Cyber Security Unit 5

The document discusses computer intrusion, detailing unauthorized access methods and common types of attacks such as sweeper attacks, denial of service, and password guessing. It also covers firewalls, their types, advantages, and disadvantages, as well as intrusion detection systems (IDS) and password management practices. Additionally, it defines trusted systems and their key features for maintaining security in digital environments.
Cyber Security unit 5

Computer Intrusion
Computer intrusion refers to any unauthorized access to, or breach of, a computer system, network or device.

These intrusions are typically carried out by hackers or by malicious software in order to steal data, disrupt operations, or gain control of a system.

During a computer intrusion the attacker bypasses security controls such as passwords, firewalls or antivirus software, and the system is accessed without permission.

The intruder can then steal sensitive data, plant malware, spy on activity or shut down operations.

Common Types
Sweeper Attack
Cyber criminals use a malicious program to erase information or data, such as the cache, cookies, internet history or documents, from the system.

Denial of Service
A DoS/DDoS attack is one in which the attacker shuts down the PC's services, making them inaccessible to their legitimate users. All the system's applications and stored resources come to a halt.

Password Guessing
Many hackers crack the passwords of system accounts by guessing them and so gain remote entry into a personal computer: passwords are guessed repeatedly until access is gained.

Snooping
It refers to opening and looking into someone's computer or data without their permission.

It can be:

Reading someone else’s emails or messages

Using special software to watch what another person is doing on their device

Tracking what keys they press (to steal passwords or personal info)

Eavesdropping
Eavesdropping is when someone secretly listens to or intercepts data as it
moves over a network.

For example:

A hacker captures information as it’s sent from your computer to a website

They might listen to private conversations or steal data while it's traveling
online

Firewall
A firewall is a network security device, either hardware or software based, which monitors all incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects or drops that specific traffic.

It acts like a security guard that helps keep your digital world safe from
unwanted visitors and potential threats

Accept: allow the traffic

Reject: block the traffic but reply with an “unreachable error”

Drop: block the traffic with no reply

At its most basic level, a firewall is the wall that separates a private internal network from the open internet.

Characteristics
Traffic Filtering: A firewall monitors and filters incoming and outgoing network traffic based on predefined security rules. It decides which data packets to allow or block.

Access Control: It helps control access to internal networks, allowing only authorized users or systems to communicate with or within the network.

Packet Inspection: Firewalls inspect data packets, looking at headers, IP addresses, ports, and content, to detect and block suspicious or unauthorized activities.

Monitoring and logging: They keep logs of all traffic and security events,
helping administrators track attempted breaches or policy violations.

Policy Enforcement: Firewalls enforce security policies by restricting the use of certain applications, ports, or services that may pose risks.

Types of Firewall
1. Packet Filtering Firewall
A packet filtering firewall controls network access by monitoring outgoing and incoming packets and allowing them to pass or stopping them based on source and destination IP address, protocol, and ports.

It analyses traffic at the network and transport protocol layers.

It can only allow or deny packets based on the individual packet's headers; it does not look at the packet's place in a connection.

A packet filtering firewall maintains a filtering table that decides whether a packet will be forwarded or discarded.

From the given filtering table, the packets will be filtered according to the
following rules:

Incoming packets from network 192.168.21.0 are blocked.

Incoming packets destined for the internal TELNET server (port 23) are
blocked.

Incoming packets destined for host 192.168.21.3 are blocked.

All well-known services to the network 192.168.21.0 are allowed.
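The following is an added example, not part of the original notes: a first-match packet filter in Python that encodes the four rules of the filtering table above. The packet and rule structures, the "well-known" port list and the default-deny behaviour are assumptions made for the example; the notes name only TELNET (port 23) explicitly.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: a first-match filtering table encoding the four rules above.
# A rule field left as None is a wildcard and matches any value.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    direction: str   # "in" = arriving from outside, "out" = leaving the network

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    direction: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.src_net is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True

# Ports treated as "well-known services" in this example (an assumption; the notes name only TELNET/23).
WELL_KNOWN_PORTS = (22, 25, 53, 80, 443)

FILTER_TABLE = [
    # 1. Incoming packets from network 192.168.21.0 are blocked
    #    (a packet arriving from outside but carrying an inside source address is not legitimate).
    Rule("deny", direction="in", src_net="192.168.21.0/24"),
    # 2. Incoming packets destined for the internal TELNET server (port 23) are blocked.
    Rule("deny", direction="in", proto="tcp", dport=23),
    # 3. Incoming packets destined for host 192.168.21.3 are blocked.
    Rule("deny", direction="in", dst_net="192.168.21.3/32"),
    # 4. All well-known services to the network 192.168.21.0 are allowed.
    *[Rule("allow", dst_net="192.168.21.0/24", dport=port) for port in WELL_KNOWN_PORTS],
]

def filter_packet(p: Packet, table=FILTER_TABLE, default="deny") -> str:
    """Stateless decision: the first rule whose header fields match wins.
    A packet matching no rule gets the default action (deny, i.e. drop)."""
    for rule in table:
        if rule.matches(p):
            return rule.action
    return default

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.168.21.10", "tcp", 80, "in"),    # allow: web to an internal host
        Packet("192.168.21.7", "192.168.21.10", "tcp", 80, "in"),   # deny: rule 1
        Packet("203.0.113.5", "192.168.21.10", "tcp", 23, "in"),    # deny: rule 2, TELNET
        Packet("203.0.113.5", "192.168.21.3", "tcp", 80, "in"),     # deny: rule 3, protected host
        Packet("203.0.113.5", "192.168.21.10", "tcp", 8080, "in"),  # deny: no rule, default
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.proto, p.dport, "=>", filter_packet(p))
```

Rule order matters: rule 3 sits before the "allow well-known services" rules, so port 80 to 192.168.21.3 is denied even though port 80 to the rest of the network is allowed.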

2. Stateful Inspection Firewall
Stateful firewalls are able to determine the connection state of a packet, unlike packet filtering firewalls, which makes them more effective.

A stateful firewall keeps track of the state of network connections travelling across it, such as TCP streams.

So filtering decisions are based not only on the defined rules, but also on the packet's history as recorded in the state table.

3. Application Layer Firewall
Acts as an intermediary (proxy) between users and the internet.

It has the ability to block specific content, and can also recognize when certain applications and protocols (like HTTP, FTP) are being misused.

A proxy firewall prevents any direct connection between the two sides of the firewall; each packet has to pass through the proxy.

4. Next Generation Firewall
Hides internal IP addresses by converting them into a single public IP.

Provides basic protection by preventing direct access to devices behind the firewall.

5. Cloud Firewall
These are software-based, cloud-deployed network devices.

A cloud-based firewall protects a private network from any unwanted access. Unlike traditional firewalls, a cloud firewall filters data at the cloud level.

Difference between Packet Filtering Firewall and Stateful Inspection Firewall

Feature                   Packet Filtering Router                    Stateful Inspection Firewall
1. Layer of Operation     Network layer (Layer 3)                    Network + Transport layers (Layer 3 & 4)
2. Decision Basis         Based on IP addresses, ports, protocols    Based on connection state and context
3. Tracking Connections   Does not track connection state            Tracks active sessions and connection info
4. Security Level         Basic                                      Higher than packet filtering
5. Performance            Very fast, minimal processing              Slightly slower due to state tracking
6. Example Use Case       Simple networks with basic rules           Enterprise networks needing stronger control

Advantages
Protection From Unauthorized Access: Firewalls can be set up to restrict
incoming traffic from particular IP addresses or networks, preventing hackers
or other malicious actors from easily accessing a network or system.

Prevention of Malware and Other Threats: Firewalls can be set up to block traffic linked to known malware or other security concerns, assisting in the defense against these kinds of attacks.

Control of Network Access: By limiting access to specified individuals or groups for particular servers or applications, firewalls can be used to restrict access to particular network resources or services.

Monitoring of Network Activity: Firewalls can be set up to record and keep track of all network activity.

Regulation Compliance: Many industries are bound by rules that demand the
usage of firewalls or other security measures.

Disadvantages
Complexity: Setting up and keeping up a firewall can be time-consuming and
difficult, especially for bigger networks or companies with a wide variety of
users and devices.

Limited Visibility: Firewalls may not be able to identify or stop security risks
that operate at other levels, such as the application or endpoint level, because
they can only observe and manage traffic at the network level.

False Sense of Security: Some businesses may place an excessive amount of reliance on their firewall and disregard other crucial security measures like endpoint security or intrusion detection systems.

Limited Adaptability: Because firewalls are frequently rule-based, they might not be able to respond to fresh security threats.

Performance Impact: Network performance can be significantly impacted by firewalls, particularly if they are set up to analyze or manage a lot of traffic.

Limited Scalability: Because firewalls are only able to secure one network,
businesses that have several networks must deploy many firewalls, which can
be expensive.

Cost: Purchasing many devices or add-on features for a firewall system can
be expensive, especially for businesses.

Screened Subnet Firewall Architecture

The Screened Subnet Firewall Architecture, also known as a DMZ (Demilitarized Zone) setup, is a security model designed as a protective buffer between a trusted internal network (LAN) and an untrusted external network.

At the heart of this architecture are two firewalls and a separate network segment known as the DMZ.

This model is particularly useful for hosting public-facing services (like web servers or email servers) while still safeguarding the internal network from the external network.

Working
The architecture begins with the internal network, which includes various trusted devices such as desktops, laptops, servers and phones. These devices communicate with the rest of the world through a firewall.

This internal firewall serves as the first line of defense, monitoring all traffic
that attempts to leave or enter the LAN

Sitting between the internal and external firewalls is the screened subnet, or DMZ. This is the semi-trusted zone that hosts public services such as web servers, FTP servers and mail servers.

When someone from the internet tries to access your website, the request first
goes through the outer firewall, which only allows safe traffic into the DMZ.
The web server in the DMZ handles the request, but cannot directly access
your internal network

The inner firewall separates the internal network from the DMZ and blocks
unknown traffic from entering. This setup ensures that even if a hacker gets
into the DMZ, they can’t reach your main private network
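As an added illustration of the two-firewall layout described above (example code, not part of the notes), the Python below models the three zones and the zone-pair policy each firewall enforces, then reports which firewall stops a given new connection. The address ranges, the published ports and the policy tables are assumptions; only new connections are modelled, not stateful return traffic.

```python
import ipaddress

# Constructed addressing for the zones (assumption; the notes give no addresses).
ZONES = {
    "LAN": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
}
ORDER = ["INTERNET", "DMZ", "LAN"]   # physical order: INTERNET -outer fw- DMZ -inner fw- LAN

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"

# Each policy maps (source zone, destination zone) to the allowed destination ports,
# or "any". A zone pair absent from the policy is denied (default deny).
OUTER_POLICY = {
    ("INTERNET", "DMZ"): {25, 80, 443},  # only the published mail and web services
    ("DMZ", "INTERNET"): "any",
    ("LAN", "INTERNET"): "any",          # LAN traffic leaves through the DMZ segment
}
INNER_POLICY = {
    ("LAN", "DMZ"): "any",
    ("LAN", "INTERNET"): "any",
    # ("DMZ", "LAN") and ("INTERNET", "LAN") are deliberately absent: nothing may
    # originate a connection from the DMZ or the internet into the private LAN.
}
FIREWALLS = {
    ("INTERNET", "DMZ"): ("outer", OUTER_POLICY),
    ("DMZ", "LAN"): ("inner", INNER_POLICY),
}

def permitted(policy: dict, src_zone: str, dst_zone: str, dport: int) -> bool:
    allowed = policy.get((src_zone, dst_zone), set())
    return allowed == "any" or dport in allowed

def crossings(src_zone: str, dst_zone: str) -> list:
    """Firewalls the packet passes, in the order it meets them."""
    a, b = ORDER.index(src_zone), ORDER.index(dst_zone)
    step = 1 if b > a else -1
    result = []
    for i in range(a, b, step):
        pair = tuple(sorted((ORDER[i], ORDER[i + step]), key=ORDER.index))
        result.append(FIREWALLS[pair])
    return result

def decide(src: str, dst: str, dport: int) -> str:
    """'allow', or 'deny@outer' / 'deny@inner' naming the firewall that stopped the packet."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"   # traffic within one zone never crosses a firewall
    for name, policy in crossings(src_zone, dst_zone):
        if not permitted(policy, src_zone, dst_zone, dport):
            return f"deny@{name}"
    return "allow"

if __name__ == "__main__":
    for src, dst, port in [("203.0.113.7", "192.0.2.10", 443),   # internet -> DMZ web server
                           ("203.0.113.7", "10.10.5.5", 443),    # internet -> LAN host
                           ("192.0.2.10", "10.10.5.5", 3306),    # DMZ web server -> LAN database
                           ("10.10.5.5", "203.0.113.7", 443)]:   # LAN host -> internet
        print(f"{src} -> {dst}:{port} : {decide(src, dst, port)}")
```

The third case is the one the last paragraph above is about: even a compromised web server in the DMZ gets "deny@inner" when it tries to open a connection into the LAN, because the inner firewall has no (DMZ, LAN) entry at all.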

Intrusion Detection System

An intrusion is when an attacker gets unauthorized access to a device, network or system.

An intrusion detection system observes network traffic for malicious transactions and sends an immediate alert when one is observed.

It is software that checks a network or system for malicious activities or policy violations.

An IDS monitors a network or system for malicious activity and protects a computer network from unauthorized access by users, including possibly insiders.

The intrusion detector's learning task is to build a predictive model (i.e. a classifier) capable of distinguishing between 'bad connections' (intrusions/attacks) and 'good' (normal) connections.

Common Methods of Intrusion

Address Spoofing: Hiding the source of an attack by using fake or unsecured proxy servers, making it hard to identify the attacker.

Fragmentation: Sending data in small pieces to slip past detection systems.

Pattern Evasion: Changing attack methods to avoid detection by IDS systems that look for specific patterns.

Coordinated Attack: Using multiple attackers or ports to scan a network, confusing the IDS and making it hard to see what is happening.

Working of an Intrusion Detection System (IDS)

An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect any suspicious activity.

It analyzes the data flowing through the network to look for patterns and signs
of abnormal behavior.

The IDS compares the network activity to a set of predefined rules and
patterns to identify any activity that might indicate an attack or intrusion.

If the IDS detects something that matches one of these rules or patterns, it
sends an alert to the system administrator.

The system administrator can then investigate the alert and take action to
prevent any damage or further intrusion.

Types of IDS
Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point
within the network to examine traffic from all devices on the network.

It observes the traffic passing through the entire subnet and matches it against the collection of known attacks.

Once an attack is identified or abnormal behavior is observed, an alert can be sent to the administrator.
Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on independent hosts or devices
on the network.

A HIDS monitors the incoming and outgoing packets from the device only and
will alert the administrator if suspicious or malicious activity is detected.

It takes a snapshot of existing system files and compares it with the previous
snapshot.

If monitored system files were edited or deleted, an alert is sent to the administrator to investigate.

Hybrid Intrusion Detection System:
In a hybrid intrusion detection system, the host agent or system data is combined with network information to develop a complete view of the network system.

The hybrid intrusion detection system is more effective in comparison to the other types of intrusion detection system.

Application Protocol-Based Intrusion Detection System (APIDS):
An application protocol-based intrusion detection system (APIDS) is a system or agent that generally resides within a group of servers.

It identifies intrusions by monitoring and interpreting the communication on application-specific protocols.

Signature-Based Detection:
Signature-based detection checks network packets for known patterns linked
to specific threats.

A signature-based IDS compares packets to a database of attack signatures and raises an alert if a match is found.

Regular updates are needed to detect new threats, and unknown attacks without signatures can bypass this system.

Benefits of IDS
Detects Malicious Activity: IDS can detect any suspicious activities and alert
the system administrator before any significant damage is done.

Improves Network Performance: IDS can identify performance issues on the network, which can then be addressed to improve network performance.

Compliance Requirements: IDS can help in meeting compliance requirements by monitoring network activity and generating reports.

Provides Insights: IDS generates valuable insights into network traffic, which can be used to identify weaknesses and improve network security.

Disadvantages of IDS
False Alarms: IDS can generate false positives, alerting on harmless activities
and causing unnecessary concern.

Resource Intensive: It can use a lot of system resources, potentially slowing down network performance.

Requires Maintenance: Regular updates and tuning are needed to keep the IDS effective, which can be time-consuming.

Doesn't Prevent Attacks: IDS detects and alerts but doesn't stop attacks, so additional measures are still needed.

Complex to Manage: Setting up and managing an IDS can be complex and may require specialized knowledge.

Password Management
Password management refers to the practices, tools, and strategies used to
create, store, and protect passwords to ensure secure access to digital
systems and services.

Since passwords are the first line of defense against unauthorized access,
managing them effectively is crucial for maintaining cybersecurity.

Goals of Password Management:

Prevent unauthorized access to accounts and systems.

Encourage strong, unique passwords for each service.

Simplify the process of handling multiple login credentials.

Reduce the risk of phishing and brute-force attacks.

Common Password Management Practices:

1. Use of Password Managers:
These are applications that generate, store, and auto-fill strong passwords, making it easier for users to use unique credentials for every site without memorizing them all.

2. Enforcing Strong Password Policies:
Organizations often require passwords to include a mix of letters, numbers, and special characters, and to have a minimum length.

3. Regular Password Changes:
Changing passwords periodically helps limit the damage if a password is compromised.

4. Multi-Factor Authentication (MFA):
Adds an extra layer of security by requiring a second factor (like a code sent to a phone) along with the password.

5. Monitoring and Alerts:
Some systems alert users if their passwords have appeared in known data breaches.
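Practices 2 and 5 above, combined into one added Python example that is not part of the notes: a policy check for length and character classes, plus a breach lookup keyed the way public range-query services such as Have I Been Pwned's "range" API work (only the first five hex characters of the password's SHA-1 identify the bucket). The minimum length, the class rules and the tiny local "breached" store are constructed assumptions.

```python
import hashlib
import re

# Constructed policy values (an assumption; the notes give no specific numbers).
MIN_LENGTH = 12
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def _sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest().upper()

# Constructed stand-in for a breach database: bucketed by the first 5 hex characters of the
# SHA-1, holding the remaining 35. A real client sends only the 5-character prefix to the
# service and compares the returned suffixes locally, so the password never leaves the host.
BREACHED = {}
for _pw in ("Password123!", "Welcome2024!!"):
    _h = _sha1_hex(_pw)
    BREACHED.setdefault(_h[:5], set()).add(_h[5:])

def check_policy(password: str) -> list:
    """Return the list of policy rules the password fails (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    for name, rx in CLASSES.items():
        if not rx.search(password):
            problems.append(f"missing {name}")
    return problems

def seen_in_breach(password: str, store: dict = BREACHED) -> bool:
    """k-anonymity style lookup: bucket by prefix, match the suffix locally."""
    h = _sha1_hex(password)
    return h[5:] in store.get(h[:5], set())

def evaluate(password: str) -> list:
    """All reasons to reject the password: policy failures plus breach exposure."""
    problems = check_policy(password)
    if seen_in_breach(password):
        problems.append("appears in a known breach")
    return problems

if __name__ == "__main__":
    for candidate in ("short1!", "Password123!", "correct-horse-Battery-7"):
        print(repr(candidate), "->", evaluate(candidate) or "accepted")
```

The second candidate satisfies every composition rule and is still rejected, which is the point of practice 5: composition rules alone cannot tell a strong password from a well-known one.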

Trusted System
A trusted system is a computer system that is designed and implemented to
enforce a specified level of security policy, such as protecting data
confidentiality, integrity, and availability.

It operates in a way that users and administrators can trust it to behave securely and resist unauthorized access or manipulation.

In short, a trusted system is a secure computing platform that users can rely on to enforce strict security rules and protect against unauthorized access or data breaches.

Key Features of a Trusted System:

1. Access Control: Ensures only authorized users can access specific resources.

2. Authentication: Verifies user identities before granting access.

3. Audit Trails: Keeps detailed logs of system activities for monitoring and
forensic analysis.

4. Security Policy Enforcement: Enforces rules about who can access what and
under what conditions.

5. Data Protection: Maintains the integrity and confidentiality of information.
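To show how these five features fit together, here is an added Python example (not from the notes) of a minimal reference monitor: every access request passes through one check, identities are verified against salted password hashes, the ACL is default-deny, and every decision is written to an append-only audit trail. The user, resource, permission names and the choice of PBKDF2-SHA256 for password hashing are assumptions made for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256 (an assumption; the notes do not prescribe a hash).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ReferenceMonitor:
    """Single choke point every access request passes through; default deny; everything logged."""
    def __init__(self):
        self.users = {}      # username -> (salt, password hash)   (data protection: no plaintext)
        self.acl = {}        # resource -> {username: set of permissions}   (security policy)
        self.sessions = {}   # session token -> username
        self.audit = []      # append-only audit trail

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt))

    def grant(self, resource: str, user: str, *perms: str) -> None:
        self.acl.setdefault(resource, {}).setdefault(user, set()).update(perms)

    def _log(self, **event) -> None:
        event["time"] = datetime.now(timezone.utc).isoformat()
        self.audit.append(event)

    def login(self, name: str, password: str):
        """Authentication: returns a session token, or None. Both outcomes are recorded."""
        rec = self.users.get(name)
        ok = rec is not None and hmac.compare_digest(rec[1], _hash(password, rec[0]))
        self._log(event="login", user=name, result="success" if ok else "failure")
        if not ok:
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = name
        return token

    def access(self, token: str, resource: str, perm: str) -> bool:
        """Access control and policy enforcement: allowed only if the ACL grants it."""
        user = self.sessions.get(token)
        allowed = user is not None and perm in self.acl.get(resource, {}).get(user, set())
        self._log(event="access", user=user, resource=resource, perm=perm,
                  result="allow" if allowed else "deny")
        return allowed

def demo() -> dict:
    """Constructed scenario exercising each feature; returns the decisions and audit results."""
    rm = ReferenceMonitor()
    rm.add_user("alice", "correct-horse-Battery-7")
    rm.grant("/payroll.db", "alice", "read")
    token = rm.login("alice", "correct-horse-Battery-7")
    return {
        "bad_login": rm.login("alice", "wrong-password"),
        "read": rm.access(token, "/payroll.db", "read"),
        "write": rm.access(token, "/payroll.db", "write"),
        "no_session": rm.access("bogus-token", "/payroll.db", "read"),
        "audit": [e["result"] for e in rm.audit],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The audit list is the forensic record: each login attempt and each access decision, allowed or denied, appears there in order, which is what lets an administrator reconstruct who tried to do what after the fact.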
