Computer Networks Note

This document provides an overview of computer network security. It introduces the instructor and lists references on the topic. It then covers key topics in network security like security components, threats, security policy, types of malware and attacks, and security mechanisms. Brief histories of malware and cybersecurity facts are also presented. Various attacks targeting different layers of networking are defined.

Uploaded by

Simple Gupta
Copyright
© All Rights Reserved

Welcome to

Computer Network Security


(ATTP Course)
Instructor
Piyu Tripathy

NIST (Autonomous)
Overview
• Security Components and Threats
• Security Policy and Issues
• Types of Malware and Attacks
• Security Mechanisms
• Network Security Audit
• The Orange Book
• Legal Issues
References
1. Gert De Laet and Gert Schauwers, “Network Security Fundamentals,” Cisco Press, 2005.
2. Mark Stamp, “Information Security: Principles and Practices,” John Wiley & Sons, Hoboken, NJ, 2011.
3. Matt Bishop, “Introduction to Computer Security,” Addison-Wesley, 2005.
Security Components
• Confidentiality: Needs access control and cryptography; the mere existence of data may also need to be hidden
• Integrity: No unauthorized change to content or source; prevention mechanisms, detection mechanisms
• Availability: Threatened by denial of service attacks
• Confidentiality, Integrity and Availability (CIA)
Threats
• Any circumstance or event with the potential to cause harm to a networked system
• Disclosure, alteration, and denial (DAD)
• Disclosure or unauthorized access: snooping, passive wiretapping
• Deception or acceptance of false data: active wiretapping (data modified), man-in-the-middle attack, masquerading or spoofing (impersonation), repudiation of origin (denying sending), denial of receipt
• Disruption or prevention of correct operation
• Usurpation or unauthorized control of some part of a system: delay, infinite delay ⇒ denial of service
Security Policy
• Statement of what is and what is not allowed
• Security Mechanism: Method, tool or procedure for enforcing a security policy
Elements of Network
Security Policy
1. Purchasing guidelines: Required security features
2. Privacy Policy: files, emails, keystrokes
3. Access Policy: Connecting to external systems, installing new
software
4. Accountability Policy: Responsibilities of
users/staff/management. Audit capability.
5. Authentication Policy: password policy
6. Availability statement: redundancy and recovery issues
7. Maintenance Policy: Remote maintenance? How?
8. Violations Reporting Policy: What and to whom?
9. Supporting Information: Contact information, handling
outside queries, laws,...

Ref: RFC 2196


Security Issues
• Goals: Prevention, Detection, Recovery
• Assurance: Assurance requires detailed specs of desired/undesired behavior, analysis of the design of hardware/software, and arguments or proofs that the implementation, operating procedures, and maintenance procedures work.
• Operational Issues: Benefits of protection vs. cost of designing/implementing/using the mechanisms
• Risk Analysis: Likelihood of potential threats
• Laws: No export of cryptography from the USA until 2000. Sys admins can't read a user's files without permission.
• Customs: DNA samples for authentication, SSN as passwords
• Organizational Priorities: Security not important until an incident
• People Problems: Insider attacks
Steps in Cracking a Network
• Information Gathering: Public sources/tools.
• Port Scanning: Find open TCP ports.
• Network Enumeration: Map the network. Servers and workstations. Routers, switches, firewalls.
• Gaining Access: Keeping root/administrator access
• Modifying: Using access and modifying information
• Leaving a backdoor: To return at a later date.
Hacker Categories
• Hacker - Clever programmer
• Cracker - Illegal hacker
• Script Kiddies - Starting hacker. May not target a specific system. Rely on tools written by others.
• White Hat Hackers - Good guys. Very knowledgeable. Hired to find a vulnerability in a network. Write own software.
• Black Hat Hackers - Bad guys. Desire to cause harm to a specific system. Write own software.
• Cyber terrorists - Motivated by political, religious, or philosophical agenda.
Types of Malware
(Short form of Malicious Software)
• Viruses: Code that attaches itself to programs, disks, or memory to propagate itself.
• Worms: Installs copies of itself on other machines on a network, e.g., by finding user names and passwords
• Trojan horses: Pretend to be a utility. Convince users to install on PC.
• Spyware: Collect personal information
• Hoax: Use emotion to propagate, e.g., child's last wish.
• Trap Door: Undocumented entry point for debugging purposes.
• Logic Bomb: Instructions that trigger on some event in the future
• Zombie: Malicious instructions that can be triggered remotely. The attacks seem to come from other victims.
Cyber Security Facts
• There is a hacker attack every 39 seconds.
• 43% of cyber attacks target small business.
• The average cost of a data breach in 2020 will exceed $150 million.
• In 2018 hackers stole half a billion personal records.
• Over 75% of the healthcare industry has been infected with malware over the last year.
• Large-scale DDoS attacks increase in size by 500%.
Cyber Security Facts
• Approximately $6 trillion is expected to be spent globally on cybersecurity by 2021.
• By 2020 there will be roughly 200 billion connected devices.
• Unfilled cybersecurity jobs worldwide will reach 3.5 million by 2021.
• 95% of cybersecurity breaches are due to human error.
• More than 77% of organizations do not have a Cyber Security Incident Response plan.
• Total cost for cybercrime committed globally has added up to over $1 trillion in 2018.
Brief History of Malware
• 1971 – Creeper: An experiment designed to test how a program might move between computers.
• 1974 – Wabbit: A self-replicating program that made multiple copies of itself on a computer until it bogged down the system.
• 1982 – Elk Cloner: One of the earliest widespread, self-replicating viruses to affect personal computers.
• 1986 – Brain Boot Sector Virus: Generally regarded as the first virus to infect MS-DOS computers. Its origin stems from two brothers in Pakistan who created it to test loopholes in their company’s software.
• 1986 – PC-Write Trojan: Malware authors disguised one of the earliest Trojans as a popular shareware program called “PC-Writer.”
Brief History of Malware
• 1988 – Morris Worm: This worm infected a substantial percentage of computers connected to ARPANET. The author, Robert Morris, became the first malware author convicted for his crimes.
• 1991 – Michelangelo Virus: It was so named because the virus was designed to erase information from hard drives on March 6th, the birthday of the famed Renaissance artist.
• 1999 – Melissa Virus: Generally acknowledged as the first mass-emailed virus.
• 2000 – ILOVEYOU Worm: Spreading by way of an email sent with the seemingly benign subject line, “ILOVEYOU,” the worm infected an estimated 50 million computers.
Brief History of Malware
• 2001 – Anna Kournikova Virus: Emails spread this nasty virus that purported to contain pictures of the very attractive female tennis player, but in fact hid the malicious malware.
• 2003 – SQL Slammer Worm: One of the fastest spreading worms of all time, SQL Slammer infected nearly 75,000 computers in ten minutes.
• 2004 – Cabir Virus: Although this virus caused little if any damage, it is noteworthy because it is widely acknowledged as the first mobile phone virus.
• 2005 – Koobface Virus: One of the first instances of malware to infect PCs and then propagate to social networking sites.
• 2008 – Conficker Worm: A combination of the words “configure” and “ficker”, this sophisticated worm caused some of the worst damage seen since Slammer appeared in 2003.
Brief History of Malware
• 2010 – Stuxnet Worm: The incredibly sophisticated worm is believed to be the work of an entire team of developers.
• 2011 – Zeus Trojan: This Trojan has become one of the most successful pieces of botnet software in the world, impacting millions of machines.
• 2013 – Cryptolocker: One of many early ransomware programs, Cryptolocker had a significant impact globally and helped fuel the ransomware era.
• 2014 – Backoff: Malware designed to compromise Point-of-Sale (POS) systems to steal credit card data.
• 2016 – Cerber: One of the heavy-hitters in the ransomware sphere.
• 2017 – WannaCry Ransomware: Exploiting a vulnerability first uncovered by the National Security Agency.
Attacks on Different Layers
(OSI layer, the corresponding TCP/IP layer, typical protocols, and example attacks)
• Layer 7 Application, with Presentation and Session above/below it (TCP/IP: Application): DNS, DHCP, HTTP, IMAP, LDAP, NTP, Radius, FTP, SSH, SMTP, SNMP, Telnet, TFTP. Attacks: DNS poisoning, phishing, SQL injection, spam/scam.
• Layer 5 Session: SMB, NFS, Socks.
• Layer 4 Transport (TCP/IP: Transport): TCP, UDP. Attacks at layers 4/5: TCP attacks, routing attack, SYN flooding, sniffing.
• Layer 3 Network (TCP/IP: Internet): IPv4, IPv6, ICMP, IPSec. Attacks: ping/ICMP flood.
• Layer 2 Data Link (TCP/IP: Network Access): ARP, Token Ring. Attacks: ARP spoofing, MAC flooding.
• Layer 1 Physical.
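The data-link row above lists ARP spoofing; the following added example (not part of the original deck) shows the defender's side of it: a small detector that watches ARP replies and alerts when an IP address changes the MAC it is bound to. The reply records are constructed for the example, and the optional `trusted` table (e.g. pinning the gateway's MAC) is an assumption about what an administrator would configure.

```python
from collections import defaultdict

# Constructed ARP reply records (not captured from a real network):
# (timestamp, sender IP, sender MAC), as a sniffer would log them.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate binding
    (1.5, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (2.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (2.5, "192.168.1.1", "aa:bb:cc:00:00:99"),   # gateway IP now claimed by another MAC
    (3.0, "192.168.1.1", "aa:bb:cc:00:00:99"),
]


def detect_arp_spoofing(replies, trusted=None):
    """Return one alert per ARP reply that contradicts the known IP->MAC binding.

    `trusted` is an optional static IP->MAC table (e.g. the gateway); a reply that
    contradicts it is flagged even the first time that IP is seen.  Bindings learned
    dynamically are kept, so every later conflicting reply is also reported.
    """
    seen = dict(trusted or {})
    alerts = []
    for ts, ip, mac in replies:
        known = seen.get(ip)
        if known is None:
            seen[ip] = mac                     # first binding learned for this IP
        elif known != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": known, "new_mac": mac})
    return alerts


def count_macs_per_ip(replies):
    """Distinct MACs each IP was seen with; more than one is a spoofing indicator."""
    macs = defaultdict(set)
    for _, ip, mac in replies:
        macs[ip].add(mac)
    return {ip: len(m) for ip, m in macs.items()}


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(f"t={alert['time']}: {alert['ip']} moved from {alert['old_mac']} to {alert['new_mac']}")
```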
Types of Attacks
• Denial of Service (DoS): Flooding with traffic/requests
• Buffer Overflows: Error in system programs. Allows hacker to insert his code into a program.
• Malware
• Brute Force: Try all passwords.
• Man-in-the-middle attack: intercepts messages that are intended for a valid device
• Port Scanning:
  ⇒ Disable unnecessary services and close ports
• Network Mapping (nmap)
nmap
• network mapper is a utility for port scanning large networks:
o TCP connect() scanning
o TCP SYN (half open) scanning
o TCP FIN, Xmas, or NULL (stealth) scanning
o TCP ftp proxy (bounce attack) scanning
o SYN/FIN scanning using IP fragments (bypasses some packet filters)
o TCP ACK and Window scanning
o UDP raw ICMP port unreachable scanning
o ICMP scanning (ping-sweep)
o TCP Ping scanning
o Direct (non portmapper) RPC scanning
o Remote OS Identification by TCP/IP Fingerprinting (nearly 500)
o Reverse-ident scanning
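The scan types above all share one observable footprint on the target side: one source touching many ports on one host in a short time. The following added example (not from the original deck) applies that observation as a detection rule over constructed connection-log lines; the log format, the 60-second window and the five-port threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed connection-log lines (not from a real system), one TCP SYN per line:
# "<ISO time> SYN <src ip>:<src port> -> <dst ip>:<dst port>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 SYN 10.0.0.5:40001 -> 10.0.0.9:22
2024-05-01T10:00:01 SYN 10.0.0.5:40002 -> 10.0.0.9:23
2024-05-01T10:00:01 SYN 10.0.0.5:40003 -> 10.0.0.9:25
2024-05-01T10:00:02 SYN 10.0.0.5:40004 -> 10.0.0.9:80
2024-05-01T10:00:02 SYN 10.0.0.5:40005 -> 10.0.0.9:110
2024-05-01T10:00:03 SYN 10.0.0.5:40006 -> 10.0.0.9:143
2024-05-01T10:00:05 SYN 10.0.0.7:51000 -> 10.0.0.9:443
2024-05-01T10:00:09 SYN 10.0.0.7:51001 -> 10.0.0.9:443
2024-05-01T10:05:00 SYN 10.0.0.5:40007 -> 10.0.0.9:8080
"""

LINE_RE = re.compile(r"^(\S+) SYN (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse_log(text):
    """Yield (time, src_ip, dst_ip, dst_port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def detect_port_scans(text, window_s=60, min_ports=5):
    """Flag (src, dst) pairs where src hit >= min_ports distinct ports on dst within window_s.

    Returns {(src, dst): max distinct ports seen in any window}.  A client that
    repeatedly connects to the same port (10.0.0.7 above) is not flagged.
    """
    events = defaultdict(list)            # (src, dst) -> [(time, port), ...]
    for ts, src, dst, port in parse_log(text):
        events[(src, dst)].append((ts, port))
    alerts = {}
    for key, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):    # window starting at each event
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts
```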
Why Do You Care?
• The more information you have, the easier it will be to launch a successful attack:
o Map the network
o Profile the devices on the network
o Exploit discovered vulnerabilities
o Achieve objective
Social Engineering
• Reverse social engineering: User is persuaded to ask Hacker for help.
• Phone calls:
o Call from tech support to update the system.
o High-level VP calling in emergency.
o Requires employee training.
Security Mechanisms
• Encipherment
• Digital Signature
• Access Control
• Data Integrity
• Authentication Exchange
• Traffic Padding
• Routing Control
• Notarization
Honey Pots
• Trap set for a potential system cracker
• All the services are simulated
• Honey pot raises alert allowing administrator to investigate
• See www.specter.com
Network Security Audit
1. Pre-Audit Contact: Study security policy
2. Initial Meeting: Discuss scopes and objectives of audit
3. Risk Assessment: Find vulnerabilities.
4. Physical security Audit: locked doors, etc.
5. Network Configuration Audit: What devices are on the
network?
6. Penetration testing: attempts to crack the security
7. Backup recovery audit: Simulates a disaster to check
recovery procedures
8. Employee audit: Passive monitoring of employee activities to
verify policy enforcement
9. Reporting: Preparation of Audit Report and presentation to
the management.
Orange Book
• Trusted Computing System Evaluation Criteria (TCSEC), 1983
o Universally known as the “orange book”
o Name is due to color of its cover
o About 115 pages
o Developed by DoD (NSA)
o Part of the “rainbow series”
• Orange book generated a pseudo-religious fervor among some people
o Less and less intensity as time goes by
Orange Book Outline
• Goals
o Provide way to assess security products
o Provide guidance on how to build more secure products
• Four divisions labeled D thru A
o D is lowest, A is highest
• Divisions split into numbered classes
D and C Divisions
• D --- minimal protection
o Losers that can’t get into higher division
• C --- discretionary protection, i.e., don’t force security on users, have means to detect breaches (audit)
o C1 --- discretionary security protection
o C2 --- controlled access protection
o C2 slightly stronger than C1 (both vague)
B Division
• B --- mandatory protection
• B is a huge step up from C
o In C, can break security, but get caught
o In B, “mandatory” means can’t break it
• B1 --- labeled security protection
o All data labeled, which restricts what can be done with it
o This access control cannot be violated
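To make the C-versus-B distinction concrete, here is an added illustration (not from the deck) of discretionary versus labeled mandatory access control: an owner can put anyone on a file's ACL, but the label check is applied on top of it and cannot be waived by the owner. The level names, the "no read up / no write down" rules and the `Obj`/`Label` types are the example's own assumptions, not anything the Orange Book text on the slide specifies.

```python
from dataclasses import dataclass, field

# Assumed linear ordering of sensitivity levels (constructed for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str

    def dominates(self, other):
        """True when this label is at least as high as `other`."""
        return LEVELS[self.level] >= LEVELS[other.level]


@dataclass
class Obj:
    name: str
    label: Label                  # mandatory: fixed by the system, not the owner
    owner: str
    acl: set = field(default_factory=set)   # discretionary: owner-granted readers/writers


def dac_allows(subject, obj):
    """C-division style: the owner and anyone the owner added to the ACL get access."""
    return subject == obj.owner or subject in obj.acl


def mac_allows_read(subject_label, obj):
    """No read up: a subject may read only objects its label dominates."""
    return subject_label.dominates(obj.label)


def mac_allows_write(subject_label, obj):
    """No write down: a subject may write only objects that dominate its label."""
    return obj.label.dominates(subject_label)


def can_read(subject, subject_label, obj):
    """B-division style: the label rule is enforced in addition to the ACL."""
    return dac_allows(subject, obj) and mac_allows_read(subject_label, obj)


def can_write(subject, subject_label, obj):
    return dac_allows(subject, obj) and mac_allows_write(subject_label, obj)
```

Granting `bob` ACL access to a SECRET file changes nothing while his clearance is CONFIDENTIAL; that is the sense in which the B-level control "cannot be violated" by users.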
B and A Divisions
• B2 --- structured protection
o Adds covert channel protection onto B1
• B3 --- security domains
o On top of B2 protection, adds that code must be tamperproof and “small”
• A --- verified protection
o Like B3, but proved using formal methods
o Such methods still impractical (usually)
Orange Book: Last Word
• Also a 2nd part, discusses rationale
• Not very practical or sensible, IMHO
• But some people insist we’d be better off if we’d followed it
• Others think it was a dead end
o And resulted in lots of wasted effort
o Aside: people who made the orange book now set security education standards
Common Criteria
• Successor to the orange book (ca. 1998)
o Due to inflation, more than 1000 pages
• An international government standard
o And it reads like it…
o Won’t ever stir same passions as orange book
• CC is relevant in practice, but only if you want to sell to the government
• Evaluation Assurance Levels (EALs)
o 1 thru 7, from lowest to highest security
EAL
• Note: a product with high EAL may not be more secure than one with lower EAL
o Why?
• Also, because a product has an EAL doesn’t mean it’s better than the competition
o Why?
EAL 1 thru 7
• EAL1 --- functionally tested
• EAL2 --- structurally tested
• EAL3 --- methodically tested, checked
• EAL4 --- designed, tested, reviewed
• EAL5 --- semiformally designed, tested
• EAL6 --- verified, designed, tested
• EAL7 --- formally … (blah blah blah)
Common Criteria
• EAL4 is most commonly sought
o Minimum needed to sell to government
• EAL7 requires formal proofs
o Author could only find 2 such products…
• Who performs evaluations?
o Government accredited labs, of course
o For a hefty fee (like, at least 6 figures)
Legal Issues
• Children's Online Privacy Protection Act of 1998:
o Can ask only first name and age if under 13.
o Need parents' permission for last name, home address, email address, telephone number, social security number, ...
• Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLB): Financial institutions can share nonpublic personal information unless you "opt-out."
o Need to safeguard all such information on the network.
Summary
• CIA: Confidentiality, Integrity, and Availability
• DAD: Disclosure, Acceptance, Disruption
• Security Policy: Complete, clear, and enforced
• Malware: Virus, Worm, Spyware, Hoax, Root kits, …
• Attacks: DoS, Man-in-the-middle, …
• Protection: Audit, Laws, Honey pots
References
1. Jan L. Harrington, “Network Security,” Morgan Kaufmann, 2005, ISBN: 0123116333
2. Gert De Laet and Gert Schauwers, “Network Security Fundamentals,” Cisco Press, 2005, ISBN: 1587051672
3. Eric Maiwald, “Fundamentals of Network Security,” McGraw-Hill, 2004, ISBN: 0072230932
4. William Stallings, “Cryptography and Network Security: Principles and Practices,” 4th edition, Prentice Hall, 2006, ISBN: 0131873164
5. Charlie Kaufman, et al., “Network Security: Private Communication in a Public World,” 2nd edition, Prentice Hall, 2002, ISBN: 0130460192
