

Ques. 1. What is an “information security breach” and what are its common causes?

Ans: Security breach: A breach of security is where a stated organizational policy or legal requirement
regarding information security has been contravened. Any incident which suggests that the confidentiality,
integrity or availability of information has been inappropriately changed can be considered a security
incident. Every security breach begins as a security incident; only once the incident is confirmed does it
become a security breach.
The recent government guides define “security breaches” to include the loss or theft of devices (e.g., laptops
or external drives) and storage media (e.g., disks or USB drives) that happen to contain personal data, even in
the absence of any evidence that the data have been accessed. Breaches are also defined to include
misdirected or undelivered faxes, emails, and parcels, or other errors involving responsible parties who have
no interest in accessing or misusing the data.

Common causes of IT security breaches

Historically, the approach to enterprise security has been to make the fortress bigger and stronger: to install
more products and write more policies. Yet despite heightened security awareness and cutting-edge tools,
2006 was the worst year yet on record for corporate security breaches, continuing the year-on-year escalation
of security risk. The problem is that attackers are as advanced as the defenders, and the attacks don't always
come from the expected direction.

1. Inside job
The fact is that the biggest threat to an organization lies within its boundaries. In its 2006 survey,
“Information Security Breaches,” the DTI and PricewaterhouseCoopers found that 32% of information
security attacks originated from internal employees while 28% came from ex-employees and partners.
Similarly, law enforcement experts in Europe and the US estimate that over 50% of breaches result from
employees misusing access privileges, whether maliciously or unwittingly. So securing the enterprise isn't
just about stopping external threats. It's just as important to contain the threat from hapless or hazardous
employees. One of the key internal threats to corporations is spyware, because it's all too often introduced
without malicious intent, by employees who naively click through a couple of popup browser windows, or
install an unapproved yet ‘cool’ application on the network. The situation isn't helped by the myths that
surround spyware.

2. Myth busting
These are the six most common spyware myths: It's an isolated problem; Blocking at the gateway is good
enough; Locking down the desktop is good enough; Drive-by downloads are a primary source of penetration;
The problem comes from the outside in; No one wants spyware. But the truth of the matter is somewhat
different. Let's look at the real situation that's masked by each myth.
• Most spyware comes in as the direct result of user behavior, whether that user is naive or ill
• Stuff comes in at the desktop all day long. Blocking at the gateway without securing the desktop PC
doesn't make security sense. It's like locking the doors and windows of the house, with the burglar
still in the basement, and not bothering to call the police. What's more, gateway defenses cannot
detect threats already on desktop PCs.
• If “locking down” the desktop and restricting user installation were effective, there would be no need
for antivirus software. Spyware is designed to get around acceptable use policies and exploits users'
inquisitive nature.
• “Drive-by downloads” should never occur in a corporate environment, because they come from sites
that users should not visit at work.
• Sure, spyware comes from outside, because someone opened the door and let it in. Not recognizing
this results in a porous security infrastructure.
• True, no one actually wants spyware, but it comes as part of that cool application that users do want.
So spyware gets installed anyway.

3. Spy trap
So what can companies do to minimize internal threats? First, make a Web filter a required part of the
network security arsenal. This should prohibit users from visiting known spyware and ‘drive-by download’
sites. Second, deploy an effective email filter that blocks spyware from entering the network via active
HTML, attachments, phishing and spam. There also needs to be protection at the desktop to stop spyware as
it's introduced. Finally, implement a solution that disallows running or installing programs that in turn install
spyware. Put simply, to keep the burglar out of the basement, organizations need to remove the ability of
employees to let the burglars in, in the first place. They need to implement tamperproof solutions that users
cannot easily evade, no matter what the external inducements. SurfControl is exhibiting at Infosecurity
Europe 2007, Europe's number one dedicated information security event.

Ques. 2. What are the different kinds of hackers?

Ans: Various kinds of hackers: There are various types of computer hackers, with differing intent. It's
important to know these different types of hackers so we can properly defend our data. The term hacker is
a generic term used to describe attackers; not all of them intend to steal our data. Below is a list of various
types of hackers:

White Hat
A white hat has the skills to break into computer systems and do damage. However, they use their skills to help
organizations. For example, a white hat might work for an organization to test for security weaknesses and
vulnerabilities in the network.

Black Hat
A black hat, also known as a cracker, uses his skills to break into computer systems for unethical reasons. For
example, to steal user data such as usernames and passwords, credit card numbers, and bank information.

Grey Hat
This type can be thought of as a white hat attacker who sometimes acts unethically. They could be employed
as a legitimate network security administrator. But, during this person's duties, he may find an opportunity for
gaining access to company data and stealing that data.

Phreaker
A phreaker is simply a hacker of telecommunications. An example of this is tricking the phone system into
letting you make free long distance calls.

Script Kiddy
A script kiddy is someone who lacks the skills of a typical hacker. They rely on downloading hacking
programs or utilities, sometimes called scripts, to perform an attack.

This is a person with political motivations, such as someone defacing a website and leaving messages on the
hacked site for the world to see.

Computer Security Hacker
This is someone who knows the technical aspects of computer networking and security. This person could
attack a network protected by a firewall or IPS by fragmenting packets.

Academic Hacker
This type is typically an employee or student at an institution of higher education. They would use the
institution's computing resources to write malicious programs.

Hobby Hacker
This is someone who tends to focus more on home computing, such as modifying existing hardware or
software, using software without a license, or unlocking an Apple iPhone.

Ques. 3. Explain the following terms as threat consequences:

Ans: A threat consequence is a security violation that results from a threat action. The following subentries
describe threat consequences, and also list and describe the kinds of threat actions that cause each.
a) Unauthorized Access
Unauthorized access is when a person who does not have permission to connect to or use a system gains
entry in a manner unintended by the system owner. The popular term for this is “hacking”. It can happen in
any number of ways, but usually access is gained via unpatched software or other known vulnerabilities.

b) (Unauthorized) Disclosure
A circumstance or event whereby an entity gains access to data for which the entity is not authorized (data
confidentiality). The following threat actions can cause unauthorized disclosure:
"Exposure"
A threat action whereby sensitive data is directly released to an unauthorized entity. This includes:
"Deliberate Exposure"
Intentional release of sensitive data to an unauthorized entity.
"Scavenging"
Searching through data residue in a system to gain unauthorized knowledge of sensitive data.
"Human error"
Human action or inaction that unintentionally results in an entity gaining unauthorized knowledge of
sensitive data.
"Hardware/software error"
System failure that results in an entity gaining unauthorized knowledge of sensitive data.
"Interception"
A threat action whereby an unauthorized entity directly accesses sensitive data travelling between authorized
sources and destinations. This includes:
"Theft"
Gaining access to sensitive data by stealing a shipment of a physical medium, such as a magnetic
tape or disk, that holds the data.
"Wiretapping (passive)"
Monitoring and recording data that is flowing between two points in a communication system.
"Emanations analysis"
Gaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted
by a system and that contains the data but is not intended to communicate the data.
"Inference"
A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data
contained in the communication) by reasoning from characteristics or byproducts of
communications. This includes:
"Traffic analysis"
Gaining knowledge of data by observing the characteristics of communications that carry the data.
"Signals analysis"
Gaining indirect knowledge of communicated data by monitoring and analyzing a signal that is
emitted by a system and that contains the data but is not intended to communicate the data.
"Intrusion"
A threat action whereby an unauthorized entity gains access to sensitive data by circumventing a system's
security protections. This includes:
"Trespass"
Gaining unauthorized physical access to sensitive data by circumventing a system's protections.
"Penetration"
Gaining unauthorized logical access to sensitive data by circumventing a system's protections.
"Reverse engineering"
Acquiring sensitive data by disassembling and analyzing the design of a system component.
"Cryptanalysis"
Transforming encrypted data into plain text without having prior knowledge of encryption
parameters or processes.

c) Deception
A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
The following threat actions can cause deception:
"Masquerade"
A threat action whereby an unauthorized entity gains access to a system or performs a malicious act by posing
as an authorized entity. This includes:
"Spoof"
Attempt by an unauthorized entity to gain access to a system by posing as an authorized user.
"Malicious logic"
In context of masquerade, any hardware, firmware, or software (e.g., Trojan horse) that appears to
perform a useful or desirable function, but actually gains unauthorized access to system resources or
tricks a user into executing other malicious logic.
"Falsification"
A threat action whereby false data deceives an authorized entity. (See: active wiretapping.) This includes:
"Substitution"
Altering or replacing valid data with false data that serves to deceive an authorized entity.
"Insertion"
Introducing false data that serves to deceive an authorized entity.
"Repudiation"
A threat action whereby an entity deceives another by falsely denying responsibility for an act. This includes:
"False denial of origin"
Action whereby the originator of data denies responsibility for its generation.
"False denial of receipt"
Action whereby the recipient of data denies receiving and possessing the data.

d) Disruption
A circumstance or event that interrupts or prevents the correct operation of system services and functions.
(See: denial of service.) The following threat actions can cause disruption:
"Incapacitation"
A threat action that prevents or interrupts system operation by disabling a system component. This includes:
"Malicious logic"
In context of incapacitation, any hardware, firmware, or software (e.g., logic bomb) intentionally
introduced into a system to destroy system functions or resources.
"Physical destruction"
Deliberate destruction of a system component to interrupt or prevent system operation.
"Human error"
Action or inaction that unintentionally disables a system component.
"Hardware or software error"
Error that causes failure of a system component and leads to disruption of system operation.
"Natural disaster"
Any "act of God" (e.g., fire, flood, earthquake, lightning, or wind) that disables a system component.
"Corruption"
A threat action that undesirably alters system operation by adversely modifying system functions or data.
This includes:
"Tamper"
In context of corruption, deliberate alteration of a system's logic, data, or control information to
interrupt or prevent correct operation of system functions.
"Malicious logic"
In context of corruption, any hardware, firmware, or software (e.g., a computer virus) intentionally
introduced into a system to modify system functions or data.
"Human error"
Human action or inaction that unintentionally results in the alteration of system functions or data.
"Hardware or software error"
Error that results in the alteration of system functions or data.
"Natural disaster"
Any "act of God" (e.g., power surge caused by lightning) that alters system functions or data.
"Obstruction"
A threat action that interrupts delivery of system services by hindering system operations. This includes:
"Interference"
Disruption of system operations by blocking communications or user data or control information.
"Overload"
Hindrance of system operation by placing excess burden on the performance capabilities of a system
component. (See: flooding.)

e) Usurpation
A circumstance or event that results in control of system services or functions by an unauthorized entity. The
following threat actions can cause usurpation:
"Misappropriation"
A threat action whereby an entity assumes unauthorized logical or physical control of a system resource.
This includes:
"Theft of service"
Unauthorized use of service by an entity.
"Theft of functionality"
Unauthorized acquisition of actual hardware, software, or firmware of a system component.
"Theft of data"
Unauthorized acquisition and use of data.
"Misuse"
A threat action that causes a system component to perform a function or service that is detrimental to system
"Tamper"
In context of misuse, deliberate alteration of a system's logic, data, or control information to cause
the system to perform unauthorized functions or services.
"Malicious logic"
In context of misuse, any hardware, software, or firmware intentionally introduced into a system to
perform or control execution of an unauthorized function or service.
"Violation of permissions"
Action by an entity that exceeds the entity's system privileges by executing an unauthorized

f) Snooping
Snooping, in a security context, is unauthorized access to another person's or company's data. The practice is
similar to eavesdropping but is not necessarily limited to gaining access to data during its transmission.
Snooping can include casual observance of an email that appears on another's computer screen or watching
what someone else is typing. More sophisticated snooping uses software programs to remotely monitor
activity on a computer or network device. Malicious users frequently use snooping techniques and equipment
such as key loggers to monitor keystrokes, capture passwords and login information, and to intercept email
and other private communications and data transmissions. Corporations sometimes snoop on employees
legitimately to monitor their use of business computers and track Internet usage; governments may snoop on
individuals to collect information and avert crime and terrorism. Although snooping has a negative
connotation in general, in computer technology snooping can refer to any program or utility that performs a
monitoring function. For example, a snoop server is used to capture network traffic for analysis, and the
snooping protocol monitors information on a computer bus to ensure efficient processing.

Ques. 4. List various passive and active attacks.

Ans: Passive attacks: Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are:

• Release of message contents (Figure 1.a)

A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the contents of these

• Traffic analysis (Figure 1.b)

Suppose that we had a way of masking the contents of messages or other information traffic so that
opponents, even if they captured the message, could not extract the information from the message.
The common technique for masking contents is encryption. If we had encryption protection in place,
an opponent might still be able to observe the pattern of these messages. The opponent could
determine the location and identity of communicating hosts and could observe the frequency and
length of messages being exchanged. This information might be useful in guessing the nature of the
communication that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically,
the message traffic is sent and received in an apparently normal fashion and neither the sender nor receiver is
aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to
prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with
passive attacks is on prevention rather than detection.
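The traffic-analysis point above, that encryption hides contents but not the length or pattern of messages, can be made concrete in a few lines of Python. The example below is added here and is not part of the original answer: a one-time-pad XOR stands in for whatever cipher is in use, the two request strings and the 64-byte record size are constructed for the example, and observed_lengths models what a passive observer on the wire actually learns.

```python
import os

# Constructed sample requests. An observer who cannot read the ciphertext can
# still tell these apart by size alone.
SHORT_REQUEST = b"ACK"
LONG_REQUEST = b"TRANSFER 10000 FROM ACCT-1 TO ACCT-2"
BUCKET = 64  # hypothetical fixed record size chosen for the example


def encrypt_otp(plaintext: bytes) -> tuple[bytes, bytes]:
    """XOR with a fresh random key of equal length (one-time pad). The contents
    are hidden, but the ciphertext is exactly as long as the plaintext."""
    key = os.urandom(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, key)), key


def decrypt_otp(ciphertext: bytes, key: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(ciphertext, key))


def pad_to_bucket(plaintext: bytes, bucket: int = BUCKET) -> bytes:
    """Prefix a 2-byte length, then zero-fill so every record is a multiple of
    `bucket` bytes. Messages in the same bucket become indistinguishable by size."""
    if len(plaintext) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = len(plaintext).to_bytes(2, "big") + plaintext
    return body + b"\x00" * (-len(body) % bucket)


def unpad(padded: bytes) -> bytes:
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def observed_lengths(messages, padded: bool) -> list[int]:
    """What a passive observer sees: only the size of each ciphertext."""
    sizes = []
    for m in messages:
        pt = pad_to_bucket(m) if padded else m
        ct, _ = encrypt_otp(pt)
        sizes.append(len(ct))
    return sizes


def leaks_message_type(messages, padded: bool) -> bool:
    """True when distinct messages remain distinguishable by size alone."""
    return len(set(observed_lengths(messages, padded))) > 1


def roundtrip(message: bytes) -> bytes:
    """Pad, encrypt, decrypt, unpad: confirms padding does not damage the data."""
    ct, key = encrypt_otp(pad_to_bucket(message))
    return unpad(decrypt_otp(ct, key))


if __name__ == "__main__":
    for padded in (False, True):
        print("padded" if padded else "unpadded",
              observed_lengths([SHORT_REQUEST, LONG_REQUEST], padded),
              "leaks type:", leaks_message_type([SHORT_REQUEST, LONG_REQUEST], padded))
```

Padding to a fixed record size only hides length; the frequency of messages and the identity of the endpoints remain visible, which is why the text lists those separately. Hiding them needs cover traffic or an intermediary, not a change to the cipher.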

Active Attacks
Active attacks involve some modification of the data stream or the creation of a false stream and can be
subdivided into four categories:

• Masquerade
A masquerade takes place when one entity pretends to be a different entity (Figure 2.a). A
masquerade attack usually includes one of the other forms of active attack. For example,
authentication sequences can be captured and replayed after a valid authentication sequence has
taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by
impersonating an entity that has those privileges.

• Replay attacks
An attack in which a service already authorized and completed is forged by another "duplicate
request" in an attempt to repeat authorized commands (Figure 2.b).

• Modification of messages
It simply means that some portion of a legitimate message is altered, or that messages are
delayed or reordered, to produce an unauthorized effect (Figure 2.c). For example, a message
meaning “Allow John Smith to read confidential file accounts” is modified to mean “Allow Fred
Brown to read confidential file accounts.”

• Denial of service
The denial of service prevents or inhibits the normal use or management of communications
facilities (Figure 2.d). This attack may have a specific target; for example, an entity may
suppress all messages directed to a particular destination (e.g., the security audit service).
Another form of service denial is the disruption of an entire network, either by disabling the
network or by overloading it with messages so as to degrade performance.

Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult
to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent
active attacks absolutely, because of the wide variety of potential physical, software, and network
vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays
caused by them. If the detection has a deterrent effect, it may also contribute to prevention.

Figure 2. Active Attacks
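Since the text says the emphasis for active attacks is on detection, it helps to see what a receiver actually checks. The Python example below is added here and is not part of the original answer. It exercises three of the four categories (masquerade, replay, and modification of the "Allow John Smith" message) and also illustrates the later remark under Question 5 that packet replay can be prevented by packet time stamping and packet sequence counting. The shared key, the fixed clock value, the 30-second skew window and the message bodies are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example; a deployment provisions one per peer.
SHARED_KEY = b"example-shared-key-constructed-for-demo"
MAX_CLOCK_SKEW = 30  # seconds; hypothetical acceptance window for timestamps


def _canonical(fields: dict) -> bytes:
    # Deterministic encoding so sender and receiver MAC the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, seq: int, body: str, now: float) -> dict:
    """Sender side: attach a sequence number, a timestamp and an HMAC over all three."""
    msg = {"seq": seq, "ts": int(now), "body": body}
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Receiver side: rejects bad MACs (masquerade or modification), timestamps
    outside the window (delayed/stale traffic) and non-increasing sequence
    numbers (replay). Checks run in that order so a forged message never
    advances the sequence counter."""

    def __init__(self, key: bytes, max_skew: int = MAX_CLOCK_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.last_seq = -1

    def accept(self, msg: dict, now: float) -> tuple[bool, str]:
        fields = {k: msg[k] for k in ("seq", "ts", "body") if k in msg}
        if len(fields) != 3 or "mac" not in msg:
            return False, "malformed"
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac (masquerade or modification)"
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if msg["seq"] <= self.last_seq:
            return False, "replay"
        self.last_seq = msg["seq"]
        return True, "ok"


def demo() -> dict:
    """Run the cases from the text against one receiver and return each verdict."""
    now = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    rx = Receiver(SHARED_KEY)
    good = build_message(SHARED_KEY, 1, "Allow John Smith to read confidential file accounts", now)
    results = {"legitimate": rx.accept(good, now)}
    # Modification: the body is rewritten, but the attacker cannot recompute the MAC.
    tampered = dict(good, body="Allow Fred Brown to read confidential file accounts")
    results["modified"] = rx.accept(tampered, now)
    # Replay: the identical valid message is delivered a second time.
    results["replayed"] = rx.accept(good, now + 1)
    # Masquerade: a fresh message built with a guessed key.
    forged = build_message(b"guessed-wrong-key", 2, "Allow Fred Brown to read confidential file accounts", now)
    results["masquerade"] = rx.accept(forged, now)
    # Delay: a genuine message held back for ten minutes before delivery.
    late = build_message(SHARED_KEY, 3, "status request", now - 600)
    results["delayed"] = rx.accept(late, now)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>11}: {verdict}")
```

Denial of service is the one category these per-message checks do not address: a flood of bad messages is rejected correctly but still consumes the receiver's time, which is why the text treats it as a separate problem of detection and recovery.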


Ques. 5. What are the different Security threats & what are their counter measures?

Ans: The object of security is to protect valuable or sensitive information while making it readily
available. Attackers trying to harm a system or disrupt normal business operations exploit vulnerabilities by
using various techniques, methods, and tools. System administrators need to understand the various aspects of
security to develop measures and policies to protect assets and limit their vulnerabilities.

Goal + Method + Vulnerabilities = Attack.

The following introduces basic security threats in different areas.
Natural Disasters: Nobody can stop nature from taking its course. Earthquakes, hurricanes, floods, lightning,
and fire can cause severe damage to computer systems. Information can be lost, downtime or loss of
productivity can occur, and damage to hardware can disrupt other essential services. Few safeguards can be
implemented against natural disasters. The best approach is to have disaster recovery plans and contingency
plans in place. Other threats such as riots, wars, and terrorist attacks could be included here. Although they
are human-caused threats, they are classified as disastrous.
Human Threats: Malicious threats consist of inside attacks by malicious employees and outside attacks by
non-employees just looking to harm and disrupt an organization.
The most dangerous attackers are usually insiders (or former insiders), because they know many of the codes
and security measures that are already in place. Insiders are likely to have specific goals and objectives, and
have legitimate access to the system. Employees are the people most familiar with the organization's
computers and applications, and they are most likely to know what actions might cause the most damage.
Insiders can plant viruses, Trojan horses, or worms, and they can browse through the file system.
The insider attack can affect all components of computer security. By browsing through a system, confidential
information could be revealed. Trojan horses are a threat to both the integrity and confidentiality of
information in the system. Insider attacks can affect availability by overloading the system's processing or
storage capacity, or by causing the system to crash.
Malicious attackers normally will have a specific goal, objective, or motive for an attack on a system. These
goals could be to disrupt services and the continuity of business operations by using denial-of-service (DoS)
attack tools. They might also want to steal information or even steal hardware such as laptop computers.
Hackers can sell information that can be useful to competitors.
Non-malicious threats usually come from employees who are untrained in computers and are unaware of
security threats and vulnerabilities. Users who open Microsoft Word documents using Notepad, edit the
documents, and then save them could cause serious damage to the information stored in the document.
The following table gives the various aspects discussed above.

Threats                Motives/Goals         Methods                          Security Policies
• Employees            • Deny services       • Social engineering             • Vulnerabilities
  • Malicious          • Steal information   • Viruses, Trojan horses, worms  • Assets
  • Ignorant           • Alter information   • Packet replay                  • Information and data
• Non-employees        • Damage information  • Packet modification            • Productivity
  • Outside attackers  • Delete information  • IP spoofing                    • Hardware
• Natural disasters    • Make a joke         • Mail bombing                   • Personnel
  • Floods             • Show off            • Various hacking tools
  • Earthquakes                              • Password cracking
  • Hurricanes
  • Riots and wars
Motives, Goals, and Objectives of Malicious Attackers
Malicious attackers are commonly driven by one of the following goals:
• Deleting and altering information. Malicious attackers may delete or alter information. Outside
attackers might want to do this to prove that they can get into the system or for the fun of it.
• Committing information theft and fraud. Computer systems are exploited in numerous ways, both by
automating traditional methods of fraud and by using new methods.
• Disrupting normal business operations. Attackers may want to disrupt normal business operations.
Malicious attackers can gain access or deny services in numerous ways. Here are some of them:
• Viruses-Attackers can develop harmful code known as viruses. Using hacking techniques, they can
break into systems and plant viruses. Viruses in general are a threat to any environment. They come
in different forms and although not always malicious, they always take up time. Viruses can also be
spread via e-mail and disks.

• Trojan horses-These are malicious programs or software code hidden inside what looks like a normal
program. When a user runs the normal program, the hidden code runs as well. It can then start
deleting files and causing other damage to the computer. Trojan horses are normally spread by e-mail
• Worms-These are programs that run independently and travel from computer to computer across
network connections. Worms may have portions of themselves running on many different computers.
• Password cracking-This is a technique attackers use to surreptitiously gain system access through
another user's account. This is possible because users often select weak passwords.
• Denial-of-service attacks-This attack exploits the need to have a service available. It is a growing
trend on the Internet because Web sites in general are open doors ready for abuse. People can easily
flood the Web server with communication in order to keep it busy. Therefore, companies connected
to the Internet should prepare for (DoS) attacks. They also are difficult to trace and allow other types
of attacks to be subdued.
• E-mail hacking-Electronic mail is one of the most popular features of the Internet. With access to
Internet e-mail, someone can potentially correspond with any one of millions of people worldwide.
Some of the threats associated with e-mail are:
  • Impersonation-The sender address on Internet e-mail cannot be trusted because the sender can create
  a false return address.
  • Eavesdropping-E-mail headers and contents are transmitted in clear text if no encryption is used.
  As a result, the contents of a message can be read or altered in transit. The header can be modified to
  hide or change the sender, or to redirect the message.
• Packet replay-This refers to the recording and retransmission of message packets in the network.
Packet replay is a significant threat for programs that require authentication sequences, because an
intruder could replay legitimate authentication sequence messages to gain access to a system. Packet
replay is frequently undetectable, but can be prevented by using packet time stamping and packet
sequence counting.
• Packet modification-This involves one system intercepting and modifying a packet destined for
another system.
• Eavesdropping-This allows a cracker (hacker) to make a complete copy of network activity. As a
result, a cracker can obtain sensitive information such as passwords, data, and procedures for
performing functions. It is possible for a cracker to eavesdrop by wiretapping, using radio, or using
auxiliary ports on terminals. It is also possible to eavesdrop using software that monitors packets
sent over the network. In most cases, it is difficult to detect eavesdropping.
• Social engineering-This is a common form of cracking. It can be used by outsiders and by people
within an organization. Social engineering is a hacker term for tricking people into revealing their
password or some form of security information.
• Intrusion attacks-In these attacks, a hacker uses various hacking tools to gain access to systems.
These can range from password-cracking tools to protocol hacking and manipulation tools. Intrusion
detection tools often can help to detect changes and variants that take place within systems and
• Network spoofing-In network spoofing, a system presents itself to the network as though it were a
different system (computer A impersonates computer B by sending B's address instead of its own).
The reason for doing this is that systems tend to operate within a group of other trusted systems.
Trust is imparted in a one-to-one fashion; computer A trusts computer B (this does not imply that
system B trusts system A). Implied with this trust is that the system administrator of the trusted
system is performing the job properly and maintaining an appropriate level of security for the
system. Network spoofing occurs in the following manner: if computer A trusts computer B and
computer C spoofs (impersonates) computer B, then computer C can gain otherwise-denied access to
computer A.
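The trust relationship just described (A trusts B by address; C gains access by sending B's address) can be checked against where a packet actually arrived, which is the ingress-filtering idea of BCP 38. The Python example below is added here and is not part of the original answer. It assumes a hypothetical host with two interfaces (eth0 on the internal LAN, eth1 facing outside) and uses constructed addresses and sample packets; it contrasts the address-only trust model from the text with the same model gated by an ingress consistency check.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: trusted host "B" lives on the internal LAN and is only
# ever reachable through eth0; eth1 is the external link (203.0.113.0/24 is the
# documentation range TEST-NET-3, used here as a stand-in for "the outside").
TRUSTED_HOSTS = {"B": ipaddress.ip_address("10.0.0.20")}
INTERFACE_NETWORKS = {
    "eth0": ipaddress.ip_network("10.0.0.0/24"),
    "eth1": ipaddress.ip_network("203.0.113.0/24"),
}


@dataclass
class Packet:
    src: str    # claimed source address (attacker-controlled)
    dst: str
    iface: str  # interface the packet physically arrived on (not forgeable remotely)


def classify(pkt: Packet) -> str:
    """Ingress check: the claimed source must belong to the network behind the
    interface it arrived on. A source from the internal range arriving on the
    external interface is a spoof candidate."""
    src = ipaddress.ip_address(pkt.src)
    home = next((name for name, net in INTERFACE_NETWORKS.items() if src in net), None)
    if home is None:
        return "unknown-source"
    return "consistent" if home == pkt.iface else "spoofed"


def trusted_by_address(pkt: Packet) -> bool:
    """The trust model the text describes: A trusts anything claiming B's address."""
    return ipaddress.ip_address(pkt.src) in TRUSTED_HOSTS.values()


def trusted_with_ingress_check(pkt: Packet) -> bool:
    """Same relationship, honoured only when the arrival interface is consistent
    with the claimed source."""
    return trusted_by_address(pkt) and classify(pkt) == "consistent"


# Constructed sample traffic: the real B talks to A, then C on the outside
# impersonates B by sending B's address, then an ordinary external host.
SAMPLE = [
    Packet("10.0.0.20", "10.0.0.10", "eth0"),
    Packet("10.0.0.20", "10.0.0.10", "eth1"),
    Packet("203.0.113.7", "10.0.0.10", "eth1"),
]


def audit(packets) -> list[tuple[str, bool, bool]]:
    """Per packet: ingress verdict, address-only trust, trust with ingress check."""
    return [(classify(p), trusted_by_address(p), trusted_with_ingress_check(p)) for p in packets]


if __name__ == "__main__":
    for pkt, row in zip(SAMPLE, audit(SAMPLE)):
        print(f"{pkt.src:>12} via {pkt.iface}: ingress={row[0]:<10} "
              f"address-trust={row[1]!s:<5} with-ingress-check={row[2]}")
```

The check catches C only because C sits on a different segment from B. A host on the same LAN as B can still send B's address through eth0, so the ingress verdict is a necessary filter, not a substitute for authenticating the peer itself (for example with a shared key, as in the active-attack example under Question 4).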