04 Ad8602 Dis Unit 4


Please read this disclaimer before proceeding:

This document is confidential and intended solely for the educational purpose of
RMK Group of Educational Institutions. If you have received this document
through email in error, please notify the system manager. This document
contains proprietary information and is intended only to the respective group /
learning community as intended. If you are not the addressee you should not
disseminate, distribute or copy through e-mail. Please notify the sender
immediately by e-mail if you have received this document by mistake and delete
this document from your system. If you are not the intended recipient you are
notified that disclosing, copying, distributing or taking any action in reliance on
the contents of this information is strictly prohibited.
AD8602 - DATA AND INFORMATION SECURITY

DEPT: AI-DS
BATCH / YEAR: 2020-24 / III
CREATED BY: Ms. MARY SELVAN
Table of Contents

Sl. No. / Topic / Page No.

1. Contents (page 5)
2. Course Objectives (page 6)
3. Pre Requisites (Course Name with Code) (page 8)
4. Syllabus (With Subject Code, Name, LTPC details) (page 10)
5. Course Outcomes (6) (page 12)
6. CO-PO/PSO Mapping (page 14)
7. Lecture Plan (S.No., Topic, No. of Periods, Proposed date, Actual Lecture Date, pertaining CO, Taxonomy level, Mode of Delivery) (page 16)
8. Activity based learning (page 18)
9. Lecture Notes (with Links to Videos, e-book reference, PPTs, Quiz and any other learning materials) (page 20)
10. Assignments (For higher level learning and Evaluation - Examples: Case study, Comprehensive design, etc.) (page 74)
11. Part A Q & A (with K level and CO) (page 76)
12. Part B Qs (with K level and CO) (page 81)
13. Supportive online Certification courses (NPTEL, Swayam, Coursera, Udemy, etc.) (page 83)
14. Real time Applications in day to day life and to Industry (page 85)
15. Content beyond syllabus (page 87)
16. Assessment Schedule (Proposed Date & Actual Date) (page 89)
17. Prescribed Text Books & Reference Books (page 91)
18. Mini Project (page 93)


Course Objectives
• To understand the basics of Number Theory and Security

• To understand and analyze the principles of different encryption techniques

• To understand the security threats and attacks

• To understand and evaluate the need for the different security aspects in real
time applications

• To learn the different applications of information security


Prerequisites

SUBJECT CODE: MA8391
SUBJECT NAME: Probability and Statistics

SUBJECT CODE: CW8691
SUBJECT NAME: Computer Networks

Syllabus

AD8602 DATA AND INFORMATION SECURITY LTPC 3003

UNIT I FUNDAMENTALS OF SECURITY 9

Computer Security Concepts - Threats, Attacks and Assets – Security Functional Requirements – Fundamental Security Design Principles – Attack Surfaces and Attack Trees. Computer Security Strategy – Number Theory: Prime Numbers and Factorization, Modular Arithmetic, GCD and Euclidean Algorithm, Chinese Remainder Theorem, Multiplication Modulo m and the Totient Function, Problems, Fermat and Euler Theorem. Primitive Roots and the Structure of F*p, Numbers in other Bases, Fast Computation of Powers in Z/mZ, Multiplicative Functions, Group Theory, Fields and Problems

UNIT II ENCRYPTION TECHNIQUES AND KEY MANAGEMENT 9

Symmetric Encryption Principles – Data Encryption Standard – Advanced Encryption Standard – Stream Ciphers and RC4 - Cipher Block Modes of Operation – Digital Signatures - Key Distribution - Public Key Cryptosystem: RSA, Elliptic Curve Cryptography - Key Exchange Algorithms: Diffie-Hellman and ElGamal Key Exchange

UNIT III AUTHENTICATION, INTEGRITY AND ACCESS CONTROL 9

Authentication: Secure Hash Function – HMAC – Electronic User Authentication Principles, Password Based Authentication, Token Based and Remote Authentication; Internet Authentication Applications: Kerberos, X.509 – Public Key Infrastructure; Access Control: Access Control Principles - Subjects, Objects, and Access Rights - Discretionary Access Control - Example: UNIX File Access Control – Role Based Access Control - Attribute-Based Access Control - Identity, Credential, and Access Management - Trust Frameworks

UNIT IV SECURITY 9

System Security: Firewall, Viruses, Worms, Ransomware, Keylogger, Greyware, IDS, DDoS; Network Security: SSL – TLS – HTTPS – IP Security; OS Security: Introduction to Operating System Security - System Security Planning - Operating Systems Hardening - Application Security - Security Maintenance - Linux/Unix Security - Windows Security - Virtualization Security; Wireless Security: Risks and Threats of Wireless - Wireless LAN Security - Wireless Security Policy - Wireless Security Architectures - Wireless Security Tools

UNIT V SECURITY APPLICATIONS 9

IoT Security: Introduction - Architectures - Security challenges - Security requirements - Trust, Data confidentiality, and privacy in IoT - Security in future IoT systems; Cloud Security: Security requirements - Security patterns and Architectural elements - Cloud Security Architecture - Security Management in the Cloud - Availability Management - SaaS Availability Management - PaaS Availability Management - IaaS Availability Management - Access control - Security Vulnerability, Patch and Configuration Management.

Course Outcomes

CO#  | COs                                                                                              | K Level
CO1  | Understand the fundamentals of security and the significance of number theory in computer security | K1
CO2  | Learn the public key cryptographic standards and authentication scheme                           | K3
CO3  | Able to apply the security frameworks for real time applications                                 | K2
CO4  | Understand the security threats and attacks in IoT, Cloud                                        | K3
CO5  | Able to develop appropriate security algorithms understanding the possible threats               | K3

Knowledge Level | Description
K6              | Evaluation
K5              | Synthesis
K4              | Analysis
K3              | Application
K2              | Comprehension
K1              | Knowledge

CO – PO/PSO Mapping Matrix

CO#  PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 PO12 PSO1 PSO2 PSO3
CO1  3   3   3   1   -   2   -   -   -   -    -    -    1    2    1
CO2  3   3   3   1   -   2   -   -   -   -    -    -    1    2    1
CO3  3   2   3   1   -   2   -   -   -   -    -    -    1    2    1
CO4  3   2   3   1   -   2   -   -   -   -    -    -    1    2    1
CO5  3   2   3   1   -   2   -   -   -   -    -    -    1    2    1

1 – Low, 2 – Medium, 3 – Strong


Lecture Plan – Unit 4 - SECURITY

Columns: Sl. No. | Topic | Number of Periods | Proposed Date | Actual Lecture Date | CO | Taxonomy Level | Mode of Delivery

1 | System Security: Firewall, Viruses, Worms, Ransomware, Keylogger, Greyware, IDS, DDoS | 1 | | | CO4 | K3 | PPT / Chalk & Talk
2 | Network Security: SSL – TLS – HTTPS | 1 | | | CO5 | K3 | PPT / Chalk & Talk
3 | IP Security | 1 | | | CO4 | K3 | PPT / Chalk & Talk
4 | OS Security: Introduction to Operating System Security - System Security Planning | 1 | | | CO4 | K3 | PPT / Chalk & Talk
5 | Operating Systems Hardening - Application Security - Security Maintenance | 1 | | | CO4 | K3 | PPT / Chalk & Talk
6 | Linux/Unix Security - Windows Security | 1 | | | CO5 | K3 | PPT / Chalk & Talk
7 | Virtualization Security | 1 | | | CO5 | K3 | PPT / Chalk & Talk
8 | Wireless Security: Risks and Threats of Wireless - Wireless LAN Security | 1 | | | CO5 | K3 | PPT / Chalk & Talk
9 | Wireless Security Policy - Wireless Security Architectures - Wireless Security Tools | 1 | | | CO5 | K3 | PPT / Chalk & Talk

Activity Based Learning – Unit IV

Lecture Notes – Unit 4

UNIT IV - SECURITY

Firewall

Information systems in corporations, government agencies, and other organizations have evolved through the following stages:

• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals
• Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe
• Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two
• Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN)
• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN

However, while Internet access provides benefits to the organization, it also enables the outside world to reach and interact with local network assets. This creates a threat to the organization.

Firewall Characteristics
• All traffic from inside to outside, and vice versa, must pass through the firewall.
• Only authorized traffic, as defined by the local security policy, will be allowed to pass.
• The firewall itself is immune to penetration.

Limitations of Firewall
• The firewall cannot protect against attacks that bypass the firewall.
• The firewall does not protect against internal threats, such as a disgruntled employee
or an employee who unwittingly cooperates with an external attacker.
• The firewall cannot protect against the transfer of virus-infected programs or files.

Types of Firewalls
1. packet filters
2. application-level gateways
3. circuit-level gateways
Packet-Filtering Router

A packet-filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. Filtering rules are based on information contained in the network packet: source IP address, destination IP address, source and destination transport-level address (port), IP protocol field, and the interface on which the packet arrives or leaves.

The packet filter is typically set up as a list of rules based on matches to fields in the IP
or TCP header. If there is a match to one of the rules, that rule is invoked to determine
whether to forward or discard the packet. If there is no match to any rule, then a default
action is taken.

Two default policies are possible:

Default = discard (That which is not expressly permitted is prohibited.)

Default = forward (That which is not expressly prohibited is permitted.)

Attacks on Packet Filtering Router and its Countermeasures

IP address spoofing

The intruder transmits packets from the outside with a source IP address field containing
an address of an internal host (spoofed address). The countermeasure is to discard
packets with an inside source address if the packet arrives on an external interface.

Source routing attacks

The source station specifies the route that a packet should take as it crosses the
Internet, in the hopes that this will bypass security measures that do not analyze the
source routing information. The countermeasure is to discard all packets that use this
option.

Tiny fragment attacks

The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. Typically, a packet filter will make a filtering decision on the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the basis that they are part of the packet whose first fragment was rejected.

A countermeasure is to enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.
Application-Level Gateway

An application-level gateway, also called a proxy server, acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.

Application-level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. In addition, it is easy to log and audit all incoming traffic at the application level.

A prime disadvantage of this type of gateway is the additional processing overhead on each connection.

Circuit-Level Gateway

A third type of firewall is the circuit-level gateway. A circuit-level gateway does not permit
an end-to-end TCP connection; instead, the gateway sets up two TCP connections,

1. between itself and a TCP user on an inner host

2. between itself and a TCP user on an outside host.

Once the two connections are established, the gateway typically relays TCP segments
from one connection to the other without examining the contents. A typical use of circuit-
level gateways is a situation in which the system administrator trusts the internal users.
The gateway can be configured to support application-level or proxy service on inbound
connections and circuit-level functions for outbound connections. The gateway incurs the
processing overhead of examining incoming application data for forbidden functions but
does not incur that overhead on outgoing data.
Bastion Host

A bastion host is a system identified by the firewall administrator as a critical strong point
in the network's security. Typically, the bastion host serves as a platform for an
application-level or circuit level gateway.

Common characteristics

• The bastion host hardware platform executes a secure version of its operating system,
making it a trusted system.

• Only the services like Telnet, DNS, FTP, SMTP, and user authentication that the
network administrator considers essential are installed on the bastion host.

• The bastion host may require additional authentication before a user is allowed access
to the proxy services.

• Each proxy is configured to support only a subset of the standard application's command set.

• Each proxy is configured to allow access only to specific host systems. This means that
the limited command/feature set may be applied only to a subset of systems on the
protected network.

• Each proxy maintains detailed audit information by logging all traffic, each connection,
and the duration of each connection. The audit log is an essential tool for discovering
and terminating intruder attacks.

• Each proxy module is a very small software package specifically designed for network
security. Because of its relative simplicity, it is easier to check such modules for security
flaws. For example, a typical UNIX mail application may contain over 20,000 lines of
code, while a mail proxy may contain fewer than 1000.

• Each proxy is independent of other proxies on the bastion host. If there is a problem
with the operation of any proxy, or if a future vulnerability is discovered, it can be
uninstalled without affecting the operation of the other proxy applications. Also, if the
user population requires support for a new service, the network administrator can
easily install the required proxy on the bastion host.
• A proxy generally performs no disk access other than to read its initial configuration
file. Hence, the portions of the file system containing executable code can be made
read only. This makes it difficult for an intruder to install Trojan horse sniffers or other
dangerous files on the bastion host.
• Each proxy runs as a nonprivileged user in a private and secured directory on the
bastion host.
Firewall Location and Configurations

A firewall is positioned to provide a protective barrier between an external (potentially untrusted) source of traffic and an internal network. With that general principle in mind, a security administrator must decide on the location and on the number of firewalls needed. In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible. There are three such configurations:

1. Screened host firewall, single-homed bastion configuration:
   • The firewall consists of two systems: a packet-filtering router and a bastion host.
   • Configuration for the packet-filtering router: only packets from and to the bastion host are allowed to pass through the router.
   • The bastion host performs authentication and proxy functions.
   • Greater security than single-system configurations, for two reasons: this configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy), and an intruder must generally penetrate two separate systems.
   • This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server).
2. Screened host firewall, dual-homed bastion configuration:
   • Guards against the case in which the packet-filtering router is completely compromised.
   • Traffic between the Internet and other hosts on the private network has to flow through the bastion host.

3. Screened subnet firewall configuration:
   • Most secure configuration of the three.
   • Two packet-filtering routers are used.
   • Creation of an isolated sub-network.

   Advantages:
   • Three levels of defense to thwart intruders.
   • The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet).
   • The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet).
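The rule-list-then-default logic of the packet-filtering router, the three countermeasures (spoofed inside addresses, source routing, tiny fragments) and the screened-host router policy ("only packets from and to the bastion host pass") combined in one toy stateless packet filter. This is an added example written for these notes, not code from the original; the addresses, the rule and packet fields and the 20-byte fragment threshold are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed values for this example (not from the notes).
INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed private address space
BASTION = "10.0.0.5"                      # assumed bastion host address
MIN_FIRST_FRAG_TRANSPORT = 20             # assumed minimum transport-header bytes in fragment 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int]         # destination port, None when not applicable
    iface: str                   # "ext" (Internet side) or "int" (private side)
    pkt_id: int = 0              # IP identification field, shared by all fragments
    frag_offset: int = 0         # 0 for the first (or only) fragment
    transport_bytes: int = 64    # bytes of transport header present in this fragment
    source_routed: bool = False  # IP source-route option present


@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    src: Optional[str] = None    # CIDR, or None for any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set in the rule must match the packet."""
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        return True


class PacketFilter:
    def __init__(self, rules: List[Rule], default: str = "discard"):
        self.rules = rules
        self.default = default                            # "discard": not expressly permitted is prohibited
        self.rejected: Set[Tuple[str, str, int]] = set()  # first fragments already rejected

    def decide(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason). The countermeasure checks run before the rule list."""
        key = (p.src, p.dst, p.pkt_id)
        # Countermeasure 1 (IP address spoofing): an inside source address must
        # never arrive on the external interface.
        if p.iface == "ext" and ip_address(p.src) in INTERNAL_NET:
            return "discard", "spoofed internal source on external interface"
        # Countermeasure 2 (source routing): drop every packet carrying the option.
        if p.source_routed:
            return "discard", "source routing option"
        # Countermeasure 3 (tiny fragments): later fragments are judged by what
        # happened to the first one, and the first one must carry enough of the
        # transport header for the rule list to examine it.
        if p.frag_offset > 0:
            if key in self.rejected:
                return "discard", "fragment of rejected packet"
            return "forward", "non-first fragment of accepted packet"
        if p.transport_bytes < MIN_FIRST_FRAG_TRANSPORT:
            self.rejected.add(key)
            return "discard", "tiny first fragment"
        # Ordinary rule list: first match wins, otherwise the default policy applies.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "discard":
                    self.rejected.add(key)
                return rule.action, "rule match"
        if self.default == "discard":
            self.rejected.add(key)
        return self.default, "default policy"


# Screened-host rule set: only traffic to and from the bastion host crosses the router.
SCREENED_HOST_RULES = [
    Rule("forward", dst=BASTION + "/32", iface="ext"),   # Internet -> bastion
    Rule("forward", src=BASTION + "/32", iface="int"),   # bastion -> Internet
]


if __name__ == "__main__":
    fw = PacketFilter(SCREENED_HOST_RULES)
    for pkt in [
        Packet("203.0.113.7", BASTION, "tcp", 25, "ext", pkt_id=1),      # allowed
        Packet("203.0.113.7", "10.0.0.9", "tcp", 25, "ext", pkt_id=2),   # bypasses bastion
        Packet("10.0.0.9", BASTION, "tcp", 25, "ext", pkt_id=3),         # spoofed
        Packet("203.0.113.7", BASTION, "tcp", 25, "ext", pkt_id=4, transport_bytes=8),
        Packet("203.0.113.7", BASTION, "tcp", None, "ext", pkt_id=4, frag_offset=1),
    ]:
        print(pkt.src, "->", pkt.dst, fw.decide(pkt))
```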

Viruses and Related Threats

Most threats to computer systems come from malicious programs that exploit vulnerabilities in the system's software.
Malicious Programs

S.No | Name                  | Description
1    | Virus                 | Attaches itself to a program and propagates copies of itself to other programs
2    | Worm                  | Program that propagates copies of itself to other computers
3    | Logic bomb            | Triggers action when condition occurs
4    | Trojan horse          | Program that contains unexpected additional functionality
5    | Backdoor (trapdoor)   | Program modification that allows unauthorized access to functionality
6    | Exploits              | Code specific to a single vulnerability or set of vulnerabilities
7    | Downloaders           | Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail.
8    | Auto-rooter           | Malicious hacker tools used to break into new machines remotely
9    | Kit (virus generator) | Set of tools for generating new viruses automatically
10   | Spammer programs      | Used to send large volumes of unwanted e-mail
11   | Flooders              | Used to attack networked computer systems with a large volume of traffic to carry out a denial of service (DoS) attack
12   | Keyloggers            | Captures keystrokes on a compromised system
13   | Rootkit               | Set of hacker tools used after attacker has broken into a computer system and gained root-level access
14   | Zombie                | Program activated on an infected machine that is activated to launch attacks on other machines
Malicious software can be divided into two categories:

i. those that need a host program. Viruses, logic bombs, and backdoors are examples.

ii. those that are independent. Worms and zombie programs are examples.

Similarly, software threats can be classified by whether or not they replicate:

i. software threats that do not replicate: programs or fragments of programs that are activated by a trigger. Examples are logic bombs, backdoors, and zombie programs.

ii. software threats that replicate: a program fragment or an independent program that, when executed, may produce one or more copies of itself to be activated later on the same system or some other system. Viruses and worms are examples.

Backdoor

A backdoor, also known as a trapdoor, allows users to gain access without passing through the usual security access procedures. It can also be described as a secret entry point into a program. Backdoors have mainly been used legitimately by programmers to debug and test the programs they develop. A backdoor becomes a threat when unscrupulous programmers use it to gain unauthorized access. It is difficult to implement OS controls for backdoors.

Logic Bomb

One of the oldest types of program threat, predating viruses and worms, is the logic bomb. Code is embedded in a legitimate program and "explodes" when certain conditions are met; this embedded code is termed a logic bomb. Triggers can be the presence or absence of certain files, a particular day of the week or date, or a particular user running the application. Once any of the specified conditions (triggers) is satisfied, a bomb may alter or delete data or entire files, cause a machine halt, or do some other damage.

Trojan Horses

A Trojan horse is a useful, or apparently useful, program that contains hidden code which, when invoked, performs some unwanted or harmful function. Trojan horse programs can be used to perform functions indirectly that an unauthorized user could not perform directly.
For example, to gain access to the files of another user on a shared system, a user
could create a Trojan horse program that, when executed, changed the invoking user's
file permissions so that the files are readable by any user. An example of a Trojan horse
program that would be difficult to detect is a compiler that has been modified to insert
additional code into certain programs as they are compiled, such as a system login
program. The code creates a backdoor in the login program that permits the author to
log on to the system using a special password. This Trojan horse can never be
discovered by reading the source code of the login program. Another common motivation
for the Trojan horse is data destruction. The program appears to be performing a useful
function (e.g., a calculator program), but it may also be quietly deleting the user's files.
Zombie

A zombie is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie's creator. Zombies are used in denial-of-service attacks, typically against targeted Web sites. The zombie is planted on hundreds of computers belonging to unsuspecting third parties, and then used to overwhelm the target Web site by launching an overwhelming onslaught of Internet traffic.
The Nature of Viruses

A virus is a piece of software that infects other programs by modifying them. The modification consists of attaching a copy of the virus program to a legitimate program, which then affects the system or other programs. A computer virus carries in its instructional code the recipe for making perfect copies of itself. A virus can do anything that other programs do. The typical virus becomes embedded in a program on a computer. Then, whenever the infected computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into the new program. The only difference from an ordinary program is that the virus attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs. Thus, the infection can be spread from computer to computer by unsuspecting users who send programs to one another over a network. In a network environment, the ability to access applications and system services on other computers provides a perfect culture for the spread of a virus.
A typical virus goes through the following four phases:

Dormant phase: In this phase the virus is idle. It will be activated by some event, such as a date or the presence of a file. Not all viruses have this stage.

Propagation phase: In this phase the virus places an identical copy of itself into other programs. Each infected program will contain a copy of the virus (clone), which will itself enter a propagation phase.

Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.

Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

Virus Structure

A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.
The infected program begins with the virus code and works as follows.

1. The first line of code is a jump to the main virus program.

2. The second line is a special marker that is used by the virus to determine whether or
not a potential victim program has already been infected with this virus.

3. When the program is invoked, control is immediately transferred to the main virus
program.

4. The virus program may first seek out uninfected executable files and infect them.

5. Next, the virus may perform some action, usually detrimental to the system.

6. This action could be performed every time the program is invoked, or it could be a
logic bomb that triggers only under certain conditions.

7. Finally, the virus transfers control to the original program. If the infection phase of the
program is reasonably rapid, a user is unlikely to notice any difference between the
execution of an infected and an uninfected program.

A virus is easily detected because an infected version of a program is longer than the
corresponding uninfected one. A way to thwart such a simple means of detecting a virus
is to compress the executable file so that both the infected and uninfected versions are
of identical length.
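A simple integrity check that turns the length observation above into something a host-based tool can run: record each executable's size and SHA-256 once, then report files that grew (the length check) or whose content changed at the same length (which the length check alone would miss, as the compression trick shows). This is an added example, not from the notes; the directory layout and file contents are constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, Tuple

Fingerprint = Tuple[int, str]          # (size in bytes, SHA-256 hex digest)


def fingerprint(path: str) -> Fingerprint:
    """Size and SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(root: str) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file under root, keyed by path relative to root."""
    baseline: Dict[str, Fingerprint] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def check_integrity(root: str, baseline: Dict[str, Fingerprint]) -> Dict[str, str]:
    """Compare root against the baseline. Returns {relative path: finding}."""
    findings: Dict[str, str] = {}
    current = build_baseline(root)
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            findings[rel] = "new file"
            continue
        base_size, base_digest = baseline[rel]
        if digest == base_digest:
            continue                                   # unchanged
        if size > base_size:
            findings[rel] = f"grew by {size - base_size} bytes"   # the simple length check
        else:
            findings[rel] = "content changed, length unchanged"  # length check alone misses this
    for rel in baseline:
        if rel not in current:
            findings[rel] = "missing"
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: two 'programs' in a temporary directory; one gets
    extra bytes placed in front of it, the other is altered in place so that its
    length does not change."""
    with tempfile.TemporaryDirectory() as root:
        prog_a = os.path.join(root, "bin", "prog_a")
        prog_b = os.path.join(root, "bin", "prog_b")
        os.makedirs(os.path.dirname(prog_a))
        with open(prog_a, "wb") as f:
            f.write(b"ORIGINAL-PROGRAM-A" * 8)
        with open(prog_b, "wb") as f:
            f.write(b"ORIGINAL-PROGRAM-B" * 8)
        baseline = build_baseline(root)      # taken while the files are known good

        # Modification 1: 11 extra bytes in front of prog_a (file gets longer).
        with open(prog_a, "rb") as f:
            original = f.read()
        with open(prog_a, "wb") as f:
            f.write(b"EXTRA-CODE-" + original)
        # Modification 2: prog_b overwritten in place, same length as before.
        with open(prog_b, "r+b") as f:
            f.seek(0)
            f.write(b"MODIFIED")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for path, finding in demo().items():
        print(path, ":", finding)
```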

Types of Viruses

Parasitic virus

The traditional and still most common form of virus. A parasitic virus attaches itself to
executable files and replicates, when the infected program is executed, by finding other
executable files to infect.

Memory-resident virus

Lodges in main memory as part of a resident system program. From that point on, the
virus infects every program that executes.
Boot sector virus
Infects a master boot record or boot record and spreads when a system is booted from
the disk containing the virus.
Stealth virus
A form of virus explicitly designed to hide itself from detection by antivirus software.
Polymorphic virus
A virus that mutates with every infection, making detection by the "signature" of the
virus impossible.
Metamorphic virus
As with a polymorphic virus, a metamorphic virus mutates with every infection. The
difference is that a metamorphic virus rewrites itself completely at each iteration,
increasing the difficulty of detection. Metamorphic viruses may change their behavior as
well as their appearance.
Macro Viruses
A macro virus is platform independent. Macro viruses are easily spread. Virtually all of
the macro viruses infect Microsoft Word documents. Macro viruses infect documents, not
executable portions of code. Most of the information introduced onto a computer system
is in the form of a document rather than a program. Macro viruses take advantage of a
feature found in Word and other office applications such as Microsoft Excel, namely the
macro.
E-mail Virus
A more recent development in malicious software is the e-mail virus. The first rapidly
spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro
embedded in an attachment. If the recipient opens the e-mail attachment, the Word
macro is activated. Then the e-mail virus sends itself to everyone on the mailing list in
the user's e-mail package. The virus does local damage. A new virus which can be
activated merely by opening an e-mail that contains the virus rather than opening an
attachment. The virus uses the Visual Basic scripting language supported by the e-mail
package.
Worm
A worm is a program that can replicate itself and send copies from computer to computer
across network connections. Upon arrival, the worm may be activated to replicate and
propagate again. In addition to propagation, the worm usually performs some unwanted
function. A worm actively seeks out more machines to infect and each machine that is
infected serves as an automated launching pad for attacks on other machines.

Virus Countermeasures

Antivirus Approaches

The ideal solution to the threat of viruses is prevention. If prevention fails, the following steps are taken in order:

Detection: Once the infection has occurred, determine that it has occurred and locate the virus.

Identification: Once detection has been achieved, identify the specific virus that has infected a program.

Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the disease cannot spread further.

Four generations of antivirus software

First generation: simple scanners
Second generation: heuristic scanners
Third generation: activity traps
Fourth generation: full-featured protection

RANSOMWARE:
Ransomware is a form of malware that locks the user out of their files or their device,
then demands a payment to restore access. Ransomware attackers hit businesses,
organizations, and individuals alike.
KEYLOGGER:
Keyloggers, or keystroke loggers, are tools that record what a person types on a device.
While there are legitimate and legal uses for keyloggers, many uses for keyloggers are
malicious. In a keylogger attack, the keylogger software records every keystroke on the
victim's device and sends it to the attacker.
GREYWARE:
Grayware, unwanted applications or files that are not classified as malware, but can
worsen the performance of computers and cause security risks.
INTRUSION DETECTION SYSTEM:
• An IDS is defined as the tools, methods, and resources that help identify, assess, and report unauthorized or unapproved network activity.
• An IDS detects activity in traffic that may or may not be an intrusion.
• IDSes can detect and deal with insider attacks as well as external attacks, and are often very useful in detecting violations of corporate security policy and other internal threats.
Host Based Intrusion Detection
• Are usually installed on servers and are more focused on analyzing the specific
operating systems and applications, resource utilization and other system activity
residing on the Host-based IDS host.
• It will log any activities it discovers to a secure database and check to see whether the
events match any malicious event record listed in the knowledge base.
• Host-based IDS are often critical in detecting internal attacks directed towards an
organization’s servers such as DNS, Mail, and Web Servers.
Network Based Intrusion Detection
• Are dedicated network devices distributed within networks that monitor and inspect
network traffic flowing through the device.
• Instead of analyzing information that originates and resides on a host, Network-based
IDS uses packet sniffing techniques to pull data from TCP/IP packets or other protocols
that are traveling along the network.
• Most Network-based IDS log their activities and report or alarm on questionable events.
• Network-based IDS work best when located on the DMZ, on any subnets containing
mission critical servers and just inside the firewall.
Host Based IDS:
• Narrow in scope (watches only specific host activities)
• More complex setup
• Better for detecting attacks from the inside
• More expensive to implement
• Detection is based on what any single host can record
• Does not see packet headers
• Usually only responds after a suspicious log entry has been made
• OS-specific
• Detects local attacks before they hit the network
• Verifies success or failure of attacks

Network Based IDS:
• Broad in scope (watches all network activities)
• Easier setup
• Better for detecting attacks from the outside
• Less expensive to implement
• Detection is based on what can be recorded on the entire network
• Examines packet headers
• Near real-time response
• OS-independent
• Detects network attacks as payload is analyzed
• Detects unsuccessful attack attempts

Hybrid Intrusion Detection

Are systems that combine both Host-based IDS, which monitors events occurring on the
host system and Network-based IDS, which monitors network traffic, functionality on the
same security platform.

A Hybrid IDS, can monitor system and application events and verify a file system’s
integrity like a Host-based IDS, but only serves to analyze network traffic destined for the
device itself.

A Hybrid IDS is often deployed on an organization’s most critical servers.

Denial-of-Service (DoS) Attack

Denial of service is a form of attack on the availability of some service. In the context of
computer and communications security, the focus is generally on network services that
are attacked over their network connection. We distinguish this form of attack on
availability from other attacks, such as the classic acts of god, that cause damage or
destruction of IT infrastructure and consequent loss of service.
NIST SP 800-61 (Computer Security Incident Handling Guide , August 2012) defines denial-
of-service (DoS) attack as follows:
A denial of service (DoS) is an action that prevents or impairs the authorized use of
networks, systems, or applications by exhausting resources such as central processing
units (CPU), memory, bandwidth, and disk space.

Distributed Denial of Service (DDoS) Attacks

Figure: how a DDoS botnet is formed
• Use of multiple systems to generate attacks.
• Attacker uses a flaw in operating system or in a common application to gain access and
installs their program on it (zombie).
• Large collections of such systems under the control of one attacker can be created,
forming a botnet.

Recognizing the limitations of flooding attacks generated by a single system, one
of the earlier significant developments in DoS attack tools was the use of multiple systems
to generate attacks. These systems were typically compromised user workstations or PCs.
The attacker uses malware to subvert the system and to install an attack agent, which
they can control. Such systems are known as zombies. Large collections of such systems
under the control of one attacker can be created, collectively forming a botnet. Such
networks of compromised systems are a favorite tool of attackers, and can be used for a
variety of purposes, including distributed denial-of-service (DDoS) attacks. Indeed, there is
an underground economy that creates and hires out botnets for use in such attacks. Reports
provide evidence that 40% of DDoS attacks in 2015 were from such botnets for hire. In the
example network shown in Figure, some of the broadband user systems may be
compromised and used as zombies to attack any of the company or other links shown.
Many other DDoS tools have been developed since. Instead of using dedicated
handler programs, many now use an IRC or similar instant messaging server program to
manage communications with the agents. Many of these more recent tools also use
cryptographic mechanisms to authenticate the agents to the handlers, in order to hinder
analysis of command traffic.
The best defense against being an unwitting participant in a DDoS attack is to
prevent your systems from being compromised. This requires good system security
practices and keeping the operating systems and applications on such systems current and
patched.
For the target of a DDoS attack, the response is the same as for any flooding
attack, but with greater volume and complexity.

While the attacker could command each zombie individually, more generally a
control hierarchy is used. A small number of systems act as handlers controlling a much
larger number of agent systems, as shown in Figure 7.4. There are a number of
advantages to this arrangement. The attacker can send a single command to a handler,
which then automatically forwards it to all the agents under its control. Automated
infection tools can also be used to scan for and compromise suitable zombie systems. Once
the agent software is uploaded to a newly compromised system, it can contact one or more
handlers to automatically notify them of its availability. By this means, the attacker can
automatically grow suitable botnets.
One of the earliest and best-known DDoS tools is Tribe Flood Network (TFN),
written by the hacker known as Mixter. The original variant from the 1990s exploited Sun
Solaris systems. It was later rewritten as Tribe Flood Network 2000 (TFN2K) and could
run on UNIX, Solaris, and Windows NT systems. TFN and TFN2K use a version of the two-
layer command hierarchy shown in Figure 7.4. The agent was a Trojan program that was
copied to and run on compromised, zombie systems. It was capable of implementing
ICMP flood, SYN flood, UDP flood, and ICMP amplification forms of DoS attacks. TFN did
not spoof source addresses in the attack packets. Rather it relied on a large number of
compromised systems, and the layered command structure, to obscure the path back to
the attacker.

The handler was simply a command-line program run on some compromised
systems. The attacker accessed these systems using any suitable mechanism giving shell
access, and then ran the handler program with the desired options. Each handler could
control a large number of agent systems, identified using a supplied list.

Communications between the handler and its agents was encrypted and could be
intermixed with a number of decoy packets. This hindered attempts to monitor and
analyze the control traffic. Both these communications and the attacks themselves could
be sent via randomized TCP, UDP, and ICMP packets. This tool demonstrates the typical
capabilities of a DDoS attack system.

Many other DDoS tools have been developed since. Instead of using dedicated
handler programs, many now use an IRC or similar instant messaging server program, or
web-based HTTP servers, to manage communications with the agents.

SSL (Secure Socket Layer)


SSL is a transport layer security service originally developed by Netscape. Version 3,
designed with public input, subsequently became the Internet standard known as TLS
(Transport Layer Security). SSL makes use of TCP to provide a reliable end-to-end secure
service. SSL has two layers of protocols.
Layers of Security:

Establish a session
• Agree on algorithms
• Share secrets
• Perform authentication
Transfer application data
Ensure privacy and integrity
Architecture:
• Record Protocol to transfer application and TLS information
• A session is established using a Handshake Protocol

Figure: SSL protocol stack. The Handshake Protocol, the Change Cipher Spec Protocol and the
Alert Protocol all run on top of the TLS Record Protocol.



Handshake
• Negotiate cipher-suite algorithms:
o Symmetric cipher to use
o Key exchange method
o Message digest function
• Establish and share master secret
• Optionally authenticate server and/or client

Handshake phases:
• Hello messages
• Certificate and Key Exchange messages
• Change CipherSpec and Finished messages

SSL Messages (client side and server side, as shown in the figure)
• Client: offers its cipher suite menu to the server.
• Server: selects a cipher suite.
• Server: sends its certificate and chain to the CA root.
• Server: sends its public key, used to encrypt the symmetric key.
• Server: negotiation finished (server checks options).
• Client: sends the encrypted symmetric key.
• Client: activates encryption (client checks options); client portion done.
• Server: activates encryption; server portion done.
• Now the parties can use symmetric encryption.
Web Security
• Web now widely used by business, government, individuals
• but Internet & Web are vulnerable
• have a variety of threats
o integrity
o confidentiality
o denial of service
o authentication
• need added security mechanisms
SSL Architecture

• SSL session
o an association between client & server
o created by the Handshake Protocol
o defines a set of cryptographic parameters
o may be shared by multiple SSL connections
• SSL connection
o a transient, peer-to-peer, communications link
o associated with 1 SSL session

SSL Record Protocol


• Confidentiality
o using symmetric encryption with a shared secret key defined by Handshake
Protocol
o IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
o message is compressed before encryption
• Message integrity
o using a MAC with shared secret key
o similar to HMAC but with different padding
SSL Change Cipher Spec Protocol
o one of 3 SSL specific protocols which use the SSL Record protocol
o a single message
o causes pending state to become current
o hence updating the cipher suite in use

SSL Alert Protocol


• conveys SSL-related alerts to peer entity
• severity
o warning or fatal
• specific alert
o unexpected message, bad record mac, decompression failure, handshake failure,
illegal parameter
o close notify, no certificate, bad certificate, unsupported certificate, certificate
revoked, certificate expired, certificate unknown
• compressed & encrypted like all SSL data

SSL Handshake Protocol


• allows server & client to:
o authenticate each other
o to negotiate encryption & MAC algorithms
o to negotiate cryptographic keys to be used
• comprises a series of messages in phases
o Establish Security Capabilities
o Server Authentication and Key Exchange
o Client Authentication and Key Exchange
o Finish
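As an added example (not part of the course notes), the following parses the Record Protocol framing, Alert Protocol messages and a ClientHello from the Handshake Protocol described above, and performs the server's cipher-suite selection from the SSL Messages figure. The server preference list, the sample ClientHello and the close_notify record are constructed here; the code points and alert numbers are those of RFC 5246.

```python
import os
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALERT, HANDSHAKE = 21, 22  # Record Protocol content types (RFC 5246, section 6.2.1)
CLIENT_HELLO = 1           # HandshakeType client_hello
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # RFC 5246, section 7.2; 41 (no_certificate) exists only in SSLv3
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
}
CIPHER_SUITES = {  # IANA code points for the suites used in the constructed sample
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Constructed server preference list, strongest first; RC4 is deliberately absent.
SERVER_PREFERENCE = [0xC030, 0xC02F, 0x002F]


@dataclass
class ClientHello:
    version: Tuple[int, int]   # (3, 3) is TLS 1.2
    random: bytes              # 32 bytes: gmt_unix_time(4) + random_bytes(28)
    session_id: bytes
    cipher_suites: List[int]   # the cipher suite "menu" the client offers

def parse_record(buf: bytes) -> Tuple[int, Tuple[int, int], bytes, bytes]:
    """Split one record off buf: type(1) | version(2) | length(2) | fragment.
    Returns (content_type, version, fragment, remaining) and never reads past buf."""
    if len(buf) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if length > 2 ** 14 + 2048:  # TLSCiphertext.length upper bound
        raise ValueError("record length exceeds protocol maximum")
    if len(buf) < 5 + length:
        raise ValueError("truncated record body")
    return ctype, (major, minor), buf[5:5 + length], buf[5 + length:]

def parse_alert(fragment: bytes) -> Tuple[str, str]:
    """Alert Protocol: exactly two bytes, AlertLevel then AlertDescription."""
    if len(fragment) != 2:
        raise ValueError("alert must be exactly 2 bytes")
    level, desc = fragment[0], fragment[1]
    return ALERT_LEVELS.get(level, f"level_{level}"), ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")

def parse_client_hello(fragment: bytes) -> ClientHello:
    """Handshake Protocol: msg_type(1) | length(3) | ClientHello body."""
    if len(fragment) < 4 or fragment[0] != CLIENT_HELLO:
        raise ValueError("expected a client_hello handshake message")
    body_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + body_len]
    if len(body) != body_len or body_len < 41:  # 41 bytes is the smallest legal ClientHello
        raise ValueError("truncated client_hello body")
    version, rand, sid_len = (body[0], body[1]), body[2:34], body[34]
    pos = 35 + sid_len
    cs_len = int.from_bytes(body[pos:pos + 2], "big")  # 0 if the vector is missing
    pos += 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    return ClientHello(version, rand, body[35:35 + sid_len], suites)

def select_cipher_suite(offered: List[int], preference: List[int]) -> Optional[int]:
    """Server negotiation: the first suite in the server's own order that the client
    also offered; None means a fatal handshake_failure alert must be sent instead."""
    offered_set = set(offered)
    return next((s for s in preference if s in offered_set), None)

def build_client_hello(cipher_suites: List[int], session_id: bytes = b"") -> bytes:
    """Construct a TLS 1.2 ClientHello record (sample input for the parser above)."""
    body = bytes([3, 3]) + os.urandom(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += bytes([1, 0])  # one compression method offered: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, 3, 1, len(handshake)) + handshake

def negotiate(stream: bytes, preference: List[int] = SERVER_PREFERENCE) -> dict:
    """Walk a record stream as a server would, dispatching each fragment by content type."""
    result = {"offered": [], "selected": None, "alerts": []}
    while stream:
        ctype, _version, fragment, stream = parse_record(stream)
        if ctype == HANDSHAKE:
            hello = parse_client_hello(fragment)
            result["offered"] = [CIPHER_SUITES.get(s, hex(s)) for s in hello.cipher_suites]
            result["selected"] = select_cipher_suite(hello.cipher_suites, preference)
        elif ctype == ALERT:
            result["alerts"].append(parse_alert(fragment))
        else:
            raise ValueError(f"unexpected content type {ctype} during handshake")
    return result

# Constructed sample stream: a three-suite ClientHello followed by a warning-level close_notify.
SAMPLE_STREAM = build_client_hello([0x0005, 0x002F, 0xC02F], b"\x11" * 8) + \
    struct.pack("!BBBH", ALERT, 3, 3, 2) + bytes([1, 0])
```

Running `negotiate(SAMPLE_STREAM)` selects 0xC02F, the strongest suite both sides share, even though the client listed RC4 first.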

TLS (Transport Layer Security)


• Transport Layer Security (TLS) is a feature of mail servers designed to secure the
transmission of electronic mail from one server to another using encryption technology.
Transport Layer Security, or TLS, is a widely adopted security protocol designed to
facilitate privacy and data security for communications over the Internet. A primary use
case of TLS is encrypting the communication between web applications and servers,
such as web browsers loading a website. TLS can also be used to encrypt other
communications such as email, messaging, and voice over IP (VoIP).
• TLS was proposed by the Internet Engineering Task Force (IETF), an international
standards organization, and the first version of the protocol was published in 1999. The
most recent version is TLS 1.3, which was published in 2018.
What is the difference between TLS and SSL?
TLS evolved from a previous encryption protocol called Secure Sockets Layer (SSL), which
was developed by Netscape. TLS version 1.0 actually began development as SSL version
3.1, but the name of the protocol was changed before publication in order to indicate that
it was no longer associated with Netscape. Because of this history, the terms TLS and SSL
are sometimes used interchangeably.
What does TLS do?
There are three main components to what the TLS protocol accomplishes: Encryption,
Authentication, and Integrity.
Encryption: hides the data being transferred from third parties.
Authentication: ensures that the parties exchanging information are who they claim to
be.
Integrity: verifies that the data has not been forged or tampered with.

How does TLS work?


For a website or application to use TLS, it must have a TLS certificate installed on
its origin server (the certificate is also known as an "SSL certificate" because of the naming
confusion described above). A TLS certificate is issued by a certificate authority to the
person or business that owns a domain. The certificate contains important information
about who owns the domain, along with the server's public key, both of which are
important for validating the server's identity.
A TLS connection is initiated using a sequence known as the TLS handshake.
When a user navigates to a website that uses TLS, the TLS handshake begins between the
user's device (also known as the client device) and the web server.

During the TLS handshake, the user's device and the web server:
• Specify which version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use
• Decide on which cipher suites (see below) they will use
• Authenticate the identity of the server using the server's TLS certificate
• Generate session keys for encrypting messages between them after the handshake is
complete
The TLS handshake establishes a cipher suite for each communication session.
The cipher suite is a set of algorithms that specifies details such as which shared
encryption keys, or session keys, will be used for that particular session. TLS is able to set
the matching session keys over an unencrypted channel thanks to a technology known as
public key cryptography.

The handshake also handles authentication, which usually consists of the server
proving its identity to the client. This is done using public keys. Public keys are encryption
keys that use one-way encryption, meaning that anyone with the public key can
unscramble the data encrypted with the server's private key to ensure its authenticity, but
only the original sender can encrypt data with the private key. The server's public key is
part of its TLS certificate.

Once data is encrypted and authenticated, it is then signed with a message
authentication code (MAC). The recipient can then verify the MAC to ensure the integrity of
the data. This is kind of like the tamper-proof foil found on a bottle of aspirin; the
consumer knows no one has tampered with their medicine because the foil is intact when
they purchase it.
HTTPS
HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to implement secure
communication between a Web browser and a Web server. The HTTPS capability is built
into all modern Web browsers. Its use depends on the Web server supporting HTTPS
communication.
The principal difference seen by a user of a Web browser is that URL (uniform resource
locator) addresses begin with https:// rather than http://. A normal HTTP connection uses
port 80. If HTTPS is specified, port 443 is used, which invokes SSL.
When HTTPS is used, the following elements of the communication are encrypted:
• URL of the requested document
• Contents of the document
• Contents of browser forms (filled in by browser user)
• Cookies sent from browser to server and from server to browser
• Contents of HTTP header
HTTPS is documented in RFC 2818, HTTP Over TLS. There is no fundamental change in
using HTTP over either SSL or TLS, and both implementations are referred to as HTTPS.
Connection Initiation
For HTTPS, the agent acting as the HTTP client also acts as the TLS client. The
client initiates a connection to the server on the appropriate port and then sends the TLS
Client Hello to begin the TLS handshake. When the TLS handshake has finished, the
client may then initiate the first HTTP request. All HTTP data is to be sent as TLS
application data. Normal HTTP behavior, including retained connections, should be
followed.
We need to be clear that there are three levels of awareness of a connection in
HTTPS. At the HTTP level, an HTTP client requests a connection to an HTTP server by
sending a connection request to the next lowest layer. Typically, the next lowest layer is
TCP, but it also may be TLS/SSL. At the level of TLS, a session is established between a
TLS client and a TLS server. This session can support one or more connections at any
time. As we have seen, a TLS request to establish a connection begins with the
establishment of a TCP connection between the TCP entity on the client side and the TCP
entity on the server side
Connection Closure
An HTTP client or server can indicate the closing of a connection by including the following
line in an HTTP record: Connection: close. This indicates that the connection will be closed
after this record is delivered.
The closure of an HTTPS connection requires that TLS close the connection with the peer
TLS entity on the remote side, which will involve closing the underlying TCP connection. At
the TLS level, the proper way to close a connection is for each side to use the TLS alert
protocol to send a close_notify alert. TLS implementations must initiate an exchange of
closure alerts before closing a connection.
A TLS implementation may, after sending a closure alert, close the connection without
waiting for the peer to send its closure alert, generating an “incomplete close.”
Note that an implementation that does this may choose to reuse the session.
This should only be done when the application knows (typically through detecting HTTP
message boundaries) that it has received all the message data that it cares about.
HTTP clients also must be able to cope with a situation in which the underlying
TCP connection is terminated without a prior close_notify alert and without a Connection:
close indicator. Such a situation could be due to a programming error on the server or a
communication error that causes the TCP connection to drop. However, the unannounced
TCP closure could be evidence of some sort of attack. So the HTTPS client should issue
some sort of security warning when this occurs.
IPV4 and IPV6 SECURITY:
IP Security overview
The most serious types of attacks include IP spoofing, in which intruders create
packets with false IP addresses and exploit applications that use authentication based on IP
address; and various forms of eavesdropping and packet sniffing, in which attackers read
transmitted information, including logon information and database contents.
By implementing security at the IP level, an organization can ensure secure
networking not only for applications that have their own security mechanisms but also for
the many security-ignorant applications. IP level security encompasses 3 functional areas:
authentication, confidentiality and key management.
Applications of IPsec

IPsec provides the capability to secure communication across a LAN, across private and
public WANs and across the internet. Example of its use includes the following.

Secure branch office connectivity over the Internet: A company can build a secure
virtual private network over the Internet or over a public WAN. This enables a business to
rely heavily on the Internet and reduce its need for private networks, saving costs and
network management overhead.

Secure remote access over the Internet: An end user whose system is equipped with
IP security protocols can make a local call to an Internet service provider (ISP) and gain
secure access to a company network. This reduces the cost of toll charges for traveling
employees and telecommuters.

Establishing extranet and intranet connectivity with partners: IPSec can be used
to secure communication with other organizations, ensuring authentication and
confidentiality and providing a key exchange mechanism.

Enhancing electronic commerce security: Even though some Web and electronic
commerce applications have built-in security protocols, the use of IPSec enhances that
security.

Benefits of IPsec
• When IPsec is implemented in a firewall or router, it provides strong security that can be
applied to all traffic crossing the perimeter.
• IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP.
• IPsec is below the transport layer and so it is transparent to applications.
• IPsec can be transparent to the end users.
• It can provide security for individual users if needed.
IPsec can play a vital role in the routing architecture required for internetworking. IPsec
can assure that:
o A router advertisement comes from an authorized router.
o A neighbor advertisement comes from an authorized router.
o A redirect message comes from the router to which the initial packet was sent.
o A routing update is not forged.
IP security architecture

Architecture: Covers the general concepts, security requirements

Encapsulating Security Payload: Covers the packet format and issues related to
encryption

Authentication Header: packet format for authentication

Encryption Algorithm: A set of encryption algorithms

Authentication Algorithm: A set of authentication algorithms

Key Management: Describes the key management schemes

Domain of Interpretation (DOI): contains values that are needed for other documents
to relate to each other.

IPsec services

IPsec provides security services at the IP layer by enabling a system to select required
security protocols, determine the algorithms to use for the services and put in place any
cryptographic keys required to provide the requested services. Two protocols are used to
provide security:

• Authentication header (AH)

• Encapsulating Security Payload (ESP)

The services are as follows: access control, connectionless integrity, data origin
authentication, rejection of replayed packets, confidentiality and limited traffic flow
confidentiality.

Security associations

A key concept that appears in both the AH and ESP mechanisms for IP is the security
association (SA). An association is a one-way relationship between a sender and a receiver
that affords security services to the traffic carried on it.
A security association is uniquely identified by 3 parameters:

Security Parameter Index (SPI) – a bit string assigned to this SA and has local
significance only.

IP destination address – this is the address of the destination end point of the SA,
which may be an end user system or a network system such as a firewall or router.

Security protocol identifier – this indicates whether the association is an AH or ESP
security association.

SA parameters

In each IPsec implementation, there is a nominal security association database that
defines the parameters associated with each SA. An SA is normally defined by the following
parameters:

Sequence number counter – a 32-bit value used to generate the sequence number
field in AH or ESP headers.

Sequence counter overflow – a flag indicating whether overflow of the sequence
number counter should generate an auditable event and prevent further transmission of
packets on this SA.

Anti-replay window – used to determine whether an inbound AH or ESP packet is a
replay.

AH information – authentication algorithms, keys, key lifetimes and related parameters
being used with AH.
ESP information – encryption and authentication algorithms, keys, key lifetimes and
related parameters being used with ESP.
Lifetime of this SA – a time interval or byte count after which an SA must be replaced
with a new SA or terminated.
IPsec protocol mode – tunnel, transport or wildcard mode.
Path MTU – any observed path maximum transmission unit and aging variables required
for all implementations.
SA selectors
The means by which IP traffic is related to specific SAs is the nominal security policy
database (SPD). In its simplest form, an SPD contains entries, each of which defines a
subset of IP traffic and points to an SA for that traffic. In more complex environments,
there may be multiple entries that potentially relate to a single SA or multiple SAs
associated with a single SPD entry. Each SPD entry is defined by a set of IP and upper
layer protocol field values, called selectors. In effect, these selectors are used to filter
outgoing traffic in order to map it into a particular SA.

The Encapsulating Security Payload

The Encapsulating Security Payload provides confidentiality services, including
confidentiality of message contents and limited traffic flow confidentiality. As an optional
feature, ESP can also provide an authentication service.

The below figure shows the format of an ESP packet. It contains the following fields:

Security parameter index (32-bits) – identifies a security association.

Sequence number (32-bits) – a monotonically increasing counter value.

Payload Data (variable): This is a transport-level segment (transport mode) or IP packet
(tunnel mode) that is protected by encryption.

Padding (0–255 bytes): May be required if the encryption algorithm requires the
plaintext to be a multiple of some number of octets.

Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
Next Header (8 bits): Identifies the type of data contained in the Payload Data field by
identifying the first header in that payload (e.g., an extension header in IPv6, or an upper-
layer protocol such as TCP).
Integrity Check Value (variable): A variable-length field (must be an integral number
of 32-bit words) that contains the integrity check value computed over the ESP packet
minus the Authentication Data field.
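The following added example (not from the notes or from any IPsec implementation) frames an ESP packet with the fields listed above, using NULL encryption so the layout stays readable and an HMAC-SHA-256 ICV computed over the packet minus the ICV field, and shows the receiver's anti-replay window check from the SA parameters section. The SPI, the authentication key and the payloads are constructed; a real key would come from key management.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TRAILER_LEN = 2        # Pad Length (1) + Next Header (1)
ICV_LEN = 16           # HMAC-SHA-256 truncated to 128 bits (RFC 4868 style)
NEXT_HEADER_TCP = 6


@dataclass
class SecurityAssociation:
    """The SA parameters from the notes that inbound ESP processing needs."""
    spi: int                   # Security Parameter Index, local significance only
    auth_key: bytes            # ESP information: authentication key (constructed here)
    window_size: int = 64      # anti-replay window; RFC 4303 requires at least 32
    highest_seq: int = 0       # largest sequence number verified so far
    window_bitmap: int = 0     # bit i set => (highest_seq - i) already received


def replay_check(sa: SecurityAssociation, seq: int) -> bool:
    """Is seq new and inside the window? Pure check; state moves only after the ICV verifies."""
    if seq == 0:                   # sequence numbers start at 1
        return False
    if seq > sa.highest_seq:       # right of the window: always new
        return True
    offset = sa.highest_seq - seq
    return offset < sa.window_size and not (sa.window_bitmap >> offset) & 1


def replay_update(sa: SecurityAssociation, seq: int) -> None:
    """Mark seq as received, sliding the window right when seq is the new highest."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.window_bitmap = ((sa.window_bitmap << shift) | 1) & ((1 << sa.window_size) - 1)
        sa.highest_seq = seq
    else:
        sa.window_bitmap |= 1 << (sa.highest_seq - seq)


def esp_encapsulate(sa: SecurityAssociation, seq: int, payload: bytes,
                    next_header: int = NEXT_HEADER_TCP, block: int = 4) -> bytes:
    """SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV.
    NULL encryption (RFC 2410) keeps the payload visible; the ICV covers everything
    before it, i.e. the ESP packet minus the ICV field."""
    pad_len = -(len(payload) + TRAILER_LEN) % block
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", sa.spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_decapsulate(sa: SecurityAssociation, packet: bytes) -> Optional[Tuple[int, bytes]]:
    """Inbound order from RFC 4303: SPI lookup, replay check, ICV verify, then
    (null-)decrypt and strip the trailer. None means discard (and audit)."""
    if len(packet) < 8 + TRAILER_LEN + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", packet[:8])
    if spi != sa.spi or not replay_check(sa, seq):
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                               # forged or corrupted: window untouched
    replay_update(sa, seq)                        # only a verified packet advances the window
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 8 - TRAILER_LEN:
        return None
    return next_header, body[8:len(body) - TRAILER_LEN - pad_len]


def demo() -> dict:
    """Constructed scenario: three good packets, a replay, a tampered packet, then a good one."""
    key = b"\x5a" * 32                            # constructed key; real keys come from IKE
    sender = SecurityAssociation(spi=0x1000A, auth_key=key)
    receiver = SecurityAssociation(spi=0x1000A, auth_key=key)
    pkts = [esp_encapsulate(sender, n, b"segment-%d" % n) for n in (1, 2, 3)]
    out = {"fresh": [esp_decapsulate(receiver, p) for p in pkts]}
    out["replay"] = esp_decapsulate(receiver, pkts[1])           # seq 2 a second time
    tampered = bytearray(esp_encapsulate(sender, 4, b"segment-4"))
    tampered[8] ^= 0x01                                           # flip one payload bit
    out["tampered"] = esp_decapsulate(receiver, bytes(tampered))
    out["after_tamper"] = esp_decapsulate(receiver, esp_encapsulate(sender, 4, b"segment-4"))
    return out
```

In `demo()` the replayed and tampered packets are both dropped, and because a failed ICV never advances the window, the genuine sequence number 4 is still accepted afterwards.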

Transport and Tunnel modes


Both AH and ESP support two modes of use: transport and tunnel mode.
Transport mode
Transport mode provides protection primarily for upper layer protocols, i.e., protection
extends to the payload of an IP packet. Transport mode is used for end-to-end
communication between two hosts. ESP in transport mode encrypts and optionally
authenticates the IP payload but not the IP header. AH in transport mode authenticates
the IP payload and selected portions of the IP header.
Tunnel mode
Tunnel mode provides protection to the entire IP packet. To achieve this, after the AH or
ESP fields are added to the IP packet, the entire packet plus the security fields is treated
as the payload of a new ‘outer’ IP packet with a new outer IP header. The entire original, or
inner, packet travels through a ‘tunnel’ from one point of an IP network to another; no
routers along the way are able to examine the inner IP header. Tunnel mode is used when
one or both ends of an SA are a security gateway, such as a firewall or router that
implements IPsec.
INTRODUCTION TO OPERATING SYSTEM SECURITY
Building and deploying a system should be a planned process designed to counter such a
threat, and to maintain security during its operational lifetime.
[SCAR08] states that this process must:
• Assess risks and plan the system deployment.
• Secure the underlying operating system and then the key applications.
• Ensure any critical content is secured.
• Ensure appropriate network protection mechanisms are used.
• Ensure appropriate processes are used to maintain security.
SYSTEM SECURITY PLANNING
The first step in deploying new systems is planning. Careful planning will help
ensure that the new system is as secure as possible, and complies with any necessary
policies.
[SCAR08] provides a list of items that should be considered during the system
security planning process. While its focus is on secure server deployment, much of the list
applies equally well to client system design. This list includes consideration of:
• The purpose of the system, the type of information stored, the applications
and services provided, and their security requirements.
• The categories of users of the system, the privileges they have, and the types
of information they can access.
• How the users are authenticated.
• How access to the information stored on the system is managed.
• What access the system has to information stored on other hosts, such as file
or database servers, and how this is managed.
• Who will administer the system, and how they will manage the system (via
local or remote access).
• Any additional security measures required on the system, including the use of
host firewalls, anti-virus or other malware protection mechanisms, and logging.
OPERATING SYSTEM HARDENING:

The first critical step in securing a system is to secure the base operating system
upon which all other applications and services rely. A good security foundation needs a
properly installed, patched, and configured operating system. Unfortunately, the default
configuration for many operating systems often maximizes ease of use and functionality,
rather than security. Further, since every organization has its own security needs, the
appropriate security profile, and hence configuration, will also differ.

While the details of how to secure each specific operating system differ, the
broad approach is similar. Appropriate security configuration guides and checklists exist for
most common operating systems, and these should be consulted, though always informed
by the specific needs of each organization and their systems. In some cases, automated
tools may be available to further assist in securing the system configuration.

[SCAR08] suggests the following basic steps that should be used to secure an operating
system:
• Install and patch the operating system.
• Harden and configure the operating system to adequately address the
identified security needs of the system by:
o Removing unnecessary services, applications, and protocols.
o Configuring users, groups, and permissions.
o Configuring resource controls.
• Install and configure additional security controls, such as anti-virus, host-
based firewalls, and intrusion detection systems (IDS), if needed.
• Test the security of the basic operating system to ensure that the steps taken
adequately address its security needs.
Install and patch the operating system:

Remove Unnecessary Services, Application, and Protocols

Because any of the software packages running on a system may contain
software vulnerabilities, clearly if fewer software packages are available to run, then the
risk is reduced. There is clearly a balance between usability, providing all software that
may be required at some time, with security, and a desire to limit the amount of software
installed. The range of services, applications, and protocols required will vary widely
between organizations, and indeed between systems within an organization. The system
planning process should identify what is actually required for a given system, so that a
suitable level of functionality is provided, while eliminating software that is not required to
improve security.

The default configuration for most distributed systems is set to maximize ease of
use and functionality, rather than security. When performing the initial installation, the
supplied defaults should not be used, but rather the installation should be customized so
that only the required packages are installed. If additional packages are needed later,
they can be installed when they are required.
Configure Users, Groups, and Authentication:
Not all users with access to a system will have the same access to all data and
resources on that system. Some systems may provide role-based or mandatory access
control mechanisms as well.
The system planning process should consider the categories of users on the
system, the privileges they have, the types of information they can access, and how and
where they are defined and authenticated. Some users will have elevated privileges to
administer the system; others will be normal users, sharing appropriate access to files and
other data as required; and there may even be guest accounts with very limited access.
The third of the four key ASD mitigation strategies is to restrict elevated privileges to only
those users that require them.
Further, it is highly desirable that such users only access elevated privileges
when needed to perform some task that requires them, and to otherwise access the
system as a normal user. This improves security by providing a smaller window of
opportunity for an attacker to exploit the actions of such privileged users.
Some operating systems provide special tools or access mechanisms to assist
administrative users to elevate their privileges only when necessary, and to appropriately
log these actions.
One key decision is whether the users, the groups they belong to, and
their authentication methods are specified locally on the system or will use a
centralized authentication server. Whichever is chosen, the appropriate details are now
configured on the system.
Also at this stage, any default accounts included as part of the system
installation should be secured. Those which are not required should be either removed or
at least disabled. System accounts that manage services on the system should be set so
they cannot be used for interactive logins. And any passwords installed by default should
be changed to new values with appropriate security.
Any policy that applies to authentication credentials, and especially to password
security, is also configured. This includes details of which authentication methods are
accepted for different methods of account access. And it includes details of the required
length, complexity, and age allowed for passwords.
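As an added example (not code from the course notes or from any vendor tool), the following Python script checks a constructed passwd/shadow-style account list against the points just made: extra UID 0 accounts, service accounts left with interactive shells, empty passwords, and password maximum age beyond policy. It also applies a length and complexity rule to a proposed password. The sample records, the system UID cut-off and the policy limits are assumptions standing in for whatever the site's security plan specifies.

```python
"""Audit Unix-style accounts against a hardening policy (added example).

Not code from the course notes or any vendor tool. The records below are
constructed sample data in /etc/passwd and /etc/shadow layout; the policy
values are assumptions standing in for whatever the site's plan specifies.
"""

# Constructed /etc/passwd-style records: name:pw:uid:gid:gecos:home:shell
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:vendor default account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
"""

# Constructed /etc/shadow-style records: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SHADOW_SAMPLE = """\
root:$6$salt$constructedhash:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
backup:*:18000:0:99999:7:::
toor:$6$salt$constructedhash:18000:0:99999:7:::
alice:$6$salt$constructedhash:19700:0:90:7:::
guest::18000:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 999           # assumption: UIDs 1..999 are service accounts
MAX_PASSWORD_AGE_DAYS = 90     # assumption: policy maximum password age
MIN_PASSWORD_LENGTH = 12       # assumption: policy minimum length


def parse_colon_db(text):
    """Split a passwd/shadow-style file into lists of fields, skipping comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding) pairs for records that violate the policy."""
    findings = []
    shadow = {fields[0]: fields for fields in parse_colon_db(shadow_text)}
    for name, _, uid, _, _, _, shell in parse_colon_db(passwd_text):
        uid = int(uid)
        # Only root should hold UID 0; any other UID 0 entry is a second superuser.
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        # Service accounts should not permit interactive logins.
        if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            findings.append((name, "service account with interactive shell"))
        entry = shadow.get(name)
        if entry is None:
            continue
        pw_hash, max_age = entry[1], entry[4]
        if pw_hash == "":
            findings.append((name, "empty password"))
        # '*' or '!' means the password is locked; only real hashes are aged.
        elif not pw_hash.startswith(("*", "!")) and int(max_age) > MAX_PASSWORD_AGE_DAYS:
            findings.append((name, "password max age exceeds policy"))
    return findings


def check_password_policy(candidate):
    """Return the list of policy rules a proposed password fails (empty = OK)."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    classes = (any(c.islower() for c in candidate),
               any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(not c.isalnum() for c in candidate))
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print("%-10s %s" % (account, finding))
    print(check_password_policy("password"))
```

Run as a script it lists the five findings in the constructed data; in practice the same checks would be run against the real /etc/passwd and /etc/shadow after installation and again at each maintenance cycle.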
UNIT IV - SECURITY
Configure Resource Controls
Once the users and their associated groups are defined, appropriate permissions
can be set on data and resources to match the specified policy. This may be to limit which
users can execute some programs, especially those that modify the system state. Or it may
be to limit which users can read or write data in certain directory trees. Many of the
security hardening guides provide lists of recommended changes to the default access
configuration to improve security.
Install Additional Security Controls
Further security improvement may be possible by installing and configuring
additional security tools such as anti-virus software, host-based firewalls, IDS or IPS
software, or application white-listing. Some of these may be supplied as part of the
operating system installation, but not configured and enabled by default. Others are third-party
products that are acquired and used.
Host-based firewalls, IDS, and IPS software also may improve security by limiting
remote network access to services on the system.
Test the System Security
The final step in the process of initially securing the base operating system is security
testing. The goal is to ensure that the previous security configuration steps are correctly
implemented, and to identify any possible vulnerabilities that must be corrected or
managed.
Suitable checklists are included in many security hardening guides. There are also
programs specifically designed to review a system to ensure that a system meets the basic
security requirements, and to scan for known vulnerabilities and poor configuration
practices. This should be done following the initial hardening of the system, and then
repeated periodically as part of the security maintenance process.
APPLICATION SECURITY
Once the base operating system is installed and appropriately secured, the required
services and applications must next be installed and configured. The steps for this very
much mirror the list already given in the previous section. The concern, as with the base
operating system, is to only install software on the system that is required to meet its
desired functionality, in order to reduce the number of places vulnerabilities may be found.
Software that provides remote access or service is of particular concern, since an attacker
may be able to exploit this to gain remote access to the system. Hence any such software
needs to be carefully selected and configured, and updated to the most recent version
available.
Application Configuration
Any application specific configuration is then performed. This may include
creating and specifying appropriate data storage areas for the application, and making
appropriate changes to the application or service default configuration details.
As part of the configuration process, careful consideration should be given to the
access rights granted to the application. Again, this is of particular concern with remotely
accessed services, such as Web and file transfer services.
Encryption Technology
Encryption is a key enabling technology that may be used to secure data both in
transit and when stored. If such technologies are required for the system, then they must
be configured, and appropriate cryptographic keys created, signed, and secured.
If secure network services are provided, most likely using either TLS or IPsec,
then suitable public and private keys must be generated for each of them. Then X.509
certificates are created and signed by a suitable certificate authority, linking each service
identity with the public key in use.
SECURITY MAINTENANCE
Once the system is appropriately built, secured, and deployed, the process of maintaining
security is continuous. This results from the constantly changing environment, the
discovery of new vulnerabilities, and hence exposure to new threats.
[SCAR08] suggests that this process of security maintenance includes the following
additional steps:
• Monitoring and analyzing logging information
• Performing regular backups
• Recovering from security compromises
• Regularly testing system security
• Using appropriate software maintenance processes to patch and update all
critical software, and to monitor and revise configuration as needed.
Logging
[SCAR08] notes that “logging is a cornerstone of a sound security posture.” Logging is a
reactive control that can only inform you about bad things that have already happened.
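As an added example (not from the course notes or from any logging product), the following Python code shows the kind of analysis that turns a log from a record into a detection control: it parses constructed sshd/syslog-style lines, raises an alert when one source fails to log in several times inside a short window, and raises a second alert if that source later succeeds. The log lines, the threshold and the window are assumptions a site would tune to its own traffic.

```python
"""Turn authentication log lines into detections (added example).

Not code from the course notes or from any product. The log lines are
constructed in OpenSSH/syslog layout; the burst threshold and window are
assumptions a site would tune to its own traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a password-guessing burst from one source, then a hit,
# plus one ordinary user who mistyped once and then logged in with a key.
SAMPLE_AUTH_LOG = """\
Mar 10 08:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 10 08:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 10 08:00:04 host sshd[1203]: Failed password for root from 203.0.113.5 port 51025 ssh2
Mar 10 08:00:06 host sshd[1204]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar 10 08:00:07 host sshd[1205]: Failed password for root from 203.0.113.5 port 51027 ssh2
Mar 10 08:00:09 host sshd[1206]: Accepted password for root from 203.0.113.5 port 51028 ssh2
Mar 10 08:15:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 08:15:20 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)")


def parse_auth_log(text, year=2024):
    """Return dicts for sshd login lines; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # unrelated log line
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m.group("result"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert on >= threshold failures from one source inside the window, and on
    any later success from a source that already triggered that alert."""
    alerts = []
    recent_failures = defaultdict(list)   # source ip -> failure timestamps in window
    burst_sources = set()
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            window = recent_failures[ip]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and ip not in burst_sources:
                burst_sources.add(ip)
                alerts.append((ip, "failed-login burst", len(window)))
        elif ip in burst_sources:
            # The reactive nature of logging: this success is already history,
            # so the response is investigation and credential reset, not prevention.
            alerts.append((ip, "login succeeded after burst", ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The second alert is the one that matters operationally: a burst followed by an accepted login is an indicator that a guess succeeded, and it can only be acted on if the log is actually reviewed, which is why the maintenance list above starts with monitoring and analysing logs.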
Data Backup and Archive:
Backup is the process of making copies of data at regular intervals, allowing the
recovery of lost or corrupted data over relatively short time periods of a few hours to some
weeks.
Archive is the process of retaining copies of data over extended periods of time,
being months or years, in order to meet legal and operational requirements to access past
data. These processes are often linked and managed together, although they do address
distinct needs.
LINUX/UNIX SECURITY:
There are a large range of resources available to assist administrators of these
systems, including many texts, for example [NEME10], online resources such as the “Linux
Documentation Project,” and specific system hardening guides such as those provided by
the “NSA—Security Configuration Guides.” These resources should be used as part of the
system security planning process in order to incorporate procedures appropriate to the
security requirements identified for the system.
Patch Management
Ensuring that system and application code is kept up to date with security
patches is a widely recognized and critical control for maintaining security.
Application and Service Configuration
– most commonly implemented using separate text files for each application and service
– generally located either in the /etc directory or in the installation tree for a specific
application
– individual user configurations that can override the system defaults are located in hidden
“dot” files in each user’s home directory
– most important changes needed to improve system security are to disable services and
applications that are not required
Users, Groups, and Permissions
– access is specified as granting read, write, and execute permissions to each of owner,
group, and others for each resource
– guides recommend changing the access permissions for critical directories and files
– local exploit
• software vulnerability that can be exploited by an attacker to gain elevated
privileges
– remote exploit
• software vulnerability in a network server that could be triggered by a remote
attacker
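The owner/group/others model above has one subtlety worth seeing in code: the kernel consults exactly one class for a given subject, so an owner with no bits set is refused even when "others" would be allowed. The following Python is an added example, not code from the course notes or from any hardening guide; it parses ls-style permission strings, evaluates a subject's access the way the kernel does, and audits a constructed file table for the changes the guides usually recommend (world-writable files, setuid programs). The file table and which findings count as problems are assumptions.

```python
"""Unix owner/group/others permission evaluation and a permission audit.

Added example for this section, not code from the course notes or from
any hardening guide. The file table is constructed sample metadata; which
findings count as problems is an assumption drawn from common guides.
"""

CLASS_SHIFT = {"owner": 6, "group": 3, "others": 0}
PERM_BIT = {"r": 4, "w": 2, "x": 1}


def parse_symbolic_mode(text):
    """Convert an ls-style string such as 'rwxr-x---' to an integer mode (0o750)."""
    if len(text) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for i, ch in enumerate(text):
        if ch == "rwxrwxrwx"[i]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError("bad permission character %r" % ch)
    return mode


def permission_class(owner_uid, owner_gid, uid, gids):
    """Pick the one class the kernel consults: owner, else group, else others."""
    if uid == owner_uid:
        return "owner"
    if owner_gid in gids:
        return "group"
    return "others"


def permission_check(mode, owner_uid, owner_gid, uid, gids, want):
    """True if a subject (uid, set of gids) is granted want in {'r','w','x'}.

    Only the matching class is consulted, so an owner with '---' is refused even
    when 'others' would be allowed. Root bypasses r/w entirely and gets x when
    any execute bit is set.
    """
    if uid == 0:
        return True if want in ("r", "w") else bool(mode & 0o111)
    shift = CLASS_SHIFT[permission_class(owner_uid, owner_gid, uid, gids)]
    return bool((mode >> shift) & PERM_BIT[want])


# Constructed file table: (path, symbolic mode, owner uid, owner gid, setuid bit)
SAMPLE_FILES = [
    ("/etc/passwd", "rw-r--r--", 0, 0, False),
    ("/etc/shadow", "rw-r-----", 0, 42, False),
    ("/tmp/uploads.db", "rw-rw-rw-", 1000, 1000, False),
    ("/usr/bin/passwd", "rwxr-xr-x", 0, 0, True),
    ("/opt/app/run.sh", "rwxrwxrwx", 1000, 1000, False),
    ("/usr/local/bin/helper", "rwxr-xr-x", 1000, 1000, True),
]


def audit_permissions(files):
    """Flag world-writable files and setuid programs for review."""
    findings = []
    for path, sym, owner, group, setuid in files:
        mode = parse_symbolic_mode(sym)
        if mode & 0o002:
            findings.append((path, "world-writable"))
        if setuid:
            findings.append((path, "setuid program, review necessity"))
        if setuid and mode & 0o022:
            findings.append((path, "setuid and writable by group or others"))
    return findings


if __name__ == "__main__":
    shadow_mode = parse_symbolic_mode("rw-r-----")
    print("uid 1000 reads /etc/shadow:", permission_check(shadow_mode, 0, 42, 1000, {1000}, "r"))
    for path, finding in audit_permissions(SAMPLE_FILES):
        print("%-24s %s" % (path, finding))
```

A world-writable script that root or a service later executes, and a setuid program that nobody can justify, are exactly the "critical directories and files" the guides ask you to revisit; the audit function is the repeatable form of that checklist item.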
Remote Access Controls
• several host firewall programs may be used
• most systems provide an administrative utility to select which services will be
permitted to access the system
Logging and Log Rotation
• should not assume that the default setting is necessarily appropriate
Application Security Using a chroot jail
– restricts the server’s view of the file system to just a specified portion
– uses chroot system call to confine a process by mapping the root of the
filesystem to some other directory
– file directories outside the chroot jail aren’t visible or reachable
– main disadvantage is added complexity
Security Testing
The system hardening guides such as those provided by the “NSA—Security
Configuration Guides” include security checklists for a number of Unix and Linux
distributions that may be followed. There are also a number of commercial and open-
source tools available to perform system security scanning and vulnerability testing.
WINDOWS SECURITY:
Patch Management
• “Windows Update” and “Windows Server Update Service” assist with regular
maintenance and should be used.
• third party applications also provide automatic update support.
User Administration and Access Controls
• systems implement discretionary access controls on resources
• Vista and later systems include mandatory integrity controls
• objects are labeled as being of low, medium, high, or system integrity level
• system ensures the subject’s integrity is equal or higher than the object’s level
• implements a form of the Biba Integrity model
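The integrity-level rule stated above is small enough to write out in full. The following Python is an added example, not code from the course notes or from Microsoft: it orders the four levels from the notes, enforces "subject at or above the object's level" for modification, and combines that mandatory decision with a discretionary (DACL) decision so both layers are visible. The subject and object names, the DACL outcomes and the strict_biba option (the full Biba model's additional "no read down" rule, which is not the platform's default for files and registry keys) are constructed assumptions.

```python
"""Mandatory integrity control check (added example).

Not code from the course notes or from Microsoft. The ordering
low < medium < high < system and the 'subject must be at or above the
object's level' rule are from the notes; the subject/object names, the
combination with a discretionary decision and the strict_biba option are
constructed assumptions.
"""
from enum import IntEnum


class Integrity(IntEnum):
    LOW = 1       # e.g. a sandboxed browser process (assumption)
    MEDIUM = 2    # default level for ordinary user processes and files
    HIGH = 3      # elevated administrator processes
    SYSTEM = 4    # services running as the system


def mic_allows(subject, obj, op, strict_biba=False):
    """Return True if the mandatory integrity check permits the operation.

    Write/delete require subject >= object: 'no write up', as the notes state.
    The full Biba model also forbids 'read down' (a subject reading a less
    trusted object); strict_biba=True adds that rule as an extension, not as
    the platform's default behaviour (assumption).
    """
    if op in ("write", "delete"):
        return subject >= obj
    if op == "read":
        return subject <= obj if strict_biba else True
    raise ValueError("unknown operation %r" % op)


def access_allowed(subject, obj, op, dacl_allows, strict_biba=False):
    """The mandatory check is applied first; the discretionary one must also pass."""
    return mic_allows(subject, obj, op, strict_biba) and dacl_allows


# Constructed requests: (subject, subject level, object, object level, op, DACL verdict)
SAMPLE_REQUESTS = [
    ("browser-sandbox", Integrity.LOW, "user-document.docx", Integrity.MEDIUM, "write", True),
    ("browser-sandbox", Integrity.LOW, "user-document.docx", Integrity.MEDIUM, "read", True),
    ("word-processor", Integrity.MEDIUM, "user-document.docx", Integrity.MEDIUM, "write", True),
    ("word-processor", Integrity.MEDIUM, "HKLM\\Software\\Policy", Integrity.HIGH, "write", True),
    ("installer", Integrity.HIGH, "HKLM\\Software\\Policy", Integrity.HIGH, "write", False),
]


def evaluate(requests, strict_biba=False):
    """Return (subject, object, op, allowed) for each request."""
    return [(s, o, op, access_allowed(sl, ol, op, dacl, strict_biba))
            for s, sl, o, ol, op, dacl in requests]


if __name__ == "__main__":
    for subject, obj, op, allowed in evaluate(SAMPLE_REQUESTS):
        print("%-16s %-5s %-22s %s" % (subject, op, obj, "allow" if allowed else "DENY"))
```

The second request shows why this is a form of Biba rather than Bell-LaPadula: a low-integrity process may still read a medium-integrity document, it simply cannot modify it. The last request shows that passing the mandatory check does not by itself grant access; the discretionary controls the notes mention first still apply.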
Application and Service Configuration:
• much of the configuration information is centralized in the Registry
• forms a database of keys and values that may be queried and interpreted by applications
• registry keys can be directly modified using the “Registry Editor”
• more useful for making bulk changes
Other Security Controls:
– essential that anti-virus, anti-spyware, personal firewall, and other malware and attack
detection and handling software packages are installed and configured
– current generation Windows systems include basic firewall and malware countermeasure
capabilities
– important to ensure the set of products in use are compatible
VIRTUALIZATION SECURITY:
• Virtualization refers to a technology that provides an abstraction of the computing
resources used by some software, which thus runs in a simulated environment called a
virtual machine (VM).
• benefits include better efficiency in the use of the physical system resources
• provides support for multiple distinct operating systems and associated applications on
one physical system
• raises additional security concerns
Native Virtualization Security Layers
Hosted Virtualization Security Layers
Virtualization Security Issues
• security concerns include:
– guest OS isolation
• ensuring that programs executing within a guest OS may only access and use the
resources allocated to it
– guest OS monitoring by the hypervisor
• which has privileged access to the programs and data in each guest OS
– virtualized environment security
• particularly image and snapshot management which attackers may attempt to view
or modify
Securing Virtualization Systems
[SCAR11] provides guidance for providing appropriate security in virtualized systems, and
states that organizations using virtualization should:
• Carefully plan the security of the virtualized system
• Secure all elements of a full virtualization solution, including the hypervisor,
guest OSs, and virtualized infrastructure, and maintain their security
• Ensure that the hypervisor is properly secured
• Restrict and protect administrator access to the virtualization solution
Hypervisor Security
• should be
– secured using a process similar to securing an operating system
– installed in an isolated environment
– configured so that it is updated automatically
– monitored for any signs of compromise
– accessed only by authorized administrators
• may support both local and remote administration so must be configured appropriately
• remote administration access should be considered and secured in the design of any
network firewall and IDS capability in use
• ideally administration traffic should use a separate network with very limited access
provided from outside the organization
Virtualization Infrastructure Security
Hosted Virtualization Security
Hosted virtualized systems, as typically used on client systems, pose some additional
security concerns. These result from the presence of the host OS under, and other host
applications beside, the hypervisor and its guest OSs. Hence there are yet more layers to
secure. Further, the users of such systems often have full access to configure the
hypervisor, and to any VM images and snapshots. In this case, the use of virtualization is
more to provide additional features, and to support multiple operating systems and
applications, than to isolate these systems and data from each other, and from the users of
these systems.
WIRELESS SECURITY:
Wireless networks, and the wireless devices that use them, introduce a host of
security problems over and above those found in wired networks.
Some of the key factors contributing to the higher security risk of wireless
networks compared to wired networks include the following [MA10]:
• Channel: Wireless networking typically involves broadcast communications,
which is far more susceptible to eavesdropping and jamming than wired networks. Wireless
networks are also more vulnerable to active attacks that
exploit vulnerabilities in communications protocols.
• Mobility: Wireless devices are, in principle and usually in practice, far more
portable and mobile than wired devices. This mobility results in a number of risks,
described subsequently.
• Resources: Some wireless devices, such as smartphones and tablets, have
sophisticated operating systems but limited memory and processing resources with which
to counter threats, including denial of service and malware.
• Accessibility: Some wireless devices, such as sensors and robots, may be left
unattended in remote and/or hostile locations. This greatly increases their vulnerability to
physical attacks.
Wireless Network Threats
[CHOI08] lists the following security threats to wireless networks:
• Accidental association: Company wireless LANs or wireless access points to
wired LANs in close proximity (e.g., in the same or neighboring buildings) may create
overlapping transmission ranges. A user intending to connect to one LAN may
unintentionally lock on to a wireless access point from a neighboring network. Although the
security breach is accidental, it nevertheless exposes resources of one LAN to the
accidental user.
• Malicious association: In this situation, a wireless device is configured to
appear to be a legitimate access point, enabling the operator to steal passwords from
legitimate users and then penetrate a wired network through a legitimate wireless access
point.
• Ad hoc networks: These are peer-to-peer networks between wireless
computers with no access point between them. Such networks can pose a security threat
due to a lack of a central point of control.
• Nontraditional networks: Nontraditional networks and links, such as
personal network Bluetooth devices, barcode readers, and handheld PDAs pose a security
risk both in terms of eavesdropping and spoofing.
• Identity theft (MAC spoofing): This occurs when an attacker is able to
eavesdrop on network traffic and identify the MAC address of a computer with network
privileges.
• Man-in-the-middle attacks: In a broader sense, this attack involves
persuading a user and an access point to believe that they are talking to each other when
in fact the communication is going through an intermediate attacking device. Wireless
networks are particularly vulnerable to such attacks.
• Denial of service (DoS): In the context of a wireless network, a DoS attack
occurs when an attacker continually bombards a wireless access point or some other
accessible wireless port with various protocol messages designed to consume system
resources. The wireless environment lends itself to this type of attack, because it is so easy
for the attacker to direct multiple wireless messages at the target.
• Network injection: A network injection attack targets wireless access points
that are exposed to nonfiltered network traffic, such as routing protocol messages or
network management messages. An example of such an attack is one in which bogus
reconfiguration commands are used to affect routers and switches to degrade network
performance.
Wireless Security Measures
Following [CHOI08], we can group wireless security measures into those dealing with
wireless transmissions, wireless access points, and wireless networks (consisting of
wireless routers and endpoints).
Securing Wireless Transmissions
The principal threats to wireless transmission are
eavesdropping, altering or inserting messages, and disruption. To deal with eavesdropping,
two types of countermeasures are appropriate:
• Signal-hiding techniques: Organizations can take a number of measures to
make it more difficult for an attacker to locate their wireless access points, including
turning off service set identifier (SSID) broadcasting by wireless access points; assigning
cryptic names to SSIDs; reducing signal strength to the lowest level that still provides
requisite coverage; and locating wireless access points in the interior of the building, away
from windows and exterior walls.
Greater security can be achieved by the use of directional antennas and of signal-shielding
techniques.
• Encryption: Encryption of all wireless transmission is effective against
eavesdropping to the extent that the encryption keys are secured.
Securing Wireless Networks
[CHOI08] recommends the following techniques for
wireless network security:
1. Use encryption. Wireless routers are typically equipped with built-in encryption
mechanisms for router-to-router traffic.
2. Use anti-virus and anti-spyware software, and a firewall. These facilities should be
enabled on all wireless network endpoints.
3. Turn off identifier broadcasting. Wireless routers are typically configured to broadcast an
identifying signal so that any device within range can learn of the router’s existence. If a
network is configured so that authorized devices know the identity of routers, this
capability can be disabled, so as to thwart attackers.
4. Change the identifier on your router from the default. Again, this measure thwarts
attackers who will attempt to gain access to a wireless network using default router
identifiers.
5. Change your router’s pre-set password for administration. This is another prudent step.
6. Allow only specific computers to access your wireless network. A router can be
configured to only communicate with approved MAC addresses.
WIRELESS LAN SECURITY:
There are two characteristics of a wired LAN that are not inherent in a wireless LAN.
1. In order to transmit over a wired LAN, a station must be physically connected to the
LAN. On the other hand, with a wireless LAN, any station within radio range of the other
devices on the LAN can transmit. In a sense, there is a form of authentication with a wired
LAN in that it requires some positive and presumably observable action to connect a station
to a wired LAN.
2. Similarly, in order to receive a transmission from a station that is part of a wired LAN,
the receiving station also must be attached to the wired LAN.
On the other hand, with a wireless LAN, any station within radio range can
receive. Thus, a wired LAN provides a degree of privacy, limiting reception of data to
stations connected to the LAN.
These differences between wired and wireless LANs suggest the increased need
for robust security services and mechanisms for wireless LANs. The original 802.11
specification included a set of security features for privacy and authentication that were
quite weak. For privacy, 802.11 defined the Wired Equivalent Privacy (WEP) algorithm.
In order to accelerate the introduction of strong security into WLANs, the Wi-Fi
Alliance promulgated Wi-Fi Protected Access (WPA) as a Wi-Fi standard.
WPA is a set of security mechanisms that eliminates most 802.11 security issues
and was based on the current state of the 802.11i standard. The final form of the 802.11i
standard is referred to as Robust Security Network (RSN).
IEEE 802.11i Services
The 802.11i RSN security specification defines the following services:
• Authentication: A protocol is used to define an exchange between a user
and an AS (authentication server) that provides mutual authentication and generates
temporary keys to be used between the client and the AP over the wireless link.
• Access control: This function enforces the use of the authentication function,
routes the messages properly, and facilitates key exchange. It can work with a variety of
authentication protocols.
• Privacy with message integrity: MAC-level data (e.g., an LLC PDU) are
encrypted along with a message integrity code that ensures that the data have not been
altered.
Figure 24.6a indicates the security protocols used to support these services, while Figure
24.6b lists the cryptographic algorithms used for these services.
IEEE 802.11i Phases of Operation
The operation of an IEEE 802.11i RSN can be broken down into five distinct phases. The
exact nature of the phases will depend on the configuration and the end points of the
communication. Possibilities include (see Figure 24.5):
1. Two wireless stations in the same BSS communicating via the access point for that BSS.
2. Two wireless stations (STAs) in the same ad hoc IBSS communicating directly with each
other.
3. Two wireless stations in different BSSs communicating via their respective APs across a
distribution system.
4. A wireless station communicating with an end station on a wired network via its AP and
the distribution system.
The five phases are defined as follows:
• Discovery: An AP uses messages called Beacons and Probe Responses to
advertise its IEEE 802.11i security policy. The STA uses these to identify an AP for a WLAN
with which it wishes to communicate. The STA associates with the AP, which it uses to
select the cipher suite and authentication mechanism when the Beacons and Probe
Responses present a choice.
• Authentication: During this phase, the STA and AS prove their identities to
each other. The AP blocks non-authentication traffic between the STA and AS until the
authentication transaction is successful. The AP does not participate in the authentication
transaction other than forwarding traffic between the STA and AS.
• Key Management: The AP and the STA perform several operations that
cause cryptographic keys to be generated and placed on the AP and the STA. Frames are
exchanged between the AP and STA only.
• Protected data transfer: Frames are exchanged between the STA and the
end station through the AP. As denoted by the shading and the encryption module icon,
secure data transfer occurs between the STA and the AP only; security is not provided end-
to-end.
• Connection termination: The AP and STA exchange frames. During this
phase, the secure connection is torn down and the connection is restored to the original
state.
WIRELESS SECURITY POLICY:
1) Wireless technology may be used to access, store, process or transmit City of New York
business and connect to Citynet’s infrastructure provided that it conforms to all applicable
DoITT Information Security Policies including but not limited to this policy.
2) Wireless devices may not be used to gain or attempt to gain unauthorized access to any
network. This includes accessing Citynet, external non-city networks and the internet
where the user has not been granted access.
3) Only approved services and applications may be used with wireless devices.
4) Any planned wireless connection(s) must be reviewed and approved in advance of
installation by the local agency including the agency CISO. If the wireless connection(s)
provide access to Citynet, or a network connected to Citynet, then approval must include
DoITT.
5) The Wireless network must have a disaster recovery plan if required based on business
function of the applications running on the network.
Access Control
6) Access to the city’s networking and computing infrastructure via a wireless connection is
considered remote access and must utilize strong authentication and encryption.
7) The Agency must use the current City of New York wireless standard at the time of the
implementation of their wireless system.
8) Appropriate encryption utilizing approved ciphers must be used.
Risk Assessment
The agency CISO should employ security measures commensurate with the risk associated
with the wireless network. If the network is used for transmission of business sensitive
material, classified communications or supports City critical services the risk of loss in the
event of an attack on the wireless network, or loss of service can be extensive.
9) Due to the ever changing threats and vulnerabilities, risk assessments should be
conducted on a periodic basis no less than annually to provide an accurate picture of the
total risk to the organization.
10) A risk assessment should be performed to ensure the capabilities of protection for the
technologies utilized. A risk assessment should include, but not be limited to, identifying
data sensitivity, network vulnerabilities, and critical services. The focus
should be to identify potential threats and vulnerabilities.
Authentication
11) All users of WLANs are required to authenticate before being allowed to access the
network.
What are the three types of wireless architecture?
WLANs are described by three broad categories of architectures: autonomous, centralized
(controller-based), and cooperative (controller-less).
Wireless Security Tools:
Wireless security tools should be used to test (audit) wireless implementations regularly.
A good wireless security audit is not only practical testing, but also proper documentation,
including recommendations on how to make the WLAN more secure. There are a number of
possible audits one can perform, for example a Layer 1 audit.
Types of Security Tools:
Penetration testing.
Packet sniffers.
Encryption.
Scanning web vulnerability.
Network defenses.
Network security monitoring.
Detecting network intrusions.
Assignments
1. Assess security risks, threats and vulnerabilities to the organization and implement
appropriate information security protection mechanisms by analyzing requirements,
plans and IT security policies.
2. Perform Firewall setup along with its configuration.
Part A – Q & A
Unit - IV
PART-A
1. Do firewalls protect against worms?
Not only does a firewall block unwanted traffic, it also helps block malicious software and
worms from infecting a computer. Many computer operating systems include a software
firewall to protect against such threats.

2. What is a worm type virus?
A computer worm is a type of malware whose primary function is to self-replicate and infect
other computers while remaining active on infected systems. A computer worm duplicates
itself to spread to uninfected computers.

3. What is virus worm or Trojan?
Viruses use executable files to spread. Worms make use of system flaws to carry out their
attacks. A Trojan horse is a type of malware that runs through a program and is interpreted
as utility software.

4. What is virus vs worm vs Trojan?
A Worm is like a Computer Virus by its design but is a sub-class of a Virus or Trojan Horse.
Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel
without attaching to a host program and can run independently.

5. What's a Greyware?
Grayware refers to unwanted applications or files that are not classified as malware, but can worsen
the performance of computers and cause security risks.

6. What are examples of grayware?
Common examples of greyware are location trackers, browsing monitors, and programs
that serve unwanted pop-up ads. While not as dangerous as other malicious software,
greyware often leads to system vulnerabilities that create opportunities for cyber attacks.

7. What Are the Most Common Types of Malware Attacks?
1) Adware.
2) Fileless Malware.
3) Viruses.
4) Worms.
5) Trojans.
6) Bots.
7) Ransomware.
8) Spyware

8. What are the Different Types of Firewalls?
Packet filtering firewalls.
Stateful inspection firewalls.
Circuit-level gateways.

9. What is a firewall?
A firewall is a network security device that monitors incoming and outgoing network traffic
and decides whether to allow or block specific traffic based on a defined set of security
rules.
10. Why is TLS still called SSL?
Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version
of SSL. It works in much the same way as the SSL, using encryption to protect the transfer
of data and information. The two terms are often used interchangeably in the industry
although SSL is still widely used.

11. What is SSL used for?
Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted
link between a server and a client—typically a web server (website) and a browser, or a
mail server and a mail client (e.g., Outlook).

12. What is an example of SSL?
SSL provides a secure channel between two machines or devices operating over the
internet or an internal network. One common example is when SSL is used to secure
communication between a web browser and a web server. This turns a website's address
from HTTP to HTTPS, the 'S' standing for 'secure’.

13. What is an IP Security?
IP security allows individual users or organizations to secure traffic for all applications,
without having to make any modifications to the applications. Therefore, the transmission
of any data, such as e-mail or application-specific company data, can be made secure.

14. What is the need of IP Security?
IP Security (IPSec) provides a stable, long lasting base for providing network layer security.
IPSec supports all of the cryptographic algorithms in use today, and can also accommodate
newer, more powerful algorithms as they become available.

15. What do you mean by security in OS?
OS security refers to specified steps or measures used to protect the OS from threats,
viruses, worms, malware or remote hacker intrusions. OS security encompasses all
preventive-control techniques, which safeguard any computer assets capable of being
stolen, edited or deleted if OS security is compromised.

16. What is OS security hardening?
The idea of OS hardening is to minimize a computer's exposure to current and future
threats by fully configuring the operating system and removing unnecessary applications.

17. What is the aim of system security planning?
The purpose of the system security plan is to provide an overview of the security
requirements of the system and describe the controls in place or planned for meeting those
requirements. The system security plan also delineates responsibilities and expected
behavior of all individuals who access the system.

18. What are the 5 pillars of system security?
The U.S. Department of Defense has promulgated the Five Pillars of Information Assurance
model that includes the protection of confidentiality, integrity, availability, authenticity, and
non-repudiation of user data.
19. What is application security and examples?
Firewalls, antivirus systems, and data encryption are just a few examples to prevent
unauthorized users from entering a system. If an organization wishes to protect specific,
sensitive data sets, they can establish unique application security policies for those
resources.

20. What are the 5 types of application security?
Authentication, authorization, encryption, logging, and application security testing are all
examples of application security features. Developers can also use code to reduce security
flaws in applications.

21. What is security maintenance?
A security maintenance programme involves periodic checks of all the installed security
devices within a property. These include alarms, surveillance cameras, detectors, circuits,
lighting and entry systems, etc. It verifies that they're in good working order and your
valuable assets remain well protected.

22. What are the 5 security services?
The five security services that prevent security attacks are: data confidentiality, data integrity,
authentication, non-repudiation and access control.

23. What is the Linux Unix security model?
Linux Security Modules (LSM) is a framework allowing the Linux kernel to support without
bias a variety of computer security models. LSM is licensed under the terms of the GNU
General Public License and is a standard part of the Linux kernel since Linux 2.6.

24. Does UNIX have security?
UNIX has a sophisticated security system that controls the ways users access files, modify
system databases, and use system resources. Unfortunately, those mechanisms don't help
much when the systems are misconfigured, are used carelessly, or contain buggy software.
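As an added example that is not part of the original notes, the following Python checker models the UNIX file-permission rules the answer refers to: the kernel picks exactly one class (owner, group or other) from the caller's identity and never widens it with a more permissive class, root bypasses the rwx bits (except that executing a regular file still needs some execute bit), and a few bit patterns are the classic misconfigurations the answer warns about. The sample listing, its paths, uids and modes are constructed for illustration.

```python
"""Classic UNIX permission model as a small checker (added example, not from the notes)."""
import stat

# Constructed sample directory listing: (path, ls -l style mode, owner uid, owner gid).
SAMPLE_LISTING = [
    ("/usr/bin/passwd", "-rwsr-xr-x", 0, 0),
    ("/tmp", "drwxrwxrwt", 0, 0),
    ("/etc/shadow", "-rw-r-----", 0, 42),
    ("/srv/app/config.ini", "-rw-rw-rw-", 1000, 1000),
]

_FILE_TYPES = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK}
_SPECIAL_BITS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_mode(symbolic):
    """Convert a 10-character ls -l mode string (e.g. '-rwsr-xr-x') into st_mode bits."""
    if len(symbolic) != 10:
        raise ValueError("expected a 10-character mode string")
    mode = _FILE_TYPES[symbolic[0]]
    # Positions 0..8 of the permission part map to bits 8..0 (rwx for user, group, other).
    for i, ch in enumerate(symbolic[1:]):
        bit = 1 << (8 - i)
        if ch in "rwx":
            mode |= bit
        elif i in _SPECIAL_BITS and ch.lower() == ("t" if i == 8 else "s"):
            mode |= _SPECIAL_BITS[i]      # setuid / setgid / sticky
            if ch.islower():              # lowercase also means the execute bit is set
                mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return mode


def allowed(mode, file_uid, file_gid, uid, gids, want):
    """Access check for the bits in `want` (a subset of 'rwx').

    Exactly one class applies: owner if uid matches, else group if the file's gid is
    among the caller's groups, else other. A restrictive owner class is NOT rescued
    by a permissive other class; that is the classic surprise in this model.
    """
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    if uid == 0:
        # Root bypasses rwx bits, but executing a regular file needs some execute bit.
        return "x" not in want or stat.S_ISDIR(mode) or bool(mode & 0o111)
    if uid == file_uid:
        cls = (mode >> 6) & 0o7
    elif file_gid in gids:
        cls = (mode >> 3) & 0o7
    else:
        cls = mode & 0o7
    return cls & need == need


def risk_flags(mode):
    """Flag the misconfigurations worth reviewing: world-writable files (outside
    sticky directories such as /tmp) and set-id bits on executables."""
    flags = []
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        flags.append("world-writable")
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return flags


def audit(listing):
    """Map each path in a listing to its risk flags."""
    return {path: risk_flags(parse_mode(mode)) for path, mode, _uid, _gid in listing}
```

`audit(SAMPLE_LISTING)` flags only the setuid `passwd` binary and the world-writable config file; the sticky `/tmp` is accepted because the sticky bit restricts deletion to the file owner. `allowed()` shows why "the mechanisms don't help when misconfigured": a mode such as `----rwxrwx` locks out the owner while letting everyone else in.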

25. What is window security?


Windows Security is the central place for managing the tools that protect your device and
your data. For example, Virus & threat protection lets you monitor threats to your device, run
scans, and get updates to help detect the latest threats.

26. How safe is Windows security?


Microsoft Defender antivirus is pretty safe. It has almost 100% real-time protection rates,
according to independent tests.

27. What are the security benefits of virtualization?


Virtualization offers significant security benefits in the cloud. Because VMs and virtual
infrastructure stay separate from other parts of your systems, it's much harder for viruses
and malware to spread. With virtual firewalls, you can restrict access to your data for much
less money than with traditional methods.
28. What do you mean by virtualization security?
Virtualized security, or security virtualization, refers to security solutions that are
software-based and designed to work within a virtualized IT environment. This differs from
traditional, hardware-based network security, which is static and runs on devices such as
traditional firewalls, routers, and switches.

29. What is meant by wireless security?


Wireless security is the prevention of unauthorized access or damage to computers or data
using wireless networks, which include Wi-Fi networks. The term may also refer to the
protection of the wireless network itself from adversaries seeking to damage the
confidentiality, integrity, or availability of the network.

30. What is an example of wireless security?


Wireless networks are often less secure than wired ones, so wireless security protocols are
crucial for keeping you safe online. The most common Wi-Fi security protocols today are
WEP, WPA, and WPA2.

31. What is the advantage of wireless security?


A wireless system has no wires to cut, and is much harder to bypass or work around. That
makes your home or business a harder target. There's an added bonus: with battery
backups, you're assured of protection in the event of a fire, power outage, or other events
that could disrupt or disable a traditional system.

32. What are the security features of wireless LAN?


As with any other computer network, the major security goals in WLANs are confidentiality,
integrity and availability (termed the CIA triad). Prominent techniques that help in attaining
these goals include access control, authentication, encryption, and message authentication
codes (MACs).

33. What is IEEE 802.11 wireless LAN security?


IEEE 802.11 provides security through encryption and authentication. Authentication can be
done through an “open system” or “shared key” in either ad hoc mode or infrastructure
mode.

34. What is the importance of WLAN security?


Wireless network security is vital because it helps protect your data from unauthorized
access. Wi-Fi networks are particularly vulnerable to cyberattacks because they use radio
waves to transmit data; this means that anyone within range of the Wi-Fi signal can
potentially intercept and read the data being sent.

35. What is wireless security tool?


Wireless security tools should be used to test (audit) wireless implementations regularly. A
good wireless security audit is not only practical testing but also proper documentation,
including recommendations on how to make the WLAN more secure. There are several
possible audits one can perform, for example a Layer 1 audit.
Part-B Questions

Q. No.  Question                                                                      CO    K Level
1       Explain system security issues in detail.                                    CO4   K3
2       Explain TLS/SSL and HTTPS in detail.                                         CO5   K3
3       Explain IP security issues in detail with a neat diagram.                    CO5   K3
4       Explain OS security and OS security planning and hardening with an example.  CO4   K3
5       Explain Linux/Unix security.                                                 CO5   K3
6       Explain Windows security and virtualization security.                        CO5   K3
7       Explain wireless security in detail.                                         CO5   K3
8       Explain wireless security policy and wireless security tools.                CO5   K3
Supportive Online Certification Courses (NPTEL, Swayam, Coursera, Udemy, etc.)

Sl. No.  Course                                              Platform
1        Cryptography and Network Security                   NPTEL
2        Introduction to Cryptology                          NPTEL
3        Foundations of Cryptography                         NPTEL
4        Computational number theory and cryptography        NPTEL
5        Cryptography                                        Coursera
6        Applied Cryptography                                Coursera
7        Number theory and cryptography                      Coursera
8        Cryptography and Information theory                 Coursera
9        Asymmetric cryptography and key management          Coursera
10       Symmetric Cryptography                              Coursera
11       Introduction to Cryptography                        Udemy
12       Cryptography with Python                            Udemy
13       Complete Cryptography master class                  Udemy
Real Time Applications in Day-to-Day Life and Industry

 Secure Network Communications: Secure Socket Layer (SSL)

 The SSL Handshake Protocol authenticates each end of the connection (server
and client), with the second or client authentication being optional. In phase 1,
the client requests the server's certificate and its cipher preferences. When the
client receives this information, it generates a master key and encrypts it with
the server's public key, then sends the encrypted master key to the server. The
server decrypts the master key with its private key, then authenticates itself to
the client by returning a message encrypted with the master key. Subsequent
data is encrypted with keys derived from the master key. Phase 2, client
authentication, is optional. The server challenges the client, and the client
responds by returning the client's digital signature on the challenge with its
public-key certificate.
 SSL uses the RSA public-key cryptosystem for the authentication steps. After the
exchange of keys, a number of different cryptosystems are used, including RC2,
RC4, IDEA, DES and triple-DES.
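The two-phase exchange described above, as an added example that is not part of the original notes: a Python simulation of the messages passed between client and server, with the optional client authentication switchable. It is a toy model of the flow, not SSL/TLS itself. Textbook RSA over two well-known Mersenne primes stands in for each party's certificate and key, an HMAC-SHA256 keystream stands in for RC2/RC4/DES, and the key labels, message strings and cipher list are constructed for illustration; none of this is secure, it exists only to make the flow observable.

```python
"""Toy walk-through of the SSL handshake flow (added example, not real SSL/TLS)."""
import hashlib
import hmac
import secrets


def rsa_keypair(p, q, e=65537):
    """Textbook RSA key pair (toy: no padding). Returns ((n, e), (n, d))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def rsa_apply(key, m):
    """Raw RSA: encrypt/verify with the public key, decrypt/sign with the private key."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


def derive_key(master_key, label):
    """Per-direction session key derived from the master key (toy KDF: HMAC-SHA256)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def stream_xor(key, nonce, data):
    """Toy symmetric cipher: HMAC-SHA256 counter keystream XORed into the data.
    The same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _challenge_digest(nonce):
    # Truncated to 128 bits so the value stays below the toy client modulus (assumption).
    return int.from_bytes(hashlib.sha256(nonce).digest()[:16], "big")


class Server:
    def __init__(self):
        self.pub, self.priv = rsa_keypair(2**61 - 1, 2**89 - 1)
        self.master_key = None
        self.nonce = None

    def hello(self):
        # Phase 1: the "certificate" (here the bare public key) plus cipher preferences.
        return {"certificate": self.pub, "ciphers": ["RC4", "IDEA", "DES", "3DES"]}

    def receive_master_key(self, encrypted_master_key):
        # Only the holder of the private key can recover the master key ...
        self.master_key = rsa_apply(self.priv, encrypted_master_key).to_bytes(16, "big")
        # ... so returning a known message under a key derived from it authenticates the server.
        return stream_xor(derive_key(self.master_key, b"server-write"), b"sv", b"SERVER-VERIFY")

    def challenge(self):
        # Phase 2 (optional): challenge the client with a fresh nonce.
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify_client(self, client_certificate, signature):
        # The client's public key must recover the digest of our challenge.
        return rsa_apply(client_certificate, signature) == _challenge_digest(self.nonce)


class Client:
    def __init__(self):
        self.pub, self.priv = rsa_keypair(2**107 - 1, 2**127 - 1)
        self.master_key = None

    def start(self, server_hello):
        # Generate a master key and encrypt it with the server's public key.
        self.master_key = secrets.token_bytes(16)
        return rsa_apply(server_hello["certificate"], int.from_bytes(self.master_key, "big"))

    def check_server(self, verify_message):
        key = derive_key(self.master_key, b"server-write")
        return stream_xor(key, b"sv", verify_message) == b"SERVER-VERIFY"

    def answer_challenge(self, nonce):
        # Digital signature on the challenge, returned with the client "certificate".
        return self.pub, rsa_apply(self.priv, _challenge_digest(nonce))


def run_handshake(client_auth=True):
    """Drive both phases; returns (server_authenticated, client_authenticated, data_recovered)."""
    server, client = Server(), Client()
    encrypted_master_key = client.start(server.hello())
    server_ok = client.check_server(server.receive_master_key(encrypted_master_key))
    client_ok = None
    if client_auth:
        certificate, signature = client.answer_challenge(server.challenge())
        client_ok = server.verify_client(certificate, signature)
    # Application data now flows under keys derived from the shared master key.
    record = stream_xor(derive_key(client.master_key, b"client-write"), b"cl", b"GET / HTTP/1.0")
    recovered = stream_xor(derive_key(server.master_key, b"client-write"), b"cl", record)
    return server_ok, client_ok, recovered
```

`run_handshake()` returns whether each side authenticated the other and the application record the server recovered; with `client_auth=False` the second value is `None`, mirroring the optional Phase 2. A tampered signature fails `verify_client`, since RSA is a permutation and a different signature can never recover the same digest.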
Contents beyond the Syllabus

 Anonymous Remailers
 GNU Privacy Guard (GPG)
Assessment Schedule (Proposed Date & Actual Date)

Assessment Tool   Proposed Date   Actual Date   Course Outcome   Program Outcome (Filled Gap)
Assessment I
Assessment II
Model
Prescribed Text Books & Reference Books

Sl. No.  Book Name & Author                                                                      Book
1        William Stallings, “Cryptography and Network Security: Principles and Practice”,        Text Book
         Fifth Edition, 2011, Pearson Education International
2        William Stallings and Lawrie Brown, “Computer Security: Principles and Practice”,       Text Book
         Third Edition, 2015, Pearson Education International
3        Tim Mather, Subra Kumaraswamy and Shahed Latif, “Cloud Security and Privacy: An         Reference Book
         Enterprise Perspective on Risks and Compliance”, 2009, O'Reilly
4        Mikhail Gloukhovtsev, “IoT Security: Challenges, Solutions & Future Prospects”, 2018,   Reference Book
         Knowledge Sharing Article, Dell Inc.
5        Pradip Kumar Das, Hrudaya Kumar Tripathy, Shafiz Affendi Mohd Yusuf, “Privacy and       Reference Book
         Security Issues in Big Data: An Analytical View on Business Intelligence”, Springer, 2021
Mini Project Suggestions
1. Command line interface for crypto functionality
2. Action history view with replay functionality (like a macro recorder) for all
algorithm operations (classic and modern)
3. An implementation of pairing based multi-partite key exchange protocols
4. Visualization of classic algorithms and their analysis
5. A demonstration of the interchangeability of PGP and S/MIME formats.
6. A demonstration of the S/MIME standard for secure e-mail.
7. Educational game for pupils
8. A visualization of zero-knowledge proofs
9. A visualization of the ACO algorithm for cryptanalysis of simple transposition
algorithms.
10. A visualization of Huffman codes.
11. Comprehensive Entropy plug-in for Entropy education (for texts from different
languages).
12. Implementation for this modern symmetric cipher
13. Design and prevention of side-channel attacks.
14. Implement three of the SHA-3 proposals: ECHO, JH and Skein
15. New attack idea against symmetric ciphers.
16. Visualization of different methods of steganography.
17. Alternate password storage for non-FlexiProvider algorithms.
18. Various tools for analysis of already implemented ciphers/protocols/formats.
19. Visualization of the grille cipher (Fleissner Schablone)
20. Visualize hash sensitivity (analogue to CrypTool 1).
21. Visualize the certificate validity models (shell and chain).
22. Implement and visualize the knapsack problem (Merkle-Hellman knapsack
cipher and the according attacks)
23. Implement and visualize the Rabin public key cipher (1979).
24. Implement a general dialog to filter and transform a text document (e.g.
before encrypting it)
25. Improving the classic algorithms, e.g. by implementing the transformation
page as a core part of the wizards
Thank you
