
cse405 Chapter 16

UNIT –V

Web Security Considerations:

The World Wide Web is fundamentally a client/server application running over the
Internet and TCP/IP intranets. As such, the security tools and approaches discussed so far in this
book are relevant to the issue of Web security. But the Web presents new challenges not generally
appreciated in the context of computer and network security.

• The Internet is two-way. The Web is vulnerable to attacks on the Web servers over the Internet.
• The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted.
• Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex.
• Once the Web server is subverted, an attacker may be able to gain access to data and systems not part of the Web itself but connected to the server at the local site.
• Casual and untrained (in security matters) users are common clients for Web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures.

Web Traffic Security Approaches

A number of approaches to providing Web security are possible. The various approaches
that have been considered are similar in the services they provide and, to some extent, in the
mechanisms that they use, but they differ with respect to their scope of applicability and their
relative location within the TCP/IP protocol stack. Stallings Figure 16.1 illustrates this difference.


One way to provide Web security is to use IP Security (Figure 16.1a). The advantage of
using IPSec is that it is transparent to end users and applications and provides a general-purpose
solution. Further, IPSec includes a filtering capability so only selected traffic need incur the IPSec
processing overhead.
Another relatively general-purpose solution is to implement security just above TCP (Figure
16.1b). The foremost example of this approach is the Secure Sockets Layer (SSL) and the follow-on
Internet standard known as Transport Layer Security (TLS). At this level, there are two
implementation choices. For full generality, SSL (or TLS) could be provided as part of the
underlying protocol suite and therefore be transparent to applications. Alternatively, SSL can be
embedded in specific packages; for example, both the Netscape and Microsoft Explorer browsers come
with SSL, and most Web servers have implemented it.
Application-specific security services are embedded within the particular application.
Figure 16.1c shows examples of this architecture. The advantage of this approach is that the service
can be tailored to the specific needs of a given application.

SSL (Secure Socket Layer)

SSL is probably the most widely used Web security mechanism, and it is implemented at the
Transport layer.
SSL is designed to make use of TCP to provide a reliable end-to-end secure service. Netscape
originated SSL. Version 3 of the protocol was designed with public review and input from industry
and was published as an Internet draft document. Subsequently, when a consensus was reached to
submit the protocol for Internet standardization, the TLS working group was formed within IETF to
develop a common standard. The first published version of TLS can be viewed as essentially SSLv3.1
and is very close to and backward compatible with SSLv3. SSL is not a single protocol but rather
two layers of protocols, as shown next.

SSL Architecture:

SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
SSL is not a single protocol but rather two layers of protocols, as illustrated in Figure 16.2.
The SSL Record Protocol provides basic security services to various higher-layer protocols.
In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web
client/server interaction, can operate on top of SSL.
Three higher-layer protocols are also defined as part of SSL: the Handshake Protocol,
Change Cipher Spec Protocol, and Alert Protocol. These SSL-specific protocols are used in the
management of SSL exchanges.

Two important SSL concepts are the SSL connection and the SSL session:

• Connection: A connection is a network transport that provides a suitable type of service. Such connections are transient, peer-to-peer relationships, associated with one session.
• Session: An SSL session is an association between a client and a server, created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.


Between any pair of parties (applications such as HTTP on client and server), there may be
multiple secure connections. In theory, there may also be multiple simultaneous sessions between
parties, but this feature is not used in practice.
Once a session is established, there is a current operating state for both read and write (i.e.,
receive and send). In addition, during the Handshake Protocol, pending read and write states are
created. Upon successful conclusion of the Handshake Protocol, the pending states become the
current states. A session state and a connection state are defined by sets of parameters, see
textbook for details.

SSL Record Protocol Services

SSL Record Protocol defines two services for SSL connections:

• Confidentiality: The Handshake Protocol defines a shared secret key that is used for
conventional encryption of SSL payloads. The message is compressed before being
concatenated with the MAC and encrypted, with a range of ciphers being supported as
shown.


• Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC), which is similar to HMAC.

Fig: 17.3 SSL Record protocol Operation.

Figure 17.3 shows the overall operation of the SSL Record Protocol. The Record Protocol
takes an application message to be transmitted, fragments the data into manageable blocks,
optionally compresses the data, computes and appends a MAC (using a hash very similar to
HMAC), encrypts (using one of the symmetric algorithms listed on the previous slide), adds a
header (with details of the SSL content type, major/minor version, and compressed length), and
transmits the resulting unit in a TCP segment. Received data are decrypted, verified, decompressed,
and reassembled and then delivered to higher-layer applications.

The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14 bytes (16384 bytes) or less. Next, compression is optionally applied.


Compression must be lossless and may not increase the content length by more than 1024 bytes.
The next step in processing is to compute a message authentication code over the
compressed data. For this purpose, a shared secret key is used. The calculation is defined as

Next, the compressed message plus the MAC are encrypted using symmetric encryption.
For stream encryption, the compressed message plus the MAC are encrypted. Note that the
MAC is computed before encryption takes place and that the MAC is then encrypted along with the
plaintext or compressed plaintext.
For block encryption, padding may be added after the MAC prior to encryption. The padding
is in the form of a number of padding bytes followed by a one-byte indication of the length of the
padding.


The final step of SSL Record Protocol processing is to prepare a header consisting of the following
fields:
• Content Type (8 bits): The higher-layer protocol used to process the enclosed
fragment.
• Major Version (8 bits): Indicates major version of SSL in use. For SSLv3, the value is 3.
• Minor Version (8 bits): Indicates minor version in use. For SSLv3, the value is 0.
• Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed fragment if compression is used). The maximum value is 2^14 + 2048.
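As an added example (not from these notes or from Stallings), the following Python walks one application message through the Record Protocol steps just described and back again: fragmentation to 2^14 bytes, lossless compression, MAC, block padding in the pad-bytes-then-length format, encryption of data plus MAC, and the header with content type, major/minor version and length. It assumes HMAC-SHA256 as the MAC (the notes leave the SSLv3 formula out) and uses a constructed HMAC-based keystream as a stand-in for the negotiated symmetric cipher, so it runs with the standard library only.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14        # each upper-layer message is split into blocks of at most 2^14 bytes
MAX_GROWTH = 1024             # compression may not increase the content length by more than this
BLOCK_SIZE = 16               # assumed block size for the block-cipher padding format
MAC_LEN = 32                  # HMAC-SHA256 output length (assumed; SSLv3 used MD5/SHA-1 based MACs)
VERSION = (3, 0)              # major 3, minor 0 = SSLv3
CT_APPLICATION_DATA = 23      # record-layer content type for application data


def _mac(key: bytes, seq: int, ctype: int, compressed: bytes) -> bytes:
    # Assumption: HMAC-SHA256 over sequence number, content type, length and the compressed
    # fragment (the notes leave the SSLv3 formula out). Binding the sequence number means a
    # replayed or reordered record fails verification even though its bytes are unchanged.
    header = struct.pack(">QBH", seq, ctype, len(compressed))
    return hmac.new(key, header + compressed, hashlib.sha256).digest()


def _keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    # Constructed stand-in for the negotiated symmetric cipher: an HMAC-SHA256 keystream in
    # counter mode XORed into the data, so encryption and decryption are the same call.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_records(mac_key: bytes, enc_key: bytes, data: bytes, seq: int = 0) -> list:
    """Sender side: fragment, compress, MAC, pad, encrypt, then prepend the record header."""
    records = []
    for start in range(0, len(data), MAX_FRAGMENT):
        fragment = data[start:start + MAX_FRAGMENT]                 # 1. fragmentation
        compressed = zlib.compress(fragment)                         # 2. lossless compression
        if len(compressed) > len(fragment) + MAX_GROWTH:
            raise ValueError("compression grew the fragment by more than 1024 bytes")
        body = compressed + _mac(mac_key, seq, CT_APPLICATION_DATA, compressed)   # 3. MAC
        # 4. block-mode padding: pad bytes, then one byte giving the number of pad bytes
        pad_len = (BLOCK_SIZE - (len(body) + 1) % BLOCK_SIZE) % BLOCK_SIZE
        body += bytes([pad_len]) * pad_len + bytes([pad_len])
        encrypted = _keystream_xor(enc_key, seq, body)               # 5. encrypt data + MAC
        # 6. header: content type (8 bits), major/minor version (8 bits each), length (16 bits)
        header = struct.pack(">BBBH", CT_APPLICATION_DATA, VERSION[0], VERSION[1], len(encrypted))
        records.append(header + encrypted)
        seq += 1
    return records


def read_records(mac_key: bytes, enc_key: bytes, records: list, seq: int = 0) -> bytes:
    """Receiver side: check header, decrypt, strip padding, verify MAC, decompress, reassemble."""
    out = bytearray()
    for rec in records:
        ctype, major, minor, length = struct.unpack(">BBBH", rec[:5])
        if (major, minor) != VERSION or len(rec) != 5 + length:
            raise ValueError("bad record header")
        body = _keystream_xor(enc_key, seq, rec[5:])
        pad_len = body[-1]
        if pad_len + 1 + MAC_LEN > len(body):
            raise ValueError("bad padding")
        body = body[:len(body) - pad_len - 1]
        compressed, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        # Verify before decompressing; a mismatch is the Alert Protocol's bad_record_mac case
        if not hmac.compare_digest(mac, _mac(mac_key, seq, ctype, compressed)):
            raise ValueError("bad record MAC")
        out += zlib.decompress(compressed)
        seq += 1
    return bytes(out)


def tampered_record_rejected(mac_key: bytes, enc_key: bytes, records: list) -> bool:
    """Flip one ciphertext byte in the first record and report whether the receiver rejects it."""
    broken = bytearray(records[0])
    broken[10] ^= 0x01
    try:
        read_records(mac_key, enc_key, [bytes(broken)] + records[1:])
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: a 30720-byte HTTP request, which the record layer splits in two
    message = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n" * 640
    recs = build_records(b"mac-key", b"enc-key", message)
    print(len(recs), "records of", [len(r) for r in recs], "bytes")
    print("round trip ok:", read_records(b"mac-key", b"enc-key", recs) == message)
    print("tampering detected:", tampered_record_rejected(b"mac-key", b"enc-key", recs))
```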

Change Cipher Spec Protocol:

The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL
Record Protocol, and it is the simplest, consisting of a single message (shown in Stallings Figure
16.5a), which consists of a single byte with the value 1. The sole purpose of this message is to cause
the pending state to be copied into the current state, which updates the cipher suite to be used on
this connection.

SSL Alert Protocol

The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with other
applications that use SSL, alert messages are compressed and encrypted, as specified by the current
state.


Each message in this protocol consists of two bytes (as shown in Stallings Figure 16.5b). The
first byte takes the value warning(1) or fatal(2) to convey the severity of the message. The second
byte contains a code that indicates the specific alert.

• Fatal errors: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
• Warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown

SSL Handshake Protocol:

The most complex part of SSL is the Handshake Protocol. This protocol allows the server
and client to authenticate each other and to negotiate an encryption and MAC algorithm and
cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used
before any application data is transmitted. The Handshake Protocol consists of a series of messages
exchanged by client and server, which have the format shown in Stallings Figure 16.5c, and which
can be viewed in 4 phases:


Phase 1. Establish Security Capabilities:

This phase is used by the client to initiate a logical connection and to establish the security
capabilities that will be associated with it.
• The exchange is initiated by the client, which sends a client_hello message with the following parameters:
• Version: The highest SSL version understood by the client.
• Random: A client-generated random structure consisting of a 32-bit timestamp and 28 bytes generated by a secure random number generator. These values serve as nonces and are used during key exchange to prevent replay attacks.
• Session ID: A variable-length session identifier. A nonzero value indicates that the client wishes to update the parameters of an existing connection or to create a new connection on this session. A zero value indicates that the client wishes to establish a new connection on a new session.
• CipherSuite: This is a list that contains the combinations of cryptographic algorithms supported by the client, in decreasing order of preference. Each element of the list (each cipher suite) defines both a key exchange algorithm and a CipherSpec; these are discussed subsequently.
• Compression Method: This is a list of the compression methods the client supports.

After sending the client_hello message, the client waits for the server_hello message, which contains the same parameters as the client_hello message.

The first element of the CipherSuite parameter is the key exchange method (i.e., the means
by which the cryptographic keys for conventional encryption and MAC are exchanged). The
following key exchange methods are supported.

• RSA: The secret key is encrypted with the receiver’s RSA public key.
• Fixed Diffie-Hellman: This is a Diffie-Hellman key exchange in which the server’s certificate contains the Diffie-Hellman public parameters signed by the certificate authority (CA). That is, the public-key certificate contains the Diffie-Hellman public-key parameters.
• Ephemeral Diffie-Hellman: This technique is used to create ephemeral (temporary, one-time) secret keys. In this case, the Diffie-Hellman public keys are exchanged, signed using the sender’s private RSA or DSS key. The receiver can use the corresponding public key to verify the signature.
• Anonymous Diffie-Hellman: The base Diffie-Hellman algorithm is used with no authentication. That is, each side sends its public Diffie-Hellman parameters to the other with no authentication.

Phase 2. Server Authentication and Key Exchange:

• The server begins this phase by sending its certificate if it needs to be authenticated.
• Next, a server_key_exchange message may be sent if it is required.
• Next, a nonanonymous server (server not using anonymous Diffie-Hellman) can request a certificate from the client. The certificate_request message includes two parameters: certificate_type and certificate_authorities.
• The final message in phase 2, and one that is always required, is the server_done message, which is sent by the server to indicate the end of the server hello and associated messages. After sending this message, the server will wait for a client response.

Phase 3. Client Authentication and Key Exchange:


The client should verify that the server provided a valid certificate if required and check that the server_hello parameters are acceptable.

• If the server has requested a certificate, the client begins this phase by sending a certificate message. If no suitable certificate is available, the client sends a no_certificate alert instead.
• Next is the client_key_exchange message, which must be sent in this phase.
• Finally, in this phase, the client may send a certificate_verify message to provide explicit verification of a client certificate. This message is only sent following any client certificate that has signing capability (i.e., all certificates except those containing fixed Diffie-Hellman parameters).

Phase 4. Finish:
• This phase completes the setting up of a secure connection.
• The client sends a change_cipher_spec message and copies the pending
CipherSpec into the current CipherSpec.
• The client then immediately sends the finished message under the new
algorithms, keys, and secrets.
• The finished message verifies that the key exchange and authentication
processes were successful.
• At this point the handshake is complete and the client and server may
begin to exchange application layer data.
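The four phases, the pending/current state switch made by the Change Cipher Spec Protocol, and the two-byte Alert Protocol message, as an added Python example that is not part of these notes: it negotiates a cipher suite from the client's preference list, resumes a session when the client's session ID is known to the server, and checks the finished message on the server side. The cipher-suite names are constructed, the RSA key exchange of phases 2 and 3 is replaced by a shared random pre-master secret, and the finished computation is simplified to an HMAC over the transcript (all assumptions).

```python
import hashlib
import hmac
import os
import struct
import time

WARNING, FATAL = 1, 2
# Alert Protocol description codes (standard SSLv3 values) for the alerts listed in the notes
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
               30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
               42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
               45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter"}


def alert(level: int, code: int) -> bytes:
    """Alert Protocol message: one severity byte (warning=1, fatal=2) and one description byte."""
    return bytes([level, code])


def parse_alert(msg: bytes) -> tuple:
    level, code = msg
    return ("warning" if level == WARNING else "fatal", ALERT_NAMES.get(code, "unknown"))


def make_random() -> bytes:
    """The Random parameter: a 32-bit timestamp followed by 28 secure random bytes."""
    return struct.pack(">I", int(time.time())) + os.urandom(28)


class Endpoint:
    """One side of the connection, holding a current state and a pending state."""

    def __init__(self, cipher_suites: list):
        self.cipher_suites = cipher_suites          # supported suites, most preferred first
        self.current = {"cipher_suite": None, "master_secret": None}   # null state before handshake
        self.pending = {}                           # parameters being negotiated
        self.transcript = b""                       # handshake messages seen, for finished

    def change_cipher_spec(self) -> bytes:
        """Change Cipher Spec Protocol: the single byte 1; the pending state becomes current."""
        self.current = dict(self.pending)
        return b"\x01"

    def finished(self) -> bytes:
        # Simplified finished value: a MAC of the transcript under the new master secret
        # (SSLv3 actually combines MD5 and SHA-1 hashes of the handshake messages).
        return hmac.new(self.current["master_secret"], self.transcript, hashlib.sha256).digest()


def handshake(client: Endpoint, server: Endpoint, sessions: dict, session_id: bytes = b""):
    """Run the four phases; return the negotiated parameters, or a fatal alert on failure."""
    def log(msg):
        for endpoint in (client, server):
            endpoint.transcript += repr(msg).encode()

    # Phase 1: client_hello with version, random, session id, cipher suites and compression
    client_hello = {"version": (3, 0), "random": make_random(), "session_id": session_id,
                    "cipher_suites": client.cipher_suites, "compression": ["null"]}
    log(client_hello)
    # The server takes the first suite in the client's preference order that it also supports
    chosen = next((s for s in client_hello["cipher_suites"] if s in server.cipher_suites), None)
    if chosen is None:
        return alert(FATAL, 40)                     # handshake_failure
    resumed = session_id != b"" and session_id in sessions
    server_hello = {"version": (3, 0), "random": make_random(),
                    "session_id": session_id if resumed else os.urandom(32),
                    "cipher_suite": chosen, "compression": "null"}
    log(server_hello)

    # Phases 2 and 3: certificate and key-exchange messages. Stand-in (assumption): the
    # pre_master_secret that client_key_exchange would carry RSA-encrypted is replaced by a
    # shared random value, and the master secret is derived from it and both Random values.
    if resumed:
        master_secret = sessions[session_id]        # reuse the session's parameters
    else:
        pre_master_secret = os.urandom(48)
        master_secret = hmac.new(pre_master_secret, client_hello["random"] + server_hello["random"],
                                 hashlib.sha256).digest()
        sessions[server_hello["session_id"]] = master_secret
    for endpoint in (client, server):
        endpoint.pending = {"cipher_suite": chosen, "master_secret": master_secret}

    # Phase 4: change_cipher_spec, then finished under the new keys, which the peer verifies
    client.change_cipher_spec()
    client_finished = client.finished()
    server.change_cipher_spec()
    if not hmac.compare_digest(client_finished, server.finished()):
        return alert(FATAL, 40)
    return {"cipher_suite": chosen, "session_id": server_hello["session_id"], "resumed": resumed}


if __name__ == "__main__":
    sessions = {}                                   # server-side session cache
    # Constructed suite names (not the registry identifiers), client preference first
    client = Endpoint(["DHE_RSA_WITH_AES_128_SHA", "RSA_WITH_AES_128_SHA"])
    server = Endpoint(["RSA_WITH_AES_128_SHA", "RSA_WITH_3DES_SHA"])
    first = handshake(client, server, sessions)
    print("negotiated:", first["cipher_suite"], "resumed:", first["resumed"])
    second = handshake(Endpoint(client.cipher_suites), Endpoint(server.cipher_suites),
                       sessions, session_id=first["session_id"])
    print("second connection resumed:", second["resumed"])
    print(parse_alert(handshake(Endpoint(["RSA_WITH_RC4_MD5"]), server, sessions)))
```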

Secure electronic transaction intruders:


What is Secure Electronic Transaction (SET)?


• SET is a security protocol that enhances online payment security and integrity, especially for payments involving debit and credit cards.
• SET protects electronic payments by encrypting personal card details and authenticating users through digital certificates.
• SET ensures that only authorised parties can access sensitive information and that transactions are not tampered with.

SET was developed in the late 1990s by Visa and Mastercard, in collaboration with several technology and Internet companies, such as Microsoft, IBM, Verisign and Netscape. The aim was to create a standard and universal protocol for securing online payments and promoting the growth of e-commerce.

SET is not a payment system, but a security framework that can be linked with existing payment systems. It is founded on the principles of Public Key Infrastructure (PKI). PKI relies on the use of both public and private keys to secure data through encryption and decryption, alongside digital certificates. This plays a crucial role in authenticating the parties engaged in the transaction.
SET uses four types of digital certificates:

• Cardholder certificates
• Merchant certificates
• Payment gateway certificates
• Authority certificates

These certificates are issued by trusted third parties and are used to
establish a secure connection between the cardholder, the merchant,
the payment gateway, and the card issuer.

Secure Electronic Transaction Participants
1. Cardholder
A cardholder is an authorised user of a payment card, such as a
MasterCard or Visa, issued by a financial institution. The cardholder
can utilise the card to make purchases from merchants who accept
the card as a form of payment. The cardholder is also the owner of
the card account, which is used to track transactions and card
balance.

2. Merchant
A merchant is an entity that sells goods or services to cardholders. To
accept online payments, merchants must establish a relationship with
an acquirer. This allows them to process payment transactions from
customers securely.

3. Issuer
An issuer is a financial organisation, such as a bank, that provides
payment cards to cardholders. Issuers are responsible for managing
the debt incurred by the cardholder.

4. Acquirer
An acquirer is a financial organisation that collaborates with merchants to process payment authorisations and transactions. Acquirers facilitate electronic fund transfers to merchant accounts, enabling seamless online payments.

5. Payment Gateway
A payment gateway intermediates between SET and card payment
networks. It facilitates communication between merchants and
acquirers for payment authorisation, ensuring secure and efficient
online transactions.

6. Certification Authority
A certification authority is a trusted entity providing public-key
certificates to cardholders, payment gateways and merchants. These
certificates ensure the security and authenticity of all the participants
involved in the SET process.

How Does Secure Electronic Transaction Work?
Here is the step-by-step functioning of the secure electronic payment systems:

1. Customer Account Setup
You must open a credit card account with a bank supporting electronic payments and the SET protocol. You can visit the bank’s website or contact customer service to do so.

2. Certificate Issuance to Customer
Once your identity is verified, you will receive a digital certificate from a trusted Certificate Authority (CA). This certificate contains essential details such as your name, public key, expiry date and certificate number. The CA ensures the authenticity and integrity of this certificate.

3. Merchant Certificate
To establish trustworthiness, merchants also obtain a digital certificate. This certificate verifies their identity and allows them to accept credit cards from certain issuers for secure electronic transactions.

4. Placing an Order
Browse through the merchant’s website and select the items you wish
to buy. This creates a record of your order on the merchant’s site.

5. Merchant Verification
To assure authenticity, merchants send you their digital certificates,
along with the order details. This helps you identify valid and
authorised merchants.

6. Order and Payment Details
Next, you securely transmit your encrypted order and payment details to the merchant using your digital certificate for identification. The merchant cannot read this information but can verify your identity through your digital certificate.

7. Payment Authorisation Request
The merchant forwards the payment details to the payment gateway through an acquirer. They request payment authorisation from the payment gateway, which acts as an intermediary between the merchant and your credit card issuer.

8. Payment Gateway Authorisation
The payment gateway cross-verifies your credit card information with the issuer for authorising or rejecting the payment request. This verification process ensures online payment security by confirming that your credit card is valid and has sufficient funds.

9. Order Confirmation
Upon successful payment authorisation, the merchant confirms the order, providing payment authorisation details and purchase information.

10. Goods and Services Provision
Once the order is confirmed, the merchant provides the requested goods or services. This can include shipping physical products or granting access to digital content.

11. Payment Request by Merchant
Finally, after providing goods or services, the merchant requests payment from the payment gateway. The payment gateway interacts with various financial organisations, including the credit card issuer, acquirer and clearing house, to facilitate fund transfer from your account to the merchant’s account.

Security Architecture of Secure Electronic Transaction
1. SET Digital Certificates
Digital certificates are issued by trusted third parties called Certificate Authorities, which verify the identity and public key of the certificate holder.

Cardholder certificates are assigned to you by your card issuer, such as a bank or credit card company. These certificates contain your name, account number, expiration date, and public key. Cardholder certificates allow you to prove your identity and payment information to merchants and payment gateways, reducing the threat of fraud and identity theft.

2. SET Dual Signatures
Digital signatures are utilised for card authentication during transactions. Each transaction generates encrypted digital signatures for the merchant, customer and associated financial institutions. This secures the transaction by encrypting order information with the merchant’s public key and payment information with the acquiring bank’s public key.

3. SET Digital Wallet
SET activates your digital wallet through a password-based self-authentication process to enable secure payments. After authentication, your device sends the purchase and payment details to the merchant. Upon successful authentication, the issuing bank provides payment authorisation to the acquiring bank, hence informing the merchant of the success of the transaction.

What are the Benefits of Secure Electronic Transactions?
Some of the most popular advantages of Secure Electronic Transactions are:
1. Growing online sales: With a projected growth of over
50% in global online retail sales in the next four years, it
is essential to prioritise customer account security.
Potential risks associated with fraud, data breaches and
hacked accounts make it imperative for businesses to
implement robust security measures.
2. Mitigating security risks: The SET protocol was
introduced as a solution to secure credit card transactions
over networks. Its advanced encryption and algorithm
systems are specifically designed to address security
challenges associated with online payments. By
leveraging SET, businesses can engage in secure
payments, protect sensitive customer data and prevent
unauthorised access.
3. Use of digital certificates: SET issues digital
certificates to users during transactions. These
certificates are verified using digital signatures and
certificates among all involved parties, including
merchants, cardholders and financial entities. This
ensures the authenticity and integrity of the transaction,
reducing the risk of fraudulent activities.

4. Ensuring privacy and confidentiality: The combination of digital signatures and certificates in the SET protocol ensures complete privacy and confidentiality for transactions. It safeguards sensitive information from unauthorised access or interception during transmission, instilling trust in customers while conducting online transactions.

Viruses and Firewalls:

Firewall

A firewall is a network security device that observes and filters incoming and outgoing network traffic, adhering to the security policies defined by an organization. Essentially, it acts as a protective wall between a private internal network and the public Internet.

Types of Firewalls

A firewall can be either software or hardware. Software firewalls are programs installed on each computer, and they regulate network traffic through applications and port numbers. Hardware firewalls, by contrast, are equipment placed between the gateway and your network. A firewall delivered as a cloud service is called a cloud firewall.

There are multiple types of firewalls based on their traffic filtering methods, structure,
and functionality. A few of the types of firewalls are:

• Packet Filtering

A packet filtering firewall controls data flow to and from a network. It allows or blocks the data transfer based on the packet's source address, the destination address of the packet, the application protocols used to transfer the data, and so on.

• Proxy Service Firewall

This type of firewall protects the network by filtering messages at the application layer. For a specific application, a proxy firewall serves as the gateway from one network to another.

• Stateful Inspection

Such a firewall permits or blocks network traffic based on state, port, and protocol. Here, it decides filtering based on administrator-defined rules and context.

• Next-Generation Firewall

According to Gartner, Inc.’s definition, the next-generation firewall is a deep-packet inspection firewall that adds application-level inspection, intrusion prevention, and information from outside the firewall to go beyond port/protocol inspection and blocking.

• Unified Threat Management (UTM) Firewall

A UTM device generally integrates the capabilities of a stateful inspection firewall, intrusion prevention, and antivirus in a loosely linked manner. It may include additional services and, in many cases, cloud management. UTMs are designed to be simple and easy to use.

• Threat-Focused NGFW

These firewalls provide advanced threat detection and mitigation. With network and endpoint event correlation, they may detect evasive or suspicious behavior.

How a Firewall Works

As mentioned previously, firewalls filter the network traffic within a private network. A firewall analyses which traffic should be allowed or restricted based on a set of rules. Think of the firewall as a gatekeeper at your computer’s entry point which only allows trusted sources, or IP addresses, to enter your network.

A firewall admits only the incoming traffic that it has been configured to accept. It distinguishes between good and malicious traffic and either allows or blocks specific data packets according to pre-established security rules.

These rules are based on several aspects indicated by the packet data, like its source, destination, content, and so on. They block traffic coming from suspicious sources to prevent cyberattacks.

For example, the image depicted below shows how a firewall allows good traffic to pass to the user’s private network.

However, in the example below, the firewall blocks malicious traffic from entering the private network, thereby protecting the user’s network from being susceptible to a cyberattack.

This way, a firewall carries out quick assessments to detect malware and other
suspicious activities.
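As an added example (not from the tutorial text above), the Python below runs one constructed packet sample through a packet-filtering rule set and through a stateful inspection firewall that tracks connections, to show the difference described in the types list: judged packet by packet, the stateless filter either blocks the server's own replies or needs a broad rule that also admits unsolicited packets, while the stateful firewall allows replies to admitted connections and drops a bare ACK that has no connection state. The addresses, rules and packets are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


# Constructed policy: only web traffic to the internal server 10.0.0.5 is allowed in, and the
# last rule is the default deny. Fields: action, source, destination, protocol, destination
# port; "any" and None are wildcards.
RULES = [
    ("allow", "any", "10.0.0.5", "tcp", 443),
    ("allow", "any", "10.0.0.5", "tcp", 80),
    ("deny", "any", "any", "any", None),
]


def packet_filter(pkt: Packet) -> str:
    """Packet-filtering firewall: first matching rule wins, each packet judged in isolation."""
    for action, src, dst, proto, dport in RULES:
        if (src in ("any", pkt.src) and dst in ("any", pkt.dst)
                and proto in ("any", pkt.proto) and dport in (None, pkt.dport)):
            return action
    return "deny"                     # nothing matched: deny by default


class StatefulFirewall:
    """Stateful inspection: remembers connections admitted by policy, so their replies and
    later packets pass, while packets that merely look like part of a connection (a bare ACK
    with no prior handshake) are dropped even if a rule would match them."""

    def __init__(self):
        self.connections = set()      # admitted connections as (src, sport, dst, dport, proto)

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if forward in self.connections or reverse in self.connections:
            return "allow"            # belongs to a connection already admitted
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"             # no state and not a connection opener: unsolicited
        action = packet_filter(pkt)   # a new connection is checked against the rules
        if action == "allow":
            self.connections.add(forward)
        return action


# Constructed traffic sample (addresses from the documentation ranges)
SAMPLE = [
    Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 443, syn=True),            # client opens HTTPS
    Packet("10.0.0.5", "198.51.100.7", "tcp", 443, 40000, syn=True, ack=True),  # server's SYN/ACK
    Packet("203.0.113.9", "10.0.0.5", "tcp", 5555, 443, ack=True),              # bare ACK, no handshake
    Packet("203.0.113.9", "10.0.0.5", "tcp", 5555, 22, syn=True),               # SSH attempt
]


def compare(packets: list) -> dict:
    """Run both firewall types over the same packets and return their verdicts in order."""
    stateful = StatefulFirewall()
    return {"packet_filter": [packet_filter(p) for p in packets],
            "stateful": [stateful.decide(p) for p in packets]}


if __name__ == "__main__":
    for kind, verdicts in compare(SAMPLE).items():
        print(f"{kind:14s}", verdicts)
```

The stateless filter blocks the server's SYN/ACK (packet 2) but lets the unsolicited ACK to port 443 (packet 3) through; the stateful firewall gets both right because it keys on the connection it admitted in packet 1.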

There are different types of firewalls that read data packets at different network levels.

Viruses

A virus is a fragment of code embedded in a legitimate program. Viruses are self-replicating and are designed to infect other programs. They can wreak havoc in a system by modifying or destroying files, causing system crashes and program malfunctions. On reaching the target machine, a virus dropper (usually a trojan horse) inserts the virus into the system.

Various types of viruses:

• File Virus:
This type of virus infects the system by appending itself to the end of a file. It changes the start of a program so that control jumps to its code. After the execution of its code, control returns to the main program. Its execution is not even noticed. It is also called a parasitic virus because it alters the files it infects but leaves the host program functional.

• Boot Sector Virus:
It infects the boot sector of the system, executing every time the system is booted and before the operating system is loaded. It infects other bootable media like floppy disks. These are also known as memory viruses, as they do not infect the file system.

• Macro Virus:
Unlike most viruses, which are written in a low-level language (like C or assembly language), these are written in a high-level language like Visual Basic. These viruses are triggered when a program capable of executing a macro is run. For example, macro viruses can be contained in spreadsheet files.

• Source Code Virus:
It looks for source code and modifies it to include the virus and to help spread it.

• Polymorphic Virus:
A virus signature is a pattern that can identify a virus (a series of bytes that make up the virus code). So, in order to avoid detection by antivirus software, a polymorphic virus changes each time it is installed. The functionality of the virus remains the same, but its signature is changed.

• Encrypted Virus:
In order to avoid detection by antivirus software, this type of virus exists in encrypted form. It carries a decryption algorithm along with it. So the virus first decrypts and then executes.

• Stealth Virus:
It is a very tricky virus, as it changes the code that can be used to detect it. Hence, the detection of viruses becomes very difficult. For example, it can change the read system call such that whenever the user asks to read code modified by the virus, the original form of the code is shown rather than the infected code.

• Browser Hijacker:
As the name suggests, this virus is coded to target the user’s browser and can alter the browser settings. It is also called the browser redirect virus because it redirects your browser to other malicious sites that can harm your computer system.

Intruders

One of the two most publicized threats to security is the intruder (the other is viruses), often referred to as a hacker or cracker.
Three classes of intruders:
• Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
• Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
• Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.

The following are examples of intrusion:

• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical
information, without authorization
• Running a packet sniffer on a workstation to capture usernames and
passwords
• Using a permission error on an anonymous FTP server to distribute
pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the
executive’s e-mail password, and learning the new password

HACKERS
Traditionally, those who hack into computers do so for the thrill of it or for status.
Some Examples of Hacker Patterns of Behavior

1. Select the target using IP lookup tools such as NSLookup, Dig, and
others.
2. Map network for accessible services using tools such as NMAP.
3. Identify potentially vulnerable services (in this case, pcAnywhere).
4. Brute force (guess) pcAnywhere password.
5. Install remote administration tool called DameWare.
6. Wait for administrator to log on and capture his password.
7. Use that password to access remainder of network.

INSIDER ATTACKS Insider attacks are among the most difficult to detect and prevent. Employees already have access and knowledge about the structure and content of corporate databases. Insider attacks can be motivated by revenge or simply a feeling of entitlement.

Some Examples of Insider Attack Patterns of Behavior

1. Create network accounts for themselves and their friends.
2. Access accounts and applications they wouldn’t normally use for their daily jobs.
3. E-mail former and prospective employers.
4. Conduct furtive instant-messaging chats.
5. Visit Web sites that cater to disgruntled employees, such as
f’dcompany.com.
6. Perform large downloads and file copying.
7. Access the network during off hours.

Intrusion Techniques

 The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system.
 Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a back door into the system.
 Alternatively, the intruder attempts to acquire information that
should have been protected.
 In some cases, this information is in the form of a user
password. Typically, a system must maintain a file that
associates a password with each authorized user.
 If such a file is stored with no protection, then it is an easy
matter to gain access to it and learn passwords.
 The password file can be protected in one of two ways:
• One-way function: The system stores only the value of a function based on the user’s password. When the user presents a password, the system transforms that password and compares it with the stored value. In practice, the system usually performs a one-way transformation (not reversible) in which the password is used to generate a key for the one-way function and in which a fixed-length output is produced.
• Access control: Access to the password file is limited to one or a very few accounts.

 If one or both of these countermeasures are in place, some effort is needed for a potential intruder to learn passwords.

The following are techniques for learning passwords:

1. Try default passwords used with standard accounts that are
shipped with the system. Many administrators do not bother to
change these defaults.
2. Exhaustively try all short passwords (those of one to three characters).
3. Try words in the system’s online dictionary or a list of likely
passwords. Examples of the latter are readily available on hacker
bulletin boards.
4. Collect information about users, such as their full names, the
names of their spouse and children, pictures in their office, and books
in their office that are related to hobbies.
5. Try users’ phone numbers, Social Security numbers, and room numbers.
6. Try all legitimate license plate numbers for this state.
7. Use a Trojan horse (described in Chapter 10) to bypass restrictions on
access.
8. Tap the line between a remote user and the host system.
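The two countermeasures and the password-guessing techniques above, as an added example in Python (not code from these notes): the password file stores only a salted, iterated one-way transform (PBKDF2 with SHA-256, chosen here as the one-way function), the file is created readable by its owner only, and new passwords are refused when they match the default, short or dictionary guesses listed. The default-password and dictionary lists are constructed.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

ITERATIONS = 100_000   # work factor of the one-way function (assumed value)
# Constructed examples of vendor defaults and dictionary words a checker should refuse.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "guest"}
DICTIONARY = {"secret", "letmein", "welcome", "dragon"}

def make_entry(password, salt=b""):
    """Return what the password file stores: only the one-way transform of the password.
    A random salt ensures two users with the same password get different entries."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(entry, candidate):
    """Transform the presented password the same way and compare with the stored value."""
    iters, salt_hex, stored_hex = entry.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), stored_hex)   # constant-time comparison

def reject_reason(password):
    """Refuse passwords that the listed guessing techniques would find first; None if acceptable."""
    lowered = password.lower()
    if lowered in DEFAULT_PASSWORDS:
        return "default password shipped with the system"
    if len(password) <= 3:
        return "short password (exhaustive search is trivial)"
    if lowered in DICTIONARY:
        return "dictionary word"
    return None

def write_password_file(path, entries):
    """Access-control countermeasure: the file is created readable/writable by its owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for user, entry in entries.items():
            f.write(f"{user}:{entry}\n")

def load_password_file(path):
    with open(path) as f:
        return dict(line.rstrip("\n").split(":", 1) for line in f if line.strip())

def file_mode(path):
    """Permission bits of the file (0o600 expected on POSIX systems)."""
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Round trip: enrol two users, store the file, reload it and authenticate against it."""
    users = {"smith": "Tr0ub4dor&3xyZ!", "jones": "correct-horse-battery"}
    assert all(reject_reason(p) is None for p in users.values())
    entries = {u: make_entry(p) for u, p in users.items()}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")
        write_password_file(path, entries)
        mode = file_mode(path)
        loaded = load_password_file(path)
    return {
        "mode": mode,
        "smith_ok": verify(loaded["smith"], "Tr0ub4dor&3xyZ!"),
        "smith_wrong": verify(loaded["smith"], "tr0ub4dor&3xyz!"),
        "same_password_same_salt": make_entry("x", b"\x00" * 16) == make_entry("x", b"\x00" * 16),
        "same_password_random_salt": make_entry("x") == make_entry("x"),
    }
```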

INTRUSION DETECTION

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.

The following are approaches to intrusion detection:

1. Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
 a. Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.
 b. Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.
2. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
 a. Anomaly detection: Rules are developed to detect deviation from previous usage patterns.
 b. Penetration identification: An expert system approach that searches for suspicious behavior.

Audit Records

A fundamental tool for intrusion detection is the audit record. Some record of ongoing activity by users must be maintained as input to an intrusion detection system. Basically, two plans are used:
• Native audit records: Virtually all multiuser operating systems
include accounting software that collects information on user activity.
 The advantage of using this information is that no additional
collection software is needed.
 The disadvantage is that the native audit records may not contain
the needed information or may not contain it in a convenient
form.
• Detection-specific audit records: A collection facility can be
implemented that generates audit records containing only that
information required by the intrusion detection system.
 One advantage of such an approach is that it could be made
vendor independent and ported to a variety of systems.
 The disadvantage is the extra overhead involved in having, in
effect, two accounting packages running on a machine.

 A good example of detection-specific audit records is one developed by Dorothy Denning. Each audit record contains the following fields:

• Subject: Initiators of actions. A subject is typically a terminal user but might also be a process acting on behalf of users or groups of users.
• Action: Operation performed by the subject on or with an object; for example, login, read, perform I/O, execute.
• Object: Receptors of actions. Examples include files, programs, messages, records, terminals, printers, and user- or program-created structures. When a subject is the recipient of an action, such as electronic mail, then that subject is considered an object.
• Exception-Condition: Denotes which, if any, exception condition is raised on return.
• Resource-Usage: A list of quantitative elements in which each element gives the amount used of some resource (e.g., number of lines printed or displayed, number of records read or written, processor time, I/O units used, session elapsed time).
• Time-Stamp: Unique time-and-date stamp identifying when the action took place.

Consider the command
COPY GAME.EXE TO <Library>GAME.EXE
issued by Smith to copy an executable file GAME from the current directory to the <Library> directory. The following audit records may be generated:

Statistical Anomaly Detection

Statistical anomaly detection techniques fall into two broad categories: threshold detection and profile-based systems.
Threshold detection involves counting the number of
occurrences of a specific event type over an interval of time. If the
count surpasses what is considered a reasonable number that one
might expect to occur, then intrusion is assumed. Threshold
analysis, by itself, is a crude and ineffective detector of even
moderately sophisticated attacks.
Profile-based anomaly detection focuses on
characterizing the past behavior of individual users or related
groups of users and then detecting significant deviations. A profile
may consist of a set of parameters, so that deviation on just a single
parameter may not be sufficient in itself to signal an alert.

The foundation of this approach is an analysis of audit records. Examples of metrics that are useful for profile-based intrusion detection are the following:

• Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time. Examples include the number of logins by a single user during an hour, the number of times a given command is executed during a single user session, and the number of password failures during a minute.
• Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity. Examples include the number of logical connections assigned to a user application and the number of outgoing messages queued for a user process.
• Interval timer: The length of time between two related events. An example is the length of time between successive logins to an account.
• Resource utilization: Quantity of resources consumed during a specified period. Examples include the number of pages printed during a user session and total time consumed by a program execution.
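As an added example (not from the notes), the Denning audit record fields above and both statistical approaches in Python: a user-independent threshold on failed logins per minute, and per-user profiles built from a counter, an interval timer and a resource-utilization metric, alerting only when more than one parameter deviates. The audit records, the five-day history and the 3-sigma rule with its variance floor are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

DAY = 86_400

@dataclass
class AuditRecord:          # the six Denning fields described above
    subject: str            # initiator, e.g. a terminal user
    action: str             # login, read, execute, ...
    obj: str                # receptor (file, terminal, program)
    exception: str          # exception condition raised on return ("none" = success)
    resource_usage: dict    # quantitative elements, e.g. {"records": 4}
    time_stamp: int         # constructed: seconds since an arbitrary epoch

def login_failures_over_threshold(records, per_seconds=60, max_failures=3):
    """Threshold detection: one limit for every user, counted per fixed interval (failed logins per minute)."""
    counts = defaultdict(int)
    for r in records:
        if r.action == "login" and r.exception != "none":
            counts[(r.subject, r.time_stamp // per_seconds)] += 1
    return sorted({subj for (subj, _w), n in counts.items() if n > max_failures})

def daily_metrics(records):
    """Per (subject, day): a counter, an interval timer and a resource-utilization metric."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r.subject, r.time_stamp // DAY)].append(r)
    metrics = {}
    for key, recs in by_key.items():
        logins = sorted(r.time_stamp for r in recs if r.action == "login" and r.exception == "none")
        gaps = [b - a for a, b in zip(logins, logins[1:])]
        metrics[key] = {
            "logins": len(logins),                    # counter: successful logins in the day
            "login_gap": mean(gaps) if gaps else 0,   # interval timer: time between logins
            "records_read": sum(r.resource_usage.get("records", 0) for r in recs if r.action == "read"),
        }
    return metrics

def build_profiles(history):
    """Profile per user: mean and standard deviation of each metric over past days."""
    per_user = defaultdict(lambda: defaultdict(list))
    for (subj, _day), m in daily_metrics(history).items():
        for name, value in m.items():
            per_user[subj][name].append(value)
    return {s: {n: (mean(v), pstdev(v)) for n, v in ms.items()} for s, ms in per_user.items()}

def profile_deviations(profiles, today, k=3.0, min_params=2):
    """Alert only when at least min_params metrics deviate by more than k sigma:
    deviation on a single parameter is not sufficient by itself."""
    alerts = {}
    for (subj, _day), m in daily_metrics(today).items():
        prof = profiles.get(subj)
        if prof is None:
            continue
        deviant = []
        for name, x in m.items():
            mu, sd = prof[name]
            sigma = max(sd, 0.1 * abs(mu), 1e-9)  # assumed floor so a constant history is not zero tolerance
            if abs(x - mu) > k * sigma:
                deviant.append(name)
        if len(deviant) >= min_params:
            alerts[subj] = sorted(deviant)
    return alerts

def user_day(subject, day, login_offsets, records_read, failures=0):
    """One constructed day of activity: logins at the given offsets, one read, optional failed logins."""
    base = day * DAY
    recs = [AuditRecord(subject, "login", "tty1", "none", {}, base + off) for off in login_offsets]
    recs += [AuditRecord(subject, "login", "tty1", "bad-password", {}, base + 3600 + i) for i in range(failures)]
    recs.append(AuditRecord(subject, "read", "<Library>GAME.EXE", "none", {"records": records_read}, base + 36_000))
    return recs

# Constructed history: five days of routine activity for two users.
HISTORY = []
for d in range(5):
    HISTORY += user_day("smith", d, [9 * 3600 + 60 * d, 12 * 3600, 15 * 3600 + 120 * d], [18, 20, 22, 20, 20][d])
    HISTORY += user_day("jones", d, [8 * 3600, 17 * 3600 + 300 * d], 10 + d)

# Constructed "today" (day 5): smith reads far more than usual but keeps his schedule (one deviant
# parameter, so no alert); jones logs in every ten minutes at night, reads a large file and fails
# five logins within one minute (both a threshold alert and a profile alert).
TODAY = user_day("smith", 5, [9 * 3600, 12 * 3600, 15 * 3600], 500)
TODAY += user_day("jones", 5, [2 * 3600 + 600 * i for i in range(12)], 500, failures=5)
```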

Rule-Based Intrusion Detection

Rule-based techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious.

Rule-based anomaly detection is similar in terms of its
approach and strengths to statistical anomaly detection. With the
rule-based approach, historical audit records are analyzed to
identify usage patterns and to generate automatically rules that
describe those patterns. Rules may represent past behavior
patterns of users, programs, privileges, time slots, terminals, and so
on. Current behavior is then observed, and each transaction is
matched against the set of rules to determine if it conforms to any
historically observed pattern of behavior.
Rule-based penetration identification takes a very
different approach to intrusion detection. The key feature of such
systems is the use of rules for identifying known penetrations or
penetrations that would exploit known weaknesses. Typically, the
rules used in these systems are specific to the machine and
operating system. The most fruitful approach to developing such
rules is to analyze attack tools and scripts collected on the Internet.
These rules can be supplemented with rules generated by
knowledgeable security personnel.

Distributed Intrusion Detection

The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork. Although it is possible to mount a defense by using stand-alone intrusion detection systems on each host, a more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network.
The following are major issues in the design of a distributed intrusion detection system:

 A distributed intrusion detection system may need to deal with different audit record formats.
 One or more nodes in the network will serve as collection and analysis points for the data from the systems on the network. Thus, either raw audit data or summary data must be transmitted across the network. Therefore, there is a requirement to assure the integrity and confidentiality of these data. Integrity is required to prevent an intruder from masking his or her activities by altering the transmitted audit information.
 Either a centralized or decentralized architecture can be used. With a centralized architecture, there is a single central point of collection and analysis of all audit data. This eases the task of correlating incoming reports but creates a potential bottleneck and single point of failure. With a decentralized architecture, there is more than one analysis center, but these must coordinate their activities and exchange information.

Architecture for Distributed Intrusion Detection

The architecture consists of three main components:

• Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security-related events on the host and transmit these to the central manager.
• LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.
• Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.

 The agent captures each audit record produced by the native audit collection system.
 A filter is applied that retains only those records that are of security
interest.
 These records are then reformatted into a standardized format
referred to as the host audit record (HAR).
 Next, a template-driven logic module analyzes the records for
suspicious activity.
 At the lowest level, the agent scans for notable events that are
of interest independent of any past events.
 Examples include failed file accesses, accessing system files,
and changing a file’s access control.
 At the next higher level, the agent looks for sequences of
events, such as known attack patterns (signatures).
 Finally, the agent looks for anomalous behavior of an individual
user based on a historical profile of that user, such as number
of programs executed, number of files accessed, and the like.
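An added example (not the architecture's own code) of the host agent pipeline just described, in Python: native records are filtered, reformatted into a HAR, scanned for notable events (failed accesses, system file access, access-control changes) and then for a signature sequence; the profile-based anomaly level is the earlier statistical example. The native record layout, HAR field names, system-file prefixes and the signature are assumptions, and the records are constructed.

```python
from collections import defaultdict

# Constructed native audit records, as a host's own audit system might emit them.
NATIVE_RECORDS = [
    {"ts": 100, "user": "smith", "event": "open",  "path": "/home/smith/notes.txt", "status": "ok"},
    {"ts": 105, "user": "smith", "event": "cron",  "path": "",                      "status": "ok"},
    {"ts": 110, "user": "smith", "event": "open",  "path": "/etc/shadow",           "status": "EACCES"},
    {"ts": 200, "user": "jones", "event": "open",  "path": "/tmp/x.sh",             "status": "ok"},
    {"ts": 210, "user": "jones", "event": "chmod", "path": "/tmp/x.sh",             "status": "ok"},
    {"ts": 215, "user": "jones", "event": "exec",  "path": "/tmp/x.sh",             "status": "ok"},
    {"ts": 300, "user": "root",  "event": "open",  "path": "/etc/passwd",           "status": "ok"},
]

SECURITY_EVENTS = {"open", "chmod", "exec", "login"}   # assumed set of events worth keeping
SYSTEM_PREFIXES = ("/etc/", "/bin/", "/usr/sbin/")     # assumed locations of system files

def filter_records(native):
    """Step 1: retain only the records that are of security interest."""
    return [r for r in native if r["event"] in SECURITY_EVENTS]

def to_har(r):
    """Step 2: reformat into the standardized host audit record (field names assumed)."""
    return {"subject": r["user"], "action": r["event"], "object": r["path"],
            "exception": r["status"], "time": r["ts"]}

def notable_events(hars):
    """Lowest level: single events of interest independent of any past events."""
    findings = []
    for h in hars:
        if h["exception"] != "ok":
            findings.append((h["time"], "failed access", h["object"]))
        elif h["action"] == "chmod":
            findings.append((h["time"], "access control changed", h["object"]))
        elif h["object"].startswith(SYSTEM_PREFIXES):
            findings.append((h["time"], "system file access", h["object"]))
    return findings

# A signature is an ordered sequence of (action, object predicate) pairs that must occur for
# one subject within a time window. Constructed example: a file written to /tmp is made
# executable and then run.
SIGNATURES = {
    "tmp-write-chmod-exec": [("open", lambda o: o.startswith("/tmp/")),
                             ("chmod", lambda o: o.startswith("/tmp/")),
                             ("exec", lambda o: o.startswith("/tmp/"))],
}

def match_sequences(hars, signatures=SIGNATURES, window=300):
    """Next level: look for sequences of events per subject that match known attack patterns."""
    by_subject = defaultdict(list)
    for h in sorted(hars, key=lambda rec: rec["time"]):
        by_subject[h["subject"]].append(h)
    hits = []
    for subj, seq in by_subject.items():
        for name, pattern in signatures.items():
            i, start = 0, None        # position in the pattern and time of its first step
            for h in seq:
                if start is not None and h["time"] - start > window:
                    i, start = 0, None   # partial match timed out; start over
                action, pred = pattern[i]
                if h["action"] == action and pred(h["object"]):
                    start = h["time"] if start is None else start
                    i += 1
                    if i == len(pattern):
                        hits.append((subj, name, start, h["time"]))
                        i, start = 0, None
    return hits

def run_agent(native=NATIVE_RECORDS):
    """Filter -> HAR -> notable events and signature matches, ready for the central manager."""
    hars = [to_har(r) for r in filter_records(native)]
    return {"notable": notable_events(hars), "signatures": match_sequences(hars)}
```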

Passwords are the keys to our online existence. If our passwords fall into the wrong hands, they may create havoc. Password management involves setting and storing safe passwords for our internet-based accounts and endpoints.
In this tutorial, we’ll discuss why password management is important and how to build reliable login credentials. Further, we’ll discuss how to use a password management tool to keep them secure and organized.

2. Why Is Safeguarding a Network Vital?

Security breaches such as identity theft, ransomware attacks, and cyber espionage are among the consequences of network weaknesses that could have serious implications. Therefore, protecting a network is critical. Above all, it lowers the likelihood of unforeseen legal, regulatory, or reputational implications for system administrators and managers.
Let’s discuss some of the key benefits:

 Keeps network users’ information and assets secure from unauthorized access and network flaws that could expose vulnerabilities
 Ensures the accessibility and dependability of network applications and services, which are critical to network users’ performance and efficiency
 Safeguards against threats such as denial-of-service attacks
 Blocks the network from being breached by cybercriminals and other malicious individuals who could take advantage of its weaknesses for private gain
 Protects against phishing, malware infestations, and zero-day exploits
 Lowers the risks of data and credibility loss for network administrators and data owners.

Passwords are the first defense against intruders because login credentials are the entry keys for accessing network resources and systems according to access rules. They are the simplest and least expensive to set up and maintain compared to other options like biometrics, encryption, or multi-factor authentication (MFA).

3. Common Password Problems and Threats

Let’s see what the most frequent password errors are that help hackers get access to our accounts:

 Using the same login credentials across several accounts
 Creating passwords with personal information such as name, birthday, address, etc.
 Using easy-to-guess passwords such as 12345
 Failure to regularly update login credentials, which lets compromised credentials keep being exploited.

4. Generate a Strong Password

Hackers could exploit our compromised accounts to steal our identity and distribute malware. Furthermore, the majority of hacks might have been avoided by following proper security procedures. Cybercriminals can readily assume or obtain account information through social media. Further, passwords are the keys to our online accounts. As a result, if they are easy to guess or stolen, we end up exposing our information to threats. Therefore, we need a strong password that secures our information using the following criteria:

Criteria      Rule                                                 Benefits
Complexity    Combination of uppercase and lowercase letters,      A random password is difficult to compromise.
              numbers, and symbols
Length        More than 12 characters                              Difficult to guess or crack
Uniqueness    Use of different passwords for different accounts    This reduces the risk of compromise.
Frequency     Periodically change passwords                        This minimizes the risk of compromise even if a hacker gets access to older passwords.
Verification  Add multiple factors to verify the identity          This involves an improved secured access mechanism to verify passwords.
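As an added example (not from the tutorial), a Python checker that scores a password against the Complexity, Length, Uniqueness and Frequency rows of the table, plus the personal-information and 12345 problems from Section 3, and a generator that draws from a CSPRNG until every row passes; the Verification row (MFA) is outside its scope. The common-password list and the 90-day rotation limit are assumptions.

```python
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "111111"}  # constructed short list
MAX_AGE_DAYS = 90   # assumed rotation interval for the Frequency row

def check_password(pw, personal_info=(), used_elsewhere=(), age_days=None):
    """Score one password against the table rows; returns row -> passed.
    personal_info: strings such as name or birth year; used_elsewhere: the user's other
    passwords; age_days: days since the password was set (None if it is being set now)."""
    lowered = pw.lower()
    return {
        "complexity": (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                       and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)),
        "length": len(pw) > 12,
        "not_personal": not any(info and info.lower() in lowered for info in personal_info),
        "not_common": lowered not in COMMON_PASSWORDS,
        "uniqueness": pw not in used_elsewhere,
        "frequency": age_days is None or age_days <= MAX_AGE_DAYS,
    }

def failing_criteria(pw, **kwargs):
    """Names of the rows the password fails (an empty list means it is acceptable)."""
    return sorted(row for row, ok in check_password(pw, **kwargs).items() if not ok)

def generate_password(length=16, **kwargs):
    """Draw characters from a CSPRNG until every row passes (a 16-character draw from
    this alphabet almost always contains all four character classes on the first try)."""
    if length <= 12:
        raise ValueError("the Length row calls for more than 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not failing_criteria(pw, **kwargs):
            return pw
```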

5. Authentication Techniques

Authentication is a method through which a system ensures that users are really who they claim to be.
Single Sign-On (SSO) and Multifactor Authentication (MFA) are two extensively used authentication techniques.
While SSO and MFA serve distinct purposes, they are not mutually exclusive. Moreover, SSO and MFA can work together to establish a robust and user-friendly authentication environment.
Let’s discuss both SSO and MFA in detail.

5.1. Single Sign-On (SSO)

SSO is a user authentication technique that allows users to use different apps and networks with a single set of usernames and passwords. Additionally, SSO simplifies the user login process as shown below:

Let’s consider that a user wants to access an application using SSO. The application sends a request to the SSO server to authenticate the user. Upon validating the credentials, the SSO server confirms the authentication and grants access to the application.

5.2. Multi-Factor Authentication (MFA)

MFA raises the safety bar by requiring users to give extra confirmation factors in addition to regular passwords. Further, it adds layers of security through multiple authentication factors as shown below:

MFA is usually a combination of a password, a mobile device for OTP, and an identity. The password is something the user knows. Mobile devices are things they own. A user’s identity describes who they are.

6. What Is a Password Management Tool?

A password management tool allows users to store credentials in a straightforward, safe manner and instantly access them when needed.

6.1. Key Components

As users, we can manage our credentials from a single, centralized location with the help of a password management tool. Further, we use them for much more than just saving our login credentials.
A password management tool helps to select and rotate complex passwords regularly. Furthermore, it enforces several cybersecurity guidelines. For example, the password should be at least 20 characters long and include numbers, symbols, and upper- and lowercase letters. Further, when offboarding an employee, reset passwords or close accounts. Additionally, use the same password for linked network systems and accounts.

The key components of the password management tool are shown in the
figure below:

Password management techniques differ based on the network’s configuration and end-user needs. However, the following are the key components of a password management tool:

 Uniqueness – Ensures that the password is for one account, complex, and unique
 Access management – Runs periodic evaluations and an audit trail to ensure access only when authorized
 Password manager – Keeps track of and organizes vital credentials
 Password sync – Resets passwords periodically to ensure security.

A password manager allows easy login to websites and applications by using previously saved passwords. Further, the password manager maintains encrypted passwords for every application and uses them as needed.
Users often access different applications via the Internet. The password manager uses cloud sync to provide credentials to applications accessed over the Internet.
Viruses and Similar Threats
1. Malicious Programs

Malicious software can be divided into two categories: those that need a host program, and those that are independent.

The former are essentially fragments of programs that cannot exist independently of some actual application program, utility, or system program. Viruses, logic bombs, and backdoors are examples. The latter are self-contained programs that can be scheduled and run by the operating system. Worms and zombie programs are examples.
2. The Nature of Viruses

A virus is a piece of software that can "infect" other programs by modifying
them; the modification includes a copy of the virus program, which can then go
on to infect other programs.

A virus can do anything that other programs do. The only difference is that it
attaches itself to another program and executes secretly when the host program
is run. Once a virus is executing, it can perform any function, such as erasing
files and programs.

VIRUS COUNTERMEASURES
The ideal solution to the threat of viruses is prevention: Do not allow a virus to get into the system in the first place, or block the ability of a virus to modify any files containing executable code or macros. This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral attacks. The next best approach is to be able to do the following:

• Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
• Identification: Once detection has been achieved, identify the specific virus that has infected a program.
• Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the virus cannot spread further.

Four generations of antivirus software are identified:

• First generation: simple scanners
• Second generation: heuristic scanners
• Third generation: activity traps
• Fourth generation: full-featured protection

A first-generation scanner requires a virus signature to identify a virus. The virus may contain “wildcards” but has essentially the same structure and bit pattern in all copies. Such signature-specific scanners are limited to the detection of known viruses. Another type of first-generation scanner maintains a record of the length of programs and looks for changes in length.
A second-generation scanner does not rely on a specific signature. Rather, the scanner uses heuristic rules to search for probable virus infection. One class of such scanners looks for fragments of code that are often associated with viruses. For example, a scanner may look for the beginning of an encryption loop used in a polymorphic virus and discover the encryption key. Once the key is discovered, the scanner can decrypt the virus to identify it, then remove the infection and return the program to service.
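Both first-generation techniques as an added example in Python (not code from the notes): a scanner that matches a byte-pattern signature with wildcard positions, and a check of recorded program lengths. The signatures and program images are constructed and are not real virus patterns.

```python
def parse_signature(text):
    """Parse 'EB 1C ?? ?? 90 90 CD 21' into a byte list where None marks a wildcard position."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

# Constructed signatures (not real virus patterns): the ?? positions are bytes that vary
# between copies of the virus; the rest of the bit pattern is the same in every copy.
SIGNATURES = {
    "Demo.Virus.A": parse_signature("EB 1C ?? ?? 90 90 CD 21"),
    "Demo.Virus.B": parse_signature("B8 00 4C ?? CD 21"),
}

def find_signature(data, sig):
    """Offset of the first match of sig in data, or -1; wildcard positions match any byte."""
    n = len(sig)
    for i in range(len(data) - n + 1):
        if all(s is None or data[i + j] == s for j, s in enumerate(sig)):
            return i
    return -1

def scan(data, signatures=SIGNATURES):
    """First-generation scanner: report every known signature found in a program image."""
    return [(name, off) for name, sig in signatures.items() if (off := find_signature(data, sig)) >= 0]

def length_changes(current_lengths, recorded_lengths):
    """The other first-generation technique: programs whose length differs from the record."""
    return sorted(p for p, n in current_lengths.items() if p in recorded_lengths and recorded_lengths[p] != n)

# Constructed program images: a clean one, one infected with Demo.Virus.A (wildcards filled
# with 12 34), and one that differs from the signature in a non-wildcard byte (90 91, not 90 90).
CLEAN = b"MZ" + bytes(30)
INFECTED = b"MZ\x90\x00" + bytes.fromhex("EB1C1234 9090CD21") + bytes(10)
NEAR_MISS = b"MZ\x90\x00" + bytes.fromhex("EB1C1234 9091CD21") + bytes(10)
```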

Third-generation programs are memory-resident programs that identify a virus by its actions rather than its structure in an infected program. Such programs have the advantage that it is not necessary to develop signatures and heuristics for a wide array of viruses. Rather, it is necessary only to identify the small set of actions that indicate an infection is being attempted and then to intervene.
Fourth-generation products are packages consisting of a variety of antivirus techniques used in conjunction. These include scanning and activity trap components. In addition, such a package includes access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection.
Firewall Design Principles

A firewall is hardware or software that prevents unauthorized access to a private computer or a network of computers; it acts as a filter that keeps unauthorized users from accessing private computers and networks. It is a vital component of network security and the first line of defense for network security. It filters network packets and stops malware from entering the user’s computer or network by blocking access and preventing the user from being infected.

1. Developing Security Policy

A security policy is an essential part of firewall design. A security policy is designed according to the requirements of the company or client to define which kinds of traffic are allowed to pass. Without a proper security policy, it is impossible to restrict or allow a specific user or worker in a company network or anywhere else. A properly developed security policy also specifies what to do in case of a security breach. Without it, risk increases, as there will not be a proper implementation of security solutions.
2. Simple Solution Design
If the design of the solution is complex, then it will be difficult to implement. If the solution is simple, then it will be easier to implement. A simple design is also easier to maintain: we can upgrade a simple design against new possible threats while leaving it with an efficient but still simple structure. The problem that comes with complex designs is configuration error, which opens a path for external attacks.
3. Choosing the Right Device
Every network security device has its purpose and its way of implementation. If we use the wrong device for a problem, the network becomes vulnerable. If an outdated device is used to build the firewall, it exposes the network to risk and is almost useless. The design must be done first and the product requirements derived from it; if an already available product is instead forced into the design, the result is weak security.
4. Layered Defense
A network defense must be multi-layered in the modern world, because if one layer of security is broken, the network will otherwise be exposed to external attacks. A multilayer security design can be set up to deal with different levels of threat. It gives an edge to the security design and finally neutralizes the attack on the system.
5. Consider Internal Threats

While a lot of attention is given to safeguarding the network or device from external attacks, security is often weak against internal attacks, and most attacks are carried out internally because internal access is easy and internal security is designed weakly. Different levels can be set in network security when designing internal security. Filtering can be added to keep track of the traffic moving from lower-level security zones to higher-level ones.
