CMP 318 Network Security Issues


CMP 318 – NETWORK SECURITY ISSUES (3 UNITS)
Prepared by: Dr. T. A. Olowookere

RELEVANT QUOTE
“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”
-- The Art of War, Sun Tzu
What is Network Security?
Network security is the process of taking physical and software preventative measures to protect the underlying network infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users, and programs to perform their permitted critical functions within a secure environment.

What is Network Security? (2)
Network security deals with all aspects related to the protection of the sensitive information assets existing on the network. It covers the various mechanisms developed to provide fundamental security services for data communication.
Key Principles of Network Security
Network security revolves around the three key principles of confidentiality, integrity, and availability (C-I-A). Depending upon the application and context, one of these principles might be more important than the others.

Brief Example
For example, a government agency would encrypt an electronically transmitted classified document to prevent an unauthorized person from reading its contents. Thus, confidentiality of the information is paramount.
If an individual succeeds in breaking the encryption cipher and then retransmits a modified encrypted version, the integrity of the message is compromised.
On the other hand, an organization such as Amazon.com would be severely damaged if its network were out of commission for an extended period of time. Thus, availability is a key concern of such e-commerce companies.
The CIA Triad (figure)

Confidentiality
Confidentiality is concerned with preventing the unauthorized access to or disclosure of sensitive network information.
It prevents/detects/deters improper disclosure of information.
Methods of achieving confidentiality: user IDs and passwords, access control lists (ACLs), ...
Integrity
Integrity is concerned with the assurance that information is accurate and reliable, in other words, protected from unauthorized modification, destruction, and loss.
It prevents/detects/deters improper modification of information, ensuring information has not been altered by unauthorized or unknown means.
Methods of achieving integrity: data encryption, hashing algorithms, ...

Integrity (2)
There are three goals of integrity:
✦ Prevention of the modification of information by unauthorized users
✦ Prevention of the unauthorized or unintentional modification of information by authorized users
✦ Preservation of the internal and external consistency
Availability
Availability is concerned with the access to information by authorized persons as and when necessary.
Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system and to the network.
It prevents/detects/deters improper denial of access to services/infrastructure.
Methods of achieving availability: hardware maintenance, software upgrading, ...
Other C-I-A-related Key Terminologies
Authentication: Verification that the user’s claimed identity is valid, such as through the use of a password.
Identification: Evidence of the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.); the act of a user professing an identity to the system, such as a logon ID.
Authorization: The privileges allocated to an entity (or process) that enable access to a computer network resource.
Non-repudiation: Preventing the denial of previous commitments or actions.
NETWORK SECURITY ISSUES: Threats, Vulnerabilities and Attacks

Threats
A threat is anything that can disrupt the operation, functioning, integrity, or availability of a network or system.

Vulnerabilities
A vulnerability is an inherent weakness in the design, configuration, implementation, or management of a network or system that renders it susceptible to a threat. Vulnerabilities are what make networks susceptible to information loss and downtime. Every network and system has some kind of vulnerability.

Attack
An attack is any action of a malicious intruder that exploits vulnerabilities of the system/network to cause a threat to occur.
Vulnerability
A vulnerability in information systems or networks is a flaw or weakness that leaves a system/network open to attack, and that can be exploited by attack vectors or cyber criminals to perpetrate a security breach or unauthorized action.

Types of Vulnerabilities:
Hardware Vulnerabilities
Software Vulnerabilities
Human Resource Vulnerabilities
Process Vulnerabilities
Physical & Environmental Vulnerabilities
Network & Protocol Vulnerabilities
Threat vs Attack
So basically, a threat is a possible danger or vulnerability, while an attack is the action or attempt of unauthorized action.
A threat is the known possibility of an attack. An attack is the actual occurrence of unauthorized access or malicious activity.
Your computer hasn't been updated in a while, and because of this there are a lot of vulnerabilities: that is a threat.
A hacker sees that you have not updated your computer and tries to exploit one of the vulnerabilities using his toolset: that is an attack.
Forms of Security Attacks
The actions that compromise the security of information owned or transferred by an entity come in different forms. These security attacks can take one of four forms:
Interruption
Interception
Modification
Fabrication

Forms of Security Attacks (figures)
Normal Transmission of Information: information flows from the information source to the information destination.
Interruption: In an interruption, an asset of the network/system becomes lost, unavailable, or unusable.
Interception: An interception means that some unauthorized party has gained access to an asset. The outside party can be a person, a program, or a computing system.
Modification: If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.
Fabrication: Finally, an unauthorized party might create a fabrication of counterfeit objects on a computing system. The intruder may insert spurious transactions into a network communication system.

Forms of Security Attacks in a whole (figure): (a) Normal Flow, (b) Interruption, (c) Modification, (d) Fabrication, (e) Interception, each drawn between an information source and an information destination.
The Major Types of Attack
Passive and Active attacks.

Active and Passive Attack (figure):
Attack
  Passive Attacks: Interception (Confidentiality): Release of message contents; Traffic analysis
  Active Attack: Interruption (Availability); Modification (Integrity); Fabrication (Authentication)
Active and Passive Attacks
A passive attack can only observe communications or data.
Forms: Interception (also called eavesdropping or passive wiretapping).
An active attack can actively modify communications or data.
Forms: Interruption, Modification (also called active wiretapping), Fabrication.
Passive Attacks
✦ Passive — Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capture of authentication information (such as passwords).
Passive intercept of network operations can give adversaries indications and warnings of impending actions.
Passive attacks can result in disclosure of information or data files to an attacker without the consent or knowledge of the user. Examples include the disclosure of personal information such as credit card numbers and medical files.

Active Attacks
✦ Active — Active attacks include attempts to circumvent or break protection features, introduce malicious code, or steal or modify information.
These attacks may be mounted/launched against a network backbone, exploit information in transit, electronically penetrate a network, or attack an authorized remote user during an attempt to connect to the network.
Active attacks can result in the disclosure or dissemination of data files, denial of service, or modification of data.
Sniffing
Network sniffing or packet sniffing is the process of monitoring a network in an attempt to gather information that may be useful in an attack. With the proper tools a hacker can monitor the network packets to obtain passwords or IP addresses.
Sniffing involves capturing, decoding, inspecting and interpreting the information inside a network packet on a TCP/IP network.
Sniffing is a process of monitoring and capturing all data packets passing through a given network.
Sniffing is generally referred to as a “passive” type of attack, wherein the attackers can be silent/invisible on the network. This makes it difficult to detect, and hence it is a dangerous type of attack.
Types of Sniffing
There are two types:

Active Sniffing:
Sniffing on a switch is active sniffing. A switch is a point-to-point network device. The switch regulates the flow of data between its ports by actively monitoring the MAC address on each port, which helps it pass data only to its intended target. In order to capture the traffic between targets, the sniffer has to actively inject traffic into the LAN to enable sniffing of the traffic.

Passive Sniffing:
This is the process of sniffing through a hub. Any traffic that is passing through the non-switched or unbridged network segment can be seen by all machines on that segment. Sniffers operate at the data link layer of the network. Any data sent across the LAN is actually sent to each and every machine connected to the LAN. This is called passive since sniffers placed by the attackers passively wait for the data to be sent and capture them.

Network Layers’ Vulnerability to Sniffing (figure)
Password sniffing is particularly a threat for users who log into Unix systems over a network. Telnet or rlogin is usually employed when logging onto Unix systems over a network, and both send the password across the network in cleartext.
Sniffer tools usage
Sniffer tool usage (e.g., Wireshark, dSniff, etc.)
Ethical usage
1. Packet capturing
2. Network traffic usage and analysis
3. Packet conversion for data analysis
4. Network troubleshooting
Unethical usage
1. User identity and password stealing
2. Email or instant message data stealing
3. Packet spoofing and data theft
4. Monetary or reputational damage
Spoofing
A spoofing attack is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware or bypass access controls.
In general terms, a spoof entails falsifying one's identity or masquerading as some other individual or entity to gain access to a system or network or to gain information for some other unauthorized purpose.
Spoofing is an active attack.
There are many different kinds of spoofs, including, among many others:
IP address spoofing,
domain name service (DNS) spoofing,
session hijacking.
IP Address Spoofing
Every device on a TCP/IP network has a unique IP address. The IP address is a unique identification of the device, and no two devices on the network can have the same IP address.
In an IP address spoofing attack, an attacker sends IP packets from a false (or “spoofed”) source address in order to disguise itself.
Denial-of-service attacks often use IP spoofing to overload networks and devices with packets that appear to be from legitimate source IP addresses.

IP Spoofing (figure)
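An added illustration (not from the lecture) of the defensive counterpart to source-address spoofing: a border router or firewall that drops packets whose claimed source address could not legitimately arrive on the interface that received them, the idea behind ingress/egress filtering. Interface names, prefixes and the sample packets are all constructed for the example.

```python
# Added example (not the lecture's own code): a minimal ingress/egress filter
# model that catches packets whose source address cannot legitimately arrive on
# the interface that received them. All interface names, prefixes and packets
# below are constructed for the demo.
import ipaddress
from dataclasses import dataclass

# Which source prefixes legitimately live *behind* each inside-facing interface.
TOPOLOGY = {
    "lan": [ipaddress.ip_network("192.0.2.0/24")],       # our hosts (doc prefix)
    "dmz": [ipaddress.ip_network("198.51.100.0/24")],    # our DMZ (doc prefix)
}
# Ranges that should never appear as a source on the Internet-facing interface.
BOGONS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # claimed source address
    dst: str


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def classify(pkt: Packet) -> str:
    """Return 'pass' or a short reason why the packet is treated as spoofed."""
    src = ipaddress.ip_address(pkt.src)
    internal = [n for nets in TOPOLOGY.values() for n in nets]
    if pkt.iface in TOPOLOGY:
        # Egress check: a host behind lan/dmz may only use its own prefix.
        if not _in_any(src, TOPOLOGY[pkt.iface]):
            return f"drop: source {pkt.src} not valid behind {pkt.iface}"
        return "pass"
    if pkt.iface == "wan":
        # Ingress check: our own prefixes and bogons cannot come from outside.
        if _in_any(src, internal):
            return f"drop: internal source {pkt.src} arrived from the Internet"
        if _in_any(src, BOGONS):
            return f"drop: bogon/private source {pkt.src} on wan"
        return "pass"
    return f"drop: unknown interface {pkt.iface}"


def filter_packets(packets):
    """Apply classify() to a batch; return (passed, dropped) lists of (pkt, verdict)."""
    passed, dropped = [], []
    for p in packets:
        verdict = classify(p)
        (passed if verdict == "pass" else dropped).append((p, verdict))
    return passed, dropped


# Constructed sample traffic covering both spoofing patterns the slide describes:
# a forged source arriving from the Internet (flood traffic claiming to be our LAN)
# and an internal host emitting packets with someone else's address.
SAMPLE = [
    Packet("wan", "203.0.113.7",  "198.51.100.10"),   # ordinary Internet client
    Packet("wan", "192.0.2.55",   "198.51.100.10"),   # claims to be our own LAN
    Packet("wan", "10.1.2.3",     "198.51.100.10"),   # private address from outside
    Packet("lan", "192.0.2.20",   "203.0.113.7"),     # legitimate internal host
    Packet("lan", "203.0.113.99", "203.0.113.7"),     # internal host spoofing an outsider
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for p, why in bad:
        print(f"{p.iface:>3} {p.src:>14} -> {p.dst:<14} {why}")
    print(f"{len(ok)} passed, {len(bad)} dropped")
```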
DNS Spoofing
The Domain Name System (DNS) is a system that associates domain names with IP addresses. Devices that connect to the internet or other private networks rely on the DNS for resolving URLs, email addresses and other human-readable domain names into their corresponding IP addresses.
In a DNS server spoofing attack, a malicious party modifies the DNS server in order to reroute a specific domain name to a different IP address. In many cases, the new IP address will be for a server that is actually controlled by the attacker and contains files infected with malware.
DNS server spoofing attacks are often used to spread computer worms and viruses.

DNS Spoofing (figure)
Session Hijacking
Session hijacking is defined as taking over an active TCP/IP communication session without the user’s permission.
When implemented successfully, attackers assume the identity of the compromised user, enjoying the same access to resources as the compromised user.
Identity theft, information theft and stealing sensitive data are some of the common impacts of session hijacking.

Session Hijacking (figures)

Types of session hijacking attacks
There are two types of session hijacking depending on how they are done. If the attacker directly gets involved with the target, it is called active hijacking, and if an attacker just passively monitors the traffic, it is passive hijacking.
Active:
The attacker will silence one of the machines, usually the client computer, and take over the client’s position in the communication exchange between the workstation and the server.
The active attack also allows the attacker to issue commands on the network, making it possible to create new user accounts on the network, which can later be used to gain access to the network without having to perform the session hijack attack.
Passive:
In a passive session hijacking attack, the attacker monitors the traffic between the workstation and server. The primary motivation for the passive attack is to monitor network traffic and potentially discover valuable data or passwords.
Traffic Redirection
Traffic redirection, also named DNS redirection, is a type of DNS attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites. To perform the attack, perpetrators either install malware on user computers, take over routers, or intercept or hack DNS communication.
Under this method of DNS attack, hackers compromise a link on someone else's page or set up their own page with false links. In either case, the link could state that it is for a legitimate site, but in reality the link brings the Web surfer to a site set up and controlled by the hacker that looks like the site the Web surfer was expecting.

Session Hijacking (figure)
Denial-of-Service (DoS) Attack & Distributed Denial of Service (DDoS) Attack
A denial of service attack (DoS) is an attack against a computer or network which reduces, restricts or prevents accessibility of its system resources to authorized users.
Denial-of-Service (DoS) attacks deny the use of resources, information, or capabilities of a system to legitimate users.
A Distributed Denial of Service (DDoS) attack is an attack where multiple compromised systems simultaneously attack a single system, thereby causing a DoS attack for the users of the target.

Denial-of-Service (DoS) Attack
In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses.

Distributed Denial of Service (DDoS) Attack
An attacker can select the zombies randomly or topologically and, once they are compromised, sets up a command and controller to control the zombies that attack the target. A bot is malicious software installed on compromised machines; this gives the attacker control over the zombies. The network of bots is called a botnet.

WHAT IS “DOS ATTACK”
Denial-of-Service Attack = DoS attack is a malicious attempt by a single person or a group of people to cause the victim, site or node to deny service to its customers.
DoS = when a single host attacks
DDoS = when multiple hosts attack simultaneously
Man-in-the-Middle Attack
A man-in-the-middle (MitM) attack is the type of attack where attackers intrude into an existing communication between two computers and then monitor, capture, and control the communication.
In a man-in-the-middle attack, an intruder assumes a legitimate user’s identity to gain control of the network communication. The other end of the communication path might believe it is you and keep on exchanging the data.

MitM attack (figure)
Traffic Analysis
Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication, which can be performed even when the messages are encrypted.
Inferring sensitive information from communication patterns, instead of traffic contents, no matter if encrypted.
(Slide from CS660 - Advanced Information Assurance - UMassAmherst)

Traffic Analysis (figure)
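An added demonstration (not from the lecture) of how traffic analysis works on encrypted traffic: the observer never decrypts anything, yet ciphertext lengths alone identify which of a known set of responses was sent, and padding to fixed-size buckets blunts the leak. The response catalogue is constructed for the example; the "cipher" is a stand-in that hides content but not length, as a stream cipher would.

```python
# Added example (not the lecture's own code): traffic analysis by message length.
# With a stream cipher (or any unpadded encryption) ciphertext length equals
# plaintext length, so an observer who knows the set of possible responses can
# often tell which one was sent without reading a byte of content. Padding to a
# bucket size removes or coarsens that signal. All responses are constructed.
import os
from collections import defaultdict

# Constructed catalogue of responses a server might send. The observer knows this
# set (e.g. the public pages of a site) but only ever sees encrypted bytes.
RESPONSES = {
    "login_ok":      b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nWelcome back",
    "login_fail":    b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 19\r\n\r\nInvalid credentials",
    "balance_page":  b"HTTP/1.1 200 OK\r\nContent-Length: 301\r\n\r\n" + b"x" * 301,
    "transfer_page": b"HTTP/1.1 200 OK\r\nContent-Length: 1187\r\n\r\n" + b"y" * 1187,
}


def encrypt_stream(plaintext: bytes) -> bytes:
    """Stand-in for a stream cipher: XOR with a fresh random keystream.
    The content is hidden; the length is not."""
    keystream = os.urandom(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def pad_to_bucket(plaintext: bytes, bucket: int) -> bytes:
    """Length-prefix the message and pad to the next multiple of `bucket`, so every
    message that falls in the same bucket produces the same ciphertext length."""
    body = len(plaintext).to_bytes(4, "big") + plaintext
    pad_len = (-len(body)) % bucket
    return body + b"\x00" * pad_len


def build_fingerprints(responses, transform):
    """Map observed ciphertext length -> set of response names that produce it."""
    table = defaultdict(set)
    for name, msg in responses.items():
        table[len(encrypt_stream(transform(msg)))].add(name)
    return dict(table)


def guess_from_length(observed_len: int, table) -> set:
    """What a passive observer can infer from a single ciphertext length."""
    return table.get(observed_len, set())


def demo(bucket: int = 1024):
    """Return (what leaks unpadded, what leaks padded) for the balance page."""
    unpadded = build_fingerprints(RESPONSES, lambda m: m)
    padded = build_fingerprints(RESPONSES, lambda m: pad_to_bucket(m, bucket))
    # The observer captures the encrypted "balance_page" response.
    leak = guess_from_length(
        len(encrypt_stream(RESPONSES["balance_page"])), unpadded)
    hidden = guess_from_length(
        len(encrypt_stream(pad_to_bucket(RESPONSES["balance_page"], bucket))), padded)
    return leak, hidden


if __name__ == "__main__":
    leak, hidden = demo()
    print("unpadded: observer infers", leak)    # exactly one candidate
    print("padded:   observer infers", hidden)  # several candidates share a bucket
```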
MitM vs Session Hijacking
Session Hijacking: An example:
A customer may select books on Amazon.com. When it comes to taking the order and making the payment, Amazon.org may hijack the session.
Man-in-the-middle Attack vs. Session Hijacking
Man-in-the-middle is wire-tapping actively from the beginning, whereas a session hijacker takes over after part of the session is over.
Use of Cryptography for Data and Network Security

Cryptography
Cryptography is the art of converting text into another form for secret transmission and reception. It works by converting plain text into cipher text using some encryption algorithm at the sender’s side and converting ciphertext into plain text at the receiver’s side.
Cryptography is used to provide confidentiality, integrity, authenticity and non-repudiation.

Cryptography (2)
Cryptography is the art of protecting information by transforming it (encrypting it) into an unreadable format, called cipher text. Only those who possess a secret key can decipher (or decrypt) the message into plain text.
Encrypted messages can sometimes be broken by cryptanalysis, also called codebreaking, although modern cryptography techniques are virtually unbreakable.

Cryptography (3)
Cryptography includes a set of techniques for scrambling or disguising data so that it is available only to someone who can restore the data to its original form.
In current computer systems, cryptography provides a strong, economical basis for keeping data secret and for verifying data integrity.
Key terms:
Plain text: Message to be encrypted.
Ciphertext: Encrypted message.
Encryption: Process of converting plain text into cipher text.
Decryption: Process of converting ciphertext into plain text.
Algorithm: The method used to encrypt/decrypt the plain text.
Key: The data used for encrypting/decrypting.

Cryptography is broadly classified into two
categories:
Symmetric key Cryptography (also known as
Categories of Secret-Key Cryptography) and
Cryptography Asymmetric key Cryptography (popularly known
as public key cryptography).
Now Symmetric key Cryptography is further
categorized as Classical Cryptography and Modern
Cryptography.

Sub-Categories
Further drilling down, Classical Cryptography is
of divided into Transposition Cipher and Substitution
Cryptography Cipher.

On the other hand, Modern Cryptography is


divided into Stream Cipher and Block Cipher.
Categories of
Cryptography
Symmetric key Cryptography: This refers to an
encryption system in which the sender and
receiver of a message share a single, common key
that is used to encrypt and decrypt the message.
Here, one single key is used for encryption and same
Symmetric key key is used for decryption.
Cryptography The most popular example of symmetric–key
cryptographic system are:
Data Encryption Standard (DES)
Advanced Encryption Standard (AES)
Symmetric key
Cryptography
Symmetric key
Cryptography
Classical Cryptography: (Transposition & Substitution Ciphers)
Transposition Ciphers: In cryptography, a transposition cipher is a method of encryption by which the positions held by units of plaintext (which are commonly characters or groups of characters) are shifted according to a regular system, so that the ciphertext constitutes a permutation (rearrangement of order) of the plaintext.
That is, the order of the units is changed (the plaintext is reordered). Mathematically, a bijective function is used on the characters’ positions to encrypt and an inverse function to decrypt.
Example: (figure)

Transposition Ciphers (figure)

Substitution Cipher: A method of encryption by which units of plaintext are replaced with ciphertext according to a fixed system; the “units” may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth.

Substitution Cipher:
Example: Consider the example shown on the slide: using the system just discussed, the keyword “zebras” gives us the following alphabets: (figure)
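An added worked example (not the lecture's own code) of both classical families described above, so that each direction can be checked: the keyword "zebras" from the slide builds a substitution alphabet (keyword letters first, then the unused letters in order), and a columnar transposition reorders letters by writing them in rows under a keyword and reading the columns in alphabetical key order. The sample plaintexts and the transposition key "ZEBRAS" are constructed for the example.

```python
# Added example (not the lecture's own code): keyword substitution and columnar
# transposition, with encryption and decryption for each. The keyword "zebras"
# comes from the slide; the plaintexts and the transposition key are constructed.
import string

ALPHABET = string.ascii_uppercase


def keyword_alphabet(keyword: str) -> str:
    """Keyword letters first (duplicates dropped), then the unused letters in order."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def substitute(text: str, keyword: str, decrypt: bool = False) -> str:
    """Monoalphabetic substitution; letters keep their case, non-letters pass through."""
    cipher_alpha = keyword_alphabet(keyword)
    src, dst = (cipher_alpha, ALPHABET) if decrypt else (ALPHABET, cipher_alpha)
    table = str.maketrans(src + src.lower(), dst + dst.lower())
    return text.translate(table)


def _column_order(key: str):
    """Column indices in the order their key letters sort (ties left to right)."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transpose_encrypt(plaintext: str, key: str) -> str:
    """Write letters row by row under the key, read columns in key order (no padding)."""
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    cols = len(key)
    # column i holds every cols-th letter starting at offset i
    return "".join("".join(letters[i::cols]) for i in _column_order(key))


def transpose_decrypt(ciphertext: str, key: str) -> str:
    """Invert transpose_encrypt: rebuild the columns, then read the rows back."""
    cols, n = len(key), len(ciphertext)
    full_rows, extra = divmod(n, cols)
    # Without padding, the first `extra` columns are one letter longer.
    lengths = [full_rows + (1 if i < extra else 0) for i in range(cols)]
    columns, pos = [""] * cols, 0
    for i in _column_order(key):
        columns[i] = ciphertext[pos:pos + lengths[i]]
        pos += lengths[i]
    rows = []
    for r in range(full_rows + (1 if extra else 0)):
        rows.append("".join(col[r] for col in columns if r < len(col)))
    return "".join(rows)


if __name__ == "__main__":
    print(keyword_alphabet("zebras"))          # ZEBRASCDFGHIJKLMNOPQTUVWXY
    msg = "flee at once. we are discovered!"
    sub = substitute(msg, "zebras")
    print(sub, "->", substitute(sub, "zebras", decrypt=True))
    ct = transpose_encrypt("we are discovered flee at once", "ZEBRAS")
    print(ct, "->", transpose_decrypt(ct, "ZEBRAS"))
```

Because the substitution never changes letter positions and the transposition never changes letter identities, single-letter frequency analysis breaks the first and is useless against the second, which is why classical systems combined both.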
Modern Cryptography (Stream & Block Ciphers)
Stream Cipher: A symmetric or secret-key encryption algorithm that encrypts a single bit at a time.
With a stream cipher, the same plaintext bit or byte will encrypt to a different bit or byte every time it is encrypted.
The incoming data is encrypted or decrypted byte by byte, or bit by bit.

Stream Cipher (figure)

Block Cipher: An encryption method that applies a deterministic algorithm along with a symmetric key to encrypt a block of text, rather than encrypting one bit at a time as in stream ciphers.
The input plain text is broken into fixed-size blocks and they are encrypted/decrypted as a block; e.g. DES, AES.

Block Cipher
Example: (figure)

Block Ciphers (figure)
Asymmetric Key Cryptography (or Public Key Cryptography)
Asymmetric key cryptography refers to an encryption process where different keys are used for encrypting and decrypting the information.
The keys are different but mathematically related, such that retrieving the plain text by decrypting the ciphertext is feasible.
Here two keys are used: the public key is used for encryption and the private key is used for decryption; e.g. RSA.

Asymmetric key Cryptography (figures)

The RSA Algorithm
RSA is the most widely used form of public key encryption.
RSA stands for Rivest, Shamir, and Adleman, the inventors of this technique.
Both public and private keys are interchangeable.
Variable key size (512, 1024, or 2048 bits).

The RSA Algorithm (figure)
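An added worked example (not the lecture's own code) of textbook RSA with small numbers so every step is visible. It shows the two properties listed above: encryption and decryption use different keys, and the keys are interchangeable (encrypt with the public key and decrypt with the private, or sign with the private key and verify with the public). The primes 61 and 53 and the message 65 are constructed for the example; real deployments use moduli of at least 2048 bits and a padding scheme.

```python
# Added example (not the lecture's own code): textbook RSA key generation,
# encryption/decryption and the sign/verify use of the same key pair.
# Primes and message are constructed; no padding, so this is for illustration only.
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Multiplicative inverse of a modulo m (exists only when gcd(a, m) == 1)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def keygen(p, q, e=65537):
    """Build ((e, n), (d, n)) from two primes. e must be coprime to phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not coprime to phi(n)")
    return (e, n), (modinv(e, phi), n)


def rsa_apply(key, m):
    """Raw RSA operation m^k mod n; the same arithmetic serves both directions."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, k, n)


def encrypt(pub, m):
    return rsa_apply(pub, m)


def decrypt(priv, c):
    return rsa_apply(priv, c)


def sign(priv, m):
    # Interchangeability: apply the private key first...
    return rsa_apply(priv, m)


def verify(pub, m, sig):
    # ...and the public key second recovers m, which anyone holding the public key can check.
    return rsa_apply(pub, sig) == m


if __name__ == "__main__":
    pub, priv = keygen(61, 53, e=17)   # constructed small primes: n = 3233, phi = 3120
    m = 65
    c = encrypt(pub, m)
    print(f"public={pub} private={priv}")
    print(f"m={m} -> c={c} -> {decrypt(priv, c)}")
    s = sign(priv, m)
    print(f"signature={s} verifies={verify(pub, m, s)}")
```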
Architectures for Secure Networks

Architectures for Secure Networks
Essential to network design is the security architecture that describes the network segmentation (i.e., security zones) and security layers (i.e., access control, intrusion prevention, content inspection, etc.). The network communication between different zones is strictly controlled.
A secure network is any home, business, school, enterprise or any other network that has security measures in place that help protect it from outside attackers.

A secure channel is a way of transferring data that is resistant to overhearing and tampering.
A confidential channel is a way of transferring data that is resistant to overhearing (i.e., reading the content), but not necessarily resistant to tampering.
An authentic channel is a way of transferring data that is resistant to tampering but not necessarily resistant to overhearing.
Basic Internet Network Architecture
The typical architectural diagram shown below offers only two slim layers of protection, yet it is widely accepted that more layers equal a more secure environment.
In the diagram below, an attacker must compromise only one server to gain access to the Web applications provided on the same system. (figure)

The Ultra-Secure Network Architecture
The diagram below represents the base-level ultra-secure network architecture, which meets all regulatory requirements and limits the likelihood of information being obtained as long as all of the architectural components are properly managed, maintained and monitored. (figure)
Although it employs a number of layers of security implemented through a variety of security measures, no system can provide absolute protection of your information. Only through constant vigilance can the system be properly secured.
The ultra-secure architecture relies on multiple network and application firewalls.
Also, the architecture uses two DMZs: one is available to the Internet (public) and the other is private.
The ultra-secure architecture also uses two internal LANs: the internal LAN containing the employee-accessible servers and systems that do not store sensitive information, and a secure LAN containing servers with encrypted information that could be used for identity theft or other frauds.
All components are maintained via a complete management and monitoring system implemented in a protected management LAN. This consists of intrusion detection/prevention system(s), Domain Name Services, Kerberos servers, time server(s) and system log (syslog) server(s).
All of these servers are also firewalled from the DMZs and the secure LAN to allow for better control and protection.
Control System Security DMZ
In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network.
The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network: hosts in the DMZ may not connect to the internal network.
This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.
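An added model (not the lecture's own code) of the zone policy just described, so the "dead end" property can be checked mechanically rather than by reading rules: three zones, the three permitted directions from the slide, and an audit that lists every cross-zone pair with its verdict. The address ranges and hosts are constructed for the example.

```python
# Added example (not the lecture's own code): a zone-based connection policy
# with the DMZ rules from the slide, plus an invariant check and an audit view.
# Address plan and hosts are constructed for the demo.
import ipaddress
from itertools import product

# Constructed address plan: which prefix belongs to which zone.
ZONES = {
    "internal": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":      ipaddress.ip_network("10.20.0.0/24"),
    "external": ipaddress.ip_network("0.0.0.0/0"),   # everything not listed above
}

# Permitted (source zone, destination zone) pairs for *new* connections, taken
# from the slide: internal->DMZ and external->DMZ are allowed, DMZ->external is
# allowed, DMZ->internal is not. Replies ride the already-established connection.
POLICY = frozenset({
    ("internal", "dmz"),
    ("external", "dmz"),
    ("dmz", "external"),
})


def zone_of(addr: str) -> str:
    """Classify an address; the two specific prefixes win over the catch-all."""
    ip = ipaddress.ip_address(addr)
    for name in ("internal", "dmz"):
        if ip in ZONES[name]:
            return name
    return "external"


def may_connect(src: str, dst: str, policy=POLICY) -> bool:
    """True if a host at src may open a new connection to dst under the policy."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True      # traffic inside one zone never crosses this firewall
    return (s, d) in policy


def dmz_is_dead_end(policy=POLICY) -> bool:
    """The invariant the slide states: the DMZ can never initiate into the internal LAN."""
    return ("dmz", "internal") not in policy


def audit(policy=POLICY):
    """Every cross-zone pair with its verdict, for reviewing the rule set at a glance."""
    names = list(ZONES)
    return {(s, d): (s, d) in policy for s, d in product(names, repeat=2) if s != d}


if __name__ == "__main__":
    for (s, d), allowed in sorted(audit().items()):
        print(f"{s:>8} -> {d:<8} {'allow' if allowed else 'deny'}")
    print("DMZ is a dead end:", dmz_is_dead_end())
    # A compromised DMZ web server trying to reach an internal database host:
    print("10.20.0.5 -> 10.10.3.7:", may_connect("10.20.0.5", "10.10.3.7"))
```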
Control System Database Server
The function of the database server is to provide various database services to the control system applications. The application control system point database information is located on this computer, as well as the system configuration database information.

Control System Applications Server
This server formats the data into proper formats for transmission to the various applications and enforces communications priorities on the data communications. Advanced or special data processing applications are located on this server.
Control System Firewall (F/W)
In computer security, a firewall is a piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction.
A firewall is also called a Border Protection Device (BPD).
A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust).
The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.
Control System LAN
The local area network that connects all of the vendor and add-on networked equipment that comprises the control system applications. This includes the network equipment such as switches, routers, IDS, firewalls and other equipment used to complete the control system LAN.

Control System Web Server
The WWW server or Web server can mean one of two things:
1. A computer that is responsible for accepting HTTP requests from clients, which are known as Web browsers, and serving them Web pages, which are usually HTML documents and linked objects (images, etc.).
2. A computer that provides corporate and external user access to web-enabled business applications information.

Corporate DNS Server
The Domain Name System or Domain Name Server (DNS) is a system that stores information associated with domain names in a distributed database on networks.
The domain name system associates many types of information with domain names, but most importantly, it provides the IP address associated with the domain name. It also lists the mail exchange servers accepting e-mail for each domain.
Architectures for Secure Networks
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
An Intrusion Detection System (IDS) is a device or software application that monitors a network for malicious activity or policy violations. Any malicious activity or violation is typically reported or collected centrally using a security information and event management system.
An Intrusion Prevention System (IPS) is a form of network security that works to detect and prevent identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them.

Virtual Private Networks (VPN)
A VPN (Virtual Private Network) enables secure private (virtual) use of a public network (ensuring the integrity of the information, its encryption and confidentiality).
A VPN, or Virtual Private Network, allows you to create a secure connection to another network over the Internet.
VPNs can be used to access region-restricted websites, shield your browsing activity from prying eyes on public Wi-Fi, and more.
Introduction to Malware
Threat/Attack and its Types;
Social Engineering;
Défense Mechanisms and
Countermeasures.
Malware
Threat/Attack and its
Types
Malware
Malware is the collective name for a number of malicious software variants.
Malware is a malicious computer program designed to infiltrate and damage computers without the user's consent.
Malware is malicious software which, when it enters the target host, gives an attacker full or limited control over the target.
It can either damage or modify the functionalities of the target host, helping an attacker to steal or destroy information.
Various types of malware:
Virus
Trojan horses
Worms
Rootkits
Spyware
Ransomware
Botnets
Virus
A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document.
Characteristics of Viruses:
It infects other programs
Alters data
Transforms itself
Encrypts itself
Corrupts files and programs
Self-propagates
Different types of Viruses
Boot sector virus: Replaces the boot sector with itself, moving the original boot sector to another location on the hard disk.
File overwriting or cavity virus: Replaces the content of files with some other content, leaving the file unusable.
Crypter: Encrypts the contents of the file, which makes the file unusable for the user.
Cluster virus: Modifies the directory entries so that they always direct the user to the virus code instead of the actual program.
Stealth/Tunnelling virus: Intercepts the anti-virus call to the operating system and gives back an uninfected version of the files requested, thereby evading the anti-virus.
Metamorphic virus: Rewrites itself every time, reprogramming itself into a completely different code and back again, thereby increasing the difficulty of detection. Metamorphic viruses may change their behaviour as well as their appearance.
Macro virus: Infects Microsoft products like WORD and EXCEL. They are usually written in a macro language such as Visual Basic for Applications (VBA).
Trojan Horse
A Trojan horse, or Trojan, is a type of malicious code or software that looks legitimate and helpful but can take control of your computer.
Trojans are malicious files which are used by the attacker to create a backdoor without the knowledge of the user.
A Trojan usually deletes or replaces operating system critical files, steals data, sends notifications to the remote attacker, and remotely controls the target.
Trojans usually hide behind a genuine code, program or file to avoid being noticed by the user.
Behind the original program, it establishes a backdoor connection with the remote attacker.
Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.
Trojan Parts
A Trojan has 3 parts:
Dropper: This is the code which installs the malicious code into the target.
Malicious code: This is the code which exploits the system and gives the attacker control over the target.
Wrapper: The wrapper wraps the dropper, the malicious code and the genuine code into one .exe package.
When victims try to download an infected file, the dropper installs the malicious code first and then the genuine program.
Purpose of Trojans
Steal information such as passwords, security codes and credit card information using keyloggers
Use the victim's PC as part of a botnet to perform DDoS attacks
Delete or replace OS critical files
Generate fake traffic to create DoS
Download spyware, adware and malware
Record screenshots, audio and video of the victim's PC
Use the victim's PC as a proxy server for relaying attacks
Worms
A worm is a standalone malicious program which spreads from computer to computer, but unlike a virus, it has the capability to travel without any human action.
A worm takes advantage of file or information transport features on the system, which is what allows it to travel unaided.
Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it.
Difference between Worms and Viruses
Virus:
A virus is a program that replicates, i.e. it spreads from file to file on your system.
It may be programmed to erase or damage data.
A virus is a set of code which adds itself to existing files.
Worm:
A worm is a malicious program that originates on a single computer and searches for other computers connected through a local area network or Internet connection.
When a worm finds another computer, it replicates itself onto that computer and continues to look for other connected computers on which to replicate.
A worm continues to attempt to replicate itself indefinitely or until a self-timing mechanism halts the process.
It does not infect other files.
A worm's code is stand-alone code. In other words, a worm is a separate file.
Rootkits
A rootkit is a collection of malicious computer software created to get access to a target computer, and it often hides its existence or the existence of other software.
The term rootkit is a concatenation of "root" (the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool).
A rootkit can be installed by an attacker directly or remotely by exploiting a known vulnerability.
Once installed, it hides and runs with administrator privilege.
Rootkit detection is difficult because a rootkit intercepts the operating system calls made by antivirus software and returns a clean version of the software. It either duplicates or replaces OS system files, making it difficult to detect.
Methods of Detection:
Behavioural-based methods
Signature scanning
Integrity scanning by taking snapshots
Memory dump analysis
The usual solution is to reinstall the operating system.
When dealing with firmware rootkits, removal may require hardware replacement or specialized equipment.
Spyware & Ransomware
Spyware
This malware, when installed on the target, monitors the target's every action and reports to the remote attacker. Cookie stealing, password stealing, identity theft and information theft are a few attacks which are common using spyware.
Ransomware
This is malicious software which restricts access to computer system files and folders, asking for an online ransom payment to remove the restrictions.
Usually, it encrypts the data, making the user pay a huge ransom to get the data decrypted.
Botnets
A botnet is a number of Internet-connected devices, each of which is running one or more bots.
Botnets are large networks of bots that are orchestrated by a command and control center that instructs them on specific malicious actions.
A bot, short for "robot", is a type of software application or script designed to automatically execute some tasks.
Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.
How to Detect Malicious Software
Malicious software (malware) can be detected:
If there is a degradation of system performance
If there are new folders and files on the system
If unknown processes are running in the task manager
By scanning for suspicious ports
By scanning for suspicious registry entries
If there are new programs in the startup section
Tools used for monitoring: CurrPorts, Process manager, TCPView and RegScanner are a few tools.
Social Engineering and its Attack Types
Social Engineering
Social engineering is the art of convincing people to reveal confidential information.
By taking advantage of basic human nature like trust or a lack of knowledge, the attacker deceives people into revealing sensitive information.
Social engineering attacks can be grouped into three types:
Human-based
Mobile-based
Computer-based
Human-Based Attacks:
Impersonation: Acting like someone else to get access to the information.
They may act as a legitimate user and request information, or they pose as a higher authority and may ask for sensitive information, or they pose as a technical support person and try to gather sensitive and confidential details.
Dumpster Diving: This involves an attacker searching through the dustbin to access any confidential or sensitive document which has not been properly shredded before disposal into the dustbin.
Eavesdropping: Unauthorised listening to conversations, thereby collecting important data, is called eavesdropping.
Shoulder surfing: This is a direct observation technique, like looking over someone's shoulder, to learn sensitive information like passwords, PIN numbers, etc.
Computer-Based Social Engineering
Phishing: Creating a cloned fake website to try to gather sensitive information about users. It can be done by sending a fake email as though coming from the original website and then trying to collect confidential information.
Phishing can also be executed through fake mobile applications.
Hoax Letters: These are fake emails sending warnings about malware, viruses and worms causing harm to computers.
Chain letters: Asking people to forward emails or messages for money.
Spam Messages: These are unwanted, irrelevant emails trying to gather information about users.
Instant Chat messengers: Gathering personal information from a single user by chatting with them.
Mobile based Attacks
SMS based: Sending a fake SMS saying that the user has won a bounty, urging him/her to register with confidential information, or trying to collect other important details.
Through Malicious Apps: Applications downloaded from third-party sources may be malicious; they can access authentication information and other sensitive details.
Through Email and messengers: Attackers can send spam emails or malicious links through messenger applications. When the victim clicks on it, he may be redirected to a malicious site, or malware could be downloaded, or it may lead to some other malicious activity.
Defense Mechanisms and Countermeasures
Countermeasures and Types
A countermeasure is any action to prevent a threat or attack against a vulnerability of a network.
Countermeasures can be of the following types.
Administrative Countermeasures: Security policies, general procedures, accepted safety guidelines, etc. can be considered as administrative countermeasures.
Physical Countermeasures: Physical security for server rooms, network infrastructure devices, data centers, accident and fire prevention, uninterrupted power supply, video surveillance, etc. can be considered as physical countermeasures.
Logical Countermeasures: Proper configuration of network firewalls, application and operating system password security, IDS/IPS (Intrusion Detection/Prevention Systems), etc. are examples of logical countermeasures.
Countermeasures
Possible Defense Mechanisms and Countermeasures Include:
1. Network Monitoring
2. Honeypots
3. IP Trace-backs
4. Firewalls
5. Intrusion Detection
1. Network monitoring
Network monitoring is a critical IT process where all networking components like routers, switches, firewalls, servers, and VMs are monitored for fault and performance and evaluated continuously to maintain and optimize their availability.
One important aspect of network monitoring is that it should be proactive.
Finding network security issues and bottlenecks proactively helps in identifying issues at the initial stage.
2. Honeypots
Honeypots are traps which are set to detect attempts at any unauthorized use of information systems, with a view to learning from the attacks to further improve computer security.
Honeypots are primarily deployed to distract would-be attackers from the real servers.
Using a honeypot may give you the opportunity to detect and respond to an attack (on the bogus network) before the attackers are able to do any real harm.
Honeypots have long been used to track attackers' activity and defend against coming threats.
Honeypot Types
Based on deployment, honeypots may be classified into two types:
Research Honeypot: A research honeypot is used to study the tactics and techniques of intruders. It is used as a watch post to see how an attacker works when compromising a system.
Production Honeypot: These are primarily used for detection and to protect an organization's production network. The main purpose of a production honeypot is to help improve the overall state of security in an organization.
3. IP Trace-backs
IP traceback is any method for reliably determining the origin of a packet on the Internet.
The IP protocol does not provide for the authentication of the source IP address of an IP packet, enabling the source address to be falsified in a strategy called IP address spoofing, and creating potential Internet security and stability problems.
Therefore, IP traceback is critical for identifying sources of attacks and instituting protection measures for the Internet.
IP Trace-backs and its Approaches
One of the ways to achieve IP traceback is hop-by-hop link testing. When an attack is launched, the network administrator will log into the router closest to the victim and analyse the packet flow to determine the origin of the malicious packets.
IP traceback techniques can be classified into two approaches: pro-active or reactive.
A pro-active approach locates the source after the attack by looking at the record files and logs of the network.
A reactive approach locates the attacker in flight, when the attack is detected by specialised hardware.
4. Firewall
A firewall is a network security device, either hardware or software based, which monitors all incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects or drops that specific traffic.
Accept: allow the traffic
Reject: block the traffic but reply with an "unreachable error"
Drop: block the traffic with no reply
A firewall establishes a barrier between secured internal networks and an outside untrusted network, such as the Internet.
How Firewall Works
A firewall matches the network traffic against the rule set defined in its table.
Once a rule is matched, the associated action is applied to the network traffic.
For example, a rule may be defined such that no employee from the HR department can access data from the code server, while at the same time another rule is defined such that the system administrator can access data from both the HR and technical departments.
Rules can be defined on the firewall based on the necessity and security policies of the organization.
From the perspective of a server, network traffic can be either outgoing or incoming. The firewall maintains distinct sets of rules for both cases. Mostly, outgoing traffic, originated from the server itself, is allowed to pass.
Still, setting rules on outgoing traffic is always better in order to achieve more security and prevent unwanted communication.
Incoming traffic is treated differently. Most traffic which reaches the firewall is one of these three major Transport Layer protocols: TCP, UDP or ICMP.
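The rule matching just described, as an added example (not part of the lecture): a first-match packet filter with separate inbound and outbound tables, the three actions (accept, reject with an unreachable reply, drop silently) and a constructed version of the HR-versus-sysadmin policy. Subnets, the code-server address and the rule set are all invented for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    direction: str = "in"      # "in" or "out", from the server's point of view


@dataclass(frozen=True)
class Rule:
    action: str                # "accept", "reject" or "drop"
    proto: str = "any"
    src: str = "0.0.0.0/0"     # CIDR; a bare address means a single host
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set on the rule must match the packet."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


# Constructed policy. 10.0.20.0/24 = HR subnet, 10.0.30.0/24 = sysadmin subnet,
# 10.0.1.10 = code server. Rules are evaluated top to bottom, first match wins.
INBOUND = [
    Rule("accept", proto="tcp", src="10.0.30.0/24", dst="10.0.1.10", dport=22),  # sysadmins may SSH in
    Rule("reject", proto="tcp", src="10.0.20.0/24", dst="10.0.1.10"),            # HR may not reach code server
    Rule("accept", proto="tcp", dport=443),                                      # public HTTPS service
    Rule("accept", proto="icmp"),
]
OUTBOUND = [
    Rule("accept", proto="udp", dport=53),
    Rule("accept", proto="tcp", dport=443),
    Rule("drop", proto="tcp", dport=25),   # the server should never send mail directly
]
# Policy for traffic no rule matched: default-deny inbound, default-allow outbound
DEFAULT = {"in": "drop", "out": "accept"}


def filter_packet(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, reply). reject answers the sender with an unreachable
    error; drop and accept send nothing back."""
    rules = INBOUND if pkt.direction == "in" else OUTBOUND
    for rule in rules:
        if rule.matches(pkt):
            action = rule.action
            break
    else:
        action = DEFAULT[pkt.direction]
    reply = "icmp destination-unreachable" if action == "reject" else None
    return action, reply
```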
Types of Firewall
Firewalls are generally of two types: host-based and network-based.
Host-based Firewalls: Host-based firewalls are installed on each network node and control each incoming and outgoing packet. It is a software application or suite of applications that comes as part of the operating system. Host-based firewalls are needed because network firewalls cannot provide protection inside a trusted network. A host firewall protects each host from attacks and unauthorized access.
Network-based Firewalls: Network firewalls function at the network level. In other words, these firewalls filter all incoming and outgoing traffic across the network. It protects the internal network by filtering the traffic using rules defined on the firewall. A network firewall might have two or more network interface cards (NICs). A network-based firewall is usually a dedicated system with proprietary software installed.
5. Intrusion Detection
An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.
It is a software application that scans a network or a system for harmful activity or policy breaches.
Any malicious venture or violation is normally reported either to an administrator or collected centrally using a Security Information and Event Management (SIEM) system.
A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity from false alarms.
Classification of Intrusion Detection System:
IDS is basically classified into 2 types:
1. Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point within the network to examine traffic from all devices on the network.
It performs an observation of passing traffic on the entire subnet and matches the traffic that is passed on the subnet to the collection of known attacks.
Once an attack is identified or abnormal behavior is observed, an alert can be sent to the administrator.
An example of a NIDS is installing it on the subnet where firewalls are located in order to see if someone is trying to crack the firewall.
2. Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on independent hosts or devices on the network.
A HIDS monitors the incoming and outgoing packets from the device only and will alert the administrator if suspicious or malicious activity is detected.
It takes a snapshot of the existing system files and compares it with the previous snapshot. If the analytical system files were edited or deleted, an alert is sent to the administrator to investigate.
An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their layout.
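The snapshot-and-compare check a HIDS performs, which is also the "integrity scanning by taking snapshots" listed earlier under rootkit detection, as an added example (not part of the lecture). It hashes every file under a directory, stores the baseline, and reports which files were modified, deleted or newly added; the directory layout and the tampering it simulates are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def take_snapshot(root: str) -> Dict[str, str]:
    """Walk `root` and record the SHA-256 digest of every regular file,
    keyed by its path relative to `root`."""
    snapshot: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            snapshot[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snapshot


def compare_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return the three things a HIDS alerts on: changed, removed and new files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake system tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        # The baseline must be stored where the monitored host cannot rewrite it
        # (read-only media or a remote server); a kernel rootkit that lies to the
        # scanner is only caught if the baseline and the scanner are trusted.
        stored_baseline = json.loads(json.dumps(take_snapshot(tmp)))

        # Simulated changes: a replaced system binary, a removed config file and
        # an unexpected new file, the kinds of edits the slide says trigger an alert.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "unexpected_helper").write_bytes(b"new file")

        return compare_snapshots(stored_baseline, take_snapshot(tmp))
```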
The Detection Methods of IDS
Signature-based Method:
A signature-based IDS detects attacks on the basis of specific patterns such as the number of bytes or the number of 1's or number of 0's in the network traffic.
It also detects on the basis of already known malicious instruction sequences that are used by malware. The patterns detected by the IDS are known as signatures.
A signature-based IDS can easily detect attacks whose pattern (signature) already exists in the system, but it is quite difficult to detect new malware attacks as their pattern (signature) is not known.
Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown malware attacks, as new malware is developed rapidly.
In an anomaly-based IDS, machine learning is used to create a trustworthy model of normal activity; anything that comes in is compared with that model and is declared suspicious if it is not found in the existing model.
The machine learning based method has better generalization in comparison to a signature-based IDS, as these models can be trained according to the applications and hardware configurations.
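The two detection methods side by side, as an added example (not part of the lecture): a signature matcher that only fires on patterns it already knows, and a minimal learned model of normal traffic (per service, the payload lengths seen during training) that flags unseen services and statistical outliers. The signatures, the training traffic and the test payloads are all constructed for illustration.

```python
import re
import statistics
from typing import Dict, List, Tuple

# Constructed signatures: byte patterns a signature-based IDS searches payloads for.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "SIG-001 directory traversal in request path": re.compile(rb"(\.\./){2,}"),
    "SIG-002 shell command spliced into request": re.compile(rb"[;|`]\s*(cat|sh|wget|curl)\b"),
}


def signature_detect(payload: bytes) -> List[str]:
    """Names of every known signature found in the payload. Anything without a
    signature passes silently, which is exactly the method's blind spot."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


class AnomalyModel:
    """Learned model of 'normal' traffic: for each (protocol, port) pair seen in
    training it keeps the payload lengths, then flags services never seen and
    lengths more than `threshold` standard deviations from the learned mean."""

    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold
        self.lengths: Dict[Tuple[str, int], List[int]] = {}

    def train(self, events: List[Tuple[str, int, bytes]]) -> None:
        for proto, dport, payload in events:
            self.lengths.setdefault((proto, dport), []).append(len(payload))

    def is_anomalous(self, proto: str, dport: int, payload: bytes) -> Tuple[bool, str]:
        key = (proto, dport)
        if key not in self.lengths:
            return True, f"service {proto}/{dport} never seen during training"
        sample = self.lengths[key]
        mean = statistics.fmean(sample)
        stdev = statistics.pstdev(sample) or 1.0   # constant training data: avoid dividing by zero
        z = (len(payload) - mean) / stdev
        if abs(z) > self.threshold:
            return True, f"payload length {len(payload)} is {z:.1f} stdev from normal"
        return False, "consistent with learned model"


# Constructed training traffic: ordinary short HTTP requests and DNS queries.
TRAINING = [("tcp", 80, b"GET /index.html HTTP/1.1\r\n" + b"A" * n)
            for n in (10, 12, 11, 13, 9, 10, 12, 11)]
TRAINING += [("udp", 53, b"\x00" * 40)] * 5


def demo() -> Dict[str, object]:
    model = AnomalyModel()
    model.train(TRAINING)
    return {
        "sig_traversal": signature_detect(b"GET /../../../../etc/passwd HTTP/1.1"),
        "sig_clean": signature_detect(b"GET /index.html HTTP/1.1"),
        "anom_normal": model.is_anomalous("tcp", 80, b"GET /index.html HTTP/1.1\r\n" + b"A" * 11),
        "anom_oversized": model.is_anomalous("tcp", 80, b"POST /upload " + b"B" * 5000),
        "anom_new_port": model.is_anomalous("tcp", 4444, b"hi"),
    }
```

The oversized POST and the never-seen port are caught by the model without any signature for them, while the traversal request is caught only because SIG-001 exists; that is the trade-off the slides describe.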
Comparison of IDS with Firewalls
IDS and firewalls are both related to network security, but an IDS differs from a firewall, as a firewall looks outwardly for intrusions in order to stop them from happening.
Firewalls restrict access between networks to prevent intrusion, and if an attack is from inside the network they do not signal it. An IDS describes a suspected intrusion once it has happened and then signals an alarm.
Attacker goals, capabilities, and motivations; other typical attack methods
Underground Economy:
The underground economy refers to economic transactions that are deemed illegal, either because the goods or services traded are unlawful in nature, or because the transactions fail to comply with governmental reporting requirements.
Digital espionage:
Digital espionage is a form of hacking conducted for either political or economic reasons, such as stealing secret information to engineer new technologies based on the stolen information, or strictly for political reasons.
Cyber warfare:
Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation's computers or information networks through, for example, computer viruses or denial-of-service attacks.
Insider Threat:
An insider threat is a security risk that originates from within the targeted organization. It typically involves a current or former employee or business associate who has access to sensitive information or privileged accounts within the network of an organization, and who misuses this access.
Hacktivism:
Hacktivism is a social or political activist act that is carried out by breaking into and wreaking havoc on a secure computer system. Hacktivism is usually directed at corporate or government targets. The people or groups that carry out hacktivism are referred to as hacktivists.
Advanced Persistent Threat (APT):
An advanced persistent threat is an attack in which an unauthorized user gains access to a system or network and remains there for an extended period of time without being detected.
The term Advanced Persistent Threat (APT) also refers to the threat actor itself, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.