Cyber Security Unit-3

exam preparation

Uploaded by

All Accounts
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
0% found this document useful (0 votes)
93 views16 pages

Cyber Security Unit-3

exam preparation

Uploaded by

All Accounts
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
You are on page 1/ 16
UNIT-3: Intrusion Detection and Prevention

Q1. Define intruder. List the categories of intruders.

Answer:

Intruder

An intruder is a person who tries to gain access to a system in an unauthorized way by violating its security. Viruses and intruders are the two important threats to security. Intruders are commonly known as hackers or crackers.

Classes of Intruders

Intruders are categorized into the following three classes:

1. Masquerader
2. Misfeasor
3. Clandestine user

Q2. What is physical theft?

Answer:

Physical theft refers to an activity where an unauthorized person (or an attacker) gains physical access to an authorized user's data by stealing his/her computer system. If the data is in encrypted form then it cannot be misused; otherwise the sensitive data available in the system can be misused for illegal activities. Some of the devices that are stolen frequently are:

1. Laptops/Computers
2. Removable storage media
3. Mobile phones

Q3. What is unauthorized access by an outsider?

Answer:

Unauthorized access by an outsider is a form of threat in which an unauthorized user secretly intrudes into the system to perform unauthorized changes, causing harm to the system by introducing malicious code or accessing data transmitted over the network, taking undue advantage of privileges meant only for authorized users, stealing confidential data, making unauthorized downloads and altering messages. Another important concern is that this type of access is not confined to a single system within the network: the unauthorized user can easily intrude into any information system if proper security is not provided.

Q4. Write a short note on backdoors.

Answer:

Backdoors are also known as trapdoors. They allow malicious users to access the system without executing any security-related function. Backdoors have been used legitimately by programmers for many years in order to debug and test programs. This is done by developing an application which includes an authentication procedure; while debugging, the developer wants to attain special rights in order to escape the setup procedure. The developer also wishes to ensure that the activation method is executed incorrectly with the authentication function which is incorporated in the application. Backdoors can be built into the system as well as into network devices. A backdoor is program code which recognizes some input event sequence; the sequence can be activated by executing it from a particular user account. One way to detect backdoors is by receiving appropriate update information regarding the software and by concentrating on developing a software program.

SIA Publishers and Distributors Pvt. Ltd.

Q5. Write about signature-based detection. List its advantages.

Answer:

Signature-based Detection

This technique examines the behavior or patterns of the network traffic. If a pattern matches the known behavior of an intrusion, it raises an alarm. On disclosure of a new vulnerability, researchers develop signatures in order to counter it. A signature-based system views a payload and determines whether it includes a matching signature.

Advantages

1. Signature-based detection identifies an intrusion attempt more accurately.
2. It is simple to implement and runs as a lightweight process.
3. It saves time, as administrators spend less time dealing with false positives.
4. It can easily track down the cause of an alarm, thanks to its detailed log files.

Q6. Discuss about Host-based Intrusion Prevention System along with its advantage and disadvantage.

Answer:

A Host-based Intrusion Prevention System (HIPS) can be defined as an installed software package that monitors and analyzes the processes that occur within the host system. Within the system it is also responsible for monitoring the following:

1. Processes
2. System calls
3. Inter-process communication
4. Network traffic
5. Behavioral patterns

This is performed in order to identify suspicious activities and prevent them from entering the system.

Advantage

It is capable of examining the encrypted network traffic to identify any malicious software.

Disadvantage

It needs more processing and adds system utilization overhead.

Q7. List any five advantages of a Security Information Management System.

Answer:

The advantages of a security information management system are as follows:

1. It provides security to organizational information.
2. It helps to avoid data loss while transferring data from source to destination.
3. It assists in securing and maintaining the confidentiality, integrity and availability of information in an organization.
4. It helps the security analyst to run complex queries across its database.
5. It allows the data from multiple systems to be normalized into a uniform database structure, which in turn allows an analyst to investigate suspicious activity or a known incident across different aspects and elements of the IT environment.

Q8. What is session data?

Answer:

Session data can be defined as a summary of a conversation or communication between two computer systems over the network. The various elements of the conversation are maintained so that they can be used for future purposes. Session data can be generated from various sources and consists of the following information:

1. Source IP address
2. Source port
3. Destination IP address
4. Destination port
5. Timestamp data
6. Bytes transferred
7. Packet distribution

Q9. Define intruder. Explain the categories of intruders.

Answer:

Intruder

An intruder is a person who tries to gain access to a system in an unauthorized way by violating its security. Viruses and intruders are the two important threats to security. Intruders are commonly known as hackers or crackers. Intruders are categorized into the following three classes:

1. Masquerader

A masquerader is an individual who is not authorized to use the system but penetrates its access controls in order to exploit a legitimate user's account.

2. Misfeasor

A misfeasor is a legitimate user who is allowed to access certain data, programs or system resources but misuses these access rights to reach data or programs for which he is not authorized. A misfeasor can also be a person who misuses his privileges to access data.

3. Clandestine User

A clandestine user is a person who may reside inside or outside the system. This user seizes the administrative (supervisory) controls and uses them to avoid auditing or to hide data collection.

Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) are the two solutions used to fight intrusion. An IDS raises an alarm to the administrator whenever it detects an intrusion. An IPS acts as a router which checks the network traffic and, if it detects an intrusion, does not allow the threat to enter the system.
Q10. Explain in brief about the following:
(a) Physical theft
(b) Abuse of privilege

Answer:

(a) Physical Theft

Physical theft refers to an activity where an unauthorized person (or an attacker) gains physical access to an authorized user's data by stealing his/her computer system. If the data is in encrypted form then it cannot be misused; otherwise the sensitive data available in the system can be misused for illegal activities. Some of the devices that are stolen frequently are laptops/computers, removable storage media and mobile phones. For example, in laptop theft a person steals the laptop of an authorized user who stores sensitive information on it; the unauthorized person thereby gains physical access and may perform illegal activities and misuse it. So, physical security must be provided to avoid such theft.

(b) Abuse of Privilege

Abuse of privilege can be defined as a situation where an authorized person misuses his/her privileges and performs unauthorized tasks, such as distributing confidential files to unauthorized persons. It is also referred to as an insider attack, which vandalizes (damages) sensitive or confidential information, for instance by injecting Trojan viruses within the system or network. It is mainly carried out by people working within the company such as employees, former employees, contractors or business associates, and also by those persons who have information related to the security measures, data and computer systems of the organization. Additionally, it can affect the availability of the system by overloading the network and making the system run slower.

Apart from this, the insider attack is considered more powerful than an external attack. This is because the insider attacker has authorized access to the system and is also informed about its security tools, so the threat posed by an insider is severe in comparison to an external attack, against which many companies already have security measures in place. The various reasons which enable insider attacks are mistakes, negligence and recklessness. The types of insider threat are:

(i) Malicious insider threat
(ii) Careless insider threat
(iii) Tricked insider threat: this happens when people in the company are not truthful regarding their identities and purpose.

Q11. Define outsider. Explain in brief about the techniques used by outsiders.

Answer:

Outsider

An outsider can be defined as a person who does not have any authorized access to the system or its resources. Even though he/she is not authorized to use the system, he/she still succeeds in gaining all the access controls of the system. Unauthorized access by an outsider is a form of threat in which such a user secretly intrudes into the system to perform unauthorized changes, introduces malicious code, accesses data transmitted over the network, takes undue advantage of privileges meant only for authorized users, steals confidential data, makes unauthorized downloads and alters messages. Another important concern is that this type of access is not confined to a single system within the network: the unauthorized user can easily intrude into any information system if proper security is not provided.

Techniques used by Outsiders

The techniques used by an outsider to gain access to an authorized user's system are as follows:

(i) Password Guessing

Password guessing is nothing but guessing the user names and passwords of an authorized user: all the available information about the authorized user, such as their complete name, the names of their family members, their hobbies etc., is gathered and tried.

(ii) Social Engineering

Social engineering can be defined as a technique wherein a user is leveraged or influenced so as to enable the attack. In simple terms, it is based on deception: the attacker secretly acquires the information needed to perform the attack. Here employees are tricked by fake people who act as legitimate members of the company; such fake people ask the employees to give away their system passwords. As a result, information can be taken away secretly by intruders without the knowledge of the employees.

Q12. Define malware. Explain the various malware programs.

Answer:

Malware

Malware refers to a malicious software program that is intentionally attached to a legitimate program in order to cause damage to the system's confidential data or resources.

Malware Programs

The various malicious software programs are as follows:

1. Viruses

A virus is a software program that creates a duplicate copy of itself and infects another computer without the knowledge of the user. In order to duplicate itself, a virus must execute code and be written to memory. Viruses are usually transmitted along with an e-mail message or in a downloaded file.

2. Trojan Horses

A trojan horse can be defined as a computer program containing hidden code which results in harmful functioning after execution. These programs allow users to access information for which they are not authorized. Such programs are modified when compared to the legitimate software they resemble. Trojan horses allow attackers to access functions indirectly. Most trojan horse infections occur because the authentic user is tricked into executing an infected malicious program. The important feature of a trojan horse is that it has all the capabilities and permissions of the authorized user. A trojan horse can be either a malicious or a non-malicious program. The following are some of the damages caused by trojan horses:

(i) Deleting or overwriting data on the computer
(ii) Corrupting files in mysterious ways
(iii) Deactivating antivirus software
(iv) Randomly shutting down the system

The best way to detect trojan horses is to identify the executable files that have been changed, by comparing the CRC values of all executable files in the system against their previously recorded values.

3. Worms

Worms are software programs that replicate themselves and transmit the cloned copy to other computers using the network. They are reproducing programs that execute independently and travel across network connections; such worms are termed network worms. Worms are similar to viruses, but the only difference is that worms do not attach themselves to an existing program. The difficult task for a worm is that it requires program code to be executed on a remote host system. Worms propagate by utilizing software vulnerabilities available in the operating system. An e-mail virus has the same behavior as a computer worm, but the former requires a human to perform the actions whereas the latter independently searches for systems on which to perform its actions. A network worm can exhibit the same property as a computer virus once it has been activated to perform a destructive action.

4. Trapdoor/Backdoor

Backdoors are also known as trapdoors. They allow malicious users to access the system without executing any security-related function. Backdoors have been used legitimately by programmers for many years in order to debug and test programs: the application includes an authentication procedure, and while debugging the developer wants to attain special rights in order to escape the setup procedure and to ensure that the activation method is executed incorrectly with the authentication function incorporated in the application. Backdoors can be built into the system as well as into network devices. A backdoor is program code which recognizes some input event sequence; the sequence can be activated by executing it from a particular user account. One way to detect backdoors is by receiving appropriate update information regarding the software and by concentrating on developing a software program.
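The CRC-comparison check for altered executables described under trojan horses, as an added worked example that is not part of this textbook: it records a checksum for every executable under a directory, then reports files whose checksum changed, appeared or vanished. It uses zlib.crc32 as the text suggests and offers sha256 as an option, since a CRC32 can be matched deliberately; the directory contents are constructed, and the extension rule for "executable" is an assumption.

```python
"""Baseline-and-compare check for altered executables, the trojan-detection
method the text describes (compare CRC values of all executables against a
stored set). Added example, not from the book. Uses zlib.crc32 as the text
says; sha256 is offered too, since CRC32 is easy to collide on purpose."""
import hashlib
import os
import tempfile
import zlib


def file_checksum(path, algo="crc32"):
    """Checksum of one file as a hex string (crc32 per the text, or sha256)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if algo == "crc32":
        return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"
    return hashlib.sha256(data).hexdigest()


def is_executable(path):
    """Executable by mode bit, or by a Windows-style extension (assumed rule)."""
    return os.access(path, os.X_OK) or path.lower().endswith((".exe", ".dll"))


def build_baseline(root, algo="crc32"):
    """Walk root and record a checksum for every executable file under it."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and is_executable(full):
                baseline[os.path.relpath(full, root)] = file_checksum(full, algo)
    return baseline


def compare_baseline(old, new):
    """Executables whose checksum changed, plus ones that appeared or vanished."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Constructed scenario: two executables, one is tampered, one is dropped."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("login.exe", b"MZ legit"), ("svc.exe", b"MZ service")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        before = build_baseline(root)
        with open(os.path.join(root, "login.exe"), "ab") as fh:
            fh.write(b"\x90 injected")   # simulate a patched binary
        with open(os.path.join(root, "helper.exe"), "wb") as fh:
            fh.write(b"MZ dropped")      # simulate a newly dropped file
        return compare_baseline(before, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the intruder cannot rewrite, otherwise a changed file and a refreshed baseline look identical.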
Q13. Discuss about intrusion detection and prevention techniques.

Answer:

Intrusion Detection System

The Intrusion Detection System (IDS) is a defensive tool which is used for detecting malicious attacks affecting the security features of a system.

Intrusion Prevention System

The Intrusion Prevention System (IPS) is a tool that not only detects malicious attacks but also attempts to stop them from entering the system. These two systems together are known as an Intrusion Detection and Prevention System (IDPS).

Intrusion Detection and Prevention Techniques

The various intrusion detection and prevention techniques are as follows:

(i) Signature-based Detection

This technique examines the behavior or patterns of the network traffic. If a pattern matches the known behavior of an intrusion, it raises an alarm. On disclosure of a new vulnerability, researchers develop signatures in order to counter the threat. A signature-based system views a payload and determines whether it includes a matching signature.

Network-based Intrusion Detection System (NIDS)

Figure: Functioning of NIDS

An IDS located in front of the firewall keeps track of the network traffic flowing in the network and helps the user to evaluate the huge amount of data over the network, while a NIDS located behind the firewall displays the traffic entering through the firewall. A NIDS is connected to a switch, hub or tap, where a group of switches or hubs provides a monitoring port for troubleshooting and diagnostic functions.

Figure: Connections to the Network Using a Hub

Passive and Active Responses

At the network level, two types of responses are generated: passive and active. In an active response the system initiates the necessary actions to reduce the effect of the attack, whereas in a passive response it informs the administrator regarding the attack, which is the easiest method to develop and implement.

Passive Responses

The general passive response techniques are as follows:

1. Logging: Events are recorded along with the situation in which they occurred. Besides this, it also presents information about the nature of the attack. This information is necessary to develop a method to counter the threat.
2. Notification: The administrator is informed about the attack.
3. Shunning: This is the act of avoiding the attack. It requires having accurate plans and policies in place which specify to the system how to detect and handle malicious attacks.

Active Responses

Based on these plans, active responses are set into the system so that the system overcomes the attack. The following are the active responses:

1. Terminating Processes: The active response detects and removes all the malicious processes and sessions which are trying to access the system. At this moment, the IDS resets the affected network connections.

Figure: Process of IDS Forcing TCP Reset (1. Attack detected, 2. IDS analysis/response, 3. TCP reset command)

2. Network Configuration Changes: Here, the border router or firewall needs to be informed so as to block requests to the network coming from a specific attacked socket or port.

Figure: Process of IDS Instructing the Firewall to Close the Port (1. Alert detected, 2. IDS analysis/response, 3. Port 80 closed: close 80, 60 seconds)

3. Deception: This changes the route of an attacker to a honeypot, i.e. a system already set up for this purpose. This shows how the data related to an attack was collected.

Figure: Process of a Network Honeypot Deceiving an Attacker (1. Attack, 2. Analysis/response, 3. Reroute network traffic)

NETWORK-BASED INTRUSION PREVENTION SYSTEMS, HOST-BASED INTRUSION PREVENTION SYSTEMS

Q16. Explain briefly about the following:
(i) Network-based intrusion prevention system
(ii) Host-based intrusion prevention system

Answer:

(i) Network-based Intrusion Prevention System (NIPS)

A Network-based Intrusion Prevention System (NIPS) is a tool that is mainly developed to stop attempts to enter the system over the network. It is deployed inline in the network to monitor the internal traffic, where each packet is examined: if the traffic pattern does not match a known intrusion pattern, the packet is passed, and suspicious packets are discarded.

Advantage

It detects known behavior patterns and prevents them from entering the system.

Disadvantages

1. Encrypted data cannot be examined by it.
2. It cannot cope with hosts having very high network traffic rates.

(ii) Host-based Intrusion Prevention System (HIPS)

A Host-based Intrusion Prevention System (HIPS) is an installed software package that monitors and analyzes the processes that occur within the host system. It is also responsible for monitoring the following:

1. Processes
2. System calls
3. Inter-process communication
4. Network traffic
5. Behavioral patterns

This is performed in order to identify suspicious activities and prevent them from entering the system.

Advantage

It is capable of examining the encrypted network traffic to identify any malicious software.

Disadvantage

It needs more processing and adds system utilization overhead.

SECURITY INFORMATION MANAGEMENT

Q17. Discuss about Security Information Management System.

Answer:

Security Information Management System

A Security Information Management System (SIMS) is a tool that acts as a centralized repository used to store, organize and analyze the log data collected by various security devices such as firewalls, intrusion detection systems, servers etc. The purpose of SIMS is to deal with the logs collected from across the organization so that it can counter many threats. Moreover, SIMS guarantees an acceptable level of security within the organization.

Advantages of Security Information Management System

The advantages of a security information management system are as follows:

1. It provides security to organizational information.
2. It helps to avoid data loss while transferring data from source to destination.
3. It assists in securing and maintaining the confidentiality, integrity and availability of information in an organization.
4. It helps the security analyst to run complex queries across its database.
5. It allows the data from multiple systems to be normalized into a uniform database structure, which in turn allows an analyst to investigate suspicious activity or a known incident across different aspects and elements of the IT environment.
6. It provides assurance of protection against unauthorized access.

Q18. Explain about the following:
(a) Network session analysis and session data
(b) System integrity validation

Answer:

(a) Network Session Analysis and Session Data

Network Session Analysis

Network session analysis can be defined as the process of analyzing the session data of the conversations taking place in the network.

Session Data

Session data can be defined as a summary of a conversation or communication between two computer systems over the network. The various elements of the conversation are maintained so that they can be used for future purposes. Session data can be generated from various sources and consists of the following information:

1. Source IP address
2. Source port
3. Destination IP address
4. Destination port
5. Timestamp data
6. Bytes transferred
7. Packet distribution

This information can be used to examine the traffic sessions and identify suspicious activity in the network which needs further investigation. Consider an example: if a server which is configured for internal use communicates with an external address, i.e. the internet, and establishes a session or multiple sessions without any purpose, then an alarm is raised. This indicates to the analyst that there is a suspected malware infection or intrusion on the network which needs further investigation.

Abnormal sessions can be identified by generating various queries in which conditions such as the session lifetime, byte count and baseline are specified. This means that if a session exceeds the condition, it is considered an abnormal session.

(b) System Integrity Validation

System Integrity Validation (SIV) is also called a system integrity verifier. It can be defined as a technology which analyzes the running processes and memory of the system and detects malicious software. It also watches the system's files and detects when an intruder creates, changes or deletes those files. SIV can be considered a powerful tool to detect intrusions if it is implemented properly.
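The abnormal-session queries described under network session analysis, as an added example that is not part of this textbook: it builds a per-host byte baseline from past session records, then flags today's sessions whose lifetime exceeds a limit, whose byte count exceeds the baseline, or where an internal-only server reached an external address. The address ranges, the internal-only server 10.0.0.5, the session records and the thresholds are all constructed.

```python
"""Abnormal-session queries over session data, as the network session analysis
answer describes: session lifetime, byte count against a baseline, and an
internal-only server talking to an external address. Added example, not from
the book; the hosts, records and thresholds below are constructed."""
import ipaddress
import statistics
from dataclasses import dataclass


@dataclass
class Session:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    start: int      # timestamp, epoch seconds
    end: int
    nbytes: int     # bytes transferred
    packets: int    # packet count (listed by the text; not used in the rules)

    @property
    def lifetime(self):
        return self.end - self.start


# Constructed address plan: inside ranges, plus a server with no business on the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INTERNAL_ONLY_SERVERS = {"10.0.0.5"}


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def build_byte_baseline(history, k=3.0):
    """Per-source-host byte baseline from past sessions: mean + k * stdev."""
    per_host = {}
    for s in history:
        per_host.setdefault(s.src_ip, []).append(s.nbytes)
    return {h: statistics.mean(v) + k * statistics.pstdev(v) for h, v in per_host.items()}


def find_abnormal(sessions, baseline, max_lifetime=3600):
    """Map (src_ip, src_port, dst_ip, dst_port) -> reasons, for abnormal sessions only."""
    flagged = {}
    for s in sessions:
        reasons = []
        if s.src_ip in INTERNAL_ONLY_SERVERS and not is_internal(s.dst_ip):
            reasons.append("internal-only server reached an external address")
        if s.lifetime > max_lifetime:
            reasons.append(f"lifetime {s.lifetime}s exceeds {max_lifetime}s")
        limit = baseline.get(s.src_ip)
        if limit is not None and s.nbytes > limit:
            reasons.append(f"{s.nbytes} bytes above baseline {limit:.0f}")
        if reasons:
            flagged[(s.src_ip, s.src_port, s.dst_ip, s.dst_port)] = reasons
    return flagged


# Constructed history (normal days) and today's sessions to query.
HISTORY = [Session("10.0.0.5", 51000 + i, "10.0.0.20", 445, 0, 30, b, 20)
           for i, b in enumerate((1000, 1200, 900, 1100))]
HISTORY += [Session("192.168.1.10", 41000 + i, "192.168.1.50", 22, 0, 300, b, 40)
            for i, b in enumerate((5000, 5500, 4500))]
TODAY = [
    Session("10.0.0.5", 50123, "10.0.0.20", 445, 1000, 1030, 1100, 20),           # normal
    Session("10.0.0.5", 50124, "203.0.113.7", 443, 2000, 2060, 1200, 15),         # to internet
    Session("192.168.1.10", 40000, "198.51.100.9", 443, 3000, 8000, 90000, 900),  # long, huge
    Session("192.168.1.10", 40001, "192.168.1.50", 22, 9000, 9300, 5200, 40),     # normal
]


def demo():
    return find_abnormal(TODAY, build_byte_baseline(HISTORY))
```

A host with only one or two past sessions gets a baseline of roughly its own mean, so in practice require a minimum history before applying the byte rule.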
