Info - Security U1 Ch.2 Need For Security

Information Security
18CSE532
Unit 1, Chapter 2

Dr. Sarojadevi H., Professor, Dept. of CSE

Ref: Principles of Information Security, 6th edition, by Michael E. Whitman and Herbert J. Mattord, Kennesaw State University. Cengage Learning, 2018.
Topics: chapter 2
• Topics: The need for security: threats and attacks, deviations in quality of service, software attacks.
• Example: A malicious worm is on a company’s computer network. Previously, a different worm program came from an employee’s personal USB drive. To prevent this from happening again, it is suggested that all users be prohibited from using personal devices on corporate systems and networks. The next suggestion is to upgrade antivirus; next, to improve the security of the technology; and finally, to make a project plan to develop a new information security program.
Introduction
• The primary mission of information security is to ensure that systems and their contents stay the same.
• If there were no threats, we could focus on improving systems, resulting in vast improvements in ease of use and usefulness.
• Attacks on information systems are a daily occurrence.
Threats and Attacks: Main terms
• Attack: An intentional or unintentional act that
can damage or otherwise compromise
information and the systems that support it.
Attacks can be active or passive and direct or
indirect.
• Exploit: A technique used to compromise a
system.
• Vulnerability: A potential weakness in an
asset or its defensive control system(s).
Threats..
A threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss.
To protect your organization’s information, the following are required (ref. The Art of War):
(1) Know yourself. Be familiar with the information to be protected and the systems that store, transport, and process it; and
(2) Know the threats you face. To make good decisions about information security, management must be informed about the various threats to an organization’s people, applications, data, and information systems.
Threats & attacks
Threat agents damage or steal an organization’s
information or physical assets by using exploits to take
advantage of vulnerabilities where controls are not
present or no longer effective.
Unlike threats, which are always present, attacks exist
only when a specific act may cause a loss.
For example, the threat of damage from a
thunderstorm is present throughout the summer in
many places, but an attack and its associated risk of loss
exist only for the duration of an actual thunderstorm.
Threat from Hackers due to internet
• There is agreement that the threat from external sources increases when an organization connects to the Internet.
• The number of Internet users continues to grow; about 49.2% of the world’s 7.34 billion people—that is, more than 3.6 billion people—have some form of Internet access, which is a significant increase over the 25.6% reported as recently as 2009.
• With reference to Internet usage by continent in 2015 (fig. next), hackers may be accessing systems and information over these online connections.
• Internet usage increases with population. Therefore, a typical organization with an online connection to its systems and information faces an increasing number of potential hackers.
World Internet usage

In 2015, 67.1% of internet users suffered malware infections.
Types of attacks / misuses

Attack / misuse in decreasing order
Common Attack Pattern Enumeration and Classification (http://capec.mitre.org/)
• A tool that security professionals can use to
understand attacks is the Common Attack Pattern
Enumeration and Classification (CAPEC) Web site
hosted by Mitre—a nonprofit research and
development organization sponsored by the U.S.
government.
• This online repository can be searched for
characteristics of a particular attack or simply
browsed by professionals who want additional
knowledge of how attacks occur procedurally.
The 12 general Categories of Threats to
Information Security
• These represent a clear and present danger to
an organization’s people, information, and
systems.
• Each organization must prioritize the threats it
faces based on the particular security situation
in which it operates, its organizational strategy
regarding risk, and the exposure levels of its
assets.

Deviations in quality of service: main terms
• Availability disruption: An interruption in service, usually from a service provider, which causes an adverse event within an organization.
• Downtime: The percentage of time a particular service is not available; the opposite of uptime.
• Service level agreement (SLA): A document or part of a document that specifies the expected level of service from a service provider. An SLA usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
• Uptime: The percentage of time a particular service is available; the opposite of downtime.
Deviations
• An organization’s information system depends on the
successful operation of support systems including power
grids, data and telecommunications networks, parts suppliers,
service vendors, and janitorial staff and garbage haulers.
• These can be interrupted by severe weather, employee
illnesses, or other unforeseen events.
• Deviations in quality of service can result from such accidents
as a backhoe taking out an ISP’s fiber-optic link. The backup
provider may be online and in service, but may be able to
supply only a fraction of the bandwidth the organization
needs for full service.
• This degradation of service is a form of availability disruption.
Irregularities in Internet service, communications, and power
supplies can affect the availability of information and systems.

Internet Service Issues
• In organizations that rely heavily on the Internet and the
WWW to support continued operations, ISP failures can
considerably undermine the availability of information.
• Many organizations have sales staff and telecommuters
working at remote locations.
• When these off-site employees cannot contact the host
systems, they must use manual procedures to continue
operations.
• The U.S. government’s Federal Communications Commission
(FCC) maintains a Network Outage Reporting System (NORS),
which according to FCC regulation 47 C.F.R. Part 4, requires
communications providers to report outages that disrupt
communications at certain facilities, like emergency services
and airports.
Internet Service issues ..
• When an organization places its Web servers in the care of a Web
hosting provider, the provider assumes responsibility for all
Internet services and for the hardware and operating system
software used to operate the Web site.
• These Web hosting services are usually arranged with a service
level agreement (SLA). When a service provider fails to meet the
terms of the SLA, the provider may accrue fines to cover losses
incurred by the client, but these payments seldom cover the losses
generated by the outage.
• Vendors may promote high availability or uptime (or low downtime), but even an availability that seems acceptably high can cost the average organization a great deal (ref. fig.).
• In August 2013, the Amazon.com Web site went down for 30 to 40
minutes, costing the company between $3 million and $4 million.
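The slide’s uptime, downtime and SLA terms, worked through in code. This is an added Python example, not from the textbook or the slides; the 30-day window, the three outages and the 99.9% promise are constructed values.

```python
"""Uptime, downtime and SLA checks for a measurement window (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Outage:
    """One availability disruption reported by the service provider."""
    start: datetime
    end: datetime


def allowed_downtime(availability_pct: float, period: timedelta) -> timedelta:
    """Downtime an availability promise permits over `period`.

    Uptime is the percentage of time the service is available, so the
    permitted downtime is the remaining fraction of the period.
    """
    return period * (1.0 - availability_pct / 100.0)


def allowed_downtime_hours(availability_pct: float, days: int = 365) -> float:
    """Convenience: permitted downtime in hours for a period of `days` days."""
    return allowed_downtime(availability_pct, timedelta(days=days)).total_seconds() / 3600


def downtime_within(outages: Iterable[Outage], start: datetime, end: datetime) -> timedelta:
    """Total outage time that falls inside [start, end).

    Outages are clipped to the window, so an incident that began before the
    window opened (or is still open at its end) counts only for the overlap.
    """
    total = timedelta(0)
    for o in outages:
        lo, hi = max(o.start, start), min(o.end, end)
        if hi > lo:
            total += hi - lo
    return total


def measured_uptime_pct(outages: Iterable[Outage], start: datetime, end: datetime) -> float:
    """Uptime for the window as a percentage (the opposite of downtime)."""
    period = end - start
    return 100.0 * (1.0 - downtime_within(outages, start, end) / period)


def sla_report(outages: List[Outage], start: datetime, end: datetime,
               promised_pct: float) -> Dict[str, object]:
    """Compare measured availability with the availability the SLA promises."""
    down = downtime_within(outages, start, end)
    allowed = allowed_downtime(promised_pct, end - start)
    return {
        "uptime_pct": round(measured_uptime_pct(outages, start, end), 4),
        "downtime_minutes": down.total_seconds() / 60,
        "allowed_minutes": allowed.total_seconds() / 60,
        "breached": down > allowed,
        "excess_minutes": max(timedelta(0), down - allowed).total_seconds() / 60,
    }


# Constructed sample data: a 30-day window and three outages, one of which
# started before the window opened and therefore only partly counts.
WINDOW_START = datetime(2016, 6, 1)
WINDOW_END = datetime(2016, 7, 1)
SAMPLE_OUTAGES = [
    Outage(datetime(2016, 5, 31, 23, 50), datetime(2016, 6, 1, 0, 10)),   # 10 min inside
    Outage(datetime(2016, 6, 12, 9, 0), datetime(2016, 6, 12, 9, 20)),    # 20 min
    Outage(datetime(2016, 6, 25, 14, 0), datetime(2016, 6, 25, 14, 45)),  # 45 min
]


def sample_report(promised_pct: float = 99.9) -> Dict[str, object]:
    """SLA report for the constructed window against a constructed promise."""
    return sla_report(SAMPLE_OUTAGES, WINDOW_START, WINDOW_END, promised_pct)


if __name__ == "__main__":
    print(sample_report())
```

With 75 minutes of downtime in a 30-day month, a 99.9% promise (43.2 minutes allowed) is breached by 31.8 minutes, while a 99.8% promise is not.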
Average Cost of online service provider Downtime (per year) according to MegaPath

www.megapath.com/blog/blog-archive/infographic-the-cost-of-downtime

Source: Megapath
Communications and Other Service Provider Issues
• Other utility services can affect organizations as well. Ex: telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services.
• The loss of these services can impair the ability of an
organization to function. For instance, most facilities
require water service to operate an air-conditioning system.
• If a wastewater system fails, an organization might be
prevented from allowing employees into the building.
• Several online utilities allow an organization to compare
pricing options from various service providers; only a few
show a comparative analysis of availability or downtime.

Power Irregularities: main terms
• Blackout: A long-term interruption (outage) in electrical power availability.
• Brownout: A long-term decrease in electrical power availability.
• Fault: A short-term interruption in electrical power availability.
• Noise: The presence of additional and disruptive signals in network communications or electrical power delivery.
• Sag: A short-term decrease in electrical power availability.
• Spike: A short-term increase in electrical power availability, also known as a swell.
• Surge: A long-term increase in electrical power availability.
Power irregularities..
• Irregularities from power utilities are common and can lead to fluctuations such as
power excesses, power shortages, and power losses.
• These fluctuations can pose problems for organizations that provide inadequately
conditioned power for their information systems equipment.
• In the United States, the supply is 120-volt, 60-cycle power through 15- and 20-amp circuits.
• Europe and most of Africa, Asia, South America, and Australia use 230-volt, 50-
cycle power.
• Because of global travel by organizational employees, failure to properly adapt to
different voltage levels can damage computing equipment, resulting in a loss.
• When power voltage levels vary from normal, expected levels, such as during a spike, surge, sag, fault, noise, brownout, or blackout, an organization’s sensitive electronic equipment—especially networking equipment, computers, and computer-based systems, which are vulnerable to fluctuations—can be easily damaged or destroyed.
• With small computers and network systems, quality power-conditioning options such as surge suppressors can smooth out spikes. The more expensive uninterruptible power supply (UPS) can protect against spikes and surges as well as sags and even blackouts of limited duration.
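As an added Python example (not from the textbook or the slides), the following segments a constructed 1 Hz voltage trace into irregularities and labels each with the slide’s terms by direction, magnitude and duration. The ±10% tolerance, the 60-second short-term/long-term boundary and the 10 V "supply absent" level are assumptions, since the slides give no thresholds; noise cannot be identified from amplitude alone and is not modelled.

```python
"""Label power irregularities in a voltage trace with the slide's terms (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

NOMINAL_V = 120.0     # U.S. nominal line voltage, as stated on the slides
TOLERANCE = 0.10      # assumption: within +/-10 % of nominal is treated as normal
SHORT_TERM_S = 60.0   # assumption: events shorter than this are "short-term"
ABSENT_V = 10.0       # assumption: below this the supply is treated as interrupted


@dataclass
class PowerEvent:
    """A maximal run of consecutive out-of-tolerance samples."""
    start_s: float
    end_s: float
    min_v: float
    max_v: float

    @property
    def duration_s(self) -> float:
        return self.end_s - self.start_s


def classify(event: PowerEvent, nominal: float = NOMINAL_V) -> str:
    """Interruption -> fault/blackout, over-voltage -> spike/surge,
    under-voltage -> sag/brownout, with the short/long split by duration."""
    long_term = event.duration_s >= SHORT_TERM_S
    if event.min_v < ABSENT_V:
        return "blackout" if long_term else "fault"
    if event.max_v > nominal * (1 + TOLERANCE):
        return "surge" if long_term else "spike"
    if event.min_v < nominal * (1 - TOLERANCE):
        return "brownout" if long_term else "sag"
    return "normal"


def segment_events(samples: Iterable[Tuple[float, float]], period_s: float = 1.0,
                   nominal: float = NOMINAL_V) -> List[PowerEvent]:
    """Group consecutive abnormal (time_s, volts) samples into events. Each sample
    covers period_s seconds, so one abnormal reading is an event of that length."""
    lo, hi = nominal * (1 - TOLERANCE), nominal * (1 + TOLERANCE)
    events: List[PowerEvent] = []
    current = None
    for t, v in samples:
        if lo <= v <= hi:                      # a normal sample closes any open event
            if current is not None:
                events.append(current)
                current = None
        elif current is None:
            current = PowerEvent(t, t + period_s, v, v)
        else:
            current.end_s = t + period_s
            current.min_v = min(current.min_v, v)
            current.max_v = max(current.max_v, v)
    if current is not None:
        events.append(current)
    return events


def label_trace(samples: Iterable[Tuple[float, float]],
                period_s: float = 1.0) -> List[Tuple[float, float, str]]:
    """(start_s, duration_s, label) for every irregularity in the trace."""
    return [(e.start_s, e.duration_s, classify(e))
            for e in segment_events(samples, period_s)]


def constructed_trace() -> List[Tuple[float, float]]:
    """Constructed 1 Hz readings containing one example of each amplitude event."""
    trace: List[Tuple[float, float]] = []

    def run(volts: float, seconds: int) -> None:
        t0 = len(trace)
        trace.extend((float(t0 + i), volts) for i in range(seconds))

    run(120.0, 5)
    run(150.0, 1)     # 1 s over-voltage   -> spike
    run(120.0, 5)
    run(100.0, 3)     # 3 s under-voltage  -> sag
    run(120.0, 5)
    run(0.0, 2)       # 2 s interruption   -> fault
    run(120.0, 5)
    run(100.0, 70)    # 70 s under-voltage -> brownout
    run(120.0, 5)
    run(0.0, 90)      # 90 s interruption  -> blackout
    run(120.0, 5)
    run(135.0, 65)    # 65 s over-voltage  -> surge
    run(120.0, 5)
    return trace


if __name__ == "__main__":
    for start, dur, label in label_trace(constructed_trace()):
        print(f"t={start:6.0f}s  {dur:5.0f}s  {label}")
```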
Software attacks
• Deliberate software attacks occur when an
individual or group designs and deploys software to
attack a system.
• This attack can consist of specially crafted software
that attackers trick users into installing on their
systems.
• The specially crafted software can be used to
overwhelm the processing capabilities of online
systems or to gain access to protected systems by
hidden means.
Software attacks
• Malware: malicious code or malicious software
– Virus: code segments that perform malicious actions.
– Worms: can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
– Trojan Horses: can wreak havoc
– Polymorphic Threats: evolving and morphing
– Virus and Worm Hoaxes
• Back Doors: an attacker gains access to a system or network through a back door
• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
• E-mail Attacks: mail bombs
Software attacks..
Communications Interception Attacks:
• Packet Sniffer: monitors data traveling over a network, for good or bad purposes
• Spoofing: obtains trusted IP addresses and then modifies the packet headers to insert these forged addresses.
• Pharming: uses Trojans, worms, or other virus technologies to attack an Internet browser’s address bar so that a valid URL leads to an illegitimate Web site.
• Man-in-the-Middle: an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. Ex. TCP hijacking / session hijacking.
Malware: main terms
• Malware: Computer software specifically designed to perform malicious or unwanted actions (malicious code/software).
• Adware: Malware intended to provide undesired marketing and advertising, including popups and banners on a user’s screens.
• Boot virus: Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system’s hard drive or removable storage media.
• Macro virus: A type of virus written in a specific macro language to target applications that use the language. The virus is activated when the application’s product is opened. A macro virus typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications.
• Memory-resident virus: A virus capable of installing itself in a computer’s operating system, starting when the computer is activated, and residing in the system’s memory even after the host application is terminated. Also known as a resident virus.
• Non-memory-resident virus: A virus that terminates after it has been activated, infected its host system, and replicated itself. NMR viruses do not reside in an operating system or memory after executing. Also known as a non-resident virus.
• Polymorphic threat: Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
• Spyware: Any technology that aids in gathering information about people or organizations without their knowledge.
• Trojan horse: A malware program that hides its true nature and reveals its designed behavior only when activated.
• Virus: A type of malware that is attached to other executable programs. When activated, it replicates and propagates itself to multiple systems, spreading by multiple communications vectors. For example, a virus might send copies of itself to all users in the infected system’s e-mail program.
• Virus hoax: A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.
• Worm: A type of malware that is capable of activation and replication without being attached to an existing program.
• Zero-day attack: An attack that makes use of malware that is not yet known by the anti-malware software companies.
Malware details
• Malware is referred to as malicious code or malicious software.
• Other attacks that use software, like redirect attacks and denial-of-service
attacks, also fall under this threat.
• These software components or programs are designed to damage, destroy,
or deny service to targeted systems.
• Note that the terminology used to describe malware is often not mutually
exclusive; for instance, Trojan horse malware may be delivered as a virus, a
worm, or both.
• Malicious code attacks include the execution of viruses, worms, Trojan
horses, and active Web scripts with the intent to destroy or steal
information.
• The most state-of-the-art malicious code attack is the polymorphic worm,
or multivector worm. These attack programs use up to six known attack
vectors to exploit a variety of vulnerabilities in common information system
devices.
• When an attack makes use of malware that is not yet known by the anti-
malware software companies, it is said to be a zero-day attack.
Malware …
• Other forms of malware include covert software applications—bots, spyware,
and adware.
• These are designed to work out of users’ sight or be triggered by an apparently
innocuous user action.
• Bots are often the technology used to implement Trojan horses, logic bombs,
back doors, and spyware.
• Spyware is placed on a computer to secretly gather information about the user
and report it.
– One type of spyware is a Web bug, a tiny graphic that is referenced within the
Hypertext Markup Language (HTML) content of a Web page or e-mail to collect
information about the user viewing the content.
– Another form of spyware is a tracking cookie, which is placed on users’ computers to
track their activity on different Web sites and create a detailed profile of their behavior.
• Each of these hidden code components can be used to collect user information
that could then be used in a social engineering or identity theft attack.

Malware study (2016)
Malware with biggest impact on computer users to date.

Computer virus
• A computer virus consists of code segments (programming instructions) that
perform malicious actions. This code behaves much like a virus pathogen that
attacks animals and plants, using the cell’s own replication machinery to
propagate the attack beyond the initial target.
• The code attaches itself to an existing program and takes control of the
program’s access to the targeted computer. The virus-controlled target program
then carries out the virus plan by replicating itself into additional targeted
systems.
• Often, users unwittingly help viruses get into a system. Opening infected e-mail
or some other seemingly trivial action can cause anything from random
messages appearing on a user’s screen to the destruction of entire hard drives.
• Computer viruses are passed from machine to machine via physical media, e-mail, or other forms of computer data transmission.
• When these viruses infect a machine, they may immediately scan it for e-mail applications or even send themselves to every user in the e-mail address book.
Virus..
• Alternatively, viruses may be classified as memory-resident
viruses or non-memory-resident viruses, depending on whether
they persist in a computer system’s memory after they have been
executed.
• Resident viruses are capable of reactivating when the computer
is booted and continuing their actions until the system is shut
down, only to restart the next time the system is booted.
• In 2002, the author of the Melissa virus, David L. Smith of New
Jersey, was convicted in U.S. federal court and sentenced to 20
months in prison, a $5,000 fine, and 100 hours of community
service upon release.
• Viruses and worms can use several attack vectors to spread copies of themselves to networked peer computers, as shown in the next figure.
Attack replication vectors

Worms
• Named for the tapeworm in John Brunner’s novel The
Shockwave Rider, worms can continue replicating themselves
until they completely fill available resources, such as
memory, hard drive space, and network bandwidth.
• Code Red, Sircam, Nimda (“admin” spelled backwards), and
Klez are examples of a class of worms that combine multiple
modes of attack into a single package.
• Figure next shows sample e-mails that contain the Nimda (garbage in the Subject) and Sircam worms (stilted text, or with .exe attachment). These newer worm variants contain multiple exploits (polymorphic) that can use any predefined distribution vector to programmatically distribute the worm.
Nimda and Sircam worms

Worms..

Read offline: Robert Morris and the Internet Worm

Klez worm

Worms..
• The complex behavior of worms can be initiated with or without the user downloading or executing the file.
• After infecting a system, a worm can redistribute itself to all e-mail addresses found on the infected system. Furthermore, a worm can deposit copies of itself onto all reachable Web servers; subsequent users visiting those sites become infected.
• Worms also take advantage of open shares found on the network in which an infected system is located. The worms place working copies of their code onto the server so that users of the open shares are likely to become infected.
In 2003, Jeffrey Lee Parson, an 18-year-old high school student from Minnesota, was arrested for creating and distributing a variant of the Blaster worm called W32.Blaster-B. He was sentenced to 18 months in prison, 3 years of supervised release, and 100 hours of community service. The original Blaster worm was reportedly created by a Chinese hacker group.
Trojan Horses

Trojan Horse attacks
Polymorphic Threats
• One of the biggest challenges to fighting
viruses and worms has been the emergence of
polymorphic threats.
• A polymorphic threat actually evolves,
changing its size and other external file
characteristics to elude detection by antivirus
software programs.

Virus and Worm Hoaxes
• Virus hoaxes waste time and money to resolve. Well-meaning
people can disrupt the harmony and flow of an organization when they
send group e-mails warning of supposedly dangerous viruses that don’t
exist.
• When people fail to follow virus-reporting procedures in response to a
hoax, the network becomes overloaded and users waste time and energy
forwarding the warning message to everyone they know, posting the
message on bulletin boards, and trying to update their antivirus protection
software.
• Some hoaxes are the chain letters or chain e-mails of the day, which are
designed to annoy or bemuse the reader.
• They are known as “weapons of mass distraction.” One of the most
prominent virus hoaxes was the 1994 “Goodtimes virus,” which reportedly
was transmitted in an e-mail with the header “Good Times” or
“goodtimes.”
• The virus never existed, and thousands of hours of employee time were wasted retransmitting the e-mail, effectively creating a denial of service.
Hoax ..
• At one time, hoaxes amounted to little more than pranks, although occasionally a sting was attached.
• For example, the Teddy Bear hoax tricked users into
deleting necessary operating system files, which made their
systems stop working.
• Criminals have been able to monetize the hoax virus by
claiming that systems are infected with malware and then
selling a cure for a problem that does not exist.
• The perpetrator of the hoax may then offer to sell a fake
antivirus program to correct the fake malware.
• Several Internet resources enable people to research
viruses and determine if they are fact or fiction.
Back doors
• A back door is a malware payload that provides access to a system by bypassing normal access controls. It may also be an intentional access control bypass left by a system designer to facilitate development. The related terms maintenance hook and trap door are also important.
• Using a known or newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door.
• Viruses and worms can have a payload that installs a back door or trap door component in a system, allowing the attacker to access the system at will with special privileges.
• Examples of such payloads include Subseven and Back Orifice.
Back doors
• Sometimes these doors are left behind by system
designers or maintenance staff; such a door is referred
to as a maintenance hook.
• More often, attackers place a back door into a system or
network they have compromised, making their return to
the system that much easier the next time.
• A trap door is hard to detect because the person or
program that places it often makes the access exempt
from the system’s usual audit logging features and
makes every attempt to keep the back door hidden from
the system’s legitimate owners.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
• Bot/zombie: An automated software program that executes certain commands when it receives a specific input. See also zombie.
• Denial-of-service (DoS): An attack that attempts to overwhelm a computer target’s ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
• Distributed denial-of-service (DDoS) attack: A form of DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.
DoS / DDoS
• In a denial-of-service (DoS) attack, the attacker sends a large number of
connection or information requests to a target (ref. Fig.). So many
requests are made that the target system becomes overloaded and
cannot respond to legitimate requests for service.
• The system may crash or simply become unable to perform ordinary
functions. In a distributed denial-of-service (DDoS) attack, a coordinated
stream of requests is launched against a target from many locations at
the same time. Most DDoS attacks are preceded by a preparation phase
in which many systems, perhaps thousands, are compromised.
• The compromised machines are turned into bots or zombies, machines
that are directed remotely by the attacker (usually via a transmitted
command) to participate in the attack.
• DDoS attacks are more difficult to defend against, and currently there
are no controls that any single organization can apply.

DDoS
• There are some cooperative efforts to enable DDoS defenses among groups of service providers; an example is the Consensus Roadmap for Defeating Distributed Denial of Service Attacks.
• To use a popular metaphor, DDoS is considered a weapon of mass destruction
on the Internet.
• The MyDoom worm attack in February 2004 was intended to be a DDoS attack
against www.sco.com, the Web site of a vendor for a UNIX operating system.
• Allegedly, the attack was payback for the SCO Group’s perceived hostility
toward the open-source Linux community.
• Any system connected to the Internet and providing TCP-based network
services (such as a Web server, FTP server, or mail server) is vulnerable to DoS
attacks.
• DoS attacks can also be launched against routers or other network server
systems if these hosts enable other TCP services, such as echo.

Denial-of-service attack

Prominent DoS attacks
• Prominent in the history of notable DoS attacks are those conducted
by Michael Calce (a.k.a. Mafiaboy) on Amazon.com, CNN.com,
ETrade.com, ebay.com, Yahoo.com, Excite.com, and Dell.com.
• These software-based attacks lasted approximately four hours and
reportedly resulted in millions of dollars in lost revenue.
• The British ISP CloudNine is believed to be the first business “hacked
out of existence” by a DoS attack in January 2002.
• This attack was similar to the DoS attacks launched by Mafiaboy in
February 2000.
• In January 2016, a group calling itself New World Hacking attacked
the BBC’s Web site. If the scope of the attack is verified, it would
qualify as the largest DDoS attack in history, with an attack rate of 602
Gbps (gigabits per second). The group also hit Donald Trump’s
campaign Web site on the same day.
E-mail Attacks: mail bombs & spams
Mail bomb: An attack designed to overwhelm the receiver with excessive
quantities of e-mail. It is a kind of DoS attack. It can be done using traditional
e-mailing techniques or by exploiting various technical flaws in the Simple
Mail Transport Protocol (SMTP).
• The target of the attack receives an unmanageably large volume of
unsolicited e-mail.
• By sending large e-mails with forged header information, attackers can take
advantage of poorly configured e-mail systems on the Internet and trick
them into sending many e-mails to an address of the attackers’ choice. If
many such systems are tricked into participating, the target e-mail address
is buried under thousands or even millions of unwanted e-mails.
• Although phishing attacks occur via e-mail, they are commonly associated
with a method of social engineering designed to trick users to perform an
action, rather than simply making the user a target of a DoS e-mail attack.

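A rate-based detector for the flood pattern described under DoS/DDoS above and in the mail-bomb description here, as an added Python example that is not from the textbook or the slides. The log format, the per-source and aggregate limits, and the documentation-range addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are constructed.

```python
"""Sliding-window flood detection separating single-source DoS from DDoS (added example)."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional, Tuple


def parse_line(line: str) -> Tuple[float, str]:
    """Constructed log format: '<epoch_seconds> <source_ip> <request>' (not a real server format)."""
    ts, ip, _request = line.split(" ", 2)
    return float(ts), ip


def detect_floods(lines: Iterable[str], window_s: float = 10.0,
                  per_source_limit: int = 100, aggregate_limit: int = 300) -> Dict[str, object]:
    """Scan time-ordered log lines with a sliding window of `window_s` seconds.

    - A source that alone exceeds `per_source_limit` requests in a window is a
      single-source DoS candidate and is flagged.
    - If the window total exceeds `aggregate_limit` while no source exceeds its
      own limit, the load is spread across many sources: the DDoS pattern, in
      which bots or zombies at many locations each send a modest stream.
    Returns the flagged sources and the first (time, active_sources) at which
    the distributed pattern appeared, or None if it never did.
    """
    per_src: Dict[str, Deque[float]] = defaultdict(deque)
    window: Deque[float] = deque()          # timestamps of every request in the window
    flagged = set()
    distributed: Optional[Tuple[float, int]] = None

    for line in lines:
        t, ip = parse_line(line)
        cutoff = t - window_s
        window.append(t)
        per_src[ip].append(t)
        while window[0] <= cutoff:          # expire requests older than the window
            window.popleft()
        for q in per_src.values():
            while q and q[0] <= cutoff:
                q.popleft()
        if len(per_src[ip]) > per_source_limit:
            flagged.add(ip)
        elif distributed is None and len(window) > aggregate_limit:
            busiest = max(len(q) for q in per_src.values())
            if busiest <= per_source_limit:
                distributed = (t, sum(1 for q in per_src.values() if q))

    return {"single_source": sorted(flagged), "distributed": distributed}


def constructed_dos_log() -> List[str]:
    """Two legitimate clients plus one host (TEST-NET-2 address) sending 500 requests in 5 s."""
    lines = [f"{i * 2.0:.2f} 192.0.2.10 GET /index.html" for i in range(5)]
    lines += [f"{i * 3.0:.2f} 192.0.2.11 GET /login" for i in range(3)]
    lines += [f"{i * 0.01:.2f} 198.51.100.7 GET /search" for i in range(500)]
    return sorted(lines, key=lambda ln: float(ln.split(" ", 1)[0]))


def constructed_ddos_log() -> List[str]:
    """200 hosts (TEST-NET-3 addresses) sending 4 requests each within 8 s: no single
    source crosses the per-source limit, but the aggregate does."""
    return [f"{k * 0.01:.2f} 203.0.113.{k % 200 + 1} GET /" for k in range(800)]


if __name__ == "__main__":
    print("DoS  :", detect_floods(constructed_dos_log()))
    print("DDoS :", detect_floods(constructed_ddos_log()))
```

The per-source rule is what a single organization can enforce at its own edge; the aggregate rule only reports the distributed pattern, which matches the slides’ point that DDoS needs cooperative defenses upstream.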
Spam: e-mail attack
• Spam is unsolicited commercial e-mail. While many consider
spam a trivial nuisance rather than an attack, it has been used
as a means of enhancing malicious code attacks.
• In March 2002, there were reports of malicious code
embedded in MP3 files that were included as attachments to
spam.
• The most significant consequence of spam, however, is the
waste of computer and human resources. Many organizations
attempt to cope with the flood of spam by using e-mail
filtering technologies.
• Other organizations simply tell users of the mail system to delete unwanted messages.
Communications Interception Attacks

Communications attack
• Common software-based communications attacks include
several subcategories designed to intercept and collect
information in transit. These types of attacks include
sniffers, spoofing, pharming, and man-in-the-middle attacks.
• The emergence of the Internet of Things (IoT)—the addition
of communications and interactivity to everyday objects—
increases the possibility of these types of attacks.
• Our automobiles, appliances, and entertainment devices
along with smartphones are being interconnected and
remotely controlled. The security of these devices has not
always been a primary concern.

Packet Sniffer
• A packet sniffer (or simply sniffer) can monitor data traveling over
a network. Sniffers can be used both for legitimate network
management functions and for stealing information.
• Unauthorized sniffers can be extremely dangerous to a network’s
security because they are hard to detect and can be inserted
almost anywhere.
• This feature makes them a favorite weapon in the hacker’s arsenal.
Sniffers often work on TCP/IP networks.
• Sniffers add risk to network communications because many
systems and users send information on local networks in clear
text.
• A sniffer program shows all the data going by, including passwords,
the data inside files (such as word-processing documents), and
sensitive data from applications.
Spoofing and Pharming

IP Spoofing attack
Man in the middle attack
• In the well-known man-in-the-middle attack, an attacker monitors
(or sniffs) packets from the network, modifies them, and inserts
them back into the network.
• In a TCP hijacking attack, also known as session hijacking, the
attacker uses address spoofing to impersonate other legitimate
entities on the network. It allows the attacker to eavesdrop as
well as to change, delete, reroute, add, forge, or divert data.
• A variant of TCP hijacking involves the interception of an
encryption key exchange, which enables the hacker to act as an
invisible man in the middle—that is, an eavesdropper—on
encrypted communications. Fig. next illustrates these attacks by
showing how a hacker uses public and private encryption keys to
intercept messages.
Man in the middle attack

END
