UNIVERSITY OF ELDORET
SCHOOL OF SCIENCE
COMP 425 : NETWORK SECURITY AND CRYPTOGRAPHY
Course Content
LECTURE
1
2
3
4
5
6
7
8
9
10
11
12
Key concepts in Information Security. Threats and vulnerabilities in
Computer Networks, Authentication applications,
Electronic Mail security, IP security,
Web security, Other Web security issues:- Intruders and viruses,
firewalls, Digital cash, secret sharing Schemes,
Cat 1
Conventional Encryption :- Classical Systems, DES, 3DES, AES,
Symmetric Ciphers, RC4, RC5).
Zero-Knowledge Techniques, FolkLore.
Public Key cryptography:- Introduction to Number Theory, Key
Management, Message Authentication and Hash Functions.
Hash and MAC Algorithms, Digital Signatures, Passwords and
Password Management
Penetration testing
Trends in Network security.
Presentations
CAT II
Lecture 1:
.
Assessment
Continuous Assessment Tests (CATs): 30%
End of Semester Written Examinations: 70%
Learning Materials
Cryptography and Network Security – by Atul Kahate – TMH.
Data Communications and Networking- by Behourz A Forouzan
Cyber Security Operations Handbook – by J.W. Rittiaghouse and William M.Hancok –
Elseviers.
1
LECTURE 1
Key concepts in Information Security
Information security is the practice of defending information from unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or destruction.
It is also defined as preservation of confidentiality, integrity and availability of information.
Other properties, such as authenticity, accountability, non-repudiation and reliability can also be
involved.
Security attack – Any action that compromises the security of information owned by an
organization. Security mechanism – A means used to detect, prevent or recover from a security
attack.
Security service –The tools intended to counter security attacks and make use of one or more
security mechanisms to provide the service.
Confidentiality - limiting information access and disclosure to authorized users -- "the right
people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
Integrity - Maintaining and assuring the accuracy and consistency of data over its entire lifecycle.
Availability - This means that the computing systems used to store and process the information,
the security controls used to protect it, and the communication channels used to access it must be
functioning correctly.
Non-repudiation - It implies that one party of a transaction cannot deny having received a
transaction nor can the other party deny having sent a transaction.
Risk is the likelihood that something bad will happen that causes harm to an informational asset
(or the loss of the asset).
Vulnerability is a weakness that could be used to endanger or cause harm to an informational
asset.
A threat is anything (manmade or act of nature) that has the potential to cause harm. The
likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does
use a vulnerability to inflict harm, it has an impact
Cryptography - The art or science encompassing the principles and methods of transforming an
intelligible message into one that is unintelligible, and then retransforming that message back to
its original form
Network Vulnerabilities
Network vulnerabilities come in many forms but the most common types are:
1. Malware, short for malicious software, such as Trojans, viruses, and worms that are installed
on a user’s machine or a host server.
2. Social engineering attacks that fool users into giving up personal information such as a
username or password.
3. Outdated or unpatched software that exposes the systems running the application and
potentially the entire network.
4. Misconfigured firewalls / operating systems that allow or have default policies enabled.
5. Gaps in your application security: when applications are not kept up-to-date, tested and
patched, the doors are open to code injection, cross-site scripting, insecure direct object
references, and much more
2
TYPES OF CYBER SECURITY THREATS
There are numerous threats that can affect hardware, software, and the information you store.
Some of the major ones include the following:
 Viruses are designed in such a way that can be easily transmitted from one computer or
system to another. Often sent as email attachments, viruses corrupt and co-opt data, interfere
with your security settings, generate spam, and may even delete content.
 Computer worms are similar; they spread from one computer to the next by sending itself to
all of the user’s contacts and subsequently to all of the contacts’ contacts.
 Trojans – these malicious pieces of software insert themselves into a legitimate program.
Often, people voluntarily let trojans into their systems in the form of email messages from a
person or an advertiser they trust. As soon as the accompanying attachment is open, your
system becomes vulnerable to the malware within.
 Bogus security software that tricks users into believing that their system has been infected
with a virus. The accompanying security software that the threat actor provides to fix the
problem causes it.
 The adware tracks your browsing habits and causes particular advertisements to pop up.
 Spyware is an intrusion that may steal sensitive data such as passwords and credit card
numbers from your internal systems.
 Denial of service (DOS) attack: occurs when hackers deluge a website with traffic, making
it impossible for users to access its content. A distributed denial of service (DDOS) attack is
more forceful and aggressive since it is initiated from several servers simultaneously. As a
result, a DDOS attack is harder to mount defenses against.
 Phishing attacks are social engineering infiltrations whose goal is to wrongfully obtain
sensitive data: passwords and credit card numbers. Via emails or links coming from trusted
companies and financial institutions, the hacker causes malware to be downloaded and
installed.
 SQL injections are network threats that involve using malicious code to infiltrate cyber
vulnerabilities in data systems. As a result, data can be stolen, changed, or destroyed.
 Man-in-the-middle attacks involve a third party intercepting and exploiting
communications between two entities that should remain private. Not only does
eavesdropping occur but also information can be changed or misrepresented by the intruder,
causing inaccuracy and even security breaches.
This is a vulnerability that allows attackers to spy on or alter the communication between
devices in your network. A man-in-the-middle attack could lead to the installation of viruses,
warms, or Ransomware. Cybercriminals can carry out man-in-the-middle attack through:
 IP spoofing
 DNS spoofing
 HTTPS spoofing
 SSL hijacking
 Wi-Fi hacking
 Machine learning

Rootkit tools gain remote access to systems without permission and can lead to the
installation of malware and the stealing of passwords and other data.
3
Superuser accounts
Superuser accounts can turn into network vulnerabilities. These accounts have unlimited
privileges, data, and devices and are often used for administrative purposes by IT team
leaders.
The user can create, modify, and delete files, install software, or copy information. If a
cybercriminal gets hold of such an account, the damage to your network and your business
could be catastrophic.
Causes of Vulnerabilities
 Design and development errors: There can be flaws in the design of hardware and
software. These bugs can put your business-critical data at risk of exposure.
 Poor system configuration: This is another cause of vulnerability. If the system is poorly
configured, then it can introduce loopholes through which attackers can enter into the system
& steal the information.
 Human errors: Human factors like improper disposal of documents, leaving the documents
unattended, coding errors, insider threats, sharing passwords over phishing sites, etc. can lead
to security breaches.
 Connectivity: If the system is connected to an unsecured network (open connections) then it
comes in the reach of hackers.
 Complexity: The security vulnerability rises in proportion to the complexity of a system. The
more features a system has, the more chances of the system being attacked.
 Passwords: Passwords are used to prevent unauthorized access. They should be strong
enough that no one can guess your password. Passwords should not be shared with anyone at
any cost and passwords should be changed periodically. In spite of these instructions, at
times people reveal their passwords to others, write them down somewhere and keep easy
passwords that can be guessed.
 User Input: You must have heard of SQL injection, buffer overflows, etc. The data received
electronically through these methods can be used to attack the receiving system.
 Management: Security is hard & expensive to manage. Sometimes organizations lack
behind in proper risk management and hence vulnerability gets induced in the system.
 Lack of training to staff: This leads to human errors and other vulnerabilities.
 Communication: Channels like mobile networks, internet, telephone opens up security theft
scope.
Note
The threats are too great, too fast, and too powerful, and the day you are hacked will arrive much
sooner rather than later. Basic security is NOT ENOUGH.
Throw out any notion you might have that you will be able to completely eliminate risks. Shift
those security goals around minimizing and managing risks - keeping the impact of incidents low
and the efforts to resolve incidents as efficient as possible.
The tools you implement to make those goals possible is what makes it all work, including:
 Complete managed security including all your end points
 Encrypt EVERYTHING – in transit and at rest
 Secure EVERYTHING – with dual factor authentication
 Trust no one and no account (Zero trust!)
4





Patch, patch, and keep patching
Leverage third party specialists for audits and monitoring
Stay on top of patch management, revisit and validate alerting infrastructure at every point of
egress/ingress,
Use defense in depth (layered security measures), and
Teach users to protect their accounts and report suspicious events.
INTRUDERS
One of the most publicized attacks to security is the intruder, generally referred to as hacker or
cracker. Three classes of intruders are as follows:
Masquerader – an individual who is not authorized to use the computer and who penetrates a
system’s access controls to exploit a legitimate user’s account.
Misfeasor – a legitimate user who accesses data, programs, or resources for which such access is
not authorized, or who is authorized for such access but misuse his or her privileges.
Clandestine user – an individual who seizes supervisory control of the system and uses this
control to evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the
clandestine user can be either an outsider or an insider.
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are
many people who simply wish to explore internets and see what is out there. At the serious end
are individuals who are attempting to read privileged data, perform unauthorized modifications
to data, or disrupt the system. Benign intruders might be tolerable, although they do consume
resources and may slow performance for legitimate users. However there is no way in advance to
know whether an intruder will be benign or malign.
An analysis of previous attack revealed that there were two levels of hackers:
The high levels were sophisticated users with a thorough knowledge of the technology.
The low levels were the ‘foot soldiers’ who merely use the supplied cracking programs with little
understanding of how they work.
One of the results of the growing awareness of the intruder problem has been the establishment
of a number of Computer Emergency Response Teams (CERT). these co- operative ventures
collect information about system vulnerabilities and disseminate it to systems managers.
Unfortunately, hackers can also gain access to CERT reports.
In addition to running password cracking programs, the intruders attempted to modify login
software to enable them to capture passwords of users logging onto the systems.
Intrusion techniques
The objective of the intruders is to gain access to a system or to increase the range of privileges
accessible on a system. Generally, this requires the intruders to acquire information that should
be protected. In most cases, the information is in the form of a user password.
Typically, a system must maintain a file that associates a password with each authorized user. If
such a file is stored with no protection, then it is an easy matter to gain access to it. The password
files can be protected in one of the two ways:
One way encryption – the system stores only an encrypted form of user’s password.
In practice, the system usually performs a one way transformation (not reversible) in which the
5
password is used to generate a key for the encryption function and in which a fixed length output
is produced.
Access control – access to the password file is limited to one or a very few accounts.
The following techniques are used for learning passwords.
 Try default passwords used with standard accounts that are shipped with the system.
 Many administrators do not bother to change these defaults.
 Exhaustively try all short passwords.
 Try words in the system’s online dictionary or a list of likely passwords.
 Collect information about users such as their full names, the name of their spouse and
 children, pictures in their office and books in their office that are related to hobbies.
 Try user’s phone number, social security numbers and room numbers.
 Try all legitimate license plate numbers.
 Use a torjan horse to bypass restriction on access.
 Tap the line between a remote user and the host system.
Two principle countermeasures:
Detection – concerned with learning of an attack, either before or after its success.
Prevention – challenging security goal and an uphill bottle at all times.
INTRUSION DETECTION:
Inevitably, the best intrusion prevention system will fail. A system's second line of defense is
intrusion detection, and this has been the focus of much research in recent years.
This interest is motivated by a number of considerations, including the following:
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the
system before any damage is done or any data are compromised.
2. An effective intrusion detection system can serve as a deterrent, so acting to prevent
intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques that can
be used to strengthen the intrusion prevention facility.
4. Intrusion detection is based on the assumption that the behavior of the intruder differs from
that of a legitimate user in ways that can be quantified.
Approaches to intrusion detection:
1. Statistical anomaly detection: Involves the collection of data relating to the behavior of
legitimate users over a period of time. Then statistical tests are applied to observed behavior to
determine with a high level of confidence whether that behavior is not legitimate user behavior.
a. Threshold detection: This approach involves defining thresholds, independent of
user,for the frequency of occurrence of various events.
b. Profile based: A profile of the activity of each user is developed and used to
detect changes in the behavior of individual accounts.
2. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide
that a given behavior is that of an intruder.
a. Anomaly detection: Rules are developed to detect deviation from previous usage
patterns.
b. Penetration identification: An expert system approach that searches for suspicious
behavior.
6
In terms of the types of attackers listed earlier, statistical anomaly detection is effective against
masqueraders. On the other hand, such techniques may be unable to deal with misfeasors. For
such attacks, rule-based approaches may be able to recognize events and sequences that, in
context, reveal penetration. In practice, a system may exhibit a combination of both approaches
to be effective against a broad range of attacks.
Audit Records
A fundamental tool for intrusion detection is the audit record.
Some record of ongoing activity by users must be maintained as input to an intrusion detection
system. Basically, two plans are used:
Native audit records: Virtually all multiuser operating systems include accounting software
that collects information on user activity. The advantage of using this information is that no
additional collection software is needed. The disadvantage is that the native audit records may
not contain the needed information or may not contain it in a convenient form.
Detection-specific audit records: A collection facility can be implemented that generates audit
records containing only that information required by the intrusion detection system.
One advantage of such an approach is that it could be made vendor independent and ported to a
variety of systems.
The disadvantage is the extra overhead involved in having, in effect, two accounting packages
running on a machine.
COMP 425 : INFORMATION SYSTEMS SECURITY
CAT 1
a) Explain the following:- IP spoofing, DNS spoofing , HTTPS spoofing , SSL hijacking, WiFi hacking.
[6 MKS]
b) Using a sketch diagram, explain the working principle of 3DES.
[6 MKS]
c) Explain how SQL injection works in a network.
[6 MKS]
d) Explain the various types of hackers in a network environment.
[6 MKS]
e) Which options do you have in executing a Denial of Service Attack?
[6 Mks]
7