
Introduction to Information Security
Information Security…
• Information systems security, more commonly referred to as INFOSEC, refers to the
processes and methodologies involved with keeping information confidential, available,
and assuring its integrity.
• It also refers to:
o Access controls, which prevent unauthorized personnel from entering or accessing a
system.
o Protecting information no matter where that information is, i.e. in transit (such as in an
email) or in a storage area.

o The detection and remediation of security breaches, as well as documenting those
events (proof of concept).
• Information Security is not all about securing information from
unauthorized access.
• Information Security is basically the practice of preventing
unauthorized access, use, disclosure, disruption, modification,
inspection, recording or destruction of information.
• Information can be physical or electronic.
Why information security…
• If you know the enemy and know yourself, you need not fear the result
of a hundred battles. If you know yourself but not the enemy, for
every victory gained you will also suffer a defeat. If you know neither
the enemy nor yourself, you will succumb in every battle.
• To be secured, information needs to be hidden from unauthorized
access (confidentiality), protected from unauthorized
change (integrity), and available to an authorized entity when it is
needed (availability).
Essential Terminologies…
• Confidentiality, in terms of selecting who or what is allowed access to data and
systems. This is achieved through encryption and access control systems.
• The integrity of data, where modification is allowed only by authorised persons
or organisations. The modifications could include any changes such as adding to,
selectively deleting from, or even changing the status of a set of data.
• The freshness of data contained in messages. An attacker could capture part or
all of a message and re-use it at a later date, passing it off as a new message.
Some method of incorporating a freshness indicator (e.g. a time stamp) into
messages minimises the risk of this happening.
• The authentication of the source of information, often in terms of the identity of
a person as well as the physical address of an access point to the network such as
a workstation.
• The availability of network services, including security procedures, to authorised
people when they are needed.
Key terms…
• Breach - An exposure of protected data to someone not authorised to see it. So,
for example, an attacker gaining access to a company's private financial records.
• Encrypted - If something has been encrypted, it has been converted into a code
so that it cannot be read by someone who doesn't have a key to decrypt it. There
are many different levels and types of encryption, each used for different
purposes, depending on security requirements.
• Exploit - An exploit is a sequence of steps or lines of code that can be used to
take advantage of a vulnerability in a system. An exploit gives an attacker access
to parts of a system that they shouldn't be able to access.
• Firewall - A security program or piece of equipment that filters all data going to
or from a device.
• Malware - Malware stands for malicious software. Simply put, it's any software
which has negative intentions unbeknown to the person installing it.
• Patch - A patch is an update to software released which resolves one or more
vulnerabilities, stopping specific exploits from working.
• Phishing - Phishing is a social engineering tactic where an attacker attempts to
fool you into taking a specific action in response to an email. For example, you
may receive an email from someone posing as Paypal, telling you that you need
to login to your account and confirm your phone number to stop your account
being shut down.
• Spear Phishing - A spear phishing attack is a phishing attack that targets one very
specific person. An attacker comes up with a specific attack to get access to one
person's information.
• Spyware - Software designed to spy on a victim. Most spyware
transmits data to an attacker over the internet, unbeknown to the
victim.
• Trojan - A trojan, or trojan horse, is a piece of malware which
contains malicious code designed to take specific actions to steal
data, or harm a system.
• Vulnerability - A vulnerability is any weakness in an application or
system that can be exploited by attackers.
• Worm - A worm is a type of malware that automatically replicates
itself, without requiring any human interaction.
Types of attacks…
• Passive attack: In this attack, the attacker’s goal is just to obtain
information. The attacker does not modify or harm the system.
• Attacks that threaten confidentiality—snooping and traffic analysis.
• The revealing of the information may harm the sender or the receiver
of the message, but the system is not affected.
• For this reason, it is difficult to detect this type of attack until the
sender or receiver finds out about the leak of confidential
information.
• Active attack: This attack may change the data or harm the system.
• Attacks that threaten the integrity and availability are active attacks.
• Active attacks are normally easier to detect than to prevent, because
an attacker can launch them in a variety of ways.
Attacks…
• Malware: In fact, the word Malware is a combination of the two words
“malicious” and “software”, and there is no better way to describe it.
• This type of cyber attack includes all sorts of harmful software, including
Trojans, viruses and what not.
• It can get to your computer either from emails, system vulnerabilities and
all sorts of downloads.
• Phishing: Phishing is a type of cyber attack that plays on your altruism
and naivety.
• Most commonly you receive an email from a third party, who asks you to
follow the link and enter some personal data.
• They steal your personal information and use it in all ways possible.
• DoS Attacks: DoS stands for “denial of service” and the service meant
is service to a network.
• During such attack, too many requests are sent to the website, so the
network is overloaded and can no longer function.
• Most common type of DoS attack is DDoS, which stands for
distributed denial of service.
• It uses a number of hijacked computers to send traffic and in many
cases, owners of the computers might even not suspect it.
• MITM: MITM, or Man in the Middle, is not as funny as it sounds.
• The essence of it is that it implements a spy between data endpoints,
which provides access to all the secure information you and your users
provide the system with.
• This type of cyber attack is especially sensitive for industries like finance or
eCommerce.
• Drive-by downloads : Drive-by downloads are a type of malware, which is
automatically downloaded to your computer.
• Usually, it is a snippet of code, which, once downloaded, brings the other
parts through the network.
• And then the cyber party begins.
• Malvertising : Malvertising resembles malware a lot.
• The only difference is that it gets to your computer via an ad.
• Once a User clicks on a malicious ad, malware is downloaded to the
computer.
• SQL Injection Attack – Structured Query Language (SQL) injection, aka an SQL
attack, is done by sending malicious SQL statements.
• By doing so the hacker can take over servers and can steal data or
even create havoc in the web system.
• Brute force (also known as brute force cracking) : is a trial and error
method used by application programs to decode encrypted data such as
passwords or Data Encryption Standard keys, through exhaustive effort
(using brute force) rather than employing intellectual strategies.
• Zero Day Vulnerability: A zero day vulnerability refers to a hole in software
that is unknown to the vendor.
• This security hole is then exploited by hackers before the vendor becomes
aware and hurries to fix it—this exploit is called a zero day attack.
• Uses of zero day attacks can include infiltrating malware, spyware or
allowing unwanted access to user information.
• WannaCry: WannaCry was a ransomware attack that spread rapidly in May
of 2017.
• Like all ransomware, it took over infected computers and encrypted the
contents of their hard drives, then demanded a payment in Bitcoin in order
to decrypt them.
• Backdoor: this is not a virus in itself, but rather a gaping security hole in
your computer that can be used against you.
• Sometimes a different virus will create a backdoor, but it can also be done
by hand.
• Generally this will be a hidden administrator account that you don’t even
know exists, and a hacker can log into this account remotely and do
whatever they want.
• Rootkit: this attack uses a conventional virus like we mentioned
before, but it assembles the virus into memory as the computer starts
up.
• If you delete the actual files of the virus, it is already running in the
memory so it can just recreate itself in a different location.
Cyber crime vs Computer based crime…
• The crime that involves and uses computer devices and Internet, is known
as cybercrime.
• Cybercrime can be committed against an individual or a group; it can also
be committed against government and private organizations.
• It may be intended to harm someone’s reputation, or to cause physical or
even mental harm.
• Cybercrime can cause direct harm or indirect harm to whoever the victim
is.
• However, the largest threat of cybercrime is on the financial security of an
individual as well as the government.
• Cybercrime causes loss of billions of USD every year.
Types of Cybercrime…

• Hacking: It is an illegal practice by which a hacker breaches the computer
security system of someone for personal interest.
• Unwarranted mass-surveillance: Mass surveillance means surveillance of a
substantial fraction of a group of people by the authority especially for the
security purpose, but if someone does it for personal interest, it is
considered as cybercrime.
• Child pornography: It is one of the most heinous crimes that is brazenly
practiced across the world. Children are sexually abused and videos are
being made and uploaded on the Internet.
• Child grooming: It is the practice of establishing an emotional connection
with a child especially for the purpose of child-trafficking and child
prostitution.
• Copyright infringement: If someone infringes someone’s protected copyright
without permission and publishes that with his own name, is known as copyright
infringement.
• Money laundering: Illegal possession of money by an individual or an
organization is known as money laundering. It typically involves transfers of
money through foreign banks and/or legitimate business. In other words, it is the
practice of transforming illegitimately earned money into the legitimate financial
system.
• Cyber-extortion: When a hacker hacks someone’s email server, or computer
system and demands money to reinstate the system, it is known as cyber-
extortion.
• Cyber-terrorism: Normally, when someone hacks government’s security system
or intimidates government or such a big organization to advance his political or
social objectives by invading the security system through computer networks, it is
known as cyber-terrorism.
http vs https…
• HTTP stands for Hypertext Transfer Protocol: At its most basic, it allows
for the communication between different systems.
• It’s most commonly used to transfer data from a web server to a
browser in order to allow users to view web pages.
• It’s the protocol that was used for basically all early websites.
• HTTPS stands for Hypertext Transfer Protocol Secure: The problem with
the regular HTTP protocol is that the information that flows from server to
browser is not encrypted, which means it can be easily stolen.
• HTTPS protocols remedy this by using an SSL (secure sockets layer)
certificate, which helps create a secure encrypted connection between the
server and the browser, thereby protecting potentially sensitive
information from being stolen as it’s transferred between the server and
the browser.
• The most important difference between the two protocols is the SSL
certificate.
• In fact, HTTPS is basically an HTTP protocol with additional security.
However, this additional security can be extremely important, especially for
websites that take sensitive data from its users, such as credit card
information and passwords.
• How does HTTPS work? The SSL certificate encrypts the information that users
supply to the site, which basically translates the data into a code.
• Even if someone manages to steal the data being communicated between
the sender and the recipient, they would not be able to understand it due
to this encryption.
Operating System fingerprinting…
• Operating system fingerprinting is the process of learning what
operating system is running on a particular device.
• By analyzing certain protocol flags, options, and data in the packets a
device sends onto the network, we can make relatively accurate
guesses about the OS that sent those packets.
• By pinpointing the exact OS of a host, an attacker can launch a precise
attack against a target machine.
• In a world of buffer overflows, knowing the exact flavour and
architecture of an OS could be all the opportunity an attacker needs.
• “TCP/IP stack fingerprinting (or OS fingerprinting) is the process in
computing of determining the identity of a remote host’s operating system
by analyzing packets from that host.”
• When an attacker is trying to hack into any computer, he starts by gathering
as much information as possible about the target computer.
• A key piece of information is the operating system the target is running.
• As long as this information is not revealed, the attacker is limited in the
variety of attacks, probes and exploits.
• Therefore the focus on initial information gathering is finding out the
operating system.
• There are several approaches to finding out the running operating
system of an unknown host without having an account or any other
way of logging in directly on this machine.
• Some of the many OS Fingerprinting techniques are:
o Direct Banner Grabbing (Classical Fingerprinting)
o Active IP Packet Fingerprinting
o Passive IP Packet Fingerprinting
Classical Fingerprinting…
• Even without using any automated techniques of any kind, hosts will
often announce their OS to anyone making a connection to them
through welcome banners or header information.
• For example, when connecting to a host via the standard Telnet
protocol the OS version is often sent to the client as part of a
welcome message.
• Example from “Techniques in OS-Fingerprinting” by Nostromo:
• In UNIX-like platforms, when using the Telnet protocol.
• When analyzing the output a lot of information is revealed from the single
line that was returned by the server.
• Now it is up to an attacker to find an exploit for this specific version of the
Microsoft Exchange Server 2003.
• Active IP Packet Fingerprinting:
• Active operating system fingerprinting is the method of actively
determining a targeted network node’s underlying operating system by
probing the targeted system with several packets and investigating the
response.
• The traditional approach is to examine the TCP/IP stack behavior (IP, TCP,
UDP, and ICMP protocols) of a targeted network element when probed
with several legitimate packets.
• We can automate this technique using “nmap” software tool.
• According to “Techniques in OS-Fingerprinting” published by Nostromo;
“nmap begins its OS detection by sending an ICMP ping request to the
target.
• Then it connects to port 80 (HTTP) to see if the target is responding and
running at all.
• Then nmap does the actual portscan, searching for at least one open (an
application listening and waiting for connections) and one closed (no
application is listening on this specific port) port.
• To gain exact information about the underlying OS nmap sends several
special crafted TCP packets and records the replies.
• It then makes a lookup in the OS-detection fingerprint file and detects the
Operating System which the target is running on.”
Passive IP Packet Fingerprinting…
• Passive fingerprinting is based on sniffer traces from the remote system.
• Instead of actively querying the remote system, all it needs to do is capture
packets sent from the remote system.
• Based on the sniffer traces of these packets, you can determine the
operating system of the remote host.
• Just like in active fingerprinting, passive fingerprinting is based on the
principle that every operating system's IP stack has its own individual
characteristic.
• By analyzing sniffer traces and identifying these differences, you may be
able to determine the operating system of the remote host.
• “Ettercap” is a package that is available for most common operating
systems (Windows, Mac OS X, Linux, and FreeBSD) which collects and
dissects packets from a network.
• According to Ettercap official web site: “Ettercap is a suite for man in the
middle attacks on LAN”.
• It features sniffing of live connections, content filtering on the fly and many
other interesting tricks.
• It supports active and passive dissection of many protocols (even ciphered
ones) and includes many features for network and host analysis.”
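A small passive-fingerprinting routine of the kind these tools apply, added here as an example (it is not code from the slides, Ettercap or p0f): it reads the TTL and TCP option order from constructed SYN trace lines and reports what a single packet already reveals about each host's stack, which is why defenders audit what their own hosts leak. The signature table and the trace lines are assumptions constructed for the example, not an authoritative database.

```python
import re

# Initial TTLs that common IP stacks start from; a sniffer sees the value after each router
# hop decremented it, so the original is recovered by rounding up to the nearest candidate.
INITIAL_TTLS = (32, 64, 128, 255)

# Illustrative signature subset (label, initial TTL, TCP option order in the SYN). The order
# of TCP options is one of the most stable stack traits passive tools key on; real tools use
# a far larger database and more fields (MSS, window scale, quirks). Constructed, not authoritative.
SIGNATURES = (
    ("Linux 2.6+ / modern Linux", 64, ("MSS", "SACK", "TS", "NOP", "WS")),
    ("Windows (Vista and later)", 128, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")),
    ("macOS / FreeBSD family", 64, ("MSS", "NOP", "WS", "NOP", "NOP", "TS", "SACK", "EOL")),
)

# Fallback when only the TTL class is recognisable.
TTL_FAMILY = {
    32: "legacy stack",
    64: "Unix-like (Linux/BSD/macOS)",
    128: "Windows",
    255: "network device or Solaris-like stack",
}

# Constructed trace-line format: "<src ip> ttl=<n> win=<n> df=<0|1> opts=<comma list>"
LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+ttl=(?P<ttl>\d+)\s+win=(?P<win>\d+)\s+df=(?P<df>[01])\s+opts=(?P<opts>\S*)$"
)


def parse_trace_line(line):
    """Parse one constructed sniffer-trace line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    opts = tuple(o for o in m.group("opts").split(",") if o)
    return {"src": m.group("src"), "ttl": int(m.group("ttl")), "win": int(m.group("win")),
            "df": m.group("df") == "1", "opts": opts}


def infer_initial_ttl(observed_ttl):
    """Round an observed TTL up to the initial value the sending stack most likely used."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint(packet):
    """Return the best OS-family guess for one SYN observation."""
    initial = infer_initial_ttl(packet["ttl"])
    hops = initial - packet["ttl"]          # how many routers the packet crossed
    for label, ttl, opts in SIGNATURES:
        if ttl == initial and packet["opts"] == opts:
            return {"src": packet["src"], "guess": label, "confidence": "high", "hops": hops}
    return {"src": packet["src"], "guess": TTL_FAMILY.get(initial, "unknown"),
            "confidence": "low", "hops": hops}


def fingerprint_trace(text):
    """Fingerprint every well-formed line of a trace; returns {src_ip: result}."""
    results = {}
    for line in text.splitlines():
        packet = parse_trace_line(line)
        if packet is not None:
            results[packet["src"]] = fingerprint(packet)
    return results


# Constructed trace: what a passive sniffer might record from four hosts' first SYN packets.
SAMPLE_TRACE = """
10.0.0.5 ttl=63 win=29200 df=1 opts=MSS,SACK,TS,NOP,WS
10.0.0.7 ttl=125 win=64240 df=1 opts=MSS,NOP,WS,NOP,NOP,SACK
10.0.0.9 ttl=59 win=65535 df=1 opts=MSS,NOP,WS,NOP,NOP,TS,SACK,EOL
10.0.0.1 ttl=254 win=4128 df=0 opts=MSS
garbage line that should be skipped
"""

if __name__ == "__main__":
    for src, r in fingerprint_trace(SAMPLE_TRACE).items():
        print(f"{src:<10} {r['guess']:<38} confidence={r['confidence']} hops={r['hops']}")
```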
• osfingerprinting-120126020829-phpapp02.pdf
Verify the Identity …
• When browsing the web, you may have encountered a "certificate"
warning from your browser.
• This happens when you're connecting to a site using encryption, and
the browser can't verify the identity of that site.
• Every browser or operating system comes with a preset list of
"Certificate Authorities."
• These authorities could be governments, companies, or other entities
that issue identity certificates to websites.
• This is all part of the SSL encryption process, and it verifies that you're
securely connected to the right place.
Verifying your identity…
• If you have even the slightest idea about TLS/SSL certificates, you’d know
that there’s a thing called ‘Identity verification’ or the ‘verification
process’.
• Basically, it’s a process that’s used to validate the identity of the
certificate’s recipient.
• In simpler words, it’s done to make sure that the person/organization
wanting to have the certificate issued is real and trustworthy.
• Whether it’s the most basic SSL certificate, DV or the most advanced,
EV, vetting process forms a significant part of the SSL purchase
process.
• Suppose you want to purchase a zombie survival kit (not kidding) on the
internet.
• What you do is you go on a website, add it to your cart, and make an online
payment.
• Now, what is the guarantee that the website you’re on is a genuine website
and more importantly, a real, legitimate business?
• What if it’s a fake website, you don’t get your kit and zombies attack you
the very next day?
• You’d be in a bit of trouble, right? Well, that’s where the SSL identity
verification comes into play.
• Had the website been a genuine, verified website, you could have fought
off the zombies and become a real-life hero.
• That is why SSL verification is so important.
• Depending upon the type of SSL certificate you want to purchase, the
certificate authority will conduct a verification.
• This verification is to make sure that only legitimate people and
organizations get the certificate.
• If this process is not conducted, we would be in utter chaos.
• An SSL Certificate is a web server authentication certificate that offers
the highest level of encryption security.
• SSL Certificates confirm the identity of the registered domain and
encrypt all information between its server and its visitors.
• “Comodo” is one of the most popular and trusted Certificate
Authorities (CAs) and it offers a diverse set of SSL products.
• But, before you can select the right one, you need to be familiar with
the different types and features of SSL.
Why Different Types of SSL?
• Because different websites have different needs.
• In today’s marketplace, businesses of all sizes are growing quickly, so it is
essential to separate SSL Certificates in terms of their feature, price and
usability.
• All Comodo SSL Certificates offer 256-bit encryption with the latest SHA2
hash algorithm, but they are different in terms of requirements.
• Comodo offers a full range of SSL security solutions to give users
confidence in sharing personal information on the internet.
• Certificates range from a free 90-day solution to a packaged certificate that
can cover multiple domains and sub-domains.
• Every certificate comes with visual indicators that inform users that the site
uses SSL encryption.
Domain Validation (DV):
• It’s easy to obtain a Domain Validation SSL Certificate, you simply have to
verify domain ownership through an email, phone call or WHOIS records.
• In some cases, CAs (Certificate Authorities) may perform an additional
fraud check to prevent the issuance of a certificate to a domain which may
be similar to a high value domain (i.e. Micros0ft.com, g00gle.com,
yah00.com).
• With Domain Validation you can get an HTTPS Security Certificate within
minutes without any company registration documents.
• And due to the automatic domain validation process, it can be done at a
low cost.
• It’s the ideal choice for small-medium sized web sites.
Organization Validation (OV):
• An Organization Validation SSL certificate provides instant identity
assurance and strong encryption.
• The validation of OV SSL is not as easy as DV because the CA validates
the company’s name, domain name and other information.
• The CA may also require additional validation methods to make sure
that the information provided by you is accurate and legal.
• The certificate displays the domain name and company name, which
provides double trust for visitors.
Extended Validation (EV):
• EV SSL is the highest assurance certificate that is available and is only
issued after a strict authentication process.
• The CA puts the registrant’s website through rigorous evaluation
procedures and meticulous documentation checks to confirm its
authenticity and ownership.
• The CA only issues the EV SSL Certificate if the applicant meets
the Extended Validation Standard (a set of guidelines prescribed for CAs).
• This special type of SSL is widely used to boost and maintain customer
confidence in ecommerce by providing visual confirmation to the user of
the highest level of security.
• EV Certificates are widely used in online stores, ecommerce websites or by
banks that wish to build a trusted environment.
SSL Certificate based on Types & their features:

• Single Domain SSL Certificate: A single domain SSL Certificate secures a single
domain name like yourdomain.com or mail.yourdomain.com but not both. It
secures one Fully Qualified Domain Name on a single certificate. It provides
authentication and encryption for one domain only. It’s widely suitable for small
and medium size business.
• Multi Domain SSL Certificate (MDC): A Multi Domain SSL gives you the option to
protect multiple domain names with a single Certificate. It can secure
mydomain.com, secure.mydomain.net, myotherdomain.com,
mail.mydomain.com. You can secure up to 100 fully-qualified domains on one
cert. An MDC SSL is ideal for organizations that want to secure multiple domains
hosted on a single server. It saves you time as well as money with the highest
level of encryption.
• What if you want to change your Domain name? Don’t worry, you can add, edit
or remove SAN Names at any time during the certificate lifecycle.
• Unified Communications Certificate (UCC): Comodo UCC SSL Certificates are
expressly designed to secure Microsoft® Exchange and Office Communications
environments. A single Exchange (UCC) SSL Certificate allows you to protect a
number of different domains. A Unified Communications SSL Certificate also
includes Microsoft Exchange Autodiscover service.
• Wildcard SSL Certificate: A Wildcard SSL Certificate can protect a website’s
common name and all sub-domains, for instance, www.yourdomain.com,
blog.yourdomain.com, mail.yourdomain.com etc. It works like a regular SSL
Certificate and does not require you to go through any further procedures.
• Multi Domain Wildcard SSL Certificate: An ideal solution to protect multiple
domains & sub-domains with a single certificate. You can get both features of a
multi domain SSL and Wildcard SSL Certificate in a single SSL Certificate and can
secure up to 100 unique names along with unlimited subdomains. In addition,
you can save more money and expand certificate functionality using the
combination of a Wildcard & SAN Certificate.
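Which hostnames a single-domain, multi-domain (SAN) or wildcard certificate actually covers is decided by name matching in the browser. The following added example (not code from the slides or from Comodo) implements those matching rules and applies them to constructed certificates named after the examples above; it also shows the caveat that a bare wildcard entry does not cover the bare domain or nested sub-domains.

```python
def _split_labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """Does a certificate name (subject CN or DNS SAN) cover this hostname?

    Rules applied (following RFC 6125 and browser behaviour):
      - comparison is case-insensitive;
      - a wildcard is only honoured as the entire left-most label ("*.example.com");
      - a wildcard matches exactly one label, so "*.example.com" covers "mail.example.com"
        but neither "example.com" nor "a.mail.example.com";
      - a wildcard directly under a public suffix ("*.com") is refused.
    """
    p_labels = _split_labels(pattern)
    h_labels = _split_labels(hostname)
    if "*" in p_labels[1:] or any("*" in lbl and lbl != "*" for lbl in p_labels):
        return False  # wildcard in a non-leftmost label, or a partial wildcard like "w*"
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False  # "*.com" would cover every .com site
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans zero or several labels
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def certificate_covers(hostname, subject_cn, san_dns_names):
    """Check a certificate against a hostname the way a browser does.

    If the certificate carries any DNS Subject Alternative Names, only those are consulted
    and the Common Name is ignored; the CN is a legacy fallback for SAN-less certificates.
    """
    names = list(san_dns_names) if san_dns_names else [subject_cn]
    return any(name_matches(n, hostname) for n in names)


# Constructed certificates modelled on the types listed above, as (CN, [DNS SANs]) pairs.
SINGLE_DOMAIN = ("yourdomain.com", ["yourdomain.com"])
MULTI_DOMAIN = ("mydomain.com", ["mydomain.com", "secure.mydomain.net",
                                "myotherdomain.com", "mail.mydomain.com"])
WILDCARD = ("*.yourdomain.com", ["*.yourdomain.com"])
# CAs normally add the bare domain as a second SAN, because the wildcard alone does not cover it.
WILDCARD_WITH_BARE = ("*.yourdomain.com", ["*.yourdomain.com", "yourdomain.com"])


def coverage_report(cert, hostnames):
    """Map each hostname to True/False for one (cn, san_list) certificate."""
    cn, sans = cert
    return {h: certificate_covers(h, cn, sans) for h in hostnames}


if __name__ == "__main__":
    hosts = ["yourdomain.com", "www.yourdomain.com", "blog.yourdomain.com", "a.blog.yourdomain.com"]
    for label, cert in [("wildcard only", WILDCARD), ("wildcard + bare", WILDCARD_WITH_BARE)]:
        print(label, coverage_report(cert, hosts))
```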
• Code Signing Certificate: A code signing certificate allows developers
to digitally sign their software or applications.
• Code signing certificates confirm the software author/vendor and
guarantee that the code has not been altered or corrupted since it
was signed.
• Code Signing proves the signed software is legitimate and protects
the software from tampering.
Hardening operating system…
• Default OS configurations are for ease of use
• Measures have to be done at all stages
• Installing and patching
• Configuring
• Remove unnecessary applications, services and protocols
• Users, groups, controls and privileges
• Install additional software (anti-virus, firewall, intrusion detection system,
etc.)
• Test Security
• Installation
• Machines should not connect to network until secured
• However removable media may be infected as well
• Limited network (firewall) is acceptable, ideally:
• No inbound connections
• Only out to certain key sites
• Install only required services and drivers (from trusted sources)
• Set up automatic updates (only if update time is not an issue)
• Booting
• Protect BIOS changes with password
• Disable some bootable media
• Cryptographic hard drives? Pros and Cons
• Software has vulnerabilities, hence more software = more
vulnerabilities
• Better to not install it at all
• Uninstallers sometimes fail to clean up all dependencies
• Disabled software may be enabled by an attacker upon control acquisition
• Disabling can be done via msconfig command (Windows), yast or
equivalent (Linux) or Control Panel (Windows / Linux)
• Define user types and privileges
• Admin (ideally only temporary)
• Normal
• Limited
• Authentication
• Force default password change
• Password definition
• Password lifespan
• Remove or disable old accounts
• Allow for remote connections?
• Anti-virus
• Firewalls, IDS, IPS
• White list
• If attackers manage to install a program what will happen?
• Run some test cases which attempt to break security (stress testing),
good hackers make a lot of money here
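The account and password items of the checklist above can be audited mechanically. This added example (not from the slides) parses constructed /etc/passwd and /etc/shadow contents and reports extra UID 0 accounts, password-less accounts, missing password lifespans and stale passwords against an assumed 90-day policy; the sample files and the policy values are constructed for the example.

```python
POLICY_MAX_DAYS = 90   # constructed policy: passwords must be rotated at least every 90 days
TODAY = 19800          # constructed "days since 1970-01-01"; live code would use time.time() // 86400


def parse_passwd(text):
    """Map user name -> {uid, shell} from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    """Map user name -> {hash, lastchg, max} from /etc/shadow-style lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, hashed, lastchg, _min, maxdays = line.split(":")[:5]
        entries[name] = {
            "hash": hashed,
            "lastchg": int(lastchg) if lastchg else None,   # days since epoch; 0 = change at next login
            "max": int(maxdays) if maxdays else None,       # empty = no lifespan enforced
        }
    return entries


def audit(passwd_text, shadow_text, today=TODAY):
    """Return {user: [findings]} for every account that violates the hardening checklist."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = {}
    for name, info in users.items():
        notes = []
        if info["uid"] == 0 and name != "root":
            notes.append("UID 0 (administrator) account other than root")
        entry = shadow.get(name)
        if entry is None:
            notes.append("no shadow entry")
        elif entry["hash"] == "":
            notes.append("empty password field: login possible without a password")
        elif entry["hash"].startswith(("!", "*")):
            pass  # locked or disabled account: the desired state for unused accounts
        else:
            if entry["max"] is None or entry["max"] > POLICY_MAX_DAYS:
                notes.append(f"password lifespan {entry['max']} exceeds policy of {POLICY_MAX_DAYS} days")
            if entry["lastchg"] not in (None, 0):   # 0 means a change is already forced at next login
                age = today - entry["lastchg"]
                if entry["max"] is not None and age > entry["max"]:
                    notes.append(f"password expired {age - entry['max']} days ago")
                elif age > POLICY_MAX_DAYS:
                    notes.append(f"password unchanged for {age} days")
        if notes:
            findings[name] = notes
    return findings


# Constructed sample files (hashes replaced by placeholders; these are not real accounts).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:1002:1002::/var/backups:/bin/sh
helper:x:0:0:support helper:/root:/bin/bash
"""

SHADOW = """\
root:$6$PLACEHOLDER$HASH:19500:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$PLACEHOLDER$HASH:19790:0:90:7:::
bob:$6$PLACEHOLDER$HASH:19300:0:90:7:::
svc_backup::19000:0:99999:7:::
helper:$6$PLACEHOLDER$HASH:0:0:99999:7:::
"""

if __name__ == "__main__":
    for user, notes in audit(PASSWD, SHADOW).items():
        for note in notes:
            print(f"{user}: {note}")
```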
Patch management…
• A security patch is supporting code or data applied to software in order to fix or
improve it.
• It comprises fixes for security vulnerabilities as well as other bugs.
• When a security patch is applied to an Android device, it strengthens the security
components, including how the device handles permissions such as location access
or camera use.
• A patch is a small snippet of code aimed to improve existing software or fix bugs.
• Similarly security patch is a code that strengthens the security of a device by
closing loop holes in the software thus secures us from online threats like
hacking, viruses or malware.
• On Android, the security patch level is simply the date of the last security patch
your device was updated with.
• You can check the latest Android security patch level on the Android website and see
whether your device has the latest security patch.
• There are 2 types of updates:
• for operating systems and server software, which are used to
maintain an adequate level of security and eliminate security
problems;
• for application software (for example, Microsoft Office, Adobe
Acrobat, or client parts of business applications) that are needed to
solve problems with frequently used or important libraries and other
parts of the source code.
• The stages of the Patch Management process are:
1. Preparation of test clients
2. Creating update sheets
3. Deployment in a test environment (LAB Deployment)
4. Deploying to pilot users (PRE Deployment stage)
5. Deploy tested updates in a production information environment
(PRO Deployment).
• Who can forget the recent, rather appropriately named, ransomware
attack WannaCry that infected hundreds of computers all over the
world.
• One of the biggest reasons for the vulnerability was unpatched
Windows machines.
• It took advantage of an exploit for Windows known as "EternalBlue".
• Unfortunately at the time the attack started many systems were still
unpatched and legacy Windows systems such as Windows XP and
Windows Server 2003 were left without a patch for the vulnerability.
CNA…
• MITRE announced that The Document Foundation, the home of
LibreOffice, has been approved as CVE Numbering Authority (CNA)
• These are organizations that operate under the auspices of the CVE
program to assign new CVE IDs to emerging vulnerabilities that affect
devices and products within their scope.
• These are organizations from around the world that are authorized to
assign CVE IDs to vulnerabilities affecting products within their
distinct, agreed-upon scope, for inclusion in first-time public
announcements of new vulnerabilities.
• These CVE IDs are provided to researchers, vulnerability disclosers,
and information technology vendors.
• Participation in this program is voluntary, and the benefits of
participation include the ability to publicly disclose a vulnerability
with an already assigned CVE ID, the ability to control the disclosure
of vulnerability information without pre-publishing, and notification
of vulnerabilities in products within a CNA's scope by researchers who
request a CVE ID from them.
• In a federated CNA structure, CNAs are categorized as Program Root (Primary), Root, and
Sub-CNAs (or just “CNAs”, generically).
• Multiple Sub-CNAs may operate under the oversight of a Root CNA, while the Root CNAs
operate under the oversight of a single, Program Root CNA (Primary CNA) or another
Root CNA.
• Sub-CNAs only assign CVEs for vulnerabilities in their own products or their domain of
responsibility, hereinafter referred to as scope.
• Root CNAs manage a group of Sub-CNAs within a given domain or community, train and
admit new Sub-CNAs, and are the assigners of last resort (i.e., no Sub-CNA exists for the
scope) within that domain or community.
• The CVE Program Root CNA (Primary CNA) oversees the CVE Program, coordinates Root
CNAs and Sub-CNAs, trains and admits new Root CNAs and Sub-CNAs, enables Root
CNAs to administer their CVE scope, and is the assigner of last resort for requesters that
are unable to have CVEs assigned at the Sub- or Root CNA levels.
• In cases where requests or issues cannot be resolved by a given CNA, the
issues are escalated to the next higher-level CNA.
• Examples of such issues would be a CNA being unresponsive beyond
expected timeframes or a disagreement with a CNA over whether or not an
issue is a vulnerability.
• Requests and issues at the Sub-CNA level can be elevated to Root CNAs,
and requests and issues at the Root CNAs can be elevated to the Program
Root CNA (Primary CNA).
• The same flow, from Sub-CNAs to Root CNAs to the Program Root CNA
(Primary CNA), is followed to alert the next higher CNA when CVEs are
assigned, or when reporting other programmatic data.
• The Program Root CNA (Primary CNA) provides blocks of IDs to Root CNAs,
and Root CNAs provide blocks of IDs to Sub-CNAs.
Sample CVE entry as a CNA would submit it:
[CVEID]: CVE-2016-123455
[PRODUCT]: BIGCOMPANYSOFT SOFTWARE PRODUCT
[VERSION]: All versions prior to version 2.5
[PROBLEMTYPE]: Arbitrary Code Execution
[REFERENCES]: http://bigcompanysoft.com/vuln/v1232.html
[DESCRIPTION]: CoreGraphics in BIGCOMPANYSOFT SOFTWARE PRODUCT before 2.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted BMP image.
[ASSIGNINGCNA]: BigCompanySoft
CVE (Common Vulnerabilities and Exposures)
• The Common Vulnerabilities and Exposures glossary (CVE) is a security
project focused on publicly released software, funded by the US Division of
Homeland Security and maintained by the MITRE Corporation.
• The CVE glossary uses Security Content Automation Protocol (SCAP) to
collect information about security vulnerabilities and exposures, cataloging
them according to various identifiers and providing them with unique IDs.
• Once documented, MITRE provides each vulnerability with a unique ID.
Several days after publication in the MITRE vulnerability database,
the National Vulnerability Database (NVD) publishes the CVE with a
corresponding security analysis.
• The CVE list is defined by MITRE as a glossary or dictionary of publicly
available vulnerabilities and exposures, rather than a database, and as
such is intended to serve as an industry baseline for communicating
and dialoguing around a given vulnerability.
• CVE numbers are given to each new CVE issue by MITRE. However, it
is worthwhile noting that MITRE is not the only one.
• CVEs may receive their numeric ID from commercial numbering
authorities (non-governmental) who will number vulnerabilities and
exposures found in their own products.
• As of December 2018, 93 commercial entities are authorized to act
as CVE Numbering Authorities (CNA), including Adobe, Apple, Cisco,
Linux, Google, HP, IBM, Microsoft, Mozilla, Oracle, and Red Hat.
• The third and final numbering authority is the emergency response
team known as CERT Coordination Center which is also certified to
assign CVE numbers.
• Each CVE receives a CVSS score from the NVD, indicating its security
severity.
• The NVD’s security severity ranking helps responders including developers,
DevSecOps and security teams determine how to approach the
vulnerability and when.
• Remediation resources are allocated based on severity prioritization.
• The CVSS score follows a formula made up of several security metrics.
• The metrics involved in determining the severity of a vulnerability include
its access vector, the attack complexity, the impact on the confidentiality of
data processed by the system containing the vulnerability, and the impact on
the integrity of the exploited system.
• Apache Struts REST Plugin
• CVE-2018-1327
• Vulnerability Score: Medium — 5.0
• Affected versions: 2.1.1 - 2.5.14.1
• A year and a month after the disclosure of the infamous Struts 2
vulnerability that Equifax ignored, a security vulnerability was discovered in
the XStream handler in the Apache Struts REST plug-in.
• The vulnerability allows remote attackers to create denial of service
conditions by sending a specially crafted XML request using the XStream
handler with the Struts REST plugin, causing the targeted software to stop
functioning.
• Linux Kernel netfilter: xt_TCPMSS
• CVE-2017-18017
• Vulnerability Score: High — 9.8
• Versions: Linux kernel before 4.11, and 4.9.x before 4.9.36
Computer Network Exploitation vs. Computer
Network Attack
• Computer Network Exploitation refers to the ability to exploit data or
information a person has gathered on a target for his or her own
purposes, and it is the phase of cyber warfare being experienced
globally today.
• Computer network exploitation (CNE) is a technique through which
computer networks are used to infiltrate target computers' networks
to extract and gather intelligence data.
• It enables the exploitation of the individual computers and computer
networks of an external organization or country in order to collect any
sensitive or confidential data, which is typically kept hidden and
protected from the general public.
CNA…
• Operations to disrupt, deny, degrade, or destroy information resident in
computers and computer networks, or the computers and networks themselves.
• Electronic attack (EA) can be used against a computer, but it is not
computer network attack (CNA).
• CNA relies on the data stream to execute the attack, while EA relies on the
electromagnetic spectrum.
• An example of the two operations is the following:
• Sending code or an instruction to a central processing unit that
causes the computer to short out its power supply is CNA.
• Using an electromagnetic pulse device to destroy a
computer's electronics, causing the same result, is EA.
• Computer network attacks take many forms, including system
compromises, information theft, and denial-of-service attacks
intended to disrupt services.
Advantage of host based firewall…
• Flexibility – applications and VMs (virtual machines) can be moved
between cloud environments, taking their host-based firewalls along
with them.
• Customisation – a single device can be configured for individual
circumstances using custom firewall rules.
• Mobility – a laptop or mobile device with a firewall provides security
for the device in different physical locations.
• Internal protection – a customised host-based firewall can prevent
attack from within an organisation by only allowing authorised
employee access to particular devices.
Advantages of network based firewall…
• Greater security – if an attacker circumvents a host-based firewall, they can gain direct access to
the host (i.e. via a Trojan) and could then use administrator privileges to turn off the firewall or
install malicious code undetected by the IT department. However, the detection and prevention
systems operating on a network-based firewall would be more likely to notice suspicious traffic
generated by a Trojan as it crosses the network barrier.
• Scalability – unlike host-based firewalls that must be replaced when bandwidth exceeds firewall
throughput, network-based firewalls can be scaled up as client bandwidth demands increase.
• Availability – network-based firewall providers offer high availability (uptime) through fully
redundant power, and network services, while host-based firewalls are only as reliable as your
existing IT infrastructure.
• Reach – thanks to interconnection agreements between network-based firewall providers,
protection can extend well beyond the boundaries of a single service provider network.
• Affordability – network-based firewalls offer much better value for money as they do not require
the labour-intensive IT involvement of host-based firewalls, such as individual installation and
maintenance on every server.
Phishing …
• A phishing attack is a method used to trick people into divulging
confidential information, typically by responding to an email.
• It is especially used for obtaining, or attempting to obtain, banking
information (e.g. username, password, credit card numbers etc.).
• Job Roles of Phishing Attackers
• Mailers
• Collectors
• Cashers
• How does Phishing take place?
• Mailers send out a large number of spoofed emails with a link to the
fake website
• These emails direct users to fraudulent websites
• Collectors set up fake websites. These websites "fool" users into
divulging confidential information
• Cashers use the confidential information to achieve a "pay-out".
• Mailers, Collectors and Cashers share the money.
• Spear phishing is an email sent to a specific target individual in a
company (or simply to an individual), usually someone the cybercriminal
knows has access to a great amount of the information the criminal needs
to meet his objectives; the aim is to get the user to click on a link
that installs malware (viruses, Trojan horses, spyware, ransomware etc.)
on their computer.
• Generally, conducting a phishing attack requires a fake website, but not
all phishing attacks require one. Whichever phishing technique is used, the
main aim of the cybercriminal is to gain access to one's confidential data
such as user name, password, bank account number, credit card number etc.
• In this part we discuss the several different types of phishing
attack techniques used by cyber criminals:
o Deceptive Phishing -- "Deceptive" means misleading, and this is one of
the most common ways of conducting a phishing attack.
o In this case the phishers send you an email pretending to come from a
recognized source (banks, online shopping websites) which requests you to
make a payment, change your existing password, re-enter your login username
and password, verify your account information etc.
• Phishing by malware software - The phishers use malicious software to attack a user; after the
installation of this infected software the phishers succeed in performing unauthorized actions, like
transferring funds, accessing the user's private data etc.
• Search Engine Phishing - Phishers create a fake website with attractive or pleasing offers
and register it legitimately with the search engines. Users come across these websites while searching
for their desired products and are fooled into giving up their information.
• Man-in-the-middle Phishing - The phisher places himself between the user and the
legitimate website or system. The phisher notes the entered information and can later use or sell the
user's information when the user is not active.
• Phishing attack by appending malign content - The phisher attaches malevolent content
to a normal website.
• Phishing attack by key loggers and screen loggers - The phisher uses different types of
malware that record or track keyboard input, continuously monitoring the keys being
pressed by the user and sending this information to the phisher over the Internet.
Phishing countermeasures…
• Spotting and Preventing Phishing emails: In this section we will see the different signs that help
recognize phishing and can reduce the chances of getting caught in a scam.
• So let's have a look at some of the signs.
• First we have to look at the sender's email address.
• Criminals often use two techniques here: one is to insert the company's real logo
before the @ sign, the other is to use a web address which is very similar or
close to the original one.
• For example, a genuine website and email address:
  https://www.vodafone.com  info@vodafone.com
• Scam websites and email addresses that imitate it:
  https://www.vodfone.com  info@vodfone.com
  https://www.vodapone.com  info@vodapone.com
  https://www.v0daf0ne.com  info@v0daf0ne.com
• Always be cautious of emails with generic greetings, e.g. 'Dear
Customer', and ones with faulty grammar and spelling.
• But sometimes phishers try their level best to make the email look as
authentic as the original, by using the names of people who work in that
company, or by creating a sense of haste: warning that your account will
be deactivated, that you'll be fined if you do not act now, that there is a
time limit, etc.
• All these kinds of cases can be used to create a state of panic in the
victim's mind.
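The sender-address check described above, as an added example that is not part of the original slides: a small Python triage routine that flags lookalike sender domains of the kinds listed (a dropped letter, a swapped letter, digits standing in for letters). The trusted-domain list and the sample From: headers are constructed for the example.

```python
"""Lookalike sender-domain triage (added example; not part of the original slides).

Checks the From: address against a list of trusted brand domains and flags the
three imitation styles the slide shows: a dropped letter (vodfone), a swapped
letter (vodapone) and digit-for-letter homoglyphs (v0daf0ne).
"""
from email.utils import parseaddr

# Domains the organisation genuinely corresponds with (constructed for the example).
TRUSTED_DOMAINS = {"vodafone.com"}

# Digits commonly used to imitate letters; applied to the candidate domain only,
# so a trusted domain that legitimately contains digits is never rewritten.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, or '' if there is none.

    parseaddr separates the display name from the address, so a display name
    that merely mentions the brand is not mistaken for the sending domain."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid' for a sender domain."""
    if not domain:
        return "invalid"
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"            # the brand domain itself or a real subdomain
    normalised = domain.translate(HOMOGLYPHS)
    for t in trusted:
        if normalised == t or normalised.endswith("." + t):
            return "lookalike"          # differs only by digit-for-letter swaps
        if normalised.startswith(t + "."):
            return "lookalike"          # brand used as a subdomain of another domain
        labels = normalised.split(".")
        cand = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label
        brand = t.split(".")[0]
        if cand == brand:
            return "lookalike"          # same name under a different TLD
        if edit_distance(cand, brand) <= max_distance:
            return "lookalike"          # a typo or two away, as in vodfone / vodapone
    return "unrelated"


def triage(from_header: str) -> str:
    """Classify a raw From: header value."""
    return classify_domain(sender_domain(from_header))


if __name__ == "__main__":
    # Constructed sample headers mirroring the slide's genuine and scam addresses.
    for hdr in ("Vodafone <info@vodafone.com>", "info@vodfone.com",
                "info@vodapone.com", "info@v0daf0ne.com",
                "Vodafone Support <alerts@evil.example>",
                "info@vodafone.com.evil.example"):
        print(f"{hdr:45} -> {triage(hdr)}")
```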
Spotting and Preventing Social Engineering
Attacks…
• It happens when someone tries to trick you into doing something that
may cause harm to you.
• This can be downloading malicious software or sharing one's
personal information (username, password, bank/credit details etc.).
• It therefore becomes quite important to detect these social engineering
emails, because scammers generally use emails, popular websites, ads
etc. that look very much like the genuine ones people use in their
day-to-day life.
• The scammer sends you an email as if it were sent from your bank,
a social networking website, your credit card provider etc., but in reality
they are not the ones who sent the mail.
How to avoid Social engineering attacks on
web…
• Many of us at some time or other have seen websites claiming to have
found issues (viruses, files) that are making your system or mobile slow,
and asking you to download software to fix them; in reality a website
cannot detect whether your machine has been compromised or not.
• So when visiting a website, always check the page's URL, and especially
whether it looks like the original website (as in the genuine-versus-scam
comparison in the section above), before you enter your personal
information; also check whether the URL starts with HTTPS, where the 'S'
indicates that the connection is encrypted and secure.
• Watch for browser warnings indicating that a website is not secure, and
pay attention to these kinds of warnings before entering personal
information.
Preventing Man-in-the-Middle Attack…
• These kinds of attacks have caused the loss of millions of dollars worldwide.
• As we already know, in a Man-in-the-Middle attack the hacker places
himself between two authentic communicating parties and tries to take over
the communication between them, either by DNS spoofing, ARP poisoning or
through email phishing.
• In a successfully executed Man-in-the-Middle attack the communicating parties
may have no idea that their communication is being watched.
• So one can prevent Man-in-the-Middle attacks in the three ways
discussed below:
• VPN (Virtual Private Network) - A VPN extends one's private network
across a public network.
• With the help of a VPN we can protect our sensitive data when we are
browsing over a public network such as public Wi-Fi, and also on secure
websites where we don't want them to know our location or IP
address.
• When we join a VPN our connection is encrypted and secured, making us
anonymous online and preventing hackers from monitoring our
communication.
• It is created by building a virtual point-to-point connection over a
dedicated connection.
• Proxy Server with Data Encryption -- This uses a reliable and secure proxy server
and encrypts the transmission between the communicating parties.
• One can use software like OpenVPN, Tor Browser, I2P, Hide My IP.
• Secure Shell Tunneling -- Secure Shell (SSH) is mainly used for logging into
a remote machine and executing commands, but it can also forward TCP and
X11 connections.
• It consists of a tunnel that is encrypted using the SSH protocol.
• You can set up SSH tunnels to transfer unencrypted traffic over a network
through an encrypted channel.
• Preventing Key Logger Phishing attacks - "A key logger is a type of
surveillance software (considered to be either software or spyware) that
has the capability to record every keystroke you make to a log file, usually
encrypted.
• A key logger recorder can record instant messages, e-mail, and any
information you type at any time using your keyboard.
• The log file created by the key logger can then be sent to a specified
receiver.
• Some key logger programs will also record any e-mail addresses you use
and Web site URLs you visit."
• So how must we prevent key logger phishing attacks?
• This can be done by the use of software tools like Key Scrambler, Spy
Shelter etc.
To avoid phishing…
• Filter emails for phishing threats.
• Update client-side operating systems, software and plugins.
• Harden your clients.
• Detect malware on endpoints.
• Implement two-factor authentication.
• Train your employees on security awareness.
• Educate your employees and conduct training sessions with mock phishing scenarios.
• Deploy a SPAM filter that detects viruses, blank senders, etc.
• Keep all systems current with the latest security patches and updates.
• Install an antivirus solution, schedule signature updates, and monitor the antivirus status
on all equipment.
• Develop a security policy that includes but isn't limited to password expiration and
complexity.
• Deploy a web filter to block malicious websites.
• Encrypt all sensitive company information.
• Convert HTML email into text only email messages or disable HTML email messages.
• Require encryption for employees that are telecommuting.
Virus…
• A computer virus is malicious code that replicates by copying itself to
another program, computer boot sector or document and changes
how a computer works.
• The virus requires someone to knowingly or unknowingly spread the
infection without the knowledge or permission of a user or system
administrator.
• A virus can be spread by opening an email attachment, clicking on
an executable file, visiting an infected website or viewing an infected
website advertisement.
• It can also be spread through infected removable storage devices,
such as USB drives.
• Once a virus has infected the host, it can infect other system software
or resources, modify or disable core functions or applications, as well
as copy, delete or encrypt data.
• Some viruses begin replicating as soon as they infect the host, while
other viruses will lie dormant until a specific trigger causes malicious
code to be executed by the device or system.
• The purpose of creating a computer virus is to infect vulnerable
systems, gain admin control and steal user sensitive data.
• Hackers design computer viruses with malicious intent and prey on
online users by tricking them.
Types of virus…
• File infectors. Some file infector viruses attach themselves to program
files, usually selected .com or .exe files.
• Some can infect any program for which execution is requested,
including .sys, .ovl, .prg, and .mnu files.
• When the program is loaded, the virus is loaded as well.
• Other file infector viruses arrive as wholly contained programs
or scripts sent as an attachment to an email note.
Macro viruses…
• These viruses specifically target macro language commands in applications
like Microsoft Word and other programs.
• In Word, macros are saved sequences for commands or keystrokes that are
embedded in the documents.
• Macro viruses can add their malicious code to the legitimate macro
sequences in a Word file.
• Microsoft disabled macros by default in more recent versions of Word; as a
result, hackers have used social engineering schemes to convince targeted
users to enable macros and launch the virus.
• Microsoft added a new feature in Office 2016 that allows security
managers to selectively enable macro use for trusted workflows only, as
well as block macros across an organization.
Overwrite viruses…
• Some viruses are designed specifically to destroy a file or application's
data.
• After infecting a system, an overwrite virus begins overwriting files
with its own code.
• These viruses can target specific files or applications or systematically
overwrite all files on an infected device.
• An overwrite virus can install new code in files and applications that
programs them to spread the virus to additional files, applications
and systems.
Polymorphic viruses… (also called stealth virus)
• A polymorphic virus is a type of malware that has the ability to
change or mutate its underlying code without changing its basic
functions or features.
• This process helps a virus evade detection from many antimalware
and threat detection products that rely on identifying signatures of
malware; once a polymorphic virus' signature is identified by a
security product, the virus can then alter itself so that it will no longer
be detected using that signature.
Resident viruses…
• This type of virus embeds itself in the memory of a system.
• The original virus program isn't needed to infect new files or
applications; even if the original virus is deleted, the version stored in
memory can be activated when the operating system loads a specific
application or function.
• Resident viruses are problematic because they can evade antivirus
and antimalware software by hiding in the system's RAM.
Rootkit viruses…
• A rootkit virus is a type of malware that installs an
unauthorized rootkit on an infected system, giving attackers full
control of the system with the ability to fundamentally modify or
disable functions and programs.
• Rootkit viruses were designed to bypass antivirus software, which
typically scanned only applications and files.
• More recent versions of major antivirus and antimalware programs
include rootkit scanning to identify and mitigate these types of
viruses.
System or boot-record infectors…
• These viruses infect executable code found in certain system areas on a disk.
• They attach to the DOS boot sector on diskettes and USB thumb drives or the Master Boot Record
on hard disks.
• In a typical attack scenario, the victim receives a storage device that contains a boot disk virus.
• When the victim's operating system is running, files on the external storage device can infect the
system; rebooting the system will trigger the boot disk virus.
• An infected storage device connected to a computer can modify or even replace the existing boot
code on the infected system so that when the system is booted next, the virus will be loaded and
run immediately as part of the master boot record.
• Boot viruses are less common now as today's devices rely less on physical storage media.
Boot sector Virus :
• It infects the boot sector of the system, executing every time the system is booted and before
the operating system is loaded.
• It infects other bootable media like floppy disks.
• These are also known as memory viruses as they do not infect the file system.
• Armored Virus : An armored virus is coded to make it difficult for
antivirus to unravel and understand. It uses a variety of techniques to
do so like fooling antivirus to believe that it lies somewhere else than
its real location or using compression to complicate its code.
• Tunneling Virus : This virus attempts to bypass detection by antivirus
scanner by installing itself in the interrupt handler chain. Interception
programs, which remain in the background of an operating system
and catch viruses, become disabled during the course of a tunneling
virus. Similar viruses install themselves in device drivers.
Signs you may be infected with a computer virus…
• The following are indications that a computer might be infected by a
virus:
• The computer takes a long time to start up and performance is slow.
• The computer experiences frequent crashes, or shutdown and error
messages.
• The computer behaves erratically, such as not responding to clicks or
opening files on its own.
• The computer’s hard drive is acting strangely; for example, constantly
spinning or making continual noise.
• Email is corrupted.
• The amount of storage on the computer is reduced.
• Files and other data on the computer have gone missing.
Famous computer viruses…
• The "Archiveus" Trojan, which debuted in 2006, was the first known case of
a ransomware virus that used strong encryption to encrypt users' files and data.
Archiveus targeted Windows systems, used RSA encryption algorithms (earlier
versions of ransomware used weaker and easily defeated encryption
technology) and demanded victims purchase products from an online
pharmacy.
• "Cabir" virus is the first verified example of a mobile phone virus for the now
defunct Nokia Symbian operating system. The virus was believed to be created
by a group from the Czech Republic and Slovakia called 29A, who sent it to a
number of security software companies, including Symantec in the United
States and Kaspersky Lab in Russia. Cabir is considered a proof-of-concept
virus, because it proves that a virus can be written for mobile phones,
something that was once doubted.
• The Melissa virus, which first appeared in 1999, was distributed as an
email attachment. If the infected systems had Microsoft Outlook, the
virus would be sent to the first 50 people in an infected user's contact
list. The "Melissa" virus also affected macros in Microsoft Word and
disabled or lowered security protections in the program.
• The "Jerusalem" virus, also known as the "Friday the 13th" virus, was
discovered in 1987 and spread throughout Israel via floppy disks and
email attachments. The DOS virus would infect a system and delete all
files and programs when the system's calendar reached Friday the
13th.
How does a computer virus attack?
• Once a virus has successfully attached to a program, file, or document, the virus
will lie dormant until circumstances cause the computer or device to execute its
code. In order for a virus to infect your computer, you have to run the infected
program, which in turn causes the virus code to be executed.
• This means that a virus can remain dormant on your computer, without showing
major signs or symptoms. However, once the virus infects your computer, the
virus can infect other computers on the same network. Stealing passwords or
data, logging keystrokes, corrupting files, spamming your email contacts, and
even taking over your machine are just some of the devastating and irritating
things a virus can do.
• While some viruses can be playful in intent and effect, others can have profound
and damaging effects. This includes erasing data or causing permanent damage
to your hard disk. Worse yet, some viruses are designed with financial gains in
mind.
Stages of virus…
• Dormant phase.
• The virus is idle. The virus program has managed to access the target user's
computer or software, but during this stage the virus does not take any action. The
virus will eventually be activated by the "trigger", which specifies the event that will
execute the virus, such as a date, the presence of another program or file, the
capacity of the disk exceeding some limit, or the user taking a certain action (e.g.,
double-clicking on a certain icon, opening an e-mail, etc.). Not all viruses have this
stage.
• Propagation phase.
• The virus places an identical copy of itself into other programs or into certain system
areas on the disk. The copy may not be identical to the propagating version; viruses
often "morph" or change to evade detection by IT professionals and anti-virus
software. Each infected program will now contain a clone of the virus, which will
itself enter a propagation phase.
• Triggering phase.
• The virus is activated to perform the function for which it was intended.
The triggering phase can be caused by a variety of system events, including
a count of the number of times that this copy of the virus has made copies
of itself.
• Execution phase.
• The virus function is performed. It can be destructive such as deleting files on
disk, crashing the system, or corrupting files or relatively harmless such as
popping up humorous or political messages on screen.
Worms…
• A computer worm is a type of malicious software program whose
primary function is to infect other computers while remaining active
on infected systems.
• A computer worm is self-replicating malware that duplicates itself to
spread to uninfected computers.
• Worms often use parts of an operating system that are automatic and
invisible to the user.
• It is common for worms to be noticed only when their uncontrolled
replication consumes system resources, slowing or halting other
tasks.
How computer worms spread…
• A computer worm infection spreads without user interaction.
• All that is necessary is for the computer worm to become active on an
infected system.
• Before widespread use of networks, computer worms were spread
through infected storage media, such as floppy diskettes, which,
when mounted on a system, would infect other storage devices
connected to the victim system.
• USB drives are still a common vector for computer worms.
• Stuxnet, one of the most notorious computer worms to date, consists
of a worm component for propagation of the malware through the
sharing of infected USB devices, as well as malware that
targets supervisory control and data acquisition systems, which are
widely used in industrial environments, including power utilities,
water supply services, sewage plants and elsewhere.
How to tell if your computer has a worm…
• If you suspect your devices are infected with a computer worm, run a virus
scan immediately. Even if the scan comes up negative, continue to be
proactive by following these steps…
• Keep an eye on your hard drive space. When worms repeatedly replicate
themselves, they start to use up the free space on your computer.
• Monitor speed and performance. Has your computer seemed a little
sluggish lately? Are some of your programs crashing or not running
properly? That could be a red flag that a worm is eating up your processing
power.
• Be on the lookout for missing or new files. One function of a computer
worm is to delete and replace files on a computer.
Difference between virus and worm…
• Worms are self-replicating files that reside in the memory of an
infected computer.
• A worm often disguises itself as a system file to avoid detection.
• It is similar to a virus by design and is a sub-class of it.
• Worms differ from viruses in that they can be triggered
automatically without any human action.
Propagation of worms…
• Worms spread from one computer to another via email, the network, etc.
• Worms can transfer themselves from one computer to another by using the
user's mail address book.
• They may cause the system resources to slow down or completely halt
tasks.
Trojan horse…
• A Trojan horse or Trojan is a type of malware that is often disguised as legitimate
software.
• Trojans can be employed by cyber-thieves and hackers trying to gain access to
user’s systems.
• Once activated, Trojans can enable cyber-criminals to spy on you, steal your
sensitive data, and gain backdoor access to your system.
• These actions can include:
o Deleting data
o Blocking data
o Modifying data
o Copying data
o Disrupting the performance of computers or computer networks.
• Backdoor Trojan
• This Trojan can create a “backdoor” on your computer. It lets an attacker access your
computer and control it. Your data can be downloaded by a third party and stolen. Or
more malware can be uploaded to your device.
• Distributed Denial of Service (DDoS) attack Trojan
• This Trojan performs DDoS attacks. The idea is to take down a network by flooding it with
traffic. That traffic comes from your infected computer and others.
• Downloader Trojan
• This Trojan targets your already-infected computer. It downloads and installs new
versions of malicious programs. These can include Trojans and adware.
• Fake AV Trojan
• This Trojan behaves like antivirus software, but demands money from you to detect and
remove threats, whether they’re real or fake.
• Game-thief Trojan
• The losers here may be online gamers. This Trojan seeks to steal their
account information.
• Infostealer Trojan
• As it sounds, this Trojan is after data on your infected computer.
• Mailfinder Trojan
• This Trojan seeks to steal the email addresses you’ve accumulated on
your device.
• Ransom Trojan
• This Trojan seeks a ransom to undo damage it has done to your computer. This
can include blocking your data or impairing your computer’s performance. This
type of Trojan can modify data on your computer – so that your computer
doesn’t run correctly or you can no longer use specific data.
• Remote Access Trojan
• This Trojan can give an attacker full control over your computer via a remote
network connection. Its uses include stealing your information or spying on you.
• Rootkit Trojan
• A rootkit aims to hide or obscure an object on your infected computer. Often
their main purpose is to prevent malicious programs being detected in order to
extend the period in which programs can run on an infected computer.
• SMS Trojan
• This type of Trojan infects your mobile device and can send and intercept
text messages. Texts to premium-rate numbers can drive up your phone
costs.
• Trojan banker
• This Trojan takes aim at your financial accounts. It’s designed to steal your
account information for all the things you do online. That includes banking,
credit card, and bill pay data.
• Trojan IM
• This Trojan targets instant messaging. It steals your logins and passwords
on IM platforms.
• That’s just a sample. There are a lot more.
• Trojan-Dropper
These programs are used by hackers in order to install Trojans and /
or viruses – or to prevent the detection of malicious programs. Not all
antivirus programs are capable of scanning all of the components
inside this type of Trojan.
• Other types of Trojans include:
• Trojan-ArcBomb
• Trojan-Clicker
• Trojan-Notifier
• Trojan-Proxy
• Trojan-PSW
Examples of Trojan malware attacks…
• Emotet banking Trojan. After a long hiatus, Emotet’s activity increased in
the last few months of 2017, according to the Symantec 2018 Internet
Security Threat Report. Detections increased by 2,000 percent in that
period. Emotet steals financial information, among other things.
• Rakhni Trojan. This malware has been around since 2013. More recently, it
can deliver ransomware or a cryptojacker (allowing criminals to use your
device to mine for cryptocurrency) to infected computers. “The growth in
coin mining in the final months of 2017 was immense,” the 2018 Internet
Security Threat Report notes. “Overall coin-mining activity increased by
34,000 percent over the course of the year.”
• ZeuS/Zbot. This banking Trojan is another oldie but baddie. ZeuS/Zbot
source code was first released in 2011. It uses keystroke logging —
recording your keystrokes as you log into your bank account, for instance
— to steal your credentials and perhaps your account balance as well.
Spyware…
• Spyware is software that is installed on a computing device without
the end user's knowledge. Any software can be classified as spyware
if it is downloaded without the user's authorization.
• Spyware is a kind of malware that secretly gathers information about
a person or organization and relays this data to other parties.
• In some cases, these may be advertisers or marketing data firms,
which is why spyware is sometimes referred to as “adware.”
• It is installed without user consent by methods such as a drive-by
download, a trojan included with a legitimate program or a deceptive
pop-up window.
• Spyware uses your internet connection to relay personal information
such as your name, address, browsing habits, preferences, interests
or downloads.
• Other forms of spyware hijack your browser to point it to another
website, cause your device to place calls or send texts automatically,
or serve annoying ads even when you are offline.
• Spyware that steals your username, password or other credentials is
referred to as a “keylogger” – an insidious prerequisite for cyber
crime.
• Spyware is a type of malware (or “malicious software”) that collects
and shares information about a computer or network without the
user’s consent.
• It can be installed as a hidden component of genuine software
packages or via traditional malware vectors such as deceptive ads,
websites, email, instant messages, as well as direct file-sharing
connections.
Types of spyware…
• Password stealers are applications designed to harvest passwords from
infected computers. The types of collected passwords may include stored
credentials from web browsers, system login credentials, and sundry
critical passwords. These passwords may be kept in a location of the
attackers’ choosing on the infected machine, or may be transmitted to a
remote server for retrieval.
• Banking Trojans (e.g. Emotet) are applications designed to harvest
credentials from financial institutions. They take advantage of
vulnerabilities in browser security to modify web pages, modify transaction
content, or insert additional transactions, all in a completely covert fashion
invisible to both the user and host web application. Banking Trojans may
target a variety of financial institutions, including banks, brokerages, online
financial portals, or digital wallets. They might also transmit collected
information to remote servers for retrieval.
• Infostealers are applications that scan infected computers and seek out a variety
of information, including usernames, passwords, email addresses, browser
history, log files, system information, documents, spreadsheets, or other media
files. Like banking Trojans, Infostealers may exploit browser security
vulnerabilities to collect personal information in online services and forums, then
transmit the information to a remote server or store it on your PC locally for
retrieval.
• Keyloggers, also referred to as system monitors, are applications designed to
capture computer activity, including keystrokes, websites visited, search history,
email discussions, chatroom dialogue, and system credentials. They typically
collect screenshots of the current window at scheduled intervals. Keyloggers may
also include functionality allowing for stealthy capture and transmission of images
and audio/video from any connected devices. They might even allow attackers to
collect documents that are printed on connected printers, which can then be
transmitted to a remote server, or stored locally for retrieval.
Adware…
• Adware is any software application in which advertising banners are
displayed while a program is running.
• The ads are delivered through pop-up windows or bars that appear
on the program's user interface.
• Adware is commonly created for computers, but may also be found
on mobile devices.
• The justification for adware is that it helps recover programming
development costs for the software developer, and reduces or
eliminates the cost for the user.
• It redirects your search requests to advertising websites and collects
marketing-type data about you – for example, the types of websites
that you visit – so that customised adverts can be displayed.
• Other than displaying advertisements and collecting data, Adware
doesn’t generally make its presence known.
• Usually, there will be no signs of the program in your computer’s
system tray – and no indication in your program menu that files have
been installed on your machine.
• There are two main ways in which Adware can get onto your
computer:
• Via freeware or shareware
Adware can be included within some freeware or shareware
programs – as a legitimate way of generating advertising revenues
that help to fund the development and distribution of the freeware or
shareware program.
• Infected websites
A visit to an infected website can result in unauthorised installation of
Adware on your machine. Hacker technologies are often used. For
instance, your computer can be penetrated via a browser
vulnerability, and Trojans that are designed for stealthy installation
can be used. Adware programs that work in this way are often called
Browser Hijackers.
Fireball…
• Fireball made news in 2017 when a study ordered by an Israeli software company
found that more than 250 million computers and one-fifth of corporate networks
around the world were infected with it.
• Developed by Rafotech, a Chinese digital marketing agency, Fireball is a browser
hijacker. It is bundled with other software created by Rafotech – including
Mustang Browser and Deal Wifi – and installed along with these programs
unbeknownst to the user. When it affects your computer, it takes over your
browser. It changes your homepage to a fake search engine (Trotux) and inserts
obtrusive ads into any webpage you visit. To make matters worse, it prevents you
from modifying your browser settings.
• There’s still no proof that this adware does anything else besides hijacking your
browser and flooding it with ads. However, experts are worried that if Rafotech
decided to launch a cyber attack using Fireball, the consequences would be
devastating simply based on the number of infected systems worldwide.
Appearch…
• Appearch is another very common adware program that acts as a browser
hijacker. Usually bundled with other free software, it inserts so many ads
into the browser that it makes surfing next-to-impossible.
• Whenever you attempt to visit a website, you will be taken to
Appearch.info instead. Even if you manage to open a webpage, Appearch
will convert random blocks of text on it into links, so whenever you select
text, a pop-up will appear offering you to download software updates.
• In addition to ads, Appearch will sometimes show you a message telling
you that access to the website you want to visit is limited. It will then
ask you to subscribe to notifications to access it. If you click on “Allow”, you
will start seeing pop-up ads on your screen even when your browser is
closed. Once you subscribe, the program will override your browser
settings to prevent you from opting out.
• “Social Engineering is a non-technical kind of intrusion relying heavily
on human interaction which often involves tricking other people into
breaking normal security procedures.” The attacker uses social skills
and human interaction to obtain information about an organization or
its computer systems.
• Social engineering has been used to gain unauthorized access into
several huge organizations. A hacker who spends several hours trying
to break passwords could save a great deal of time by calling up an
employee of the organization, posing as a helpdesk or IT employee,
and simply asking for one.
1. Footprinting…
• It is the technique of accumulating information regarding the target(s) and the
surrounding environment.
• Footprinting can reveal the individuals related to the target with whom the attacker has
to establish a relationship, so as to improve the chances of a successful attack.
• The information gathered during the Footprinting phase includes but is not limited to:
List of employee names and phone numbers.
Organization Chart.
Department Information.
Location information.
• Footprinting generally refers to one of the pre-attack phases; tasks
performed prior to doing the actual Social Engineering attack.
• Some of the tools like creepy, SET and Maltego make Social Engineering engagements
easier.
2. Establishing Trust…
• Once the possible targets have been listed out, the attacker then
moves on to develop a relationship with the target who is usually an
employee or someone working in the business so as to develop a
good rapport with them.
• The trust that the social engineer is gaining will later be used to unveil
confidential pieces of information that could cause severe harm to
the business.
3. Psychological Manipulation…
• In this step, the social engineer manipulates the trust that he has
gained in the previous phase so as to extract as much confidential
information or get sensitive operations related to the target system
performed by the employee himself so as to penetrate into the
system with much ease.
• Once all the required sensitive information has been collected, the
social engineer may move on to the next target or move towards
exploiting the actual system under consideration.
4. The Exit…
• Now, after all the actual information has been extracted, the Social
Engineer has to make a clear exit in such a way so as not to divert any
kind of unnecessary suspicion to himself.
• He makes sure to not leave any kind of proof of his visit that could
lead a trace-back to his real identity nor link him to the unauthorized
entry into the target system in the future.
The Human Behavior
• Every Social Engineer targets specific behavioral traits in the victim so as to
extract maximum information out of him. These behavioral traits include
but are not limited to:
• Excitement of Victory: Mr. X gets an e-mail stating, “You have won 1
Million Dollars and to claim the winning amount, fill in the attached
document and forward it to the email id: XXXX@XXXX.com.
Switch off your antivirus as it may block the download due to the highly
encrypted Digital Signature of the documents”. Out of excitement he
switches off his antivirus, proceeds as ordered, downloads the
document and opens it, but finds it corrupted.
• Little does he know that he has just downloaded malware onto his machine
which allows the email sender to gain remote access to it.
Fear of Authority…
• Many people are apprehensive in the presence of someone they
perceive as an authority figure; it is not that person they are
apprehensive about but most likely the position and power of the
person that intimidates them and makes them.
• The attackers take on roles of authority figures such as law
enforcement officers or high ranking company officials to extract
sensitive organizational information from the victims.
Desire to be helpful…
• Keith A. Rhodes, chief technologist at the U.S. General Accounting
Office, which has a Congressional mandate to test the network
security at 24 different government agencies and departments, said in
one of his interviews that, "Companies train their people to be
helpful, but they rarely train them to be part of the security process.
We use the social connection between people, their desire to be
helpful.”
• People, in their desire to be helpful and to solve other people's
queries, give out a lot of information that otherwise should not be
disclosed to an outsider, as it could give an attacker a chance to gain
unauthorized access to the target system, causing a possible loss.
Fear of Loss…
• Mr. X gets an e-mail stating, “You have won 1 Million Dollars and to claim
the winning amount, deposit $75,000 in Account number: XXXXXX within 10
days of receiving this e-mail, failing which the winning amount would
be declared unclaimed and there would be a new lucky-draw to decide the
next winner”. Out of fear that he might lose such a good
opportunity, he deposits the amount to the account number provided.
• When his further replies to the e-mail address go unanswered for the next
two months and the 1 Million Dollars never gets deposited to his account, he
understands that he has been scammed.
Laziness…
• All of us have come across some job or other that requires us to
do only a specified set of activities and not linger around looking for
better ways of doing that activity.
• This causes boredom to the person who performs the same task
repeatedly on a daily basis, and over time they learn “shortcuts” to do
the tasks using minimal effort while still meeting the targets.
• Such individuals over a period of time become lazy and are
susceptible to attackers who target them, knowing that
they would get the required information with much ease due to the
laid-back attitude of these individuals towards their work.
Ego…
• Many times, the attacker makes the person more emotionally sure
of himself/herself, thus removing the logical awareness of the
security breach that is occurring.
• The result is that the person being hacked senses no harm in
providing whatever it is that the attacker is requesting.
• The reason that such an attack succeeds is that the attacker is a
receptive audience for victims to display how much knowledge they
have.
Insufficient knowledge…
• Knowledge about the target system is one of the key factors that
differentiate the attacker from other employees of the organization.
• Many times, due to lack of proper training, the employees are
themselves not sure if they have complete knowledge about the
product, and Social Engineers take advantage of such situations by
creating a sense of urgency and not allowing the employee much
time to think and understand that they are under attack.
The Weapons of a Social Engineer…
• The old-fashioned technical way of breaking into computer
systems by brute-forcing user logins or ports has now been
replaced by sophisticated methods that not only are easier, but yield
better and faster results based on human psychology.
• These attacks can help the attacker get access to any system
irrespective of the platform, software or hardware involved.
• How exactly does a person go about carrying out a Social Engineering attack?
• The figure below shows some of the most popular techniques used to
perform a Social Engineering attack:
Shoulder Surfing…
• Shoulder surfing is a security attack wherein the attacker uses
observational techniques, such as looking over someone's shoulder,
to get information while they are performing some action that
involves explicit usage of sensitive, visible information.
• This can be performed at a close range as well as at a long range using
binoculars or other vision enhancing devices.
Dumpster Diving…
• Often, huge organizations carelessly dump items like company phone
books, system manuals, organizational charts, company policy
manuals, calendars of meetings, events and vacations, printouts of
sensitive data or login names and passwords, printouts of source
code, disks and tapes, company letterhead and memo forms, and
outdated hardware into the company dumpsters.
• The attacker can use these items to get a huge amount of information
about the company organization and network structure.
• This method of searching through the dumpster, looking for
potentially useful information discarded by a company's employees, is
known as Dumpster Diving.
Trojan horses…
• It is one of the most predominant methods currently used by hackers:
the victim is tricked into downloading a malicious file to the
system, which on execution creates a backdoor in the machine that
can be used by the attacker at any time in the future, giving
complete access to the victim's machine.
Role playing…
• It is one of the key weapons for a Social Engineer.
• It involves persuading people or gathering information through the use of an
online chat session, emails, phone or any other method that your
company uses to interact online with the public, pretending to be a
helpdesk, employee, technician, helpless or important user in order to
get them to divulge confidential information.
Phishing…
• It is the act of creating and using websites and e-mails designed to
look like those of well-known legitimate businesses, financial
institutions and government agencies to deceive Internet users into
disclosing their personal information. The attacker falsely claims to be an
established legitimate enterprise in an attempt to scam the user into
surrendering private information that will be used for identity theft.
Surfing Organization Websites & Online
forums…
• A huge amount of information regarding the organization structure,
email ids and phone numbers is available openly on the company
website and other forums.
• This information can be used by the attacker to refine his approach
and create a plan on whom to target and the method to be used.
Reverse Social Engineering…
• A reverse social engineering attack is an attack in which an attacker
convinces the target that he has a problem or might have a certain problem
in the future and that the attacker is ready to help solve the problem.
Reverse social engineering involves three parts:
• Sabotage: After the attacker gains a simple access to the system, he
corrupts the system or gives it an appearance of being corrupted. When
the user sees the system in the corrupted state, he starts looking for help
so as to solve the problem.
• Marketing: In order to make sure that the user approaches the attacker
with the problem, the attacker advertises himself as the only person who
can solve the problem.
• Support: In this step, he gains the trust of the target and obtains access to
sensitive information.
Defense against Social Engineering …
• Security Awareness Training: Security awareness is the simplest solution
to prevent Social Engineering attacks. Every person in the organization
must be given basic security awareness training on a timely basis: he/she
should never give out any information without the appropriate
authorization and should report any suspicious behavior.
• Background Verification: There is a real chance that an attacker may join the
company as an employee so as to gather insider information about the
company. This makes background screening a really important part of
company policies to counter Social Engineering attacks. It should not only
be limited to internal employees but must also be extended to vendors and
other contractual workers before they become part of the
organization or are given access to the organization's network.
• Physical security: There should be a proper access control mechanism in
place to make sure that only authorized people are allowed access to
restricted sections of the organization. There should be no
tailgating.
• Limited data leakage: There should be constant monitoring of what
information about the organization is floating on the World Wide
Web. Any kind of irregularity should be taken care of immediately.
This will make passive information gathering difficult for the attacker.
• Mock Social Engineering drills: Special Social Engineering exercises
should be performed on the internal employees of the organization
by either the security team or by a vendor so as to keep track of the
security awareness levels in the organization.
• Data Classification policy: There should be proper classification of
data on the basis of its criticality level and the personnel allowed access.
Data classification assigns a level of sensitivity to company
information. Each level of data classification includes different rules
for viewing, editing and sharing of the data. It helps to deter social
engineering by providing employees a mechanism for understanding
what information can be disclosed and what cannot be shared
without proper authorization.
UNIT-III
• A Denial-of-Service (DoS) attack is an attack meant to shut down a
machine or network, making it inaccessible to its intended users.
• DoS attacks accomplish this by flooding the target with traffic, or sending it
information that triggers a crash.
• In both instances, the DoS attack deprives legitimate users (i.e. employees,
members, or account holders) of the service or resource they expected.
• There are two general methods of DoS attacks: flooding services or
crashing services.
• Flood attacks occur when the system receives more traffic than the
server can buffer, causing it to slow down and eventually stop.
• Popular flood attacks include:
• The basic types of DoS attack include:
• Flooding the network to prevent legitimate network traffic
• Disrupting the connections between two machines, thus preventing
access to a service
• Preventing a particular individual from accessing a service.
• Disrupting a service to a specific system or individual
• Disrupting the state of information, such as resetting of TCP sessions
• Another variant of the DoS is the smurf attack.
• This involves emails with automatic responses. If someone emails
hundreds of email messages with a fake return email address to
hundreds of people in an organization with an auto responder on in
their email, the initial sent messages can become thousands sent to
the fake email address.
• If that fake email address actually belongs to someone, this can
overwhelm that person's account.
• A few common historic DoS attacks include:
• Smurf attack - a previously exploited DoS attack in which a malicious
actor utilizes the broadcast address of a vulnerable network by sending
spoofed packets, resulting in the flooding of a targeted IP address.
• Ping flood - this simple denial-of-service attack is based on
overwhelming a target with ICMP (ping) packets. By inundating a
target with more pings than it is able to respond to efficiently, denial-
of-service can occur. This attack can also be used as a DDoS attack.
• Ping of Death - often conflated with a ping flood attack, a ping of
death attack involves sending a malformed packet to a targeted
machine, resulting in deleterious behavior such as system crashes.
• Buffer overflow attacks – the most common DoS attack. The concept
is to send more traffic to a network address than the programmers
have built the system to handle. It includes the attacks listed below, in
addition to others that are designed to exploit bugs specific to certain
applications or networks.
• SYN flood – sends a request to connect to a server, but never
completes the handshake. Continues until all open ports are
saturated with requests and none are available for legitimate users to
connect to.
• Volumetric attacks:
• This is an attack where the entire bandwidth of a network is consumed so
that authorized clients will not be able to get the resources. This is achieved
by flooding the network devices like hubs or switches with numerous ICMP
echo request/reply packets so the entire bandwidth is consumed, and no
other clients are able to connect with the target network.
• Syn flooding:
• This is another attack where an attacker compromises multiple zombies and
simultaneously floods the target with multiple SYN packets. The target will
be overwhelmed by the SYN requests; either it goes down or its
performance is reduced drastically.
• Fragmentation attacks:
• This is an attack that fights against the reassembling ability of the target.
Numerous fragmented packets are sent to the target, making it difficult for the
target to reassemble them; thereby, denying access to the valid clients.
• TCP-State exhaustion attack:
• The attacker sets up and tears down TCP connections and overwhelms the state
tables; thereby, causing a DoS attack.
• Application Layer Attacks:
• The attacker takes advantage of programming errors in the application to
cause the denial of service attack. It is achieved by sending numerous application
requests to the target to exhaust the target’s resources so it will not be able to
service any valid clients. An example of such a programming error is the buffer
overflow: if the memory allocated to a variable is smaller than what is requested, it
may lead to memory leakage or crash the entire application.
• Method 1: Get help recognizing attacks
• Companies often use technology or anti-DDoS services to help defend themselves. These
can help you distinguish between legitimate spikes in network traffic and a DDoS attack.
• Method 2: Contact your Internet Service provider
• If you find your company is under attack, you should notify your Internet Service Provider
as soon as possible to determine if your traffic can be rerouted. Having a backup ISP is a
good idea, too. Also, consider services that can disperse the massive DDoS traffic among
a network of servers. That can help render an attack ineffective.
• Method 3: Investigate black hole routing
• Internet service providers can use “black hole routing.” It directs excessive traffic into a
null route, sometimes referred to as a black hole. This can help prevent the targeted
website or network from crashing. The drawback is that both legitimate and illegitimate
traffic is rerouted in the same way.
• Method 4: Configure firewalls and routers
• Firewalls and routers should be configured to reject bogus traffic.
Remember to keep your routers and firewalls updated with the latest
security patches.
• Method 5: Consider front-end hardware
• Application front-end hardware that’s integrated into the network
before traffic reaches a server can help analyze and screen data
packets. The hardware classifies the data as priority, regular, or
dangerous as they enter a system. It can also help block threatening
data.
Spamming…
• Spam refers to the use of electronic messaging systems to send out
unrequested or unwanted messages in bulk.
• The difficulty with stopping spam is that the economics of it are so
compelling. While most would agree that spamming is unethical, the
cost of delivering a message via spam is next to nothing.
• If even a tiny percentage of targets respond, a spam campaign can be
successful economically.
Port Scanning…
• Port Scanning is the name for the technique used to identify open
ports and services available on a network host.
• It is sometimes utilized by security technicians to audit computers for
vulnerabilities; however, it is also used by hackers to target victims.
• It can be used to send requests to connect to the targeted computers,
and then keep track of the ports which appear to be opened, or those
that respond to the request.
• A port scan is a series of messages sent by someone attempting to
break into a computer to learn which computer network services,
each associated with a "well-known" port number, the computer
provides.
Port Sweeping…
• Port sweeping is regarded by certain systems experts to be different
from port scanning.
• They point out that port scanning is executed through the searching
of a single host for open ports.
• However, they state that port sweeping is executed through the
searching of multiple hosts in order to target just one specific open
port.
Types of port scans methods include:
• Essentially, a port scan consists of sending a message to each port, one at a
time.
• The kind of response received indicates whether the port is used and can
therefore be probed for weakness.
• Vanilla– the most basic scan; an attempt to connect to all 65,536 ports one
at a time. A vanilla scan is a full connect scan, meaning it sends a SYN flag
(request to connect) and upon receiving a SYN-ACK (acknowledgement of
connection) response, sends back an ACK flag. This SYN, SYN-ACK, ACK
exchange comprises a TCP handshake. Full connect scans are accurate, but
very easily detected because full connections are always logged by
firewalls.
• Strobe - An attempt to connect to only selected ports (typically, under 20)
• XMAS and FIN Scans– an example of a suite of scans used to gather
information without being logged by the target system.
• In a FIN scan, an unsolicited FIN flag (used normally to end an established
session) will be sent to a port.
• The system’s response to this random flag can reveal the state of the port
or insight about the firewall.
• For example, a closed port that receives an unsolicited FIN packet, will
respond with a RST (an instantaneous abort) packet, but an open port will
ignore it.
• An XMAS scan simply sends a set of all the flags, creating a nonsensical
interaction.
• The system’s response can be interpreted to better understand the
system’s ports and firewall.
• FTP Bounce Scan– allows for the sender’s location to be disguised by
bouncing the packet through an FTP server. This is also designed for
the sender to go undetected.
• Sweep scan– pings the same port across a number of computers to
identify which computers on the network are active. This does not
reveal information about the port’s state, instead it tells the sender
which systems on a network are active. Thus, it can be used as a
preliminary scan.
• Stealth scan - Also referred to as a half-open scan, it only sends a
SYN, and waits for a SYN-ACK response from the target. If a response
is received, the scanner never responds. Since the TCP connection
was not completed, the system doesn’t log the interaction, but the
sender has learned if the port is open or not.
• FTP Bounce Scan - Attempts that are directed through a File Transfer
Protocol server to disguise the cracker's location.
• Fragmented Packets - Scans by sending packet fragments that can get
through simple packet filters in a firewall.
• UDP - Scans for open User Datagram Protocol ports.
• In general, port scanning attempts to classify ports into one of three
designations:
• Open: the destination responds with a packet indicating it is listening
on that port, which also indicates that whatever service was used for
the scan (commonly TCP or UDP) is in use as well
• Closed: the destination received the request packet but responds
with a reply indicating that there is no service listening at the port
• Filtered: the port might be open, but the packet has been filtered out
by a firewall and dropped, so no reply is received
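The half-open handshakes described under SYN flooding above and the port-scan, port-sweep and open/closed/filtered distinctions drawn in this section all leave the same trace in connection logs, so one detector can serve both passages. The following is an added example, not code from the slides: it assumes a constructed, normalized log of handshake events (client, client port, server, server port, stage) and illustrative thresholds, classifies what a scanner would have learned about each port, and flags scans, sweeps and SYN floods from the defender's side.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One normalized handshake event as a connection tracker might log it:
# (timestamp, client, client_port, server, server_port, stage) with stage
# "SYN" (client), "SYN-ACK" (server), "ACK" (client) or "RST" (either side).
Event = Tuple[float, str, int, str, int, str]

# Illustrative thresholds (assumptions, not values from the slides).
SCAN_PORTS = 10       # distinct ports probed on one host by one client
SWEEP_HOSTS = 10      # distinct hosts probed on one port by one client
FLOOD_HALF_OPEN = 50  # half-open connections pending on one (server, port)
FLOOD_SOURCES = 5     # ...contributed by at least this many clients


def port_states(events: List[Event]) -> Dict[Tuple[str, int], str]:
    """What a scanner learns per (server, port), using the slide's rule:
    SYN-ACK reply => open, RST reply => closed, no reply at all => filtered."""
    states: Dict[Tuple[str, int], str] = {}
    for _, _, _, server, port, stage in sorted(events):
        key = (server, port)
        if stage == "SYN":
            states.setdefault(key, "filtered")
        elif stage == "SYN-ACK":
            states[key] = "open"
        elif stage == "RST" and states.get(key) != "open":
            states[key] = "closed"  # RST after SYN-ACK is just the scanner aborting
    return states


def half_open(events: List[Event]) -> Set[Tuple[str, int, str, int]]:
    """Flows where the client sent SYN but never sent the final ACK; a
    half-open (stealth) scan and a SYN flood both leave exactly this trace."""
    started, completed = set(), set()
    for _, client, cport, server, port, stage in events:
        flow = (client, cport, server, port)
        if stage == "SYN":
            started.add(flow)
        elif stage == "ACK":
            completed.add(flow)
    return started - completed


def detect_probing(events: List[Event]):
    """Port scans (one client, one host, many ports) and port sweeps (one
    client, one port, many hosts): the distinction the slides draw."""
    by_host: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    by_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for _, client, _, server, port, stage in events:
        if stage == "SYN":
            by_host[(client, server)].add(port)
            by_port[(client, port)].add(server)
    scans = sorted((c, s, len(p)) for (c, s), p in by_host.items() if len(p) >= SCAN_PORTS)
    sweeps = sorted((c, p, len(h)) for (c, p), h in by_port.items() if len(h) >= SWEEP_HOSTS)
    return scans, sweeps


def detect_syn_floods(events: List[Event]) -> List[Tuple[str, int, int, int]]:
    """SYN flood: many half-open connections to one service from many clients.
    Returns (server, port, pending_half_open, distinct_clients) per hit."""
    pending: Dict[Tuple[str, int], int] = defaultdict(int)
    clients: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for client, _, server, port in half_open(events):
        pending[(server, port)] += 1
        clients[(server, port)].add(client)
    return sorted((s, p, n, len(clients[(s, p)])) for (s, p), n in pending.items()
                  if n >= FLOOD_HALF_OPEN and len(clients[(s, p)]) >= FLOOD_SOURCES)


def sample_events() -> List[Event]:
    """Constructed traffic (documentation address ranges): one legitimate
    connection, a half-open scan, a port sweep and a SYN flood."""
    srv, scanner = "198.51.100.10", "203.0.113.77"
    ev: List[Event] = [(0.00, "203.0.113.5", 40000, srv, 443, "SYN"),
                       (0.01, "203.0.113.5", 40000, srv, 443, "SYN-ACK"),
                       (0.02, "203.0.113.5", 40000, srv, 443, "ACK")]
    # Half-open scan of 12 ports: 22/80/443 answer SYN-ACK and the scanner
    # aborts with RST, 135 is silently dropped, the rest answer RST.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
        t = 1.0 + i
        ev.append((t, scanner, 50000 + i, srv, port, "SYN"))
        if port in (22, 80, 443):
            ev.append((t + 0.01, scanner, 50000 + i, srv, port, "SYN-ACK"))
            ev.append((t + 0.02, scanner, 50000 + i, srv, port, "RST"))
        elif port != 135:
            ev.append((t + 0.01, scanner, 50000 + i, srv, port, "RST"))
    # Sweep: the same client tries port 445 on 12 further hosts (no replies).
    for i in range(12):
        ev.append((20.0 + i, scanner, 51000 + i, f"198.51.100.{20 + i}", 445, "SYN"))
    # SYN flood: 6 zombies each leave 10 half-open connections on srv:80.
    for z in range(6):
        for i in range(10):
            t = 30.0 + i + z / 10
            ev.append((t, f"192.0.2.{z + 1}", 60000 + i, srv, 80, "SYN"))
            ev.append((t + 0.001, f"192.0.2.{z + 1}", 60000 + i, srv, 80, "SYN-ACK"))
    return ev
```

On the constructed sample, `detect_probing` reports one scan of 12 ports and one sweep of 13 hosts from the same client, and `detect_syn_floods` reports 61 pending half-open connections to port 80 from 7 distinct sources (the six zombies plus the scanner's own probe).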
Creating isolated network presence using virtualization…
• The term network virtualization refers to the creation of logically isolated network partitions overlaid on top of a common enterprise physical network infrastructure.
• Each partition is logically isolated from the others, and must provide the same services that are available in a traditional dedicated enterprise network.
• The end user experience should be as if connected to a dedicated network providing privacy, security, an independent set of policies, service level, and even routing decisions.
• At the same time, the network administrator can easily create and modify virtual work environments for various user groups, and adapt to changing business requirements adequately.
• The latter is possible because of the ability to create security zones that are governed by policies enforced centrally; these policies usually control (or restrict) the communication between separate virtual networks or between each logical partition and resources that can be shared across virtual networks.
• Because policies are centrally enforced, adding or removing users and services to or from a VPN requires no policy reconfiguration.
• Meanwhile, new policies affecting an entire group can be deployed centrally at the VPN perimeter.
• Thus, virtualizing the enterprise network infrastructure provides the benefits of using multiple networks but not the associated costs, because operationally they should behave like one network.
• Network virtualization provides multiple solutions to business problems and drivers that range from simple to complex.
• Simple scenarios include enterprises that want to provide Internet access to visitors (guest access).
• The stringent requirement in this case is to allow visitors external Internet access, while simultaneously preventing any possibility of unauthorized connection to the enterprise internal resources and services.
• This can be achieved by dedicating a logical "virtual network" to handle the entire guest communication path.
• The architecture of an end-to-end network virtualization solution targeted to satisfy the requirements listed above can be separated into the following three logical functional areas:
• Access control
• Path isolation
• Services edge
Hosting different operating systems virtually and networking amongst these…
• To share files between a host computer and a virtual machine or between two virtual machines, you use the networking features of VMware ESX Server.
• If you know how to share files between two physical computers on a network, you already know how to share files with a virtual machine.
• This section describes four scenarios for sharing files between two systems, either a host computer and a virtual machine or two virtual machines, where
• Both systems run Windows operating systems, using Windows file sharing
• You are connecting from a Linux system to a Windows system, using smbmount
• You are connecting from a Windows system to a Linux system, using Samba
• Both systems run Linux operating systems, using NFS, FTP and telnet
• Network Virtualization—Access Control Design Guide (http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/AccContr.html)—Responsible for authenticating and authorizing entities connecting at the edge of the network; this allows assigning them to their specific network "segment", which usually corresponds to deploying them in a dedicated VLAN.
• Network Virtualization—Services Edge Design Guide (http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html)—Central policy enforcement point where it is possible to control/restrict communications between separate logical partitions or access to services that can be dedicated or shared between virtual networks.
• The path isolation functional area is the focus of this guide.
• This guide mainly discusses two approaches for achieving virtualization of the routed portion of the network:
• Policy-based network virtualization—Restricts the forwarding of traffic to specific destinations, based on a policy, and independently from the information provided by the control plane. A classic example of this uses ACLs to restrict the valid destination addresses to subnets in the VPN.
• Control plane-based network virtualization—Restricts the propagation of routing information so that only subnets that belong to a virtual network (VPN) are included in any VPN-specific routing tables and updates. This second approach is the core of this guide, because it allows overcoming many of the limitations of the policy-based method.
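A small model of the two approaches just contrasted, added here as an example and not taken from the slides or from the Cisco guide: the policy-based variant keeps one routing table shared by all VPNs and depends on an ACL to deny cross-VPN destinations, while the control plane-based variant gives each VPN its own routing table that only ever received the VPN's own prefixes. The VPN names, subnets and next-hop labels are constructed, and the model covers only the routed portion of the fabric (no default route).

```python
# Added example (not from the slides): policy-based versus control plane-based
# isolation of the routed portion of a network, modelled as route lookups.
import ipaddress

# Constructed VPNs and the subnets that belong to each of them.
VPN_SUBNETS = {
    "GUEST": ["10.10.0.0/16"],
    "CORP":  ["10.20.0.0/16", "10.30.0.0/16"],
}

def _routes(vpns):
    """Build (network, next_hop) entries for the given VPNs."""
    return [(ipaddress.ip_network(n), f"{v.lower()}-gw")
            for v in vpns for n in VPN_SUBNETS[v]]

def lookup(table, dst):
    """Longest-prefix match; None means no route, so the packet is dropped."""
    matches = [(n, nh) for n, nh in table if dst in n]
    return max(matches, key=lambda e: e[0].prefixlen)[1] if matches else None

def policy_based(src_vpn, dst, acl_enforced=True):
    """One global table shared by every VPN; only the ACL blocks cross-VPN
    traffic. acl_enforced=False models an interface that lacks the ACL."""
    dst = ipaddress.ip_address(dst)
    others = [v for v in VPN_SUBNETS if v != src_vpn]
    if acl_enforced and any(dst in n for n, _ in _routes(others)):
        return "denied-by-acl"
    return lookup(_routes(VPN_SUBNETS), dst)   # global table knows every VPN

def control_plane_based(src_vpn, dst):
    """Per-VPN table holding only the VPN's own subnets: other VPNs' prefixes
    were never propagated into it, so there is nothing to forward to."""
    return lookup(_routes([src_vpn]), ipaddress.ip_address(dst))

if __name__ == "__main__":
    print(policy_based("GUEST", "10.20.1.5"))
    print(policy_based("GUEST", "10.20.1.5", acl_enforced=False))
    print(control_plane_based("GUEST", "10.20.1.5"))
    print(control_plane_based("CORP", "10.30.2.2"))
```

With the ACL in place both approaches stop the guest-to-corporate packet, but without it the shared table still forwards it, whereas the per-VPN table never had a route for it in the first place.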
Path Isolation Overview…
• Path isolation refers to the creation of independent logical traffic paths over a shared physical network infrastructure.
• This involves the creation of VPNs with various mechanisms as well as the mapping between various VPN technologies, Layer 2 segments, and transport circuits to provide end-to-end isolated connectivity between various groups of users.
• The main goal when segmenting the network is to preserve and in many cases improve the scalability, resiliency, and security services available in a non-segmented network.
• Any technology used to achieve virtualization must also provide the necessary mechanisms to preserve resiliency and scalability, and to improve security.