INF 140 Introduction to Cyber Security PDF
Summary
This document is a set of practice questions and quizzes for an Introduction to Cyber Security course. It covers topics including cryptography (symmetric and asymmetric), user authentication, and network security, and is organized by modules and specific chapters. The document emphasizes important concepts in cybersecurity.
INF 140 - Introduction to Cyber Security

Document structure: I have gone through the quizzes (answers marked in red) and am working on previous exams (answers marked in orange). Supplemented with lecture notes, parts of the book and chat. No answer key has been published for the exams :/, so there chat is the source :).

Painsum
Module 1 - overview; Quiz 1; Ch. 1.1-1.2, 1.8
Module 2 - cryptographic tools - symmetric primitives; Quiz 2; Ch. 2.1, 2.2, 20.1 (pp. 628-630), 20.3, 20.5
Module 3 - cryptographic tools - public key crypto; Quiz 3; Ch. 2.3, 2.4, 21.4 (pp. 669-672), 21.5 (pp. 675-678)
Module 4 - user authentication; Quiz 4; Ch. 3.1-3.4
Module 5 - access control and auditing; Quiz 5; Ch. 4.1-4.6
Module 6 - network protocols and attacks; Quiz 6
Module 7 - firewalls; Quiz 7; Ch. 9.1-9.3
Module 8 - security protocol - application security and TLS; Ch. 22.3, 22.4
Module 9 - network authentication and WLAN security
Module 10 - intrusion detection system (IDS); Ch. 8.1-8.6
Module 11 - malware; Ch. 6

Quiz 1 - Overview Cybersecurity

Q1. Cybersecurity deals with the protection of five important security attributes, which cover different aspects of assets in the cyberspace. Which of the following refers to the property of being genuine, and being able to be verified and trusted? (Security properties/ attributes (CIA Triad))

Q2. A security attack refers to the action of certain security threat. refers to that an entity deceives another by falsely denying responsibility for an act? (Threat consequences and the types of threat actions that cause each consequences)

Q3. In order to achieve and maintain sound security, organisations should follow several fundamental security design principles. For instance, as advised by the U. S.
Department of Homeland Security, the following principles should be followed: Open design, Separation of privilege, Least privilege, Psychological acceptability, Layering, Isolation, Modularity, etc. refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems. By using multiple, overlapping protection approaches, the failure or circumvention of any individual protection approach will not leave the system unprotected.
Layering

Q4. is a general term for individual, group, organization, or government that conducts or has the intent to conduct detrimental activities against security attributes of assets in a computer system. (Computer security terminology)

Q5. refers to techniques that have as their objective the impairment of the operational effectiveness of undesirable or adversarial activity, or the prevention of espionage, sabotage, theft, or unauthorized access to or use of sensitive information or information systems. (Computer security terminology)

Q6. refers to a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (Computer security terminology)

Q7. Which of the following threat actions lead to unauthorized disclosure, which is a circumstance or event whereby an entity gains access to data for which the entity is not authorized? (Threat consequences and the types of threat actions that cause each consequences)

Q8. Which of the following threat actions lead to deception, which is a circumstance or event that may result in an authorized entity receiving false data and believing it to be true? (Threat consequences and the types of threat actions that cause each consequences)

Q9. Which of the following threat actions lead to disruption, which is a circumstance or event that interrupts or prevents the correct operation of system services and function.
(Threat consequences and the types of threat actions that cause each consequences)

Q10. Which of the following threat actions lead to usurpation, which is a circumstance or event that results in control of system services or functions by an unauthorised entity? (Threat consequences and the types of threat actions that cause each consequences)

Quiz 2 - Symmetric Crypto

Q1. Suppose in a stream cipher, the key stream is an 8-bit string 01010011. Then a binary string 00110110 operated by this key stream gives ciphertext (Classification of symmetric ciphers)

Q2. Suppose the Playfair cipher uses the following encryption matrix from the keyword CRYPTO: What is the ciphertext for the plaintext SECURITY? (Playfair cipher)

Q3. Suppose the Vigenere cipher uses a key CRYPTO. What is the ciphertext for CYBERSECURITY? (Vigenere cipher)

Q4. What is the ciphertext of the following plaintext "the railfence cipher is a very easy cipher to break" under the rail fence cipher with key depth 3? (The space is removed in the plaintext.) (Rail fence cipher)

Q5. The Enigma machine is a cipher device developed and used in the early- to mid-20th century to protect commercial, diplomatic, and military communication. The Enigma machine has many attractive features. A remarkable one is that it enables probabilistic encryption: same letters are encrypted to different letters under a same setting (regarded as a key). Open this Enigma simulator, set the machine as follows:
- 3 rotors with UKW-B, rotors I, II, III
- ring setting: I, N, F
- initial position: A, A, A
- wired connection: A-Q, E-S
With this setting, what is the ciphertext of EEEEE EEEEE? (Enigma machine)

Q6. Modern block ciphers typically iterate an insufficiently strong round function several times to strengthen the security of the design. For instance, the Advanced Encryption Standard (AES) iterates on the operations of
1. SubBytes
2. ShiftRows
3. MixColumns
4. AddRoundKey
The SubBytes component works as a substitution cipher according to a look-up 8x8 Sbox.
According to the Sbox (click here), what is the corresponding encrypted hexadecimal for the hexadecimal c6? (Rijndael S-box)

Q7. In order to sufficiently protect data confidentiality with block ciphers, it is important to use a correct mode of operation. Otherwise, even with AES-256, we may not be able to achieve sound security. There are different modes of operation, which enable probabilistic encryption (namely, same plaintext blocks will be encrypted to different ciphertext blocks even with a same encryption/cipher key). Which of the following does not enable probabilistic encryption?
1) Cipher Block Chain (CBC)
2) Output Feedback (OFB)
3) Cipher Feedback (CFB)
4) Counter Mode (CTR)
5) Electronic Codebook (ECB)
(Electronic Codebook (ECB))

Q8. Which of the following statements on symmetric ciphers, cryptographic Hash functions and MAC is wrong?
1) Sender and receiver need to use a pre-shared key for using symmetric ciphers and MAC
2) When a cryptographic Hash function is used in combination with a block cipher, the hash output should be double the length of the cipher's secret to achieve the same security level
3) MAC algorithms should be reversible since the receiver needs to verify the integrity of received data
4) Secure design of symmetric ciphers, Hash functions and MAC should have the "avalanche effect"
(MAC algorithms)

Q9. The only difference between a block cipher and a MAC algorithm is that the data input for a block cipher should have a fixed-length data block as its input. (MAC algorithms)

Quiz 3 - Asymmetric Crypto

Q1. Which of the following statements about public-key cryptography (PKC) are correct?
- PKC schemes are more secure than symmetric cryptographic schemes since PKC use longer keys
- PKC schemes can totally replace symmetric cryptographic schemes in practice
- PKC makes the key sharing more convenient than symmetric cryptography
- PKC enables non-repudiation which cannot be offered by symmetric cryptography
(Public-key cryptography (PKC))

Q2.
Public cryptographic schemes rely on one-way functions. True or false? (Public-key cryptography (PKC))

Q3. The security of the RSA cryptosystem relies on the hardness of integer factorization. True or false? (RSA)

Q4. In the RSA cryptosystem, the public key e should be coprime to n=p*q. (RSA)

Q5. Suppose an RSA cryptosystem has the following setting:
- public key: (n=p*q, e) = (2491, 5)
- private key: (p, q, d) = (47, 53, 957)
- the message of user A is encoded as m = 45
What is the ciphertext of the message m? (RSA)

Q6. Suppose Alice generates the following parameters to carry out digital signature:
- public key: (n=p*q, e) = (2491, 5)
- private key: (p, q, d) = (47, 53, 957)
Alice signs a message m = 2318 with her private key and obtains the signature s. Alice sends m||s to Bob, and Bob will verify the signature s. Which of the following is a valid signature for Alice's message m? (RSA)

Q7. Alice and Bob plan to use the DH scheme to exchange a secret key, and they proceed with the following steps:
1. They agree on the global parameters p = 499, generator g = 7
2. Alice generates her private key prikey1 = 36 and sends Bob her public key pubkey1 = g^prikey1 mod p = 440
3. Bob generates his private key prikey2 = 276 and sends Alice his public key pubkey2 = g^prikey2 mod p = 351
4. Alice and Bob both calculate the shared key pubkey2^prikey1 mod p, pubkey1^prikey2 mod p, respectively
What is the shared key between Alice and Bob in the above process? (Diffie-Hellman Scheme (DH))

Q8. A secure key sharing with public key cryptography relies on the authenticity of the sender's public key. True or False? (Public-key cryptography (PKC))

Q9. Digital signature scheme provides authenticity, integrity and authenticity. Therefore it should replace MAC scheme in practice. (Digital signatures)

Q10. In digital signature, it is acceptable to use MD5 since it's faster than many schemes in the SHA family. (Digital signatures)

Quiz 4 - User Authentication

Q1.
Nowadays multi-factor authentication is a common practice of user authentication. This practice follows the principle of multi-layer protection. In general it is more secure than single-factor authentication practice. Is this statement true? (Multi Factor authentication)

Q2. Martin works in a consultant company. Each day he needs to use his employee card and input his PIN code in order to enter the building where he works. Which of the following factors are deployed in this example for user authentication?
1) what a user knows
2) what a user is
3) what a user has
4) what a user does
(User Authentication)

Q3. Olav, a developer, will use the common practice: userID, salt, Hash(salt, password) to store users' passwords in a system. Suppose he made a careless mistake: restricting users' passwords to be composed of 8 digits. Unfortunately this mistake was detected by a determined attacker, Christoff, who has already gotten the password file in the system. Christoff has the following password entry in the file:
$6$9VC0m3IIUvTpG7Y6$yKEKJPF6/H3ZPnDC6pmfDb02FMlkpat5JgEPGWIZglL4.VIckM.vz.f6hIuENVzLAH9FdewSzRksEG.7ZNBh10
He knows that hashcat is a handy tool to crack passwords. By the pattern of the user's password: 8 digits, he manages to find the user's password with hashcat. Which of the following is the unlucky user's password? (Hashcat)

Q4. The following password entry was generated by Windows LAN Manager (LM) and NTLM where the character set is composed of all lower-case and upper-case English letters:
Tobias::43F40EDFD0B04FB2AAD3B435B51404EE:4126D649453FF99E83177A4ACEF3B74A:::
Which of the following is Tobias's password? (Hash logarithm)

Q5. In common password storage: userID, salt, Hash(salt, pwd), the salt is used to increase the difficulty of a brute-force attack on the user's pwd in case the hashed password falls into the wrong hands. (Hash functions)

Q6. The common practice of password storage in today's computer systems uses salted hash for storing user's password.
The extra salt in such practices increases the difficulty of dictionary attack. (Hash functions)

Q7. In biometric authentication, refers to the situation that samples from the same source are erroneously assessed to be from different sources.
1) true match
2) false nonmatch
3) true nonmatch
4) false match
(Biometric authentication)

Q8. Biometric information can be used for both user authentication and forensics. For a high level of security, the system design should choose a low false nonmatch rate, while forensic applications should choose a low false match rate. (Biometric authentication)

Quiz 5 - Access Control

Q1. The control of accessing resources in a computer system is achieved by different access control models. Which of the following statements are correct?
- ABAC controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
- One computer system can only adopt one access control model
- DAC controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do
- RBAC controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
- MAC controls access based on comparing security labels, indicating how critical resources are, with security clearances, indicating system entities are eligible to access certain resources
(Access Control)

Q2. An administrator needs to grant users access to different servers based on their job functions. Which Access Control model is the BEST choice to use? (Access Control)

Q3. Below is the output of the command ls -l /sbin in a Linux system. Which of the following is incorrect?
lrwxrwxrwx 1 root root 8 Sep 4 2022 /sbin -> usr/sbin
1) The file permission indicates that it belongs to a root user
2) The numeric value for this file is 777
3) The file sbin is actually a link, directing to the folder /usr/sbin
4) Normal user has no permission to run the command: cd /sbin
(Linux system)

Q4. In a computer system a/an ["subject", "access right", "object", "asset"] is an entity capable of accessing a resource, termed a/an ["entity", "subject", "access right", "object"], based on an access control list. (Access Control)

Q5. What is the numerical representation of the permission drwxr-xr-x of a directory? (drwxr-xr-x)

Q6. In Linux, umask is a command that determines the settings of a mask that controls how file permissions are set for newly created files. By default the umask value for a directory is 022, which results in default directory permissions of 755 and default file permissions of 644. Basically, in the 9 bits of access right (read, write, execute), they follow the bitwise arithmetic below:
- directory: for each bit of permissions, the permission bit = 1 - the umask bit
- file: for each bit of read and write permissions, the permission bit = 1 - the umask bit; the permission bit for execute is 0
Suppose for a directory, we want to control all permissions for newly created directories as rwxrwxr--. What value should we set the umask? (drwxr-xr-x)

Q7. Which of the following statements about RBAC are correct?
- assign access rights to roles instead of individual users
- RBAC models define a role as a job function within an organization
- RBAC is based on the roles that users assume in a system rather than the user's identity
- RBAC uses one access matrix to define access rights
(Access Control)

Q8. Which of the following statements about ABAC are correct?
- The strength of the ABAC approach is its flexibility
- ABAC has many advantages over other access control models.
In many computer systems, currently existing AC models should be replaced with the ABAC model
- define authorizations that express conditions on properties of both the resource and the subject
- ABAC relies upon the evaluation of attributes of the subject, attributes of the object, and access control rules
(Access Control)

Q9. For confidentiality, most MAC models enforce the principle of no write up and no read down. (Access Control)

Quiz 6 - Network protocols and attacks

Q1. List the layers of the TCP/IP model from top to down: (Core protocols)

Q2. is used to assign an IP address to a new device in a network. (Core protocols)

Q3. is used to get the physical MAC address of a device associated to an IP address in a network. (Core protocols)

Q4. In the decapsulation process of the TCP/IP model, which of the following identifiers is used at the transport layer to find the correct application? (Core protocols)

Q5. xxx is a network protocol used for the transfer of files from one host to another over a TCP-based network. (Core protocols)

Q6. Xxx is a standardized protocol for servers to send and receive mail messages. (Core protocols)

Q7. Xxx is a network protocol to enable secure system administration and file transfers over insecure networks. (Core protocols)

Q8. A denial of service (DoS) refers to actions that xxx the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), xxx, xxx, and disk space. (Protocol-based network attacks)

Q9. Xxx attack targets the table of TCP connections on the server. (Protocol-based network attacks)

Q10. Xxx sends packets to a known service on the intermediary with a spoofed source address of the actual target system. (Protocol-based network attacks)

Quiz 7 - Firewalls

Q1. Suppose a firewall is set at a device with IP address 4.4.4.47 and the default rule is ACCEPT. Suppose the admin has a goal to block SSH requests from all other machines. Create a rule to achieve this goal below.
**Choose one for each**
Source IP addr: [2.2.2.99], [any], [3,3,3,*], [4.4.4.0/24]
Source Port: , [any], ,
Destination IP addr: [4.4.4.0/24], [any], [2.2.2.0/24], [4.4.4.47]
Destination port: ,, [any],
Protocol: [TCP], [any], [ICMP], [IP]
Action: [any], [drop], [allow], [rermit]
(Firewalls)

Q2. iptables is a command-line firewall utility in Linux. For the rule in the above question, which of the following commands can realize it in a Linux system?
1) sudo iptables -A INPUT -d 4.4.4.47 -p tcp --dport 22 -j DROP
2) sudo iptables -A INPUT -s 4.4.4.47 -p tcp --dport 22 -j DROP
3) sudo iptables -A INPUT -s 4.4.4.0/24 -p tcp -j DROP
4) sudo iptables -A OUTPUT -d 4.4.4.47 -p tcp --dport 22 -j DROP
(Firewalls)

Q3. Suppose the admin wants to know the existing firewall rules for incoming traffic towards the device 4.4.4.47. What is the corresponding iptables command for this purpose? (Firewalls)

Q4. Another firewall is placed at Router C to protect an internal network 1.1.0.0/16 from the other networks. Suppose a website is maintained at address 1.1.15.0/24 and the admin has a goal to only allow traffic associated with HTTPS. Fill in the following blanks to achieve this goal below (Firewalls)
Source IP addr | Source Port | Destination IP addr | Destination Port | Protocol | Action
Any Any Any Any

Q5. Which of the following are limitations of packet filtering firewalls?
1) They are susceptible to security breaches caused by improper configurations.
2) They usually do not support advanced user authentication schemes
3) They cannot prevent attacks that employ application-specific vulnerabilities or functions.
4) They are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack
5) They introduce significant processing overhead on each sliced connection
(Firewalls)

MA4 - quiz

Q1. Suppose a device connects to a local area network and gets the following information.
- IP address: 192.168.3.14
- DNS address: 192.168.4.2
- Subnet mask: 255.255.255.0
The common broadcast IP address for this network is _____ (Firewalls)

Q2. ____ is a type of attack in which a malicious actor sends falsified address resolution messages over a local area network, which leads to the linking of a MAC address of an attacking machine with a legitimate server's IP address. (Protocol-based network attacks)

Q3. Which of the following statements about DNS spoofing are correct?
- it is a process of poisoning DNS responses to redirect a targeted user to a wrong IP address.
- it can cause Man-in-the-middle attack
- it can cause DoS attack
- it can lead a target user to phishing websites.
(Protocol-based network attacks)

Q4. Which of the following attacks spoof the source address of IP packets sent by the attacker?
- reflection attack
- amplification attack
- TCP SYN flood attack
- DNS spoofing
(Protocol-based network attacks)

Q5. In Kali Linux, different tools can retrieve the relevant IP address of a domain. Use the dig command on the domain Bergens Tidende. Which of the following IP addresses do you see in the ANSWER SECTION?
- 104.18.33.55
- 104.18.33.53
- 172.64.154.201
- 172.64.154.101
(Core protocols)

Q6. In Kali Linux, the nmap tool is used to scan ports of a domain. Which of the following ports are open in the domain www.uib.no?
- 80/tcp
- 443/udp
- 21/tcp
- 443/tcp
(Core protocols)

Q7. Ping is known as a diagnostic tool to test network connections. It sends out a number of ICMP requests within IP packets, for which the number of total ICMP requests and the time between sending each packet can be customized. Suppose Maria wants to use ping to send out in total 10 ICMP requests to www.uib.no with 6 seconds between sending each packet. How to achieve this goal with the ping command? (Core protocols)

Exam h2020

Part 1. Multiple-choice questions (with single correct alternative)
Security awareness, terminologies, attacks and controls (Sections 1-3)

1.
Unexpectedly, you get an email from a colleague who requests you to urgently click on an email link which they have sent you. What is the safest option?
A. The link is from a known person therefore it's safe to open.
B. If the link was malicious the organisation's firewall would have flagged or blocked it, therefore it's safe to open.
C. Reply to the sender to double-check if the link is safe to open as they might have sent it accidentally.
D. Do not click the link. Phone the sender for verification.
(Module 1: Overview)

2. Who are the targets of modern day hackers?
A. Banks and finance companies who process a lot of payments.
B. Any organisation or individual is liable to be the victim of hackers.
C. Companies which hold a lot of proprietary information.
D. Companies which hold credit card numbers of customers.
(Module 1: Overview)

3. According to the CIA Triad, which of the below-mentioned elements is not considered in the triad?
A. Confidentiality
B. Integrity
C. Authenticity
D. Availability
(Security properties/ attributes (CIA Triad))

4. Why are the elements confidentiality, integrity, authentication, authorization and availability considered fundamental?
A. They help understanding hacking better
B. They help understanding threats better
C. They help to understand security and its components better
D. They help to understand the cyber-crime better
(Security properties/ attributes (CIA Triad))

5. The integrity of data is not related to which of the following?
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities
(Security properties/ attributes (CIA Triad))

6. Existence of weakness in a system or network is called
A. Threat
B. Vulnerability
C. Exploit
D. Attack
(Computer security terminology)

7. Suicide Hackers are those ___
A.
who break a system for some specific purpose with or without keeping in mind that they may suffer long term imprisonment due to their malicious activity
B. individuals with no knowledge of codes but an expert in using hacking tools
C. who know the consequences of their hacking activities and hence try to prevent them by erasing their digital footprints
D. who are employed in an organization to do malicious activities on other firms
(Hackers)

8. The full form of Malware is ___
A. Malfunctioned Software
B. Multipurpose Software
C. Malicious Software
D. None of above
(Module 11 - Malware)

9. Trojans normally do not do one of the following. What is that?
A. Deleting Data
B. Protecting Data
C. Modifying Data
D. Copying Data
(Module 11 - Malware)

10. A ___ is a method in which a computer security mechanism is bypassed untraceably for accessing the computer or its information.
A. front-door
B. backdoor
C. clickjacking
D. key-logging
(Other Malware)

11. Backdoors cannot be designed as ___
A. the hidden part of a program
B. as a part of Trojans
C. embedded code of the firmware
D. embedded with anti-malware
(Other Malware)

12. The intent of a ___ is to overkill the targeted server's bandwidth and other resources of the target website.
A. Phishing attack
B. DoS attack
C. Website attack
D. MiTM attack
(Protocol-based network attacks)

13. A DoS attack coming from a large number of IP addresses, making it hard to manually filter or crash the traffic from such sources is known as a ___
A. GoS attack
B. PDoS attack
C. DoS attack
D. DDoS attack
(Protocol-based network attacks)

14. Which of the following is a type of transport layer DoS?
A. HTTP flooding
B. Ping flooding
C. TCP flooding
D. DNS query flooding
(Protocol-based network attacks)

15. ___ is a naming system given to different computers which adapt to human-readable domain names.
A. HTTP
B. DNS
C. WWW
D. ISP
(Core protocols)

16.
____ is a means of storing & transmitting information in a specific format so that only those for whom it is planned can understand or process it.
A. Malware Analysis
B. Cryptography
C. Reverse engineering
D. Exploit writing
(CISSP Domains)

17. ___ are difficult to identify as they keep on changing their type and signature.
A. Non-resident virus
B. Boot Sector Virus
C. Polymorphic Virus
D. Multipartite Virus
(Virus classification)

18. A ___ is a small malicious program that runs hidden in a legitimate like software.
A. Virus
B. Trojan
C. Shareware
D. Adware
(Malware)

19. ___ is not an attack technique where numerous TCP segments are spoofed with a bogus source address which is then sent to a server.
A. SYN flooding attack
B. ACK flooding attack
C. Fin flooding attack
D. Ping flooding attack
(Protocol-based network attacks)

20. Which of the protocols is not used at the network layer of the TCP/IP model?
A. ICMP
B. IP
C. IGMP
D. HTTP
(Core protocols)

Part 2. Multiple-response questions with multiple correct alternatives
Security attacks and controls (Section 4)

1. Which of the following characteristics are provided by RADIUS?
A. accountability
B. authorization
C. availability
D. authentication
E. aggregation
F. anti-malware
(RADIUS)

2. Which statements about public-key certificates are correct?
A. it is used to authenticate an entity in a network
B. it is widely used because public-key ciphers are more secure than symmetric ciphers
C. it is widely used because it makes key distribution more easily in the Internet
D. it is used to prevent man-in-the-middle attack in a network
(Public key certificates)

3. Which of the following firewalls act both client and server roles in controlling network traffic?
A. packet filtering firewalls
B. stateful packet inspection firewalls
C. application-proxy firewalls
D. circuit-proxy firewalls
(Firewalls)

4. Suppose a user's password is hashed with SHA256 and the hash is then stored in a system.
In practice, which of the following will significantly reduce the quality of the hash and may lead to a successful password cracking?
A. the user's password consists of only 20 lower-case letters
B. upper-case letters in the user's password are converted to lower case letters before the password is hashed
C. SHA256 is replaced with a fast hash function with 64-bit digest
D. the user's password has length < 8
E. a dynamically varying salt is added to the calculation of the password hash
F. the user's password is a combination of lower-case letters, upper case letters, digits, punctuations and its length is 6
(Hash functions)

5. Which of the following are types of preventative security control?
A. user authentication
B. data encryption
C. data backup
D. firewall
E. intrusion detection system
F. anti-malware system
G. least-privilege access control
(Computer security terminology)

6. Which of the following are common features of a computer virus and a trojan horse?
A. residing in a software
B. replicating itself in the infected system and network
C. exploiting system flaws and vulnerabilities in a system
D. running itself when a certain condition is triggered
E. sending message to a remote controller
(Malware)

7. Which of the following are security controls of user authentication?
A. a person uses a room card to open a hotel room
B. a person provides user name and password when login to a website
C. a person enters the letters from the image of I am not a robot in a login page
D. a person opens his/her mobile phone with fingerprint
E. a user in a system is prompted Permission Denied when he/she opens a file in the system
(User Authentication)

8. Which of the following belong to the social engineering attack?
A. an attacker uses a telephone system to gain access to private personal and financial information from the public
B. an attacker sends an e-mail that appears to come from a legitimate business requesting verification of information
C.
an attacker pretends to be another person with the goal of gaining access physically to a system or building
D. an attacker sends highly customized emails to few end users to obtain their private information
E. an attacker sends an advertisement to a large number of recipients
F. an attacker inserts a virus-infected USB stick to a file system
(Malware)

9. Which of the following processes use an access control list?
A. a student logins mittuib with his/her student credentials
B. a student downloads some lecture slides at mittuib
C. a student checks his/her grade for a course at mittuib
D. a student wants to see a student fellow's grade at mittuib but is rejected
E. a lecturer uploads lecture notes for his/her course at mittuib
(Access Control)

10. Which of the following security controls are based on cryptographic primitives?
A. accountability
B. authorization
C. authentication
D. availability
(Security attributes by cryptography)

Part 3. Text-entry Questions
Access Controls and Network Security (Section 5)

Question 1 (5pt).
In a computer system, access is the flow of information between two entities. A/An ____ is an active entity that requests access to a/an ____. A/An ___ is a passive entity that contains information or needed functionality. Access control is a broad term that covers several different types of mechanisms that enforce access control features on computer systems, networks, and information. When a user wants to access a system, progressively, there will be four security controls in the system: ____, ___, ____ and ___. An access control mechanism dictates how subjects access objects. There are different access models. A system that uses _____ enables the owner of the resource to specify which subjects can access specific resources. In ______, users do not have the discretion of determining who can access objects. Instead, this model greatly reduces the amount of rights, permissions, and functionality a user has for security purposes.

Question 2 (5pt).
The Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of protocols that governs the way data travels from one device to another. Different from the Open Systems Interconnection (OSI) model, the TCP/IP model has five layers, which from bottom to top are _____, _____, _____ and _____. Cryptography plays a critical role in secure communications. In the TLS/SSL protocol suite, both RSA and Diffie-Hellman are used for key exchange between the client and the server. Suppose the client and the server choose Diffie-Hellman for key exchange. The public parameter is set as p = 1013 with generator 2. Assume the client generates a private key Kc = 13 and the server generates a private key Ks = 11. Then the client's public key is _______ and the server's public key is _____. After they exchange these public keys, they share a secret information: ____. If the shared secret information, with ASCII encoding, is taken as the input for MD5 to generate a 128-bit encryption key for AES, then the encryption key in hexadecimal form is ______

Part 4. Text-type Questions

Question 1 (10 pt).
Given the following topology of a network
Assume the firewall is on node 3, i.e. the router connecting the two subnets together. Nodes 1 and 2 are inside and nodes 4 and 5 are outside. Try to write rules as general as possible. (Although there are only two nodes outside, try to write rules such that the policy is achieved even if there were more than two nodes outside.)
Write packet filtering rules for the following goals with default policy as ACCEPT:
(a) Rule 1 that blocks ping (icmp) packets being forwarded between the two subnets
(b) Rule 2 that blocks ping packets coming into the firewall
(c) Rule 3 that blocks ping packets coming out of the firewall
(d) Rule 4 that prevents Node 1 from SSHing to any outside nodes
Change the default policy to DROP and write packet filtering rules for the following goals:
Rule 5: inside hosts can access outside websites

Question 2 (10 pt).
(a) Explain the difference between a worm and virus. (b) Explain the difference between a normal virus, a metamorphic virus and a polymorphic virus. (c) Which of the three types of virus (normal, metamorphic, polymorphic) is hardest to detect by anti-virus software? (d) Describe an example of a phishing attack. (e) List at least three techniques with respect to anti-virus software, and explain one of them in more details. Explanation/answers/syllabus Module 1: Overview Cybersecurity is the protection of cyberspace (consisting of computer systems and networks) from the theft of or damage to their hardware, software or electronic data, as well as from the disruption or misdirection of the services they provide. U.S NIST: protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (CIA Triad/ Attributes). Security properties/ attributes (CIA Triad) Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. Integrity: guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. Availability: ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. … two more attributes Authenticity: the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source. 
Accountability: the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Security attacks
**A and B are communicating over the internet or other common facilities, and C is an attacker**

1. Passive attack: makes use of information, but does not affect system resources. Passive attacks are very hard to detect, but easier to prevent. Examples: release of message contents, traffic analysis.
- Release of message contents: unauthorized disclosure breaches confidentiality. A and B are talking, and C is reading the contents of the message.
- Traffic analysis: unauthorized disclosure breaches. C is observing the pattern of messages from A to B.

2. Active attack: alters system resources or operation. Relatively hard to prevent, but easier to detect. Examples: masquerade, replay, modification, denial of service.
- Masquerade attack: a message from C that appears to be from B.
- Replay attack: B sends something to A. C captures the message from B to A and later replays the message to A. A trusts the message but believes the second message.
- Modification attack: C modifies a message from B to A.
- Denial of service: attack on availability. C disrupts the service provided by the server.

Threat consequences and the types of threat actions that cause each consequence

How to achieve security?
Types of security controls:
1. Administrative:
- Personnel (awareness) training
- Law/regulation/policy enforcement
2. Physical
- Fence, locked gates/doors/rooms
- Security guard
- Physically secured computers and communication channels.
3. Technical (our focus)
- Cryptography: encryption, hash, digital signature, MAC
- Security protocols: SSL/TLS, SSH, VPN, Tor
- System mechanism: firewall, access control, IDS/IPS, anti-malware, software

Hackers
In the context of hackers, various categories are recognized based on their motives, methods, and goals. Here are the main types:
1. White Hat Hackers: These are ethical hackers who use their skills to improve system security.
They often work with organizations to find and fix vulnerabilities before malicious hackers can exploit them. They may be employed by companies or work as independent security consultants. 2. Black Hat Hackers: These hackers are typically malicious and break into systems for illegal purposes, such as stealing data, causing harm, or disrupting services. They are often driven by personal gain, political motives, or just the challenge of breaking into secure systems. 3. Gray Hat Hackers: These individuals fall somewhere between white and black hat hackers. They might find vulnerabilities in systems without permission, but instead of exploiting them, they might report the findings to the organization—sometimes for a fee or recognition. They may also unintentionally break the law while trying to help. 4. Hacktivists: Hackers with political or social motives. Their goal is often to promote their beliefs by disrupting services, exposing sensitive information, or bringing attention to a cause. These hackers might target government websites, corporations, or other organizations they see as harmful to their cause. 5. Script Kiddies: These are individuals with limited knowledge of hacking techniques who use pre-written tools or scripts to carry out attacks. They often lack the deep technical skills of more advanced hackers but still pose a significant risk due to their use of readily available tools. 6. Suicide Hackers: These are hackers who knowingly engage in illegal activities, fully aware of the severe consequences, such as long-term imprisonment. They may be driven by personal vendettas, political motives, or other causes. 7. Cybercriminals: These hackers are motivated by financial gain. They might engage in activities such as identity theft, stealing credit card information, or conducting ransomware attacks to extort money from individuals or organizations. 8. 
Insider Threats: These are individuals within an organization who exploit their access to systems for malicious purposes. They might steal data, sabotage operations, or leak sensitive information to outsiders.

Computer security terminology
General categories of vulnerabilities of a computer system or network asset:
- Corrupted: the system does the wrong thing or gives wrong answers.
- Leaky: someone who should not have access to some or all the information available through the network obtains such access.
- Unavailable: using the system or network becomes impossible or impractical.

Security control functions
1. Preventive control (firewalls, IPS, antivirus)
2. Detective (IDS, honeypots)
3. Corrective (patching, system reboot, quarantine a virus)
4. Deterrent (mostly physical)
5. Recovery (OS and data restore from backups)

Security
Security is a general term that covers several attributes of assets.

Privacy
Privacy is a relatively vague term for individuals: the control of what kind of information is disclosed to whom/which entity and to what extent. It is about controlling rather than hiding personal information.

Assets
Assets refer to entities in the internet-connected information system, so-called cyberspace, which includes hardware, operating systems, software, data/information, processes, etc.

CISSP Domains
Access control: A collection of mechanisms that work together to create a security architecture to protect the assets of the information system. In access control we look at identification, authentication, authorization and accountability.
Application development security: Addresses the important security concepts that apply to application software development. It outlines the environment where software is designed and developed and explains the critical role software plays in providing information system security.
Business continuity and disaster recovery planning: For the preservation and recovery of business operations in the event of outages.
Cryptography: The principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity.
Information security governance and risk management: The identification of an organization’s information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines. Management tools such as data classification and risk assessment/analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented.
Legal, regulations, investigations and compliance: Computer crime laws and regulations. The measures and technologies used to investigate computer crime incidents.
Operations security: Used to identify the controls over hardware, media, and the operators and administrators with access privileges to any of these resources. Audit and monitoring are the mechanisms, tools, and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process.
Physical (environmental) security: Provides protection techniques for the entire facility, from the outside perimeter to the inside office space, including all of the information system resources.
Security architecture and design: Contains the concepts, principles, structures, and standards used to design, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of availability, integrity, and confidentiality.
Telecommunications and network security: Covers network structures; transmission methods; transport formats; security measures used to provide availability, integrity, and confidentiality; and authentication for transmissions over private and public communications networks and media.

ANSWER TO QUESTION Q1: Authenticity
ANSWER TO Q2: Repudiation
ANSWER FROM Q4: Adversary
ANSWER FROM Q5: Countermeasures
ANSWER FROM Q6: Vulnerability
ANSWER TO Q7: Inference, interception, intrusion and exposure
ANSWER TO Q8: Masquerade, falsification and repudiation
ANSWER TO Q9: Corruption, obstruction and incapacitation.
ANSWER TO Q10: Misappropriation and misuse.
ANSWER TO H20 P1 Q1: Do not click the link. Phone the sender for verification
ANSWER TO H20 P1 Q2: any organisation or individual is liable to be the victim of hackers
ANSWER TO H20 P1 Q3: authenticity
ANSWER TO H20 P1 Q4: They help understand security and its components better. While they also help in understanding hacking (A), threats (B), and cyber-crime (D), their primary role is in shaping the understanding of security itself, making C the most accurate answer.
ANSWER TO H20 P1 Q5: The extraction of data to share with unauthorized entities. Integrity refers to the accuracy and consistency of data, ensuring that data is not altered, manipulated, or substituted without proper authorization.
ANSWER H20 P1 Q6: Vulnerability
ANSWER TO H20 P1 Q7: who break a system for some specific purpose with or without keeping in mind that they may suffer long term imprisonment due to their malicious activity
ANSWER H20 P2 Q2: The following are types of preventive security controls:
A. User authentication: It prevents unauthorized access by ensuring that only legitimate users can log into systems.
B. Data encryption: Prevents unauthorized parties from reading sensitive information by encoding data in transit or at rest.
D. Firewall: Prevents unauthorized access to or from a private network by controlling incoming and outgoing traffic.
G. Least-privilege access control: Ensures users only have the minimum access rights necessary for their job, limiting the potential damage from security breaches. The following are not preventive but rather detective or corrective controls: C. Data backup: It is corrective, as it helps in recovering data after an incident. E. Intrusion detection system (IDS): It is detective, as it monitors and alerts when unauthorized access occurs. F. Anti-malware system: Depending on its function, anti-malware can be both preventive (blocking malware) and corrective (removing malware after detection). ANSWER H20 P1 Q16: cryptography Cryptography is the practice of securing information by transforming it into an unreadable format, making it accessible only to those with the proper decryption keys. It ensures that sensitive data remains private and protected during storage or transmission. ____________________________________________________________________________ Module 2: Cryptographic Tools (quiz 2: symmetric crypto) Symmetric key crypto: key 1 is the same as key 2 Public-key crypto (asymmetric): key 1 is different from key 2 Security attributes by cryptography 1. Confidentiality: render data unintelligible to unauthorized user 2. Integrity: detect unauthorized modifications 3. Authentication: verifying the identity of entity 4. Non-repudiation: sender cannot deny sending a message Encryption for confidentiality Aim: assure confidential information not made available to unauthorised individuals (data confidentiality). How: encrypt the original data: anyone can see the encrypted data, but only authorised individuals can decrypt to see the original data. Used for both sending data across network and storing data on a computer system. 
Terminology Plaintext: original message Ciphertext: encrypted or coded message Encryption: convert from plaintext to ciphertext (enciphering) Decryption: restore the plaintext from ciphertext (deciphering) Key: information used in cipher known only to sender/receiver. Cipher: a particular algorithm (cryptographic system) Cryptography: study of algorithms used for encryption Cryptanalysis: study of techniques for decryption without knowledge of the key Cryptology: cryptography + cryptanalysis Types of Encryption 1. Symmetric Encryption: This type of encryption uses the same key for both encryption and decryption. The key must be kept secret and shared securely between the sender and recipient. ○ Examples: AES (Advanced Encryption Standard), DES (Data Encryption Standard). 2. Asymmetric Encryption: Also known as public-key cryptography, this type uses a pair of keys—a public key (known to everyone) and a private key (known only to the recipient). The public key encrypts the data, while the private key decrypts it. ○ Examples: RSA (Rivest-Shamir-Adleman), ECC (Elliptic Curve Cryptography). Cryptography Cryptographic systems are generically classified along three independent dimensions: 1. The type of operations used for transforming plaintext to ciphertext. All encryption algorithms are based on two general principles: substitution, in which each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element, and transposition, in which elements in the plaintext are rearranged. The fundamental requirement is that no information be lost (i.e., that all operations be reversible). Most systems, referred to as product systems, involve multiple stages of substitutions and transpositions. 2. The number of keys used. If both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption. 
If the sender and receiver each use a different key, the system is referred to as asymmetric, two-key, or public-key encryption.
3. The way in which the plaintext is processed. A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.

Classification of symmetric ciphers

| | Block ciphers | Stream ciphers |
|---|---|---|
| Definition | Process one block of elements at a time, producing an output block for each input block. | Process input elements continuously, producing output one element at a time, as it goes along. |
| Plaintext | Encrypt plaintext block by block, typically 64 or 128 bits. | Encrypt plaintext by bits/bytes/words. |
| Performed by | Encryption performed by scrambling plaintext and key (permutes plaintext blocks). | Encryption performed by XOR of plaintext with keystream (created by pseudo-random number generator). |
| Used | Different modes of operation with probabilistic encryption for improved security. Widely used in e-commerce. | Fast algorithms/implementations in hardware. Cannot reuse the keystream. |

The XOR operation follows these rules:
- 0 XOR 0 = 0
- 1 XOR 0 = 1
- 0 XOR 1 = 1
- 1 XOR 1 = 0

Playfair cipher
A Playfair cipher uses a 5x5 grid of letters and encrypts the message by splitting the word into pairs of letters. We first make the 5x5 grid by filling in the key in the first row, and then fill out the remaining rows with the rest of the alphabet. We treat I and J as the same letter, and we get the 5x5 grid shown underneath.

C R Y P T
O A B D E
F G H I K
L M N Q S
U V W X Z

General rules:
- When the plaintext pairs are in the same row we replace them with the letters to the right.
- When they are located in two different rows and columns, we replace each letter with the letter in its own row and in the column of the other plaintext letter.
- When in the same column, replace with the letters below.

Vigenere cipher
The Vigenere cipher is a method to encrypt alphabetic text, and I will use the table underneath. The horizontal axis will be used for the plaintext, and the vertical axis will be used for the key.

Rail fence cipher
The Rail Fence Cipher is a type of transposition cipher where letters of the message are written in a zigzag pattern across multiple rails, and then the letters are read off row by row to create the ciphertext.

Enigma machine
The Enigma machine was a field unit used in World War II by German field agents to encrypt and decrypt messages and communications. Similar to the Feistel function of the 1970s, the Enigma machine was one of the first mechanized methods of encrypting text using an iterative cipher.

Rijndael S-box
The AES S-box (Substitution box) is a crucial component in the Advanced Encryption Standard (AES), used during the SubBytes step of the AES encryption and decryption process. Its primary function is to provide non-linearity and diffusion, making it harder for an attacker to find patterns or linear relationships in the encrypted data.

Electronic Codebook (ECB)
Electronic codebook (ECB) is the simplest approach to multiple block encryption. The method handles plaintext b bits at a time, where each plaintext block is encrypted with the same key. Therefore the length of the message could trigger a security weakness. If the cryptanalyst knows that the message starts out with a predefined variable, it makes it easier to detect a pattern in the encrypted data. Therefore ECB may not be secure and cannot provide sufficient confidentiality.

Cipher block chaining (CBC) is a method where each plaintext block is XORed with the previous ciphertext block before being encrypted.
The method uses the same key for each block and adds an element of feedback. One of the weaknesses with this approach is that it reuses the same initialization vector for several messages.

MAC algorithms
One authentication technique involves the use of a secret key to generate a small block of data, known as a message authentication code, that is appended to the message. The MAC is a function of an input message and a secret key. This technique assumes that two communicating parties, say A and B, share a common secret key K_AB. When A has a message to send to B, it calculates the message authentication code as a complex function of the message and the key: MAC_M = F(K_AB, M). The message plus code are transmitted to the intended recipient. The recipient performs the same calculation on the received message, using the same secret key, to generate a new message authentication code. The received code is compared to the calculated code.

Public key certificates
In essence, a certificate consists of a public key plus a user ID of the key owner, with the whole block signed by a trusted third party. The certificate also includes some information about the third party plus an indication of the period of validity of the certificate. Typically, the third party is a certificate authority (CA) that is trusted by the user community, such as a government agency or a financial institution. A user can present his or her public key to the authority in a secure manner and obtain a signed certificate. The user can then publish the certificate. Anyone needing this user’s public key can obtain the certificate and verify that it is valid by means of the attached trusted signature.

ANSWER TO QUIZ 2 Q1:
The keystream: 01010011
The plaintext (binary string): 00110110
This gives us ciphertext 01100101

ANSWER TO QUIZ 2 Q2:
Keyword: crypto
Plaintext: security
We then start to pair the letters in the plaintext “security”. In this case we will pair “s” with “e”, “c” with “u” etc.
Using this technique we will get the following pairs: SE – CU – RI – TY
Ciphertext: ZK - OC - PG - CP
ZKOCPGCP

ANSWER TO QUIZ 2 Q3: We will first find the letter “C” along the axis for the plaintext and then find the letter “I” along the axis for the key. Then we will find the point of intersection, that is “K” in this case, that will be the ciphertext. We repeat this process for all the letters in the plaintext.
Plaintext: CYBERSECURITY
Key: CRYPTO
Cipher: EPZTKGGTSGBHA

ANSWER TO QUIZ 2 Q4:
Plaintext: the railfence cipher is a very easy cipher to break.
Plaintext without spaces: therailfencecipherisaveryeasyciphertobreak.
Key depth: 3 rows

ANSWER TO QUIZ 2 Q5: The settings for the model are shown in the picture in the text above. The ciphertext is KAHPG NSXBC

ANSWER TO QUIZ 2 Q6: To find the corresponding encrypted hexadecimal value for the given input using the AES S-box, we follow a simple lookup procedure. First, we are given the input hexadecimal value c6. The AES S-box is an 8x8 lookup table, typically expressed with a 16x16 matrix. The value c6 is represented by two hexadecimal digits: the first hex digit c (which is 12 in decimal) corresponds to the row in the S-box, and the second hex digit 6 corresponds to the column of the S-box. C6 gives the value b4.

ANSWER QUIZ 2 Q7: ECB
ANSWER TO QUIZ 2 Q8: MAC algorithms should be reversible since the receiver needs to verify the integrity of received data
ANSWER TO QUIZ 2 Q9: FALSE
ANSWER H20 P2 Q10: Authentication. Cryptographic primitives, such as hashing algorithms, encryption, and digital signatures, play a critical role in ensuring authentication. Authentication uses these cryptographic techniques to verify the identity of users or systems. For example, digital certificates and public/private key pairs are cryptographic tools used in authentication processes.
ANSWER H20 P2 Q2:
A.
It is used to authenticate an entity in a network: Public-key certificates are commonly used in systems like HTTPS and email encryption to authenticate the identity of entities, ensuring that communication is securely established between trusted parties.
C. It is widely used because it makes key distribution easier in the Internet: Public-key certificates simplify the process of distributing keys because users can trust the certificates issued by a trusted certificate authority (CA), avoiding the need to share private keys directly.
D. It is used to prevent man-in-the-middle attacks in a network: Public-key certificates help prevent man-in-the-middle (MITM) attacks by verifying the identity of the communication endpoints. A trusted certificate authority ensures that the public key belongs to the entity it claims to represent, mitigating the risk of interception by malicious actors.
________________________________________________________________________________
Module 3: Public key crypto (quiz 3: asymmetric crypto)

Public-key cryptography (PKC)
Public-key algorithms are based on mathematical functions rather than on simple operations on bit patterns, such as are used in symmetric encryption algorithms. More important, public-key cryptography is asymmetric, involving the use of two separate keys, in contrast to symmetric encryption, which uses only one key. The use of two keys has profound consequences in the areas of confidentiality, key distribution, and authentication.

Public key certificate
In essence, a certificate consists of a public key plus a user ID of the key owner, with the whole block signed by a trusted third party. The certificate also includes some information about the third party plus an indication of the period of validity of the certificate. Typically, the third party is a certificate authority (CA) that is trusted by the user community, such as a government agency or a financial institution.
RSA
One of the first public-key schemes was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978 [RIVE78]. The RSA scheme has since reigned supreme as the most widely accepted and implemented approach to public-key encryption. RSA is a block cipher in which the plaintext and ciphertext are integers between 0 and n – 1 for some n.

Diffie-Hellman Scheme (DH)
The first published public-key algorithm appeared in the seminal paper by Diffie and Hellman that defined public-key cryptography [DIFF76] and is generally referred to as Diffie-Hellman key exchange. A number of commercial products employ this key exchange technique. The purpose of the algorithm is to enable two users to exchange a secret key securely that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of the keys. The beauty of this protocol is that even if someone intercepts the messages exchanged between Alice and Bob, they cannot compute the shared key without knowing the private keys.

Digital signatures
The main goal of signatures is to prove to anyone that a message originated at (or is approved by) a particular user.
Symmetric key cryptography:
- Two users, A and B, share a secret key K
- The receiver of a message (user A) can verify that the message came from the other user B.
- User C cannot prove that the message came from B (it may also have come from A).
- Public key cryptography can provide signatures: only one user has the private key.
How it works: the digital signature of a message M is the hash of that message encrypted with the signer's private key, i.e. S = E(PR, H(M)). An entity receiving a message with an attached digital signature knows that the message originated from the signer of the message.

Key management
Key management is the process of generating, distributing, storing, protecting, and managing cryptographic keys that are used to secure data and communications.
It is a critical aspect of cryptographic systems, ensuring that keys are kept safe and used appropriately to maintain the security of sensitive information. Key management involves various functions, such as:
1. **Key Generation**: Creating cryptographic keys, either symmetric (used for both encryption and decryption) or asymmetric (public and private key pairs).
2. **Key Distribution**: Safely distributing keys to authorized users or systems.
3. **Key Storage**: Ensuring that keys are stored securely, typically in hardware security modules (HSMs) or secure software environments, to prevent unauthorized access.
4. **Key Rotation**: Regularly changing keys to reduce the risk of compromise over time.
5. **Key Backup and Recovery**: Ensuring that keys can be backed up securely and recovered in the event of data loss or system failure.
6. **Key Revocation and Expiry**: Ensuring that keys can be disabled or expire when no longer needed or if they are compromised.
Effective key management is crucial for maintaining the integrity, confidentiality, and authenticity of data in systems that rely on encryption.

ANSWER TO QUIZ 3 Q1:
[x] PKC schemes are more secure than symmetric cryptographic schemes since PKC use longer keys
[x] PKC schemes can totally replace symmetric cryptographic schemes in practice
[v] PKC makes the key sharing more convenient than symmetric cryptography
[v] PKC enables non-repudiation which cannot be offered by symmetric cryptography
ANSWER TO QUIZ 3 Q2: FALSE
ANSWER TO QUIZ 3 Q3: FALSE
ANSWER TO QUIZ 3 Q4: TRUE
ANSWER TO QUIZ 3 Q5: To compute the ciphertext in an RSA cryptosystem, we use the following formula:
C = m^e mod n
where m is the message (here: 45), e is the public exponent (here: 5), and n is the modulus (here: 2491).
First, we will find the ciphertext of m and plaintext of c. We use the public parameters e and n to encrypt m. We then get:
C = 45^5 mod 2491
This gives the ciphertext 2318.
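The RSA and Diffie-Hellman arithmetic used in the Quiz 3 answers (Q5 to Q7), as an added example that is not part of the original notes. It implements square-and-multiply modular exponentiation and checks it against the toy numbers from those answers; the function names and the factorisation 2491 = 47 × 53 are supplied here and do not come from the notes.

```python
"""Added example: textbook RSA and Diffie-Hellman with the Quiz 3 toy numbers."""


def mod_exp(base: int, exponent: int, modulus: int) -> int:
    """Square-and-multiply: compute base**exponent mod modulus without ever
    building the full power (2318**957 has more than 3000 decimal digits)."""
    if modulus <= 0 or exponent < 0:
        raise ValueError("modulus must be positive and exponent non-negative")
    result = 1 % modulus
    base %= modulus
    while exponent:
        if exponent & 1:                      # current bit set: multiply it in
            result = result * base % modulus
        base = base * base % modulus          # square for the next bit
        exponent >>= 1
    return result


def private_exponent(e: int, p: int, q: int) -> int:
    """d = e^-1 mod (p-1)(q-1). Only the key owner, who knows p and q, can do this."""
    return pow(e, -1, (p - 1) * (q - 1))


def rsa_encrypt(m: int, e: int, n: int) -> int:
    """C = m^e mod n. Plaintext must be an integer between 0 and n - 1."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return mod_exp(m, e, n)


def rsa_sign(m: int, d: int, n: int) -> int:
    """s = m^d mod n. The quiz signs the number directly; deployed schemes
    sign a padded hash of the message, S = E(PR, H(M))."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return mod_exp(m, d, n)


def rsa_verify(m: int, s: int, e: int, n: int) -> bool:
    """Accept the signature only if s^e mod n recovers the message."""
    return mod_exp(s, e, n) == m


def dh_public(g: int, private_key: int, p: int) -> int:
    """Public value g^private mod p, sent in the clear."""
    return mod_exp(g, private_key, p)


def dh_shared(peer_public: int, private_key: int, p: int) -> int:
    """Shared secret: the peer's public value raised to our own private key."""
    return mod_exp(peer_public, private_key, p)


def quiz3_values() -> dict:
    """Recompute every number quoted in the Quiz 3 Q5-Q7 answers."""
    n, e = 2491, 5                            # public key from Q5
    d = private_exponent(e, 47, 53)           # 47 * 53 = 2491 (factored here)
    alice_pub = dh_public(7, 36, 499)         # Q7: p = 499, g = 7
    bob_pub = dh_public(7, 276, 499)
    return {
        "d": d,
        "ciphertext": rsa_encrypt(45, e, n),
        "signature": rsa_sign(2318, d, n),
        "alice_pub": alice_pub,
        "bob_pub": bob_pub,
        "alice_shared": dh_shared(bob_pub, 36, 499),
        "bob_shared": dh_shared(alice_pub, 276, 499),
    }


if __name__ == "__main__":
    for name, value in quiz3_values().items():
        print(f"{name:13} = {value}")
```

The modulus here can be factored by hand, which is exactly why anyone can recover d; the security of real RSA depends on n being too large to factor.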
ANSWER TO QUIZ 3 Q6: In an RSA digital signature scheme, the signature s is generated using the private key d and the message m. The signature s is calculated as:
s = m^d mod n
where m is the message (2318), d is the private exponent (957), and n = p x q = 2491.
To find the signature s, we calculate 2318^957 mod 2491. Since 2318 < 2491, reducing 2318 mod 2491 leaves it unchanged: 2318 mod 2491 = 2318. Now, we need to calculate 2318^957 mod 2491. Given that this is a large exponent, we can use modular exponentiation to efficiently compute the result. After obtaining s, Bob would verify the signature by computing s^e mod n and checking if it matches the original message m.
The signature s = 45

ANSWER TO QUIZ 3 Q7: Alice and Bob agree on two values: 1) a prime number p, and 2) a generator g. These values are not secret, and everyone knows them. In the question p = 499 and g = 7. Alice chooses a private key prikey1, which is a random number that she keeps secret (Alice's private key is 36). Alice then computes her public key using the formula pubkey1 = g^(prikey1) mod p → 7^36 mod 499 = 440 and sends 440 to Bob. Similarly, Bob chooses his private key prikey2, which is a random number that he keeps secret (Bob's private key is 276). Bob computes his public key (351) and sends it to Alice. After exchanging public keys, Alice and Bob can each compute the shared secret key using their own private key and the other person's public key. The shared key is 444.

ANSWER QUIZ 3 Q8: TRUE
The security of key sharing in public key cryptography, such as in RSA or Diffie-Hellman, relies on the authenticity of the sender's public key. If an attacker can impersonate the sender by providing a fake public key (a man-in-the-middle attack), they could intercept and decrypt sensitive information, breaking the security of the communication.
To ensure secure key exchange, the public key must be verified, typically through digital certificates or trusted certificate authorities (CAs) that authenticate the public key's ownership.

ANSWER TO QUIZ 3 Q9: FALSE
While digital signatures offer more comprehensive security features, including non-repudiation, they are not a replacement for MACs. Each scheme has its own use case based on the requirements of the system in terms of performance, security, and functionality. Therefore, both are important in different scenarios.

ANSWER TO QUIZ 3 Q10: FALSE
Using MD5 for digital signatures is no longer considered acceptable due to its vulnerabilities. It is strongly recommended to use more secure hashing algorithms from the SHA-2 or SHA-3 family (e.g., SHA-256) to ensure the security and integrity of the digital signature.
____________________________________________________________________________
Module 4 - User Authentication (quiz 4)

User Authentication
User authentication: the ability to prove that a user or application is genuinely who that person or what that application claims to be. Technically, this is a process that verifies the binding between a claimed identity and some attributes/information, such as a password, PIN etc.
An authentication process consists of two steps:
1. Identification step: Presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as access control service.)
2. Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier.
There are four general means of authenticating a user's identity, which can be used alone or in combination:
1. Something the individual knows: Examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions.
2. Something the individual possesses: Examples include electronic key cards, smart cards, and physical keys. This type of authenticator is referred to as a token.
3. Something the individual is (static biometrics): Examples include recognition by fingerprint, retina, and face.
4. Something the individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.

Multi Factor authentication
Multi-factor authentication: aims to combine two or more authentication techniques to provide stronger authentication assurance.

Storing password in plaintext → ID, P
Storing password encrypted → ID, E (K, P)
Storing password hashed → ID, H (P)
Salting passwords: when the ID and password are initially created, generate a random s-bit value (salt), concatenate it with the password and then hash. → ID, Salt, H (P || Salt)
The salt serves three purposes:
1. It prevents duplicate passwords from being visible in the password file. Even if two users choose the same password, those passwords will be assigned different salt values. Hence, the hashed passwords of the two users will differ.
2. It greatly increases the difficulty of offline dictionary attacks. For a salt of length b bits, the number of possible passwords is increased by a factor of 2^b, increasing the difficulty of guessing a password in a dictionary attack.
3. It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.

Hashcat
hashcat is a password cracking tool that works by attempting a large number of password combinations, hashing them, and checking if they match the target hash. Given that the password is constrained to 8 digits (i.e., numbers only), there are only 10^8 (100,000,000) possible combinations, which is manageable for modern computing power.
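The storage forms ID, H (P) and ID, Salt, H (P || Salt) from the salting notes above, side by side. This is an added example, not part of the original notes; the user names, passwords and the four-word list are constructed, and SHA-256 stands in for H. It shows salt purposes 1 and 2: duplicates disappear and a precomputed table stops working, while a weak password is still found when each entry is checked on its own.

```python
import hashlib
import hmac
import os


def H(data: bytes) -> str:
    """The hash function H from the notes (SHA-256 chosen for this example)."""
    return hashlib.sha256(data).hexdigest()


def store_unsalted(user_id, password):
    """Password file entry of the form ID, H(P)."""
    return {"id": user_id, "hash": H(password.encode())}


def store_salted(user_id, password, salt=None):
    """Password file entry of the form ID, Salt, H(P || Salt)."""
    if salt is None:
        salt = os.urandom(16)              # fresh random salt per user
    return {"id": user_id, "salt": salt, "hash": H(password.encode() + salt)}


def check_password(entry, candidate):
    """Login check: re-hash the candidate with the entry's own salt."""
    salt = entry.get("salt", b"")
    return hmac.compare_digest(entry["hash"], H(candidate.encode() + salt))


def build_lookup_table(wordlist):
    """Precomputed H(P) -> P table: built once, reusable on any unsalted file."""
    return {H(word.encode()): word for word in wordlist}


def audit_entry(entry, wordlist):
    """Password audit of one entry: every word is re-hashed with that entry's
    salt, so the work is repeated per user instead of shared across users."""
    for word in wordlist:
        if check_password(entry, word):
            return word
    return None


def precomputed_table_size(dictionary_size, salt_bits):
    """Entries needed to precompute every (word, salt) pair: the 2^b factor."""
    return dictionary_size * 2 ** salt_bits


WORDLIST = ["123456", "password", "qwerty", "letmein"]   # constructed sample


def demo():
    table = build_lookup_table(WORDLIST)
    u_alice = store_unsalted("alice", "letmein")
    u_bob = store_unsalted("bob", "letmein")
    s_alice = store_salted("alice", "letmein")
    s_bob = store_salted("bob", "letmein")
    s_carol = store_salted("carol", "T7#vq!Lr2zPw")      # constructed strong password
    return {
        "unsalted_duplicates_visible": u_alice["hash"] == u_bob["hash"],
        "salted_duplicates_visible": s_alice["hash"] == s_bob["hash"],
        "table_lookup_unsalted": table.get(u_alice["hash"]),
        "table_lookup_salted": table.get(s_alice["hash"]),
        "audit_weak_salted": audit_entry(s_alice, WORDLIST),
        "audit_strong_salted": audit_entry(s_carol, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("table entries for 4 words, 16-bit salt:", precomputed_table_size(4, 16))
```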
Hash functions
A hash function is a mathematical algorithm that takes an input (or "message") and returns a fixed-size string of characters, which is typically a sequence of numbers and letters. The output is called the hash value, hash code, or digest. Hash functions are widely used in computer science, particularly in data structures (like hash tables), cryptography, and data integrity checks.

SHA-256
SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function that produces a fixed-size output (256 bits, or 64 hexadecimal characters) from an input of any length. It's part of the SHA-2 family of hashing algorithms, which were designed by the National Security Agency (NSA) to provide more security than their predecessors (such as SHA-1).

Windows LAN Manager (LM) and NTLM
Windows LAN Manager (LM) and NT LAN Manager (NTLM) are authentication protocols used by Microsoft Windows systems to authenticate users and secure their passwords. Although both have been largely replaced by more secure methods, they were widely used in earlier versions of Windows.

Biometric authentication
A biometric authentication system attempts to authenticate an individual based on his or her unique physical characteristics, such as facial characteristics, fingerprints etc.
In biometric authentication, a false match (or Type II error) refers to the situation where samples from different sources (i.e., two different individuals) are incorrectly assessed to be from the same source (i.e., the system incorrectly accepts a fraudulent user).
True match: The system correctly identifies biometric data as belonging to the same individual.
False nonmatch: The system incorrectly rejects a legitimate user (false rejection).
True nonmatch: The system correctly identifies biometric data as belonging to different individuals.
False match: The system incorrectly accepts biometric data as belonging to the same individual when it actually belongs to someone else.
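The four outcomes above, applied to a decision threshold. This is an added example, not part of the original notes; the similarity scores are constructed and a comparison is accepted when its score is at or above the threshold. It shows that raising the threshold lowers the false match rate and raises the false nonmatch rate.

```python
# Constructed similarity scores in [0, 1]; higher means "more alike".
GENUINE = [0.91, 0.84, 0.77, 0.69, 0.58, 0.95, 0.88, 0.73]    # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.62, 0.28, 0.71, 0.19, 0.50]   # different people


def outcome(same_person, score, threshold):
    """Name the outcome of one comparison using the terms from the notes."""
    accepted = score >= threshold
    if same_person:
        return "true match" if accepted else "false nonmatch"
    return "false match" if accepted else "true nonmatch"


def error_rates(genuine, impostor, threshold):
    """False nonmatch rate (Type I) and false match rate (Type II)."""
    fnm = sum(outcome(True, s, threshold) == "false nonmatch" for s in genuine)
    fm = sum(outcome(False, s, threshold) == "false match" for s in impostor)
    return {"FNMR": fnm / len(genuine), "FMR": fm / len(impostor)}


def lowest_threshold_for(genuine, impostor, max_fmr):
    """Smallest observed score usable as a threshold that keeps FMR <= max_fmr.

    Choosing the smallest such threshold keeps FNMR as low as the FMR target
    allows, which is the trade-off the two error types force.
    """
    for t in sorted(set(genuine) | set(impostor)):
        if error_rates(genuine, impostor, t)["FMR"] <= max_fmr:
            return t
    return None


def sweep(thresholds=(0.5, 0.7, 0.8)):
    return {t: error_rates(GENUINE, IMPOSTOR, t) for t in thresholds}


if __name__ == "__main__":
    for t, rates in sweep().items():
        print(f"threshold {t}: FNMR={rates['FNMR']:.3f} FMR={rates['FMR']:.3f}")
    t0 = lowest_threshold_for(GENUINE, IMPOSTOR, 0.0)
    print("lowest threshold with no false matches:", t0,
          error_rates(GENUINE, IMPOSTOR, t0))
```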
ANSWER QUIZ 4 Q1: TRUE
Multi-factor authentication provides multi-layer protection, making it significantly more secure than single-factor authentication. By requiring multiple forms of verification, MFA dramatically increases the difficulty for attackers to gain unauthorized access, especially in the face of common threats like password theft or phishing attacks.

ANSWER QUIZ 4 Q2: What a user knows & what a user has
In the example where Martin uses his employee card and inputs his PIN code to enter the building, the following factors are deployed for user authentication:
1. What a user has: This is represented by Martin's employee card, which he physically possesses.
2. What a user knows: This is represented by the PIN code that Martin knows and inputs to authenticate himself.

ANSWER QUIZ 4 Q3:
The password entry in the file follows a common format used by bcrypt or SHA-512-based hash schemes with a salt. In this case, the entry provided is:
$6$9VC0m3IIUvTpG7Y6$yKEKJPF6/H3ZPnDC6pmfDb02FMlkpat5JgEPGWIZglL4.VIckM.vz.f6hIuENVzLAH9FdewSzRksEG.7ZNBh10
This represents the following structure:
$6$ indicates the hashing algorithm used, which in this case is SHA-512.
9VC0m3IIUvTpG7Y6 is the salt.
yKEKJPF6/H3ZPnDC6pmfDb02FMlkpat5JgEPGWIZglL4.VIckM.vz.f6hIuENVzLAH9FdewSzRksEG.7ZNBh10 is the hashed password (the result of hashing the combination of the salt and the password).
Steps to Cracking the Password:
1. Salt: The salt is 9VC0m3IIUvTpG7Y6.
2. Hashing Method: SHA-512 with a salt is being used to hash the password.
3. Password Format: We are told that the user's password is restricted to 8 digits. This is a critical piece of information because it limits the possible combinations for Christoff's cracking attempt using tools like hashcat.
The password: 55584013. This is the 8-digit password that, when combined with the salt (9VC0m3IIUvTpG7Y6) and hashed with the SHA-512 algorithm, matches the hash provided in the password entry.
In practical terms, this password would be the correct one used by the system, and it can be verified by running it through the same hash function along with the salt.

ANSWER QUIZ 4 Q4:
To solve this, we need to understand the format of the password entry generated by Windows LAN Manager (LM) and NTLM hashing algorithms. Let's break down the entry and figure out how to identify Tobias's password.
Structure of the Entry: The entry provided is in the following format:
Tobias::43F40EDFD0B04FB2AAD3B435B51404EE:4126D649453FF99E83177A4ACEF3B74A:::
This follows the typical structure for an NTLM or LM hash:
Tobias: The username.
The first hash (43F40EDFD0B04FB2AAD3B435B51404EE) is the NTLM hash of the password.
The second hash (4126D649453FF99E83177A4ACEF3B74A) is related to the LAN Manager (LM) hash (though LM is rarely used in modern systems, this is part of the entry).
The trailing colons (:::) indicate that the entry includes empty or unused fields (related to LM, etc.).
Understanding NTLM and LM Hashes:
1. NTLM Hash: The NTLM hash is the result of hashing the password using the MD4 algorithm after converting it to uppercase. This hash is case-insensitive, meaning the password is converted to uppercase before being hashed.
2. LAN Manager (LM) Hash: The LM hash is created by converting the password into uppercase, padding it to 14 characters, and splitting it into two 7-character segments. Each segment is hashed separately using DES. LM hashes are very weak and are rarely used anymore due to security issues.
Given the NTLM Hash: The NTLM hash is the one we care about for finding the password. The hash is 43F40EDFD0B04FB2AAD3B435B51404EE, and we know that it corresponds to the uppercase version of Tobias's password.
Cracking the Password: To identify Tobias's password, we can try using a tool like hashcat or John the Ripper, which are commonly used for password cracking by trying various password combinations.
Since the character set is composed of lowercase and uppercase English letters, the possible characters for the password are: A-Z (uppercase) and a-z (lowercase).
Conclusion: The password would be a combination of lowercase and uppercase English letters that, when hashed using the NTLM algorithm, produces the hash 43F40EDFD0B04FB2AAD3B435B51404EE.
Password: ekEEr

ANSWER QUIZ 4 Q5: FALSE

ANSWER QUIZ 4 Q6: FALSE
A dictionary attack can be applied whether or not a salt is used. A dictionary attack involves using a pre-constructed list (the dictionary) of common passwords, which the attacker hashes and compares to the stored password hashes. Without salt, if two users choose the same password, their hashes would be identical, making it easier for an attacker to crack both passwords by simply looking up the hash. Salt does indeed make dictionary attacks more difficult by ensuring that the hashes of identical passwords are unique across different users, but it's important that the salt is both random and unique for each user to fully protect against dictionary attacks.

ANSWER QUIZ 4 Q7: False nonmatch
False nonmatch (also known as a Type I error) occurs when biometric samples from the same source (the same individual) are incorrectly assessed as being from different sources. This means the system falsely rejects a legitimate user, which is often referred to as a false rejection.

ANSWER QUIZ 4 Q8: TRUE
1. For User Authentication (High Security): False Nonmatch Rate (Type I Error): This refers to situations where the system incorrectly rejects a legitimate user, i.e., samples from the same source (the same person) are erroneously assessed as coming from different sources. High security in user authentication requires ensuring that only authorized users are granted access. A low false nonmatch rate (or low false rejection rate) ensures that legitimate users are not falsely rejected, minimizing the risk of unauthorized denial of access.
In other words, you want to reduce the chances of a legitimate user being denied access due to a false rejection.
2. Forensic Applications (Identification or Investigation): False Match Rate (Type II Error): This refers to situations where the system incorrectly accepts a sample from a different source (a different individual) as matching the same source. In forensic applications, a false match would mean the system incorrectly links two different individuals, which could have serious consequences in legal or criminal investigations. For forensic applications, you want to minimize the false match rate to ensure that the system doesn't mistakenly match two individuals who are not the same. A low false match rate (or low false acceptance rate) ensures that a suspect or individual is not falsely implicated by the system.

ANSWER H20 P2 Q4:
The options that significantly reduce the quality of the hash and may lead to a successful password cracking are:
A. The user's password consists of only 20 lower-case letters: Using only lower-case letters limits the complexity and increases vulnerability to brute-force attacks.
B. Upper-case letters in the user's password are converted to lower case letters before the password is hashed: This reduces entropy and weakens security by limiting character variation.
C. SHA-256 is replaced with a fast hash function with 64-bit digest: A 64-bit digest provides much weaker security than the 256-bit digest of SHA-256.
D. The user's password has length < 8: Short passwords are easier to crack via brute-force methods.

ANSWER H20 P2 Q7:
The following are examples of security controls of user authentication:
B. A person provides a username and password when logging into a website: This is a classic form of user authentication based on knowledge (something the user knows).
C. A person enters letters from the image of "I am not a robot" on a login page: This is a CAPTCHA mechanism, a type of authentication to verify the user is human (a challenge-response test).
D. A person opens his/her mobile phone with a fingerprint: This is biometric authentication, where physical characteristics (something the user is) are used to authenticate.
______________________________________________________________________
Module 5: Access Control and auditing (quiz 5)

Access Control
Access control: the prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. Granting access right or permission at a more granular level.
Identification: claim of an entity's identity.
Authentication: verification that the credentials of a user or other entity are valid.
Authorization: granting of a right or permission to a system entity to access a resource; access control puts authorization policies to work.
Audit: independent review of system records and activities in order to test for adequacy of system control, ensure compliance to policy, detect breaches and recommend changes.
Access control list (ACL): a mechanism that defines which users or system processes are granted access to specific resources, like files or data, based on permissions.

Basic elements of access control system
Subject: entity capable of accessing resources. Typically there are three classes of subject: owner, group and world.
Object: resource to which access is controlled.
Access right: describes the way in which a subject may access an object. Access rights could include the following: read, write, execute, delete, create and search.

Access control policies
An access control policy, which can be embodied in an authorization database, dictates what types of access are permitted, under what circumstances, and by whom.
Access control policies are generally grouped into the following categories:

DAC – Discretionary Access Control
DAC: the object's owner can determine who should have access rights to an object and what those rights should be. A general approach to DAC, as exercised by an operating system or a database management system, is that of an access matrix.
Access Matrix: specifies access rights of subjects on objects. One dimension of the matrix consists of identified subjects that may attempt data access to the resource; the other dimension lists the objects that may be accessed.

MAC – Mandatory Access Control
MAC: based on multilevel security (MLS). Controls access based on comparing security labels with security clearances.

RBAC – Role-based access control
RBAC: permitted actions on resources are identified with roles rather than with individual subject identities.

ABAC – Attribute-based access control
ABAC: access decisions are based on attributes of any component of or action on the system.

RADIUS
RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is widely used for managing access to network resources and services, especially in organizations that require secure remote access for employees or customers.

Accountability - auditing
Audit: independent review of system records and activities in order to test for adequacy of system control, ensure compliance to policy, detect breaches and recommend changes.
Accountability: provides the means to trace activities in our environment back to their source. Implemented by monitoring, logging and auditing.
Security benefits of accountability:
Non-repudiation: situation in which sufficient evidence exists to prevent an individual from successfully denying.
Deterrence: laying out clear rules about how resources should be accessed. Announcing clearly that all access activities are monitored, and that there will be penalties for acting against the rules.
Intrusion detection: performs strictly as a monitoring and alert tool, only notifying us that an attack or undesirable activity is taking place.
Intrusion prevention: often working from information sent by the intrusion detection, can actually take action based on what is happening in the environment.

Linux file permissions
Inode: a data structure that stores important information about a file or directory.
Directory: a file that lists an entry for each file in that directory.
Permissions (rwx)
R: read the file, list the contents of the directory.
W: write to the file, create and remove files in the directory.
X: execute the file, enter the directory and access its files.
Categories of users (ugo)
U: user that owns the file
G: users in the file's group
O: other users

ANSWER QUIZ 5 Q1:
[v] ABAC controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
[v] MAC controls access based on comparing security labels, indicating how critical resources are, with security clearances, indicating system entities are eligible to access certain resources

ANSWER QUIZ 5 Q2: RBAC
Role-Based Access Control (RBAC) assigns permissions to roles rather than directly to individual users. Each user is then assigned one or more roles based on their job function. This makes it easier to manage permissions across a large number of users, as changes to permissions are made at the role level, not individually.

ANSWER QUIZ 5 Q4:
In computer system a/an ["subject", "access right", "object", "asset"] is an entity capable of accessing a resource, termed a/an ["entity", "subject", "access right", "object"], based on an access control list.

ANSWER QUIZ 5 Q7:
- Assign access rights to roles instead of individual users
- RBAC models define a role as a job function within an organization
- RBAC is based on the roles that users assume in a system rather than the user's identity.
ANSWER TO QUIZ 5 Q8:
- [v] define authorizations that express conditions on properties of both the resource and the subject
- [v] ABAC relies upon the evaluation of attributes of the subject, attributes of the object, and access control rules

ANSWER TO QUIZ 5 Q9: FALSE
For secrecy, the principle of no write-down, no read-up is enforced. For data integrity, the principle of no write-up, no read-down is enforced.

ANSWER H20 P2 Q1: Accountability, Authorization, Authentication

ANSWER H20 P2 Q9:
B. Student downloads lecture slides: ACLs could control this if permissions are set on who is allowed to download or access the content.
C. Student checks their own course grade: ACLs manage this process by restricting access so only the student can view their own grades.
D. Student tries to see a fellow student's grade but is rejected: ACLs are in use here to ensure that students cannot access grades they are not authorized to see.
E. Lecturer uploads lecture notes: ACLs could control this process by allowing only lecturers to upload course materials.

ANSWER TO QUIZ 5 Q3:
"The file permission indicates that it belongs to a root user": Correct. The ownership information in the ls -l output shows that both the owner (root) and group (root) own the file, which indicates that it belongs to the root user and group.
"The numeric value for this file is 777": Correct. The permissions lrwxrwxrwx correspond to a symbolic link (l) with read (r), write (w), and execute (x) permissions for the owner, group, and others. In numeric form, this is 777.
"The file sbin is actually a link, directing to the folder /usr/sbin": Correct. The file /sbin is a symbolic link (l) as indicated by the first character of the permission string (l), and it points to /usr/sbin.
"Normal user has no permission to run the command: cd /sbin": Incorrect. Normal users can use the cd /sbin command because the symbolic link itself has read (r) and execute (x) permissions for everyone (rwxrwxrwx).
As long as the permissions on the target directory /usr/sbin also allow access, a normal user can navigate to it. The ability to execute a directory means you can change into it.

ANSWER QUIZ 5 Q5:
d: Indicates it's a directory (not part of the numeric value).
rwx (owner): The owner has read (r), write (w), and execute (x) permissions. Numerical value: 7 (read = 4, write = 2, execute = 1 → 4 + 2 + 1 = 7).
r-x (group): The group has read (r) and execute (x) permissions, but no write permission. Numerical value: 5 (read = 4, write = 0, execute = 1 → 4 + 1 = 5).
r-x (others): Others (everyone else) have read (r) and execute (x) permissions, but no write permission. Numerical value: 5 (read = 4, write = 0, execute = 1 → 4 + 1 = 5).
Final numeric value: 755.

ANSWER TO QUIZ 5 Q6:
Step 1: Understanding the options
We want to set the directory permissions to rwxrwxr--, which means:
Owner: rwx (7 in octal)
Group: rwx (7 in octal)
Others: r-- (4 in octal)
So, the default directory permissions are 777 (rwxrwxrwx), and we want to subtract the desired permissions 775 (rwxrwxr--).
Step 2: Calculate the umask for the desired permissions
The umask can be found by subtracting the desired permissions from the default permissions:
Default: 777
Desired: 775
Subtracting: 777 - 775 = 002 → So, the umask required is 002.
Step 3: Check the options
Now, let's check the provided options:
1. 122: This umask would result in 755 for directories (since 777 - 122 = 755), which is not the desired rwxrwxr--.
2. 003: This umask would result in 774 for directories (since 777 - 003 = 774), which is not the desired rwxrwxr--.
3. 021: This umask would result in 756 for directories (since 777 - 021 = 756), which is not the desired rwxrwxr--.
4. 222: This umask would result in 555 for directories (since 777 - 222 = 555), which is not the desired rwxrwxr--.
Conclusion
None of the options directly match the required umask 002.
However, based on your goal of setting permissions to rwxrwxr--, the closest match would be 003 (as it gives you a permission similar to what you're aiming for, though it also impacts other settings). If possible, you should manually set the umask to 002 for the exact result.
____________________________________________________________________________
Module 6 - Network protocols and attacks

Core protocols

TCP/IP model
When two parties want to communicate over the internet, they typically use a protocol called TCP/IP. In order to take part in TCP/IP, you have to engage in the "TCP three-way handshake". The normal process of establishing a connection between a client and a server is as follows:
1. The Client sends a SYN packet to the Server. In this case the SYN message stands for "synchronize".
2. The Server then sends back a SYN-ACK packet to the Client, where the SYN-ACK packet acknowledges the first message.
3. The Client receives the SYN-ACK and sends back an ACK packet to the server, and the connection is established.

DHCP - Dynamic host configuration protocol
Application-layer protocol. End systems dynamically get IP addresses from a DHCP server (mostly the router): host, mask, DNS server, default gateway.

ARP - address resolution protocol
Data link-layer protocol. ARP helps hosts get the MAC address corresponding to a certain IP address (mostly that of the gateway router).

FTP - file transfer protocol
FTP is a standard communication protocol used to transfer computer files from a server to a client on a computer network.

DNS - domain name system protocol

NAT - network address translation

SMTP - simple mail transfer protocol
SMTP is an internet standard communication protocol for electronic mail transmission.

SSH - secure shell protocol
SSH is a cryptographic network protocol for operating network services securely over an unsecured network.
ICMP - internet control message protocol

Denial of service (DoS) Attack
Denial of Service has the abbreviation DoS and is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth and disk space (book, page 242). A DoS attack targeting system resources typically aims to overload or crash its network handling software. The simplest classical DoS attack is a flooding attack on an organization. The aim of this attack is to overwhelm the capacity of the network connection to the target organization. Along with the basic flooding attack, the other common classic DoS attack is the SYN spoofing attack. This attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.
Spoofing: creating fake IP addresses. The attacker sends packets with a fake (or spoofed) source address. The target does not (immediately) know who performed the attack. Responses are not sent to the attacker. Addresses are spoofed to hide the attacker and redirect traffic to others.

Flooding attacks
Flooding attacks take a variety of forms, based on which network protocol is being used to implement the attack. In all cases the intent is generally to overload the network capacity on some link to a server. Common flooding attacks use any of the ICMP, UDP, or TCP SYN packet types. It is even possible to flood with some other IP packet type.
Indirect attack types that utilize multiple systems include:
- Distributed denial-of-service attacks - DDoS
- Reflector attacks
- Amplifier attacks

Distributed denial of service attacks - DDoS
A Distributed Denial-of-Service (DDoS) attack is a method where multiple compromised systems, known as zombies, are used to overwhelm a target with traffic, effectively disrupting its normal operations.
This type of attack is more powerful than a standard Denial-of-Service (DoS) attack because it uses numerous systems to generate a large amount of traffic. Zombies are compromised computers (often user workstations) that attackers control remotely. Attackers gain access to these systems by exploiting vulnerabilities in their operating systems or applications, installing malicious software to take full control. Once enough zombies are compromised, they form a botnet, a network of compromised systems that the attacker can control. Typically, a control hierarchy is established, where a small number of handlers control a larger number of zombie agents. The attacker sends commands to the handlers, who distribute these commands to the agents, allowing for coordinated attacks on a target. This hierarchical model reduces the complexity of controlling large botnets and obscures the attacker's identity. A famous DDoS tool called Tribe Flood Network (TFN), created by a hacker named Mixter, is one of the early examples of such an attack. TFN agents could launch various types of attacks, including ICMP, SYN, and UDP floods, which exploit different internet protocols to overwhelm the target. While TFN did not use address spoofing, it relied on the large number of zombies to mask the attacker's identity. Later versions, such as TFN2K, included encrypted communication between handlers and agents to make the attack traffic harder to detect. More recent DDoS tools have adopted new methods of communication, using IRC or instant messaging servers to coordinate attacks, along with cryptographic authentication to prevent analysis of command traffic. Preventing DDoS attacks involves securing systems against compromise by applying security patches and maintaining strong security practices. Once a system is part of a botnet, it can be difficult to detect its involvement in a DDoS attack. 
For victims of DDoS attacks, defense strategies involve mitigating the flood of traffic, often with more advanced methods due to the scale and complexity of DDoS attacks.

TCP SYN flood attack with IP spoofing and TCP SYN reflection attack
TCP SYN flood is a type of DDoS attack that exploits the TCP connection process. When two parties want to communicate over the internet, they typically use a protocol called TCP/IP. In order to take part in TCP/IP, you have to engage in the "TCP three-way handshake". The normal process of establishing a connection between a client and a server is as follows:
1. The Client sends a SYN packet to the Server. In this case the SYN message stands for "synchronize".
2. The Server then sends back a SYN-ACK packet to the Client, where the SYN-ACK packet acknowledges the first message.
3. The Client receives the SYN-ACK and sends back an ACK packet to the server, and the connection is established.
The TCP SYN spoofing attack and the TCP SYN reflection attack differ in the way they are executed. A TCP SYN spoofing attack provides a spoofed IP address. A spoofed IP address is a fake IP address that gives the server a fake location for where the client is located. The server will then react by sending SYN-ACK packets to the fake IP address and expecting an ACK in return. Since the IP address is spoofed, the packets never arrive, and the connection is left half-open. The server will be overloaded, and in some cases crash.
On the other hand, in a TCP SYN reflection attack the attacker sends several SYN packets with a spoofed IP address to intermediary servers, appearing as the victim. The intermediary servers will then respond by sending SYN-ACK packets to the victim's IP address. The victim will receive multiple packets from different servers as a response to one single SYN request. The two attacks differ in the way they are executed and in who the victim is.
The TCP SYN spoofing attack overloads the server, in contrast to the TCP SYN reflection attack, which overwhelms the client.

Ping Flood Attack
A ping flood is a type of DDoS attack that overwhelms a target with ICMP requests. The attacker continuously sends echo requests to the target with ping -f target. The target network is then flooded by the echo replies to those requests.
Flood the server: the attacker uses ping to send many ICMP requests to the target server.
Botnet: Refle