individual's knowledge.
• Runs against his/her wishes.
• A virus can replicate itself.
• Viruses are man-made.
• A simple virus can copy itself multiple times.
• A simple virus can be dangerous.
• It quickly uses all available memory space.
• It can bring the system to a halt.
• Dangerous viruses are capable of transmitting themselves across networks.
• They can avoid security systems.
• Phases of Viruses (Life Cycle of Viruses)
• A virus undergoes 4 phases:
• Dormant Phase: the virus is idle and is eventually activated by some event.
• Propagation Phase: the virus places identical copies of itself in other programs or into certain areas on the disk.
• Triggering Phase: the virus is activated to perform the function for which it was intended.
• Execution Phase: the function is performed.
• Types of Viruses
• Parasitic viruses
• Attaches itself to executable code and replicates itself.
• When the code is executed, it will find another executable code or program to infect.
• Memory resident virus
• Lives in memory after its execution.
• Enters into part of the operating system or an application.
• Manipulates any file that is executed, copied or moved.
• Non-resident virus
• It executes itself.
• Terminated or destroyed after a specific time.
• Boot sector virus
• Infects the boot record and spreads through a system when the system is booted from a disk containing the virus.
• Overwriting virus
• Overwrites the code with its own code.
• Stealth virus
• A virus that hides the modifications made in the file or boot record.
• Macro virus
• These are not executable.
• They affect Microsoft Word-like documents.
• They can spread through email.
• Polymorphic virus
• It produces fully operational copies of itself in an attempt to avoid signature detection.
• Companion virus
• It creates a new program instead of modifying an existing file.
• Email virus
• The virus gets executed when the email attachment is opened by the recipient.
• The virus sends itself to everyone on the sender's mailing list.
• Metamorphic virus
• It keeps rewriting itself every time.
• It may change its behavior as well as the appearance of its code.
• Dealing with Viruses
• There is no direct way to test/find the hidden code, but we can attempt to detect, identify and remove viruses.
• Detection: find out the location of the virus.
• Identification: identify the specific virus that has attacked.
• Removal: after identification it is necessary to remove all traces of the virus and restore the affected file to its original state with the help of anti-virus software.
• Worms
• A worm is a special type of virus that can replicate itself and use memory.
• But it cannot attach itself to other programs.
• Viruses and worms are the most common problems.
• Antivirus software can reduce the major portion of the threat.
• Generally, viruses and worms are non-discriminating threats.
• Released on the internet in a general fashion.
• Not targeted at a specific organization.
Worm code:
• Trojan Horse
• It is a hidden piece of code.
• It allows an attacker to obtain confidential data.
• Its purpose is to reveal confidential information to an attacker.
• E.g. a Trojan Horse can hide in the code for a login screen.
• When users enter their ID and password, the Trojan Horse captures the details and sends the information to the attacker without the knowledge of the authorized user.
• The attacker can use the information and gain access to the system.
• Intruders
• An intruder is a person that enters territory that does not belong to that person.
• Objective: to gain access to a system or to increase the range of privileges accessible on a system.
• One of the most publicized threats to security.
3 classes of intruders:
• Masquerader (generally an outsider): not authorized to use the computer but penetrates a system's access controls to use a legitimate user's account.
• Misfeasor (an insider): a legitimate (acceptable) user who accesses data, programs or resources for which this access is not authorized, OR who is authorized but misuses his privilege.
• Clandestine/Secret User (either insider or outsider): an individual holding managerial control who uses this control to avoid auditing and access controls or to suppress audit collection.
• Intruder attacks range from simple (just checking data) to serious (unauthorized modification or disruption).
• E.g. in addition to a password-checking program, an intruder attempts to modify the login software and can capture the passwords of users logging on to the system.
• The intruder makes the collection of compromised passwords available on a bulletin board set up on the victim's own machine.
• Bulletin board setup: a computer server running software that allows users to connect to the system using a terminal program.
• To avoid intruder attacks one must maintain the password file and protect it.
• Insiders
• Insiders have the access and necessary knowledge to cause immediate damage to an organization; hence, insiders are more dangerous than outside intruders.
• Many security measures are designed to protect the organization against outside intruders.
• So they lie at the boundary between the organization and the rest of the world.
• Insiders have all the access needed to carry out criminal activity like fraud.
• Insiders have knowledge about the security system.
• Employees as well as a number of other individuals have physical access to facilities, computer systems or networks.
• E.g. contractors, partners.
• Type of attacks
• An attack is a path or way by which a hacker can gain access to a computer system without your knowledge.
• Computer system and network attacks can be grouped into 2 categories:
• Attacks on specific software
• Attacks on a specific protocol or service
• An attacker's target can be of 2 types:
• Target of opportunity
• Defined target
• Attacks are grouped into 2 types:
• Passive attacks
• Active attacks
• Active attacks
• The contents of the original message are modified in some way.
• These attacks cannot be prevented easily.
• Types of active attacks
1. Interruption: caused when an unauthorised user pretends to be another user.
2. Modification: it contains replay attacks and alterations. The user captures a sequence of events and re-sends it. Alteration involves modification/changes to the original message.
3. Fabrication: it is an attempt to prevent authorised users from accessing some services. E.g. Denial of Service (DOS) attack.
• Passive attacks
• Passive attacks are those where the attacker aims to obtain information that is in transit.
• Does not involve modifications to the original message.
• Hard to detect.
• Types of passive attacks
a) Release of message contents: a confidential message should be accessed only by the authorised user; otherwise the message is released against our wishes.
b) Traffic Analysis: a passive attacker may try to find out similarities between encoded messages for some clues regarding the communication; this analysis is known as traffic analysis.
• Denial of Service (DOS)
• A Denial of Service (DOS) attack can exploit a known vulnerability in a specific application or operating system.
• It may attack features or weaknesses in particular protocols or services.
• The attacker is attempting to deny authorized users access to specific information or to the computer system or network itself.
• The aim of the attacker is just to prevent access or to gain unauthorised access to a computer network.
• DOS attacks are conducted using a single attacking system.
1. SYN Flooding attack:
• Used to prevent the services of the system.
• It takes advantage of trust relationships and the design of TCP/IP networks.
• This attack uses the TCP/IP three-way handshake for a connection between two systems.
• System I sends a SYN packet to System II, with which it wants to communicate.
• Then System II will send SYN/ACK if it wants to communicate or is able to accept the request, and the ACK packet then completes the handshake.
• But in a SYN flooding attack, the attacker will send fake requests for communication.
• These requests will be answered by the target system, which then waits for responses.
• These will never come because the request is fake.
• The connection will be dropped by the target system after the time-out period, but if the attacker sends requests faster than the time-out period, then the target system will quickly be filled with requests.
• After this the system will be reserving all connections for fake requests.
• Because of this, authorised users won't be able to communicate with the target system.
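An added simulation (my code, not from the slides) of the server side of the handshake just described: a table of half-open connections with a fixed capacity and time-out, fake SYNs that are never completed, and one legitimate client that tries to connect in the middle of the flood. Capacity, time-out and the two arrival rates are constructed values; the point is to watch the table fill once fake requests arrive faster than the time-out clears them, which is exactly the condition the slides state.

```python
# Added example (not from the slides): a simulation of a server's half-open
# connection table during the three-way handshake, to show why fake SYNs that
# are never completed exhaust the table when they arrive faster than the
# time-out clears them.  Capacity, time-out and rates are constructed values.
from typing import Dict, Tuple

Key = Tuple[str, int]          # (host name, identifier) of a pending connection


class HalfOpenTable:
    """Connections for which SYN/ACK was sent but no ACK has arrived yet."""

    def __init__(self, capacity: int, timeout_ms: int) -> None:
        self.capacity = capacity
        self.timeout_ms = timeout_ms
        self.pending: Dict[Key, int] = {}   # key -> time the SYN/ACK was sent
        self.rejected = 0                    # SYNs dropped because the table was full
        self.established = 0

    def expire(self, now: int) -> int:
        """Drop entries whose time-out has passed (server stops waiting)."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout_ms]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def on_syn(self, key: Key, now: int) -> bool:
        """SYN received: answer with SYN/ACK if a slot is free."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.rejected += 1
            return False
        self.pending[key] = now
        return True

    def on_ack(self, key: Key, now: int) -> bool:
        """Final ACK received: handshake complete, slot released."""
        self.expire(now)
        if key not in self.pending:
            return False
        del self.pending[key]
        self.established += 1
        return True


def simulate(fake_interval_ms: int, client_at_ms: int, capacity: int = 64,
             timeout_ms: int = 30_000, end_ms: int = 60_000) -> Tuple[bool, int]:
    """Fake SYNs (never followed by an ACK) arrive every fake_interval_ms.

    One legitimate client sends SYN at client_at_ms and ACKs 1 ms later.
    Returns (did the client connect, number of SYNs the table rejected)."""
    table = HalfOpenTable(capacity, timeout_ms)
    client: Key = ("client", 1)
    client_ok = False
    for now in range(end_ms + 1):
        if now % fake_interval_ms == 0:
            table.on_syn(("fake", now), now)      # handshake is never finished
        if now == client_at_ms:
            client_ok = table.on_syn(client, now)
        if now == client_at_ms + 1 and client_ok:
            client_ok = table.on_ack(client, now)
    return client_ok, table.rejected


if __name__ == "__main__":
    # 64 slots / 30 s time-out: roughly 2 fake SYNs per second are absorbed.
    print("1 fake SYN/s :", simulate(fake_interval_ms=1000, client_at_ms=45_000))
    print("10 fake SYN/s:", simulate(fake_interval_ms=100, client_at_ms=45_000))
```

With 64 slots and a 30-second time-out the table can absorb about two never-completed SYNs per second; at one per second the client connects and nothing is rejected, at ten per second every slot is held by a fake entry when the client arrives and its SYN is dropped.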
2. Ping-of-death (POD) attack
• The attacker sends an Internet Control Message Protocol (ICMP) "ping" packet equal to, or exceeding, 64 kB.
• This packet should not occur naturally.
• The system cannot handle such packets and it will hang or crash.
• Distributed Denial of Service (DDOS)
• A Denial of Service attack using multiple attacking systems is known as a Distributed Denial of Service (DDOS) attack.
• The goal is to deny the use of or access to a specific service or system.
• The method used to deny service is traffic from many different systems.
• Network attack agents are sometimes called Zombies.
• The attacker creates them and, on receiving requests, commands the attack agents to start sending a specific type of traffic against the target.
• Attack agents are not willing agents.
• They are the systems on which DDOS attack software has been installed.
• The attack network may be built in a multiple-step process in which the attacker first compromises a few systems, which are then used as handlers or masters, which in turn compromise other systems.
• After creation of the attack network the agents wait for an attack message that will include data on the specific target before launching the attack.
• One important thing about a DDOS attack is that with just a few messages to the agents, the attacker can have a flood of messages sent against the targeted system.
• To stop or mitigate the effects of a DOS or DDOS attack, one important precaution is to apply the latest patches and upgrades to your systems and the applications running on them.
Distributed Denial of Service (DDOS)
• Backdoors and Trapdoors
1. Backdoor attacks
• Backdoors are methods used by software developers to make sure that they can gain access to an application even if something were to happen in the future to prevent normal access methods.
• In a backdoor attack, attackers install programs after gaining unauthorised access to a system to ensure that they can have unrestricted access to the system even if their initial access method is discovered and blocked.
• Authorized individuals can also install backdoors inadvertently (unintentionally).
• This is possible if they run software that contains a Trojan Horse.
• NetBus and Back Orifice are common backdoors.
• If running on your system, they allow remote access to the attacker, who can perform any function on your system.
• A backdoor is generally installed at lower levels, closer to the operating system.
• Rootkits are established to ensure root access.
2. Trapdoor attacks
• Trapdoors are bits of code embedded in a program to quickly gain access at a later time (i.e. during the testing phase).
• If a corrupt programmer purposely leaves this code in or forgets to remove it, a potential security hole is introduced.
• Hackers often plant a backdoor on previously compromised systems to gain later access.
• Trapdoors can be almost impossible to remove in a reliable manner.
• Sniffing
• A sniffer is an application that can capture network packets.
• Sniffers are also known as network protocol analysers.
• The objective of sniffing is to steal:
• Passwords (from Email, Web Sites, FTP, TELNET etc.)
• Email text
• Files in transfer
• Network Sniffing
• A network sniffer is a software or hardware device that is used to observe traffic as it passes through a network on shared broadcast media.
• These devices can be used to view all traffic, or they can target a specific protocol, service, or even a string of characters like logins.
• Generally, a network device is designed to ignore all traffic that is not destined for that computer.
• Network sniffer attacks ignore this friendly agreement and observe all traffic on the network, whether destined for that computer or another.
• Some network sniffers modify the traffic as well.
• For monitoring network performance, network administrators can use network sniffers.
• They can be used to perform traffic analysis.
• They can also be used for network bandwidth analysis or to troubleshoot some problems.
• Attackers use network sniffers to gather information like authorised users' usernames and passwords for later use.
• The contents of e-mail messages can also be viewed as the messages travel across the network.
• To be most effective, network sniffers need to be on the internal network; hence the chances for outsiders to use them against you are extremely limited.
• Packet Sniffing
• It is a passive attack.
• The attacker does not hijack the conversation but observes the packets as they pass by.
• To prevent a sniffing attack, the information can be protected in the following ways:
• The information that is travelling can be encoded.
• The transmission link can be encoded.
• Spoofing
• Spoofing is making data appear as if it has come from a different source. This is possible in TCP/IP because of the friendly assumptions (trust) behind the protocols.
• The assumption at the time of protocol development was that individuals having access to the network layer would be privileged users who could be trusted.
• When a packet is sent from one system to another, it includes not only the destination IP address and port but the source IP address as well.
• This is one of the several forms of spoofing.
1. Spoofing e-mail
• E-mail spoofing can be easily accomplished, and there are several different ways to do it and programs that can assist in doing so.
• E-mail spoofing refers to email that appears to have originated from one source but was actually sent from another source.
• The best examples of email spoofing are:
• Spam mail and
• Junk mail.
• A very simple method to spoof an e-mail address is to telnet to port 25, the port associated with e-mail on a system.
• From there, one can fill in any address for the From and To sections of the message, whether or not the addresses are yours and whether they actually exist or not.
• There are simple ways to determine that an e-mail message was probably not sent by the claimed source, but most users do not question their e-mail and will accept it.
2. URL spoofing
• An attacker acquires a URL close to the one they want to spoof, so that e-mail sent from their system appears to have come from the official site.
• E.g. if attackers wanted to spoof XYZ Corporation, which owns XYZ.com, the attackers might gain access to the URL XYZ.Corp.com.
• An individual receiving a message from the spoofed corporation site would not normally suspect it to be a spoof but would take it to be official.
• This same method can be used to spoof web sites.
3. IP address spoofing
• The IP protocol contains the originator's IP address in the "from" portion of the packet.
• There is nothing that prevents a system from inserting a different address in the "from" portion of the packet; this is known as IP address spoofing.
• An IP address can be spoofed for several reasons. For example, in the DOS (Denial of Service) attack known as a Smurf attack, the attacker sends a spoofed packet to the broadcast address for a network, which distributes the packet to all systems on that network.
• Spoofing can take advantage of a trust relationship between two systems.
• If two systems are configured to accept authentication by each other, an individual logged on to any one system may not be forced to go through an authentication process again to access the other system.
• An attacker can take advantage of this by sending a packet to one system that appears to have come from a trusted system. Since the trust relationship is in place, the targeted system may perform the requested task without authentication.
• A reply will be sent once a packet is received, so the impersonated system can interfere with the attack, since it would receive an acknowledgment for a request it never made.
• Initially the attacker will launch a DOS attack to temporarily take out the spoofed system for the period of time that the attacker is exploiting the trust relationship.
• When the attack is completed, the DOS attack on the spoofed system would be terminated and the administrators for the system may never notice that the attack occurred.
• The figure shows a spoofing attack that includes a SYN flooding attack.
• Because of this attack, administrators are encouraged to strictly limit any trust relationship between hosts.
• Firewalls should also be configured to discard any packets from outside the firewall that have a from address indicating they originated within the network.
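The firewall rule the slides recommend, written out as a small packet classifier (an added example, my code, not from the slides or any firewall product): a packet arriving on the outside interface whose source address belongs to the internal ranges is dropped as spoofed. The internal address blocks, interface names and sample packets are constructed for the demonstration. The example goes a little beyond the slides with two checks that follow from the same reasoning: inbound packets aimed at an internal broadcast address are dropped (that is what a Smurf amplifier needs), and outbound packets whose source is not one of ours are dropped (so our own hosts cannot be used to spoof others).

```python
# Added example (not from the slides): the border-firewall rule the slides
# recommend, written as a small packet classifier.  The internal ranges,
# interface names and sample packets are constructed for the demonstration.
# Two extra checks (internal-broadcast destination, outbound foreign source)
# are my additions and are not stated on the slides.
import ipaddress
from typing import List, Tuple

# Constructed: the address blocks that belong to "our" network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True if addr lies inside one of our internal address blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_internal_broadcast(addr: str) -> bool:
    """True if addr is the broadcast address of one of our blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)


def decide(iface: str, src: str, dst: str) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for a packet seen on an interface."""
    if iface == "outside" and is_internal(src):
        return "drop", "internal source address arriving from outside: spoofed"
    if iface == "outside" and is_internal_broadcast(dst):
        return "drop", "inbound packet aimed at an internal broadcast address"
    if iface == "inside" and not is_internal(src):
        return "drop", "outbound packet with a source address that is not ours"
    return "accept", ""


def filter_packets(packets: List[Tuple[str, str, str]]) -> List[str]:
    """Decisions for a list of (interface, source, destination) packets."""
    return [decide(iface, src, dst)[0] for iface, src, dst in packets]


# Constructed sample traffic, as (interface, source, destination).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.5", "10.0.0.25"),        # normal inbound
    ("outside", "10.0.0.7", "10.0.0.25"),           # claims to be internal
    ("outside", "203.0.113.5", "10.255.255.255"),   # aimed at our broadcast
    ("inside", "10.0.0.7", "198.51.100.9"),         # normal outbound
    ("inside", "203.0.113.9", "198.51.100.9"),      # our host spoofing a source
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(verdict, pkt, decide(*pkt)[1])
```

The classifier only looks at which interface a packet arrived on and where its source claims to be; it cannot tell whether a packet from a genuinely external address is forged, which is why the slides also tell administrators to limit trust relationships between hosts rather than rely on source addresses.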


• For example, the Smurf attack:
• The attacker has sent one packet and is able to generate 254 responses at the specific target.
• Then, an attacker can send several of these spoofed requests to the target, or send them to several different networks.
• Then the target system can quickly become overwhelmed with the volume of echo replies it receives.
• Man in the Middle (MITM) attack or Bucket-Brigade attack
• It occurs when attackers are able to place themselves in the middle of two other hosts that are communicating, in order to view or modify the traffic.
• They do it by making sure that all communication is routed through the attacker's host.
• Attackers can observe traffic before transmitting it, and modify it or block it.
• For the target host, communication appears to be occurring normally since the expected responses are received.
• If the communication is encrypted then the amount of information that can be obtained in a man-in-the-middle attack will be reduced.
• Replay
• In this attack the attacker captures a portion of a communication between two parties and retransmits it after some time.
• E.g. the attacker might replay a series of commands and codes used in a financial transaction in order to cause the transaction to be conducted multiple times.
• Normal replay attacks attempt to avoid authentication mechanisms, for example by capturing and reusing a certificate or ticket.
• Replay attacks can be prevented by using encryption, cryptographic authentication and time stamps.
• If the certificate contains a date and time stamp or an expiry date and time stamp, this portion of the certificate will be encrypted; if this portion is replayed then it is useless, since it will be rejected as it is now expired.
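The prevention measures just listed (cryptographic authentication, time stamps, and rejecting anything already accepted), as an added example that is not part of the slides: each message carries a time stamp and a random nonce and is authenticated with an HMAC over all three, and the receiver rejects a message with a bad MAC, a message outside its validity window, and any nonce it has already seen. The shared key, the 30-second window and the sample transaction are constructed for the demonstration; the slides speak of certificates and tickets, and the same three checks apply to those.

```python
# Added example (not from the slides): replay protection for a message using
# an HMAC (cryptographic authentication), a time stamp with a validity window,
# and a per-message nonce that the receiver remembers.  Key, window and the
# sample transaction are constructed values.
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

SHARED_KEY = b"constructed-demo-shared-secret"   # constructed, demo only
WINDOW_SECONDS = 30                              # how long a message stays valid


def _canonical(body: Dict) -> bytes:
    """Stable byte encoding so sender and receiver MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(body: Dict, key: bytes) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def sign_message(payload: Dict, now: float, key: bytes = SHARED_KEY) -> Dict:
    """Sender side: attach time stamp, fresh nonce and MAC over all of them."""
    body = {"payload": payload, "ts": int(now), "nonce": secrets.token_hex(8)}
    return {**body, "mac": _mac(body, key)}


class ReplayGuard:
    """Receiver side: verifies MAC, freshness and first-time-seen nonce."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = WINDOW_SECONDS) -> None:
        self.key = key
        self.window = window
        self.seen: Dict[str, int] = {}   # nonce -> time stamp it was accepted with

    def verify(self, msg: Dict, now: float) -> Tuple[bool, str]:
        body = {k: msg[k] for k in ("payload", "ts", "nonce")}
        # 1. authentication: MAC must match; constant-time compare.
        if not hmac.compare_digest(_mac(body, self.key), msg.get("mac", "")):
            return False, "bad mac"
        # 2. time stamp: outside the window the message is expired (or from the future).
        if abs(now - msg["ts"]) > self.window:
            return False, "expired"
        # 3. nonce: forget nonces that can no longer pass check 2, then reject repeats.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False, "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    m = sign_message({"transfer": 100, "to": "acct-42"}, now=1000)
    print(guard.verify(m, now=1001))   # first delivery: accepted
    print(guard.verify(m, now=1002))   # same message again: replay
    print(guard.verify(m, now=1100))   # long after the window: expired
```

The order of the checks matters for the defender: the MAC is verified first so that an attacker cannot make the receiver store nonces or consult the clock on behalf of forged messages, and the nonce table is pruned by the same window that check 2 enforces, so it stays small without ever letting a replay through.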
• TCP/IP Hijacking
• TCP/IP hijacking is the process of taking control of an already existing session between a client and a server.
• Here one benefit to the attacker is that he doesn't have to avoid any authentication mechanism, since the user has already authenticated and established the session.
• When the user has completed the authentication sequence, the attacker can take over the session, which then serves the attacker and not the user.
• To prevent the user from noticing anything unusual, the attacker may decide to attack the user's system and perform a Denial-of-Service attack on it, so that the user and the system will not notice the extra traffic that is taking place.
• Generally hijack attacks are used against web and telnet sessions.
• The hijacker will need to provide the correct sequence number to continue the appropriated session.
• Encryption attacks
• Cryptography: cryptography is the art and science of writing secret messages, and encryption is the process of transforming plaintext into ciphertext, which is in an unreadable format, using a specific technique or algorithm.
• A key is used by many encryption techniques.
• One key is used in a mathematical process to jumble the original message into unreadable ciphertext, and another key is used to decrypt the ciphertext to re-create the original plaintext.
• The length of the key directly relates to the strength of the encryption.
• Cryptanalysis: cryptanalysis is the process of attempting to break a cryptographic system.
• This is an attack on the specific method used to encrypt the plaintext.
• There are many ways cryptographic systems can be compromised.
• Weak keys
• Some encryption algorithms may have poor keys, or easily decrypted ciphertext.
• Consider an encryption algorithm that consists of a single XOR function, where the key is repeatedly XORed with the plaintext.
• For example, a key where all bits are 0s will result in ciphertext that is the same as the original plaintext. That means this is a weak key for this encryption algorithm.
• Any key with long strings of 0s will yield portions of the ciphertext that are the same as the plaintext. In this example, there will be many keys that can be considered weak keys.
• Encryption algorithms are much more complicated than a simple XOR function, but there are some algorithms which still have weak keys that make cryptanalysis easier.
• Exhaustive Search of the Key Space
• If the algorithm used is complicated and has no weak keys, the key length will play an important role in the attack.
• If the key is longer, it is harder to attack: a 40-bit encryption scheme will be easier to attack using a brute force algorithm, so 256-bit key methods are used.
• Every bit that is added to the length of a key doubles the number of keys that have to be tested in a brute force attack on the encryption.
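The weak-key and exhaustive-search points above, as one added example (my code, not from the slides): the single XOR cipher with a repeated key, a check for the all-zero key, a function showing exactly which plaintext bytes a key containing zero bytes leaks, and a brute-force search that tries every key of a given length against a known plaintext prefix, so the doubling of work per added key bit can be measured directly. The message, the keys and the key lengths are constructed; the key lengths are deliberately tiny (8 and 16 bits) so the search finishes instantly, which is itself the slides' point about 40-bit keys.

```python
# Added example (not from the slides): the single-XOR cipher the slides use to
# explain weak keys, plus an exhaustive key search to show the cost of each
# added key bit.  Plaintexts, keys and key lengths here are constructed values.
from typing import List, Optional, Tuple


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it again with the same key decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_weak_key(key: bytes) -> bool:
    """An all-zero key leaves every byte of the plaintext unchanged."""
    return all(b == 0 for b in key)


def leaked_positions(plaintext: bytes, key: bytes) -> List[int]:
    """Positions where ciphertext equals plaintext: every zero key byte leaks
    the plaintext bytes it is XORed with (the 'long strings of 0s' case)."""
    ciphertext = xor_encrypt(plaintext, key)
    return [i for i in range(len(plaintext)) if ciphertext[i] == plaintext[i]]


def keyspace(key_bits: int) -> int:
    """Number of candidate keys; one more bit doubles it."""
    return 1 << key_bits


def brute_force(ciphertext: bytes, known_prefix: bytes,
                key_bits: int) -> Tuple[Optional[bytes], int]:
    """Try every key of key_bits bits (a multiple of 8 here) in order until the
    decryption starts with known_prefix.  Returns (key, number of trials)."""
    nbytes = key_bits // 8
    head = ciphertext[:len(known_prefix)]
    for trial, k in enumerate(range(keyspace(key_bits)), start=1):
        key = k.to_bytes(nbytes, "big")
        if xor_encrypt(head, key) == known_prefix:
            return key, trial
    return None, keyspace(key_bits)


if __name__ == "__main__":
    msg = b"attack at dawn"
    print(is_weak_key(b"\x00\x00"), xor_encrypt(msg, b"\x00\x00") == msg)
    print(leaked_positions(msg, b"\x00\x2a"))        # every other byte leaks
    ct = xor_encrypt(msg, b"\x2a\x07")
    print(brute_force(ct, b"attack", 16), "of", keyspace(16), "keys")
```

The search needs a way to recognise the right key, here a known plaintext prefix; in the worst case it tries every key, so doubling the key length from 8 to 16 bits multiplies the work by 256, not by 2, which is the `keyspace` doubling applied once per added bit.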
• Indirect Attacks
• A common way of attacking is to find weaknesses in the mechanisms surrounding the cryptography.
• E.g. poor random number generators, unprotected key exchanges, keys stored on hard drives without sufficient protection, and general programming errors such as buffer overflows.
• In an attack that targets such weaknesses, it is not the cryptographic algorithm that is being attacked.
• Operating system security

Operating system updates


• Operating systems are very large and complex
combination of interconnected s/w modules written by
several separate individuals.

• When OS continuously grows with new functions then


potential problems with that code will also increase.

• It is not possible for OS vendor to test their product on


each platform under every situation, hence functionality
and security issues occur after release of OS.
• So, vendors typically follow a hierarchy for software
updates given below:
• Hotfix
• A small software update designed to address a particular problem, like a buffer overflow in an application that exposes the system to attack.
• Hotfixes are developed in reaction to a discovered problem; they are produced and then released rather quickly.
• Patch
• A larger software update that may address several or many software problems.
• Patches contain improvements or additional capabilities and fixes for known bugs.
• Patches are developed over a longer period of time.
• Service pack
• A large collection of patches and hotfixes that are rolled into a single, rather large package.
• Service packs are designed to bring a system up to the latest known good level all at once, rather than downloading several updates separately.
• E.g. Microsoft Windows provides updates, which need to be downloaded from the website.
• By selecting Windows Update from the Tools menu in Internet Explorer, users will be taken to the Microsoft website.
• By selecting Scan for Updates, users can allow their systems to be examined for needed or required updates.
• The website identifies the updates needed and provides the user with the option to download and install them.
• Microsoft also provides automated update functionality.
 An active internet connection is required for both web-based and automatic updates.
• Such utilities are provided by Microsoft as well as Red Hat Linux.
• By registering your system and user profile with Red Hat, you can get a customized list of updates for your specific system.
• Information Security
• Information is an important asset and needs to be protected all the time.
• Information is a combination of the following three parts:
1. Data: collection of all types of information which can be stored and used as per requirement, e.g. personal data, medical information, accounting data.
2. Knowledge: It is based on data that is organized, synthesized or summarized, and it is carried by experienced employees in the organization.
3. Action: It is used to pass the required information to the person who needs it with the help of an information system.
• Need and importance of Information
• Information is very important for every organization because damage to information can cause disruption in the normal processes of the organization, like financial loss, etc.
• Classification of information will help the organization to employ security policies and procedures.
• Advantages of information classification are:
• Information classification is a commitment by the organization to security protection.
• Information classification will help the organization to identify which information is critical and more sensitive.
• Information classification supports CIA - Confidentiality, Integrity, Availability.
• Information classification will help the organization to decide what type of protection is applied to which type of information.
• Information classification will fulfil the legal requirement to meet legal mandates, compliance and regulations.
• In an organization, classification should be based on the sensitivity of the information towards its loss and disclosure.
• Criteria for Information classification
• Levels of information classification used in Government or Military:
1. Unclassified: the information is neither classified nor sensitive. Access to the information is public and will not affect confidentiality; the information is low-impact, and hence it does not require any security.
2. Sensitive but unclassified: the information is less sensitive, and if it gets disclosed it will not create serious damage to the organization.
3. Confidential: unauthorised access to confidential information will cause damage or be prejudicial to national security. This label is used for information which falls between sensitive but unclassified (SBU) and secret.
4. Secret: the Secret label should be applied to information where unauthorized disclosure of such information could cause serious damage to national security.
5. Top Secret: Top Secret shall be applied to information where unauthorised disclosure of this type of information could cause exceptionally grave damage to national security. This is the highest level of classification.
• Levels of information classification used in Public or private organizations
1. Public: it is similar to unclassified information. Information which does not fit into any other level can have public access, because its disclosure will not create any serious impact on the organization.
2. Sensitive: this type of information needs a higher level of classification than normal information. Such information needs security for confidentiality as well as integrity.
3. Private: this type of information is personal in nature and used by the company only. Its disclosure can affect the company and its employees, e.g. salary information.
• Criteria used for information classification in Public or private organizations:
• Value: it is the most common criterion of information classification. When the information is more valuable to the organization, then that information should be classified.
• Age: the classification of information might be lowered if the information's value decreases over time, e.g. documents are classified and then automatically declassified after a specific time period.
• Useful Life: if the information has become out-of-date due to new information or any other reason, then that information can regularly be declassified.
• Personal Association: information which is personally associated with particular individuals, or which is addressed by a privacy law, should be classified.
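The three organizational levels and the four criteria above, encoded as a small policy routine. This is an added example, not part of the original notes: the value thresholds, the mapping of personally associated data to the private level, the sample assets and the declassification periods are all assumptions made for the illustration.

```python
# Added example (not from the original notes): encoding the Value, Age,
# Useful Life and Personal Association criteria as a classification policy
# for a public/private organization. Level names follow the notes
# (public, sensitive, private); thresholds and periods are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

LEVELS = ("public", "sensitive", "private")  # ordered from lowest to highest


@dataclass
class InfoAsset:
    name: str
    value: int                            # Value: assumed 0-100 scale
    created: date
    declassify_after_days: Optional[int]  # Age: None means the level never lowers
    superseded: bool                      # Useful Life: replaced by newer information
    personal: bool                        # Personal Association / privacy-law data


def classify(asset: InfoAsset, today: date) -> str:
    """Return the classification level that applies on the given date."""
    # Personal Association: data about individuals is always classified;
    # mapping it to the private level is an assumption of this example.
    if asset.personal:
        return "private"
    # Value: more valuable information is classified higher (assumed thresholds).
    if asset.value >= 70:
        level = "private"
    elif asset.value >= 30:
        level = "sensitive"
    else:
        level = "public"
    # Useful Life: out-of-date information can be declassified.
    if asset.superseded:
        return "public"
    # Age: lower the level by one step once the declassification period has passed.
    if asset.declassify_after_days is not None:
        expiry = asset.created + timedelta(days=asset.declassify_after_days)
        if today >= expiry:
            level = LEVELS[max(0, LEVELS.index(level) - 1)]
    return level


# Constructed sample assets for the demonstration.
SAMPLE = [
    InfoAsset("press release", 10, date(2024, 1, 1), None, False, False),
    InfoAsset("q3 forecast", 80, date(2024, 1, 1), 180, False, False),
    InfoAsset("old pricing sheet", 50, date(2024, 1, 1), None, True, False),
    InfoAsset("salary list", 20, date(2024, 1, 1), 30, False, True),
]


def levels_on(year: int, month: int, day: int) -> Dict[str, str]:
    """Classification of every sample asset as of the given date."""
    today = date(year, month, day)
    return {a.name: classify(a, today) for a in SAMPLE}


if __name__ == "__main__":
    print(levels_on(2024, 2, 1))    # forecast still private
    print(levels_on(2024, 12, 1))   # forecast lowered to sensitive after 180 days
```

Running it on two dates shows the Age criterion at work: the forecast is private in February and drops to sensitive in December, while the salary list stays private on both dates because Personal Association overrides the other criteria.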
• Security
• Security is the method which makes the accessibility of information or a system more reliable.
• Security means to protect information or a system from unauthorized users like attackers, who harm the system or network intentionally or unintentionally.
• Security is not only to protect the system or network, but also to allow authorized users to access the system or network.
• For protecting any organization, multilayer security is important.
Physical security: It will protect physical items / assets like hard disk, RAM, objects or areas from unauthorised users.
Personal security: It will protect individual users or groups in the organization who are authorised to carry out operations in the organization.
Operational security: It will protect the details of particular operations / series of activities in the organization.
Communication security: It will protect communication technology, media and the content of communication.
Network security: It will protect networking components like routers, bridges, connections and contents, etc.
Information security: It will protect all informational assets. It includes management of information security, computer and data security, and network security.
National Cyber Security Intelligence System
• Need of Security:
• For any organization, information security performs the following 4 important functions:
1. Protect the organization's ability to function
• Information security is a matter of management rather than just technology.
• Policy and its implementation are more important in information security than the technology which implements it.
• Security is to be treated as a business issue rather than a technical problem.
2. Enable safe operation of applications
• Organizations purchase and operate integrated, efficient and capable applications.
• These applications are important to the organization's infrastructure - email, messaging apps, OS.
• So, the organization needs to protect these apps.
• Apps are developed or purchased by the organization.
• After setting up the infrastructure, it is the organization's responsibility to protect the entire infrastructure.
3. Protect the data collected and used by the organization:
• Data is an important factor for any organization.
• Government, business and educational organizations support various transactions.
• Data attracts attackers.
• Hence protection of data is important for information security.
• Management should protect the integrity of data.
4. Safeguard the technological assets of an organization:
• To work effectively, an organization should add secure infrastructure services.
• Small businesses use personal encryption tools for email service, whereas a large organization can use Public Key Infrastructure (PKI), which uses digital certificates to assure the confidentiality of the transaction.
• As organizations grow, more robust and secure technologies are to be used, like firewalls.
• Basic Principles of Information Security
• There are 3 goals of information security, also called the pillars of information security:
1. Integrity
2. Confidentiality
3. Availability
• The onion skin is the ideal approach to security.
• It is a layered mechanism, so a failure at any level does not completely expose the system; this is called "Defence-In-Depth".
• It protects the system with a series of defensive mechanisms.
• If one mechanism fails, another will already be in place to stop an attack.
SY: INFORMATION SECURITY
UNIT 1
EXTRA POINTS THAN NIS
• Types of Attacks: Phishing:
• It is an attempt to steal sensitive information like:
• Username
• Password
• Credit Card Details
• Bank Account Information
• Other critical data
• The attacker can use or sell the stolen information.
• The attacker pretends to be a trusted source and makes an attractive offer to trick the victim.
• How Phishing works?
• Planning:
• The phisher selects the target based on the victims' potential vulnerability and the likelihood of them responding to the fake message.
• Setup:
• Create methods for delivering the message.
• Collect data about the target.
• Attack:
• The phisher sends a fake message to trick the victim into revealing sensitive information.
• Collection:
• The phisher records the victims' information, such as login credentials or personal details, after tricking them into providing it.
• Identity theft and fraud:
• They use the gathered information to:
• make illegal purchases
• commit fraud
• access bank accounts
• make unauthorized transactions
• open credit accounts in the victim's name
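A defender-side counterpart to the phishing stages above: a triage check that scores an incoming message for the indicators a trained user or mail filter looks for (a display name that claims a trusted sender from an unrelated address, lookalike domains, urgency language, a direct request for credentials). This is an added example and not part of the original notes; the trusted-domain list, keyword lists, scoring threshold and the two sample messages are all constructed for the illustration.

```python
# Added example (not from the original notes): scoring constructed e-mail
# samples for common phishing indicators. Indicator list, keyword lists and
# the threshold are assumptions; real mail filters use far richer signals.
import re
from dataclasses import dataclass, field
from typing import List

# Domains the organization actually uses (constructed for the example).
TRUSTED_DOMAINS = {"example-bank.com", "corp.example"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")
CREDENTIAL_WORDS = ("password", "credit card", "account number", "login")


@dataclass
class Email:
    display_name: str
    from_address: str
    subject: str
    body: str
    links: List[str] = field(default_factory=list)


def domain_of(address_or_url: str) -> str:
    """Host part of an http(s) URL or the domain part of a mail address, lowercased."""
    m = re.match(r"https?://([A-Za-z0-9.-]+)", address_or_url)
    if m:
        return m.group(1).lower()
    m = re.search(r"@([A-Za-z0-9.-]+)", address_or_url)
    return m.group(1).lower() if m else ""


def looks_like(domain: str, trusted: str) -> bool:
    """Lookalike check: the trusted brand name appears inside a different domain,
    e.g. 'example-bank.com.login-check.net' or 'example-bank-secure.com'."""
    base = trusted.split(".")[0]
    return domain != trusted and base in domain


def phishing_indicators(mail: Email) -> List[str]:
    """Return the list of indicators that fired for this message."""
    found = []
    sender = domain_of(mail.from_address)
    # 1. Display name claims a trusted brand but the address is not ours.
    for t in TRUSTED_DOMAINS:
        if t.split(".")[0] in mail.display_name.lower() and sender not in TRUSTED_DOMAINS:
            found.append("display-name/sender mismatch")
            break
    # 2. Sender or link domains that imitate a trusted domain.
    for d in [sender] + [domain_of(u) for u in mail.links]:
        if any(looks_like(d, t) for t in TRUSTED_DOMAINS):
            found.append(f"lookalike domain: {d}")
    # 3. Pressure language in subject or body.
    text = (mail.subject + " " + mail.body).lower()
    if any(w in text for w in URGENCY_WORDS):
        found.append("urgency language")
    # 4. Direct request for credentials or card data.
    if any(w in text for w in CREDENTIAL_WORDS):
        found.append("asks for credentials")
    return found


def is_suspicious(mail: Email, threshold: int = 2) -> bool:
    """Flag the message when at least `threshold` indicators fire (assumed cut-off)."""
    return len(phishing_indicators(mail)) >= threshold


# Constructed samples: one phishing attempt and one ordinary internal message.
PHISH = Email("Example-Bank Support", "alerts@example-bank-secure.com",
              "URGENT: account suspended",
              "Verify your account immediately by entering your password here.",
              ["http://example-bank.com.login-check.net/verify"])
LEGIT = Email("Alice", "alice@corp.example", "Lunch menu",
              "The cafeteria menu for next week is attached.", [])

if __name__ == "__main__":
    print(phishing_indicators(PHISH), is_suspicious(PHISH))
    print(phishing_indicators(LEGIT), is_suspicious(LEGIT))
```

The threshold matters: a single indicator such as urgency language also appears in legitimate mail, so the check only flags a message when several independent signs line up, which is the same judgement a user is taught to make before clicking.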
• Types of Attacks: Social Engineering
• Social engineering is a manipulation technique which exploits human error to gain private and sensitive information.
• Goals of Social Engineering attacks:
• Sabotage: disrupting or damaging data to create harm or inconvenience.
• Theft: stealing valuable items such as information, access or money.
• Types of Attacks: Spyware
• It is malicious software designed to secretly collect information from a user's device without the knowledge or consent of the user.
• It can also refer to legitimate software that monitors your data and communicates it to an attacker.
• Spyware will take the following actions:
• Infiltrate: the act of gaining unauthorized access to a system, network or device.
• Attackers infiltrate the system through various methods such as: app installation, malicious website, file attachment.
• Infiltration is used in cyberattacks to install malware, steal data or gain control over the system.
• Monitor and Capture Data: action taken by the attacker to secretly observe and record the user's activities.
• Common methods of monitoring and capturing data:
• Keystrokes
• Screen capture
• Tracking codes
• The goal is to gain unauthorized access to sensitive data or to monitor user behavior for malicious purposes.
• Send Stolen Data: the act of transmitting the information captured by spyware or malicious software back to the attacker.
• Stolen data can be used for different malicious purposes:
• Identity theft
• Fraud
• The goal is to exploit the stolen data for financial and other harmful purposes.
• Types of Attacks: Adware
• It is a type of software designed to deliver advertisements to users, often without their consent.
• It is a trojan horse that collects information for marketing purposes and displays advertisements based on the collected information.
• It is typically bundled with free software and generates revenue for its developers by:
• displaying intrusive ads,
• redirecting search results,
• collecting user data to target personalized advertisements.
• While some adware is legitimate, other adware can be malicious, compromising the user's privacy and degrading system performance.
• Adware can enter a system:
• embedded in software downloads
• hidden on websites visited by users
• When adware is bundled with software, users are unaware that installing or running the program also installs the adware.
• Types of Attacks: Ransomware
• Malicious software that restricts access to a computer or its files.
• It can either lock the computer screen or encrypt files.
• Two types of ransomware:
• Lock Screen Ransomware: locks the victim's screen and prevents access to the computer, displaying a message demanding a ransom for unlocking it.
• Encryption Ransomware: encrypts the victim's files, making them inaccessible until the ransom is paid for decryption.
• In both cases the victim is told to pay a ransom to remove the restriction.
• Additionally, a notification may appear on the victim's system stating that illegal activities have been detected and a ransom must be paid to avoid prosecution.
• Types of Attacks: Logic Bombs
• A type of malicious software intentionally inserted by an authorized user.
• This code is embedded within a legitimate program and is triggered to activate when specific conditions are met.
• Triggers can be:
• A particular date or time.
• Reaching a certain percentage of disk space.
• Deletion of a file.
• Other predefined conditions.
• e.g. a program that is set to run automatically and that periodically checks an organization's payroll and personnel database for a specific employee  if the employee is not found, the malicious payload executes, deleting vital corporate files.
• It is a challenging task to identify logic bombs.
• They are often installed by authorized employees, such as an administrator who is responsible for security.
• They are harder to identify because the malicious code originates from a trusted source.
• Types of Attacks: Rootkits
• A collection of programs installed on a system to maintain unauthorized administrator access to that system.
• Root access provides control over all functions and services of the OS.
• Rootkits modify the host's standard operations in a malicious way.
• Once attackers gain root access, they can:
• fully control the system
• alter programs and files
• monitor processes
• send network traffic
• gain backdoor access as needed
• Rootkits can make various changes in the system to hide their presence, making it difficult for users to detect them and to identify what changes they have made to the system.
• A rootkit conceals itself by bypassing the mechanisms that monitor and report on the system's processes, files and registry.
• Types of Rootkits:
• Persistent:
• Activates each time the system boots.
• Stores its code in the registry or file system.
• Sets up a method to execute automatically without user intervention.
• Memory-Based:
• Does not have persistent code.
• Cannot survive a reboot.
• Once the system restarts, the rootkit is removed.
• User Mode:
• Intercepts (catches) calls to the API (Application Programming Interface) and alters the results that are returned.
• E.g. when an app lists files, it may not show the files associated with the rootkit.
• Kernel Mode:
• Intercepts calls to the native API in kernel mode.
• The rootkit can hide the presence of a malware process by removing it from the list of the kernel's active processes.
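The hiding behaviour described for user-mode and kernel-mode rootkits is what cross-view detection exploits: a rootkit filters the listing returned by one API, but a second, independent way of observing the same processes or files is not filtered, so any entry present in one view and missing from the other is being concealed. This is an added example, not part of the original notes; the process table, the directory contents and the "hooked" listings are all simulated with plain filter functions constructed for the illustration.

```python
# Added example (not from the original notes): the cross-view detection idea
# used by anti-rootkit tools, run over constructed data. The "hooks" below are
# only list filters standing in for the altered API results the notes describe.
from typing import Callable, Dict, List, Set

# Constructed ground truth: what the kernel actually tracks (pid -> name).
KERNEL_PROCESSES: Dict[int, str] = {
    1: "init", 412: "sshd", 733: "cron", 901: "nginx", 1337: "hidden_miner",
}
# Constructed on-disk contents of a directory (names only).
DISK_FILES: List[str] = ["notes.txt", "report.pdf", ".rk_config", "rk_loader"]


def simulated_process_hook(view: Dict[int, str], hide_prefix: str = "hidden_") -> Dict[int, str]:
    """Stand-in for a user-mode rootkit's altered API result: the same
    listing with the rootkit's own entries removed."""
    return {pid: n for pid, n in view.items() if not n.startswith(hide_prefix)}


def simulated_file_hook(listing: List[str], hide_prefixes=(".rk", "rk_")) -> List[str]:
    """Stand-in for a hooked directory listing that drops the rootkit's files."""
    return [f for f in listing if not f.startswith(hide_prefixes)]


def hidden_pids(api_view: Dict[int, str], probe: Callable[[int], bool], max_pid: int) -> Set[int]:
    """Cross-view check for processes: test every PID through an independent
    existence probe and compare with what the API listing reports. PIDs that
    exist but are not listed are being hidden."""
    listed = set(api_view)
    return {pid for pid in range(1, max_pid + 1) if probe(pid) and pid not in listed}


def hidden_files(api_listing: List[str], raw_listing: List[str]) -> Set[str]:
    """Cross-view check for files: names present in a raw scan but absent
    from the API listing are being concealed."""
    return set(raw_listing) - set(api_listing)


def run_checks() -> Dict[str, Set]:
    """Apply both cross-view checks to the simulated views."""
    api_procs = simulated_process_hook(KERNEL_PROCESSES)
    api_files = simulated_file_hook(DISK_FILES)
    return {
        # the probe stands in for a direct per-PID query that the hook does not cover
        "hidden_pids": hidden_pids(api_procs, lambda p: p in KERNEL_PROCESSES, 2000),
        "hidden_files": hidden_files(api_files, DISK_FILES),
    }


if __name__ == "__main__":
    print(run_checks())   # {'hidden_pids': {1337}, 'hidden_files': {'.rk_config', 'rk_loader'}}
```

The check is only as good as the independence of the second view. A user-mode rootkit alters what applications see, so a probe that goes through a different path finds the gap; a kernel-mode rootkit that edits the kernel's own process list can distort both views, which is why the notes treat the kernel-mode variant as the harder case and why such checks are usually complemented by comparison against a known-good offline image.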
• Types of Attacks: Keyloggers
• Keylogger software is capable of recording keystrokes and capturing screenshots, storing them in an encrypted log file.
• It can track all typed information, including passwords, emails and messages.
• Log files made by keyloggers are saved and sent to the attacker's remote machine.
• The attacker steals passwords and banking details for financial fraud.
