CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in

CYBER SECURITY PRIMER
CYBER SECURITY PRIMER
A brief introduction to cyber security for students who are new
to the field.
Network outages, data compromised by hackers, computer
viruses and other incidents affect our lives
in ways that range from inconvenient to life-threatening. As the
number of mobile users, digital
applications and data networks increase, so do the opportunities
for exploitation.
WHAT IS CYBER SECURITY?
Cyber security, also referred to as information technology
security, focuses on protecting computers,
networks, programs and data from unintended or unauthorized
access, change or destruction.
WHY IS CYBER SECURITY IMPORTANT?
Governments, military, corporations, financial institutions,
hospitals and other businesses collect,
process and store a great deal of confidential information on
computers and transmit that data across
networks to other computers. With the growing volume and
sophistication of cyber attacks, ongoing
attention is required to protect sensitive business and personal
information, as well as safeguard
national security.

During a Senate hearing in March 2013, the nation's top
intelligence officials warned that cyber attacks
and digital spying are the top threat to national security,
eclipsing terrorism.
CYBER SECURITY GLOSSARY OF TERMS
Learn cyber speak by familiarizing yourself with cyber security
terminology.1
Access −
The ability and means to communicate with or
otherwise interact with a system, to use system
resources to handle information, to gain
knowledge of the information the system
contains or to control system components and
functions.
Active Attack −
An actual assault perpetrated by an intentional
threat source that attempts to alter a system, its
resources, its data or its operations.
Blacklist −
A list of entities that are blocked or denied
privileges or access.
Bot −
A computer connected to the Internet that has
Information Assurance −
The measures that protect and defend
information and information systems by
ensuring their availability, integrity and
confidentiality.
Intrusion Detection −

The process and methods for analyzing
information from networks and information
systems to determine if a security breach or
security violation has occurred.
Key −
The numerical value used to control
cryptographic operations, such as decryption,
encryption, signature generation or signature
verification.
Malware −
http://www.umuc.edu/cybersecurity/about/#
been surreptitiously/secretly compromised with
malicious logic to perform activities under the
remote command and control of a remote
administrator.
Cloud Computing −
A model for enabling on-demand network
access to a shared pool of configurable
computing capabilities or resources (e.g.,
networks, servers, storage, applications and
services) that can be rapidly provisioned and
released with minimal management effort or
service provider interaction.

Critical Infrastructure −
The systems and assets, whether physical or
virtual, so vital to society that the incapacity or
destruction of such may have a debilitating
impact on the security, economy, public health
or safety, environment or any combination of
these matters.
Cryptography −
The use of mathematical techniques to provide
security services, such as confidentiality, data
integrity, entity authentication and data origin
authentication.
Cyber Space −
The interdependent network of information
technology infrastructures, that includes the
Internet, telecommunications networks,
computer systems and embedded processors
and controllers.
Data Breach −
The unauthorized movement or disclosure of
sensitive information to a party, usually outside
the organization, that is not authorized to have
or see the information.
Digital Forensics −
The processes and specialized techniques for
gathering, retaining and analyzing system-
related data (digital evidence) for investigative
purposes.
Enterprise Risk Management −
A comprehensive approach to risk management

that engages people, processes and systems
across an organization to improve the quality of
decision making for managing risks that may
hinder an organization's ability to achieve its
objectives.
Software that compromises the operation of a
system by performing an unauthorized function
or process.
Passive Attack −
An actual assault perpetrated by an intentional
threat source that attempts to learn or make use
of information from a system but does not
attempt to alter the system, its resources, its
data or its operations.
Penetration Testing −
An evaluation methodology whereby assessors
search for vulnerabilities and attempt to
circumvent the security features of a network
and/or information system.
Phishing −
A digital form of social engineering to deceive
individuals into providing sensitive
information.
Root −
A set of software tools with administrator-level
access privileges installed on an information
system and designed to hide the presence of the
tools, maintain the access privileges and
conceal the activities conducted by the tools.
Software Assurance −

The level of confidence that software is free
from vulnerabilities, either intentionally
designed into the software or accidentally
inserted at any time during its lifecycle, and
that the software functions in the intended
manner.
Virus −
A computer program that can replicate itself,
infect a computer without permission or
knowledge of the user and then spread or
propagate to another computer.
Whitelist −
A list of entities that are considered trustworthy
and are granted access or privileges.
International Journal of Computer and Information Technology
(ISSN: 2279 – 0764)
Volume 02– Issue 06, November 2013

www.ijcit.com 1029
Malware Detection from a Virtual Machine
Correlating Unusual Keystrokes, Network Traffic, and
Suspicious Registry Access
Nathaniel Amsden
Department of Computer Science
Sam Houston State University
Huntsville, TX, USA
Cihan Varol
Department of Computer Science
Sam Houston State University
Huntsville, TX, USA
Email: cxv007 {at} shsu.edu
Abstract—Current anti-virus malware detection methods focus
on signature-based methods. Recent research has introduced
new, effective methods of malware detection. First, recent

research including cloud-based monitoring and analysis, joint
network-host based methods, feature ranking, machine learning
and kernel data structure invariant monitoring are reviewed.
Second, virtual machine based malware detection is proposed.
This method combines network traffic analysis through
keystroke analysis and registry anomaly detection to detect
malware. It correlates suspicious network activity with
suspicious
registry accesses in order to detect malware with a higher
confidence and lower false positives.
Keywords-keystroke analysis; malware detection; registry
analysis; traffic analysis; virtual machine
I. INTRODUCTION
Current home and corporate malware detection primarily
focus on anti-virus signature-based methods. Recent research
in the field of malware detection has introduced new methods
such as cloud-based analysis, machine learning, joint network-
host methods and feature ranking. One network-host based
method involves analyzing keystrokes to determine when
malware is attempting a network connection. Registry anomaly
detection utilizes machine learning to compare registry changes
against a normal baseline to detect malicious changes. Both
setups are computationally expensive, but, if improved, could

be implemented in a virtual machine set up.
Virtual machines (VM) have been used in a variety of
malware detection projects. VMs separated from the host
operating system (OS) offer a level of protection from malware
trying to subvert anti-virus programs. Also, as VMs are
separated from the host OS, a client-server relationship
between the two can be established. This eliminates the need
for a second computer in solutions requiring a client-server set
up. Lightweight OSs running in a virtual machine decrease host
system resource requirements, run faster, and are potentially
more secure than normal-sized OSs.
Running keystroke analysis and registry anomaly detection
programs in a virtual machine protect them from malware and
offer additional advantages. The VM can be trimmed down,
using the bare minimum of required resources and components
to successfully run the detection solution without harming
performance. In this research, we propose correlating
suspicious network traffic generated by unusual keystrokes
with suspicious registry accesses in order to detect malware
with a higher degree of accuracy and with a lower false
positive rate.
II. EXISTING ALGORITHMS
A. Detection of kernel-level invariants
Kernel data structures are often modified by rootkits in an
attempt to hide their execution from detection methods. Kernel
data structures include control data such as the system call
table, jump tables and function pointers. They also include
non-control data such as linked lists used for bookkeepi ng and
pseudorandom number generators. Gibraltar [1] automatically
generates kernel data structure integrity specifications known

as data structure invariants. Invariants are properties that must
hold for the lifetime of the data structure. Gibraltar’s inference
phase creates a baseline of the kernel data structures. During
the rootkit detection phase, invariants are compared against
the baseline. Any deviation is assumed to indicate the
presence of a rootkit. Gibraltar resides on an external
computer and captures snapshots of the target system’s kernel
memory via an external PCI card and reconstructs the kernel
data structure. It utilizes Daikon, an invariant inference tool, to
infer invariants on the kernel data structures. Gibraltar
successfully detected 23 of 23 rootkits during experiments.
Benchmarking utilities determined Gibraltar added a one-
half percent runtime monitoring overhead, a very minimal
amount. It successfully detected rootkits that modified both
control and non-control data structures with an average
detection time of twenty seconds. Gibraltar works well in a
client-server setting. One server running Gibraltar can manage
malware detection on multiple clients.
Gibraltar has downsides as well. It requires a second,
observer computer to monitor the target computer. Gibraltar
cannot be deployed on the target computer. It also has a long
startup time. It requires twenty five minutes to take snapshots
of kernel memory followed by thirty one minutes to infer
invariants. This is a total of fifty six minutes every time the
target computer boots up before Gibraltar is ready to monitor it.
However, the researchers determined invariant inference can be
completed in parallel while the system takes the next snapshot
(ISSN: 2279 – 0764)

www.ijcit.com 1030
of kernel memory. Gibraltar also infers 236,444 or more
invariants. Each of these invariants is very precise. There
currently is no way to group the invariants together e.g. broader
rules that encompass multiple invariants. The invariants are not
portable and are system-specific. Each target must be analyzed
every time the system boots. False invariants may be inferred
and refined to reduce spurious alerts. Gibraltar also cannot
detect transient attacks, that is, rootkits that modify an invariant
and revert it back between kernel snapshots.
B. Cloud based malware detection
Cloud anti-virus servers [2] offer enhanced detection of
malware. Cloud servers require an analysis engine to scan for
malware. Multiple anti-virus programs and detection
algorithms can be loaded on the cloud server. A forensics
archive serves as a database with which the analysis engi ne
compares malware against. Client computers require an
isolated host that interfaces to the cloud server and the system
memory or physical disk. An isolated host agent environment
allows the host to send requests and provides direct access to
host storage. Two prototypes are proposed. The first is based
on the Intel Active Management Technology (AMT) combined
with the Intel vPro. The second is based on a Virtual Memory
Monitor.
Cloud-based anti-virus servers reduce the amount of
storage and computational resources required on the client due
to the fact no anti-virus resources must be installed on the
client. It simplifies management of signature files, as only the
information on one computer, the server, must be configured.
Also, since servers are typically more powerful than individual

workstations, more advanced, sophisticated and
computationally expensive heuristics can be employed to
determine threat profiles.
Disadvantages include the fact that host agents still require
mechanisms to detect and prevent agents that have been
disabled or subverted. The first prototype based on Intel AMT
uses a blacklist approach. Only 192KB of a blacklist can be
stored. This is a very small amount of storage for an ever -
increasing amount of malware. Scan frequency is also low.
Additionally, attackers can compromise the host operating
system or the virtual machine monitor itself, thereby
circumventing the detection mechanisms.
C. Joint network-host based malware detection
Joint network-host based malware detection with
information theoretic tools [3] detects deviations from a
behavioral model baseline derived from a benign data profile.
A baseline of keystrokes is determined against which data is
compared. This algorithm analyzes perturbations in the
distribution of keystrokes used to create network connections.
Keystroke entropy increases and session-keystroke mutual
information decreases when an endpoint is compromised by
self-propagating malware. If both host and network features
are correlated, malware detection is increased. The last input
from a keyboard or mouse hardware buffer is correlated with
every new network session. Only outgoing unicast traffic is
analyzed, as firewalls block incoming traffic.
This algorithm attains an almost one hundred percent
detection rate with a low false-positive rate. Instead of
comparing malware to known signatures, it works based on
behavioral analysis. This allows the algorithm to detect
previously unknown malware.

Joint network-host based malware detection can be
defeated by mimicry attacks. Malware utilizing mimicry
attacks hide its traffic in benign traffic. This effectively hides
its network traffic from the detection system allowing it to
avoid detection. Ill-defined security policies and user
privileges pose problems for this detection system. Malware
can circumvent the policies and exploit user privileges,
allowing it to gain system level privileges and disable the
detector.
D. System function call analysis
Rather than employing traditional reverse engineering or
debugging techniques, this algorithm extracts malware
behavior by observing all system function calls [4]. It controls
various parameters of a sandboxed virtual execution
environment and analyzes the interaction of malware on the
system. It computes similarities and distances between
malware behaviors in order to classify malware behaviors. A
phylogenetic tree, a type of branching diagram, tracks
evolution of malware features and implementations. It shows
inferred relationships between entities based upon similarities
and differences in characteristics.
This method requires research and analysis work to be
performed on known malware before the algorithm can be
employed against suspected malware. Malware must first be
introduced to the virtual machine sandbox environment for
analysis and classification. Once malware has been classified
and the phylogenetic tree built, unknown executables can be
compared against the tree. Zero-day exploits can be detected
based on similar operating characteristics.
E. Feature ranking and machine learning
Computer virus detection can be enhanced via feature

ranking and machine learning [5]. This is a combination of the
information gain and voted perceptron detection methods. Test
and training data are fed into a portable executable (PE)
parser. The PE parser extracts windows API calls and converts
them into thirty two bit global IDs as features of the training
data. Features are then selected based on the information
theoretical concept of entropy. The distinguishing power of
each feature is then derived by computing its information gain
(IG) based on frequencies of appearances in the malicious
class and the benign class. A voted perceptron classifier
constructs the malware detection classifier. This model was
tested with known malware downloaded from an online
malware database.
Test results demonstrated a ninety nine percent true
positive rate, a ninety nine percent detection rate and a ninety
nine percent precision rate. These rates are four to nine percent
higher than analysis using either the information gain or voted
perceptron respectively.
(ISSN: 2279 – 0764)
www.ijcit.com 1031
The algorithm must first be trained and fed test data to
build a sample signature database of called APIs. However,
once built, it could detect zero-day malware based on similar
API calls and behavioral analysis. As signatures are added to
the database, the system learns and increases its detection
capabilities.

F. Registry anomaly detection
Analyzing registry changes facilitates malware detection
[6]. Creating a baseline of normal registry changes allows the
algorithm to compare registry changes against that baseline.
Anything out of the ordinary, e.g. malicious, triggers an alert.
The Registry Anomaly Detector (RAD) requires three
components. These components include a Registry Basic
Auditing Model (RegBAM), a Model Generator, and an
Anomaly Detector.
The RegBAM monitors registry reads and writes. Initially,
this data is fed into a database for the model generator. After
the baseline registry changes model is created, the RegBAM
feeds data into the anomaly detector.
The model generator takes data gathered by the RegBAM
and builds a normal usage model. This model represents
normal registry usage and can be easily distributed to new
machines. This is especially desirable in a large IT enterprise
where standard desktop configurations are the norm. Normal
registry usage should be similar from computer to computer.
The anomaly detector receives live data from the
RegBAM. The detector compares data to the normal usage
model and generates a score based on the anomalies in the
registry. A user-defined threshold signifies when the anomaly
detector should trigger an anomalous event.
One disadvantage is the amount of traffic generated by
registry reads and writes. The researchers measured a load of
approximately 50,000 registry accesses per hour. The three
RAD components can be configured on different machines.
The downside to this approach is the increase in network
traffic. The tradeoff is network traffic vs. host machine

resources.
III. METHODOLOGY
A. Bell-LaPadula model for the host and virtual machine
The foundation of this solution lies in the ability to modify
a virtual machine to directly access the host operating system.
Virtual machines are currently completely separated from the
host OS and have no direct access to its internals. Allowing
VMs to directly monitor the host OS is an area of on-going
research.
The host and virtual machine shall follow the Bell-
LaPadula security model [7]. The virtual machine shall be
designated a higher security level than the host it resides on.
The host shall follow the simple security property, i.e. the host
shall not read up to a higher security level, the VM. The VM
shall follow the star property, i.e. the VM shall not write down
to a lower security level, the host. We caveat this by explicitly
specifying which data the host may write up to the VM. The
host shall only feed network packets to the VM for analysis.
All other writes to the VM from the host shall be disallowed.
Four components, shown in figure 1, comprise the solution.
This includes a network traffic monitor, a keystroke analyzer,

a registry anomaly detector, and a correlator. The VM shall
read keystrokes and registry changes on the host machine.
The details of these components will be discussed in Sections
III.C - III.E.
Figure 1. Four components of the malware detection
scheme.
Figure 2 below describes data flow between the virtual
machine, the host OS, and applications running on the host.
Label 1 shows network traffic. The host sends network traffic
to the virtual machine for analysis and correlation. This data is
then sent back out through the host’s network adapter, as the
VM contains only a virtual network adapter. The VM does not
write any data to the host. Label 2 shows keystroke and
registry data flowing to the VM. This data is read from the
host by the VM and is not written to the VM by the host.
Figure 2. System data flow.
Host OS
Apps VM
1 2
Network
Adapter

Registry
Anomaly
Detector
Network
Traffic
Monitor
VM
Correlator
Keystroke
Analyzer
(ISSN: 2279 – 0764)
www.ijcit.com 1032
B. Virtual machines to guard malware detection systems
Malware developers usually create their software with
stealth in mind. Avoiding detection by antivirus programs,

users, and administrators is key. For this reason, malware
authors employ a variety of methods to hide their malicious
programs. Malware can subvert and disable anti-virus
programs and other malware detection methods. It is important
to protect anti-malware programs from malware. If malware
fails to detect the anti-malware programs, it cannot disable
them.
Virtual machines add a level of protection to security
solutions. Programs running in a virtual environment are not
detectable by anything on the host operating system. The only
thing the host OS knows is a virtual machine is running. Any
malware that infects the host machine will not be able to
attack programs running in the VM.
What does this mean for anti-malware programs? Running
anti-malware in a VM prevents any malware that infects the
host machine from undermining the anti-malware software. As
long as the VM is not infected, malware detection programs
will run. Additionally, if VMs directly monitor host internals
without installing any software on the host, malware cannot
block, terminate, or otherwise disable software the anti-
malware solutions depend on. All software resides in the VM.

Secondly, VMs are typically large and resource intensive.
Creating a trimmed down, lightweight VM will consume less
host processing power and memory. Only the bare minimum
of drivers and services needed to run the VM and the four
detection components are required. Non-essential elements
must be removed. In addition to consuming fewer resources,
removing components creates a more secure environment.
Fewer components mean less vulnerability.
Multiple lightweight operating systems (including
Windows and Linux) that can run in a VM have been created.
One example is Damn Small Linux (DSL), a 50mb Linux
installation. DSL requires a minimal amount of processor and
memory resources. However, DSL contains unnecessary
packages, such as Pac Man, that can be removed. Several
lightweight Windows installations have been created. nLite
allows the user to trim down a Windows installation disk,
customizing the installation so only selected components are
installed.
Additionally, research has shown trusted virtual machine
monitors can boot individual programs into separated,
individual virtual machines [8]. These VMs boot directly into
the program, without any user interfaces or shells.
C. Correlating keystrokes to network connections in a virtual
machine
Of the four components in this solution, correlating
keystrokes to network connections requires two of the
components. A network traffic analyzer and a keystroke
monitor are required. As described in [3], keystrokes are
correlated to corresponding network traffic. Their solution
uses a joint network-host based approach. We propose feeding
network traffic through the virtual machine for analysis and

correlation before transmission to the internet.
Virtual machines and their host share a virtual network as
shown in Figure 3 below.
Figure 3. Virtual network between a VM and the host.
Remember in Figure 2 that network traffic flows from the
host to the virtual machine. We specifically state that all
network traffic must flow through the virtual machine before
transmission to the internet. Outbound packets can be
forwarded to the VM for analysis by the network traffic
monitor. Once routed through the network traffic monitor, the
packets are sent to their intended destination.
The second component of this portion is the keystroke
analyzer. The keystroke analyzer resides on the VM and
requires direct access to the host. It reads down to the host to
monitor keystrokes. Each keystroke shall be logged and stored
for correlation to a network packet. The solution described in
[3] correlates the keystrokes and packets through the use of
timestamps. Timestamps are more important when the
monitors reside in the VM. The generated packets will retain
the same timestamp. Additional delay between the VM and
host may cause keystroke timestamps to be slightly later than
the actual time. Careful testing of timing is necessary to
determine timing delays introduced by the components being
inside a virtual machine. It is possible that the additional time
for the network packets to arrive at the network traffic monitor
could result in it being correlated to the wrong keystroke.
D. Monitoring the host registry from a virtual machine
The third component of this solution is the registry
anomaly detector. The authors of [6] propose storing the

system behavior model in the registry. This allows the RAD to
monitor the baseline model, securing it from malicious
changes. The training data gathered for the model comprised
500,000 records, which, when added to the registry, would
greatly increase the size. Moving the RAD to a virtual
machine would keep the host registry at a normal size, while
retaining the desired security.
The main requirement is to directly access the host OS’s
registry. The RAD proposed in [6] allows the components to
Host
Network
Adapter
VM
Virtual Switch
(ISSN: 2279 – 0764)
www.ijcit.com 1033
be split among systems, with, at a minimum, the RegBAM
remaining on the computer being monitored. We propose
putting all components in the virtual machine and allowing the
RegBAM direct access to the host’s registry.

Additionally, the RegBAM needs to be modified to include
timestamps. Each registry read or write requires an associated
timestamp. The RAD works in real time to detect registry
changes, but all changes require a timestamp to allow
correlation with suspicious network traffic.
E. Putting it all together
We propose correlating suspicious network traffic with
suspicious registry accesses. The probability of detecting
malicious software will increase while simultaneously
lowering false positive rates through correlation of potentially
malicious traffic and potentially malicious registry accesses. If
a suspicious network connection is made following an unusual
keystroke corresponds to a recent abnormal registry access,
the likelihood of malware activity increases. Both components
showed high success rates of detection. Correlating both to
each other will further increase detection rates and confidence.
A lower confidence registry access when correlated to a
suspicious network connection may signify the presence of
malware that would otherwise fall below detection thresholds.
The RAD, keystroke analyzer, and network traffic monitor
looks for specific portions or products of the host. The final
component of the virtual machine is the correlator. The
correlator works in two parts. As shown in Figure 4, the
algorithm consist of two main parts in VM. The first part
correlates keystrokes to network traffic. The second part
correlates results of part one with output from the RAD.
Figure 4. High Level Design Diagram
The authors of [3] already correlate keystrokes with
network traffic. Due to the fact the components are in a VM,
the algorithm will most likely need to be modified to account

for timing delays as information is transferred to the virtual
machine. Timestamps from suspicious registry accesses will
be correlated to network traffic and keystrokes. The correlator
can be triggered by either a suspicious RAD report or a
suspicious network traffic report. Once triggered, it polls the
other for recent activity with a similar timestamp. Reports are
analyzed and a confidence assigned based on how malicious
the activity appears.
IV. CONCLUSION
Recent advances in non-signature-based malware detection
have proven effective in research and testing. We have shown
how virtual machines can be used to provide a secure
environment for anti-malware solutions, helping to protect
them from malware that attempts to disable or otherwise harm
detection methods. We expand upon the work of [3], [6], and
[7] to correlate suspicious network traffic generated by unusual
keystroke patterns with suspicious registry accesses. By
correlating these together, we theorize a resulting higher
detection rate with a lower amount of false positives.
V. FUTURE WORK
We plan further research to support and test our hypotheses.
A key component of future research is to create a connection
between the host operating system and the virtual machine.
This connection needs to act as a diode, allowing the virtual
machine to monitor the host’s registry and keystrokes, but
disallowing all interaction with the VM initiated by the host.
We need to trim down a virtual machine to determine the best
balance between host performance and algorithm speeds. The
more we trim the virtual machine and its operating system, the
more efficient the host should run, but the longer it may take
our solution to process.

We also plan to gather data regarding actions of malware.
We intend to find out the percentage of malware that generates
network traffic and the percentage of malware that modifies the
registry. This information will allow us to calculate the overall
improvement in the ability to detect malware by correlating
network traffic with registry accesses.
Timestamps and network delay need additional research.
By running our solution in a virtual machine, we’d like to find
the answer to see if there are any timing delays introduced that
may cause the wrong keystrokes to be correlated to network
packets? We also intend to determine timing correlation
between malicious registry changes and start of network traffic
flow.
REFERENCES
[1] A. Baliga, V. Ganapathy, and L. Iftode, “Detecting kernel -
level rootkits
using data structure invariants,” IEEE Transactions on
Dependable and
Secure Computing, vol. 8, no. 2, pp. 670-685, Sept-Oct, 2011.
[2] C. Rozas, H. Khosravi, D. K. Sunder and Y. Bulygin,
“Enhanced
detection of malware,” Intel Tech. Jour., vol. 13, no. 2, pp. 6-
15, Jun,
2009.
[3] S. Khayam, A. Ashfaq and H. Rahda, “Joint network-host
based
malware detection using information-theoretic tools,” Jour.
Compute.
Virology, vol. 7, no. 2, pp. 159-172, May, 2011.

[4] G. Wagener, R. State and A. Dulaunoy, “Malware behaviour
analysis,”
Jour. Compute. Virology, vol. 4, no. 4, pp. 279-287, Nov, 2008.
[5] A. Altaher, S. Ramadass and A. Ali, “Computer virus
detection using
features ranking and machine learning,” Australian Jour. Basic
&
Applied Sciences, vol. 5, no. 9, pp. 1482-1486, 2011.
[6] F. Apap, A. Honig, S. Hershkop, E. Eskin and S. Stolfo,
“Detecting
malicious software by monitoring anomalous windows registry
accesses,
5th International Symposium on Recent Advances in Intrusion
Detection,
Zurich, Switzerland, 2002.
(ISSN: 2279 – 0764)
www.ijcit.com 1034
[7] D.E. Elliot and L. J. LaPadula, “Secure computer systems: a
mathematical model,” MITRE Corp., Bedford, MA, Tech. Rep.
2547,
May 31, 1973.
[8] T. Garfinkle, B. Pfaff, J. Chow, M. Rosenblum and D.
Boneh, “Terra: a
virtual machine-based platform for trusted computing,” 19th

Symposium
on Operating Systems Principles, Bolton Landing, NY, 2003,
pp. 193-
206.
A Comprehensive Study of Phishing Attacks
Dr. M. Nazreen Banu
S. Munawara Banu
Professor, Department of MCA
Assistant Professor, Department of IT
M.A.M College of Engineering
Jamal Mohamed College(Autonomous)
Tiruchirappalli
Tiruchirappalli
Abstract- Now a days one of the highly used techniques to
pursue online stealing of data and to do fraudulent transactions
is phishing. Phishing is a form of online identity theft that aims
to steal sensitive information such as online passwords and
credit card information. It is affecting all the major sectors of
industry day by day with a lot of misuse of user credentials. To
stop phishing many detection and prevention techniques has
been made with their own advantages and disadvantages
respectively, but phishing has not been eradicated completely
yet. In this paper , we have studied phishing and its types in

detail and reviewed some of the phishing and anti phishing
techniques.
Keywords- Phishing, Anti-phishing, Malware, Web
spoofing.
I. INTRODUCTION
Phishing is a form of online identity theft that aims to steal
sensitive information such as online passwords and credit
card information[1]. Phishing attacks use a combination of
social engineering and technology spoofing techniques to
persuade users into giving away sensitive information that the
attacker can used to make financial profit. Normally phishers
hijack a banks web pages and send emails to the victim in
order to trick the victim to visit the malicious site in order to
collect the victim bank account information and card number.
The information flow is depicted in Fig 1.
Fig 1: Information Flow in phishing
A complete phishing attack involves the roles of phisher.
Firstly mailers send out large number of fraudulent e-mails
which directs uses to fraudulent websites. Secondly collector
set up fraudulent websites which actively prompt users to
provide confidential information. Finally cashers use the
confidential information to achieve a payout. Goal of this
paper is to present on extensive overview of the phishing
attacks. The paper is organized as follows. The section II will
have an outline of the types of phishing. The section III deals
with the theoretical aspects of the phishing techniques. The
section IV describes the categories of anti-phishing
techniques. Finally conclusion given in section V.

II. TYPES OF PHISHING
Phishing has spread beyond e-mail to include VOIP, SMS,
Instant messaging, social networking sites and even
multiplayer games. Below are some major categories of
phishing.
A. Clone phishing
Clone phishing is a type of phishing attack where hacker
tries to clone a web site that is victim usually visits. The
clone web site usually asks for login credentials, mimicking
the real websites. This will allow the attackers to save these
credentials in a text file, database record on his own server,
then the attacker redirects his victim to the real websites as a
authenticated user[2]. Fig 2 depicts how the hackers clone the
face book profiles.
Fig 2: Clone phishing in Facebook profiles
B. Spear phishing
Spear phishing targets at specific group. So instead of
casting out thousands of e-mails randomly spear phishers
target selected groups of people with something in
common[3]. For example, people from same organisation.
Spear phishing is represented in Fig 3.
M. Nazreen Banu et al, / (IJCSIT) International Journal of
Computer Science and Information Technologies, Vol. 4 (6) ,
2013, 783-786
www.ijcsit.com 783

Fig 3: Spear phishing
C. Phone phishing
This type of phishing refers to messages that claim to be
form a bank asking users to dial a phone number regarding
problems with that bank accounts. SMS phishing is a
variation for phone phishing. The end-users receives sms
telling him that he has successfully subscribed to a service[4].
If he wants to unsubscribe the service he should visit the
website now the end users visit the websites and provide
sensitive information. Fig 4 represents how an attacker gets
the user details from the user by SMS.
Fig 4: Phone phishing
D. DNS-Based Phishing (Pharming)
Pharming is an attack aiming to redirect a website traffic
to another bogus site. Pharming interfere with the resolution
of domain name to an IP address so that domain name of
genuine web site is mapped onto IP address of rogue
website[6]. DNS based phishing is depicted in Fig 5.
Fig 5: DNS Based phishing
If we are typing the domain name www.barclays.co.uk in
the address bar, it is redirected to www.google.co.uk. It is
shown in the following Fig 6.
Fig 6: Website redirection

E. Man-in-the-middle-attack
A man-in-the-middle attack often refers to an attack in
which an attacker secretly intercepts the electronic messages
given between the sender and receiver and then capture,
insert and modify message during message transmission[7].
A man-in-the-middle attack uses Trojan horses to intercept
personal information. It is shown in Fig 7.
Fig 7: Man-In-The-Middle Attack
III. THEORETICAL ASPECTS OF PHISHING TECHNIQUES
Various techniques are developed to conduct phishing
attacks. The phishing techniques are described as follows.
A. Email spoofing
Email spoofing is used to make fraudulent emails appear
to be from legitimate senders so that recipients are more
likely to believe in the message and take actions according to
its instructions. Email spoofing is possible because Simple
Mail Transfer Protocol does not include an authentication
mechanism. To send spoofed emails sender inserts commands
in headers that will alter message information[5]. It is
possible to send a message that appears to be from anyone
anywhere saying whatever the sender wants it to say. Fig 8
shows the example for e-mail spoofing.
2013, 783-786
www.ijcsit.com 784

Fig 8: Email Spoofing
B. Web spoofing
A Phisher could forge a website that looks identical to a
legitimate website so that the victims may think this is the
genuine site and enter the personal information which is
collected by the phisher. Web spoofing creates a shadow
copy of the World Wide Web[8]. The shadow copy is
funnelled through attackers’ machine. Fig 9 shows how does
the attacker work.
Fig 9: Web spoofing
Modern web browsers have built in security indicators
that can including domain name highlighting and HTTPS
indicators as shown in Fig 10. They are often neglected by
careless users. Modern web browsers display a padlock icon
when visting an HTTPS web site of Hyper Text Transfer
Protocol and HTTPS, Transport Layer Security, provides
encryption and identification through public key
infrastructure.
Fig 10: Padlock icon in HTTPS
Web browsers examined the certificate presented by the
web browser. The certificate considered as invalid if any of

the following situations occurs, the certificate is expired, the
certificate is not signed by root CA, the certificate is revoked
by CA otherwise the website host name does not match the
subject name in the certificate. Fig 11 shows the warning
message provided by web browsers. At this moment the
browser display a warning and the address bar would turn
red.
Fig 11: Certificate Verification
C. DNS Cache Poisoning
DNS cache poisoning attempts to feed the cache of local
DNS resolves with incorrect records. DNS runs over UDP
and easy to spoof the source address of the UDP packet[9].
For example, attacker wants his IP address returned for a
DNS query, when the resolver ask NS1.google.com for
www.google.com. The attacker could reply first, with its own
IP. Fig 12 shows the DNS poisoning attacks.
Fig 12: DNS Cache poisoning
D. Malware
Malware is a software used to distrupt computer operation
gather sensitive information. It can appear in the form of
code, scripts, active content and other software. Malware
includes viruses, worms, trojan horses, key loggers, spyware,
adware. Client security products are able to detect and
remove malware and other potentially unwanted programs.
But phishers can make malware undetectable[10]. Key
strokes, screen shots, clipboard contents and program

activities can be collected and send this information to
phishers by e-mail, ftp server or IRC channel. Malware
detection is represented in Fig 13.
2013, 783-786
www.ijcsit.com 785
Fig 13: Malware Warning
IV. ANTI-PHISHING TECHNIQUES
AntiPhish is based on the premise that for inexperienced,
technically unsophisticated users, it is better for an
application to attempt to check the trustworthiness of a web
site on behalf of the user. Unlike a user, an application will
not be fooled by obfuscation tricks such as a similar sounding
domain name[11]. AntiPhish is an application that is
integrated into the web browser that is depicted in Fig 14. It
keeps track of a user’s sensitive information and prevents this
information from being passed to a web site that is not
onsidered “trusted”.
Fig 14: Anti-phishing integration in Browser
In general anti-phishing techniques can be classified into
following four categories[12].

Content Filtering- In this methodology ontent/email are
filtered as it enters in the victim’s mail box using machine
learning methods, such as Bayesian dditive Regression Trees
or Support Vector Machines.
Black Listing- Blacklist is collection of known phishing Web
sites/addresses published by trusted entities like google’s and
Microsoft’s black list. It requires both a client & a server
component. The client component is implemented as either
an email or browser plug-in that interacts with a server
component, which in this case is a public Web site that
provides a list of known phishing sites.
Symptom-Based Prevention- Symptom-based prevention
analyses the content of each Web page the user visits and
generates phishing alerts according to the type and number of
symptoms detected.
Domain Binding- It is an client’s browser based techniques
where sensitive information is bind to a particular domains. It
warns the user when he visits a domain to which user
credential is not bind.
V. CONCLUSION
Phishing attacks are still successful because of many
inexperienced and unsophisticated internet users. The last
years have brought a dramatic increase in the number and
sophistication of such attacks. This paper provides a broad
survey of various phishing types which are used by attackers
to steal the sensitive information. This study clearly shows
that phishing techniques enables the attackers to steal the
information efficiently. Our future work is to compare
various types of anti-phishing techniques and choose the best
one for further research.

REFERENCES
[1] Antonio San Martino, Xavier Perramon, “Phishing Secrets:
History,
Effects, and Countermeasures”, International Journal of
Network
Security, Vol.11, No.3, PP.163–171, Nov. 2010.
[2] Clone Phishing - Phishing from Wikipedia, the free
encyclopedia,
http://en.wikipedia.org/wiki/Phishing
[3] Bimal Parmar, Faronics, “Protecting against spear-
phishing”,
http://www.faronics.com/assets/CFS_2012-01_Jan.pdf
[4] Phone spoofing From Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Phishing#Phone_phishing
[5] Email spoofing From Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Email_spoofing
[6] John, “ DNS-Based Phishing Attack in Public Hotspots”
[7] Mattias Eriksson, “An Example of a Man-in-the-middle
Attack Against
Server Authenticated SSL-sessions”
[8] Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S.
Wallach,
“Web Spoofing: An Internet Con Game”
[9] Joe Stewart, “DNS Cache Poisoning – The Next
Generation”
[10] Malware from Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Malware

[11]Engin kirda, Christopher Kruegel, “Protecting users against
Phishing
attacks”, The Computer Journal Vol. 00, No. 0, 2005
[12] Gaurav, Madhuresh Mishra, Anurag Jain, “ Anti-Phishing
Techniques:
A Review”, International Journal of Engineering Research and
Applications ISSN: 2248-9622, Vol. 2, Issue 2,Mar-Apr 2012,
pp.350-
355
2013, 783-786
www.ijcsit.com 786
International Journal of Computer Trends and Technology
(IJCTT) – volume 7 number 1 – Jan 2014
ISSN: 2231-2803 www.internationaljournalssrg.org
Page 52
Aligning Cloud Computing Security with Business Strategy
Hany Mohamed Hassan El-Hoby 1, Mohammed A. F. Salah 2,
Prof. Dr. Mohd Adam Suhaimi3
1(Information System,, ICT/ IIUM, Malaysia),
2(IS, ICT/ IIUM, Malaysia),
3(IS, ICT/ IIUM, Malaysia)

ABSTRACT : These days, the technological
growth in the IT sector is rapid. Cloud computing
is also one of the new technologies that have both
benefits and limitations. This paper gives an
overview of how cloud computing can be helpful
for an enterprise. It emphasizes on how cloud
computing can be adopted in the IT sector. The
paper also discusses the security issues of cloud
computing. This article also highlights the issue of
data leakage in this technology which face the
cloud computing clients. The authors have
designed a model to solve this issue through data
isolation. A business value will be achieved
through the proposed model by aligning the cloud
computing security with the business strategy and
increase the security procedures to verify the
authenticated users through the virtual system.
Keywords -: Aligning Business/ IT goal, cloud
computing, security, Privacy.
1. introduction
Because of serious market competition and a
considerably modifying company environment,
cloud computing is considered as an important area
for IT. The goal of the practice of computing and
that is to make better use of information technology
resources, and combine them together to achieve
the increase in production and be able to deal with
various issues calculation [1]
From a business perspective, companies
are progressively trying to move the business

processes and to integrate them with the current
information system (IS) programs and construct an
application based on the internet technologies to
exchange with trading associates. [2]
The provider must ensure that customers
can continue to have the same protection and
privacy management over their applications and
services to ensure that their organization and
customers are protected and they can meet their
service-level agreements, and show how they can
prove compliance to their auditors.
The authentication system seeks to
increase the confidentiality of security providers.
The Virtualization refers to virtual process that are
used to simulate physical resources. Thus great
benefit can be derived from cloud computing
systems.
Cloud computing is a growing technology
that can provide customers with all kinds of
accessible alternatives, such as channels, tools, and
applications.
This paper proposes a Trusted Platform to
ensure accuracy and confidentially in Cloud
Computing Security Platform (CCSP) aligned with
business strategy.
1. BACKGROUND
1.1. Cloud computing concept
The cloud computing is a kind of service

provider that offers all of the application delivered
as a service through the Internet and the hardware
and software that may be located in the data center.
Cloud computing is a new model that provides
computing resources with services and applications
soft distributed systems and data storage [1].
1.2. Business Factors in Cloud Computing:
The potency factors of cloud computing ensure
a competitive advantage and system agility in
business [3].
A business value will be gained from the
following factors which will be achieved through
the cloud computing service provider.
1.2.1. The business factors of cloud computing:
a- Agility and Competitive Edge:
Level to which enhanced agility in
working with competitive markets and customer
requirements allowed alignment with cloud.
International Journal of Computer Trends and
Technology(IJCTT) – volume 7 number 1 – Jan 2014

b- Cost-Benefits:
Level to which financial concerns allowed
alignment with cloud.
c- Executive Involvement of Business
Organization(s):
Level to which contribution of senior
managers from business enterprise allowed
alignment with cloud.
d- Executive Involvement of Information
Systems Organization:
Extent to which contribution of senior
managers from internal information systems of the
organization allowed alignment with cloud.
e- Organizational Change Management:
To which extent business change
management procedures allowed alignment with
cloud.
f- Participation of Client Organizations:
Level to which government or industry
regulating requirements allowed alignment with
cloud
g- Regulatory Requirements:

To which level government or industry
regulating requirements allowed alignment with
cloud.
h- Strategic Planning:
To which level business planning allowed
alignment with cloud. [4].
1.3. Threats, Vulnerabilities and Risks in Cloud
Computing:
Bisong mentioned the risks related with the
cloud processing systems, which may appear as
listed below [5]:
1- Cloud computing resources and components
can be used through the unauthorized access
2- Malicious attacks which may appear from
internally
3- The risk which related with shared
information technology systems and IT
resources
4- Data can face some trouble such as data loss,
leakage and manipulation
5- Data manipulation, leakage and loss.
6- User account hijacking

2. Literature review
2.1. Issues to Clarify Before Adopting Cloud
Computing:
Before adopting cloud computing there are
some issue should be considered:
2.1.1. User Access:
Administrators who have privileges to
control the information in the cloud computing
environment should follow the companies hiring
rules and policies.
2.1.2. Regulatory Compliance:
The organization or the company have to
be sure that the security certification and external
audits are needed to be submitted by the cloud
service provider.
2.1.3. Data location:
Cloud computing service provider need to
follow the organization request in storing the data
in specific locations and these location have to

follow the current state rules.
2.1.4. Isolating the data:
Organization should take care about the
data isolation and have to investigate if the
encryption methods are applied and work
effectively.
2.1.5. Disaster Recovery:
Organization has to be sure that data
recovery plan is already active for recovering data
and information and how long of time it will take
in case of disasters.
2.1.6. Long-term Viability:
Ask potential suppliers how you would
get your data back if they were to don't succeed or
be obtained, and discover out if the data would be
in a structure that you could quickly transfer into an
alternative program.

Page 54
2.2. Cloud Security Requirements:
The security architecture of the cloud is
established after the construction of the security
policy in the cloud. The creation of the cloud
security architecture should be directed by the
security policy. Some of the security requirements
for the cloud architecture are listed below:[15]
a. Network Time Protocol by synchronizing
at the same time helps in the correct
working of systems and gives reliable
system information records. Clock
divergence between system and computers
are resulting in errors which may be
difficult to identify.
b. The cloud users should be managed and
verified in agreement with the lawful
requirements and the policies. For
example, if the system is compromised in
the future, the historical information of the
user login can be helpful for further
investigations.
c. The access to the cloud infrastructure can
be narrow and limited by identifying the
user information through the access
control action. Thus, accessing the client’s

data and information by the cloud staff
should be limited and restricted.
d. Security staff should deliver the important
security alerts on time. So, by identifying,
analyzing and investigation these alerts
the other related security incident can be
controlled. Cloud computing service
provider can avoid the critical security
incidents by providing specialized systems
for intrusion detection. So, by installing
these systems in the cloud service it will
be applied automatically to the cloud
users.
2.3. Security Standards and Policies:
There are a lot of resources are available to
help in the enhancement of information security
standards and polices. These policies and standards
should be analyzed when significant changes
happen in the company or in the IT environment
[4].
a. Different people should be granted the
roles and responsibilities. Also the policy
should be granted the techniques on how
to execute the investigation reporting.
b. All infrastructure components, servers,
switches, software configuration, and
network configurations back up have to be

taken care of.
c. Initial and regular testing should be
documented.
d. To follow the encryption standard an
accepted cryptography algorithms with a
key needed to be used
e. Quality of acceptable password should
meet the Criterions Comply.
2.4. Steps to Cloud Security:
Organizations need to understand the security
vulnerability that might be appeared through using
the services of cloud computing. By following the
steps below enterprises will understand the security
paradigm provided by the cloud computing service
provider [5],[14]:
a. Understand the cloud
By recognizing how the security of the data
received by the cloud can be impacted through the
cloud’s loose structure. This can be achieved by
looking inside the cloud deeply and knowing the
way of transferring data and managing data which
done by cloud service.
b. Demand Transparency.

By ensure that the cloud computing service
provider is ready to provide information by detailed
about the security architecture and the cloud
provider is prepared to be ready to consent frequent
security audit. The frequent protection audit should
be conducted by a separate body or government
organization.
c. Reinforce Internal Security.
By ensure that internal protection technologies
and techniques containing firewalls and user access
Page 55
controls of the cloud computing service provider
are powerful and capable with the measurements of
cloud security.
d. Consider the Legal Implications:
Understanding how the information
transmitted to cloud is going to be impacted by the
rules.
e. Pay attention:
Regularly get the new updates in the
technology of cloud computing and examine how it

will affect and influence the security of the data.
2.5. What is the challenges in security of cloud
computing and how to handle it:
The challenges of cloud computing are
very big. The cloud architecture faced more threats.
Like internal and external threats on cloud
environments on cloud providers.
ti-Tenancy
On one hand, the cloud provider develops its
protection to fulfill at a higher risk customer, and
all the customers of low risk and then get better
protection than they would have. On the other
hand, a customer may come in contact with a
higher level of exterior threat because of the
business practices of the other subscribers [6].
When you are dealing with information technology
within an organization, the threat is mostly for the
organization alone to bear.
Centers
Theoretically, a cloud computing environment
should be less prone to mishaps because suppliers

can offer an environment that is distributed
geographically. And organizations should
participate in the cloud computing services that do
not require geographically dispersed provider to
initiate the study regularly disaster recovery plan
and work. [7]
If the software as a service provider of
infrastructure needs, it may be best to get those
infrastructure of infrastructure as a service
provider, rather than build it [8]. And thus is
designed layers service provider cloud by SaaS
layers on top of IAAS. In this type of multi level
order of the service provider, shares of each of the
risk of security problems because the threat may
have effects on all parties in all classes.
We inform to every client, the coding had
followed by protected practices in the cloud
provider [7]. Also, you must write all the code
using a technology standard that is documented and
can be demonstrated on the client.
Must have a cloud computing project the
ability to map the structure of the framework of
policies to protect customers must comply with,
and to discuss this issue. At a minimum, the data
should be secured under consideration. Cloud

provider needs also to be a strategy that feed the
costumer protection occurrence protection policy to
deal with any data leakage that can happen
[9].
2.6. The major Technology of cloud computing
security:
The factors below are supported by
Natural Science Foundation of Shandong
Province of China (2011)[8]
2.6.1. Trusted Access Control
Researchers have more concerned in cloud
computing modules, so It can not completely trust
the service providers. So, how we can implement
access control with object data access control with
non-traditional. Which means to obtain more
attention, and which are depend on encryption
techniques to manage and easy access, and include:
focused on the establishment of key hierarchy and
strategy to provide management technique for the
disabled; standards-based encryption feature, based
on proxy re-encryption method and access
Page 56

management technology shrub ensures that the key
username or revision and so on.
2.6.2. Retrieval and Processing of the Cipher-
text
Some features will be lost when data goes
into cipher text, as a result of the data analysis
technique failure. There are many techniques of
cipher text to recovery: Depending on the mode
index of security and protection through the
development of the revision index search phrases,
retrieves keyword index exists, this approach will
compare every word and confirm if there are the
keywords, and their own statistics.
The design of cryptographic secret which
depend on homomorphic algorithm. In the
beginning of the eighty decade, the
homomorphism was suggested from a variety of
add or algorithm homomorphism beating , but it
turned out the existence of a safety problem , and
Follow-up in the event of an interruption in, and
there is still a long distance Practically.[8]
2.6.3. Protection of data privacy
The data life cycle have concerned about
data privacy protection on the cloud on each level.
In the phase of the data generation and
computation, the central information , flow control

and distinctive privacy protection technology had
integrated by Roy, and it has come up with system
of privacy, prevented leakage of the Illegality data
privacy in the process of computing calculations,
and supported the density as a result of the expense
by the automatic addition. Mowbray said, Privacy
and management tools based on the client, and the
introduction of confidence-centric model used to
help users to control data storage and use of
sensitive information on the cloud.
Munts Mulero shows, Privacy
technologies treatment of pre-existing, which
containing anonymous, as anonymity, and
processing data, that there is a massive problem
will be facing, when data had published, and some
existing solutions. Rankova proposed, Search
provided by Interactive Data Search Engine
anonymous. It can make the search an interactive
database with each other, and they need to get
aspects, while ensuring that the query search was
not known on the versus side.
2.6.4. Virtual Technology
Solution
Virtual solution is one of the best

techniques to distinguish the cloud computing
services. Cloud computing model depends on
virtual technology solution on cloud architecture
by cloud providers to introduce a security and
isolation data to his customers.
Isolation actuators provides by Santhanam
based on virtual machines under the grid
environment security and performance provides by
Raj with realize separation by two of the resource
management techniques. first, distribution of basic
with cache level, Second, Partitioned cache with
page of dyeing.
The writers supports Wei in his insight
about the security problem in virtual technology
image file. Because of it's have a high level of
integrity. It's assist to solve many problems i.e.
access control, security breach, source tracking,
filtering and it's easy to detect data from
attacking.[8]
2.6.5. Trusted technology

Trusted solution has become a big matter
into cloud environment where provide IaaS
trustworthy manner, nowadays trust has become a
hot environment of research because of a lot of
security issues.
Santos suggested TCCP of cloud
computing platform trustworthy. It provides a box-
type environment, the implementation of closed
based on this platform, IAAS service provider
ensures confidentiality of the guest virtual systems
running. In addition, IAAS service provider of
secure service introduced to allows the user to start
by virtual machine. Trusted hardware and software
has provided by trusted computing technology.
Sadeghi believes that trusted design the credibility
of the symbolic software, under Security briefing
model authentication, It is under non-disclosure of
any information, as well as it's proving itself a
credible method. it can be perform various
functions to be data confidentiality and integrity

Page 57
with sensitive operation as data encryption. to
solve outsourcing of data. [8].
3. Problem statement:
There are many problems and challenges
face the cloud computing providers and the cloud
clients. Therefore, data have to be isolated to avoid
data leakage.
This paper suggests that to protect cloud
computing, the service providers should secure data
first. overall, companies should defending their
information, it is very important to classify their
data to know what guidelines they must adhere to
secure them:

levels.
need. Different design in cloud offers
various levels of business.
ation and
procedures to move to the cloud. [9]
4. Research model:
The model suggests that cloud computing
facility should be created by the service providers
by incorporating the requirements of the business.
To co-create value for sustainability, organizations
need to take a more extensive view of the
surroundings in which it competes. There is a need
for the corporation to make and sustain resource
alignment abilities that allow collaborating firms to
develop “solution” to business problems that
customers will value (Teece, 2010)[11].

Cloud system structure used to convey the
Iaas include software and hardware habitant in the
cloud. Although there are several perspectives, they
all share the same core elements, namely: People,
Procedures and Technology. Organizations of all
sizes across nearly every industry are investigating
new ways to address their business. Cloud
computing provides many alternatives to the
problems had faced.
The authors have developed a conceptual
framework for co-creation of value for business.
The dynamic ability value co-creation framework
should involve of the following capabilities:
-Side Security abilities
lities
(Access Control)

(Fig 1. Framework for Co-creation of Value on IT
Business in cloud computing)
Data will be stored in the cloud which has built
in a distributed environment with others data client.
As the enterprises are moving delicate data, it have
to be ensured that the data can only be used by
authorized persons showing proper authentication
so the data remains safe from any unauthorized
users.
4.1. The proposed model:
The proposed model provide universal service to
the customers, with a high level of trust to be
trustworthy on the customers. like,
o Client-Side Security abilities:
A successful protection against strikes needs both a
protected customer and a secure Website

infrastructure. The Browsers was be an important
element in a cloud environment. Because of plug-
ins and extensions for them are disreputable for
their security issue [12]. Moreover, many web
Page 58
browser add-ons do not offer automatic up to dates
that increases vulnerabilities.
o Virtual System Security capabilities:
Virtualization systems consist of switches and
hubs on network, that is configured as part of the
virtual environment. they have the ability to create
software which allow VMs to connect directly

immediately and efficiently effectively “For
example, VMware virtual network infrastructure
that supports the same networks that host subnet is
created especially for VMS does not require access
to the external network”. Security protection
devices can not noticeable the traffic over
networks, such as matching attack network-based
and firewall protection. This model provide or
avoid a lack of protection against attacks to
services providers in cloud computing, by create
virtual network to make duplication of the actual
protections. [12].
o Authentication:
Most of cloud service providers endure the
(SAML) Security Assertion Markup Language and
use it to manage customers and verify previously
so offering accessibility to platforms and
information. SAML introduce techniques for data
exchange, such as motivation regarding on a matter
or verification information among participating
websites [10].

o Access Control:
Besides documentation, required the ability to get
privileges to users and maintain control over
access to resources as well, as part of the identity
management. Criteria such as language and access
control extensible Markup (XACML) can be used
to control access to cloud resources, rather than
using the interface property service provider.
XACML concentrates on the procedure for
reaching at permission resolutions, which enhances
SAML’s focus on the means for shifting
verification and permission resolutions among the
entities involved. XACML is able to managing
Service Interfaces property for most suppliers, and
some cloud companies, such Amazon.com and
Google Apps. This is already in position. Messages
was be attacked when it passed among XACML
entities because of his vulnerable and it is harmful
by third parties, Which makes it important to be
safety scales in position to protect resolutions
demands and permission resolutions from potential
offensives, through illegal detection, replay,

removal and adjustment [12].
o Data Isolation:
This model proposed data isolation to keep
database integration and safety from outside attack
or illegal users. This tool working with the
structure of virtual system to get users a factual
system after the access control stage was done.
This techniques means to keep data away from
illegal users, by encryption. even customers, finish
his own process to buy from the cloud portal. After
the system analyze the entities records from client
to inform on this is a real purchase. Then the
system moved from virtual system to a real one to
make the business process are safety. So the system
can book a goods and up-date the database
repository.
4.2. Cloud Goals in this model:
These goals will be accomplished through a
cloud investment strategy:

- Reduce the costs to subscribers companies.
- Introduce another IT solutions through the
virtual system to confirmed best practice
procedures
- Improved client satisfaction through to make
duplication of the actual protections.
- Standards authentication and guidance
- Improved performance
- Improved the services abilities
- Make a business value
4.3. Business Processes:
A business procedure is a organized set of
activities developed to generate a particular
outcome or accomplish a goal. This implies a high
emphasis on how work is performed within an

Page 59
organization, in contrast with the product approach
in which the emphasis is on what is created.
Therefore, the procedure is a specific sequence of
perform activities through time and area, with a
beginning, an end, and clearly assign inputs and
outputs
4.4. Business/It alignment in cloud security
model:
A relational procedure that enable both IT
people and business to achieve their liabilities in
endure of business/IT alignment to create value
from information technology to inform business

investments. [13]
(Figure 2, Business/IT goals)
The authors said, the results of the model was
thorough understanding of the goals of information
technology and business goals and how to connect.
This paper contains detailed findings on how the
goals of information technology can support
business goals. Figure 2, shows in a matrix how the
goals of information technology are relevant to
business goals. For example, the IT goal “Make
sure that IT services are available and secure” does
prop all business goals in a primary (P) or a
secondary manner (S). And IT goal “Accomplish
proper use of applications, information and
technology solutions” does prop all business goals
in a secondary (S) manner. And the IT goal
“Improve IT's cost-efficiency” does prop some
business goals in a primary manner (P). [13].

The outcomes of this paper provide authentic
guidance. The writers focus in the correlation
between the security problem and the trust to
enhance build up business goals and the goals of
information technology for a particular enterprise
and this way you get the best participate in the
business/IT alignment issue.
5. Conclusion:
This model attempt to permitted by a
virtualization part will provide a provide
duplication of the actual protections to make a
better market and a safety environment. The system
appliances will help simplify this conversion.
Cloud computing, in synchronism with
virtualization software to keep data far from illegal
users, and will also create new business designs
that will enable providers to offer a single product
on the premises, on demand, or in a hybrid
deployment pattern. While it is necessary to begin
understanding the new characteristics that will
begin to appear to offer application and

components to end customers.
From author’s perspective, to protect cloud
computing, the service providers should secure data
first. Overall, companies should defending their
information, and then protected the infrastructure.
In this aria, the authors developed model to kept
data from leakage and secure it on cloud
computing.
6. Acknowledgements:
We would like to thank our Prof. Dr.
Mohd Adam Suhaimi for his kind assistant
and great contribution in this research.
7. References
1- Armbrust, M., Fox, A., Griffith, R., Joseph, A. D.,
Katz, R., Lee, G., Patterson, D., Rabkin, A., Stoica,
I., Konwinski, A., & Zaharia, M., (2010). A view of
Cloud Computing. Communications of the ACM, 53

(4), 50-58.
Page 60
2- Low, C., Chen, Y., & Wu, M. (2011). Understanding
the determinants of cloud computing adoption.
Industrial Management & Data Systems, 111(7),
1006–1023.
3- Barber, H. H., Lawler, J., Desai, S., & Joseph, A.
(2012). A Study of Cloud Computing Soft ware-as-a-
Service (SaaS) in Financial Firms. Education special
interest group of the AITP, 5(2205), 1–14.
4- Joseph, A., Kim, P., & Wu, P. (2013). Information
Systems Applied Research Special Issue: Cloud
Computing In this issue, 6(3), 1–33.

5- Bisong, A. (2011). AN OVERVIEW OF THE
SECURITY CONCERNS IN, 3(1), 30–45.
6- Wang, C., Chow, S. S. M., Wang, Q., Ren, K., &
Lou, W. (2013). Privacy-Preserving Public Auditing
for Secure Cloud Storage. Institute of Electrical and
Electronics Engineers (IEEE), 62 (2), 1–12.
7- Wang, C., Wang, Q., Ren, K., & Lou, W., (2009).
Ensuring data storage security in Cloud Computing.
International Workshop on Quality of Service, 1–9.
8- Ming, T., & Yongsheng, Z., (2012). Analysis of
Cloud Computing and Its Security. Information
Technology in Medicine and Education (ITME), 1,
379–381.
9- Hamouda, S., (2012). Security and privacy in cloud
computing. Cloud Computing Technologies,
Applications and Management (ICCCTAM),
241–245.
10- Zissis, D., & Lekkas, D., (2012). Addressing cloud
computing security issues. Future Generation

Computer Systems,28(3),583–592.
11- Teece, D. J. (2010). Business Models, Business
Strategy and Innovation. Long Range Planning,
43(2-3), 172–194.
12- Jansen, W. a., (2011). Cloud Hooks: Security and
Privacy Issues in Cloud Computing. Hawaii
International Conference on System Sciences, 1–10.
13- Van, G. W., & De, H. S. (2008). Enterprise
governance of information technology: Achieving
strategic alignment and value. New York: Springer.
14- Edwards, J. (2009). Cutting through the fog of cloud
security. Computerworld. Framingham: 43, (8), 3-26
15- Francis, T., & Vadivel, S. (2012). Cloud computing
security: Concerns, strategies and best practices.
Cloud Computing Technologies, Applications and
Management (ICCCTAM), 205–207.
Cybersecurity Paper 1Local DiskEvernote ExportCybersecurity

Paper 2Cybersecurity Paper 3Cybersecurity Paper 4
EVENT
PROBABILITY
SEVERITY = (MAGNITUDE + MITIGATION)
HUMAN
IMPACT
PROPERTY
IMPACT
BUSINESS
IMPACT
PREPARED-
NESS
INTERNAL
RESPONSE

EXTERNAL
RESPONSE
Likelihood this
with occur
Possibility of
death or injury
Physical losses
and damages
Interruption of
services
Preplanning
Time
effectiveness,
resources
Community/
mutual aid staff
and supplier

Relative
Threat§
SCORE
0 = N/A
1 = Low
2 = Moderate
3 = High
0 = N/A
1 = Low
2 = Moderate
3 = High
0 = N/A
1 = Low
2 = Moderate
3 = High
0 = N/A
1 = Low
2 = Moderate
3 = High

0 = N/A
1 = Low
2 = Moderate
3 = High
0 = N/A
1 = Low
2 = Moderate
3 = High
0 = N/A
1 = Low
2 = Moderate
3 = High
0–100%
Mass Casualty Incident
(trauma)
Terrorism, Biological
Mass Casualty Incident
(medical/infectious)
Fuel Shortage
Natural Gas Failure
Water Failure

Sewer Failure
Steam Failure
Fire Alarm Failure
Communications Failure
Medical Vacuum Failure
HVAC Failure
Information System Failure
Fire, Internal
Hazmat Exposure, Internal
AVERAGE SCORE
OSHA (n.d.). Hazard and Vulnerability Assessment Tool:
Technological
Events. OSHA Best Practices for Hospital-based First
Receivers.)
HAZARD AND VULNERABILITY ASSESSMENT TOOL |
TECHNOLOGIC EVENTS
(example of format used with a complete threat list)
RISK = PROBABILITY + SEVERITY
§Threat increases with percentage.

External Sender. Be aware of links, attachments and requests.
Sent from my T-Mobile 5G Device
Get Outlook for Android

External Sender. Be aware of links, attachments and requests.
Sent from my T-Mobile 5G Device
Get Outlook for Android
1
Data Breaches
Chapter
Extension 14
ce14-2
Study Questions
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c

.
Q1: What is a data breach?
Q2: How do data breaches happen?
Q3: How should organizations respond to data breaches?
Q4: What are the legal consequences of a data breach?
Q5: How can data breaches be prevented?
2
ce14-3
Q1: What is A Data Breach?
.
• Data breach
– Unauthorized person views, alters, or steals secured data

• 1+ billion people affected in past 5 years, 75% of breaches
happened in US
• Average cost of a single data breach $3.5 million
• Average costs per stolen record
Healthcare ($359), Pharmaceutical ($227 Communications
industries ($177)
Education ($294) Financial ($206)
ce14-4
Costs of Handling a Data Breach
Direct Costs
• Notification
• Detection
• Escalation
• Remediation

• Legal fees and
consultation
Indirect Costs
• Loss of reputation
• Abnormal customer
turnover
• Increased customer
acquisition activities
• Additional $3.3 million
per incident in US
.
3
ce14-5

What Are the Odds?
• More likely to lose smaller amounts of data than larger
amounts
of data
22% chance of losing 10,000 records over any 24-month
period
.
ce14-6
Well-known Data Breaches
.
4
ce14-7

Why Do Data Breaches Happen?
• 67% are hackers trying to make money from:
– Personally identifiable information (PII)
numbers, credit card numbers, health records, bank
account numbers, PINs, email addresses
• Rogue internal employees
• Credit card fraud, identity theft, extortion, industrial
espionage
.
ce14-8
Q2: How Do Data Breaches Happen?
• Attack vectors
– Phishing scam
– Trick users into donating funds for a natural disaster

– Exploit new software vulnerability
.
5
ce14-9
Hitting Target
• Lost 40 million credit and debit card numbers to attackers
(Dec.
18, 2013)
• Less than a month later, announced additional 70 million
customer names, emails, addresses, phone numbers stolen
– Total 98 million customers affected
• Stolen from point-of-sale (POS) systems at Target retail stores
.

ce14-10
How Did They Do It?
.
6
ce14-11
The Damage
• Attackers sold about 2 million credit card numbers and PINs
for
about $26.85 each (total $53.7 million)
• Sold in batches of 100,000 card numbers
• Cost Target $450 million
– Upgraded POS terminals to support chip-and-PIN enabled
cards

– Increased insurance premiums, legal fees, credit card
processors
settlement, pay for consumer credit monitoring, regulatory fines
– Lost sales, 46% drop in next quarter revenues
.
ce14-12
Collateral Damage
• Credit unions and banks
– Spent more than $200 million issuing new cards
• Consumers
– Enrolled in credit monitoring, continually watch their credit,
and fill out paperwork if fraudulent charges appear on
statements
• Increased insurance premiums, stricter controls, and more
system auditing for organizations similar to Target

.
7
ce14-13
Q3: How Should Organizations Respond
To Data Breaches?
• Respond Quickly
– Stop hackers from doing more damage
– Immediately notify affected users
• Plan for a Data Breach
– Walkthroughs, business continuity planning, computer
security incident response team (CSIRT)
.

ce14-14
Q3: How Should Organizations Respond
To Data Breaches? (cont'd)
• Get experts to perform an effective forensic investigation
• Identify additional technical and law enforcement
professionals
needed
• Be honest about the breach
.
8
ce14-15
Best Practices for Notifying Users of a Data
Breach

.
ce14-16
Q4: What Are The Legal Consequences of a Data
Breach?
.
9
ce14-17
Regulatory Laws Govern the Secure Storage
of Data in Certain Industries
• Federal Information Security Management Act (FISMA)
– Requires security precautions for government agencies
• Gramm-Leach-Bliley Act (GLBA), a.k.a., Financial Services

Modernization Act
– Requires data protection for financial institutions
• Health Information Portability and Accountability Act
(HIPAA)
– Requires data protection for healthcare institutions
• Payment Card Industry Data Security Standard (PCI DSS)
– Governs secure storage of cardholder data
• Family Educational Rights and Privacy Act (FERPA)
– Provides protection for student education records
.
ce14-18
Q5: How Can Data Breaches Be Prevented?
• Use countermeasures software or procedures to prevent an
attack
• Better phishing detection software

• Better authentication (i.e., multifactor authentication
• Network intrusion detection system (NIDS) to examine traffic
passing through internal network
• Data loss prevention systems (DLP) to prevent sensitive data
from being released to unauthorized persons
.
10
ce14-19
Q5: How Can Data Breaches Be Prevented?
(cont'd)
• Appoint a chief information security officer (CISO) to ensur e
sufficient executive support and resources
.

1
Information Security Management
Chapter 10
10-2
Study Questions
.
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?

Q5: How can technical safeguards protect against security
threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
this chapter help you?
2
10-3
Q1: What Is the Goal of Information Systems
Security?
.
10-4

Examples of Threat/Loss
.
3
10-5
What Are the Sources of Threats?
.
10-6
What Types of Security Loss Exists?
.
• Unauthorized Data Disclosure
– Pretexting

– Phishing
– Spoofing
– Drive-by sniffers
– Hacking & Natural disasters
4
10-7
Incorrect Data Modification
.
• Procedures incorrectly designed or not followed
• Increasing a customer’s discount or incorrectly modifying
employee’s salary

• Placing incorrect data on company Web site
• Improper internal controls on systems
• System errors
• Faulty recovery actions after a disaster
10-8
Faulty Service
.
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors

• Usurpation
• Denial of service
(unintentional)
• Denial-of-service attacks
(intentional)
5
10-9
Loss of Infrastructure
.
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employee

• Natural disasters
• Advanced Persistent Threat (APT1)
– Theft of intellectual property from U.S. firms
10-10
Goal of Information Systems Security
.
• Appropriate trade-off between risk of loss and cost of
implementing safeguards
• Use antivirus software
• Deleting browser cookies (Worth it?)
• Get in front of security problems by making appropriate
trade-offs

6
10-11
Q2: How Big Is the Computer Security Problem?
.
10-12
Computer Crime Costs by Attack Type
.
7
10-13
Ponemon Study Findings (2014)

.
• Malicious insiders increasingly serious threat
• Business disruption and data loss principal costs of computer
crime
• Negligent employees, personal devices connecting to
corporate network, use of commercial cloud-based applications
pose significant security threats
• Security safeguards work
• Ponemon Study 2014
10-14
Q3: How Should You Respond to Security
Threats?
.
Personal
Security

Safeguards
Intrusion detection system (IDS)
8
10-15
Security Safeguards and the Five Components
.
10-16
So What? New from Black Hat 2014
.
• Educational forum for hackers, developers, manufacturers, and
government agencies

• Briefings on how things can be hacked
• Show how to exploit weaknesses in hardware, software,
protocols, or systems from smartphones to ATMs
9
10-17
Keynote Speaker Recommendations
.
1. Mandatory reporting of security vulnerabilities
2. Software makers liable for damage their code causes after
abandoned or users allowed to see it
3. ISP liable for harmful, inspected content
4. “Right to be forgotten” - appropriate and advantageous

5. End-to-End Encrypted Email
10-18
Hacking Smart Things
.
• Automobile wireless features and poor internal systems
architecture allow hackers to access automated driving
functions through features like car’s radio
• Control hotel lights, thermostats, televisions, and blinds in
200+
rooms by reverse-engineering home automation protocol called
KNX/IP
• 70% smart devices use unencrypted network services, 60%
vulnerable to persistent XSS (cross-site scripting), and weak
credentials
10

10-19
Q4: How Should Organizations Respond to
Security Threats?
.
• Senior management creates company-wide policies:
– What sensitive data will be stored?
– How will data be processed?
– Will data be shared with other organizations?
– How can employees and others obtain copies of data stored
about them?
– How can employees and others request changes to inaccurate
data?
• Senior management manages risks
10-20
Q5: How Can Technical Safeguards Protect

Against Security Threats?
.
11
10-21
Technical safeguards
.
• Identification and authentication
– Smart Cards
– Biometric authentication
• Single sign-on for multiple systems
• Encryption
– Symmetric encryption
– Asymmetric encryption

- special version
10-22
Essence of https (SSL or TLS)
.
12
10-23
Use of Multiple Firewalls
.
Packet-filtering Firewall
10-24
Malware Types and Spyware and Adware

Symptoms
.
• Viruses
13
10-25
Malware Safeguards
.
• Install antivirus and antispyware software

• Scan your computer frequently
• Update malware definitions
• Open email attachments only from known sources
• Promptly install software updates from legitimate sources
• Browse only reputable web sites
10-26
Design for Secure Applications
.
• SQL injection attack
– User enters SQL statement into a form instead of a name or
other data
– Accepted code becomes part of database commands issued
– Improper data disclosure, data damage and loss possible

– Well designed applications make injections ineffective
14
10-27
Q6: How Can Data Safeguards Protect Against
Security Threats?
.
• Data safeguards
• Data administration
• Key escrow
10-28
Q7: How Can Human Safeguards Protect Against
Security Threats?

.
15
10-29
Human Safeguards for Nonemployee Personnel
.
• Temporary personnel, vendors, partner personnel (employees
of business partners), and public
• Require vendors and partners to perform appropriate screening
and security training
• Contract specifies security responsibilities
• Least privilege accounts and passwords, remove accounts as
soon as possible
10-30

Public Users
.
• Web sites and other openly accessible information systems.
– Hardening
eliminate operating systems features and functions not
required by application
– Protect public users from internal company security problems
16
10-31
Account Administration
.

• Account Management
– Standards for new user accounts, modification of account
permissions, removal of unneeded accounts
• Password Management
– Users change passwords frequently
• Help Desk Policies
– Provide means of authenticating users
10-32
Sample Account Acknowledgment Form
.
17
10-33

Systems Procedures
.
10-34
Security Monitoring
.
• Activity logs
– Firewall log
unauthorized access, attempts from within the firewall
– DBMS
– Web servers
• PC O/S produce logs of log-ins and firewall activities

18
10-35
Security Monitoring (cont’d)
.
• Employ utilities to assess their vulnerabilities
• Honeypots for computer criminals to attack
• Investigate security incidents
• Constantly monitor existing security policy and safeguards
10-36
Q8: How Should Organizations Respond to
Security Incidents?

.
19
10-37
How Does the Knowledge in This Chapter Help
You?
.
• Awareness of:
– Threats to computer security as an individual, business
professional, employer
– Risk trade offs
– Technical, data, human safeguards to protect computing
devices and data
– How organizations should respond to security threats
– How organizations should respond to security incidents
– Importance of creating and using strong passwords!

10-38
Ethics Guide: Hacking Smart Things
.
• Unintended risks associated IoT
• 26 billion IoT devices by 2020
• Hackers access automated driving functions through features
like car’s radio
– Via automobile wireless features with poor internal systems
architecture
• Control hotel lights, thermostats, televisions, room blinds by
reverse-engineering home automation protocol (KNX/IP)
20

10-39
Ethics Guide: Hacking Smart Things
.
• Threats to securing home, appliances, your car
– 70% smart devices use unencrypted network services
– 60% vulnerable to persistent XSS (cross-site scripting) and
weak credentials
10-40
Guide: EMV to the Rescue
.
• EMV chip-and-PIN.
• Changes way cards are verified
• Chip verifies authenticity of physical card, PIN verifies

identity of
cardholder
• What EMV can do to protect you?
21
10-41
Case Study 10: Hitting the Target
.
• Lost 40 million credit and debit card numbers
• Less than a month later, announced additional 70 million
customer accounts stolen that included names, emails,
addresses, phone numbers, etc
• 98 million customers affected
– 31% of 318 million in US

• Stolen from point-of-sale (POS) systems at Target stores
during
holiday shopping season
10-42
Hitting the Target (cont’d)
.
• Spear-phished third party vendor, Fazio Mechanical Services
• Malware gathered keystrokes, login credentials, screenshots
from Fazio users
• Used stolen login credentials to access vendor server on
Target’s network
• Escalated privileges to gain access to Target’s internal
network
• Compromised internal Windows file server
• Installed malware named Trojan.POSRAM

22
10-43
Hitting the Target (cont’d)
.
• Customer data continuously sent from POS terminals to an
extraction server within Target’s network
• Funneled out of Target’s network to drop servers in Russia,
Brazil, and Miami
• Data sold on black market
10-44
How Did
They Do It?

.
Spearphished
malware to gather
keystrokes, login
credentials,
and screenshots
from Fazio users
Attackers escalated
privileges to gain
access to Target’s
internal network.
Trojan.POSRAM
extracted data
from POS terminals
23
10-45

Damage
.
• Attackers sold about 2 million cards for $26.85 each ($53.7M)
• Target took loss on merchandise purchased using stolen credit
cards
• Costs
– Upgraded POS terminals to support chip-and-pin cards
– Increased insurance premiums
– Paid legal fees
– Settled with credit card processors
– Paid consumer credit monitoring
– Paid regulatory fines
10-46
Damage (cont'd)
.
• Target loss of customer confidence and drop in revenues (46%

loss for
quarter)
• Direct loss to Target as high at $450 million
• CIO resigned, CEO paid $16 million to leave
• Cost credit unions and banks more than $200 million to issue
new cards
• Insurers demand higher premiums, stricter controls, more
system auditing
• Consumers must watch their credit card statements, and fill
out paperwork
if fraudulent charges appear

CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in

More Related Content

Similar to CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in

More from OllieShoresna

Recently uploaded

CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in