ECSS EXAM

PKI (Public Key Infrastructure) components

1. Certificate Management System: generates, distributes, stores, and verifies certificates.
2. Digital Certificates: establish the credentials of a person when doing online transactions.
3. Validation Authority (VA): stores certificates (with their public keys).
4. Certificate Authority (CA): issues and verifies digital certificates.
5. End User: requests, manages, and uses certificates.
6. Registration Authority (RA): acts as the verifier for the certificate authority.

Impact of social engineering on an organization

1. Economic losses
2. Damage of goodwill
3. Dangers of terrorism
4. Lawsuits and arbitration
5. Temporary or permanent closure
6. Loss of privacy

Types of Social Engineering

1. Human-based social engineering: involves interaction with humans to exploit trust, fear, and the helping nature of people.
2. Computer-based social engineering
3. Mobile-based social engineering: this attack is carried out with the help of mobile applications.

How can an identity be stolen?

1. Physical theft, such as of wallets, laptop computers, and cell phones
2. Internet searching
3. Social engineering
4. Dumpster diving
5. Phishing
6. Hacking
7. Wardriving
8. Mail theft and rerouting
9. Shoulder surfing
10. Skimming
11. Pretexting
12. Pharming
13. Keyloggers and password stealers (malware)

Countermeasures against spamming

1. Review the email header to identify the owner of the email
2. Configure the router to block incoming packets from the specified address
3. Augment the logging capabilities to detect or alert on such activity

Evolution of computer forensics 2

1984: Computer Analysis and Response Team (CART) was developed to provide support to FBI field offices in the search for computer evidence
1993: First International Conference on Computer Evidence was held
1995: International Organization on Computer Evidence (IOCE) formed
1998: International Forensic Science Symposium (IFSS) formed to provide a forum for forensic managers
2000: First FBI Regional Computer Forensic Laboratory was established

Computer Forensics Report

A computer forensics report provides detailed information on the complete forensics investigation process. It is prepared by the computer forensic investigator, who collects all the information involved in the case, investigates it, and prepares the final report. It is used to communicate the results of the forensic investigation, presenting not only the facts but also an expert opinion.

The following exhibits are relevant to the computer forensics report:
- Photographs or diagrams
- Curriculum vitae of the witness

The investigative report should:
- Describe how the incident occurred
- Contain technically sound and clear-to-understand content
- Use proper formatting, with page and paragraph numbering for easy reference
- State unambiguous conclusions, opinions, and recommendations supported by figures and facts
- Adhere to the local laws of the land in order to be admissible in court
- Be submitted in a timely manner

Symmetric and Asymmetric encryption

Symmetric key encryption uses the same key for encryption and decryption, whereas asymmetric key encryption uses different keys for encryption and decryption. Private key encryption is an example of symmetric encryption, and public key encryption is an example of asymmetric encryption.

Antiphishing toolbar (NetCraft)

The Netcraft Toolbar provides updated information about sites users visit regularly and blocks dangerous sites. It gives the user a wealth of information about the sites visited, which helps in making an informed choice about the integrity of those sites.

Features:
- Protects your savings from phishing attacks
- Shows the hosting location and risk rating of every website visited (as well as other information)
- Helps defend the Internet community from fraudsters
- Checks whether a website supports Perfect Forward Secrecy (PFS)
- Shows whether a website is affected by the aftermath of the Heartbleed vulnerability

NAT (Network Address Translation) pros and cons

Advantages:
- Network address translation helps to enforce the firewall's control over outbound connections.
- It restricts incoming traffic and allows only packets that are part of a current interaction initiated from the inside.
- It helps hide the internal network's configuration and thereby reduces the success of attacks on the network or system.

Disadvantages:
- The NAT system has to guess how long it should keep a particular translation, which is impossible to guess correctly every time.
- NAT interferes with encryption and authentication systems that are meant to ensure the security of the data.
- Dynamic allocation of ports may interfere with packet filtering.

Tailgating human-based social engineering

Tailgating is when an unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door that requires key access.

Why we should report cybercrime

- Companies might be reluctant to share information because of the impact on their business and the sensitivity of the data involved
- Only by sharing information with law enforcement and appropriate industry groups can cyber criminals be identified and prosecuted
- New cyber security threats will be identified, and successful attacks on critical infrastructure and the economy will be prevented
- Law enforcement's ability to identify coordinated threats is directly tied to the volume of reporting

Organizations that deal with incident response

- Computer Emergency Response Team (CERT)
- Computer Security Incident Response Team (CSIRT)
- Forum for Incident Response and Security Teams (FIRST)
- Computer Incident Response Team (CIRT)
- Incident Response Center (IRC)
- Security Emergency Response Team (SERT)
- Security Incident Response Team (SIRT)
- Information Analysis Infrastructure Protection (IAIP)
- CERT Coordination Center (CERT/CC)
- Information Sharing and Analysis Center (ISAC)

Antennas

- An antenna is a device designed to efficiently radiate and receive electromagnetic waves.
- An antenna is a crucial element in the successful design of any radio system.
- It converts electrical impulses into radio waves and vice versa.
- An antenna is a collection of metal rods and wires that capture radio waves and translate them into electrical current.

Snort configuration

The file that contains all the required configuration settings is Snortpath/etc/snort.conf. To configure Snort, open "snort.conf" in a text editor such as Notepad or Edit and type the configuration settings into the file; the working of Snort would be hampered if incorrect settings are typed. The proper functioning of Snort requires the correct configuration of the following settings:
- Network settings
- Rules settings
- Output settings
- Include settings

What does the TLS record protocol manage?

- Fragments outgoing data into manageable blocks, and reassembles incoming data
- Optionally compresses outgoing data and decompresses incoming data
- Applies a Message Authentication Code (MAC) to the outgoing data, and uses the MAC to verify the incoming data
- Encrypts outgoing data and decrypts incoming data
- Sends the outgoing encrypted data to the TCP layer for transport

Mac OS X file systems

Hierarchical File System (HFS)

The Hierarchical File System (HFS) is a file system developed by Apple Computer to support Mac OS. Originally, it was designed to be used on floppy and hard disks, but its use has expanded to read-only media such as CD-ROMs. HFS divides a volume into logical blocks of 512 bytes. These logical blocks are then grouped together into allocation blocks, which can hold one or more logical blocks depending on the total size of the volume. HFS uses a 16-bit value to address allocation blocks, limiting the number of allocation blocks to 65,536.

There are five structures that make up an HFS volume:
- Logical blocks 0 and 1 of the volume are the boot blocks, which include system startup information, for example the names of the system and shell files that are loaded at startup.
- Logical block 2 contains the Master Directory Block (MDB). This defines a wide variety of data about the volume itself, for instance date and time stamps for when the volume was created, the location of the other volume structures such as the volume bitmap, and the size of logical structures such as allocation blocks. There is also a duplicate of the MDB called the Alternate Master Directory Block (Alternate MDB), located at the opposite end of the volume in the second-to-last logical block. This is intended mainly for use by disk utilities and is only updated when either the catalog file or the extents overflow file grows in size.
- Logical block 3 is the starting block of the volume bitmap, which keeps track of which allocation blocks are in use and which are free. Each allocation block on the volume is represented by a bit in the map; if the bit is set the block is in use, and if it is clear the block is free to be used. Since the volume bitmap must have a bit to represent each allocation block, its size is determined by the size of the volume itself.
- The extents overflow file is a B*-tree containing extra extents that record which allocation blocks are allocated to which files, once the initial three extents in the catalog file are used up. Later versions also added the ability for the extents overflow file to store extents that record bad blocks, to prevent a machine from trying to write to them.
- The catalog file is another B*-tree that holds records for all the files and directories stored in the volume. It stores four types of records. Each file is made up of a file thread record and a file record, while each directory is made up of a directory thread record and a directory record. Files and directories in the catalog file are located by their unique catalog node ID.

HFS Plus (HFS+)

HFS Plus (HFS+) is the successor of HFS and is used as the primary file system on the Macintosh.

UFS (UNIX File System)

UFS is a file system utilized by many UNIX and UNIX-like operating systems. It is derived from the Berkeley Fast File System, which in turn is derived from FS, the file system of the first version of UNIX developed at Bell Labs. A UFS file system is composed of the following parts:
- A few blocks at the beginning of the partition reserved for boot blocks (which must be initialized separately from the file system).
- A superblock, including a magic number identifying this as a UFS file system and other vital numbers describing the file system's geometry, statistics, and behavioral tuning parameters.
- A collection of cylinder groups, each of which has the following components:
  o A backup copy of the superblock.
  o A cylinder group header, with statistics, free lists, etc., about this cylinder group, similar to those in the superblock.
  o Several inodes, each containing file attributes.
  o Several data blocks.

Email Terminology

IMAP (Internet Message Access Protocol)

IMAP is a method used to access bulletin board messages or retrieve emails stored on a server without downloading them to the local hard drive. These emails (both sent and received) can be checked by the users from different computers, as the mails are stored on the server.

BCC (Blind Carbon Copy)

In this type of email, the receiver will not be able to view the email address of the BCC (Blind Carbon Copy) recipient. When an email address is added in the BCC field for a recipient, it is not visible to the recipients listed in the 'To' and 'CC' fields. It is usually used when the sender does not intend to reveal the identity of the person in the BCC field to the rest of the recipients.

SMTP (Simple Mail Transfer Protocol)

SMTP is used for the outgoing mail server, which allows a user to send emails to a valid email address. SMTP cannot be used to receive emails. However, in conjunction with POP or IMAP, SMTP can also be used to receive emails with proper configuration, i.e., the email client should be configured to access the SMTP server as "yourdomain.com" or an "IP address." The SMTP server validates the configuration and then permits the computer that is trying to send an email. The message is sent to the stated destination and is tracked to confirm its delivery. In case the delivery is unsuccessful, the email is sent back to the sender with an error message. SMTP has an enhanced version called Extended SMTP (ESMTP), which allows sending emails with graphics and attachments.

Attachment

An email attachment refers to a computer file or document that is sent along with an email message. Depending upon the size of the file, one or more files can be attached to an email message, as there is a size limit for attachments. An email attachment is a simple method to share Word documents, Excel spreadsheets, images, etc.

HTTP (Hypertext Transfer Protocol)

HTTP is a set of guidelines used to transfer requests and information between servers and browsers over the Internet; a web browser is an HTTP client. It is an application protocol that runs on top of the TCP/IP protocols. To respond to queries from a user, requests are made over HTTP by the HTTP client (browser). Email over HTTP is also called web-based email: HTTP can be used to send and retrieve emails but is not dedicated only to email communications. Hotmail is a good example of using HTTP as an email protocol.

Email Client

An email client is an application installed on a user's computer that can communicate with a local or remote server with the user account to send and receive emails. Email clients run on a simple interface that allows a user to access his or her email account. There are many email clients available, such as Outlook, Outlook Express, Webmail, etc.

POP3 (Post Office Protocol 3)

POP3 (Post Office Protocol, version 3) is a simple method adapted for email delivery. When emails are received, they are filtered by POP3 mail servers into their respective user-defined folders. Once the user connects to the mail server to recover his or her mail, the messages are automatically downloaded from the mail server to the user's hard disk. The type of mail server used by the mail account needs to be specified when a user configures his or her email client, like Outlook (Windows) or Mail (Mac OS X). The POP3 server address is something like "mail.servername.com" or "pop.servername.com." If the email account is on a POP3 mail server, the correct POP3 server address with a valid user name and password is needed to set up the email program. The standard port for POP3 is 110.

Email Server

An email server is a computer within a network that acts as a virtual post office. A mail server contains a storage area to store emails for local users. The mail server responds to a message based on the user-defined rules set according to the particular message as well as its destination. The mail server uses the database of user accounts to deal with mail locally, and the components of the communications modules handle the relocation of messages to and from other mail servers and email clients. Users responsible for the maintenance of the email server (to edit users, to monitor system activity) are also called postmasters. Mail servers are normally intended to operate without any manual intervention. Mails are transported by programs that run on large sites and at ISPs connected to the Internet. A typically used mail server is the sendmail MTA (mail transfer agent).

Types of cyber crime

Identity Theft

According to the U.S. Department of Justice (USDOJ), identity theft refers to all types of crimes in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. Identity theft occurs when someone steals another's name and other personal information for fraudulent purposes. The attacker steals another person's identity by stealing email, eavesdropping on transactions over the Internet, or stealing the information from computer databases. Common forms of identity theft include shoulder surfing, dumpster diving, spamming, spoofing, phishing, and skimming.

Hacking

Hacking is a practice used to obtain illegal access to computer systems owned by private corporations or government agencies to modify computer hardware and software. People who are involved in hacking are often referred to as hackers.

Computer Viruses and Worms

Viruses and worms are software programs with malicious code. These programs are designed to spread from one computer to another. Viruses affect the system and try to affect other vulnerable systems through applications such as an email client. Worms try to reproduce themselves over the network, which not only creates malfunctions but also hogs resources. The intruder can retain access to a compromised machine with the help of Trojan horses and backdoors.

Cyber Stalking

Cyberstalking can be defined as any ominous or wrongful behavior where cyber criminals use the Internet and other communication methods to victimize people. With the easy availability of computers and online services, cyberstalkers target victims and make unwanted advances. Cyberstalkers target and harass people after collecting their personal information through emails, chat rooms, message boards, discussion forums, and so on.

Drug Trafficking

Drug trafficking refers to the selling of illegal substances over the Internet. Drug traffickers take advantage of Internet technologies such as encrypted email, and use Internet cafes and courier websites to sell illegal substances.

Program Manipulation Fraud

In a program manipulation fraud, a perpetrator changes existing computer programs, either by modifying them or by inserting new programs and routines. A Trojan horse is one of the most common methods of program manipulation used by cyber criminals.

Credit Card Fraud

Source: http://topics.law.cornell.edu

Credit card fraud involves the unauthorized use of another person's credit card information to make purchases on or withdraw funds from the victim's account. This type of crime comes under identity theft. With online purchasing becoming commonplace, thieves no longer need a physical card to make unauthorized purchases; for a cyber-thief, knowing the name of the cardholder, the credit card number, and its expiration date is sufficient.

Online Auction Fraud

Online auctions make purchasing easy if the vendor is trusted. A number of online transactions today involve fraudulent techniques that are used to deceive the customer. According to the Internet Crime Complaint Center (IC3), auction fraud involves:
- Misrepresentation of a product or manufactured goods advertised for sale through online auction websites.
- Non-delivery of an item purchased through online auction websites.

Email Bombing and Spam

In email bombing, the abusers repeatedly send an email message to a particular address at a specific victim's site. Email spamming refers to sending email (junk mail) to hundreds or thousands of users. Email bombing/spamming may be integrated with email spoofing, making it difficult to determine who is sending the email.

Theft of Intellectual Property

Intellectual property theft includes any act that would allow individuals to gain access to patents, trade secrets, customer data, sales trends, and any other confidential information for monetary gain. For example, if an individual were to get access to the trade secrets of a particular organization and then sell this information to a rival company, it would be considered a crime. Forensic investigators might deal with many cases involving theft of intellectual property, and the losses incurred by the company due to this crime can range from $100 to $1,000,000 depending on the size of the company.

Denial of Service (DoS) Attacks

DoS attacks are the most common attacks employed against company networks. DoS attacks aim at stopping legitimate requests to a network over the Internet by subjecting the network to illegitimate requests. DoS attacks occur when several systems take up useful network resources, thereby rendering the network inaccessible. These messages overload the communications interface and make it impossible to connect to the Internet.

Debt Elimination

According to the Internet Crime Complaint Center (IC3), debt elimination schemes generally involve websites advertising a legal way to dispose of mortgage loans and credit card debts. In this process, the participant is asked to send all the information related to the loan along with other personal information. Debt elimination is a fast-growing scam. There is a potential risk of identity theft associated with debt elimination because the participant has to disclose his or her personal details. Perpetrators of this type of scam benefit by taking advantage of people's personal information to commit different identity theft crimes.

Web Jacking

In web jacking, hackers or attackers gain access to and control over others' websites and change the information on the sites.

Internet Extortion

Internet extortion means making demands of a person by threatening to cause harm to him or her. It is often monetary in nature. According to the Internet Crime Complaint Center (IC3), Internet extortion involves hacking into and controlling various industry databases, promising to release control back to the company if funds are received or the subjects are given web administrator jobs. Similarly, the subject will threaten to compromise information about consumers in the industry database unless funds are received.

Investment Fraud

According to the Internet Crime Complaint Center (IC3), investment fraud is an offer using false or fraudulent claims to solicit investments or loans, or providing for the purchase, use, or trade of forged or counterfeit securities. This often results in loss to the investors.

Escrow Services Fraud

According to the Internet Crime Complaint Center (IC3), in an effort to persuade a wary Internet auction participant, the perpetrator will propose the use of a third-party escrow service to facilitate the exchange of money and merchandise. The victim is unaware that the perpetrator has actually compromised a true escrow site and, in actuality, created one that closely resembles a legitimate escrow service. The victim sends payment to the phony escrow and receives nothing in return. Or, the victim sends merchandise to the subject and waits for his or her payment through the escrow site, which is never received because it is not a legitimate service.

Cyber Defamation

Cyber defamation is the act of defaming individuals or organizations on the Internet. It is done in order to harm the reputation of businesses or individuals.

Software Piracy

Software piracy can be defined as unauthorized copying of software, music, or movies from the Internet, or uploading copies to the Internet to sell. Piracy is illegal, and a person found committing piracy could be convicted under copyright laws.

Counterfeit Cashier's Checks

The "counterfeit cashier's check scam" is a nasty scheme that hinges on people's longstanding belief that cashier's checks are as "good as gold." In this type of scam, people are contacted by email or regular mail, even if they are not selling anything online. One example is a sweepstakes or lottery, where the victim is told they have won a huge prize. The scammers send a cashier's check for $3,000, for example, which the victim must cash and send back for "processing fees." When the bank discovers the counterfeit, the victim is responsible for cashing the bad check. This type of scam could also occur in a chat room, where someone promises friendship through the chat room and then asks the victim to deposit a cashier's check into his account. There are endless variations of this scheme cropping up.

Embezzlement

Embezzlement is defined as a type of crime in which one person fraudulently converts the property of another while in legal possession of that property. This type of crime generally involves relationships of trust, such as a trustee, fiduciary, agent, treasurer, or attorney.

SSH1 protocol features

- SSH1 is more vulnerable to attacks due to the presence of structural weaknesses
- It is susceptible to man-in-the-middle attacks
- It is supported by many platforms
- It supports host authentication
- It supports varied authentication methods
- The performance of SSH2 is better than that of SSH1

Need for security

1. Evolution of technology, focused on ease of use
2. Decreasing skill level needed for exploits
3. Increased networked environments and network-based applications
4. Direct impact of a security breach on the corporate asset base and goodwill
5. Increasing complexity of computer infrastructure administration and management

Types of Proxy Servers

1. Transparent Proxy
2. Non-transparent Proxy
3. Application Proxy
4. Socks Proxy
5. Anonymous Proxy
6. Reverse Proxy

Local Area Network (LAN)

A network in which the nodes are located within a small geographic area.

False-positive in IDS

An event that triggers the IDS to raise an alarm when there is no real threat.

Anonymous Proxy

An anonymous proxy does not pass on information about the IP address of its user, and thus hides the information about the user and his or her surfing interests.

Pros:
- A user can surf the Internet privately by using an anonymous proxy
- With the help of an anonymous proxy server, a user can access even censored websites

Cons:
- Using an anonymous proxy server may decrease the speed at which web pages open and downloads complete
- The use of anonymous proxy servers to bypass Internet censorship is illegal in some countries

Gateway (Network)

Any device or computer that network traffic can use to leave one network and go to a different network.

Types of network security policy 1

- Data policy: identifies sensitive data and plans measures to safeguard it.
- Security policy: enumerates the technical requirements for security on systems and network devices.
- Internet usage policy: defines that the Internet may be used only for official purposes and not for personal use.
- Computer usage policy: shows by whom and how the systems are used.

Fragility of Digital Evidence

Digital evidence is fragile in nature. During the investigation of the crime scene, if the computer is turned off, data that has not been saved can be lost permanently. If the computer is connected to the Internet, the person involved in the crime may destroy the evidence by deleting the log files. After the incident, if a user "writes" any data to the system, it may overwrite the evidence of the crime.

Why do we use computer forensics?

- To gather evidence of computer crimes in a forensically sound manner
- To protect the organization from similar incidents in the future
- To minimize the tangible and intangible losses to the organization
- To support prosecution of the perpetrator of an incident

Disadvantages of network

- Initial cost of setting up the network (hardware and software)
- Maintenance cost
- Data security concerns
- Vulnerability to attacks

Computer network

A group of computers linked together to share data and resources.

Spamming

A method of sending unsolicited bulk emails.

Integrity

The trustworthiness of data or resources in terms of the prevention of improper and unauthorized changes; the assurance that information is sufficiently accurate for its purpose.

Form-Based Authentication

It is an authentication mechanism that uses a form, usually composed of HTML. Form-based authentication does not rely on features supported by the basic web protocols such as HTTP and SSL. It is the most popular authentication technique deployed on the Internet.

Advantages:
- The user interface of the form is customisable.
- For web-based applications, the authentication process can be embedded in the code.

Disadvantages:
- Applications using form-based authentication need to implement their own protections against possible attacks.
- While designing forms, the password field should never be a prefilled field, or else the password can be easily misused.

Public key encryption

It uses two keys to encrypt and decrypt the data. Data is encrypted using the public key of the user, which is known to everybody. The data can be decrypted only with the private key of the user whose public key was used to encrypt the message.

HoneyPot tool: KFSensor

KFSensor is a host-based honeypot Intrusion Detection System (IDS). By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone. KFSensor can be used in a Windows-based corporate environment and contains many innovative and unique features such as remote management, a Snort-compatible signature engine, and emulations of Windows networking protocols.

Features:
- Signature attack identification
- Detects unknown threats and Windows networking attacks
- Remote administration and real-time detection
- Security in depth
- Advanced server simulation
- Extendable architecture
- No false positives and low overhead

Pharming

Pharming, also known as domain spoofing, is an advanced form of phishing in which the attacker redirects the connection between the IP address and its target server. The attacker may use cache poisoning (modifying the Internet address to that of a rogue address) to do so. When the users type in the Internet address, it redirects them to a rogue website that resembles the original website.

Steganography Techniques

Steganography techniques are classified into six groups based on the cover modifications applied in the embedding process.

Substitution Techniques

In this technique, the attacker tries to encode secret information by substituting insignificant bits of the cover with the secret message. If the receiver knows the places where the secret information is embedded, he or she can extract the secret message, but because only minor modifications are made in the embedding process, it is difficult for a passive attacker to find the exact location of the substitution.

Transform Domain Techniques

A transformed space is generated when the file is compressed at the time of transmission. This transformed space is used for hiding the data. The three transform techniques used when embedding a message are the Discrete Cosine Transform (DCT), the Discrete Fourier Transform, and the Wavelet Transform. These techniques embed secret data in the cover at the time of the transmission process. The transformation can be applied to the entire carrier file or to its subparts. The embedding process is performed by modifying the coefficients, selected based on the protection required. Hidden data in the transform domain is present in more robust areas, which gives high resistance against signal processing attacks on steganography. Example: Images sent through the Internet mostly use the JPEG format, since the file is compressed when it is closed. To do so, the extra bits in the image have to be removed. JPEG makes an approximation of itself to reduce the file's size. This change and approximation results in a transformed space that can be used to hide information.

Spread Spectrum Techniques

This technique encodes a small-band signal into a wide-band cover. The encoder modulates a small-band signal over a carrier. There are two types of spread spectrum techniques:
- Direct sequence: In direct sequence, the information is divided into small parts that are allocated to the frequency channel of the spectrum. The data signal and a higher-data-rate bit sequence are combined during transmission, which divides the data based on the predetermined spread ratio. The redundant nature of the higher-data-rate bit sequence code helps the signal resist interference and allows the original data to be recovered even when some data bits are damaged.
- Frequency hopping: This technique divides the bandwidth's spectrum into many possible broadcast frequencies. Frequency hopping devices require less power and are cheaper, but they are less reliable when compared to direct sequence spread spectrum systems.

Statistical Techniques

This method uses a 1-bit steganographic scheme. It embeds one bit of information in the digital carrier, creating a statistical change. A statistical change in the cover indicates a "1", and a "0" is indicated when the cover is left unchanged. The method relies on the receiver's ability to differentiate between modified and unmodified covers.

Distortion Techniques

This technique creates a change in the cover object in order to hide information. The encoder performs a sequence of modifications to the cover that corresponds to a secret message. The secret message is recovered by comparing the distorted cover with the original one. The decoder in this technique needs access to the original cover file.

Cover Generation Techniques

Unlike other techniques, where a cover is selected to hide a message, in this technique a new cover file is generated solely for the purpose of hiding data. A picture is created which has a decent message in it. The picture acts as a cover to convey the message to others. In the modern form of cover generation, a spam mimic program is used. A spam mimic embeds the secret message into a spam message that can be emailed to the destination. This spam email makes enough sense to be believed by the destination user, so that they get the secret message.

Types of Network Attacks

The following are several types of network attacks:

IP Address Spoofing
IP spoofing is a technique that is used to gain unauthorized access to a computer. Here, the messages to the computer are sent by the interloper with an IP address that indicates the messages are coming from a trusted host.

Packet Sniffing
In packet sniffing, the packets are captured in the computer network. Various software tools known as "packet sniffers" are used for this purpose.

Data Modification Attacks
Once the intruder gets access to sensitive information, his or her first step is to alter the data. This problem is referred to as a data modification attack.

Port Scanning
Systematically scanning the ports of a computer is known as port scanning. Attackers use such methods to identify possible vulnerabilities in order to compromise a network. It is one of the most popular methods that hackers use for investigating the ports used by the victims.

Session Sniffing
In session sniffing, an attacker uses packet sniffers to redirect the traffic through his or her host when the HTTP traffic is encrypted.

Enumeration
Enumeration prepares for an attack. It may be defined as the process of gathering information about a network that may help in an attack on the network. Enumeration is generally carried out over the Internet. The following information is collected during enumeration:
Topology of the network
List of live hosts
Architecture and the kind of traffic (for example, TCP, UDP, IPX)
Potential vulnerabilities in host systems

Man-in-the-Middle Attack
In man-in-the-middle attacks, the attacker makes independent connections with the users/victims and relays messages between them, making them believe that their conversation is direct, though the entire conversation is controlled by the attacker.

Denial-of-Service (DoS)
Here, the intruder makes the computer resources unavailable to the intended user. Having gained access to the network, an attacker can send invalid data to network services; flood the network or system with traffic to overload the network and shut it down; or block the traffic, which leads to the loss of access to network resources by the users who are authorized.

Buffer Overflow
Buffers have a fixed data storage capacity. If the amount of data exceeds that capacity, a buffer overflow occurs. Buffers are designed to hold a finite amount of data; the additional data has to go somewhere. The extra information may overflow into neighboring buffers, destroying or overwriting the legitimate data.

Trojan Horse
A Trojan horse is a program that contains or installs a malicious program into the targeted system. These programs serve as backdoors and are often used to steal information from a system.

Email Infection
This attack uses emails as a means to attack a network. Email spamming and other means can be easily used to flood a network and cause a DoS attack.

Malware Attacks
Malware is a kind of malicious code or software that is designed to damage the system. Attackers try to install the malware on the targeted system; once the user gets trapped and installs it, the system gets damaged.

Viruses and Worms
Viruses are a major cause of shutdown of various network components. A virus is a software program written to change the behavior of a computer or other device in the network running some kind of application, without the permission or knowledge of the user. A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spread further to other networks. Therefore, worms have a greater potential for causing damage because they do not rely on the user's actions for execution.

Snort testing tools

The tools used for testing Snort include Snot, Sneeze, Stick, and Mucus.

Internal threats

Threats that originate from within the organization.

Goals of forensic readiness

To collect acceptable evidence without interfering with the business processes
To gather evidence targeting the potential crimes and disputes that may adversely impact an organization
To allow an investigation to proceed at a cost in proportion to the incident
To ensure that evidence makes a positive impact on the outcome of any legal action

WPAN (Wireless Personal Area Network)

WPAN is a network for interconnecting devices close to an individual person's workspace in which the connections are wireless. It allows communication within a short range, i.e. about 10 meters. This network can be made possible with network technologies such as IrDA and Bluetooth. Bluetooth is the best example of a WPAN.

WWAN (Wireless Wide Area Network)

A WWAN is similar to a WLAN, but covers more area than a WLAN. Its coverage is offered on a nationwide level with wireless network infrastructure provided by a wireless service carrier. It allows users to have access to the Internet, email, and corporate applications and information even while away from their office.

Who is a hacker?

A hacker is a person who illegally breaks into a system or network without any authorization to destroy, steal sensitive data, or perform malicious attacks.

Salient Features of a Good Report 2

A good report should have the following features:

Explaining methods: A detailed explanation of how the problem was approached should be given. Examination procedures, materials or equipment used, analytical or statistical techniques, and sources of data collection are a few subsections that can be included to make the reader understand the investigation process.

Data collection: The data collection process is a critical factor from the examination point of view, so it is important to present data in a well-organized format. While preparing the lab report, data such as observations should be recorded in a laboratory notebook. All the tables used for presenting data should be labeled.

Including calculations: It is advisable to include all calculations that are done during the investigation in a summarized form. One should provide the common name of the calculations, such as Message Digest 5 (MD5) hash. Give a brief description of the standard tools and their cited sources that are used for calculation.

Providing for uncertainty and error analysis: A statement of uncertainty and error analysis during observation needs to be given while preparing the report. During a computer investigation, it is necessary to provide the limitations of knowledge to protect integrity. For example, if a time stamp for a certain file is retrieved from a computer, one should state explicitly that a time stamp can be reset easily, so one should not rely solely on the results.

Explaining results: All the results should be explained in a logical order using subheadings with text addressing the purpose of the report. Use tables and figures within the writing to enhance the presentation. Results should be presented in such a way that any reader who has no knowledge of the case can understand the whole investigation process based solely on the investigative report.

Discussing results and conclusions: Discussing results and conclusions is a must for further improvement. One should reframe all findings in light of an overall examination. The significance of the research should be established in this section. The answers to questions such as how the case developed, what the problems were, and how they were approached should be provided.

Providing references: List the references, such as people and publications, in alphabetical order. Sufficient detail should be provided to track down the information. A standard format should be followed regarding writing style among various kinds of references. List books, journal articles, leaflets, websites, and other materials referred to in the report. Go through the appropriate standards for referencing visual material, websites, etc. Cite all the source material in text references and when any quote, paraphrase, or summarization of another's opinion is made. A report should include a list of references with the authors' names in alphabetical order to provide complete details. For the citations in text, the author's surname and year of publication for the material cited is sufficient. Page numbers are necessary only for quotes, paraphrases, or when providing a list of figures from sources. Write the titles of books, journals, and other major works in italics. Use single quotation marks for titles of articles and smaller works. The citation of another's opinion indicates acceptance of another's point of view, so if a quote is made, it should be clear that one is aware of differences of opinion or interpretation of data.

Including appendices: Appendices contain extra material that is referred to in the report. Appendices should be included in the table of contents within the report. Appendices include charts, diagrams, graphs, transcripts, and copies of materials. In addition to the relevant figures, they also contain a proper description of all collected items and a reference to exhibits comprising the documents supporting all collected items. Arrange appendices in the same order as they are referred to in the report. Some portions of the appendices may be optional and some may be required. For example, exhibits are required.

Providing acknowledgement: An acknowledgement is not a dedication but generally a gesture of thanking people who helped during the research. For example, some people may contribute in analysis and some in proofreading. Acknowledgement is optional.

Metropolitan area network(MAN)

A network infrastructure developed for a large city

Data Backup Software: AOMEI Backupper.

AOMEI Backupper is a specialized Windows backup solution that supports the following types of data backup: File Backup, System Backup, Disk Backup, Partition/Volume Backup, Automatic/Scheduled Backup, Incremental & Differential Backup, and Backup to NAS.

True negative in IDS

An event where no attack is detected and no alarm is raised

Social engineering IN Person technique

Attackers may disguise themselves as a courier or delivery person, or as a janitor, to look for passwords on terminals or important papers lying on desks, or they may overhear confidential conversations.

Basic Authentication

Basic authentication is the simplest form of authentication available to web applications. It begins with a client making a request to the web server for a protected resource, supplying the authentication credentials. The server then matches the username-password pair supplied by the client.

Email Crime

Before starting an email investigation, one should understand what email crime is. Email crime is a serious offense. In the last few years, email has become the most preferred method of communication because of ease of use and speed. But these advantages have made email a powerful tool for criminals. Email crimes and violations depend on the cyber laws created by the government of the place from where the email originates. For example, spamming is a crime in Washington State but not in other states. Email crime can be categorized in two ways: one committed by sending emails and the other supported by emails. A cybercrime involves email, whether it is selling narcotics, stalking, fraud, child pornography, or child abduction that is supported by email, or whether it is spamming, fake email, mail bombing, or mail storms committed by sending email.

Computer Forensics Report Template

Computer forensic investigators around the world use different types of computer forensics report templates, yet all of these standard templates contain some common points, including:
Summary
Objectives
Date and time the incident allegedly occurred
Date and time the incident was reported to the agency's personnel
Name of the person or persons reporting the incident
Date and time the investigation was assigned
Nature of the claim and information provided to the investigator
Location of the evidence
List of the collected evidence
Preservation of the evidence
Initial evaluation of the evidence
Investigative techniques
Analysis of the computer evidence
Relevant findings
Supporting expert opinion

Choosing right backup solution

Does it meet the organization's recovery objectives, including RTO and RPO?
How easy and reliable is data restoration?
Does it store data off-site in case of a disaster?
Does it comply with the organization's existing disaster recovery plan?
Are the data secure and encrypted?
What is the labor and maintenance requirement?
When will the data be backed up?
How much does the solution cost, including labor, maintenance, and support?

Email System

Electronic mail, abbreviated to "email," is used for sending, receiving, and saving messages over an electronic communication system. An email system is the basic architecture of the electronic communication system. An email system consists of the mail clients used to send or fetch mail, together with an SMTP server and a POP3 or IMAP server running on a server host. An email system works as follows:
1. Jane composes a message using her mail user agent (MUA), writes the email address of the person she wants to correspond with, Peter, and hits the Send button.
2. Jane's MUA formats the message in Internet email format and uses SMTP to send the message to the local mail transfer agent (MTA).
3. The MTA looks at the destination address provided in the SMTP protocol. To find out which mail exchange server accepts messages for Peter's domain, the MTA looks up the domain name in the Domain Name System (DNS).
4. The DNS server responds with the mail exchange record of Peter's domain.
5. Jane's SMTP server sends the message to the mail exchange of Peter's domain.
6. Peter checks his mail with the Get Mail button in his MUA, which fetches it from the POP3 server.

Rules of evidence

Evidence that is to be presented in the court must comply with the established rules of evidence. Before the investigation process, the investigator must understand the rules of evidence. Definition: Rules of evidence govern whether, when, how, and for what purpose proof of a case may be placed before a trier of fact for consideration. The trier of fact may be a judge or a jury, depending on the purpose of the trial and the choices of the parties.

Types of wireless network (1)

Extension of a Wired Network: A user can create an extension of a wired network by placing APs between the wired network and the wireless devices. A wireless network can also be created by using an AP. Types of APs include Software APs and Hardware APs. In this type of network, the AP acts like a switch, providing connectivity for computers that use a wireless network interface card (NIC). The AP can connect wireless clients to a wired LAN, which allows wireless computers access to LAN resources, such as file servers or Internet connections. To summarize: Software APs (SAPs) can be connected to a wired network and run on a computer equipped with a wireless NIC. Hardware APs (HAPs) support most wireless features.

Bypass firewall using proxy server

Find an appropriate proxy server.
In the Port box, type the port number that is used by the proxy server for client connections (by default, 8080).
On the Tools menu of any Internet browser, go to the LAN or Network Connections tab, and then click LAN/Network Settings.
Click to select the "Bypass proxy server for local addresses" check box if you do not want the proxy server computer to be used when connected to a computer on the local network.
Under Proxy server settings, select "Use a proxy server for LAN".
In the Address box, type the IP address of the proxy server.
Click OK to close the LAN Settings dialog box.
Click OK again to close the Internet Options dialog box.

How Steganography Works?

Following are the steps representing the steganography work process:
Step 1: Alice (sender) embeds the secret message into the cover message (original message).
Step 2: The stego message (message containing the secret message) is sent via a secured channel to Bob (receiver).
Step 3: Bob receives the stego message.
Step 4: The stego message is decoded using a key.
Step 5: Willie (third person), who observes the communication process between Alice and Bob, thinks that the message sent is a normal message.

What is hacking?

Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to the system resources. The motive behind hacking could be to steal critical information and/or services, for the thrill, intellectual challenge, curiosity, experiment, knowledge, financial gain, prestige, power, peer recognition, vengeance and vindictiveness, and so on.

Identification based on hand geometry

Hand geometry is a biometric process used to identify users by the shape of their hand. During scanning, the user places his/her hand on a metal surface that has guidance pegs on it. The use of this technique requires special hardware and can be integrated into any system or device. According to http://maincc.hufs.ac.kr/~argus/no343/t_c2.htm, depending on the data used to identify a person, hand reading technologies generally fall into one of three categories:
Application to the palm.
The pattern of veins in the hand.
The geometrical analysis of fingers.

Incident reporting

Incident reporting is the process of reporting an encountered security breach in a proper format. The incident should be reported to receive technical assistance and raise security awareness that would minimize the losses. Organizations may not report computer crimes due to negative publicity and potential loss of customers. Incident reporting should include:
Intensity of the security breach
Circumstances that revealed the vulnerability
Shortcomings in the design and impact or level of weakness
Entry logs related to the intruder's activity

Information as business asset

An information asset is a piece of information that is important for any business process. The loss of information may affect the investment of the organization in different business activities. An information asset can be a trade secret, patent information, employee/personnel information, or an idea to develop the business for an organization.
Characteristics of Information Assets:
It is recognized to be of value to the organization.
It requires cost, skill, time, and resources.
It is a part of the organization's corporate identity.

Eavesdropping

Intercepting and viewing the contents of communications in an unauthorized way. This could happen by the use of electronic transmitting or recording devices or other techniques such as tapping phone lines, email, and instant messaging.

Virus

Is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector, or document. Viruses are generally transmitted through file downloads, infected disk/flash drives, and as an email attachment.

Confidentiality

Is the assurance that the information is accessible only to those authorized to have access

Encryption

Is the conversion of data into a form called ciphertext that cannot be easily understood by unauthorized people.

Security policy

Is the specification of how objects in a security domain are allowed to interact

SSH Authentication

It authenticates with the help of one or more of the following:
Password (the /etc/passwd or /etc/shadow in UNIX)
User public key (RSA or DSA, depending on the release)
Kerberos (for SSH1)
Host-based (.rhosts or /etc/hosts.equiv in SSH1, or public key in SSH2)

Digest authentication

It is similar to basic authentication, except that the password is sent to the server in an encrypted form. The user requests the server for access to the services, and the server replies with a digest session key. On receiving the digest session key, the user sends the password in an encrypted form. Digest authentication uses an encryption algorithm or hashing algorithm to encrypt the data.
Advantages: More secure compared to basic authentication, as the password is always encrypted while transmitted.
Disadvantages: Digest authentication is not used widely.

RC6 Algorithm

RC6 is similar to the RC5 algorithm in that it is a parameterized algorithm with a variable block size, key size, and number of rounds. Two features that differentiate the RC6 algorithm from RC5 are integer multiplication (which is used to increase the diffusion achieved in fewer rounds and to increase the speed of the cipher), and the use of four 4-bit working registers rather than two 2-bit registers. The RC6 algorithm uses four 4-bit registers in place of the two 2-bit registers because the block size of AES is 128 bits.

RSA (Rivest Shamir Adleman)

RSA is a public-key cryptosystem: an Internet encryption and authentication system that uses an algorithm developed by Ron Rivest, Adi Shamir, and Leonard Adleman. It uses modular arithmetic and elementary number theory to perform computations using two large prime numbers. RSA encryption is widely used and is the de-facto encryption standard.

Email security protocols

S/MIME: commonly known as Secure/Multipurpose Internet Mail Extensions, it provides security to emails.
OpenPGP: the PGP protocol provides security to the data through the methods of encryption and decryption.

Web security protocols

SSL: the SSL protocol provides security to the communication between a client and server.
S-HTTP: secure HTTP provides security to the data traversing the World Wide Web.
HTTPS: HTTPS ensures the security of data in the network.

Dumpster diving

Searching for sensitive information at the user's trash bins, printer trash bins, and user desk for sticky notes.

Sguil

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil provides access to real-time events, session data, and raw packet captures, and supports Network Security Monitoring and event-driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, macOS, and Win32).

Advantages of SAN (Storage Area Network)

Storage consolidation. LAN-free and server-free data movement. Ease of data sharing. LAN-Free & Server-Free Backup. Improved backup and recovery. High availability server clustering. Reliable and secure centralized data storage. Data integrity and decrease in LAN load. High performance and low latency. Disaster tolerance.

TLS Handshake Protocol

The TLS Handshake Protocol allows the client and server to authenticate each other, and to select an encryption algorithm and cryptographic keys before data is exchanged by the application protocol. It provides connection security that has three basic properties:
The peer's identity can be authenticated using asymmetric cryptography. This can be made optional, but is mostly required for at least one of the peers.
The negotiation of a shared secret is secure.
The negotiation is reliable.
The TLS handshake protocol operates on top of the TLS record layer and is responsible for producing the cryptographic parameters of the session state. At the start of communication, the TLS client and server agree on a protocol version, select cryptographic algorithms, optionally authenticate each other, and use asymmetric cryptography techniques to create shared secrets.

GFIRST (government forum of incident response and security teams)

GFIRST is an acronym for Government Forum of Incident Response and Security Teams. The major responsibility of GFIRST is to protect the information technology systems of the government. It supports proactive and preventative security measures. GFIRST exists to:
Provide technical guidance to its team members
Enhance the operations of incident response
Share technical information about incidents with trusted U.S. Government organizations

IDS placement

The IDS may be placed either outside or inside the firewall, depending on the end purpose of deployment. If the purpose of deploying the IDS is to monitor unauthorized attempts to enter a network or to check users who are authorized to connect, it is placed outside the firewall. If the purpose of deploying the IDS is to monitor insider threats, it is placed inside the firewall.

VPN via concentrator

The VPN concentrator is used for remote access VPNs and allows users to use an encrypted tunnel to securely access a corporate or any other kind of network via the Internet. Concentrator models differ depending upon the number of users and the amount of throughput. A VPN concentrator is also used to encrypt WLAN or wired traffic. A concentrator must not be mistaken for a gateway or a firewall. It is a specialized device that receives connections from VPN peers and authenticates them. It enforces the security policies with regard to virtual private networking. It takes the overhead of VPN management and encryption off gateways and local hosts.

Availability

The assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users

Authenticity

The characteristic of a communication, document, or any data that ensures the quality of being genuine or uncorrupted

Understanding filesystem

The computer not only computes data but also stores data. The issue of file structure and data storage is of prime concern. To solve this issue, a system is introduced for effective storing and organization of the data on the computer. This system is known as a file system. Using the file system, the data can easily be found and accessed. Data storage devices like hard disks or CD-ROMs can be used by the file system to store the data. The files are divided into smaller pieces and then stored on hard disks or flash memory in clusters. A file system is a set of data types employed for:
Storage
Hierarchical categorization
Management
Navigation
Access
Recovering the data
Major file systems include FAT, NTFS, HFS, Ext2, Ext3, etc. Users can access the files using graphical user interfaces or command line user interfaces. File systems are organized in the form of tree-structured directories. These are analogous to file cabinets and folders. Directories require authorized permission to access.

Deploying the IDS

The following factors determine the deployment of the IDS: 1. How to protect the critical assets? 2. The reactions to take when an attack is imminent. 3. Configuring the IDS in sync with the security policies of the organization. 4. Preserving the evidence of attack for legal obligations.

Information Security

The protection of information from accidental or intentional misuse by persons inside or outside an organization

Step 3: Classification and Prioritization

The structured approach is required to respond to the incident in a proper way. The IRT manager should classify and prioritize the incidents based on the level (high, medium, or low). High-priority incidents should be attended to first, then medium priority, and then low priority.

Who to contact at the law enforcement?

There is no single answer for which law enforcement agency to contact in the event of a cyber-security breach. The FBI and U.S. Secret Service share jurisdiction for computer crimes that cross state lines. However, most law enforcement agencies, including the FBI and USSS, encourage people to:
Pre-establish contact with someone in law enforcement who is trained in and responsible for dealing with computer crime
Work with the person or people you have the best relationship with

Data link layer

This layer is responsible for communications between adjacent network nodes by encoding and decoding the data packets into bits. Hubs and switches operate at this layer. Standards that operate at this layer are Ethernet, Frame Relay, Wi-Fi, and PPP (Point-to-Point Protocol). The data link layer is logically divided into two sub-layers: 1. Media Access Control (MAC), which handles addressing on the LAN. 2. Logical Link Control (LLC), which takes care of synchronizing frames, error checking, and flow control.

SMTP Server

This server listens on port number 25 and handles all outgoing mail. When you send any mail, the SMTP server of your host interacts with the other SMTP host to which you have to send the message. Consider that you have an account with myicc.com, and you have to send an email to your friend at [email protected] through a client such as Outlook Express. The procedure works as follows:
When you click the Send button, the Outlook Express client connects to the server of myicc.com at port 25.
This client tells the SMTP server the sender, the recipient's address, and the body of the message.
The SMTP server breaks the recipient's address into:
The recipient's name (john)
The domain name (mybird.com)
This SMTP server contacts the DNS and asks about the IP address of the SMTP server of mybird.com.
The DNS replies to it and gives one or more IP addresses.
The SMTP server of myicc.com connects with the SMTP server of mybird.com using port 25 and gives the message to it.
The SMTP server at mybird.com gets the message and transfers it to the POP3 server.

Common targets of social engineering

1. Users and clients. 2. Vendors of the target organization. 3. Technical support executive. 4. System Administrator. 5. Receptionists and desk personnel.

Security Threats

An action or event that may compromise security. A threat is a potential violation of security.

Piggybacking and electronic piggybacking

An attacker can slip in behind a legitimate employee and gain access to a secure area that would usually be locked or require some type of biometric access or other control mechanism to open a door lock, etc. Electronic piggybacking can be achieved in a network or workstation where access to computer systems is limited to those individuals who have the proper user ID and password.

False-negative in IDS

An event where an attack is not detected by the IDS

Concentrator

Concentrator: an expert mechanism that
Allows connections from VPN peers
Validates its clients
Enforces the security policies of the VPN
Reduces the operating cost of VPN administration and encryption on gateways and local hosts

PKI (Public Key Infrastructure)

Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures required to create, manage, distribute, use, store, and revoke digital certificates

Syslog

Syslog is a de-facto standard for logging system events. It is a client/server protocol used for forwarding log messages across an IP network to the syslog receiver. This syslog receiver is also called a syslog server, syslog daemon, or syslogd. The term "syslog" refers to both the syslog protocol and the application or library sending syslog messages. In general, syslog is used to manage and monitor computer systems and for security auditing. Syslog uses either TCP or UDP to transfer messages. The log messages are sent in clear text format. It is supported by different devices and receivers across multiple platforms.

Global Area Network (GAN)

A type of communications network that links different interconnected networks over an unlimited geographical region.

Malware attacks

Malware, short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.

hardening

The process of modifying the default configuration of endpoints to eliminate unnecessary settings and services. In addition, configuring a machine to a particularly secure level that will resist an attack.

Objective of cryptography

1. Confidentiality 2. Integrity 3. Authentication 4. Non-Repudiation

Why is social engineering effective?

1. Security policies are only as strong as their weakest link, and humans are the most susceptible factor. 2. It is difficult to detect social engineering attempts. 3. There is no method to ensure complete security from social engineering attacks. 4. There is no specific software or hardware for defending against a social engineering attack.

TCP/IP Model

Transmission Control Protocol/Internet Protocol (TCP/IP) is a communication protocol used to connect different hosts on the Internet. Every system that sends and receives information has a TCP/IP program, and the TCP/IP program has two layers:
Higher Layer: Manages the information sent and received in the form of small data packets sent over the Internet, and reassembles those packets into the complete message.
Lower Layer: Takes care of the address of every packet so that they all reach the right destination.

Selecting an operating system for Bastion Host

UNIX
Advantages: Provides a variety of tools to create bastion hosts. Popular in Internet services and provides software for audit and development.
Disadvantages: Highly time consuming. Frequent updating is required.
WINDOWS
Advantages: Consistent and widely used as servers.
Disadvantages: Complex to implement a bastion host.

Exploring Unix/Linux Data Structures

Unix comes in different varieties such as IBM AIX, HP-UX, and Sun Solaris. Linux is considered the most popular Unix-like operating system; it is governed by the GNU General Public License (GPL), which makes Linux open source software and gives users the freedom to use and distribute it without owing royalties or licensing fees to another party.

Selecting an IDS

While selecting an IDS, organizations need to consider the following concerns:
The level of privacy required.
The budget that would be allotted.
Internal restrictions on the type of software that could be used.
The IDS characteristics, such as detection and response capabilities, signature/anomaly detection, and effectiveness.

identification

A procedure or technology that associates users, groups, or other entities with one or more identifiers.

Network Virtual Terminal

A software representation of a physical terminal that permits users to log in to a remotely located system for remote access.

computer security incident response team (CSIRT)

A team of trained professionals who are responsible for responding to incidents encountered by an organization. The primary job function of a CSIRT is to receive, review, and respond to incidents. Its members are expert professionals trained in dealing with security matters related to intrusions and incidents. The team is necessary because it contributes to improving the business and prospects of the organization by securing its network from external attacks. It also trains employees in techniques for handling incidents, the measures to take, and the methods of reporting an incident when one occurs. An incident response team must be present within an organization to ensure network security.

defense in depth (DiD)

Defense in depth is a security strategy in which security professionals use several protection layers throughout an information system. This strategy uses the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense in depth helps to prevent direct attacks against an information system and its data because a break in one layer leads the attacker only to the next layer. If a hacker gains access to a system, defense-in-depth minimizes any adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent a recurrence of intrusion.

Networking

Describes the processes involved in designing, implementing, upgrading

Stages of virus life

Design: Using a programming language or construction kit to build the virus.
Replication: The virus replicates itself within the targeted system over some time.
Detection: The virus is identified as a threat infecting targeted systems.
Incorporation: Antivirus software developers assemble defenses against the virus.
Elimination: Users are advised to install antivirus software updates, creating awareness among user groups.

Network security policy

A framework within which an organization establishes the controls required to ensure the required levels of information security. It is a set of rules and principles that determines:
What is the scope of the network?
What security should be available from the network?
What are the acceptable means of using the network?
Who is responsible for the management and security of the network?

Non-Repudiation

Is a way to guarantee that the sender of a message cannot later deny having sent the message, and that the recipient cannot deny having received the message

Decryption

Is the process of converting encrypted data or cipher text into its original form so it can be understood

Metadata

Metadata is structured data that gives information about certain characteristics of electronic data, including the time and the person that created, accessed, and modified the data. It cannot be seen without using special applications, and users can inadvertently share confidential information when sending or providing files in electronic form. Examples of metadata include:
Organization name and author name
Computer name and network name
Hidden text or cells
Document versions
Template information
Personalized views
Non-visible portions of embedded OLE objects
It is important to collect this data, as it provides information about:
Hidden information in the document
Who tried to hide, delete, or obscure the data
Correlated documents from different sources

Importance of Electronic Records Management

Electronic records management may be defined as a set of computer programs used for tracking and storing electronic records for legal, fiscal, administrative, and other business purposes, resulting in the systematic control of the creation, receipt, maintenance, use, and disposition of electronic records. Its importance is as follows:
It helps in the investigation and prosecution of email crimes.
It acts as a deterrent for abusive and indecent material in email messages.
It helps in non-repudiation of electronic communication, so that someone cannot deny being the source of a communication.

Firewall identification : port scanning

Ports are places from which computers send or accept information to and from network resources. Finding open ports is an attacker's first step toward access to the target system. To do so, the attacker systematically scans the target's ports to identify possible vulnerabilities. Attackers sometimes use automated port-scanning utilities, many of which are available.
How Attackers Scan Ports: Port scanning consists of sending messages to each port, one at a time. The kind of response received indicates whether the system is using the port and whether it is open to the discovery of weaknesses. Some firewalls uniquely identify themselves under simple port scans. For example, Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259, and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745.

Pretexting

Fraudsters may pose as executives from financial institutions, telephone companies, and so on, relying on smooth talk to win an individual's trust and get them to reveal sensitive information.

Shoulder surfing

Looking at either the user's keyboard or screen while he/she is logging in.

Why is it necessary to categorize incidents?

In order to clearly communicate security incidents and events across different departments in an organization or members of an IRT, it is necessary to adopt a common set of terminology and to categorize the incidents. Incidents are generally categorized according to their severity or origin. This categorization helps in understanding the severity, the time needed to resolve the issue, and the priority it needs to be given. Organizations may also develop their own set of categories to distinguish between different security incidents.

FAT Structure file system in windows

In the FAT file system, the file allocation table and root folder are stored in a permanent location. A volume formatted with the FAT file system is allocated in clusters, and the cluster size is determined by the size of the formatted volume. Cluster numbers in the FAT file system fit in 16 bits, and cluster sizes are powers of two. The file allocation table contains information about each cluster on the volume, such as:
Unused cluster (0x0000)
Cluster in use by a file
Bad cluster (0xFFF7)
Last cluster in a file (0xFFF8-0xFFFF)

Why is computer security so important?

Information in the modern age is a strategic resource that can also generate income. This is why organizations spend a significant amount of their budgets on protecting their information systems. Computers, networks, and information are intertwined, and the security provided to them is asset protection itself. Threats to information security come from various sources such as human error, disgruntled employees, dishonest employees, external unauthorized access, attacks from hackers, and malware.

Other types of Bastion hosts continued

Non-routing dual-homed hosts: They operate with multiple network connections, but the network connections don't interact with each other.
Victim machines: Victim machines allow any user to log in. They are useful for testing new applications whose security flaws are not yet known and for running services which are not secure.
External service hosts: These bastion hosts are visible to everyone, which makes them vulnerable to attack. They require only minimum access privileges to the internal network, providing only a few services.
One-box firewalls: If a single machine is constructed as the firewall, it is prone to more attacks. The entire site's security relies on this single machine, so it is necessary to guarantee that this machine is absolutely secure.

Choosing The Right Location For Backup

Onsite Data Backup: Storing backup data at onsite data storage only.
Advantages: Onsite backup data can be easily accessed and restored. It is less expensive.
Disadvantage: The risk of data loss is greater.
Offsite Data Backup: Storing backup data at a remote location in fire-proof, indestructible safes.
Advantage: Data security from physical threats such as fire, floods, etc.
Disadvantage: Problems in keeping a regular data backup schedule.
Cloud Data Backup: Storing backup data on storage provided by an online backup provider.
Advantages: The data is encrypted and free from physical security threats. Data can be accessed from anywhere.
Disadvantages: No direct control over the data backup. Takes more time to back up.

password guessing

The attacker takes a set of dictionary words and names and tries all the possible combinations to crack the password. It is time consuming, requires huge amounts of network bandwidth, and is easily detected.

Legal Use of Steganography

Steganography is used by law enforcement forces in certain crimes, such as monitoring the trade of materials, child pornography, accounting fraud, identity theft, and terrorism. Still, in certain cases steganography is not considered standard evidence submitted in court and needs to be approved. Law enforcement agencies use steganography to:
Steganographically watermark intermediation materials, after authorization and under public prosecutor control, with predefined marks.
Trace trade materials.
Provide network nodes where trade material is monitored.
Build an international data bank to collect data on trading controlled by investigative bodies.

Password cracking

Password cracking techniques are used to recover passwords from computer systems in order to gain unauthorized access. Because passwords are often weak or easily guessable, attackers successfully crack them.

Session layer

The fifth layer in the OSI model. This layer establishes and maintains communication between two nodes on the network. If a session gets disconnected, the session layer tries to recover the connection. The network device used by this layer is the gateway. Examples of session layer implementations are Zone Information Protocol (ZIP), AppleTalk Protocol, and Session Control Protocol (SCP).

Transparent proxy

A transparent proxy is a proxy through which the client system connects to the server without its knowledge.
With a transparent proxy, all the web clients have to be configured manually.
Most networks have routers which connect the internal LAN to the Internet.
Transparent proxies have some disadvantages, such as the inability to automatically detect FTP or HTTPS connections.
They can be configured to be totally invisible to an end user.
The transparent proxy works on port 80.

Eavesdropping countermeasures

1. Implement several layers of encryption. 2. Implement WEP for wireless networks. 3. Deploy security protocols such as IPSec, SSH, or SSL. 4. Never access email using the POP or IMAP protocols over a wireless network.

Exploit

A defined way to breach the security of an IT system

True positive in IDS

A genuine attack that triggers the IDS to raise an alarm in case of a threat

Campus area network(CAN)

Covers only a limited geographical area. This kind of network is applicable to a university campus.

Cryptography

Cryptography is the conversion of data into a scrambled code that is decrypted and sent across a private or public network.

Where does the word cryptography come from?

"Cryptography" comes from the Greek words kryptos, meaning "concealed, hidden, veiled, secret, or mysterious," and graphia, "writing"; thus, cryptography is "the art of secret writing."

Vulnerability in security

Existence of a weakness, design, or implementation error that can lead to an unexpected and undesirable event compromising the security of the system

General indications of network intrusions

General indications of network intrusions include:
A sudden increase in bandwidth consumption.
Repeated probes of the available services on your machines.
Connection requests from IPs other than those in the network range, indicating that an unauthenticated user (intruder) is attempting to connect to the network.
Repeated attempts to log in from remote machines.
A sudden influx of log data, which could indicate attempts at denial-of-service attacks, bandwidth consumption, and distributed denial-of-service attacks.

Application layer protocol examples

HTTP, HTTPS, FTP, SMTP, DNS, DHCP, SNMP are all examples of application layer protocols

IP address spoofing

IP address spoofing is a hijacking technique in which an attacker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack browsers, or gain unauthorized access to a network. Attackers modify the addressing information in the IP packet header and the source address field in order to bypass the firewall. For example, consider three hosts: A, B, and C.
Host C is a trusted machine of host B.
Host A masquerades as host C by modifying the source IP address of the malicious packets that it intends to send to host B.
When the packets are received, host B thinks they are from host C, but they are actually from host A.

network

A cluster of computer hardware connected together physically and logically.

Trojan

A program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can gain control and cause damage. A Trojan enables attackers to access the passwords stored on the trojaned computer, read personal documents, delete files, display pictures, and/or show messages on the screen.

Combining Firewalls and VPN

It is advantageous to combine VPNs and firewalls since the result is more modular. Moreover, the combined architecture stresses security as well as accessible services. Packet filtering offers a basic framework for integrating IPSec modules, and IPSec security parameters can be used as filtering criteria. Many companies install VPNs with firewalls to secure communications as well as to administer the communications between the corporate network and remote end users.

Selecting an operating system for Bastion Host (1)

It is recommended that the administrator have thorough knowledge of the operating system used on the bastion host. If a site is running only one operating system, the administrator may find it difficult to provide all the required services. The operating system should be able to meet all the service and security criteria.

Social Engineering

The act of obtaining unauthorized access to a network by manipulating authorized users into revealing their passwords and access information. Social engineering relies on communication skills. In social engineering, the attacker uses the telephone to convince people and also uses confidential data or information to gain unauthorized access to the network.

NAT (Network Address Translation)

Network address translation separates IP addresses into two sets and enables a LAN to use one set for internal traffic and the other for external traffic. It has the ability to change the address of a packet and make it appear to have arrived from a valid address. Like packet filtering, it works with a router, but at the same time it modifies the packets that the router sends.

Application layer services

Network virtual terminal
Transferring of files and file management
Directory services
Mail services

OSSEC

OSSEC is an open source host-based Intrusion Detection System. OSSEC performs:
Log analysis
File integrity checking
Policy monitoring
Rootkit detection
Real-time alerting and active response

Common encryption algorithm

RSA, MD5, SHA, DES, AES etc.

Scanning

Scanning is a process of identifying the systems, open ports, and services running in a network. It's used to devise an attack strategy.

Vulnerability Assessment

The process of identifying, quantifying, and prioritizing the vulnerabilities in a system.

Disadvantages of SAN (Storage Area Network)

Very costly to implement.
Disaster recovery issues.

Wireless security protocols

WEP

Worms

Worms are malicious programs that replicate, execute, and spread across the network connections independently without human interaction.

Objectives of computer forensics

To recover, analyze, and preserve computer and related materials in such a way that they can be presented as evidence in a court of law.
To identify the evidence quickly, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator.

UltraSurf

Ultrasurf is free software that enables users to visit websites safely and freely through a secure, encrypted tunnel. Features:
Helps you circumvent internet censorship to access websites and content you cannot normally access.
Encrypts communication from your computer to Ultrasurf proxy servers.
Hides your IP address from the websites you visit; websites only see the Ultrasurf proxy servers' IP addresses.

Types of wireless encryption

WEP: An old and original wireless security standard which can be cracked easily.
WPA: Uses a 48-bit IV, 32-bit CRC, and TKIP encryption for wireless security.
WPA2: Uses AES (128-bit) and CCMP for wireless data encryption.
WPA2 Enterprise: Integrates EAP standards with WPA encryption.
TKIP: A security protocol used in WPA as a replacement for WEP.
AES: A symmetric-key encryption algorithm, used in WPA2 as a replacement for TKIP.
EAP: Uses multiple authentication methods, such as token cards, Kerberos, certificates, etc.
LEAP: A proprietary WLAN authentication protocol developed by Cisco.
RADIUS: A centralized authentication and authorization management system.
802.11i: An IEEE standard that specifies security mechanisms for 802.11 wireless networks.
CCMP: Utilizes 128-bit keys, with a 48-bit initialization vector (IV) for replay detection.

reverse social engineering

a perpetrator assumes the role of a person in authority and has employees asking him or her for information. The attacker usually manipulates the types of questions asked to get the required information. The social engineer first creates a problem, and then presents himself or herself as the expert of such a problem through general conversation, encouraging employees to ask for solutions.

Windows log files

Windows log files are used by the forensic investigator while investigating a PC on which the Windows operating system is installed. On Windows 10 the log files are stored in the following location:
%systemroot%\System32\winevt\Logs\
System.evtx
Security.evtx
Application.evtx
Alternatively, open the Event Viewer from Control Panel, System and Security, Administrative Tools.
Tools used for auditing these log files are:
Event Log Explorer (http://www.eventreporter.com)
Event Reporter (http://eventlogxp.com)
Kiwi Log Viewer (http://www.kiwisyslog.com)
EventLog Analyzer (https://www.manageengine.com)

Ciphers and their types

Ciphers are of two types: classical and modern.
Classical ciphers: Classical ciphers are the most basic type of ciphers, which operate on alphabets (A-Z). These ciphers are generally implemented either by hand or with simple mechanical devices. Because they are easily deciphered, they are generally unreliable.
Modern ciphers: Modern ciphers are designed to withstand a wide range of attacks. They provide message secrecy, integrity, and authentication of the sender. The user can calculate modern ciphers with the help of a one-way mathematical function that is capable of factoring large prime numbers.

Key steps in computer forensic investigation

Identify the computer crime
Obtain a court warrant for seizure (if required)
Seize evidence at the crime scene
Create two bit-stream copies of the evidence
Collect preliminary evidence
Perform first responder procedures
Transport evidence to the forensic laboratory
Generate MD5 checksums of the images
Maintain a chain of custody
Analyze the image copy for evidence
Submit the report to the client
Store the original evidence in a secure location
Prepare a forensic report
If required, attend court and testify as an expert witness

Man-in-the-Middle Attack

When two parties are communicating, a man-in-the-middle attack can take place. In this case, a third party intercepts the communication between the two parties while assuring each that they are communicating with the other. Meanwhile, the third party alters the data, or eavesdrops and passes the data along. To carry this out, the man in the middle has to sniff both sides of the connection simultaneously. This type of attack is often found in telnet and wireless technologies.

VoIP (Voice over Internet Protocol)

protocol that transmits phone calls over the same data lines and networks that make up the Internet; also called Internet telephony

Personal area network(PAN)

provides communication for devices owned by a single user that work over a short distance (computer to mouse, sync calendar, etc.)

Social engineering countermeasures

Password policies:
Periodic password change
Avoiding guessable passwords
Account blocking after failed attempts
Length and complexity of passwords
Secrecy of passwords
Physical policies:
Identification of employees by issuing ID cards, uniforms, etc.
Escorting visitors
Access area restrictions
Proper shredding of useless documents
Employing security personnel

Classification of Steganography

Steganography is classified into two areas, according to technique: technical and linguistic. Technical steganography hides a message using scientific methods, whereas linguistic steganography hides it in a carrier, the specific medium used to communicate or transfer messages or files. The steganography medium is the combination of hidden message, carrier, and steganography key.

Computer forensics

According to Steve Hailey of the Cyber Security Institute, computer forensics is "The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found."

Best evidence rule

The best evidence rule is established to prevent any alteration of digital evidence, either intentional or unintentional. It states that the court only allows the original of a document, photograph, or recording as evidence at trial rather than a copy, but a duplicate will be allowed as evidence under the following conditions:
The original evidence was destroyed by fire or flood.
The original evidence was destroyed in the normal course of business.
The original evidence is in the possession of a third party.

Selecting backup media

Choosing the best backup media should be based on the following factors:
Cost: Organizations should choose backup storage media that best suit their budget. Backup media should have more storage space than the data to be backed up.
Reliability: Most organizations depend on the copies of data stored on backup media. Hence, organizations should select media that are highly reliable and not susceptible to damage or loss.
Speed: Organizations should select backup media that require less human interaction during the backup process. Speed becomes a concern if the backup cannot be done during the time when workstations remain idle.
Availability: Unavailability of the backup medium may pose an issue after any data loss or damage. Hence, organizations should decide on media that are available at any time.
Usability: Organizations should select media that are easy to handle and use. The media should be flexible during the backup process.

Good security policy

Clear communication
Brief and clear information
Defined scope and applicability
Enforceable by law
Recognizes areas of responsibility
Sufficient guidance
Top management involvement

Introduction on wireless standards

IEEE Standard 802.11 has evolved from an extension technology for wired LANs into a more complex and capable technology. When it first came out in 1997, the wireless local area network (WLAN) standard specified operation at 1 and 2 Mb/s in the infrared, as well as in the license-exempt 2.4-GHz Industrial, Scientific, and Medical (ISM) frequency band. An 802.11 network in the early days typically consisted of a few PCs with wireless capability connected to an Ethernet (IEEE 802.3) LAN through a single network access point. 802.11 networks now operate at higher speeds and in additional bands. With its growth, new issues have arisen such as security, roaming among multiple access points, and even quality of service. These issues are dealt with by extensions to the standard identified by letters of the alphabet derived from the 802.11 task groups that created them.

Salient Features of a Good Report 1

A good investigative report should be easily understood by the reader, as it contains a wealth of digital information. Sometimes, it includes interviews of two or more subjects. Some of the salient features of a good report are:
Truly defines the details of an incident.
Clear and understandable to decision makers.
Able to hold up to legal inspection.
Clear-cut and not open to confusion.
Easily referenced.
Contains all information required to explain the conclusion.
Created in a timely manner.

Signs of an incident

Signs of an incident fall into one of two categories:
1. A precursor is a sign that an incident may happen in the future.
2. An indication is a sign that an incident has already occurred or may be in progress.
Examples of precursors:
Irregular log entries in a web server showing a web scanner scanning for vulnerabilities.
An announcement of a new exploit that targets a vulnerability in the organization's mail server.
Threats from hackers stating an intent to attack the organization.
Examples of indications:
An alert of infection by a worm or virus from antivirus software.
Users complaining about abusive email messages.
IDS and IPS showing unusual log entries and network traffic.

Windows Forensics Tool: X-Ways Forensics

Source: http://www.x-ways.net
X-Ways Forensics is an advanced work environment for computer forensic examiners and our flagship product. It runs under Windows XP/2003/Vista/2008/7/8/8.1/2012/10*, 32 Bit/64 Bit, standard/PE/FE. X-Ways Forensics is based on the WinHex hex and disk editor and is part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator.
Features:
Disk cloning and imaging.
Ability to read partitioning and file system structures inside raw (.dd) image files, ISO, VHD, and VMDK images.
Complete access to disks, RAIDs, and images more than 2 TB in size (more than 2^32 sectors) with sector sizes up to 8 KB.
Built-in interpretation of JBOD, RAID 0, RAID 5, RAID 5EE, and RAID 6 systems, Linux software RAIDs, Windows dynamic disks, and LVM2.
Automatic identification of lost/deleted partitions.
Native support for FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3®, CDFS/ISO9660/Joliet, UDF.
Superimposition of sectors, e.g. with corrected partition tables or file system data structures, to parse file systems completely despite data corruption, without altering the original disk or image.
Access to logical memory of running processes.
Various data recovery techniques, lightning fast and powerful file carving.
Well maintained file header signature database based on GREP notation.
Data interpreter, knowing 20 variable types.
Viewing and editing binary data structures using templates.
Hard disk cleansing to produce forensically sterile media.
Gathering slack space, free space, inter-partition space, and generic text from drives and images.
File and directory catalog creation for all computer media.
Easy detection of and access to NTFS alternate data streams (ADS).
Mass hash calculation for files (Adler32, CRC32, MD4, ed2k, MD5, SHA-1, SHA-256, RipeMD-128, RipeMD-160, Tiger-128, Tiger-16, Tiger-192, TigerTree, ...).
Lightning fast powerful physical and logical search capabilities for many search terms at the same time.
Recursive view of all existing and deleted files in all subdirectories.
Automatic coloring for the structure of FILE records in NTFS.

Physical layer

The lowest, or first, layer of the OSI model. Protocols in this layer generate and detect signals so as to transmit and receive data over a network medium. These protocols also set the data transmission rate and monitor data error rates, but do not provide error correction. Protocols used in this layer are ISDN, POTS, and Bluetooth.

Email Spamming

Unsolicited commercial email (UCE) or junk mail can be defined as spam. Spam mail involves sending the same content to a huge number of addresses at the same time. Spamming or junk mail fills mailboxes and prevents users from accessing their regular emails. These regular emails start bouncing because the server exceeds its capacity limit. Spammers hide their identities by forging the email header. To avoid getting responses from annoyed receivers, spammers provide misleading information in the FROM and REPLY-TO fields and post them to a mailing list or newsgroup.

What makes a good penetration tester?

The following activities will ensure a good penetration test:
Establishing the parameters for the penetration test, such as objectives, limitations, and justifications of the procedures.
Hiring highly skilled and experienced professionals to perform the pen test.
Appointing a legal penetration tester who follows the rules in the nondisclosure agreement.
Choosing a suitable set of tests that balances costs and benefits.
Following a methodology with proper planning and documentation.
Documenting the results carefully and making them comprehensible to the client. The penetration tester must be available to answer any queries whenever there is a need.
Clearly stating findings and recommendations in the final report.

Reverse Proxy

A reverse proxy server is an intermediate server that sits between a client and the actual web server. It is usually situated closer to the server(s) and will only return a configured set of resources. A reverse proxy can optimize content by compressing it in order to speed up loading times. The client is unaware of the presence of the reverse proxy.

Backup Types

Full Backup: Full backup is also called normal backup. The full backup occurs automatically as per the set schedule. It copies all the files; the copied files are compressed to save storage space. Full backup is efficient in providing data protection to the copied data. Incremental Backup: An incremental backup backs up only the data that has changed since the last backup. The last backup can be any type of backup. Before an incremental backup can be performed, the system must have gone through a full backup. Differential Backup: Differential backup is a combination of full backups and incremental backups. A differential backup backs up all the changes made since the last full backup.

Authentication

Authentication is the process of determining whether someone or something is, in fact, who or what the individual or entity claims to be.

General indications of filesystem intrusions

By observing system files, you can identify the presence of an intrusion. System files record the activities of the system. Any modification or deletion of the file attributes or the file itself is a sign that the system was a target of attack. If you find new, unknown files/programs on your system, then there is a possibility that your system has been intruded upon. The system can be compromised to the point that it can, in turn, compromise other network systems. When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. When the intruder obtains Administrator privilege, he/she could change file permissions, for example, from Read-Only to Write. Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all of your system files. The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack. You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions. Missing files are also a sign of a probable intrusion/attack.

OSI ( open systems interconnection)

Defines the communication of data over a network. It is a framework that portrays the flow of data from one device to another over a network. It has seven layers.

Step 1: Preparation for Incident Handling and Response

1. Determine the need for Incident Handling & Response (IH&R) processes. 2. Define the IH&R vision. 3. Obtain management approvals and funding. 4. Develop the IH&R plan, core policies, and procedures. 5. Define incident handling criteria. 6. Create the IRT team and organize resources. 7. Implement the IH&R plan. 8. Evaluate the current security posture. 9. Harden information system security.

Definition of digital evidence

Digital evidence is defined as "any information of probative value that is either stored or transmitted in a digital form." Digital information can be gathered while examining digital storage media, monitoring the network traffic, or making duplicate copies of digital data found during a forensics investigation. Digital evidence is found in files such as: graphics files, audio and video recordings and files, Internet browser histories, server logs, word processing and spreadsheet files, emails, and log files.

Identifying critical business data

Every organization has an abundance of data. An organization should identify the critical data or files that require backup. The criticality of the data is decided based on the importance it serves to the organization. It requires analyzing which information is important for the functioning of the organization. The critical data can consist of organization revenue, organization emerging trends, marketing plans, databases, files including documents, spreadsheets, e-mails, etc. Loss of such critical data can affect the organization enormously.

IDS VS Firewalls

Firewalls limit access between networks to prevent intrusion, and they do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. It also watches for attacks that originate from within a system.

Evolution of computer forensics

Francis Galton (1822-1911) Made the first recorded study of fingerprints. Leone Lattes (1887-1954) Discovered blood groupings (A, B, AB, and O). Calvin Goddard (1891-1955) Allowed firearms and bullet comparison for solving many pending court cases. Albert Osborn (1858-1946) Developed essential features of document examination. Hans Gross (1847-1915) Made use of scientific study to head criminal investigations. FBI (1932) A lab was set up to provide forensic services to all field agents and other law authorities across the country.

Optical Disks (CD, DVD, Blu-ray)

DVD recordable disks can store up to 8.55 GB and are readily available in the market. CDs and DVDs can store more data and are available at affordable rates. However, the use of CDs and DVDs has declined these days, as Blu-ray disks are available at reasonable prices and can store more data than CD/DVD disks. Blu-ray is compatible with both PC and consumer electronic environments. The data encoding feature in Blu-ray allows more data storage. Advantages: o Less expensive and easy to store. Disadvantages: o Slow in storing data.

RC4 Algorithm

RC4 is a variable key-size symmetric-key stream cipher with byte-oriented operations that depends on the use of a random permutation. According to some analyses, the period of the cipher is likely to be greater than 10^100. Each output byte uses eight to sixteen system operations, meaning the cipher has the ability to run fast when used in software. Products like RSA SecurPC use this algorithm for file encryption. RC4 enables safe communications such as traffic encryption (which secures Web sites) and is used by Web sites that use the SSL protocol.

Computers Facilitated Crimes

With today's world more focused on cyberspace and its networked computers, anonymous crimes are rising. Computer crimes are rapidly increasing with the advancement in Information and Communications Technology (ICT). The first computer crime was reported in the year 1969. Computer use can create or facilitate crimes such as spamming, corporate espionage, identity theft, writing or spreading computer viruses and worms, Denial of Service attacks, distribution of pornography, cyber theft, hacking, data transfer theft, software piracy, etc. Computer crimes pose new challenges for investigators due to their speed, anonymity, and the fleeting nature of evidence.

How to configure Proxy

any web browser like Chrome, Internet Explorer (IE), Netscape, Mozilla, Opera, etc. For configuring a proxy server we need: a hosting account, and software capable of running a proxy server. Hosting allows one to set up and create the proxy server to be used for surfing the Internet. The hosting needs to be proxy compatible and powerful. The software should offer anonymity and cover the tracks of the users' IP activity.

Wireless standards part 3

802.11 is used for real-time applications such as voice and video. To ensure that these time-sensitive applications have the network resources when they need them, this task group is working on extra mechanisms to ensure quality of service at Layer 2 of the reference model, the medium-access layer, or MAC. 802.11 standards have developed from the small extension points of wired LANs into multiple access points. These access points must communicate with one another to allow users to roam among them. This task group is working on extensions that enable communication between access points from different vendors. This task group is working on high-speed extensions to 802.11b. The current draft of 802.11g contains PBCC and CCK-OFDM along with old OFDM as modulation schemes. Development of this extension was marked by a great deal of contention in 2000 and 2001 over modulation schemes. A breakthrough occurred in November 2001, and the task group worked to finalize its draft during 2002.

The importance of IDS

1. 85% of all security threats come in the form of insider threats such as disgruntled employees misusing the network resources. 2. The other source of attacks remains intruders with denial of service attacks or intruders who try to penetrate the network defenses. 3. The IDS is the only possible solution to detect and monitor threats from within the network and outside. 4. IDS is an integral part of the network defense system, along with firewalls, to protect the information assets of organizations.

VPN (Virtual Private Network) vulnerabilities

1. Erroneous SIP processing vulnerabilities 2. IPSec client authentication processing vulnerability 3. SSL VPN memory leak vulnerability 4. URL processing error vulnerability in SSL VPNs 5. Potential information disclosure in clientless VPNs

Challenging aspects of evidence

1. Forensics investigators face many challenges while preserving digital evidence, as it is a chaotic form of evidence and it is critical to handle it correctly. 2. During the investigation, it can be altered maliciously or unintentionally without leaving any traces. 3. Digital evidence is circumstantial, which makes it difficult for a forensics investigator to trace the system's activity. 4. It is an abstraction of some events: when the investigator performs some task on the computer, the resulting activity creates data remnants that give an incomplete view of the actual evidence.

Aspects of organizational security

1. IT Security: Application security, Computing security, Data security, Information security, Network security. 2. Physical Security: Facilities security, Human security, Border security, Biometric security. 3. Financial Security: Security from frauds, Phishing attacks, Botnets, Threats from cyber criminals, Credit card fraud. 4. Legal Security: National security, Public security, Defamation, Copyright information, Sexual harassment.

Limitations of proxy server

1. If the proxy is not properly secured, then it may become a point of failure in the event of an attack. 2. Increase in workload, since the proxy must be configured for each and every service it provides. 3. If we attempt to change the default settings, the proxy server might not function properly. 4. Proxy servers have to reroute information, thus web pages can sometimes load slowly. 5. If the proxy server is attempting to bypass suspicious software, some elements of a page may not load. 6. Since personal information is passed through an external server that could be accessed by someone else, data security can be compromised.

Setting up a Bastion host

1. Install a clean operating system and fix all the errors to make the system secure. 2. Enable only the essential services. The fewer the services, the more secure the host. 3. The bastion host can be configured to provide a particular service or a fixed number of services. 4. Reconfigure the machine from a configuration suitable for development into its final running state. 5. Run a security audit and establish a baseline for future audits. 6. Connect the machine to the network and monitor it.

How to defend against web servers attacks

1. Ports: Audit the ports on the server regularly to ensure that an insecure or unnecessary service is not active on your web server. Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL). Encrypt or restrict intranet traffic. 2. Server certification: Ensure that certificate date ranges are valid and that certificates are used for their intended purpose. Ensure that the certificate has not been revoked and that the certificate's public key is valid all the way to a trusted root authority. 3. machine.config: Ensure that protected resources are mapped to HttpForbiddenHandler and unused HttpModules are removed. Ensure that tracing is disabled and debug compiles are turned off. 4. Code access security: Implement secure coding practices. Restrict code access security policy settings. Configure IIS to reject URLs with "../" and install new patches and updates.

Basic principles for building a bastion host

1. Provide minimum services with least privilege rights 2. Be prepared to compromise with the situation 3. Locate bastion host between internal servers and outside network 4. Administrators should be alerted in case of attacker's attempt 5. On failure of bastion hosts, internal servers must verify services provided by the bastion host

Proxy server-to-Proxy server linking

1. Provides the facility to run a proxy server as a local cache on behalf of a particular department. 2. Each such department has control over the server and cache. 3. These departmental proxy servers connect to a proxy server on a firewall between the Internet and the configuration. 4. Linking proxy servers offers a higher degree of separation between the real server and the user.

Characteristics of IDS

1. The IDS should be able to run continuously even without human intervention. 2. The IDS should not be an overload to the system. 3. The IDS should be able to detect any behavior that is not normal. 4. As new applications are added to the system, the IDS must be able to adapt to the system behavior

Benefits of proxy servers

1. Filtering Content: Prevents any malicious content from entering the server. 2. Hidden Client: The client's IP address does not appear on the Internet. 3. Caching Documents: Provides a file directory structure and a mapping mechanism within the file directory structure. 4. Single Point of Logging: For re-creating an entire session of web browsing for a user to detect problems. 5. Blocks URLs: The proxy server can restrict access to certain websites by using a database of restricted sites or flagging websites containing certain keywords. 6. Safeguards Email Servers: Increases anonymity in sending and receiving mails. 7. Enhances Performance: The proxy server stores commonly requested pages in cache. This improves the user response time and saves bandwidth. 8. Provides Security Assurance: Proxies are capable of encrypting information like passwords etc. while transmitting. 9. Offers User Authentication: Helps in making access to the applications more secure.

Biometrics authentication

A biometric system is a critical pattern recognition system that verifies the identity of its user. It consists of a database in which the user's details are maintained. The system validates the user against this database. Authentication of a user is generally based on the following characteristics: something the user knows (such as a password or personal identification number); something the user has (a security token or smart card); something the user is (a physical characteristic, such as a fingerprint, called a biometric). Biometric authentication is considered reliable because duplicating the identity of a user is not possible. This is a trusted authentication mechanism, since biometric characteristics are said to be "distinctive". Another advantage of biometric authentication, as opposed to a more traditional method, is that biometric measurements cannot be lost or forgotten. Biometric authentication involves four stages: enrolment, storage, acquisition, and matching.

Popular windows file system

A file system is the directory structure and methods for organizing a partition. Different file systems reveal different operating system requirements and their performance assumptions. File systems are assigned to different logical partitions on the physical drive. Different file systems can be maintained on one disk. FAT (File Allocation Table): The FAT file system is the File Allocation Table, a method of organization of internal data that resides at the beginning of the volume. It is a 16-bit file system and was developed for DOS and further supported by all operating systems. It consumes little memory and is simple and reliable. The files in the file system are named as NAME.EXT. It limits the file name to 8 characters, with 3 characters for the extension. Its main shortcomings are that it supports a maximum of 64 K allocation units and becomes less efficient on partitions above 32 megabytes. Due to its limitations, it is not suitable for file servers. FAT32: It is a 32-bit version of the FAT file system using smaller clusters and resulting in efficient storage capacity. It supports drive sizes up to 2 terabytes. It can move the root directory to a new place and use the backup copy instead of the default copy. One of the main features is that it can dynamically resize a FAT32 partition. NTFS (New Technology File System): The NTFS file system is an entirely different file system from FAT. It provides for enhanced security, file-by-file compression, quotas, and even encryption. It is developed to rapidly carry out standard file operations such as read, write, search, and file system recovery. On formatting a disk volume with the NTFS file system, it creates the Master File Table (MFT) and several system files. The MFT is the first file on an NTFS volume and holds information about all the files and folders on it. The first information that it holds is about the partition boot sector, which begins at sector zero and can be up to 16 sectors long.
NTFS is the standard file system of Windows NT and its descendants Windows XP, Vista, Windows 7, Windows 8.1, Windows 10, Server 2003, Server 2008, and Server 2012. It has five versions: v1.0 (found in Windows NT 3.1), v1.1 (Windows NT 3.5), and v1.2 (Windows NT 3.51 and Windows NT 4). v3.0, found in Windows 2000. v3.1, found in Windows XP, Windows Server 2003, Windows Vista, and Windows 7.

Alert/Alarm in IDS

An indication that the system or network is under attack

Document Steganography: wbStego and SNOW

As with image steganography, document steganography is the technique of hiding secret messages transferred in the form of documents. It includes adding white spaces and tabs at the end of the lines. A stego-document is a cover document comprising a hidden message. Steganography algorithms, referred to as the "stego system", are employed for hiding the secret messages in the cover medium at the sender end. The same algorithm is used for extracting the hidden message from the stego-document by the recipient. wbStego Source: http://wbstego.wbailer.com wbStego is an open source application for Windows and Linux. It can hide any type of file in the following types of carrier files: Windows bitmaps with 16, 256 or 16.7M colors, ASCII or ANSI text files, HTML files, Adobe PDF files. The data is stored in the carrier files without modifying them for the viewer. wbStego4 provides two types of user interfaces. The Wizard mode can be used for encoding and decoding, and the Flowchart mode is for advanced users to make all settings in one time-saving overview flowchart. SNOW Source: http://www.darkside.com.au The SNOW program helps to conceal messages in ASCII text by appending white space to the end of lines. Because spaces and tabs are generally not visible in text viewers, one can effectively hide the message from casual observers. Moreover, if the built-in encryption is used, the receiver cannot read the message even if it is detected.

Investigating cyber crime

1. Determine if an incident has occurred. 2. Find and interpret the clues left behind. 3. Conduct a preliminary assessment to search for the evidence. 4. Search and seize the computer equipment. 5. Collect evidence that can be presented in a court of law or at a corporate inquiry.

VPN Security Protocols

IPSec: the IPSec protocol authenticates the packets during the transmission of data. PPTP L2TP

Modes of attacks

Insider Attacks: Breach of trust from employees within the organization. External Attacks: Attackers either hired by an insider or by an external entity to destroy the competitor's reputation.

Identity theft

The Identity Theft and Assumption Deterrence Act of 1998 defines identity theft as the illegal use of someone's means of identification.

Recycle Bin

The Recycle Bin exists as a metaphor for throwing files away; it also allows the user to retrieve and restore files. When a file is deleted, a subdirectory is created for the user within the Recycler directory and named with the user's security identifier. For example: C:\RECYCLER\S-1-5-21-1454471165-630328440-725345543-1003> The index number of the deleted file serves as a reference to the original filename maintained in the INFO2 file. The INFO2 file contains records that correspond to each deleted file in the Recycle Bin. Each record contains the record number, the drive designator, the timestamp of when the file was moved to the Recycle Bin, the file size, and the file's original name and full path, in both ASCII and Unicode.

Ways to detect an intrusion

Three ways to detect an intrusion: 1. Signature recognition: It is also known as misuse detection. Signature recognition tries to identify events that misuse a system. 2. Anomaly detection: It detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system. 3. Protocol anomaly detection: In this type of detection, models are built on TCP/IP protocols using their specifications.

Modern cipher types

Based on the type of key used: Symmetric key algorithms (private-key cryptography) use the same key for encryption and decryption. Asymmetric key algorithms (public-key cryptography) use two different keys for encryption and decryption. Based on the type of input data: Block ciphers are deterministic algorithms operating on blocks (groups of bits) of fixed size with an unvarying transformation specified by a symmetric key. Most modern ciphers are block ciphers. These are widely used to encrypt bulk data. Examples include DES, AES, IDEA, etc. Stream ciphers are symmetric key ciphers in which plaintext digits are combined with a key stream (a pseudorandom cipher digit stream). Here, the user applies the key to each bit, one at a time. Examples include RC4, SEAL, etc.

Ways of computer getting infected by virus

1. Not running the latest antivirus application. 2. Not updating and not installing new versions of plug-ins. 3. Installing pirated software. 4. Opening infected email attachments. 5. When a user accepts files and downloads without checking properly from the source.

Presentation Layer

Captures data from the application layer, converts it into the network format, and vice versa. Responds to service requests from the application layer and issues service requests to the session layer. The gateway redirector operates in this layer. The layer is responsible for defining the syntax which two network hosts should use to communicate. The main functions of this layer are encryption, decryption, compression, and protocol conversion. Some of the protocols operating at this layer are HTTP, SMTP, SNMP.

SSH protection against attacks

A remote host sending out packets which pretend to come from another trusted host (IP spoofing). SSH protects against a spoofer on the local network, who can pretend to be the user's router to the outside. A host pretending that an IP packet comes from another trusted host (IP source routing). An attacker forging name server records (DNS spoofing). Capturing of passwords and other data by the intermediate hosts. Exploitation of data by the people who control the intermediate hosts. Attacking by listening to X authentication data and spoofing connections to the X11 server.

IPSec services

Authentication Header Protocol (AHP): This protocol provides authenticity and integrity by using a cryptographic hash. It covers the entire packet including static header fields. If any part of the original message gets modified, it will be detected. It can be used to authenticate and can also prevent IP spoofing. AH also offers anti-playback (anti-replay) capability by using an incremental sequence number. Duplicated packets and packets with wrong sequence numbers are kept away. AH specifies a header to be added to the IP packets. It identifies which algorithms and keys are to be utilized for IPSec processing. Encapsulating Security Protocol (ESP): This protocol provides integrity and confidentiality for the IP packets during transmission. It provides traffic flow confidentiality in tunnel mode. It makes use of symmetric encryption and MACs based on secret keys shared between the end points.

Wireless terminologies part 1

BSSID The MAC address of an access point (AP) or base station that has set up a Basic Service Set (BSS) is a Basic Service Set Identifier (BSSID). Usually users are unaware of the BSS to which they belong. When a user moves a device from one place to another, the BSS used by the device could change because there is a variation in the range covered by the AP, but which may not affect the connectivity of the wireless device. Bandwidth Usually, bandwidth refers to the data transfer rate. The unit of measuring the bandwidth is bits (amount of data) per second (bps). Direct-sequence Spread Spectrum (DSSS) DSSS is a spread spectrum technique that multiplies the original data signal with a pseudo random noise spreading code. Also referred to as a data transmission scheme or modulation scheme, the technique protects signals against interference or jamming.

Web applications threats 3

Broken Account Management: Vulnerable account management functions, including account update, forgotten or lost password recovery or reset, and other similar functions, might weaken valid authentication schemes. Insecure Storage: Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information in a database or on a file system. If users do not maintain the proper security of their storage locations, then the application may be at risk, as attackers can access the storage and misuse its information. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user. Platform Exploits: Users can build various web applications by using different platforms such as BEA WebLogic and ColdFusion. Each platform has its own vulnerabilities and exploits associated with it. Insecure Direct Object References: When developers expose various internal implementation objects such as files, directories, database records, or keys through references, the result is an insecure direct object reference. For example, if a bank account number is a primary key, there is a chance of the application being compromised by attackers taking advantage of such references. Insecure Cryptographic Storage: Sensitive data stored in a database should be properly encrypted using cryptography. However, some cryptographic encryption methods contain inherent weaknesses. Thus, developers should use strong encryption methods to develop secure applications. At the same time, they must take care to store the cryptographic keys securely. If these keys are stored in insecure places, then attackers can obtain them easily and decrypt the sensitive data. Authentication Hijacking: To identify a user, every web application employs user identification such as an ID and password.
However, once attackers compromise a system, various malicious things such as theft of services, session hijacking, and user impersonation can occur. Network Access Attacks: Network access attacks can majorly affect web applications, including the basic level of service. They can also allow levels of access that standard HTTP application methods could not grant.

Email terminology 2

CC (Carbon Copy) CC (Carbon Copy) is a field in the email header that directs a copy of the message to another recipient. CC is used to indicate that the message is a copy of a note sent to a recipient other than the main recipient. This reveals the email address list to all the recipients. Encoding Encoding is a method of sending binary (non-text) files with emails. Common encoding options include Uuencode, BinHex, MIME, etc. In order to ensure that control characters are sent over the Internet, encode the text format before sending any email attachments. The email text is saved as a series of readable alphanumeric characters. Graphics, spreadsheets, video files, and Word documents can be represented and stored in 1's and 0's in any of the 256 different combinations that make up an 8-bit byte. Examples of different combinations are shown below: 01000010 01101101 01011011 The above combinations represent the characters "B", "m", and "[", respectively. Alphanumeric characters comprise less than 100 of the 256 total byte combinations. Email programs filter out zero-length files and avoid them by encoding attached files irreversibly before mailing to eliminate non-readable bytes from getting into the process. When the attachment is received by the recipient's email program, it is automatically downloaded to the user's system and decoded according to a standard procedure to rebuild the original file. An instruction included in the encoded file tells the email recipient about the type of encoding program. MIME (Multipurpose Internet Mail Extensions) It is the most common standard used for email encoding. MIME encodes a file into the following 64 alphanumeric characters: ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz0123456789+/ Uuencode (UNIX-to-UNIX encode) It is a universal protocol used to transfer files between different platforms such as UNIX, Windows, and Macintosh. It is used to send email attachments.

Stages of hacking cycle

Reconnaissance: This is the phase where the attacker gathers information about a target using active or passive means. Scanning: In this phase, the attacker begins to actively probe the target for vulnerabilities that can be exploited. Gaining Access: If vulnerability is detected, the attacker can exploit it to gain access into the system. Maintaining Access: Once access is gained, the attacker usually maintains access to fulfill the purpose of his/her entry. Clearing Tracks: In this phase, the attacker tries to destroy all evidence of the attack to evade legal punitive actions.

Electronic device: types and collecting potential evidence

Computer Systems: The computer system comprises the central processing unit (CPU)—the most significant base unit, a monitor (visual display unit), mouse, data storage devices, and keyboard. Computer systems might or might not be connected to a network. Types of computer systems include minicomputers, desktops, mainframe computers, and laptops. Some additional components used are modems, printers, scanners, docking stations, and external data storage devices. For example, a desktop is a computer system consisting of a motherboard, CPU, case or cabinet, mouse, and data storage, with an external keyboard. Computer system uses span all types of computing functions and data storage, including word processing, calculations, communications, and graphics development. Electronic evidence can be found in several types of electronic devices, and you will come across a large variety of electronic devices at crime scenes. Electronic devices use electrical power—either AC or DC—to retain data in a volatile form embedded in electronic circuit chips; therefore, memory is sustained only while there is electrical power. Evidence is found in files that are stored on servers, memory cards, hard drives, removable storage devices, and media such as CDs, DVDs, cartridges, and tape. User-created Files: User-created files can provide significant evidence of criminal activities or verify the criminal's connection. Photographs can provide clues or be evidence of a crime themselves, and email or documents might be evidence of communication between criminals or with victims. Some types of evidence where you can obtain information of investigative value include: address books, database files, audio or video files, documents or text files, image or graphics files, Internet bookmarks or favorites, spreadsheet files. User-protected Files: Users hide evidence in a variety of ways, such as encoding or password-protecting the important data.
The files also could be hidden on a hard disk or within other folders, or they could be deliberately given names unrelated to their content. Some types of files include the following: compressed files, misnamed files, encrypted files, password-protected files, hidden files and steganography. Computer-created Files: These are files created by the system itself, often when it is booted or connected to the Internet. Some types of common computer-created files are: backup files, log and configuration files, printer spool files, cookies, swap and hidden files, system files, history and temporary files.

Understanding System Boot Sequence

1. The computer waits for the power-good signal. The booting of the operating system is controlled by the BIOS (Basic Input/Output System).
2. The processor executes the BIOS boot program.
3. The BIOS performs the Power On Self-Test (POST).
4. The BIOS initializes the system's settings from the CMOS settings.
5. PCI initializes and displays the configuration and status of the devices.
6. The BIOS locates and loads the Disk Operating System (DOS).
7. The BIOS then loads the Master Boot Record (MBR).
8. The volume boot sector is loaded and tested.
9. IO.SYS is loaded and executed.
10. IO.SYS searches for MSDOS.SYS, loads it, and executes the file.
11. COMMAND.COM is loaded and executed for interpreting and reading CONFIG.SYS and AUTOEXEC.BAT.

Web applications 4

Cookie Snooping
Attackers use cookie snooping on victim systems to analyze users' surfing habits and sell that information to other attackers, or to launch various attacks on the victims' web applications.
Web Services Attacks
An attacker can get into the target web application by exploiting an application integrated with vulnerable web services. An attacker injects a malicious script into a web service and is able to disclose and modify application data.
Insufficient Transport Layer Protection
Use SSL/TLS authentication for websites; otherwise, attackers can monitor network traffic to steal authenticated users' session cookies, making them vulnerable to threats such as account theft and phishing attacks.
Hidden Manipulation
Attackers attempting to compromise e-commerce websites mostly use these types of attacks. They manipulate hidden fields and change the data stored in them. Several online stores face this type of problem every day. Attackers can alter prices and conclude transactions at the prices of their choice.
DMZ Protocol Attacks
The DMZ ("demilitarized zone") is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to:
Compromise of the web application and data
Defacement of websites
Access to internal systems, including databases, backups, and source code
Unvalidated Redirects and Forwards
Attackers lure victims and make them click on unvalidated links that appear to be legitimate. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass, leading to:
1. Session fixation attacks
2. Security management exploits
3. Failure to restrict URL access
4. Malicious file execution

Web applications threats 2

Denial of Service
A denial-of-service (DoS) attack is an attacking method intended to terminate the operations of a website or server and render it unavailable to legitimate users. For instance, a website related to a banking or email service is not able to function for a few hours or even days, resulting in loss of time and money.
Broken Access Control
Broken access control is a method in which an attacker identifies a flaw related to access control, bypasses the authentication, and then compromises the network.
Cross-Site Request Forgery
The cross-site request forgery method is a kind of attack in which an authenticated user is made to perform certain tasks on the web application that an attacker chooses. For example, a user clicks on a particular link sent through an email or chat.
Information Leakage
Information leakage can cause great losses to a company. Hence, organizations must protect all sources such as systems or other network resources from information leakage by employing proper content-filtering mechanisms.
Improper Error Handling
It is necessary to define how a system or network should behave when an error occurs. Otherwise, the error may provide a chance for an attacker to break into the system. Improper error handling may lead to DoS attacks.
Log Tampering
Web applications maintain logs to track usage patterns such as user login credentials and admin login credentials. Attackers usually inject, delete, or tamper with web application logs to engage in malicious activities or hide their identities.
Buffer Overflow
A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.
Broken Session Management
When security-sensitive credentials such as passwords and other important data are not properly secured, attackers can easily compromise them.
Security Misconfiguration
Developers and network administrators should check the configuration of their entire application stack to avoid security misconfiguration at any level, including its platform, web server, application server, framework, and custom code. Automated scanners detect missing patches, misconfigurations, use of default accounts, and so on, which attackers could exploit to compromise web application security.

Web applications threats 5

Failure to Restrict URL Access
An application often safeguards or protects sensitive functionality and prevents the display of links or URLs for protection. Attackers access those links or URLs directly and perform illegitimate operations.
Obfuscation Application
Attackers usually work hard at hiding their attacks and avoiding detection. Network and host-based intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters to properly display them, regardless of the application or underlying platform.
Security Management Exploits
Some attackers target security management systems, either on networks or on the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.
Session Fixation Attack
In a session fixation attack, the attacker tricks or attracts the user to access a legitimate web server using an explicit session ID value.
Malicious File Execution
Malicious file execution vulnerabilities are present in most applications. This vulnerability is caused by unchecked input into a web server. Because of this, attackers execute and process files on a web server and initiate remote code execution, install a rootkit remotely, and—in at least some cases—take complete control over systems.

Feature of firewalls

Restricts unauthorised people from entering the network.
Records the network's activities.
Provides security policy.
Limits exposure of the organisation to others.
Prevents attackers from getting close to other defenses.
Protects sensitive data from attackers over the Internet.

Wireless terminologies part 2

Frequency-hopping Spread Spectrum (FHSS)
FHSS, also known as Frequency-Hopping Code Division Multiple Access (FH-CDMA), is a method of transmitting radio signals by rapidly switching a carrier among many frequency channels. It decreases the efficiency of unauthorized interception or jamming of telecommunications. In FHSS, a transmitter hops between available frequencies using a specified algorithm in a pseudorandom sequence known to both sender and receiver.
Orthogonal Frequency-division Multiplexing (OFDM)
OFDM is a method of digital modulation of data in which a signal at a chosen frequency is split into multiple carrier frequencies that are orthogonal (occurring at right angles) to each other. OFDM maps information onto changes in carrier phase, frequency, or amplitude, or a combination of these, and shares bandwidth with other independent channels. It produces a transmission scheme that supports higher bit rates than a parallel channel operation. It is also a method of encoding digital data on multiple carrier frequencies.

Selecting Backup Types: Advantages and Disadvantages.

Full Backup
Advantages:
o It is easy to restore, as the restore process requires only the file name and location.
o A full backup maintains different versions of the data.
Disadvantages:
o It is a time-consuming process, as each file is backed up every time the full backup process is done.
o Consumes a lot of storage space.
Incremental Backup
Advantages:
o It is much faster than a full backup.
o Incremental backup makes efficient use of storage, as there is no duplication of data.
Disadvantages:
o Restoration of data is time consuming and complex, as the full backup is restored first and then the incremental backups.
Differential Backup
Advantages:
o It is much faster than a full backup.
o Utilizes storage more efficiently than a full backup, as only the changes made since the last full backup are backed up at regular intervals.
o Restoration of data is faster than with an incremental backup.
Disadvantages:
o The backup process is slower than an incremental backup.
o Restoration of a differential backup is slower than a full backup.

Steps involved in TLS handshake protocol

1. Initially, the client sends a "Client hello" message, accompanied by the client's random value and supported cipher suites, to the server.
2. The server responds to the client by sending a "Server hello" message accompanied by the server's random value.
3. The server sends its certificate to the client for authentication and may request the client's certificate.
4. The server sends the "Server hello done" message.
5. The client sends its certificate to the server, if requested.
6. The client generates a random Pre-Master Secret and encrypts it with the server's public key; it then sends the encrypted Pre-Master Secret to the server.
7. The server receives the Pre-Master Secret. Thereafter, the client and server each create the Master Secret and session keys based on the Pre-Master Secret.
8. The client sends a "Change cipher spec" notification to the server to indicate that it will start using the new session keys for hashing and encrypting messages. The client also sends a "Client finished" message.
9. The server receives "Change cipher spec" from the client and switches its record layer security state to symmetric encryption using the session keys. The server sends a "Server finished" message to the client.
10. Now the client and server can exchange application data over the secure channel they have established, and all the messages exchanged between the client and server are encrypted using a session key.

Issues in Information Hiding

Levels of Visibility
A message that is embedded can result in the data being perceptible or imperceptible. To reduce the likelihood of theft of the data, the presence of the watermark is publicized. Publicizing the presence of the watermark also allows various methods to be implemented to alter or disable the watermark. When the visibility of the data is increased, the likelihood of manipulation of the data also increases. To raise the level of survival, multiple instances of the watermark are embedded throughout the image.
Robustness vs. Payload
This involves the size of the embedded message versus the resilience to distortion (robustness). For a robust method of embedding a message, redundancy should be maintained to resist changes made to the cover. If the robustness of the message is increased, then the payload is less, and if the robustness is less, the payload is more.
File Format Dependence
The conversion of files that have lossless information to compressed lossy information destroys the secret information present in the cover. Some processes embed the data depending on the file format of the carrier, while others do not depend on the file's format. A tool that depends on the file format is Jsteg-jpeg. Example: The conversion of an uncompressed bitmap to a compressed, estimated JPEG changes the bits, including bits containing the embedded message.

Linux overview

Linux Kernel
This low-level software manages computer hardware and provides a library (POSIX) interface for user-level software. Similar to Unix, the Linux kernel runs on different platforms such as Intel x86 and IA-64, Alpha, MIPS, HP PA-RISC, PowerPC, IBM S/390, SPARC, and Motorola 680x0.
GNU/Linux OS
It is an integration of the Linux kernel and utility software that gives a useful working environment.
Linux Distributions
The combination of the Linux kernel, the GNU/Linux OS, and other software makes Linux easy to install, configure, and use.
Linux is an operating system developed by a programmer from Finland named Linus Torvalds. Linux is freely available and the source code is open for usage. Anyone can work on the Linux operating system and then post new code to improve it. This concept is known as open source. Linux is adopted as a standard in IBM for developing open source software. Numerous application programs have been written for Linux, some of them by the GNU project. The architecture of Linux is like LNA, which creates a more reliable system. Systems that use protected memory and follow multitasking are regarded as more stable. Linux can be customized and updated rapidly, and the total cost of ownership is also low. This flexibility of being updateable and customizable has enabled Linux to run on everything from handheld and embedded systems to clusters of hundreds of servers. Linux is also used for mobile phones, pocket PCs, and PDAs.

Factors of Authentication

Single Factor Authentication: As the name suggests, only one parameter is used, e.g. password based, basic authentication, certificate based, token based, or biometrics.
Two Factor Authentication: Exactly two parameters are used for authentication. It is relatively difficult for hackers to forge the authentication, e.g. a combination of any two single-factor authentication methods.
Multi-Factor Authentication: It is used in environments where sensitive information is involved. As three or more parameters are involved, it is difficult to hack into. E.g., for accessing a secure laboratory, employees need to use their electronic identity cards, fingerprints, and retina scan.

Mail Bombing/Mail Storm

Mail Bombing
According to www.cert.org, "email bombing is characterized by abusers repeatedly sending an email message to a particular address at a specific victim's site. In many instances, the messages will be large and constructed from meaningless data in an effort to consume additional system and network resources. Multiple accounts at the target site may be abused, increasing the denial of service impact."
Mail bombing is an intentional act of sending multiple copies of identical content to the same recipient. The primary objective behind mail bombing is to overload the email server and degrade the communication system by making it unserviceable. Usually, a mail bomber and the victim know each other. Newsgroup postings that do not agree with the recipient's opinion also result in mail bombing. The target of a mail bomber can be either a specific machine or a particular person. Mail bombing is more abusive than spamming because it not only sends mails in excessive amounts to a particular person, but it also prevents other users from accessing their email using the same server.
Mail Storms
A mail storm occurs when computers start communicating without human intervention. The flurry of junk mail sent by accident is a mail storm. Usage of mailing lists, auto-forwarding emails, automated responses, and the presence of more than one email address are the various causes of a mail storm. Malicious software code is also written to create mail storms, such as the "Melissa" and "I-Love-You" messages. Mail storms hinder communication systems and also make them inoperable.

Types of Wireless Networks (2)

Multiple APs
This type of network connects computers wirelessly by using multiple APs. If a single AP cannot cover an area, multiple APs or extension points can be established. Each AP's wireless area needs to overlap its neighbor's area. This provides users the ability to move around seamlessly using a feature called roaming. Some manufacturers develop extension points that act as wireless relays, extending the range of a single AP. Multiple extension points can be strung together to provide wireless access to locations far from the central AP.
LAN-to-LAN Wireless Network
APs provide wireless connectivity to local computers, and local computers on different networks can be interconnected. All hardware APs have the capability to interconnect with other hardware APs. However, interconnecting LANs over wireless connections is a complex task.
3G/4G Hotspot
A 3G hotspot is a type of wireless network that provides Wi-Fi access to Wi-Fi-enabled devices including MP3 players, notebooks, tablets, cameras, PDAs, netbooks, and more.

POP3 and IMAP Servers

POP3 (Post Office Protocol) Servers
These types of servers handle incoming email. The server contains one text file for each mail account. The POP3 server acts as an intermediary between the email client and the text file, which contains the messages. When a message comes in, the POP3 server attaches that message at the bottom of the recipient's file. The POP3 server needs the account name and the password. When you log in, your client connects with the POP3 server via port 110. The server opens your text file and permits you to access it. It then deletes the messages from the server. The POP3 server can understand simple commands such as:
USER: enter your user ID
PASS: enter your password
QUIT: quit the POP3 server
LIST: list the messages and their size
RETR: retrieve a message, according to a message number
DELE: delete a message, according to a message number
IMAP (Internet Mail Access Protocol) Servers
IMAP servers are similar to POP3 servers. Like POP3, IMAP handles the incoming mail. The email client connects with this server at port 143. IMAP servers allow multiple concurrent client connections to the same mailbox. IMAP enables accessing and fetching MIME message parts, maintaining message state information at the server, creating and manipulating multiple mailboxes on the server, and server-side searches. This protocol keeps your mail on the server after you download from it. You can also arrange your mail into folders and store it on the server.

Portable Hard drives/ USB Flash Drives

Portable Hard drives/ USB Flash Drives
Portable hard drives are considered a better medium for data backup when compared with CD or DVD. They are available in high capacities and may be used in storing even r portable hard drive available contains two or more hard drives. The second drive may be used to copy data stored in the first drive. This is enabled using RAID technology, which allows preserving important data. Here, any change in the data will be automatically reflected in the other drives as well.
Advantages
o High storage capacities along with very high speeds.
Disadvantages
o More expensive than normal CD/DVD. It is less recommended for small backups.

Computer forensic investigation methodology

Preservation
The forensic investigator must preserve the integrity of the original evidence. The original evidence should not be modified or damaged. The forensic examiner must make an image or a copy of the original evidence and then perform the analysis. The examiner must also compare the copy with the original evidence to identify any modifications or damage.
Identification
The first and foremost step that a forensic examiner needs to take before starting with an investigation is to identify the evidence and its location. For example, evidence may be contained in hard disks, removable media, or log files. Every forensic examiner must understand the difference between actual evidence and evidence containers. Locating and identifying information/data is a challenge for the digital forensic investigator. Various examination processes such as keyword search, log file analysis, and system check help in the investigation.
Extraction
The next immediate step after identifying the evidence is to extract data from it. Since volatile data can be lost at any time, the forensic investigator must extract this data from the copy made from the original evidence. This extracted data must be compared with the original evidence and analyzed.
Interpretation
The most important role played by a forensic examiner during investigations is to interpret what he/she has actually found. The analysis and inspection of the evidence must be interpreted lucidly. Documentation relating to the evidence must be maintained from the beginning of the investigation until the end, where the evidence is presented before the court of law. The documentation will comprise the chain of custody form and documents relating to the evidence analysis.

SSL (secure socket layer) channel security

Private channel - All the messages are encrypted after a simple handshake is used to define a secret key.
Authenticated channel - The server endpoint of the conversation is always encrypted, whereas the client endpoint is optionally authenticated.
Reliable channel - Message transfer has an integrity check.

Advantages of firewall

A properly configured firewall can protect the computer from outsiders and also from attackers.
It keeps logs of all authorized as well as unauthorized access.
It protects private LANs from intrusion from the Internet.
It allows network administrators to offer access to specific types of Internet services to individuals in the network.
It might grant privileges according to the needs of the individuals.

Tape drives

Tape Drives
Tape drives are considered the best source of media for data backup. They facilitate data backup at the enterprise level. Tape drives are used for storing programs and data.
Advantages
o Easy to store and transport.
o Requires no user intervention, as tape backup is completely automatic.
Disadvantages
o Very expensive for home users.
o Home computers require hardware and software updates to use tape drives.

Wireless standards part 2

The 802.11a extension defines requirements for a physical layer (which determines, among other parameters, the frequency of the signal and the modulation scheme to be used) operating in the Unlicensed National Information Infrastructure (UNII) band, at 5 GHz, at data rates ranging from 6 Mb/s to 54 Mb/s. The layer uses a scheme called orthogonal frequency-division modulation (OFDM), which transmits data on multiple subcarriers within the communications channel. It is in many ways similar to the physical layer specification for HiperLAN II, the European wireless standard promulgated by the European Telecommunications Standards Institute.
Commercially trademarked in 1999 by the Wireless Ethernet Compatibility Alliance (WECA) as Wi-Fi, this extension made 802.11b a household word. It defines operation in the ISM 2.4 GHz band at 5.5 Mb/s and 11 Mb/s (as well as the fallback rates of 1 Mb/s and 2 Mb/s). This physical layer uses the modulation schemes complementary code keying (CCK) and packet binary convolutional coding (PBCC). WECA is an organization created to certify interoperability among 802.11b products from diverse manufacturers.
This task group's work on wireless LAN bridging has been folded into the 802.11 standard.
This task group enhances the 802.11 specifications by spelling out its operation in new regulatory domains, such as countries in the developing world. In its initial form, the standard covered operation only in North America, Europe, and Japan.

Functioning of Proxy servers

1. The client first requests a web page and recognizes the server that contains the web page.
2. The request for the web page is passed on to the proxy server.
3. The proxy server does not work as a router and forward the packet. It checks the packet against its set of conventions regarding this service and decides whether the request is to be granted or not.
4. Once the proxy has made the decision to allow the request, a new packet is formed with the source IP address of the proxy server. This new packet is the request for the web page from the destination server.
5. The web server receives the request and returns the web page to the requesting host.
6. When the proxy receives the web page, it verifies its rules to see whether this page is to be allowed or not.
7. Once the decision is made to proceed, the proxy makes a new packet with the web page as the payload and sends this to the original client.
This type of service increases the security of the network significantly, as no packets can go straight from the client to the server.

Benefits of data backup

There are many benefits of performing data backup:
Offers access to critical data even in the event of a disaster, hence giving peace of mind in the workplace.
Backup of critical data prevents the organization from losing its business.
Helps them to retrieve data anytime.
Data recovery helps organizations to recover lost data and hence helps in maintaining their business.

Wireless standards part 4

This task group is working on modifications to the 802.11a physical layer to ensure that 802.11a may be used in Europe. The task group is adding dynamic frequency selection and transmission power control, which are required to meet regulations in Europe.
The original version of 802.11 incorporated a MAC-level privacy mechanism called Wired Equivalent Privacy (WEP), which has proven inadequate in many situations. This task group is busy with improved security mechanisms. The present draft includes Temporal Key Integrity Protocol (TKIP) as an improvement over WEP.
802.11a represents the third generation of wireless networking standards and technology. The 802.11i standard improves WLAN security. The encrypted transmission of data between 802.11a and 802.11b WLANs is best described by 802.11i. New encryption key protocols such as Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES) are defined by 802.11i. TKIP is an enhancement for WLANs. The other name for AES in cryptography is Rijndael. The U.S. government adopted AES as the key encryption standard.

Best practices for creating a CSIRT

To report security incidents, a 24/7 hotline should be established.
Stay calm.
Identify the immediate problem.
Identify the critical systems that are affected.
If the incident is still underway, it has to be stopped.
Notify the appropriate people.
Assess the situation before taking any action.
Measure the damage and scope of intrusion.
Identify the people to handle the incident.
Establish classifications of security incidents that require an investigation.
Create a resolution plan for the identified incident.
Document everything.
As per the recognized procedures, all the evidence relating to computer security incidents should be collected and documented.
In accordance with the established procedures, let the chain of custody for all the evidence be maintained.
Alert the users of the correct procedures to ensure the protection of evidence.
Analyze the evidence to confirm the occurrence of the incident.
All the evidence should be reported to management after examining it.
Preserve evidence from the incident.
Identify and mitigate all vulnerabilities.
Wipe out all effects of the incident.
Prevent reoccurrence of the incident.
Review the causes and resolution.
Confirm that the operations have been restored to the normal mode.
Create a final report for all the stakeholders.
Alert the users about all the safety measures that contain a security incident.
The responses to similar incidents or affected technology should be synchronized.
Updates to the company's security policy should be made, if necessary.
Provide the appropriate information to the proper criminal and legal authorities.

Types of SAN (storage area network)

Types of SAN
1. Virtual Storage Area Network (VSAN): VSAN, designed by Cisco, is a logical partitioning within the physical storage area network. VSAN allows the allocation of some or all of the storage network to logical SANs. VSAN is mainly used in cloud computing and virtualization environments. It can be used to build virtual storage. The working of VSAN is similar to a traditional SAN; since it is a virtualized environment, the addition or relocation of end users can take place without affecting or changing the physical layout of the network. Implementation of VSAN enhances the security of the entire network.
2. Unified SAN: Unified SAN is also known as network unified storage or multiprotocol storage. It allows applications and files to perform actions through a single device. It handles data storage and block-based input/output operations. It merges file- and block-based access in a single storage network. Unified SAN is cost effective, as it saves the expense of hardware requirements. Storing the combined modes in a single device, unified SAN is easily manageable. However, it is advisable to deploy critical applications on block-based storage systems.
3. Converged SAN: A converged SAN uses a common network arrangement for network and SAN traffic. This reduces the cost and complexity of the SAN technology. Converged SANs depend on 10 Gigabit Ethernet and network ports.

Authorization

"the process of permitting or refuting entrée to network resources". Access to network resources is based on a two-step process. The first step is authentication, where it is verified whether a user is authorized or not based on the username and password. The second step is authorization, where access to various resources is provided if the user is authorized.

Non-transparent proxy

A non-transparent proxy is a proxy that modifies the request or response.
The non-transparent proxy deployment is a deployment in which the client is made aware of the proxy's existence.
The entire requested URL is sent to the proxy, including the host name.
It provides added services to the user agent:
Group Annotation Services
Media Type Transformation
Protocol Reduction
Anonymity Filtering

Auditing Bastion Host

1. Auditing the host for the very first time creates a benchmark or baseline for performance measurement.
2. Tools like IPSentry can be used to monitor the network performance and send alerts in case of trouble.
3. Every time an audit is performed on the bastion host, compare the results with the baseline performance to ensure the functionality.
4. Comparing the results can reveal:
How skilfully the hosts handle the attacks
How adeptly bastion hosts secure the internal LAN from the attack

Increasing awareness of digital evidence

1. Businesses are facing the need for gathering evidence on their networks in reply to computer crime.
2. Many organizations are taking into account the legal remedies when attackers target their network and focus on gathering the digital evidence in a way that will hold up in court.
3. Government organizations are also paying attention to using digital evidence to identify terrorists' activities and prevent future attacks.
4. As a result, there is a greater expectation that computer forensic investigators have complete knowledge of handling digital evidence.

Hardware requirements for Bastion Host

1. Choose a base machine and moderate peripherals, so that they support the functioning of the bastion host.
2. A bastion host does not require much CPU processing power.
3. A system with less graphics capability can serve as a bastion host.
4. A DVD-ROM will be useful for installing the operating system or other programs.
5. The bastion host should be configured with its own tape backup device for regular backups.
6. The functions performed by a bastion host are memory intensive. Thus a large amount of memory and free disk space is required.

Importance of Logs in Forensics

1. Logs help to capture evidence on a system or a network.
2. They can help in event reconstruction, as they are time stamped.
3. Logs are often introduced in courts to corroborate criminal activity.
4. Logs can help to identify the nature of attacks on a system.
5. They can help to establish the identity and intent of the perpetrator.

Maintaining the IDS

1. Maintenance of the IDS includes monitoring it regularly.
2. Policies must be in place for the IT staff to react quickly in case of intrusions or alerts.
3. Software updates must be installed regularly to keep the IDS current.
4. The required personnel must be trained to operate and maintain the IDS.
5. A properly maintained IDS gives warnings about impending attacks and also reports whether other network devices, such as firewalls, are secure.

Need for bastion host

1. Minimize the chances of penetration by intruders and attackers.
2. Avoid the vulnerability of transferring customer data through public FTP servers.
3. In case of an attack, the bastion host acts as a scapegoat.
4. Bastion hosts provide an additional level of security.

Types of IDSs

1. Network-Based Intrusion Detection: These mechanisms typically consist of a black box that is placed on the network in promiscuous mode, listening for patterns indicative of an intrusion.
2. Host-Based Intrusion Detection: These mechanisms usually include auditing for events that occur on a specific host. They are not as common, due to the overhead they incur by having to monitor each system event.
3. Log File Monitoring: These mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts.
4. File Integrity Checking: These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there; Tripwire is an example.

SSID (Service Set Identifier)

1. The SSID is a token that identifies an 802.11 (Wi-Fi) network; by default it is part of the frame header sent over a wireless local area network (WLAN).
2. It acts as a single shared identifier between the access points and clients.
3. Access points continuously broadcast the SSID, if enabled, so that client machines can identify the presence of the wireless network.
4. The SSID is a human-readable text string with a maximum length of 32 bytes.
5. If the SSID of the network is changed, reconfiguration of the SSID on every host is required, as every user of the network configures the SSID into their system.
6. A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "any".
7. Security concerns arise when the default values are not changed, as these units can be compromised.
8. The SSID remains secret only on closed networks with no activity, which is inconvenient for legitimate users.

Role of firewalls in network security

1. Single point of contact: The firewall acts as the single point of contact between the networks, which means all data traffic must flow through that single point.
2. Controlled traffic: The firewall controls the data traffic by allowing Internet access only to users who are authenticated by a valid user name and password.
3. Logged traffic: The data that passes through the firewall gets logged.

Types of Bastion host: Internal bastion host

1. Internal bastion hosts reside inside the internal network of an organization.
2. They can be single-homed or multi-homed.
3. The internal network devices communicate with the internal bastion host.

Bypass Blocked Sites Using IP Address in place of URL

1. This method involves typing the IP address directly into the browser's address bar instead of typing the blocked website's domain name.
2. For example, to access Orkut, type its IP address instead of typing the domain name.
3. Use services such as Host2ip to find the IP address of the blocked website.
4. This method fails if the blocking software tracks the IP address sent to the web server.

Need for identification, authentication, authorization

1. To control access to a system or application.
2. To bind some sensitive data to an individual, such as for encryption.
3. To establish trust between multiple parties in order to form some interaction with them.
4. To assure that a piece of information is genuine.
5. Authentication provides an additional level of security.
6. It ensures that resources are not easily misused through unauthorized access.
7. To control or monitor user access to the system or application.

Why Investigate Network Traffic?

1. To know who is generating the troublesome traffic, and where the traffic is being transmitted to or received from.
2. To locate suspicious network traffic.
3. To identify network problems.

IDS for an organization

1. Organizational sectors today, from government to business, are reliant on networks, and their very existence depends on secure computer practices.
2. Many organizations depend on IDSs to check if their networks or resources have been compromised.
3. The IDS has become a key element in the enterprise-wide security layer, which helps in real-time detection to avoid compromise and damage to the networks.

Forensic laws

18 USC §1029 - Fraud and related activity in connection with access devices
18 USC §1030 - Fraud and related activity in connection with computers
18 USC §1361-2 - Prohibits malicious mischief
Rule 402 - Relevant evidence generally admissible; irrelevant evidence inadmissible
Rule 901 - Requirement of authentication or identification
Rule 608 - Evidence of character and conduct of witness
Rule 609 - Impeachment by evidence of conviction of crime
Rule 502 - Attorney-client privilege and work product; limitations on waiver

VPN (Virtual Private Network)

A VPN is a network that provides secure access to a network through the Internet. It is used for connecting wide area networks (WANs) and allows computers of one network to connect to computers on another network. It employs encryption and integrity protection, which lets you use a public network as if it were a private network. A VPN performs encryption and decryption outside the packet-filtering perimeter to allow the inspection of packets coming from other sites. A VPN encapsulates packets sent over the Internet. A VPN is an attempt to combine the advantages of both public and private networks. VPNs have no relation to firewall technology, but firewalls are a convenient place to add VPN features, as they help in providing secure remote services. All virtual private networks that run over the Internet employ these principles:
Encrypt the traffic
Add integrity protection
Encapsulate the traffic into new packets, which are sent across the Internet to something that reverses the encapsulation
Check the integrity
Finally, decrypt the traffic

WMAN (Wireless Metropolitan Area Network)

A WMAN is a wireless communication network that covers a metropolitan area. It connects multiple WLANs over a range of 50 km. It offers broadband network access via exterior antennas. It normally uses wireless infrastructure or optical fiber connections to link its sites.

Wireless network

A Wireless LAN is one in which a mobile user can connect to a local area network (LAN) through a wireless (radio) connection. A standard, IEEE 802.11, specifies the technologies for wireless LANs. The standard includes an encryption method, the Wired Equivalent Privacy algorithm. It offers a feasible way to provide data connectivity to an existing building where wiring may not be practical due to construction design, location, or the expense involved. Apart from offering mobility and freedom from location restraints, WLANs are gaining popularity due to their ease of use. Typical problems associated with the physical aspects of wired LAN connections do not arise frequently with a wireless network. Nevertheless, WLANs do raise the issue of security due to certain inherent features, such as radio waves being easier to intercept than physical wires. A user authentication and data encryption system known as Wired Equivalent Privacy (WEP) is used, but by itself it falls short of providing adequate security. Another point to bear in mind is that each access point in a Wi-Fi network shares a fixed amount of bandwidth amongst all the users who are currently connected to it on a first-come, first-served basis. Since one of the major benefits of wireless networking is user mobility, an important issue to consider is whether users can move seamlessly between access points without having to log in again and restart their applications. Seamless roaming is only possible if the access points have a way of exchanging information as a user's connection is handed off from one to another.

Bastion Host

A bastion host is a computer that is completely exposed to attacks. It has a server with an interface on the Internet that is configured to offer a wide range of services. The computer is in the demilitarized zone (DMZ), i.e. on the public side, not secured by a firewall or router. These are roles usually vital to the computer's network system. Firewalls and routers can be regarded as bastion hosts. As these components are exposed to a great deal of risk, enormous effort is required in designing and configuring bastion hosts to minimize the probability of attacks. Various other types of bastion hosts are web, mail, DNS, and FTP servers. A few system administrators intentionally expose a sacrificial lamb as a bastion host; these systems are deliberately exposed to attackers to delay them and make it possible to track attempted break-ins into the system. Its various purposes are:
It is used for packet filtering.
It provides proxy services.

Cache, Cookie, and History Analysis: Google Chrome

A cache is a place to store something temporarily. The files a user automatically requests by looking at a web page are stored on the hard disk in a cache subdirectory under the browser directory. When the user returns to a page he or she recently looked at, the browser can get it from the cache quickly instead of going to the original server, saving time and the network burden of additional traffic. A cookie is information that a website puts on the user's hard disk so that it can remember something about the user at a later time. Typically, a cookie records user preferences when using a particular site. Each request for a web page is treated as independent of all other requests when Hypertext Transfer Protocol (HTTP) is used. Because of this, the web page server does not maintain a history of pages previously sent to a user or anything about the user's previous visits, as it has no memory to do so. The following are the directories to view for cache, cookie, and history analysis in Google Chrome:
History, Downloads and Cookies location: C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default
Cache location: C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default\Cache

Circuit-level gateway firewall

A circuit-level gateway firewall works at the session layer of the OSI model or TCP layer of TCP/IP. It forwards data between networks without verifying it, and blocks incoming packets into the host, but allows the traffic to pass through itself. Information passed to remote computers through a circuit-level gateway will appear to have originated from the gateway, as the incoming traffic carries the IP address of the proxy (circuit-level gateway). A circuit-level gateway gives controlled access between network services and host requests. For detecting whether or not a requested session is valid, it checks TCP handshaking between packets. Circuit-level gateways do not filter individual packets. They are relatively inexpensive and hide the information about the private network that they protect.

Evidence Gathering via Sniffing

A computer connected to the LAN has two addresses. The first is the MAC address, which is stored in the network card and uniquely identifies every node in a network. It is used by the Ethernet protocol to transfer data from a system while building frames. The other address, the IP address, is used by applications. At the Data-link layer, the MAC address is used for addressing instead of the IP address. The MAC address is mapped to the respective IP address at the Network layer. The Data-link layer looks for the MAC address of the destination machine in a table, which is commonly known as the ARP cache. If no entry for the IP address is found, an ARP broadcast goes out to all machines on the network to find the machine with the right IP address, which responds to the source machine with its MAC address. The ARP cache of the source machine adds the MAC address of the destination machine, and further communication is done with this MAC address.

digital signature

A digital signature is a cryptographic means of authentication. Public key cryptography, which uses an asymmetric key algorithm, is used for creating the digital signature. The two types of keys in public key cryptography are the private key (which is known only to the signer and used to create the digital signature) and the public key (which is more widely known and is used by a relying party to verify the digital signature). A "hash function" is a process, or an algorithm, which is used in creating and verifying a digital signature. This algorithm creates a digital representation of a message, which is also known as a "fingerprint". This fingerprint is a "hash value" of a standard length, which is much smaller than the message but is unique to it. If any change is made to the message, it will automatically produce a different hash result; it is not possible to derive the original message from the hash value in the case of a secure hash function, which is also known as a "one-way hash function".

Exploring Microsoft File Structures

A file system can be chosen as per the storage needs of the organization and the type of operating system used. The various file systems that are in use are:
File Allocation Table (FAT)
New Technology File System (NTFS)
Encrypting File System (EFS)
High Performance File System (HPFS)
Windows supports two types of file systems on CD-ROM and Digital Versatile Disk (DVD):
Compact Disc File System (CDFS)
Universal Disk Format (UDF)

FILESYSTEM TYPES

A file system can be defined as the structure a computer uses to organize data on media such as hard disks, CDs, DVDs, and many other storage devices. It can also be thought of as an index or database that contains the physical location of every piece of data on a hard drive or storage device. The following are the different types of file systems:
Disk File Systems: A disk file system is a technique designed for storing and recovering files on a storage device, usually a hard disk, which is directly or indirectly connected to the computer. A few examples of disk file systems are FAT, NTFS, ext2, ISO 9660, ODS-5, and UDF.
Network File Systems: A network file system is a type of file system that is created to access the files on other computers that are connected by a network. The file systems are transparent to the user. A few examples of network file systems are NFS, CIFS, and GFS.
Database File Systems: A new method of storing data on the computer has been introduced for effective management of the file system; this method is the database file system. Earlier file systems used hierarchically structured management, but in the database file system files are identified by their characteristics, such as author or similar metadata. Therefore, a file can be searched for by formulating an SQL query or in natural speech. For example, if the documents written by ABC are to be searched for, then the query "documents written by ABC" will show the results.
Flash File Systems: This system is designed to store files or data in flash memory devices. In today's world these file systems are becoming prevalent with the increasing number of mobile devices. With these file systems, the cost per memory size decreases, and the capacity of flash memory increases.
Tape File Systems: These are designed to store files on tape in a self-describing form. Magnetic tapes work as sequential storage media with significantly longer random data access times than disks, posing challenges to the creation of a general-purpose file system with efficient management. Tape drives require a linear motion to unwind and wind potentially very long reels of media. This might take several seconds or minutes to move the read/write head.
Shared Disk File Systems: A shared disk file system works on the principle of accessing an external disk subsystem (SAN) through a number of servers. The file system arbitrates access to that subsystem to prevent write collisions.
Special Purpose File Systems: A special-purpose file system is a file system where the files are organized at run time by software and intended for uses such as communication between computer processes or temporary file space. These systems are used by file-centric operating systems such as UNIX. Any file system that is not a disk file system or network file system is considered to be a special-purpose file system. Examples such as '/proc' in UNIX can be used to get information regarding processes and other operating system features.

Firewalls

A firewall is a program or hardware device. According to Search Security, a firewall is a set of related programs located at the network gateway server that protects the resources of a private network from users on other networks. Firewall software is a basic requirement for anyone who is using the Internet to prevent hacking, viruses, and other security risks. It is a hardware/software solution that is placed between two networks, ensuring controlled and secured access between the networks. Firewalls are a set of tools that monitor the flow of traffic between networks. A firewall placed at the network level filters all network packets to determine whether or not to forward them towards their destination. A firewall is often installed away from the rest of the network so that no incoming request can get directly to a private network resource. If configured properly, systems on one side of the firewall are protected from systems on the other side of the firewall. Firewall software comes in a number of forms, offering a variety of features, protection capabilities, scalability, and cost.

Honeypot

A honeypot is a system that is intended to attract and trap people who attempt unauthorized or illicit use of the host system. Whenever there is any interaction with a honeypot, it is most likely malicious activity. Honeypots are unique; they do not solve a specific problem. Instead, they are a highly flexible tool with many different security applications. Some honeypots can be used to help prevent attacks; others can be used to detect attacks; while a few honeypots can be used for information gathering and research. Examples:
Installing a system on the network with no particular purpose other than to log all attempted access.
Installing an older unpatched operating system on a network. For example, the default installation of WinNT 4 with IIS 4 can be hacked using several different techniques. A standard intrusion detection system can then be used to log hacks directed against the system and further track what the intruder attempts to do with the system once it is compromised.
Installing special software designed for this purpose. It has the advantage of making it look like the intruder is successful without really allowing him/her access to the network.
Any existing system can be "honeypot-ized." For example, on WinNT, it is possible to rename the default administrator account and then create a dummy account called "administrator" with no password. WinNT allows extensive logging of a person's activities, so this honeypot tracks users who are attempting to gain administrator access and exploit that access.

Smurf Attack (DoS)

A smurf attack is a form of DDoS attack that floods the victim with packets by exploiting/abusing the ICMP protocol. When deployed, large packets are created using a technique called "spoofing". The phony source address that is attached to these packets becomes the victim, as its IP is flooded with traffic. The intended result is to slow down the target's system to the point that it is inoperable and vulnerable. The Smurf DDoS attack took its name from an exploit tool called Smurf widely used back in the 1990s. The small ICMP packet generated by the tool causes big trouble for a victim, hence the name Smurf. Smurf attacks originate from the attacker's computer. To begin, they target a router that interacts with a high number of devices. The attacker then deploys large ICMP requests to the router, causing the connected devices to respond to the ping. The spoofed IP address that is attached to these packets is forced to absorb the echoes that result from the connected devices responding to the ping. Essentially, any device connected to this router that is configured to respond to the ping will be unable to recognize the spoofed IP address. As a result, the original request is amplified, and the victim's server will be crippled.

Trojan Horse

According to Greek mythology, the Greeks won the Trojan War by entering the fortified city of Troy hidden in a huge, hollow wooden horse. The Greeks built a huge wooden horse for their soldiers to hide in and left the horse in front of the gates of Troy. The Trojans thought it to be a gift from the Greeks, who had withdrawn from the war, and so they transported the horse into their city. At night, the Spartan soldiers broke out of the wooden horse and opened the gates for their soldiers, who eventually destroyed the city of Troy. The term Trojan is coined as a "malicious, security-breaking program that is disguised as something nonthreatening." A computer Trojan horse is used to enter a target computer undetected, allowing the attacker unrestricted access to the data stored on that computer and causing immense damage to the victim. For example, a user downloads what appears to be a movie or a music file, but when he or she runs it, it unleashes a dangerous program that may erase the unsuspecting user's disk, or send his or her credit card numbers and passwords to a stranger. A Trojan can also be included in a legitimate program, which means that this program may have hidden functionality that the user is unaware of. In another scenario, a victim may be used as an intermediary to attack others, without his or her knowledge. Attackers can use the victim's computer to launch criminal DoS attacks such as those that disrupted the DALnet IRC network for months on end. (DALnet is an Internet relay chat [IRC] network, which is a form of instant communication over the network.) Trojan horses work at the same level of privilege that the victim user has. If the victim has the privileges, a Trojan can delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege-elevation attacks).
The Trojan horse can attempt to exploit a vulnerability to increase its level of access beyond that of the user running the Trojan horse. If a Trojan horse is successful, it will operate with increased privileges and might install other malicious code on the victim's machine. It may affect the other systems on the network by compromising any one system on the network. Authentication credentials such as passwords transmitted by the systems in clear text or in a trivially encrypted form are particularly vulnerable over shared networks. If such a system on the network is compromised, the interloper may be able to record sensitive information such as user names, passwords, etc. In addition to this, a Trojan may wrongly implicate a remote system by spoofing it as the source of an attack, causing the remote system to incur liability.

Tunneling

According to Webopedia.com, Tunneling is: "A technology that enables one network to send its data via another network's connection. Tunneling works by encapsulating a network protocol within packets carried by the second network. For example, Microsoft's PPTP technology enables organizations to use the Internet to transmit data across a VPN. It does this by embedding its own network protocol within the TCP/IP packets carried by the Internet. Tunneling is also called encapsulation."
Tunneling Process: VPN technology is structured on the basis of tunneling. It consists of setting up and maintaining a logical network connection. The packets built in a particular VPN protocol format are encapsulated inside another base or carrier protocol. They are then transmitted between the VPN client and the server and finally de-encapsulated on the receiving side. In the case of Internet-based VPNs, packets in one of the numerous VPN protocols are encapsulated within IP packets. VPN protocols provide authentication and encryption to maintain the security of the tunnels.

Forensics Science

According to the Handbook of Forensic Pathology by the College of American Pathologists, forensic science is defined as, "Application of physical sciences to law in the search for truth in civil, criminal, and social behavioral matters to the end that injustice shall not be done to any member of the society." The main aim of any forensic investigation is to determine the importance of evidence at the crime scene and related evidence associated with it. Forensic scientists play a major role in forensic investigation by properly analyzing the physical evidence, providing expert testimony/proof in court, and training for the proper recognition, collection, and preservation of physical evidence.

Signs of an incident

Accurately detecting and assessing incidents is the most challenging and essential part of the incident response process. Typical indications of security incidents include:
1. Suspicious entries in system or network accounting, or other accounting inconsistencies.
2. Unauthorized operation of a program or sniffer device to capture network traffic.
3. System crashes or poor system performance.
4. A system alarm or similar indication from an intrusion-detection system.
5. Attempts to log on to a new user account.
6. A DoS attack, or users not able to log into an account.

AES (Advanced Encryption Standard)

The Advanced Encryption Standard is also called Rijndael; it is a block cipher which is used as an encryption standard by the US government. The predecessor of AES is the Data Encryption Standard. It is the first choice for all information that requires superior data security, flexible variable keys, and different data block sizes. It is implemented in hardware and/or software to secure digital information (data, voice, video, and images) from attacks, impersonation, or electronic eavesdropping.

advantages and disadvantages of Application Proxy

Advantages:
Proxy services can be good at logging because they understand application protocols and so can log effectively.
Proxy services reduce the load on network links, as they are capable of caching copies of frequently requested data and allowing it to be loaded directly from the proxy system instead of over the network.
Proxy systems perform user-level authentication, as they are involved in the connection.
Proxy systems automatically provide protection for weak or faulty IP implementations, as they sit between the client and the Internet and generate new IP packets for the client.
Disadvantages:
Proxy services lag behind non-proxy services until suitable proxy software is available.
Each service in a proxy may require a different server.
Proxy services may require changes in the client, applications, and procedures.

VPN (Virtual Private Network) pros and cons

Advantages: VPNs provide some security advantages, such as:
A VPN hides all the traffic that flows over it, ensures encryption, and protects the data from snooping.
It provides remote access for protocols without letting people attack from the Internet at large.
Disadvantages: As the VPN runs on a public network, the user will be vulnerable to an attack on the destination network.

Certificate-Based Authentication

Among certificate-based authentication and the previously discussed authentication mechanisms, this is the strongest method of them all. Certificate-based authentication uses public key cryptography and a digital certificate to authenticate users. Public key cryptography is the most common method on the Internet for authenticating a message sender or encrypting a message. X.509 is the widely-used standard for digital certificates. Digital certificates are used extensively. Some examples of how they are used for authentication include:
Email: Digital certificates that are used to digitally sign email messages enhance confidentiality and security through their built-in encryption mechanism.
Network Security: Smart cards and other technologies that use digital certificates are deployed by enterprises as a security mechanism to protect their corporate network.

Features of Snort IDS

Its features include the ability to:
Detect and alert, based on pattern matching, for threats including buffer overflows, stealth port scans, CGI attacks, SMB probes, NetBIOS queries, NMAP and other port scanners, well-known backdoors and system vulnerabilities, DDoS clients, etc.
Develop new rules quickly once the pattern (attack signature) for the vulnerability is known.
Record packets in human-readable form from the offending IP address in a hierarchical directory structure.
Be used on an existing workstation to monitor a home DSL connection, or on a dedicated server to monitor a corporate website.

Evading IDS: Evasion

An "evasion" attack occurs when the IDS discards packets while the host that has to get the packets accepts them. Evasion attacks are devastating to the accuracy of the IDS. An evasion attack at the IP layer allows an attacker to attempt arbitrary attacks against hosts on a network without the IDS ever realizing it. The attacker sends portions of the request in packets that the IDS mistakenly rejects, allowing the removal of parts of the stream from the IDS's view. For example, if the attacker sends a malicious sequence byte by byte, and the IDS rejects only one byte, it cannot detect the attack. Here, the IDS gets fewer packets than the destination. One example of an evasion attack occurs when an attacker opens a TCP connection with a data packet. Before any TCP connection can be used, it must be "opened" with a handshake between the two endpoints of the connection. An important fact about TCP is that the handshake packets can themselves bear data. An IDS that does not accept the data in these packets is vulnerable to an evasion attack.

Evading IDS: Insertion attack

An IDS blindly believes and accepts a packet that an end system rejects. An attacker exploits this condition and inserts data into the IDS. This attack occurs when the NIDS is less strict than the end system in processing packets. The attacker obscures the attack with extra traffic, and the IDS concludes the traffic is harmless. Hence, the IDS gets more packets than the destination. An attacker sends one-character packets to the target system via the IDS with varying TTLs, such that some packets reach the IDS but not the target system. This results in the IDS and the target system having two different character strings.

SSL handshake protocol flow

An SSL session carries out the SSL handshake protocol to organize the state of the server and the client, thus ensuring the consistency of the protocol. SSL Handshake Protocol Flow The SSL handshake protocol works on top of the SSL record layer. The steps of the handshake protocol are as follows: 1. The client sends a hello message to the server, which the server must answer with its own hello message or the connection fails with a fatal error. The attributes established by the client and server hello messages are the protocol version, session ID, cipher suite, and compression method. 2. After the hello exchange, the server sends its certificate to the client for authentication. In addition, the server might send a server key exchange message. If the server is to authenticate the client, it may request the client's certificate (if appropriate to the cipher suite selected). 3. The server sends a "server hello done" message to indicate that its part of the hello phase is complete, and waits for the client's response. 4. If the client received a certificate request message, it must respond with a certificate message or a "no certificate" alert. The client then sends the client key exchange message; its content depends on the public-key algorithm selected between the client hello and the server hello. If the client's certificate has signing capability, the client also sends a digitally signed "certificate verify" message. 5. The client sends a change cipher spec message and copies the pending cipher spec into the current cipher spec. The client then immediately sends a finished message under the new algorithm, keys, and secrets. 6. In response, the server sends its own change cipher spec message, transfers the pending cipher spec into the current cipher spec, and sends its finished message under the new cipher spec.
At this point the handshake is complete, and the client and server begin exchanging application-layer data.
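The flow above, as an added toy model written for this card rather than code from any TLS library: both endpoints are simulated, the key exchange is ephemeral Diffie-Hellman over a deliberately tiny (insecure) group, the "pending" versus "current" cipher spec switch is explicit, and each finished message is a MAC over that peer's own view of the handshake transcript. Certificate signatures are not modelled, and the group parameters, message encodings and key-derivation function are simplified assumptions. The `downgrade` flag shows why the finished message covers the transcript: an on-path attacker who strips the strong cipher suite from the client hello changes what the server saw, so the finished messages disagree and the handshake aborts.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: a 61-bit Mersenne prime and generator 3.  These are
# illustration-only assumptions with no security; real TLS uses standardised
# finite-field groups or elliptic curves.
P, G = (1 << 61) - 1, 3
SERVER_SUITES = ["DHE-AES256-SHA256", "DHE-AES128-SHA256"]   # server's preference order


def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    """Simplified stand-in for the TLS PRF: HMAC-SHA256(secret, label || seed)."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


def transcript_hash(messages) -> bytes:
    """Hash of every handshake message this peer sent or received, in order."""
    h = hashlib.sha256()
    for name, body in messages:
        h.update(name.encode() + b"\x00" + body)
    return h.digest()


class Peer:
    def __init__(self):
        self.random = secrets.token_bytes(32)
        self.transcript = []               # handshake messages as this peer saw them
        self.pending_cipher_spec = None    # negotiated, not yet used by the record layer
        self.current_cipher_spec = "NULL"  # the record layer starts out unprotected
        self.dh_priv = secrets.randbelow(P - 2) + 1
        self.dh_pub = pow(G, self.dh_priv, P)
        self.master_secret = None

    def change_cipher_spec(self):
        """ChangeCipherSpec: copy the pending cipher spec into the current one."""
        self.current_cipher_spec = self.pending_cipher_spec


def send(sender, receiver, name, body, tamper=None):
    """Deliver one handshake message.  `tamper` models an on-path attacker altering
    what the receiver sees; the sender still records what it actually sent."""
    sender.transcript.append((name, body))
    seen = tamper(body) if tamper else body
    receiver.transcript.append((name, seen))
    return seen


def handshake(client_suites, downgrade=False):
    client, server = Peer(), Peer()

    # 1. ClientHello / ServerHello: version, randoms and cipher suite negotiation
    hello = b"TLS1.2|" + client.random.hex().encode() + b"|" + ",".join(client_suites).encode()
    strip_strong = (lambda b: b.replace(b"DHE-AES256-SHA256", b"")) if downgrade else None
    seen = send(client, server, "ClientHello", hello, strip_strong)
    offered = seen.split(b"|")[2].decode().split(",")
    chosen = next((s for s in SERVER_SUITES if s in offered), None)
    if chosen is None:
        raise ValueError("fatal alert: no cipher suite in common")
    server.pending_cipher_spec = chosen
    send(server, client, "ServerHello", b"TLS1.2|" + server.random.hex().encode() + b"|" + chosen.encode())
    client.pending_cipher_spec = chosen

    # 2-3. Certificate (its signature is not modelled), ServerKeyExchange, ServerHelloDone
    send(server, client, "Certificate", b"CN=server.example (toy, unsigned)")
    send(server, client, "ServerKeyExchange", server.dh_pub.to_bytes(8, "big"))
    send(server, client, "ServerHelloDone", b"")

    # 4. ClientKeyExchange; both sides now derive the same premaster and master secret
    send(client, server, "ClientKeyExchange", client.dh_pub.to_bytes(8, "big"))
    randoms = client.random + server.random
    for me, peer_pub in ((client, server.dh_pub), (server, client.dh_pub)):
        premaster = pow(peer_pub, me.dh_priv, P).to_bytes(8, "big")
        me.master_secret = prf(premaster, b"master secret", randoms)

    # 5. Client ChangeCipherSpec, then Finished = PRF over ITS view of the transcript;
    #    the server recomputes the value from its own transcript before accepting it
    client.change_cipher_spec()
    client_fin = prf(client.master_secret, b"client finished", transcript_hash(client.transcript))
    expected = prf(server.master_secret, b"client finished", transcript_hash(server.transcript))
    send(client, server, "Finished", client_fin)
    if not hmac.compare_digest(client_fin, expected):
        raise ValueError("fatal alert: client Finished does not match the server's transcript")

    # 6. Server ChangeCipherSpec and Finished, checked by the client the same way
    server.change_cipher_spec()
    server_fin = prf(server.master_secret, b"server finished", transcript_hash(server.transcript))
    expected = prf(client.master_secret, b"server finished", transcript_hash(client.transcript))
    send(server, client, "Finished", server_fin)
    if not hmac.compare_digest(server_fin, expected):
        raise ValueError("fatal alert: server Finished does not match the client's transcript")

    return {"cipher_suite": chosen, "keys_agree": client.master_secret == server.master_secret,
            "client_record_layer": client.current_cipher_spec,
            "server_record_layer": server.current_cipher_spec}
```

`handshake(["DHE-AES256-SHA256", "DHE-AES128-SHA256"])` completes with the stronger suite active on both record layers; the same call with `downgrade=True` raises at step 5 even though both sides derived the same keys, because the transcripts differ.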

Application Proxy

An application-level proxy works as a proxy server: a server that acts as an interface between the user's workstation and the Internet. It works together with the gateway server and separates the enterprise network from the Internet. It receives a request for an Internet service from a user and responds to that request on the user's behalf. A proxy service is an application or program that forwards user requests (for example, FTP or Telnet) to the actual services. Proxies are also called application-level gateways, because they terminate and re-create the connections and act as a gateway to the services. Proxies run on a firewall host, either a dual-homed host or some other bastion host, for security purposes. Some proxies, called caching proxies, run for the sake of network efficiency: they keep copies of the data requested by the hosts they proxy for and can serve that data directly when multiple hosts request the same content. Caching proxies reduce the load on network connections; proxy servers can provide both security and caching. The proxy service sits between the user on the internal network and the service on the outside network (the Internet) and is transparent: instead of communicating directly, the user and the external service each talk to the proxy, which handles all the communication between them. Transparency is the advantage of proxy services. To the user, the proxy server presents the illusion of dealing directly with the real server, and to the real server it presents the illusion of dealing directly with the user.

Email Clients

An email client is a computer program for reading, sending, and organizing email; it is also known as a mail user agent (MUA). There are standalone and web-based email clients: Standalone: Microsoft Outlook and Thunderbird. Web-based: Gmail and Yahoo! Mail. An email client has the following functions: It displays all the messages in your inbox; the message header shows the date, time, subject, sender, and size of each message. You can select a message and read its contents. You can create and send emails to others. You can attach files to a message you send, and save the attachments you receive from others.

Characteristics of Digital Evidence

Believable: evidence must be clear and understandable to the judge and jury. Admissible: evidence must be obtainable and usable in court and related to the fact being proved. Authentic: evidence must be genuine and properly linked to the incident. Complete: evidence must cover the attacker's actions fully, whether it proves guilt or innocence. Reliable: there must be no doubt about the authenticity or veracity of the evidence.

Scope and limitations of Ethical Hacking

An ethical hacker should be aware of the legal penalties for unauthorized access to a system. No ethical hacking activity associated with a network penetration test or security audit should begin until a signed legal document giving the ethical hacker express permission to perform the hacking activities has been received from the target organization. Ethical hackers need to be judicious with their hacking skills and recognize the consequences of misusing them. Security experts broadly categorize computer crimes into two categories: crimes facilitated by a computer and those in which the computer is the target. Ethical hacking is a structured and organized security assessment, usually carried out as part of a penetration test or security audit. Ethical hackers determine the scope of the security assessment according to the client's security concerns. Many ethical hackers are members of a "tiger team," which works together to perform a full-scale test covering all aspects of the network as well as physical and system intrusion. The ethical hacker must follow certain rules to fulfill these ethical and moral obligations. An ethical hacker must do the following: Gain authorization from the client and have a signed contract giving the tester permission to perform the test. Maintain and follow a nondisclosure agreement (NDA) with the client covering confidential information disclosed during the test. Maintain confidentiality when performing the test: the information gathered may be sensitive, and the ethical hacker must not disclose information about the test or confidential company data to a third party. Perform the test up to, but not beyond, the agreed-upon limits. For example, ethical hackers should perform DoS attacks only if they have previously been agreed upon with the client, because loss of revenue, goodwill, and worse could befall an organization whose servers or applications become unavailable to customers as a result of the testing.
The following steps provide a framework for performing a security audit of an organization, which will help in ensuring that the test is organized, efficient, and ethical: Talk to the client, and discuss the needs to be addressed during the testing. Prepare and sign NDA documents with the client. Organize an ethical hacking team, and prepare a schedule for testing. Conduct the test. Analyze the results of the testing, and prepare a report. Present the report findings to the client.

What do Ethical Hackers do?

An ethical hacker's evaluation of a client's information system security seeks answers to three basic questions: 1. What can an attacker see on the target system? Normal security checks by system administrators will often overlook several vulnerabilities. An ethical hacker will have to think about what an attacker would see during the reconnaissance and scanning phases of an attack. 2. What can an intruder do with that information? The ethical hacker needs to discern the intent and purpose behind the attacks to determine appropriate countermeasures. During the gaining-access and maintaining-access phases of an attack, the ethical hacker needs to be one step ahead of the hacker in order to provide adequate protection. 3. Are the attackers' attempts being noticed on the target systems? Sometimes attackers will try for days, weeks, or even months to breach a system. Other times attackers will gain access, but will wait before doing anything damaging, instead taking their time in assessing the potential use of exposed information. During these periods, the ethical hacker should notice and stop the attack. After carrying out attacks, hackers may clear their tracks by modifying log files and creating backdoors, or by deploying Trojans. Ethical hackers need to investigate whether such activities have been recorded and what preventive measures have been taken. This not only provides them with an assessment of the attacker's proficiency, but also gives them insight into the existing security measures of the system being evaluated. The entire process of ethical hacking and subsequent patching of discovered vulnerabilities depends on questions such as: What is the organization trying to protect? Against whom or what are they trying to protect it? How much time, effort, and money is the client willing to invest to gain adequate protection? 
Sometimes, in order to save on resources or prevent further discovery, the client might decide to end the evaluation after the first vulnerability is found; therefore, it is important that the ethical hacker and the client work out a suitable framework for investigation beforehand. The client must be convinced of the importance of these security exercises through concise descriptions of what is happening and what is at stake. The ethical hacker must also remember to convey to the client that it is never possible to guard systems completely, but they can always be improved.

IDS (Intrusion Detection System)

An intrusion detection system (IDS) inspects inbound and outbound network activity and identifies suspicious patterns that may indicate an attack or an attempt to compromise a system. It acts as a security check on the traffic entering and leaving the system, allowing the operator to keep a close watch on the authenticity and reliability of the activity taking place on the network. An IDS gathers and analyzes information from various areas within a computer or network to identify possible violations of the security policy, including unauthorized access as well as misuse. A network IDS is built on a packet sniffer, which captures packets travelling over the monitored medium (usually TCP/IP); the captured packets are then analyzed in a number of different ways. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. In 1980, James P. Anderson's paper "Computer Security Threat Monitoring and Surveillance" proposed monitoring system audit records to detect misuse, and the notion of intrusion detection was born. Since then, several crucial developments in IDS technology have advanced intrusion detection to its current state. The paper highlighted the need to detect misuse, by specific users, as the events were unfolding. Anderson's insights into data auditing and its importance led to tremendous improvements in the auditing subsystems of virtually every operating system, and his conjecture provided the foundation for later intrusion detection system design and development. His work was the start of host-based intrusion detection and of IDS in general.
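The two detection styles the Snort card near the top of this page lists (content pattern matching and port-scan detection) and the "suspicious pattern" definition above, as an added example run over a constructed sensor log. This is illustration code written for this page, not Snort rules or Snort's engine: the log format, the two content signatures, the scan thresholds and every address are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sensor log (not real traffic): time src dst dport tcp-flags payload
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.7 192.0.2.10 80 PA GET /index.html HTTP/1.0
2024-05-01T10:00:01 10.0.0.5 192.0.2.10 21 S -
2024-05-01T10:00:01 10.0.0.5 192.0.2.10 22 S -
2024-05-01T10:00:01 10.0.0.5 192.0.2.10 23 S -
2024-05-01T10:00:01 10.0.0.5 192.0.2.10 25 S -
2024-05-01T10:00:02 10.0.0.5 192.0.2.10 53 S -
2024-05-01T10:00:02 10.0.0.5 192.0.2.10 80 S -
2024-05-01T10:00:02 10.0.0.5 192.0.2.10 110 S -
2024-05-01T10:00:02 10.0.0.5 192.0.2.10 139 S -
2024-05-01T10:00:03 10.0.0.5 192.0.2.10 143 S -
2024-05-01T10:00:03 10.0.0.5 192.0.2.10 443 S -
2024-05-01T10:00:03 10.0.0.5 192.0.2.10 445 S -
2024-05-01T10:00:03 10.0.0.5 192.0.2.10 3389 S -
2024-05-01T10:00:04 10.0.0.9 192.0.2.10 80 PA GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0
2024-05-01T10:00:05 10.0.0.7 192.0.2.10 80 PA GET /about.html HTTP/1.0
"""

# Content signatures in the spirit of "alert on this byte pattern" rules (constructed)
SIGNATURES = {
    "WEB-CGI phf access": re.compile(r"/cgi-bin/phf"),
    "ATTACK-RESPONSES cat /etc/passwd": re.compile(r"cat(%20|\s)+/etc/passwd"),
}
SCAN_PORTS = 10                      # distinct ports probed by one source ...
SCAN_WINDOW = timedelta(seconds=5)   # ... within this window => port scan


def parse(line: str) -> dict:
    ts, src, dst, dport, flags, payload = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "flags": flags, "payload": payload}


def detect(log_text: str):
    """Return (alert name, source address) pairs raised over the whole log."""
    alerts = []
    probes = defaultdict(deque)   # src -> recent (time, port) of bare-SYN probes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)

        # 1. Signature matching on payload content
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["payload"]):
                alerts.append((name, rec["src"]))

        # 2. Stealth (SYN-only) port-scan detection with a sliding time window
        if rec["flags"] == "S":
            window = probes[rec["src"]]
            window.append((rec["ts"], rec["dport"]))
            while window and rec["ts"] - window[0][0] > SCAN_WINDOW:
                window.popleft()
            if len({port for _, port in window}) >= SCAN_PORTS:
                if ("PORTSCAN", rec["src"]) not in alerts:
                    alerts.append(("PORTSCAN", rec["src"]))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields a port-scan alert for 10.0.0.5 (raised once, when the tenth distinct port is probed) and two content alerts for 10.0.0.9, and nothing for the ordinary browsing from 10.0.0.7. The sliding window is what keeps a slow, spread-out scan below the threshold, which is exactly the evasion an attacker reaches for next; real sensors pair this with per-source state that persists longer.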

Analysis Tools

Analysis Tool for Google Chrome ChromeCookiesView Source: http://www.nirsoft.net ChromeCookiesView displays the list of all cookies stored by the Google Chrome web browser and allows you to export the cookies to a text/CSV/HTML/XML file. It displays information such as Host Name, Path, Name, Value, Secure (Yes/No), HTTP Only Cookie (Yes/No), Last Accessed Time, Creation Time, and Expiration Time for each cookie. ChromeCacheView Source: http://www.nirsoft.net ChromeCacheView is a small utility that reads the cache folder of the Google Chrome web browser and displays the list of all files currently stored in the cache. It displays information such as URL, Content type, File size, Last accessed time, Expiration time, Server name, Server response, etc.
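The cookie fields listed above can be pulled straight from Chrome's SQLite "Cookies" database with the standard library; the part that trips up examiners is the timestamp format, which is microseconds since 1601-01-01 UTC rather than the Unix epoch. The following is an added example, not NirSoft's code: it builds a constructed in-memory database using a subset of the column names from Chrome's cookies table (an assumption to check against the Chrome build you are examining; the real file is normally copied out of the profile directory and may hold the value in an encrypted column instead), converts the times, and exports the same columns ChromeCookiesView shows as CSV.

```python
import csv
import io
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit time: microseconds since 1601-01-01 00:00:00 UTC (the Windows
# FILETIME epoch).  A value of 0 means "not set", e.g. a session cookie's expiry.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value: int):
    return None if not value else WEBKIT_EPOCH + timedelta(microseconds=value)


def datetime_to_webkit(dt: datetime) -> int:
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for Chrome's Cookies file (column subset assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE cookies (
        host_key TEXT, name TEXT, value TEXT, path TEXT,
        creation_utc INTEGER, last_access_utc INTEGER, expires_utc INTEGER,
        is_secure INTEGER, is_httponly INTEGER)""")

    def t(*ymdhm):
        return datetime_to_webkit(datetime(*ymdhm, tzinfo=timezone.utc))

    con.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?,?)", [
        (".example.test", "session", "abc123", "/",
         t(2024, 5, 1, 9, 30), t(2024, 5, 1, 10, 0), t(2024, 5, 2, 9, 30), 1, 1),
        ("shop.example.test", "cart", "item=42", "/checkout",
         t(2024, 4, 30, 8, 0), t(2024, 4, 30, 8, 5), 0, 0, 0),   # 0 expiry: session cookie
    ])
    return con


def list_cookies(con: sqlite3.Connection):
    """Rows with the same fields ChromeCookiesView displays, times as datetimes."""
    query = """SELECT host_key, path, name, value, is_secure, is_httponly,
                      last_access_utc, creation_utc, expires_utc FROM cookies"""
    rows = []
    for host, path, name, value, secure, httponly, last, created, expires in con.execute(query):
        rows.append({"Host Name": host, "Path": path, "Name": name, "Value": value,
                     "Secure": "Yes" if secure else "No",
                     "HTTP Only Cookie": "Yes" if httponly else "No",
                     "Last Accessed Time": webkit_to_datetime(last),
                     "Creation Time": webkit_to_datetime(created),
                     "Expiration Time": webkit_to_datetime(expires)})
    return rows


def to_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    for row in rows:
        writer.writerow({k: (v.isoformat() if isinstance(v, datetime) else v)
                         for k, v in row.items()})
    return buf.getvalue()
```

To use it on a real profile, replace `build_sample_db()` with `sqlite3.connect("file:Cookies?mode=ro", uri=True)` on a copy of the file, never on the live profile, so the examination does not alter last-access times.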

Bypass Blocked Sites using anonymous website surfing sites.

Anonymous web-surfing sites help you browse the Internet anonymously and reach blocked sites (i.e., evade firewall restrictions). By using these sites you can visit restricted sites without revealing your own IP address, because the proxy site fetches the pages on your behalf. There are a number of anonymous web-surfing sites available, some of which provide options to encrypt website URLs. Examples of such proxy sites that can help you access blocked websites: Anonymous Website Surfing Site 1: (http://anonymouse.org) This service allows you to surf the web without revealing any personal information. Anonymous Website Surfing Site 2: (http://www.anonymizer.com) Anonymizer Universal keeps your online activities safe, private, and secure. Anonymous Website Surfing Site 3: (http://www.webproxyserver.net) Webproxyserver.net is an SSL (secured) proxy server that helps users change their apparent IP address online and protect their identity. It has the capability to bypass restrictions, which gives the user more freedom. Note that the proxy site itself sees all of your traffic, so these services shift trust to the proxy operator rather than remove it.

Cyber criminals

Anyone who commits a crime online is known as a cyber criminal. Cyber criminals have developed very refined ways of exploiting trust to their advantage and earning income. They are increasingly associated with organized crime syndicates, which take advantage of their refined techniques. Cyber criminals no longer only develop malware independently for financial gain; they now operate in groups. There are organized groups of cyber criminals who develop plans for different kinds of attacks and offer criminal services: they create and rent botnets, and offer services such as writing malware, hacking bank accounts, and launching massive DoS attacks against any target for a price. The increase in malware puts an extra load on security systems. The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies.

Why Ethical Hacking is necessary?

As technology grows at a faster pace, so do the risks associated with it. To beat a hacker, you need to think like one! Ethical hacking helps to find the various possible vulnerabilities well in advance and rectify them before an outside attacker exploits them. Because hacking involves creative thinking, automated vulnerability scanning and checklist security audits alone cannot ensure that the network is secure. To achieve security, organizations need to implement a "defense-in-depth" strategy and test it by penetrating their own networks to find and expose vulnerabilities.

Impact of web server attacks

Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes: Compromise of user accounts: Web server attacks are frequently aimed at compromising user accounts. If the attacker is able to compromise a user account, the attacker gains a lot of useful information and can use the compromised account to launch further attacks on the web server. Data tampering: An attacker can alter or delete data, and can even replace the data with malware in order to compromise whoever connects to the web server. Website defacement: Attackers completely change the appearance of the website by replacing the original content, altering the visuals and displaying pages with messages of their own. Secondary attacks from the website: An attacker who compromises a web server can use the server to launch further attacks on other websites or on client systems. Data theft: Data is one of the main assets of the organization; attackers can gain access to sensitive data such as financial records, future plans, or the source code of a program. Root access to other applications or servers: Root access is the highest privilege level on a server, whether it is a dedicated, semi-dedicated, or virtual private server. Attackers can perform any action once they get root access to the server.

Session Sniffing

Attackers can use packet sniffers from a man-in-the-middle position. When the HTTP traffic is unencrypted, the attacker can redirect the traffic through his or her own host or simply observe it on a shared medium. This unencrypted traffic carries session IDs, user names, and passwords in plain text, which makes it easy for the session hijacker to obtain them. The attacker captures a valid session token (the "session ID") using a sniffer and then replays that token to gain unauthorized access to the web server as the victim user.

Audio Steganography

Audio steganography refers to hiding secret information in audio files such as .MP3, .RM, .WAV, etc. Information can be hidden in an audio file by using the least significant bits (LSB) of the samples or by using frequencies that are inaudible to the human ear: using frequencies above 20,000 Hz to carry information makes it undetectable by ear. Musical tones are another way of hiding information, using a substitution scheme. For example, a tone of F represents "0" and a tone of C represents "1"; a simple musical piece is then composed around the secret message, or an existing piece is used with an encoding scheme that represents the message.
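The LSB method from the card above, as an added example written for this page (not from any steganography tool): a constructed 16-bit PCM WAV tone is generated in memory, a length-prefixed message is written into the least significant bit of successive samples, and then read back. The length prefix, the sine carrier and the 8 kHz sample rate are assumptions; the last function shows that no sample moves by more than one unit, which is why the change is inaudible.

```python
import array
import io
import math
import sys
import wave


def make_carrier(seconds: float = 1.0, rate: int = 8000, freq: float = 440.0) -> bytes:
    """Constructed carrier: one second of a 16-bit mono sine tone as WAV bytes."""
    n = int(seconds * rate)
    samples = array.array("h", (int(12000 * math.sin(2 * math.pi * freq * i / rate))
                                for i in range(n)))
    return _write_wav((1, 2, rate, n, "NONE", "not compressed"), samples)


def _read_wav(wav_bytes: bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        params = w.getparams()
        samples = array.array("h", w.readframes(w.getnframes()))
    if sys.byteorder == "big":        # WAV PCM is little-endian
        samples.byteswap()
    return params, samples


def _write_wav(params, samples: array.array) -> bytes:
    if sys.byteorder == "big":
        samples = array.array("h", samples)
        samples.byteswap()
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(samples.tobytes())
    return buf.getvalue()


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(wav_bytes: bytes, message: bytes) -> bytes:
    """Overwrite the LSB of one sample per message bit; 4-byte length prefix first."""
    params, samples = _read_wav(wav_bytes)
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(samples):
        raise ValueError("message too long for this carrier")
    for idx, bit in enumerate(_bits(payload)):
        samples[idx] = (samples[idx] & ~1) | bit   # clear the LSB, then set it to the bit
    return _write_wav(params, samples)


def extract(wav_bytes: bytes) -> bytes:
    _, samples = _read_wav(wav_bytes)

    def read_bytes(first_sample: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (samples[first_sample + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if (4 + length) * 8 > len(samples):
        raise ValueError("no embedded message (length prefix is not plausible)")
    return read_bytes(32, length)


def max_sample_change(original_wav: bytes, stego_wav: bytes) -> int:
    """Largest per-sample difference the embedding introduced (expected: at most 1)."""
    _, a = _read_wav(original_wav)
    _, b = _read_wav(stego_wav)
    return max(abs(x - y) for x, y in zip(a, b))
```

The capacity is one bit per sample, so a one-second 8 kHz carrier holds just under a kilobyte; a lossy format such as MP3 would destroy these bits on re-encoding, which is why LSB hiding is done in uncompressed PCM.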

Firewall identification : Banner Grabbing

Banners are announcements generated by services in response to connection attempts; they identify which service, and often which version, is running on a system. Attackers use banner grabbing to fingerprint services and thereby discover what is running on or behind a firewall. The three services that most commonly send banners are FTP, Telnet, and web servers. A firewall does not block banner grabbing, because the connection between the attacker's system and the target looks like a legitimate client connection. An example of SMTP banner grabbing is telnet mail.targetcompany.org 25, which prints the mail server's greeting banner. A web server says nothing until it receives a request: when the user opens a telnet connection to port 80 on the target server and presses Enter a few times, the server answers with something like the following: C:\>telnet www.corleone.com 80 HTTP/1.0 400 Bad Request Server: Netscape - Commerce/1.12 The same technique works with many other applications that answer on a well-known port. The information gained through banner grabbing helps the attacker's efforts to compromise the system further: knowing the vendor and version of the web server, the attacker can concentrate on platform-specific exploit techniques. Services such as FTP, Telnet, and web servers should not be left open unnecessarily, and their banners should be changed or suppressed, because they are easily read by banner grabbing.
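The telnet session shown above, as an added example in Python rather than the page's own tool: `grab_banner` connects, optionally sends a probe (needed for HTTP, which stays silent until it gets a request), and returns whatever the service announces. To make it runnable offline, `start_fake_service` stands up a constructed local listener that plays back a banner; the SMTP greeting and the Netscape `Server:` line are constructed using the strings from the card, not real hosts.

```python
import socket
import threading


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, send an optional probe, and return the first thing the service says."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:          # silent service: nothing to fingerprint this way
            data = b""
    return data.decode("latin-1", "replace")


def parse_server_header(banner: str):
    """Pull the vendor/version string out of an HTTP response banner, if present."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def start_fake_service(banner: bytes, wait_for_request: bool = False) -> int:
    """Constructed stand-in for a real daemon so the grab can be tried offline.
    Serves a single connection on 127.0.0.1 and returns the port it chose."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:        # an HTTP server answers only after a request
                conn.recv(1024)
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> dict:
    smtp_port = start_fake_service(b"220 mail.targetcompany.org ESMTP ready\r\n")
    http_port = start_fake_service(
        b"HTTP/1.0 400 Bad Request\r\nServer: Netscape - Commerce/1.12\r\n\r\n",
        wait_for_request=True)
    smtp = grab_banner("127.0.0.1", smtp_port)                                # talks first
    http = grab_banner("127.0.0.1", http_port, probe=b"HEAD / HTTP/1.0\r\n\r\n")  # needs a nudge
    return {"smtp": smtp.strip(), "http_server": parse_server_header(http)}
```

Against real targets replace the fake listeners with the hostname and port; the same function works for FTP (port 21) and Telnet (port 23), which, like SMTP, send their banner unprompted.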

Advantages and disadvantages of basic authentication

Advantages: Basic authentication is supported by all web browsers, and it is relatively simple to implement. Disadvantages: The connection between the client and server is not always secure and cannot be trusted, and the credentials are only base64-encoded, not encrypted, so Basic authentication over plain HTTP is wide open to eavesdropping attacks. The browser also caches the credentials and resends them with every request until the user closes the browser or clears the history.
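What an eavesdropper actually recovers from the two situations above (the session-sniffing card and plain-HTTP Basic authentication), as an added example run over a constructed capture; this is illustration code written for this page, not output of any sniffer. The three requests, hostnames, cookie names and credentials are all made up, and the list of cookie names treated as session tokens is an assumption.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed plaintext HTTP capture (not real traffic): what a sniffer on the path
# sees when the site is served over http:// rather than https://
CAPTURE = b"\r\n".join([
    b"GET /account HTTP/1.1",
    b"Host: intranet.example.test",
    b"Authorization: Basic YWxpY2U6UGFzc3cwcmQh",
    b"",
    b"GET /cart HTTP/1.1",
    b"Host: shop.example.test",
    b"Cookie: PHPSESSID=8f3c0a1b2d4e5f6a7b8c9d0e1f2a3b4c; theme=dark",
    b"",
    b"POST /login HTTP/1.1",
    b"Host: shop.example.test",
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: 29",
    b"",
    b"username=bob&password=hunter2",
])

SESSION_COOKIES = ("PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "sessionid")
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD) \S+ HTTP/1\.[01]\r\n", re.M)


def split_requests(capture: bytes):
    """Yield (headers, body) per request; Content-Length delimits the body."""
    starts = [m.start() for m in REQUEST_LINE.finditer(capture)] + [len(capture)]
    for a, b in zip(starts, starts[1:]):
        head, _, rest = capture[a:b].partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n")[1:]:          # skip the request line itself
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        yield headers, rest[:int(headers.get("content-length", 0))]


def harvest(capture: bytes):
    """Return (host, kind, secret) triples an eavesdropper can lift directly."""
    found = []
    for headers, body in split_requests(capture):
        host = headers.get("host", "?")
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            # Basic auth is base64, not encryption: one call recovers user:password
            found.append((host, "basic-auth", base64.b64decode(auth[6:]).decode()))
        for cookie in headers.get("cookie", "").split(";"):
            name, _, value = cookie.strip().partition("=")
            if name in SESSION_COOKIES:
                # replaying this value is the whole of a session-hijacking attack
                found.append((host, "session-cookie", f"{name}={value}"))
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body.decode())
            if "password" in form:
                found.append((host, "form-credentials",
                              f"{form.get('username', ['?'])[0]}:{form['password'][0]}"))
    return found
```

All three findings disappear when the sites move to HTTPS and the session cookie carries the Secure flag, which is the countermeasure the two cards are really arguing for.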

Digital evidence examination process step 1: evidence assessment

Before starting an investigation, the first thing to determine is whether an incident actually occurred and what its impact is. It is necessary to verify any complaint of an intrusion, as some turn out to be hoaxes; an intrusion detection system alert may indicate only an attempted, unsuccessful intrusion, or may be a false alarm. It is therefore necessary to weigh the strengths, weaknesses, and other known nuances of the sources, including human factors as well as digital ones. Permission to conduct a search at the crime scene should be sought from the judicial authority for that jurisdiction. Look for evidence that may help the case at the crime scene. A computer can be a source of information that helps law enforcement solve the case; sometimes a computer and its related components can establish the chain of events leading to a crime and provide evidence that leads to a conviction. Do a preliminary assessment to search for the evidence. After the assessment, collect and seize the equipment used in committing the crime and document the items collected, such as Blu-ray discs, CDs, DVDs, etc. Photograph the crime scene before collecting the evidence. After gathering all of this information, the investigator can list the steps to be taken during the investigation and then begin the actual investigation. The important thing to consider while assessing evidence is that digital evidence must be evaluated systematically, in the context of the scope of the case, to determine the course of action to follow. Procedure: Perform a detailed assessment by reviewing the official agreement, search warrant, complete case details, hardware and software characteristics, the evidence probably required, and the conditions surrounding the acquisition of the evidence to be examined.
While assessing the evidence: Prioritize the evidence where necessary, considering the location of the evidence at the crime scene and the stability of the media to be examined. Establish how to document the evidence (e.g., photographs, sketches, notes). Evaluate storage locations for electromagnetic interference. Determine the state of the evidence after packaging, transport, or storage. Evaluate the need to provide an uninterrupted power supply to battery-operated devices.

CERT (Computer Emergency Response Team)

CERT stands for Computer Emergency Response Team: a team that receives reports of computer security incidents, analyzes them, and coordinates the response. The remaining points on this card actually describe a different organization with the same acronym, FEMA's Community Emergency Response Team program, which trains people to be better prepared to respond to emergency situations in their communities; its members give critical support to first responders by providing immediate assistance to victims and organizing spontaneous volunteers at a disaster site.

CA (Certification Authority)

Certification authorities are trusted entities that issue digital certificates. A digital certificate certifies that the public key it contains belongs to the subject (a user, company, or system) named in the certificate. This allows others to trust signatures or statements made with the private key that corresponds to the certified public key.

How to defend against wireless attacks?

Change the default SSID after configuring the WLAN; set the router access password and enable firewall protection; disable SSID broadcasts; disable remote router login and wireless administration; enable MAC address filtering on your access point or router; enable encryption (WPA2 or WPA3) on the access point and change the passphrase often; use SSID cloaking to keep certain default wireless messages from broadcasting the ID to everyone; do not use your SSID, company name, network name, or any easy-to-guess string in passphrases; place a firewall or packet filter between the AP and the corporate intranet; limit the transmit power of the wireless network so it cannot be detected outside the bounds of your organization; check the wireless devices regularly for configuration or setup problems; and add a separate layer of traffic encryption, such as IPsec over wireless. Note that MAC filtering and SSID hiding are only minor obstacles to an attacker with a wireless sniffer; strong encryption with a good passphrase is the control that matters.

Step 4: Notification and Planning

Communication plays a major role in responding swiftly to an incident. It helps reduce the impact of the incident by enabling better coordination between the different stakeholders affected by it. The severity of the incident should be communicated to the key people who play a major role in responding to it. The IRT should also discuss the incident with legal counsel to decide whether legal action against the perpetrators should be pursued, and what evidence-handling that requires.

Step 6: Forensic Investigation

Computer fraud, insider threats, malware attacks, and hacker attacks are all common these days, and organizations can go bankrupt because of such security issues. Incident handling helps organizations contain security events, but a computer forensic investigation lets investigators find the root cause of the security issue. Forensic investigation is the process of gathering evidence related to an incident from systems and networks. It helps organizations prosecute the culprit behind a serious computer security issue in a court of law. Courts depend on solid evidence against the accused, in proportion to the seriousness of the security issue. A computer forensic investigation can find that evidence, but a reasonable amount of time must be allocated for it.

Computer Security Logs

Computer security logs contain information about the events occurring within a network and its devices. They are collections of log entries, where every entry holds information about a specific event that has occurred. They are used to check system optimization, network performance, and user actions. Log entries are usually created when a set of conditions that have some significance to computer security is met. For instance, logs hold information about network devices such as routers, switches, etc., and can be used to investigate how well a computer is secured. Generally, log sources run continuously and create entries on a regular basis, but some sources run occasionally and create entries in batches. Computer security logs can be categorized as: Operating System Logs: Operating system (OS) logs contain records from workstations, servers, and network equipment such as switches and routers. They also provide details about security software and other back-end applications running on the system. Application Logs: Application logs contain entries from the applications running on systems and servers, such as an email server or database server. Security Software Logs: Security software logs contain entries from network- and host-based security software. Examples of security software are antimalware software, remote access software, and vulnerability management software.

Step 5: Containment

Containment focuses on limiting the scope and extent of an incident. It deals with information and computing services. The aim of the containment stage is to reduce losses and damage from the attack by isolating affected systems and cutting off the attacker's access, before the threat source is fully eradicated in a later stage. If systems, networks, or workstations are compromised by a security incident, the IRT has to decide whether to shut down the system, disconnect it from the network, or keep it running in order to monitor its activity. The response in each of these situations depends on the type and magnitude of the incident.

Why the need for CSIRT?

Creating an incident response team is one of the primary tasks in the incident response process that follows the incident response methodology. Incident response team helps organizations to recover from computer security breaches and threats. This team is dedicated to understand the incident response process and take necessary actions when needed. It is a formalized team that performs incident response work as its major job function. The team contains trained experts who will fix the problems whenever an incident occurs.

The RSA signature scheme

Cryptography uses RSA both for public-key encryption and for digital signatures (signing a message and verifying the signature). The RSA signature scheme was the first technique used to generate digital signatures. It is a deterministic digital signature scheme that allows message recovery from the signature itself, which makes it one of the most practical and versatile techniques available. RSA involves both a public key and a private key. The public key, as the name indicates, can be used by anyone to encrypt messages; a message encrypted with the public key requires the private key for decryption. For signing, the roles are reversed: suppose John signs his document M with his private key SA, creating the signature Sjohn(M). John sends M along with the signature Sjohn(M) to Alice. Alice applies John's public key to the signature and compares the result with M, thereby verifying John's signature.
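The John-and-Alice exchange above in working arithmetic, as an added example written for this card (not from any cryptographic library, and not how a production implementation should be written). The key parameters are two Mersenne primes chosen so the numbers stay readable; they are an assumption and far too small to be secure. The example goes one step beyond the card: it shows both the textbook "message recovery" form the text describes and the hash-then-sign form real schemes use, because the textbook form has a multiplicative property that lets anyone holding two signatures forge a third.

```python
import hashlib

# Toy key material: constructed, insecure.  Real RSA uses randomly generated primes
# giving a modulus of at least 2048 bits, plus a padding scheme such as PSS.
P, Q, E = (1 << 31) - 1, (1 << 61) - 1, 65537


def keygen(p: int = P, q: int = Q, e: int = E):
    """Return (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent; e must be invertible mod phi (Python 3.8+)
    return (n, e), (n, d)


def sign_raw(private, m: int) -> int:
    """Textbook RSA: s = m^d mod n.  The signature alone yields m back (message recovery)."""
    n, d = private
    return pow(m, d, n)


def recover_raw(public, s: int) -> int:
    """Apply the public key to the signature: m = s^e mod n."""
    n, e = public
    return pow(s, e, n)


def forge_raw(public, s1: int, s2: int) -> int:
    """Caveat: with no hashing or padding, sig(m1) * sig(m2) mod n is a valid
    signature on m1 * m2 mod n, so two captured signatures give a forged third one."""
    n, _ = public
    return (s1 * s2) % n


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    """Hash-then-sign, what John does with his private key SA: s = H(M)^d mod n."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Alice's check with John's public key: does s^e mod n equal her own H(M)?"""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)
```

Hashing binds the signature to the exact bytes of M, so altering the document or verifying with a different party's public key fails; padding (omitted here) is what stops the multiplicative forgery in real deployments.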

Types of computer security incidents

Cyber Espionage: A modern intelligence-gathering technique that uses computers, networks, and various tools to collect sensitive information. Data Breach: When an organization's confidential data falls into unauthorized hands. Sexual Harassment/Cyber Harassment: The unwelcome pursuit of an individual for sexual purposes using technology, including the Internet and other communication media. Insider Threat: An employee or ex-employee who misuses his or her legitimately granted credentials for malicious purposes or activities.

Cyber crime

Cybercrime is defined as "any illegal act that involves a computer, its systems, or its applications." When investigators examine a crime scene, they must remember that in computer forensics, cybercrimes are most often intentional and not accidental. Cybercrimes are generally categorized according to: the tools of the crime, and the target of the crime. Attackers use a system as a tool for cracking passwords, escalating privileges, launching Trojans, worms, and botnets, email snooping, phishing, etc. A system becomes the target for different reasons: stealing, modifying, or destroying data, Trojan attacks, unauthorized access, a denial-of-service (DoS) attack, a man-in-the-middle (MITM) attack, etc. The tools of the crime are the various hacking tools used to commit the crime, including the computer or workstation from which the crime was committed. Forensic investigators usually take the whole system that was used into custody, including hardware such as the keyboard, mouse, and monitor. The tools of the crime are evidence that the forensic investigator must analyze, process, and document. The target of the crime refers to the victim of a cybercrime, which can be a corporate organization, website, consulting agency, or government body. The target of the crime is usually the location where the computer forensic investigator examines the crime scene; this can be a virtual environment when investigators are dealing with digital rather than physical evidence. Cybercrime in today's world Cybercrime today is carried out by individuals who are increasingly organized when committing crimes. Cyber criminals are often considered more technically advanced than the agencies that try to thwart them.

Data backup

Data backup is the process of copying important data to separate storage. The backup copy allows you to restore the original data when it is lost or corrupted. Backup is a mandatory process for small and large organizations alike. The process of retrieving lost files from a backup is known as restoring or recovering the files. The main aim of data backup is to protect data and information and to recover them after data loss. Data backup serves two purposes: to return a system to its normal working state after damage, and to recover data and information after data loss or corruption. Data loss in small and large organizations can affect finances, customer relationships, and company records; data loss on personal computers can mean the loss of personal files, images, and other important documents saved on the system. There are several causes of data loss: Human error: deliberate or accidental deletion of data, misplacement of data storage devices, mistakes when administering databases. Crime: theft of, or unauthorized modification to, critical data in an organization. Technical failure: power failures, sudden software or hardware faults. Natural disaster: floods, earthquakes, fire, etc.

Data Classification

Data classification is the process of classifying data based on the level of sensitivity as it is created, modified, improved, stored, or transmitted. Data classification helps in identifying the data for business operations Data can be classified into five levels: Public documents. Information for internal use. Proprietary information. Confidential information. Top secret.

Denial-of-Service Attack

Denial-of-service (DoS) is an attack that prevents authorized users from accessing a computer or network. DoS attacks target the network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic using existing network resources, thus depriving the legitimate users of these resources. Connectivity attacks overflow a computer with a large amount of connection requests, consuming all available operating system resources, so that the computer cannot process legitimate users' requests. An Analogy Consider a company (say, Target Company) that delivers pizza upon receiving a telephone order. The entire business depends on telephone orders from customers. Suppose a person intends to disrupt the daily business of this company. If this person came up with a way to keep the company's telephone lines engaged in order to deny access to legitimate customers, obviously Target Company would lose business. DoS attacks are similar to the situation described above. The objective of the attacker is not to steal any information from the target; rather it is to render its services useless. In the process, the attacker can compromise many computers (called zombies) and virtually control them. The attack involves deploying the zombie computers against a single machine to overwhelm it with requests and finally crash the target in the process.

Digital certificate

A digital certificate is an electronic card that provides credential information when doing online transactions on the web. It acts as an electronic counterpart to a driving license, passport, or membership card. It provides a complete security solution and guarantees the identity of all users involved in the online transaction. A digital certificate generally contains: Details of the owner's public key. Owner's name. Expiration date of the public key. Name of the Certificate Authority (CA) that issued the digital certificate. Serial number of the digital signature. Digital signature of the CA (issuer).

MD5 Hash Calculators: HashCalc, MD5 Calculator, and HashMyFiles

Discussed below are MD5 hash calculators that use different hash algorithms to convert plain text into its equivalent hash value. HashCalc Source: http://www.slavasoft.com The HashCalc utility allows you to compute message digests, checksums, and HMACs for files, as well as for text and hex strings. It offers different types of hash and checksum algorithms (MD2, MD4, MD5, SHA-1, SHA-2 (256, 384, and 512), RIPEMD-160, PANAMA, TIGER, ADLER32, CRC32) for calculations. MD5 Calculator Source: http://www.bullzip.com MD5 Calculator allows you to calculate the MD5 hash value of the selected file. Right click the file and choose "MD5 Calculator," and the program will calculate the MD5 hash. The MD5 Digest field contains the calculated value. To compare this MD5 digest to another, one can paste the other value into the Compare To field. An equals sign ("=") appears between the two values if they are equal; otherwise, the less than ("<") or greater than (">") sign will tell you that the values are different. HashMyFiles Source: http://www.nirsoft.net HashMyFiles is a small utility that allows you to calculate the MD5 and SHA1 hashes of one or more files in the system. It allows you to copy the MD5/SHA1 hash list into the clipboard, or save it into a text/html/xml file. One can launch HashMyFiles from the context menu of Windows Explorer, and display the MD5/SHA1 hashes of the selected file or folder.

Disk Encryption

Disk encryption works similarly to text message encryption. By using an encryption program on the user's disk, the user can safeguard all information burned onto the disk and save it from falling into the wrong hands. A computer disk is a round plate onto which data is recorded and/or burned. If the user needs to store information on a disk and keep it safe, it is recommended that an encryption program be used. Encryption software for disks scrambles the information burned on the disk into an illegible code. It is only after the disk information is decrypted that it can be read and/or used. Encryption for disks is useful when the user needs to send sensitive information through the mail. For instance, the user may need to mail his/her friend a disk, but cannot take the risk of it being stolen and the information being compromised. In this case, the user could simply encrypt the information on the disk and then rest assured that, even if the disk is lost or stolen, the information on it would not be compromised. In addition, disk encryption can also be useful in protecting the real-time exchange of information from being compromised. When the exchange of information is made in an encrypted form, the chances of the information being compromised are minimised. The only way the attacker can access the information is by decrypting the message, which can only be done via the authentication process.

How to defend against web servers attacks 4

Do use a dedicated machine as a Web server. Do not install the IIS server on a domain controller. Use server-side session ID tracking and match connections with time stamps, IP addresses, etc. Use security tools provided with web server software and scanners that automate and simplify the process of securing a web server. Create URL mappings to internal servers cautiously. If a database server, such as Microsoft SQL Server, is to be used as a backend database, install it on a separate server. Screen and filter incoming traffic requests. Do physically protect the web server machine in a secure machine room. Do configure a separate anonymous user account for each application if you host multiple web applications. Do not connect an IIS server to the Internet until it is fully hardened. Do not allow anyone to log on locally to the machine except for the administrator. Limit the server functionality in order to support only the web technologies that are going to be used.

Network Vulnerabilities

Due to technological advances in networking, the complexity and vulnerabilities of networks are increasing too. The only thing that a user can do is minimize these vulnerabilities, as the complete removal of vulnerabilities is not possible. There are various internal and external factors that make a network vulnerable. There are two types of vulnerabilities to the network, as follows: Internal Network Vulnerabilities: Internal network vulnerabilities occur due to the overextension of bandwidth and bottlenecks. Overextension of bandwidth: Overextension of bandwidth occurs when user need exceeds total resources. Bottlenecks: Bottlenecks usually occur when user need exceeds resources in particular network sectors. These problems can be addressed by network management systems and software such as traceroute, which allows system administrators to pinpoint the location of network slowdowns. With this information, the traffic can be rerouted within the network architecture to increase the speed and functionality of the network. External Network Vulnerabilities: External network vulnerabilities occur due to threats such as DoS/DDoS attacks and network data interception. DoS and DDoS attacks result from one or numerous attacks. These attacks are designed in such a way that they slow down or disable the network, and are considered one of the most serious threats that a network faces. This attack can be minimized by monitoring network performance using tools that alert the user or the administrator as soon as the attack is detected. Data interception is a common vulnerability among LANs and WLANs. In this type of attack, an attacker infiltrates a secure session and thus monitors or edits the network data to access or alter network operation. In order to minimize these attacks, the user or an administrator needs to apply user authentication systems and firewalls to keep unauthorized users from accessing the network.

How does WPA2 work?

During CCMP implementation, additional authentication data (AAD) is generated using the MAC header, and is included in the encryption process that uses both AES and CCMP encryption. Due to this, it protects the non-encrypted portion of the frame from any alteration or distortion. The protocol uses a sequenced packet number (PN) and a portion of the MAC header to generate a nonce that it uses in the encryption process. The protocol gives the plaintext data, temporal keys, AAD, and nonce as input to the encryption process that uses both AES and CCMP algorithms. The PN is included in the CCMP header to protect against replay attacks. The resultant data from the AES and CCMP algorithms produces the encrypted text and an encrypted MIC value. Finally, the assembled MAC header, CCMP header, encrypted data, and encrypted MIC form the WPA2 MAC frame. The following diagram depicts the workings of WPA2.

Investigative Report Format

Each firm, such as a law firm or a computer forensics firm dealing with report writing, has its own established report format. Follow any previous sample while writing your report. Before writing the report, review all the collected evidence to decide what to include and what to eliminate from the report. The information should be carefully examined to ensure it is relevant for proving whether an allegation is substantiated or not. The final report must contain all the important evidence, even the evidence that does not support the conclusion. It is essential to project objectivity in the report and document the findings in a proper, impartial, and accurate manner. Try to find flaws in your own thinking or examination. Do not develop an agenda, other than finding the truth, during report writing. An investigative report format basically has four sections: Section 1 is the administrative section listing the investigating officials, how to contact them, and where the working papers are kept. Section 2 is dedicated to the background and summary. It includes a summary of the complainant's allegations, optional information (to help the reader get added information and understand the case), the outcome of the case, and the list of claims. Section 3 is reserved for the introduction of the first allegation. It presents the facts, analyzes and discusses the facts, and, if appropriate, makes a recommendation. A conclusion can be stated in this section, and it can also include the disposition documenting the proper action that the responsible authority took about any substantiated allegations. Address each further allegation, if any, in the same way. More sections can be introduced depending on the allegations. Section 4 (or the last section) lists and provides detailed information about the interviewees, the documents reviewed, and any other vital evidence collected.

Email Message

Electronic mail, universally called email, is a process of transmitting messages through various computer networks to one or more recipients. The messages can be typed from a keyboard or be files stored on disk. An email message is composed of three parts: Header: The email header contains information about the email's origin, such as the address from where it came, the routing, the time of the message, and the subject line. Some of the header information is kept hidden by the email software; it is usually important to a technician. Body: The body contains the actual message. Signature: The sender uses a signature to provide information to the recipient about the sender. Email programs can be set to enter this line automatically on all emails sent.

Reasons for testing Snort

The reasons for testing Snort may include: To know if the Snort installation works. To check if Snort is dropping an unacceptable number of packets. To check how the rules written for Snort are affecting Snort's performance. To understand how intruders try to evade Snort.

Email Server

An email or mail server is a computer within the network that works as a virtual post office. An email server connects and serves several email clients. Email servers exchange email with the SMTP server. When an email is sent, the client application first directs it to the email server. This contacts the addressee's email server and carries out a conversation in accordance with the rules defined by SMTP over the Internet. The email server checks the validity of the username with the other email server. If validated, it transfers the email and the receiving email server stores it until the addressee logs on and downloads it. An email server works as follows: The server has a number of email accounts; each person has one account. It contains a text file for each account; for example, if you have the account name MTony, then the text file is MTONY.TXT, and for your friend Mary who has the account JMary, it is JMARY.TXT. Now consider that you are sending a message to your friend. For example, you write, "Mary, how are you? Tony" using an email client. When you press the Send button, the email client connects to the email server and passes the name of the sender (Tony) and the recipient (Mary) with the body of the message to the email server. The server formats that information and attaches it to the bottom of the JMARY.TXT file. The entry in the file may look like: From: MTony To: JMary Mary, how are you? Tony The server also saves the time, date of receipt, and subject line into the file. If Mary wants to see the message in her email client, then she has to send a request to the server.

Email Spoofing

Email spoofing is a fake email activity that hides the original sender of the email, creating the impression that the message originated from somewhere other than the actual source. It is a technique in which spammers and phishers hide the origin of email messages. Email spoofing succeeds when fraudsters are able to deliver emails by changing the email sender information. The prime reason for email spoofing is advertising. However, some spammers intend to spread viruses or gather personal banking information through email spoofing. To hide the actual source, spammers and perpetrators of phishing change email header fields such as: From, Return-Path, Reply-To.

VPN Security

Encryption: Encryption in a VPN ensures data integrity and privacy. It allows only authorized users to see the confidential information. VPN encryption is too fast to even be noticed compared to Internet delays. IPsec Server: The IPsec server provides advanced security features such as better encryption algorithms and more comprehensive authentication. The IPsec server has two encryption modes: Tunnel mode encrypts the header and payload of each packet. Transport mode encrypts only the payload.

Enumeration

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are carried out in an intranet environment. The previous methods highlight the necessary information regarding the attacker's target without really going on the wrong side of the legal barrier. If all the attempts discussed previously fail to generate relevant or useful information, then the attacker can extend his or her efforts by actually examining the target. This is significant because the attacker crosses over into the target territory to unearth information about the network, shares, users, groups, applications, and banners. The attacker's main aim is to identify suitable user accounts or groups where he or she can remain inconspicuous once the system has been compromised. Enumeration involves making active connections to the target system or subjecting it to direct queries. Normally, an alert and secure system will log such attempts. Often the information gathered is what the target might have made public, such as a DNS address; however, it is possible that the attacker stumbles upon a remote IPC share, such as IPC$ in Windows, that can be probed with a null session, allowing shares and accounts to be enumerated. After ascertaining the security posture of the target, the attacker can turn this information to his or her advantage by exploiting a resource sharing protocol or compromising an account. The type of information enumerated by attackers can be loosely grouped into the following categories: Network resources and shares. Users and groups. Applications and banners. Auditing settings.

Skills of an Ethical Hacker

Ethical hackers require the skill profile of a computer expert. They should also have strong computer knowledge, including programming and networking. They should be proficient at installing and maintaining systems using the popular operating systems (e.g. UNIX, Windows, or Linux). Detailed knowledge of the hardware and software provided by the popular computer and networking hardware vendors complements this basic knowledge. It is not always necessary that ethical hackers possess any additional specialization in security. However, it is an advantage to know how various systems maintain their security. Management skills pertaining to these systems are necessary for actual vulnerability testing and for preparing the report after the testing is carried out. An ethical hacker should possess immense patience, as the analysis stage consumes more time than the testing stage. The time frame for an evaluation may vary from a few days to several weeks, depending on the nature of the task. When an ethical hacker encounters a system with which he/she is not familiar, it is imperative to take the time to learn everything about the system and try to find its vulnerable spots.

What is Ethical Hacking?

Ethical hacking is the practice of employing computer and network skills in order to assist organizations with testing their network security for possible loopholes and vulnerabilities. White hats (also known as security analysts or ethical hackers) are the individuals or experts who perform ethical hacking. Nowadays, most organizations (private companies, universities, government organizations, etc.) are hiring white hats to assist them in enhancing their cyber security. They perform hacking in ethical ways, with the permission of the network/system owner and without the intention to cause harm. Ethical hackers report all vulnerabilities to the system and network owner for remediation, thereby increasing the security of an organization's information system. Ethical hacking involves the use of hacking tools, tricks, and techniques typically used by an attacker, to verify the existence of exploitable vulnerabilities in the system security. Today, the term hacking is closely associated with illegal and unethical activities. There is continuing debate as to whether hacking can be ethical or not, given the fact that unauthorized access to any system is a crime. Consider the following definitions: The noun "hacker" refers to a person who enjoys learning the details of computer systems and stretching his or her capabilities. The verb "to hack" describes the rapid development of new programs or the reverse-engineering of existing software to make it better or more efficient in new and innovative ways. The terms "cracker" and "attacker" refer to persons who employ their hacking skills for offensive purposes. The term "ethical hacker" refers to security professionals who employ their hacking skills for defensive purposes. Most companies use IT professionals to audit their systems for known vulnerabilities. 
Although this is a beneficial practice, crackers are usually more interested in using newer, lesser-known vulnerabilities, so these by-the-numbers system audits will not suffice. A company will need someone who can think like a cracker, keep up with the newest vulnerabilities and exploits, and recognize potential vulnerabilities where others cannot. This is the role of the ethical hacker. Ethical hackers usually employ the same tools and techniques as hackers, with the important exception that they do not damage the system. They evaluate system security, update the administrators regarding any discovered vulnerabilities, and recommend procedures for patching those vulnerabilities. The important distinction between ethical hackers and crackers is consent. Crackers are attempting to gain unauthorized access to systems, while ethical hackers are always completely open and transparent about what they are doing and how they are doing it. Ethical hacking is therefore always legal.

Event correlation

Event correlation is the process of relating a set of events that have occurred in a predefined interval of time. This event correlation technique identifies the few events that are really important among the large number of events. During the process of event correlation, some new events may be added and some existing events may be deleted from the event stream. In general, the event correlation process is carried out on a log management platform. Examples of event correlation are: If a user gets 10 login failure events in 5 minutes, this generates a security attack event. If both the external and internal temperatures of a device are too high and the event "device is not responding" occurs within 5 seconds, replace them with the event "device down due to overheating." Simple event correlator software is used to implement the event correlation process. The event correlator tool is often fed with events originating from monitoring tools, managed elements, or the trouble ticket system. While receiving the events, this tool processes the relevant events that are important and discards the events that are not relevant. Event correlation is divided into four different steps, as follows: Event Aggregation: Event aggregation compiles repeated events into a single event. It avoids duplication of the same event. It is also called event de-duplication. Event Masking: Event masking refers to ignoring events related to systems that are downstream of a failed system. It avoids the events that cause the system to crash or fail. Event Filtering: Through event filtering, the irrelevant events are filtered or discarded by the event correlator. Root Cause Analysis: Root cause analysis is considered the most complex part of event correlation. It analyzes the relationship among events based on the environment model and dependency graphs to identify whether events can be explained by others.

Event Logs

Event logs are essential files within the file system, but they can change. In fact, depending on how they are configured and what events are being audited, they can change quite rapidly. Depending on how the audit policies are configured on the "victim" system and how investigators are accessing it as the first responder, entries can be generated within the event logs. Tools such as psloglist.exe can be used to retrieve the event records, or the .evt files themselves may be copied off the system. PsLogList Source: http://technet.microsoft.com PsLogList shows the contents of the System event log on the local computer.

Benefits of forensic readiness

Evidence can be gathered to act in the company's defense if it is subject to a lawsuit. In the event of a major incident, a fast and efficient investigation can be conducted and corresponding actions can be followed with minimal disruption to the business. Forensic readiness can extend the target of information security to the wider threat from cybercrime, such as intellectual property protection, fraud, or extortion. A fixed and structured approach to the storage of evidence can considerably reduce the expense and time of an internal investigation. It can improve and simplify the interface with law enforcement. In case of a major incident, a proper and in-depth investigation can be conducted.

Gathering Evidence on Windows Systems

Evidence location means that the investigator should look for all those files which can provide information of legal importance to the cyber-crime that has occurred. The data thus gathered helps to track the perpetrator of the crime. There are some places in a Windows-based system that are recommended for evidence gathering. The first is hidden files. Looking for hidden files is quite helpful for system investigators. File attributes are also an important source of information about the hacker and the crime that he or she has committed or is trying to commit. The perpetrator may change file attributes to hide important data present on the system. The common areas to look for evidence are: Files and slack space. Swap file and unallocated clusters. Unused and hidden partitions. Assessing file attributes to find file signatures. The registry. Searching Index.dat files.

Role of digital evidence

Examples of cases where digital evidence may assist the forensic investigator in the prosecution or defense of a suspect: Names and addresses of contacts. Malicious attacks on the computer systems themselves. Records of movements. Unauthorized transmission of information. Theft of commercial secrets. Use/abuse of the Internet. Production of false documents and accounts. Encrypted/password protected material. Abuse of systems. Email contact between suspects/conspirators.

FIRST (global forum for incident response and security teams)

FIRST is a global forum for incident response and security teams that was established in the year 1990. The members of FIRST are capable of handling and responding to a computer security incident. It supports incident prevention programs and provides best computer security practices. The members of FIRST develop and share tools, methodologies, processes, and technical information.

Face recognition

Face recognition works by picking out the unique characteristics of a human face and matching them against facial images in a database. Facial characteristics that a recognition system looks for are: Size of the eyes. Distance between the eyes. Depth of the eye sockets. Location of the nose. Size of the nose. Location of the chin. Size of the chin. Jaw line. Size, position, and shape of the cheekbones. During the process of facial recognition, various physical characteristics of the face, such as the shape, infrared patterns of facial heat emission, facial expressions, and the hair, are captured. Most facial recognition systems require the user to be stationary while the image is captured. In some systems that are based on a real-time process, the head and face are automatically detected. Facial recognition involves identifying facial statistics. The geometry of the face is identified in various dimensions (2D, 3D, ...). This process identifies: Skin pattern recognition: Visual Skin Print. Facial thermogram: Uses an infrared camera to map face temperatures. Smile: Recognises the wrinkle changes when smiling.

Why penetration testing?

Identify the threats facing an organization's information assets. Reduce an organization's expenditure on IT security and enhance Return On Security Investment (ROSI) by identifying and remediating vulnerabilities or weaknesses. Provide assurance with a comprehensive assessment of an organization's security, including policy, procedure, design, and implementation. Gain and maintain certification to an industry regulation (BS7799, HIPAA, etc.). Adopt best practices in compliance with legal and industry regulations. Test and validate the efficacy of security protections and controls. Support changing or upgrading the existing infrastructure of software, hardware, or network design. Focus on high-severity vulnerabilities and emphasize application-level security issues to development teams and management. Provide a comprehensive approach to the preparation steps that can be taken to prevent upcoming exploitation. Evaluate the efficacy of network security devices such as firewalls, routers, and web servers.

FAT VS NTFS

File Allocation Table (FAT) Source: http://searchexchange.techtarget.com A File Allocation Table (FAT) is a table that an operating system maintains on a hard disk that provides a map of the clusters (the basic units of logical storage on a hard disk) in which a file has been stored. When you write a new file to a hard disk, the file is stored in one or more clusters that are not necessarily next to each other; they may be rather widely scattered over the disk. Features: Available in versions such as FAT12, FAT16, and FAT32. Supported in all versions of Windows operating systems. Does not support long file names. Does not support large storage media. Does not support file system recovery. New Technology File System (NTFS) Source: http://searchwinit.techtarget.com NTFS (NT file system; sometimes New Technology File System) is the file system that the Windows NT operating system uses for storing and retrieving files on a hard disk. NTFS is the Windows NT equivalent of the Windows 95 file allocation table (FAT) and the OS/2 High Performance File System (HPFS). Features: NTFS is the only available version. Supported on all operating systems after Windows 2000. Supports long file names. Supports large storage media. Supports file system recovery.

Firewall identification : firewalking

Firewalking is a method used to collect information about remote networks behind firewalls. It probes ACLs on packet filtering routers/firewalls using the same method as tracerouting. Firewalking involves sending TCP or UDP packets into the firewall with a TTL value one hop greater than the targeted firewall. If the packet makes it through the gateway, the system forwards it to the next hop, where the TTL equals one and prompts an ICMP error message at the point of rejection with a "TTL exceeded in transit" message. Using this method, possible access through the firewall can be determined if successive probe packets are sent. Firewalk is a well-known application used for firewalking. It has two phases: a network discovery phase and a scanning phase. It requires three hosts: Firewalking Host: The firewalking host is the system outside the target network, from which the data packets are sent to the destination host to gain more information about the target network. Gateway Host: The gateway host is the suspected firewall system on the target network, through which the data packet passes on its way to the target network. Destination Host: The destination host is the target system on the target network to which the data packets are addressed.

Firewall architecture

Firewall architecture consists of three elements: Bastion Host: The bastion host is designed for defending the network against attacks. It acts as a mediator between the inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attack. Screened Subnet: A screened subnet is a protected network created with a two- or three-homed firewall behind a screening firewall, and is a name commonly used to refer to the DMZ. When using a three-homed firewall, connect the first interface to the Internet, the second interface to the DMZ, and the third to the intranet. The advantage of screening a subnet away from the intranet is that public requests can be responded to without allowing traffic into the intranet. A disadvantage with the three-homed firewall is that if it is compromised, both the DMZ and the intranet can also be compromised. A safer technique is to use multiple firewalls to separate the Internet from the screened subnet (DMZ), and then to separate the DMZ from the intranet. Multi-homed Firewall: A multi-homed firewall is a node with multiple NICs that connects to two or more networks. Connect each interface to a separate network segment, logically and physically. A multi-homed firewall helps in increasing the efficiency and reliability of an IP network. In the multi-homed firewall, more than three interfaces are present, which allows further subdividing the systems based on the specific security objectives of the organization. However, the model that adds depth of protection is the back-to-back firewall.

Digital evidence examination process step 2: evidence acquisition

For the acquisition of evidence, all the actions and outcomes of the previous phases of the digital evidence examination process should be determined. A document should contain the information of each step performed in the evidence assessment phase, such as the starting point, findings, and final report. Documentation that helps in preparing for evidence acquisition includes: The impact of the computer crime incident on the organization's business. A complete network topology diagram that shows the affected computer systems and gives complete information about how those computer systems are affected. Complete records of interviews with users and network or system administrators. Results of any legal or third-party interactions, if involved. A complete report of the outcomes of the tools used during the evidence assessment phase. A proposed course of action.

Digital evidence examination process step 4: evidence examination

Forensic principles should be enforced when examining digital evidence. Depending on the type of case and the media involved, the corresponding examination methodology is used, and those who conduct examinations must be properly trained. When conducting an examination, use accepted forensic procedures and avoid working on the original evidence.
1. Preparation: prepare a working directory (or directories) on separate media, to which evidentiary files and data can be recovered or extracted.
2. Extraction: there are two types of extraction, physical and logical. Physical extraction identifies and recovers data across the entire physical drive without regard to the file system (for example, keyword searches or file carving over all sectors, including unallocated space). Logical extraction identifies and recovers files and data based on the installed operating system(s), file system(s), and/or application(s).

When do we use computer forensics

Computer forensics is used when:
1. A breach of contract occurs.
2. Copyright or intellectual property theft/misuse happens.
3. There are employee disputes.
4. Resources are damaged.

Gathering volatile evidence on windows

Gathering volatile data is a crucial part of computer forensics. Volatile data describes the current state of the machine (registers, caches, memory contents, network connections) and exists only while the system is powered: whenever power is lost, that information is gone. Non-volatile data, by contrast, survives a power cut. When a Windows-based system is investigated for evidence and relevant facts, several steps are needed to collect the volatile data. The important areas to look at are: registers, caches, physical and virtual memory, network connections, running processes, and the state of the disk. External devices associated with the computer should also be considered: floppy, tape, CD-ROM, and printing activity. All gathered data should be saved to removable media, which can be taken offline and stored securely (for example, in a locker) at another location. According to RFC 3227, the order of volatility, from most to least volatile, is:
1. Registers, cache
2. Routing table, ARP cache, process table, kernel statistics, memory
3. Temporary file systems
4. Disk
5. Remote logging and monitoring data that is relevant to the system in question
6. Physical configuration, network topology
7. Archival media

VPN deployment

Generally, a VPN can be deployed in two ways.
LAN-to-LAN (site-to-site) VPNs connect two office LANs via the Internet. Each remote office has its own Internet connection, and a VPN gateway device is usually installed at each office between the inside and outside parts of the LAN, next to the Internet router. The VPN gateway often also acts as the firewall protecting the LAN. It encrypts only the packets destined for the other office, not those forwarded to the Internet at large.
Remote access VPNs connect an individual remote user to a central LAN site through the Internet. Encryption of packets destined for the central site is provided by client software on the user's computer, and a VPN gateway device at the central site terminates the tunnel.
The technical foundation of VPNs is extensive. The current paradigm for VPN connectivity is IPSec, which provides a channel for negotiating key exchange and choosing encryption methods. To reduce the complexity of IPSec, several newer standards have emerged.

What is a penetration testing?

Hacking is the ability to invent previously unknown ways of doing things. In this context, advocating a specific methodology to simulate a real-world hack might come across as a contradiction. The reason behind advocating a methodology in penetration testing arises from the fact that most hackers follow a common underlying approach when it comes to penetrating a system. Penetration test (or "pen-testing") exposes the gaps in the security model of an organization and helps organizations reach a balance between technical prowess and business functionality from the perspective of potential security breaches. This can help in disaster recovery and business continuity planning. It simulates methods used by intruders to gain unauthorized access to an organization's networked systems and then compromise them. It involves using proprietary and open-source tools to conduct the test. Apart from automated techniques, penetration testing involves manual techniques for conducting targeted testing on specific systems to ensure that there are no security flaws that previously might have gone undetected. In the context of penetration testing, the tester is limited by resources: namely, time, skilled resources, and access to equipment as outlined in the penetration testing agreement. Penetration testing involves an active analysis of system configurations, design weaknesses, network architecture, technical flaws, and vulnerabilities. On completion of the penetration testing process, pen-testers deliver a comprehensive report with details of vulnerabilities discovered and suite of recommended countermeasures to the executive, management, and technical audiences. A penetration tester is different from an attacker only by intent, lack of malice, and authorization. Incomplete and unprofessional penetration testing can result in a loss of services and disruption of business continuity. Therefore, employees or external experts must not conduct pen-tests without proper authorization. 
The management of the client organization should provide clear written permission to perform penetration testing. This approval should include a clear scope, a description of what to test, and when the testing will take place. Because of the nature of pen-testing, failure to obtain this approval might result in committing a computer crime, despite one's best intentions.

Introduction to IPSec Protocol

IP Security (IPSec) is a suite of protocols devised by the Internet Engineering Task Force (IETF) to secure the exchange of data packets at the IP layer. It is widely deployed to build virtual private networks: it can serve as a complete VPN solution on its own, or as the encryption scheme within L2TP (L2TP/IPSec). IPSec operates at the network layer of the OSI model. It supports two modes, Transport and Tunnel. Transport mode protects only the payload of each packet and leaves the original IP header in place. The more secure Tunnel mode protects the entire original packet, header and payload, and wraps it in a new IP header; it is the mode normally used between gateways. On the receiving side, an IPSec-compliant device authenticates and decrypts each packet. For this to work, the sending and receiving devices must agree on shared keys. This is accomplished through the Internet Security Association and Key Management Protocol with the Oakley key determination protocol (ISAKMP/Oakley, the basis of IKE), which lets the peers exchange keying material and authenticate each other, for example with digital certificates. Its two main protocols are AH (Authentication Header), which provides integrity and origin authentication, and ESP (Encapsulating Security Payload), which provides confidentiality and, optionally, integrity.

IP Address Spoofing

IP spoofing is a technique in which an attacker forges the source IP address in packet headers, usually to hide his or her identity or to impersonate a trusted host. The attacker picks (or harvests) an IP address to impersonate and alters the packet headers accordingly. Because the receiver has no way to verify the source field, anything that grants trust on the basis of the source address alone (host-based access lists, IP whitelists) is exposed; the network-side countermeasure is ingress/egress filtering, which drops packets whose source address does not belong to the network they come from. Related spoofing attacks redirect users to a fraudulent web page (by hijacking the browser or poisoning name resolution), where the misled user enters sensitive information such as a credit card number or password.
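To make the point concrete, here is an added example (not from the original card) that builds an IPv4 header in Python with whatever source address the sender chooses, verifies the header checksum the way a receiving stack does, and shows the egress filter check that is the network-side countermeasure. The addresses are documentation ranges picked for the example, and nothing is put on the wire: the header is only constructed and parsed in memory.

```python
import ipaddress
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.
    Over a header that already carries its checksum, the result is 0 when it verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 6, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header. The source address is just a field the sender
    fills in; nothing in the header binds it to the real origin."""
    version_ihl = (4 << 4) | 5               # IPv4, header length 5 x 32-bit words
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s",
                      version_ihl, 0, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ip_checksum(hdr)                  # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """What a receiver can actually check: field layout and checksum, not who really sent it."""
    f = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {
        "src": socket.inet_ntoa(f[8]),
        "dst": socket.inet_ntoa(f[9]),
        "ttl": f[5],
        "proto": f[6],
        "checksum_ok": ip_checksum(hdr[:20]) == 0,
    }


def egress_filter_allows(src: str, local_net: str) -> bool:
    """BCP 38 style rule at the network edge: a packet may leave only if its source
    address belongs to the local prefix. This is what stops spoofed packets at the source."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(local_net, strict=False)
```

A spoofed header passes every check the receiver can make, which is why the filter has to live at the edge of the network that originates the traffic, not at the victim.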

Tools used in firewalls

IPSentry: monitoring software that continuously watches your network infrastructure and triggers alerts, notifications, and corrective actions. Its feature set is grouped into monitoring features, general features, alerting and notification features, statistics and reporting features, and support and maintenance.

Web applications countermeasures 2

Implement the following countermeasures against insufficient transport layer protection, directory traversal, and cookie/session poisoning attacks on web applications.
Insufficient Transport Layer Protection: Insufficient transport layer protection allows attackers to obtain unauthorized access to sensitive information and to perform attacks such as account theft, phishing, and compromise of admin accounts. Encrypt all communication between the website and the client (TLS on every page and request, not only the login page) to prevent attacks that exploit insufficient transport layer protection.
Directory Traversal: Directory traversal lets attackers use crafted HTTP requests (typically "../" sequences, possibly URL-encoded) to reach restricted directories and read files or execute commands outside the web server's root directory. Developers must validate and canonicalize user-supplied paths before use and configure the web application and its server with appropriate file and directory permissions.
Cookie/Session Poisoning: Browsers use cookies to maintain session state. Cookies also contain sensitive, session-specific data (e.g. user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs). Attackers engage in cookie/session poisoning by modifying data in the cookie to gain escalated access or otherwise maliciously affect a user session. Developers must follow secure coding practices to protect web applications against such poisoning attacks and must use proper session-token generation mechanisms that issue random, unpredictable session IDs.

Web applications countermeasures 3

Implement the following countermeasures against security misconfiguration, LDAP injection, and file-injection attacks on web applications.
Security Misconfiguration: Security misconfiguration makes web applications vulnerable and may give attackers access to the application, to its files, and to other application-controlling functions. Harden and review the configuration of the server, frameworks and application components, and remove defaults that are not needed.
LDAP Injection: An LDAP injection attack is similar to SQL injection: unvalidated user input is used to build LDAP queries, so an attacker can change the structure of the filter. Executing such a crafted query can disclose information such as usernames and passwords and grant the attacker unauthorized access or administrative privileges. Escape or reject LDAP filter metacharacters in user input and build filters from validated parameters, never by plain string concatenation.
File Injection: Attackers use scripts to inject malicious files into the server, exploiting vulnerable parameters to execute malicious code. This kind of attack enables data theft and data manipulation and can give attackers persistent control of the server. Never pass user input into file-inclusion or file-path parameters unvalidated.
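The LDAP injection point above, as an added Python example (not code from the original card): a login filter built by raw interpolation next to one built with RFC 4515 escaping, plus a structural sanity check. The directory schema (uid and userPassword attributes) and the injection payload are assumptions for the example.

```python
def ldap_escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so user input cannot alter the filter's structure.
    The five metacharacters and every non-ASCII character are written as \\XX of their UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in "\\*()\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


LOGIN_TEMPLATE = "(&(uid=%s)(userPassword=%s))"   # assumed directory schema


def unsafe_login_filter(username: str, password: str) -> str:
    """Vulnerable: raw string interpolation, the LDAP analogue of concatenated SQL.
    A username of '*)(uid=*))(|(uid=*' turns the filter into something that matches everyone."""
    return LOGIN_TEMPLATE % (username, password)


def safe_login_filter(username: str, password: str) -> str:
    """Hardened: every user-controlled value is escaped before it reaches the filter,
    so parentheses and wildcards from the attacker are literal characters, not syntax."""
    return LOGIN_TEMPLATE % (ldap_escape_filter_value(username),
                             ldap_escape_filter_value(password))


def count_clauses(ldap_filter: str) -> int:
    """Number of filter components. Escaped parentheses are written '\\28' and '\\29', so
    every literal '(' opens a real clause. The login filter must have exactly 3 (the AND
    plus two assertions); more means user input has leaked into the filter syntax."""
    return ldap_filter.count("(")
```

Escaping closes the injection, but comparing userPassword inside a search filter is itself a weak design: the usual practice is to look up the user's DN with an escaped filter and then authenticate with an LDAP bind as that DN.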

Incident Response

Incident response is the process of responding to incidents that have occurred due to a security breach in a system or network. It plays a major role once the security of the system is compromised. The goal of incident response is to handle incidents in a way that minimizes damage and reduces recovery time and cost, by:
1. Responding to incidents systematically so that the appropriate steps are taken.
2. Helping personnel recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services.
3. Using information gathered during incident handling to prepare for future incidents and to provide stronger protection for systems and data.
4. Dealing properly with legal issues that may arise during incidents.

Why there is a need for incident response?

Incident response is needed to identify attacks or incidents that have compromised the personal and business information held in a system. Its main purpose is to minimize the loss of life and property and to recover from a security incident in the shortest possible time. An incident must be handled through a systematic process: that process ensures the organization can carry out the steps required to handle the incident, preserve evidence for criminal proceedings, and prosecute the perpetrators.

Volatile Information

Investigators are very interested in volatile information, which is lost the moment power is removed from the system. It usually lives in physical memory (RAM) and consists of information about processes, network connections, the contents of the clipboard, and so on; together it describes the state of the system at the moment it was handed to the investigator. When performing live response, one of the first things to collect is the contents of RAM. Locard's Exchange Principle explains why: every tool the investigator runs afterwards is itself loaded into memory and modifies its contents, so capturing RAM first minimizes that impact. Specific volatile information to collect includes:
1. System time
2. Logged-on user(s)
3. Open files
4. Network information
5. Network connections
6. Process information
7. Process-to-port mapping
8. Process memory
9. Network status
10. Clipboard contents
11. Service/driver information
12. Command history
13. Mapped drives
14. Shares

Fingerprint-Based authentication

Fingerprint recognition is a popular biometric technology, long used for criminal identification. It uses a scanning device to capture the fingerprint. Scanners are of two types:
1. Optical scanners acquire a visual image of the fingerprint.
2. Capacitance scanners use a semiconductor sensor array to measure the electrical field between the sensor and the ridges and valleys of the finger, producing an image of the fingerprint.
The skin on the finger is made of a series of friction ridges, with pores (sweat glands) and minutiae points. The friction ridge pattern stays the same throughout a person's lifetime, changing only in size. The captured fingerprint (or a template derived from it) is stored in a computer database; every day innumerable fingerprints are stored for purposes including forensics, access control, and driver license registration. Identity is verified by matching the presented fingerprint against the one stored in the database. Fingerprint identification is now as commonplace as automatic teller machines and security locks. Matching techniques are of two kinds:
Minutiae-based: identifies the minutiae points (ridge endings and bifurcations) and maps their positions relative to one another. Its drawback is that a low-quality fingerprint makes it difficult to extract the minutiae points.
Correlation-based: compares the fingerprint images directly by superimposing them and measuring their correlation. Its limitation is that it requires a registration point to be specified and is disturbed by image translation and rotation.

application-level firewall

An application-level firewall is also called a proxy server. It works at the application layer, the top of the OSI model, and acts as a special-purpose computer that runs a proxy service for each application permitted to pass through it. Once a packet is received, its headers are stripped, the contents are verified, and a new set of packets is formed on a new connection to the target host, so no client packet ever reaches the server directly. Its advantages and limitations:
Advantages:
1. It provides good security.
2. It can be configured to allow or deny specific commands or content formats within a protocol.
3. It provides full application layer awareness.
Disadvantages:
1. It breaks the client-server model (the client talks to the proxy, not to the server).
2. It has restricted application support: each protocol needs its own proxy.
3. Privacy is hard to achieve, because the proxy sees all application content.

CSIRT steps to handle cases

1. Keep a log book: keep written records of security breach incidents, including the date and time of occurrence and the names of the programs, systems, or networks affected.
2. Maintain a list of contacts: ISO, CSO, CSA, Security/Duty Office, etc.
3. Inform stakeholders: it is very important to inform the appropriate people who might be affected by the incident.
4. Release information: provide accurate information, especially when the news media is involved.
5. Follow-up analysis: after the incident has been handled successfully, give management a set of recommendations to prevent future incidents.

Types of Honeypots

Low-interaction honeypot:
1. Works by emulating services and programs that would be found on an individual's system.
2. If the attacker does something the emulation does not expect, the honeypot simply returns an error.
3. Captures limited information, mainly transactional data and some limited interaction.
Examples: Specter, Honeyd, and KFSensor.
High-interaction honeypot:
1. An entire system or network of computers, providing a controlled area in which attackers interact with real applications and programs.
2. Relies on border devices to control traffic, so that attackers can get in but outbound activity is tightly controlled.
3. Captures far more information, including new tools, communications, and attacker keystrokes.
Examples: Symantec Decoy Server and honeynets.
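The low-interaction behaviour described above, as an added Python example (not code from the card or from any of the products it names): a fake FTP service that emulates only a handful of verbs, records the transactional data and any credentials tried, and answers everything else with a generic error, exactly the trade-off a low-interaction honeypot makes. The banner text and the listening port are assumptions for the example.

```python
import socketserver
import time
from typing import List, Optional, Tuple

BANNER = b"220 (vsFTPd 3.0.3)\r\n"   # emulated banner; the version string is an assumption


class FakeFtpSession:
    """Emulates just enough FTP to collect credentials and commands. Anything outside the
    emulation gets a generic 500, so a determined attacker soon notices the shallowness."""

    def __init__(self, peer: str) -> None:
        self.peer = peer
        self.user: Optional[str] = None
        self.creds: List[Tuple[str, str]] = []           # (user, password) pairs attempted
        self.log: List[Tuple[float, str, str, str]] = []  # (time, peer, command, response)

    def handle(self, raw: bytes) -> bytes:
        line = raw.rstrip(b"\r\n").decode("latin-1", "replace")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            resp = b"331 Please specify the password.\r\n"
        elif verb == "PASS":
            if self.user is not None:
                self.creds.append((self.user, arg))       # capture, never grant access
            resp = b"530 Login incorrect.\r\n"
        elif verb == "SYST":
            resp = b"215 UNIX Type: L8\r\n"
        elif verb == "QUIT":
            resp = b"221 Goodbye.\r\n"
        else:
            resp = b"500 Unknown command.\r\n"            # the emulation ends here
        self.log.append((time.time(), self.peer, line, resp.decode().strip()))
        return resp


class FtpHoneypotHandler(socketserver.StreamRequestHandler):
    """One TCP connection = one FakeFtpSession; the transcript is printed when it closes."""

    def handle(self) -> None:
        session = FakeFtpSession(self.client_address[0])
        self.wfile.write(BANNER)
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            resp = session.handle(raw)
            self.wfile.write(resp)
            if resp.startswith(b"221"):
                break
        for ts, peer, cmd, resp in session.log:
            print("%.0f %s %r -> %s" % (ts, peer, cmd, resp))
        for user, password in session.creds:
            print("credential attempt from %s: %r / %r" % (session.peer, user, password))


if __name__ == "__main__":
    # Unprivileged port assumed for the example; forward tcp/21 to it at the border device.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2121), FtpHoneypotHandler) as srv:
        srv.serve_forever()
```

Because the session logic is separate from the socket handling, the emulation can be exercised and tested without opening a port, which is also how new verbs would be added.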

Incident Categories

Low-level incidents are the least harmful and should be handled within one working day. They can be identified by the following symptoms:
1. Loss of a personal password.
2. Unsuccessful scans and probes of the network.
3. Requests to review security logs.
4. Presence of a computer virus or worm.
5. Failure to download antivirus signatures.
6. Suspected sharing of the organization's accounts.
7. Minor breaches of the organization's acceptable usage policy.
8. Compromise of a system password.
9. Unknown sharing of the company's accounts.
10. Misuse of computer peripherals.
Middle-level incidents are more serious and should be handled within a few hours on the day they occur. They are identified by the following symptoms:
1. Inactive external/internal unauthorized access to systems.
2. Access violations when attempting to access computer or network equipment as a superuser.
3. Unauthorized storing and processing of data.
4. Destruction of property related to a computer incident.
5. Localized worm/virus outbreak.
6. Personal theft of data related to a computer incident.
7. Computer viruses or worms of comparatively larger intensity.
8. Illegal access to physical buildings.
9. Breach of the organization's acceptable usage policy.
High-level incidents are the most severe and must be handled immediately; their severity can threaten the company's business operations. The following are generally identified as high-level incidents:
1. DoS attacks.
2. Suspected break-in to any company computer.
3. Presence of harmful viruses, worms, and Trojan horses that can lead to serious corruption or loss of data.
4. Unauthenticated modifications to system hardware, firmware, or software.
5. Personal theft exceeding $100,000 and illegal electronic fund transfer or download/sale.

Message Digest Function (MD5)

MD2, MD4, and MD5 are message-digest algorithms used in digital signature applications to compress a document securely before it is signed with a private key. The input message can be of any length, but the resulting message digest is always 128 bits. The structures of the three algorithms appear similar, although the design of MD2 differs considerably from MD4 and MD5: MD2 was designed for 8-bit machines, while MD4 and MD5 target 32-bit machines. The algorithm pads the message with extra bits so that its length is a multiple of 512 bits; the padding ends with a 64-bit field holding the length of the original message in bits. Attacks on MD4 have become increasingly successful: research has shown that collisions for the full MD4 can be found in under a minute on a typical PC. MD5 is slightly stronger but slower than MD4, with the same digest size and padding requirements. MD5 is a widely used cryptographic hash function that takes a message of arbitrary length as input and outputs a 128-bit (16-byte) fingerprint, or message digest. It has been used in a wide variety of cryptographic applications, including digital signatures, file integrity checking, and password storage. However, MD5 is not collision resistant (collisions can now be generated in seconds on commodity hardware), so it must not be used for signatures or anywhere else collisions matter, and it is far too fast to be a password hash; use current algorithms such as SHA-2 and SHA-3 for hashing, and a dedicated password-hashing function for passwords.

Audio Steganography: DeepSound

Source: http://jpinsoft.net
DeepSound allows you to hide any kind of secret data in audio files (WAV and FLAC). You can use it to embed a secret message in an audio file and, at the receiving end, to extract secret files directly from audio CD tracks. It can also encrypt the secret files, adding a second layer of protection. To access the data in a carrier file, browse to its location with the DeepSound file browser and right-click the audio file to extract the secret file(s).

Message Digest Function: MD5

To judge how well a hash function randomizes its input, compare the digests of minimally different messages. The following are examples of minimally different messages and their MD5 digests (echo appends a newline, so the trailing newline is part of each hashed input):
echo "There is CHF1500 in the blue bo" | md5sum
e41a323bdf20eadafd3f0e4f72055d36
echo "There is CHF1500 in the blue box" | md5sum
7a0da864a41fd0200ae0ae97afd3279d
echo "There is CHF1500 in the blue box." | md5sum
2db1ff7a70245309e9f2165c6c34999d
Even minimally different texts produce radically different MD5 digests (the avalanche effect).
Quick Checksum Verifier Source: http://www.bitdreamers.com Checksum Verifier generates and checks file integrity by secure time-proven algorithms like MD5 and SHA-1. One can create checksums (the digital fingerprints) of files and verify their integrity in the future.

Why MD5 Calculation?

MD5 processes a variable-length message into a fixed-length output of 128 bits. The input is consumed in 512-bit blocks (sixteen 32-bit little-endian words), so the message is first padded to a length that is a multiple of 512 bits. The padding works as follows: first, a single 1 bit is appended to the end of the message; it is followed by as many 0 bits as are needed to bring the length to 64 bits short of a multiple of 512; the remaining 64 bits are filled with a little-endian integer giving the length of the original message in bits. Padding is always applied, even when the message length is already a multiple of 512. The main MD5 algorithm operates on a 128-bit state divided into four 32-bit words, denoted A, B, C, and D, which are initialized to fixed constants. The algorithm then processes each 512-bit block in turn, and each block modifies the state. Processing a block consists of four similar stages, called rounds; each round is composed of 16 similar operations based on a non-linear function F (a different one in each round), modular addition, and left rotation. After the last block, the concatenation of A, B, C, and D is the digest.

Digital evidence examination process step 5: documenting the evidence

Maintaining a record of the digital evidence examination is a continuous process: at the time of examination, each step must be suitably verified and written down. The forensic examiner is responsible for documenting his or her findings and the results of the forensic investigation. The report should be written while the examination is under way, and its presentation should be consistent with departmental policies. All documents in the report should be complete, correct, and comprehensive: the examiner documents every step taken during the investigation and closes with a brief summary of all findings and results.

Exploring Microsoft File Structures: Cluster

Many personal computers run Microsoft-compatible software. When a Windows system is examined for forensic evidence, the examiner has to explore the hidden places to determine whether files, or parts of files, might serve as evidence of a crime or policy violation. In Microsoft file structures, sectors (the smallest physical units of storage on the disk) are grouped to create a cluster. A cluster is the smallest amount of space the operating system allocates to hold a file, so a file rarely fills its last cluster exactly; the unused remainder (slack space) can still hold fragments of previously deleted data, which is one of those hidden places. Cluster sizes may be 512, 1024, 2048, 4096, or more bytes; there is no single default size. The number of sectors per cluster varies with the size of the disk: a double-sided floppy has one sector per cluster, while a hard disk has four or more. Cluster numbering starts at two, because the beginning of the volume holds the system area: the boot record and the file structure database (the FAT on FAT volumes). Cluster numbers are assigned by the operating system and are called logical addresses; sector numbers are called physical addresses because they are handled at the firmware or hardware level.
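An added example (not from the original card) that turns the cluster description into something that runs: a FAT12/16 boot sector is constructed in memory, its BIOS Parameter Block is parsed to find where cluster 2 begins, a logical cluster number is translated to a physical sector address, and the slack space left by a file is computed. The boot sector values are those of a 1.44 MB floppy (one sector per cluster, as the card says); the layout offsets are the standard FAT BPB fields.

```python
import struct

BPB_FORMAT = "<HBHBHHBH"   # bytes/sector, sectors/cluster, reserved sectors, FAT count,
                           # root entries, total sectors, media byte, sectors/FAT
BPB_OFFSET = 11            # the BPB starts right after the 3-byte jump and 8-byte OEM name


def make_fat_boot_sector(bytes_per_sector: int = 512, sectors_per_cluster: int = 1,
                         reserved_sectors: int = 1, num_fats: int = 2,
                         root_entries: int = 224, sectors_per_fat: int = 9,
                         total_sectors: int = 2880) -> bytes:
    """Constructed FAT12 boot sector; the defaults describe a 1.44 MB double-sided floppy."""
    bs = bytearray(512)
    bs[0:3] = b"\xeb\x3c\x90"          # jump over the BPB to the boot code
    bs[3:11] = b"MSWIN4.1"             # OEM name
    struct.pack_into(BPB_FORMAT, bs, BPB_OFFSET, bytes_per_sector, sectors_per_cluster,
                     reserved_sectors, num_fats, root_entries, total_sectors, 0xF0,
                     sectors_per_fat)
    bs[510:512] = b"\x55\xaa"          # boot sector signature
    return bytes(bs)


def parse_bpb(boot_sector: bytes) -> dict:
    """Read the BIOS Parameter Block and derive where the data area (cluster 2) begins."""
    if boot_sector[510:512] != b"\x55\xaa":
        raise ValueError("not a boot sector: signature 0x55AA missing")
    (bps, spc, reserved, nfats, root_entries,
     total_sectors, _media, spf) = struct.unpack_from(BPB_FORMAT, boot_sector, BPB_OFFSET)
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps   # 32-byte directory entries
    data_start = reserved + nfats * spf + root_dir_sectors    # system area precedes cluster 2
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_bytes": bps * spc,
        "data_start_lba": data_start,
        "total_sectors": total_sectors,
    }


def cluster_to_lba(cluster: int, bpb: dict) -> int:
    """Logical address (cluster number) to physical address (sector). Numbering starts at 2."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved for the system area")
    return bpb["data_start_lba"] + (cluster - 2) * bpb["sectors_per_cluster"]


def allocation(file_size: int, cluster_bytes: int) -> dict:
    """Clusters consumed by a file and the slack space left unused in its final cluster."""
    clusters = -(-file_size // cluster_bytes)     # ceiling division
    return {"clusters": clusters, "slack_bytes": clusters * cluster_bytes - file_size}
```

On the floppy geometry used here the system area is 1 reserved sector + 2 FATs of 9 sectors + 14 root directory sectors, so cluster 2 lands at sector 33; the same arithmetic, with different BPB values, locates any cluster on a FAT hard disk image.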

Rules of forensic investigation

1. Minimize the need to examine the original evidence (work on verified copies).
2. Follow the rules of evidence.
3. Do not tamper with the evidence.
4. Always prepare for a chain of custody.
5. Handle evidence with care.
6. Never exceed your knowledge base.
7. Document any change in the evidence.

Application Logs

Most of the information in program event logs is controlled by application logs; software is often written so that the application itself decides which events are recorded. Application logs typically contain:
1. Client requests and server responses: useful for reconstructing the sequence of events and determining the outcome. When the application logs successful user authentication, the user who made each request can be identified. Examples include an email server recording sender and receiver information and attachment names, a web server logging requested URLs and response types, and business applications recording which financial data each user accessed.
2. Account information: details of authentication attempts, successful or failed, used to look for security events such as password guessing, brute force, and privilege escalation. It can also show which applications a person used and when.
3. Usage information: the number and size of transactions in a given period, used for security monitoring. For example, a tenfold increase in email activity suggests an email-borne threat, and an unusually large outbound email message suggests an inappropriate release of information.
4. Significant operational actions: application startup and shutdown, configuration changes, and application failures, which help detect security compromises and operational failures.
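The two usage-information signals named above (a tenfold jump in email volume and an oversized outbound message), run as detection logic over a constructed sample log. This is an added Python example, not code or data from the original page; the log line format and the 25 MB size limit are assumptions made for the example.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed MTA-style application log lines (not real data): one record per delivered message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) size=(?P<size>\d+) status=(?P<status>\S+)$"
)


def build_sample_log() -> List[str]:
    """Two quiet hours, one oversized outbound message, then a 20-message burst from one account."""
    lines = [
        "2024-05-06T09:00:12 from=alice@example.com to=bob@example.org size=4210 status=sent",
        "2024-05-06T09:14:40 from=carol@example.com to=dave@example.org size=18822 status=sent",
        "2024-05-06T10:03:05 from=alice@example.com to=erin@example.org size=3020 status=sent",
        "2024-05-06T10:41:59 from=bob@example.com to=partner@example.net size=52428800 status=sent",
    ]
    for i in range(20):   # the kind of burst an email-borne worm produces
        lines.append("2024-05-06T11:%02d:30 from=frank@example.com to=victim%d@example.org "
                     "size=1200 status=sent" % (i, i))
    return lines


def parse_lines(lines: List[str]) -> List[dict]:
    records = []
    for ln in lines:
        m = LINE_RE.match(ln.strip())
        if m:                                 # malformed lines are skipped, not guessed at
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records


def hourly_volume(records: List[dict]) -> Dict[str, int]:
    """Messages per hour, keyed by 'YYYY-MM-DDTHH'."""
    return dict(Counter(r["ts"][:13] for r in records))


def volume_spikes(volume: Dict[str, int], factor: int = 10) -> List[str]:
    """Hours whose count is at least `factor` times the median of the other hours: the 'tenfold' rule."""
    flagged = []
    for hour in sorted(volume):
        others = sorted(v for k, v in volume.items() if k != hour)
        if not others:
            continue
        median = others[len(others) // 2]
        if median > 0 and volume[hour] >= factor * median:
            flagged.append(hour)
    return flagged


def oversized_outbound(records: List[dict], local_domain: str, limit_bytes: int) -> List[dict]:
    """Messages leaving the local domain that exceed the size limit: the data-release signal."""
    return [r for r in records
            if r["from"].endswith("@" + local_domain) and r["size"] > limit_bytes]
```

Comparing each hour against the median of the others, rather than against a fixed threshold, keeps the rule usable across sites of very different size; the median is also what stops the spike hour from inflating its own baseline.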

Video Steganography: OmniHide PRO

Source: http://omnihide.com
OmniHide PRO allows you to hide any secret file within an innocuous image, video, music file, or document. The resulting stego file can be used or shared like a normal file without anyone knowing about the hidden content, keeping the secret file away from prying eyes. A password can be added to the hidden file for extra security. Features: hides files in photos, movies, documents, music, etc.; places no limitation on the type or size of the file you want to hide.

Evading IDS: DoS Attack

Several types of DoS attack work against IDS systems. The attacker identifies a point in the network-processing path that requires the allocation of a resource and creates a condition that consumes all of that resource. The resources that can be exhausted are CPU cycles, memory, disk space, and network bandwidth.
CPU: An IDS spends CPU cycles reading packets, determining what they are, and comparing them with saved network state. An attacker can identify the most computationally expensive processing operations and then force the IDS to spend all of its time doing useless work.
Memory: An IDS needs memory for many things: pattern matching, tracking TCP connections, maintaining reassembly queues, and buffering data. It needs memory just to read packets in, and it allocates more for each network-processing operation. An attacker can identify the operations that require the IDS to allocate memory and force it to spend all of its memory on meaningless state.
Disk: An IDS stores its event logs on disk, and disk space is finite. By generating and storing a large number of useless events, an attacker can fill the disk, leaving the IDS unable to record real events.
Network bandwidth: Network IDS systems record activity on the networks they monitor. They can keep up only because networks are rarely used to full capacity; few monitoring systems can cope with an extremely busy network. Unlike an end system, the IDS must read everyone's packets, not just those sent to it, so an attacker can flood the network with meaningless traffic and prevent the IDS from keeping up with what is actually happening.
Many IDSes today use a central logging server dedicated to storing alert logs, so that alert data can be viewed as a whole rather than system by system. If attackers learn the central log server's IP address, they can slow it down or crash it with a DoS attack; once the server is down, subsequent attacks go unnoticed because alert data is no longer logged.

NAS(Network Attached Storage)

NAS is a file-based data storage service: a dedicated computer appliance shared over the network. It is a high-performance file server optimized for storing, retrieving, and serving files, running a proprietary or open-source operating system tuned for that purpose.
Advantages:
1. Users with different operating systems can share files without compatibility issues.
2. NAS can be connected to the LAN in plug-and-play fashion.
3. Minimal administration compared with a Unix or NT file server.
4. Centralized usage; cheaper backup and maintenance than a SAN.
5. Quicker response than DAS (Direct Attached Storage).
Disadvantages:
1. The network gets clogged by applications that need intensive data transfer.
2. Data transfer is less efficient (it uses TCP/IP rather than a specialized storage protocol).
3. Storage service guarantees cannot be relied on for mission-critical operations.
4. If administrators do not assign sharing quotas, one user may hog other users' storage space.

NTFS (New Technology File System) architecture

At the time of formatting a volume for the file system, the Master Boot Record is created. It contains executable code called the master boot code and the partition table for the hard disk. When a new volume is mounted, the Master Boot Record runs the executable master boot code, which transfers control to the boot sector on the hard disk; this allows the server to boot the operating system on the file system of that particular volume.
Components of the NTFS architecture:
Hard disk: Contains one or more partitions.
Master Boot Record: Contains the executable master boot code that the computer's BIOS loads into memory; this code scans the Master Boot Record to locate the partition table and find out which partition is active/bootable.
Boot sector: A bootable partition that stores data related to the layout of the volume and the file system structures.
Ntldr: Reads the contents of the Boot.ini file.
Ntfs.sys: The system file driver for NTFS.
Kernel mode: The processing mode that permits executable code to have direct access to all the system components.
User mode: The processing mode in which an executable program or code runs.

Network Forensics

Network forensics is defined as the sniffing, recording, acquisition, and analysis of network traffic and event logs in order to investigate a network security incident. Capturing network traffic is simple in theory but relatively complex in practice, because the amount of data flowing is generally very large and Internet protocols are complex in nature. Recording network traffic involves a lot of resources; it is often not possible to record all the data flowing through the network due to its volume, and the recorded data must be backed up to free the recording media and for future analysis. The analysis of recorded data is the most critical and time-consuming task. Although there are many automated analysis tools that can be used for forensic purposes, they are not sufficient, as there is no foolproof method to distinguish bogus traffic generated by an attacker from genuine traffic. Human judgment is also critical because, with automated traffic analysis tools, there is always a chance of false positives. Network forensics is necessary in order to determine the type of attack over a network and to trace the culprit. A proper investigation process needs to be followed so that the evidence recovered during the investigation can be produced in a court of law.
Forensics can reveal the following information:
Source of security incidents and network attacks
Path of the attack and intrusion techniques used by attackers
Traces and evidence

Evading IDS: obfuscating

Obfuscation means making code harder to understand or read, generally for privacy or security purposes. A tool called an obfuscator converts a straightforward program into one that works the same way but is much harder to understand. A threat can evade an IDS by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. An attacker manipulates the path referenced in the signature to fool a HIDS. Using Unicode characters, an attacker could encode attack packets that the IDS would not recognize but an IIS web server would decode. Polymorphic code is another means of circumventing signature-based IDSes: it creates unique attack patterns so that the attack does not have a single detectable signature. Attackers also perform obfuscated attacks over encrypted protocols such as HTTPS.

Steps to configure Proxy server

1. On the Tools menu in Internet Explorer, click Internet Options.
2. In the Internet Options window, click the Connections tab, and then click LAN Settings.
3. In the LAN Settings dialog box, select the Use a proxy server for your LAN check box in the Proxy server field.
4. In the Address box, type the IP address of the proxy server.
5. In the Port box, type the port number that the proxy server uses for client connections (by default, 80).
6. Optionally, select the Bypass proxy server for local addresses check box if you do not want the proxy server to be used when you connect to a computer on the local network.
7. Click OK to close the LAN Settings dialog box.
8. Click OK again to close the Internet Options window.

Operating System Logs

Operating system logs hold the log records of workstations, servers, and network equipment such as switches, firewalls, hubs, cables, routers, etc. These logs help to examine, classify, and analyze any inappropriate activity related to a specific host. A log also contains information about security software and other backend applications running on the system. After suspicious activity is identified, these logs are used to get more details about it. For instance, if network security equipment identifies an attack against a particular host, the operating system logs give information about which user was logged on at the time of the attack.
Common operating system related logs are as follows:
Event logs: Event logs contain information about operational functions executed by operating system components, such as shutting down the computer system or running a networking service. They let the system administrator know exactly which kinds of security events are occurring on the network. Event logs generally contain information about status, error codes, service name, and account information related to an event.
Audit logs: Audit logs contain complete information about security events, such as successful and failed authentication attempts, file access details, changes to the security policy, and account changes. The operating system allows the system administrator to state which types of security events should be audited, and whether successful and/or unsuccessful attempts to carry out particular actions should be logged.

Popular Linux file system

Linux presents the file system as a single hierarchical tree structure, one single entity. It supports many different file systems and implements a basic set of common concepts that were originally developed for UNIX. Some of the Linux file system types are minix, ext, ext2, ext3, xia, msdos, umsdos, vfat, /proc, nfs, iso9660, hpfs, sysv, smb, and ncpfs. Minix was Linux's first file system. The following are some of the most popular file systems:
Ext (Extended File System): The ext file system was released in April 1992. It was an elaborate extension of the Minix file system. It has a maximum partition size of 2 GB and a maximum file name length of 255 characters, removing the two major Minix limitations of a 64 MB partition size and short file names. Its major limitation was that it did not support separate access, inode modification, and data modification timestamps. It kept an unsorted list of free blocks and inodes, and the file system became fragmented. It was soon replaced by the second extended file system.
Ext2 (Second Extended File System): Ext2 was introduced in January 1993 and extended the features of ext. It improved the algorithms, which greatly enhanced its speed, and maintained additional date stamps. It keeps a special field in the superblock that tracks the status of the file system as clean or dirty; a dirty file system is automatically scanned for errors. It had a maximum file size of 4 TB (1 terabyte is 1024 gigabytes). It was portable to other operating systems because drivers and other tools exist that permit access to ext2 data. Its major shortcomings were that it posed a risk of file system corruption when writing to ext2 and that it was not a journaling file system.
Ext3 (Third Extended File System): The ext3 or third extended file system is a journaling version of the ext2 file system and is widely used in GNU/Linux operating systems. It added a journal, without which the file system is a valid ext2 file system. It can be mounted and used as an ext2 file system, and all the ext2 utilities work with it.

Popular VPN Tunneling Protocols

Point-to-Point Tunneling Protocol (PPTP): PPTP encloses data within PPP packets and encapsulates the PPP packets within IP packets for transfer through an Internet-based VPN tunnel. It supports authentication, encryption, and packet filtering. PPTP authentication utilizes PPP-based protocols such as EAP, CHAP, and PAP. This also assists in packet filtering on VPN servers. The only disadvantage of PPTP is its failure to select a single standard for authentication and encryption.
Layer Two Tunneling Protocol (L2TP): L2TP is a combination of L2F and PPTP, created in an attempt to improve on L2F. L2TP exists at the data link layer of the OSI model.
Internet Protocol Security (IPsec): IPsec is a set of multiple associated protocols that can be used as a complete VPN protocol solution. It can also be used as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer of the OSI model.

Digital evidence examination process step 3: handling digital evidence

Proper handling of digital evidence is important in computer forensics during the preservation and transportation of evidence. The forensic investigator preserves all the evidence that relates to the scene of the crime, and it is his or her responsibility to ensure that the evidence is not tampered with or damaged. To accomplish this, follow these steps for handling digital evidence:
Wear protective latex gloves for all searching and seizing operations at the crime site.
Store the electronic evidence in a secure area and weather-controlled environment.
Use wireless StrongHold bags to block wireless signals from reaching the electronic devices.
Avoid folding and scratching storage devices such as diskettes, DVD-ROMs, and tape drives.
Pack the magnetic media in antistatic packaging.
Protect the electronic evidence from magnetic fields, dust, vibrations, and other factors that may damage its integrity.
Avoid materials that generate static electricity, e.g., standard plastic bags.
Avoid storing electronic evidence in vehicles for long periods.
Ensure that the computers and any other electronic devices are not packed in containers.
Make sure all evidence is kept away from any sources of magnetism or similar sources of power that could affect the integrity of the electronic evidence.

Proxifier

Proxifier is a program that allows network applications that do not support working through proxy servers to operate through an HTTPS or SOCKS proxy or a chain of proxy servers. Proxifier allows you to:
Run any network application through a proxy server. No special configuration is required for the software; the entire process is completely transparent.
Access the Internet from a restricted network through a proxy server gateway.
Bypass firewall restrictions.
"Tunnel" the entire system.
Resolve DNS names through a proxy server.
Use flexible Proxification Rules with hostname and application name wildcards.
Secure privacy by hiding your IP address.
Work through a chain of proxy servers using different protocols.
View information on current network activities in real time.
Maintain log files and traffic dumps.

What are proxy servers?

A proxy server is a server located between a client's application and a real server. It intercepts all requests to the real server to see if it can handle the requests itself; if not, it passes the requests on to the real server. There are many uses for proxy servers. The primary one is to permit internal clients to access the Internet from behind the firewall, so that anyone behind the firewall can access the web with less effort. An HTTP proxy is a special kind of web server. Packet filtering increases the security of the network, and the security of the network can be increased in a number of ways; one technique is to add the services of a proxy server. At first, proxy servers were used to cache commonly visited web pages, to increase network speed and Internet use. They have now become a part of the network security system. The proxy server works at the application layer of the OSI model and can provide services to the network. It acts as a gateway for the packets that pass through it, and it is also called an application gateway. With a properly configured proxy there is no direct point-to-point connection between a client and a server: the proxy server does not allow direct communication, while a packet filter allows such communication. The main difference between a proxy server and a packet filter is that the proxy server can know what application is being used and a packet filter cannot. Based on the function the user is performing, proxy servers can allow or deny access permissions.

Proxy servers vs. packet filters

Proxy servers:
1. A proxy server examines the data payload of the packet.
2. Creates detailed log file listings, since it scans the entire data of IP packets.
3. Restructures the packet with new source IP data.
4. If a proxy server fails, all network communication would cease.
Packet filters:
1. A packet filter examines the routing information of the packet.
2. Logs only the header information of the IP packets.
3. Allows or blocks the data depending on the packet filter rules.
4. If a packet filter fails, all packets may be allowed to pass through to the internal network.

RC5 Algorithm

RC5 is a fast symmetric-key block cipher designed by Ronald Rivest for RSA Data Security (now RSA Security). It is a parameterized algorithm with a variable block size, key size, and number of rounds. The block size can be 32, 64, or 128 bits, the number of rounds can vary from 0 to 255, and the key size can vary from 0 to 2,040 bits. This built-in variability offers flexibility at all levels of security. The routines used in RC5 are key expansion, encryption, and decryption. In the key expansion routine, the secret key that a user provides is expanded to fill the key table (the size of which depends on the number of rounds). RC5 uses the key table for both encryption and decryption. The encryption routine has three fundamental operations: integer addition, bitwise XOR, and variable rotation. The intense use of data-dependent rotation, plus the combination of different operations, makes RC5 a secure encryption algorithm.

How to defend against web servers attacks 3

Registry: Apply restricted ACLs and block remote registry administration. Secure the SAM (stand-alone servers only).
Shares: Remove all unnecessary file shares, including the default administrative shares if they are not required. Secure the remaining shares with restricted NTFS permissions.
IIS Metabase: Ensure that security-related settings are configured appropriately and that access to the metabase file is restricted with hardened NTFS permissions. Restrict the banner information returned by IIS.
ISAPI Filters: Remove unnecessary ISAPI filters from the web server.
Sites and Virtual Directories: Relocate sites and virtual directories to non-system partitions and use IIS Web permissions to restrict access.
Script Mappings: Remove all unnecessary IIS script mappings for optional file extensions to avoid exploitation of any bugs in the ISAPI extensions that handle these types of files.
Auditing and Logging: Enable a minimum level of auditing on your web server and use NTFS permissions to protect the log files.

Retina Scanning

Retinal recognition is known to offer a stable biometric authentication mechanism. A retina scan captures the unique characteristics of the retina using low-intensity infrared light. The unique pattern of the blood vessels in the area called the "face" of the retina is captured. The scan requires the user to stand still while it is in progress, which is inconvenient. The human retina is hard to forge, since the retina of a deceased person decays fast enough that it cannot be used to fraudulently bypass a retinal scan. Retinal scanning is ineffective for users suffering from cataracts or blindness.

SAN (storage area network)

A SAN is a specialized, dedicated, and discrete high-speed network that connects storage devices (disks, disk arrays, tapes, servers, etc.) with a high-speed I/O interconnect (Fibre Channel, SAS, Ethernet, etc.). SANs are preferred in large-scale enterprises because of reliable data transfer and the flexibility to scale. A SAN supports data archival, backup, restore, transfer, retrieval, migration, mirroring, etc. from one storage device to another.
Communication Infrastructure Layer: provides physical connections to the network devices
Management Layer: organizes the connections, storage elements, and computer systems
Storage Layer: hosts the storage devices

Temporal Key Integrity Protocol (TKIP)

TKIP is a security protocol designed as part of IEEE 802.11i. These protocols are part of the requirements for Wi-Fi networks and are used to replace WEP. TKIP was devised to replace WEP without replacing the legacy hardware. This is important because the weaknesses in WEP left Wi-Fi networks without feasible link-layer security, and before TKIP only replacing the hardware could solve the problem. To overcome this, TKIP was introduced; it uses RC4 encryption and encrypts every packet with a separate encryption key. It also increases the difficulty of recovering the keys by minimizing the data exposed to the cracker.

SHA cryptographic different functions

SHA is a series of five different cryptographic hash functions, and it currently has three generations: SHA-1, SHA-2, and SHA-3.
SHA-0: A retronym applied to the original version of the 160-bit hash function published in 1993 under the name SHA. It was withdrawn due to an undisclosed "significant flaw" and replaced with the slightly revised version SHA-1.
SHA-1: A 160-bit hash function that resembles the earlier MD5 algorithm developed by Ron Rivest. It produces a 160-bit digest from a message with a maximum length of (2^64 − 1) bits. It was designed by the National Security Agency (NSA) to be part of the Digital Signature Algorithm (DSA). It is most commonly used in security protocols such as PGP, TLS, SSH, and SSL. As of 2010, SHA-1 is no longer approved for cryptographic use because of cryptographic weaknesses.
SHA-2: SHA-2 is a family of two similar hash functions with different block sizes, namely SHA-256, which uses 32-bit words, and SHA-512, which uses 64-bit words. Truncated versions of each standard are SHA-224 and SHA-384.
SHA-3: SHA-3 uses the sponge construction, in which message blocks are XORed into the initial bits of the state, which the algorithm then invertibly permutes. It supports the same hash lengths as SHA-2 and differs considerably in its internal structure from the rest of the SHA family.

HoneyPot tool: Specter

SPECTER is a honeypot or deception system. It simulates a complete system and provides an interesting target to lure hackers away from production systems. It offers common Internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which appear perfectly normal to attackers. However, it is a trap: it engages attackers so that they leave traces without realizing they have connected to a decoy system that does none of the things it appears to do, but instead logs everything and notifies the appropriate people. Furthermore, SPECTER automatically investigates attackers while they are still trying to break in. It provides massive amounts of decoy content and generates decoy programs that cannot leave hidden marks on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases allow the honeypot to change constantly without user interaction.
Advantages:
Suspicious interest in the network and computers can be detected immediately.
Administrators are notified of hostile activity when it happens, so that they can immediately look at the problem and take action.
The system is very easy to set up and configure while providing sophisticated features.
Fully automated online updates of the honeypot's content and vulnerability databases allow the honeypot to change constantly without user interaction.
There cannot be false alerts, as a legitimate user cannot connect to the honeypot.
Specter runs on 14 different operating systems.

Secure Shell (SSH)

Secure Shell is a program used to log on to another computer over the network and to transfer files from one computer to another. It offers strong authentication and a secure communication channel over an insecure medium. It can be used as a replacement for telnet, rlogin, rsh, and rcp; in SSH2, sftp is a replacement for ftp. In addition, SSH offers secure connections and secure forwarding of TCP connections. SSH1 and SSH2 are completely different protocols. SSH1 uses the user's server and host keys to authenticate, whereas SSH2 only uses host keys, which are different sets of keys. SSH2 is more secure than SSH1. It should be noted that the SSH1 and SSH2 protocols are in fact different and not compatible with each other. SSH2 is more secure, performs better, and is more portable than SSH1.

Security Software Logs

Security software is mainly used to secure systems and data, detect malicious activities, and support incident response efforts. Common types of network and host-based security software include:
Antimalware Software: Antimalware software is a type of antivirus software that logs instances of malware found, file and system disinfection attempts, and file quarantines. Other sources of security information are antispyware, rootkit detectors, etc.
Intrusion Detection and Intrusion Prevention Systems: Intrusion prevention and detection systems accumulate comprehensive information on suspicious behavior and discovered attacks on the network. Logs record the actions taken by the intrusion prevention system to stop malicious activities. A file integrity checking application, which is part of the intrusion detection system, runs at regular intervals rather than continuously and produces log entries in batches rather than on a continuous basis.
Remote Access Software: Remote access is governed and protected by Virtual Private Networking (VPN). A VPN records successful and unsuccessful login attempts with date, time, and session logs of the user, as well as the data received and sent in a session. A VPN that supports granular access control, such as a Secure Sockets Layer (SSL) VPN, has complete information on resource usage.
Web Proxies: Web proxies act as an intermediate host through which websites are accessed. They request web pages on behalf of the user and maintain cached copies of the retrieved web pages for efficient access to further requests. A web proxy is useful for restricting web access and adding a protection layer between the web clients and the web servers. Web proxies maintain a record of the URLs accessed through them.
Vulnerability Management Software: A combination of patch management and vulnerability assessment software. It records a history of installed patches and each host's vulnerability status, including known vulnerabilities and missing software updates. Vulnerability management software also records additional information about the host's configuration. This software runs on an occasional basis and generates large batches of log entries.
Authentication Servers: Authentication servers, along with directory servers and single sign-on servers, record information about every authentication attempt, including source, username, successful or unsuccessful login attempt, and time and date.
Routers: Routers are configured to allow or block some of the network traffic depending on policy. Routers that block traffic are configured to log the most basic characteristics of the blocked activity.
Firewalls: Firewalls are also used to allow or block activities, but firewalls are more sophisticated than routers. Firewalls track the state of network traffic and perform content inspection. The primary function of a firewall, along with blocking malicious code, is to monitor the status of the network traffic and perform content inspection. Firewalls have complex policies and generate more detailed logs.
Network Quarantine Servers: Network quarantine servers check each remote host's security posture before it joins the network. Hosts that fail the server's checks are quarantined to a separate virtual local area network (VLAN) segment. The network quarantine server collects information about status checks, quarantined hosts, and the reasons for the quarantine.

WEP (Wired Equivalent Privacy) limitations

Security with WEP is limited for the following reasons:
Keys used in WEP are static
The key stream generated by the RC4 algorithm is relatively small
WEP does not support cryptographic integrity protection

Selecting Appropriate Backup Method

Select the backup method based on cost and capability, depending upon your organization's needs.
Hot Backup (Online): The backup is taken while the application, database, or system is still running and available to users. It is used when service-level downtime is not allowed.
Advantage: Immediate switchover to the backup data is possible.
Disadvantage: It is very expensive.
Cold Backup (Offline): The backup is taken while the application, database, or system is shut down and not available to users. It is used when service-level downtime is allowed and a full backup is needed.
Advantage: It is the least expensive.
Disadvantage: Switching over to the backup data requires more time.
Warm Backup (Nearline): A combination of hot and cold backup.
Advantages: It is less expensive than a hot backup. Switching over to the backup data takes less time than with a cold backup, but more time than with a hot backup.
Disadvantage: It is less accessible than a hot backup.

Evading IDS: Session Splicing

Session splicing is an IDS evasion technique that exploits the fact that some IDSs do not reconstruct sessions before pattern-matching the data. It is a network-level evasion method that divides the string across several packets. The attacker splits the data into small portions of a few bytes each and, by delivering it this way, evades the string match. Attackers use this technique to deliver the data in many small packets; the IDS cannot handle too many small packets and fails to detect the attack signatures. If attackers know which IDS is in use, they can add delays between packets to bypass reassembly checking. Many IDSs reassemble communication streams, so if a packet is not received within a reasonable period, many IDSs stop reassembling and handling that stream. If the application under attack keeps a session active longer than the IDS will spend on reassembling it, the IDS will stop. As a result, any session after the IDS stops reassembling will be susceptible to malicious data theft by attackers. Attackers can use tools such as Nessus and Whisker for session-splicing attacks.

Firewall Technologies

Several firewall technologies are available for organizations to implement their security. Sometimes firewall technologies are combined with other technologies to build another firewall technology. For example, NAT is a routing technology, but when combined with a firewall it is considered a firewall technology instead. The various firewall technologies used are:
Bastion Host
DMZ (demilitarized zone)
Proxies
NAT (Network Address Translation)
VPN (Virtual Private Network)
Honeypot

Secure Hashing Algorithm (SHA)

NIST developed the Secure Hash Algorithm (SHA), specified in the Secure Hash Standard (SHS) and published as a Federal Information Processing Standard (FIPS PUB 180). It generates a cryptographically secure one-way hash. Rivest developed the SHA, which is similar to the message-digest algorithm family of hash functions. It is slightly slower than MD5, but its larger message digest makes it more secure against brute-force collision and inversion attacks.

Registry Settings

Several registry values and settings could impact the subsequent forensic analysis and investigation. Although these settings are non-volatile themselves, they could have an effect on how an investigator chooses to proceed when conducting an investigation or even whether he or she would continue with the investigation at all. There are several tools for collecting information from the registry. Reg.exe is a command line tool for accessing and managing the registry. Some of the important registry values that need to be noted down include: ClearPageFileAtShutdown This particular registry value tells the operating system to clear the page file when the system is shut down. Because Windows uses a virtual memory architecture, some memory used by processes will be paged out to the page file. When the system is shut down, the information within the page file remains on the hard drive and can contain information such as decrypted passwords, portions of IM conversations, and other strings and bits of information that might provide important leads in an investigation. However, if this file is cleared during shutdown, this valuable information will be more difficult to obtain. DisableLastAccess Windows has the ability to disable the updating of the last access times on files. This was meant as a performance enhancement, particularly on high-volume file servers. On normal workstations and the sort of desktops and laptops most people are using, this setting does not provide any noticeable improvement in performance.

Snort IDS

Snort is a software-based, real-time network intrusion detection system, developed by Martin Roesch, that notifies an administrator of a potential intrusion attempt. It is a "lightweight" NIDS: it is non-intrusive, easily configured, uses familiar methods for rule development, and can be installed on a system within a few minutes. It includes the ability to detect more than 1100 potential vulnerabilities.

Snort Rules

Snort without rules would be equivalent to a packet sniffer. Snort rules describe the patterns and criteria Snort uses to detect potentially malicious traffic on a network. Rules are open for anyone to inspect and can be written according to need. The open format of Snort rules allows users to:
Verify whether a rule provides complete protection against a vulnerability
Create new rules according to requirements, or enhance the functionality of existing rules
The Snort rule base is located in Snortpath\rules

SnortSam

SnortSam is a plugin for Snort that allows automated blocking of IP addresses on various firewalls. Its features include:
White-list support for IP addresses that will never be blocked
Time-override list
Maximum block time ceiling as well as minimum block time definition for reporting entities
Flexible, per-rule blocking specification, including rule-dependent blocking time interval
A SID filter list of allowed or denied SIDs based on reporting entity
Misuse/attack detection engine (including roll-back support) that attempts to mitigate the risk of a self-inflicted denial of service in the IDS-firewall integration
File logging and email notification of events

WEP (Wired Equivalent Privacy) flaws

Some basic flaws undermine WEP's ability to protect against a serious attack:
No defined method for encryption key distribution: Pre-shared keys are set once at installation and are rarely (if ever) changed. It is easy to recover a number of plaintext messages encrypted with the same key.
RC4 was designed to be used in a more randomized environment than WEP utilizes: As the pre-shared key is rarely changed, the same key is used over and over. An attacker monitors the traffic and finds different ways to work with the plaintext message. With knowledge of the ciphertext and plaintext, an attacker can compute the key.
Attackers analyze the traffic from passive data captures and crack WEP keys with the help of tools such as AirSnort, WEPCrack, and dweputils.
Key scheduling algorithms are also vulnerable to attack.

Source Routing

Source routing allows the sender of a packet to partially or completely specify the route the packet takes through the network. Normally, as the packet travels through the nodes in the network, each router examines the destination IP address and chooses the next hop to direct the packet toward its destination. In source routing, the sender makes some or all of these decisions instead of the router. The figure shows source routing, where the originator dictates the eventual route of traffic.

Network Forensics Analysis Mechanism

Source: Building Evidence Graphs for Network Forensic Analysis, by Wei Wang and Thomas E. Daniels
This network forensics analysis mechanism includes presenting and manipulating the evidence, and automated reasoning. Its components are:
Analyst Interface: provides visualization of the evidence graph and reasoning results to the analyst, who passes feedback to the graph generation and reasoning components.
Evidence Collection: collects intrusion evidence from the networks and hosts under investigation.
Evidence Preprocessing: converts assertive types of evidence, such as intrusion alerts, into the appropriate format and reduces repetition in low-level evidence by aggregation.
Evidence Depository: after preprocessing, the collected intrusion evidence is stored in the evidence depository.
Evidence Graph Generation: generates and updates the evidence graph using intrusion evidence from the depository.
Attack Reasoning: performs automated reasoning based on the evidence graph.
Attack Knowledge Base: includes knowledge of prior exploits.
Asset Knowledge Base: includes knowledge of the networks and hosts under investigation.
In the initial phase, the collected evidence is preprocessed and stored in the evidence depository. The graph generation module builds the evidence graph from the evidence retrieved from the depository. Next, the reasoning module performs automated inference based on the evidence graph and presents the results to the analyst. Through the interface module, the analyst can provide expert opinions and out-of-band information in two main ways:
Edit the evidence graph directly
Send queries to retrieve specific evidence
The reasoning process is then performed on the updated evidence graph for better results.

Network Addressing Schemes

Source: http://docs.hop.cm
There are two methods of network addressing.
LAN Addressing
LAN addressing is used to find nodes on a shared Data-link layer LAN. Each node on the LAN has a unique Media Access Control (MAC) address assigned to its network interface card (NIC). That address may be:
Static Address: a unique 48-bit address built into the hardware by the Ethernet board manufacturer. This address is permanent and changes only if you change the computer.
Configurable Address: an address given during the initial installation of the hardware, which becomes static after that. It can be set with the help of switches or jumpers on the circuit board, or with the help of diagnostic software.
Dynamic Address: an address decided when the computer is powered on and connected to the network. Because of this, there is a chance that a number of systems have the same IP address.
In LAN addressing, one node transmits data packets addressed to another node; in broadcasting, one node sends data packets to all nodes connected to the LAN. Broadcasting is used to find services or devices on the network.
Internetwork Addressing
An internetwork is a network in which a number of LANs or other networks are connected with the help of routers. Each network in the internetwork has a unique network ID or network address. Routers use these addresses when data packets are transmitted from a source to a target in the internetwork. Each node in a network has its own unique address, known as the host address or node ID. The internetwork address is a combination of the network address and the host address, and it identifies a particular node in the internetwork.
When a data packet is transmitted from one host to another in the internetwork, the router does not know the host address, but it knows the network address of the network to which that host belongs. After the packet is transmitted to that network, it is delivered to the destination host.

Image Steganography: QuickStego

Source: http://quickcrypto.com
QuickStego lets you hide secret messages in images so that only other users of QuickStego can retrieve and read them. Once you hide a secret message in an image, you can still save it as a picture file; it will load just like any other image and appear just as before. The user can save, email, or upload the image to the web, and the only difference will be that it contains a hidden message.
Features:
Conceals information in folders, images, and sounds.
Keeps all online and offline passwords safe.
Recovers deleted files on NTFS and FAT systems.
Prevents recovery of sensitive files (even those already deleted).
Removes temporary and audit files.
Views and shreds Internet browser tracing files.
Tests passwords and attempts password recovery.
Monitors the system for potential security flaws.

Configuring Windows Logging

Source: http://www.cmu.edu
The steps for setting the Windows event logs are as follows:
1. Right-click the Start button and click Control Panel.
2. Click System and Security > Administrative Tools, and then double-click Event Viewer.
3. In the left pane of the Event Viewer window, click Windows Logs > Application.
4. In the right pane of the Event Viewer window, click Properties in the Actions field.
5. In the Log Properties window, set the following:
Maximum log size: 30720 KB
Select the "Overwrite events as needed" checkbox
6. Click Apply to save the settings and then OK to close the Log Properties window.
7. In the left pane of the Event Viewer window, click Windows Logs > Security and repeat steps 4 to 6.
8. In the left pane of the Event Viewer window, click Windows Logs > System and repeat steps 4 to 6.

Case Report Writing and Documentation

Source: http://www.crime-research.org
Write all your conclusions and findings from the computer media analysis in an "Investigative Analysis Report," which is then sent directly to a case officer. This report should include the following documents:
Forms
Analysis notes
Items produced during analysis, i.e., printouts and CDs
Copy of the search warrant
Evidence listing
Media analysis worksheet
Keyword lists
Support requests
Identify the files that are relevant to the investigation and make a printout. If you find a large number of files related to the investigation, discuss with the attorneys whether printing the files is necessary.

Windows Forensics Tool: OSForensics

Source: http://www.osforensics.com
OSForensics is system information gathering software that extracts forensic data from computers and uncovers everything hidden inside a PC. It identifies suspicious files and activity with hash matching, performs drive signature comparisons, and looks into emails, memory, and binary data. It presents the results as a file listing, a thumbnail view, or a timeline view, which allows you to determine where significant file change activity has occurred.

Forging Headers

Source: http://www.owlriver.com
An increasingly common trick used by email forgers is to add spurious Received: headers before sending the offending mail. This means that a hypothetical email sent from turmeric.com might have Received: lines that look something like this:
Received: from galangal.org ([104.128.23.115]) by mail.bieberdorf.edu (8.8.5)...
Received: from nowhere by fictitious-site (8.8.3/8.7.2)...
Received: No Information Here, Go Away!
The last two lines are complete nonsense, written by the sender and attached to the message before it was sent. Since the sender has no control over the message once it leaves turmeric.com, and Received: headers are always added at the top, the forged lines have to appear at the bottom of the list. This means that someone reading the lines from top to bottom, tracing the history of the message, can safely throw out anything after the first forged line; even if the Received: lines after that point look plausible, they are guaranteed to be forgeries.

Recover My Email software

Source: http://www.recovermyemail.com
Recover My Email is mail recovery software that can recover deleted email messages from either Microsoft Outlook PST files or Microsoft Outlook Express DBX files.
If you use Microsoft Outlook (PST recovery):
Recover deleted email messages and attachments from your Personal Storage File (PST).
Save mail recovery results, including messages, contacts, and attachments.
Open and read corrupt Outlook PST files and recover email and attachments.
If you use Microsoft Outlook Express (DBX recovery):
Recover deleted email messages and attachments from your individual Outlook Express DBX files.
Save the recovered email messages and attachments and import them back into Outlook Express.

Syslog-ng OSE

Source: https://www.balabit.com
The syslog-ng application is a flexible and highly scalable system logging application that is ideal for creating centralized and trusted logging solutions. The main features of syslog-ng are summarized below.
Reliable log transfer: The syslog-ng application enables you to send the log messages of your hosts to remote servers using the latest protocol standards. The logs of different servers can be collected and stored centrally on dedicated log servers. Transferring log messages using the TCP protocol ensures that no messages are lost.
Secure logging using TLS: Log messages may contain sensitive information that should not be accessed by third parties. Therefore, syslog-ng supports the Transport Layer Security (TLS) protocol to encrypt the communication. TLS also allows mutual authentication of the host and the server using X.509 certificates.
Direct database access: Storing your log messages in a database allows you to easily search and query the messages and interoperate with log analyzing applications. The syslog-ng application supports the following databases: MSSQL, MySQL, Oracle, PostgreSQL, and SQLite.
Heterogeneous environments: The syslog-ng application is the ideal choice to collect logs in massive heterogeneous environments using several different operating systems and hardware platforms, including Linux, Unix, BSD, Sun Solaris, HP-UX, Tru64, and AIX.
Filter and classify: The syslog-ng application can sort incoming log messages based on their content and various parameters such as the source host, application, and priority. Directories, files, and database tables can be created dynamically using macros. Complex filtering using regular expressions and boolean operators offers almost unlimited flexibility to forward only the important log messages to the selected destinations.
Parse and rewrite: The syslog-ng application can segment log messages into named fields or columns, and modify the values of these fields.
IPv4 and IPv6 support: The syslog-ng application can operate in both IPv4 and IPv6 network environments; it can receive and send messages on both types of networks.

Metadata Analysis Tool: Metashield Analyzer

Source: https://www.elevenpaths.com
Metashield Analyzer is an online tool for analyzing the metadata contained in a file. The tool reveals details such as creation and modification dates, the users found and the name of the application they worked with, the number of times the file was edited, and the paths found. A file can be analyzed using the following procedure:
1. Click Select File and select the required file.
2. Click Analyze and accept the Terms and Conditions in the pop-up.
3. Click Analyze to view the output, i.e., the metadata of the file.

Limitations of firewalls

The following are the disadvantages of firewalls:
Difficult to configure correctly.
May slow down applications by consuming system resources.
Difficult to uninstall completely.
Should be used in conjunction with other forms of protection.
Decreases network performance, because every packet must be checked.
Management cost is high.
Does not offer protection against new viruses.

Stateful Multilayer Inspection Firewall

Stateful multilayer inspection firewalls combine aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer. With stateful packet filtering, you can overcome the limitation of packet-filtering firewalls, which can only filter on IP address, port, protocol, and so on. A multilayer firewall can perform deep packet inspection.
Features of the stateful multilayer inspection firewall:
This type of firewall can remember the packets that passed through it earlier and make decisions about future packets based on the state of the conversation.
These firewalls provide the best of both packet filtering and application-based filtering.
Cisco PIX firewalls are stateful.
These firewalls track and log slots or translations.

Unethical Use of Steganography

Steganography can be used for many unethical purposes, including fraud, hacking, gambling, pornography, harassment, intellectual property offenses, viruses, and pedophilia. If terrorists use steganography, how can common criminals be prevented from using this technology? They cannot. Crime syndicates can communicate with each other by using steganography. Many cases have been reported of criminals using steganography to commit crimes. They have used steganography to steal credit card numbers on a hacked web page, replacing the bullets with images that contain credit card numbers. Other criminals can transfer files containing secret bank account numbers and information about drug shipments by using the same method. Steganography can also be used for fraudulent purposes. Steganography cannot be identified or detected the way encryption can. Steganography is mainly used to supplement encryption or when encryption is not allowed. This way, criminals can use steganography to hide, inside an image, information that is able to detect sensitive web resources in the victim's system. This would include electronic payments and other means of fraud. Today, steganography is also used by attackers to place trap doors within the victim's system or network in order to gain access. Steganography can be used as a form of harassment; individuals can hide harassing messages within a picture and send it to the victim. The victim would then open the image not knowing what it contains. Steganography can be used in many other cases, such as gambling, pornography, and the injection of viruses.

Types of Steganography

Steganography is the art and science of writing hidden messages in such a way that no one other than the intended recipient knows of the existence of the message. The increasing use of electronic file formats with new technologies has made data hiding possible. Basic steganography can be broken down into two areas: data hiding and document marking. Document marking deals with protection against removal; its further classification by cover medium includes watermarking and fingerprinting. The different types of steganography are as follows:
Image Steganography: Images are popular cover objects for steganography. In image steganography, the user hides information in image files of different formats such as .PNG, .JPG, .BMP, etc.
Document Steganography: In document steganography, the user adds white spaces and tabs at the end of lines.
Folder Steganography: Folder steganography refers to hiding one or more files in a folder. In this process, the user moves the file physically but keeps it associated with its original folder for recovery.
Video Steganography: Video steganography is a technique to hide files of any type and extension inside a carrier video file. One can apply video steganography to different formats such as .AVI, .MPG4, .WMV, etc.
Audio Steganography: In audio steganography, the user embeds hidden messages in a digital sound format.
Whitespace Steganography: In whitespace steganography, the user hides messages in ASCII text by adding white spaces to the end of lines.
Web Steganography: In web steganography, a user hides web objects behind other objects and uploads them to a web server.
Spam/Email Steganography: One can use spam emails for secret communication by embedding secret messages in some way and hiding the embedded data in the spam emails. This technique is referred to as spam/email steganography.
DVDROM Steganography: In DVDROM steganography, the user embeds content in audio and graphical data.
Natural Text Steganography: Natural text steganography converts sensitive information into user-definable free speech, such as a play.
Hidden OS Steganography: Hidden OS steganography is the process of hiding one operating system inside another.
C++ Source Code Steganography: In C++ source code steganography, the user hides a set of tools in the files.

What is Steganography?

Steganography, the art of hidden writing, has been in use for centuries. It involves embedding a hidden message in some transport or carrier medium and has been used by mathematicians, military personnel, and scientists, all of whom engage in altering common language and transferring it through secret and hidden communication. The history of steganography dates back to the Egyptian civilization. Today, with the emergence of the Internet and multimedia, the use of steganography is more often digital in nature. According to www.webopedia.com, steganography is defined as "The art and science of hiding information by embedding messages within other, seemingly harmless messages. It works by replacing bits of useless or unused data in regular computer files with bits of different, invisible information. This hidden information can be plain text, cipher text, a list of compromised servers, a communication and coordination channel, source code for a hacking tool, plans for future attacks, or even images." Generally, forensic investigators in law and cyber forensics deal with steganography when encryption is restricted. When a file cannot be encrypted, the next best option for safe transfer is steganography. The best way to protect sensitive information is to camouflage it instead of encrypting it; steganography is basically a supplement to or an alternative for encryption. However, an encrypted file can still hide information by using steganography. This gives a double measure of protection, as the encrypted file, once deciphered, would still not reveal the hidden message. One has to use special steganography software to decipher the hidden message. Many websites allow people to download steganography software, which can be freeware or trial software. Usually, steganography involves messages that are out in the open for many people to view. This can go unnoticed, as the very existence of the message is secret.
Steganography is "hidden in plain sight," unlike cryptography. In cryptography, the message cannot be read because it is jumbled; therefore, the existence of the message is often known, even though the information in the cipher is protected. When such a message is intercepted, it is quite damaging, as it informs the enemy about the two-way communication. Steganography takes the exact opposite approach, as the uninformed have no idea that communication is taking place.

Types of classical cipher

Substitution cipher: The user replaces units of plaintext with ciphertext according to a regular system. Units may be single letters, pairs of letters, combinations of them, and so forth. The recipient performs the inverse substitution to decipher the text. Examples include the Beale cipher, autokey cipher, Gronsfeld cipher, and Hill cipher. For example, "HELLO WORLD" can be encrypted as "PSTER HGFST" (i.e., H = P, E = S, etc.).
Transposition cipher: Here, rearranging the letters of the plaintext according to a regular system produces the ciphertext. For example, "CRYPTOGRAPHY" when encrypted becomes "AOYCRGPTYRHP." Examples include the Rail Fence cipher, Route cipher, and Myszkowski transposition.

SIV (System Integrity Verifiers)

System Integrity Verifiers (SIVs) monitor system files to determine whether an intruder has changed them. An integrity monitor watches key system objects for change. For example, a basic integrity monitor uses system files or registry keys as "bait" to track changes by an intruder. Although they have limited functionality, integrity monitors can add an additional layer of protection to other forms of intrusion detection. The most popular integrity monitor is Tripwire, available for both Windows and UNIX. It can monitor a number of attributes, including file additions, deletions, and modifications, file flags, last access time, last write time, create time, file size, hash checking, etc. An SIV can watch other components as well, such as the Windows registry and cron configuration, in order to find well-known signatures. It can also detect when a normal user somehow acquires root/administrator-level privileges.

The two layers in TLS protocol

TLS Record Protocol
The TLS Record Protocol is a layered protocol. It provides secured connections with an encryption method such as the Data Encryption Standard (DES). It secures application data using the keys generated during the handshake and verifies its integrity and origin. The TLS Record Protocol provides connection security that has two basic properties:
1. The connection is private: it uses symmetric cryptography for data encryption (e.g., DES and RSA). The protocol generates unique keys for symmetric encryption for each connection, based on a secret negotiated by another protocol (such as the TLS Handshake Protocol). The Record Protocol can also be used without encryption.
2. The connection is reliable: it provides a message integrity check at the time of message transport using a keyed MAC. Secure hash functions (e.g., SHA, MD5) are used for the MAC computations.

Technical Steganography

Technical steganography uses invisible ink, microdots, and other physical or chemical means to hide the existence of a message. It is difficult to categorize all the methods by which this is achieved, but some of them include:
Invisible Ink
Invisible ink, or "security ink," is one method of technical steganography. It is used for invisible writing with colorless liquids and can later be made visible by certain pre-negotiated manipulations such as lighting or heating. For example, if you use onion juice and milk to write a message, the writing will be invisible, but when heat is applied, it turns brown and the message becomes visible.
Applications of invisible ink:
o Espionage
o Anti-counterfeiting
o Property marking
o Hand stamping for venue re-admission
o Marking for identification purposes in manufacturing
Microdots
A microdot is text or an image considerably reduced in size (with the help of a reverse microscope), up to one page in a single dot, to avoid detection by unintended recipients. Microdots are usually circular, about one millimeter in diameter, but can be made in different shapes and sizes.
Computer-Based Methods
A computer-based method makes changes to digital carriers to embed information foreign to the native carriers. Communication of such information occurs in the form of text, binary files, disk and storage devices, and network traffic and protocols, and can alter software, speech, pictures, videos, or any other digitally represented code for transmission.

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology (NIST) specification for the encryption of electronic data. It is used to encrypt digital information such as telecommunications, financial, and government data. US government agencies have been using it to secure sensitive but unclassified material. AES is a symmetric-key algorithm: both encryption and decryption are performed using the same key. It is an iterated block cipher that works by repeating defined steps multiple times. It has a 128-bit block size, with key sizes of 128, 192, and 256 bits for AES-128, AES-192, and AES-256, respectively. The design of AES makes it efficient in both software and hardware. It works simultaneously at multiple network layers.
AES Pseudocode
Initially, the system copies the cipher input into the internal state and then adds an initial round key. The system transforms the state by iterating a round function for a number of rounds. Depending on the block size and key length, the number of rounds may vary. After completing the rounds, the system copies the final state into the cipher output.

The DSA and Related Signature Schemes

The DSA has become a U.S. Federal Information Processing Standard (FIPS 186) called the Digital Signature Standard (DSS). A digital signature is a mathematical scheme used for the authentication of digital messages. Computation of the digital signature uses a set of rules (i.e., the DSA) and a set of parameters, so that the user can verify the identity of the signatory and the integrity of the data.
Processes involved in DSA:
Signature Generation Process: The private key is used to sign, which establishes who has signed the message.
Signature Verification Process: The public key is used to verify whether the given digital signature is genuine.
DSA is a public-key cryptosystem, as it involves the use of both private and public keys.

What is the DMZ?

The Demilitarized Zone (DMZ) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. To enhance the security of the DMZ and reduce risk, most companies limit the protocols allowed to flow through their DMZ. End-user protocols, such as NetBIOS, would introduce a great security risk to the systems and traffic in the DMZ. Most organizations limit the protocols allowed into the DMZ to the following:
File Transfer Protocol (FTP) - TCP ports 20 and 21
Simple Mail Transport Protocol (SMTP) - TCP port 25
DNS - TCP port 53 and UDP port 53
Hyper Text Transfer Protocol (HTTP) - TCP port 80
HTTPS - TCP port 443
In addition to these protocols, SSH may be required for system management. Of course, the complexity of older web applications may require the use of insecure protocols and broad ranges of open ports for management, interaction with other components, and performing backups. Many firewalls employ an "allow any" outbound rule base, due to dynamic port requirements and other problems with these legacy protocols.

Computer Forensics Report Template 2

The Executive Summary is the section that gives a brief introduction to the circumstances that led to the investigation of a computer incident. It gives an overview of the investigation and includes the important aspects of the case. Supporting details mainly focus on the path of the investigation and how conclusions were arrived at. They also include the important files reviewed, URLs and emails reviewed, string search results obtained, and other case-related information.
Summary:
Case number
Name and social security number of the author, investigators, and examiners
Why the investigation was undertaken
List of significant findings
Signature analysis
Other supporting details:
Attacker's methodology
User's applications
Internet activity
Recommendations

Step 8: Post-Incident Activities

The IRT as well as the organization can learn a lot from past security mistakes and vulnerabilities. Incident handling does not only involve effectively handling an incident; it also involves the process of learning and improving. Organizations that conduct a meeting after an incident to let all staff know the lessons learned from it have found this to be beneficial. This learning process also covers the policies that were responsible for the security failure. An update or review of all security policies can help the organization build a robust network that is highly difficult to penetrate. The IRT should document the various processes followed while handling and responding to an incident. The evidence gathered as well as the documents prepared should be safeguarded in the protect-evidence phase. Proper documentation is necessary for the prosecution of the offender; hence, the documentation should be precise, clear, and verifiable.

RSA SecurID Token

The SecurID authentication mechanism consists of a 'token,' which is a piece of hardware assigned to a user. The token generates an authentication code every sixty seconds using a built-in clock and the card's factory-encoded random key, known as the "seed" and often provided as a *.asc file. Each token has a different seed, which is loaded into the corresponding SecurID server, called the 'ACE Server,' as the tokens are purchased. Some SecurID deployments may use 30-second rotations. A user authenticating to a network resource (for example, a dial-in server or a firewall) needs to enter both a PIN and the number displayed at that moment on his SecurID token.
Advantages: The password generated by the token is short-lived, so even if copied, it cannot be reused to gain access.
Disadvantages: The token is a physical device and can be lost, stolen, or damaged. Tokens expire after a period of time and so need to be replaced.

SSL(Secure Sockets Layer)

The Secure Sockets Layer (SSL) is a protocol used to provide a secure authentication mechanism between two communicating applications, such as a client and a server. SSL requires a reliable transport protocol, such as TCP, for data transmission and reception. Any application-layer protocol that sits above SSL, such as HTTP, FTP, or telnet, can be layered transparently over SSL. SSL acts as an arbitrator between the encryption algorithm and the session key; it also verifies the destination server prior to the transmission and reception of data. SSL encrypts all data of the application protocol to ensure security. An SSL session is responsible for carrying out the SSL handshake protocol to organize the states of the server and clients, thus ensuring the consistency of the protocol.

Session Hijacking

The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed with a session token. Because HTTP communication uses many different TCP connections, the web server needs a method to recognise every user's connections. The most useful method depends on a token that the web server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width, and it could be used in different ways, such as in the URL, in the header of the HTTP request as a cookie, in other parts of the header of the HTTP request, or in the body of the HTTP request. The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorised access to the web server.

Data Encryption Standard (DES)

The Data Encryption Algorithm (DEA) is designed to encipher and decipher blocks of data consisting of 64 bits under control of a 56-bit key. DES is the archetypal block cipher: an algorithm that takes a fixed-length string of plaintext bits and transforms it into a ciphertext bit-string of the same length. Due to the inherent weakness of DES with today's technologies, some organizations repeat the process three times (3DES) for added strength, until they can afford to update their equipment to AES capabilities.

Web applications component

The components of web applications are listed as follows:
Login: Most websites allow authentic users to access the application by means of a login. This means that to access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com.
The Web Server: It refers to either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server.
Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.
User Permissions: When you are not allowed to access the specified web page with the user permissions you are logged in with, you may be redirected again to the login page or to any other page.
The Application Content: It is an interactive program that accepts web requests from clients and uses the parameters that are sent by the web browser to carry out certain functions.
Data Access: Usually the web pages communicate with each other via a data access library in which all the database details are stored.
The Data Store: It is the way to the important data that is shared and synchronized between the children/threads. This stored information is quite important and necessary for higher levels of the application framework. It is not mandatory that the data store and the web server are on the same network; they can be in contact with or accessible to each other through the network connection.
Role-level System Security
Application Logic: Usually web applications are divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and provides services accordingly. The services offered by the application logic include querying and updating the database as well as generating a user interface.
Logout: An individual can shut down or log out of the web application or browser so that the session and the application associated with it end. The application ends either on the initiative of the application logic or automatically when the servlet session times out.

Evidence Examiner Report

The evidence examiner must write a report of all activities that took place during the forensic investigation of digital evidence. The following common consideration list helps the examiner throughout the documentation process:
Take notes when discussing with the case investigator.
Preserve a copy of the search authority and the chain of custody documentation.
Write notes in detail about each action taken.
Include the date, time, complete description, and result of each action taken in the documentation.
Document any irregularities encountered during the examination.
Include the operating system name, software, and installed patches.
Include information about the network topology, list of legal users, and so on.
Document all the changes that are made to the computer system during the investigation.
Document all information found during the investigation about remote storage, remote user access, and offsite backup.

Web applications countermeasures

The following are countermeasures against various web-application security attacks:
Unvalidated Redirects and Forwards: Generally, web applications redirect and forward users to other pages and websites. If a web application does not validate the data, attackers can redirect users to malicious websites or use forwarding to access unauthorized pages. To prevent such attacks, it is best not to allow users to directly supply parameters to redirects and forwards in the web application logic.
Cross-Site Request Forgery: Using a CSRF attack, attackers entice a user's browser to send a forged HTTP request, including the user's session cookie and other authentication information, to a legitimate (vulnerable) web application to perform malicious activities.
Broken Authentication and Session Management: Flaws in authentication and session management application functions allow attackers to either gain passwords, keys, and session tokens, or exploit other implementation vulnerabilities to gain other users' credentials. Session cookies are bound to client IPs by delivering a validation cookie, which includes a cryptographic token that validates that the client IP is the one to which the session token was issued. Therefore, to perform the session attack, the attacker must steal the IP address of the target user.
Insecure Cryptographic Storage: Many web applications do not properly protect sensitive data such as credit cards, SSNs, and authentication credentials with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit-card fraud, or other crimes.

How Web Applications Work?

The main function of web applications is to fetch user-requested data from a database. When a user clicks a link or enters a URL in a browser, the web application displays the requested website content in the browser. This mechanism involves the following step-by-step process:
1. The user enters the website name or URL in the browser, and the web application sends the request to the web server.
2. On receiving the request, the web server checks the file extension. If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
3. If the user requests a web page with the extension CFM, CFML, or CFC, the web application server must process the request. Therefore, the web server passes the user's request to the web application server, which processes it.
4. The web server accesses the database to perform the requested task by updating or retrieving the information stored on it.
5. After processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.

Aspects of a Good Report

The main objective of a cybercrime investigation is to identify the evidence and facts. A good investigation report gives a detailed account of the incidents, emphasizing the discrepancies in the statements of the witnesses. To be an approved forensic analysis report, it should be a well-written document that focuses on the circumstances of the incident, statements of the witnesses, photographs of the crime scene, reference material leading to the evidence, and schematic drawings of the computer system and the network. Conclusions should be drawn based on the actual facts. Opinions of the investigators are not taken into account. An investigator should also keep in mind that the documentation will be thoroughly scrutinized by the defense; therefore, caution should be maintained while drafting the report. Aspects of a good investigative report are:
It should answer all the questions posed to the forensic investigator and define the purpose of the forensic investigator's engagement.
It should assist decision makers in prosecuting perpetrators of the crime and implementing effective controls to protect against such crimes in future. A decision maker must be able to rely on the facts presented in the report.
Facts presented in the report should be supported by relevant appendices. The facts should be based on the evidence in the file.
It must be clear and written in neutral language so that the decision makers and other readers will be able to understand it.
It should be concise and must convey the necessary information.
It should be structured in such a way that anyone can easily locate the evidence information.

How IDS works?

The main purpose of an IDS is to recognize and provide real-time monitoring of intrusions. Additionally, reactive IDSs (and IPSs) can intercept, respond to, and/or prevent the intrusions. An IDS works in the following way:
IDSs have sensors to detect malicious signatures in data packets, and some advanced IDSs have behavioral activity detection to determine malicious traffic behavior. Even if the packet signatures do not match perfectly with the signatures in the IDS signature database, the activity detection system can alert administrators about possible attacks.
If the signature matches, the IDS performs predefined actions such as terminating the connection, blocking the IP address, dropping the packet, and/or signaling an alarm to notify the administrator.
When a signature matches, anomaly detection is skipped; otherwise, the sensor may analyze traffic patterns for an anomaly.
When the packet passes all tests, the IDS forwards it into the network.
The administrator must also be able to identify the methods and techniques used by the intruder and the source of the attack.

Limitations of IDS

The major limitations of IDS are:
It cannot provide total security.
It produces false positives, i.e., false alarms.
It produces false negatives, i.e., it fails to alarm.
Large-scale attacks can overwhelm a sensor.
A NIDS cannot properly protect high-speed networks.
It is unable to provide a well-managed firewall, a regular security policy, or a strong security policy.
It cannot detect an ever-growing number of serious problems: new signatures are added, new methods are being developed, and IDSs look for known weaknesses with patterns or normal behavior.
Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.

Why Synchronize Computer Times?

The most important function of a computer security system is to regularly identify, examine, and analyze the primary log file system as well as check the log files generated by intrusion detection systems and firewalls. Problems faced by the user/organization when the computer times are not synchronized include:
If computers display different times, it is difficult to match actions correctly across different computers. For example, consider a chat via any messenger. Two systems with different clocks are communicating, and because the clocks differ, the logs show different times. If an observer checks the log files of both systems, he or she would have difficulty reading the conversation.
If the computers connected in the internal (organization) network have their times synchronized but the times are wrong, the user or an investigator may have difficulty correlating logged activities with outside actions, such as tracing intrusions.
Sometimes, on a single system, a few applications leave the user puzzled when the time jumps backward or forward. For example, the investigator cannot identify the timings in database systems that are involved in e-commerce transactions or crash recovery.

Step 7: Eradication and Recovery

The next step in incident handling after any containment strategy is to eradicate the components that helped attackers breach the organization's network. This includes canceling breached user accounts and deactivating malicious code. The eradication stage removes or eliminates the root cause of the incident whereas in the recovery stage, all the affected information systems are restored back to normal. A vulnerability analysis determines whether the network is still vulnerable to such attacks. If so, the network is hardened per the required standards. Recovery involves various techniques such as network perimeter security, tightening user ID credentials, effective patch management, renewed file and software versions, and rebuilding the systems. This stage also involves listing countermeasures to thwart further damage to the network, thereby securing the organization's assets.

Examine Email Headers

The primary information required for starting an email investigation is the unique IP address, which can be retrieved by examining the email header. The email header also provides additional information such as the date and time the message was sent, attachments, and the unique message ID, which are helpful for email tracking. The message header can provide significant information if examined properly. Know how to find email headers in various command-line, web-based, and GUI clients. Open the email headers, then copy and paste the headers into a text document. A sample message header with added line numbers is shown on the following page to explain the examination of the header.

SOCKS Proxy

SOCKS is an IETF (Internet Engineering Task Force) standard. It is like a proxy system that supports proxy-aware applications. The SOCKS proxy server does not allow external network components to collect information about the client that generated the request. SOCKS is a proxy server that does not have the special caching abilities of a caching HTTP proxy server. It is considered an Internet toolkit, which allows only TCP-based applications to execute on proxy servers. The SOCKS protocol uses "sockets" internally, which helps to keep track of all clients' individual connections. The function of a SOCKS server is to handle all client requests inside a company's firewall and, based on the requested Internet destination or the user identification, to allow or reject the connection request. If the requested connection is valid, it "binds" the request and the information is exchanged with the usual protocol (HTTP). The SOCKS package includes the following components:
1. A SOCKS server for the specified operating system.
2. A client program such as FTP, telnet, or an Internet browser.
3. A client library for SOCKS.

VPN via SSH and PPP

There are a number of benefits to setting up a PPP-SSH VPN. It is relatively simple compared to the other types. PPP and SSH are built into most distributions, and most current kernels are pre-configured to use them well. If the SSH protocol presently crosses your firewall, then PPP over SSH will cross your firewall too. PPP-SSH VPNs do not have any problems with dynamic IP addresses. Setting up a VPN over a dialup connection is not a problem in the case of PPP-SSH VPNs. Multiple tunnels to a single computer can be set up; the user must make sure that the IP address for each tunnel's network interface is distinct. For establishing an SSH connection, a VPN client and server are required. Both client and server have PPP daemons that communicate through the SSH connection.

Why web servers compromised?

There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access these websites using browsers.
Webmaster's Concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses. These may be in the form of viruses, Trojans, attackers, or the compromise of information itself. Bugs in software programs are often the source of security lapses. Web servers, which are large, complex devices, also come with these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.
Network Administrator's Concern: From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web is to provide controlled access to the network, too much control can make a web almost impossible to use. In an intranet environment, the network administrator has to be careful about configuring the web server so that legitimate users are recognized and authenticated, and groups of users are assigned distinct access privileges.
End User's Concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. In addition, active content from a website browser can be a conduit for malicious software to bypass the firewall system and permeate the local area network.

Evading IDS: False Positive Generation

This mode does not attack the target; instead, it does something relatively normal. In this mode, the IDS generates an alarm when no condition is present to warrant one. Another attack similar to the DoS method is to generate a large amount of alert data that the IDS will log. Attackers construct packets known to trigger alerts within the IDS, forcing it to generate a large number of false reports. This type of attack creates a great deal of log "noise" in an attempt to blend real attacks with the false. Attackers know all too well that when looking at log data, it can be very difficult to differentiate between legitimate attacks and false positives. If attackers know the IDS system, they can even generate false positives specific to that IDS.

Obtain a Search Warrant and Seize the Computer and Email Account

To carry out the on-site examination of the computer and email server, the search warrant application must include the appropriate language. Then, conduct a forensic examination on only that equipment that is permitted in the warrant. Seize all the computers and email accounts suspected to be involved in the crime. Email accounts can be seized by just changing the existing password of the email account, either by asking the victim for his or her password or from the mail server. After it is established that an email crime has been committed, evidence is required to prove the crime. To obtain evidence, access to the victim's computer is needed, which contains the email that the victim received. It is recommended to image the victim's computer first. Then, physically access the victim's computer and use the email program used by the victim to read the email. If required, the user name and password can be obtained from the victim and used to log into the email service to open protected or encrypted files. In case physical access to a victim's computer is not feasible, the victim can be instructed to open and print a copy of the offending message, including the header. The header of the email message has a key role to play in email tracing because it contains the unique IP address of the server that sent the message.

How to defend against web servers attacks 2

UrlScan is a security tool that restricts the types of HTTP requests that IIS will process. By blocking specific HTTP requests, the UrlScan security tool helps to prevent potentially harmful requests from reaching applications on the server. UrlScan screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator. Services: UrlScan can be configured to filter HTTP query string values and other HTTP headers to mitigate SQL injection attacks while the root cause is being fixed in the application. It provides W3C-formatted logs for easier log file analysis through log parsing solutions like Microsoft Log Parser 2.2.

General indications of system intrusion

To check whether the system has been attacked, you need to check certain parameters that clearly indicate the presence of an intruder on the system. When an intruder attempts to break into the system, he or she attempts to hide his or her presence by modifying certain system files and configurations that would indicate intrusion. Certain signs of intrusion include:
The system fails to identify a valid user.
Active access to unused logins.
Logins during non-working hours.
Rogue user accounts.
Modifications to system software and configuration files using Administrator access, and the presence of hidden files.
Gaps in system audit files, which indicate that the system was idle for that particular time; the gaps actually indicate that the intruder has attempted to erase the audit tracks.
The system's performance decreases drastically due to consumption of CPU time.
The system crashes suddenly and reboots without user intervention.
The system logs are too short and incomplete.
Timestamps of system logs are modified to include strange inputs.
Permissions on the logs are changed, including the ownership of the logs.
System logs are deleted.
System performance is abnormal; the system responds in unfamiliar ways.
Unknown processes are identified on the system.
Unusual display of graphics, pop-ups, and text messages is observed on the system.

The Need for computer forensics

To ensure the overall integrity and the continued existence of an organization's computer system and network infrastructure.
To extract, process, and interpret the factual evidence so that it proves the attacker's actions in court.
To efficiently track down perpetrators from different parts of the world.
To protect the organization's money and valuable time.

Encrypting File Systems (EFS)

To protect files from mishandling and to ensure their security, the files are encrypted. Encrypting File System (EFS) was first introduced in NTFS. EFS uses symmetric key encryption technology together with public key technology for encryption. The user is supplied a digital certificate with a public key and private key pair. A private key is not used for the users who are logged on to the local systems; for this purpose, an EFS key is used to set the key for users who are logged on to the local systems. This encryption technology maintains a level of transparency to the users who have encrypted the file. There is no need for users to decrypt the file when they access it to make changes. Again, after the user is done with the file and the system has saved the changes that the user made, the encryption policy is automatically restored. When any unauthorized user tries to access the encrypted file, he or she receives an "Access denied" message. To enable encryption and decryption facilities in a Windows NT-based operating system, the user has to set the encryption attributes on the files and folders that he or she wants to encrypt or decrypt. All the files and subfolders present in a folder are automatically encrypted. To take the best advantage of the encryption capability, experts recommend that encryption should be done at the folder level. That means a single particular file present in a folder should not be kept with other files that are not encrypted. The encryption is done using the graphical user interface in Windows, but a file or a folder can also be encrypted using a command line tool like Cipher. The easiest way to perform encryption is to use a GUI. A file or folder can be encrypted by using Windows Explorer and selecting the proper options available in the menu. Encrypting a file is important to the files present in the system, as NTFS protects files from unauthorized access and ensures a high level of security.
A file encryption certificate is issued whenever a file is encrypted. If the person loses that certificate and the related private key (through a disk failure or any other reason), data recovery is delegated to the recovery key agent. In a Windows 2000 Server-based network that maintains Active Directory, the recovery agent is assigned by default to the domain administrator. Recovery is prepared in advance, even before the files are encrypted. The recovery agent holds a special certificate and related private key. Using these, the data is recovered, giving a scope of influence to the recovery policy supported by new versions of Windows.

TLS (Transport Layer Security)

Transport Layer Security (TLS) is a protocol used to establish a secure connection between a client and a server and ensure the privacy and integrity of information during transmission. It uses symmetric keys for bulk encryption, asymmetric keys for authentication and key exchange, and message authentication codes for message integrity. It uses the RSA algorithm with 1024- and 2048-bit key strengths. With the help of TLS, one can reduce security risks such as message tampering, message forgery, and message interception. An advantage of TLS is that it is application-protocol independent. Higher-level protocols can layer on top of the TLS protocol transparently.

Review policies and laws

Understand the Laws: It is essential to understand the laws that apply to the investigation, including the internal organization policies, before starting the investigation process.
Identify Possible Concerns: Identify possible concerns related to applicable Federal statutes (such as the Electronic Communications Privacy Act of 1986 (ECPA) and the Cable Communications Policy Act (CCPA), both as amended by the USA PATRIOT Act of 2001, and/or the Privacy Protection Act of 1980 (PPA)), State statutes, and local policies and laws.
Best Practices:
Determine the extent of the authority to search.
Determine the legal authorities for conducting an investigation.
Consult with a legal advisor on issues raised by any improper handling of the investigation.
Ensure the customer's privacy and confidentiality.

Evading IDS: Unicode Evasion Technique

Unicode is a character coding system that supports the encoding, processing, and display of written texts for worldwide languages to maintain consistency in computer representation. Several standards such as Java, LDAP, and XML require Unicode, and many operating systems and applications support it. Attackers can implement an attack using different character encodings of the "code points" in the Unicode code space. The most commonly used character encodings are Unicode Transformation Format (UTF)-8 and UTF-16. For example, in UTF-16, the character "/" can be represented as "%u2215" and "e" as "%u00e9," and in UTF-8, "©" as "%c2%a9" and "≠" as "%e2%89%a0." Problems with Unicode: In the Unicode code space, all the code points are treated differently, but it is possible that there could be multiple representations of a single character. There are also code points that alter the previous code points. Moreover, applications or operating systems may assign the same representation to different code points. Because of this complexity, some IDS systems handle Unicode improperly, as Unicode allows multiple interpretations of the same characters. For example, "\" can be represented as 5C, C19C, and E0819C, which makes writing pattern matching signatures very difficult. Taking advantage of this, attackers can convert attack strings to Unicode characters to avoid pattern and signature matching in the IDS. Attackers can also encode URLs in HTTP requests using Unicode characters to bypass HTTP-based attack detection at the IDS.

Different ways to create DMZ

Use three network interface cards in a single firewall machine as follows:
NIC1 for WAN: This is the entry and exit point to the Internet. Every packet enters and leaves through this network interface card.
NIC2 for LAN: This is the NIC that has all the private assets (i.e., file servers, domain controllers, and dubious media controllers).
NIC3 for DMZ: This is the place where all others on the Internet can access the network.
Use a DMZ between two firewalls: This is usually called the "Sandwich DMZ." It can be implemented by placing a DMZ (i.e., a hub or a switch) between the first system and the second system. This arrangement allows only those services that are offered to the users. This service can be an FTP server or a mail server. The user can construct a secured machine by not allowing unnecessary services.
These are the ways to create the DMZ, but the first method is not one of the feasible ways to implement the DMZ because it can compromise all the NICs on the network and because the Internet comes into contact with the same computer. This determines the security issues of the LAN, which is not ideal.

VPN Registration and passwords

VPN registration is a must to ensure proper security and authentication for the VPN. For example, in the case of a VPN, requests are made via an authenticated web form. Access can be allowed or denied through security groups. When users and systems connect to the VPN, their logins are identified. This feature enhances the security of the VPN. The VPN client must also be protected. It requires a clear password for activation of the client. The user must not forget to disconnect the present connection when it is not required. Stand-by modes can be harmful to VPN security. The user can lock the screen during short-term absences. Passwords must be more secure if a VPN is to be secured through passwords. The password policy should impose certain requirements, such as ensuring passwords are non-crackable and blocking access if a password is crackable. The account must be locked after 5 failed attempts. This would protect the account against brute force attacks. Use 128-bit encryption or MS-CHAPv2 for better security. It is the user's responsibility to ensure that the password is not discovered.

VPN (Virtual Private Network)

VPN stands for Virtual Private Network. It is a means for ensuring private, secure communication between hosts over an insecure medium using tunneling. Tunneling is explained in detail later in this module. A VPN characteristically makes use of the Internet as the transport backbone. It also uses public Internet Protocol (IP) network infrastructures with private network protection. It substitutes expensive leased lines or frame relay circuits with Internet access, which is cheaper than dedicated remote access server (RAS) connections. Virtual private networks are also used to expand communications to local and remote offices. They help in setting up secure communications with business partners. These days, VPNs are renovating the daily process faster than other technologies in the business. They assist in securing communications between a company's internal departments and its branch offices. They provide scalability in management to support rapidly growing numbers of new users, offices, and applications.

Step 2: Detection and Analysis

Various types of incidents occur daily. Imagine you are an employee of an organization's financial management department. Data about the financial status of the organization was modified in the database without your permission. You cross-check the database to find out whether the data was really modified or not. You notice that the data indeed was modified without your permission. As an end user, you inform the help desk about the incident. The help desk accepts the request and does a preliminary examination to find whether the incident really occurred or not. A help desk consists of incident handlers with years of experience. If the help desk finds that this is an intrusion or breach from malicious sources, then a case is filed for further enquiry. It is the duty of the help desk to find whether the incident is a reflection of any previous incidents; if so, the earlier incident is reopened for further examination. The incident is analyzed to note all the important incident events that have happened and are happening. If the help desk does not check this, the handler records the details of the incident, analyzes the report, and responds to the incident.

Disk encryption tool

VeraCrypt is software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. The entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, metadata, etc.). Files can be copied to and from a mounted VeraCrypt volume just like they are copied to/from any normal disk (for example, by simple drag-and-drop operations). Files are automatically decrypted on the fly (in memory/RAM) while they are being read or copied from an encrypted VeraCrypt volume. Similarly, files that are being written or copied to the VeraCrypt volume are automatically encrypted on the fly (right before they are written to the disk) in RAM.

Video Steganography

Video steganography involves hiding secret files of any type inside a continuously playing video file. The video file acts as the carrier that moves the secret information from one end to the other. Because the carrier is a moving stream of images and sound, it is difficult for an unintended recipient to notice the small distortions the hidden message introduces, and they may go unobserved in the continuous flow of the video. All the techniques available for image and audio steganography can be applied to video steganography. Information hidden in video frames is nearly impossible to recognize by eye, because the change to a pixel's color value is negligible, which lowers the probability that an attacker discovers the hidden information in the running video. Note that "invisible to the eye" is not the same as undetectable: statistical steganalysis can flag least-significant-bit changes that a viewer never sees.

Types of Digital Data

Volatile data: data that is lost when the system is powered off and that can change from moment to moment. It includes system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, and command history.
Non-volatile data: data held in secondary storage that persists long term. It includes hidden files, slack space, the swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs.
Transient data: information such as open network connections, user logout state, programs resident in memory, and cache data. If the machine is turned off, all of this is lost permanently.
Fragile data: information temporarily saved on the hard disk that can be changed easily, such as last-access time stamps and access dates on files.
Temporarily accessible data: data stored on the hard disk that is accessible only for a certain time, such as encrypted file system information while the volume is unlocked.
Active data: data presently used by the parties for their daily operations. It is direct and straightforward to recognize and access using the current system.
Backup data: a copy of the system data that can be used at any time during the recovery process after a disaster or system crash.
Archival data: data kept in long-term storage to maintain records.
Residual data: data that remains on a computer after a document is deleted. When a file is deleted, the system only marks the file's space as free instead of wiping it, so the file can be retrieved until the space is reused.
Metadata: a record about a particular document, including the file format and how, when, and by whom it was created, saved, and modified.

Non-Volatile Information

Volatile information gathering is not the investigator's only aim. Investigators need detailed information, because such evidence helps them solve the case. Non-volatile data remains unchanged when a system is shut down or loses power; examples include emails, word processing documents, spreadsheets, and various "deleted" files. The investigator decides what information needs to be extracted from the registry, and what information about (or from) files needs to be collected, either for additional analysis or because an attacker may be actively logged into the system, in which case the investigator may decide to track the attacker. The investigator also wants to preserve certain information from being modified or deleted. Once a system has been started, modifications may have occurred, such as drives mapped to or from the system, services started, or applications installed. These modifications might not persist across a reboot and therefore may need to be recorded and documented. Non-volatile data usually resides on hard drives; it also exists in swap files, slack space, and unallocated drive space. Other non-volatile sources include DVDs, USB thumb drives, smartphones, flash memory cards, etc.

Types of Tunneling

Voluntary Tunneling: In this type of tunneling, the VPN client manages the connection setup. The client first initiates a connection to the network provider, and then the VPN client application creates the tunnel to a VPN server over this live connection.
Compulsory Tunneling: The network provider or ISP manages the VPN connection setup. The carrier immediately establishes a VPN connection when the client makes an ordinary connection to the network provider; this VPN connection is maintained between the client and a VPN server. From the client's point of view, the VPN connection is set up in a single step, compared with the two-step procedure required for voluntary tunnels. The provider's access device authenticates clients and associates them with specific VPN servers using built-in logic. The details of the VPN server's connectivity are concealed from the VPN clients, and control over the tunnels moves from the clients to the ISP or network provider.

What is WEP encryption

WEP was an early attempt to protect wireless networks from security breaches, but as attacks improved it became evident that information encrypted with WEP is vulnerable.
What is WEP encryption? WEP (Wired Equivalent Privacy) is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide confidentiality of data on wireless networks at a level equivalent to that of wired LANs, which can rely on physical security to stop unauthorized access. In a wireless LAN, a user or an attacker can reach the network without physically connecting to it, so WEP applies encryption at the data link layer to limit unauthorized access on the WLAN. Data is encrypted with the symmetric RC4 stream cipher.
Role of WEP in wireless communication:
WEP is intended to protect against eavesdropping on wireless communications and to prevent unauthorized access to the wireless network.
It depends on a secret key shared by the mobile station and the AP; this key encrypts packets before transmission.
An integrity check value (ICV, a CRC-32 over the plaintext) is meant to ensure that packets are not altered during transmission.
802.11 WEP encrypts only the frame body between the client and the AP; frame headers and addresses are sent in the clear.
Main goals of WEP:
Confidentiality: prevents link-layer eavesdropping.
Access control: determines who may access the network.
Data integrity: protects against modification of data by a third party.
Efficiency: cheap enough to implement in hardware or software.
Key points:
WEP was developed without academic or public review and without review by cryptologists, and it has significant vulnerabilities and design flaws.
WEP is a stream cipher construction: RC4 produces a stream of bytes that is XORed with the plaintext. The per-packet RC4 key is a 24-bit initialization vector (IV), sent in the clear, concatenated with the secret key.
The advertised WEP size includes the 24-bit IV, so the secret key is smaller:
64-bit WEP uses a 40-bit secret key.
128-bit WEP uses a 104-bit secret key.
256-bit WEP uses a 232-bit secret key.
Because the IV space is only 2^24 values, IVs repeat on a busy network; a repeated IV means a repeated keystream, and the CRC-32 ICV is linear, so neither confidentiality nor integrity holds against a determined attacker.

WEP vs WPA vs WPA2

WEP initially provided data confidentiality on wireless networks, but it was weak and failed to meet any of its security goals. WPA fixes most of WEP's problems, and WPA2 makes wireless networks almost as secure as wired networks. WPA2 supports authentication, so that only authorized users can access the network. WEP should be replaced with WPA or, preferably, WPA2 in order to secure a Wi-Fi network. Both WPA and WPA2 incorporate protections against forgery and replay attacks. The accompanying comparison slide contrasts WEP, WPA, and WPA2 by encryption algorithm, encryption key size, length of the initialization vector (IV), and related properties.

WPA(Wi-Fi Protected Access)

WPA stands for Wi-Fi Protected Access. It is based on the draft 802.11i security standard. It is a software upgrade, but may also require a hardware upgrade. In the past, the primary security mechanism between wireless access points and wireless clients was WEP encryption; WEP's major drawback is that it uses a static encryption key, and attackers can exploit this with tools freely available on the Internet. The Wi-Fi Alliance defined WPA as an expansion of the 802.11 protocols that allows for increased security, and nearly every Wi-Fi vendor adopted it. WPA strengthens data protection by passing messages through a Message Integrity Check (MIC) and by using the Temporal Key Integrity Protocol (TKIP) for encryption. Under TKIP the per-frame encryption key for unicast traffic changes with every frame, and the change is coordinated automatically between the wireless client and the access point.
TKIP (Temporal Key Integrity Protocol): TKIP uses the RC4 stream cipher with 128-bit keys and a 64-bit message integrity check (MIC). It mitigates WEP's key derivation weakness by using key-mixing functions.
128-bit temporal key: Under TKIP, the client starts with a 128-bit temporal key (TK), which is mixed with the client's MAC address and an IV to create the per-frame RC4 key. A sequence counter protects against replay attacks.
WPA enhances WEP: TKIP adds a rekeying mechanism that provides fresh encryption and integrity keys; temporal keys are changed every 10,000 packets. This makes TKIP-protected networks more resistant to cryptanalytic attacks that rely on key reuse.

WPA2 (Wi-Fi Protected Access 2)

WPA2 (Wi-Fi Protected Access 2) implements the full 802.11i standard. It supports the security features that WPA does not, provides stronger data protection and network access control, and gives a high level of security so that only authorized users can access the network. It uses the NIST FIPS 140-2 compliant AES encryption algorithm (in CCMP mode) and offers government-grade security. WPA2 has two modes of operation:
WPA2-Personal: This mode uses a setup password (pre-shared key, PSK) and protects against unauthorized network access. The passphrase is 8 to 63 ASCII characters; each wireless device derives a 256-bit pairwise master key from it, from which the 128-bit temporal key that encrypts traffic is derived during the four-way handshake. Anyone who captures a handshake can test passphrase guesses offline, so the passphrase must be long and unguessable.
WPA2-Enterprise: This mode confirms each network user through a server. It uses 802.1X/EAP with a RADIUS server for centralized client authentication with methods such as token cards, Kerberos, and certificates. Users are assigned login credentials by the centralized server, which they must present when connecting to the network.
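The passphrase-to-key step of WPA2-Personal, as an added example that is not part of the original page. The derivation is the one specified for WPA/WPA2-PSK (PMK = PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output). The candidate wordlist, SSID and "captured" key are constructed for the demo; a real offline attack checks each guess against the handshake MIC derived from the PMK rather than against the PMK itself, which is simplified here.

```python
"""WPA2-PSK passphrase-to-PMK derivation and an offline guess loop (added example)."""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the WPA-PSK specification
PMK_BYTES = 32             # 256-bit pairwise master key

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA-PSK passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_BYTES)

def dictionary_attack(target_pmk: bytes, ssid: str, candidates):
    """Offline guessing: the attacker needs only the (public) SSID and a
    wordlist. Returns the passphrase whose PMK matches, or None."""
    for guess in candidates:
        try:
            if derive_pmk(guess, ssid) == target_pmk:
                return guess
        except ValueError:        # too short / non-ASCII: cannot be a valid PSK
            continue
    return None
```

The 4096 iterations slow each guess down, which is why the defence against this attack is passphrase length and randomness rather than any setting on the access point.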

Web application threats 1

Web application threats are not limited to attacks on URLs and port 80. Whatever ports, protocols, and OSI layers are in use, vendors must protect the integrity of mission-critical applications by being able to deal with every method of attack. The main types of web application threats are:
Cookie Poisoning: By changing the information inside a cookie, attackers bypass the authentication process; once they gain control over an account or a network, they can modify its content, use the system for a malicious attack, or steal information from users' systems.
Directory Traversal: Attackers exploit HTTP with directory traversal sequences to reach restricted directories and execute commands outside the web server's root directory.
Unvalidated Input: To bypass security controls, attackers tamper with HTTP requests, URLs, headers, form fields, hidden fields, query strings, and so on. Users' login IDs and related data stored in cookies become a means of attack. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), and buffer overflows.
Cross-Site Scripting (XSS): Attackers inject malicious scripts into specific web pages; these scripts run in victims' browsers, bypass client-side security mechanisms, steal session privileges, and can even rewrite the HTML content of the site.
Injection Flaws: Attackers inject malicious code, commands, or scripts into the input fields of flawed web applications so that the application interprets and runs the supplied input, which allows them to extract sensitive information.
SQL Injection: A type of injection attack in which attackers inject SQL commands via input data and then read or tamper with the data.
Parameter/Form Tampering: This attack manipulates the parameters exchanged between client and server to modify application data such as user credentials and permissions, or the price and quantity of products. This information is stored in cookies, hidden form fields, or URL query strings, which web applications use to extend their functionality and control. Attackers intercept and modify the requests with tools such as WebScarab and Paros Proxy, acting as a man in the middle (MITM) between browser and server.

Web Application

Web applications are applications that run on a remote web server and deliver their output over the Internet. Applications built on web servers use Web 2.0 technologies to interact with users, clients, third parties, etc. A web application is composed of many layers of functionality, but it is usually described as a three-layer architecture: presentation, logic, and data layers. The web architecture relies on the technology popularized by the World Wide Web, the Hypertext Markup Language (HTML), and its primary transport, the Hypertext Transfer Protocol (HTTP). HTTP is the medium of communication between the server and the client; it typically operates over TCP port 80 (443 for HTTPS), but it can be served on any other configured port. Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server or that contain script code executed dynamically within the client's browser. Popular web servers include Microsoft IIS, the Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun ONE. Resources are named by Uniform Resource Identifiers (URIs) and may be static pages or dynamic content. Since HTTP is stateless, i.e. the protocol does not maintain session state, each request for a resource is treated as separate and unique, and the server does not by itself remember the client between requests. Cookies are therefore used as tokens that servers hand to clients to grant continued access to a site. Cookies are not perfect from a security point of view: they are stored on the client's local disk so that the user does not have to obtain a new token for each request, which means they can be copied or altered by whoever controls the client. Although web applications enforce certain security policies, they remain vulnerable to attacks such as SQL injection, cross-site scripting, and session hijacking.
Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance. New web technologies such as Web 2.0 enlarge the attack surface available for web application exploitation. Attackers discover vulnerabilities in web applications and exploit them to compromise the application, often with the help of automated tools.
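The cookie-as-token problem described above and the cookie poisoning item in the threat list, as an added example that is not part of the original page: a cookie the server trusts verbatim can be edited to escalate privileges, while an HMAC-signed cookie is rejected when its claims are altered. The secret, claims and token format are constructed for the demo; a real deployment would also add an expiry and bind the token to server-side session state.

```python
"""Cookie poisoning versus a tamper-evident (HMAC-signed) cookie (added example)."""
import base64
import hashlib
import hmac
import json

def parse_unsigned_cookie(cookie: str) -> dict:
    """Server trusts whatever the client sends: 'role=admin' is accepted as-is."""
    return dict(kv.split("=", 1) for kv in cookie.split("; ") if "=" in kv)

def _encode_claims(claims: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()

def sign_cookie(secret: bytes, claims: dict) -> str:
    """Return body.mac where mac = HMAC-SHA256(secret, body)."""
    body = _encode_claims(claims)
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify_cookie(secret: bytes, cookie: str):
    """Return the claims if the MAC is valid, else None."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def poison(cookie: str) -> str:
    """What an attacker can do without the secret: edit the readable body
    (base64 is encoding, not encryption) and keep the old MAC."""
    body, mac = cookie.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["role"] = "admin"
    return f"{_encode_claims(claims)}.{mac}"
```

Signing makes tampering detectable but does not stop a copied cookie from being replayed by whoever stole it; that is what session expiry, the Secure/HttpOnly flags and TLS are for.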

Web defacement

Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive content. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected. Attackers use a variety of methods, such as SQL injection, to gain access to a site in order to deface it.

What is computer security incident?

According to CERT, "A computer security incident might be any real or suspected adverse event in relation to the security of computer systems or networks." A computer security incident can be an event or set of events that threatens the security of computing systems and networks in an organization. Types of security incidents and breaches include:
Repeated unsuccessful login attempts against the organization's information assets.
Unavailability of services and system resources due to DoS attacks.
Unintentional modifications to software, hardware, firmware, etc.
Unauthorized use of systems to process and store information.
System and application crashes.
Unauthorized use of another user's account.
Gaining unauthorized administrator privileges to access the network and systems.

Understanding Unix/Linux Boot process

When a Unix system is switched on, the CPU begins executing firmware code held in read-only memory (ROM); this memory-resident code is copied into random-access memory (RAM). The firmware verifies that the hardware is present and operating correctly, then scans the buses for a bootable device such as a hard disk, floppy disk, or CD that holds the boot program. Once the boot device is found, the boot program is loaded into memory; it in turn loads the kernel and passes control to it. The kernel's first job is to detect and configure all devices so that the system and its related processes can start. Once the kernel is functional it can bring the system up in single-user mode, which allows only one user (root) to log on and provides additional options such as a maintenance mode. After the loading process finishes, the kernel locates the root file system, the swap space, and the dump device; the hostname and time zone are set; file system consistency checks (fsck) are run and all partitions are mounted. The next step is to start the network service daemons and configure the network interface card (NIC), after which the user and system accounts become available for login.

Understanding Events

When events such as a user logging on or off occur, a record of the event is generated. Some events are recorded by default; others are recorded according to the audit configuration held in the PolAdEvt registry key (under HKEY_LOCAL_MACHINE\SECURITY\Policy). Other aspects of the event log configuration are maintained under the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\ Systems configured as domain controllers also have File Replication Service and Directory Service event logs, and systems configured as DNS servers have DNS event logs.

Common terminologies

Why does an incident handler need to know security terminology? Incident handlers use these terms in their day-to-day work and must know the basic differences between them. Different types of attacks are described with different terms, and handlers must address security issues across a wide variety of architectures and operating systems and pinpoint the exact cause of each issue; identifying the issue correctly is what allows a response aimed at the root cause, using the strategies and techniques appropriate to that event.
Vulnerability: a flaw or weakness in a system. If a vulnerability is exploited, it may result in undesirable events such as compromised security or violated system integrity. Common vulnerabilities in a computer or network system include weak passwords, software bugs, virus or malware infection, and script code injection or SQL injection.
Threat: an event, person, or circumstance that can damage the system by altering or deleting information, disclosing confidential information, etc. Examples of common threats are destruction of resources, disclosure of personal information, and modification of system data.
Attack: a deliberate action that causes harm to computer systems by exploiting known vulnerabilities; it violates the security of the system. Examples include Denial of Service (DoS) and Distributed DoS (DDoS) attacks, the use or spreading of malicious code such as viruses, worms, and Trojan horses, and hacker attacks.

Wireless network topology

Wireless networking permits users across long distances to communicate using infrared light or radio signals as the medium. Devices suited to wireless networking include laptops, desktop computers, PDAs, cellular phones, pagers, and pen-based computers. It has given people who travel a lot the freedom to connect to the Internet wherever they are. Wireless networks follow the same hierarchy as wired networks: a wireless LAN is a small network of three or more devices, whereas the global wireless network is known as the wireless Internet. Wireless networks can be divided into four categories:
Wireless Local Area Network (WLAN): WLAN technologies connect users within a local area, such as a corporate or campus building or a public space like an airport.
Wireless Personal Area Network (WPAN): a short-range ad hoc network providing instantaneous connectivity to the user; Bluetooth is the common example.
Wireless Metropolitan Area Network (WMAN): WMAN technologies allow users to communicate wirelessly between different locations within a metropolitan area, such as a university campus or multiple offices in a city.
Wireless Wide Area Network (WWAN): connects notebooks and handheld computers to the Internet over digital cellular networks across far-reaching geographic areas.

packet-filtering firewall

A packet-filtering firewall inspects each individual packet passing through it and decides whether to pass the packet or drop it. A traditional (stateless) packet filter makes the decision from the following information:
Source IP address: from the IP header; checks whether the packet comes from a permitted source.
Destination IP address: from the IP header; checks whether the packet is going to a permitted destination and whether that destination accepts this type of packet.
Source TCP/UDP port: checks the source port of the packet.
Destination TCP/UDP port: services to be allowed or denied are checked at the destination port.
TCP code bits: checks whether the packet has the SYN, ACK, or other flags set, which indicates whether it is opening a new connection or belongs to an existing one.
Protocol in use: checks whether the protocol the packet carries should be allowed, since some networks do not permit UDP, for example.
Direction: whether the packet is inbound (arriving from the untrusted side) or outbound, so that different rules can apply to each.
Interface: which network interface the packet arrived on, so that, for example, packets with internal source addresses arriving on the external interface can be rejected as spoofed.
Because a stateless filter sees each packet in isolation, it can only infer "part of an established connection" from the ACK bit, and that bit can be set by anyone.
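The decision logic above as a first-match rule evaluator, an added example that is not part of the original page. The rule set, address ranges (RFC 5737 documentation prefixes), interface names and sample packets are all constructed for the demo. The last assertion in the usage shows the stateless limitation mentioned above: a forged ACK-only packet to a closed port is accepted by the "established" rule.

```python
"""Stateless packet filter: first matching rule decides (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP code bits, e.g. {"SYN"} or {"ACK"}
    direction: str = "in"            # "in" = arriving from the untrusted side
    iface: str = "eth0"              # interface the packet arrived on

@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    flags_set: frozenset = frozenset()    # bits that must be set
    flags_clear: frozenset = frozenset()  # bits that must be clear
    direction: str = "any"
    iface: str = "any"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and self.flags_set <= p.flags
                and not (self.flags_clear & p.flags)
                and self.direction in ("any", p.direction)
                and self.iface in ("any", p.iface))

def filter_packet(rules: List[Rule], packet: Packet, default: str = "deny") -> str:
    """First match wins; anything unmatched falls to the default (deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

INSIDE = "203.0.113.0/24"        # constructed internal range
WEB = "203.0.113.10/32"          # constructed public web server
SYN_ONLY = dict(flags_set=frozenset({"SYN"}), flags_clear=frozenset({"ACK"}))

RULES: List[Rule] = [
    # 1. Anti-spoofing: an inside source address must never arrive on the outside interface.
    Rule("deny", src=INSIDE, direction="in", iface="eth0"),
    # 2. New inbound connections only to the web server on 80/443.
    Rule("allow", "tcp", dst=WEB, dport=80, direction="in", **SYN_ONLY),
    Rule("allow", "tcp", dst=WEB, dport=443, direction="in", **SYN_ONLY),
    # 3. Replies to connections opened from inside: a stateless filter can only
    #    guess "established" from the ACK bit, which an attacker can also set.
    Rule("allow", "tcp", dst=INSIDE, flags_set=frozenset({"ACK"}), direction="in"),
    # 4. Anything the inside sends out.
    Rule("allow", direction="out"),
]
```

Rule 3 is why stateful inspection replaced pure packet filters: a stateful firewall would only admit an ACK packet that matches a connection it saw the inside open.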

Wireshark network analyzer tool

Wireshark is a GUI network protocol analyzer. It lets the user interactively browse packet data from a live network or from a previously saved capture file. Wireshark's native capture file format is the libpcap format, which is also used by tcpdump and various other tools. In addition, Wireshark can read capture files from snoop and atmsnoop, Shomiti/Finisar Surveyor, Novell LANalyzer, Network General/Network Associates DOS-based Sniffer (compressed or uncompressed), Microsoft Network Monitor, and others. The user does not need to tell Wireshark what type of file is being read; it determines the file type itself. Wireshark can also read any of these formats when they are compressed with gzip; it recognizes the compression from the file's contents, so the .gz extension is not required. Like other protocol analyzers, Wireshark's main window shows three views of a packet: a summary line briefly describing the packet, a protocol tree that lets the user drill down to the exact protocol or field of interest, and a hex dump showing exactly what the packet looks like on the wire. Wireshark can also reassemble all the packets of a TCP conversation and show the ASCII (or EBCDIC, or hex) data in that conversation. Display filters in Wireshark are very powerful. Packet capture is performed with the pcap library, and the capture filter syntax follows the rules of that library; this syntax is different from the display filter syntax. Compressed file support uses the zlib library; if zlib is not present, Wireshark will compile but will be unable to read compressed files. The path of a capture file to read can be given with the -r option or as a command-line argument.
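A minimal reader for the libpcap format mentioned above, as an added example that is not part of the original page or of Wireshark's code. It sniffs the file type from the first bytes the way the paragraph describes (gzip magic first, then the pcap magic in either byte order) and produces the kind of summary line Wireshark shows per packet. The capture it parses is constructed in make_sample_pcap; only Ethernet link type and IPv4 with TCP/UDP are decoded, and IP checksums are left zero because parsing does not need them.

```python
"""Minimal libpcap reader with file-type detection (added example)."""
import gzip
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4         # microsecond-timestamp pcap, as written by libpcap
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same file written on the other endianness
GZIP_MAGIC = b"\x1f\x8b"
DLT_EN10MB = 1

def summarize(frame: bytes):
    """(src, dst, proto, sport, dport) for an Ethernet/IPv4 frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return (None, None, "non-ipv4", None, None)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:        # TCP and UDP both start with the ports
        sport, dport = struct.unpack("!HH", l4[:4])
    name = {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto))
    return (src, dst, name, sport, dport)

def read_pcap(blob: bytes):
    """Return [(timestamp, src, dst, proto, sport, dport), ...]."""
    if blob[:2] == GZIP_MAGIC:                    # detect compression from content, not extension
        blob = gzip.decompress(blob)
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet link type handled in this example")
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        frame = blob[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        records.append((ts_sec + ts_usec / 1e6,) + summarize(frame))
    return records

def _ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def _ether(payload: bytes) -> bytes:
    return bytes.fromhex("0011223344550066778899aa") + b"\x08\x00" + payload

def make_sample_pcap() -> bytes:
    """Constructed capture: a DNS query (UDP/53) and a TCP SYN to port 80."""
    udp = struct.pack("!HHHH", 5353, 53, 8 + 12, 0) + b"\x00" * 12
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    frames = [_ether(_ipv4(17, "192.0.2.1", "192.0.2.53", udp)),
              _ether(_ipv4(6, "192.0.2.1", "198.51.100.80", tcp))]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + n, 0, len(frame), len(frame)) + frame
    return out
```

The endianness check matters in practice: a capture copied from a big-endian appliance has the magic bytes reversed, and a reader that assumes one byte order will misparse every length field.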

EventLog Analyzer

EventLog Analyzer is IT compliance and event log management software for SIEM. It allows organizations to automate the management of machine-generated logs by collecting, analyzing, correlating, searching, reporting on, and archiving them from one central location. It helps monitor file integrity, conduct log forensics, monitor privileged users, and comply with regulatory requirements by analyzing logs and generating reports such as user activity reports and historical trend reports.
Features:
Log management: event log management, syslog management, event log auditing, Unix and Linux auditing and reporting, application log management, Windows Terminal Server log monitoring, Universal Log Parsing & Indexing (ULPI), event log monitoring, cloud infrastructure log monitoring, database auditing.
Application log reports: Microsoft IIS web server, Microsoft IIS FTP server, Windows DHCP, Linux DHCP, MS SQL database, Oracle database (audit), Apache web server.
System and user monitoring log reports: ready-built and custom event log reports, Microsoft IIS server log reports, IBM AS/400 log reports, VMware server log management reports, Active Directory log reports, Privileged User Monitoring (PUMA) reports, user session monitoring, "Ask ME" event log reports, historical event trends, advanced search results saved as report profiles.
Security information management: agent-less and agent-based log collection, log search, log analysis, log archiving, log forensics, importing event logs, user authentication, network device monitoring, firewall log auditing, removable disk auditing.

Understanding the Linux Loader (LILO)

LILO is the Linux utility that initiates the Linux boot process: it loads Linux into memory and starts the operating system. On a multi-boot system, LILO can be set up to start any of the installed operating systems; when the system is turned on, it presents the available options for selecting one. LILO uses a configuration file, lilo.conf, located in the /etc directory. This file provides the path of the boot device, the kernel image file (such as vmlinuz), and a delay timer specifying how long to wait for the operating system selection. If /etc/lilo.conf or any file LILO uses is edited, the changes must be applied before they take effect; otherwise Linux may not boot. To apply the changes, log on as the superuser and run:
/sbin/lilo
The response looks like this:
Added Linux *
Added win
The asterisk (*) denotes the default boot image. LILO is fast, flexible, and independent, since it does not require any other operating system to be present, which made it the loader of choice for Linux-only systems. Most distributions have since replaced it with GRUB, but the same apply-after-edit rule holds: a loader that reads block addresses at install time must be re-run after its configuration or kernel changes.

List of wireless standards

Below is a list of wireless standards:
802.11a: more channels, higher speed, and less interference (5 GHz)
802.11b: the protocol of the Wi-Fi revolution, de facto standard
802.11c: operation of bridge connections
802.11d: worldwide compliance with regulations for use of the wireless signal spectrum
802.11e: Quality of Service (QoS) support
802.11f: Inter-Access Point Protocol
802.11g: 54 Mbps standard, 2.4 GHz signaling
802.11h: supports European regulatory requirements
802.11i: improves WLAN security
802.11j: supports Japanese regulatory requirements
802.11k: WLAN system management
802.11m: maintenance of the standard's documentation
802.11n: Multiple Input, Multiple Output (MIMO) antennas
802.11p: Wireless Access for the Vehicular Environment
802.11r: supports fast roaming
802.11s: mesh networking
802.11t: wireless performance prediction
802.11u: interworking with external networks
802.11v: wireless network management
802.16: long-distance wireless infrastructure (WiMAX)
Bluetooth: cable replacement option
900 MHz: low speed, coverage, and backward compatibility

Positioning the bastion host

Physical location: appropriate environmental controls against extreme weather; the host must be set up in a locked server cabinet with proper ventilation, cooling, and backup power.
Network location: set on a special network, the demilitarized zone (DMZ), that does not carry sensitive data. Avoid putting the bastion host on internal networks; locate it on an additional layer known as the perimeter network, attached to a packet-filtering router.

Types of bastion hosts

Single-homed: a firewall device with only one network interface. All incoming and outgoing traffic is routed through the bastion host, which tests the data against the security guidelines and acts accordingly.
Multi-homed: a firewall device with at least two network interfaces. This type of bastion host is capable of separating the internal and external networks, and thus provides more security.

Other Non-Volatile Information

Other non-volatile information that can contain valuable evidence includes registry entries, temporary files, cookies, browser cache and history, emails, etc.
Web Browser Cache: The web browser cache stores the contents of web pages locally to speed up future access to regularly visited sites. Downloaded content remains on the hard drive until deleted, and data remains in unallocated space even after the cache is cleared. Because the cache reveals the user's browsing history and browsing patterns, it is an important source of evidence in a computer forensics investigation.
Cookies: Cookies are small packages of data used to track, validate, and maintain specific user information. A cookie may carry an expiration date at which the browser deletes it; cookies without an expiration date are deleted at the end of the user session. Users may also delete cookie data, but even after deletion the data may remain in unallocated space on the hard drive. Cookies are text files containing user browsing activity, login information, etc., created and stored on the system during the user's Internet activity. A cookie can be smaller than 100 bytes and its contents may be encrypted or encoded by the site that set it. Older versions of Internet Explorer also recorded cookies, with their dates and times, in the index.dat index file, which the investigator can use to recover evidence.
Temporary Files: Temporary files are created by a program when it cannot allocate enough memory for its tasks or when it is working on a large set of data. In general, temp files are deleted when the program terminates, but some programs leave them behind. The processes and functions running on a Windows system also generate temporary files ("Temp files"), including copies of files being worked on and files queued for processing; examining them reveals information about system activity.

WLAN (Wireless Local Area Network)

A local area network that uses wireless transmissions rather than wires to communicate between the nodes. It is also referred to as a LAWN (Local Area Wireless Network) and is used in office buildings, on college campuses, and in homes. The IEEE 802.11 family of standards specifies the technologies for wireless LANs. High-frequency radio waves or infrared light can be used as the carrier for communication between devices.

Social engineering countermeasures part 3

Background checks of employees and proper termination process: Before hiring new employees, check their background for criminal activity. Follow a defined process for terminated employees (revoke their accounts, badges, and keys promptly), since they may pose a future threat to the security of the organization.
Two-Factor Authentication (TFA or 2FA): The user must present two different forms of proof of identity. An attacker trying to break into the account then has to defeat both factors, which is much harder than defeating one; 2FA is therefore a form of defense in depth and belongs to the multi-factor authentication family. The two pieces of evidence are typically something the user has, such as a physical token or smart card, and something the user knows and can commit to memory, such as a PIN, security code, or password.
Antivirus/Anti-Phishing Defenses: Multiple layers of antivirus and anti-phishing defenses, at end-user desktops and at mail gateways, reduce the threat from phishing and other social engineering attacks.
Change Management: A documented change-management process is more secure than an ad-hoc process.
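A worked example of the two-factor check described above, added here and not taken from the ECSS material: factor 1 is a memorised password stored as a salted PBKDF2 hash, factor 2 is a time-based one-time code produced by a token following RFC 4226 (HOTP) and RFC 6238 (TOTP). The demo user, its salt, and the token secret (the RFC test secret) are constructed for illustration.

```python
"""Two-factor login check: password (something you know) plus a TOTP code
from a token (something you have). Added example; demo data is constructed."""
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30  # seconds per time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = TOTP_STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


# Constructed demo user. In practice the salt comes from os.urandom(16) and the
# TOTP secret is generated at enrolment; this one is the RFC 4226 test secret.
DEMO_SALT = b"demo-salt-not-random"
DEMO_TOTP_SECRET = b"12345678901234567890"
DEMO_USER = {
    "salt": DEMO_SALT,
    "password_hash": hash_password("correct horse battery staple", DEMO_SALT),
    "totp_secret": DEMO_TOTP_SECRET,
}


def verify_two_factor(user: dict, password: str, code: str, at_time=None, window: int = 1) -> bool:
    """Accept only if BOTH factors check out. The TOTP check tolerates
    +/- `window` steps of clock drift. Both factors are always evaluated and
    compared in constant time, so the response does not reveal which one failed."""
    if at_time is None:
        at_time = time.time()
    code = code.strip()
    if not code.isascii():
        return False  # compare_digest only accepts ASCII str; a real token code is digits
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"])
    step_now = int(at_time // TOTP_STEP)
    code_ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(user["totp_secret"], step_now + delta)
        code_ok = hmac.compare_digest(candidate, code) or code_ok
    return password_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    current_code = totp(DEMO_TOTP_SECRET, now)  # what the user's token would display
    print("password + valid code:", verify_two_factor(DEMO_USER, "correct horse battery staple", current_code, now))
    print("password + wrong code:", verify_two_factor(DEMO_USER, "correct horse battery staple", "000000", now))
```

The check deliberately does not short-circuit after a bad password: if it did, an attacker could tell from the response time which of the two factors was wrong and attack them one at a time, which defeats the point of requiring both.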

Social engineering countermeasures part 2

Training: Periodic training sessions must be conducted to increase awareness of social engineering. An effective training program must cover security policies and techniques for improving awareness.
Operational Guidelines: Confidential information must always be protected from misuse. Measures must be taken to prevent the misuse of sensitive data, and unauthorized users must not be given access to these resources.
Classification of Information: Information has to be categorized by sensitivity as top secret, proprietary, for internal use only, for public use, etc.
Access Privileges: Access privileges must be defined for groups such as administrators, users, and guests with proper authorization. They govern reading, writing, and accessing files, directories, computers, and peripheral devices.
Proper Incident Response System: There should be proper guidelines for reacting to a social engineering attempt.

Data security threats over a network

1. Data interruption: an unauthorized user blocks or destroys data in transit, for example by cutting a link or flooding a host, so the transmitted data does not reach the intended recipient. This is an attack on availability.
2. Data modification: an unauthorized user intercepts the transmitted data, alters it, and then retransmits the modified data to the intended recipient. This is an attack on integrity.
3. Data fabrication: an unauthorized user transmits data using the identity of an authorized sender. This is an attack on authenticity.
4. Data interception: an unauthorized user captures the transmission, so that the unauthorized user, in addition to the intended recipient, can read the transmitted data. This is an attack on confidentiality.
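An added example, not part of the ECSS material, showing which of the four threats a receiver can detect when every message carries a sequence number and an HMAC-SHA256 tag under a shared key. The keys, the messages, and the attacker's actions are all constructed for the demo.

```python
"""Authenticated, sequenced message channel. Added example: shows which of
the four threats above a receiver can detect when every message carries a
sequence number and an HMAC-SHA256 tag under a shared key. Keys and messages
are constructed for the demo."""
import hashlib
import hmac

SHARED_KEY = b"sender-and-receiver-only"  # constructed; never seen by the attacker
ATTACKER_KEY = b"attacker-guess"           # constructed; the attacker's wrong key


def tag(key: bytes, seq: int, body: str) -> str:
    """MAC over the sequence number AND the body, so neither can be changed alone."""
    return hmac.new(key, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()


def make_message(key: bytes, seq: int, body: str) -> dict:
    return {"seq": seq, "body": body, "mac": tag(key, seq, body)}


class Receiver:
    """Verifies the MAC first, then checks the sequence number for gaps and replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0
        self.events = []  # (verdict, seq, note)

    def receive(self, msg: dict) -> str:
        if not hmac.compare_digest(tag(self.key, msg["seq"], msg["body"]), msg["mac"]):
            # Wrong tag: the body or seq was modified in transit, or the message
            # was fabricated by someone who does not hold the shared key.
            self.events.append(("REJECT", msg["seq"], "bad MAC: modified or fabricated"))
            return "reject"
        if msg["seq"] < self.expected_seq:
            self.events.append(("REJECT", msg["seq"], "replay of an old sequence number"))
            return "reject"
        if msg["seq"] > self.expected_seq:
            missing = msg["seq"] - self.expected_seq
            self.events.append(("GAP", msg["seq"], f"{missing} message(s) interrupted before this one"))
        self.expected_seq = msg["seq"] + 1
        self.events.append(("ACCEPT", msg["seq"], msg["body"]))
        return "accept"


def run_scenario() -> dict:
    """Constructed attack sequence against five messages from one sender."""
    rx = Receiver(SHARED_KEY)
    sent = [make_message(SHARED_KEY, i, f"transfer #{i}") for i in range(5)]
    verdicts = []
    # seq 0: delivered untouched
    verdicts.append(rx.receive(sent[0]))
    # seq 1: interruption - the attacker drops it; the receiver never sees it
    # seq 2: interception - the attacker keeps a copy; the receiver gets it unchanged
    intercepted_copy = dict(sent[2])
    verdicts.append(rx.receive(sent[2]))
    # seq 3: modification - body altered in transit, original MAC left in place
    modified = dict(sent[3], body="transfer #3 to attacker")
    verdicts.append(rx.receive(modified))
    # seq 4: fabrication - attacker forges seq 4 in the sender's name with a wrong key
    forged = make_message(ATTACKER_KEY, 4, "transfer #4 to attacker")
    verdicts.append(rx.receive(forged))
    return {"verdicts": verdicts, "events": rx.events, "intercepted_copy": intercepted_copy}


if __name__ == "__main__":
    for event in run_scenario()["events"]:
        print(*event)
```

Modification and fabrication are caught by the MAC, and interruption shows up as a gap in the sequence numbers (the receiver learns that seq 1 never arrived when seq 2 is accepted). Interception is the one threat this channel cannot detect: the intercepted copy is fully readable, because a MAC provides integrity and authenticity but no confidentiality; hiding the content requires encryption.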

Types of network security policy 2

1. E-mail policy: the policy should explicitly state the permitted purposes of email accounts, such as business use, personal use, or both. 2. System management policy: coordinates the processes of security administration and system administration so that each individual system and the network as a whole remain secure. 3. Incident response policy: enumerates the actions to be taken when a computer security incident occurs, in simple words, when a system is attacked.

Different forms of spam

1. Email spam 2. Instant messaging spam 3. Usenet newsgroup spam 4. Web search engine spam 5. Weblog (blog) spam 6. Mobile messaging spam

Behaviors that are vulnerable to social engineering attacks

1. The human tendency to trust is the basis of any social engineering attack. 2. Ignorance about social engineering and its effects among the workforce makes the organization an easy target. 3. Fear: social engineers threaten severe losses in case of non-compliance with their requests. 4. Moral obligation: targets are asked for help and comply out of a sense of duty. 5. Greed: social engineers lure targets into divulging information by promising something for nothing.

Social Engineering Through Impersonation on Social Networking Sites

1. Impersonation means pretending to be someone else by imitating or copying that person's behavior, actions, and identity. 2. Malicious users gather confidential information from social networking sites and create accounts in others' names. 3. Attackers can then use the collected information, including the victim's contacts and connections, to carry out other forms of social engineering attacks.

Essentials for network security

1. Physical security 2. Network security 3. Access control 4. Authentication

Computer-based social engineering

1. Pop-up windows: windows that suddenly appear while surfing the Internet and ask the user to log in or sign in, capturing the credentials that are entered. 2. Hoax letters: emails that warn the user about new viruses, Trojans, or worms that may harm the user's system, usually to trick the user into taking a harmful action. 3. Chain letters: emails offering free gifts such as money or software on the condition that the user forwards the mail to a stated number of people. 4. Instant chat messenger: gathering personal information by chatting with a selected online user to obtain details such as birth dates and maiden names (common password-reset answers). 5. Spam email: irrelevant, unwanted, and unsolicited email sent to collect financial information, social security numbers, and network information.

Basic network security procedures

1. Privilege assignment: least privilege requires that each subject be granted only the privileges needed to perform its authorized tasks. This limits the damage that can result from accidents, errors, or unauthorized use. 2. Traffic analysis: traffic analysis can be used to gather information about who is talking to whom over a public network. It yields significant information even from encrypted traffic, because addresses, timing, and volume are not hidden by encryption. 3. End-to-End Access Control: this is designed to address the new generation of complex threats. It gives users a complete view of the mechanisms that counter threats in each part of the network.

Indication of virus attack

1. Programs take longer to load. 2. The hard drive fills up even though no programs have been installed. 3. Unknown files keep appearing on the system. 4. The keyboard or the computer emits strange or beeping sounds. 5. The monitor displays strange graphics. 6. File names turn strange, often beyond recognition. 7. The hard drive becomes inaccessible when trying to boot from the floppy drive. 8. A program's size keeps changing. 9. Memory on the system appears to be in use and the system slows down.
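Symptoms 3 and 8 are exactly what a baseline-and-compare integrity check catches. The following is an added example, not part of the ECSS material: it hashes every file under a directory, then reports files that appeared, disappeared, or changed. The scenario (a file infector appending itself to app.exe and dropping an unknown file) is constructed inside a temporary directory.

```python
"""Baseline-and-compare file integrity check. Added example: detects
programs whose size or content changes and unknown files appearing."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map relative path -> (size, sha256 hex) for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            result[rel] = (os.path.getsize(path), digest.hexdigest())
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. A size or hash difference counts as 'changed';
    the hash matters because an infector can keep the size and patch bytes."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an infection."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)          # stand-in for a clean executable
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"hello")
        baseline = snapshot(root)                    # taken on a known-clean system
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"VIRUSBODY")                    # symptom 8: program size changes
        with open(os.path.join(root, "xq7.tmp"), "wb") as f:
            f.write(b"dropped")                      # symptom 3: unknown file appears
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored somewhere the malware cannot rewrite (read-only media or a separate host), otherwise an infector that also updates the baseline hides itself.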

Virus history

1981 - The first virus seen in the wild, Elk Cloner, spread between Apple II computers on floppy disks.
1983 - The first documented experimental virus (Fred Cohen's work).
1986 - The Brain virus, written by two Pakistani brothers, is considered the first virus for MS-DOS PCs. The first file-infecting virus, Virdem, was also discovered in 1986.
1987 - The Lehigh virus, the first virus to infect command.com. The IBM Christmas worm, with a replication rate of around 500,000 copies per hour, hit IBM mainframes the same year.
1988 - MacMag, the first Macintosh virus.
1989 - The AIDS trojan, well known for locking up the user's data by scrambling the user's hard drive and demanding payment, an early form of ransomware.
1990 - The first virus exchange (VX) BBS went online in Bulgaria; from then on virus authors could trade code and exchange ideas.
1991 - Tequila, the first polymorphic virus, which changed its own code in an attempt to avoid detection; it was first found in Switzerland.
1992 - The Michelangelo virus triggered the first popular worldwide alert; massive damage was expected but it did little.

Transport Layer

The layer that divides data into smaller units (segments, carried in packets) and moves them from source to destination. It makes sure that the entire message arrives without loss or modification by providing flow control and error control, and it can maintain a connection between the endpoints. Its responsibilities are port addressing, segmentation and reassembly, connection control, flow control, and error control. The major protocols are TCP and UDP. Gateways and stateful firewalls, which inspect ports and connections, operate at this layer.

Network Layer

The layer that establishes paths for data transfer through the network. Routers operate at this layer. The major protocols at this layer are IP and ICMP. Its functions are global (logical) addressing, routing of data packets, fault handling, and traffic control.

First layer(Application layer)

The layer that provides users with access to the network. It provides an interface for communication and data transfer. Its functionality typically includes identifying communication partners, determining resource availability, ensuring authentication and privacy, and synchronizing communication.

Wide area network (WAN)

A network that connects devices in geographically separated areas.

Protocol

A set of rules governing the exchange or transmission of data between devices. Because communication between computers is complex, many protocols are used, and a collection of cooperating protocols is called a protocol stack. Example: TCP/IP is the protocol stack for communicating over the Internet; browsers use TCP/IP to communicate with web servers.

Network Security

All the processes, policies, and techniques to detect and prevent unauthorized access of a network and other network resources.

TCP/IP Model

Application layer: responsible for encoding the data to be sent; it combines the functions of the application, presentation, and session layers of the OSI model. Transport layer: provides end-to-end delivery between hosts (TCP, UDP) and, with TCP, connection and session management. Internet layer: responsible for addressing and routing packets across different networks (IP, ICMP). Network interface layer: the data link and physical layers of the OSI model combined; it is the layer closest to the network hardware.

Keylogger

Is a program that records all the keystrokes that are typed on the computer keyboard without the knowledge of the user.

Social Engineering

Is the art of convincing people to reveal confidential information

Advantages of network

1. Sharing of resources 2. Data sharing 3. Internet access 4. Data security and management

Information Security in the legal sense

In the legal sense, information security refers to the legal obligations to maintain or enhance technical information security, and to the measures required by law to protect the efficiency of information and information processing and the rights and freedoms that depend on them.

Sniffing

The process of reading packets that are being transmitted on a network. Typical services that are sniffed are TELNET, FTP, and SMTP (e-mail), because they carry data and login credentials in cleartext, so anyone who can see the packets can read them.
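An added example, not part of the ECSS material, that ties the layer cards above (network interface, internet, transport, application) to sniffing: it decodes one Ethernet/IPv4/TCP frame header by header, validates the IP and TCP checksums, and then pulls the FTP USER and PASS commands straight out of the payload. The frame is constructed by the build_frame helper with invented addresses and credentials, not taken from a real capture.

```python
"""Decode one captured frame layer by layer (network interface, internet,
transport, application) and recover the cleartext FTP login from its payload.
Added example; the frame is constructed below, not a real capture."""
import socket
import struct


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum. Over data that already carries a correct
    checksum the result is 0, which is how the parser validates headers."""
    return (~_ones_complement_sum(data)) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload, seq=1, ack=1, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame with valid checksums (0x18 = PSH|ACK)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Peel the headers from the outside in, validating each layer's checksum."""
    # Network interface layer: Ethernet II header; EtherType 0x0800 = IPv4
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames handled here")
    # Internet layer: IPv4 header; IHL gives its length in 32-bit words
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto != 6:
        raise ValueError("only TCP segments handled here")
    # Transport layer: TCP header; its checksum covers a pseudo-header + segment
    seg = ip[ihl:total_len]
    sport, dport, seq, ack, off, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    data_off = (off >> 4) * 4
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(seg))
    return {
        "ip": {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
               "ttl": ip[8], "checksum_ok": checksum(ip[:ihl]) == 0},
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
                "window": window, "checksum_ok": checksum(pseudo + seg) == 0},
        # Application layer: whatever the protocol on that port put there
        "payload": seg[data_off:],
    }


def extract_ftp_login(payload: bytes) -> dict:
    """FTP (like TELNET, and SMTP without TLS) sends credentials in cleartext,
    so a sniffer on the path simply reads them out of the payload."""
    creds = {}
    for line in payload.decode("ascii", "replace").split("\r\n"):
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            creds["user"] = arg
        elif verb.upper() == "PASS":
            creds["password"] = arg
    return creds


# Constructed sample: FTP client 192.0.2.10 logging in to server 198.51.100.21.
SAMPLE_FRAME = build_frame("192.0.2.10", "198.51.100.21", 51234, 21,
                           b"USER alice\r\nPASS hunter2\r\n")

if __name__ == "__main__":
    parsed = parse_frame(SAMPLE_FRAME)
    print(parsed["ip"], parsed["tcp"])
    print("sniffed credentials:", extract_ftp_login(parsed["payload"]))
```

The checksums protect against accidental corruption only: a sniffer can read the payload without touching them, and an active attacker can recompute them after modifying a segment. The only fix for the credential exposure is to move the service to an encrypted transport (SSH/SFTP, FTPS, SMTP with TLS).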

private key encryption

The sender encrypts the message with the key and sends the encrypted message to the receiver; the same single key is used for both encryption and decryption, so it must be shared between the parties in advance over a secure channel. This is also called symmetric encryption.

Social engineering third-party authorization technique

The attacker claims to be an authorized agent acting on behalf of some authority figure and uses that claimed authority to obtain information.

