AKTU MCA II SEM CYBER SECURITY NOTES UNIT II
Unit II:
Application Security - (Database, E-mail, and Internet), Data Security Considerations - (Backups, Archival Storage, and Disposal of Data), Security Technology - (Firewall, VPNs, Intrusion Detection System), Access Control. Security Threats - Viruses, Worms, Trojan Horse, Bombs, Trapdoors, Spoofs, E-mail Viruses, Macro Viruses, Malicious Software, Network and Denial of Services Attack.
Database security
Database security concerns the use of a broad range of information security controls to protect databases (potentially including the data, the database applications or stored functions, the database systems, the database servers and the associated network links) against compromises of their confidentiality, integrity, and availability. It involves various types or categories of controls, such as technical, procedural/administrative, and physical. Security risks to database systems include, for example:
• Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to sensitive data, metadata, or functions within databases, or inappropriate changes to the database programs, structures, or security configurations);
• Malware infections causing incidents such as unauthorized access, leakage, or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services;
• Overloads, performance constraints, and capacity issues resulting in the inability of authorized users to use databases as intended;
• Physical damage to database servers caused by computer room fires or floods, overheating, lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures, and obsolescence;
• Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities (e.g. unauthorized privilege escalation), data loss/corruption, performance degradation, etc.;
• Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, sabotage/criminal damage, etc.
Many layers and types of information security control are appropriate to databases, including:
• Access control
• Auditing
• Authentication
• Encryption
• Integrity controls
• Backups
• Application security
Database Security applying Statistical Method
Databases have been largely secured against hackers through network security measures such as firewalls, and network-based intrusion detection systems. While network security controls remain valuable in this regard, securing the database systems themselves, and the programs/functions and data within them, has arguably become more critical as networks are increasingly opened to wider access, in particular access from the Internet. Furthermore, system, program, function, and data access controls, along with the associated user identification, authentication, and rights management functions, have always been important to limit and in some cases log the activities of authorized users and administrators. In other words, these are complementary approaches to database security, working from both the outside-in and the inside-out as it were.
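The "design flaws and programming bugs" risk and the "auditing" control listed above can be shown in a few lines. The following Python example is added to these notes (it is not from the original notes) and uses a constructed in-memory SQLite database: one lookup builds its query by string concatenation, so a crafted name changes the SQL and returns every row, while the parameterized lookup treats the same input as plain data; an audit table records who asked for what.

```python
import sqlite3

# Constructed sample database: two users and an audit table (not a real system).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.execute("CREATE TABLE audit (id INTEGER PRIMARY KEY, actor TEXT, action TEXT, target TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_unsafe(conn, name):
    """Builds the query by string concatenation, so the caller's input becomes SQL syntax
    (the kind of programming bug listed above: an ordinary user can read rows they should not)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Binds the value as a parameter: the driver passes it as data, never as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def audited_lookup(conn, actor, name):
    """Auditing control: record who asked for what before answering."""
    conn.execute("INSERT INTO audit (actor, action, target) VALUES (?, ?, ?)",
                 (actor, "lookup", name))
    return lookup_safe(conn, name)

def audit_trail(conn):
    return conn.execute("SELECT actor, action, target FROM audit ORDER BY id").fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"        # closes the quoted string and appends a tautology
    print("unsafe :", lookup_unsafe(db, crafted))   # every row comes back
    print("safe   :", lookup_safe(db, crafted))     # nothing: no user has that literal name
    print("audited:", audited_lookup(db, "bob", "alice"), audit_trail(db))
```

The fix is not input filtering but keeping code and data separate: with a bound parameter the database never parses the value as SQL, and the audit table gives the administrator a record to review when the access-control or auditing controls above are questioned.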
E-mail security
Email security can be defined as the use of various techniques to secure sensitive information in email communication and accounts against unauthorized access, loss, or compromise. In simpler terms, email security allows an individual or organization to protect the overall access to one or more email addresses or accounts.
Types of Email Attacks
Cybercriminals use many different tactics to hack email, and some methods can cause considerable damage to an organization’s data and/or reputation. Malware, which is malicious software used to harm or manipulate a device or its data, can be placed on a computer using each of the following attacks.
Phishing
A phishing attack targets users by sending them a text, direct message, or email. The attacker pretends to be a trusted individual or institution and then uses their relationship with the target to steal sensitive data like account numbers, credit card details, or login information.
Phishing comes in several forms, such as spear phishing, regular phishing, and whaling. Spear phishing targets a particular person, while a whaler targets someone high up in the organization by pretending to be someone they trust.
Spam
Spam is unsolicited bulk email sent indiscriminately to large numbers of recipients. Beyond wasting bandwidth, storage, and user time, spam is a common carrier for phishing messages and malware attachments, which is why spam filtering forms part of email security.
Spoofing
Spoofing is a dangerous email threat because it involves fooling the recipient into thinking the email is coming from someone other than the apparent sender. This makes spoofing an effective business email compromise (BEC) tool. The email platform cannot tell a faked email from a real one because it merely reads the metadata—the same data the attacker has changed.
E-mail Security Protocol
Pretty Good Privacy (PGP)
Pretty Good Privacy provides confidentiality by encrypting messages to be transmitted or data files to be stored using an encryption algorithm such as Triple DES or CAST-128. Email messages can be protected by using cryptography in various ways, such as the following:
• Digitally signing the message to ensure its integrity and confirm the sender's identity.
• Encrypting the message body of an email message to ensure its confidentiality.
• Encrypting the communications between mail servers to protect the confidentiality of both message body and message header.
The first two methods, message signing and message body encryption, are often used together; however, encrypting the transmissions between mail servers is typically used only when two organizations want to protect emails regularly sent between them. For example, the organizations could establish a virtual private network (VPN) to encrypt communications between their mail servers. Unlike methods that only encrypt a message body, a VPN can encrypt all communication over the connection, including email header information such as senders, recipients, and subjects. However, a VPN does not provide a message signing mechanism, nor can it provide protection for email messages along the entire route from sender to recipient.
Message Authentication Code
A Message Authentication Code (MAC) is a cryptographic method that uses a secret key shared by sender and receiver to produce a short tag for a message. The receiver verifies the tag by recomputing it over the received message with the same secret key and comparing the result; a mismatch shows that the message was altered or did not come from a holder of the key. The Message Authentication Code therefore protects both a message's data integrity and its authenticity.
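The following Python example, added to these notes and not taken from them, shows the MAC procedure end to end with HMAC-SHA256 from the standard library: the sender computes a tag, the receiver recomputes it with the shared key, and any change to the message or the key makes verification fail. The key and message are constructed placeholders.

```python
import hmac
import hashlib

def mac_tag(key: bytes, message: bytes) -> bytes:
    """Sender side: tag = HMAC-SHA256(key, message)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag with the same key and compare in constant time.
    Nothing is decrypted; any change to message or key changes the recomputed value."""
    expected = mac_tag(key, message)
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    key = b"constructed-shared-secret"                     # placeholder key for the demo
    message = b"From: alice  To: bob  Body: meeting at 10"
    tag = mac_tag(key, message)
    print("genuine  :", mac_verify(key, message, tag))                          # True
    print("tampered :", mac_verify(key, message.replace(b"10", b"11"), tag))    # False
    print("wrong key:", mac_verify(b"other-key", message, tag))                 # False
```

`hmac.compare_digest` is used instead of `==` so that the comparison time does not depend on how many leading bytes of a forged tag happen to match; a plain comparison can leak that information to a remote party.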
Internet Security
Internet security is a branch of computer security. It encompasses the Internet, browser security, website security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with a high risk of intrusion or fraud, such as online viruses, trojans, ransomware, and worms.
Countermeasures
Network Layer Security
TCP/IP protocols may be secured with cryptographic methods and security protocols. These protocols include Secure Sockets Layer (SSL), succeeded by Transport Layer Security (TLS) for web traffic, Pretty Good Privacy (PGP) for email, and IPsec for network layer security.
Internet Protocol Security (IPsec)
IPsec is designed to protect TCP/IP communication at the IP layer. It is a set of security extensions developed by the Internet Engineering Task Force (IETF). It provides security and authentication at the IP layer by transforming data using cryptography. Two main types of transformation form the basis of IPsec: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). They provide data integrity, data origin authentication, and anti-replay services. These protocols can be used alone or in combination.
Basic Components Include:
- Security protocols for AH and ESP
- Security association for policy management and traffic processing
- Manual and automatic key management for the Internet Key Exchange (IKE)
- Algorithms for authentication and encryption
These components are designed so that each can be implemented and updated independently without affecting the other parts of the implementation. IPsec is deployed either in a host or in a security gateway, giving protection to IP traffic in both settings.
Threat Modeling
Threat modeling tools help you proactively analyze the cybersecurity posture of a system or system of systems to prevent security threats.
Multi-factor Authentication: Multi-factor authentication (MFA) is an access control method in which a user is granted access only after successfully presenting separate pieces of evidence to an authentication mechanism – two or more from the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). Internet resources, such as websites and email, may be secured using this technique.
Security Token: Some online sites offer customers the ability to use a six-digit code that changes every 30–60 seconds on a physical security token. The token has built-in computations and derives the number from the current time and a secret stored in the device. This means that within each thirty-second window only one particular code validates access. The website knows that device's serial number, the computation, and the correct time, so it can verify the number. After 30–60 seconds, the device presents a new six-digit number to log into the website.
Firewalls: A computer firewall controls access to a single computer. A network firewall controls access to an entire network. A firewall is a security device, computer hardware or software, that filters traffic and blocks outsiders. It generally consists of gateways and filters. Firewalls can also screen network traffic and block traffic deemed unauthorized.
Firewalls restrict incoming and outgoing network packets. Only authorized traffic is allowed to pass through. Firewalls create checkpoints between networks and computers. They can block traffic based on IP source and TCP port number. They can also serve as the platform for IPsec; using tunnel mode, firewalls can implement VPNs. Firewalls can also limit network exposure by hiding the internal network from the public Internet.
Browser Choice: The market share of web browsers can indicate the likelihood of hacker attacks. For instance, Internet Explorer 6, once a leading browser, faced significant attacks.
Antivirus: Antivirus software defends programmable devices by detecting and removing malware. Techniques include signature-based detection, heuristics, rootkit detection, and real-time scanning.
Password Managers: Password managers are software applications that create, store, and provide passwords for applications. They encrypt passwords, requiring users to remember only a master password.
Security Suites: Security suites, introduced in 2003 (e.g., McAfee), bundle firewalls, antivirus, anti-spyware, and more. They offer theft protection, safe portable storage, private Internet browsing, and cloud anti-spam. Some were free.
Data Security Considerations - Backups, Archival Storage, and Data Disposal:
Backups: Backups preserve data for recovery, an essential practice today.
Backups serve two purposes: recovering lost data and restoring data to a prior state based on retention policies. Backups are crucial for disaster recovery planning but aren't a complete solution.
Backup Techniques:
Data Repository Models: Backup data needs organized storage.
Unstructured: Simplest backup, lacking detailed information.
Full/System Imaging: Complete system images at specific times, aiding recovery.
Incremental: Organizes data changes between time points. Full backup first, followed by incremental backups.
Differential: Saves data changed since last full backup, requiring at most two data sets for restoration.
Reverse Delta: Stores recent mirror of source data and differences between mirror states.
Continuous Data Protection: Immediately logs host system changes, often at byte/block level rather than file level.
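The incremental and differential models above trade storage against restore effort, and the difference is easiest to see on a concrete change history. The Python example below is added to these notes (not from them) and simulates a constructed four-day history of three files: it plans a full backup followed by incremental or differential sets, then restores day 3 and reports how many sets each strategy needs. Deletions are not tracked, to keep the model short.

```python
# Constructed change history: day -> {file: version number}. A version change marks a modified file.
HISTORY = {
    0: {"a.txt": 1, "b.txt": 1, "c.txt": 1},
    1: {"a.txt": 2, "b.txt": 1, "c.txt": 1},   # a changed
    2: {"a.txt": 2, "b.txt": 2, "c.txt": 1},   # b changed
    3: {"a.txt": 3, "b.txt": 2, "c.txt": 1},   # a changed again
}

def changed_since(state, baseline):
    """Files whose version differs from the baseline (new or modified files)."""
    return {f: v for f, v in state.items() if baseline.get(f) != v}

def plan_backups(history, mode):
    """Day 0 is a full backup; later days are 'incremental' (changes since the previous backup)
    or 'differential' (changes since the last full). Returns a list of (day, kind, contents)."""
    days = sorted(history)
    full_state = history[days[0]]
    backups = [(days[0], "full", dict(full_state))]
    previous = full_state
    for day in days[1:]:
        baseline = previous if mode == "incremental" else full_state
        backups.append((day, mode, changed_since(history[day], baseline)))
        previous = history[day]
    return backups

def restore(backups, target_day):
    """Rebuild the state at target_day. Returns (state, number_of_backup_sets_read).
    Differential: full + newest differential. Incremental: full + every incremental, in order."""
    usable = [b for b in backups if b[0] <= target_day]
    full, later = usable[0], usable[1:]
    if later and later[-1][1] == "differential":
        chain = [full, later[-1]]
    else:
        chain = [full] + later
    state = {}
    for _, _, contents in chain:
        state.update(contents)
    return state, len(chain)

def stored_files(backups):
    """Total file copies held across all backup sets (a proxy for storage cost)."""
    return sum(len(contents) for _, _, contents in backups)

if __name__ == "__main__":
    for mode in ("incremental", "differential"):
        plan = plan_backups(HISTORY, mode)
        state, sets = restore(plan, 3)
        print(f"{mode:12s} stored copies: {stored_files(plan)}  sets needed for day 3: {sets}")
```

Incremental sets are smallest but a restore must replay every set since the last full, so losing one set in the chain breaks every later restore; differential sets grow over time but a restore needs at most two sets, which is the property stated above.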
Archival Storage: Archival storage in computers refers to storing data not currently needed but retained for potential future use or record-keeping. Often, the same system used for backup storage is employed for archival storage. Retrieval of archival and backup storage generally involves a restore process.
In Library and Archival Science: Digital preservation is a formal effort to ensure continued access and usability of valuable digital information. It entails planning, resource allocation, and employing preservation methods and technologies. This encompasses policies, strategies, and actions to ensure access to reformatted and "born-digital" content, regardless of media failure and technological changes. The primary aim is to maintain authenticated content accurately over time. Digital preservation involves keeping digital material usable as technology evolves and original hardware/software specifications become obsolete.
Data Integrity: Data integrity is essential for digital preservation, ensuring data remains as originally intended and maintaining consistency upon retrieval. Preventing unintended data changes is crucial, and methods to detect and address unintentional changes must be in place.
Digital Sustainability: Digital sustainability covers various issues contributing to the longevity of digital information. Unlike temporary strategies, digital sustainability involves a continuous and active process. It emphasizes building a flexible infrastructure and approach, focusing on interoperability, ongoing maintenance, and continuous development. It involves present activities that facilitate future access and availability.
Data disposal
Data erasure is a software-based method of overwriting that destroys all electronic data stored on a hard drive or other digital media. Its purpose is to prevent the leakage of sensitive data when an asset is retired or repurposed.
Also referred to as data clearing or data wiping, data erasure involves overwriting data using software to entirely destroy electronic information on a hard disk drive or digital media. Permanent data erasure surpasses basic file deletion commands, which only remove direct data pointers and allow data recovery with common software tools. Unlike degaussing or physical destruction, which render storage media unusable, data erasure eliminates all data while keeping the disk functional, thereby preserving IT assets and the environment.
Software-based overwriting employs a software application to write meaningless pseudorandom data across all sections of a hard drive. Data erasure has distinct advantages over other overwriting methods that might leave data intact, thereby increasing the risk of data breaches, identity theft, or regulatory non-compliance. Many data eradication programs offer multiple overwrites to adhere to recognized government and industry standards. Effective software should also provide data removal verification, a requirement for certain standards.
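The overwrite-then-verify procedure described above, as an added Python example that is not part of these notes: a constructed file containing a marker string is overwritten in place with pseudorandom data for several passes, each pass is flushed to the device, the file is read back to verify the marker is gone, and only then is it unlinked. The caveat a practitioner needs: on SSDs, wear-levelled flash, copy-on-write or journaling file systems, and any storage with snapshots, overwriting a file in place does not guarantee that the old physical blocks are gone, so whole-device erase (such as ATA Secure Erase) or cryptographic erase of the media key is the reliable method there; this per-file routine illustrates the verification logic, not a substitute for device-level sanitisation.

```python
import os
import tempfile

def overwrite_file(path: str, passes: int = 3, chunk: int = 64 * 1024) -> None:
    """Overwrite every byte of the file in place with pseudorandom data, `passes` times,
    flushing to the device after each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())

def contains_marker(path: str, marker: bytes) -> bool:
    """Verification step: read the file back and look for the original content."""
    with open(path, "rb") as f:
        return marker in f.read()

def secure_erase(path: str, marker: bytes, passes: int = 3) -> bool:
    """Overwrite, verify the marker is gone, then unlink. Returns the verification result."""
    overwrite_file(path, passes)
    verified = not contains_marker(path, marker)
    os.remove(path)
    return verified

def demo_erase() -> tuple:
    """Create a constructed 'sensitive' file, erase it, and report (verified, still_exists)."""
    marker = b"CONSTRUCTED-SENSITIVE-RECORD"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 4000)          # about 112 KB, so more than one chunk is overwritten
    verified = secure_erase(path, marker)
    return verified, os.path.exists(path)

if __name__ == "__main__":
    print(demo_erase())   # (True, False): marker gone and file removed
```

Reading the file back before unlinking is the "verification" the standards ask for; a tool that only reports the number of passes it attempted gives no evidence that the writes reached the media.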
Security Technology - Firewall, VPNs, Intrusion Detection System (IDS), Access Control:
Firewall: A firewall is a network security system that manages and controls incoming and outgoing network traffic based on predefined security rules. It creates a barrier between a trusted network and an untrusted network like the Internet.
Types of Firewalls:
Packet Filtering Firewalls: These are basic firewalls that check data packets against rules for source/destination IPs, protocols, and ports. They lack the ability to analyze packet content and are limited in protecting against advanced threats.
Circuit-Level Gateways: Operating at the session layer, they establish and verify TCP connections, helping keep the identity and IP of internal users hidden. They're simplistic and cost-efficient but lack content inspection.
Stateful Inspection Firewalls: These verify and track established connections, perform packet inspection, and create dynamic rules based on connections. They provide advanced security but can consume resources and be vulnerable to DDoS attacks.
Application-Level Gateways (Proxy Firewalls): Implemented at the application layer, they act as intermediaries between external clients and internal devices. They perform deep packet inspection, protecting sensitive resources and identities, but can slow down traffic.
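The difference between a packet-filtering firewall and a stateful inspection firewall is clearest in code. The Python example below is added to these notes (it is not from them) and models both with a constructed rule set for a small internal network: the stateless filter judges each packet on its header fields alone, so it cannot admit the reply to an outbound connection without a broad rule and will admit an unsolicited inbound segment to an allowed port; the stateful version records flows opened from the trusted side and checks that inbound TCP traffic belongs to a known connection or starts a new one with SYN. Addresses are documentation ranges, not real hosts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN flag (connection request)

# Constructed rule set guarding 10.0.0.0/24; first match wins, everything else is denied.
RULES = [
    {"action": "allow", "proto": "tcp", "dst": "10.0.0.5", "dport": 443},   # public HTTPS server
    {"action": "allow", "proto": "tcp", "dst": "10.0.0.5", "dport": 80},    # public HTTP server
    {"action": "allow", "proto": "udp", "dst": "10.0.0.53", "dport": 53},   # DNS resolver
]

def packet_filter(pkt: Packet, rules=RULES) -> str:
    """Stateless packet filter: compare header fields with each rule; default deny."""
    for rule in rules:
        fields = {k: v for k, v in rule.items() if k != "action"}
        if all(getattr(pkt, k) == v for k, v in fields.items()):
            return rule["action"]
    return "deny"

class StatefulFirewall:
    """Stateful inspection: remembers flows opened from the trusted side (or admitted inbound by
    rule) and lets their return traffic through without needing a static rule for it."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.flows = set()   # (src, sport, dst, dport, proto) of accepted flows

    def inspect(self, pkt: Packet, direction: str) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows or reverse in self.flows:
            return "allow"                        # part of an established flow
        if direction == "out":                    # trusted hosts may open connections outward
            self.flows.add(key)
            return "allow"
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                         # inbound segment with no connection behind it
        verdict = packet_filter(pkt, self.rules)  # new inbound connection: consult the rules
        if verdict == "allow":
            self.flows.add(key)
        return verdict

if __name__ == "__main__":
    fw = StatefulFirewall()
    request = Packet("10.0.0.7", 51000, "203.0.113.9", 443, "tcp", syn=True)
    reply = Packet("203.0.113.9", 443, "10.0.0.7", 51000, "tcp")
    print("stateless reply :", packet_filter(reply))          # deny: no rule matches the reply
    print("stateful outbound:", fw.inspect(request, "out"))   # allow, flow recorded
    print("stateful reply  :", fw.inspect(reply, "in"))       # allow, matches recorded flow
    stray = Packet("198.51.100.3", 40000, "10.0.0.5", 443, "tcp")   # no SYN, no prior flow
    print("stray: stateless", packet_filter(stray), "/ stateful", fw.inspect(stray, "in"))
```

The state table is also why stateful firewalls consume memory and can be exhausted by floods of half-open connections, which is the DDoS exposure mentioned above; production firewalls age entries out and cap table size for that reason.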
Virtual Private Networks (VPNs): VPNs create secure, encrypted connections over untrusted networks like the Internet. They ensure data privacy and security by routing traffic through a remote server, masking the user's IP address and encrypting data.
Intrusion Detection System (IDS): IDS monitors network traffic for suspicious activities or unauthorized access attempts. It analyzes traffic patterns and flags potential threats, generating alerts for further investigation.
Access Control: Access control restricts and manages user access to systems and resources. It involves authentication (verifying user identity) and authorization (granting appropriate permissions based on identity and role) to ensure data security and integrity.
VPN (Virtual Private Network): A virtual private network, or VPN, establishes an encrypted connection from a device to a network over the Internet. This encrypted connection ensures secure transmission of sensitive data and prevents unauthorized eavesdropping. VPNs enable remote work and are widely used in corporate settings.
How a VPN Works: A VPN masks your IP address by routing your traffic through a remote server operated by the VPN host. This means the VPN server appears as the source of your data, concealing your online activities from ISPs and third parties. Even if someone intercepts the traffic, it remains unintelligible without the encryption key.
Types of VPN:
SSL VPN: Used when employees lack access to company laptops and need to work remotely. Accessed via an HTML-5-capable browser, typically guarded with a username and password. Often implemented with a hardware box.
Site-to-Site VPN: Creates a private network to hide intranets and enables secure access between different networks. Useful for companies with multiple locations or separate intranets.
Client-to-Server VPN: Allows employees to connect to the company network from remote locations using a VPN client. Data is encrypted before reaching the user, enhancing security. Common for public Wi-Fi use, preventing access by third parties and ISPs.
Advantages of VPN:
- Secure data transmission through encryption.
- Remote work and access to company resources.
- Anonymity and privacy by masking IP addresses.
- Bypassing restrictions on internet access (e.g., government restrictions).
- Enhanced security in public Wi-Fi settings.
- Efficient communication and universal access to resources.
Intrusion Detection System (IDS): An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. It is a software application that scans a network or system for harmful activity or policy breaches. Any malicious action or violation is typically reported either to an administrator or centrally collected using a security information and event management (SIEM) system. A SIEM system integrates outputs from various sources and employs alarm filtering techniques to distinguish malicious activity from false alarms.
While intrusion detection systems oversee networks for potentially malicious behavior, they are also prone to false alarms. Therefore, organizations must fine-tune their IDS products during initial installation. This involves appropriately configuring the intrusion detection systems to differentiate normal network traffic from malicious activity.
Intrusion prevention systems also monitor inbound network packets to the system to identify malicious activities and promptly send warning notifications.
Classification of Intrusion Detection System: IDS is categorized into five types:
Network Intrusion Detection System (NIDS): NIDS is situated at a strategic point within the network to inspect traffic from all devices. It observes passing traffic across the entire subnet, comparing it against a collection of known attacks. When an attack is identified or abnormal behavior is detected, an alert is sent to the administrator. An example of NIDS implementation is placing it on the subnet with firewalls to detect attempts to compromise the firewall.
Host Intrusion Detection System (HIDS): HIDS operates on independent hosts or devices within the network. It monitors incoming and outgoing packets from the device and alerts the administrator if suspicious or malicious activity is detected. It takes snapshots of system files, comparing them with previous snapshots. If system files are edited or deleted, an alert is sent to the administrator for investigation. HIDS is useful for mission-critical machines expected to maintain a consistent layout.
Protocol-based Intrusion Detection System (PIDS): PIDS consists of a system or agent residing at the front end of a server, overseeing the protocol between a user/device and the server. It focuses on securing the web server by monitoring the HTTPS protocol stream and the related HTTP protocol. Because the HTTPS stream is decrypted before it reaches the web presentation layer, the PIDS sits at that interface, between the HTTPS endpoint and the web application, where it can read the traffic.
Application Protocol-based Intrusion Detection System (APIDS): APIDS is a system or agent typically within a group of servers. It identifies intrusions by monitoring and interpreting communication on application-specific protocols. For example, it monitors the SQL protocol specific to middleware as it interacts with the database on the web server.
Hybrid Intrusion Detection System: A hybrid IDS combines two or more approaches of intrusion detection. It integrates host agent or system data with network information to provide a comprehensive network view. Hybrid IDS is more effective compared to other intrusion detection methods. Prelude is an example of a Hybrid IDS.
Detection Methods of IDS:
Signature-based Method: The signature-based IDS detects attacks by matching traffic against specific known patterns, such as particular byte sequences in network traffic or known malicious instruction sequences used by malware. These patterns are referred to as signatures. Signature-based IDS can effectively identify attacks whose signatures already exist in the system. However, it struggles to detect new malware attacks, since their patterns (signatures) are not yet known.
Anomaly-based Method: The anomaly-based IDS was developed to detect unknown attacks, especially given the rapid development of new malware. This method uses statistical or machine learning techniques to build a model of legitimate activity, creating a baseline of normal behavior. Incoming data is compared against this model, and if it deviates significantly, it is flagged as suspicious. Model-based methods are more versatile than signature-based IDS, as the models can be trained to fit specific applications and hardware configurations, improving the ability to detect novel and evolving attacks, at the cost of more false alarms when the baseline is poorly tuned.
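Both detection methods, run over the same data, as an added Python example that is not part of these notes. The input is a constructed web-server access log: the signature detector looks for two fixed patterns after URL-decoding the path, and the anomaly detector learns a threshold for requests per client from constructed baseline counts (mean plus three standard deviations) and flags any client in the new window that exceeds it. The client that hammers the login page matches no signature but is caught by the baseline; the two crafted requests trip signatures but are too few to look anomalous, which is the complementary relationship the text describes.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed web-server access log: "client-ip method path status".
LOGS = [
    "192.0.2.1 GET /index.html 200",
    "192.0.2.1 GET /about.html 200",
    "203.0.113.5 GET /../../etc/passwd 404",
    "192.0.2.1 GET /contact.html 200",
    "203.0.113.5 GET /search?q=1%20union%20select%20user,pass%20from%20users 500",
] + ["198.51.100.7 POST /login 401"] * 40     # one client hammering the login page

# Signature-based detection: fixed patterns for known attack traffic.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_injection": re.compile(r"union\s+select", re.IGNORECASE),
}

def parse(line):
    ip, method, path, status = line.split()
    return ip, method, unquote(path), int(status)   # decode %20 etc. before matching

def signature_alerts(lines):
    alerts = []
    for line in lines:
        ip, _, path, _ = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts

# Anomaly-based detection: learn normal request volume per client, flag outliers.
BASELINE_REQUESTS_PER_CLIENT = [4, 5, 6, 5, 4, 6, 5, 5]   # constructed training window

def anomaly_threshold(baseline, k=3.0):
    """Mean plus k standard deviations of the learned per-client request counts."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)

def anomaly_alerts(lines, baseline=BASELINE_REQUESTS_PER_CLIENT, k=3.0):
    threshold = anomaly_threshold(baseline, k)
    counts = Counter(parse(line)[0] for line in lines)
    return [(ip, n) for ip, n in counts.items() if n > threshold]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LOGS))
    print("anomaly threshold:", round(anomaly_threshold(BASELINE_REQUESTS_PER_CLIENT), 2))
    print("anomaly alerts  :", anomaly_alerts(LOGS))
```

Note the decoding step: a signature that is matched against the raw, still-encoded path would miss the `union select` request, which is one reason signature engines normalise input before matching and one reason attackers vary encoding. The baseline must be learned from traffic known to be clean, otherwise the anomaly detector learns the attack as normal.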
Access Control:
Access control is a method for restricting entry to a system or physical/virtual resources. It's a process that governs users' ability to access and obtain specific privileges within systems, resources, or information. This security technique manages who can access various elements, what can be accessed, and who can utilize resources within a computing environment. Access control is a foundational security concept that mitigates risk for businesses and organizations.
To establish secure systems, electronic access control systems are employed. These systems rely on user credentials, access card readers, auditing, and reports to monitor employee access to restricted areas. They use access control panels to prevent entry into sensitive zones, trigger alarms, and lock down areas to thwart unauthorized access or operations.
Access control systems carry out identification, authentication, and authorization of users and entities. This involves verifying login credentials, which can include passwords, PINs, biometric scans, or other authentication factors. Multi-factor authentication, which demands multiple authentication elements, often plays a vital role in layered defense to safeguard access control systems.
Authentication Factors:
- Password or PIN
- Biometric measurements (fingerprint & retina scan)
- Card or Key
Different access control models are employed based on compliance requirements and the security levels of protected information technology. Access control fundamentally falls into two types:
Physical Access Control: Physical access control limits entry to campuses, buildings, rooms, and physical IT assets.
Logical Access Control: Logical access control restricts connections to computer networks, system files, and data.
Access control plays a pivotal role in ensuring the confidentiality, integrity, and availability of systems and resources, making it an essential component of comprehensive security strategies.
Access Control Models:
Attribute-based Access Control (ABAC): Access is granted or denied by assessing rules, policies, and relationships using attributes of users, systems, and environmental conditions.
Discretionary Access Control (DAC): The data owner determines resource access by specifying who can access specific resources.
History-Based Access Control (HBAC): Access decisions are based on the inquiring party's activity history, encompassing behavior, request timing, and content.
Identity-Based Access Control (IBAC): Network administrators manage access and activity based on individual requirements using this model.
Mandatory Access Control (MAC): Access rights are regulated by a central authority based on multiple security levels. Security Enhanced Linux uses MAC on the Linux OS.
Organization-Based Access Control (OrBAC): This model allows policy designers to independently define security policies regardless of implementation.
Role-Based Access Control (RBAC): Access is granted based on job titles, reducing discretion when providing object access. For instance, a human resources specialist shouldn't have permissions to create network accounts.
Rule-Based Access Control (RAC): Access control is contextual. For example, only allowing students to access labs during specific times of the day.
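Three of the models above (RBAC, DAC and rule-based control) can be compared side by side in a few lines. The Python example below is added to these notes and is not from them; the users, roles, the `report.docx` resource and the lab hours are all constructed. RBAC derives permissions from roles only, so the HR specialist cannot create network accounts as the text says; DAC lets the resource owner, and nobody else, extend the access list; and the rule-based check layers a time-of-day condition on top of the role grant for lab use.

```python
from datetime import time

# Constructed users, roles and resources for a small organisation.
ROLE_PERMISSIONS = {
    "hr_specialist": {"read_employee_record", "update_payroll"},
    "network_admin": {"create_network_account", "read_employee_record"},
    "student": {"use_lab"},
}
USER_ROLES = {"priya": {"hr_specialist"}, "rahul": {"network_admin"}, "amit": {"student"}}

def rbac_allows(user, permission):
    """RBAC: permissions come from the user's roles, never from the user directly."""
    return any(permission in ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, ()))

# DAC: each resource's owner decides who else may read it.
ACL = {"report.docx": {"owner": "priya", "readers": {"rahul"}}}

def dac_allows(user, resource, action):
    entry = ACL.get(resource)
    if entry is None:
        return False
    if user == entry["owner"]:
        return True                        # the owner may read and write
    return action == "read" and user in entry["readers"]

def dac_grant_read(owner, resource, grantee):
    """Only the owner can extend the ACL; returns whether the grant was applied."""
    entry = ACL.get(resource)
    if entry is None or entry["owner"] != owner:
        return False
    entry["readers"].add(grantee)
    return True

# Rule-based: the role grants lab use, but a context rule restricts it to opening hours.
LAB_OPEN, LAB_CLOSE = time(9, 0), time(17, 0)

def rule_allows_lab(user, now):
    return rbac_allows(user, "use_lab") and LAB_OPEN <= now < LAB_CLOSE

if __name__ == "__main__":
    print("HR creates account?   ", rbac_allows("priya", "create_network_account"))   # False
    print("admin creates account?", rbac_allows("rahul", "create_network_account"))   # True
    print("lab 10:00 / 20:00     ", rule_allows_lab("amit", time(10, 0)), rule_allows_lab("amit", time(20, 0)))
    print("rahul read / write    ", dac_allows("rahul", "report.docx", "read"), dac_allows("rahul", "report.docx", "write"))
```

In a real system the decision functions would be the only path to the resource (a reference monitor), and every decision would be logged; a check that can be bypassed by calling the resource directly is not an access control.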
Security Threats - Viruses, Worms, Trojan Horse, Bombs, Trapdoors, Spoofs:
Viruses: A virus is a computer program or software that attaches itself to another program or computer software to harm the computer system. When the infected program runs, the virus executes actions such as deleting files from the system. Viruses cannot be controlled remotely.
Worms: Worms are also computer programs like viruses, but they do not modify existing programs. Instead, they replicate themselves extensively, causing a slowdown in the computer system. Worms have the capability to be controlled remotely.
Trojan Horse: A Trojan Horse does not replicate itself like viruses or worms. It is a hidden piece of code designed to steal important user information. For instance, Trojan horse software might capture email IDs and passwords as they are entered into a web browser for login purposes.
Bombs: A bomb is a malicious code that remains inactive until a specific condition is met, triggering harmful actions. Bombs are often used to initiate destructive processes at a predetermined time or under particular circumstances.
Trapdoors: Trapdoors, also known as backdoors, are hidden vulnerabilities intentionally created by attackers or developers. These vulnerabilities allow unauthorized access to a system, enabling attackers to bypass security measures.
Spoofs: Spoofing involves disguising oneself as someone else to gain unauthorized access or deceive users. This can include email spoofing, where an attacker sends emails that appear to be from a legitimate source, tricking recipients into revealing sensitive information or performing malicious actions.
Difference between Virus, Worm, and Trojan Horse:
Definition:
Virus: Software or program that attaches to other software to harm the computer system.
Worm: Replicates itself to cause slowdown in the system.
Trojan Horse: Appears harmless but captures important information.
Replication:
Virus: Replicates itself.
Worm: Also replicates itself.
Trojan Horse: Does not replicate itself.
Remote Control:
Virus: Cannot be controlled remotely.
Worm: Can be controlled remotely.
Trojan Horse: Can be controlled remotely.
Spreading Rate:
Virus: Moderate spreading rate.
Worm: Faster spreading rate than a virus.
Trojan Horse: Slow spreading rate compared to viruses and worms.
Objectives:
Virus: Mainly modifies information.
Worm: Eats up system resources.
Trojan Horse: Steals information.
Execution:
Virus: Via executable files.
Worm: Exploits weaknesses in the system.
Trojan Horse: Executed through a program, disguised as utility software.
Viruses, worms, and Trojan Horses are distinct types of malicious software, each with its own characteristics and objectives in compromising computer systems and data.
Types of Viruses:
File Virus: This virus appends itself to the end of a file, altering the program's start so that control jumps to its code. After execution, control returns to the main program, making its presence discreet. It's termed a Parasitic virus since it modifies files while keeping the host functional.
Boot Sector Virus: Infects the boot sector, executing during system boot before the operating system loads. It can spread to other bootable media like floppy disks, often referred to as memory viruses due to their operation outside of file systems.
Macro Virus: Written in high-level languages like Visual Basic, these viruses trigger when programs capable of executing macros are run. Often found in files with macros, such as spreadsheets.
Source Code Virus: Targets source code, modifying it to include the virus and aid its propagation.
Polymorphic Virus: Changes its signature, a pattern used for identification, each time it's installed to evade antivirus detection. Functionality remains the same, but the signature varies.
Encrypted Virus: Exists in encrypted form to avoid detection by antivirus software. Carries a decryption algorithm to execute after decryption.
Stealth Virus: Alters its code to make detection challenging. It may change system calls, displaying original code when queried, even if infected.
Tunneling Virus: Attempts to bypass antivirus scanners by installing itself in the interrupt handler chain or device drivers, disabling interception programs.
Multipartite Virus: Infects multiple parts of a system, such as the boot sector, memory, and files, making detection and containment difficult.
Armored Virus: Encoded to challenge antivirus analysis, using techniques like misdirection or compression to complicate its code.
Browser Hijacker: Targets browsers, altering settings and redirecting users to malicious sites, potentially causing harm.
Resident Virus: Resides in RAM and interferes with device operations, often attaching itself to anti-virus software files.
Logic Bomb:
A Logic Bomb is a segment of code that is intentionally embedded within software and designed to execute a malicious action when specific conditions are met. These conditions could be tied to certain events or triggers, such as a specific date, time, or action taken by the user. Logic bombs remain dormant until the predefined conditions are satisfied, at which point they activate and carry out their intended harmful effects. This can range from data deletion to initiating a security breach.
Trap Door:
A Trap Door, also known as a backdoor, is a hidden entry point or mechanism within a program or system that allows unauthorized access bypassing the regular authentication procedures. While trap doors can serve legitimate purposes, such as debugging and testing during development, they become security threats when exploited by malicious individuals to gain unauthorized access. It can provide an unauthorized user with the ability to circumvent normal security measures and gain entry to a system or application. Proper security measures, including thorough testing and ongoing monitoring, are essential to prevent trap doors from being exploited for malicious purposes.
Email virus:
An email virus comprises malicious code distributed in email messages to infect one or more devices. This malicious code can be activated in various ways: when the email recipient clicks on an infected link within the message, opens an infected attachment, or interacts with the message in some other way.
Macro Virus: In contrast to most viruses, which are written in a low-level language (such as C or assembly language), these are written in a high-level language like Visual Basic. These viruses are triggered when a program capable of executing a macro is run. For instance, macro viruses can be contained within spreadsheet files.
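Macro viruses arrive as macro-bearing documents, so a mail gateway check for attachments that carry a VBA project is a natural defence. The example below is added here and is not part of the course notes; it constructs two in-memory Office Open XML style zips (the `word/vbaProject.bin` part name is the one Word and Excel use for VBA code, while the file contents are placeholders).

```python
"""Added example (not from the notes): flag Office Open XML attachments
(.docx/.docm/.xlsm style zip containers) that carry a VBA macro project.
Both sample documents are constructed in memory; no real files are used."""
import io
import zipfile

# Part name under which Word/Excel store VBA code inside the zip container.
VBA_PART_SUFFIX = "vbaproject.bin"


def build_sample_doc(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-like zip (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macros:
            # Placeholder bytes standing in for a compiled VBA project.
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def contains_vba_project(attachment: bytes) -> bool:
    """True if any zip member is a VBA project part.

    Non-zip data (e.g. legacy binary .doc/.xls OLE files) is not a zip container
    and is reported as False here; those formats need a separate OLE parser."""
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as z:
            return any(name.lower().endswith(VBA_PART_SUFFIX) for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachments(attachments: dict) -> list:
    """Return the names of attachments that should be quarantined for macro review."""
    return sorted(name for name, data in attachments.items() if contains_vba_project(data))


if __name__ == "__main__":
    mailbox = {"invoice.docm": build_sample_doc(True), "notes.docx": build_sample_doc(False)}
    print(classify_attachments(mailbox))
```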
Malicious software
- Alongside free downloads.
- Clicking on suspicious links.
- Opening emails from malicious sources.
- Visiting malicious websites.
- Failing to install an updated antivirus version on the system.
Types:
- Virus
- Worm
- Logic Bomb
- Trojan/Backdoor
- Rootkit
- Advanced Persistent Threat
- Spyware and Adware
What is a computer virus:
A computer virus refers to a program that damages computer systems and/or deletes or corrupts data files. It is a malicious program that replicates itself by copying into another program. In essence, a computer virus spreads independently to other executable code or documents. The primary objective behind creating a computer virus is to infect vulnerable systems, gain administrative control, and steal sensitive user data. Hackers design computer viruses with malicious intent and deceive online users through trickery.
Symptoms:
• Letters appear to descend to the bottom of the screen.
• The computer system experiences sluggishness.
• Available free memory size decreases.
• Hard disk space becomes insufficient.
• The computer fails to boot.
Types of Computer Virus: These are detailed as follows.
- Parasitic – These are executable (.COM or .EXE, starting at the first instruction). They propagate by attaching themselves to specific files or programs. Typically reside at the beginning (prepending) or end (appending) of a file, e.g., Jerusalem.
- Boot Sector – Spread via infected floppy or pen drives used for booting computers. During system boot, the boot sector virus is loaded into main memory and destroys data stored on the hard disk, e.g., Polyboot, Disk killer, Stone, AntiEXE.
- Polymorphic – It alters itself with each infection, generating multiple copies. Challenging for antivirus software to detect, e.g., Involutionary, Cascade, Evil, Virus 101, Stimulate. Comprises three main parts: an encrypted virus body, a decryption routine varying from infection to infection, and a mutation engine.
- Multipartite – Employs more than one propagation method.
- Memory Resident – Installs code in computer memory. Activates when the OS runs and damages all files currently open, e.g., Randex, CMJ, Meve.
- Stealth – Conceals its path after infecting. It modifies itself, making detection difficult, and masks the size of the infected file, e.g., Frodo, Joshi, Whale.
- Macro – Associated with application software like Word and Excel. Upon opening the infected document, the macro virus loads into main memory and destroys data stored on the hard disk. Spreads exclusively through infected documents, e.g., DMV, Melissa, A, Relax, Nuclear, Word Concept.
- Hybrids – Combines features of various viruses, e.g., Happy99 (Email virus).
- Worm: A worm is a malicious program that inundates a computer system with self-replicating data, causing congestion that slows down or halts its operations.
Types of Worm:
- Email worm – Attaches to fake email messages.
- Instant messaging worm – Utilizes instant messaging applications, exploiting network vulnerabilities.
- Internet worm – Scans systems through OS services.
- Internet Relay Chat (IRC) worm – Transfers infected files to websites.
- Payloads – Deletes or encrypts files, installs backdoors, creates zombies, etc.
- Worms with good intent – Downloads application patches.
Logical Bomb: A logical bomb is a destructive program that executes an action when a specific condition is met. Hidden in programming code. Activates only upon meeting the designated condition, e.g., Jerusalem.
Script Virus: Common script viruses are written using the Visual Basic Scripting Edition (VBS) and JavaScript programming languages.
- Trojan / Backdoor:
- A Trojan Horse is a destructive program, often masquerading as computer games or applications. Executing it damages the computer system. Trojans frequently come with monitoring tools and keyloggers, activated only under specific conditions. They are concealed with packers, crypters, and wrappers, making them challenging to detect via antivirus. Manual removal or firewall precautions may be necessary.
RootKits:
A collection of tools enabling an attacker to take control of a system.
• Can hide evidence of an attacker's presence and create a backdoor.
• May include log cleaners to eliminate traces.
• Divided into:
– Application or file rootkits: replace binaries in Linux systems.
– Kernel rootkits: target the OS kernel, typically as a loadable kernel module (LKM).
• Gain control via:
– DLL injection: injecting a malicious dynamic link library (DLL).
– Direct kernel object manipulation: modifying kernel structures, targeting trusted OS components.
– Hooking: altering application execution flow.
Network Attacks:
Network attacks involve unauthorized actions on digital assets within an organizational network. Perpetrators execute these attacks to alter, destroy, or steal private data. Network perimeters are often targeted to gain access to internal systems. There are two main types: passive and active. In passive network attacks, malicious parties access networks, monitor, and steal data without alterations. Active network attacks modify, encrypt, or damage data.
Advanced Persistent Threat:
Crafted by well-funded, organized groups, nation-state actors, etc. Aims to compromise government and commercial entities, e.g., Flame: used for system reconnaissance and information gathering.
Spyware and Adware:
Usually installed alongside free software downloads. Spies on users, redirects them to specific sites. Main tasks: Behavioral surveillance and advertising with pop-up ads, leading to system slowdown.
Denial-of-Service (DoS)
A Denial-of-Service (DoS) attack is an attempt to disable a machine or network, rendering it inaccessible to its intended users. DoS attacks achieve this by overwhelming the target with traffic or sending it information that triggers a crash. In either case, the DoS attack prevents legitimate users (such as employees, members, or account holders) from accessing the expected service or resource. Typical targets of DoS attacks include web servers belonging to high-profile entities like banks, commerce and media companies, government agencies, and trade organizations. While DoS attacks generally don't lead to the theft or significant loss of information or assets, they can impose substantial time and financial costs on the victim to manage.
Two primary methods of DoS attacks exist: service flooding and service crashing. Flood attacks occur when the server receives an excessive amount of traffic, overwhelming its buffering capabilities, resulting in slowdown or complete cessation. Notable flood attacks include:
• Buffer overflow attacks – the most prevalent DoS attack. This involves sending more traffic to a network address than the system was designed to handle. It encompasses the attacks listed below, along with others tailored to exploit specific application or network vulnerabilities.
• ICMP flood – exploits misconfigured network devices by dispatching spoofed packets that ping every computer on the targeted network, rather than a single machine. The network is then coerced into amplifying the traffic. This is also called the smurf attack or ping of death.
• SYN flood – issues a connection request to a server but never completes the handshake, persisting until all open ports are saturated with requests, leaving none accessible to legitimate users.
Other DoS attacks exploit vulnerabilities causing the target system or service to crash. In these attacks, input is crafted to capitalize on target flaws that subsequently crash or severely destabilize the system, rendering it inaccessible or unusable.
An additional DoS attack variant is the Distributed Denial of Service (DDoS) attack. A DDoS attack involves multiple systems orchestrating a synchronized DoS attack on a single target. The primary distinction is that instead of originating from a single source, the attack comes from numerous sources simultaneously. The distributed nature of a DDoS attack offers several advantages to the attacker:
• Leveraging a larger volume of machines to execute a highly disruptive attack
• Difficult detection due to the random geographic distribution of attacking systems (often globally dispersed)
• Increased difficulty in neutralizing multiple machines compared to a single one
• Obscured attacker identity as they hide behind multiple (often compromised) systems
Modern security technologies have devised countermeasures against most DoS attack variations. However, due to the distinct characteristics of DDoS attacks, they continue to be perceived as an elevated threat and remain of heightened concern for organizations that fear becoming targets of such assaults.
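A SYN flood leaves the server holding many half-open connections (SYN received, handshake never completed), which is visible in the socket table. The example below is added here and is not part of the course notes: it parses constructed lines in the style of `ss -tan` output, counts half-open sockets per peer, and flags the peers that are responsible; the thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the notes): detect a SYN flood from a socket-table
snapshot. Sample lines are constructed in the style of `ss -tan` output."""
from collections import Counter

# Constructed sample: two legitimate clients plus one source (203.0.113.7)
# holding several half-open (SYN-RECV) connections to the local web server.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:443        198.51.100.20:40122
SYN-RECV  0      0      10.0.0.5:443        203.0.113.7:51234
SYN-RECV  0      0      10.0.0.5:443        203.0.113.7:51235
SYN-RECV  0      0      10.0.0.5:443        203.0.113.7:51236
SYN-RECV  0      0      10.0.0.5:443        203.0.113.7:51237
SYN-RECV  0      0      10.0.0.5:443        203.0.113.9:60001
ESTAB     0      0      10.0.0.5:22         198.51.100.21:50310
"""


def half_open_by_peer(ss_output: str) -> Counter:
    """Count SYN-RECV (half-open) sockets per peer IP from ss-style lines."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]   # drop the ephemeral port
        counts[peer_ip] += 1
    return counts


def syn_flood_report(ss_output: str, per_peer_limit: int = 3,
                     backlog_size: int = 128) -> dict:
    """Flag peers holding more than per_peer_limit half-open sockets and warn
    when the total approaches half of the (assumed) listen backlog size."""
    counts = half_open_by_peer(ss_output)
    total = sum(counts.values())
    return {
        "total_half_open": total,
        "suspicious_peers": sorted(ip for ip, n in counts.items() if n > per_peer_limit),
        "backlog_pressure": total >= backlog_size // 2,
    }


if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_SS_OUTPUT))
```

In a real deployment the same logic would run over periodic `ss -tan` snapshots, and a flagged peer would be rate-limited at the firewall while SYN cookies absorb the rest.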
Malicious software (often referred to as malware) is any form of software intended to harm or compromise the user. Its authors may intend to steal your information, or they may act maliciously for various other reasons. Malware is software that infiltrates the system without user consent, aiming to steal private and confidential user data, including bank details and passwords. It also generates bothersome pop-up ads and alters system settings. It gains entry into the system through several avenues: