Task 1 (a)
Viruses & Worms
A virus is a program that can be loaded and run on your computer without the
user knowing. Some virus carrier programs could be macros, games and email
attachments. Viruses can be used for many different things, from slowing
down the performance of the user's computer by duplicating files and folders
(which takes up the computer's resources) to a program that can see everything
you are doing, which can be used to obtain personal information such as bank
details.
A worm is similar to a virus, but it does not need a carrier program and can
spread from computer to computer; unlike a virus, it has the capability to
travel without any action from a user. A huge problem with worms is that a worm
can replicate itself many times on a user's system and could end up sending
hundreds or even thousands of copies to everyone in your email contacts, and the
same process could happen to them if they click on it. Worms are one of the most
effective ways to bring down a complete network, as the worms just keep
duplicating.
Trojans & Backdoor
A Trojan can look like a piece of software that is supposed to be helpful, but
once installed on a system it can cause data theft and loss, as well as system
crashes or slowdown. Trojans are often downloaded along with other programs or
software packages. Trojans can also create a backdoor on your computer that
gives hackers access to your system, which can allow your confidential or
personal information to be compromised.
A backdoor is a piece of software used by hackers to open ports or exploit any
other vulnerability on a user's computer. The hacker will then know which ports
are open to exploit the system, which allows the hackers to send different
tools and techniques through the open ports.
Spyware & Adware
Spyware is a program that can secretly record what you are doing on your
computer. The purpose of spyware is to capture passwords, banking credentials
and credit card details, which can then be used by hackers to commit fraud.
Spyware is like a Trojan in that it can be downloaded within another program
that you have downloaded, without the user actually knowing or wanting it.
Spyware steals from the user by using the computer's memory resources and also
by using up a lot of bandwidth as it sends information back to the hacker over
the internet connection; because so many resources are taken up by the spyware,
this can also result in frequent system crashes or even make the user's system
unstable.
Adware is software that automatically displays or downloads advertising
material such as pop-ups or banners when a user is online. The software could
seem like it is needed for your computer, as a pop-up message may say "your
computer has a virus, click here for a free scan", when in fact, if the user
does click to get the scan, it is fake and will give the user a virus.
Key logger & Rootkits
Key loggers are a piece of surveillance software used to capture every key you
type into your computer. The keystrokes are saved to a log file that can then
be transferred over the network to the hacker's remote computer or web server,
and the hacker can use the file to check everything you may have entered and so
find all your personal/confidential information, such as passwords to bank
accounts and email addresses. Some key loggers can also be used to take
screenshots. Key loggers can also be used by employers to ensure employees use
work computers for business purposes only.
A rootkit is a type of software designed to hide the fact that an operating
system has been compromised. Rootkits are used to hide malware, bots and worms
so that the anti-virus does not pick them up. To install a rootkit, an attacker
must first gain access to the root account. Rootkits are difficult to detect
because they are activated before your system's operating system has
completely booted up, so even with a good antivirus, rootkits may still not be
detected.
Impact of Operating Systems, using off the shelf software and configuration vulnerability
If there are vulnerabilities within an operating system then it will be open
to attack by malicious programs. Many system administrators install operating
systems with the default settings, such as not setting a password or changing
the username, resulting in potential vulnerabilities that remain unpatched.
There can be many vulnerabilities in application software, especially with
customised software or software downloaded from unknown websites: although
these pieces of software may seem legitimate, they may contain extra software
that seems useful but is in fact malware designed to harm your computer, either
by monitoring your system or by slowing down system performance. Off-the-shelf
software is usually safe as you know where it is from, and you will know it is
safe if it is sealed and bought from big companies such as PC World or
Microsoft.
Dictionary & Brute Force Attack
A dictionary attack is a method of getting into a password-protected computer
or server by systematically entering every word in a dictionary as the
password. A dictionary attack can also be used to find the key necessary to
decrypt an encrypted message or document. Dictionary attacks are not very
successful against systems that use multiple words, combinations of letters and
numbers, and both uppercase and lowercase letters. In that case the brute force
attack method (automated software) is used, which tries every possible
combination of characters and spaces up to a certain length. A brute force
attack may be very successful but can take a very long time to actually obtain
the correct password.
Social engineering
Social engineering refers to the psychological manipulation of people into
performing actions or giving away confidential information. This is a big
threat, as someone may seem nice but really it is a type of confidence trick for
the purpose of information gathering, system access, or even committing fraud by
obtaining your personal bank information or email addresses. Social engineering
is done by human interaction over the phone, by text, by mail or face to face:
for example, someone wanting to gain access to a network could say they urgently
need access to sort out a major problem, and then someone may give them the
password to the network, when really they want to gain confidential information
from it. Social engineering can also be done using phishing, which is used to
convince people to divulge sensitive information such as usernames, passwords,
credit card details and sometimes even money. Phishing makes a website or a
program seem original and trustworthy when really it is a fake duplicate used by
hackers to obtain information; most of the time this works, as people think they
are logging in or paying money to the correct website. A well-known social
engineering scam is the '419 scam'.
Email spamming/Phishing
Email spam (also junk email) is a mass of emails sent to numerous users, where
clicking on the email may send users to phishing websites or sites that host
malware. To protect against email spam, email filtering can be used to sort
emails according to criteria. Greylisting is a method of defending users
against email spam: a mail transfer agent using greylisting will temporarily
reject any email from a sender it does not recognise; if the email is
legitimate, the sending server will try again, and after sufficient time has
elapsed the email will be accepted. A spamtrap is a honeypot used to collect
spam. Spamtraps are usually email addresses created to lure spam.
Spoofing
Spoofing is falsifying the origin of an internet communication in order to
mislead users into thinking they are visiting the real website or reading a
real email, when in fact it is a fake lookalike. Spoofing is widely used to
create fake emails or web pages that look real in order to steal money,
passwords or banking credentials.
Task 1 (b)
Technology and impact of XSS Attack
Cross Site Scripting (XSS) is one of the most common application-layer attacks;
it targets scripts embedded in a page which are executed in the user's web
browser. XSS attacks occur when an attacker uses a web application to send
malicious code, usually in the form of a browser-side script, to a different
end user, so that when a user visits this web page the script is downloaded to
their browser and executed. Cross-site scripting attacks are used to bypass
access controls and to impersonate users.
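The defect behind XSS is a page that copies one user's text into the HTML it serves to other users without encoding it. The following is an added example (not code from the original assignment) showing the vulnerable rendering beside the fixed one; the comment text and the `<p class="comment">` template are constructed for the illustration.

```python
import html

# Constructed sample input: text a visitor submitted through a comment form.
UNTRUSTED_COMMENT = "Nice post! <script>alert('xss')</script>"


def render_comment_vulnerable(comment: str) -> str:
    """Inserts the visitor's text into the page unchanged.

    Whatever markup the text contains becomes part of the page, so a <script>
    element supplied by one user runs in every other user's browser.
    """
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Encodes the HTML metacharacters (& < > " ') before insertion.

    The browser now displays the text literally instead of parsing it as markup.
    """
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def has_live_script(page_html: str) -> bool:
    """Check used by the demonstration: does the rendered page still contain a <script> tag?"""
    return "<script" in page_html.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(UNTRUSTED_COMMENT))
    print(render_comment_safe(UNTRUSTED_COMMENT))
```

Output encoding has to happen at the point where data is written into HTML, because the same string is harmless in a database and harmful inside a page.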
Technology and impact of SQL injection attack
The SQL injection attack is a code injection technique used to attack
data-driven applications, where malicious SQL commands are inserted into an
entry field for execution through a web page. Injected SQL commands can alter
the SQL statement and compromise the security of a web application.
DoS Attack, DDoS Attack and spoofing
A DoS (Denial of Service) attack is when an attacker attempts to prevent users
from accessing information or services by targeting your computer and network,
which prevents users from accessing emails or online websites such as a bank
account. The most common type of DoS attack is when an attacker floods a
network with so much information that when a user wants to visit a site, they
can't, because the server can only process a certain number of requests.
A DoS attack can have a huge impact on an organisation, as it can prevent all
users from doing any work: it stops people within the organisation from
accessing important information or services, such as their work email or their
website, which may contain the information needed to get work done. For an
organisation, being attacked by DoS can result in the loss of a lot of money and
slow or even no productivity; it can also affect the reputation of the
organisation if workers are not able to get work done and customers are not
receiving a service.
A DDoS (Distributed Denial of Service) attack is when a system is targeted by
overwhelming it with hundreds or thousands of requests, forcing it to shut
down. To send all these requests to a target, an intruder usually uses bots,
which makes it hard for the intruder to be caught and also looks less
suspicious, with the requests being sent from many computers rather than just
one. This effectively makes it impossible to stop the attack simply by blocking
a single IP address, and it is also very difficult to distinguish legitimate
user traffic from attack traffic when it is spread across so many points of
origin.
The spoofing technique can be used for a successful DDoS attack: a hacker uses
a third-party organisation's network to attack the victim organisation, so the
incoming packets look like they are coming from a trusted source and are
allowed through, and then crash the victim's network. The technique is also
used to cover the hacker's footsteps, as the hacker is not directly sending the
packets and cannot easily be traced.
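The difference the text draws between a DoS flood from one source and a DDoS spread across many points of origin shows up directly in detection logic. The following added example (not from the original assignment) runs two checks over constructed web-server log lines: a per-source threshold, which catches a single flooding source that can simply be blocked, and an aggregate threshold, which is the only one that fires when no single source stands out. The log format, the thresholds and the documentation-range addresses (203.0.113.0/24, 198.51.100.0/24) are assumptions made for the demonstration.

```python
from collections import Counter

# Constructed log lines of the form "epoch_seconds source_ip METHOD /path"; not a real capture.


def constructed_log(scenario: str) -> list:
    """Three traffic pictures: everyday browsing, one flooding source, many flooding sources."""
    lines = [f"{1000 + i} 10.0.0.{i % 5 + 1} GET /index.html" for i in range(20)]
    if scenario == "dos":
        lines += [f"{1000 + i % 60} 203.0.113.7 GET /login" for i in range(300)]
    elif scenario == "ddos":
        # 200 sources sending 10 requests each: none stands out on its own, the total does.
        lines += [f"{1000 + i % 60} 198.51.100.{i % 200 + 1} GET /login" for i in range(2000)]
    return lines


def parse_line(line: str):
    ts, ip, _request = line.split(" ", 2)
    return int(ts), ip


def analyse_window(lines, window_start, window_len, per_ip_limit, total_limit) -> dict:
    """Counts requests per source inside one time window and classifies the traffic."""
    counts = Counter()
    for line in lines:
        ts, ip = parse_line(line)
        if window_start <= ts < window_start + window_len:
            counts[ip] += 1
    total = sum(counts.values())
    flooding = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
    if flooding:
        verdict = "dos"      # a few sources dominate: rate-limiting or blocking them helps
    elif total > total_limit:
        verdict = "ddos"     # no single source is over the limit, yet the server is saturated
    else:
        verdict = "normal"
    return {"total": total, "sources": len(counts),
            "flooding_ips": flooding, "verdict": verdict}


def classify(scenario: str) -> str:
    """Convenience wrapper: one 60-second window, 50 requests per source, 500 in total."""
    report = analyse_window(constructed_log(scenario), 1000, 60,
                            per_ip_limit=50, total_limit=500)
    return report["verdict"]


if __name__ == "__main__":
    for scenario in ("normal", "dos", "ddos"):
        print(scenario, analyse_window(constructed_log(scenario), 1000, 60, 50, 500))
```

A per-source block list is the right response to the "dos" verdict; the "ddos" verdict is the case the text describes, where blocking one address does nothing and the defence has to move upstream (rate limiting, filtering at the provider, or more capacity).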
Google Hacking technique
The Google hacking technique is a computer hacking technique that uses Google
search to find security holes in the configuration and computer code that
websites use. So if an organisation has all its staff's usernames and passwords
stored on the server and has not changed the setup so that they cannot be read
by Google, then if someone types the correct search into Google they will be
able to find the text document with all the usernames and passwords of people
working within the organisation. This can be a massive security breach if their
confidential information is used, as hackers can tamper with their accounts and
cause big problems for the organisation. For an organisation to protect against
Google hacking, a user will create a robots.txt document with a list of all the
pages they want hidden so they cannot be seen by Google.
Task 1 (c)
The Heartbleed Bug
The Heartbleed bug is a serious vulnerability from recent years that affected
many major websites. It is a serious vulnerability in the popular OpenSSL
cryptographic software library. This weakness allows stealing the information
that is protected, under normal conditions, by the SSL/TLS encryption used to
secure the Internet. The bug allowed anyone on the internet to read the memory
of systems protected by the vulnerable versions of the OpenSSL software; it
allowed attackers to obtain data directly from the services and the users, and
to impersonate services and users.
Affected major sites included Facebook, Instagram, Tumblr, Google Search,
Gmail, Yahoo and Yahoo Mail, Netflix, YouTube, Amazon Web Services and Dropbox.
There wasn't a real technique, but someone did exploit a loophole in OpenSSL,
which was used to attack major websites.
The attack was dealt with by a new version of OpenSSL, called Fixed OpenSSL.
Operating system vendors and distributions, appliance vendors and independent
software vendors have to adopt the fix and notify their users, as the users
have to install the fix to stop them from being attacked.
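The "loophole" was a missing check in OpenSSL's handling of the TLS heartbeat message: the peer states how many bytes of payload it sent and asks for them to be echoed back, and the vulnerable code copied that many bytes without confirming that many had actually arrived, so the reply carried whatever lay beyond the payload in the server's memory. The following is an added, simplified model of that check (not OpenSSL's code and not from the original assignment): the message layout is reduced to a type byte and a 16-bit length, and the "process memory" beside the buffer is a constructed byte string standing in for keys and session data.

```python
import struct
from typing import Optional

# Constructed stand-in for whatever happens to sit after the receive buffer in memory.
MEMORY_BEYOND_BUFFER = b"SECRET-SESSION-COOKIE;PRIVATE-KEY-FRAGMENT"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Type byte 1 (request), big-endian 16-bit length, then the payload.

    The claimed length is whatever the sender writes; nothing forces it to match.
    """
    return struct.pack("!BH", 1, claimed_length) + payload


def handle_vulnerable(message: bytes, process_memory: bytes) -> bytes:
    """Trusts the length field: echoes claimed_length bytes starting at the payload.

    In this model the bytes after the payload are the surrounding process memory,
    so an over-long claim returns data that was never part of the message.
    """
    _msg_type, claimed = struct.unpack("!BH", message[:3])
    buffer = message[3:] + process_memory
    return buffer[:claimed]


def handle_fixed(message: bytes) -> Optional[bytes]:
    """Checks the claimed length against the bytes actually received.

    A message whose claim exceeds its real payload is silently discarded,
    so the reply can never extend beyond the data the peer supplied.
    """
    if len(message) < 3:
        return None
    _msg_type, claimed = struct.unpack("!BH", message[:3])
    payload = message[3:]
    if claimed > len(payload):
        return None
    return payload[:claimed]


if __name__ == "__main__":
    overclaim = build_heartbeat(b"hello", 30)
    print("vulnerable reply:", handle_vulnerable(overclaim, MEMORY_BEYOND_BUFFER))
    print("fixed reply:     ", handle_fixed(overclaim))
```

The general lesson the model carries over to any protocol parser is that a length field supplied by the peer is untrusted input and must be bounded by the number of bytes actually read before it is used to index memory.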
eBay data breach
The data breach affected up to 145 million eBay customers; to secure their
data, everyone was ordered to change their passwords. The breach came from
hackers compromising a small number of employee log-in credentials, which gave
access to eBay's corporate network and allowed the hackers to obtain all eBay
users' confidential data. This breach of security would decrease eBay's
reputation, as it is a massive buyer/seller company that allowed hackers to see
over 145 million customers' personal information; although eBay stated that no
money could be taken, users' confidential information such as home address,
name and date of birth could still be seen. The attack was dealt with by eBay
sending millions of emails to all users telling them to change their passwords,
to lock out any hacker who was viewing their account. eBay stated that if any
email contained a link directing them to a page to reset their password then it
would be a phishing email, as eBay sent emails with no external links. To stop
future attacks, all users must make sure they have complicated, unique
passwords that are different from those of any other accounts they have.
Task 2 (a)
Different features to secure email
Hoax Email
Hoax emails are also known as spoof emails, meaning falsified. A hoax email is
one where the sender changes parts of the email to make it look as though it
was authorised by someone else, meaning that the sender's name/address and the
body of the message may appear to be from a legitimate source such as a bank, a
newspaper or a legitimate company on the web.
S/MIME to protect against hoax email
Secure/Multipurpose Internet Mail Extensions (S/MIME) provides a consistent way
to send and receive MIME data. S/MIME provides cryptographic security services
for electronic messaging applications in different ways: authentication and
message integrity using digital signatures, and data confidentiality using
encryption. S/MIME can be used by mail agents to add cryptographic security
services to mail that is sent, and to interpret cryptographic security services
in mail that is received. S/MIME can also be used with any transport mechanism
that transports MIME data, such as HTTP.
To protect against damage from hoaxing, a few things can be done: generate
alerts; develop and implement a company email use policy; consider a single
point of entry for email to your site, so that mail is much easier to monitor;
and configure your mail delivery daemon to prevent someone from connecting to
your SMTP port to send spoofed emails to other sites. The headers of emails
often contain a complete history of the message's path, but this too can be
spoofed.
Spam guard
Spam guard is a way of stopping emails from flooding a server; it works on
patterns within the emails and on blacklists. Spam guard helps reduce the
amount of spam you receive in your inbox by diverting most of it to your junk
mail folder. With spam guard you can use filters to sort out emails by specific
senders, subject or body text. A spamtrap honeypot can be used to attract
spammers to fake email addresses; spam guard will add every sender of incoming
email to those addresses to a blacklist, as emails sent to those addresses will
most likely be spam. Greylisting will temporarily reject emails from a sender
it does not recognise.
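Greylisting, spamtraps and the blacklist they feed, described here and in the "Email spamming/Phishing" section of Task 1, fit together in a single receiving-side decision. The following added example (not from the original assignment) models that decision as a small mail-guard class returning SMTP-style response codes: 451 (temporary failure, the sender should retry), 550 (refused) and 250 (accepted). The addresses, the 300-second greylist delay and the sequence of delivery attempts are constructed for the demonstration; example.com, example.net and example.org are reserved documentation domains.

```python
# Constructed spamtrap: an address that was never given to anyone, so only harvested
# lists ever write to it.
SPAMTRAP_ADDRESSES = {"unused-mailbox@example.com"}


class MailGuard:
    """Greylisting plus a spamtrap-fed blacklist, modelled on the section's description."""

    def __init__(self, greylist_delay: int = 300):
        self.delay = greylist_delay   # seconds an unknown sender must wait before retrying
        self.first_seen = {}          # (sender, recipient) -> time of the first attempt
        self.blacklist = set()

    def receive(self, now: int, sender: str, recipient: str) -> tuple:
        """Decides one delivery attempt; returns (smtp_code, reason)."""
        if recipient in SPAMTRAP_ADDRESSES:
            # Nobody legitimate writes to a trap address: learn the sender and refuse.
            self.blacklist.add(sender)
            return (550, "spamtrap hit: sender blacklisted")
        if sender in self.blacklist:
            return (550, "sender blacklisted")
        key = (sender, recipient)
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            # Temporary failure: a real mail server queues and retries, most spam bots do not.
            return (451, "greylisted: try again later")
        return (250, "accepted")


def simulate() -> list:
    """Runs a constructed sequence of delivery attempts and returns the response codes."""
    guard = MailGuard(greylist_delay=300)
    attempts = [
        (0,   "newsletter@example.net", "alice@example.com"),        # first contact: greylisted
        (60,  "bot-1@example.org",      "alice@example.com"),        # spam bot, never retries
        (120, "bot-2@example.org",      "unused-mailbox@example.com"),  # hits the spamtrap
        (180, "bot-2@example.org",      "alice@example.com"),        # now blacklisted outright
        (900, "newsletter@example.net", "alice@example.com"),        # retry after the delay: accepted
        (960, "newsletter@example.net", "alice@example.com"),        # known pair: accepted at once
    ]
    return [guard.receive(t, s, r)[0] for t, s, r in attempts]


if __name__ == "__main__":
    print(simulate())   # the legitimate sender is delayed once, the bots never get through
```

The greylist key is (sender, recipient) rather than the sender alone so that a sender who has reached one mailbox is still delayed the first time they write to another; real implementations usually add the sending IP address to the key as well.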
Wireless networked security/Networked devices security
There are a few ways in which you can secure your wireless network to stop
hackers or other users from accessing it. You can use a security password, so
that when you go to connect to the wireless network you have to enter a
password that only you, or anyone else with authorised access, will know.
Another way to secure a network is to change its name: if the name is
BTWIFI-JW7843, a hacker may be able to find out the make and model of the
network equipment and download the right software to hack into the network, so
the name should be changed to something such as the name of the organisation.
Another big problem is that there may be someone outside an organisation with a
strong Wi-Fi signal offering users free internet access; users will use it
because it is free and will think it is coming from a trusted source, as it may
be called "Halifax free Wi-Fi", when in fact it is a hacker wanting users to
connect to the access point so that their devices can be hacked. To stop this
from happening, every organisation should do Wi-Fi checks, making sure there
are no untrusted access points in and around the organisation for users to
connect to. All the MAC addresses of the users' devices have to be saved to the
wireless access point, so that if anyone else tries to connect to the network
they won't be able to, as they don't have access.
Use of transmission media
UTP (unshielded twisted pair) cable is a popular type of cable that consists of
unshielded wires twisted around each other in pairs. UTP is a low-cost cable,
so UTP cabling is widely used for local-area networks (LANs) and telephone
connections. UTP cabling does not have as high a bandwidth, or as good
protection from interference, as coaxial or fibre optic cables. A UTP cable has
4 wires that carry the data and 4 twists that protect the data from EMI.
STP (shielded twisted pair) cables have a conducting shield encasing the
twisted wire pairs, which blocks out electromagnetic interference and allows
the cable to carry data at a faster speed. Shielded cables are much more
expensive than unshielded cables but give much better protection against EMI.
So using a shielded cable instead of an unshielded cable is safer, as you won't
be interrupted by electrical interference, but it will cost a lot more.
Shielded cables are not always necessary: mainly bigger companies use them, or
places such as factories with large electrical equipment, whereas small offices
mainly use unshielded cable as it is cheap and still does the job.
Access Control
There are three factors of access control: something you know (password, PIN
etc.), something you have (card reader, ID card etc.) and something you are
(biometrics such as a fingerprint or retina scan). Access control is a way of
limiting access to a system or to physical or virtual resources. In computing,
access control is used to grant users access and certain privileges to systems,
resources or information (this is mostly used in organisations to allow certain
staff to have access to certain data based on their job role). Access control
is used hugely for security, so that unauthorised users cannot gain access to
certain information or places. A key card may be used to allow access to a
certain area in a company, a fingerprint scan may be used to access a personal
phone, or a password may be used to access a personal computer system or
server.
Secure Password
Having a secure password is very important, as it is what helps keep hackers
from accessing our personal/confidential data. Passwords can be hacked in
different ways, from simply guessing to dictionary-based attacks and phishing.
Never have a password that is easy to remember because it is a family member's,
friend's, favourite place's or pet's name, as people who know you may be able
to guess these passwords easily. A recommended way to create a more secure and
memorable password is to follow a repeatable pattern, which enables your
password to be recreated when needed. These are a few steps that should be
followed in creating a secure and memorable password:
- Start with a memorable phrase such as usesecurepasswords
- Change every other letter to uppercase, resulting in UsEsEcUrEpAsSwOrDs
- Change “a” to “@” and “s” to “5” to yield U5E5EcUrEpa55wOrD5
- Drop every other pair to result in a secure repeatable password 5cUrEpa5wOrD
Following these steps will give you a password that meets all the
requirements, yet can be recreated if necessary.
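The two attacks from Task 1's "Dictionary & Brute Force Attack" section are the yardstick for the steps above, so the following added example (not part of the original assignment) measures the page's own intermediate passwords against both: a dictionary lookup that also reverses common letter-for-symbol substitutions, as attackers' word-mangling rules do, and a brute-force keyspace estimate from the password's length and character classes. The wordlist, the substitution table, the 60-bit cut-off and the assumed guessing rate of 10^10 per second are constructed for the demonstration; a real attack wordlist has millions of entries.

```python
import math
import string

# Constructed wordlist standing in for a dictionary attack's input.
WORDLIST = {"password", "letmein", "qwerty", "fluffy", "london", "usesecurepasswords"}

# Substitutions a mangling rule undoes before the dictionary lookup (constructed table).
UNLEET = str.maketrans({"@": "a", "4": "a", "5": "s", "$": "s", "0": "o", "1": "i", "3": "e"})


def dictionary_hit(password: str) -> bool:
    """True if the password, as typed or with substitutions reversed, is a dictionary word."""
    candidates = {password.lower(), password.translate(UNLEET).lower()}
    return any(c in WORDLIST for c in candidates)


def charset_size(password: str) -> int:
    """Size of the smallest character set a brute force attack must cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        size += len(string.digits)
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the number of candidates of this length drawn from the password's character set."""
    return len(password) * math.log2(charset_size(password))


def assess(password: str, guesses_per_second: float = 1e10) -> dict:
    """Combines both checks: a dictionary hit is weak no matter how large the keyspace."""
    bits = brute_force_bits(password)
    years = 2 ** bits / guesses_per_second / (365 * 24 * 3600)
    hit = dictionary_hit(password)
    return {
        "dictionary_hit": hit,
        "brute_force_bits": bits,
        "years_to_exhaust": years,
        "verdict": "weak" if hit or bits < 60 else "strong",
    }


if __name__ == "__main__":
    for pw in ("letmein", "usesecurepasswords", "UsEsEcUrEpAsSwOrDs",
               "U5E5EcUrEpa55wOrD5", "5cUrEpa5wOrD"):
        print(f"{pw:22} {assess(pw)}")
```

The run makes the point of the final step concrete: the third-step password U5E5EcUrEpa55wOrD5 has a very large brute-force keyspace, yet reversing the substitutions turns it back into the phrase it came from, so a dictionary attack with mangling rules still finds it; only after dropping characters does the result stop being a transformed dictionary word.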
Intrusion Detection System (IDS)
An intrusion detection system is used to detect unauthorised entries and alert
the responsible entity to respond. An IDS gathers and analyses information from
various areas within a computer or a network to identify possible security
breaches. The IDS checks all inbound and outbound network activity and
identifies any suspicious pattern that may indicate an attack on a network or
system by someone attempting to compromise it.
Intrusion Prevention System (IPS)
An IPS is used in computer security to provide policies and rules for network
traffic, along with an IDS for alerting administrators to potentially harmful
traffic, but it also allows action to be taken on the alert. So an IPS
identifies potential threats and allows the administrator to respond to them
quickly, by looking at the incoming traffic and deciding whether a packet
should be dropped if it seems to be harmful.
Use of encryption
Encryption is the process of encoding messages or information so that they can
be understood only by authorised users. Some modes of encryption may provide
higher levels of protection than others, so the more important the
data/information, the better the level of encryption it should use. Encryption
is also used on websites, in wireless network security and for remote access,
to prevent eavesdropping and spoofing.
Task 2 (b)
Active & Passive IDS
In a passive system the IDS detects a potential security breach, then logs the
information and signals an alert to either the administrator or the user, and
it is up to them to take action to block the activity or respond in some way.
In an active system the IDS responds to the suspicious activity itself, by
logging off a user or by reprogramming the firewall to block network traffic
from the suspected malicious source. So whereas in a passive IDS the user has
to do something about any suspicious activity, a reactive IDS deals with the
suspicious activity without user input.
Networked and Host IDS
In a network-based system, individual packets flowing through a network are
analysed, so a NIDS can detect malicious packets that are designed to be
overlooked by a firewall's simple filtering rules. In a host-based system the
IDS examines the activity on each individual computer or host. A network-based
IDS is very good when you want to protect the whole network, which gives it
better protection than a host-based IDS, but a host-based IDS is all that is
needed for a home network. Although a NIDS gives better protection, a
host-based IDS uses up a lot fewer resources.
Knowledge Based and Behaviour Based IDS
Many IDS tools are knowledge based. Knowledge-based intrusion detection
techniques apply the knowledge accumulated about specific attacks and system
vulnerabilities: the IDS contains information about the vulnerabilities and
looks for attempts to exploit them. When an attempt is detected, an alarm is
triggered to warn the administrator. A knowledge-based IDS has many advantages,
such as a very low false alarm rate, and the contextual analysis proposed by
the IDS is very detailed, which makes it easier for people using the IDS to
take action to prevent or correct the problem. The maintenance of a
knowledge-based IDS requires careful analysis of each vulnerability, which can
take up a lot of time.
Behaviour-based IDS techniques assume that an intrusion can be detected by
observing a deviation from the normal or expected behaviour of the system or
its users. The model of normal or accepted behaviour is taken from reference
information, and the IDS later compares this model with current activity. When
an irregularity is observed, an alarm is generated. There are also many
advantages of a behaviour-based IDS: it can detect attempts to exploit new and
unforeseen vulnerabilities, and it can help detect 'abuse of privileges' types
of attack that do not actually involve exploiting any security vulnerability.
A behaviour-based IDS has a high false alarm rate, and the information system
can undergo attacks at the same time as the intrusion detection system is
learning the behaviour.
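The trade-offs listed for the two approaches can be seen side by side on the same input. The following added example (not from the original assignment) runs a knowledge-based detector (regular-expression signatures for known request patterns) and a behaviour-based detector (a per-user profile of normally visited paths, learned from a training period) over constructed "user path" log lines. The signatures, the log format and the users' activity are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Knowledge base: constructed, illustrative signatures for two well-known request patterns.
SIGNATURES = {
    "sql-injection": re.compile(r"union\s+select|'\s*or\s*'1'\s*=\s*'1", re.I),
    "path-traversal": re.compile(r"\.\./|/etc/passwd", re.I),
}

# Constructed log lines ("user path"): a training period of normal behaviour ...
TRAINING_LOG = [
    "alice /home", "alice /reports", "alice /reports", "alice /home",
    "bob /home", "bob /home", "bob /tickets",
]
# ... and the activity being examined now.
CURRENT_LOG = [
    "alice /home",
    "alice /reports?id=1 union select username,password from users",  # known attack pattern
    "bob /admin/users",   # no exploit involved, but bob has never touched the admin area
    "alice /help",        # harmless new page: the behaviour-based detector flags it anyway
]


def parse(line: str):
    user, path = line.split(" ", 1)
    return user, path


def base_path(path: str) -> str:
    """Strips the query string so /reports?id=1 and /reports count as the same page."""
    return path.split("?", 1)[0]


def knowledge_based(lines) -> list:
    """Signature matching: alerts only on patterns it already knows, with a precise label."""
    alerts = []
    for line in lines:
        user, path = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((user, name))
    return alerts


def learn_profile(lines) -> dict:
    """Builds the model of normal behaviour: the set of pages each user normally visits."""
    profile = defaultdict(set)
    for line in lines:
        user, path = parse(line)
        profile[user].add(base_path(path))
    return profile


def behaviour_based(lines, profile) -> list:
    """Anomaly detection: alerts on any page outside the user's learned profile."""
    alerts = []
    for line in lines:
        user, path = parse(line)
        page = base_path(path)
        if page not in profile.get(user, set()):
            alerts.append((user, "unusual-path:" + page))
    return alerts


if __name__ == "__main__":
    print("knowledge-based:", knowledge_based(CURRENT_LOG))
    print("behaviour-based:", behaviour_based(CURRENT_LOG, learn_profile(TRAINING_LOG)))
```

The output shows each approach's blind spot: the signature detector names the injection exactly but says nothing about bob's first visit to the admin area (an abuse of privilege with no exploit to match), while the behaviour detector catches that but also raises a false alarm on alice's harmless visit to a new page, and it would have learned bob's admin visits as "normal" had they occurred during the training period.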
Firewall and how it works
A firewall is a piece of software/hardware, built into the router, that is the
first line of defence for a network: it checks information coming from the
internet/network and then either blocks it or allows it to pass through to your
computer, depending on your firewall settings. A firewall is based on rules
that are set by the user. Many organisations prefer to have the firewall before
the router so that the router does not get overloaded with all the traffic at
once. If a data packet has a certain pattern, the firewall will know whether it
is bad because of the ACL (Access Control List), a database of thousands of
rules that the firewall uses to classify different data packets. Packets
coming through the network have content and a header showing the IP address
the packets are from, and there is a CRC (Cyclic Redundancy Check) to see
whether the packets have arrived at the destination completely intact and none
have been dropped because of electrical errors.
Different types of Firewall
The first generation of firewall was the packet filtering firewall, then the
proxy firewall was used, and the current generation of firewall in use is the
stateful inspection firewall.
Packet Filtering Firewall
The first generation of firewall available to the public, and one of the most
basic, was the packet filtering firewall, which checks every single data packet
and controls what data can flow into and out of a network; but the firewall
does not check the content or header, so it is easy for hackers to bypass the
firewall by amending the content and header.
Stateful Inspection Firewall
The current generation of firewall in use is the stateful inspection firewall,
which keeps a record of all the incoming and outgoing traffic. The firewall
works on a trust basis: if certain packets have entered through the firewall
before and have already been trusted several times then less inspection is
needed, whereas if new packets are entering the firewall then a more thorough
check will be made to see whether the packets can be trusted or not. The state
table (which keeps a record of all the connections within the network) is
changed regularly, making it a slightly slower firewall than packet filtering.
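The difference between a packet filter judging each packet on its own against an ACL and a stateful firewall consulting a state table of known connections shows most clearly on reply traffic. The following added example (not from the original assignment) models both on the same packets: the ACL allows inbound connections only to a web server, and the stateful firewall additionally allows inbound packets that answer a connection an inside host opened. The network layout (10.0.0.0/24 inside, one web server, documentation-range outside addresses), the rule set and the packets are constructed for the demonstration; TCP is reduced to a single SYN flag.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True on the first packet of a new TCP connection


INTERNAL_PREFIX = "10.0.0."   # constructed: the protected network is 10.0.0.0/24
WEB_SERVER = "10.0.0.5"

# Access control list for inbound traffic: evaluated top to bottom, first match wins.
ACL = [
    ("allow", WEB_SERVER, 80),   # the public web server
    ("deny", "any", "any"),      # everything else
]


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt: Packet) -> str:
    """Stateless: decides from the header of this one packet and the ACL alone."""
    if is_internal(pkt.src):
        return "allow"   # outbound traffic is unrestricted in this model
    for action, dst, dport in ACL:
        if dst in ("any", pkt.dst) and dport in ("any", pkt.dport):
            return action
    return "deny"


class StatefulFirewall:
    """Keeps a state table of connections and admits replies to connections it has seen."""

    def __init__(self):
        self.state = set()   # entries: (inside_ip, inside_port, outside_ip, outside_port)

    def inspect(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))   # remember what we opened
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"   # a reply to a connection an inside host opened
        if pkt.syn and packet_filter(pkt) == "allow":
            self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))   # new inbound connection the ACL permits
            return "allow"
        return "deny"


def compare() -> dict:
    """Runs the same constructed packets through both firewalls; returns {name: (filter, stateful)}."""
    fw = StatefulFirewall()
    packets = [
        ("outbound",    Packet("10.0.0.9", 52000, "203.0.113.1", 443, syn=True)),
        ("reply",       Packet("203.0.113.1", 443, "10.0.0.9", 52000)),   # answers the line above
        ("unsolicited", Packet("203.0.113.1", 443, "10.0.0.9", 52001)),   # no matching connection
        ("web_request", Packet("198.51.100.4", 40000, WEB_SERVER, 80, syn=True)),
        ("ssh_attempt", Packet("198.51.100.4", 40001, WEB_SERVER, 22, syn=True)),
    ]
    return {name: (packet_filter(pkt), fw.inspect(pkt)) for name, pkt in packets}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12} packet filter={verdicts[0]:5} stateful={verdicts[1]}")
```

The "reply" row is the one that matters: a stateless filter can only admit it by opening every high port to inbound traffic, whereas the stateful firewall admits exactly the reply it expects and still refuses the "unsolicited" packet from the same outside host. The per-packet lookup in the state table is also why the text describes this generation as slightly slower than plain packet filtering.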
Proxy Firewall
The proxy firewall had very good security, as all the traffic coming in and
going out passes through the proxy firewall, which allows very good control,
such as monitoring who is visiting which websites and easily blocking certain
content; this is very useful in organisations and schools. The security is also
very good because every part of every data packet that goes through the
firewall gets checked, but this can slow down the whole network, as every
detail of the packets is checked.
HoneyPot
A honeypot system is a computer that usually sits in the screened subnet or DMZ
and attempts to attract attackers to it instead of to the actual production
computers. Hackers will try to attack through the web and database server, but
for protection a replica server is used, set up by the administrator, who
enables services and ports that are popular to exploit in order to attract
attackers and keep their attention away from the real servers. Using a
honeypot, the replica allows the administrator to monitor what techniques
hackers are using, which can allow greater protection for the real servers, and
you can protect yourself from the techniques hackers are using. Many
organisations will buy a normal computer but use honeypot software to make it
look like it is very powerful and has all the real data, which makes it look
important and so attracts the attackers.
Anti-Virus
A virus is a piece of malware that tries to harm your computer in different
ways. The anti-virus picks up the malware that gets through the firewall. An
anti-virus is a specialised software engine that works on the basis of
signatures: it checks the files on your computer and then notifies the user,
who can then remove the piece of malware. It is important to keep your
anti-virus updated and to scan your computer for threats regularly.
Anti spyware
Anti-spyware is similar to an anti-virus: it helps to block and prevent spyware
and malware infections. Anti-spyware monitors incoming data from emails,
websites and file downloads, and stops spyware programs from infecting the
computer's operating system.