
Network Security is a branch of computer science that involves securing a computer network and network infrastructure devices to prevent unauthorized access, data theft, network misuse, and device and data modification. Another function of Network Security is preventing DoS (Denial of Service) attacks and assuring continuous service for legitimate network users. Network Security involves proactive defense methods and mechanisms to protect data, the network and network devices from external and internal threats.

Data is the most precious asset of today’s businesses. Top business organizations spend billions of dollars every year to secure their computer networks and to keep their business data safe. Imagine the loss of all the important research data on which a company has invested millions of dollars and years of work!

We depend on computers today for controlling large money transfers between banks, insurance, markets, telecommunication, electrical power distribution, health and medical fields, nuclear power plants, space research and satellites. We cannot compromise on security in these critical areas.

Need for network security:

Network security is any action an organization takes to prevent malicious use of, or accidental damage to, the network's private data, its users, or their devices. The purpose of network security is to keep the network running and safe for all legitimate users, and to block unauthorized use of the network.

SECURITY BASICS:

• Three key objectives are at the heart of computer security

– Confidentiality

– Integrity

– Availability

Confidentiality: Confidentiality is the protection of personal information. Confidentiality means keeping a client's information between you and the client, and not telling others, including co-workers, friends, family, etc. Examples of maintaining confidentiality include: individual files are locked and secured.

Covering two related concepts:

— Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals

— Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed

Integrity: Also covers two related concepts:

— Data integrity: Assures that information and programs are changed only in a specified and authorized manner

— System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

Availability: Assures that systems work promptly and service is not denied to authorized users

Authenticity:

• The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or the message originator.

• This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Accountability:

• The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

• This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

INTEGRITY:
Integrity, in the context of computer systems, refers to methods of ensuring that data is real, accurate and safeguarded from unauthorized user modification.

Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes. Integrity models have three goals:

• Prevent unauthorized users from making modifications to data or programs
• Prevent authorized users from making improper or unauthorized modifications
• Maintain internal and external consistency of data and programs

AVAILABILITY:
Availability keeps data and resources available for authorized use, especially during emergencies or disasters. Information security professionals usually address three common challenges to availability:

• Denial of service (DoS) due to intentional attacks or because of undiscovered flaws in implementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered)
• Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes)
• Equipment failures during normal use

AUTHENTICATION

In the context of computer systems, authentication is a process that ensures and confirms a user’s identity.

Authentication is the process of identifying an individual, usually based on a username and password.
Authentication begins when a user tries to access information. First, the user must prove his access rights and identity. When logging into a computer, users commonly enter usernames and passwords for authentication purposes. This login combination, which must be assigned to each user, authenticates access.

Access control:
In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Locks and login credentials are two analogous mechanisms of access control.

Definition -
Access control is a way of limiting access to a system or to physical or
virtual resources. In computing, access control is a process by which users
are granted access and certain privileges to systems, resources or
information.
In access control systems, users must present credentials before they can
be granted access. In physical systems, these credentials may come in
many forms, but credentials that can't be transferred provide the most
security.

For example, a key card may act as an access control and grant the bearer
access to a classified area. Because this credential can be transferred or
even stolen, it is not a secure way of handling access control.
A more secure method for access control involves two-factor
authentication. The person who desires access must show credentials and
a second factor to corroborate identity. The second factor could be an
access code, a PIN or even a biometric reading.
There are three factors that can be used for authentication:

• Something only known to the user, such as a password or PIN
• Something that is part of the user, such as a fingerprint, retina scan or another biometric measurement
• Something that belongs to the user, such as a card or a key

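As an added example (not part of these notes), the following Python models the two-factor login described above together with the access check that follows it: the password is the "something you know" factor, stored as a salted PBKDF2 hash; the TOTP code is the "something you have" factor produced by an authenticator device (RFC 4226/6238); and a resource is granted only when both factors pass and the (user, resource) pair has been explicitly permitted, so anything not granted is denied by default. User names, passwords, resource names and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Added example, not from the original notes. All user names, passwords and
# secrets below are constructed; the one-time code follows RFC 4226/6238.


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash: a stolen user store does not directly yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time // step), digits)


class Authenticator:
    """Two-factor login (password + TOTP) followed by a deny-by-default access check."""

    def __init__(self) -> None:
        self.users = {}            # username -> {"salt", "hash", "secret"}
        self.permissions = set()   # (username, resource) pairs explicitly granted

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt,
                                "hash": hash_password(password, salt),
                                "secret": totp_secret}

    def grant(self, username: str, resource: str) -> None:
        self.permissions.add((username, resource))

    def verify(self, username: str, password: str, code: str,
               now: Optional[float] = None) -> bool:
        """True only if BOTH factors check out."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            # Same amount of work for unknown users, so response time does not
            # reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            return False
        # Accept the previous and next 30-second window to tolerate clock drift.
        counter = int(now // 30)
        return any(hmac.compare_digest(hotp(rec["secret"], c), code.strip())
                   for c in (counter - 1, counter, counter + 1))

    def access(self, username: str, password: str, code: str, resource: str,
               now: Optional[float] = None) -> str:
        """Authenticate first, then authorize; anything not explicitly granted is denied."""
        if not self.verify(username, password, code, now):
            return "denied: authentication failed"
        if (username, resource) not in self.permissions:
            return "denied: not authorized for resource"
        return "granted"


if __name__ == "__main__":
    auth = Authenticator()
    secret = b"12345678901234567890"        # constructed demo secret (RFC 4226 test key)
    auth.enroll("alice", "correct horse battery staple", secret)
    auth.grant("alice", "/reports/confidential-file-X")
    now = 1_700_000_000
    code = totp(secret, now)                # what Alice's token would display right now
    print(auth.access("alice", "correct horse battery staple", code, "/reports/confidential-file-X", now))
    print(auth.access("alice", "correct horse battery staple", code, "/payroll", now))
    print(auth.access("alice", "wrong password", code, "/reports/confidential-file-X", now))
```

The order of the checks matters: authentication failures and authorization failures are reported separately so that an audit log can distinguish a stolen password from a legitimate user probing resources they were never granted (the accountability goal above), and the same work is done for unknown users so that timing does not reveal which accounts exist.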

THREATS OF SECURITY:

1. Viruses: A computer virus is a piece of software that can “infect” other programs by modifying them;

• The modification includes injecting the original program with a routine to make
copies of the virus program, which can then go on to infect other programs.

A computer virus carries in its instructional code the recipe for making
perfect copies of itself.

• The typical virus becomes embedded in a program on a computer.

• Then, whenever the infected computer comes into contact with an uninfected
piece of software, a fresh copy of the virus passes into the new program.

A computer virus has three parts:

(i) Infection mechanism:

• The means by which a virus spreads, enabling it to replicate.

• The mechanism is also referred to as the infection vector.

(ii) Trigger:

• The event or condition that determines when the payload is activated or delivered.

(iii) Payload:
• What the virus does, besides spreading.

• The payload may involve damage or may involve benign but noticeable activity.

During its lifetime, a typical virus goes through the following four phases:

(i) Dormant phase:

• The virus is idle.

• The virus will eventually be activated by some event, such as a date, the presence
of another program or file, or the capacity of the disk exceeding some limit.

• Not all viruses have this stage.

(ii) Propagation phase:

• The virus places an identical copy of itself into other programs or into certain
system areas on the disk.

• Each infected program will now contain a clone of the virus, which will itself
enter a propagation phase.

(iii) Triggering phase:

• The virus is activated to perform the function for which it was intended.

• As with the dormant phase, the triggering phase can be caused by a variety of
system events, including a count of the number of times that this copy of the virus
has made copies of itself.

(iv) Execution phase:

• The function is performed.

• The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

Most viruses carry out their work in a manner that is specific to a particular
operating system and, in some cases, specific to a particular hardware platform.

• Thus, they are designed to take advantage of the details and weaknesses of
particular systems.

2. Worm: It is a program that can replicate itself and send copies from computer to computer across network connections.

• Upon arrival, the worm may be activated to replicate and propagate again.

In addition to propagation, the worm usually performs some unwanted function.

• An e-mail virus has some of the characteristics of a worm because it propagates itself from system to system.

• However, we can still classify it as a virus because it uses a document modified to contain viral macro content and requires human action.

A worm actively seeks out more machines to infect, and each machine that is infected serves as an automated launching pad for attacks on other machines.

3. Intruders: An intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system. In summary, this person attempts to violate security by interfering with system availability, data integrity or data confidentiality.

• Three main classes of intruders:

i. Masquerader:

• An individual who is not authorized to use the computer and who penetrates a
system’s access controls to exploit a legitimate user’s account

ii. Misfeasor:

• A legitimate user who accesses data, programs, or resources for which such
access is not authorized, or who is authorized for such access but misuses his or
her privileges

iii. Clandestine user:

• An individual who seizes supervisory control of the system and uses this control
to evade auditing and access controls or to suppress audit collection

4. Insiders:

• An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.

• The threat may involve fraud, or the theft of confidential or commercially valuable information.

• Insiders are more dangerous than outside intruders.

• They have the access and knowledge necessary to cause immediate damage to an organization.

• Most security is designed to protect against outside intruders and thus lies at the boundary between the organization and the rest of the world.
• Besides employees, insiders also include a number of other individuals who have physical access to facilities.

5. Terrorists and Information warfare:

• Many countries have already developed a capability to conduct information warfare.

• Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries.

• Terrorist organizations can also accomplish information warfare.

• A cyber-terrorist is a criminal who uses computer technology and the internet, especially to cause fear and disruption. Some cyber-terrorists spread computer viruses and others threaten people electronically.

• Terrorist organizations are highly structured threats that:

o Are willing to conduct long-term operations.

o Have tremendous financial support.

o Have a large and organized group of attackers.

6. Criminal Organizations:

• Criminal organization is a term which categorises transnational, national, or local groupings of highly centralized enterprises run by criminals, who intend to engage in illegal activity, most commonly for monetary profit. Some criminal organizations, such as terrorist organizations, are politically motivated. Sometimes criminal organizations force people to do business with them, as when a gang extorts money from shopkeepers for so-called "protection". Gangs may become disciplined enough to be considered organized. An organized gang or criminal set can also be referred to as a mob.
• Other organizations—including states, militaries, police forces, and corporations—may sometimes use organized crime methods to conduct their business, but their powers derive from their status as formal social institutions.
• A difference between criminal groups and the “average” hacker is the level of organization that criminal elements may employ in their attack.

Trojan, Virus, and Worm Differential Table

Definition:
- Trojan: Malicious program used to control a victim’s computer from a remote location.
- Virus: Self-replicating program that attaches itself to other programs and files.
- Worm: Illegitimate program that replicates itself, usually over the network.

Purpose:
- Trojan: Steal sensitive data, spy on the victim’s computer, etc.
- Virus: Disrupt normal computer usage, corrupt user data, etc.
- Worm: Install backdoors on the victim’s computer, slow down the user’s network, etc.

Counter Measures (all three): Use of anti-virus software, update patches for operating systems, security policy on usage of the internet and external storage media, etc.

Attacks

Active attacks: An active attack attempts to alter system resources or affect their operation. Active attacks involve some modification of the data stream or the creation of a false stream. Types of active attacks are as follows:

1. Masquerade –
A masquerade attack takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack.

2. Modification of messages –
It means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorised effect. For example, a message meaning “Allow JOHN to read confidential file X” is modified to mean “Allow Smith to read confidential file X”.

3. Repudiation –
This attack is done by either the sender or the receiver. The sender or receiver can later deny that he/she sent or received a message. For example, a customer asks his bank “to transfer an amount to someone” and later the sender (customer) denies that he made such a request. This is repudiation.

4. Replay –
It involves the passive capture of a message and its subsequent retransmission to produce an unauthorized effect.

5. Denial of Service –
It prevents the normal use of communication facilities. This attack may have a specific target. For example, an entity may suppress all messages directed to a particular destination. Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
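As an added example (not part of these notes), the Python below shows the receiver-side checks that defeat two of the active attacks just listed, modification of messages and replay, using the page's own "Allow JOHN to read confidential file X" message. The sender binds each message body to a sequence number under an HMAC tag; the receiver recomputes the tag (so any change to "JOHN" or to the number is detected) and refuses any sequence number it has already passed (so a captured message resent later, or one delivered out of order, is rejected). The shared key and the messages are constructed for the example.

```python
import hashlib
import hmac
import json

# Added example, not from the original notes. The shared key is constructed;
# in a real system it would come from a key exchange, never from source code.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(seq: int, body: str) -> bytes:
    """Fixed serialization so sender and receiver MAC exactly the same bytes."""
    return json.dumps({"seq": seq, "body": body}, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def protect(key: bytes, seq: int, body: str) -> dict:
    """Sender side: bind the body AND its sequence number under one HMAC tag."""
    tag = hmac.new(key, _canonical(seq, body), hashlib.sha256).hexdigest()
    return {"seq": seq, "body": body, "tag": tag}


class Receiver:
    """Receiver side: reject modified, replayed, reordered or delayed messages."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far

    def accept(self, packet: dict) -> str:
        expected = hmac.new(self.key, _canonical(packet["seq"], packet["body"]),
                            hashlib.sha256).hexdigest()
        # Integrity first: any change to body or seq invalidates the tag, and a
        # masquerader without the key cannot produce a valid tag at all.
        if not hmac.compare_digest(expected, packet["tag"]):
            return "rejected: modified"
        # Freshness: a captured packet resent later, or one arriving out of
        # order, carries a sequence number we have already passed.
        if packet["seq"] <= self.last_seq:
            return "rejected: replay or out of order"
        self.last_seq = packet["seq"]
        return "accepted"


def demo() -> list:
    """Walk through the page's own example and return the receiver's verdicts."""
    rx = Receiver(SHARED_KEY)
    original = protect(SHARED_KEY, 1, "Allow JOHN to read confidential file X")
    tampered = dict(original, body="Allow Smith to read confidential file X")
    later = protect(SHARED_KEY, 2, "Revoke access to confidential file X")
    return [
        rx.accept(original),   # genuine message, first delivery
        rx.accept(tampered),   # modification attack: body changed, tag reused
        rx.accept(original),   # replay attack: same genuine packet again
        rx.accept(later),      # next genuine message
        rx.accept(later),      # and its replay
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note what this does not cover: an HMAC gives no protection against repudiation, because the receiver holds the same key and could have produced the tag itself; proving who sent a message requires a digital signature made with a key only the sender has. The sequence-number rule also assumes the receiver's counter survives restarts, otherwise an old message becomes replayable again.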

Passive attacks: A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on or monitoring of transmissions. The goal of the opponent is to obtain information that is being transmitted. Types of passive attacks are as follows:

1. The release of message content –

A telephone conversation, an electronic mail message or a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.

2. Traffic analysis –
Suppose that we had a way of masking (encrypting) the information, so that an attacker who captured the message could not extract any information from it. The opponent could still determine the location and identity of the communicating hosts and could observe the frequency and length of the messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.

BACKDOOR

A backdoor is a malware type that negates normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware.
Backdoor installation is achieved by taking advantage of vulnerable components in a web application. Once installed, detection is difficult as files tend to be highly obfuscated.
Webserver backdoors are used for a number of malicious activities, including:

• Data theft
• Website defacing
• Server hijacking
• The launching of distributed denial of service (DDoS) attacks
• Infecting website visitors (watering hole attacks)
• Advanced persistent threat (APT) assaults

Trap doors
Trap doors, also referred to as backdoors, are bits of code embedded
in programs by the programmer(s) to quickly gain access at a later time,
often during the testing or debugging phase. If an unscrupulous
programmer purposely leaves this code in or simply forgets to remove it,
a potential security hole is introduced. Hackers often plant a backdoor
on previously compromised systems to gain later access. Trap doors
can be almost impossible to remove in a reliable manner. Often,
reformatting the system is the only sure way.

Man-in-the-middle (MitM) attack

A MitM attack occurs when a hacker inserts itself between the communications of a client and a server. Here are some common types of man-in-the-middle attacks:

Session hijacking

In this type of MitM attack, an attacker hijacks a session between a trusted client and a network server. The attacking computer substitutes its IP address for the trusted client’s while the server continues the session, believing it is communicating with the client. For instance, the attack might unfold like this:

1. A client connects to a server.
2. The attacker’s computer gains control of the client.
3. The attacker’s computer disconnects the client from the server.
4. The attacker’s computer replaces the client’s IP address with its own IP address and spoofs the client’s sequence numbers.
5. The attacker’s computer continues the dialog with the server and the server believes it is still communicating with the client.

Logic Bombs

A logic bomb is a malicious program timed to cause harm at a certain point in time, but is inactive up until that point. A set trigger, such as a
preprogrammed date and time, activates a logic bomb. Once activated, a
logic bomb implements a malicious code that causes harm to a computer.
A logic bomb's application programming points may also include other
variables such that the bomb is launched after a specific number of
database entries. However, computer security experts believe that certain
gaps of action may launch a logic bomb as well, and that these types of
logic bombs may actually cause the greatest harm. A logic bomb may be
implemented by someone trying to sabotage a database when they are
fairly certain they won’t be present to experience the effects, such as full
database deletion. In these instances, logic bombs are programmed to
exact revenge or sabotage work.
A logic bomb is also known as slag code or malicious logic.
Sniffing

Sniffing is the process of monitoring and capturing all data packets passing through a given network. Sniffers are used by network/system administrators to monitor and troubleshoot network traffic. Attackers use sniffers to capture data packets containing sensitive information such as passwords, account information, etc. Sniffers can be hardware or software installed in the system. By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic.

There are two types:

Active Sniffing:
Sniffing on a switched network is active sniffing. A switch is a point-to-point network device. The switch regulates the flow of data between its ports by actively monitoring the MAC address on each port, which helps it pass data only to its intended target. In order to capture the traffic between targets, the sniffer has to actively inject traffic into the LAN to enable sniffing of the traffic. This can be done in various ways.

Passive Sniffing:
This is the process of sniffing through a hub. Any traffic that is passing through the non-switched or unbridged network segment can be seen by all machines on that segment. Sniffers operate at the data link layer of the network. Any data sent across the LAN is actually sent to each and every machine connected to the LAN. This is called passive since sniffers placed by the attackers passively wait for the data to be sent and capture it.

What is a Spoofing Attack?

A spoofing attack is when an attacker or malicious program successfully acts on another person’s (or program’s) behalf by impersonating data. It takes place when the attacker pretends to be someone else (or another computer, device, etc.) on a network in order to trick other computers, devices or people into performing legitimate actions or giving up sensitive data. Some common types of spoofing attacks include ARP spoofing, DNS spoofing and IP address spoofing. These types of spoofing attacks are typically used to attack networks, spread malware and to access confidential information and data.

Types of Spoofing Attacks

1. ARP Spoofing Attack

The Address Resolution Protocol (ARP) is a protocol used to translate IP addresses into Media Access Control (MAC) addresses so that frames can be properly transmitted. In short, the protocol maps an IP address to a physical machine address.

This type of spoofing attack occurs when a malicious attacker links the attacker’s MAC address with the IP address of a legitimate computer on a company’s network. This allows the attacker to intercept data intended for the company computer. ARP spoofing attacks can lead to data theft and deletion, compromised accounts and other malicious consequences. ARP spoofing can also be used for DoS, hijacking and other types of attacks.
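As an added example (not part of these notes), the Python below shows how a defender can detect the footprint that ARP spoofing leaves in the neighbour table: a known IP address suddenly bound to a different MAC, a pinned address such as the gateway answering from the wrong MAC, and one MAC claiming several IP addresses at once. The sample lines are constructed to resemble Linux `ip neigh show` output, using documentation address ranges and made-up MACs; the monitor class and its alert wording are the example's own.

```python
import re

# Added example, not from the original notes. The sample lines are constructed
# to resemble `ip neigh show` output on Linux; addresses are documentation
# ranges and the MACs are made up.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


class ArpMonitor:
    """Track IP-to-MAC bindings over time and flag the patterns ARP spoofing leaves."""

    def __init__(self, pinned=None):
        self.table = {}                   # ip -> last MAC seen for it
        self.pinned = dict(pinned or {})  # ip -> MAC the admin knows is right (gateway, servers)

    def observe(self, line: str) -> list:
        m = NEIGH_RE.match(line.strip())
        if not m:
            return []                     # FAILED/INCOMPLETE entries carry no lladdr
        ip, mac = m["ip"], m["mac"].lower()
        alerts = []
        if ip in self.pinned and self.pinned[ip] != mac:
            alerts.append(f"pinned binding violated: {ip} should be {self.pinned[ip]}, seen {mac}")
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"binding changed: {ip} moved from {prev} to {mac}")
        self.table[ip] = mac
        # One MAC answering for several IPs is the classic poisoning footprint:
        # the spoofing host claims the gateway's IP while keeping its own.
        claimed = sorted(i for i, m2 in self.table.items() if m2 == mac)
        if len(claimed) > 1:
            alerts.append(f"one MAC claims several IPs: {mac} -> {', '.join(claimed)}")
        return alerts

    def scan(self, lines) -> list:
        return [alert for line in lines for alert in self.observe(line)]


# Constructed snapshots: a healthy table, then the same table after the host at
# 192.0.2.50 starts answering ARP for the gateway 192.0.2.1.
SNAPSHOT_BEFORE = [
    "192.0.2.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE",
    "192.0.2.20 dev eth0 lladdr 00:1a:2b:3c:4d:20 STALE",
    "192.0.2.50 dev eth0 lladdr de:ad:be:ef:00:50 REACHABLE",
]
SNAPSHOT_AFTER = [
    "192.0.2.1 dev eth0 lladdr de:ad:be:ef:00:50 REACHABLE",
    "192.0.2.20 dev eth0 lladdr 00:1a:2b:3c:4d:20 STALE",
    "192.0.2.50 dev eth0 lladdr de:ad:be:ef:00:50 REACHABLE",
    "192.0.2.99 dev eth0  FAILED",
]


def run_demo() -> tuple:
    """Return (alerts from the healthy snapshot, alerts from the poisoned one)."""
    mon = ArpMonitor(pinned={"192.0.2.1": "00:1a:2b:3c:4d:5e"})
    return mon.scan(SNAPSHOT_BEFORE), mon.scan(SNAPSHOT_AFTER)


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before or "no alerts")
    for alert in after:
        print("after:", alert)
```

A binding also changes legitimately when a network card is replaced or a DHCP lease moves to another host, so these alerts are input for triage rather than proof of an attack; pinning the gateway's MAC and enabling Dynamic ARP Inspection on managed switches are the preventive controls the monitor complements.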

2. DNS Spoofing Attack

The Domain Name System (DNS) is responsible for associating domain names with the correct IP addresses. When a user types in a domain name, the DNS system resolves that name to an IP address, allowing the visitor to connect to the correct server. For a DNS spoofing attack to be successful, a malicious attacker reroutes the DNS translation so that it points to a different server, which is typically infected with malware and can be used to help spread viruses and worms. The DNS server spoofing attack is also sometimes referred to as DNS cache poisoning, due to its lasting effect when a server caches the malicious DNS responses and serves them up each time the same request is sent to that server.
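As an added example (not part of these notes), the Python below is a toy model of a caching resolver that shows the checks a forged answer has to get past before it can poison the cache: the response must carry the random transaction ID and arrive on the random source port of an outstanding query, its question section must match what was asked, only the first matching answer is taken, and records for names outside the queried domain are not cached. The names, addresses, and the simplified two-label bailiwick rule are constructed for the example; real resolvers use the delegation point and, where deployed, DNSSEC validation.

```python
import secrets
from dataclasses import dataclass

# Added example, not from the original notes. Toy model of the checks a caching
# resolver applies to incoming answers; names and addresses are constructed
# from documentation ranges.


@dataclass
class Query:
    txid: int        # 16-bit transaction ID chosen at random
    port: int        # UDP source port the query was sent from
    qname: str


@dataclass
class Response:
    txid: int
    port: int        # destination port the answer was sent to
    qname: str       # question section echoed back by the responder
    answers: dict    # name -> IPv4, including anything extra the responder adds


def in_bailiwick(name: str, qname: str) -> bool:
    """Simplified bailiwick rule: only cache names under the queried name's
    registered domain (its last two labels). Real resolvers use the delegation
    point rather than a fixed label count."""
    zone = ".".join(qname.lower().split(".")[-2:])
    name = name.lower()
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self) -> None:
        self.cache = {}      # name -> ip
        self.pending = {}    # (txid, port) -> qname awaiting an answer

    def send_query(self, qname: str) -> Query:
        # Random ID and random source port: a forger has to guess both.
        q = Query(txid=secrets.randbelow(1 << 16),
                  port=1024 + secrets.randbelow(65536 - 1024), qname=qname)
        self.pending[(q.txid, q.port)] = qname
        return q

    def receive(self, r: Response) -> str:
        key = (r.txid, r.port)
        if key not in self.pending:
            return "dropped: no matching query"       # guessed ID/port, or a late duplicate
        if self.pending[key].lower() != r.qname.lower():
            return "dropped: question mismatch"       # answer to something we did not ask
        qname = self.pending.pop(key)                  # first matching answer wins
        for name, ip in r.answers.items():
            if in_bailiwick(name, qname):              # out-of-bailiwick records are ignored
                self.cache[name] = ip
        return "accepted"


def demo() -> dict:
    """Constructed exchange: a forged guess, a wrong question, the genuine answer, a late copy."""
    res = Resolver()
    q = res.send_query("www.example.com")
    forged = Response(txid=(q.txid + 1) % 65536, port=q.port, qname=q.qname,
                      answers={"www.example.com": "203.0.113.9"})
    wrong_question = Response(txid=q.txid, port=q.port, qname="www.example.net",
                              answers={"www.example.net": "203.0.113.9"})
    genuine = Response(txid=q.txid, port=q.port, qname=q.qname,
                       answers={"www.example.com": "192.0.2.10",
                                "login.bank.example": "203.0.113.9"})  # unrelated extra record
    return {
        "forged": res.receive(forged),
        "wrong_question": res.receive(wrong_question),
        "genuine": res.receive(genuine),
        "late_duplicate": res.receive(genuine),
        "cache": dict(res.cache),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Each dropped case corresponds to one thing the attacker would have to get right at once (ID, port, question, timing) to plant the malicious answer described above; the bailiwick check stops an otherwise accepted answer from smuggling in a record for a domain it has no authority over.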

3. IP Spoofing Attack
The most commonly used spoofing attack is the IP spoofing attack. This type of spoofing attack is successful when a malicious attacker copies a legitimate IP address in order to send out IP packets using a trusted IP address. Replicating the IP address forces systems to believe the source is trustworthy, opening any victims up to different types of attacks using the ‘trusted’ IP packets.

The most popular type of IP spoofing attack is a Denial of Service attack, or DoS, which overwhelms and shuts down the targeted servers. One outcome attackers can achieve using IP spoofing attacks is the ability to perform DoS attacks, using multiple compromised computers to send out spoofed IP packets of data to a specific server. If too many data packets reach the server, the server will be unable to handle all of the requests, causing the server to overload. If trust relationships are being used on a server, IP spoofing can be used to bypass authentication methods that depend on IP address verification.

TCP/IP Hijacking is when an unauthorized user gains access to a genuine network connection of another user. It is done in order to bypass the password authentication which is normally the start of a session.
In theory, a TCP/IP connection is established as shown below (the diagram is not reproduced here):

To hijack this connection, there are two possibilities:

• Find the seq, which is a number that increases by 1, but there is no chance to predict it.
• The second possibility is to use the Man-in-the-Middle attack which, in simple words, is a type of network sniffing. For sniffing, we use tools like Wireshark or Ettercap.

In cryptography, the goal of the attacker is to break the secrecy of the encryption and learn the secret message and, even better, the secret key. There are dozens of different types of attacks that have been developed against different types of cryptosystems with varying levels of effectiveness. Some are easily understandable while others may require an advanced degree in mathematics to comprehend. In this post, we'll be discussing some of the more common attacks and why they may or may not work against different types of ciphers.
