Security can be defined as the process or procedure to ensure the integrity,
availability, and confidentiality of data and resources against threats, viruses, bugs,
Security can be of two types:
refers to preventing the disclosure of information to unauthorized individuals or
In information security, data integrity means maintaining and assuring the accuracy
and consistency of data over its entire life-cycle.This means that data cannot be
modified in an unauthorized or undetected manner.
For any information system to serve its purpose, the information must
be available when it is needed. This means that the computing systems used to store
and process the information, the security controls used to protect it, and the
communication channels used to access it must be functioning correctly. High
availability systems aim to remain available at all times, preventing service
disruptions due to power outages, hardware failures, and system upgrades.
An information security management system (ISMS) is a set of policies and
procedures for systematically managing an organization's sensitive data. The
goal of an ISMS is to minimize risk and ensure business continuity by pro-
actively limiting the impact of a security breach.
PLAN : Is about designing the ISMS, assessing information security risks and
selecting appropriate controls.
DO : phase involves implementing and operating the controls.
CHECK : objective is to review and evaluate the performance (efficiency and
effectiveness) of the ISMS.
ACT : changes are made where necessary to bring the ISMS back to peak
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or
'ISO27k' for short) comprises information security standards published jointly
by the International Organization for Standardization (ISO) and the International
Electro technical Commission (IEC). The standard explains the purpose of an
Information Security Management System (ISMS), Management system and risk
management and definition of information security.
is an information security management system (ISMS) standard published in
October 2005 by the International Organization for Standardization (ISO) and
the International Electro technical Commission (IEC).
The key benefits of 27001 are:
o It can act as the extension of the current quality system to include security
o It provides an opportunity to identify and manage risks to key information
and systems assets
o Provides confidence and assurance to trading partners and clients; acts as a
o Allows an independent review and assurance to you on information security
ISO/IEC 27003 is part of a growing family of ISO/IEC ISMS standards, the 'ISO/IEC
27000 series. And the purpose of ISO/IEC 27003 is to provide help and guidance
in implementing an ISMS (Information Security Management System).
Tasks To Maintain The Standards :-
o Seeking management approval to start the project and to implement ISMS.
o Describing scope and boundary Of ISMS.
o Conducting security risks assessment planning for risk treatments.
o Designing ISMS and planning the implementation project.
The purpose of ISO/IEC 27004:2009 is to help organizations measure, report and
hence systematically improve the effectiveness of their Information Security
The standard includes the following main sections:
o Information security measurement overview.
o Management responsibilities.
o Measures and measurement development.
o Measurement operation.
o Data analysis and measurement results reporting.
o Information Security Measurement Program evaluation and improvement.
A "passive attack" attempts to learn or make use of information from the
system but does not affect system resources.
BRUTE FORCE ATTACK : Breaks the encrypted data by finding the appropriate
ALGEBERIC ATTACK : In which you can write a cipher as a system equation.
After writing a cipher you can read it by using appropriate key.
CODE BOOK ATTACK : Refers to a technique for cryptanalysis. The attacker
tries to build a code book in which an attacker describes the cipher text and
its corresponding plain test.
An "active attack" attempts to alter system resources or affect their operation.
Refers to a software that is designed for preventing, identifying and removing
malware including malicious codes and computer system virus.
Is a sequence of code or instructions that inserted into other programs and
executed when the program runs. And is harmful for pc.
Boot Sector Virus : - infects the MBR of hard disk and execute at the time
File infector virus : - Attach itself to executable files and executed when
the program runs.
Macro Virus : - Attach itself to the documents and get executed when the
Multipartite Virus : - Combines the boot sector virus with file infector
Polymorphic Virus : - Get replicated when they start replicating themselves
over the network.
Worm : - Refers to the virus they can auto replicate from one to many
and can travel from one place another through network.
Trojan Horse : - A program that appears safe but can harmful for the
computer as it can steal password, delete data and create security hole or
backdoor for hacker.
Logic Bombs : - Embeds with some program and are designed to execute on a
particular date or time.
Bacteria/Rabbit : - The types of codes that do not damage the files but deny
access to the resources by consuming all disk space or memory.
Mac (Mandatory Access Control) : - Stores highly secret or sensitive
information. And mainly used in Govt. Department .
Dac (Discretionary Access Control) : - It Use username and password to
check weather or not the user is authorized.
Authentication : - A method of verifying the users who want to access
the network or computer system.
TYPES OF AUTHENTICATION
SOMETHING THE USER KNOWS : -
SOMETHING THE USER HAS : -
SOMETHING THE USER IS : -
Method of specifying the access right to the information and resources .
INSTANT MESSAGING (IM)
Aims at gaining access to information that the attacker is not authorizes
Refers to the attack in which an attacker can modify your computer
information such as inserting or deleting the text, which appears as
genuine to the user.
Makes the data or information to be useless.
Refers to a strategy of attack in which an outsider tries to disrupt your
network and services.
SCOPING AN ATTACK
Is a method or process which is used to violate the security of the
The process of gathering information about a host or group of hosts .
Information can be gathered in different ways like whois query, zone
transfer, ping sweeps, and traceroute .
It provides the information, such as administrative contact, billing
contact, and address of the target network.
A scanning technique used to determine the range of ip address that
can be mapped to live hosts and also known as ICMP sweep. By which
we can check whether a particular pc is live in a network or not.
THE PING SWEEP
The Zone Transfer
Is performed with the help of nslookup command that is supported by both unix
and windows platform. The various tools can be used for zone transfer such as ws
pingpro, sam spade, and netscan.
A command line tool available on both windows and unix platform
Since domains can be registers via so many registrars you must first
query the registrar to which the domain is registered. After that you can
query the domain record from the associated registrar.
In which you need to query internet regional registries (RIRs) for
network blocks and details. For example ARIN or APNIC whois query.
Is a way of collecting information from the organizational DNS sever by zone
transferring method. Where a hacker can collect information regarding any hosts
inside the organization and their corresponding ip address known as HINFO
In this case the attacker sends a multiple SYN request to a host but never reply
the request sent by the other host. In this way the listen queue is filled and does
not accept new connections, till a partially opened connections is not completed.
In this case the attacker send ICMP packet instead of SYN packet for DOS attack.
TCP/IP hijacking is a clever technique that uses spoofed packets to take over a
connection between a victim and a host machine. This technique is exceptionally
useful when the victim uses a one-time password to connect to the host machine.
A one-time password can be used to authenticate once and only once, which
means that sniffing the authentication is useless for the attacker.
TCP SYN FLOOD ATTACK
TCP SEQUENCE NUMBER ATTACK
The purpose of IP spoofing is to make the data look as if it came from an
trusted host when in reality it did come from the attacker’s host. And the victim
starts communicating with the attacker host as it is an authenticated server.
Lets see what the attacker does :
The attacker wants to attack Host A.
It floods Host B with new requests causing a Denial of service attack to stop
Host B from communicating with A.
Now, the attacker can predict the sequence number of the packet that A is
expecting from B.
Attacker prepares such kind of packet and sends it to Host A.
Since its a faked packed so host A thinks its coming from B.
Now, this host can terminate the connection or asking host A to run some
malicious commands/scripts etc.
The primary purpose of a hacker is to trick people into retrieving password
or other confidential information by pretending as a trustworthy person.
Different ways of social engineering are :-
o DUMPSTER DRIVING
o OFFICE SNOOPING
o BOOT VIRUS : - Affect boot sector
o RESIDENT VIRUS :- Resides in RAM
o DIRECT ACTION VIRUS :- First replicate itself then take action when it
o OVERWRITE VIRUS :-Delete the information contained a file.
o POLYMORPHIC VIRUS :- Can change its own digital signature.
o MULTIPARTITE VIRUS :- Combination of boot sector virus and program virus.
o STEALTH VIRUS :- Has the ability to mask or disguise itself from antivirus.
o MACRO VIRUS :- Infects files and documents.
o PROGRAM VIRUS : - Executed when the program executes with whom it
o REMOTE ACCESS TROJAN : - Provides remote access service to the victim’s pc.
o PASSWORD SENDING TROJAN :- Sends all your credentials to the person who
o KEY LOGGERS :- Track and log the keystrokes of the target computer.
o DESTRUCTIVE TROJANS :- Used to delete the information and database of PC.
o DOS ATTACK TROJANS :-Produce Lot of traffic on the target computer and
create congestion on the internet connection.
o PROXY/WINGATE TROJANS :- Change the target computer into a proxy or
o E-MAIL WORMS : -Spread through emails messages.
o INSTANT MESSAGING WORMS :- Spread through IM applications.
o INTERNET WORMS :- Attempt to access the vulnerable PCs in internet.
o INTERNET RELAY CHAT WORMS :- Spread through the chat channel mainly.
o FILE SHARING NETWORKS WORMS :- Spreads through shared folder affecting it.
o NUWAR OL WORMS :- Delivered to the users inbox with subjects like “you are in
my dreams” , “I love you so much” , etc.. And when the user opens the message it
infects the computer of that user as well as the all those users inside the contact
list of the person by sending the message itself.
o VALENTINE E WORMS – Distribute through emails and equivalent to NUWAR OL
Is a method of obtaining information from the internet conversation between two
Involves physical access to a part of the wire (that is access to a section of PBX)
Is a modification of the software that is used to run the phone system and also
known as Remote Observation System (REMBOS), Direct Access Test Unit (DATU),
Electronic switching System (ESS), and translation Tap.
Refers to the Radio Frequency (RF) transmitter connected a wire. But it can be
easily detectable by competent bug sweep specialist.
Is similar to a tape recorder wire into the phone line. And is similar to hardwire
wiretap. Very difficult to detect as it requires a very high level technical expertise.
Technical surveillance counter measures (TSCM) specialists are usually hired to
detect such wiretap.
Is a process of listening partially of whole conversation between two parties. A
attack on network layer used to capture packet using packet sniffer tools.
Refers to unauthorized, covert monitoring of data transmission.
Refers to probing, scanning to tampering with a transmission channel to access the
PORT SCANNING TECHNIQUES
A method used by attacker to identifying the port that are open or in use by any
pc. And can search port from 0 to 65535 used by TCP/IP suite.
A method used by attacker to identify live hosts or IPs those are actively used by
pcs in a network. Exa- Lan Scanner
The scanning is provided by an operating system . It succeeded if the port is
listening, otherwise the port is unreachable.
A narrower scan that used to check some specific port or services that the attacker
know how to exploit.
Also known as half-open-scanning as it does not require a TCP connection to
complete. If the target respond with a SYN+ACK packet to the attacker’s SYN
packet then it can be considered as a open port and a reset(RST) response
represent non-listener port.
FRAGMENTED PACKET PORT SCAN
IRC BNC (Internet Relay Chat Bouncer)
Splits the TCP header into several IP fragments so that it can easily pass through a
packet filter firewall as filter rule will not match with the fragmented packet.
1. Speed: TCP FIN scanning is fast compared to other types of scans
2. Stealth: TCP FIN scanning is stealthy compared to other types of scans
3. Open Port: Detects an open port via no response to the segment
4. Closed Port: Detects that a closed via a RST received in response to the FIN
FTP bounce attack is an exploit of the FTP protocol whereby an attacker is able
to use the PORT command to request access to ports indirectly through the use
of the victim machine as a middle man for the request.
Refers to the spammers, which try to relay their spams through smtp servers.
Refers to the web server support to use proxy so that all web traffic can
be sent to a single server for filtering and caching to improve performance of
Refers to the attackers who want to hide their
IRC identities by bouncing their connection with the help of other machines.
For this purpose a particular program known as BNC can be used on other pc.
Man In The Middle Attack
a spoofing attack is a situation in which one person or program successfully
masquerades as another by falsifying data and thereby gaining an illegitimate
advantage. IP spoofing and DNS spoofing are the most popular spoofing attacks.
Different types of spoofing are :-
o IP Spoofing
o Content Spoofing
o Caller ID Spoofing
o E-Mail Spoofing
A man-in-the-middle (MITM) attack is a form of eavesdropping where
communication between two users is monitored and modified by an
Denial-Of –Service Attack
URL Spoofing and Phishing
In this method the hacker blindly send packets expecting by target host without
reading or packets and TCP session. Because some operating systems now use
random sequence numbers which is difficult to predict them accurately.
Refers to an attempt that restricts the access to the computer or network to its
intended user or organization. And IP spoofing can be used to defend against D-O-S.
In this method the attacker can capture the information between a client and
authenticated server and then replay it by submitting the security certificate, and if
the attack becomes successful, the attacker will have the privileges that provided to
the certificate holder.
A method of guessing password of any E-mail account or authenticate device
repeatedly with the help of password cracker application.
In this method the attacker design a legitimate web page, such as bank’s site or any
social network web page to misguide the user by making that believe that they are
connected to a trusted web site.
IDENTIFICATION AND AUTHENTICATION
Identification refers to recognizing a user and authentication refers to the process
of verifying whether the user is valid or not. It can be checked in two ways :-
PASSWORD and BIOMETRICS
Is a code, number, word or string of character that must be kept secret from
others. It used to authenticating user over network.
Is defined as the process of identifying or authenticating the identity of a user by
using physiological and behavioral characteristics under the close observation.
And is based on what a person is rather than what a person has. And can be
divided into two classes.
Refers to the body characteristics such as fingerprints, face recognition, hand and
palm geometry, iris scan etc..
Refers to the behavior of a person such as hand writing, voice, sound etc..
Method of biometric authentication also can be of two types..
Here user’s biometric is compared with stored original information to verify the
user and it can be done in combination with smart card, username or ID number.
Here user’s biometric is compared with the biometrics available in a database to
identify an unknown user.
A host can authenticate a user using the following mechanism :-
In SSO a user provides username (ID) and password to the network at the
beginning of the authentication process to logon to the network.
Prompts a user for authentication and getting a Kerberos ticket to verify the user.
AUTHENTICATION OF HOST
Smart Card Based
In the smart card based SSO , The user credential are stored in the smart card.
Refers to one time password token and the best way for SSO authentication.
Kerberos is a secure method for authenticating a request for a service in a
computer network. Kerberos was developed in the Athena Project at the
Massachusetts Institute of Technology (MIT).
o The user enters the username and password to request a service.
o Information is passed to the Authentication server(AS) or Key distribution
o The KDC validates the username and password.
o Then the AS creates a session key basing upon the user password and a random
value that represent the requested service. The session key is effectively a Ticket
Granting Ticket (TGT)
o Then the TGT is sent to the TGS or the user requested server.
o The service either rejects the ticket or accepts it and performs the service
Common Uses of Cryptography
Data Integrity Security
The art of protecting information by transforming it (encrypting it) into an
unreadable format, called cipher text. Only those who possess a secret key can
decipher (or decrypt) the message into plain text. Encrypted messages can
sometimes be broken by cryptanalysis, also called code breaking, although
modern cryptography techniques are virtually unbreakable.
is a mathematical scheme for demonstrating the authenticity of a
message or document. A valid digital signature gives a recipient reason to believe
that the message was created by a known sender. Digital signatures are
commonly used for software distribution, financial transactions, and in other
cases where it is important to detect forgery or tampering.
GOALS OF CRYPTOGRAPHY
Terms Used In Cryptography
Cipher text :-
Plain text :-
BASIC PREMITIVE OF CRYPTOGRAPHY
Symmetric Key -Symmetric-key cryptography refers to encryption methods
in which both the sender and receiver share the same key. This means that
the key must be transferred from sender to reciever.
Symmetric key ciphers are implemented as either ”block ciphers” or ”stream ciphers”.
a block cipher is a deterministic algorithm operating on fixed-length groups of bits,
called BLOCK. The process is used when the size of the data is more than 128 bit. It
takes the whole block of plain text and gives the whole in cipher text as output.
where plaintext digits are combined with a pseudorandom cipher digit stream (key
stream). In a stream cipher each plaintext digit is encrypted one at a time with the
corresponding digit of the key stream, to give a digit of the cipher text stream.
The method of encryption in which different keys are used to encrypt and decrypt
data. The public key is used to encrypt the message, the private key is kept secret and
used to decrypt the massage.
ASYMMETRIC KEY OR PUBLIC KEY ENCRYPTION
Dynamic Hash Function
Hashing is the transformation of a string of characters into a usually shorter
fixed-length value or key that represents the original string. Hashing is used to
index and retrieve items in a database because it is faster to find the item using
the shorter hashed key than to find it using the original value. It is also used in
many encryption algorithms.
Refers to the property that generates the same hash value for
each given input.
Refers to the process of checking consistency of data. This implies
that every input must have output in hash code according to the input.
Refers to the range variation of hash values according to the
program run or data.
The hash table can automatically expand or shrink
according to the size of the data.
Increase or decrease the output value with increase or decrease in the
RSA is an Internet encryption and authentication system that uses
an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.
The RSA algorithm is the most commonly used encryption and authentication
algorithm and is included as part of the Web browsers from Microsoft and Netscape.
Choose p = 3 and q = 11
Compute n = p * q = 3 * 11 = 33
Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20
Choose e such that 1 < e < φ(n) and e and n are co-prime. Let e = 7
Compute a value for d such that (d * e) % φ(n) = 1. One solution is d = 3 [(3 * 7) %
20 = 1]
Public key is (e, n) => (7, 33)
Private key is (d, n) => (3, 33)
The encryption of m = 2 is c = 27 % 33 = 29
The decryption of c = 29 is m = 293 % 33 = 2
Where n = modulus
e = encryption exponent
d = decryption exponent
Vulnerability management is a pro-active approach to managing network security.
1.Discover: Inventory all assets across the network and identify host
details including operating system and open services to identify
vulnerabilities. Develop a network baseline. Identify security
vulnerabilities on a regular automated schedule.
2.Prioritize Assets: Categorize assets into groups or business units,
and assign a business value to asset groups based on their criticality
to your business operation.
3.Assess: Determine a baseline risk profile so you can eliminate risks
based on asset criticality, vulnerability threat, and asset classification.
4.Report: Measure the level of business risk associated with your
assets according to your security policies. Document a security plan,
monitor suspicious activity, and describe known vulnerabilities.
5.Remediate: Prioritize and fix vulnerabilities in order according to
business risk. Establish controls and demonstrate progress.
6.Verify: Verify that threats have been eliminated through follow-up
Stages Of IDS
An intrusion detection system (IDS) is a device or software application that
monitors network or system activities for malicious activities or policy
violations and produces reports to a management station.
Capture network traffic to perform intrusion detection operations. NIDS scans the
network at the router or host-level, audits packet information, and log any
suspicious packets into a special log file with extended information. And when it
will find any severity in packets informs the security team with emails or pager
THREATS AND ACTIVITIES THAT CAN BE CONTROLLED BY NIDS
Advantages of IDS
o IP Spoofing
o Denial-Of-Service Attack
o DNS name corruption
o Man-in-the-Middle attack
o Centralized :- The information present in the various IDSs is analyzed and
processed by a central entity.
o Distributed :- The log information is distributed to every node present in the
o Low Cost Of Ownership :- Do not require any additional software to be loaded in
the network. Low cost is due to the small number of detection in can make.
o Detects Attacks Missed by the HIDS:- examine all the packet header for signs of
malicious and suspicious activities.
o Analyze the payload packet :- Examines the content of the payload, looking for
command used in specific attacks.
o Real-time detection and response :- Allows rapid actions such as notification and
responses. The response can ranges from allowing the penetration in surveillance
mode to gather information or to immediate termination of the attack.
o More difficult for an attacker to remove evidence :- Does not allow an attacker to
remove evidence because NIDS use live network traffic for attack detection.
o Active Response : - When a system is threatened by any potential attack it takes
the immediate possible action required to decrease the impact of attack.
o Passive Response : - When a system is threatened by any potential attack it
notifies the administrator about the threat.
o Logging :- Records an event and the circumstances of its occurrence. It can
provide sufficient information about the nature of attack.
o Notification :- Communicates event-related information to the person when an
event takes place.
o Shunning :- refers to the activity of avoiding attack.
o Terminating Process Or Sessions :- Terminate all the unauthorized process and
sessions that are trying to gain access to the system by resetting the network.
o Network Configuration Changes :- Instructs the firewall or border router to reject
any request or traffic coming from a particular socket or address that is being
o Deception :- Fools the attackers and redirects them to a system that is designed to
Common Passive Response Strategies
Common Active Response Strategies
Host Based IDS
Advantages Of HIDS
Statistical Anomaly-based IDS
Designed to monitor, detect and respond to activities or attacks on a given host. And
are run on individual hosts or devices in the network.
o Monitors user privileges
o Verify success or failure of an attack
o Monitors specific system activities
o Detects attacks missed by the NIDS
o Well-Suited for encrypted or switched environment .
o Near-Real-Time detection and response
o Requires no additional hardware.
Also Known as the knowledge-based IDS, compares the packet against a database of
signature or attributes from the known malicious threats.
Also Known as Behavior-based IDS and dynamically detects deviations arising from
the behavior of the user and accordingly triggers alarm.
Issued Faced while using an IDS
o Continuous increase in the network traffic.
o Use of encrypted massage to transport malicious information
o Lack of widely accepted IDS terminology and conceptual structures
o Inappropriate and automated response attacks are also inherited.
o Lacks objectivity in evaluating and testing information.
A honeypot is a computer that has been designed as a target for computer attacks. It
is a trap mechanism that is used to attract a hacker away from valuable network
resources and provide an early indication of an attack. It is configured to interact
with possible hackers and capture details of their attacks and are also known as
sacrificial lambs or booby traps.
It records only limited information like organization of the attack and tools used in
Identifying Operating system vulnerabilities
physical and local security management
Logon Security Management
Is a process of defining the main issues related to the security of an OS.
o Managing physical and local security
o Managing logon security
o Managing users and groups
o Managing local and global groups
o Managing user accounts
o Managing domains
o Password protect your basic input/output system.
o Boot the computer from hard disk not by using floppy or compact disks
o Password protect your computer
o Password Protect your all user accounts
o Set LegalNoticeCaption in registry under the string
User and Group Management
Local And Global Group Management
User Account Management
o Need to create group for easy and reliable management of users
o Access privilege should be given to each user or group according to the
responsibilities given to the user.
o Local groups refer to the computer itself.
o Global groups can be belongs to a whole domain.
o Password complexity must be enabled for your PC.
o Last logon user details can be disabled to make the user account secure by editing
the registry: -
logon then select Edit-New-String Vlaue to create a new string value then rename
the string as “DonotDisplayLastUserName” then doible click it and type 1 for value
o You must create BDC or ADC for PDC. in case PDC stops functioning BDC can work
Hardening the Operating System
Layers Of Protection Analysis
Components of LOPA
o Refers to the process of protecting, securing or providing security to a computer or
network by reducing vulnerabilities, such as weak password or threats from bugs.
o The OS must updated with service pack and hotfixes.
o LOPA is defined as a risk assessment method. It is used in many organizations to
evaluate risks and compare it with risk tolerance criteria to determine if existing
safeguards are adequate or if additional safeguards are required.
o Process Design : -Refers to the components that helps to reduce the probability of
loss due to various events such as fire and explosions.
o Basic Control :- Refers to the components that can be used to responds to critical
o Alarms, Manual, Intervention – IPLs Refers to devices, systems or actions that are
capable of preventing a scenario from proceeding to undesired consequences. And
can be organized as an Independent Protection Layer (IPL)
o SIS :- Stand for Safety Instrumented System which can handle emergency situations
such as emergency shutdown.
o Physical Protection:-Refers to the process of protect our system from outside
accident using any equipments.
o Plant and community response/emergency response :- Refers to the process or
responses they are activated after initial release of critical situations .
:- Refers to the process of sending max to max DHCP requests
with deceived MAC addresses to make the DHCP server out of IP
address. And then the attacker uses a fake DHCP server to provide
IP address to the clients and gain access to the whole network.
Rouge DHCP Server
Refers to a unauthorized DHCP server generally used by attacker for sniffing or
reconnaissance purpose and to gain access to network traffic.