Fundamentals of Cyber Security 2

The document discusses operating system protection mechanisms and provides definitions, functions, and examples of operating systems. It describes how operating systems act as an interface between the user and computer hardware, managing resources and running programs. The key functions of operating systems are to provide convenience, efficiency, ability to evolve, and maximize throughput for users and programs. Examples of operating systems discussed include Windows, Linux, macOS, Android, and iOS.

Uploaded by fayyadmuhammad45

MODULE ONE: OPERATING SYSTEM PROTECTION MECHANISMS

Introduction of Operating System


An operating system acts as an intermediary between the user of a computer and the computer
hardware. The purpose of an operating system is to provide an environment in which a user can
execute programs conveniently and efficiently.
An operating system is software that manages computer hardware. The hardware must provide
appropriate mechanisms (such as privileged instructions and memory protection) to ensure the
correct operation of the computer system and to prevent user programs from interfering with the
proper operation of the system.
Operating System – Definition:

 An operating system is a program that controls the execution of application programs and
acts as an interface between the user of a computer and the computer hardware.
 A more common definition is that the operating system is the one program running at all
times on the computer (usually called the kernel), with all else being application programs.
 An operating system is concerned with the allocation of resources and services, such as
memory, processors, devices, and information. The operating system correspondingly
includes programs to manage these resources, such as a traffic controller, a scheduler, a
memory management module, I/O programs, and a file system.
Functions of Operating system – An operating system performs four main functions:

1. Convenience: An OS makes a computer more convenient to use.
2. Efficiency: An OS allows the computer system resources to be used efficiently.
3. Ability to Evolve: An OS should be constructed in such a way as to permit the effective
development, testing, and introduction of new system functions without interfering with service.
4. Throughput: An OS should be constructed so that it can give maximum throughput
(number of tasks per unit time).
Major Functionalities of Operating System:
 Resource Management: When several users or processes access the system concurrently, the
OS acts as a resource manager. Its responsibility is to allocate the hardware to each user
fairly and to keep the overall load on the system under control.
 Process Management: It includes tasks such as creating, scheduling and terminating
processes. The OS manages many tasks at a time; CPU scheduling decides, using one of several
scheduling algorithms, which task runs next.
 Storage Management: The file system is the mechanism used to manage secondary storage.
NTFS, CIFS, NFS, etc. are examples of file systems. Data is stored in the tracks and sectors
of hard disks, all of which is managed by the storage manager.
 Memory Management: Refers to the management of primary memory. The operating
system has to keep track of how much memory has been used and by whom. It has to decide
which process needs memory space and how much. The OS also has to allocate and deallocate
memory space.
 Security/Privacy Management: Security is also provided by the operating system by means
of user authentication (passwords) and access controls, so that unauthorized users and
applications can't access programs or data. For example, Windows domains use Kerberos
authentication to prevent unauthorized access to data.
The layers of a computer system, from the user down to the hardware:
1. User
2. System and application programs
3. Operating system
4. Hardware
Every general-purpose computer consists of the hardware, the operating system, system programs,
and application programs. The hardware consists of memory, CPU, ALU, I/O devices,
peripheral devices, and storage devices. System programs include compilers, loaders, editors,
the OS, etc. Application programs include business programs and database programs.

Fig1: Conceptual view of a computer system


Every computer must have an operating system to run other programs. The operating system
coordinates the use of the hardware among the various system programs and application
programs for various users. It simply provides an environment within which other programs can
do useful work.
The operating system is a set of special programs that run on a computer system that allows it to
work properly. It performs basic tasks such as recognizing input from the keyboard, keeping
track of files and directories on the disk, sending output to the display screen, and controlling
peripheral devices.
An OS is designed to serve two basic purposes:
1. It controls the allocation and use of the computing system's resources among the various
users and tasks.
2. It provides an interface between the computer hardware and the programmer that simplifies,
and makes feasible, the coding, creation and debugging of application programs.
The operating system must support the following tasks:

1. Provide facilities to create and modify programs and data files using an editor.
2. Provide access to the compiler for translating the user program from a high-level language to
machine language.
3. Provide a loader program to move the compiled program code into the computer's memory for
execution.
4. Provide routines that handle the details of I/O programming.
I/O System Management –
The module that keeps track of the status of devices is called the I/O traffic controller. Each I/O
device has a device handler that resides in a separate process associated with that device.
The I/O subsystem consists of:

 A memory-management component that includes buffering, caching and spooling.
 A general device-driver interface.
 Drivers for specific hardware devices.
Assembler –
The input to an assembler is an assembly language program. The output is an object program
plus information that enables the loader to prepare the object program for execution. At one time,
the computer programmer had at his disposal a basic machine that interpreted, through hardware,
certain fundamental instructions. He would program this computer by writing a series of ones
and zeros (machine language) and placing them into the memory of the machine.
Compiler –
The High-level languages- examples are FORTRAN, COBOL, ALGOL, and PL/I are processed
by compilers and interpreters. A compiler is a program that accepts a source program in a “high-
level language “and produces a corresponding object program. An interpreter is a program that
appears to execute a source program as if it was machine language. The same name (FORTRAN,
COBOL, etc.) is often used to designate both a compiler and its associated language.
Loader –
A Loader is a routine that loads an object program and prepares it for execution. There are
various loading schemes: absolute, relocating, and direct-linking. In general, the loader must
load, relocate and link the object program. The loader is a program that places programs into
memory and prepares them for execution. In a simple loading scheme, the assembler outputs the
machine language translation of a program on a secondary device and a loader places it in the
core. The loader places into memory the machine language version of the user’s program and
transfers control to it. Since the loader program is much smaller than the assembler, this makes
more core (memory) available to the user's program.
History of Operating system –
The operating system has been evolving through the years. The following table shows the history
of OS.

Generation | Year       | Electronic device used        | Type of OS / device
First      | 1945-55    | Vacuum tubes                  | Plug boards
Second     | 1955-65    | Transistors                   | Batch systems
Third      | 1965-80    | Integrated circuits (IC)      | Multiprogramming
Fourth     | Since 1980 | Large-scale integration (LSI) | PC

Types of Operating System –

 Batch operating system – executes a sequence of jobs submitted to the computer without manual
intervention.
 Time-sharing operating system – allows many users to share the computer resources (maximum
utilization of the resources).
 Distributed operating system – manages a group of different computers and makes them appear to
be a single computer.
 Network operating system – computers running different operating systems can participate
in a common network; user, file and security management is centralised on servers.
 Real-time operating system – meant for applications that must meet fixed deadlines.
Examples of Operating System are –
 Windows (GUI based, PC)
 GNU/Linux (Personal, Workstations, ISP, File and print server, Three-tier client/Server)
 macOS (Macintosh), used for Apple’s personal computers and workstations (MacBook,
iMac).
 Android (Google’s Operating System for smartphones/tablets/smartwatches)
 iOS (Apple’s OS for iPhone, iPad, and iPod Touch)

1. Batch Operating System –


This type of operating system does not interact with the computer directly. There is an operator
who takes similar jobs having the same requirements and groups them into batches. It is the
responsibility of the operator to sort jobs with similar needs.

Advantages of Batch Operating System:

 Although it is difficult to guess in advance how long any single job will take, the
processors of a batch system know the length of each job once it is in the queue
 Multiple users can share the batch system
 The idle time of a batch system is very small
 It is easy to manage large, repetitive workloads in batch systems
Disadvantages of Batch Operating System:
 The computer operators must be familiar with batch systems
 Batch systems are hard to debug
 They are sometimes costly
 The other jobs will have to wait for an unknown time if any job fails
Examples of batch-based workloads: payroll systems, bank statements, etc.

2. Time-Sharing Operating Systems –

Each task is given some time to execute so that all the tasks work smoothly. Each user gets a
share of the CPU time while all of them use a single system. These systems are also known as
multitasking systems. The tasks can come from a single user or from different users. The time that
each task gets to execute is called the quantum (time slice). After this interval is over, the OS
switches to the next task.
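The quantum mechanism described above, as an added example that is not part of the original notes: a round-robin simulation in which every ready task runs for at most one quantum and is then moved to the back of the queue. The task names and CPU times in SAMPLE_TASKS are constructed for the illustration, and the function names are my own. With a quantum that is larger than every job the same routine degenerates into first-come-first-served, which is a useful sanity check.

```python
from collections import deque

# Constructed sample workload (not from the notes): (task name, CPU time units needed)
SAMPLE_TASKS = [("editor", 5), ("compiler", 3), ("backup", 8)]


def round_robin(tasks, quantum):
    """Simulate time-sharing: each ready task runs for at most `quantum`
    units, then the OS switches to the next one. Returns the list of
    (task, slice_start, slice_end) CPU slices and the finish time of each task.
    """
    ready = deque(list(tasks))   # ready queue, in arrival order
    clock = 0
    timeline = []
    finish = {}
    while ready:
        name, remaining = ready.popleft()
        run = min(quantum, remaining)        # never exceed the quantum
        timeline.append((name, clock, clock + run))
        clock += run
        remaining -= run
        if remaining > 0:
            ready.append((name, remaining))  # preempted: back of the queue
        else:
            finish[name] = clock             # task done
    return timeline, finish


def average_turnaround(finish, tasks):
    """All tasks arrive at time 0, so turnaround time equals finish time."""
    return sum(finish[name] for name, _ in tasks) / len(tasks)


if __name__ == "__main__":
    timeline, finish = round_robin(SAMPLE_TASKS, quantum=2)
    for name, start, end in timeline:
        print(f"{start:>3}-{end:<3} {name}")
    print("finish times:", finish)
    print("average turnaround:", round(average_turnaround(finish, SAMPLE_TASKS), 2))
```

A small quantum gives every task an early turn (the 3-unit compiler job finishes at time 9 instead of waiting behind the 8-unit backup), at the cost of more context switches; this is the trade-off the scheduler tunes.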

Advantages of Time-Sharing OS:

 Each task gets an equal opportunity
 Fewer chances of duplication of software
 CPU idle time can be reduced

Disadvantages of Time-Sharing OS:

 Reliability problems
 One must take care of the security and integrity of user programs and data, since many
users share one machine
 Data communication problems
Examples of time-sharing OSs are: Multics, Unix, etc.
3. Distributed Operating System –
These types of operating system are a relatively recent advancement in computer technology and
are being widely adopted all over the world at a great pace. Various autonomous interconnected
computers communicate with each other using a shared communication network. Each independent
system possesses its own memory unit and CPU. These are referred to as loosely coupled systems or
distributed systems. The processors of these systems may differ in size and function. The major
benefit of working with this type of operating system is that a user can access files or software
which are not actually present on his own system but on some other system connected within the
network, i.e., remote access is enabled between the devices connected in that network.

Advantages of Distributed Operating System:

 Failure of one node will not affect communication among the others, as all systems are
independent of each other
 Electronic mail increases the speed of data exchange
 Since resources are shared, computation is fast and robust
 The load on the host computer is reduced
 These systems are easily scalable, as many systems can be added to the network
 Delay in data processing is reduced
Disadvantages of Distributed Operating System:
 Failure of the main network will stop all communication
 The languages used to build distributed systems are not yet well defined
 These systems are not readily available, as they are very expensive; in addition, the
underlying software is highly complex and not yet well understood
Examples of distributed operating systems: LOCUS, etc.
4. Network Operating System –
These systems run on a server and provide the capability to manage data, users, groups, security,
applications, and other networking functions. They allow shared access to files, printers,
security services, applications, and other networking functions over a small private network.
Another important aspect of network operating systems is that all the users are aware of the
underlying configuration: of all other users within the network, their individual connections,
etc. That is why these computers are popularly known as tightly coupled systems.

Advantages of Network Operating System:

 Highly stable centralized servers
 Security concerns are handled through the servers
 New technologies and hardware upgrades are easily integrated into the system
 Server access is possible remotely from different locations and types of systems
Disadvantages of Network Operating System:
 Servers are costly
 Users have to depend on a central location for most operations
 Maintenance and updates are required regularly
Examples of network operating systems: Microsoft Windows Server 2003, Microsoft
Windows Server 2008, UNIX, Linux, Mac OS X, Novell NetWare, BSD, etc.
5. Real-Time Operating System –
These types of OSs serve real-time systems. The time interval required to process and respond to
inputs is very small. This time interval is called the response time.
Real-time systems are used when the timing requirements are very strict, as in missile
systems, air traffic control systems, robots, etc.
There are two types of real-time operating system:
 Hard Real-Time Systems:
These OSs are meant for applications where time constraints are very strict and even the
shortest delay beyond the deadline is not acceptable. Such systems are built for life-critical
functions like automatic parachutes or airbags, which must respond immediately in case of an
accident. Virtual memory is rarely found in these systems.
 Soft Real-Time Systems:
These OSs are for applications where the time constraints are less strict and an occasional
missed deadline degrades service rather than causing failure.

Advantages of RTOS:
 Maximum utilization: maximum utilization of devices and the system, and thus more output
from all the resources
 Task shifting: the time needed to switch between tasks in these systems is very small. For
example, older systems took about 10 microseconds to switch from one task to another, while
the latest systems take about 3 microseconds.
 Focus on application: the focus is on running the current applications, with less importance
given to applications waiting in the queue.
 Real-time operating system in embedded systems: since the programs are small, an RTOS can
also be used in embedded systems such as transport and others.
 Error free: these systems are designed and tested to be as free of errors as possible.
 Memory allocation: memory allocation is best managed in these types of systems.
Disadvantages of RTOS:
 Limited tasks: very few tasks run at the same time, and the system concentrates on few
applications to avoid errors.
 Heavy use of system resources: sometimes the system resources are not very good, and they
are expensive as well.
 Complex algorithms: the algorithms are very complex and difficult for the designer to write.
 Device drivers and interrupt signals: an RTOS needs specific device drivers and interrupt
handling to respond to interrupts as early as possible.
 Thread priority: setting thread priorities is not advisable, as these systems are very rarely
required to switch tasks.
Examples of real-time applications are: scientific experiments, medical imaging systems,
industrial control systems, weapon systems, robots, air traffic control systems, etc.

Functions of Operating System


An operating system acts as a communication bridge (interface) between the user and the
computer hardware. The purpose of an operating system is to provide a platform on which a user
can execute programs in a convenient and efficient manner.
An operating system is a piece of software that manages the allocation of computer hardware.
The coordination of the hardware must be appropriate to ensure the correct working of the
computer system and to prevent user programs from interfering with the proper working of the
system.
Example: just as a boss gives orders to an employee, we pass our requests to the operating
system. The main goal of the operating system is thus to make the computer environment more
convenient to use, and the secondary goal is to use the resources in the most efficient manner.
What is an Operating System?
An operating system is a program on which application programs are executed and acts as a
communication bridge (interface) between the user and the computer hardware.

The main task an operating system carries out is the allocation of resources and services, such as
the allocation of memory, devices, processors, and information. The operating system also
includes programs to manage these resources, such as a traffic controller, a scheduler, memory
management module, I/O programs, and a file system.
Important functions of an operating system:
1. Security –
The operating system uses password protection and similar techniques to protect user data.
It also prevents unauthorized access to programs and user data.

2. Control over system performance –
Monitors overall system health to help improve performance. Records the response time
between service requests and system responses to have a complete view of system health. This
can help improve performance by providing the information needed to troubleshoot problems.

3. Job accounting –
The operating system keeps track of the time and resources used by various tasks and users;
this information can be used to track resource usage for a particular user or group of users.

4. Error detecting aids –
The operating system constantly monitors the system to detect errors and avoid the
malfunctioning of the computer system.

5. Coordination between other software and users –
Operating systems also coordinate and assign interpreters, compilers, assemblers, and other
software to the various users of the computer system.

6. Memory Management –
The operating system manages the Primary Memory or Main Memory. Main memory is
made up of a large array of bytes or words where each byte or word is assigned a certain
address. Main memory is fast storage and it can be accessed directly by the CPU. For a
program to be executed, it should be first loaded in the main memory. An Operating System
performs the following activities for memory management:
It keeps track of primary memory, i.e., which bytes of memory are used by which user
program, which memory addresses have already been allocated and which have not yet been
used. In multiprogramming, the OS decides the order in which processes are granted access to
memory, and for how long. It allocates memory to a process when the process requests it and
deallocates the memory when the process has terminated or is blocked on an I/O operation.

7. Processor Management –
In a multi-programming environment, the OS decides the order in which processes have
access to the processor, and how much processing time each process has. This function of OS
is called process scheduling. An Operating System performs the following activities for
processor management.
Keeps track of the status of processes. The program which performs this task is known as the
traffic controller. Allocates the CPU (the processor) to a process. Deallocates the processor
when a process no longer requires it.

8. Device Management –
An OS manages device communication via their respective drivers. It performs the following
activities for device management: keeps track of all devices connected to the system;
designates a program responsible for every device, known as the input/output controller;
decides which process gets access to a certain device and for how long; allocates devices in
an effective and efficient way; and deallocates devices when they are no longer required.

9. File Management –
A file system is organized into directories for efficient or easy navigation and usage. These
directories may contain other directories and other files. An Operating System carries out the
following file management activities. It keeps track of where information is stored, user
access settings and status of every file, and more… These facilities are collectively known as
the file system.
Moreover, Operating System also provides certain services to the computer system in one form
or the other.
The Operating System provides certain services to the users which can be listed in the following
manner:
1. Program Execution: The Operating System is responsible for the execution of all types of
programs whether it be user programs or system programs. The Operating System utilizes
various resources available for the efficient running of all types of functionalities.
2. Handling Input/Output Operations: The operating system is responsible for handling all
sorts of input, i.e., from the keyboard, mouse, display, etc. The operating system does all
interfacing in the most appropriate manner for all kinds of inputs and outputs.
For example, peripheral devices such as mice and keyboards differ in nature, and the operating
system is responsible for handling the data exchanged with each of them.
3. Manipulation of File System: The operating system is responsible for making decisions
regarding the storage of all types of data or files, i.e., on floppy disk, hard disk, pen drive,
etc. The operating system decides how the data should be manipulated and stored.
4. Error Detection and Handling: The operating system is responsible for detecting any type
of error or bug that can occur during any task. A well-secured OS also acts as a
countermeasure that prevents, and where possible handles, breaches of the computer system
from external sources.
5. Resource Allocation: The Operating System ensures the proper use of all the resources
available by deciding which resource to be used by whom for how much time. All the
decisions are taken by the Operating System.
6. Accounting: The operating system keeps an account of all the activities taking place in
the computer system at a time. Details such as the types of errors that occurred are recorded
by the operating system.
7. Information and Resource Protection: The operating system is responsible for using all
the information and resources available on the machine in the most protected way. The
operating system must foil any attempt from an external source to tamper with data or
information.
All these services are ensured by the Operating System for the convenience of the users to make
the programming task easier. All different kinds of Operating systems more or less provide the
same services.

MODULE TWO: OPERATING SYSTEMS PROTECTION MECHANISMS

Protection plays a very crucial role in a multiuser environment, where several users make
concurrent use of the computer resources such as CPU, memory, etc. It is the duty of the
operating system to provide a mechanism that protects each process from the others.

All the items that require protection in a multiuser environment are referred to as objects, and
those that want to access these objects are known as subjects. The operating system grants
different 'access rights' to different subjects.
These rights may include read, write, execute, append, delete, etc.

1. Domain

A domain is a combination of different objects and a set of different 'access rights' that can be
granted to different subjects to operate on each of these objects. An operating system maintains
several such domains with different combinations of access rights. The user processes can
execute in one of those domains and can access the objects in that domain according to the
access rights given to those objects.

Protection domain

A user process executing in domain 0 has access to read from, write to and execute file 0, and
can write to printer P0. Similarly, a process executing in domain 1 can read from file 1. Printer
P1 is common to domain 1 and domain 2: processes executing in either domain can access
printer P1.

The protection domains above can be represented in matrix form, the access matrix, as shown in
the next image.
During the execution of a process, it may become necessary for it to access an object which is in
another domain. If it has the right to enter that domain, it switches to the new domain and
accesses the object there. This is known as domain switching.

2. Implementation of Access Matrix

The access matrix can be implemented by using either access control lists or capability lists.

Protection matrix

In an ACL, the matrix is stored column by column: for each object, the operating system keeps
the list of subjects (users or domains) and their access rights for that object. Empty entries
are discarded.

In capability lists, the access control matrix is sliced horizontally, by row. This means the
operating system maintains, for each subject, a list of all the objects that the subject can
access and the ways in which it can access them. A combination of the ACL and capability list
techniques may also be used to design protection mechanisms.
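The access matrix, its two slicings and domain switching from the last two sections, as an added example that is not part of the original notes. ACCESS_MATRIX encodes the domains described in the text (D0 with file0 and P0, D1 with file1, P1 shared by D1 and D2); the 'switch' right that lets D1 enter D2, and all function and class names, are my own assumptions for the illustration.

```python
# Constructed access matrix (not from the notes): rows are protection domains
# (subjects), columns are objects, cells are the set of rights. Domains also
# appear as objects so that a 'switch' right can express domain switching.
ACCESS_MATRIX = {
    "D0": {"file0": {"read", "write", "execute"}, "P0": {"write"}},
    "D1": {"file1": {"read"}, "P1": {"write"}, "D2": {"switch"}},
    "D2": {"P1": {"write"}},
}


def to_acl(matrix):
    """Slice the matrix by column: for every object, which domains hold which
    rights. Empty cells are simply never stored."""
    acl = {}
    for domain, row in matrix.items():
        for obj, rights in row.items():
            acl.setdefault(obj, {})[domain] = set(rights)
    return acl


def to_capabilities(matrix):
    """Slice by row: for every domain, the objects it may use and how."""
    return {domain: {obj: set(rights) for obj, rights in row.items()}
            for domain, row in matrix.items()}


def check_access(acl, domain, obj, right):
    """Reference-monitor check against the ACL: deny unless explicitly granted.
    Unknown objects and unknown domains fall through to an empty right set."""
    return right in acl.get(obj, {}).get(domain, set())


class Process:
    """A process runs in exactly one domain at a time. Every object access is
    mediated by check_access, and changing domain requires a 'switch' right
    on the target domain (domain switching)."""

    def __init__(self, domain, acl):
        self.domain = domain
        self.acl = acl

    def access(self, obj, right):
        return check_access(self.acl, self.domain, obj, right)

    def switch_to(self, new_domain):
        if not check_access(self.acl, self.domain, new_domain, "switch"):
            raise PermissionError(f"{self.domain} may not switch to {new_domain}")
        self.domain = new_domain


if __name__ == "__main__":
    acl = to_acl(ACCESS_MATRIX)
    print("ACL for P1:", acl["P1"])                       # column view
    print("capabilities of D2:", to_capabilities(ACCESS_MATRIX)["D2"])  # row view
    p = Process("D1", acl)
    print("D1 read file0?", p.access("file0", "read"))    # denied
    p.switch_to("D2")
    print("now in", p.domain, "- write P1?", p.access("P1", "write"))
```

Note which representation makes each operation cheap: revoking everyone's access to one object is a single ACL entry, while listing everything a subject can touch is a single capability row. A real kernel keeps the matrix itself sparse for exactly this reason.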

3. Encryption

It is one of the most powerful and important tools of protection. The process involves two steps:
encryption of the original data into some other form, from which a third party learns nothing
about the content, and decryption of the encrypted form back into the original data.

The most commonly used methods to achieve encryption are: transposition ciphers and
substitution ciphers.

In transposition ciphers, the letters of the original message are not changed; only the order in
which they appear in the message is changed. For example, consider that the message 'it is
raining' needs to be encrypted. Using one simple transposition (reversal), it becomes
'gniniar si ti'.

With substitution ciphers, the set of characters in the encrypted form differs from the original.
Every letter may be replaced by the preceding letter of the alphabet, for instance. The message
'it is raining' would then become 'hs hr qzhmhmf' after encryption.

These ciphers are very easy to implement for characters, and variants of them can be used to
encrypt bit streams. For instance, a predetermined bit stream may be added to the bits of the
original stream at particular positions to obtain the encrypted message; the same bit stream is
subtracted at the destination so that the original stream is obtained. This addition and
subtraction can be done with simple adder and subtractor circuits. Note that such classical
ciphers preserve letter frequencies and have a tiny key space, so they are trivially broken and
serve only to illustrate the idea; real systems use standard ciphers such as AES.

The key idea behind any encryption scheme is that the encryption process must be restorable:
once we encrypt the original message into a different form, there must be a way to restore it to
the original form.
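The three schemes above, as an added example that is not part of the original notes: the reversal transposition and the shift-by-one substitution reproduce the notes' two ciphertexts, and the bit-stream variant is implemented as byte-wise addition and subtraction of a key stream modulo 256. KEYSTREAM is a constructed constant and recover_shift is my own addition; it shows why the substitution cipher offers no real protection.

```python
from collections import Counter

# Constructed key stream for the bit-stream variant (not from the notes); a real
# system would derive it from a key generator, never ship a fixed constant.
KEYSTREAM = bytes(range(200, 232))


def transposition_encrypt(msg):
    """Transposition: keep the letters, change only their order (here: reverse)."""
    return msg[::-1]


def transposition_decrypt(ct):
    """Reversal is its own inverse, so decryption is the same operation."""
    return ct[::-1]


def substitution_encrypt(msg, shift=-1):
    """Caesar-style substitution: each letter is replaced by the letter `shift`
    positions away (shift=-1 is the notes' 'preceding letter' rule).
    Non-letters are left unchanged, which is why spaces survive."""
    out = []
    for ch in msg:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def substitution_decrypt(ct, shift=-1):
    """Restorable by construction: apply the opposite shift."""
    return substitution_encrypt(ct, -shift)


def stream_encrypt(data, keystream):
    """Bit-stream variant: add the key stream to the message byte by byte (mod 256)."""
    if len(keystream) < len(data):
        raise ValueError("key stream must be at least as long as the message")
    return bytes((m + k) % 256 for m, k in zip(data, keystream))


def stream_decrypt(data, keystream):
    """Subtract the same key stream at the destination to restore the message."""
    return bytes((c - k) % 256 for c, k in zip(data, keystream))


def letter_histogram(text):
    """Substitution preserves letter frequencies: the ciphertext histogram is the
    plaintext histogram with relabelled keys, which is what frequency analysis uses."""
    return Counter(ch for ch in text if ch.isalpha())


def recover_shift(ct, crib):
    """Brute-force the substitution: only 26 keys exist, so try every decryption
    shift and return the one under which a known word (crib) appears, else None."""
    for s in range(26):
        if crib in substitution_encrypt(ct, s):
            return s
    return None


if __name__ == "__main__":
    msg = "it is raining"
    print(transposition_encrypt(msg))            # gniniar si ti
    print(substitution_encrypt(msg))             # hs hr qzhmhmf
    ct = stream_encrypt(msg.encode(), KEYSTREAM)
    print(ct.hex(), stream_decrypt(ct, KEYSTREAM))
    print("recovered decryption shift:", recover_shift("hs hr qzhmhmf", "raining"))
```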

Need of System Protection:

 To prevent access by unauthorized users,
 To ensure that resources are used only as specified by the policy governing each active
program or mechanism in the scheme,
 To improve reliability by detecting latent errors.

Note that security systems only supply the frameworks for implementing policies and maintaining
stable systems. It is up to administrators and users to enforce such policies successfully.
(Example of System Protection in Operating System)

The function of security is to provide a mechanism that implements the policies governing the
computer system's use of resources. Some policies are defined at the time the system is created,
some are designed by system management, and some are defined by system users to protect their
own files and programs. A threat is a program that is malicious in nature and causes the device
to experience adverse effects. Some of the prevalent threats to a system are:

 Virus: A virus is a small fragment of code inserted into a legitimate program or device.
Viruses are very risky and can corrupt data, delete information, crash systems, etc. By
replicating themselves they can also spread further.
 Trojan Horse: A Trojan horse is a program that appears harmless but secretly captures a
system's login data. The stolen credentials can then be used by a malicious user to access
the system as if they were a legitimate user and wreak havoc.
 Trap Door: A trap door (back door) is a hidden entry point that may be present in a program
or device without the users' knowledge. It can be abused by malicious people to damage the
data or files in a system.
 Worm: A worm brings a machine down by consuming its resources to extreme levels. It creates
many copies of itself that claim all resources and prevent other processes from using them;
by spreading across hosts in this way, a worm can shut down a whole network.
 Denial of Service: These kinds of attacks prevent legitimate users from accessing a device.
The attacker overwhelms the device with requests so that it is overloaded and other users
cannot operate properly.

Each application has different resource-use policies, and they change over time, so system
security is not just a concern of the operating system (OS) designer. Security mechanisms must
also be built by the application programmer to protect the application from misuse. The
principle of least privilege dictates that programs, users, and systems are given only the rights
they need to perform their tasks, so that an error or compromise does the least possible damage.

Each user is typically granted their own account and has only enough rights to edit their own
files. The root account should not be used for regular day-to-day activities; the system
administrator should still have an ordinary account, and the root account should be reserved
only for tasks that require root privileges. Policy is distinct from mechanism: mechanisms
decide how to do something, and policies determine what to do. Policies change over time and
from place to place, so the separation of mechanism and policy is essential for the flexibility
of the system.

The various techniques that can provide protection and security for various computer systems
are:

 Authentication: It deals with identifying every user of the system and ensuring that
they are who they claim to be. The operating system ensures that all users are authenticated
before they enter the system.
 One-Time Password: For authentication purposes, these passwords provide a lot of
protection. Each time a user wants to access the system, a one-time password is generated
exclusively for that login. It cannot be used more than once, so a password captured by an
attacker is useless for replay.

A machine can be modelled as a set of processes and objects. The need-to-know principle
states that a process should be given access only to those objects it requires to accomplish its
task, only in the modes for which it needs access, and only during the time frame in which it
needs that access.

MODULE THREE: INTRUSION DETECTION SYSTEMS


Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious
activity and issues alerts when such activity is discovered. It is a software application that scans a
network or a system for harmful activity or policy breaching. Any malicious venture or violation
is normally reported either to an administrator or collected centrally using a security information
and event management (SIEM) system. A SIEM system integrates outputs from multiple sources
and uses alarm filtering techniques to differentiate malicious activity from false alarms.
Although intrusion detection systems monitor networks for potentially malicious activity, they
are also prone to false alarms. Hence, organizations need to fine-tune their IDS products when
they first install them. This means properly configuring the intrusion detection system to recognize
what normal traffic on the network looks like as compared to malicious activity.
Intrusion prevention systems also monitor network packets entering the system, check them for
malicious activity, and immediately send warning notifications.
Classification of Intrusion Detection System:

1. Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point within the network to
examine traffic from all devices on the network. A NIDS observes passing traffic on the entire
subnet and matches the traffic passed on the subnet against the collection of known attacks.
Once an attack is identified or abnormal behavior is observed, an alert can be sent to the
administrator. An example of NIDS usage is installing it on the subnet where firewalls are
located in order to see if someone is trying to crack the firewall.
2. Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on independent hosts or devices on the network.
A HIDS monitors the incoming and outgoing packets of that device only and alerts the
administrator if suspicious or malicious activity is detected. It takes a snapshot of existing
system files and compares it with the previous snapshot. If the monitored system files were
edited or deleted, an alert is sent to the administrator to investigate. An example of HIDS
usage can be seen on mission-critical machines, which are not expected to change their
layout.
3. Protocol-based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system (PIDS) comprises a system or agent that
consistently resides at the front end of a server, controlling and interpreting the protocol
between a user/device and the server. It tries to secure a web server by regularly
monitoring the HTTPS protocol stream and the related HTTP protocol. Because the HTTPS
stream can only be read once it has been decrypted, the system needs to reside at the interface
between the decryption of HTTPS and the web presentation layer.
4. Application Protocol-based Intrusion Detection System (APIDS):
An application protocol-based intrusion detection system (APIDS) is a system or agent that
generally resides within a group of servers. It identifies intrusions by monitoring and
interpreting the communication on application-specific protocols. For example, it would
monitor the SQL protocol specific to the middleware as it transacts with the database in the
web server.
5. Hybrid Intrusion Detection System:
A hybrid intrusion detection system combines two or more intrusion detection approaches.
In a hybrid intrusion detection system, host agent or system data is combined with network
information to develop a complete view of the network system. A hybrid intrusion detection
system is more effective than the other types of intrusion detection system. Prelude is an
example of a hybrid IDS.
6. Network-based intrusion prevention system (NIPS): It monitors the entire network for
suspicious traffic by analyzing protocol activity.
7. Wireless intrusion prevention system (WIPS): It monitors a wireless network for suspicious
traffic by analyzing wireless networking protocols.
8. Network behavior analysis (NBA): It examines network traffic to identify threats that
generate unusual traffic flows, such as distributed denial of service attacks, specific forms of
malware and policy violations.
9. Host-based intrusion prevention system (HIPS): It is a software package installed on a
single host that monitors that host for suspicious activity by scanning the events that occur
within it.

Detection Method of IDS:

1. Signature-based Method:
Signature-based IDS detects attacks on the basis of specific patterns, such as the number of
bytes or the number of 1’s or 0’s in the network traffic. It also detects attacks on the basis of
already known malicious instruction sequences used by malware. The patterns the IDS looks
for are known as signatures.
Signature-based IDS can easily detect attacks whose pattern (signature) already exists in the
system, but it is quite difficult for it to detect new malware attacks, as their pattern (signature)
is not yet known.
2. Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown malware attacks, as new malware is
developed rapidly. An anomaly-based IDS uses machine learning to build a model of
trustworthy activity; incoming activity is compared with that model and declared suspicious
if it does not fit the model. The machine learning based method generalizes better than a
signature-based IDS because its models can be trained according to the applications and
hardware configurations.

Comparison of IDS with Firewalls:

IDS and firewalls are both related to network security, but an IDS differs from a firewall in that a
firewall looks outward for intrusions in order to stop them from happening. Firewalls restrict
access between networks to prevent intrusion, and if an attack comes from inside the network,
they do not signal it. An IDS describes a suspected intrusion once it has happened and then
signals an alarm.

Comparison of Intrusion Prevention System (IPS) Technologies:

The table below indicates various kinds of IPS technologies:

IPS Technology Type | Types of Malicious Activity Detected | Scope per Sensor | Strengths
Network-Based | Network, transport, and application TCP/IP layer activity | Multiple network subnets and groups of hosts | Only IDPS which can analyze the widest range of application protocols
Wireless | Wireless protocol activity; unauthorized wireless local area networks (WLANs) in use | Multiple WLANs and groups of wireless clients | Only IDPS able to predict wireless protocol activity
NBA | Network, transport, and application TCP/IP layer activity that causes anomalous network flows | Multiple network subnets and groups of hosts | Typically more effective than the others at identifying reconnaissance scanning and DoS attacks, and at reconstructing major malware infections
Host-Based | Host application and operating system (OS) activity; network, transport, and application TCP/IP layer activity | Individual host | Can analyze activity that was transferred in end-to-end encrypted communications

Detection Method of Intrusion Prevention System (IPS):

1. Signature-based detection:
Signature-based IDS inspects packets in the network and compares them with pre-built and
predetermined attack patterns known as signatures.

2. Statistical anomaly-based detection:
Anomaly-based IDS monitors network traffic and compares it against an established baseline.
The baseline identifies what is normal for that network and what protocols are used.
However, it may raise false alarms if the baselines are not intelligently configured.

3. Stateful protocol analysis detection:
This method recognizes deviations of protocol state by comparing observed events with
pre-built profiles of generally accepted definitions of benign activity.
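The three detection methods just listed (and the signature- and anomaly-based methods in the IDS section above) carried out in code, as an added example that is not part of the course notes; the signatures, addresses, request counts and TCP events are constructed for illustration, and the threshold k and the unseen-source policy are assumptions a deployment would tune.

```python
"""Added example (not from the course notes): signature-based, statistical
anomaly-based and stateful protocol analysis detection, each run over
constructed sample events.  Every address, payload and count below is
constructed for illustration.
"""
import re
import statistics
from collections import defaultdict

# 1. Signature-based detection: constructed name -> pattern over payload bytes.
SIGNATURES = {
    "directory-traversal": re.compile(rb"\.\./\.\./"),
    "sqli-union-select": re.compile(rb"(?i)union\s+select"),
}


def match_signatures(payload):
    """Return the names of all known signatures found in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


# 2. Statistical anomaly-based detection
def build_baseline(training_counts):
    """training_counts: {source: [requests per minute, ...]} from a window
    assumed to contain only normal traffic.  Returns {source: (mean, stdev)}."""
    return {src: (statistics.mean(c), statistics.pstdev(c))
            for src, c in training_counts.items()}


def is_anomalous(baseline, src, count, k=3.0):
    """Flag a source whose observed count exceeds mean + k * stdev.  A source
    absent from the baseline is flagged too.  k and the unseen-source policy are
    the tuning the notes say separates useful alerts from false alarms."""
    if src not in baseline:
        return True
    mean, stdev = baseline[src]
    # Floor the deviation at 1 so a perfectly steady source is not flagged by
    # a single extra request.
    return count > mean + k * max(stdev, 1.0)


# 3. Stateful protocol analysis
def analyze_tcp(events):
    """events: (client, server, flag, payload_len) tuples, normalised so the
    client is listed first regardless of packet direction.  Returns the
    (client, server) pairs that sent payload before the three-way handshake
    SYN -> SYN-ACK -> ACK completed, which a stateful TCP profile does not allow."""
    state = defaultdict(lambda: "CLOSED")
    violations = []
    for client, server, flag, plen in events:
        key = (client, server)
        current = state[key]
        if flag == "SYN" and current == "CLOSED":
            state[key] = "SYN_SENT"
        elif flag == "SYN-ACK" and current == "SYN_SENT":
            state[key] = "SYN_RECEIVED"
        elif flag == "ACK" and current == "SYN_RECEIVED":
            state[key] = "ESTABLISHED"
        elif flag == "PSH-ACK" and plen > 0 and current != "ESTABLISHED":
            violations.append(key)
        elif flag in ("FIN", "RST"):
            state[key] = "CLOSED"
    return violations


# Constructed sample input
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1",
    b"GET /../../config.ini HTTP/1.1",
    b"GET /search?q=1 UNION SELECT 1,2 HTTP/1.1",
]
TRAINING_COUNTS = {"10.0.0.5": [10, 12, 11, 9, 10], "10.0.0.6": [3, 4, 3, 3, 4]}
OBSERVED_COUNTS = {"10.0.0.5": 11, "10.0.0.6": 40, "10.0.0.9": 2}
TCP_EVENTS = [
    ("10.0.0.5", "10.0.0.1", "SYN", 0),
    ("10.0.0.5", "10.0.0.1", "SYN-ACK", 0),
    ("10.0.0.5", "10.0.0.1", "ACK", 0),
    ("10.0.0.5", "10.0.0.1", "PSH-ACK", 120),  # data after a complete handshake
    ("10.0.0.7", "10.0.0.1", "PSH-ACK", 64),   # data with no handshake at all
    ("10.0.0.5", "10.0.0.1", "FIN", 0),
]


def run_all():
    """Run the three detectors over the sample input and return the findings."""
    baseline = build_baseline(TRAINING_COUNTS)
    return {
        "signature_hits": {p: match_signatures(p) for p in SAMPLE_PAYLOADS},
        "anomalous_sources": sorted(s for s, n in OBSERVED_COUNTS.items()
                                    if is_anomalous(baseline, s, n)),
        "handshake_violations": analyze_tcp(TCP_EVENTS),
    }


if __name__ == "__main__":
    for name, finding in run_all().items():
        print(name, finding)
```

Note that the steady source 10.0.0.5 at 11 requests stays below its threshold while the never-seen 10.0.0.9 is flagged at only 2 requests: the anomaly detector's verdict depends entirely on how the baseline was built, which is the tuning problem the notes describe.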

Comparison of IPS with IDS:


The main differences between an Intrusion Prevention System (IPS) and an Intrusion Detection
System (IDS) are:
1. Intrusion prevention systems are placed in-line and are able to actively prevent or block
intrusions that are detected.
2. IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting
a connection or blocking traffic from the offending IP address.
3. IPS also can correct cyclic redundancy check (CRC) errors, defragment packet streams,
mitigate TCP sequencing issues and clean up unwanted transport and network layer options.

Approaches to Information Security Implementation

To keep data safe from potential violations and cyber-attacks, implementing the security model
is an important phase that must be carried out. The security model can be designed using one of
two approaches:
1. Bottom-Up Approach:
The company’s security model is applied by system administrators or people who are working in
network security or as cyber-engineers. The main idea behind this approach is for individuals
working in this field of information systems to use their knowledge and experience in
cybersecurity to guarantee the design of a highly secure information security model.
 Key Advantages –
An individual’s technical expertise in their field ensures that every system vulnerability is
addressed and that the security model is able to counter any potential threat.
 Disadvantage –
Due to the lack of cooperation between senior managers and relevant directives, it is often
not suited to the requirements and strategies of the organisation.
2. Top-Down Approach:
This type of approach is initiated by the executives of the organization.
 They formulate policies and outline the procedures to be followed.
 They determine the project’s priorities and expected results.
 They determine liability for every action needed.
It is more likely to succeed. This strategy usually provides strong support from top management
by committing resources, a consistent planning and execution mechanism, and opportunities to
affect corporate culture.
Security management issues have been handled by organizations in various ways. Traditionally,
companies adopted a bottom-up approach, where the process is initiated by operational
employees and their results are subsequently propagated to upper management as proposed
policies. Since management has no information about the threat, its effects, the resources
involved, the possible returns or the security method, this approach has occasionally led to a
sudden and violent collapse.
On the contrary, the top-down approach is a highly successful reverse view of the whole issue.
Management understands the gravity and starts the process, and input is subsequently collected
systematically from cyber engineers and operating personnel.

MODULE 4: NETWORK AND DISTRIBUTED SYSTEM SECURITY


Providing security in communication was recognized long before the invention of computers,
when messengers used to carry information from one place to another. In those days, maintaining
the secrecy of information with the help of ciphering techniques was the prime goal. Over time,
advancements in computing and data communications technology resulted in the establishment
of computer networks to exchange information. In addition, standardization efforts have
increasingly given rise to large distributed systems which are mostly a collection of smaller
heterogeneous systems communicating through the network.
The use of these shared networks and computer systems to carry information with various
protection requirements is increasing. The very fact that communication is via the insecure
global network implies that a breach of security is inevitable. This necessitates the provision of a
number of different logical systems superimposed upon a common physical system, with a
guaranteed degree of separation between the various logical systems.
Network security can be seen as a collection of services which:
 maintain the confidentiality and integrity of the message as well as the network;
 provide for the authentication of users and services; and
 make sure of non-repudiation by users and the non-denial of services.
The system may provide all or a subset of these services, depending on the requirements of the
application.
Threats for communication security
Security features obviously increase the cost of the system.
Therefore, before designing a secure system, it is important to identify the threats against which
protection is required. A threat is a potential violation of security. Those threats which do not
modify the information or the normal operation of the system are called passive threats. For
example, in the LAN environment, a station can capture all the packets on the network and learn
the content of someone else’s communication, perhaps for possible future misuse. On the
contrary, active threats result in the modification of messages or in the operation of the system.
Some of the possible security threats are described below:
 Identity interception is the observation of the identity of one or more parties involved in a
communication, for misuse.
 Replay attack is the recording and subsequent replay of a communication at some later point
in time.
 Masquerading is the impersonation of a user to gain access to information, or to gain
additional privileges. This includes active attacks such as replay and modification of messages.
 Data interception is the observation of user data during a communication by an unauthorized
user.
 Data manipulation is the unauthorized replacement, insertion, deletion or disordering of user
data during communication.
 Repudiation is the denial by one of the entities involved in a communication of having
participated in part or all of the communication. This may be dangerous in the case of electronic
commitments.
 Mis-routing is the misrouting of a communication path intended for one user to another.
 Denial of service is the prevention or interruption of a communication or the delay of
time-critical operations. For example, an intruder may suppress all messages directed to a
particular destination or may generate extra traffic.
 Traffic analysis is the observation of information about a communication between users. The
observation may include the absence/presence of traffic, frequency, direction, sequence, type
and amount of traffic.
 Unauthorized access is the unauthorized usage of resources and access to classified data by
an intruder.
Security services
Many applications have requirements for security to protect against the threats to the
communication of information. The realization of security can be viewed in two ways: the first
one views security services as an integral part of the communicating system services; the second
sees security as the responsibility of the individual applications, i.e. the applications should
implement all the necessary security services themselves and the communication systems are
concerned only with the transmission of the PDUs.
There are two approaches to communication security, viz. a link-oriented approach and an end-
to-end approach. In the link-oriented approach, the message traffic is protected independently on
each communication link by encryption. If any one of the links is compromised, then the entire
system security will be compromised. Also, all the intermediate nodes between the source and
destination need to be trusted. The link-oriented approach is expensive in a network with a large
number of nodes. Obviously, this approach fits into the realm of providing security services as a
part of communicating system services.
In contrast to the link-oriented approach, the end-to-end approach views the network as a
medium for transporting the PDUs in a secure fashion from source to destination, irrespective of
the presence or absence of security measures in the intermediate nodes. This approach is less
expensive. End-to-end measures are achieved with the help of a basic set of security services,
and they can be implemented as part of the communicating system services or left to individual
applications to implement, depending upon their requirements. A basic set of security services or
functions is described below. Though these services are defined in the ISO-OSI Security
Architecture, the discussion holds good for any layered architecture.
A confidentiality service provides protection of data from unauthorized disclosure, thus
preventing interception. There can be connection confidentiality and connectionless
confidentiality services, depending on whether a connection-oriented or connectionless data
transfer service is used. Similarly, a traffic flow confidentiality service, if used, provides
protection against traffic flow analysis and identity interception.
A data integrity service provides proof of the integrity of data in a communication. It can be
used to detect and protect against manipulation. Here, too, as in the case of the confidentiality
service, there can be a connection integrity service ensuring the integrity of stream data units
over a connection for connection-oriented service, and a connectionless data integrity service
ensuring the integrity of data in a single data unit if a connectionless mode of data transfer is
being used.
A peer entity authentication service makes sure that a user, on a certain instance of
communication, is indeed the one claimed. There can be two types of authentication: one is
single entity authentication, which involves data origin or data recipient authentication; the
other is mutual authentication, where both communicating users authenticate each other. This
service can be used to protect against masquerading and replay attacks.
A non-repudiation service provides proof of the integrity and origin of data, both in an
unforgeable relationship which can be verified by any third party at any time. This service can be
used to protect against data manipulation and repudiation threats, but mostly it is used for the
latter.
Access control protects against the unauthorized use of resources.
Security mechanisms
Security mechanisms are the end-to-end mechanisms that may be used to provide the security
services that protect applications against the threats. Examples of security mechanisms are
encipherment, data integrity, authentication exchange, access control and digital signature.
Encipherment: Cryptographic techniques are used to make the data in transit unintelligible to
everyone except the legitimate parties involved in the communication. This involves two
transformation functions: one is enciphering and the other is deciphering. The sender enciphers
the data before transmitting it to the receiver. The receiver applies the appropriate deciphering
function to get the original data back. There are two types of encryption mechanisms, viz.,
symmetric and asymmetric encryption.
Symmetric or shared key encryption: Here we have two functions, Encrypt and Decrypt, and an
encryption key. A message encrypted with key k can only be decrypted with the same key k.
The process of encryption and decryption can be described as follows: if c = Encrypt(k, m) then
m = Decrypt(k, c), where m is the plaintext message, k is the encryption key and c is the
encrypted text.
Asymmetric or public key encryption: In public key encryption, the key is divided into two
parts: the encryption key, which is usually made public, and the decryption key, which is kept
secret. The process of encryption and decryption can be described as follows: if c = Encrypt(k,
m) then m = Decrypt(k^-1, c), where m is the plaintext message, k is the encryption (public) key,
k^-1 is the decryption (secret) key and c is the encrypted text.
MODULE 5: DENIAL OF SERVICE (AND OTHER) ATTACK STRATEGIES
Denial-of-Service Attack

What is a denial-of-service attack?


A denial-of-service (DoS) attack is a security threat that occurs when an attacker makes it
impossible for legitimate users to access computer systems, networks, services or other
information technology (IT) resources. Attackers in these types of attacks typically flood web
servers, systems or networks with traffic that overwhelms the victim's resources and makes it
difficult or impossible for anyone else to access them.

Restarting a system will usually fix an attack that crashes a server, but flooding attacks are more
difficult to recover from. Recovering from a distributed DoS (DDoS) attack in which attack
traffic comes from a large number of sources is even more difficult.

DoS and DDoS attacks often take advantage of vulnerabilities in networking protocols and how
they handle network traffic. For example, an attacker might overwhelm the service by
transmitting many packets to a vulnerable network service from different Internet Protocol (IP)
addresses.

How does a DoS attack work?


DoS and DDoS attacks target one or more of the seven layers of the Open Systems
Interconnection (OSI) model. The most common OSI targets include Layer 3 (network), Layer 4
(transport), Layer 6 (presentation) and Layer 7 (application).
Layers 3, 4, 6 and 7 are the most common layers for attacks of the Open Systems Interconnection
model.

Malicious actors have different ways of attacking the OSI layers. Using User Datagram Protocol
(UDP) packets is one common way. UDP speeds up transmission by transferring data before the
receiving party sends its agreement. Another common attack method is SYN (synchronization)
packet attacks. In these attacks, packets are sent to all open ports on a server, using spoofed, or
fake, IP addresses. UDP and SYN attacks typically target OSI Layers 3 and 4.

Protocol handshakes launched from internet of things (IoT) devices are now commonly used to
launch attacks on Layers 6 and 7. These attacks can be difficult to identify and preempt because
IoT devices are everywhere and each is a discrete intelligent client.

Signs of a DoS attack


The United States Computer Emergency Readiness Team, also known as US-CERT, provides
guidelines to determine when a DoS attack may be in progress. According to US-CERT, the
following may indicate an attack is underway:

 slower or otherwise degraded network performance that is particularly noticeable when
trying to access a website or open files on the network;
 inability to access a website; or
 more spam email than usual.


Preventing a DoS attack
Experts recommend several strategies to defend against DoS and DDoS attacks, starting with
preparing an incident response plan well in advance.

An enterprise that suspects a DoS attack is underway should contact its internet service provider
(ISP) to determine whether slow performance or other indications are from an attack or some
other factor. The ISP can reroute the malicious traffic to counter the attack. It can also use load
balancers to mitigate the severity of the attack.

ISPs also have products that detect DoS attacks, as do some intrusion detection systems (IDSes),
intrusion prevention systems (IPSes) and firewalls. Other strategies include contracting with a
backup ISP and using cloud-based anti-DoS measures.

There have been instances where attackers have demanded payment from victims to end DoS or
DDoS attacks, but financial profit is not usually the motive behind these attacks. In many cases,
the attackers wish to harm the business or reputation of the organization or individual targeted in
the attack.

Types of DoS attacks


DoS and DDoS attacks have a variety of methods of attack. Common types of denial-of-service
attacks include the following:

 Application layer. These attacks generate fake traffic to internet application servers,
especially domain name system (DNS) servers or Hypertext Transfer Protocol (HTTP)
servers. Some application layer DoS attacks flood the target servers with network data;
others target the victim's application server or protocol, looking for vulnerabilities.

 Buffer overflow. This type of attack is one that sends more traffic to a network resource than
it was designed to handle.

 DNS amplification. In a DNS DoS attack, the attacker generates DNS requests that appear
to have originated from an IP address in the targeted network and sends them to
misconfigured DNS servers managed by third parties. The amplification occurs as the
intermediate DNS servers respond to the fake DNS requests. The responses from
intermediate DNS servers to the requests may contain more data than ordinary DNS
responses, which requires more resources to process. This can result in legitimate users being
denied access to the service.

 Ping of death. These attacks abuse the ping protocol by sending request messages with
oversized payloads, causing the target systems to become overwhelmed, to stop responding
to legitimate requests for service and to possibly crash the victim's systems.

 State exhaustion. These attacks -- also known as Transmission Control Protocol (TCP)
attacks -- occur when an attacker targets the state tables held in firewalls, routers and other
network devices and fills them with attack data. When these devices incorporate stateful
inspection of network circuits, attackers may be able to fill the state tables by opening more
TCP circuits than the victim's system can handle at once, preventing legitimate users from
accessing the network resource.

 SYN flood. This attack abuses the TCP handshake protocol by which a client establishes a
TCP connection with a server. In a SYN flood attack, the attacker directs a high-volume
stream of requests to open TCP connections with the victim server with no intention of
completing the circuits. A successful attack can deny legitimate users access to the targeted
server.

 Teardrop. These attacks exploit flaws such as the way older operating systems (OSes) handled
fragmented IP packets. The IP specification enables packet fragmentation when the packets
are too large to be handled by intermediary routers, and it requires packet fragments to
specify fragment offsets. In teardrop attacks, the fragment offsets are set to overlap each
other. Hosts running affected OSes are then unable to reassemble the fragments, and the
attack can crash the system.

 Volumetric. These DoS attacks use all the bandwidth available to reach network resources.
To do this, attackers must direct a high volume of network traffic at the victim's systems.
Volumetric DoS attacks flood a victim's devices with network packets using UDP or Internet
Control Message Protocol (ICMP). These protocols require relatively little overhead to
generate large volumes of traffic, while, at the same time, the victim's network devices are
overwhelmed with network packets, trying to process the incoming malicious datagrams.
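The teardrop entry above describes hosts that crashed on overlapping fragment offsets. The defensive counterpart, added here as an example that is not part of the course notes, is a fragment reassembler that validates offsets before trusting them and refuses the datagram on overlap, gap or oversize; the fragment sets at the bottom are constructed for illustration, not captured traffic.

```python
"""Added example (not from the course notes): a defensive IPv4 fragment
reassembler that rejects the overlapping offsets used by teardrop-style
attacks instead of crashing or emitting a corrupted datagram.
"""
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest IPv4 datagram, so no fragment may end past it


@dataclass(frozen=True)
class Fragment:
    offset: int     # byte offset of this payload within the original datagram
    more: bool      # the IP "more fragments" flag: False only on the last piece
    payload: bytes


class FragmentError(ValueError):
    """Raised for any fragment set that cannot be reassembled safely."""


def reassemble(fragments):
    """Return the reassembled payload or raise FragmentError.

    Rejected: offsets that are not multiples of 8 (IP carries offsets in
    8-byte units), a non-final fragment whose length is not a multiple of 8,
    data past MAX_DATAGRAM, overlapping fragments (the teardrop case; exact
    retransmitted duplicates are also rejected by this strict policy), gaps,
    and a final fragment that is missing or not last.
    """
    if not fragments:
        raise FragmentError("no fragments")
    ordered = sorted(fragments, key=lambda f: f.offset)
    covered_to = 0  # bytes [0, covered_to) have been accepted so far
    chunks = []
    for frag in ordered:
        start, end = frag.offset, frag.offset + len(frag.payload)
        if start % 8:
            raise FragmentError(f"offset {start} is not a multiple of 8")
        if frag.more and len(frag.payload) % 8:
            raise FragmentError(f"non-final fragment at {start} has length {len(frag.payload)}")
        if end > MAX_DATAGRAM:
            raise FragmentError(f"fragment at {start} ends at {end}, past the maximum datagram")
        if start < covered_to:
            # The teardrop condition: this fragment claims bytes that an
            # earlier fragment already supplied.
            raise FragmentError(f"fragment at {start} overlaps data already covered up to {covered_to}")
        if start > covered_to:
            raise FragmentError(f"gap: no data between {covered_to} and {start}")
        if not frag.more and frag is not ordered[-1]:
            raise FragmentError(f"final fragment at {start} is followed by more data")
        chunks.append(frag.payload)
        covered_to = end
    if ordered[-1].more:
        raise FragmentError("final fragment missing")
    return b"".join(chunks)


def try_reassemble(fragments):
    """Convenience wrapper: (payload, None) on success, (None, reason) otherwise."""
    try:
        return reassemble(fragments), None
    except FragmentError as exc:
        return None, str(exc)


# Constructed fragment sets
GOOD = [
    Fragment(0, True, b"A" * 16),
    Fragment(16, True, b"B" * 16),
    Fragment(32, False, b"CCCC"),
]
TEARDROP = [
    Fragment(0, True, b"A" * 16),
    Fragment(8, False, b"B" * 16),   # claims to start inside the first fragment
]
GAP = [Fragment(0, True, b"A" * 16), Fragment(32, False, b"C" * 4)]
OVERSIZED = [Fragment(0, True, b"A" * 16), Fragment(65528, False, b"Z" * 16)]


if __name__ == "__main__":
    for name, frags in [("good", GOOD), ("teardrop", TEARDROP),
                        ("gap", GAP), ("oversized", OVERSIZED)]:
        print(name, try_reassemble(frags))
```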
What is DDoS and how does it compare to DoS?
Many high-profile DoS attacks are actually distributed attacks, where the attack traffic comes
from multiple attack systems. DoS attacks originating from one source or IP address can be
easier to counter because defenders can block network traffic from the offending source. Attacks
from multiple attacking systems are far more difficult to detect and defend against. It can be
difficult to differentiate legitimate traffic from malicious traffic and filter out malicious packets
when they are being sent from IP addresses seemingly located all over the internet.

In a distributed denial-of-service attack, the attacker may use computers or other network-
connected devices that have been infected by malware and made part of a botnet. DDoS attacks
use command-and-control servers (C&C servers) to control the botnets that are part of the attack.
The C&C servers dictate what kind of attack to launch, what types of data to transmit, and what
systems or network connectivity resources to target with the attack.

History of denial-of-service attacks


DoS attacks on internet-connected systems have a long history that arguably started with
the Robert Morris worm attack in 1988. In that attack, Morris, a graduate student at
Massachusetts Institute of Technology (MIT), released a self-reproducing piece of malware --
a worm -- that quickly spread through the internet and triggered buffer overflows and DoS
attacks on the affected systems.

Those connected to the internet at the time were mostly research and academic institutions, but it
was estimated that as many as 10% of the 60,000 systems in the U.S. were affected. Damage was
estimated to be as high as $10 million, according to the U.S. General Accounting Office (GAO),
now known as the Government Accountability Office. Prosecuted under the 1986 Computer
Fraud and Abuse Act (CFAA), Morris was sentenced to 400 community service hours and three
years' probation. He was also fined $10,000.

DoS and DDoS attacks have become common since then. Some recent attacks include the
following:

 GitHub. On Feb. 28, 2018, GitHub.com was unavailable because of a DDoS attack. GitHub
said it was offline for under 10 minutes. The attack came "across tens of thousands of
endpoints … that peaked at 1.35 terabits per second (Tbps) via 126.9 million packets per
second," according to GitHub.

 Imperva. On April 30, 2019, network security vendor Imperva said it recorded a large DDoS
attack against one of its clients. The attack peaked at 580 million packets per second but was
mitigated by its DDoS protection software, the company said.

 Amazon Web Services (AWS). In the AWS Shield Threat Landscape Report Q1 2020, the
cloud service provider (CSP) said it mitigated one of the largest DDoS attacks it had ever seen
in February 2020. It was 44% larger than anything AWS had encountered. The volume of the
attack was 2.3 Tbps and it used a type of UDP vector known as a Connection-less Lightweight
Directory Access Protocol (CLDAP) reflection. Amazon said it used its AWS Shield to
counter the attack.

MODULE 6: WORMS AND VIRUSES


Introduction

Viruses, worms, Trojans, and bots are all part of a class of software called "malware." Malware
is short for "malicious software," also known as malicious code or "malcode." It is code or
software that is specifically designed to damage, disrupt, steal, or in general inflict some other
"bad" or illegitimate action on data, hosts, or networks.

There are many different classes of malware that have varying ways of infecting systems and
propagating themselves. Malware can infect systems by being bundled with other programs or
attached as macros to files. Others are installed by exploiting a known vulnerability in an
operating system (OS), network device, or other software, such as a hole in a browser that only
requires users to visit a website to infect their computers. The vast majority, however, are
installed by some action from a user, such as clicking an email attachment or downloading a file
from the Internet.

Some of the more commonly known types of malware are viruses, worms, Trojans, bots,
ransomware, backdoors, spyware, and adware. Damage from malware varies from causing minor
irritation (such as browser popup ads), to stealing confidential information or money, destroying
data, and compromising and/or entirely disabling systems and networks.

In addition to damaging data and software residing on equipment, malware has evolved to target
the physical hardware of those systems. Malware should also not be confused with defective
software, which is intended for legitimate purposes but contains errors or "bugs."
Classes of Malicious Software

Two of the most common types of malware are viruses and worms. These types of programs are
able to self-replicate and can spread copies of themselves, which might even be modified copies.
To be classified as a virus or worm, malware must have the ability to propagate. The difference
is that a worm operates more or less independently of other files, whereas a virus depends on a
host program to spread itself. These and other classes of malicious software are described below.

Ransomware

Ransomware is a type of malicious software that threatens to publish the victim's data or
perpetually block access to it unless a ransom is paid. While some simple ransomware may lock
the system in a way that is not difficult for a knowledgeable person to reverse, more advanced
malware uses a technique called cryptoviral extortion, which encrypts the victim's files, making
them inaccessible, and demands a ransom payment to decrypt them.

Viruses

A computer virus is a type of malware that propagates by inserting a copy of itself into and
becoming part of another program. It spreads from one computer to another, leaving infections as
it travels. Viruses can range in severity from causing mildly annoying effects to damaging data
or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to
an executable file, which means the virus may exist on a system but will not be active or able to
spread until a user runs or opens the malicious host file or program. When the host code is
executed, the viral code is executed as well. Normally, the host program keeps functioning after
it is infected by the virus. However, some viruses overwrite other programs with copies of
themselves, which destroys the host program altogether. Viruses spread when the software or
document they are attached to is transferred from one computer to another using the network, a
disk, file sharing, or infected email attachments.

Worms

Computer worms are similar to viruses in that they replicate functional copies of themselves and
can cause the same type of damage. In contrast to viruses, which require the spreading of an
infected host file, worms are standalone software and do not require a host program or human
help to propagate. To spread, worms either exploit a vulnerability on the target system or use
some kind of social engineering to trick users into executing them. A worm enters a computer
through a vulnerability in the system and takes advantage of file-transport or information-
transport features on the system, allowing it to travel unaided. More advanced worms leverage
encryption, wipers, and ransomware technologies to harm their targets.

Trojans

A Trojan is another type of malware named after the wooden horse that the Greeks used to
infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked
into loading and executing it on their systems. After it is activated, it can achieve any number of
attacks on the host, from irritating the user (popping up windows or changing desktops) to
damaging the host (deleting files, stealing data, or activating and spreading other malware, such
as viruses). Trojans are also known to create backdoors to give malicious users access to the
system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they
self-replicate. Trojans must spread through user interaction such as opening an email attachment
or downloading and running a file from the Internet.

Bots

"Bot" is derived from the word "robot" and is an automated process that interacts with other
network services. Bots often automate tasks and provide information or services that would
otherwise be conducted by a human being. A typical use of bots is to gather information, such
as web crawlers, or interact automatically with Instant Messaging (IM), Internet Relay Chat
(IRC), or other web interfaces. They may also be used to interact dynamically with websites.

Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware
designed to infect a host and connect back to a central server or servers that act as a command
and control (C&C) center for an entire network of compromised devices, or "botnet." With a
botnet, attackers can launch broad-based, "remote-control," flood-type attacks against their
target(s).

In addition to the worm-like ability to self-propagate, bots can include the ability to log
keystrokes, gather passwords, capture and analyze packets, gather financial information,
launch denial-of-service (DoS) attacks, relay spam, and open backdoors on the infected host.
Bots have all the advantages of worms, but are generally much more versatile in their infection
vector and are often modified within hours of publication of a new exploit. They have been
known to exploit backdoors opened by worms and viruses, which allows them to access
networks that have good perimeter control. Bots rarely announce their presence with high scan
rates that damage network infrastructure; instead, they infect networks in a way that escapes
immediate notice.
Advanced botnets may take advantage of common Internet of Things (IoT) devices such as home
electronics or appliances to scale up automated attacks. Cryptocurrency mining is a common
nefarious use of these bots.

Distribution Channels for Malware

Advanced malware typically comes via the following distribution channels to a computer or
network:

 Drive-by download—Unintended download of computer software from the Internet
 Unsolicited email—Unwanted attachments or embedded links in electronic mail
 Physical media—Integrated or removable media such as USB drives
 Self-propagation—Ability of malware to move itself from computer to computer or
network to network, thus spreading on its own
For a complete listing of malware tactics from initial access to command and control,
Ten Best Practices for Combating Malware

1. Implementing first-line-of-defense tools that can scale, such as cloud security platforms
2. Adhering to policies and practices for application, system, and appliance patching
3. Employing network segmentation to help reduce outbreak exposures
4. Adopting next-generation endpoint process monitoring tools
5. Accessing timely, accurate threat intelligence data and processes that allow that data to be
incorporated into security monitoring and eventing
6. Performing deeper and more advanced analytics
7. Reviewing and practicing security response procedures
8. Backing up data often and testing restoration procedures—processes that are critical in a
world of fast-moving, network-based ransomware worms and destructive cyber weapons
9. Conducting security scanning of microservice, cloud service, and application
administration systems
10. Reviewing security systems and exploring the use of SSL analytics and, if possible, SSL
decryption

MODULE 7: TRANSFER OF FUNDS/VALUE ACROSS NETWORKS


What Is a Wire Transfer?
The term wire transfer refers to an electronic transfer of funds over a network administered
by banks and transfer service agencies around the world. A wire transfer involves a sending and
a receiving institution and requires information from the party initiating the transfer, such as
the receiver's name and account number. No physical cash changes hands; the transfer is settled
electronically.1 Wire transfers may be domestic (between banks in the same country) or
international.2

KEY POINTS

 A wire transfer moves money electronically across a network of banks or transfer
agencies around the world.
 Senders pay for the transaction at the remitting bank and provide the recipient's name,
bank account number, and the amount transferred.
 Most wire transfers can take as long as two business days to process.
 International wire payments are monitored by the Office of Foreign Assets Control to
ensure the money isn't being wired to terrorist groups or for money laundering purposes.
 Wires settle over dedicated interbank systems (such as Fedwire in the United States, or
SWIFT messaging between correspondent banks for international payments) rather than through
the batch-based Automated Clearing House (ACH) network, which carries slower, lower-cost
direct deposits and debits.

Understanding Wire Transfers


Wire transfers, which are also known as wire payments, allow money to be moved quickly and
securely without the need to exchange cash. They allow two parties to transfer funds even if
they're in different (geographic) locations safely. A transfer is usually initiated from one bank
or financial institution to another. Rather than cash, the participating institutions share
information about the recipient, the receiving account number, and the amount transferred.3

The sender pays for the transaction upfront at their bank. This party must provide their bank with
the following information:

 the recipient's name, address, contact number, along with any other personal information
required to facilitate the transaction
 the recipient's banking information, including their account number and branch number
 the receiving bank's information, which includes the institution's name, address, and bank
identifier (routing number or SWIFT code)
 the reason for the transfer1

Once the information is documented, the wire transfer can begin. The initiating firm sends a
message to the recipient's institution with payment instructions through a secure system, such
as Fedwire or SWIFT. The recipient's bank receives the information from the initiating bank and
deposits its own reserve funds into the correct account. The two banking institutions then settle
the payment on the back end after the money has been deposited.1

Wire transfers are important tools for anyone who needs to send money quickly and securely—
especially when they aren't in the same location. They also allow entities to transfer a large
amount of money. Firms do limit the amount that can be transferred, but these caps tend to be
fairly high. For instance, one company may use a wire transfer to pay for a large purchase from
an international supplier.4

Non-bank wire transfers do not require bank account numbers. One popular non-bank wire
transfer company is Western Union, whose international money transfer service is available in
more than 200 countries.
Types of Wire Transfers
There are two types of wire transfers: domestic and international. Either can be intra-bank
(the sender and the recipient both hold accounts at the same institution) or inter-bank (the
transaction takes place between two different institutions).

Domestic Wire Transfers


A domestic wire transfer is any wire payment between accounts in the same country, whether at
two different banks or institutions (inter-bank) or at the same one (intra-bank). Senders may
need a routing code or the recipient's branch number to execute the transaction.2

These transactions are generally processed on the same day they are initiated and can be received
within a few hours. Domestic wires settle over a real-time interbank system such as Fedwire,
not the batch-based Automated Clearing House (ACH) whose transfers take a day or more, which is
why the funds are usually available the same day.
International Wire Transfers

International wire transfers are initiated in one country and settle in another. Senders must
initiate international transfers even when they send money to someone in another country who
has an account at the same bank. These payments require a routing or SWIFT code.2

These wire transfers are normally delivered within two business days. The extra time is needed
because an international wire is routed through correspondent banks in the sending and receiving
countries, each of which screens and settles it in its own system (and its own business hours)
before the funds reach the recipient.

Domestic wire transfers can cost between $25 and $35 per transaction or more. International
wire transfers often cost much more. Some receiving institutions also charge a fee, which is
deducted from the total amount received by their customer.2

Risks Associated With Wire Transfers


Wire transfers are generally safe and secure, provided you know the person who's receiving
them. If you use a legitimate wire transfer service, each person involved in a wire
transfer transaction should be required to prove their identity so that anonymous transfers are
impossible.

International wire transfers that originate in the United States are monitored by the Office of
Foreign Assets Control, an agency of the U.S. Treasury. The agency makes sure the money sent
overseas is not being used to fund terrorist activities or for money laundering purposes. In
addition, they are also tasked with preventing money from going to countries that are the subject
of sanctions by the U.S. government.5

If the agency suspects that any of these scenarios are true, the sending bank has the authority
to freeze the funds and stop the wire transfer from going through.5

Wire transfers may be flagged for several reasons, alerting officials to possible wrongdoing by
either the recipient or the sender:

 transfers to safe-haven countries
 transfers to non-account holders
 regular transfers for no viable reason
 incoming and outgoing wires with the same dollar amount
 large amounts wired by cash businesses
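The flags listed above are the kind of heuristics a bank's transaction-monitoring system applies before a human reviews a wire. The following is an added example, not from the original page or any bank's compliance system, that encodes them as rules over a constructed set of wires. The watch-list country codes, the 10,000 "large amount" threshold, the three-day mirror window, the minimum of three repeats for a "regular" pattern and the sample transactions are all assumptions chosen so that each rule fires at least once.

```python
"""Rule-based screening of wire transfers.

Added example, not from the original page or any bank's compliance system.
The watch-list, the thresholds, the time windows and the sample wires are
constructed assumptions for illustration only.
"""
from collections import defaultdict
from datetime import date, timedelta

WATCHLIST_COUNTRIES = {"XX", "YY"}      # assumed destination watch-list
LARGE_AMOUNT = 10_000.00                 # assumed "large" threshold
MIRROR_WINDOW = timedelta(days=3)        # assumed in/out matching window
MIN_REPEATS = 3                          # assumed minimum for a "regular" pattern


def flag_wires(wires, cash_businesses):
    """Return {wire_id: [reasons]} for every wire that trips at least one rule.

    Each wire is a dict: id, date, customer (our account holder), counterparty,
    direction ('in' or 'out'), amount, country (the counterparty's country),
    counterparty_has_account (bool).
    """
    flags = defaultdict(list)
    by_customer = defaultdict(list)
    repeat_groups = defaultdict(list)

    for w in wires:
        if w["direction"] == "out" and w["country"] in WATCHLIST_COUNTRIES:
            flags[w["id"]].append("destination country on watch-list")
        if w["direction"] == "out" and not w["counterparty_has_account"]:
            flags[w["id"]].append("transfer to non-account holder")
        if w["customer"] in cash_businesses and w["amount"] >= LARGE_AMOUNT:
            flags[w["id"]].append("large amount wired by cash business")
        by_customer[w["customer"]].append(w)
        if w["direction"] == "out":
            repeat_groups[(w["customer"], w["counterparty"], w["amount"])].append(w)

    # Mirrored amounts: money arrives and leaves again, same amount, within a
    # short window (a pass-through pattern).
    for txs in by_customer.values():
        incoming = [t for t in txs if t["direction"] == "in"]
        outgoing = [t for t in txs if t["direction"] == "out"]
        for i in incoming:
            for o in outgoing:
                if i["amount"] == o["amount"] and abs(i["date"] - o["date"]) <= MIRROR_WINDOW:
                    flags[i["id"]].append(f"mirrors outgoing {o['id']}")
                    flags[o["id"]].append(f"mirrors incoming {i['id']}")

    # Regular transfers: same customer, counterparty and amount at a fixed
    # interval, MIN_REPEATS times or more.
    for txs in repeat_groups.values():
        if len(txs) < MIN_REPEATS:
            continue
        txs.sort(key=lambda t: t["date"])
        gaps = {(b["date"] - a["date"]).days for a, b in zip(txs, txs[1:])}
        if len(gaps) == 1:
            days = gaps.pop()
            for t in txs:
                flags[t["id"]].append(f"regular transfer every {days} days ({len(txs)} times)")

    return dict(flags)


def _wire(wid, d, customer, counterparty, direction, amount, country="US", has_account=True):
    return {"id": wid, "date": d, "customer": customer, "counterparty": counterparty,
            "direction": direction, "amount": amount, "country": country,
            "counterparty_has_account": has_account}


# Constructed sample wires (not real transactions).
SAMPLE_WIRES = [
    _wire("W1", date(2024, 3, 1), "acme-cash-mart", "Supplier A", "out", 12_500.00),
    _wire("W2", date(2024, 3, 2), "j.doe", "Holdings Ltd", "in", 48_000.00),
    _wire("W3", date(2024, 3, 3), "j.doe", "Offshore Co", "out", 48_000.00, "XX", False),
    _wire("W4", date(2024, 3, 4), "r.roe", "Unknown Ltd", "out", 1_500.00),
    _wire("W5", date(2024, 3, 11), "r.roe", "Unknown Ltd", "out", 1_500.00),
    _wire("W6", date(2024, 3, 18), "r.roe", "Unknown Ltd", "out", 1_500.00),
    _wire("W7", date(2024, 3, 5), "s.smith", "Friend", "out", 200.00),
]
CASH_BUSINESSES = {"acme-cash-mart"}

if __name__ == "__main__":
    for wid, reasons in sorted(flag_wires(SAMPLE_WIRES, CASH_BUSINESSES).items()):
        print(wid, "->", "; ".join(reasons))
```

Running it flags W1 (large cash-business wire), W2 and W3 as a mirrored pair (W3 additionally for the watch-list country and the non-account-holder recipient), and W4 to W6 as a weekly pattern; W7 passes. A flag is a reason for review, not proof of wrongdoing, which is why every rule records why it fired.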

How Is a Wire Transfer Done?


A wire transfer is most often used to transfer funds from one bank or financial institution to
another. No physical money is transferred between banks or financial institutions when
conducting a wire transfer. Instead, information is passed between banking institutions about the
recipient, the bank receiving account number, and the amount transferred.

The sender first pays for the transaction upfront at their bank. The sending bank sends a message
to the recipient's bank with payment instructions through a secure system, such as Fedwire or
SWIFT. The recipient's bank receives all the necessary information from the initiating bank and
deposits its own reserve funds into the correct account.

The two banking institutions then settle the payment on the back end (after the money has
already been deposited).

What Are the Advantages of Wire Transfers?


Wire transfers allow for the individualized transmission of funds from individuals or entities to
others while still maintaining the efficiencies associated with the fast and secure movement of
money. The sender can initiate a wire transfer quickly and the recipient can access the funds
immediately as there are usually no bank holds on the money. Wire transfers also allow people in
different locations to safely transfer money to locales and financial institutions around the globe.

How Safe Are Wire Transfers?


A wire transfer is generally safe and secure, provided you know the recipient. A legitimate
service will vet the identity of each entity involved in a transaction so that anonymous transfers
are impossible.

International wire transfers that originate in the United States are monitored by the Office of
Foreign Assets Control, an agency of the U.S. Treasury. This agency makes sure the money
being sent overseas is not being used to fund terrorist activities or for money laundering
purposes. They are also tasked with preventing money from going to countries that are the
subject of sanctions by the U.S. government.

MODULE 8: ELECTRONIC VOTING

Electronic voting is a form of computer-mediated voting in which voters make their selections
with the aid of a computer. The voter usually chooses with the aid of a touch-screen display,
although audio interfaces can be made available for voters with visual disabilities. To understand
electronic voting, it is convenient to consider four basic steps in an election process:
ballot composition, in which voters make choices; ballot casting, in which voters submit their
ballots; ballot recording, in which a system records the submitted ballots; and tabulation, in
which votes are counted. Ballot casting, recording, and tabulation are routinely done with
computers even in voting systems that are not, strictly speaking, electronic. Electronic voting in
the strict sense is a system where the first step, ballot composition (or choosing), is done with the
aid of a computer.

There are two quite different types of electronic voting technologies: those that use
the Internet (I-voting) and those that do not (e-voting).
I-voting

As use of the Internet spread rapidly in the 1990s and early 21st century, it seemed that the
voting process would naturally migrate there. In this scenario, voters would cast their choices
from any computer connected to the Internet—including from their home. This type of voting
mechanism is sometimes referred to as I-voting. Beyond voting in regularly scheduled elections,
many saw in the emergence of these new technologies an opportunity to transform democracy,
enabling citizens to participate directly in the decision-making process. However, many
countries decided that the Internet was not secure enough for voting purposes. Limited I-voting
trials have been undertaken in some countries, including Estonia, Switzerland, France, and the
Philippines. The case of Estonia is especially enlightening: although the
country’s infrastructure for digital democracy is highly developed, use of the Internet has been at
times massively disrupted by denial-of-service attacks. This has forced the country to maintain
its traditional voting infrastructure alongside the I-voting option.

Besides denial-of-service attacks on the Internet, security experts worry that many personal
computers are vulnerable to penetration by various types of malware (malicious software). Such
attacks can be used to block or substitute legitimate votes, thereby subverting the electoral
process in a possibly undetected way.

A third concern about I-voting relates to the possibility of voter coercion and vote selling, which
in principle can more easily occur when voting does not take place in a controlled environment.
However, there is no consensus about the seriousness of this problem in stable democracies.
Furthermore, this objection also applies to absentee ballots, which have been broadly used in the
past, as well as vote-by-mail.

E-voting

Because of security and access concerns, most large-scale electronic voting is currently held in
designated precincts using special-purpose machines. This type of voting mechanism is referred
to as e-voting. There are two major types of e-voting equipment: direct recording electronic
(DRE) machines and optical scanning machines.

A typical DRE is composed of a touch screen connected to a computer. Ballots are presented to
the voters on the touch screen, where they make their choices and cast their ballot. The touch-
screen display can be used to assist the voter in a variety of ways, which include displaying large
fonts and high contrast for those with limited vision, alerting the voter to undervotes, and
preventing overvotes.

A DRE directly records the cast ballots and stores the data in its memory. Thus, a single machine
is used for composition, casting, and recording of votes. The third step, recording of the cast
ballot in a memory device, is invisible to the voter. Assurance that the vote is recorded as cast
relies on testing of the machine’s hardware and software before the election and confidence that
the software running during the election is the same software as the one tested before the
election. Both of these are subjects of much controversy.

Whereas testing for faults in hardware or unintentional errors in software can be highly reliable,
the same is not true for malicious software. Most security professionals believe that an insider
attack at the software development stage could make it to the final product without being
detected (although there is disagreement about the likelihood of such an attack). This problem
is compounded by the fact that source code is usually not made available for public scrutiny.

Cryptographic techniques can partially solve the problem of software authentication. When the
software is evaluated and certified, a cryptographic hash (a short, fixed-length digest of the
code that changes unpredictably if even one bit of the code changes) can be computed and stored.
Just before running the election, the hash is recomputed and compared with the stored value; any
change in the certified software will cause the two hashes to differ. This technique, however,
may fall short of preventing all attacks on software integrity: the stored reference value must
itself be protected (for example by a digital signature, or by keeping it off the machine),
otherwise an attacker who can replace the software can replace the hash along with it, and the
code that performs the comparison runs on the very machine whose trustworthiness is in question.
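To make the hash-manifest check and its limitation concrete, here is an added example; it is not the code of any voting-system vendor or certification lab. The file contents, the manifest format and the tampering are constructed. verify_against_manifest is the pre-election check described above, and attacker_rebuilt_manifest_passes shows why the reference hashes cannot live unprotected on the machine being checked.

```python
"""Pre-election software integrity check by hash manifest.

Added example; not the code of any voting-system vendor or certification lab.
The 'certified image' below is a constructed in-memory stand-in for the files
on a DRE, and the manifest format is an assumption.
"""
import hashlib
import hmac


def build_manifest(files):
    """files: {path: bytes}. Computed once, at certification time, and stored
    somewhere the machine cannot alter (signed, or off the device)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def verify_against_manifest(files, manifest):
    """Recompute every hash just before the election and compare.

    Returns a list of problems (an empty list means the image matches). Catches
    modified, missing and unexpected files; compare_digest avoids leaking how
    many leading characters matched through timing.
    """
    problems = []
    for path, expected in manifest.items():
        if path not in files:
            problems.append(f"missing: {path}")
            continue
        actual = hashlib.sha256(files[path]).hexdigest()
        if not hmac.compare_digest(actual, expected):
            problems.append(f"modified: {path}")
    for path in sorted(files):
        if path not in manifest:
            problems.append(f"unexpected: {path}")
    return problems


# Constructed stand-in for the certified software image.
CERTIFIED_IMAGE = {
    "bin/ballot_ui": b"\x7fELF certified build of the ballot interface",
    "etc/ballot.cfg": b"precinct=12\ncontests=4\n",
}
CERTIFIED_MANIFEST = build_manifest(CERTIFIED_IMAGE)

# What an attacker with write access to the machine might leave behind.
TAMPERED_IMAGE = dict(CERTIFIED_IMAGE)
TAMPERED_IMAGE["bin/ballot_ui"] = CERTIFIED_IMAGE["bin/ballot_ui"].replace(b"certified", b"backdoored")
TAMPERED_IMAGE["lib/vote_flip.so"] = b"\x7fELF extra library"


def attacker_rebuilt_manifest_passes():
    """The limitation the text warns about: if the reference hashes live on
    the same machine, the attacker regenerates them after tampering and the
    check passes. Returns True when that happens."""
    forged = build_manifest(TAMPERED_IMAGE)
    return verify_against_manifest(TAMPERED_IMAGE, forged) == []


if __name__ == "__main__":
    print("certified image:", verify_against_manifest(CERTIFIED_IMAGE, CERTIFIED_MANIFEST))
    print("tampered image: ", verify_against_manifest(TAMPERED_IMAGE, CERTIFIED_MANIFEST))
    print("forged manifest accepted:", attacker_rebuilt_manifest_passes())
```

Against the certified manifest the tampered image is reported as one modified and one unexpected file; against a manifest the attacker rebuilt it passes cleanly. The defence is to sign the manifest with a key the machine does not hold, or to compute the hashes from a separate trusted device, and to accept that even then the machine doing the hashing must be trusted.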

Computer viruses can infect a machine during an election. For this to happen, the machine must
somehow interact with another electronic device. Thus, connection to the Internet or to wireless
devices is usually disallowed. However, a voting session is typically initiated through the use of
an activation card. A poll worker, upon verification of eligibility, sets the card to enable one
voting session. After the session the voter returns the card to the poll worker for reuse. At least
one DRE system has been shown to be vulnerable to infection using the activation card. An
infected machine can be made to record votes not as they were cast.

The threat of DREs not recording the votes as cast has led some individuals and organizations to
argue that a paper audit record must be produced for each cast ballot. DRE manufacturers
responded by adding a printer capability to their DREs. The resulting systems produce both an
electronic record and a paper record. However, problems in handling and monitoring the paper
record, both by voters and by election officials, have led to much criticism of these hybrid
systems. Many jurisdictions have discarded them in favour of optical scanning technology.

In some optical scanning systems the voter fills out a paper ballot and inserts it into an electronic
scanning device. Scanners can reject improperly marked ballots, allowing the voter to start over,
thereby reducing discarded votes.

In other optical scanning systems voters compose their votes on a computer screen. Once a ballot
is completed, the computer prints an optical scanning ballot. The voter verifies the ballot and
then inserts it in another device that scans and tabulates the vote. Both these systems are
considered electronic voting systems.

None of the above electronic voting systems is completely secure. Opinions differ widely on
whether the posited threats are realistic enough to warrant forgoing the added functionalities of
electronic voting in favour of the perceived security of nonelectronic voting systems.
Cryptographers, on the other hand, have devised systems that allow voters to verify that their
votes are counted as cast. Additionally, these systems do not enable the voter to prove to a third
party how they voted (thus reducing the risks of vote selling and coercion). These cryptographic
systems, called end-to-end (E2E) secure, are the preferred systems from a security point of view.
Thus, there is considerable academic interest in fully developing these systems. On the other
hand, some people argue against E2E systems on the grounds that their mathematical
underpinnings are not comprehensible to the average voter.

MODULE 9: SECURE APPLICATIONS

Building secure applications: application security best practices

1. Follow the OWASP top ten

The OWASP Top Ten contains the most critical web application security vulnerabilities, as
identified and agreed upon by security experts from around the world.

These security vulnerabilities target the confidentiality, integrity, and availability of an
application, its developers, and its users. They cover such attack vectors as injection
attacks, authentication and session management, security misconfiguration, and sensitive data
exposure.

By being aware of them and how they work, and by coding in a secure way, the applications we
build stand a far better chance of not being breached. It also helps you avoid appearing on an
end-of-year hack list or in the list of recent top breaches.

The list, surprisingly, doesn’t change all that often. Sadly, many of the same issues seem to
remain year after year, despite an ever growing security awareness within the developer
community.

This is both a blessing and a curse. As they don’t change often, you can keep reviewing how well
your application holds up against them. OWASP publishes the current list of the top ten web
application security vulnerabilities on its site.
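As an added example (not code from OWASP or from the original page) of the first item on that list, injection, the following builds a constructed SQLite table and queries it two ways. The payloads are constructed attacker inputs: the first turns the WHERE clause into a tautology, the second uses UNION to pull the schema out of sqlite_master, which is the "sensitive data exposure" that usually follows an injection.

```python
"""Injection (A03:2021 in the current OWASP Top Ten) shown against an
in-memory SQLite database. Added example, not code from OWASP or the original
page; the table, rows and payloads are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """String formatting splices attacker text into the SQL grammar."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterised query: the value is bound by the driver, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
BYPASS_PAYLOAD = "x' OR '1'='1"
SCHEMA_LEAK_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    conn = make_db()
    print("normal lookup:       ", find_user_safe(conn, "alice"))
    print("vulnerable + bypass: ", find_user_vulnerable(conn, BYPASS_PAYLOAD))
    print("vulnerable + schema: ", find_user_vulnerable(conn, SCHEMA_LEAK_PAYLOAD))
    print("safe + bypass:       ", find_user_safe(conn, BYPASS_PAYLOAD))
```

The vulnerable function returns all three users for the bypass payload and the CREATE TABLE statement for the UNION payload; the parameterised one returns nothing for either, because the whole string is compared as a username. The same pattern (bind, never concatenate) applies to every SQL driver and ORM, and the trailing "--" in the second payload is how attackers neutralise whatever the query appends after their input.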

2. Get an application security audit

Let’s assume that you take the OWASP Top Ten seriously and your developers have a security
mindset. Let’s also assume that they self-test regularly to ensure that your applications are not
vulnerable to any of the listed weaknesses. You may even have a security evangelist on staff.
While these are all excellent, foundational steps, often they’re not enough. This is because of
preconceived biases and filters. Your team lives and breathes the code which they maintain each
and every day. Because of that, over time, they’ll not be able to critique it objectively.
Increasingly, your team will be subjective in their analysis of it.

It’s for this reason that it’s important to get an independent set of eyes on the applications. By
doing so, they can be reviewed by people who’ve never seen them before, by people who won’t
make any assumptions about why the code does what it does, or be biased by anything or anyone
within your organization either.

Additionally, they will be people with specific, professional application security experience, who
know what to look for, including the obvious and the subtle, as well as the hidden things. They’ll
also be abreast of current security issues and be knowledgeable about issues which aren’t
common knowledge yet.

This can be potentially daunting if you’re a young organization, one recently embarking on a
security-first approach. But, setting concerns aside, security audits can help you build secure
applications quicker than you otherwise might.

3. Implement proper logging

Now that you’ve gotten a security audit done, you have a security baseline for your application
and have refactored your code, based on the findings of the security audit, let’s step back from
the application.

Invariably something will go wrong at some stage. There’ll be a bug that no one saw (or
considered severe enough to warrant particular attention) — one that will eventually be
exploited.

When that happens, to be able to respond as quickly as possible — before the situation gets out
of hand — you need to have proper logging implemented.

Doing so provides you with information about what occurred, what led to the situation in the
first place, and what else was going on at the time. As the saying goes: proper preparation
prevents poor performance.
To do so, first, ensure that you’ve sufficiently instrumented your application. Depending on your
software language(s), there is a range of tools and services available,
including Tideways, Blackfire, and New Relic.

Secondly, store the information so that it can be parsed rapidly and efficiently when the time
comes. There is a range of ways to do this. From simple solutions such as the Linux syslog, to
open source solutions such as the ELK stack (Elasticsearch, Logstash, and Kibana), to SaaS
services such as Loggly, Splunk, and PaperTrail.

Regardless of what you use, make sure that the information is being stored and that it’s able to
be parsed quickly and efficiently when the time comes to use it.
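One concrete form of "proper logging" is one JSON object per line, with credentials stripped before the line is written, so the ELK or syslog pipeline can index the event without ever storing a password or bearer token. The following is an added example using only the standard library; it is not code from the original page or from any of the products named above. The field names, the sensitive-key list and the sample event are assumptions.

```python
"""Structured security logging with credential redaction.

Added example, not code from the original page or any logging product. The
event fields, the sensitive-key list and the sample event are constructed."""
import json
import logging
from datetime import datetime, timezone

# Keys whose values must never reach the log store (assumed list; extend it).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization", "cookie", "set-cookie"}


def redact(obj):
    """Recursively replace values under sensitive keys; everything else is kept."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


class JsonFormatter(logging.Formatter):
    """One JSON object per line so an ELK / syslog pipeline can parse it."""
    def format(self, record):
        event = {
            "ts": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        fields = getattr(record, "event", None)   # set via logger.warning(..., extra={"event": {...}})
        if isinstance(fields, dict):
            event.update(redact(fields))
        if record.exc_info:
            event["exc"] = self.formatException(record.exc_info)
        return json.dumps(event, sort_keys=True)


def get_security_logger(stream=None):
    """Logger that writes JSON lines; stream defaults to stderr."""
    logger = logging.getLogger("app.security")
    if not logger.handlers:
        handler = logging.StreamHandler(stream)
        handler.setFormatter(JsonFormatter())
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
        logger.propagate = False
    return logger


def format_security_event(msg, level=logging.WARNING, **fields):
    """Render one event to its JSON line without a handler (handy in tests)."""
    record = logging.LogRecord("app.security", level, "<app>", 0, msg, None, None)
    record.event = fields
    return JsonFormatter().format(record)


def parse_line(line):
    return json.loads(line)


if __name__ == "__main__":
    # Constructed event: a failed login where the request body carried the
    # password and the headers carried a bearer token.
    log = get_security_logger()
    log.warning("login failed", extra={"event": {
        "user": "alice", "src_ip": "203.0.113.9", "password": "hunter2",
        "request": {"headers": {"Authorization": "Bearer abc.def", "User-Agent": "curl/8.0"}},
    }})
```

Redaction is done by key name at the point of logging, because once a secret is in Elasticsearch or a SaaS log service it has been copied to places you no longer control. Keep the source IP, user and user agent: those are what the incident responder needs.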

4. Use real-time security monitoring and protection

Any consideration of application security would be incomplete without classic firewalls and
web application firewalls (WAFs).

WAFs fall short for a number of reasons, including that they can generate a large number of false
positives and negatives, and can be costly to maintain. However, they do afford some level of
protection to your application.

So, if you want to use a WAF, it is suggested that you either use it in addition to a Runtime
Application Self-Protection (RASP) tool, or use an Application Security Management
platform such as Sqreen that can provide RASP and in-app WAF modules tuned to your needs,
to provide real-time security monitoring and protection.

That way, you can protect your application from a range of perspectives, both internal and
external.

5. Encrypt everything

Now that your application’s been instrumented and has a firewall solution to help protect it, let’s
talk about encryption. And when I say encryption, I don’t just mean using HTTPS and HSTS.
I’m talking about encrypting all the things.

I believe it’s important to always use encryption holistically to protect an application. This might
seem a little Orwellian, but it’s important to consider encryption from every angle, not just the
obvious or the status quo.
It’s great that services such as Let’s Encrypt are making HTTPS much more accessible than it
ever was before. And it’s excellent that such influential companies as Google are rewarding
websites for using HTTPS, but this type of encryption isn’t enough.

It’s important to make sure that data at rest is encrypted as well. HTTPS, when properly
configured, protects data in transit: a man-in-the-middle (MITM) cannot read or alter it.

But if someone can get to your server (such as a belligerent ex-staffer, dubious systems
administrator, or a government operative) and either clone or remove the drives, then all the
other security is moot. Encrypting the volumes only helps if the keys do not sit unprotected on
the same disk, and it does nothing against an attacker who reaches the running host while the
volume is mounted.

So, please don’t look at security in isolation, or one part of it. Look at it holistically and consider
data at rest, as well as data in transit.

6. Harden everything

Now that all traffic and data is encrypted, what about hardening everything? From operating
systems to software development frameworks you need to ensure that they’re sufficiently
hardened.

This is too complex a topic to cover in the amount of space I have available in this article. So
let’s instead consider a concise list of suggestions for both operating systems and frameworks.

 Is your web server using modules or extensions that your application doesn’t need?
 Is your software language using modules or extensions that it doesn’t need?
 Does your software language allow command execution, for example through exec or proc_open-style calls?
 What’s the maximum script execution time set to?
 What access does your software language have to the filesystem?
 Where is session information being stored?
 Are the servers, services (such as MySQL, PostgreSQL, and Redis) and software language
configuration files write protected?
 Are your servers using security extensions such as SELinux or AppArmor?
 Is incoming and outgoing traffic restricted?
 What users are allowed to access the server and how is that access managed?

How do your servers, services, and software language configurations fare? This is a complex
topic. So, here is a short list of best practice guides to refer to:
 Ruby on Rails Security Guide
 PHP Security Checklist
 Ruby Security Handbook
 Python Security
 Node.js Security Handbook
 Hardening the Linux server
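Two of the checklist questions, whether the language runtime can still spawn processes and whether service configuration files are write-protected, can be answered by script. The following is an added example; it is not code from the original page or from any of the guides listed. The php.ini samples and the temporary configuration files are constructed, and the set of command-execution functions is an assumption to tune per application.

```python
"""Two checks from the hardening list: can the language runtime still spawn
processes, and are service config files write-protected?

Added example, not code from the original page. The php.ini samples are
constructed, the config files are created in a temporary directory, and the
list of dangerous functions is an assumption to tune per application."""
import os
import stat
import tempfile

# PHP functions that spawn processes; assumed list, extend as needed.
COMMAND_EXEC_FUNCS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}


def parse_ini(text):
    """Minimal php.ini reader: key = value, ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings for a php.ini; an empty list means the checks pass."""
    s = parse_ini(text)
    findings = []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    enabled = sorted(COMMAND_EXEC_FUNCS - disabled)
    if enabled:
        findings.append("command-execution functions enabled: " + ", ".join(enabled))
    if s.get("expose_php", "On").lower() == "on":
        findings.append("expose_php is On (PHP version leaks in the X-Powered-By header)")
    if not s.get("open_basedir"):
        findings.append("open_basedir unset (scripts can read anywhere on the filesystem)")
    if s.get("max_execution_time", "30") == "0":
        findings.append("max_execution_time is 0 (no limit on script run time)")
    return findings


def audit_file_perms(paths):
    """Flag config files that group or others can write to."""
    findings = []
    for p in paths:
        mode = os.stat(p).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{p}: writable by group/others (mode {oct(mode & 0o777)})")
    return findings


# Constructed samples (not a real server's configuration).
WEAK_PHP_INI = """
; default-ish settings
expose_php = On
max_execution_time = 0
disable_functions =
"""
HARDENED_PHP_INI = """
expose_php = Off
max_execution_time = 30
open_basedir = "/var/www/app:/tmp"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
"""


def demo_file_perms():
    """Create two constructed config files with different modes and audit them."""
    d = tempfile.mkdtemp()
    loose = os.path.join(d, "my.cnf")
    tight = os.path.join(d, "redis.conf")
    for p in (loose, tight):
        with open(p, "w") as fh:
            fh.write("# constructed sample\n")
    os.chmod(loose, 0o666)   # anyone on the host can rewrite the DB config
    os.chmod(tight, 0o640)   # owner rw, group r, others nothing
    return audit_file_perms([loose, tight])


if __name__ == "__main__":
    print("weak php.ini:    ", audit_php_ini(WEAK_PHP_INI))
    print("hardened php.ini:", audit_php_ini(HARDENED_PHP_INI))
    print("file perms:      ", demo_file_perms())
```

The weak php.ini produces four findings and the hardened one none; of the two config files only the world-writable my.cnf is reported. Run checks like these from CI or a configuration-management tool so a hardening regression is caught before it reaches production.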

7. Keep your servers up to date

In addition to ensuring that your operating system is hardened, is it up to date? It could very well
be hardened against the current version, but if the packages are out of date (and as a result
contain vulnerabilities), then there’s still a problem.

Make sure that your servers are set to update to the latest security releases as they become
available. I’m not suggesting updating each and every package, but at least the security-specific
ones.

Depending on your organization’s perspective, you can elect to automate this process.
Alternatively, you can review and approve updates individually.

If you want to automatically install security upgrades, you can use:

 unattended-upgrades on Debian-related distributions
 yum-cron with “update_cmd = minimal-security-severity:Important”
 The Automatic Updates feature in Windows

If you’re not using one of these, please refer to the documentation for your operating system or
distribution.
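As an added illustration (not from the original page), here are the two configurations the list above refers to, restricted to security updates. The file paths and option names are as documented for yum-cron on RHEL/CentOS 7 and for unattended-upgrades on Ubuntu; the apply_updates line is the one most often forgotten, since without it yum-cron only downloads. The Allowed-Origins form shown is the Ubuntu one; Debian's stock file expresses the same restriction with Origins-Pattern.

```ini
# /etc/yum/yum-cron.conf  (RHEL/CentOS 7) -- only the lines that matter
[commands]
; security fixes rated Important or higher, with minimal dependency churn
update_cmd = minimal-security-severity:Important
update_messages = yes
download_updates = yes
; without this the job only downloads; it never installs
apply_updates = yes
; spread the run over up to six hours so a fleet does not hit the mirror at once
random_sleep = 360

# /etc/apt/apt.conf.d/20auto-upgrades  (Ubuntu)
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

# /etc/apt/apt.conf.d/50unattended-upgrades  (Ubuntu) -- security pocket only
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";
```

With Automatic-Reboot left at "false" a kernel security update is installed but not activated until someone reboots the host, so pair this with monitoring for a pending-reboot marker; otherwise you have patched the disk, not the running system.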

8. Keep your software up to date

As well as keeping the operating system up to date, you need to keep your application
framework and third party libraries up to date as well.

Some people may scoff at the thought of using a framework. That’s not a debate that I’m going
to engage in today; suffice it to say that both approaches have their place, and when used well,
frameworks can save inordinate amounts of time and effort.

Frameworks and third-party software libraries, just like operating systems, have vulnerabilities.
If they’re properly supported, then they will also be rapidly patched and improved. Given that,
it’s important to ensure that you’re using the latest stable version — if at all possible.

Most languages, whether dynamic ones such as PHP, Python, and Ruby, or static ones such
as Go, have package managers. These tools make the process of managing and maintaining
external dependencies relatively painless, as well as being automated during deployment.

Ensure that you take advantage of them and stay with as recent a release as is possible.

9. Stay abreast of the latest vulnerabilities

This is strongly tied to the previous point. Given the number of attack vectors in play today,
such as cross-site scripting, code injection, SQL injection, insecure direct object references,
and cross-site request forgery, it’s hard both to stay abreast of them and to know what the new
ones are.

But, such is life. Given the world in which we live and the times in which we operate, if we want
to build secure applications we need to know this information. Gladly, there are a range of ways
in which we can get this information in a distilled, readily consumable fashion.

Sqreen does a bi-weekly newsletter roundup of interesting security articles you can subscribe to.
Here is a list of blogs and podcasts you can regularly refer to, to stay up to date as well:

Blogs

• Troy Hunt: The Australian Microsoft Regional Director and MVP. He also tweets at @troyhunt.
• Krebs on Security by Brian Krebs. Brian is an independent investigative journalist, specializing in cybercrime. He also tweets at @briankrebs.
• Dark Reading: one of the most widely read cybersecurity news sites. It reports on attacks and the key ways to defend yourself against them.
• The Guardian’s Data and Computer Security section. An excellent source of the latest information on what’s happening around the world with respect to security.
• Schneier on Security by Bruce Schneier. Bruce’s been writing about security since 2004 and is the Chief Technology Officer of Resilient and a board member of the EFF (Electronic Frontier Foundation).

Podcasts

• OWASP Podcast
• Crypto-Gram Security Podcast
• Risky Business
• Down the Security Rabbithole
• Defensive Security

10. Never stop learning

Finally, perhaps this is a cliché, but never stop learning. You may be all over the current threats
facing our industry. But that doesn’t mean that new threats aren’t either coming or being
discovered.

Given that, make sure that you use the links in this article to keep you and your team up to date
on what’s out there. Then, continue to engender a culture of security-first application
development within your organization.

That way, you’ll always have it as a key consideration, and be far less likely to fall victim to
security or data breaches.

What is application security?

Learn how to mitigate threats by shrinking the application attack surface across environments

Application security describes security measures at the application level that aim to prevent
data or code within the app from being stolen or hijacked. It encompasses the security
considerations that happen during application development and design, but it also involves
systems and approaches to protect apps after they get deployed.

Application security may include hardware, software, and procedures that identify or minimize
security vulnerabilities. A router that prevents anyone from viewing a computer’s IP address
from the Internet is a form of hardware application security. But security measures at the
application level are also typically built into the software, such as an application firewall that
strictly defines what activities are allowed and prohibited. Procedures can entail things like an
application security routine that includes protocols such as regular testing.

Application security definition

Application security is the process of developing, adding, and testing security features within
applications to prevent security vulnerabilities against threats such as unauthorized access and
modification.

Why application security is important

Application security is important because today’s applications are often available over various
networks and connected to the cloud, increasing vulnerabilities to security threats and breaches.
There is increasing pressure and incentive to not only ensure security at the network level but
also within applications themselves. One reason for this is because hackers are going after apps
with their attacks more today than in the past. Application security testing can reveal weaknesses
at the application level, helping to prevent these attacks.

Types of application security

Different types of application security features include authentication, authorization, encryption,
logging, and application security testing. Developers can also code applications to reduce
security vulnerabilities.

• Authentication: When software developers build procedures into an application to ensure that only authorized users gain access to it. Authentication procedures ensure that a user is who they say they are. This can be accomplished by requiring the user to provide a user name and password when logging in to an application. Multi-factor authentication requires more than one form of authentication—the factors might include something you know (a password), something you have (a mobile device), and something you are (a thumb print or facial recognition).
• Authorization: After a user has been authenticated, the user may be authorized to access and use the application. The system can validate that a user has permission to access the application by comparing the user’s identity with a list of authorized users. Authentication must happen before authorization so that the application matches only validated user credentials to the authorized user list.
• Encryption: After a user has been authenticated and is using the application, other security measures can protect sensitive data from being seen or even used by a cybercriminal. In cloud-based applications, where traffic containing sensitive data travels between the end user and the cloud, that traffic can be encrypted to keep the data safe.
• Logging: If there is a security breach in an application, logging can help identify who got access to the data and how. Application log files provide a time-stamped record of which aspects of the application were accessed and by whom.
• Application security testing: A necessary process to ensure that all of these security controls work properly.

Application security in the cloud

Application security in the cloud poses some extra challenges. Because cloud environments
provide shared resources, special care must be taken to ensure that users only have access to the
data they are authorized to view in their cloud-based applications. Sensitive data is also more
vulnerable in cloud-based applications because that data is transmitted across the Internet from
the user to the application and back.

Mobile application security

Mobile devices also transmit and receive information across the Internet, as opposed to a private
network, making them vulnerable to attack. Enterprises can use virtual private networks (VPNs)
to add a layer of mobile application security for employees who log in to applications remotely.
IT departments may also decide to vet mobile apps and make sure they conform to company
security policies before allowing employees to use them on mobile devices that connect to the
corporate network.

Web application security

Web application security applies to web applications—apps or services that users access through
a browser interface over the Internet. Because web applications live on remote servers, not
locally on user machines, information must be transmitted to and from the user over the Internet.
Web application security is of special concern to businesses that host web applications or provide
web services. These businesses often choose to protect their network from intrusion with a web
application firewall. A web application firewall works by inspecting and, if necessary, blocking
data packets that are considered harmful.

What are application security controls?

Application security controls are techniques to enhance the security of an application at the
coding level, making it less vulnerable to threats. Many of these controls deal with how the
application responds to unexpected inputs that a cybercriminal might use to exploit a weakness.
A programmer can write code for an application in such a way that the programmer has more
control over the outcome of these unexpected inputs. Fuzzing is a type of application security
testing where developers test the results of unexpected values or inputs to discover which ones
cause the application to act in an unexpected way that might open a security hole.

What is application security testing?

Application developers perform application security testing as part of the software development
process to ensure there are no security vulnerabilities in a new or updated version of a software
application. A security audit can make sure the application is in compliance with a specific set of
security criteria. After the application passes the audit, developers must ensure that only
authorized users can access it. In penetration testing, a developer thinks like a cybercriminal and
looks for ways to break into the application. Penetration testing may include social engineering
or trying to fool users into allowing unauthorized access. Testers commonly administer both
unauthenticated security scans and authenticated security scans (as logged-in users), since some
vulnerabilities show up in only one of the two states.

MODULE 10: HOMELAND CYBER SECURITY POLICY

Summary: The Department of Homeland Security’s Cybersecurity Strategy

Wednesday, June 27, 2018, 10:10 AM

With an anticipated 20 billion devices connected to the internet by 2020, cybersecurity has
become a core component of homeland security. Complicating the threat picture, nation-states
have begun to use proxies, and malicious actors with apparent criminal and nation-state
affiliations now engage in online criminal activity. In 2015, an intrusion into a federal agency
resulted in the compromise of over 4 million federal employees’ personnel records, affecting
nearly 22 million people. The proliferation of internet-of-things devices increases the chances
that cyberactivity and ransomware incidents—such as WannaCry and NotPetya—will have serious
kinetic consequences.

The strategy document identifies five pillars of a department-wide risk-management approach to
cybersecurity. The first pillar aims to better understand the threats facing the U.S. The second,
third and fourth pillars work to reduce the frequency and damage of cyberthreats. Finally, the
fifth pillar aims to make cyberspace more defensible.

Pillar I: Risk Identification

Goal 1: Assess Evolving Cybersecurity Risks

Central to Homeland Security’s strategy is a better understanding of global cyberthreats and how
they affect the United States. The department plans to work with sector-specific agencies, such
as the Department of Defense and the General Services Administration, and cybersecurity firms
that are not affiliated with the federal government. DHS will develop plans both to address gaps
in its preparedness to handle existing threats and to predict future risks.

Pillar II: Vulnerability Reduction

Goal 2: Protect Federal Government Information Systems

DHS will work to reduce organizational and systemic vulnerabilities across the federal
government and empower its stakeholders to better manage their cybersecurity risks. DHS works
with the Office of Management and Budget (OMB) to address risks across agencies. In leading
the effort to secure the federal government, as well as protecting its own information systems,
DHS intends to triage the risks the government faces. Additionally, DHS will continue close
collaboration with the General Services Administration, the National Institute of Standards and
Technology, and those entities responsible for protecting military and intelligence networks.

In order to reduce federal agencies’ vulnerabilities, DHS plans to improve the governance model
for federal cybersecurity, information-security policies, and oversight. DHS will continuously
provide feedback on federal information-technology policies and government-wide policies and
programs that affect cybersecurity. It will further clarify the distribution of responsibilities
between OMB, DHS and other agencies, with the goal of developing and implementing a clear
governance model for federal cybersecurity. DHS will also try to increase compliance with
information-security policies and accountability for missteps, and assess federal government and
individual-agency risks.

Additionally, the department plans to preempt cyberthreats to itself and other government
agencies. DHS plans to centralize protective capabilities and offer additional cybersecurity tools
and services to agencies in response to emerging or identified threats. In addition, DHS will
create performance metrics to measure the effectiveness of its cybersecurity capabilities, tools,
and services. Last, as it increasingly leverages cloud and shared services, DHS will continue to
explore new ways to protect DHS systems that may be scalable across the federal government.

Goal 3: Protect Critical Infrastructure

To address significant national risks to critical infrastructure, DHS plans to evaluate its current
cybersecurity risk-management offerings, identify and prioritize gaps in those offerings and in
personnel engagement, and address the gaps by providing tools and services to
critical-infrastructure owners and operators. To effectively leverage field personnel to adopt
cybersecurity risk management best practices, including the National Institute of Standards and
Technology’s Framework for Improving Critical Infrastructure Cybersecurity, DHS is prepared
to engage with officials at the appropriate levels.

To improve the sharing of cyberthreat indicators, defensive measures, and other cybersecurity
information, DHS intends to expand automated mechanisms that receive, analyze, and share
threat information. The department also plans to improve its own ability to analyze, correlate and
enrich cybersecurity information, and improve its information-sharing mechanisms, including
those that allow access to U.S. government information.

DHS intends to maintain relevant expertise, mature existing partnerships, and continue to
integrate resources for the ten critical-infrastructure sectors for which it is responsible. It will
assess and update DHS policies and regulations to address cybersecurity risk, and it will support
each sector in integrating cyber and physical resources.

Pillar III: Threat Reduction

Goal 4: Prevent and Disrupt Criminal Use of Cyberspace

DHS intends to reduce cyberthreats by countering transnational criminal organizations and
sophisticated cyber criminals. As financial fraud, money laundering, theft of intellectual
property, selling of illicit goods and child exploitation are increasingly conducted online, nearly
all criminal investigations require investigators to have knowledge of computer forensics, digital
investigations, and the cyber tradecraft. DHS plans to leverage its capabilities for targeting
financial and international cyber crime, and to collaborate more closely with its law-enforcement
partners. To that end, DHS will investigate cyber crimes and illicit uses of cyberspace by
transnational criminal organizations. It intends to focus its core investigative responsibilities on
financial services and payment systems, computer fraud and abuse, cross-border transmission of
illicit materials, human trafficking and child exploitation, intellectual property violations, misuse
of cryptocurrencies, and other violations of customs law.

In the past, DHS has been a leader in integrating traditional law-enforcement methods to
strengthen cybersecurity, as demonstrated through its electronic crimes task forces. DHS further
plans to prevent, disrupt, and counter cybersecurity threats to persons, events, and infrastructure
through strengthening its ability to apply its full range of authorities and implementing detection
and protection measures to appropriately secure key systems and assets.

DHS plans to collaborate with other law enforcement agencies, strengthen its collaboration with
private industry and academia, and bolster its international law enforcement partnerships and
their capabilities for cyber crime investigations and digital forensics.

DHS will invest in cutting-edge technical resources and advanced law enforcement capabilities
for both itself and its partners.

Pillar IV: Consequence Mitigation

Goal 5: Respond Effectively to Cyber Incidents

DHS will limit the impact of cyber incidents through coordinated, community-wide response
efforts. When cyber incidents occur, DHS currently assists through both asset response—
technical assistance to affected entities and other at-risk assets—and threat response—
investigating the underlying crimes. DHS plans to implement information-sharing mechanisms
to ensure that asset and threat responders communicate with each other, sector-specific agencies,
and the private sector; in the case of significant cyber incidents, DHS will ensure preparedness
for a coordinated government-wide response.

To better assist victims after cyber incidents, DHS plans to encourage voluntary reporting of
cyber incidents and improve victim notification. As the lead agency for asset response, part of a
Cyber Unified Coordination Group, and a support to the White House-led Cyber Response
Group, DHS provides critical asset-response assistance following cyber incidents. To expand
asset response capabilities and mitigate cyber incidents, DHS plans to establish a common
operating picture across the department and with other stakeholders, and to support emergency
management efforts under the National Response Framework.

To increase coordination between incident responders, DHS will leverage both DHS and
non-DHS investigative resources to provide incident and threat attribution information to federal
incident responders and sector-specific agencies. DHS will also develop holistic assessments of
adversaries, threats, and incidents, increase field-level collaboration, and coordinate federal
response assistance where appropriate.

Pillar V: Enable Cybersecurity Outcomes

Goal 6: Strengthen the Security and Reliability of the Cyber Ecosystem

DHS will support policy and operational efforts that make the “cyber ecosystem” more secure
and reliable. DHS describes the cyber ecosystem as including not only cyberspace—the
interdependent network of information technology infrastructure—but also the people,
environment, norms, and conditions that influence that space. DHS plans to invest in research
and development efforts that support its mission, and to more quickly expand its cyber personnel
programs.

To strengthen the security and reliability of the ecosystem, DHS aims to foster improved
cybersecurity in software, hardware, services, and technologies, and to build more resilient
networks. DHS will support the development of technical, operational, and policy innovations,
and develop solutions to identify and manage supply chain risks for stakeholders. DHS further
plans to engage with stakeholders to enhance the cybersecurity of cloud infrastructure,
internet-of-things products, and other emerging technologies.

Additionally, DHS plans to prioritize research, development, and technology transition activities
that support incident response, information sharing, and other cybersecurity objectives. It will
identify, develop, and transition new capabilities that will enable DHS to protect critical systems,
investigate cyber crimes, and respond to cyber incidents.

DHS also plans to expand international collaboration to advance its objectives and promote an
open, interoperable, secure, and reliable internet. DHS aims to improve international cooperation
and build capacity by sharing best practices, cybersecurity information, expertise, and technical
assistance. It anticipates that the expansion of this international collaboration will result in
shared global approaches to cybersecurity and increased risk management capabilities.

With a critical shortage of cybersecurity talent globally, DHS also endeavors to improve
recruitment, education, training, and retention to develop a world-class cyber workforce. DHS
will continue to support efforts to increase the supply of cybersecurity talent through cyber
education programs and the National Initiative for Cybersecurity Education. It will also continue
to develop and promote cybersecurity training programs, working in particular to drive
approaches to recruitment and retention. DHS plans to develop a cutting-edge network protection
and cyber investigative workforce.

Goal 7: Improve Management of DHS Cybersecurity Activities

DHS plans to integrate department-wide cybersecurity policy development, strategy, and
planning activities. DHS will establish internal mechanisms to ensure consistency across
cybersecurity policy and strategic plans through the DHS Office of Strategy, Policy, and Plans,
and in collaboration with the DHS Management Directorate and affected components.

DHS aims to prioritize and evaluate the effectiveness of its cybersecurity programs and activities
in accordance with its Cybersecurity Strategy. It will then identify and address gaps within the
strategy, ultimately ensuring that the cybersecurity programs address the department’s goals and
objectives.

MODULE 11: GOVERNMENT REGULATION OF INFORMATION TECHNOLOGY

NIGERIA NATIONAL CYBER SECURITY POLICY DOCUMENT
