Authentication

Access Controls
The ability to permit or deny the use of an object by a subject.
It provides 3 essential services:
 Authentication (who can login)
 Authorization (what authorized users can do)
Accountability (identifies what a user did)
Access Controls
Users first must be identified as authorized user, such as by logging in with user name and
password to laptop computer
because laptop connects to corporate network that contains critical data, important also
to restrict user access to only software, hardware, and other resources for which user has
been approved
 these two acts—authenticating only approved users and controlling their access to
resources—are important foundations in information security
Access control - granting or denying approval to use specific resources; it is
controlling access
 physical access control - fencing, hardware door locks, and mantraps that limit contact with
devices
 Technical access control - technology restrictions that limit users on computers from accessing data
Access control terminology
identification - presenting credentials (example: delivery driver presenting
employee badge) , Username in computer system
authentication - checking credentials (example: examining the delivery driver’s
badge) , User provides the passwords
authorization - granting permission to take action (example: allowing delivery
driver to pick up package), User Authorized to view Dashboard after login
Access control model - hardware and software predefined framework that
custodian can use for controlling access
 access control models used by custodians for access control are neither created nor installed
by custodians or users; instead, these models are already part of software and hardware.
Access control model
 DAC - Discretionary access control
 least restrictive model,
 Every object has owner, who has total control over that object
 Owners can create and access their objects freely
MAC - Mandatory access control
 opposite of DAC and is most restrictive access control model
 Assigns users’ access controls strictly according to custodian’s desires and user has no freedom
to set any controls
UAC - Windows user account control
 user/admin level model that notifies or requires authentication prior to granting access
RBAC- Role Based Access Control
 Access based on user’s job function within organization
 Considered more “real-world” access control
RBAC- Rule Based Access Control
 Dynamically assign roles to subjects based on set of rules defined by custodian
Identification Vs Authentication
• Identification : Markers of a person’s identity are often public, well-
known as unprotected (or easy to guess)
• E.g a persons name, email address, phone numbers, userID
• These markers are known as identifiers
• Many people could easily obtain this information and claim to be you
simply by using one of your identifiers
• Authentication seeks to confirm that an entity is who he/she /it
claims to be
• Methods of authentication should be reliable
• Data used for identification is often public – data used for authentication
purposes should be kept private
Authentication
Authentication is any process by which a system verifies the
identity of a user who wishes to access it
Authentication may be implemented using
Credentials, each of which is composed of a User ID and Password.
Alternately, Authentication may be implemented with Smart Cards, an
Authentication Server or even a Public Key Infrastructure
Many Ways to Prove Who You Are
What you know – Passwords/Secret key
Where you are – IP address
What you are – Biometrics (e.g. fingerprint)
 What you have – Secure tokens/smart card/ ATM card
Authentication
A means to verify or prove a user’s identity
The term “user” may refer to:
 Person
Application or process
Machine or device
Identification comes before authentication
Provide username to establish user’s identity
To prove identity, a user must present either of the following:
 What you know (passwords, passphrase, PIN)
What you have (token, smart cards, passcodes, RFID)
Who you are (biometrics such as fingerprints and iris scan, signature or voice)
Authentication
Authentication
• Password-based authentication.
• Multi-factor authentication.
• Certificate-based authentication.
• Biometric authentication.
• Token-based authentication
Strong Authentication
• An absolute requirement
• Two-factor authentication
• Passwords (something you know)
• Tokens (something you have)
• • Examples:
• Passwords
• Tokens
• Tickets
• Restricted access
• PINs
• Biometrics
• Certificates
Multifactor Authentication
What if the Authentication Token device gets stolen
PIN numbers are used to generate a one-time passwords with the
authentication token devices
• Multifactor Authentication
• What you know
• Passwords/Secret key
• What you are
• Biometrics (e.g. fingerprint)
• What you have
• Secure tokens/smart card/ ATM card
Authentication Tokens
Password is a 1-factor authentication
 It is something you know
 Authentication Token are 2-factor authentication
 You must have something
 The authentication token itself
 You must know something
 PIN to protect it
Certificate Based Authentication
This is based on the Digital Certificates of the user
 In PKI, the digital certificates are used for secure digital
transactions.
The digital certificates in PKI can also be re-used for user
authentication as well
This is a stronger mechanism as compared to password based
authentication
 Issue
 Misuse of someone else’s certificate
 To tackle such issues, certificate based authentication is also made 2 factor
process (have something and know something)
Use of Smart Cards
The use of Smart Cards is related to Certificate Based
Authentication
This is because the smart cards allows the generation of public-
private key pairs within the card
They also support the storage of digital certificates within the
card
The private key always remain in the smart card in a secure
fashion
The public key and the certificate is exposed outside
Also the smart cards are capable of performing cryptographic
functions such as encryption, decryption, message digest
creation and signing within the card
 Thus during the certificate based authentication, the signing of random
challenge sent by the server can be performed inside the card
Biometric Authentication
A biometric device works on the basis of some human
characteristics, such as fingerprints, voice or the pattern of lines
in the iris of your eye
 The user database contains a sample of user’s biometric
characteristics
During the authentication, the user is required to provide
another sample of the users’ biometric characteristic.
 This is matched with the one in the database, and if the two
samples are same, the user is considered to be a valid one.
The samples produced during every authentication process can
vary slightly. (e.g. cuts on the finger)
An approximate match can be acceptable
Biometric Authentication
Any Biometric Authentication System defines two configurable
parameters:
 False Accept Ratio (FAR)
 It is a measurement of the chance that a user who should be rejected is actually
accepted by a system as good enough
 False Reject Ratio (FRR)
 It is a measurement of the chance that a user who should be accepted as valid is
actually rejected by a system as not good enough
Thus FAR and FRR are exactly opposite to each other
Best practices for access control
 establishing best practices for limiting access can help secure systems
and data
 a few best practices:
 separation of duties - not to give one person total control
 job rotation - individuals periodically moved between job responsibilities
 least privilege - limiting access to information based on what is needed to
perform a job function
 implicit deny - if condition is not explicitly met, access request is rejected •
 mandatory vacations - limits fraud, because perpetrator must be present daily to
hide fraudulent actions
Security Controls/Safeguards
Protecting Network System
One Categorization Another Categorization
• Physical Controls • Physical Controls
• Access Controls • Technical Controls
• Communication Controls • Administrative
• Business Continuity Controls
Planning
• Information Systems
Auditing
Security Controls
Physical Controls Access Controls
• Prevent unauthorized individuals from • Authentication
gaining access to a company’s facilities. • Something the user is
• Walls • Something the user has
• Doors • Something the user does
• Fencing • Something the user knows
• Gates • Passwords
• Locks • Authorization
• Badges • E.g. Role Based Access Controls
• Guards (RBAC)
• Alarm systems
Security Controls
Communication/Network Business Continuity
Controls Planning(BCP)
• Firewalls • Disaster Recovery(DR)
• Intrusion Detection System Plan and Backup Plans
• Intrusion Prevention System
• Hot Site
• Anti-malware Systems
• Whitelisting and Blacklisting • Cold Site
• Encryption
• Virtual Private Networking
• Secure Socket Layer
• Employee Monitoring Systems
Authentication Protocols
• An authentication protocol is a type of computer communications
protocol or cryptographic protocol specifically designed for transfer
of authentication data between two entities.
• User authentication is the first most priority while responding to the
request made by the user to the software application.
• There are several mechanisms made which are required to
authenticate the access while providing access to the data.
• An authentication protocol allows the receiving party (such as a
server) to verify the identity of another party (such as a person using
a mobile device to log in).
• Almost every single computer system uses some kind of network
authentication to verify users.
Authentication Protocols
• Kerberos :
• Kerberos is a protocol that aids in network authentication.
• This is used for validating clients/servers during a network employing a
cryptographic key.
• Lightweight Directory Access Protocol (LDAP) :
• It is a protocol that is used for determining any individuals, organizations, and
other devices during a network regardless of being on public or corporate
internet.
• It is practiced as Directories-as-a-Service and is the grounds for Microsoft
building Activity Directory.

https://www.geeksforgeeks.org/types-of-authentication-
protocols/
Authentication Protocols
• OAuth2 :
• OAuth as the name suggests it is an authorization framework that promotes
granting limited access to the user on its account through an HTTP service.
• When a user requests access to resources an API call is made and after the
authentication token is passed.
• If you've ever used a login from another site (like Facebook) to get into a new
site (like The New York Times), you've used OAuth 2.0. An application pulls
resources on your behalf, and you don't have to share credentials
Authentication Protocols
• SAML :
• SAML stands for Security Assertion Markup Language which is based on XML-
based authentication data format which provides the authorization between
an identity provider and service provider.
• It serves as a product of the OASIS Security Services Technical Committee
Authentication Protocols
• RADIUS :
• RADIUS stands for Remote Authentication Dial-In User Service.
• It is a network protocol that provides sufficient centralized Authentication,
Accounting, and Authorization for the users that use and network services.
• The functioning of the protocol occurs when the user requests access to
network resources, where the RADIUS server encrypts the credentials which
are entered by the user.
• After this, the user credentials are mapped through the local database and
• You provide a username and password, and the RADIUS system verifies the
information by comparing it to data in a database.
Authentication Protocols
• These are five other types of authentication protocols to know:
• Challenge-Handshake Authentication Protocol (CHAP): This system
reauthenticates users periodically, even within the same session. Each challenge
is different from the last version.
• DIAMETER: This protocol provides a framework for authentication and accounting
messages. It's derived from RADIUS, and it's considered an improvement upon
that protocol.
• Extensible authentication protocol (EAP): Wireless networks and point-to-point
connections often lean on EAP.
• Password authentication protocol (PAP): A user submits a username and
password, which the system compares to a database.
• TACACS: Accomplish IP-based authentication via this system. Later versions of this
protocol include encryption.
Network Security
• Network Security protects your network and data from breaches, intrusions
and other threats.
• This is a vast and overarching term that describes hardware and software
solutions as well as processes or rules and configurations relating to
network use, accessibility, and overall threat protection.
• A well designed network security solution reduces overhead expenses and
safeguards organizations from costly losses that occur from a data breach or
other security incident.
• Network Security involves following tools and techniques
• access control,
• virus and antivirus software,
• application security,
• network analytics,
• types of network-related security (endpoint, web, wireless),
• firewalls,
• VPN encryption and more.
Trusted Network
• Standard defensive-oriented technologies
• Firewall
• Perimeter / Gateway Firewall
• Web Application Firewall
• Intrusion Detection (IDS)
• Intrusion Prevention (IDS)
• Build TRUST on top of the TCP/IP infrastructure
• Strong authentication
• Public Key Infrastructure (PKI)
Defense in depth(DiD)
• Effective approach is
• to look at security from a holistic perspective and build a system that
minimizes the impact of any one protection being bypassed.
• It builds multiple layers of controls that complement each other
in protecting critical data
• The main idea is :
• if any one security control protecting critical systems or information is
compromised, another control is in place to stop or limit the impact of
the attack.
• This is also referred to as “layered security,”
• looking at how systems work together to offer protection, rather than
simply putting one control behind another.
Kerberos
• Kerberos is a network authentication protocol. It is designed to
provide strong authentication for client/server applications by using
secret-key cryptography.
• It has the following characteristics:
• It is secure: it never sends a password unless it is encrypted.
• Only a single login is required per session. Credentials defined at login are
then passed between resources without the need for additional logins.
• The concept depends on a trusted third party – a Key Distribution Center
(KDC). The KDC is aware of all systems in the network and is trusted by all of
them.
• It performs mutual authentication, where a client proves its identity to a
server and a server proves its identity to the client.
Kerberos
• In mythology, Kerberos (also known as Cerberus) is a large, three-
headed dog that guards the gates to the underworld to keep souls
from escaping.
• In our world, Kerberos is the computer network authentication
protocol initially developed in the 1980s by Massachusetts Institute of
Technology (MIT) computer scientists.
• The idea behind Kerberos is to authenticate users while preventing
passwords from being sent over the internet.
Kerberos
• Kerberos provides a centralized authentication server whose function is to
authenticate users to servers and servers to users.
• In Kerberos Authentication server and database is used for client
authentication.
• Kerberos runs as a third-party trusted server known as the Key Distribution
Center (KDC).
• Each user and service on the network is a principal.
• The main components of Kerberos are:
• Authentication Server (AS):
The Authentication Server performs the initial authentication and ticket for Ticket
Granting Service.
• Database:
The Authentication Server verifies the access rights of users in the database.
• Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server
Kerberos
• Kerberos introduces the concept of a Ticket-Granting Server (TGS).
• A client that wishes to use a service has to receive a ticket – a time-
limited cryptographic message – giving it access to the server.
• Kerberos also requires an Authentication Server (AS) to verify clients.
The two servers combined make up a KDC.
• Active Directory performs the functions of the KDC.
• The following figure shows the sequence of events required for a
client to gain access to a service using Kerberos authentication.
• Step 1: The user logs on to the workstation and requests service on the
host. The workstation sends a message to the Authorization Server
requesting a ticket granting ticket (TGT).
• Step 2: The Authorization Server verifies the user’s access rights in the
user database and creates a TGT and session key. The Authorization
Sever encrypts the results using a key derived from the user’s password
and sends a message back to the user workstation. The workstation
prompts the user for a password and uses the password to decrypt the
incoming message. When decryption succeeds, the user will be able to
use the TGT to request a service ticket.
• Step 3: When the user wants access to a service, the workstation client
application sends a request to the Ticket Granting Service containing
the client name, realm name and a timestamp. The user proves his
identity by sending an authenticator encrypted with the session key
received in Step 2.
• Step 4: The TGS decrypts the ticket and authenticator, verifies the
request, and creates a ticket for the requested server. The ticket
contains the client name and optionally the client IP address. It also
contains the realm name and ticket lifespan. The TGS returns the ticket
to the user workstation. The returned message contains two copies of
a server session key – one encrypted with the client password, and one
encrypted by the service password.
• Step 5: The client application now sends a service request to the server
containing the ticket received in Step 4 and an authenticator. The
service authenticates the request by decrypting the session key. The
server verifies that the ticket and authenticator match, and then grants
access to the service. This step as described does not include the
authorization performed by the Intel AMT device, as described later.
• Step 6: If mutual authentication is required, then the server will reply
with a server authentication message.
Intruders, viruses and worms
Intruders (hackers/crakers )
• The objective of the intruder is to gain access to a system or to
increase the range of privileges accessible on a system. Most initial
attacks use system or software vulnerabilities that allow a user to
execute code that opens a back door into the system.
• The intruder attempts to acquire information that should have been
protected.
• In some cases, this information is in the form of a user password.
• With knowledge of some other user’s password, an intruder can log
in to a system and all information available on system.
Intruders
• There are three classes of intruders:

• Masquerader: An individual who is not authorized to use the computer and

who penetrates a system’s access controls to exploit a legitimate user’s
account. The masquerader is likely to be an outsider.

• Misfeasor: A legitimate user who accesses data, programs, or resources for

which such access is not authorized, or who is authorized for such access but
misuses his or her privileges. The misfeasor generally is an insider.

• Clandestine user: An individual who seizes supervisory control of the system

and uses this control to evade auditing and access controls or to suppress
audit collection. The clandestine user can be either an outsider or an insider.
Intruders
• Following are some examples of intrusion:
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information,
without authorization
IDS (Intrusion Detection System)
• Passive monitoring solution for detecting cyber security threats/
breaches.
• IDS designed to aid in mitigating damage caused by hacking.
• IDS generates an alert
• notifies security personnel to investigate the incident and take remediative
action.
• Basic intent behind IDS: spot something suspicious on NW/system and
sound alarm.
• May look for data bits that indicate questionable activity or monitor
system logs.
• Events that sound alarm – may not be an intrusion; any abnormal
activity may trigger, depending on configuration.
• Open Source IDS: Snort, www.snort.org
 IDS
• All IDS have three things in
common:
• Sensors:
• collect traffic and user activity
data and sends to analyzer.
• Analyzer:
• Looks for suspicious activity.
• Administrator Interface:
• If analyzer detects suspicious
activity, sends an alert to the
Admin Interface.
Classification of HIDS
• The major classifications are
1. Active Vs passive IDS

2. Network Intrusion detection systems (NIDS) Vs Host Intrusion

detection systems (HIDS)

3. Knowledge-based (Signature-based) IDS Vs behavior-based

(Anomaly-based) IDS
Classification
• Based on Where to deployed/Functionality :
• Host based Intrusion Detection Systems (HIDS)
• monitors the host’s network traffic, running processes, logs, etc., or
• Installed on individual workstations/ servers
• Watches for abnormal activity NIDs understands and monitors NW traffic, HIDS
monitors the computer only on which it is installed.
• Generally, HIDS installed on critical servers only due to administrative overheads.
• Network Intrusion Detection Systems (NIDS),
• identify threats to the entire network.
• Uses sensors to monitor all NW traffic
• Cannot see the activities within the computer itself.
HIDS
• can be configured for:
• Watch for attacks
• Parse audit logs
• Terminate a connection
• Alert an admin as attacks are happening
• Protect system files
• Expose a hacker’s techniques
• Throw up vulnerabilities that need to be addressed
• Possibly help to track down hackers
Types of HIDS/NIDS
• Based on how they identify potential threats/ Detection Methods
• Signature based
• uses a library of signatures of known threats to identify them.
• Pattern matching
• Stateful matching
• Anomaly based
• builds a model of “normal” behavior of the protected system and reports on any
deviations.
• Statistical anomaly based
• Protocol anomaly based
• Traffic anomaly based
• Rule based
Intrusion prevention system (IPS)
• is an active protection system.
• IPS is a preventive device rather than a detective device (IDS).
• Intrusion Prevention System (IPS) is any device (hardware or software) that has the
ability to detect attacks, both known and unknown, and prevent the attack from being
successful.
• An IPS combines the prevent action of a FW with the in depth packet analysis function
of an IDS.
• Like the IDS,
• it attempts to identify potential threats based upon monitoring features of a
protected host or network and can use signature, anomaly, or hybrid detection
methods.
• Unlike an IDS,
• an IPS takes action to block or remediate an identified threat.
• While an IPS may raise an alert, it also helps to prevent the intrusion from occurring
IPS CLASSIFICATION
• HOST-IPS (HIPS)
• HIPS is installed directly on the system being protected
• It binds closely with the operating system kernel and services, it monitors and
intercepts system calls to the kernel in order to prevent attacks as well as log them
• It prevents the system from generic attacks for which no “signature” yet exists.
• NETWORK-IPS (NIPS)
• Has two network interfaces, one designated as internal and one as external
Packets passed through both interfaces and they determined whether the packet
being examined poses a threat
• If it detects a malicious packet, an alert is raised, the packets are discarded
immediately
• Legitimate packets are passed through to the second interface and on to their
intended destination.
Malware
• Ransomware, • Viruses and Worms,
• Drive-by Attacks, • Master Boot Record Rootkit,
• Trojans, • Horizontal and Vertical Privilege
• Adware, Escalation,
• Spyware, • IAT Hooking,
• Keystroke Loggers, • Zero-day exploit,
• Trojans and Backdoors,
Viruses and worms
• Malicious software can be divided into two categories:
• Those that need a host program and those that are independent.

• The former are essentially fragments of programs that can’t exist

independently of some actual application program, utility or system program.
Examples: Viruses, Logic bombs and backdoors.

• The latter are self-contained programs that can be scheduled and run by the
operating system. Examples: Worms and Zombie programs.
Malware
• Short for malicious software
• Covers all the different types of threats to y/our computer safety such
as viruses, spyware, worms, trojans, rootkits and so on.
• Malware is software that has a nefarious(wicked/evil) purpose, designed to
cause problems to an individual (for example, identity theft) or your
computer system or network .
• Malicious Software attacks a computer or network in the form of viruses,
worms, trojans, spyware, adware or rootkits.
• Malware is malicious software that enables unauthorized access to
networks for purposes of theft, sabotage, or espionage.
Malware : How malware spreads?

Malware is usually introduced into a network

through phishing, malicious attachments, or
malicious downloads, but it may gain access
through social engineering or flash drives as
well.
Malware : Types of Malware
• Viruses
• Trojan horses
• Worms
• Spyware
• Zombie
• Phishing
• Spam
• Adware
• Ransomware
Malware : Types of Malwares
Type What It Does
Ransomware disables victim's access to data by encrypting files until ransom is paid, Some ransomware
encrypts files called “cryptolocker”.
Fileless Malware makes changes to files that are native to the OS
Spyware collects user activity data without their knowledge
Adware serves unwanted advertisements
Trojan horse Allow the hackers to gain remote access of a target system. disguises itself as desirable code
Virus Small pieces of software that attach themselves to real programs, can destroy data, slow
down system resources and, must be triggered by the activation of their host;
Worms spreads through a network by replicating itself, A self-replicating program

Rootkits Activated each time your system boots up. gives hackers remote control of a victim's device,
Keyloggers monitors users' keystrokes
Bots launches a broad flood of attacks, Sophisticated types of crimeware. perform a wide variety
of automated tasks on behalf of their master (the cybercriminals) who are often safely located
somewhere far across the Interne
Mobile Malware infects mobile devices
Malware :Ransomware
• Ransomware is software that uses encryption to
disable a target’s access to its data until a ransom is
paid.
• partially or totally unable to operate until it pays, but
there is no guarantee that payment will result in the
necessary decryption key or that the decryption key
provided will function properly.
Malware :Drive-by Attack
• A drive-by download attack refers to the unintentional download of
malicious code to your computer or mobile device that leaves you open to
a cyberattack
• Cybercriminals make use of drive-by downloads to steal and collect
personal information, inject banking Trojans, or introduce exploit kits or
other malware to endpoints, among many others.
• Drive by downloads are designed to breach your device for one or more
of the following:
1.Hijack your device — to build a botnet, infect other devices, or breach yours
further.
2.Spy on your activity — to steal your online credentials, financial info, or identity.
3.Ruin data or disable your device — to simply cause trouble or personally harm
you.
Malware :Drive-by Attack
• There are two main ways malicious drive by downloads get into your
devices:
1.Authorized without knowing full implications: You take an action
leading to infection, such as clicking a link on a deceptive fake
security alert or downloading a Trojan.
2.Fully unauthorized without any notification: You visit a site and
get infected without any prompts or further action. These downloads
can be anywhere, even legitimate sites.
Malware :Fileless Malware
• Fileless malware doesn’t install anything initially, instead, it makes changes
to files that are native to the operating system, such as PowerShell or WMI.
• Because the operating system recognizes the edited files as legitimate, a
fileless attack is not caught by antivirus software — and because these
attacks are stealthy, they are up to ten times more successful than traditional
malware attacks.
• Fileless Malware Example:
• Astaroth is a fileless malware campaign that spammed users with links to a
.LNK shortcut file.
• When users downloaded the file, a WMIC tool was launched, along with a
number of other legitimate Windows tools.
• These tools downloaded additional code that was executed only in memory,
leaving no evidence that could be detected by vulnerability scanners.
• Then the attacker downloaded and ran a Trojan that stole credentials and
uploaded them to a remote server.
Malware :Spyware
• Spyware collects information about users’ activities without their
knowledge or consent.
• This can include passwords, pins, payment information and
unstructured messages.
• The use of spyware is not limited to the desktop browser: it can
also operate in a critical app or on a mobile phone.
• DarkHotel, which targeted business and government leaders using
hotel WIFI, used several types of malware in order to gain access
to the systems belonging to specific powerful people.
• Once that access was gained, the attackers installed keyloggers to
capture their targets passwords and other sensitive information
Malware : Adware
• tracks a user’s surfing activity to determine which ads to
serve them. Although adware is similar to spyware, it does
not install any software on a user’s computer, nor does it
capture keystrokes.
• The danger in adware is the erosion of a user’s privacy
• the data captured by adware is collated with data captured,
overtly or covertly, about the user’s activity elsewhere on the
internet and used to create a profile of that person which
includes who their friends are, what they’ve purchased, where
they’ve traveled, and more.
• That information can be shared or sold to advertisers
without the user’s consent.
Malware : Trojan
• A Trojan disguises itself as desirable code or software.
• “a malicious and security-breaking program which is designed as something benign”.
• Such a program is designed to cause damage, data leakage, or make the victim a
medium to attack another system.
• A Trojan will be executed with the same privilege level as the user who executes it;
nevertheless the Trojan may exploit vulnerabilities and increase the privilege.
• Once downloaded by unsuspecting users, the Trojan can take control of victims’
systems for malicious purposes.
• Trojans may hide in games, apps, or even software patches, or they may be embedded
in attachments included in phishing emails.
• An important point is that not only the connection can be online (so that the commands
or data are transmitted immediately between the hacker and victim), but also the
communication can be offline and performed using emails, HTTP URL transmits or as
the like.
Malware : backdoor
• A backdoor is a specific type of trojan that aims to infect a
system without the knowledge of the user.
• After the infection, a backdoor can remotely take over the
machine to execute programs, delete data, and steal
confidential files.
Types of Trojans
• Remote Access Trojans
• provides full or partial access and control over the victim system.
• The server application will be sent to the victim and a client listens on the hacker’s
system. After the server is started, it establishes the connection with the client through
a predefined port. Most of the Trojans are of this kind.
• Data Sending Trojan
• Using email or a backdoor, this type of Trojan send data such as password, cookies or
key strokes to the hacker’s system.
• Destructive Trojans
• These Trojans are to make destructions such as deleting files, corrupting OS, or make
the system crash.
• usually the purpose of such Trojans is to inactivate a security system like an antivirus
or firewall.
Types of Trojans
• DDos Attack Trojans
• This Trojans make the victim a Zombie to listen for commands sent from a DDos
Server in the internet.
• There will be numerous infected systems standby for a command from the server and
when the server sends the command to all or a group of infected systems, since all the
systems perform the command simultaneously, a huge amount of legitimate request
flood to a target and make the service stop responding.
• Proxy Trojans
• In order to avoid leaving tracks on the target, a hacker may send the commands or
access the resources via another system so that all the records will show the other
system and not the hacker’s identities.
• Trojans are to make a system works as a medium for attacking another system and
therefore the Trojan transfers all the commands sent to it to the primary target and does
not harm the proxy victim.
• Security Software Disabler Trojan
• This kind of Trojan disables the security system for further attacks. For instance they
inactivate the antivirus or make it malfunction or make the firewall stop functioning.
Types of Trojans
• Reverse Connection Trojan created by a RAT (Remote Administration Tool)
gives an Attacker the authority to access a Victim Machine and get a
complete remote access of it without any authentication and acts like a
Administrator
• That malicious code will give you the Reverse Connection of the Victim’s
Machine to the attacker’s machine
• A reverse connection is usually used to bypass firewall restrictions on open
ports. A firewall usually blocks incoming connections on open ports, but does
not block outgoing traffic
• For example, a backdoor running on a computer behind a firewall that blocks
incoming connections can easily open an outbound connection to a remote
host on the Internet. Once the connection is established, the remote host can
send commands to the backdoor.
Malware : Worms
• Worms target vulnerabilities in operating systems to install
themselves into networks.
• They may gain access in several ways: through backdoors built
into software, through unintentional software vulnerabilities, or
through flash drives.
• Once in place, worms can be used by malicious actors to
launch DDoS attacks, steal sensitive data, or conduct
ransomware attacks.
Malware :Virus
• A virus is a piece of code that inserts itself into an application and
executes when the app is run.
• A computer virus is a piece of code embedded in a legitimate
program
• Once inside a network, a virus may be used to steal sensitive
data, launch DDoS attacks or conduct ransomware attacks.
• Viruses vs. Trojans Vs Worms
• A virus cannot execute or reproduce unless the app it has infected
is running.
• This dependence on a host application makes viruses different
from trojans, which require users to download them, and worms,
which do not use applications to execute.
• Many instances of malware fit into multiple categories: for
instance, Stuxnet is a worm, a virus and a rootkit.
Common Types Of Computer Viruses
• File-infecting Virus
• A virus that attached itself to an executable program.
• It is also called a parasitic virus which typically infects files with .exe or .com extensions.
Some file infectors can overwrite host files and others can damage your hard drive’s
formatting
• Macro Virus
• These viruses are usually stored as part of a document and can spread when the files are
transmitted to other computers, often through email attachments.
• This type of virus is commonly found in programs such as Microsoft Word or Excel.
• Boot Sector Virus
• These viruses are once common back when computers are booted from floppy disks.
Today, these viruses are found distributed in forms of physical media such as external hard
drives or USB.
• If the computer is infected with a boot sector virus, it automatically loads into the memory
enabling control of your computer.
• These are also known as memory virus as they do not infect file system.
• Browser Hijacker
• Targets and alters your browser setting. It is often called a browser redirect virus because
it redirects your browser to other malicious websites that you don’t have any intention of
visiting
Common Types Of Computer Viruses
• Polymorphic Virus
• The capability to evade anti-virus programs since it can change codes every time an
infected file is performed.
• A virus signature is a pattern that can identify a virus. So in order to avoid detection by
antivirus a polymorphic virus changes each time it is installed. The functionality of virus
remains same but its signature is changed.
• Resident Virus
• stores itself on your computer’s memory which allows it to infect files on your computer.
This virus can interfere with your operating system leading to file and program corruption.
• Multipartite Virus
• It can infect multiple parts of a system including memory, files, and boot sector which
makes it difficult to contain.
• Web Scripting Virus
• What this virus does is overwrite code on a website and insert links that can install
malicious software on your device.
• Web scripting viruses can steal your cookies and use the information to post on your
behalf on the infected website.
Common Types Of Computer Viruses
• Source code Virus
• It looks for source code and modifies it to include virus and to help spread it.
• Encrypted Virus
• In order to avoid detection by antivirus, this type of virus exists in encrypted form. It
carries a decryption algorithm along with it. So the virus first decrypts and then
executes
• Armored Virus :
• An armored virus is coded to make it difficult for antivirus to unravel and understand.
• It uses a variety of techniques to do so like fooling antivirus to believe that it lies
somewhere else than its real location or using compression to complicate its code.
• Tunneling Virus :
• This virus attempts to bypass detection by antivirus scanner by installing itself in the
interrupt handler chain.
• Interception programs, which remain in the background of an operating system and
catch viruses, become disabled during the course of a tunneling virus.
• Similar viruses install themselves in device drivers.
Lifetime – Phases of Virus
• During it’s lifetime a typical virus goes through following 4 phases:
• Dominant Phase: The virus is idle. The virus will eventually be activated by some
event, such as a date, the presence of another program or file, or the capacity of
the disk exceeding some limit.
• Propagation Phase: The virus places an identical copy of itself into other
programs or into certain system areas on the disk.
• Triggering Phase: The virus is activated to perform the function for which it was
intended.
• Execution Phase: The function is performed. The function may be harmless of
damaging.
Time Bomb, Logical Bomb
• A time bomb is a virus program that performs an activity on a
particular date
• A logical bomb is a destructive program that performs an activity
when a certain action has occurred.
• Logic bombs are programmed threats that lie dormant in commonly used
software for an extended period of time until they are triggered; at this point,
they perform a function that is not the intended function of the program in
which they are contained.
• Logic bombs usually are embedded in programs by software developers who
have legitimate access to the system.
• Conditions required to trigger a logic bomb include the presence or absence
of certain files, a particular day of the week, or a particular user running the
application.
• The logic bomb might check first to see which users are logged in, or which
programs are currently in use on the system. Once triggered, a logic bomb
can destroy or alter data, cause machine halts, or otherwise damage the
system.
Malware :Keyloggers
• Keystroke logging is the act of recording which keys a user presses on their
keyboard.
• As its name indicates (“key”-“logger”), this term refers to a malicious computer
program that secretly records every keystroke made by a computer user.
Keyloggers are used to gain fraudulent access to confidential information such
as personal details, credit card data, access credentials, etc.
• A keylogger is a type of spyware that monitors user activity. Keyloggers have
legitimate uses;
• businesses can use them to monitor employee activity and families may use them to keep
track of children’s online behaviors.
• However, when installed for malicious purposes, keyloggers can be used to
steal password data, banking information and other sensitive information.
• Keyloggers can be inserted into a system through phishing, social engineering
or malicious downloads.
Malware Attacks :keyloggers
• Based on the method used to log keystrokes:
• software keyloggers
• hardware keyloggers.
Malware Attacks :keyloggers
• Hardware-based keyloggers
• are rare, as they require having physical access to the victim’s device in
order to manipulate the keyboard.
• are any physical device that can plug directly into a computer in order to
record the keys that are pressed on that computer's keyboard.
• A common hardware key logger takes the form of a flash drive that plugs
directly into the USB port of a computer.
• This flash drive contains special software that records the keystrokes of the
user in a text file.
• software-based keyloggers
• are much more common, and may affect any device that is not properly
protected.
• Usually, keyloggers are installed on target computers by other malware
specimens, such as Trojans or viruses.
• For example, an attacker may trick the victim into clicking a malicious link,
which then downloads the keylogger into the system.
Malware :Rootkits
• A root kit is software that gives malicious actors remote control
of a victim’s computer with full administrative privileges.
• Rootkits can be injected into applications, kernels, hypervisors,
or firmware.
• They spread through phishing, malicious attachments,
malicious downloads, and compromised shared drives.
• Rootkits can also be used to conceal other malware, such as
keyloggers.
Malware :Bots/Botnets
• A bot is a software application that performs automated tasks on command
allowing an attacker to take complete control remotely of an affected
• They’re used for legitimate purposes, such as indexing search engines, but
when used for malicious purposes, they take the form of self-propagating
malware that can connect back to a central server.
• Bots are used in large numbers to create a botnet,
• which is a network of bots used to launch broad remotely-controlled floods of
attacks, such as DDoS attacks.
• The compromised machine may also be referred to as a “zombie.”
• A collection of these infected computers is known as a “botnet.”
• For example, the Mirai IoT botnet ranged from 800,000 to 2.5M
computers.
Malware :Mobile Malware
• Mobile malware threats are as various as those targeting desktops and
include Trojans, ransomware, advertising click fraud and more.
• They are distributed through phishing and malicious downloads and
are a particular problem for jailbroken phones,
• which tend to lack the default protections that were part of those devices’
original operating systems.
Zero-Day Exploits
• “Zero-day” is a loose term for a recently discovered vulnerability or exploit for
a vulnerability that hackers can use to attack systems.
• These threats are incredibly dangerous because only the attacker is aware of
their existence.
• A zero-day (0 day) exploit is a cyber attack targeting a software vulnerability which is
unknown to the software vendor or to antivirus vendors.
• The attacker spots the software vulnerability before any parties interested in
mitigating it, quickly creates an exploit, and uses it for an attack.
• Such attacks are highly likely to succeed because defenses are not in place.
Zero-Day Exploits
• An attack vector is a method or pathway used by a hacker to access or
penetrate the target system
• Typical attack vectors for this type of exploits are Web browsers
(which are common targets due to their ubiquity) and email attachments
that exploit vulnerabilities in the application opening the attachment, or in
specific file types such as Word, Excel, PDF or Flash.
• zero-day malware — a computer virus for which specific antivirus
software signatures are not yet available, so signature-based antivirus
software cannot stop it.
Zero-day vulnerability detection
• By definition, no patches or antivirus signatures exist yet for zero-day
exploits, making them difficult to detect.
• Ways to detect software vulnerabilities:
• Machine learning as a long-term solution
• Advanced threat detection (ATD) / Advanced Threat Protection(ATP)
solutions use a combination of behavior analysis and signature detection
• Web Application Firewall (WAF) and Intrusion Prevention System (IPS)
prevents attacks before they ever reach your website.
• Web application firewall (WAF) one of the most effective ways to prevent
zero-day attacks is deploying a WAF on the network edge. A WAF reviews
all incoming traffic and filters out malicious inputs that might target
security vulnerabilities.
Zero-day vulnerability detection
• Input validation and sanitization
• Runtime application self-protection (RASP),
• RASP agents sit inside applications, examining request payloads with the context of the
application code at runtime, to determine whether a request is normal or malicious- enabling
applications to defend themselves.
• Vulnerability scanning can detect some zero-day exploits.
• Patch management ,
• deploy software patches as soon as possible for newly discovered software vulnerabilities.
• While this cannot prevent zero-day attacks, quickly applying patches and software upgrades
can significantly reduce the risk of an attack.
• Zero-day initiative
• A program established to reward security researchers for responsibly disclosing vulnerabilities
• create a broad community of vulnerability researchers who can discover security
vulnerabilities before hackers do, and alert software vendors.
Privilege escalation attacks
• Privilege escalation is an attack vector that many businesses face due to loss of
focus on permission levels. As a result, security controls are not sufficient to
prevent a privilege escalation.
• Privilege escalation attacks occur when a threat actor gains access to an
employee’s account, bypasses the proper authorization channel,
and successfully grants themselves access to data they are not supposed to
have.
• Hacker exploit weaknesses and security vulnerabilities with the goal of
elevating access to a network, applications, and mission-critical systems.
• Two types of privilege escalation attacks are:.
• Vertical attacks are when an attacker gains access to an account with the intent to
perform actions as that user.
• Horizontal attacks gain access to account(s) with limited permissions requiring an
escalation of privileges, such as to an administor role, to perform the desired actions.