NMIS(NETWORK MANAGEMENT AND INFORMATION SYSTEMS) -. Introduction to Information Security

January-2004 [4] July-2004 [8]
1. a)What are four problems related to network security? Explain the meaning of each of them. [4]
1.a) Differentiate between passive and active attacks on a computer. [4]
An attempt to subvert or bypass a system's security.
Attacks may be passive or active.
Passive attacks try to intercept or read data without changing it.A "passive attack" attempts to learn or make use of information from the system but does not affect system resources. Only involve monitoring of the information(Interception) leading to loss of confidentiality or traffic analysis(monitoring exchange of information without knowing precise contents) and are hard to prevent
Ex; Passive attacks are Interception: Attacks Confidentially Eaves Dropping, Man-in-the-middle attacks
Traffic analysis Attacks Confidentially or anonymity . Can include traceback on a network, CRT Radiation.
Active attacks attempt to alter or destroy data. An "active attack" attempts to alter system resources or affect their operation.They involve intervention of information(interception,modification and fabrication) flow and are easy to detect
interception : Attacks availability
modification : Attacks integrity
fabrication : Attacks authenticity
Ex; Active attacks are Trojan horses , Reworked code

b) What is malicious code? What are its different types? What differentiates one type from another? [4]
Malicious code (also called vandals) is a new breed of Internet threat that cannot be efficiently controlled by conventional antivirus software alone. In contrast to viruses that require a user to execute a program in order to cause damage, vandals are auto-executable applications.
we will classify malicious code into three areas [23]:
A Virus is a self-replicating code segment which must be attached to a host executable. When the host is executed, the virus code may also execute. If possible, the virus will replicate by attaching a copy of itself to another executable. The virus may include an additional ``payload'' that triggers when specific conditions are met.
A Trojan horse is malicious code masquerading as a legitimate application. The goal of the code is to have the user believe they are conducting standard operations or running an innocuous application when in fact initiating its ulterior activities. There are many ways this attack manifests with the most frequent being reliance upon user naivety. A Trojan horse is similar to a virus, except a Trojan horse does not replicate.
A Worm is a self-replicating program. It is self-contained and does not require a host program. The program creates the copy and causes it to execute; no user intervention is required. Worms commonly utilize network services to propagate to other computer systems

January-2005 [4]
1.
a) List and describe three preventative measures that can be taken to minimize the risk of computer virus infection, other than the use of anti-virus software. [4]

The first thing that I recommend doing is to set Windows up to show file extensions. Windows is configured by default to hide the file extensions for known file types. A lot of virus authors take advantage of this by adding a false extension to an infected file. For example, if a virus was written in Visual Basic Script, it would have the .VBS extension. However, Windows knows the .VBS extension and therefore hides it. Many viruses use a filename like DOCUMENT.DOC.VBS. The idea is that since the .VBS is hidden, the user only sees the false extension .DOC, and assumes that the virus is a harmless document file.
Another step that you can take is to block file types that are potentially malicious. You can get away with because you’ve already asked the users what types of attachments they commonly receive.
First, you might begin by setting up a corporate policy that forbids users from bringing in any floppy disks or CDs from home. These foreign media could potentially carry viruses, and may also contain software that the company isn’t licenses to use. You might even go so far as to remove the floppy and CD drives from the workstations.
A firewall is a system that prevents unauthorized use and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or in broadband routers. good software firewall will protect your computer from outside attempts to control or gain access your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms

July-2005 [16]
1.
d) Differentiate between passive and active attacks on a computer. [4]
4.
b) What are Trojans? Give example of at least one commonly known Trojan? [6]

Trojan horses, otherwise referred to as trojans, are simply programs that pretend to be something else. Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that when triggered cause loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet. Trojan.Vundo is a Trojan horse
c)Differentiate between worms and viruses. [6]
Worms
Viruses
Wo rms are programs that replicate themselves from system to system without the use of a host file.
Worm doesn'tneed any host programs . Worm uses network flaws to spread for example: if u have a email with a virus. To activate that virus u have to double click it. But this not the case if its a worm.
Virus requires host
program to spread .
A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any help from a person
A computer virus
attaches itself to a
program or file so it can spread from one computer to another, leaving infections as it travels
A worm takes advantage of file or information transport features on your system, which allows it to travel unaided

A worm is a type of virus that has an important and specific feature; it does not depend upon any form of human intervention to propagate. Since it can replicate and infect by itself, it is by far the most virulent type of virus, and can infect many millions of computers globally in a matter of hours.
A standard virus will
depend on some form
of human intervention to propagate, whether this is opening an email attachment, clicking a
malicious link, or
transferring an
infected disk from one
machine to another.
A virus copies itself around the system by gradually attaching the virus code to every common executable program available on the computer
A worm transfers
copies of itself across network links.
virus is a piece of program that attaches itself to the legitimate program , and it also modifies the host program & it need a host.
worm is a complete program that attaches itself to the legitimate program,but it doesnot
modifies the host
program

January-2006 [4]
1.e)Differentiate between active and passive attacks on a computer. [4]
2.What is the difference between passive and active attacks with respect to security threats faced in using the web. 4.a) How is a virus different from a worm? What are the various types of viruses? [8]

Computer viruses are generally defined as a program inputted into a computer that allows replication of the program installed. As it replicates, the program intentionally infects the computer, typically without even the user knowing about the damage being done. A virus, unlike worms or Trojan horses, needs an aid to transfer them to computers. Viruses usually take a large amount of computer memory, resulting into system crashes. Viruses are categorized to several parts based on its features.
Macro Viruses
A macro virus, often scripted into common application programs such as Word or Excel, is spread by infecting documents. Macro viruses are known to be platform-independent since the virus itself are written in language of the application and not the operating system. When the application is running, this allows the macro virus to spread amongst the operating systems. Examples of these viruses are: Melissa.A and Bablas. pc.
Network Viruses
Network viruses rapidly spreads through a Local Network Area (LAN), and sometimes throughout the internet. Generally, network viruses multiply through shared resources, i.e., shared drives and folders. When the virus infects a computer, it searches through the network to attack its new potential prey. When the virus finishes infecting that computer, it moves on to the next and the cycle repeats itself. The most dangerous network viruses are Nimda and SQLSlammer.
Logic Bombs
The logic bomb virus is a piece of code that are inputted into a software system. When a certain and specific condition is met, such as clicking on an internet browser or opening a particular file, the logic bomb virus is set off. Many programmers set the malicious virus off during days such as April Fools Day or Friday the 13th. When the virus is activated, then various activities will take place. For example, files are permanently deleted
Companion Viruses
Companion viruses takes advantage of MS-DOS. This virus creates a new file with typically the .COM extensions, but sometimes the .EXD extension as well. When a user manually types in a program they desire without adding .EXE or any other specific extention, DOS will make the assumption that the user want the file with the extension that comes first in alphabetical order, and thus running the virus. The companion virus is rare among Windows XP computers as this particular operating system does not use the MS-DOS.
Boot Sector Viruses
Boot sector viruses generally hide in the boot sector, either in the bootable disk or the hard drive. Unlike most viruses, this virus does not harm the files in the hard disk, but harm the hard disk itself. Boot sector viruses are uncommon at this day and age because these viruses are spread rapidly by floppy disks and not on CD-ROMs.
Multipartite Viruses
Multipartite viruses are spreaded through infected media and usually hides in the memory. Gradually, the virus moves to the boot sector of the hard drive and infects executable files on the hard drive and later across the computer system.

6.a) What is Trojan Horse? Explain some functions of the Trojan. Also suggest any three ways to detect Trojan. [7]

Trojan Horses in the wild often contain spying functions (such as a packet sniffer) or
backdoor functions that allow a computer, unbeknownst to the owner, to be remotely
controlled from the network, creating a "zombie computer". Because Trojan horses often
have these harmful functions, there often arises the misunderstanding that such
functions define a Trojan Horse.
Trojans and backdoors typically setup a hidden server, from which a hacker with a client
can then log on to. They have become polymorphic, process injecting, prevention
disabling, easy to use and therefore abuse.
How do I detect them?
This is the best method to determine if your system has been compromised, but it requires that you:
A. have a basic understanding of the state of an "active connection" and
B. that you're familiar with the port numbers commonly used by the Trojans
Port scanning, traffic monitoring, process monitoring, any suspected activity shown on these
procedures can be sign of trojans.
Nearly all remote access trojans use TCP or UDP sockets, and in many cases trojans have a
default port that they listen to.
A simple netstat -a can reveal some trojans. However, you need some knowledge and
experience about TCP and services before you can get to the conclusion that your system is
infected.
Port scanning does have two distinct advantages - it can detect trojan ports even if the trojan
uses netstat stealth techniques, and it can be used both locally and remotely.Always keep in mind
that Firewalls, routers and Intrusion Detection Systems (IDS) can affect the results of a port scan.
TCPView is a free utility by Sysinternals which not only lists the IP addresses communicating with
your computer, it tells you what program is using that connection. Armed with this information you
can locate whatever program is sending data out of your machine and deal with it.

July-2007 [4]
1.d) Briefly explain confidentiality, Integrity and Availability with respect to information security [4]

Attributes of Information Security: Confidentiality, Integrity, Availability
A key aspect of Information Security is to preserve the confidentiality, integrity and availability of an organisation's information. It is only with this information, that it can engage in commercial activities. Loss of one or more of these attributes, can threaten the continued existence of even the largest corporate entities.
Confidentiality. Assurance that information is shared only among authorised persons or organisations. Breaches of Confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data etc. The classification of the information should determine is confidentiality and hence the appropriate safeguards.
Integrity. Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. The term Integrity is used frequently when considering Information Security as it is represents one of the primary indicators of security (or lack of it). The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document, threatens both confidentiality and the integrity of the information. Why? Because, by making one or more copies, the data is then at risk of change or modification.
Availability. Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.