Chapter Two: Computer Threats

2.1 Malicious Code

Malicious code or rogue programs or malware (short for MALicious
softWARE) is the general name for programs or program parts planted
by an agent with malicious intent to cause unanticipated or undesired
effects. The agent is the program’s writer or distributor. Malicious intent
distinguishes this type of code from unintentional errors, even though
both kinds can certainly have similar and serious negative effects. This
definition also excludes coincidence, in which minor flaws in two
benign programs combine for a negative effect. Most faults found in
software inspections, reviews, and testing do not qualify as malicious
code; their cause is usually unintentional. However, unintentional faults
can in fact invoke the same responses as intentional malevolence; a
benign cause can still lead to a disastrous effect. Let us see types of
malware:

I. Virus: A virus is a program that can replicate itself and pass on

malicious code to other non-malicious programs by modifying them.
The term ‘virus’ was coined because the affected program acts like a
biological virus: It infects other healthy subjects by attaching itself to
the program and either destroying the program or coexisting with it.
Because viruses are insidious, we cannot assume that a clean program
yesterday is still clean today. Moreover, a good program can be
Page 1 of 23
Computer Security
 modified to include a copy of the virus program, so the infected good
program itself begins to act as a virus, infecting other programs. The
infection usually spreads at a geometric rate, eventually overtaking an
entire computing system and spreading to other connected systems.
So in short a Virus is a code with malicious purpose; intended to
spread.
A virus can be either transient or resident. A transient virus has a life
span that depends on the life of its host; the virus runs when the
program to which it is attached executes, and it terminates when the
attached program ends. A resident virus locates itself in memory; it
can then remain active or be activated as a stand-alone program, even
after its attached program ends.
II. Worm: A worm is a program that spreads copies of itself through a
network. The primary difference between a worm and a virus is that a
worm operates through networks, and a virus can spread through any
medium (but usually uses a copied program or data files).
Additionally, the worm spreads copies of itself as a stand-alone
program, whereas the virus spreads copies of itself as a program that
attaches to or embeds in other programs. Worm programs, sometimes
called ‘crawlers’ seek out machines on which they can install small
pieces of code to gather such data. The code items report back to
collection points, telling what connectivity they have found.

Page 2 of 23
Computer Security
III. Trojan Horse: Trojan horse is malicious code that, in addition to its
primary effect, has a second, non-obvious, malicious effect. It slips
inside a program undetected and produces unwelcome effects later on.
As an example of a computer Trojan horse, consider a login script
that solicits a user’s identification and password, passes the
identification information on to the rest of the system for login
processing, but also retains a copy of the information for later,
malicious use. In this example, the user sees only the login occurring
as expected, so there is no reason to suspect that any other,
unwelcome action took place.
IV. Spyware: Spyware is malicious software that enters a user’s
computer, gathers data from the device and user, and sends it to third
parties without their consent. A commonly accepted spyware
definition is a strand of malware designed to access and damage a
device without the user’s consent. Spyware collects personal and
sensitive information that it sends to advertisers, data collection firms,
or malicious actors for a profit. Attackers use it to track, steal, and sell
user data, such as internet usage, credit card, and bank account details,
or steal user credentials to spoof their identities.

Beyond the above terminology, there is much similarity in types of

malicious code. Types of malware differ widely in their operation,

Page 3 of 23
Computer Security
transmission and objective. Many other types of malicious code are
shown in the following table.

Code that causes malicious behavior and propagates

Virus
copies of itself to other programs

Trojan Code that contains unexpected, undocumented,

Horse additional functionality

Code that propagates copies of itself through a

Worm
network; impact usually degrades performance

Code that replicates itself without limit to exhaust

Rabbit
resources

Code that triggers action when a predetermined

Logic bomb
condition occurs

Code that triggers action when a predetermined time

Time bomb
occurs

Transfer agent code only to drop other malicious

Dropper
code, such as virus or Trojan horse

Hostile
Code communicated semi-autonomously by programs
mobile code
transmitted through the web
agent

Script Malicious code communicated in JavaScript,

attack, ActiveX, or another scripting language, downloaded

Page 4 of 23
Computer Security
 JavaScript, as part of displaying a web page
Active code
attack

RAT
(Remote Trojan horse that, once planted, gives access from
Access remote location
Trojan)

Program that intercepts and covertly communicates

Spyware
data on the user or user’s activity

Semi-autonomous agent, under control of a

Bot
controller; not necessarily malicious

Code or entire computer under control of a (usually

Zombie
remote) program

Browser Code that changes browser settings, disallows access

hijacker to certain sites, or redirects browser to others

Code installed in “root” or most privileged section of

Rootkit
operating system; hard to detect

Code feature that allows unauthorized access to a

Trapdoor or
machine or program; bypasses normal access control
backdoor
and authentication

Tool or Program containing a set of tests for vulnerabilities;

toolkit not dangerous itself, but each successful test identifies

Page 5 of 23
Computer Security
 a vulnerable host that can be attached

Scareware Not code; false warning of malicious code attack

2.2 Class of Attacks

I. Reconnaissance Attack: Reconnaissance is the practice of
covertly discovering and collecting information about a system.
This method is often used in ethical hacking or penetration
testing. Like many computer security terms, reconnaissance
derives from military language, where it refers to a mission with
the goal of obtaining information from enemy territory. It generally
works in seven general steps:
1. Collect initial information
2. Determine the network range
3. Identify active machines
4. Find access points and open ports
5. Fingerprint the operating system
6. Discover services on ports
7. Map the network
Using these steps, an attacker will aim to gain the information
about a network: File permissions, running network services, OS
platform, Trust relationships, User account information.
One of the most common techniques involved
with reconnaissance is port scanning, which sends data to various
Page 6 of 23
Computer Security
 TCP and UDP ports on a device and evaluates the response. There
are two main types of reconnaissance: active and
passive reconnaissance.
With active reconnaissance, hackers interact directly with the
computer system and attempt to obtain information through
techniques like automated scanning or manual testing and tools
like ping and netstat. Active recon is generally faster and more
accurate, but riskier because it creates more noise within a system
and has a higher chance of being detected.
Passive reconnaissance gathers information without directly
interacting with systems, using tools such as Wireshark and
Shodan and methods such as OS fingerprinting to gain information.
II. Access Attack: Access attacks require intrusion capabilities. These
can consist of anything as simple as gaining an account holder’s
credentials, to plugging foreign hardware directly into the network
infrastructure. Access attacks are carried out through Logical or
Physical Access.
Logical access attacks, such as exploitation through brute force
attacks or testing passwords on the network using “rainbow tables”
or dictionary attacks tend to create a lot of traffic on the network. It
is for this reason that most logical access attacks are usually
attempted only after sufficient reconnaissance or credentials have
been obtained.

Page 7 of 23
Computer Security
 Physical access is either access to the infrastructure itself or access
to the people. One form of physical attack is a Social engineering,
which is very dangerous and hard to defend against simply because
of its insidious effectiveness. The easiest type of social engineering
attack involves sending out phishing emails designed to hook
someone as a leverage point that enables an attacker to begin
strategically maneuvering into the company. This can happen in a
variety of ways, but could include someone internal to the
company opening an email that contains a malicious application
that helps the attacker achieve access.
III. Denial of Service (DoS) Attack: Denial of Service (DoS) means
that the information exchange has been prevented due to some
form of interference. This can happen from a natural disaster event,
such as an electrical failure, or a flood of packets that clogs the
network’s ability to function. So DoS can be malicious, and a true
incident. While the power failure is very apparent, imagine a
company boasting a new advertised event, then on the day of the
event the servers cannot handle the inbound network traffic and
result in failure. Fortunately, both can be mostly preventable with
the proper implementation of protective measures. To achieve a
malicious denial of service against an entire network, the attacker
usually needs ample computer power on the attacking side as well.
This can be achieved using a collection of networked devices that

Page 8 of 23
Computer Security
 may or may not be aware of their involvement. This would be
referred to as a botnet, and it can bring swift devastation to
network traffic without any warning through a process called a
Distributed Denial of Service (DDoS) attack. Essentially, the
linked computers all generate packets into the network
simultaneously. A typical modern computing resource can only
perform one action at a time, so flooding the network with these
packets generates a need to respond, and if the network cannot
keep up with the responses, then the network simply cannot
function. Another type of DoS attack aims to entirely crash a
system. This full failure can cause temporary or permanent damage
to a network. The purpose is to make the network inoperable.

2.3 Program Flaws

Program flaw is a part of a program that can cause the system to violate
its security requirements. Finding security problems resulting from
program flaws, demands some knowledge of system security
requirements.
I. Buffer Overflows: Buffers are memory storage regions that
temporarily hold data while it is being transferred from one
location to another. A buffer overflow (or buffer overrun) occurs
when the volume of data exceeds the storage capacity of the

Page 9 of 23
Computer Security
 memory buffer. As a result, the program attempting to write
the data to the buffer overwrites adjacent memory locations.

For example, a buffer for log-in credentials may be designed to

expect username and password inputs of 8 bytes, so if a transaction
involves an input of 10 bytes (that is, 2 bytes more than expected),
the program may write the excess data past the buffer boundary.
Buffer overflows can affect all types of software. They typically
result from malformed inputs or failure to allocate enough space
for the buffer. If the transaction overwrites executable code, it can
cause the program to behave unpredictably and generate incorrect
results, memory access errors, or crashes.

Buffer Overflow Example

Attackers exploit buffer overflow issues by overwriting the

memory of an application. This changes the execution path of the
program, triggering a response that damages files or exposes
private information. For example, an attacker may introduce extra
code, sending new instructions to the application to gain access to
IT systems. If attackers know the memory layout of a program,
Page 10 of 23
Computer Security
 they can intentionally feed input that the buffer cannot store, and
overwrite areas that hold executable code, replacing it with their
own code. For example, an attacker can overwrite a pointer (an
object that points to another area in memory) and point it to an
exploit payload, to gain control over the program.

II. Time-of-Check to Time-of-Use (TOCTOU): TOCTOU attacks

fall under the category of a race condition (which occurs when two
or more operations that should be done in sequence are attempted
simultaneously). A hacker is able to access a file and make harmful
changes between the time of check (first time the program accesses
the file) and the time of use (when the software uses the file). The
opportunity window is very short due to that near simultaneous
overlap.
TOCTOU can be recognized when shared files that multiple users
can access are susceptible to TOCTOU issues. A file that has been
corrupted could cause a system crash or corrupt data related to the
file.

III. Incomplete mediation: Mediation is checking the process of

intervening to confirm an actor’s authorization before it takes an
intended action. In computer security it has become common to
use access control triple (AAA) that describes what subject can

Page 11 of 23
Computer Security
 perform what operation on what object. Verifying that the subject
is authorized to perform the operation on an object is called
mediation. A scenario called incomplete mediation occurs when a
program accept an erroneous data and process it. Incomplete
mediation is a security problem which attackers exploit to cause
security problems.
Consider the following url:
[Link]
51212&parm2=2015Jan17
The parameters parm1 and parm2 look like a telephone number
and a date, respectively. Probably the client’s (user’s) web browser
enters those two values in their specified format for easy
processing on the servers side. But what would happen if parm2
were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32?
Or 1Aardvark2Many? Something in the program or the system
with which it communicates would likely fail. As with other kinds
of programming errors, one possibility is that the system would fail
catastrophically, with a routine’s failing on a data type error as it
tried to handle a month named “Min” or even a year (like 1800)
that was out of expected range. Another possibility is that the
receiving program would continue to execute but would generate a
very wrong result. (For example, imagine the amount of interest
due today on a billing error with a start date of 1 Jan 1800) Then

Page 12 of 23
Computer Security
 again, the processing server might have a default condition,
deciding to treat 1Aardvark2Many as 21July 1951. The
possibilities are endless.
2.4 Controls to protect against program flaws
There are several techniques that can prove useful in finding and fixing
security flaws in programs. For this course we will look at three types of
controls: developmental, operating system, and administrative.
2.4.1 Developmental Controls
Software development is a collaborative effort, involving people with
different skill sets who combine their expertise to produce a working
product. Many controls can be applied during software development to
hunt out and fix problems. Here are the practices that should be
considered during software development.
 Modularity: Dividing a task into subtasks. This division is done
on a logical or functional basis. Each component performs a
separate, independent part of the task. The goal is to have each
component meet four conditions: Single-purpose, Small, Simple
and Independent.
 Encapsulation: Encapsulation hides a component's
implementation details, but it does not necessarily mean complete
isolation. Many components must share information with other
components, usually with good reason. However, this sharing is

Page 13 of 23
Computer Security
 carefully documented so that a component is affected only in
known ways by others in the system.
 Information Hiding: Developers who work where modularization
is stressed can be sure that other components will have limited
effect on the ones they write. Thus, we can think of a component
as a kind of black box, with certain well-defined inputs and outputs
and a well-defined function. Other components' designers do not
need to know how the module completes its function; it is enough
to be assured that the component performs its task in some correct
manner. Information hiding is desirable, because developers
cannot easily and maliciously alter the components of others if
they do not know how the components work.
 Hazard Analysis: Hazard analysis is a set of systematic
techniques intended to expose potentially hazardous system states.
In particular, it can help us expose security concerns and then
identify prevention or mitigation strategies to address them.
Hazard analysis hunts out likely causes of problems so that we can
then apply an appropriate technique for preventing the problem or
softening its likely consequences. Thus, it usually involves
developing hazard lists, as well as procedures for exploring "what
if" scenarios to trigger consideration of non obvious hazards.
 Testing: Testing is a process activity that homes in on product
quality: making the product failure free or failure tolerant. Each

Page 14 of 23
Computer Security
 software problem (especially when it relates to security) has the
potential not only for making software fail but also for adversely
affecting a business or a life.
 Good Design: modularity, information hiding, and encapsulation
are characteristics of good design. Several design-related process
activities are particularly helpful in building secure software:
o Using a philosophy of fault tolerance
o Having a consistent policy for handling failures
o Capturing the design rationale and history
o Using design pattern
 Configuration Management: When software are being developed,
it is important to know who is making which changes to what and
when:
o corrective changes: maintaining control of the system's day-
to-day functions
o adaptive changes: maintaining control over system
modifications
o perfective changes: perfecting existing acceptable functions
o preventive changes: preventing system performance from
degrading to unacceptable levels
We want some degree of control over the software changes so that
one change does not inadvertently undo the effect of a previous
change. And we want to control what is often a proliferation of
Page 15 of 23
Computer Security
 different versions and releases. For instance, a product might run
on several different platforms or in several different environments,
necessitating different code to support the same
functionality. Configuration management is the process by which
we control changes during development and maintenance, and it
offers several advantages in security.

2.4.2 Operating System Controls

An operating system actually implements the security functions for
general objects of unspecified types, such as files, devices, or lists,
memory objects, databases, or sharable tables. In principle, in operating
systems, A subject is permitted to access an object in a particular mode,
and only such authorized accesses are allowed. Operating systems
provide functionalities to ensure security access into resources through
the implementation of the access control mechanisms. The best
noticeable example can be related to the access control function is audit:
a log of which subject accessed which object when and in what manner.
Let us techniques used in operating systems to control program flaws:
 Virtual Machine: An important operating system security
technique is virtualization, providing the appearance of one set of
resources by using different resources. If you present a plate of
cookies to a group of children, the cookies will likely all disappear.
If you hide the cookies and put them out a few at a time you limit

Page 16 of 23
Computer Security
 the children’s access. Operating systems can do the same thing.
Virtualization is implemented by creating virtual machines. Virtual
machines are machines that are created virtually with configured
services specific to the user requirements.
 Sandbox: A concept similar to virtualization with a protected
environment in which a program can run and not endanger
anything else on the system. So a sandbox is an environment from
which a process can have only limited, controlled impact on
outside resources. A good example of a sandbox is how applets are
executed in java. The designers of Java intended the system to run
code, called applets, downloaded from untrusted sources such as
the Internet. Java trusts locally derived code with full access to
sensitive system resources (such as files). It does not, however,
trust downloaded remote code; for that code Java provides a
sandbox, limited resources that cannot cause negative effects
outside the sandbox.
 Honeypot: A honeypot is a fake environment intended to attract
an attacker. Usually employed in a network, a honeypot shows a
limited (safe) set of resources for the attacker; meanwhile,
administrators monitor the attacker’s activities in real time to learn
more about the attacker’s objectives, tools, techniques, and
weaknesses, and then use this knowledge to defend systems

Page 17 of 23
Computer Security
 effectively. So, honeypot is a system to attract an attacker into an
environment that can be both controlled and monitored.

2.5 Program Security Defenses

2.5.1 Software development controls and Testing techniques
Testing is a process activity that homes in on product quality: making
the product failure free or failure tolerant. Each software problem
(especially when it relates to security) has the potential not only for
making software fail but also for adversely affecting a business or a life.

Testing usually involves several stages. First, each program component

is tested on its own, isolated from the other components in the system.
Such testing, known as module testing, component testing, or unit testing,
verifies that the component functions properly with the types of input
expected from a study of the component's design. Unit testing is done in
a controlled environment whenever possible so that the test team can
feed a predetermined set of data to the component being tested and
observe what output actions and data are produced. In addition, the test

Page 18 of 23
Computer Security
team checks the internal data structures, logic, and boundary conditions
for the input and output data.

When collections of components have been subjected to unit testing, the

next step is ensuring that the interfaces among the components are
defined and handled properly. Indeed, interface mismatch can be
significant security vulnerability. Integration testing is the process of
verifying that the system components work together as described in the
system and program design specifications.

Once we are sure that information is passed among components in

accordance with the design, we test the system to ensure that it has the
desired functionality. A function test evaluates the system to determine
whether the functions described by the requirements specification are
actually performed by the integrated system. The result is a functioning
system.

The function test compares the system being built with the functions
described in the developers' requirements specification. Then,
a performance test compares the system with the remainder of these
software and hardware requirements. It is during the function and
performance tests that security requirements are examined, and the
testers confirm that the system is as secure as it is required to be.
Page 19 of 23
Computer Security
When the performance test is complete, developers are certain that the
system functions according to their understanding of the system
description. The next step is conferring with the customer to make
certain that the system works according to customer expectations.
Developers join the customer to perform an acceptance test, in which
the system is checked against the customer's requirements description.
Upon completion of acceptance testing, the accepted system is installed
in the environment in which it will be used. A final installation test is
run to make sure that the system still functions as it should. However,
security requirements often state that a system should not do something.

The objective of unit and integration testing is to ensure that the code
implemented the design properly; that is, that the programmers have
written code to do what the designers intended. System testing has a
very different objective: to ensure that the system does what the
customer wants it to do. Regression testing, an aspect of system testing,
is particularly important for security purposes. After a change is made to
enhance the system or fix a problem, regression testing ensures that all
remaining functions are still working and performance has not been
degraded by the change.

Page 20 of 23
Computer Security
Each of the types of tests listed here can be performed from two
perspectives: black box and clear box (sometimes called white
box). Black-box testing treats a system or its components as black
boxes; testers cannot "see inside" the system, so they apply particular
inputs and verify that they get the expected output. Clear-box
testing allows visibility. Here, testers can examine the design and code
directly, generating test cases based on the code's actual construction.
Thus, clear-box testing knows that component

2.5.2 Database Management System Security

Database security refers to the range of tools, controls, and measures
designed to establish and preserve database confidentiality, integrity,
and availability.
Database security must address and protect the following:
 The data in the database
 The database management system (DBMS)
 Any associated applications
 The physical database server and/or the virtual database server and
the underlying hardware
 The computing and/or network infrastructure used to access the
database

Page 21 of 23
Computer Security
Because databases are nearly always network-accessible, any security
threat to any component within or portion of the network infrastructure
is also a threat to the database, and any attack impacting a user’s device
or workstation can threaten the database. Thus, database security must
extend far beyond the confines of the database alone. When evaluating
database security in your environment to decide on your team’s top
priorities, consider each of the following areas:
 Physical security: Whether your database server is on-premise or
in a cloud data center, it must be located within a secure, climate-
controlled environment. (If your database server is in a cloud data
center, your cloud provider will take care of this for you.)
 Administrative and network access controls: The practical
minimum number of users should have access to the database, and
their permissions should be restricted to the minimum levels
necessary for them to do their jobs. Likewise, network access
should be limited to the minimum level of permissions necessary.
 End user account/device security: Always be aware of who is
accessing the database and when and how the data is being used.
Data monitoring solutions can alert you if data activities are
unusual or appear risky. All user devices connecting to the network
housing the database should be physically secure (in the hands of
the right user only) and subject to security controls at all times.

Page 22 of 23
Computer Security
  Encryption: ALL data—including data in the database, and
credential data—should be protected with best-in-class encryption
while at rest and in transit. All encryption keys should be handled
in accordance with best-practice guidelines.
 Database software security: Always use the latest version of your
database management software, and apply all patches as soon as
they are issued.
 Application/web server security: Any application or web server
that interacts with the database can be a channel for attack and
should be subject to ongoing security testing and best practice
management.
 Backup security: All backups, copies, or images of the database
must be subject to the same (or equally stringent) security controls
as the database itself.
 Auditing: Record all logins to the database server and operating
system, and log all operations performed on sensitive data as well.
Database security standard audits should be performed regularly.

Page 23 of 23
Computer Security