1. Difference between firewall and IDS. 5M
No. Firewall / Intrusion Detection System
1. Firewall: A firewall is hardware and/or software that functions in a networked environment to block unauthorized access while permitting authorized communications.
   IDS: An Intrusion Detection System (IDS) is a software or hardware device installed on the network (NIDS) or on a host (HIDS) to detect and report intrusion attempts against the network.
2. Firewall: A firewall can block a connection.
   IDS: An Intrusion Detection System (IDS) cannot block a connection.
3. Firewall: A firewall performs actual actions such as blocking and filtering.
   IDS: An intrusion detection system only detects connections and alerts a system administrator.
4. Firewall: A firewall restricts access to your network by deciding which packets should be allowed.
   IDS: An intrusion detection system is like a security camera; it only detects packets.
5. Firewall: Types of firewall: Packet Filtering Firewall, Stateful-inspection Firewall, Network Address Translation (NAT) Firewall, Application Based Firewall, Hybrid firewalls.
   IDS: Types of IDS: Network IDS, Host IDS (HIDS), Protocol based IDS, Application protocol based IDS, Anomaly based IDS, Misuse based IDS, Hybrid based IDS.
What is IP spoofing? How does it lead to denial of service attack? 5M
IP spoofing:
1. When a computer outside of your network pretends to be a trusted computer within the
network, then, this action by the attacker is called IP Spoofing.
2. To gain access to your network, an outside computer must gain one of your trusted IP
addresses from the network. So, the attacker might use an IP address within the range of your
network.
3. On the other hand, the attacker can also use an authorized external IP address that is trusted
within the network.
4. These IP addresses could be so trusted that they can also have special privileges to the
important resources on the network.
5. IP Spoofing and Denial of Service are the two most famous attacks that an intruder launches
to attack a particular target.
6. While IP Spoofing targets the routing table of the network, DOS attack aims at burning out
the resources of the target computer.
7. Different ways of IP spoofing:
a. Injection of data or a set of commands into an existing stream of data that is passed in
between a client and server application.
b. Injection of data or commands into a peer-to-peer network connection.
8. The attacker also needs to change the routing table of the network. Changing the routing
table of the network would enable the attacker to have bidirectional communication. For this
purpose, the attacker points the entire routing table to the spoofed IP address.
9. Once the routing table is changed, the attacker starts receiving all the data from the network
to the spoofed IP address.
10. He/she can even reply to those packets just like any other trusted user.
Denial of service attack:
1. A denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make
a machine or network resource unavailable to its intended users by temporarily or indefinitely
disrupting services of a host connected to the Internet.
2. Denial of service is typically accomplished by flooding the targeted machine or resource with
superfluous requests in an attempt to overload systems and prevent some or all legitimate
requests from being fulfilled.
3. A DoS attack is analogous to a group of people crowding the entry door or gate to a shop or
business, and not letting legitimate parties enter into the shop or business, disrupting normal
operations.
For an online shopping system identify vulnerability, threat and attack. 5M
Vulnerability:
1. Vulnerability is a weakness that is inherent in every network and device.
2. This includes routers, switches, desktops, servers, and even security devices themselves.
3. Vulnerability is unintentional, which could exist in system design, business operations,
installed software, and network configurations.
4. Vulnerabilities can be hardware, software or network vulnerabilities.
5. Vulnerability is an internal problem.
6. Types of vulnerability:
i. Software vulnerabilities: Software vulnerabilities are when applications have errors or bugs in
them. Attackers look at buggy software as an opportunity to attack the system making use of
these flaws. Example: Buffer overflow, race conditions etc.
ii. Firewall Vulnerabilities: Firewalls are software and hardware systems that protect an intra-network
from attacks. A firewall vulnerability is an error, weakness or invalid assumption made
during the firewall design, implementation or configuration that can be exploited to attack the
trusted network that the firewall is supposed to protect.
iii. TCP/IP Vulnerabilities: These vulnerabilities exist in the various layers of the network stack. These
protocols may lack features that are desirable on an insecure network. Example: ARP attacks,
Fragmentation attacks etc.
iv. Wireless Network Vulnerabilities: Wireless LANs have similar protocol-based attacks to those that
plague wired LANs. Unsecured wireless access points can be a danger to organizations as they
offer the attacker a route around the company's network. Example: SSID issues, WEP issues etc.
v. Operating System Vulnerabilities: The security of applications running on an operating system depends on the
security of the operating system. The slightest negligence by the system administrator can make the
operating system vulnerable.
vi. Web Server Vulnerabilities: These vulnerabilities are caused by design and engineering
errors or faulty implementation. Example: sniffing, spoofing etc.
Threat:
1. In computer security a threat is a potential cause of an incident that may result in harm of
systems and organization.
2. A threat can be either "intentional" (i.e. hacking: an individual cracker or a criminal
organization) or "accidental" (e.g. the possibility of a computer malfunctioning) or otherwise a
circumstance, capability, action, or event.
3. Threats classification: Threats can be classified according to their type and origin:
4. Types of threats:
i. Interception: When an attacker gains unauthorized access to confidential information, it is
known as interception. Example: Snooping, Traffic analysis
ii. Interruption: When important information of the system is lost or unavailable to a user due
to some reason it is known as interruption. Example: Denial of Service (DoS)
iii. Modification: If an attacker gets access to a user's information and can also tamper with it, then
such a threat is known as a modification.
iv. Fabrication: An attacker can create or fabricate counterfeit objects on a computing system.
The attacker may insert an extra transaction into a network communication system or add records
to an existing database. Example: Man-in-the-middle attack, Replay attack etc.
5. Origins of threats:
i. Deliberate: aiming at information asset- spying, illegal processing of data
ii. Accidental: equipment failure, software failure
iii. Environmental: natural event, loss of power supply
iv. Negligence: Known but neglected factors, compromising the network safety and
sustainability
Attack:
1. In computer and computer networks an attack is any attempt to destroy, expose, alter,
disable, steal or gain unauthorized access to or make unauthorized use of an asset.
2. Types of attack: Active attack and Passive attack
3. An "active attack" attempts to alter system resources or affect their operation.
4. A "passive attack" attempts to learn or make use of information from the system but does
not affect system resources.
5. An "inside attack" is an attack initiated by an entity inside the security perimeter (an
"insider").
6. An "outside attack" is initiated from outside the perimeter, by an unauthorized or illegitimate
user of the system (an "outsider").
Explain Needham Schroeder Authentication Protocol. 10M
1. The term Needham–Schroeder protocol can refer to one of the two key transport protocols
intended for use over an insecure network, both proposed by Roger Needham and Michael
Schroeder.
2. The Needham–Schroeder Symmetric Key Protocol is based on a symmetric encryption
algorithm.
3. It forms the basis for the Kerberos protocol.
4. This protocol aims to establish a session key between two parties on a network, typically to
protect further communication.
5. The Needham–Schroeder Public-Key Protocol is based on public-key cryptography.
6. This protocol is intended to provide mutual authentication between two parties
communicating on a network, but in its proposed form is insecure.
7. The symmetric Protocol
Here, Alice (A) initiates the communication to Bob (B). S is a server trusted by both parties. In
the communication:
i. A and B are identities of Alice and Bob respectively
ii. KAS is a symmetric key known only to A and S
iii. KBS is a symmetric key known only to B and S
iv. NA and NB are nonces generated by A and B respectively
v. KAB is a symmetric, generated key, which will be the session key of the session between A
and B
The protocol can be specified as follows in security protocol notation:
A → S : A , B , NA
Alice sends a message to the server identifying herself and Bob, telling the server she wants to
communicate with Bob.
S → A : {NA, KAB, B, {KAB, A}KBS}KAS
The server generates KAB and sends back to Alice a copy encrypted under KBS for Alice
to forward to Bob and also a copy for Alice. Since Alice may be requesting keys for several
different people, the nonce assures Alice that the message is fresh and that the server is
replying to that particular message, and the inclusion of Bob's name tells Alice who she is to
share this key with.
A → B : {KAB, A}KBS
Alice forwards the key to Bob, who can decrypt it with the key he shares with the server, thus
authenticating the data.
B → A : {NB}KAB
Bob sends Alice a nonce encrypted under KAB to show that he has the key.
A → B : {NB − 1}KAB
Alice performs a simple operation on the nonce, re-encrypts it and sends it back, verifying that
she is still alive and that she holds the key.
8. Attacks on the protocol
The protocol is vulnerable to a replay attack (as identified by Denning and Sacco). If an attacker
uses an older, compromised value for KAB, he can then replay the message
{KAB, A}KBS to Bob, who will accept it, being unable to tell that the key is not fresh.
9. Fixing the attack
This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp. It can also be fixed
with the use of nonces as described below. At the beginning of the protocol:
A → B : A
Alice sends to Bob a request.
B → A : {A, N′B}KBS
Bob responds with a nonce encrypted under his key with the server.
A → S : A, B, NA, {A, N′B}KBS
Alice sends a message to the server identifying herself and Bob, telling the server she wants to
communicate with Bob.
S → A : {NA, KAB, B, {KAB, A, N′B}KBS}KAS
Note the inclusion of the nonce.
The protocol then continues through the final three steps as described in the
original protocol above. Note that N′B is a different nonce from NB. The inclusion of this new
nonce prevents the replaying of a compromised version of {KAB, A}KBS, since such a message
would need to be of the form {KAB, A, N′B}KBS, which the attacker can't forge
since she does not have KBS.
10. The Public-Key protocol
This assumes the use of a public-key encryption algorithm.
Here, Alice (A) and Bob (B) use a trusted server (S) to distribute public keys on request. These
keys are:
i. KPA and KSA, respectively the public and private halves of an encryption key-pair
belonging to A (S stands for "secret key" here)
ii. KPB and KSB, similar, belonging to B
iii. KPS and KSS, similar, belonging to S. (Note this has the property that KSS is used to
encrypt and KPS to decrypt).
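As an added worked example (not code from the original notes), the following Python models the symmetric protocol above with an idealised encryption oracle: it runs the original exchange, shows Bob accepting a replayed {KAB, A}KBS, and shows the N′B variant rejecting the same replay. The key names KAS/KBS and the Server/Bob classes are assumptions of the model, not part of the notes.

```python
"""Needham-Schroeder symmetric-key protocol: original run, the Denning-Sacco
replay, and the nonce fix (N'B). Added example, not code from the notes.
Encryption is an idealised model: a ciphertext is a tuple (key_name, payload)
that can only be opened by the matching key name, standing in for a real
authenticated cipher. Key names are assumptions."""
import secrets

def enc(key, *fields):
    """Idealised encryption: seal fields under key (perfect, authenticated)."""
    return ("ct", key, tuple(fields))

def dec(key, ct):
    """Open a sealed tuple; raise if the key does not match (decryption fails)."""
    tag, k, fields = ct
    if tag != "ct" or k != key:
        raise ValueError("decryption failed: wrong key")
    return fields

def nonce():
    """Random integer nonce, so that NB - 1 in message 5 is meaningful."""
    return secrets.randbelow(2 ** 32)

# Long-term keys: KAS shared by Alice and the server, KBS by Bob and the server.
KAS, KBS = "KAS", "KBS"

class Server:
    def respond(self, msg):
        """Message 2: S -> A : {NA, KAB, B, {KAB, A}KBS}KAS (original form)."""
        a, b, na = msg
        kab = "KAB-" + str(nonce())        # fresh session key
        ticket = enc(KBS, kab, a)          # {KAB, A}KBS, for Alice to forward
        return enc(KAS, na, kab, b, ticket)

    def respond_fixed(self, msg):
        """Fixed message 2: S -> A : {NA, KAB, B, {KAB, A, N'B}KBS}KAS."""
        a, b, na, bob_blob = msg
        a2, nb_prime = dec(KBS, bob_blob)  # S can open Bob's {A, N'B}KBS
        assert a2 == a
        kab = "KAB-" + str(nonce())
        ticket = enc(KBS, kab, a, nb_prime)
        return enc(KAS, na, kab, b, ticket)

class Bob:
    def accept_original(self, ticket):
        """Bob opens {KAB, A}KBS; nothing tells him whether KAB is fresh."""
        kab, a = dec(KBS, ticket)
        return kab

    def challenge(self):
        """Fix, first message: B -> A : {A, N'B}KBS. Bob remembers N'B."""
        self.nb_prime = nonce()
        return enc(KBS, "A", self.nb_prime)

    def accept_fixed(self, ticket):
        """Bob opens {KAB, A, N'B}KBS and rejects it unless N'B is his own."""
        kab, a, nb_prime = dec(KBS, ticket)
        if nb_prime != self.nb_prime:
            raise ValueError("replayed ticket: nonce does not match")
        return kab

def original_run(server, bob):
    """Full original protocol; returns (ticket, session key Bob accepted)."""
    na = nonce()
    na_back, kab, b, ticket = dec(KAS, server.respond(("A", "B", na)))
    assert na_back == na and b == "B"          # message 2 is fresh, for Bob
    kab_bob = bob.accept_original(ticket)      # message 3
    nb = nonce()
    (nb_echo,) = dec(kab, enc(kab_bob, nb))    # message 4: B -> A : {NB}KAB
    (nb_minus_1,) = dec(kab_bob, enc(kab, nb_echo - 1))  # message 5: {NB-1}KAB
    assert nb_minus_1 == nb - 1
    return ticket, kab_bob

def replay_original(bob, old_ticket):
    """Denning-Sacco: an old {KAB, A}KBS is replayed; Bob accepts the old key."""
    return bob.accept_original(old_ticket)

def fixed_run(server, bob):
    """Protocol with the extra nonce N'B; returns (ticket, key Bob accepted)."""
    bob_blob = bob.challenge()
    na = nonce()
    na_back, kab, b, ticket = dec(KAS, server.respond_fixed(("A", "B", na, bob_blob)))
    assert na_back == na and b == "B"
    return ticket, bob.accept_fixed(ticket)

def replay_fixed(bob, old_ticket):
    """Replay of an old fixed ticket: Bob's current N'B differs, so he refuses."""
    bob.challenge()                            # Bob starts a new session, new N'B
    try:
        bob.accept_fixed(old_ticket)
        return False
    except ValueError:
        return True
```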
Difference between access control list and capability list. 5M
No. Access control list / Capability list
1. ACL: An access control list is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or an individual file.
   Capability list: A capability list is a token, ticket, or key that gives the possessor permission to access an entity or object in a computer system.
2. ACL: An access control list can attempt to name any object in the system as the target of an operation.
   Capability list: In a capability list a user can only name those objects for which a capability is held.
3. ACL: An access control list is based on users.
   Capability list: A capability list is based on processes.
4. ACL: An access control list consists of tokens, tickets and keys that give permission to access.
   Capability list: A capability list consists of addresses or names of the devices to which permission should be given.
5. ACL: An access control list allows deleting a user from the list.
   Capability list: A capability list does not allow deleting a user.
Consider an online voting System. People will cast their votes through the internet. For this
system identify vulnerability, threat and attack. 5M
Vulnerability: Common vulnerabilities in an online voting system are:
1. Denial-of-service attack against the voting process. If a client sends an HTTP request
containing unexpected header fields, the server logs the field names to disk. By sending many
specially crafted requests containing fields with very long names, an attacker can exhaust the
server’s log storage, after which it will fail to accept any new votes. Curiously, the vulnerable
code is only a few lines from the comment, “Don’t write to disk; we don’t know how large the
value is.” This indicates that the developers were aware of similar attacks but failed to account
for all variants.
2. A second problem we discovered is a shell-injection vulnerability in a server-side user
interface that is intended to allow operators to perform pre-determined administrative tasks.
The vulnerability would allow such an operator to execute arbitrary shell commands on the
election servers with root privileges. Under current procedures, this is moot, since the same
workers perform other administrative tasks at the command line as root.
3. Reliability of software or hardware devices. There are still problems in software and devices:
when used several times they sometimes still produce an error in the count of the number
of votes. On the hardware side, equipment/devices are sometimes not able to
respond quickly.
4. Human factors problems, such as election officials sometimes not understanding how to
operate the device technology used in elections. Another factor is that the voters
themselves have not been taught: voters do not know their own constituencies or
have never made a selection using e-voting technology, so things go wrong at run time,
resulting in many failures in selecting the intended candidate.
Threats: Internet voting systems pose numerous security threats.
1. Denial of service: Denial of service is a common threat. It occurs during internet elections.
2. Trojan horse spyware to change or monitor votes: In this threat there is a possibility of vote
theft and loss of privacy.
3. Automated vote buying:
4. Insider attack on voting system: Insider attacks are common in commercial settings.
5. Virus specific to Internet voting system: There is vote theft, privacy loss, disenfranchisement,
compromise of election.
6. Spoofing: Spoofing is easy and common threat. It can be launched from anywhere.
Attacks:
1. Denial of Service (DoS) attacks that are carried out have devastating consequences and in
most cases severely affect the ability to provide availability of a system. The following two
methods describe how a hacker may compromise the availability of a voting system.
A. Ping of Death: The ping of death relies on a flaw in some Transmission Control Protocol /
Internet Protocol (TCP/IP) stack implementations. The attack relates to the handling of
unusually and illegally large ping packets. Remote systems receiving such packets can crash as
the memory allocated for storing packets overflows. The attack does not affect all systems in
the same way: some systems will crash, and others will remain unaffected.
B. Packet Flooding: Packet flooding exploits the fact that establishing a connection with the TCP
protocol involves a three-phase handshake between the systems. In a packet flooding attack, an
attacking host sends many packets and does not respond with an acknowledgment to the
receiving host. As the receiving host waits for more and more acknowledgments, the buffer
queue fills up. Ultimately, the receiving machine can no longer accept legitimate connections.
2. A computer virus is a computer program that can reproduce itself and may cause undesired
effects in computers where it is active. To do its malicious work, the virus needs to be executed.
Usually viruses are located together with other code that is likely to be executed by a user. As
long as the virus is active on the computer, it can copy itself to other files or disks when they
are used. Viruses could destroy E-voting systems. This could compromise availability
at election time, forcing governments and institutions to perform re-elections.
3. A worm is a type of virus that does not change any existing program or file to spread itself.
Instead, it makes copies of itself within an infected computer and spreads to become active on
other systems. It is intentionally destructive, overwriting portions of the files with random data.
This damage is non-repairable, so files may need reinstallation or restoring from a backup.
Worms could overwrite files and change results of votes if programmed to do so, bringing the
integrity of the votes into question.
4. Trojan horses are pieces of computer code that are downloaded to a computer while it is connected to
the internet. They may be harmless, but they could possibly delete or modify an important file
on the computer, plant a harmful virus, or even steal users' passwords. This makes all sorts of
fraudulent schemes possible. Once inside a computer, the Trojan horse can access passwords,
screen names and other personal information and then distribute this confidential data to the
attacker. Trojan horses represent an immense threat to the confidentiality and integrity of
information in E-voting systems.
5. Numerous physical attacks can be carried out on an E-voting system to sabotage an election.
Vandalism of E-voting systems would make them inoperable on the day of the election.
Saboteurs could remove network connections and pull plugs out of E-voting systems, causing
votes to be lost. Attackers may remove hard drives or smart cards, replacing them with falsified
data. E-voting machines could be stolen, with attackers discovering sensitive voting information
about users.
Distinguish between attack and vulnerability. 5M
No. Attack / Vulnerability
1. Attack: An attack is an act or event that harms a computer system.
   Vulnerability: A vulnerability is some flaw or weakness in a computer system.
2. Attack: An attack is an intentional way to destroy a system.
   Vulnerability: A vulnerability is unintentional, and could exist in system design, business operations, installed software, and network configurations.
3. Attack: An attack can be an active attack or a passive attack.
   Vulnerability: Vulnerabilities can be hardware, software or network vulnerabilities.
4. Attack: An attack is done from outside or inside the network.
   Vulnerability: A vulnerability is an internal problem.
5. Attack: Examples: Cross-site scripting, SQL injection, viruses etc.
   Vulnerability: Examples: Buffer overflow, race conditions etc.
Difference between symmetric and asymmetric cryptography. 5M
No. Symmetric cryptography / Asymmetric cryptography
1. Symmetric: Symmetric encryption requires a single key known only to the authorized parties.
   Asymmetric: Asymmetric encryption uses a pair of keys, a public key and a private key.
2. Symmetric: Symmetric encryption uses the same key for both encryption and decryption.
   Asymmetric: Asymmetric encryption uses one key for encryption and another key for decryption.
3. Symmetric: The most commonly used symmetric encryption algorithms include DES, 3DES, AES and RC4.
   Asymmetric: The most common asymmetric encryption algorithm is RSA.
4. Symmetric: Symmetric key algorithms are faster compared to asymmetric key algorithms.
   Asymmetric: Asymmetric key algorithms are slower compared to symmetric key algorithms.
5. Symmetric: Symmetric encryption is used for bulk data transmission.
   Asymmetric: Asymmetric encryption is used for securely exchanging secret keys.
Knapsack cryptosystem. 5M
1. Knapsack is an asymmetric-key cryptosystem.
2. It requires two keys for communication public key and private key.
3. Public key is used for encryption and private key is used for decryption.
4. Knapsack problem is also called as rucksack problem.
5. Knapsack is a problem in combinatorial optimization.
6. Knapsack problem states that, Given a set of items, each with a mass and a value, determine
the number of each item to include in a collection so that the total weight is less than or equal
to a given limit and the total value is as large as possible.
7. There are two versions of knapsack:
A. 0/1 Knapsack Problem:
Items are indivisible in this knapsack problem. You can either take an item or not. In this
problem some special instances can be solved with dynamic programming.
B. Fractional knapsack problem:
Items are divisible in this knapsack problem. You can take any fraction of an item.
8. Algorithm for knapsack (T is the knapsack sum of the 0/1 vector X over the sequence S):
KnapsackSum(S[n], X[n])
{
T ← 0
For (i = 1 to n)
{
T ← T + Si * Xi
}
Return T
}
9. Inverse algorithm for knapsack (S must be superincreasing, i.e. each Si is greater than the sum of all earlier elements, so the greedy scan from the largest element down is correct):
Inverse_KnapsackSum(T, S[n])
{
For (i = n down to 1)
{
If T ≥ Si
{
Xi ← 1
T ← T − Si
}
Else
Xi ← 0
}
Return X[1, ……, n]
}
10. Knapsack cryptosystem includes following process:
A. Generation of key
B. Encryption process
C. Decryption process
11. Generation of key: Generation of encryption and decryption key i.e. public key and private
key.
12. Encryption process: Encryption of message using knapsack algorithm. It converts plaintext
into ciphertext.
13. Decryption process: Decryption of message using inverse knapsack algorithm. It converts
ciphertext into plaintext.
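As an added worked example (not code from the original notes), the following Python implements the KnapsackSum and Inverse_KnapsackSum routines above and the three processes of item 10 (key generation, encryption, decryption). The notes do not name the trapdoor, so the Merkle–Hellman construction (public key Pi = r·Si mod q from a superincreasing private S) is assumed; the parameters PRIVATE_S, Q and R are constructed toy values.

```python
"""Knapsack cryptosystem: KnapsackSum / Inverse_KnapsackSum from the notes,
plus key generation, encryption and decryption. Added example, not code from
the notes; the modular-multiplication trapdoor (r, q) is the Merkle-Hellman
construction, assumed here because the notes do not name one."""
from math import gcd
from typing import List, Tuple

def knapsack_sum(s: List[int], x: List[int]) -> int:
    """KnapsackSum: T = sum of Si * Xi for the 0/1 vector X."""
    return sum(si * xi for si, xi in zip(s, x))

def inverse_knapsack_sum(t: int, s: List[int]) -> List[int]:
    """Inverse_KnapsackSum: recover X from T, scanning from the largest
    element down. Correct only when S is superincreasing."""
    x = [0] * len(s)
    for i in range(len(s) - 1, -1, -1):
        if t >= s[i]:
            x[i] = 1
            t -= s[i]
    if t != 0:
        raise ValueError("T is not a subset sum of S")
    return x

def is_superincreasing(s: List[int]) -> bool:
    """Each element must exceed the sum of all elements before it."""
    total = 0
    for si in s:
        if si <= total:
            return False
        total += si
    return True

def generate_keys(private_s: List[int], q: int, r: int) -> Tuple[List[int], tuple]:
    """Key generation: public knapsack Pi = r*Si mod q from a superincreasing
    private S, with q > sum(S) and gcd(r, q) == 1 so that r is invertible."""
    if not is_superincreasing(private_s):
        raise ValueError("private sequence must be superincreasing")
    if q <= sum(private_s) or gcd(r, q) != 1:
        raise ValueError("need q > sum(S) and gcd(r, q) == 1")
    public = [(r * si) % q for si in private_s]
    return public, (private_s, q, r)

def encrypt(public: List[int], bits: List[int]) -> int:
    """Encryption: the ciphertext is the public knapsack sum of the plaintext bits."""
    if len(bits) != len(public):
        raise ValueError("plaintext block must have len(public) bits")
    return knapsack_sum(public, bits)

def decrypt(private_key: tuple, ciphertext: int) -> List[int]:
    """Decryption: undo the trapdoor (multiply by r^-1 mod q), then solve the
    easy superincreasing knapsack with Inverse_KnapsackSum."""
    s, q, r = private_key
    r_inv = pow(r, -1, q)
    t = (ciphertext * r_inv) % q
    return inverse_knapsack_sum(t, s)

# Constructed toy parameters (far too small for real use).
PRIVATE_S = [2, 3, 7, 14, 30]   # superincreasing, sum = 56
Q, R = 61, 17                   # q > 56 and gcd(17, 61) = 1
PUBLIC, PRIVATE = generate_keys(PRIVATE_S, Q, R)

def demo(bits=(1, 0, 1, 1, 0)) -> List[int]:
    """Round trip one plaintext block through encrypt and decrypt."""
    return decrypt(PRIVATE, encrypt(PUBLIC, list(bits)))

if __name__ == "__main__":
    print("public key:", PUBLIC)
    print("ciphertext:", encrypt(PUBLIC, [1, 0, 1, 1, 0]))
    print("round trip:", demo())
```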
What are the different modes of authenticating a user?
Different modes of authenticating user:
1. Computer recognition software:
i. This authentication factor is accomplished by installing a small authentication software plug-in
that places a cryptographic device marker onto the consumer's computer.
ii. It can then be verified as a second factor during the authentication process.
iii. The authentication process would then include two factors: password and the device marker
on the consumer’s computer.
iv. Because the device marker is always on the consumer's computer, the user only has to enter
their username and password to log in.
2. Biometrics:
i. Biometrics authentication is verification of physical characteristics such as a fingerprint or eye
recognition using a hardware device.
ii. Offering biometric authentication for consumer online banking has significant challenges
including distribution of biometric readers and the associated cost per user.
iii. Fingerprint scan is an example of biometric authentication.
iv. Face recognition is also biometric authentication technique.
3. E-mail or SMS one-time password (OTP):
i. E-mail or SMS OTP is based on sending a second one-time use password to a registered e-mail
address or cell phone.
ii. The user must then input that second one-time password in addition to their normal
password to authenticate to the online bank.
iii. This method is generally used for everyday logins.
iv. There is a time lag before users get the OTP they need to log in, but this method is often used for
the initial enrollment before providing another form of authentication.
4. One Time Password (OTP) token:
i. An OTP token provides users with a hardware device that generates a constantly-changing
second password that must be entered into the online banking Web site in addition to the
normal password.
ii. OTP tokens require the user to carry the token with them to login to the bank Web site.
iii. If a customer has multiple banks that require OTP tokens, then the user must carry multiple
tokens unless the banks integrate their systems to accept a single token.
iv. OTP tokens are mostly used in bank transactions.
5. Out of band:
i. Out-of-band verification involves the bank calling a registered phone number and requesting
that the user enter their password over the phone prior to allowing the user to login.
ii. This is similar to e-mail or SMS OTPs.
iii. This requirement introduces a time lag and requires that the user be at the location of the
registered phone number.
6. Peripheral device recognition:
i. Peripheral device recognition is accomplished by placing a cryptographic device marker on a
user’s existing device such as a USB flash drive, Smart Phone memory card, etc.
ii. This can be a good alternative to the OTP token.
iii. It provides a hardware based second factor but doesn't require the user to carry an
additional device.
iv. In addition, device markers from multiple banks can reside on a single hardware device
without requiring the various banks to integrate their systems.
7. Scratch-off card:
i. A scratch-off card contains several PIN numbers that the user scratches off and then uses only
once to log in.
ii. This is a lower-cost one-time password option than tokens.
Difference between discretionary access control and mandatory access control. 5M
No. Discretionary access control / Mandatory access control
1. DAC: In discretionary access control (DAC), the owner of the object specifies which subjects can access the object.
   MAC: In mandatory access control (MAC), the system specifies which subjects can access specific data objects.
2. DAC: Discretionary access control is based on the discretion of the owner.
   MAC: Mandatory access control is based on security labels.
3. DAC: Operating systems such as Windows, Linux, and Macintosh are based on discretionary access control.
   MAC: Mandatory access control is used in military institutions.
4. DAC: Compared to mandatory access control, discretionary access control is not an easier way of establishing and maintaining access.
   MAC: Mandatory access control is an easier way of establishing and maintaining access compared to discretionary access control.
5. DAC: Discretionary access control is more flexible than mandatory access control.
   MAC: Mandatory access control is less flexible than discretionary access control.
6. DAC: Discretionary access control is more labor intensive than mandatory access control.
   MAC: Mandatory access control is less labor intensive than discretionary access control.
7. DAC: Access can be provided by users.
   MAC: Access can only be changed and provided by an admin in mandatory access control.
Software Reverse engineering 5M
1. Software Reverse Engineering (SRE) is the practice of analyzing a software system or a part of
the software system.
2. Reverse engineering skills are also used to detect and neutralize viruses, malware and to
protect intellectual property.
3. The process of taking a software program's binary code and recreating it to trace it back to
the original source code is called software reverse engineering.
4. Software reverse engineering involves reversing a program's machine code back into the
source code that it was written in, using program language statements.
5. Software reverse engineering is widely used in computer hardware and software to enhance
product features and to fix certain bugs.
6. Reverse engineering is also known as the process of converting the code written in a high level
language into a low level language without changing the original program.
7. It is similar to disassembling the parts of a vehicle to understand the basic functioning of the
machine and internal parts and making appropriate adjustments for a better performance.
8. Reverse engineering is taking apart an object to see how it works in order to duplicate or
enhance the object.
9. Reverse engineering can be applied to several parts of the software or hardware
development activities to convey different meanings.
10. There are two types of reverse engineering. In the first type, the source code is available,
but the high-level aspects of the program are not; the effort to discover them for the software
that is being developed is known as reverse engineering.
11. In the second case, the source code for the software is not available, and the process of
discovering the possible source code is known as reverse engineering.
12. To avoid copyright infringement, reverse engineering uses the clean room design technique.
13. The main purpose of reverse engineering:
i. Audit the security
ii. Remove the copy protection
iii. Customize the embedded systems
iv. Include additional features
14. Reverse engineering is used in many fields such as software design, software testing and
software programming etc.
15. In software design, reverse engineering enables the developer or programmer to add new
features to the existing software with or without knowing the source code. Different
techniques are used to add new features to the software.
16. Reverse engineering helps the testers to study and analyze the virus code and other
malware code.
17. The main purpose of reverse engineering is to make the system robust so as to protect it
from spyware and hackers.
18. The process of reverse engineering uses some tools to analyze software and determine its
component.
19. Tools used in software reverse engineering:
i. Disassemblers: A disassembler is used to convert binary code into assembly code and to
extract strings, functions, libraries etc. The disassembler converts the machine language into a
user-friendly format.
ii. Debuggers: This tool expands the functionality of a disassembler by supporting the CPU
registers, hex dumping of the program, a view of the stack etc. Using debuggers, programmers
can set breakpoints and edit the assembly code at run time. Debuggers analyze the binary in a
similar way to the disassembler and allow the reverser to step through the code by running one
line at a time to investigate the results.
iii. Hex Editors: These editors allow the binary to be viewed in the editor and change it as per
the requirements of the software. There are different types of hex editors available that are
used for different functions.
iv. PE and Resource Viewer: The binary code is designed to run on a Windows based machine
and has very specific data which tells how to set up and initialize a program. All the programs
that run on Windows should have a portable executable that supports the DLLs the program
needs to borrow from.
20. Reverse engineering has developed to take positive approach for creating descriptive data
set of the original object.
21. There are many applications used for reverse engineering.
22. Due to the development of multiple devices, reverse engineering software enables
programmers to manipulate the data into a useful form.
23. Reverse engineering is also beneficial for business and owners to incorporate advanced
features into their software to meet the demands of the growing markets.
What are the different phases of a virus? Explain 5M
Different phases of virus:
i. Dormant phase
ii. Propagation phase
iii. Triggering phase
iv. Execution phase
i. Dormant Phase:
1. The virus remains idle.
2. It gets activated based on a certain action or event.
3. Examples of such events in the dormant phase are a user pressing a key, or a certain date and time, etc.
ii. Propagation Phase:
1. The virus starts propagating, that is multiplying itself.
2. A piece of code copies itself and each copy starts copying more copies of self, thus
propagating.
3. Virus starts placing its copies into other applications.
iii. Triggering Phase:
1. A Dormant virus moves into this phase when it gets activated, that is, the event it was
waiting for gets initialized.
2. The virus is activated to perform the function for which it was intended.
3. It is caused by a variety of system events.
iv. Execution Phase:
1. This is the actual work of the virus.
2. In this phase virus function is performed.
3. Virus can be destructive or harmless.
Define with examples i) SQL injections ii) Cross-site scripting. 5M
i. SQL injection:
1. SQL injection is a malicious technique used to attack databases.
2. SQL injection is a code injection technique which exploits security flaws in database
application programs.
3. Such SQL vulnerabilities occur when user input is not strictly checked.
4. SQL injection is one of the most common application layer attack techniques used for
extracting valuable data from databases.
18. 5. SQL injection attacks:
i. Incorrectly filtered escape characters
ii. Incorrect type handling
iii. Vulnerabilities in database server
iv. Blind SQL injection
v. Conditional responses
vi. Conditional errors
vii. Time delays
6. Incorrectly filtered escape characters:
It occurs when user input is not properly filtered.
7. Incorrect type handling:
It occurs when a data field is not strongly typed checked for constraint.
8. Vulnerabilities in database server:
It occurs due to problem in server software.
9. Blind SQL injection:
This attack is used when a web application is vulnerable to an SQL injection but the results of
the injection are not visible to the attacker.
10. Conditional responses:
This SQL injection evaluates a logical statement on an ordinary application screen.
11. Conditional errors:
This type of blind SQL injection attack causes some error.
12. Time delays:
Time delay is a type of blind SQL injection. It causes the query to take an extremely long time
to execute.
ii. Cross site scripting:
1. Cross site scripting attacks are a type of injection in which malicious scripts are injected into a
trusted website.
2. Cross site scripting attacks occur when an attacker uses a web application to send malicious
code.
3. Cross site scripting refers to client side code injection attack.
4. An attacker can use cross site script (XSS) to send a malicious script to an unsuspecting user.
5. This malicious script can access any cookies, session tokens, or other sensitive information
from the browser and site.
6. Cross site scripts can rewrite the content of the HTML document/page.
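Both definitions above come down to the same root cause: untrusted input is mixed into a query or a page without being treated as data. The following Python example is added here (it is not code from the original notes) and shows a lookup written the vulnerable way beside its parameterized form, plus the HTML-escaping that stops a script in a name from being rendered. The `users` table and its rows are constructed for the demonstration.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable: the input is concatenated into the SQL text, so a quote
    # character in `name` changes the structure of the query ("incorrectly
    # filtered escape characters").
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn, name):
    # Hardened: a bound parameter is always treated as a value, never as SQL,
    # whatever characters it contains.
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


def render_greeting_unsafe(name):
    # Vulnerable: the value is written straight into the HTML document, so a
    # <script> element in it becomes part of the page (stored/reflected XSS).
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Hardened: escaping turns <, >, &, quotes into entities, so the browser
    # displays the text instead of executing it.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

The parameterized query and the escaping call are the two fixes: the database driver and the browser each see a value, not code.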
Windows security 5M
1. Windows Security and Maintenance is a monitoring component of the Windows NT family of
operating systems.
2. Action Center and Windows Security Center monitor the security and maintenance status of
the computer.
3. It includes optimal operation of personal firewalls, anti-virus software and anti-spyware
software.
4. Security and Maintenance also includes the working status of network access protection,
Windows Update, user account control, Windows error reporting and backup and restore.
6. It notifies the user of any problem with their criteria.
7. Security and maintenance consists of three major components:
i. Control panel applet
ii. Windows service
iii. Application programming interface (API)
8. The control panel applet divides the monitored criteria into categories and color-codes them.
Yellow indicates non-critical warning and red indicates critical warning.
9. Security center determines the current state of the settings.
10. This service continually monitors the system for changes and it notifies the user if it detects
a problem.
11. To show notifications, it adds a notification icon into the windows taskbar.
12. A set of APIs lets programs retrieve, and receive notification of, the aggregate health status
within Security and Maintenance.
13. These APIs allow programs to confirm whether the system is in a healthy state or not.
14. Security log is a log that contains records of login/logout activity.
15. Security log is tool to troubleshoot problems and to detect and investigate attempted and
successful unauthorized activity.
What are the different types of malware? How do they propagate? 10M
Types of malware:
1. Virus:
i. A virus is a malicious code that has the capability to copy itself.
ii. Viruses spread when the software or document they are attached to is transferred from one
computer to another using any device or network.
iii. Computer virus can corrupt or destroy your system.
iv. Viruses are generally destructive.
2. Worm:
i. A worm is a piece of malicious code that can spread from one computer to another.
ii. Worms are specifically designed to exploit vulnerabilities, and they spread by using network
and Internet connections.
iii. The big danger that a worm poses is its capability to replicate itself on a system.
iv. A worm is also considered a sub-class of virus.
3. Trojan horse or Trojan:
i. A Trojan is malicious code that can damage a system.
ii. Some Trojans are more annoying than harmful.
iii. Some Trojans cause serious damage by deleting files and information stored on the system.
iv. Downloaded pirated software may actually contain a Trojan.
4. Blended threat:
i. A blended threat is a more sophisticated attack.
ii. It bundles some worst aspects of viruses, worms, Trojan horses and malicious code into a
single threat.
iii. Blended threat uses server and internet vulnerabilities to transmit and spread attacks.
iv. They cause harm to the infected system on network and propagate using multiple methods.
5. Spyware:
i. A spyware is a type of malware that spies on you without your knowledge.
ii. It collects a variety of different types of data from your system.
iii. Different types of malware can act as spyware.
iv. There are some spyware that spy on keystrokes to steal financial data.
6. Adware:
i. Adware is a type of malware that comes along with spyware.
ii. Adware is any type of software that displays advertising on computer.
iii. Adware is considered to be more acceptable than other types of malware.
iv. An example of an adware is the Ask Toolbar that’s included with Oracle’s Java software.
7. Key logger:
i. A key logger runs in the background to record every keystroke made by user.
ii. Keystrokes can include usernames, passwords, credit card numbers, and other sensitive data.
iii. Key loggers upload these keystrokes to a malicious server where it can be analyzed and
people can pick out useful passwords and credit card numbers.
iv. Different types of malware can act as key loggers. Employers can also install key loggers into
their employees’ computers for monitoring purposes.
8. Botnet or Bot:
i. A bot is a software program created to automatically perform specific operations.
ii. Bots act like robots: they are snippets of code designed to automate tasks and respond to
instructions.
iii. A malicious bot is installed in a system without the user's permission.
iv. Websites can guard against bots with CAPTCHA tests that verify users as human. According
to many reports, botnets currently pose the biggest threat to the Internet.
9. Rootkit:
i. A rootkit is a set of software tools that hides its presence in the lower layers of the operating
system.
ii. A rootkit is a type of malware designed to burrow deep into your computer to avoid
detection by security programs and users.
iii. Rootkits continually hide their presence.
iv. Users can protect themselves from rootkits by regularly patching vulnerabilities in software,
applications, operating systems, updating virus definitions, avoiding suspicious downloads and
performing static analysis scans.
10. Ransomware:
i. Ransomware is a type of malware that takes a computer or its data hostage in an effort to
extort money from victims.
ii. There are two types of Ransomware: Lockscreen Ransomware and Encryption Ransomware.
iii. Lockscreen Ransomware displays a full-screen image or webpage that prevents you from
accessing anything from your computer.
iv. Encryption Ransomware encrypts your files with a password, preventing you from opening
them.
Give two techniques to establish a covert channel. 5M
Techniques to establish a covert channel:
i. Unused Header Bits
ii. Optional Header Fields
iii. Semantic Overloading of Header Fields
iv. Packet and Message Sequence Timing
v. Payload Tunneling
i. Unused Header Bits:
1. By exploiting protocols such as TCP/IP, it is possible to encode a covert channel using the
reserved or unused bits of their headers.
2. If the receiver does not check these bits, or the protocol specification does not impose
explicit values, then hidden data can be transmitted in them.
3. The unused fields in TCP/IP can be used to establish a malicious communication channel.
4. Malicious software agents use the unused fields of ICMP and TCP/IP packets to establish
such communication channels.
ii. Semantic Overloading of Header Fields:
1. Semantic overload occurs when a word or phrase has more than one meaning.
2. Semantic overload is related to the linguistic concept of polysemy.
3. Overloading is related to the psychological concept of information overload, and the
computer science concept of an overloaded expression.
4. A term that is semantically overloaded is a kind of "overloaded expression" in language that
causes a certain small degree of "information overload" in the receiving audience.
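From the defender's side, the "unused header bits" channel described above is found by looking for header fields that carry a value the protocol gives no meaning to. The Python example below is added here and is not from the original notes: it parses the fixed 20-byte TCP header with the standard library and reports the reserved bits after the data offset, and an urgent pointer set while the URG flag is clear. The sample headers are constructed in `build_header`, not captured traffic.

```python
import struct

# Fixed TCP header: sport, dport, seq, ack, offset/reserved byte, flags byte,
# window, checksum, urgent pointer (network byte order).
TCP_HEADER = "!HHIIBBHHH"
URG = 0x20  # URG control bit in the flags byte


def parse_tcp_header(raw):
    """Parse the 20-byte fixed TCP header into its fields."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        TCP_HEADER, raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": off_res >> 4,        # header length in 32-bit words
        "reserved": (off_res >> 1) & 0x7,   # three reserved bits after the offset
        "flags": flags, "window": win, "checksum": csum, "urg_ptr": urg,
    }


def suspicious_fields(raw):
    """Report header fields carrying values the protocol does not use; a covert
    channel in the header would have to live in exactly these places."""
    h = parse_tcp_header(raw)
    findings = []
    if h["reserved"]:
        findings.append("reserved bits set")
    # The urgent pointer is only meaningful when URG is set.
    if h["urg_ptr"] and not (h["flags"] & URG):
        findings.append("urgent pointer set without URG flag")
    return findings


def build_header(reserved=0, flags=0x02, urg_ptr=0):
    """Constructed sample: a SYN to port 80 with a 20-byte header (offset 5)."""
    off_res = (5 << 4) | ((reserved & 0x7) << 1)
    return struct.pack(TCP_HEADER, 40000, 80, 1, 0, off_res, flags, 65535, 0, urg_ptr)
```

A normal SYN produces no findings; a header with any reserved bit set or with an urgent pointer but no URG flag is reported, which is the kind of check an IDS rule for this channel encodes.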
What is IDS? How does it differ from a honeypot? Discuss the different types of IDS. 10M
IDS:
1. IDS stands for Intrusion Detection System.
2. An Intrusion Detection System (IDS) is a software or hardware device installed on the
network (NIDS) or host (HIDS) to detect and report intrusion attempts to the network.
3. An IDS gathers information within a LAN about unauthorized access or misuse.
4. An IDS is also referred to as a packet sniffer.
5. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
How an IDS differs from a honeypot:
1. An IDS is Intrusion Detection System which gathers information about unauthorized access,
whereas Honeypot is a term derived from old fashioned methods of disposing of unwanted
flying insects.
2. The IDS is designed to protect and monitor a live production environment, whereas the
honeypot is intended to draw attackers in.
3. An IDS is a defense, whereas a honeypot is not a defense.
4. An IDS will never get you charged with "entrapment", whereas a honeypot might get you
charged with "entrapment".
5. An IDS is a tool for monitoring and reporting unauthorized system activities, whereas a
honeypot is a decoy system that attracts attacks for the purpose of analysis.
Types of IDS:
Network IDS, Host IDS or HIDS, Protocol based IDS, Application protocol based IDS, Anomaly
based IDS, Misuse Based, Hybrid based.
Network based IDS and Host based IDS are two general types of IDS.
i. Network Based IDS:
1. Network based IDS is the first type of IDS.
2. This type of IDS is deployed at strategic places in the network infrastructure.
3. It captures traffic going across the wire and compares it to a database of known attack
signatures.
4. If an inspected packet matches the signature database, actions can be taken such as alerting
the administrator, sending a RST to the attacking host to kill the connection, or dynamically
modifying firewall rules to block the connection.
5. A network IDS is most similar to a sniffer on steroids.
6. Examples of network IDS: Snort, Cisco Network IDS.
ii. Host Based IDS:
1. Host based IDS is the second type of IDS.
2. Host IDS runs as a service or agent on the protected host.
3. Host IDS does not inspect traffic that is not directed at the host it is protecting.
Explain the process of generation & verification of digital certificate. 10M
1. A digital certificate is a digital form of identification.
2. A digital certificate is a digital credential that provides information about the identity of an
entity and other information.
3. A digital certificate is issued by an authority called a certification authority (CA).
4. A digital certificate is valid for only a specific period of time.
6. The user knows it is valid because a trusted certification authority has issued the certificate.
7. Digital certificates provide support for public key cryptography because digital certificates
contain the public key of the entity identified in the certificate.
8. Digital certificates are based on public key cryptography for authentication.
9. At the time of issue of digital certificate, the issuing certification authority signs the
certificate with its own private key.
10. The structure of a digital certificate makes it reliable to retrieve and understand the
information within the certificate.
11. Digital certificate contains:
a. Version number
b. Serial number
c. Certificate algorithm identifier
d. Issuer name
e. Validity period
f. Subject name
g. Subject public key information
h. Issuer unique identifier
i. Subject unique identifier
j. Extensions
k. Certification authority's digital signature
12. Digital signature technology allows the recipient of given signed message to verify its real
origin and its integrity.
13. The process of digital signature verification is meant to ascertain whether a given message
has been signed by the private key that corresponds to a given public key.
14. The digital signature verification includes the following steps:
a. Message digest decryption
b. Digest evaluation
c. Digest comparison
15. Message digest decryption: The digest has been encrypted using the issuer’s (Alice) private
key. The digest is now decrypted using the issuer’s public-key included in the message.
16. Digest evaluation: The message cannot be derived from the digest itself, the recipient must
re-evaluate the digest using the exact same hashing algorithm the issuer used.
17. Digests comparison: The digest decrypted and the digest evaluated are compared. If there is
a match, the signature has been verified, and the recipient can accept the message as coming
unaltered from the issuer.
18. If the digital signature is not genuine and it is decrypted with the public key, then the
obtained value will not be the original hash-value of the original message.
19. If the message was changed after its signing, the current hash-value calculated from this
changed message will differ from the original hash-value because the two different messages
correspond to different hash-values.
20. If the public key does not correspond to the private key used for signing, the original hash-
value obtained by decrypting the signature with an incorrect key will not be the correct one.
ARP spoofing:
1. ARP stands for address resolution protocol.
2. ARP spoofing is a malicious technique that causes the redirection of network traffic to a
hacker.
3. ARP Spoofing may denote sniffing out LAN addresses on both wired and wireless LAN
networks.
4. The concept behind ARP spoofing is to send bogus ARP communications to Ethernet LANs
and the attack may modify traffic or block it altogether.
5. There are three types of ARP spoofing:
a. Man-In-The-Middle Attacks: These involve traffic modifications.
b. Denial-of-Service Attacks: These involve a fake MAC address attached to the user’s default
gateway.
c. Passive Sniffing: This happens when traffic is sent to the user’s default gateway through their
IP address.
6. A useful and non-malicious use of ARP spoofing is hotels utilizing the technique to allow
guests to access the Internet from their laptops.
TCP SYN flood attack:
1. TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack.
2. It exploits part of the normal TCP three-way handshake to consume resources on the
targeted server and to render it.
3. In this attack the offender sends TCP connection requests faster than the targeted machine
can process them, which causes network saturation.
4. In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted
server using a fake IP address. The server is unaware of the attack and receives multiple and
apparently legitimate requests to establish communication. It responds to each attempt with a
SYN-ACK packet from each open port.
5. The malicious client either does not send the expected ACK, or—if the IP address is
spoofed—never receives the SYN-ACK in the first place.
6. Either way, the server under attack will wait for acknowledgement of its SYN-ACK packet for
some time.
Port scanning:
1. The act of systematically scanning a computer's ports is called port scanning.
2. Port scanning has legitimate uses in managing networks.
3. Port scanning can also be malicious in nature.
4. Types of port scans:
i. Vanilla: the scanner attempts to connect to all 65,535 ports
ii. Strobe: a more focused scan looking only for known services to exploit
iii. Fragmented packets: the scanner sends packet fragments that get through simple packet
filters in a firewall
iv. UDP: the scanner looks for open UDP ports
v. Sweep: the scanner connects to the same port on more than one machine
vi. FTP bounce: the scanner goes through an FTP server in order to disguise the source of the
scan
vii. Stealth scan: the scanner blocks the scanned computer from recording the port scan
activities.
5. Port scanning is not a crime.
6. There is no way to stop someone from port scanning your computer while you are on the
Internet because accessing an Internet server opens a port, which opens a door to your
computer.
7. There are software products that can stop a port scanner from doing any damage to your
system.
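The network IDS description above says it compares traffic against known patterns and raises alerts; the ARP spoofing, SYN flood and port scanning sections each describe a pattern an IDS can look for. The Python example below is added here (it is not code from the original notes) and runs three such checks over a constructed list of packet records: an IP address claimed by more than one MAC (ARP spoofing), a source with many SYNs and no completed handshakes (SYN flood), and a source touching many distinct ports on one host (port scan). The packet records and the two thresholds are assumptions made for the demonstration, not captured traffic or tuned values.

```python
from collections import defaultdict

SYN_FLOOD_THRESHOLD = 20   # half-open attempts from one source (assumed policy value)
PORT_SCAN_THRESHOLD = 15   # distinct ports on one host from one source (assumed)

# Constructed packet records standing in for a capture (not real traffic).
PACKETS = [
    # ARP replies: 10.0.0.1 is claimed by two different MACs, 10.0.0.2 by one.
    {"proto": "arp", "ip": "10.0.0.1", "mac": "aa:aa:aa:aa:aa:01"},
    {"proto": "arp", "ip": "10.0.0.2", "mac": "aa:aa:aa:aa:aa:02"},
    {"proto": "arp", "ip": "10.0.0.1", "mac": "bb:bb:bb:bb:bb:99"},
]
# A normal client: three handshakes, each SYN followed by the client's ACK.
for _ in range(3):
    PACKETS.append({"proto": "tcp", "src": "10.0.0.10", "dst": "10.0.0.5", "dport": 443, "flags": "S"})
    PACKETS.append({"proto": "tcp", "src": "10.0.0.10", "dst": "10.0.0.5", "dport": 443, "flags": "A"})
# A port scan: one source probing 16 distinct ports once each.
for port in range(20, 36):
    PACKETS.append({"proto": "tcp", "src": "10.0.0.99", "dst": "10.0.0.5", "dport": port, "flags": "S"})
# A SYN flood: one source sending 25 SYNs to port 80 and never completing them.
for _ in range(25):
    PACKETS.append({"proto": "tcp", "src": "10.0.0.77", "dst": "10.0.0.5", "dport": 80, "flags": "S"})


def detect_arp_spoof(packets):
    """IP addresses for which ARP replies carried more than one MAC address."""
    claims = defaultdict(set)
    for p in packets:
        if p["proto"] == "arp":
            claims[p["ip"]].add(p["mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def detect_syn_flood(packets, threshold=SYN_FLOOD_THRESHOLD):
    """Sources whose SYNs outnumber their ACKs by at least the threshold,
    i.e. connections left half-open on the server."""
    syn = defaultdict(int)
    ack = defaultdict(int)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        if p["flags"] == "S":
            syn[p["src"]] += 1
        elif p["flags"] == "A":
            ack[p["src"]] += 1
    return {src: syn[src] - ack[src] for src in syn if syn[src] - ack[src] >= threshold}


def detect_port_scan(packets, threshold=PORT_SCAN_THRESHOLD):
    """(source, destination) pairs where the source touched many distinct ports."""
    ports = defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp":
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {pair: len(ps) for pair, ps in ports.items() if len(ps) >= threshold}
```

Each detector returns the offending addresses with the evidence count, which is what an alert to the administrator would carry; the response actions the text mentions (RST, firewall rule change) would be driven from these results.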
What is session hijacking? How does it occur? Give two ways to prevent a session hijack. 10M
1. The session hijacking attack consists of the exploitation of the web session control
mechanism, which is managed by a session token.
2. A session token is composed of a string of variable width and it could be used in the URL,
cookie, etc.
3. The session hijacking attack compromises the session token by stealing or predicting a valid
session token to gain unauthorized access to the web server.
4. The session token could be compromised in different ways:
i. Predictable session token
ii. Session Sniffing
iii. Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc)
iv. Man-in-the-middle attack
v. Man-in-the-browser attack
5. Session hijacking can be done in two levels:
I. Network Level
II. Application Level
I. Network Level:
Network layer hijacking involves TCP and UDP sessions.
A. TCP session Hijacking:
1. TCP hijacks are meant to intercept an already established TCP session between any two
communicating parties, then pretend to be one of them and redirect the TCP traffic to the
attacker by injecting spoofed IP packets, so that the attacker's commands are processed on
behalf of the authenticated host of the session.
2. It desynchronizes the session between the actual communicating parties by intruding
between them.
3. Authentication is only required at the time of establishing connection.
4. An already established connection can be easily stolen without going through any sort of
authentication or security measures concerned.
5. TCP session hijacks can be implemented in the following ways:
i. Middle Man Attack
ii. Blind attack
iii. IP Spoofing
i. Middle Man Attack: A middle man attack involves using a packet sniffer to intercept the
communication between the client and the server.
ii. Blind attack: The attacker is not able to sniff the packets and must guess the correct sequence
number expected by the server.
iii. IP Spoofing: When a computer outside of your network pretends to be a trusted computer
within the network, then, this action by the attacker is called IP Spoofing.
B. UDP session hijacking:
1. UDP does not use packet sequencing and synchronizing.
2. It is easier to hijack a UDP session than a TCP session.
3. The hijacker simply has to forge a server reply to a client UDP request before the server can
respond.
4. If sniffing is used then it will be easier to control the traffic generated from the side of the
server and thus restrict the server's reply to the client in the first place.
II. Application level:
1. Application level session hijack occurs with HTTP sessions.
2. At this level a hijacker can not only hijack already existing sessions.
3. The hijacker can also create new sessions from the stolen data.
4. HTTP session hijacking:
i. Hijacking HTTP sessions involves obtaining the session ID of the session.
ii. It is the only unique identifier of the HTTP session.
iii. Session IDs can be found in three places: in the URL received by the browser for the HTTP
GET request, in cookies stored on the client's computer, and within form fields.
Methods to prevent session hijacking:
1. Regenerating the session ID after a successful login:
This method prevents the session fixation because the attacker does not know the session ID of
the user after he has logged in.
2. Using a Long Random Number or String as a Session Key:
This reduces the risk that an attacker could simply guess a valid session key through trial and
error or brute force attacks.
3. Encryption of the data passed between the parties:
This technique is widely relied upon by web-based e-commerce services as it completely
prevents sniffing-style attacks. Some services make additional checks against the identity of the
user.
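The first two prevention methods above (regenerate the session ID at login; use a long random session key) can be shown together in a small server-side session store. The Python example below is added here and is not code from the original notes; the `SessionStore` design is an assumption made for the demonstration. Tokens come from the operating system's CSPRNG via `secrets`, and `login` discards the pre-login token so a fixated or stolen pre-authentication identifier never becomes an authenticated session.

```python
import secrets

TOKEN_BYTES = 32  # 256 bits of randomness per session identifier


class SessionStore:
    """Server-side session table keyed by a long random token (assumed design)."""

    def __init__(self):
        self._sessions = {}  # token -> session data

    @staticmethod
    def _new_token():
        # secrets.token_urlsafe draws from the OS CSPRNG; 32 bytes gives a
        # 43-character URL-safe string that cannot be guessed by brute force.
        return secrets.token_urlsafe(TOKEN_BYTES)

    def create(self):
        """Anonymous (pre-login) session."""
        token = self._new_token()
        self._sessions[token] = {"user": None}
        return token

    def login(self, token, user):
        """Authenticate the session and rotate its identifier.

        The old token is removed, so anyone who learned it before the login
        (session fixation, sniffing of the anonymous session) holds nothing."""
        data = self._sessions.pop(token, None)
        if data is None:
            raise KeyError("unknown session")
        data["user"] = user
        new_token = self._new_token()
        self._sessions[new_token] = data
        return new_token

    def user_for(self, token):
        """Resolve a presented token; None for unknown or anonymous sessions."""
        data = self._sessions.get(token)
        return None if data is None else data["user"]

    def logout(self, token):
        self._sessions.pop(token, None)
```

The third method in the text, encrypting the transport, is what keeps the rotated token from being sniffed in transit; the store above assumes the token travels over TLS.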
What is firewall? Explain different types of firewalls and specify at which layer of the
Internet stack do they operate. 10M
Firewall:
1. A firewall is a system that provides network security by filtering incoming and outgoing
network traffic based on a set of user-defined rules.
2. A firewall is a hardware or software which functions in a networked environment to block
unauthorized access while permitting authorized communications.
3. The purpose of a firewall is to reduce or eliminate the occurrence of unwanted network
communications while allowing all legitimate communication to flow freely.
4. Firewall performs actual actions such as blocking and filtering.
5. Firewall restricts access to your network by deciding which packet should allow.
6. In most server infrastructures, firewalls provide an essential layer of security that, combined
with other measures, prevent attackers from accessing your servers in malicious ways.
Types of Firewall:
Packet Filtering Firewall, Stateful-inspection Firewall, Network Address Translation (NAT)
Firewall, Application Based Firewall, Hybrid firewalls.
A. Packet Filtering Firewall:
i. Packet filtering firewalls work by inspecting individual packets in isolation.
ii. Packet filtering firewall is also called as stateless firewall.
iii. They are unaware of connection state.
iv. They can only allow or deny packets based on individual packet headers.
B. Stateful-inspection Firewall:
i. A stateful firewall determines the connection state of packets.
ii. This makes it much more flexible than a stateless firewall.
iii. It works by collecting related packets until the connection state can be determined before
any firewall rules are applied to the traffic.
C. Network Address Translation (NAT) Firewall:
i. Network Address Translation firewall is the process in which a network device or a firewall,
assigns a public address to a computer or group of computers in a private network.
ii. The main use of this firewall is to limit the number of public IP addresses an organization or
company must use for economy and security purposes.
iii. Network address translation is the process of modifying IP information in IP packets.
D. Application Based Firewall:
i. Application firewalls go one step further by analyzing the data being transmitted.
ii. It allows network traffic to be matched against firewall rules that are specific to individual
services or applications.
iii. These are also known as proxy-based firewalls.
E. Hybrid firewalls:
i. A hybrid is a firewall that combines features and functions from other types of firewalls.
ii. Hybrid firewalls use multiple approaches within the same device.
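The difference between the first two types above, a packet filter that judges each packet in isolation and a stateful firewall that remembers connections, is easiest to see on the return path of an outbound connection. The Python example below is added here and is not code from the original notes; the internal network (10.0.0.0/8), the single policy rule (inside hosts may connect out to TCP 443) and the packets are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip):
    # Assumed internal network for the example: 10.0.0.0/8.
    return ip.startswith("10.")


def stateless_allow(pkt):
    """Packet-filtering (stateless) rules: each packet judged on its own headers."""
    # Rule 1: inside hosts may connect out to TCP 443.
    if is_inside(pkt.src) and pkt.dport == 443:
        return True
    # Rule 2: replies come back from port 443 to a high port. A stateless
    # filter cannot tell a genuine reply from an unsolicited packet that
    # merely uses source port 443, so this rule admits both.
    if is_inside(pkt.dst) and pkt.sport == 443 and pkt.dport >= 1024:
        return True
    return False


class StatefulFirewall:
    """Stateful inspection: records connections opened from inside and only
    admits inbound packets that belong to one of them."""

    def __init__(self):
        self.table = set()  # (inside ip, inside port, outside ip, outside port)

    def allow(self, pkt):
        if is_inside(pkt.src) and pkt.dport == 443:
            if pkt.syn and not pkt.ack:
                # New outbound connection: remember it.
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table
        if is_inside(pkt.dst):
            # Inbound: allowed only as the reply to a tracked connection.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False
```

Both firewalls pass the outbound SYN and the matching SYN-ACK; only the stateful one rejects an unsolicited inbound packet that copies the source port of a legitimate reply.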
Non-malicious programming errors 5M
1. Non-malicious programming errors are also known as buffer overflows.
2. A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-
liter pitcher.
3. It can be also be stated as trying to copy 4GB data into 2GB drive.
4. This is a stack based buffer overflow and it is also known as smashing the stack.
5. Assume a Web form that asks the user to enter data, such as name, age and date of birth of
the user.
6. The information entered by the user is then sent to a server and the server writes the data
entered to a buffer that can hold N characters.
7. If the server software does not verify that the length of the data is at most N characters, then
a buffer overflow will occur.
8. Any overflowing data will overwrite something important and cause the computer to crash.
9. This problem can be explained using software which is used for authentication.
10. The decision of the authentication resides in a single bit. If a buffer overflow overwrites this
authentication bit, then the user which is unauthorized can authenticate him as the actual user.
11. Such errors cause program malfunction but do not cause more harm to the system.
12. There may be loss of some important data in this type of errors.
Multilevel access control 5M
1. Multilevel access control is also known as label-based access control.
2. Multilevel security or multiple levels of security (MLS) is the application of a computer system
to process information with incompatible classifications.
3. It allows user to classify objects and users with security labels.
4. It prevents users from obtaining access to information for which they lack authorization.
5. The security labels are based on hierarchical security levels and non-hierarchical security
categories.
6. Multilevel security solution uses the multilevel security feature in the operating system.
7. It prevents unauthorized users from accessing information at a higher classification than their
authorization.
8. It also prevents users from declassifying information.
9. Using multilevel security with row-level granularity, user can define strong security for
database objects and perform security checks.
10. Row-level security checks allow you to control which users have authorization to view,
modify, or perform other actions on specific rows of data.
11. The Multilevel Access Control Scheme in Transparent Computing (MACTC) protects user data
with different security levels and provides multilevel access control and valid identity
authentication.
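The label rules above (hierarchical levels plus non-hierarchical categories, no access above one's authorization, no declassifying, row-level checks) can be written as a small dominance relation. The Python example below is added here and is not code from the original notes; the level names, the category names and the table rows are constructed for the demonstration.

```python
# Hierarchical security levels (assumed set for the example). Categories are
# non-hierarchical compartments; a label is a level plus a set of categories.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class Label:
    def __init__(self, level, categories=()):
        self.level = LEVELS[level]
        self.categories = frozenset(categories)

    def dominates(self, other):
        """A dominates B when A's level is at least B's and A's categories
        include all of B's. Two labels with different categories at the same
        level are incomparable: neither may see the other's data."""
        return self.level >= other.level and self.categories >= other.categories


def can_read(subject, obj):
    # Simple security property: read only what your label dominates ("no read up").
    return subject.dominates(obj)


def can_write(subject, obj):
    # *-property: write only to labels that dominate yours ("no write down"),
    # so a user cannot declassify information by copying it to a lower label.
    return obj.dominates(subject)


# Constructed database rows, each carrying its own label (row-level security).
ROWS = [
    {"id": 1, "payload": "public notice", "label": Label("UNCLASSIFIED")},
    {"id": 2, "payload": "budget", "label": Label("CONFIDENTIAL")},
    {"id": 3, "payload": "key schedule", "label": Label("SECRET", {"CRYPTO"})},
    {"id": 4, "payload": "reactor plan", "label": Label("SECRET", {"NUCLEAR"})},
    {"id": 5, "payload": "sources", "label": Label("TOP SECRET", {"CRYPTO"})},
]


def visible_row_ids(subject, rows=ROWS):
    """Row-level check: ids of the rows the subject is authorised to view."""
    return [r["id"] for r in rows if can_read(subject, r["label"])]


def writable_row_ids(subject, rows=ROWS):
    """Rows the subject may modify without declassifying anything."""
    return [r["id"] for r in rows if can_write(subject, r["label"])]
```

A SECRET/CRYPTO analyst sees rows 1 to 3 but not the SECRET/NUCLEAR row (same level, different category) or the TOP SECRET row, and may write only to rows at SECRET/CRYPTO or above.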
Explain RSA algorithm for public key encryption. Given modulus N=143 and public key=7, find
the values of p, q, phi(n), and private key d. Can we choose value of e=5? Justify.
RSA algorithm for public key encryption:
1. RSA is one of the public key cryptosystems and it is widely used for secure data transmission.
2. In this cryptosystem there are two keys used, for the encryption and decryption purposes.
3. The public key is used for encryption and the private key is used for decryption.
4. The two keys, public key and private key, differ from each other.
5. Encryption key is public i.e. it is same for every user or sender.
6. Decryption key is different for each user or receiver.
7. RSA algorithm is an asymmetric cryptographic algorithm.
8. RSA is also called as public key cryptography.
9. Public key is used to encrypt the message and private key is used to decrypt the message and
the encrypted message is only decrypted by private key.
10. The process of encryption and decryption in RSA algorithm:
Given data:
N=143, public key=7
Step 1: choose two distinct prime numbers p and q.
N=143=13*11
Prime numbers, p=13 and q=11
Step 2: find n=p*q
n=p*q=13*11=143
Step 3: calculate ɸ(n)=(p-1)*(q-1)
ɸ(n)=(p-1)*(q-1)
=(13-1)*(11-1)
=12*10=120
Step 4: select e such that e is relatively prime to ɸ(n), i.e. gcd(e, ɸ(n))=1 and 1<e<ɸ(n).
gcd(e,120)=1
gcd(5,120)=1 ……. e=5 is given
Step 5: calculate d
d=e^-1 mod ɸ(n), i.e. e*d mod ɸ(n)=1
5*d mod 120=1
d=((ɸ(n)*i)+1)/e …………… where i=0 to 9
d=((120*4)+1)/5=481/5=69
d=96
Public key={e,n}={5,143}
Private key={d,n}={96,143}
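The quantities in this question, and the three signature-verification steps listed under digital certificates (message digest decryption, digest evaluation, digest comparison), are carried through below in Python as an added example; it is not code from the original notes. The modulus 143 and the exponents 7 and 5 come from the question; trial division, the extended Euclidean algorithm and the signing routine are standard textbook methods, and the SHA-256 digest is reduced modulo n only because the toy modulus is far too small for real use. Running it shows that gcd(5, 120) = 5, so e = 5 is not an acceptable public exponent for this modulus, and that the private exponent matching the given public key e = 7 is d = 103 (7 * 103 = 721 = 6 * 120 + 1).

```python
import hashlib
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, phi):
    """d = e^-1 mod phi; only exists when gcd(e, phi) == 1."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError(f"e={e} is not invertible modulo {phi} (gcd={g})")
    return x % phi


def factor_modulus(n):
    """Trial division: fine for the toy modulus in the question, nothing larger."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def exponent_is_valid(e, phi):
    return 1 < e < phi and gcd(e, phi) == 1


def rsa_parameters(n, e):
    """p, q, phi(n) and d for a given modulus and public exponent."""
    p, q = factor_modulus(n)
    phi = (p - 1) * (q - 1)
    return {"p": p, "q": q, "phi": phi, "d": modinv(e, phi)}


def digest_int(message, n):
    # Toy reduction: the hash is cut down to fit a two-digit modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, d, n):
    """Signer: encrypt the message digest with the private key."""
    return pow(digest_int(message, n), d, n)


def verify(message, signature, e, n):
    # Step a, message digest decryption: apply the public key to the signature.
    recovered = pow(signature, e, n)
    # Step b, digest evaluation: hash the received message the same way.
    expected = digest_int(message, n)
    # Step c, digest comparison.
    return recovered == expected
```

`rsa_parameters(143, 7)` returns p = 11, q = 13 (the factors in ascending order), phi = 120 and d = 103; `modinv(5, 120)` raises because the inverse does not exist. A signature altered by even one unit fails to verify, since exponentiation modulo n is a permutation and a different signature can never decrypt to the same digest.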
Difference between SSL and IPSec protocols 5M
No. | SSL | IPSec
1 | SSL stands for secure socket layer. | IPSec stands for internet protocol security.
2 | SSL protocol operates between the application and transport layers. | IPSec protocol operates at the network layer.
3 | SSL protocol provides confidentiality, integrity and authentication (availability). | IPSec protocol provides integrity and authentication (availability).
4 | SSL protocol provides protection to the browser. | IPSec provides secret level security at the internet network layer.
5 | Protocols of SSL: Handshake protocol, Record protocol, Alert protocol | IPSec has two modes: Transport mode, Tunnel mode