Nis Imp Q&a

Download as pdf or txt
Download as pdf or txt
You are on page 1of 129

SAHIL K

UNIT 1 - Introduction to Computer and Information Security

Q. Define computer security. Explain the need of computer security.


Ans: Computer Security: Computer Security is the protection of computing systems and the
data that they store or access.

Need of computer Security:

1. To make data remain safe and confidential.


2. To provide authentication which deals with the desire to ensure that an authorized
individual.
3. To provide integrity which ensures that only authorized individuals should ever be
able change or modify information.
4. To provide availability which ensures that the data or system itself is available for use
when an authorized user wants it.
5. To provide confidentiality which ensures that only those individuals should ever be
able to view data they are not entitled to.
6. To provide non-repudiation which deals with the ability to verify that message has
been sent and received by an authorized user.
7. For prevention of data theft such as bank account numbers, credit card information,
passwords, work related documents or sheets, etc.

Q. Define Information.
Ans: Information: Information is organized or classified data, which has some meaningful
values for the receiver. Information is the processed data on which knowledge, decisions and
actions are based.

Q. Explain CIA model for security.


Ans: Confidentiality, Integrity and Authentication i.e. these three concepts are considered as
the backbone of security. These concepts represent the fundamental principles of security.

Confidentiality:
● The principle of confidentiality specifies that only sender and intended recipients
should be able to access the contents of a message.
● Confidentiality gets compromised if an unauthorized person is able to access the
contents of a message.
● Example of compromising the Confidentiality of a message is shown in fig
● Here, the user of User A sends a message to User B. Another User C gets access to
this message, which is not desired and therefore, defeats the purpose of
confidentiality.
SAHIL K

● This type of attack is also called Interception.

Integrity:
● When the contents of the message are changed after the sender sends it, but before it
reaches the intended recipient, we say that the integrity of the message is lost.
● For example, here User C tampers with a message originally sent by User A, which is
actually destined for User B. User C somehow manages to access it, change its
contents and send the changed message to User B. User B has no way of knowing
that the contents of the message were changed after User A had sent it. User A also
does not know about this change.
● This type of attack is called Modification.

Authentication:
● Authentication helps to establish proof of identities.
● The Authentication process ensures that the origin of a message is correctly identified.
● For example, suppose that User C sends a message over the internet to User B.
However, the trouble is that User C had posed as User A when he sent a message to
User B. How would User B know that the message has come from User C, who is
posing as User A?
● This concept is shown in fig. below. This type of attack is called Fabrication.
SAHIL K

Q. Explain the terms:


i) Confidentiality
ii) Integrity
iii) Authentication
iv) Availability
Ans:
i) Confidentiality:
● The principle of confidentiality specifies that only sender and intended recipients
should be able to access the contents of a message.
● Confidentiality gets compromised if an unauthorized person is able to access the
contents of a message.
● Example of compromising the Confidentiality of a message is shown in fig:
● Here, the User A sends a message to User B. Another User C gets access to this
message, which is not desired and therefore, defeats the purpose of confidentiality.
● This type of attack is also called interception.

ii) Integrity:
● When the contents of the message are changed after the sender sends it, but before it
reaches the intended recipient, we say that the integrity of the message is lost.
● For example, here User C tampers with a message originally sent by User A, which is
actually destined for User B. User C somehow manages to access it, change its
contents and send the changed message to User B. User B has no way of knowing
that the contents of the message were changed after User A had sent it. User A also
does not know about this change.
● This type of attack is called modification.
SAHIL K

iii) Authentication:
● Authentication helps to establish proof of identities.
● The Authentication process ensures that the origin of a message is correctly identified.
● For example, suppose that User C sends a message over the internet to User B.
However, the trouble is that User C had posed as User A when he sent a message to
User B. How would User B know that the message has come from User C, who is
posing as User A?
● This type of attack is called fabrication.

iv) Availability:
● The goal of availability is to ensure that the data, or the system itself, is available for
use when the authorized user wants it.
● The information created and stored by an organization needs to be available to
authorized entities. Information is useless if it is not available.
● Information needs to be constantly changed which means it must be accessible to
authorized entities.
● The unavailability of information is just as harmful for an organization as the lack of
confidentiality or integrity.
SAHIL K

Q. Define the following terms:


1) Interruption
2) Interception
3) Fabrication
4) Modification
Ans:
1) Interruption
● Interruption is when a file is corrupted or lost.
● In general, interruption refers to the situation in which services or data become
unavailable, unusable, destroyed, and so on.
● In this sense, denial of service attacks by which someone maliciously attempts to
make a service inaccessible to other parties is a security threat that classifies as
interruption

2) Interception
● Interception refers to the situation that an unauthorized party has gained access to a
service or data.
● A typical example of interception is where communication between two parties has
been overheard by someone else.
● Interception also happens when data are illegally copied, for example, after breaking
into a person’s private directory in a file system.

3) Fabrication
● Fabrication refers to the situation in which additional data or activities are generated
that would normally not exist.
● For example, an intruder may attempt to add an entry into a password file or database.
● Likewise, it is sometimes possible to break into a system by replaying previously sent
messages.

4) Modification
● Modifications involve unauthorized changing of data or tampering with a service so
that it no longer adheres to its original specifications.
● Examples of modifications include intercepting and subsequently changing
transmitted data, tampering with database entries, and changing a program so that it
secretly logs the activities of its user.
SAHIL K

Q. Explain terms regarding computer security.


(i) Assets
(ii) Vulnerability
(iii) Threats
(iv) Risk
Ans:
i) Assets:
● Asset is any data, device, or other component of the environment that supports
information-related activities.
● Assets generally include hardware, software and confidential information.

ii) Vulnerability:
● It is a weakness in computer systems & networks.
● The term "vulnerability" refers to the security flaws in a system that allows an attack
to be successful.
● Vulnerability testing should be performed on an on-going basis by the parties
responsible for resolving such vulnerabilities, and helps to provide data used to
identify unexpected dangers to security that need to be addressed.
● Such vulnerabilities are not particular to technology - they can also apply to social
factors such as individual authentication and authorization policies.
● Testing for vulnerabilities is useful for maintaining on-going security, allowing the
people responsible for the security of one's resources to respond effectively to new
dangers as they arise.
● It is also invaluable for policy and technology development, and as part of a
technology selection process.

iii) Threats: It is a set of things which has potential to lose or harm to computer systems &
networks.

iv) Risk:
● Risk is the probability of threats that may occur because of the presence of
vulnerability in a system.
● A measure of the extent to which an entity is threatened by a potential circumstance
or event, and typically a function of:
1. The adverse impacts that would arise if the circumstance or event occurs
2. The likelihood of occurrence.

Q. Explain four threats to web security.


Ans: The main types of threats to web systems are listed below:
Physical:
● Physical threats include loss or damage to equipment through fire, smoke, water &
other fire suppressants, dust, theft and physical impact.
● Physical impact may be due to collision or the result of malicious or accidental
damage by people.
SAHIL K

● Power loss will affect the ability for servers and network equipment to operate
depending upon the type of back-up power available and how robust it is.

Malfunction:
● Both equipment and software malfunction threats can impact upon the operations of a
website or web application.
● Malfunction of software is usually due to poor development practices where security
has not been built into the software development life cycle.
1) Malware: Malware, or malicious software, comes in many guises. Web
servers are popular targets to aid distribution of such code and sites which
have vulnerabilities that allow this are popular targets.

2) Spoofing: Spoofing where a computer assumes the identity of another and


masquerading where a user pretends to be another, usually with higher
privileges, can be used to attack web systems to poison data, deny service or
damage systems.

3) Scanning: Scanning of web systems are usually part of network or application


fingerprinting prior to an attack, but also include brute force and dictionary
attacks on username, passwords and encryption keys.

4) Eavesdropping: Monitoring of data (on the network, or on user's screens)


may be used to uncover passwords or other sensitive data.

Q. What is Risk? How can it be analyzed? List various assets.


Ans:
Risk:
● A computer security risk is any event or action that could cause a loss or damage to
computer hardware, software, data, or information.

● Some breaches to computer security are accidental, but some are planned. Any an
illegal act involving a computer is generally referred to as a computer crime.

● Cybercrime refers to online or Internet-based illegal acts.

● Some of the more common computer security risks include Computer viruses,
Unauthorized access and use of computer systems, Hardware theft and software theft,
Information theft and information privacy, System failure.

Risk can be analyzed:

● When performing risk analysis it is important to weigh how much to spend protecting
each asset against the cost of losing the asset.
SAHIL K

● It is also important to take into account the chance of each loss occurring.

● If a hacker makes a copy of all a company's credit card numbers it does not cost them
anything directly but the loss in fine and reputation can be enormous.

● An asset is any data, device, or other component of the environment that supports
information-related activities.

Types of Assets:
● Assets generally include
○ Hardware (e.g. Servers and Switches),
○ Software (e.g. Mission Critical Applications and Support Systems)
○ Confidential information.

● Assets should be protected from unauthorized access, use, alteration, destruction,


and/or theft, resulting in loss to the organization.

Q. What is Risk? Describe Risk Management.


Ans: Risk: A measure of the extent to which an entity is threatened by a potential
circumstance or event, and typically a function of:
i) The adverse impacts that would arise if the circumstance or event occurs
ii) The likelihood of occurrence.

Risk Management: The process of identifying risk, as represented by vulnerabilities, to an


organization’s information assets and infrastructure, and taking steps to reduce this risk to an
acceptable level.

Risk management involves three major undertakings:


➢ Risk Identification
➢ Risk Assessment
➢ Risk Control

The various components of risk management and their relationship to each other are shown in
figure:
SAHIL K

● Risk Identification: This is the process of examining an organization’s current


information technology security situation.
● Risk Assessment: Risk assessment is the determination of the extent to which the
organization’s information assets are exposed or at risk.
● Risk control: applying controls to reduce risks to an organizations data and
information systems.

Four strategies to control each risk:

1. Avoidance: Defend the defend control strategy attempts to prevent the exploitation of the
vulnerability. This is the preferred approach and is accomplished by means of countering
threats, removing vulnerabilities from assets, limiting access to assets, and adding protective
safeguards.

2. Transference: The transfer control strategy attempts to shift risk to other assets, other
processes, or other organizations.

3. Mitigation: The terminate control strategy directs the organization to avoid those business
activities that introduce uncontrollable risks the mitigate control strategy attempts to reduce
the impact caused by the exploitation of vulnerability through planning and preparation.

4. Acceptance: The accept control strategy is the choice to do nothing to protect a


vulnerability and to accept the outcome of its exploitation.

Risk can be calculated by using Risk Analysis (RA) which is of two types:

1) Quantitative Risk Analysis: A Process of assigning a numeric value to the probability of


loss based on known risks, on financial values of the assets and on probability of threats.

2) Qualitative Risk Analysis: A collaborative process of assigning relative values to assets,


assessing their risk exposure and estimating the cost of controlling the risk.
SAHIL K

Q. Describe qualitative and quantitative risk analysis.


Ans:
Qualitative Risk Analysis:
● It is a collaborative process of assigning relative values to assets, assessing their risk
exposure, and estimating the cost of controlling the risk.
● It differs from quantitative risk analysis in that it utilizes relative measures and
approximate costs rather than precise valuation and cost determination.
● In qualitative risk analysis:
1. Assets can be rated based on criticality - very important, important,
not-important etc.
2. Vulnerabilities can be rated based on how it is fixed - fixed soon, should be
fixed, fix if suitable etc
3. Threats can be rated based on scale of likely - likely, unlikely, very likely etc.

Quantitative Risk Analysis:


● A process for assigning a numeric value to the probability of loss based on known
risks, on financial values of the assets and the probability of threats.
● It is used to determine potential direct and indirect costs to the company based on
values assigned to company assets and their exposure to risk.
● E.g. the cost of replacing an asset, the cost of lost productivity, or the cost of
diminished brand reputation.

Q. Differentiate between qualitative and quantitative risk analysis.


Ans:

Qualitative Risk Analysis Quantitative Risk Analysis

i) It is a collaborative process of assigning i) It is a process for assigning a numeric


relative values to assets, assessing their risk value to the probability of loss based on
exposure, and estimating the cost of known risks, on financial values of the
controlling the risk. assets and on probability of threats.

ii) It utilizes relative measures and ii) It is used to determine potential direct
approximate costs rather than precise and indirect costs to the company based on
valuation and cost determination. values assigned to company assets and their
exposure to risk.

iii) Assets can be rated based on criticality - iii) Assets can be rated as the cost of
very important, important, not-important replacing an asset, the cost of lost
etc. Vulnerabilities can be rated based on productivity, or the cost of diminished brand
how it is fixed - fixed soon, should be fixed, reputation.
fix if suitable etc. Threats can be rated based
on scale of likely, unlikely, very likely etc.

iv) In this 100% qualitative risk analysis is iv) In this 100% quantitative risk analysis is
feasible. not possible.
SAHIL K

Q. Describe any four strategies of “Risk Control”.


Ans:
1. Defend the defend control strategy attempts to prevent the exploitation of the
vulnerability. This is the preferred approach and is accomplished by means of
countering threats, removing vulnerabilities from assets, limiting access to assets, and
adding protective safeguards.

2. The transfer control strategy attempts to shift risk to other assets, other processes, or
other organizations.

3. The terminate control strategy directs the organization to avoid those business
activities that introduce uncontrollable risks the mitigate control strategy attempts to
reduce the impact caused by the exploitation of vulnerability through planning and
preparation.

4. The accept control strategy is the choice to do nothing to protect a vulnerability and to
accept the outcome of its exploitation.

Q. Define Virus. Describe different phases of virus.


Ans:
Virus:
● Virus is a program which attaches itself to another program and causes damage to the
computer system or the network.
● It is loaded onto your computer without your knowledge and runs against your
wishes.

Types of viruses:
● Parasitic Virus
● Memory Resident Virus
● Non-resident Virus
● Boot Sector Virus
● Overwriting Virus
● Stealth Virus
● Macro Virus
● Polymorphic Virus
● Companion Virus
● Email Virus
● Metamorphic Virus

Different phases of viruses are:


SAHIL K

● Dormant phase:
○ The virus is idle.
○ The virus will eventually be activated by some event, such as a date, the
presence of another program or file, or the capacity of the disk exceeding
some limit.
○ Not all viruses have this stage.

● Propagation phase:
○ The virus places a copy of itself into other programs or into certain system
areas on the disk.
○ The copy may not be identical to the propagating version; viruses often morph
to evade detection.
○ Each infected program will now contain a clone of the virus, which will itself
enter a propagation phase.

● Triggering phase:
○ The virus is activated to perform the function for which it was intended.
○ As with the dormant phase, the triggering phase can be caused by a variety of
system events, including a count of the number of times that this copy of the
virus has made copies of itself.

● Execution phase:
○ The function is performed.
○ The function may be harmless, such as a message on the screen, or damaging,
such as the destruction of programs and data files.
SAHIL K

Q. Explain types of viruses.


Ans: Types of viruses:
● Parasitic Viruses: It attaches itself to executable code and replicates itself. Once it is
infected it will find another program to infect.

● Memory resident viruses: It lives in memory after its execution it becomes a part of
the operating system or application and can manipulate any file that is executed,
copied or moved.

● Non- resident viruses: It executes itself and terminates or destroys after specific time.

● Boot sector viruses: It infects the boot sector and spreads through a system when it is
booted from disk containing virus.

● Overwriting viruses: It overwrites the code with its own code.

● Stealth virus: This virus hides the modification it has made in the file or boot record.

● Macro viruses: These are not executable. It affects Microsoft Word like documents,
they can spread through email.

● Polymorphic viruses: it produces fully operational copies of itself, in an attempt to


avoid signature detection.

● Companion viruses: It creates a program instead of modifying an existing file.

● Email viruses: It gets executed when email attachment is open by the recipient. It
sends itself to everyone on the mailing list of sender.

● Metamorphic viruses: It keeps rewriting itself every time, it may change their
behavior as well as appearance code.

Q. Explain virus and worm.


Ans:
Virus:
● A computer virus attaches itself to a program or file enabling it to spread from one
computer to another, leaving infections as it travels.
● Like a human virus, a computer virus can range in severity: some may cause only
mildly annoying effects while others can damage your hardware, software or files.
● Almost all viruses are attached to an executable file, which means the virus may exist
on your computer but it actually cannot infect your computer unless you run or open
the malicious program.
● It is important to note that a virus cannot be spread without human action, (such as
running an infected program) to keep it going.
SAHIL K

● Because a virus is spread by human action people will unknowingly continue the
spread of a computer virus by sharing infecting files or sending emails with viruses as
attachments in the email.

Worm:
● A worm is similar to a virus by design and is considered to be a sub-class of a virus.
● Worms spread from computer to computer, but unlike a virus, it has the capability to
travel without any human action.
● A worm takes advantage of file or information transport features on your system,
which is what allows it to travel unaided.
● The biggest danger with a worm is its capability to replicate itself on your system, so
rather than your computer sending out a single worm, it could send out hundreds or
thousands of copies of itself, creating a huge devastating effect. One example would
be for a worm to send a copy of itself to everyone listed in your e-mail address book.
● Then, the worm replicates and sends itself out to everyone listed in each of the
receiver's address book, and the manifest continues on down the line.
● Due to the copying nature of a worm and its capability to travel across networks the
end result in most cases is that the worm consumes too much system memory (or
network bandwidth), causing Web servers, network servers and individual computers
to stop responding.
● In recent worm attacks such as the much-talked-about Blaster Worm, the worm has
been designed to tunnel into your system and allow malicious users to control your
computer remotely.

Q. Difference between virus and worm.


Ans:
Virus Worm

i) The virus is the program code that i) The worm is code that replicates itself in
attaches itself to the application program order to consume resources to bring it
and when the application program runs it down.
runs along with it.

ii) It inserts itself into a file or executable ii) It exploits a weakness in an application
program. or operating system by replicating itself.

iii) Virus may need a trigger for execution. iii) Worms do not need any trigger.

iv) Virus is slower than worm. iv) Worm is faster than virus

v) Damage is mostly caused to local v) It harms the network and consumes


machines. network bandwidth.

vi) It deletes or modifies files. Sometimes a vi) It usually only monopolizes the CPU and
virus also changes the location of files. memory.

vii) It has to rely on users transferring vii) It can use a network to replicate itself to
SAHIL K

infected files/programs to the other other computer systems without user


computer systems. intervention.

viii) Ex: Macro virus, Directory virus, viii) Ex: Code red
Stealth Virus

Q. Explain the term Intruders and Insiders.


Ans:
Intruders:
● Keep trying attacks till success as they have the access and knowledge to cause
immediate damage to organization.
● Individual or a small group of attackers, they can be more in numbers.
● Next level of this group is script writers, i.e. Elite hackers are of three types:
Masquerader, Misfeasor, Clandestine user is misuse of access given by insiders
directly or indirectly access the organization.
● They may give remote access to the Organization Intruders are authorized or
unauthorized users who are trying to access the system or network.
● They are hackers or crackers. Intruders are illegal users. Less dangerous than insiders.
● They have to study or to gain knowledge about the security system.
● They do not have access to the system.
● Many security mechanisms are used to protect systems from intruders.

Insiders:

● More dangerous than outsiders, as they have the access and knowledge to cause
immediate damage to organization.
● They can be more in numbers who directly or indirectly access the organization.
● They may give remote access to the organization.
● Insiders are authorized users who try to access a system or network for which he is
unauthorized.
● Insiders are not hackers.
● Insiders are legal users.

Q. Explain how insiders are more dangerous than intruders.


Ans: Insiders are more dangerous than intruders because:

● The insiders have the access and necessary knowledge to cause immediate damage to
an organization.
● There is no security mechanism to protect the system from Insiders.
● So they can have all the access to carry out criminal activity like fraud.
● They have knowledge of the security systems and will be better able to avoid
detection.

Q. Difference between intruders and insiders.


SAHIL K

Ans:

Intruders Insiders

i) They are hackers or crackers. i) Insiders are not hackers.

ii) Intruders are illegal users. ii) Insiders are legal users

iii) Less dangerous than insiders. iii) More dangerous than intruders.

iv) They do not have access to the system. iv) They may give remote access to the
organization.

v) Individual or a small group of attackers, v) They can be more in numbers who


they can be more in numbers. directly or indirectly access the
organization.

vi) Keep trying attacks till success as they vi) Insiders are authorized users who try to
have the access and knowledge to cause access system or network for which he is
immediate damage to organization. unauthorized.

Q. With suitable example explain:


i. Logic Bomb Attack
ii. Time Bomb Attack
Ans:
i) Logic Bomb Attack:
● Logic bombs are a type of malicious software that is deliberately installed, generally
by an authorized user.
● A logic bomb is a piece of code that sits dormant for a period of time until some event
invokes its malicious payload.
● Example: An example of a logic bomb might be a program that is set to load & run
automatically and that periodically checks an organization's payroll or personal
database for a specific employee.
● If the employee is not found, the malicious payload executes, deleting vital corporate
files. Logic bombs are difficult to detect because they are often installed by authorized
users & by administrators.

ii) Time Bomb Attack:


● A time bomb refers to a computer program that has been written so that it will stop
functioning after a predetermined date or time is reached.
● Time bombs are commonly used in beta (pre-release) software when the manufacturer
of the software does not want the beta version being used after the final release date.
● Example: Example of time bomb software would be Microsoft's Windows Vista Beta
2, which was programmed to expire on May 31, 2007.
SAHIL K

● The time limits on time bomb software are not usually as heavily enforced as they are
on trial software, since time bomb software does not usually implement secure clock
functions.

Q. Define attack. Explain steps in attack.


Ans: Attack on computer systems is either specifically targeted by an attacker, or an
opportunistic target.

Attacks may have having following steps:

● Interception: concept of confidentiality, Here an unauthorized party has gained access


to a resource, it can be a person, program, or computer based system. i.e. copying of
data or programs, listening to network traffic.

● Fabrication: concept of authorization, It involves the creation of illegal objects on a


computer system. i.e. attacker adds fake records to database.

● Modification: Its under Integrity, Here the attacker may modify the values in the
database.

● Interruption: It's related to availability, Here Resources become unavailable, Lost or


unusable, i.e. denial of service, problem causing to a hardware device, erasing
program, data,or operating system components.

Q. Explain active attack and passive attack with suitable examples.


Ans: Active Attack:
● In an active attack, the attacker tries to bypass or break into secured systems.
● This can be done through stealth, viruses, worms, or Trojan horses.
● Active attacks include attempts to circumvent or break protection features, to
introduce malicious code, and to steal or modify information.
● These attacks are mounted against a network backbone, exploit information in transit,
electronically penetrate an enclave, or attack an authorized remote user during an
attempt to connect to an enclave.
● Active attacks result in the disclosure or dissemination of data files, DoS, or
modification of data.
● Active attacks can be divided into four categories:
○ Masquerade
■ A masquerade takes place when one entity pretends to be a different
entity.
■ A masquerade attack usually includes one of the other forms of active
attack.

○ Replay
SAHIL K

■ In replay attack, authentication sequences can be captured and replayed


after a valid authentication sequence has taken place, thus enabling an
authorized entity with few privileges to obtain extra privileges by
impersonating an entity that has those privileges. Replay involves the
passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect.

○ Modification of messages
■ Modification of messages simply means that some portion of a
legitimate message is altered, or that messages are delayed or
reordered, to produce an unauthorized effect.
■ For example, a message meaning "Allow Ajay to read confidential
accounts" is modified to mean "Allow Vijay to read confidential
accounts.

○ Denial of Service(DoS)
■ Denial of service (DOS) attack scan exploits a known vulnerability in a
specific application or operating system, or they may attack features
(or weaknesses) in specific protocols or services.
■ In this form of attack, the attacker is attempting to deny authorized
users access either to specific information or to the computer system or
network itself.

Passive Attack:
● A passive attack monitors unencrypted traffic and looks for clear-text passwords and
sensitive information that can be used in other types of attacks.
● Passive attacks include
○ Traffic Analysis
○ Release of Message Contents
○ Monitoring of Unprotected Communications
○ Decrypting Weakly Encrypted Traffic
○ Capturing Authentication Information such as Passwords.
● Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
● The goal of the opponent is to obtain information that is being transmitted.
● The release of message contents is easily understood.
● A telephone conversation, an electronic mail message, and a transferred file may
contain sensitive or confidential information.
● We would like to prevent an opponent from learning the contents of these
transmissions.
● A second type of passive attack, traffic analysis.
● Suppose that we had a way of masking the contents of messages or other information
traffic so that opponents, even if they captured the message,could not extract the
information from the message.
● The common technique for masking contents is encryption.
SAHIL K

● If we had encryption protection in place, an opponent might still be able to observe


the pattern of these messages.
● The opponent could determine the location and identity of communicating hosts and
could observe the frequency and length of messages being exchanged.
● This information might be useful in guessing the nature of the communication that
was taking place.
● Passive attacks are very difficult to detect because they do not involve any alteration
of the data.
● Typically, the message traffic is not sent and received in an apparently normal fashion
and the sender or receiver is aware that a third party has read the messages or
observed the traffic pattern.
● However, it is feasible to prevent the success of these attacks, usually by means of
encryption.
● Thus, the emphasis in dealing with passive attacks is on prevention rather than
detection.

Q. Give examples of active and passive attacks.


Ans:
Active Attack:
i) Denial-of-Service (DoS) Attack: An attacker floods a target system, network, or service
with an overwhelming volume of traffic, causing it to become unavailable to legitimate users.

ii) Man-in-the-Middle Attack: An attacker intercepts and potentially alters communication


between two parties without their knowledge. This can occur in various forms, such as
eavesdropping or session hijacking.

iii) Packet Injection Attack: The attacker injects malicious packets into a data stream to
disrupt communication, inject malware, or manipulate data.

iv) DNS Spoofing: Attackers manipulate DNS (Domain Name System) responses to redirect
users to malicious websites by providing false IP addresses for legitimate domain names.

Passive Attack:
i) Packet Sniffing: An attacker intercepts and monitors network traffic to capture sensitive
information, such as usernames and passwords, without altering the transmitted data.

ii) Eavesdropping: Unauthorized individuals listen in on private conversations or


communications to gain sensitive information.

iii) Traffic Analysis: Attackers analyze patterns and characteristics of network traffic, such
as frequency and size of data packets, to infer sensitive information without accessing the
actual content.
SAHIL K

iv) Brute Force Password Cracking (Offline): Attackers obtain encrypted password hashes
and attempt to decrypt them using various techniques, such as dictionary attacks or
exhaustive search.

Q. Explain DOS and DDOS with a neat diagram.


Ans:
Denial of Service Attack:
● Denial of Service (DOS) attack scans exploit a known vulnerability in a specific
application or operating system, or they may attack features (or weaknesses) in
specific protocols or services.
● In this form of attack, the attacker is attempting to deny authorized users access either
to specific information or to the computer system or network itself.
● The purpose of such an attack can be simply to prevent access to the target system, or
the attack can be used in conjunction with other actions in order to gain unauthorized
access to a computer or network.
● SYN flooding is an example of a DOS attack that takes advantage of the way TCP/IP
networks were designed to function, and it can be used to illustrate the basic
principles of any DOS attack.
● SYN flooding utilizes the TCP three-way handshake that is used to establish a
connection between two systems.
● In a SYN flooding attack, the attacker sends fake communication requests to the
targeted system.
● Each of these requests will be answered by the target system, which then waits for the
third part of the handshake.
● Since the requests are fake the target will wait for responses that will never come, as
shown in Figure.

● The target system will drop these connections after a specific time-out period, but if
the attacker sends requests faster than the time-out period eliminates them, the system
will quickly be filled with requests.
● The number of connections a system can support is finite,so when more requests
come in than can be processed, the system will soon be reserving all its connections
for fake requests.
● At this point, any further requests are simply dropped (ignored), and legitimate users
who want to connect to the target system will not be able to.
SAHIL K

● Use of the system has thus been denied to them.

Distributed Denial-of-Service (DDoS):


● DDoS is the attack where the source is more than one,often thousands of, unique IP
addresses.
● It is analogous to a group of people crowding the entry door or gate to a shop or
business, and not letting legitimate parties enter into the shop or business, disrupting
normal operations.
● DDoS is a type of DOS attack where multiple compromised systems, which are often
infected with a Trojan, are used to target a single system causing a Denial of Service
(DoS) attack.
● Victims of a DDoS attack consist of both the end targeted system and all systems
maliciously used and controlled by the hacker in the distributed attack.
● A Denial of Service (DoS) attack is different from a DDoS attack.
● The DoS attack typically uses one computer and one Internet connection to flood a
targeted system or resource.
● The DDoS attack uses multiple computers and Internet connections to flood the
targeted resource.
● DDoS attacks are often global attacks, distributed via botnets.

Types of DDoS Attacks:


● Traffic attacks: Traffic flooding attacks send a huge volume of TCP, UDP and ICMP
packets to the target. Legitimate requests get lost and these attacks may be
accompanied by malware exploitation.

● Bandwidth attacks: This DDoS attack overloads the target with massive amounts of
junk data. This results in a loss of network bandwidth and equipment resources and
can lead to a complete denial of service.

● Application attacks: Application-layer data messages can deplete resources in the


application layer, leaving the target's system services unavailable.

● Stacheldraht is a piece of software written by Random for Linux and Solaris Systems
which acts as a Distributed Denial of Service (DDoS) agent.
● This tool detects and automatically enables source address forgery.
● Stacheldraht uses a number of different DoS attacks, including UDP flood, ICMP
flood, TCP SYN flood and Smurf attack.
SAHIL K

DDOS ATTACK

Q. Explain back doors and trap doors attacks.


Ans:
Backdoor attacks:
● It is a secret entry point into a program that allows users to gain access without going
through the usual security access procedures.
● It is used legitimately in debugging and testing.
● It also refers to the entry and placement of a program or utility into a network that
creates a backdoor entry for attackers.
● This may allow a certain user ID to login without password to a program or gain
administrative services.
● It becomes a threat when programmers use them to gain unauthorized access.
SAHIL K

● There are several backdoor programs and tools used by hackers in terms of automated
tools.

Trapdoor attacks:
● A trap door is an entrance in a system which circumvents the normal safety measures.
● It is a secret entry point into a program that allows someone who is aware of gaining
access using procedures other than security procedures.
● It might be a hidden program which makes the protection system ineffective.
● This entry can be deliberately introduced by the developer to maintain the system in
case of disaster management.
● Trapdoor programs can be installed through malware using the internet.

Q. Explain sniffing and spoofing attacks.


Ans: Sniffing:
● This is software or hardware that is used to observe traffic as it passes through a
network on shared broadcast media.
● It can be used to view all traffic or target specific protocol, service,or string of
characters like logins.
● Some network sniffers are not just designed to observe all traffic but also modify the
traffic.
● Network administrators use sniffers for monitoring traffic.
● They can also be used for network bandwidth analysis and to troubleshoot certain
problems such as duplicate MAC addresses.

Spoofing:
● Spoofing is nothing more than making data look like it has come from a different
source.
● This is possible in TCP/ IP because of the friendly assumption behind the protocol.
● When the protocols were developed, it was assumed that individuals who had access
to the network layer would be privileged users who could be trusted.
● When a packet is sent from one system to another, it includes not only the destination
IP address and port but the source IP address as well which is one of the forms of
Spoofing.

Example of spoofing:
● E-mail Spoofing
● Caller ID Spoofing
● URL Spoofing
● IP Address Spoofing
● ARP Spoofing
● DNS Spoofing

Q. Explain the following attacks using an example:


i) Sniffing
SAHIL K

ii) Spoofing
iii) Phishing
Ans:
i) Sniffing:

● This is software or hardware that is used to observe traffic as it passes through a


network on shared broadcast media.
● It can be used to view all traffic or target specific protocol, service,or string of
characters like logins.
● Some network sniffers are not just designed to observe all traffic but also modify the
traffic.
● Network administrators use sniffers for monitoring traffic.
● They can also be used for network bandwidth analysis and to troubleshoot certain
problems such as duplicate MAC addresses.

Example:
● Consider an unsecured public Wi-Fi network at a coffee shop.
● An attacker, using specialized software, sets up a sniffer to capture data packets
transmitted over the Wi-Fi.
● As unsuspecting users connect to the network and log in to their email or social media
accounts, the sniffer captures these packets, allowing the attacker to obtain login
credentials and potentially sensitive information.

ii) Spoofing:

● Spoofing is nothing more than making data look like it has come from a different
source.
● This is possible in TCP/ IP because of the friendly assumption behind the protocol.
● When the protocols were developed, it was assumed that individuals who had access
to the network layer would be privileged users who could be trusted.
● When a packet is sent from one system to another, it includes not only the destination
IP address and port but the source IP address as well which is one of the forms of
Spoofing.

Example:
● In a typical IP spoofing scenario, an attacker may send a network packet to a target
system with a forged source IP address.
● The goal is to make the target system believe that the packet is from a trusted source,
possibly allowing unauthorized access.
● For instance, the attacker might spoof the IP address to match that of a legitimate user
to gain access to restricted resources.

iii) Phishing:
SAHIL K

● Phishing is a cyber attack that involves tricking individuals into revealing sensitive
information, such as usernames, passwords, or financial details.
● Attackers often use deceptive emails, messages, or websites that appear legitimate to
lure victims into providing confidential data.

Example:
● An employee receives an email seemingly from their company's IT department,
stating that they need to update their login credentials to enhance security.
● The email includes a link that directs the user to a fake login page, designed to look
identical to the company's actual login portal.
● If the user enters their credentials on this fraudulent page, the attacker captures the
information, gaining unauthorized access to the user's account.

Q. Explain spoofing attack with example. State different ways of spoofing.


Ans:
● Spoofing is the act of disguising a communication from an unknown source as being
from a known, trusted source.
● Spoofing can apply to emails, phone calls, and websites, or can be more technical,
such as a computer spoofing an IP address, Address Resolution Protocol (ARP), or
Domain Name System (DNS) server.
● Spoofing can be used to gain access to a target's personal information,spread malware
through infected links or attachments, bypass network access controls, or redistribute
traffic to conduct a denial-of-service attack.
● Spoofing is often the way a bad actor gains access in order to execute a larger
cyber-attack such as an advanced persistent threat or a man-in-the-middle attack.
● Example: By using corporate logos, or other specific graphics, criminals can disguise
emails to make it look like they've come from a trusted source.

Different ways of spoofing are:

● Email Spoofing:
○ Email spoofing occurs when an attacker uses an email message to trick a
recipient into thinking it came from a known and/or trusted source.
○ These emails may include links to malicious websites or attachments infected
with malware, or they may use social engineering to convince the recipient to
freely disclose sensitive information.

● Caller ID Spoofing:
○ With caller ID spoofing, attackers can make it appear as if their phone calls are
coming from a specific number either one that is known and/or trusted to the
recipient, or one that indicates a specific geographic location.
○ Attackers can then use social engineering often posing as someone from a
bank or customer support to convince their targets to, over the phone, provide
SAHIL K

sensitive information such as passwords, account information, social security


numbers, and more.

● Website Spoofing:
○ Website spoofing refers to when a website is designed to mimic an existing
site known and/or trusted by the user.
○ Attackers use these sites to gain login and other personal information from
users.

● IP Spoofing:
○ Attackers may use IP (Internet Protocol) spoofing to disguise a computer IP
address, thereby hiding the identity of the sender or impersonating another
computer system.
○ One purpose of IP address spoofing is to gain access to networks that
authenticate users based on IP addresses.

● ARP Spoofing:
○ Address Resolution Protocol (ARP) is a protocol that resolves IP addresses to
Media Access Control (MAC) addresses for transmitting data.
○ ARP spoofing is used to link an attacker's MAC to a legitimate network IP
address so the attacker can receive data meant for the owner associated with
that IP address.
○ ARP spoofing is commonly used to steal or modify data but can also be used
in denial-of-service and man-in-the-middle attacks or in session hijacking.

● DNS Server Spoofing:


○ DNS (Domain Name System) servers resolve URLs and email addresses to
corresponding IP addresses.
○ DNS spoofing allows attackers to divert traffic to a different IP address,
leading victims to sites that spread malware.

Q. Explain:
i) Main in the Middle attack
ii) Replay attack.
Ans:
i) Man in the Middle attack:
● A man in the middle attack occurs when attackers are able to place themselves in the
middle of two other hosts that are communicating in order to view or modify the
traffic.
● This is done by making sure that all communication going to or from the target host is
routed through the attacker's host.
● Then the attacker is able to observe all traffic before transmitting it and can actually
modify or block traffic.
SAHIL K

● To the target host, communication is occurring normally, since all expected replies are
received.

ii) Replay attack:


● In replay attack an attacker captures a sequence of events or some data units and
resends them.
● Example: Suppose User A wants to transfer some amount to User C's bank account.
Both Users A and C have accounts with Bank B. User A might send an electronic
message to Bank B requesting for fund transfer. User C could capture this message
and send a copy of the same to Bank B. Bank B would have no idea that this is an
unauthorized message and would treat this as a second and different fund transfer
request from User A. So C would get the benefit of the fund transfer twice - once
authorized and once through a replay attack.

Q. Explain TCP/IP hacking attack.


Ans:
IP Address Spoofing:
● Source and destination address contained in the IP header are the only information
needed for routing the packet.
● Anyone who has access to the IP layer can easily spoof the packet's IP source address
and then masquerade it as from another host in the network.
● The IP address spoofing is based upon maliciously creating TCP/IP packets using
someone else's IP address as source address so as to either conceal own identity or
impersonate the identity of the user of the spoofed IP address being used the packets
are routed by the router to the destination.
● Upon receipt the recipient uses the IP address of the source to reply to the packet.
● Since the source address is spoofed, the recipient will reply to the spoofed address and
not to the original sender who had deliberately changed his IP address in the original
packet.
SAHIL K

● Since the address has been changed intentionally it will be difficult to trace back to
the attacker.
● Using this concept the following types of attacks are normally carried out.

Denial of Services Attacks (DoS):


● Using the above trick the attacker can send a large number of packets to the victim.
● As he will not receive any packet from the victim, all the replies will be directed
towards the spoofed IP addresses and cause the victim to go out of service.
● Using DoS an attacker can disrupt the normal functioning of the network and carry
out the following attacks:-

Storage Consumption Attacks:


● The attacker tries to consume all the available local storage space on the target
machine to slowly bring it to a grinding halt.
● A simple trick of sending emails with very large attachments can be used for
launching this type of DoS.
● Multiple large DVD VOB files and uncompressed JPEG or BMP (bitmap) images of
very high resolution are common file types used to accomplish such attacks.

Subnet Mask Corruption Attacks:


● The attacker may send a message which causes the target machine to reset its subnet
mask and so disrupt the target's subnet routing.

Connection Resources Consumption Attacks:


● By sending very large numbers of erroneous requests for TCP session establishment
an attacker can consume all of the target's available connection resources thereby
resulting in the target being unable to service any new authentic connection requests.

Buffer Overflow Attacks:


● A buffer overflow attack occurs when a process receives much more data than
expected and if it has no programmed routine to deal with this excessive amount of
data, it may act in unexpected ways that an attacker can exploit.
● There are numerous variations and forms of buffer overflow attack that have been
formulated over the years, with the most common of all being the "Ping of Death".

Ping of Death Attacks:


● The Ping of Death attack is also referred to as the "Large Packet Ping Attack".
● The attacker initiates a "ping of death" attack by using network utility PING of
Internet Control Message Protocol (ICMP) to "ping" the target with an illegally
modified and very large IP datagram.
● This will result in overfilling of the target system's buffers causing the target to reboot
or hang.
● PING can be configured to send the "illegal" IP datagram packets in bursts or as a
continual stream.
SAHIL K

● In the case of a continual stream the target will be immediately under attack once it
reboots and will thus hang or reboot continually until something is done to stop it
receiving the attacker's packets.

SYN attacks:
● A SYN attack occurs when an attacker exploits the use of the buffer space during the
Transmission Control Protocol (TCP) session initialization - Three-way Handshake.
● The receiving machine (usually a server) can maintain multiple concurrent
conversations all established using the same small "inprocess" buffer pool.

Smurf attacks:
● Here a combination of IP address Spoofing and ICMP flooding are used to saturate a
target network with traffic so that the normal traffic is disrupted thereby causing a
Denial of Service (DoS) attack.
● Smurf attacks consist of the source site, the bounce site and the target site.
● First the attacker selects a bounce site (usually a very large network).
● The attacker then modifies a PING packet so that it contains the address of the target
site as the PING packet's source address.

Q. Describe the following terms:


i) Application Patches
ii) Hotfix
iii) Upgrades
Ans:
i) Application patches:
● As O.S continues to grow and introduce new functions, the potential for problems
with the code grows as well.
● It is almost impossible for an operating system vendor to test its product on every
possible platform under every possible platform under every possible circumstance,
so functionality and security issues do arise after an O.S has been released.
● Application patches are likely to come in three varieties: hot fixes, patches and
upgrades.
● Application patches are supplied from the vendor who sells the application.
● Application patches can be provided in many different forms like can be downloaded
directly from the vendor's web site or FTP site or by CD.
● Application patches probably come in three varieties: hot fixes, patches and upgrades.

ii) Hotfixes:
● Normally this term is given to small software updates designed to address a particular
problem like buffer overflow in an application that exposes the system to attacks.

iii) Upgrades:
● The term upgrade has a positive implication-you are moving up to a better, more
functional and more secure application.
SAHIL K

● Most vendors will release upgrades for fixes rather than any new or enhanced
functionality.

Q. Define the following terms:


i) Operating System Security
ii) Hot fix
iii) Patch
iv) Service pack
Ans:
i) Operating System Security: The OS must protect itself from security breaches, such as
runaway processes (denial of service), memory-access violations, stack overflow violations,
the launching of programs with excessive privileges, and many others.

ii) Hot Fix: Normally this term is given to small software update designed to address a
particular problem like buffer overflow in an application that exposes the system to attacks.

iii) Patch: This term is generally applied to more formal, larger s/w updates that may address
several or many s/w problems. Patches often contain improvement or additional capabilities
& fixes for known bugs.

iv) Service Pack: A service pack is a collection of updates and fixes, called patches, for an
operating system or a software program. Many of these patches are often released before a
larger service pack, but the service pack allows for an easy, single installation.

OR

A service pack (SP) is an update, often combining previously released updates, that helps
make Windows more reliable. Service packs can include security and performance
improvements and support for new types of hardware.

Q. State the importance of information classification.


Ans:
1. The main reason for classifying is that not all data/information have the same level of
importance or same level of relevance/ criticality to an organization.
2. Some data are more valuable to the people who make strategic decisions (senior
management) because they aid them in making long-range or short range business
direction decisions.
3. Some data such as trade secrets, formulae (used by scientific and/or research
organizations) and new product information (such as the one used by the marketing
staff and sales force) are so valuable that their loss could create a significant problem
for the enterprise in the market.
4. Thus it is obvious that information classification provides a higher, enterprise–level
benefit.
SAHIL K

5. Classification of information is used to prevent the unauthorized disclosure and the


resultant failure of confidentiality

Q. Explain levels of information classification.


Ans:
1. Unclassified: Information that is neither sensitive nor classified. The public release of this
information does not violet confidentiality.

2. Sensitive but Unclassified (SBU): Information that has been designated as a minor secret
but may not create serious damage if disclosed.

3. Confidential: The unauthorized disclosure of confidential information could cause some


damage to the country’s national security.

4. Secret: The unauthorized disclosure of this information could cause serious damage to the
countries national security.

5. Top Secret: This is the highest level of information classification. Any unauthorized
disclosure of top secret information will cause grave damage to the country’s national
security.

Q. Explain criteria for information classification.


Ans:
Criteria for classification of information:
i) Value
ii) Useful Life
iii) Personal Association
iv) Age

i) Useful life
● A data is labeled “more useful” when the information is available ready for making
changes as and when required.
● Data might need to be changed from time to time, and when the “change” access is
available, it is valuable data.

ii) Value
● This is probably the most essential and standard criteria for information classification.
● There is some confidential and valuable information of every organization, the loss of
which could lead to great losses for the organization while creating organizational
issues. Therefore, this data needs to be duly classified and protected.

iii) Personal association


● It is important to classify information or data associated with particular individuals or
addressed by privacy law.
SAHIL K

iv) Age
● The value of information often declines with time.
● Therefore, if the given data or information comes under such a category, the data
classification gets lowered.

Q. Describe Security Awareness in Security.


Ans:
1. Security awareness program is the most effective method to oppose potential social
engineering attacks when an organization's security goals and policies are established.

2. An important element that should concentrate in training is which information is


sensitive for organization and which may be the target of a social engineering attack.

3. Companies implement tools and procedures to protect against these threats and to
comply with law and regulations.

4. Establishing and maintaining information-security awareness through a security and


awareness program is vital to an organization's progress and success.

5. A robust and properly implemented security awareness program assists the


organization with the education, monitoring, and ongoing maintenance of security
awareness within the organization.

6. Security awareness should be conducted as an on-going program to ensure that


training and knowledge is not just delivered as an annual activity, rather it is used to
maintain a high level of security awareness on a daily basis.

Q. State the importance of security awareness. How can it be achieved?


Ans:
● Security awareness program is the most effective method to oppose potential social
engineering attacks when an organization's security goals and policies are established.
● An important element that should concentrate in training is which information is
sensitive for organization and which may be the target of a social engineering attack.

● An unaware user is as dangerous to the system as the attacker.


● An active security awareness program is the most effective method to oppose
potential social engineering attacks.
● Users should be able to create their own easy to remember passwords, but should not
be easy for someone else to guess or obtain using password cracking utilities.
● Passwords should meet some essential guidelines for e.g. password should contain
some special characters etc.
● It should not consist of dictionary words.
SAHIL K

● An approach of following closely behind a person who has just used their own access
card or PIN to gain physical access. In this way an attacker can gain access to the
facility without knowing the access code.
● An attacker positions themselves in such a way that he is able to observe the
authorized user entering the correct access code.
● Because of possible risks, many organizations do not allow their users to load
software or install new hardware without the information and help of administrators.
Organizations also restrict what an individual does by receiving emails.
● An attacker can get physical access to a facility then there are many chances of
obtaining enough information to enter into computer systems and networks. Many
organizations restrict their employees to wear identification symbols at work.

Q. Explain individual user responsibilities in Computer Security.


Ans: Individual user responsibilities in computer security are:
1. Lock the door of the office or workspace.
2. Do not leave sensitive information inside your car unprotected.
3. Secure storage media in a secure storage device which contains sensitive information.
4. Shredding paper containing organizational information before discarding it.
5. Do not expose sensitive information to individuals that do not have an authorized
need to know it.
6. Do not discuss sensitive information with family members.
7. Be alert to, and do not allow, piggybacking, shoulder surfing or access without the
proper identifications.
8. Establish different procedures to implement good password security practice that
employees should follow.

Q. Explain basic principles of information security.


Ans:

i) Confidentiality:
● The principle of confidentiality specifies that only sender and intended recipients
should be able to access the contents of a message.
● Confidentiality gets compromised if an unauthorized person is able to access the
contents of a message.
SAHIL K

● Example of compromising the Confidentiality of a message is shown in fig:


● Here, the user of computer A sends a message to user B. Another user C gets access
to this message, which is not desired and therefore,defeats the purpose of
Confidentiality. This type of attack is also called interception.

ii) Integrity:
● When the contents of the message are changed after the sender sends it, but before it
reaches the intended recipient, we say that the integrity of the message is lost.
● For example, here user C tampers with a message originally sent by user A, which is
actually destined for user B. user C somehow manages to access it, change its
contents and send the changed message to user B. user B has no way of knowing that
the contents of the message were changed after user A had sent it. User A also does
not know about this change. This type of attack is called modification.

iii) Availability:
● The goal of availability is to ensure that the data, or the system itself, is available for
use when the authorized user wants it.
● The information created and stored by an organization needs to be available to
authorized entities. Information is useless if it is not available.
● Information needs to be constantly changed which means it must be accessible to
authorized entities.
● The unavailability of information is just as harmful for an organization as the lack of
confidentiality or integrity.
SAHIL K

UNIT 2 - User Authentication and Access Control

Q. Describe components of a good password.


Ans: Components of a good password are:
1. It should not contain dictionary words.
2. It should be at least eight characters long.
3. It should not be the same as the user's login name.
4. It should include uppercase and lowercase letters, numbers, special characters or
punctuation marks.
5. It should not be the default passwords as supplied by the system vendor such as
password, guest, admin and so on.
6. It should not contain the user's personal information such as their name, family
member's name, birth date, pet name, phone number or any other detail that can easily
be identified.

Q. Explain different password selection criteria.


Ans:
1. User education:
● Users can be told the importance of using hard-to-guess passwords and can be
provided with guidelines for selecting strong passwords.
● This user education strategy is unlikely to succeed at most installations, particularly
where there is a large user population or a lot of turnover.
● Many users will simply ignore the guidelines.
● Others may not be good judges of what is a strong password.
● For example, many users believe that reversing a word or capitalizing the last letter
makes a password unguessable.

2. Computer-generated passwords:
● Passwords are quite random in nature.
● Computer generated passwords also have problems.
● If the passwords are quite random in nature, users will not be able to remember them.
● Even if the password is pronounceable, the user may have difficulty remembering it
and so be tempted to write it down.
SAHIL K

● In general, computer-generated password schemes have a history of poor acceptance


by users.
● FIPS PUB 181 defines one of the best-designed automated password generators.
● The standard includes not only a description of the approach but also a complete
listing of the C source code of the algorithm.
● The algorithm generates words by forming pronounceable syllables and concatenating
them to form a word.
● A random number generator produces a random stream of characters used to construct
the syllables and words.

3. Reactive password checking:


● A reactive password checking strategy is one in which the system periodically runs its
own password cracker to find guessable passwords.
● The system cancels any passwords that are guessed and notifies the user.
● This tactic has a number of drawbacks.
● First it is resource intensive, if the job is done right.
● Because a determined opponent who is able to steal a password file can devote full
CPU time to the task for hours or even days an effective reactive password checker is
at a distinct disadvantage.
● Furthermore, any existing passwords remain vulnerable until the reactive password
checker finds them.

4. Proactive password checking:


● The most promising approach to improved password security is a proactive password
checker.
● In this scheme, a user is allowed to select his or her password.
● However, at the time of selection, the system checks to see if the password is
allowable and if not, rejects it.
● Such checkers are based on the philosophy that with sufficient guidance from the
system, users can select memorable passwords from a fairly large password space that
are not likely to be guessed in a dictionary attack.
● The trick with a proactive password checker is to strike a balance between user
acceptability and strength.
● If the system rejects too many passwords,users will complain that it is too hard to
select a password.
● If the system uses some simple algorithm to define what is acceptable, this provides
guidance to password crackers to refine their guessing technique.
● In the remainder of this subsection, we look at possible approaches to proactive
password checking.

Q. Enlist various password attacks.


Ans:
i) Piggybacking
ii) Shoulder Surfing
SAHIL K

iii) Dumpster Diving

Q. Explain any 2 password attacks.


Ans:
Piggybacking:
● It is the simple process of following closely behind a person who has just used their
own access card or PIN to gain physical access to a room or building.
● An attacker can thus gain access to the facility without having to know the access
code or having to acquire an access card. i.e. Access of wireless internet connection
by bringing one's own computer within range of another wireless connection & using
that without explicit permission, it means when an authorized person allows
(intentionally or unintentionally) others to pass through a secure door.
● Piggybacking on Internet access is the practice of establishing a wireless Internet
connection by using another subscriber's wireless internet access service without the
subscriber's explicit permission or knowledge.
● It is the simple tactic of following closely behind a person who has just used their own
access card or PIN to gain physical access to a room or building.
● An attacker can thus gain access to the facility without having to know the access
code or having to acquire an access card.
● Piggybacking is sometimes referred to as "Wi-Fi squatting." The usual purpose of
piggybacking is simply to gain free network access rather than any malicious intent,
but it can slow down data transfer for legitimate users of the network.

Shoulder Surfing:
● Shoulder surfing is a similar procedure in which attackers position themselves in such
a way as-to be-able to observe the authorized user entering the correct access code or
data.
● Both of these attack techniques can be easily countered by using simple procedures to
ensure nobody follows you too closely or is in a position to observe your actions.
● Shoulder surfing is using direct observation techniques, such as looking over
someone's shoulder, to get information.
● Shoulder surfing is an effective way to get information in crowded places because it's
relatively easy to stand next to someone and watch as they fill out a form, enter a PIN
number at an ATM machine.
● Shoulder surfing can also be done long-distance with the idea of binoculars or other
vision-enhancing devices.

Dumpster diving:
● It is the process of going through a target's trash in order to find little bits of
information System attackers need a certain amount of information before launching
their attack.
● One common place to find this information, if the attacker is in the vicinity of the
target, is to go through the target's thrash in order to find little bits of information that
could be useful.
SAHIL K

● The process of going through the target's thrash is known as "dumpster diving".
● The search is carried out in waste paper, electronic waste such as old HDD, floppy
and CD media recycle and trash bins on the systems etc.
● If the attacker is lucky, the target has a poor security process; they may succeed in
finding user ID’s and passwords.
● If the password is changed and the old password is discarded, the lucky dumpster
driver may get a valuable clue.

Q. What is piggybacking? How can it be prevented?


Ans:
Piggybacking:
● It is the simple process of following closely behind a person who has just used their
own access card or PIN to gain physical access to a room or building.
● An attacker can thus gain access to the facility without having to know the access
code or having to acquire an access card. i.e. Access of wireless internet connection
by bringing one's own computer within range of another wireless connection & using
that without explicit permission, it means when an authorized person allows
(intentionally or unintentionally) others to pass through a secure door.
● Piggybacking on Internet access is the practice of establishing a wireless Internet
connection by using another subscriber's wireless internet access service without the
subscriber's explicit permission or knowledge.
● It is the simple tactic of following closely behind a person who has just used their own
access card or PIN to gain physical access to a room or building.
● An attacker can thus gain access to the facility without having to know the access
code or having to acquire an access card.
● Piggybacking is sometimes referred to as "Wi-Fi squatting." The usual purpose of
piggybacking is simply to gain free network access rather than any malicious intent,
but it can slow down data transfer for legitimate users of the network.

To prevent piggybacking:
● Piggybacking can be prevented by ensuring that encryption is enabled in the router by
using Wireless Encryption Protocol (WEP) or Wireless Protected Access (WPA) or
WPA2.
● Using a strong password for the encryption key, consisting of at least 14 characters
and mixing letters and numbers.

Q. What is shoulder surfing? How can it be prevented?


Ans:
● Shoulder surfing is a similar procedure in which attackers position themselves in
such a way as-to be-able to observe the authorized user entering the correct access
code or data.
● Both of these attack techniques can be easily countered by using simple procedures to
ensure nobody follows you too closely or is in a position to observe your actions.
SAHIL K

● Shoulder surfing is using direct observation techniques, such as looking over


someone's shoulder, to get information.
● Shoulder surfing is an effective way to get information in crowded places because it's
relatively easy to stand next to someone and watch as they fill out a form, enter a PIN
number at an ATM machine.
● Shoulder surfing can also be done long-distance with the idea of binoculars or other
vision-enhancing devices.

To prevent shoulder surfing:


Experts recommend that you shield paperwork or your keypad from view by using your body
or cupping your hand.

Q. What is dumpster diving? State preventative measures to avoid Dumpster diving.


Ans:
Dumpster diving:
● It is the process of going through a target's trash in order to find little bits of
information System attackers need a certain amount of information before launching
their attack.
● One common place to find this information, if the attacker is in the vicinity of the
target , is to go through the target's thrash in order to find little bits of information that
could be useful.
● The process of going through the target's thrash is known as "dumpster diving".
● The search is carried out in waste paper, electronic waste such as old HDD, floppy
and CD media recycle and trash bins on the systems etc.
● If the attacker is lucky, the target has a poor security process; they may succeed in
finding user ID"s and passwords.
● If the password is changed and the old password is discarded, the lucky dumpster
driver may get a valuable clue.

To prevent dumpster diving:


● To prevent dumpster divers from learning anything valuable from your trash, experts
recommend that your company should establish a disposal policy.
● Shred personal documents and credit card offers before throwing them away,and wipe
hard drives clean before you get rid of computers or smartphones.

Q. Describe Biometric security mechanism with suitable diagram.


Ans:
SAHIL K

● Biometric refers to the study of methods for uniquely recognizing humans based upon
one or more intrinsic physical or behavioral characteristics.
● Biometric identification is used on the basis of some unique physical attribute of the
user that positively identifies the user.
● Ex: fingerprint recognition, retina and face scan technic, voice synthesis and
recognition and so on.
● Physiology is related to the shape of the body.
● Ex: fingerprint, face recognition, DNA, palm print, iris recognition and so on.
● Behavior is related to the behavior of a person.
● Ex: typing rhythm, gait, signature and voice

1. Sensor
2. Preprocessing
3. Feature extractor
4. Template generator
5. Stored templates
6. Matcher
7. Application device
8. Enrollment

Step 1: During registration, the first time an individual uses a biometric system is called an
enrollment.

Step 2: During the enrollment, biometric information from an individual is stored.

Step 3: In the verification process, biometric information is detected and compared with the
information stored at the time of enrolment.

Step 4: The first block (sensor) is the interface between the real world and the system; it has
to acquire all the necessary data.

Step 5: The 2nd block performs all the necessary pre-processing.


SAHIL K

Step 6: The third block extracts necessary features. This step is an important step as the
correct features need to be extracted in the optimal way.

Step 7: If enrollment is being performed the template is simply stored somewhere (on a card
or within a database or both).

Step 8: If a matching phase is being performed the obtained template is passed to a matcher
that compares it with other existing templates, estimating the distance between them using
any algorithm.

Step 9: The matching program will analyze the template with the input. This will then be
output for any specified use or purpose.

List of various biometrics used for computer security:


● Fingerprint
● Handprint
● Iris Scan
● Face Recognition
● DNA Recognition
● Voice Pattern
● Signature Recognition
● Keystrokes

Q. Draw and explain Block Diagram of Biometric.


Ans:

● The block diagram illustrates the two basic modes of a biometric system.
● First, in verification (or authentication) mode the system performs a one-to-one
comparison of a captured biometric with a specific template stored in a biometric
database in order to verify the individual is the person they claim to be.
● Three steps are involved in the verification of a person.
SAHIL K

● In the first step, reference models for all the users are generated and stored in the
model database.
● In the second step, some samples are matched with reference models to generate the
genuine and impostor scores and calculate the threshold.
● In third step is the testing step. This process may use a smart card, username or ID
number (e.g. PIN) to indicate which template should be used for comparison.

● Second, in identification mode the system performs a one-to-many comparison


against a biometric database in attempt to establish the identity of an unknown
individual.
● The system will succeed in identifying the individual if the comparison of the
biometric sample to a template in the database falls within a previously set threshold.
● Identification mode can be used either for 'positive recognition' (so that the user does
not have to provide any information about the template to be used) or for 'negative
recognition' of the person" where the system establishes whether the person is who
she (implicitly or explicitly) denies to be".
● The latter function can only be achieved through biometrics since other methods of
personal recognition such as passwords, PINs or keys are ineffective.

● The first time an individual uses a biometric system is called enrollment. During the
enrollment, biometric information from an individual is captured and stored.
● In subsequent uses, biometric information is detected and compared with the
information stored at the time of enrollment.
● Note that it is crucial that storage and retrieval of such systems themselves be secure
if the biometric system is to be robust.

● The first block (sensor) is the interface between the real world and the system; it has
to acquire all the necessary data. Most of the times it is an image acquisition system,
but it can change according to the characteristics desired.
● The second block performs all the necessary pre-processing: it has to remove artifacts
from the sensor, to enhance the input (e.g. removing background noise), to use some
kind of normalization, etc.
● In the third block necessary features are extracted. This step is an important step as
the correct features need to be extracted in the optimal way.

● During the enrollment phase, the template is simply stored somewhere (on a card or
within a database or both).
● During the matching phase, the obtained template is passed to a matcher that
compares it with other existing templates, estimating the distance between them using
any algorithm (e.g. Hamming distance).
● The matching program will analyze the template with the input.
● Selection of biometrics in any practical application depending upon the characteristic
measurements and user requirements.
SAHIL K

Q. List any four biometric mechanisms.


Ans:
i) Fingerprint
ii) Handprint
iii) Iris Scan
iv) Face Recognition
v) DNA Recognition
vi) Voice Pattern
vii) Signature Recognition
viii) Keystrokes

Q. State any four advantages of Biometrics.


Ans:
● Scalable:
○ As your business develops and grows, it's important to have systems in place
that can scale with the growth of your business.
○ Biometric security systems are flexible and easily scalable.
○ Whether you want to secure more areas of your facility or just add more data
for additional employees, biometric security systems will grow alongside your
business for ease and security.

● Profitable:
○ The return on investment (ROI) on a biometric security system is very high.
○ For one, it's much more effective at avoiding fraud than most security systems,
protecting your business from potentially catastrophic breaches.

● Biometrics reduces administrative costs:


○ Modern biometric identification management systems consist of hardware and
software that are simple to install and easy to use.
○ This reduces the need for intense training and ongoing management costs.

● Identification accuracy:
○ Since every individual on the planet possesses unique physiological features
that can't be easily swapped, shared, or stolen, biometric identification has the
potential to accurately identify someone without a shadow of a doubt nearly
100% of the time.
○ Occasionally, the ability to accurately identify someone can be affected by
environmental, age, or skin integrity issues, but with a multimodal biometric
identification system you can eliminate those factors.
○ Multiple biometric attributes can identify someone with 100% certainty every
time you scan them.

● Difficult to forge:
○ Biometric attributes are almost impossible to forge or duplicate.
SAHIL K

○ Even if you manage to forge a biometric attribute such as a fingerprint,


modern biometric devices with liveness detection have the capability to
identify a fake from the original.

● Establishes accountability:
○ Implementation of a biometric identification solution creates a concrete
activity audit trail to help establish accountability.
○ Each and every action or transaction will be recorded and clearly documented
by the individual associated with it which reduces the possibility of system
misuse and fraud.

● Adds convenience:
○ Biometric technology makes individual identification convenient without the
need to carry around ID cards or remember complicated passwords.
○ Due to the fact that passwords can be forgotten or easily guessed and the fact
that ID cards can be damaged, swapped, or shared, biometrics are more
convenient because individual physiological attributes are always with you.

Q. Explain fingerprint pattern in biometric.


Ans:
Fingerprint:
● The fingerprints of the user are matched with the database and matching is carried out
using complex image processing algorithms.
● The user is authenticated, if a match of satisfactory level is obtained.
● The analysis of fingerprints for matching purposes generally requires the comparison
of several features of the print pattern.
● These include patterns, which are aggregate characteristics of ridges, and minutiae
points, which are unique features found within the patterns.
● It is also necessary to know the structure and properties of human skin in order to
successfully employ some of the imaging technologies.

Fingerprint patterns:
● The three basic patterns of fingerprint ridges are the arch, loop and whorl.
● An arch is a pattern where the ridges enter from one side of the finger, rise in the
center forming an arc, and then exit the other side of the finger.
● The loop is a pattern where the ridges enter from one side of a finger, form a curve,
and tend to exit from the same side they enter.
● In the whorl pattern, ridges form circularly around a central point on the finger.

Q. Explain retina patterns in biometrics.


Ans: Retina pattern:
● A retinal scan is very difficult to fake because no technology exists that allows the
forgery of a human retina, and the retina of a deceased person decays too fast to be
used to fraudulently bypass a retinal scan.
SAHIL K

● A retinal scan is a biometric technique that uses the unique patterns on a person's
retina to identify them.
● The human retina is a thin tissue composed of neural cells that is located in the
posterior portion of the eye.
● Because of the complex structure of the capillaries that supply the retina with blood,
each person's retina is unique.
● A biometric identifier known as a retinal scan is used to map the unique patterns of a
person's retina.
● The blood vessels within the retina absorb light more readily than the surrounding
tissue and are easily identified with appropriate lighting.
● A retinal scan is performed by casting an unperceived beam of low-energy infrared
light into a person's eye as they look through the scanner's eyepiece.
● This beam of light traces a standardized path on the retina.
● Because retinal blood vessels are more absorbent of this light than the rest of the eye,
the amount of reflection varies during the scan.
● The pattern of variations is converted to computer code and stored in a database.

Q. State any four drawbacks of Retina scan Biometrics.


Ans: Drawbacks of Retina Scan Biometrics:
● Very intrusive.
● Very expensive.
● Eye disease may pose a problem.
● Not friendly, may cause discomfort to the user.
● It has the stigma of consumer's thinking it is potentially harmful to the eye.
● It is obscured by eyelashes, lenses and reflections, which create a problem, more often
than not.
● Comparisons of template records can take upwards of 10 seconds,depending on the
size of the database.
● Iris is partially blocked by eyelids which are difficult to control by individuals due to
frequent blinking.

Q. Define access control.


Ans: Access Control:
● Access is the ability of a subject to interest with an object. Authentication deals with
verifying the identity of a subject.
● It is the ability to specify, control and limit the access to the host system or
application, which prevents unauthorized use to access or modify data or resources.

Q. Describe access control, availability, authentication, authorization related to physical


security.
Ans: Access Control:
● Access is the ability of a subject to interest with an object.Authentication deals with
verifying the identity of a subject.
SAHIL K

● It is the ability to specify, control and limit the access to the host system or
application, which prevents unauthorized use to access or modify data or resources.
● It can be represented using Access Control Matrix or List:

Process 1 Process 2 File 1 File 2 Printer

Process Read, Write, - Read Read Write


1 Execute

Process Execute Read, Write, Read Read, Write Write


2 Execute

Availability: The goal of availability s to ensure that the data, or the system itself, is available
for use when the authorized user wants it.

Authentication:
● Authentication helps to establish proof of identities.
● The Authentication process ensures that the origin of a message is correctly identified.
● For example, suppose that user C sends a message over the internet to user B.
However, the trouble is that user C had posed as user A when he sent a message to
user B. How would user B know that the message has come from user C, who is
posing as user A? This concept is shown in fig. below.

Authorization:
● Authorization is a security mechanism used to determine user/client privileges or
access levels related to system resources, including computer programs, files,
services, data and application features.
● Authorization is normally preceded by authentication for user identity verification.
● System administrators (SA) are typically assigned permission levels covering all
system and user resources.
● During authorization, a system verifies an authenticated user's access rules and either
grants or refuses resource access.

Q. Define the following terms:


i) Authorization
ii) Authentication
SAHIL K

Ans:
Authorization:
● In computing systems, authorization is the process of determining which permissions
a person or system is supposed to have.
● In multi-user computing systems, a system administrator defines which users are
allowed access to the system, as well as the privileges of use for which they are
eligible (e.g., access to file directories, hours of access, amount of allocated storage
space).
● Authorization can be seen as both the preliminary setting of permissions by a system
administrator, and the actual checking of the permission values when a user obtains
access.
● Authorization is usually preceded by authentication.

Authentication:
● Authentication is the process of determining whether someone or something is, in
fact, who or what it is declared to be.
● To access most technology services of Indiana University, you must provide such
proof of identity.
● In private and public computer networks (including the Internet), authentication is
commonly done through the use of login passwords or passphrases; knowledge of
such is assumed to guarantee that the user is authentic.
● Thus, when you are asked to "authenticate" to a system, it usually means that you
enter your username and/or password for that system.

Q. Explain the term Authorization and Authentication with respect to security.


Ans:
Authorization:
● It is a process of verifying that the known person has the authority to perform certain
operations.
● It cannot occur without authentication.
● It is nothing but granting permissions and rights to individuals so that he can use these
rights to access computer resources or information.

Authentication:
● Authentication is the process of determining the identity of a user or other entity.
● It is performed during logon process where the user has to submit his/her username
and password.
● There are three methods used in it.
○ Something you know User knows user id and password.
○ Something you have a Valid user has lock and key.
○ Something about your User’s unique identity like fingerprints, DNA etc.

Q. Explain access control policies.


Ans:
SAHIL K

Access control is to specify, control and limit the access to the host system or application,
which prevents unauthorized use to access or modify data or resources.

It can be represented using Access Control Matrix or List:

Process 1 Process 2 File 1 File 2 Printer

Process Read, Write, - Read Read Write


1 Execute

Process Execute Read, Write, Read Read, Write Write


2 Execute

Discretionary Access Control (DAC):


● Restricting access to objects based on the identity of subjects and or groups to which
they belong to, it is conditional, Basically used by the military to control access to the
system.
● UNIX based System is a common method to permit users to read/write and execute.

Mandatory Access Control (MAC):


● It is used in environments where different levels of security are classified.
● It is much more restrictive. It is sensitivity based restriction, formal authorization
subject to sensitivity.
● In MAC the owner or User cannot determine whether access is granted to or not. i.e.
Operating system rights.
● Security mechanism controls access to all objects and individuals cannot change that
access.

Role Based Access Control (RBAC):


● Each user can be assigned specific access permission for objects associated with
computers or networks.
● Set of roles in turn assigns access permissions which are necessary to perform the
role.
● Different Users will be granted different permissions to do specific duties as per their
classification.

Q. State the features of:


i) DAC
ii) MAC
Ans:
i) DAC:
SAHIL K

1. Owner-based Control: DAC allows owners of resources (files, folders, etc.) to have
discretion over access permissions. The owner can decide who has access to the resource and
what actions they can perform.

2. Access Control Lists (ACLs): DAC is often implemented using Access Control Lists
(ACLs), which are lists associated with resources specifying the permissions granted to
individual users or groups.

3. User-Defined Permissions: DAC enables resource owners to define specific access


permissions for other users or groups. Common permissions include read, write, execute,
delete, and others.

4. User Identity Basis: Access decisions are made based on the identity of the user making
the access request. Each user may have a different set of permissions for a particular resource.

5. Dynamic Permission Changes: Resource owners can dynamically change access


permissions as needed, providing flexibility in adapting to evolving security requirements or
changes in user roles.

6. Commonly Used in File Systems: DAC is commonly applied to file systems in operating
systems, where owners of files or directories can control who can access, modify, or delete
their resources.

7. Inherent Limitations: DAC relies on the integrity of user accounts. If a user's credentials
are compromised, the associated permissions can be exploited, making it susceptible to
abuse.

8. Ease of Implementation and Management: DAC is generally easier to implement and


manage than more complex access control models, making it suitable for scenarios where a
straightforward permission management approach is sufficient.

9. Decentralized Control: Decisions regarding access permissions are decentralized,


residing with the owner of the resource rather than being centrally managed by an external
authority.

10. Common in Personal Computing Environments: DAC is often found in personal


computing environments where individual users have control over their own files and
directories.

11. Granularity: DAC allows for granular control over access, enabling owners to specify
different permissions for different users or groups on the same resource.

ii) MAC:
SAHIL K

1. Policy-based Control:
● MAC relies on security policies defined by a central authority to control access.
● Access decisions in MAC are based on predefined policies rather than the discretion
of individual resource owners.

2. Security Labels:
● MAC uses security labels to categorize and control access to resources.
● Each resource (object) and user (subject) is assigned a security label, and access is
granted or denied based on the comparison of these labels according to the security
policy.

3. Formal Security Policies:


● MAC enforces formal, system-wide security policies.
● The security policies are usually well-defined, consistently applied, and enforced
throughout the entire system, providing a high level of control.

4. Least Privilege Principle:


● MAC adheres strictly to the principle of least privilege.
● Users and processes are granted only the minimum level of access necessary for their
specific roles, reducing the potential for unauthorized actions.

5. Centralized Administration:
● MAC is centrally administered by a designated authority.
● Unlike DAC, access control decisions are not decentralized; they are managed by a
central administrator or security policy manager.

6. Compartmentalization:
● MAC often includes compartmentalization to separate sensitive information.
● Different compartments or security domains are established, and access between them
is tightly controlled to prevent unauthorized data flow.

7. Strong Security Assurance:


● MAC provides a high level of assurance in maintaining security.
● Due to its centralized control and strict adherence to policies, MAC is commonly
employed in environments where a strong emphasis on security is critical.

8. Limited Flexibility:
● MAC may have less flexibility compared to DAC.
● While providing robust security, MAC systems may be less adaptable to changes or
dynamic environments due to the rigid enforcement of security policies.

9. User Identity Irrelevant:


● Access decisions are not solely based on the identity of the user.
SAHIL K

● Instead, access decisions are based on the security labels associated with the subjects
and objects, reducing the reliance on user identities.

10. Common in High-Security Environments:


● MAC is commonly used in high-security environments such as government, military,
or critical infrastructure.
● Its strict control and strong security measures make it suitable for protecting sensitive
information in these contexts.

Q. Difference between MAC, DAC and RBAC.


Ans:
Parameter MAC DAC RBAC

Control System Enforced Owner/User Controlled Role Based


Type

Flexibility Less Flexible More Flexible Moderate Flexible

Access Determined by Determined by Determined by roles and


Rules security policies owner/user permissions

Management Requires Owners / Users manage Administrators manage


administrative permissions roles
oversight

Scalability Less scalable for Scalable for smaller Scalable for various
large systems systems system sizes

Example Military systems Personal computer file Enterprise network


permissions access control

UNIT 3 - Cryptography

Q. Explain the terms:


(i) Plain text
(ii) Cipher text
(iii) Cryptography
(iv) Cryptanalysis
(v) Cryptology
Ans:
(i) Plain text: Plain text or clear text significance that can be understood by sender, the
recipient & also by anyone else who gets an access to that message.
SAHIL K

(ii) Cipher text: It is an encrypted text. When plain text is converted using encryption, this
encrypted text is called ciphertext.

(iii) Cryptography: Cryptography is the art & science of achieving security by encoding
messages to make them non-readable.

(iv) Cryptanalysis: Cryptanalysis is the technique of decoding messages from a non-readable


format without knowing how they were initially converted from readable format to
non-readable format.

(v) Cryptology: It is the art and science of transforming the intelligent data into unintelligent
data and unintelligent data back to intelligent data.
Cryptography + Cryptanalysis = Cryptology

Q. Explain application of cryptography.


Ans:
Application of cryptography:

i) Data Hiding: The original use of cryptography is to hide something that has been written.

ii) Digitally Code: Cryptography can also can be applied to software, graphics or voice that
is, it can be applied to anything that can be digitally coded.

iii) Electronic payment: When electronic payments are sent through a network, the biggest
risk is that the payment message will alter or bogus messages introduced and the risk that
someone reads the messages may be minor significance.

iv) Message Authentication: One cannot entirely prevent someone from tampering with the
network and changing the message, but if this happens it can certainly be detected. This
process of checking the integrity of the transmitted message is often called message
authentication. The most recent and useful development in the uses of cryptography is the
digital signature.

Q. Explain encryption and decryption with reference to computer security.


Ans:
Encryption: The process of encoding plain text into a cipher text message is known as
Encryption.

Decryption: The reverse process of transforming ciphertext messages back to plain text
messages is called decryption.
SAHIL K

Encryption and Decryption process:


● In the communication, the computer at the sender's end usually transforms a plain text
into cipher text by performing encryption by applying an encryption algorithm.
● The encrypted cipher text is then sent to the receiver over the network.
● The receiver’s computer then takes the encrypted message and then performs the
reverse of encryption i.e. decryption by applying a decryption algorithm.

Q. Explain Caesar's cipher substitution technique with an example.


Ans:
Caesar Cipher
● It is a mono-alphabetic cipher wherein each letter of the plaintext is substituted by
another letter to form the cipher text.
● It is the simplest form of substitution cipher scheme.
● This cryptosystem is generally referred to as the Shift Cipher.
● The concept is to replace each alphabet by another alphabet which is 'shifted' by some
fixed number between 0 and 25.
● For this type of scheme, both sender and receiver agree on a secret shift number for
shifting the alphabet.
● This number which is between 0 and 25 becomes the key of encryption.
● The name 'Caesar Cipher' is occasionally used to describe the Shift Cipher when the
'shift of three' is used.

Process of Shift Cipher:


● In order to encrypt a plaintext letter, the sender positions the sliding ruler underneath
the first set of plaintext letters and slides it to LEFT by the number of positions of the
secret shift.
SAHIL K

● The plaintext letter is then encrypted to the ciphertext letter on the sliding ruler
underneath. The result of this process is depicted in the following illustration for an
agreed shift of three positions. In this case, the plaintext 'tutorial' is encrypted to the
ciphertext 'WXWRULDO'. Here is the ciphertext alphabet for a Shift of 3 -

Plain text a b c d e f g h i j k l m n o p q r s t u v w x y z
Alphabet

Cipher d e f g h i j k l m n o p q r s t u v wx y z a b c
text
alphabet

● On receiving the cipher text, the receiver who also knows the secret shift, positions
his sliding ruler underneath the ciphertext alphabet and slides it to RIGHT by the
agreed shift number, 3 in this case.

● He then replaces the cipher text letter by the plaintext letter on the sliding ruler
underneath. Hence the ciphertext 'WXWRULDO' is decrypted to 'tutorial'. To decrypt
a message encoded with a Shift of 3, generate the plaintext alphabet using a shift of
‘-3’ as shown below-

Plain text ABC D E F G H I J K L M N O P Q R S T U V W X Y Z


Alphabet

Cipher x y z a b c d e f g h i j k l m n o p q r s t u v w
text
alphabet

Security Value: Caesar Cipher is not a secure cryptosystem because there are only 26
possible keys to try out. An attacker can carry out an exhaustive key search with available
limited computing resources

For example, here's the Caesar Cipher encryption of a full message, using a left shift of 3.
Plaintext: THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG
Cipher text: QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD

Q. Consider plain text “CERTIFICATE” and convert it into cipher text using Caesar
Cipher with a shift of position of 4. Write steps for encryption.
Ans:
Plaintext C E R T I F I C A T E
Alphabet

Cipherte G I V X M R M W M R K
SAHIL K

xt
Alphabet

Ciphertext: GIVXRMWMRK

● In order to encrypt a plaintext letter, the sender positions the sliding ruler underneath
the first set of plaintext letters and slides it to LEFT by the number of positions of the
secret shift.

● The plaintext letter is then encrypted to the ciphertext letter on the sliding ruler
underneath. The result of this process is depicted in the above illustration for an
agreed shift of four positions.

Q. Consider plain text “INFORMATION” and convert given plaintext into ciphertext
using ‘Caesar Cipher’ with shift of position three-write down steps in encryption.
Ans:
Plaintext: INFORMATION
Key: 3 Shift
A translation chart for the given plain text is as follows:

Plain text a b c d e f g h i j k l m n o p q r s t u v w x y z
Alphabet

Cipher d e f g h i j k l m n o p q r s t u v wx y z a b c
text
alphabet

Using the chart, we can encrypt the given plaintext:


@a@@@
Plaintext I N F O R M A T I O N
Alphabet

Cipherte L Q I R U P D W L R Q
xt
Alphabet

Plain text: INFORMATION


Convert each alphabet in the plain text, using the table, the cipher text can be written as
Cipher text: LQIRUPDWLRQ

Q. Consider plaintext “gov polytechnic” and convert given plaintext into ciphertext
using algorithm and key “play fair example”.
Ans:
SAHIL K

Insert key into 5×5 Matrix:

P L A Y F

I R E X M

B C D G H

K N O Q S

T U V W Z

Plaintext => GOV POLYTECHNIC


Break plaintext into pair of two: GO VP OL YT EC HN IC
Ciphertext => DQ TA NA PW RD CS RB

Q. Explain transposition technique. Convert plain text to Cipher text using Rail Fence
technique "COMPUTER ENGINEERING".
Ans: Transposition Technique:
● Transposition systems are fundamentally different from substitution systems.
● In substitution systems, plaintext values are replaced with other values.
● In transposition systems, plaintext values are rearranged without otherwise changing
them.
● All the plaintext characters that were present before encipherment are still present
after encipherment.
● Only the order of the text changes.
● Most transposition systems rearrange text by single letters.
● It is possible to rearrange complete words or groups of letters rather than single
letters, but these approaches are not very secure and have little practical value.
● Larger groups than single letters preserve too much recognizable plaintext.
● Some transposition systems go through a single transposition process.
○ These are called single transpositions.
○ Others go through two distinctly separate transposition processes. These are
called double transpositions.

● Most transposition systems use a geometric process. Plaintext is written into a


geometric figure, most commonly a rectangle or square, and extracted from the
geometric figure by a different path than the way it was entered.
○ When the geometric figure is a rectangle or square, and the plaintext is entered
by rows and extracted by columns, it is called columnar transposition.
○ When some route other than rows and columns is used, it is called route
transposition.

Rail Fence Technique:


● It is one of the easiest transposition techniques to create cipher text.
SAHIL K

● When a plain text message is codified using any suitable scheme, the resulting
message is called Ciphertext or Cipher.

Steps are:

Plain text = COMPUTER ENGINEERING


Step 1: Write down Plain text as a sequence of diagonals.

Read Plain text written in Step 1 as a sequence of rows. As,

C M U E E G N E I G

O P T R N I E R N

Then concatenate these two sequences of text as one to create following


Cipher Text: CMUEEGNEIGOPTRNIERN

Q. Consider plain text "Network Security", encrypt it with help of Rail Fence
technique, also write the algorithm.
Ans: Rail Fence Technique: It is one of the easiest transposition techniques to create cipher
text. When a plain text message is codified using any suitable scheme, the resulting message
is called Ciphertext or Cipher.

Steps are:

Plain text = NETWORK SECURITY


Step 1: Write down Plain text as a sequence of diagonal.
Read Plain text written in Step 1 as a sequence of rows. As,

N T O K E U I Y

E W R S C R T

Then concatenate these two sequences of text as one to create following


Cipher Text: NTOKEUIYEWRSCRT

Steps for rail-fence cipher are as follow:


1. Write down the plain text message as a sequence of diagonals.
2. Read the plain text written in step 1, row wise.
3. Let's see an example of a rail-fence cipher. Suppose plain text is NETWORK
SECURITY if we perform rail-fence cipher operation on this text it will be coded as
NTOKEUIYEWRSCRT.
SAHIL K

4. It involves writing plain text in a diagonal sequence and then reading it row by row to
produce ciphertext.

Q. Explain simple columnar transposition technique with algorithm and example.


Ans:
● The columnar transposition cipher is a transposition cipher that follows a simple rule
for mixing up the characters in the plaintext to form the cipher-text.
● It can be combined with other ciphers, such as a substitution cipher, the combination
of which can be more difficult to break than either cipher on its own.
● The cipher uses a columnar transposition to greatly improve its security.

Algorithm:
1. The message is written out in rows of a fixed length.
2. Read out again column by column according to given order or in random order.
3. According to the order, write cipher text.

Example:
The key for the columnar transposition cipher is a keyword e.g. ORANGE. The row length
that is used is the same as the length of the keyword.
To encrypt a below plaintext COMPUTER PROGRAMMING

O R A N G E

C O M P U T

E R P R O G

R A M M I N

G L E X X M

In the above example, the plaintext has been padded so that it neatly fits in a rectangle. This
is known as a regular columnar transposition. An irregular columnar transposition leaves
these characters blank, though this makes decryption slightly more difficult. The columns are
now reordered such that the letters in the key word are ordered alphabetically.

5 6 1 4 3 2

O R A N G E

C O M P U T

E R P R O G

R A M M I N
SAHIL K

G L E X X M

The Encrypted text or Cipher text is: MPMET GNMUO IXPRM XCERG ORAL (Written in
blocks of Five)

Q. Convert plain text into cipher text by using simple columnar technique of the
following sentence: 'ALL IS WELL FOR YOUR EXAM'.
Ans:
● The columnar transposition cipher is a transposition cipher that follows a simple rule
for Mixing up the characters in the plaintext to form the cipher-text.
● It can be combined with other ciphers, such as a substitution cipher, the combination
of which can be more difficult to break than either cipher on its own.
● The cipher uses a columnar transposition to greatly improve its security.

Algorithm:
1. The message is written out in rows of a fixed length.
2. Read out again column by column according to given order or in random order.
3. According to the order , write cipher text.

Example:
The key for the columnar transposition cipher is a keyword e.g. MANGO
The row length that is used is the same as the length of the keyword.
To encrypt a below plaintext: ALL IS WELL FOR YOUR EXAM

3 1 4 2 5

M A N G O

A L L I S

W E L L F

O R Y O U

R E X A M

Cipher text is:


LEREILOAAWORLLYXSFUM

Q. Convert the given plain text into cipher text using simple columnar technique using
the following data:
● Plain text: NETWORK SECURITY
● Number of columns: 6
● Encryption Key: 632514
SAHIL K

Ans:

6 3 2 5 1 4

N E T W O R

K S E C U R

I T Y

=> Ciphertext: OU TEY EST RR WC NKI

Q. Difference between substitution cipher and transposition cipher.


Ans:
Substitution Cipher Transposition Cipher

i) Simple letter substitution. i) Letter substitution along with permutation.

ii) Guessing the key is easy. ii) Bit difficult to find a key.

iii) Less secure. iii) More secure.

iv) Ex: Caesar Cipher. iv) Ex: Rail Fence Technique / Columnar
Technique

Q. Explain the term steganography with an example.


Ans:
● Steganography is the art and science of writing hidden message in such a way that no
one, apart from the sender and intended recipient, suspects the existence of the
message.
● Steganography works by replacing bits of useless or unused data in regular computer
files (such as graphics, sound, text, html or even floppy disks) with bits of different,
invisible information.
● This hidden information can be plain text, cipher text or even images. In modern
steganography, data is first encrypted by the usual means and then inserted, using a
special algorithm, into redundant data that is part of a particular file format such as a
JPEG image.

Steganography process : Cover-media + Hidden data + Stego-key =


Stego-medium

● Cover media is the file in which we will hide the hidden data, which may also be
encrypted using stego-key.
● The resultant file is stego-medium.
SAHIL K

● Cover-media can be image or audio file. Stenography takes cryptography a step


further by hiding an encrypted message so that no one suspects it exists.
● Ideally, anyone scanning your data will fail to know it contains encrypted data.
Stenography has a number of drawbacks when compared to encryption.
● It requires a lot of overhead to hide a relatively few bits of information. i.e. One can
hide text, data, image, sound, and video, behind an image.

Q. Write a short note on steganography.


Ans:
● Steganography is the art and science of writing hidden message in such a way that no
one, apart from the sender and intended recipient, suspects the existence of the
message.
● Steganography works by replacing bits of useless or unused data in regular computer
files (such as graphics, sound, text, html or even floppy disks) with bits of different,
invisible information.
● This hidden information can be plain text, cipher text or even images.
● In modern steganography, data is first encrypted by the usual means and then inserted,
using a special algorithm, into redundant data that is part of a particular file format
such as a JPEG image.

Steganography process : Cover-media + Hidden data + Stego-key =


Stego-medium

● Cover media is the file in which we will hide the hidden data, which may also be
encrypted using stego-key.
● The resultant file is stego- medium. Cover-media can be image or audio file.

Advantages:
1. With the help of steganography we can hide secret messages within graphics images.
SAHIL K

2. In modern Steganography, data is encrypted first and then inserted using a special
algorithm so that no one suspects its existence.

Drawbacks:
1. It requires a lot of overhead to hide a relatively few bits of information.
2. Once the system is discovered, it becomes virtually worthless.

Q. What are applications of steganography?


Ans:
1. Confidential communication and secret data storing
2. Protection of data alteration
3. Access control system for digital content distribution
4. Media Database systems

Q. Describe symmetric and asymmetric key cryptography.


Ans:
Symmetric-Key Cryptography:
● Symmetric-key cryptography uses a single key for both encryption and decryption.
● Encryption and decryption algorithms are inverse of each other.
● Example: To create the cipher text from the plain text John uses an encryption
algorithm and a key. To create the plaintext from ciphertext, Bob uses the decryption
algorithm and the same key.

Asymmetric-Key cryptography:
● It is also called public key cryptography.
● In public key cryptography two keys: a private key and a public key is used.
● Encryption is done through the public key and decryption through private key.
● Receiver creates both the keys and is responsible for distributing its public key to the
communication community.
● Example: The sender (say John) uses the public key to encrypt the plain text into
cipher text and the receiver (say Bob) uses his private key to decrypt the cipher text.

Q. Difference between symmetric and asymmetric key cryptography.


Ans:
Category Symmetric Key Cryptography Asymmetric Key Cryptography

Key used for Same key is used for encryption Different keys for encryption &
encryption & decryption. decryption.
/decryption

Key process Ke=Kd Ke#Kd

Speed of Very fast Slow


Encryption /
Decryption
SAHIL K

Size of resulting Usually same as or less than the More than the original clear text
encrypted text original clear text size. size.

Key agreement / A big problem No problem at all.


exchange

Usage Mainly used for encryption and Can be used for both encryption /
decryption, can't be used for decryption and digital signature.
digital signature.

Efficiency in usage It is often used for long messages. It is more efficient for short
messages.

Q. Explain DES algorithm. Explain each step in detail with the help of a diagram.
Ans:
● The Data Encryption Standard is generally used in the ECB, CBC, or the CFB mode.
DES is a block cipher.
● It encrypts data in blocks of size 64 bits each.
● That is, 64 bits of plain text goes as the input to DES, which produces 64 bits of
ciphertext.
● DES is based on the two fundamental attributes of cryptography: substitution and
transposition.
● The process diagram as follows:

Initial Permutation (IP):


SAHIL K

● It happens only once. It replaces the first bit of the original plain text block with the
58th bit of the original plain text block, the second bit with the 50th bit of original plain
text block and so on.
● The resulting 64-bits permuted text block is divided into two half blocks.
● Each half block consists of 32 bits.
● The left block is called LPT and the right block is called RPT.
● 16 rounds are performed on these two blocks.
● Details of one round in DES.

Step 1: Key Transformation:


● The initial key is transformed into a 56-bit key by discarding every 8th bit of initial
key.
● Thus, for each round, a 56 bit key is available, from this 56-bit key, a different 48-bit
sub key is generated during each round using a process called key transformation.

Expansion Permutation
Key Transformation
S-box substitution
XOR and swap
P-box Permutation

Step 2: Expansion Permutation:


● During Expansion permutation the RPT is expanded from 32 bits to 48 bits.
● The 32-bit RPT is divided into 8 blocks, with each block consisting of 4-bits.
● Each 4-bits block of the previous step is then expanded to a corresponding 6-bit
block; per 4-bit block, 2 more bits are added.
● They are the repeated 1st and 4th bits of the 4-bit block.
● The 2nd and 3rd bits are written as they were in the input.
● The 48 bit key is XORed with the 48-bit RPT and the resulting output is given to the
next step.
SAHIL K

Step 3: S-box Substitution:


● It accepts the 48-bits input from the XOR operation involving the compressed key and
expanded RPT and produces 32-bit output using the substitution techniques.
● Each of the 8 S-boxes has a 6-bit input and a 4-bit output.
● The output of each S-box is then combined to form a 32-bit block, which is given to
the last stage of a round.

Step 4: P-box Permutation:


● The output of S-box consists of 32-bits.
● These 32-bits are permuted using P-box.

Step 5: XOR and Swap:


● The LPT of the initial 64-bits plain text block is XORed with the output produced by
P box-permutation.
● It produces new RPT. The old RPT becomes the new LPT, in a process of swapping.
SAHIL K

Step 6 Final Permutation:


● At the end of 16 rounds, the final permutation is performed.
● This is a simple transposition.
● Ex: The 40th input bit takes the position of the 1st output bit and so on.

Q. Find the output of the initial permutation box when the input is given in hexadecimal
as: 0x0002 0000 0000 0001
Ans:
0x0002 0000 0000 0001
=> 0000000000000010 0000000000000000 0000000000000000 0000000000000001
The input has only two 1s (bit 15 and bit 64); the output must also have only two 1s (the
nature of straight permutation). Bit 15 in the input becomes bit 63 in the output. Bit 64 in the
input becomes bit 25 in the output. So the output has only two 1s, bit 25 and bit 63.

The result in hexadecimal is 0x0000 0080 0000 0002

Q. Describe Digital Signature mechanism with a neat diagram.


Ans:
● A digital signature or digital signature scheme is a mathematical scheme for
demonstrating the authenticity of a digital message or document.
● A valid digital signature gives a recipient reason to believe that the message was
created by a known sender, and that it was not altered in transit.
● Digital signatures are commonly used for software distribution, financial
transactions,and in other cases where it is important to detect forgery or tampering.
SAHIL K

● A digital signature scheme typically consists of three algorithms


● A key generation algorithm that selects a private key uniformly at random from a set
of possible private keys. The algorithm outputs the private key and a corresponding
public key.
● A signing algorithm that, given a message and a private key, produces a signature.
● A signature verifying algorithm that, given a message, public key and a signature,
either accepts or rejects the message's claim to authenticity.

Digital Signature:
1. A digital signature performs the same function as its physical counterpart, the sender
"marks" the message so that the recipients can verify that the message really came
from the sender.

2. The process of digitally signing a message starts with the creation of a unique identity
for the message. The unique identifier can be created using a mathematical technique
called Hashing.

3. A hash function uses a mathematical algorithm to convert the message into a short
fixed-length of bits, often referred to as a "hash value" or "message digest" that
uniquely represents the message used to create it.

4. The hash value is specific to the contents of the message. Thus any change to the
message contents will change the hash value that would be generated by the hash
function.

5. Next, the hash value is encrypted using the sender's private key. Finally, the message
is sent along with the encrypted hash value.

6. On receiving the message and the encrypted hash value, the recipient can only decrypt
the hash value using the sender's public key.

7. This confirms that the message came from the sender and no one else, as long as the
sender's private key remains secure. The message can be rehashed and compared with
the decrypted hash value-if the values do not match, then the message has been
altered since it was the same.

UNIT 4 - Firewall and Intrusion Detection System

Q. Explain the need for a firewall and explain one of the types of firewall with a
diagram.
Ans:
SAHIL K

Need for Firewall:


1. A firewall works as a barrier, or a shield, between your PC and cyberspace.
2. When you are connected to the Internet, you are constantly sending and receiving!
information in small units called packets.
3. The firewall filters these packets to see if they meet certain criteria set by a series of
rules, and thereafter blocks or allows the data
4. This way, hackers cannot get inside and steal information such as bank account
numbers and passwords from you.

Capabilities:
● To achieve this all access to the local network must first be physically blocked and
access only via the firewall should be permitted.
● As per local security policy traffic should be permitted.
● The firewall itself must be strong enough so as to render attacks on it useless.

Types of Firewalls:
i) Packet Filter Firewall
ii) Circuit Level Gateway Firewall
iii) Application Gateway Firewall
iv) Stateful Multilayer Inspection Firewall
v) Software Firewall
vi) Hardware Firewall
vii) Hybrid Firewall

1. Packet Filter Firewall:


● A packet filtering router firewall applies a set of rules to each packet and based on
outcome, decides to either forward or discard the packet.
● Such a firewall implementation involves a router, which is configured to filter packets
going in either direction i.e. from the local network to the outside world and vice
versa Packet filter performs the following functions.

a. Receive each packet as it arrives.


b. Pass the packet through a set of rules, based on the contents of the IP and transport
header fields of the packet. If there is a match with one of the set rule, decide whether
to accept or discard the packet based on that rule.
c. If there is no match with any rule, take the default action. It can discard all packets or
accept all packets.

Advantages: Simplicity, transparency to the users, high speed.


Disadvantages: Difficult to set up packet filtering rules, lack of authentication.
SAHIL K

OR

2. Circuit level gateway Firewalls:


● The circuit level gateway firewalls work at the session layer of the OSI model.
● They monitor TCP handshaking between the packets to determine if a requested
session is legitimate, and the information passed through a circuit level gateway to the
internet appears to have come from the circuit level gateway.
● So, there is no way for a remote Computer or a host to determine the internal private
ip addresses of an organization, for example.
● This technique is also called Network Address Translation where the private IP
addresses originating from the different clients inside the network are all mapped to
the public IP Address available through the internet service provider and then sent to
the outside world (Internet).
● This way, the packets are tagged with only the Public IP address (Firewall level) and
the internal private IP addresses are not exposed to potential intruders.
SAHIL K

OR

3. Application level gateway Firewalls:


● Application level firewalls decide whether to drop a packet or send them through
based on the application information (available in the packet).
● They do this by setting up various proxies on a single firewall for different
applications.
● Both the client and the server connect to these proxies instead of connecting directly
to each other.
● So, any suspicious data or connections are dropped by these proxies.
● Application level firewalls ensure protocol conformance.
● For example, attacks over http that violates the protocol policies like sending
Non-ASCII data in the header fields or overly long string along with Non-ASCII
characters in the host field would be dropped because they have been tampered with,
by the intruder.
SAHIL K

OR

4. Stateful Multilayer Inspection Firewall:


● Stateful (dynamic) packet filters understand requests and replies.
● For example, they would know about the (SYN, SYN-ACK, ACK) pattern of a TCP
open sequence.
● Rules are usually only specified for the first packet in one direction, and a new rule is
created dynamically after the first outbound packet.
● Further packets in the communication are then processed automatically.
● Stateful firewalls can support policies for a wider range of protocols than simple
packet filter, e.g. FTP, IRC, or H323.
SAHIL K

Q. Explain packet filter with diagram.


Ans:
Packet Filtering Firewall:
● A firewall works as a barrier, or a shield, between your PC and cyberspace.
● When you are connected to the Internet, you are constantly sending and receiving
information in small units called packets.
● The firewall filters these packets to see if they meet certain criteria set by a series of
rules, and thereafter blocks or allows the data.
● This way, hackers cannot get inside and steal information such as bank account
numbers and passwords from you.

OR
SAHIL K

Working:
1. A packet filtering router firewall applies a set of rules to each packet and based on
outcome, decides to either forward or discard the packet. Such a firewall
implementation involves a router, which is configured to filter packets going in either
direction i.e. from the local network to the outside world and vice versa.
2. A packet filter performs the following functions.
a. Receive each packet as it arrives.
b. Pass the packet through a set of rules, based on the contents of the IP and
transport header fields of the packet. If there is a match with one of the set
rules, decide whether to accept or discard the packet based on that rule.
c. If there is no match with any rule, take the default action. It can be discard all
packets or accept all packets.

Advantages: Simplicity, transparency to the users, high speed


Disadvantages: Difficult to set up packet filtering rules, lack of authentication.

Q. Explain Application Gateway Firewall.


Ans: Application level gateway Firewalls:
● Application level firewalls decide whether to drop a packet or send them through
based on the application information (available in the packet).
● They do this by setting up various proxies on a single firewall for different
applications.
● Both the client and the server connect to these proxies instead of connecting directly
to each other.
● So, any suspicious data or connections are dropped by these proxies.
● Application level firewalls ensure protocol conformance.
● For example, attacks over http that violate the protocol policies like sending
Non-ASCII data in the header fields or overly long strings along with Non-ASCII
characters in the host field would be dropped because they have been tampered with,
by the intruder.
SAHIL K

OR

Q. Explain proxy server and application level gateway.


Ans: Proxy server is an intermediary server between client and the internet.
Proxy servers offers the following basic functionalities:
● Firewall and network data filtering.
● Network connection sharing
● Data caching

Purpose of Proxy Servers, following are the reasons to use proxy servers:
● Monitoring and Filtering
● Improving performance
● Translation
● Accessing services anonymously
● Security

1. Monitoring and Filtering


SAHIL K

● Proxy servers allow us to do several kind of filtering such as content filtering.

2. Filtering encrypted data


● Bypass filters
● Logging and eavesdropping
● Improving performance
● It fastens the service by process of retrieving content from the cache which was saved
when previous request was made by the client.

3. Translation
● It helps to customize the source site for local users by excluding source content or
substituting
● Source content with original local content.
● In this the traffic from the global users is routed to the Source website through
Translation proxy.

4. Accessing services anonymously


● In this the destination server receives the request from the anonymizing proxy server
and thus does not receive information about the end user

5. Security
● Since the proxy server hides the identity of the user hence it protects from spam and
the hacker attacks.

Application level Gateway:

● A firewall that filters information at the application level blocks all IP traffic between
the private network and the Internet.
● No IP packets from the clients or servers of the private network are allowed to enter
or leave the Internet.

● Instead, this type of firewall operates according to what is referred to as the proxy
principle.
● This means that internal clients set up connections to the firewall and communicate
with a proxy server.
SAHIL K

● If the firewall decides that the internal client should be allowed to communicate, it
sets up a connection with the external server and performs the operation on behalf of
the client. This method solves many of the security problems associated with IP.

● Each proxy server uses a particular application protocol, such as http-proxy or


ftp-proxy.
● The proxy firewall uses a combination of different proxy servers which allows many
different applications to be handled.

● In addition to providing the best security, the proxy firewall can be used to fetch and
store information from the Internet in a cache memory.
● The proxy firewall can achieve short response and download times because it
"understands" the application programs and can see which URLs are most in demand.

● Like a circuit level gateway, an application level gateway intercepts incoming and
outgoing packets, acts as a proxy for applications, providing information exchange
across the gateway.
● It also functions as a proxy server, preventing any direct connection between a trusted
server or client and an untrusted host.

● The proxies that an application level gateway runs often differ in two important ways
from the circuit level gateway:
○ The proxies are application specific
○ The proxies examine the entire packet and can filter packets at the application
layer of the OSI model.

OR
SAHIL K

● Unlike the circuit gateway, the application level gateway accepts only packets
generated by services. They are designed to copy, forward and filter.
● For example, only an HTTP proxy can copy, forward and filter HTTP traffic.
● If a network relies only on an application level gateway, incoming and outgoing
packets cannot access services for which there is no proxy.
● For example, if an application level gateway ran ITP and HTTP proxies, only packets
generated by these services could pass through the firewall.
● All other services would be blocked.

● The application level gateway runs proxies that examine and filter individual packets,
rather than simply copying them and recklessly forwarding them across the gateway.
● Application specific proxies check each packet that passes through the gateway,
verifying the contents of the packet up through the application layer (layer 7) of the
OSI model.
● These proxies can filter on particular information or specific individual commands in
the application protocols the proxies are designed to copy, forward and As an
example, an application level proxy is able to block FTP put commands while
permitting FTP get commands.

● Current technology application level gateways are often referred to as strong


application proxies.
● A strong application proxy extends the level of security afforded by the application
level gateway.
● Instead of copying the entire datagram on behalf of the user, a strong application
proxy actually creates a brand new empty datagram inside the firewall.
● Only those commands and data found acceptable to the strong application proxy are
copied from the original datagram outside the firewall to the new datagram inside the
firewall.
● Then, and only then, is this new datagram forwarded to the protected server behind
the firewall.
● By employing this methodology the strong application proxy can mitigate the risk of
an entire class of covert channel attacks.
SAHIL K

● An application level gateway fitters information at a higher OSI layer than the
common static or dynamic packet filter, and most automatically create any necessary
packet filtering rules, usually making them easier to configure then traditional packet
filters.

Advantages:
● Better logging handling of traffic (because all data between the client and the server is
routed through the application proxy it is able to both control the session and provide
detailed logging; This ability to log and control all incoming and outgoing traffic is
one of the main advantages of application level gateway
● State aware of services (FTP, XII, etc.)
● Packet air gap like architecture, i.e. breaks direct connection to server behind firewall
eliminating the risk of an entire class of covert channel attacks
● Strong application proxy that inspects protocol header lengths can eliminate an entire
class of buffer overrun attacks
● Highest level of security.

Disadvantages:
● A poor implementation that relies on the underlying as Inetd daemon will suffer from
a severe limitation to the number of allowed connections in today's demanding high
simultaneous session environment.
● Complex setup of application firewall needs more and detailed attentions to the
applications that use the gateway.

Q. Explain Circuit Gateway Firewall.


Ans: Circuit level gateway Firewalls:
● The circuit level gateway firewalls work at the session layer of the OSI model.
● They monitor TCP handshaking between the packets to determine if a requested
session is legitimate, and the information passed through a circuit level gateway to the
internet appears to have come from the circuit level gateway.
● So, there is no way for a remote Computer or a host to determine the internal private
ip addresses of an organization, for example.
● This technique is also called Network Address Translation where the private IP
addresses originating from the different clients inside the network are all mapped to
the public IP Address available through the internet service provider and then sent to
the outside world (Internet).
● This way, the packets are tagged with only the Public IP address (Firewall level) and
the internal private IP addresses are not exposed to potential intruders.
SAHIL K

OR

Q. Explain VPN with neat diagram. Enlist different VPN protocols.


Ans:
● A VPN or Virtual Private Network is a network connection that enables you to create
a secure connection over the public Internet to private networks at a remote location.
● With a VPN, all network traffic (data, voice, and video) goes through a secure virtual
tunnel between the host device (client) and the VPN provider‟s servers, and is
encrypted.
● VPN technology uses a combination of features such as encryption, tunneling
protocols, data encapsulation, and certified connections to provide you with a secure
connection to private networks and to protect your identity.
● VPN connections technically give you all the benefits of a Local Area Network
(LAN), which is similar to that found in many offices but without requiring a
hard-wired connection.
● These systems use encryption and other security mechanisms to ensure that only
authorized users can access the network and that the data cannot be intercepted.
SAHIL K

Different VPN protocols are:

i) PPTP (Point-to-Point Tunneling Protocol)


ii) L2TP (Layer 2 Tunneling Protocol)
iii) IPsec (Internet Protocol Security)
iv) SSL (Secure Socket Layer)

Q. Explain Policies, configuration & limitations of firewall.


Ans: Policies of firewall:
● All traffic from inside to outside and vice versa must pass through the firewall.
● To achieve this all access to the local network must first be physically blocked and
access only via the firewall should be permitted.
● As per local security policy traffic should be permitted.
● The firewall itself must be strong enough so as to render attacks on it useless.

There are 3 common firewall configurations:


1. Screened host firewall, single-homed bastion configuration
2. Screened host firewall, dual homed bastion configuration
3. Screened subnet firewall configuration

1. Screened host firewall, single-homed bastion configuration

In this type of configuration a firewall consists of following parts


i) A packet filtering router
ii) An application gateway

The main purpose of this type is as follows:


● Packet filter is used to ensure that incoming data is allowed only if it is destined for
application gateway, by verifying the destination address field of incoming IP packet.
It also performs the same task on outing data by checking the source address field of
outgoing IP packet.
SAHIL K

● Application gateway is used to perform authentication and proxy functions. Here


Internal users are connected to both application gateway as well as to packet filters
therefore if packet filter is successfully attacked then the whole Internal Network is
opened to the attacker

2. Screened host firewall, dual homed bastion configuration

● To overcome the disadvantage of a screened host firewall, single homed bastion


configuration, another configuration is available known as screened host firewall,
Dual homed bastion.
● In this, direct connections between internal hosts and packet filters are avoided.
● As it provides connection between packet filter and application gateway, which has
separate connection with the internal hosts.
● Now if the packet filter is successfully attacked.
● Only the application gateway is visible to the attacker.
● It will provide security to internal hosts.

3. Screened subnet firewall configuration


● It provides the highest security among all firewall configurations.
● It is an improved version over all the available schemes of firewall configuration.
● It uses two packet filters, one between the internet and application gateway and
another between the application gateway and the internal network.
● Thus this configuration achieves 3 levels of security for an attacker to break into.
SAHIL K

Limitations of firewall:
1. A firewall can't set itself up correctly.
2. Firewalls don't deal with the real problem.
3. A firewall can't fully protect against viruses.
4. Firewall can't protect you against malicious insiders.
5. A firewall can't protect against completely new threats.
6. Firewalls cannot protect against what has been authorized.
7. It cannot stop attacks if the traffic does not pass through them.
8. They are only as effective as the rules they are configured to enforce.
9. A firewall can't protect you against connections that don't go through it.
10. Firewalls cannot fix poor administrative practices or poorly designed security
policies.
11. It cannot stop social engineering attacks or an unauthorized user intentionally using
their access for unwanted purposes.

Q. State any four limitations of the firewall.


Ans:
1. A firewall can't set itself up correctly.
2. Firewalls don't deal with the real problem.
3. A firewall can't fully protect against viruses.
4. Firewall can't protect you against malicious insiders.
5. A firewall can't protect against completely new threats.
6. Firewalls cannot protect against what has been authorized.
7. It cannot stop attacks if the traffic does not pass through them.
8. They are only as effective as the rules they are configured to enforce.
9. A firewall can't protect you against connections that don't go through it.
10. Firewalls cannot fix poor administrative practices or poorly designed security
policies.
11. It cannot stop social engineering attacks or an unauthorized user intentionally using
their access for unwanted purposes.

Q. Describe DMZ with a suitable example.


Ans:
● It is a computer host or a small network inserted as a neutral zone between a
company's private network and an outside public network.
SAHIL K

● It prevents direct Access to a server that has company data.

OR

● It avoids outside users from getting direct access to a company's data server. A DMZ
is an optional but more secure approach to a firewall. It can effectively act as a proxy
server.
● The typical DMZ configuration has a separate computer or host in the network which
receives requests from users within the private network to access a web site or public
network.
● Then the DMZ host initiates sessions for such requests on the public network but it is
not able to initiate a session back into the private network. It can only forward packets
which have been requested by a host.
● The public network's users who are outside the company can access only the DMZ
host.
● It can store the company's web pages which can be served to the outside users. Hence,
the DMZ can't give access to the other company's data.
● By any way, if an outsider penetrates the DMZ's security the web pages may get
corrupted but other company's information can be safe.
SAHIL K

Example:

1) Web servers:
● It’s possible for web servers communicating with internal database servers to be
deployed in a DMZ.
● This makes internal databases more secure, as these are the repositories responsible
for storing sensitive information.
● Web servers can connect with the internal database server directly or through
application firewalls, even though the DMZ continues to provide protection.

2) DNS servers:
● A DNS server stores a database of public IP addresses and their associated hostnames.
● It usually resolves or converts those names to IP addresses when applicable. DNS
servers use specialized software and communicate with one another using dedicated
protocols. Placing a DNS server within the DMZ prevents external DNS requests
from gaining access to the internal network. Installing a second DNS server on the
internal network can also serve as additional security.

3) Proxy servers:
● A proxy server is often paired with a firewall. Other computers use it to view Web
pages.
● When another computer requests a Web page, the proxy server retrieves it and
delivers it to the appropriate requesting machine.
● Proxy servers establish connections on behalf of clients, shielding them from direct
communication with a server.
● They also isolate internal networks from external networks and save bandwidth by
caching web content.

Q. Explain in detail intrusion detection systems.


Ans: Intrusion Detection System:
● An IDS (Intrusion detection system) is the process of monitoring the events occurring
in a computer system or network & analyzing tem for signs of possible incident which
are threats of computer security.
● Intrusion detection system (IDS) is a device or software application that monitors
network or system activities for malicious activities or policy violations and produces
reports to a management station.
● IDS come in a variety of "flavors" and approach the goal of detecting suspicious
traffic in different ways.
SAHIL K

IDS have following logical components:

1) Traffic collection: collects activity as events from IDS to examine. On Host-based


IDS,this can be log files, Audit logs or traffic coming to or leaving a system. On
network based IDS, this is typically a mechanism for copying traffic of network link.

2) Analysis Engine: examines collected network traffic & compares it to known patterns
of suspicious or malicious activity stored in digital signature. The analysis engine act
like a brain of IDS.

3) Signature database: a collection of patterns & definitions" of known suspicious or


malicious activity.

4) User Interface & Reporting: interfaces with human element, providing alerts when
suitable & giving the user a means to interact with & operate the IDS.

IDS are mainly divided into two categories, depending on monitoring activity:
1) Host-based IDS
2) Network based IDS

1) Host based IDS looks for certain activities in the log files are:
● Logins at odd hours
● Login authentication failure.
● Adding new user account
● Modification or access of critical systems files.
● Modification or removal of binary files
● Starting or stopping processes.
● Privilege escalation
● Use of certain program

2) Network based IDS looks for certain activities like:


● Denial of service attacks.
● Port scans or sweeps
● Malicious contents in the data payload of packet(s)
● Vulnerability of scanning
● Trojans, Viruses or worms
SAHIL K

● Tunneling
● Brute force attacks

Q. Difference between Firewall & IDS (Intrusion Detection System).


Ans:
Aspect Firewall IDS

Purpose Traffic control and access Threat detection and analysis.


management.

Functionality Rule-based traffic Alerting on suspicious network


blocking/permitting. activity.

Knowledge of Predetermined rules. Requires threat database.


Threats

Scalability Scales well for traffic control. Resource-intensive in large


networks.

Rule Set Generally based on source, Rule set includes signatures,


destination, port, and protocol. patterns, and behavior-based rules.

Response Provides real-time traffic control Provides alerts for post-event


and protection. analysis and response.

Q. Describe the components of NIDS with a neat diagram. State its advantages &
disadvantages.
Ans:

1. Traffic collection:
● Collects activity as events from IDS to examine.
● On Host-based IDS, this can be log files, Audit logs or traffic coming to or
leaving a system.
● On network based IDS, this is typically a mechanism for copying traffic of
network links.
SAHIL K

2. Analysis Engine:
● Examines collected network traffic & compares it to known patterns of
suspicious or malicious activity stored in digital signature.
● The analysis engine act like a brain of IDS.

3. Signature database: A collection of patterns & definitions of known suspicious or


malicious activity.

4. User Interface & Reporting: Interfaces with human element, providing alerts when
suitable & giving the user a means to interact with & operate the IDS.

Advantages of Network-based Intrusion Detection Systems:


● The deployment of network-based IDSs is usually easy with minimal effort.
● Network-based IDSs can be made very secure and are often invisible to most
attackers.
● They can monitor a heterogeneous set of hosts and operating systems simultaneously,
due to the fact that standard network protocols (e.g. TCP, UDP and IP) are supported
and used by most major operating systems.

Disadvantages of Network-based Intrusion Detection Systems:


● Network-based IDSs cannot analyze encrypted information. This problem is
increasing as more organizations and attackers use virtual private networks, which
normally utilize encrypted information.
● The processing load in a large or busy network may cause significant difficulties to
the analysis engine part of the IDS. This condition (high processing load) can
seriously limit an IDS’s ability to detect attacks when the network load is above a
specific amount of network traffic. Although some vendors have adopted
hardware-based solutions for IDSs, to increase the speed of their processing capability
(and the cost of implementation), the limitation still remains.
● • The need to analyze packets as fast as possible, force developers to detect fewer
attacks. Thus, the detection effectiveness is often compromised for the sake of cost
effectiveness.

Q. Explain Host based IDS.


Ans:
HIDS Host Intrusion Detection Systems
● They are run on individual hosts or devices on the network.
● A HIDS monitors the inbound and outbound packets from the device only and will
alert the user or administrator when suspicious activity is detected.
● HIDS is looking for certain activities in the log file are:
○ Logins at odd hours
○ Login authentication failure
○ Adding new user account
○ Modification or access of critical system files
SAHIL K

○ Modification or removal of binary files


○ Starting or stopping processes
○ Privilege escalation
○ Use of certain programs

Basic Components HIDS:


● Traffic collector: This component collects activity or events from the IDS to examine.
On Host-based IDS, this can be log files, audit logs, or traffic coming to or leaving a
specific system.

● Analysis Engine: This component examines the collected network traffic & compares
it to known patterns of suspicious or malicious activity stored in the signature
database. The analysis engine acts like a brain of the IDS.

● Signature database: It is a collection of patterns & definitions of known suspicious or


malicious activity.

● User Interface & Reporting: This is the component that interfaces with the human
element, providing alerts & giving the user a means to interact with & operate the
IDS.

Advantages:
1. Operating System specific and detailed signatures.
2. Examine data after it has been decrypted.
3. Application specific.
4. Determine whether or not an alarm may impact that specific.

Disadvantages:
1. Should have a process on every system to watch.
2. High cost of ownership and maintenance.
3. Uses local system resources.
4. If logged locally, could be compromised or disable.

Q. Explain the features of NIDS and HIDS.


SAHIL K

Ans:
Network Intrusion Detection System (NIDS) Features:

1. Traffic Monitoring:
- Description: NIDS monitors network traffic in real-time to identify suspicious or
malicious activities.
- Significance: It helps in detecting anomalies and potential security threats within the
network.

2. Signature-Based Detection:
- Description: NIDS uses predefined signatures or patterns to identify known attack
patterns or malicious activities.
- Significance: This approach is effective in recognizing well-established threats and attack
patterns.

3. Anomaly-Based Detection:
- Description: NIDS identifies deviations from normal network behavior and raises alerts
when abnormal patterns are detected.
- Significance: Enables detection of previously unknown or emerging threats based on
unusual network activities.

4. Packet Inspection:
- Description: NIDS examines individual packets of data, inspecting headers and payloads
to identify potential security issues.
- Significance: Allows for a granular analysis of network traffic to uncover specific details
about potential threats.

5. Real-Time Alerts:
- Description: NIDS generates real-time alerts or notifications when suspicious activity is
detected.
- Significance: Enables prompt response to potential security incidents, minimizing the
impact of threats.

6. Network Segmentation:
- Description: NIDS can operate in segmented network environments, monitoring specific
network segments or zones.
- Significance: Provides focused monitoring and detection capabilities in different parts of
the network.

Host Intrusion Detection System (HIDS) Features:

1. System Log Analysis:


- Description: HIDS analyzes system logs and activities on individual hosts to detect
unusual behavior or security events.
SAHIL K

- Significance: Offers insights into potential threats at the host level, such as unauthorized
access or suspicious system changes.

2. File Integrity Monitoring:


- Description: HIDS monitors changes to system files and critical configurations, alerting
administrators to unauthorized modifications.
- Significance: Helps in detecting and preventing unauthorized alterations to essential
system files or configurations.

3. Behavioral Analysis:
- Description: HIDS observes the behavior of applications and processes running on a host
to identify abnormal activities.
- Significance: Enhances the ability to detect sophisticated and targeted attacks that may
evade traditional signature-based detection.

4. Resource Utilization Monitoring:


- Description: HIDS monitors the resource usage on individual hosts, detecting anomalies
that may indicate a compromise.
- Significance: Allows for the identification of resource-intensive malicious activities, such
as a malware infection or a denial-of-service attack.

5. Local Alerts and Responses:


- Description: HIDS generates alerts and responses directly on the host where it is
deployed.
- Significance: Provides a more immediate response to potential threats, especially in cases
where network connectivity is limited or compromised.

6. User Activity Monitoring:


- Description: HIDS tracks user activities on the host, identifying suspicious or
unauthorized actions.
- Significance: Helps in detecting insider threats or unauthorized access attempts at the host
level.

Q. Difference between Host Based IDS and Network Based IDS.


Ans:
Parameter Host Based IDS Network Based IDS

Scope i) Single host i) Network-wide

Location ii) Installed on host ii) Deployed in network

Data Source iii) Host logs and activities iii) Network traffic and packets

Resource iv) Host resources iv) Network bandwidth and


consumption processing
SAHIL K

Scalability v) Less Scalable v) More Scalable

Maintenance vi) Less Maintenance vi) More Maintenance

Q. Explain Honey pots.


Ans:

HONEYPOT

● Honeypots are designed to purposely engage and deceive hackers and identify
malicious activities performed over the Internet.
● The honeypots are designed to do the following:
1. Divert the attention of a potential attacker.
2. Collect information about the intruder’s action.
3. Provide encouragement to the attacker so as to stay for some time, allowing
the administrations to detect this and swiftly act on this

Honeypots can be categorized into two main types:


i) Production Honeypots
ii) Research Honeypots

1. Production Honeypots:
● Objective: Production honeypots are deployed within a live network
environment with the main goal of detecting and mitigating real-world attacks.
● Deployment: They are typically placed alongside legitimate production
systems to divert and identify malicious activities targeting those systems.
● Usage: Production honeypots contribute to the overall security of a network
by providing early detection and response to threats.
SAHIL K

● Example: A production honeypot might be used to monitor and identify


attempts to exploit vulnerabilities in a specific type of server within a
corporate network.

2. Research Honeypots:
● Objective: Research honeypots are designed for studying and analyzing the
tactics, techniques, and procedures of attackers. They are often used by
security researchers and professionals to gather insights into emerging threats.
● Deployment: Research honeypots are typically deployed in controlled
environments and may emulate a variety of systems or services to attract a
wide range of attacks.
● Usage: The primary purpose is to gather threat intelligence, understand attack
patterns, and enhance cybersecurity knowledge.
● Example: A research honeypot might be set up to emulate a vulnerable IoT
device to observe how attackers exploit vulnerabilities in such devices.

UNIT 5 - Network Security, Cyber Laws and Compliance


Standards

Q. Explain the Kerberos with the help of a suitable diagram.


Ans:
● Kerberos is a network authentication protocol and it is designed to provide strong
authentication for client server applications. It uses secret key cryptography.
● It is a solution to your network security problems.
● It provides the tools of authentication and strong cryptography over the network to
help you secure your information system.

There are four parties involved in the Kerberos protocol:


● The Client Workstation
● Authentication Server (AS)
● Ticket Granting Server (TGS)
● The server offers services such as network printing, file sharing.

Step 1: The Authentication Server (AS) receives the request from the client and then AS
verifies the client. This is done by just looking into a simple database of the User’s ID.
SAHIL K

Step 2:
● After verification, a time stamp is created.
● It will put the current time in the user session with an expiry date.
● Then the encryption key is created.
● The timestamp says that after 8 hours the encryption key is useless.

Step 3:
● The key is sent back to the client in the form of a Ticket-Granting Ticket (TGT).
● It is a simple ticket which is issued by the Authentication Server (AS) and used for
authenticating the client for future reference.

Step 4: Then the client submits this TGT to the Ticket Granting Server (TGS), for
authentication.

Step 5: TGS creates an encrypted key with a time stamp and grants a service ticket to the
client.
SAHIL K

Step 6: Then the client decrypts the ticket, intimate the TGS that is done and sends its own
encrypted key to the service server or application.

Step 7:
● The service server decrypts the key sent by the client and checks the validity of the
timestamp.
● If the timestamp is valid, the service server contacts the key distribution center to
receive a session which is returned to the client.

Step 8: The client then decrypts the ticket. If the key is still valid then the communication is
initiated between client and server.
SAHIL K

Q. Define AS, TGS with respect to Kerberos.


Ans:
i) Authentication Server (AS):
● The Authentication Server (AS) is the KDC in the Kerberos protocol.
● Each user registers with the AS and is granted a user identity and a password.
● The AS has a database with these identities and the corresponding passwords.
● The AS verifies the user, issues a session key to be used between user and the TGS,
and sends a ticket for the TGS.

ii) Ticket-Granting Server (TGS):


● The Ticket Granting Server (TGS) issues a ticket for the real server.
● It also provides the session key (KAB) between user and server.
● Kerberos has separated user verification from the issuing of tickets.
● In this way, though the user verifies their ID just once with the AS, they can contact
the TGS multiple times to obtain tickets for different real servers.

Q. Explain IPsec security with the help of a diagram.


Ans: IPsec architecture:
● IPsec is to encrypt and seal the transport and application layer data during
transmission.
● Also offers integrity protection for the Internet layer.
● IPSec layer sits in between the transport and the Internet layers of the conventional
TCP/IP protocol stack.
● It encrypts and seals the transport and application layer data during transmission.
● It also offers integrity protection for the internet layer.
● It sits between the transport and internet layer of conventional TCP/IP protocol.

1. Secure remote internet access:


● Using IPsec, make a local call to our internet services provider (ISP) so as to connect
to the organization network in a secure fashion from our house or hotel from there; to
access the corporate network facilities or access remote desktop/servers.

2. Secure branch office connectivity:


● Rather than subscribing to an expensive leased line for connecting its branches across
cities, an organization can setup an IPsec enabled network for security.

3. Setup communication with other organizations:


● Just as IPsec allows connectivity between various branches of an organization, it can
also be used to connect the network of different organizations together in a secure &
inexpensive fashion.
● Basic Concept of IPsec Protocol: IP packet consist of two position IP header & actual
data IPsec features are implemented in the form of additional headers called as
extension header to the standard, default IP header.IPsec offers two main services
authentication & confidentiality.
SAHIL K

● Each of these requires its own extension header.


● Therefore, to support these two main services, IPsec defines two IP extension headers
one for authentication & another for confidentiality.

IPSec consists of two main protocols:


a) Authentication Header (AH)
b) Encapsulating Security Payload (ESP)

1. Authentication Header (AH):


● The AH provides support for data integrity and authentication of IP packets.
● The data integrity service ensures that data inside an IP packet is not altered during
the transit.
● The authentication service enables an end user or computer system to authenticate the
user or the application at the other end and decides to accept or reject packets
accordingly.
● This also prevents IP spoofing attacks. AH is based on MAC protocol, which means
that the two communicating parties must share a secret key in order to use AH.

2. Encapsulating Security Payload (ESP):


● ESP is a member of the IPsec protocol suite.
● In IPsec it provides origin authenticity, integrity and confidentiality protection of
packets.
SAHIL K

● ESP also supports encryption-only and authentication-only configurations, but using


encryption without authentication is strongly discouraged because it is insecure.

Modes of operation: Both AH and ESP works in two modes:

● Tunnel mode:
○ In tunnel mode, IPsec protects the entire IP datagram.
○ It takes an IP datagram, adds the IPSec header and trailer and encrypts the
whole thing.
○ It then adds a new IP header to this encrypted datagram.

● Transport mode:
○ Transport mode does not hide the actual source and destination addresses.
○ They are visible in plain text, while in transit.
○ In the transport mode, IPSec takes the transport layer payload, adds IPSec
header and trailer, encrypted datagram.

Q. List two protocols in IPSec. State its function.


Ans:
Protocols in IPSec:

i) Authentication Header (AH)


ii) Encapsulating Security Payload (ESP)

1. Authentication Header (AH): The AH protocol provides authentication and integrity


protection for the entire IP packet, ensuring that the content has not been altered during
transmission.

2. Encapsulating Security Payload (ESP): ESP, on the other hand, offers confidentiality,
integrity, and optional authentication for the packet's payload, securing the actual data being
transferred within the IP packet.

Q. Define AH and ESP with respect to ip security.


Ans:
1. Authentication Header (AH):
● The AH provides support for data integrity and authentication of IP packets.
● The data integrity service ensures that data inside an IP packet is not altered during
the transit.
● The authentication service enables an end user or computer system to authenticate the
user or the application at the other end and decides to accept or reject packets
accordingly.
● This also prevents IP spoofing attacks. AH is based on MAC protocol, which means
that the two communicating parties must share a secret key in order to use AH.
SAHIL K

2. Encapsulating Security Payload (ESP):


● ESP is a member of the IPsec protocol suite.
● In IPsec it provides origin authenticity, integrity and confidentiality protection of
packets.
● ESP also supports encryption-only and authentication-only configurations, but using
encryption without authentication is strongly discouraged because it is insecure.

Q. Draw and explain the Authentication Header (AH) format of IPsec.


Ans:

i) Next header: The 8-bit next header field defines the type of payload carried by the IP
datagram (such as TCP, UDP, ICMP, or OSPF).

ii) Payload length:


● The name of this 8-bit field is misleading.
● It does not define the length of the payload.
● It defines the length of the authentication header in 4-byte multiples, but it does not
include the first 8 bytes.

iii) Security parameter index:


● The 32-bit Security Parameter Index (SPI) field plays the role of a virtual circuit
identifier and is the same for all packets sent during a connection called a Security
Association.

iv) Sequence number:


● A 32-bit sequence number provides ordering information for a sequence of datagrams.
● The sequence numbers prevent a playback.
● Note that the sequence number is not repeated even if a packet is retransmitted.
● A sequence number does not wrap around after it reaches 232; a new connection must
be established.
SAHIL K

v) Authentication data: The authentication data field is the result of applying a hash function
to the entire IP datagram except for the fields that are changed during transit (e.g.,
time-to-live).

Q. Draw and explain Encapsulation Security Payload (ESP) format of IP sec.


Ans:

Encapsulating Security Payload (ESP):


● ESP is a member of the IPsec protocol suite.
● In IPsec it provides origin authenticity, integrity and confidentiality protection of
packets.
● ESP also supports encryption-only and authentication-only configurations, but using
encryption without authentication is strongly discouraged because it is insecure.

Q. Draw and explain the tunnel and transport modes of IP sec.


Ans:
Tunnel Mode:
● In tunnel mode, IPsec protects the entire IP datagram.
● It takes an IP datagram, adds the IPSec header and trailer and encrypts the whole
thing.
● It then adds a new IP header to this encrypted datagram.
SAHIL K

OR

Transport Mode:
● Transport mode does not hide the actual source and destination addresses.
● They are visible in plain text, while in transit.
● In the transport mode, IPSec takes the transport layer payload, adds IPSec header and
trailer, encrypts the whole thing and then adds the IP header.
● Thus the IP header is not encrypted.
SAHIL K

OR

Q. Explain email security techniques (protocols).


Ans:
1. SMTP - Simple Mail Transfer Protocol:
● It is a popular network service in Email communication.
● SMTP usually is implemented to operate over Internet port 25.
● It is a system for sending messages to other computer users based on email.
● It is a request response based activity.
● It also provides an email exchange process.
● It attempts to provide reliable service but not guarantees to ensure recovery from
failure.
SAHIL K

2. PEM - Privacy Enhanced Mail:


● Privacy-Enhanced Mail (PEM) is an Internet standard that provides for secure
exchange of electronic mail.
● PEM employs a range of cryptographic techniques to allow for:
○ Confidentiality
○ Non - repudiation
○ Message integrity
● The confidentiality feature allows a message to be kept secret from people to whom
the message was not addressed.
● The Non - repudiation allows a user to verify that the PEM message that they have
received is truly from the person who claims to have sent it.
● The message integrity aspects allow the user to ensure that a message hasn't been
modified during transport from the sender.

3.PGP- Pretty Good Privacy:


● It is a popular program used to encrypt and decrypt email over the internet.
● It has become a standard for email security.
● It is used to send encrypted code (digital signature) that lets the receiver verify the
sender's identity and takes care that the route of the message should not change.
● PGP can be used to encrypt files being stored so that they are in unreadable form and
not readable by users or intruders.
● It is available in Low cost and Freeware versions.
● It is the most widely used privacy ensuring program used by individuals as well as
many corporations.

4. S/MIME- Secure Multipurpose Internet Mail Extension:


● The traditional email system using SMTP protocol is text based which means that a
person can compose a text message using an editor and then send it over the Internet
to the recipient, but multimedia files or documents in various arbitrary formats cannot
be sent using this protocol.
● To cater these needs the Multipurpose Internet Mail Extensions (MIME) system
extends the basic email system by permitting users to send the binary files using the
basic email system.
● And when the basic MIME system is enhanced to provide security features, it is
called Secure Multipurpose Internet Mail Extensions.
● S/MIME provides security for digital signature and encryption of email messages.

Q. Explain the working principle of SMTP.


Ans:
1. Composition of Mail:
● A user sends an e-mail by composing an electronic mail message using a Mail User
Agent (MUA).
● Mail User Agent is a program which is used to send and receive mail.
● The message contains two parts: body and header.
SAHIL K

● The body is the main part of the message while the header includes information such
as the sender and recipient address.
● The header also includes descriptive information such as the subject of the message.
● In this case, the message body is like a letter and the header is like an envelope that
contains the recipient's address.

2. Submission of Mail:
● After composing an email, the mail client then submits the completed email to the
SMTP server by using SMTP on TCP port 25.

3. Delivery of Mail:
● E-mail addresses contain two parts: username of the recipient and domain name.
● For example, [email protected], where "vivek" is the username of the recipient and
"gmail.com" is the domain name.
● If the domain name of the recipient's email address is different from the sender's
domain name, then MSA will send the mail to the Mail Transfer Agent (MTA).
● To relay the email, the MTA will find the target domain.
● It checks the MX record from the Domain Name System to obtain the target domain.
● The MX record contains the domain name and IP address of the recipient's domain.
● Once the record is located, MTA connects to the exchange server to relay the
message.

4. Receipt and Processing of Mail:


● Once the incoming message is received, the exchange server delivers it to the
incoming server (Mail Delivery Agent) which stores the email where it waits for the
user to retrieve it.

5. Access and Retrieval of Mail:


● The stored email in MDA can be retrieved by using MUA (Mail User Agent).
● MUA can be accessed by using login and password.

Q. Describe the working principle of PEM email security.


SAHIL K

Ans: Privacy Enhanced Mail (PEM) supports the 3 main cryptographic functions of
encryption, nonrepudiation and message integrity. The steps involved in PEM operation as
follows.

Step 1: Canonical conversion:


● There is a distinct possibility that the sender and the receiver of an email message use
computers that have different architecture and operating systems.
● PEM transforms each email message into an abstract, canonical representation.
● This means that regardless of the architecture and the operating system of the sending
and receiving computers, the email travels in a uniform, independent format.

Step 2: Digital signature:

● It starts by creating a MD of email messages using an algorithm such as MD2 or


MD5.
● The MD thus created is then encrypted with the sender's private key to form the
sender’s digital signature.

Step 3: Encryption: The original email and the digital signature are encrypted together with
a symmetric key:
SAHIL K

Step 4: Base - 64 encoding:


● This process transforms arbitrary binary input into printable character output.
● The binary input is processed in blocks of 3 octets or 24 bits.
● These 24 bits are considered to be made up of 4 sets, each of 6 bits.
● Each such set of 6 bits is mapped into an 8-bit output character in this process.

Q. Explain the role of PGP in Email security.


Ans: PGP is Pretty Good Privacy.
● It is a popular program used to encrypt and decrypt email over the internet.
● It has become a standard for email security.
● It is used to send encrypted code (digital signature) that lets the receiver verify the
sender's identity and takes care that the route of the message should not change.
● PGP can be used to encrypt files being stored so that they are in unreadable form and
not readable by users or intruders.
● It is available in Low cost and Freeware versions.
● It is the most widely used privacy ensuring program used by individuals as well as
many corporations.
SAHIL K

There are five steps as shown below:

Step 1: Digital signature:


● It consists of the creation of a message digest of the email message using SHA-1
algorithm.
● The resulting MD is then encrypted with the sender's private key. The result is the
sender's digital signature.

Step 2: Compression:
● The input message as well as p digital signature are compressed together to reduce the
size of the final message that will be transmitted.
● For this the Lempel -Ziv algorithm is used.

Step 3: Encryption:
● The compressed output of step 2 (i.e. the compressed form of the original email and
the digital signature together) are encrypted with a symmetric key.

Step 4: Digital enveloping:


● The symmetric key used for encryption in step 3 is now encrypted with the receiver's
public key.
● The output of step 3 and 4 together form a digital envelope.

Step 5: Base - 64 encoding:


● This process transforms arbitrary binary input into printable character output.
● The binary input is processed in blocks of 3 octets (24-bits).
● These 24 bits are considered to be made up of 4 sets, each of 6 bits.
● Each such set of 6 bits is mapped into an 8-bit output character in this process.
SAHIL K

Q. Gives the step for verification of a digital certificate.


Ans: Steps for verification of a digital certificate:
Suppose Y receives digitally signed messages from X, who he does not know or trust. X has
included his digital certificate with a message, which has his public key embedded within it.
Before Y can be sure of the message from X, he has to go through following steps:

Step 1: Y will see which CA signed X's certificate and compare it to the list of CAs he has
configured.

Step 2: If X's certificate is in the list of trusted CAs, then he will pass X's certificate through
hashing algorithm which will result in Message digest A.

Step 3: Every certificate has a different encrypted Message digest value embedded within
it,which is a Digital signature. Y takes CA's public key and decrypts the embedded Digital
signature value which is called decrypted DS value B.

Step 4: If value A & B matches then Y can be assured that this CA has actually created a
certificate.

Step 5: Y needs to be ensured that the issuing CA has not revoked this certificate.

Step 6: Y will compare the email address which is inserted by CA in the certificate with the
address that sent this message. If these values are the same he can be assured that the message
came from the email address that was provided during the registration process of the
certificate.

Step 7: Validity of the certificate is proven according to the start and stop date of the
certificate.

Step 8: Y trusts that this certificate is legal and belongs to X.Y could read the message.

Q. Define Public Key Infrastructure (PKI).


Ans:
● A Public Key Infrastructure (PKI) is a set of roles, policies, hardware, software and
procedures needed to create, manage, distribute, use, store and revoke digital
certificates and manage public key encryption.
● The purpose of a PKI is to facilitate the secure electronic transfer of information for a
range of network activities such as e-commerce, internet banking and confidential
email.

Q. List the components of PKI.


Ans:
● Digital Certificate
SAHIL K

● End User/Entity
● Certification Authority
● Registration Authority
● Repository
● Relying Party

Q. Explain Public Key Infrastructure with example.


Ans:
● A Public Key Infrastructure (PKI) is a set of roles, policies, hardware, software and
procedures needed to create, manage,distribute, use, store and revoke digital
certificates and manage public key encryption.
● The purpose of a PKI is to facilitate the secure electronic transfer of information for a
range of network activities such as e-commerce, internet banking and confidential
email.
● PKI is the governing body behind issuing digital certificates. It helps to protect
confidential data and gives unique identities to users and systems. Thus, it ensures
security in communications.
● The public key infrastructure uses a pair of keys: the public key and the private key to
achieve security.
● The public keys are prone to attacks and thus an intact infrastructure is needed to
maintain them.
● PKI identifies a public key along with its purpose. It usually consists of the following
components:
○ Digital Certificate
○ End User/Entity
○ Certification Authority
○ Registration Authority
○ Repository
○ Relying Party

Working on a PKI:

● PKI and Encryption: The root of PKI involves the use of cryptography and
encryption techniques. Both symmetric and asymmetric encryption uses a public key.
There is always a risk of MITM (Man in the middle). This issue is resolved by a PKI
using digital certificates. It gives identities to keys in order to make the verification of
owners easy and accurate.

● Public Key Certificate or Digital Certificate: Digital certificates are issued to


people and electronic systems to uniquely identify them in the digital world.
○ The Certification Authority (CA) stores the public key of a user along with
other information about the client in the digital certificate. The information is
signed and a digital signature is also included in the certificate.
SAHIL K

○ The affirmation for the public key then can be retrieved by validating the
signature using the public key of the Certification Authority.

● Certifying Authorities: A CA issues and verifies certificates. This authority makes


sure that the information in a certificate is real and correct and it also digitally signs
the certificate. A CA or Certifying Authority performs these basic roles:
○ Generates the key pairs - This key pair generated by the CA can be either
independent or in collaboration with the client.
○ Issuing of the digital certificates -When the client successfully provides the
right details about his identity, the CA issues a certificate to the client. Then
CA further signs this certificate digitally so that no changes can be made to the
information.
○ Publishing of certificates - The CA publishes the certificates so that the users
can find them. They can do this by either publishing them in an electronic
telephone directory or by sending them out to other people.
○ Verification of certificate - CA gives a public key that helps in verifying if the
access attempt is authorized or not.
○ Revocation - In case of suspicious behavior of a client or loss of trust in them,
the CA has the power to revoke the digital certificate.

The most popular usage example of PKI (Public Key Infrastructure) is the HTTPS (Hypertext
Transfer Protocol Secure) protocol. HTTPS is a combination of the HTTP (Hypertext
Transfer Protocol) and SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols
to provide encrypted communication and secure identification of a Web server.

In HTTPS, the Web server's PKI certificate is used by the browser for two purposes:
● Validate the identity of the Web server by verifying the CA's digital signature in the
certificate.
● Encrypt a secret key to be securely delivered to the Web server. The secret key will be
used to encrypt actual data to be exchanged between the browser and the Web server.
SAHIL K

Other examples of PKI (Public Key Infrastructure) are:


● Digital signature: The sender of a digital message uses his/her private key to
generate a digital signature attached to the message. The receiver uses the sender's
certificate to verify the digital signature to ensure the message was sent by the
claimed sender.
● Encryption of documents: The sender of a digital message uses the receiver's
certificate to encrypt the message to protect the confidentiality of the message. Only
the receiver who can use his/her private key decrypt the message.
● Digital identification: User's certificate is stored in a smart card to be used to verify
card holder's identities.

Q. Explain X.509/PKIX Certificate Format.


Ans:

X.509/PKIX Certificate Format

● Version number:
○ This field defines the version of X.509 of the certificate.
○ The version number started at 0; the current version (third version) is 2.

● Serial number:
○ This field defines a number assigned to each certificate.
○ The value is unique for each certificate issuer.

● Signature algorithm ID:


○ This field identifies the algorithm used to sign the certificate.
○ Any parameter that is needed for the signature is also defined in this field.

● Issuer name:
○ This field identifies the certification authority that issued the certificate.
○ The name is normally a hierarchy of strings that defines a country, a state,
organization, department, and so on.
SAHIL K

● Validity Period:
○ This field defines the earliest time (not before) and the latest time (not after)
the certificate is valid.

● Subject name:
○ This field defines the entity to which the public key belongs.
○ It is also a hierarchy of strings.
○ Part of the field defines what is called the common name, which is the actual
name of the beholder of the key.

● Subject public key:


○ This field defines the owner’s public key, the heart of the certificate.
○ The field also defines the corresponding public-key algorithm (RSA, for
example) and its parameters.

● Issuer unique identifier:


○ This optional field allows two issuers to have the same issuer field value, if the
issuer unique identifiers are different.

● Subject unique identifier:


○ This optional field allows two different subjects to have the same subject field
value, if the subject unique identifiers are different.

● Extensions:
○ This optional field allows issuers to add more private information to the
certificate.

● Signature:
○ This field is made of three sections.
○ The first section contains all other fields in the certificate.
○ The second section contains the digest of the first section encrypted with the
CA’s public key.
○ The third section contains the algorithm identifier used to create the second
section.

Q. Describe cybercrime. Describe hacking & cracking related to cybercrime.


Ans: Cybercrime:
● Cybercrime is defined as a crime in which a computer is the object of the crime
(hacking, phishing, spamming) or is used as a tool to commit an offense (child
pornography, hate crimes).
● Cybercriminals may use computer technology to access personal information,
business trade secrets, or use the Internet for exploitive or malicious purposes.
● Criminals can also use computers for communication and document or data storage.
SAHIL K

● Criminals who perform these illegal activities are often referred to as hackers.
● Cybercrime may also be referred to as computer crime.

Types of Cybercrimes:
1. Hacking
2. Cracking
3. Theft
4. Malicious software
5. Child soliciting and abuse

Hacking:
● Hacking is one of the most well-known types of computer crime.
● Hacking refers to unauthorized access of another's computer systems.
● A hacker is someone who finds out and exploits the weaknesses of computer systems
or networks.
● These intrusions are often conducted in order to launch malicious programs known as
viruses, worms, and trojan horses that can shut down hacking an entire computer
network.
● Hacking is also carried out as a way to talk credit card numbers, intent passwords, and
other personal information.
● By accessing commercial databases, hackers are able to steal these types of items
from millions of internet users all at once.

Types of hackers:
1. White hat
2. Black hat
3. Grey hat
4. Elite hacker
5. Script hacker

Cracking:
● In the cyber world, a cracker is someone who breaks into a computer system or
network without authorization and with the intention of doing damage.
● Crackers are used to describe a malicious hacker.
● Crackers get into all kinds of mischief like he may destroy files, steal personal
information like credit card numbers or client data, infect the system with a virus, or
undertake many other things that cause harm.
● Cracking can be done for profit, maliciously, for some harm to organizations or to
individuals.
● Cracking activity is harmful, costly and unethical.

Q. Classify following Cybercrime


i) Cyber terrorism against a government organization
ii) Cyber-stalking
SAHIL K

iii) Copyright Infringement


iv) Email harassment
Ans:
i) Cyber terrorism against a government organization: This falls under the category of
"Cyber Terrorism” or "Government Cybercrime".

ii) Cyber-stalking: This is classified as "Cyber Harassment" or "Crime against Individual".

iii) Copyright Infringement: This is categorized as "Intellectual Property Crime" or


"Property Cybercrime".

iv) Email harassment: This falls under the category of "Cyber Harassment" or "Crime
against Individual".

Q. Explain the concept of hacking.


Ans:
● Hacking is one of the most well-known types of computer crime.
● Hacking refers to unauthorized access of another's computer systems.
● A hacker is someone who finds out and exploits the weaknesses of computer systems
or networks.
● These intrusions are often conducted in order to launch malicious programs known as
viruses, worms, and trojan horses that can shut down hacking an entire computer
network.
● Hacking is also carried out as a way to talk credit card numbers, intent passwords, and
other personal information.
● By accessing commercial databases, hackers are able to steal these types of items
from millions of internet users all at once.

There are different types of hackers:


1. White hat
2. Black hat
3. Grey hat
4. Elite hacker
5. Script hacker

Q. List and explain different types of hackers.


Ans: There are different types of hackers:
1. White hat
2. Black hat
3. Grey hat
4. Elite hacker
5. Script kiddie hacker

1. Black Hat Hacker:


SAHIL K

● Black-hat Hackers are also known as an Unethical Hacker or a Security Cracker.


● These people hack the system illegally to steal money or to achieve their own illegal
goals.
● They find banks or other companies with weak security and steal money or credit card
information.
● They can also modify or destroy the data as well. Black hat hacking is illegal.

2.White Hat Hacker:


● White hat Hackers are also known as Ethical Hackers or a Penetration Tester.
● White hat hackers are the good guys of the hacker world.
● These people use the same technique used by the black hat hackers.
● They also hack the system, but they can only hack the system that they have
permission to hack in order to test the security of the system.
● They focus on security and protecting the IT system.
● White hat hacking is legal.

3. Gray Hat Hacker:


● Gray hat Hackers Are Hybrid between Black Hat Hackers and White hat hackers.
● They can hack any system even if they don't have permission to test the security of
the system but they will never steal money or damage the system.
● In most cases, they tell the administrator of that system.
● But they are also illegal because they test the security of the system that they do not
have permission to test.
● Grey hat hacking is sometimes acted legally and sometimes not.

4. Elite Hacker:
● Elite hackers avoid deliberately destroying information or otherwise damaging the
computer systems they have exploited.

5. Script Kiddie:
● A script kiddie, or “skiddie,” is someone who lacks programming knowledge and uses
existing software to launch an attack.
● Often a script kiddie will use these programs without even knowing how they work or
what they do.
● For example, imagine a child gets their first computer. The child watches a movie
about hacking and then downloads a copy of Kali Linux. They begin playing with the
various programs while searching for online tutorials. At first, they may be perceived
as nothing more than an internet troll or noob, due to their lack of experience and
quickness to brag and boast. Sometimes they will even resort to cyberstalking or
bullying. However, this may simply be a cover for other more nefarious activity.

Q. Describe the process of cyber crime investigation.


Ans:
SAHIL K

● Cybercrime investigation is done to determine the nature of crime and collect


evidence e.g. hardware, software related to the crime.
● This is used to stop a crime in progress, report crime which was done in the past.
● Relevant IT training is necessary for Cybercrime investigation.
● First step of the investigation team is to secure computers, networks & components
that are connected with crime.
● Investigators may clone the system to explore it.
● They can take a detailed audit of a computer
● Interviews: Investigators arrange interviews with victims, witness.
● Surveillance: Investigators check the digital activities, monitor all elements of the
suspect.
● Forensics: Mining a computer for all related information to detect potential evidence.
● Undercover: Steps to uncover to trap criminals using fake online identities.
● Obtain a search warrant and seize the victims equipment
● Identify the victim's configuration.
● Acquire the evidence carefully.

Q. What is pornography?
Ans: Pornography:
● The depiction of nudity or erotic behavior, in writing, pictures,video, or otherwise,
with the intent to cause sexual excitement.
● Is the depiction of erotic behavior (as in pictures or writing) intended to cause sexual
excitement material (as books or a photograph) that depicts erotic behavior and is
intended to cause sexual excitement the depiction of acts in a sensational manner so as
to arouse a quick intense emotional reaction?
● Pornography is defined as imagery, in addition to various forms of media, that depicts
actions presumed to be overtly sexual and erotic in nature.
● In a legal spectrum, Pornography can be defined as sexually-explicit material that is
displayed or viewed with the intention of the provision of sexual gratification.

Q. Explain Cyber Crime.


Ans:
● Crimes against people are a category of crime that consists of offenses that usually
involve causing or attempting to cause bodily harm or a threat of bodily harm.
● These actions are taken without the consent of the individual the crime is committed
against, or the victim.
● These types of crimes do not have to result in actual harm - the fact that bodily harm
could have resulted and that the victim is put in fear for their safety is sufficient. i.e.
Assault, Domestic Violence, Stalking.

● Cybercrime is a bigger risk now than ever before due to the sheer number of
connected people and devices.
● Cybercrime, as it's a bigger risk now than ever before due to the sheer number of
connected people and devices.
SAHIL K

● It is simply a crime that has some kind of computer or cyber aspect to it.
● To go into more detail is not as straightforward, as it takes shape in a variety of
different formats.

Cybercrime:
● Cybercrime has now surpassed illegal drug trafficking as a criminal money maker
● Somebody's identity is stolen every 3 seconds as a result of cybercrime
● Without a sophisticated security package, your unprotected PC can become infected
within four minutes of connecting to the Internet.

● Criminals committing cybercrime use a number of methods, depending on their


skill-set and their goal.
● Here are some of the different ways cybercrime can take shape:
○ Theft of personal data
○ Copyright infringement Fraud
○ Child pornography
○ Cyber stalking
○ Bullying

● Cybercrime covers a wide range of different attacks, all of which deserve their own
unique approach when it comes to improving our computer's safety and protecting
ourselves.
● The computer or device may be the agent of the crime, the facilitator of the crime, or
the target of the crime.
● The crime may take place on the computer alone or in addition to other locations.
● The broad range of cybercrime can be better understood by dividing it into two
overall categories.

Q. What is software piracy?


Ans:
● Software piracy is the illegal copying, distribution, or use of software.
● It is such a profitable “business” that it has caught the attention of organized crime
groups in a number of countries.
● Software piracy causes significant lost revenue for publishers, which in turn results in
higher prices for the consumer.
● Software piracy applies mainly to full-function commercial software.
● The time-limited or function-restricted versions of commercial software called
shareware are less likely to be pirated since they are freely available.
● Similarly, freeware, a type of software that is copyrighted but freely distributed at no
charge.

Types of software piracy include:


● Soft-lifting: Borrowing and installing a copy of a software application from a
colleague.
SAHIL K

● Client-server overuse: Installing more copies of the software than you have licenses
for.
● Hard-disk loading: Installing and selling unauthorized copies of software on
refurbished or new computers.
● Counterfeiting: Duplicating and selling copyrighted programs.
● Online piracy: Typically involves downloading illegal software from peer-to-peer
network, Internet auction or blog.

Q. Explain in brief IT Act 2000 and IT Act 2008.


Ans:
IT Act 2000:
● In May 2000, both the houses of the Indian Parliament passed the Information
Technology Bill.
● The Bill received the assent of the President in August 2000 and came to be known as
the Information Technology Act, 2000.
● Cyber laws are contained in the IT Act, 2000.

● This Act aims to provide the legal infrastructure for E-commerce in India.
● And the cyber laws have a major impact for E-businesses and the new economy in
India.
● So, it is important to understand what the various perspectives of the IT Act 2000 are
and what it offers.
● The Information Technology Act, 2000 also aims to provide for the legal framework
so that legal sanctity is accorded to all electronic records and other activities carried
out by electronic means.

● The Act states that unless otherwise agreed, an acceptance of contract may be
expressed by electronic means of communication and the same shall have legal
validity and enforceability.
● Some highlights of the Act are listed below:
● The Act specifically stipulates that any subscriber may authenticate an electronic
record by affixing his digital signature.
● It further states that any person can verify an electronic record by use of a public key
of the subscriber.
● The Act details about Electronic Governance and provides inter alia amongst others
that where any law provides that information or any other matter shall be in writing or
in the typewritten or printed form, then, notwithstanding anything contained in such
law, such requirement shall be deemed to have been satisfied if such information or
matter is rendered or made available in an electronic form; and accessible so as to be
usable for a subsequent reference and details the legal recognition of Digital
Signatures.
● The Act gives a scheme for Regulation of Certifying Authorities.
SAHIL K

● The Act envisages a Controller of Certifying Authorities who shall perform the
function of exercising supervision over the activities of the Certifying Authorities as
also laying down standards and conditions governing the Certifying Authorities as
also specifying the various forms and content of Digital Signature Certificates.
● The Act recognizes the need for recognizing foreign Certifying Authorities and it
further details the various provisions for the issue of license to issue Digital signature
Certificates.
● The Act also provides for the constitution of the Cyber Regulations Advisory
Committee, which shall advise the government as regards any rules, or for any other
purpose connected with the said act.
● The said Act also proposes to amend the Indian Penal Code, 1860, The Indian
Evidence Act, 1872, The Bankers Books Evidence Act, 1891, The Reserve Bank of
India Act, 1934 to make them in tune with the provisions of the IT Act.

IT Act 2008:
● IT acts 2008: It is the Information Technology Amendment Act, 2008.
● The act was developed for IT industries, to control e-commerce, to provide
E-governance facilities and to stop cybercrime attacks.

● Following are the characteristics of IT ACT 2008: This act provides legal recognition
or the transaction i.e. Electronic Data Interchange (EDI) and other electronic
communications.
● This Act also gives facilities for electronic filing of information with the Government
agencies.
● It is considered necessary to give effect to the said resolution and to promote efficient
delivery of Government services by means of reliable electronic records.

Features of I.T. Amendment Act 2008:


● Focusing on data privacy
● Focusing on information security.
● Defining cyber cafe.
● Making digital signature technology neutral.
● Defining reasonable security practices to be followed by corporate.
● Redefining the role of intermediaries.
● Recognizing the role of the Indian computer Emergency Response Team.
● Inclusion of some additional cybercrimes like child pornography and cyber terrorism.
● Authorizing an Inspector to investigate cyber offenses.

Q. Explain IT Act, 2000 and IT ACT, 2008 with advantages and disadvantages.
Ans:
i) IT Act 2000: The IT Act 2000 gives a very good solution to cyber crimes. In this Act
several sections and Chapters are there which are defined in the following manner:
SAHIL K

● Chapter 1 the preliminary chapter of IT Act 2000 gives all of the information about
the short title, territory up to which it is extendable, and the basic application of
related laws.
● Chapter 2 to 7 of this Act defines “Access”, “Addressee”, “Adjudicating Officer”,
“Affixing Digital Signature”, “Asymmetric Cryptography”, “Cyber”, “Computer”,
“Digital Signature”, “Digital Signature Certificate‟ and other numerous basic terms,
which are defined in its appendix.
● Other chapters of this Act define those crimes which can be considered as cognizable
offenses, i.e. for which the police can arrest the wrongdoer immediately.
● Section 80 of this Act gives a freedom to the police officer to search, arrest the
offender who is indulged in that crime or going to commit it.
● Section 65 to 70 covers all of the cognizable offenses, namely, “tampering of
documents”, “hacking of the personal computer”, “obscene information transmission
or publication”, “failure of compliance by certifying authority or its employees, of
orders of the Controller of certifying authorities”, “Access or attempt to access by any
unauthorized person, a protected system notified by Govt. in the Official Gazette” in
which non-bailable warrant is issued or no warrant is required.
● Section 71 indicates the offense “Misrepresentation of material fact from the
controller of Certifying Authority for obtaining any license or Digital Signature
Certificate”.

Advantages:
● Email is considered as the valid and legal form of communication.
● Digital signatures have been given legal validity and sanction
● Companies can carry out e-business using legal infrastructure.
● Corporate companies can become certifying authorities for issuing digital signatures
certificates.
● Enables the government to issue notifications or any other type of documents through
the internet bringing e-governance.
● Enables businesses to file forms, applications or any other type of document with any
office, body, institute in an electronic form.
● Enables the corporations and businesses to have statutory remedy in case of any act of
intrusion into their computer system or network, which causes damages or copies
data. The Act provides remedy in the form of monetary damages up to 1 crore.

Disadvantages:
● No mention on IPR (Intellectual Property Rights).
● No provisions for copy-righting, trade marking or patenting of electronic information
and data.
● The law does not consist of the rights and liabilities available to the domain name
holders.
● Not considered the regulation of electronic payments gateway, thus making the
banking and financial sectors indecisive (weak) in their stands.
● No mention of internet security while using the IT laws.
SAHIL K

ii) IT Act 2008:


● It is the information Technology Amendment Act, 2008 also known as ITA-2008
● It is a considerable addition to the ITA-2000 and was administered by the Indian
Computer Emergency Response Team (CERT-In) in 2008.
● Basically, the act was developed for IT industries, to control e-commerce, to provide
e-governance facilities and to stop cybercrime attacks.
● The alterations are made to address some issues like the original bill failed to cover, to
accommodate the development of IT and security of e-commerce transactions.

The modification includes:


● Redefinition of terms like communication devices which reflect the current use.
● Validation of electronic signatures and contracts.
● The owner of an IP address is responsible for content that are accessed or distributed
through it.
● Organizations are responsible for implementation of effective data security practices.

Following are the characteristics of IT Act 2008:


● This Act provides legal recognition for the transaction i.e. Electronic Data
Interchange (EDI) and other electronic communications. Electronic commerce is the
alternative to paper based methods of communication to store information.
● This Act also gives facilities for electronic filing of information with the Government
agencies and further to change the Indian Penal Code-Indian Evidence Act 1872,
Bankers code Evidence Act 1891 and Reserve Bank of India Act, 1934 and for matter
connected therewith or incidental thereto.
● The General Assembly of the United Nations by resolution A/RES/51/162, dated 30
January 1997 has adopted the model law on Electronic Commerce adopted by the
United Nations Commission on International Trade Law.
● This recommends that all States give favorable consideration to the above said model
law when they enact or revise their laws, in terms of need for uniformity of the law
applicable to alternative to paper based methods of communication and storage of
information.
● It is considered necessary to give effect to the said resolution and to promote efficient
delivery of Government services by means of reliable electronic records.

Advantages:
● Redefinition of terms like communication devices which reflect the current use.
● Validation of electronic signatures and contracts.
● The owner of an IP address is responsible for content that is accessed or distributed
through it.
● Organizations are responsible for implementation of effective data security practices.

Disadvantages:
SAHIL K

● Liability of ISPs has been revisited and responsibility shall lie on the complainant to
prove lack of due diligence or presence of actual knowledge by intermediary, as
proving conspiracy would be difficult.
● Cyber law enforcement teams will face more challenges.
● The power of interception of traffic data and communications over the internet will
need to be exercised, deliberating powers of monitoring, collection , decryption or
interception.
● Power for blocking websites should also be exercised carefully and should not
transgress into areas that amount to unreasonable censorship.
● Many of the offenses added to the Act are cognizable but bailable which increases the
likelihood of tampering of evidence by cybercriminal once he is released on bail.

Q. Explain following terms of Intellectual property:


(i) Copyright
(ii) Patent
(iii) Trademark.
Ans:
i) Copyright:
● Copyright is a form of IPR concerned with protecting works of human intellect.
● The domain of copyright is literary and artistic works, might be writings, musicals
and works of fine arts, such as paintings and sculptures, as well as technology-based
works such as computer programs and electronic databases.

ii) Patent: Patent is an exclusive right granted by law to an inventor or assignee to prevent
others from commercially benefiting from his/her patented invention without permission, for
a limited period of time in exchange for detailed public disclosure of the patented invention.

iii) Trademark:
● A trademark is a sign that individualizes the goods or services of a given enterprise
and distinguishes them from those of competitors.
● To fall under law protection, a trademark must be distinctive, and not deceptive,
illegal or immoral.

Q. Explain the following:


(i) Software piracy
(ii) Copyright
(iii) Patent
(iv) Trademark
Ans:
1) Software Piracy:
● Cybercrime Investigation Cell of India defines - software piracy as theft of software
through the illegal copying of genuine programs or the counterfeiting and distribution
of products intended to pass for the original.
SAHIL K

● Software piracy can be defined as - copying and using commercial software


purchased by someone else. Software piracy is illegal.
● Each pirated piece of software takes away from company profits, reducing funds for
further software development initiatives.
● Making duplication of software is an act of copyright infringement, and it’s illegal.
Providing unauthorized access to software or to serial numbers used to register
software can also be illegal.
● Ways to Deal With/Minimize Software Piracy:
○ Have a central location for software programs. Know which applications are
being added, modified or deleted.
○ Secure master copies of software and associate documentation, while
providing faculty access to those programs when needed.
○ Never lend or give commercial software to unlicensed users.
○ Permit only authorized users to install software.
○ Train and make staff aware of software use and security procedures which
reduce likelihood of software piracy.

2) Copyright:
● This law is to keep control on use of the creations in a number of ways.
● These uses include making copies, issuing copies to the public, public performance of
the creation, broadcasting and online use.
● It also gives moral rights to be identified as the creator of those materials and
protection against the distortion or modification.
● The purpose of this law is to gain economic rewards for the efforts.
● This encourages future creativity, development of new material.
● However, copyright law does not protect ideas, names, titles.
● Copyright can be considered as a kind of property, which like a person’s physical
assets, can be bought, sold or inherited, transferred.
● It can either Authorize or prohibit Translation into other languages.
● Examples: Literary, musical, dramatic, artistic, films etc
● This law in India has 15 chapters, with terms, definitions, ownership, terms of
copyrights etc.

3) Patent:
● This is a Legal right granted for limited time, as a monopoly, to the owner by a
country.
● Patents can be overruled by health and safety regulation.
● Patents can be given away, sold, inherited, licensed away and can be abandoned.
● A patent gives an inventor the right, for a limited period, to stop others from making,
using and selling or importing an invention without seeking the permission of the
inventor. And hence called “Negative right”.
● Mostly concerned with technical and functional aspects.
● Patents last up to 20 years in India and most countries outside.
● An Indian patent is not effective outside India (territorial).
SAHIL K

● Apply to The Indian Patent Office for patenting in India. Patent Agents are also
available.

4) Trademarks:
● A trademark is a sign that distinguishes the goods and services of one trader from
another. Signs include Slogans, Words, Logos, Colors, 3-D shapes, Sounds, Gestures.
This is considered as a “Badge” of Trade origin. It can be used as Marketing tool.
● Features:
○ Service Marks: Marks used by the service industry.
○ Well Known Marks: Which are defined and cannot be registered or used.
○ Collective Marks: Used by Group of companies
○ Scope of registration: Unauthorized use of certain marks used for certain
classes used by others are prohibited.
○ Punishment if copied
○ Renewed every 10 years
○ License agreements need not be compulsorily registered.
○ Trademarks can include colors and shape of the product also.

Q. Describe ISO 27001 and ISO 20000.


Ans:
ISO 27001:
● The international organization for standard (ISO) was established in 1997.
● It is a nongovernmental international body that collaborates with the International
Electro technical commission (IEC) and the International Telecommunication Union
(ITU) on information and communication technology (ICT) standards.
● ISO 27001 describes following processes:
○ Definition of Information Security Policy
○ Definition of Scope of ISMS
○ Security Risk Assessment
○ Manage the identified risk
○ Select controls for implementation
○ Prepare SoA (Statement of Applicability)
● ISO 27001 uses PDCA (Plan-Do-Check-Act) approach and this is used to improve the
effectiveness of an organization:
SAHIL K

● Plan: This phase serves to plan the basic organization of information security, set
objectives for information security and choose the appropriate security controls.
● Do: This phase includes carrying out everything that was planned during the previous
phase.
● Check: The purpose of this phase is to monitor the functioning of the ISMS through
various channels, and check whether the results meet the set objectives.
● Act: The purpose of this phase is to improve everything that was identified as
non-compliant in the previous phase.
● ISO 27001 allows selection of objectives and controls of security which shows the
unique security risks and requirements. This information is used to prepare SoA and
then SoA is used to prepare a Risk Treatment Plan.

ISO 20000:
● ISO 20000 is an industry standard like ISO 9000/9001, and like ISO 9000/9001, ISO
20000 offers organizational certification.
● ISO 20000 standards show IT how to manage and improve IT while establishing audit
criteria. It also provides auditors with a documented standard to use for measuring IT
compliance.
● The ITIL offers certifications for individuals but ISO 20000 is an organizational
certification with international recognition.
● ISO 20000 Was basically developed to use best practice guidance provided in the
ITIL framework. This standard was developed / published in December 2005.
● ISO 20000 has two specifications.

i) ISO 20000-1: is the specification for Service Management. It defines the processes and
provides assessment criteria and recommendations for those who are responsible for IT
Service Management. Organizational certification uses this section. It includes following
sections:
● Scope
● Terms and Definitions
● Requirements for a Management System
SAHIL K

● Planning and Implementing Service Management


● Planning and Implementing New or Changed Services
● The Service Delivery Process
● Relationship Processes
● Resolution Processes
● Release Process
● Control Processes

ii) ISO 20000-2: It documents a code of practice that explains how to manage IT with regard
to ISO 20000-1 audits. It includes all the sections from part 1 except requirements for a
management system. Both ISO 20000-1 and ISO 20000-2 derive directly from the ITIL best
practice.
● Already, several governments have stated that ISO 20000 is a requirement for
outsourced IT services. As the industry recognizes the value of ISO 20000, more and
more companies will require their partners and vendors to reach ISO 20000
certification.
● ISO 20000 also includes more than Service Delivery and Service Support. It includes
sections on managing suppliers and the business; as Well as Security Management.
● ISO 20000 can assist the organization in benchmarking its IT service management,
improving its services, demonstrating an ability to meet customer requirements and
create a framework for an independent assessment.
● Some of the most common benefits of ISO 20000 certification for service providers
are as follows:
1) It offers competitive differentiation by demonstrating reliability and high
quality of service.
2) It gives access to key markets, as many organizations in the public sector
mandate that their IT service providers demonstrate compliance with ISO/IEC
20000.

Q. Explain use of PCI DSS.


Ans:
● The Payment Card Industry Data Security Standard (PCI DSS) is a set of security
guidelines and requirements established to protect sensitive payment card data.
● It is crucial for organizations that handle credit card transactions, such as retailers and
financial institutions.
● PCI DSS outlines measures like encryption, access controls, regular system
monitoring, and network segmentation to safeguard cardholder information.
● Compliance with PCI DSS helps mitigate the risk of data breaches and financial
losses, enhances customer trust, and ensures the security of payment card transactions.
● Non-compliance can lead to severe consequences, including fines and reputational
damage.
● Therefore, PCI DSS plays a vital role in safeguarding payment card data and
upholding the integrity of the payment card industry.
SAHIL K

Q. Describe ITIL framework with different stages of life cycle.


Ans:

● The Information Technology Infrastructure Library (ITIL) is a collection of best


practices in IT service management (ITSM), and focuses on the service processes of
IT and considers the central role of the user.
● It was developed by the United Kingdom's Office of Government Commerce (OGC).
Since 2005, ITIL has evolved into ISO/IEC 20000, which is an international standard
within ITSM.
● An ITIL service management self-assessment can be conducted with the help of an
online questionnaire maintained on the website of the IT Service Management Forum.
● The self- assessment questionnaire helps evaluate the following management areas:
(a) Service Level Management
(b) Financial Management
(c) Capacity Management
(d) Service Continuity Management
(e) Availability Management
(f) Service Desk
(g) Incident Management
(h) Problem Management
(i) Configuration Management
(j) Change Management
(k) Release Management

The ITIL framework is a source of good practice in service management. The ITIL library
has the following components:
● ITIL Core: Best-practice publications that may be used by any organization that
provides services to a business.
● ITIL Complementary Guidance: A complementary set of publications with guidance
specific to industry sectors, organization types, operating models and technology
architectures.
SAHIL K

● The objective of the ITIL Service Management framework is to provide services that
are fit for purpose, stable and so reliable that the business views them as a trusted
provider.
● ITIL has been deployed successfully around the world for over 20 years. Over this
time, the framework has evolved from a specialized set of Service Management topics
with a focus on function, to a process-based framework which now provides a broader
holistic Service Lifecycle.

● ITIL can be adapted and used in conjunction with other good practices such as
○ COBIT (a framework for IT Governance and Controls)
○ Six Sigma ( a quality methodology)
○ TOGAF (a framework for IT architecture)
○ ISO 27000 (a standard for IT security)
○ ISO/IEC 20000 (a standard for IT service management)

● IT organizations have traditionally focused on managing the infrastructure services


and technology silos.
● ITIL suggests a more holistic approach to managing services from end to end.
● Managing the entire business service along with its underlying components in a
cohesive manner ensures that every aspect of a service is considered so that the
required functionality and service levels are delivered to the business customer.

● Following are the benefits to organization with ITIL framework:


○ Improve resource utilization
○ Be more competitive
○ Reduce re-work
○ Eliminate redundant work
○ Improve availability, reliability and security of business critical IT services
○ Improve project deliverables and time-scales

Q. Describe the COBIT framework with a neat sketch.


Ans:
SAHIL K

● The Control Objectives for Information and Related Technology (COBIT) is a control
framework that links IT initiatives to business requirements, organizes IT activities
into a generally accepted process model, identifies the major IT resources to be
leveraged and defines the management control objectives to be considered.
● The IT GOVERNANCE INSTITUTE (ITGI) first released it in 1995, and the latest
update is version 4.1, published in 2007.

COBIT 4.1 consists of 7 sections:


1) Executive overview
2) COBIT framework
3) Plan and Organize
4) Acquire and Implement
5) Deliver and Support
6) Monitor and Evaluate
7) Appendices, including a glossary.

● Its core content can be divided according to the 34 IT processes. COBIT is


increasingly accepted internationally as a set of guidance materials for IT governance
that allows managers to bridge the gap between control requirements, technical issues
and business risks.
● Based on COBIT 4.1, the COBIT Security Baseline focuses on the specific risks
around IT security in a way that is simple to follow and implement for small and large
organizations.
● COBIT can be found at ITGI or the Information Systems Audit and Control
Association (ISACA) websites.

Services provided by the COBIT:


1. Manage operations
2. Manage service request and incidence
3. Manage problems
SAHIL K

4. Manage continuity
5. Manage security services
6. Manage business process control

Benefits after implementing COBIT framework:


1. Maintaining high-quality information to support business decisions.
2. Achieving strategic goals and realize business benefits through the effective and
innovative use of IT.
3. Achieving operational excellence through reliable, efficient application of technology.
4. Maintaining IT-related risk at an acceptable level.
5. Optimizing the cost of IT services and technology.
6. Supporting compliance with relevant laws, regulations, contractual agreements and
policies.

THE END

You might also like