Network Security Threats Guide


The Red Users-Internship Task-1

By
Devadharshini S
[email protected]

Introduction to Network Security Basics

What are Network Threats?

Network threats are malicious activities that target online systems,
compromising their integrity and confidentiality. These threats can be executed by
individuals or groups aiming to gain unauthorized access to systems, steal sensitive
data, disrupt services, or manipulate information. Common types of network threats
include malware (like viruses and ransomware), phishing attacks, denial-of-service
attacks, and insider threats. Understanding these threats is crucial for implementing
effective security measures to protect sensitive information and maintain the
reliability of digital environments.

Types of Network Security Threats:

⚫ Phishing:
Phishing is a type of cyberattack that uses fraudulent emails, text messages,
phone calls or websites to trick people into sharing sensitive data, downloading
malware or otherwise exposing themselves to cybercrime. Phishing attacks are a
form of social engineering.

Case Study: Phishing Attack on Facebook and Google

Between 2013 and 2015, Facebook and Google fell victim to an extensive phishing
campaign that resulted in losses of approximately $100 million. The attacker
exploited the fact that both companies utilized Quanta, a Taiwan-based vendor, for
various services. By sending a series of fraudulent invoices that impersonated Quanta,
the phisher successfully tricked both companies into making payments for services
that were never rendered.

The scam remained undetected for a significant period, demonstrating how
sophisticated phishing techniques can deceive even large organizations. Once the
fraudulent activity was uncovered, Facebook and Google took swift action through
the US legal system. The attacker was apprehended and extradited from Lithuania,
leading to legal proceedings that allowed the companies to recover $49.7 million of
the stolen funds.

⚫ Computer Worm:
A computer worm is a type of malware that self-replicates and spreads to other
computers without human intervention. Unlike viruses, worms can propagate
independently by exploiting vulnerabilities in operating systems or software. They
often travel through networks, infecting multiple devices quickly, and may carry
harmful payloads that can delete files or steal data. Notable examples include the
Morris Worm and the ILOVEYOU Worm. To protect against worms, it’s essential to
keep systems updated, use firewalls, install antivirus software, and educate users
about safe computing practices. Understanding computer worms is crucial for
effective network security.

Case Study: The Code Red Worm Epidemic of 2001

On July 19, 2001, the Code-Red (CRv2) worm infected over 359,000 computers
connected to the Internet within 14 hours, causing an estimated $2.6 billion in
damages. This epidemic highlighted the difficulty in characterizing worm spread due
to challenges in collecting global data. A study was conducted over 45 days starting
July 2, 2001, to analyze the spread of Code-Red. The researchers traced infection and
deactivation rates, finding that infection peaked at over 2,000 hosts per minute. They
examined the characteristics of the infected population, revealing that the worm
primarily targeted home users and small businesses rather than large corporations.

⚫ Trojan horse
A Trojan horse attack is a type of malware attack that uses deception to
trick users into installing malicious software on their computers.

Trojan Infection Methods:

Here are common ways trojans can infect computers in your corporate network:

• A user is targeted by phishing or other types of social engineering, opens an
infected email attachment or clicks a link to a malicious website
• A user visits a malicious website and experiences a drive-by download
pretending to be useful software, or is prompted to download a codec to play a video
or audio stream
• A user visits a legitimate website infected with malicious code (for
example, malvertising or cross-site scripting)
• A user downloads a program whose publisher is unknown or unauthorized by
organizational security policies
• Attackers install a trojan by exploiting a software vulnerability, or through
unauthorized access.

Case Study: Tiny Banker Trojan (Discovered in 2012)

Tiny Banker Trojan (TBT), or Tinba, is a trojan that infects end-user devices
and attempts to compromise their financial accounts and steal funds.
The Tinba Trojan, also known as Tiny Banker, has posed significant
challenges for infected systems, impacting over 20 major US banking institutions. It
infects systems and browsers through various methods and captures data from
banking sites. When users log into their accounts, a fake pop-up appears, mimicking
the legitimate site to steal login credentials. Since its source code was published
online, new versions of the malware have emerged, making it one of the most
destructive strains affecting the banking industry since its peak in 2016. Its impact has
notably altered online banking security practices.

⚫ Rootkit
Rootkit malware is a collection of software designed to give malicious
actors control of a computer network or application. Once activated, the
malicious program sets up a backdoor exploit and may deliver additional malware,
such as ransomware, bots, keyloggers or trojans. Rootkits may remain in place for
years because they are hard to detect, due in part to their ability to block some
antivirus software and malware scanner software.

How a Rootkit Works:

⚫ Infection: A rootkit enters a computer through harmful downloads, phishing
scams, or by taking advantage of software flaws.
⚫ Gaining Control: After infection, it seeks to get higher permissions, allowing it to
access and control more parts of the system.
⚫ Hiding Itself: The rootkit disguises its presence by altering system files and
processes, making it difficult for users and security software to find.
⚫ Maintaining Access: It lets attackers perform actions like stealing data and
installing other malicious software, and it can stay active even after a restart.
⚫ Remote Access: The rootkit may open a backdoor, giving attackers the ability to
access the system from a distance.

⚫ Man in the Middle (MITM)
A man-in-the-middle (MITM) attack is a cyberattack where an attacker
secretly intercepts communications between two parties, typically a user and an
application. The attacker can then eavesdrop on the conversation, steal information, or
impersonate one of the parties.

Equifax Breach: A Case Study in Man-in-the-Middle


The Equifax breach in 2017 affected about 147 million people due to the company's
failure to patch a known vulnerability. Attackers accessed sensitive data, including
Social Security numbers and birth dates, going undetected from mid-May to July. The
breach raised serious concerns about data security, leading to financial losses and
legal actions against Equifax. In response, the company offered free credit monitoring
and improved its security practices. This incident highlighted the importance of timely
software updates and strong data protection measures.

⚫ SQL Injection attack

SQL injection is a code injection technique that can severely compromise your
database security. It’s one of the most common web hacking methods, allowing
attackers to insert malicious code into SQL statements through web page inputs. This
manipulation can lead to unauthorized access, data loss, or complete control over the
database, highlighting the critical need for secure coding practices to protect against
such vulnerabilities.

Real-World Example: The GhostShell Attack

A notable incident that underscores the dangers of SQL injection is the GhostShell
attack, executed by the APT group Team GhostShell. In this attack, hackers targeted
53 universities, exploiting vulnerabilities in their databases through SQL injection
techniques. They successfully stole and published 36,000 personal records belonging
to students, faculty, and staff.

This breach highlights the severe risks associated with inadequate database security
and serves as a cautionary tale for educational institutions. It emphasizes the critical
importance of implementing robust security measures, such as input validation and
the use of prepared statements, to protect against SQL injection vulnerabilities.

⚫ Adware
Adware is a type of malware that displays unwanted advertisements on a
device or computer. It can be bundled with free software or games, or downloaded
fraudulently. Adware can be dangerous and can cause issues with a system.

How Adware Works

Installation:

• Often bundled with legitimate software or downloaded unintentionally.
• Can be installed via deceptive ads or free software downloads.

Tracking User Behavior:

• Collects data on browsing habits, search queries, and interactions with ads.
• Uses this data to deliver targeted advertisements.

Ad Injection:

• Modifies web pages to inject ads into the content.
• Alters the HTML structure to display additional advertisements.

Pop-ups and Banners:

• Generates intrusive pop-up ads and banner ads within the browser.
• Disrupts the user experience and encourages unintentional clicks.

Revenue Generation:

• Developers earn money through pay-per-click (PPC) and pay-per-impression (PPI) models.
• Increased ad views and clicks lead to higher revenue.

Potential Security Risks:

• May collect sensitive information, compromising user privacy.
• Can install additional malware or redirect users to harmful websites.

Performance Impact:

• Slows down browser performance and overall system speed.
• Can lead to crashes or freezes due to excessive resource use.

User Experience:

• Creates a frustrating browsing experience filled with unwanted ads.
• Users may find it difficult to navigate websites due to constant interruptions.

Removal Difficulty:

• Some adware can be challenging to remove without dedicated anti-malware tools.
• Users may need to go through several steps to fully uninstall it.

Caution:

• Users should be vigilant during software installations and opt for custom installs to avoid
unwanted adware.
• Regularly using anti-malware tools can help detect and eliminate adware threats.

⚫ Spyware

Spyware is malicious software that infiltrates a user's computer to gather data from
both the device and the user, often sending this information to third parties without
consent. It operates stealthily, frequently without the user’s awareness, and can access
personal information such as browsing habits, passwords, and financial data.

A widely accepted definition of spyware describes it as a type of malware specifically
designed to access and compromise a device, potentially leading to significant privacy
breaches and security risks. Users may unknowingly install spyware through
deceptive downloads, malicious links, or bundled software.

Example: Keyloggers.

How Spyware Works

Installation:

• Deceptive Downloads: Spyware is often bundled with legitimate software or
downloaded via misleading ads or links.
• Phishing Attacks: Users may be tricked into installing spyware through
phishing emails that appear to come from trusted sources.

Stealth Operation:

• Background Execution: Once installed, spyware typically runs in the
background, making it difficult for users to detect.
• No User Consent: It operates without the user's knowledge or permission,
collecting data silently.

Data Collection:

• Keystroke Logging: Some spyware, like keyloggers, records every keystroke
made by the user, capturing sensitive information such as passwords and credit
card numbers.
• Screen Capture: Certain spyware can take screenshots of the user's activity,
further gathering personal information.

Monitoring Activity:

• Browsing Habits: Spyware tracks websites visited, search queries, and online
purchases to build a profile of the user’s behavior.
• Data Harvesting: It can collect information from applications, including
emails, chat messages, and documents.

Data Transmission:

• Sending Data: The collected information is often transmitted to remote
servers controlled by the attacker. This can occur through network connections,
making it difficult to trace.
• Real-Time Monitoring: Some spyware allows attackers to monitor user
activities in real-time, providing immediate access to sensitive information.

Persistence:

• Reinstallation Mechanisms: Some spyware includes features to reinstall
itself if removed, ensuring continued access to the infected device.
• Rootkits: Advanced spyware may use rootkits to hide its presence and
maintain control over the infected system.

Understanding Basic Security Concepts

Firewall:
A Firewall is a network security device that monitors and filters incoming and
outgoing network traffic based on an organization's previously established security
policies. At its most basic, a firewall is essentially the barrier that sits between a
private internal network and the public Internet.
A firewall is a network security device, either hardware or software-based,
which monitors all incoming and outgoing traffic and based on a defined set of
security rules accepts, rejects, or drops that specific traffic.
• Accept: allow the traffic
• Reject: block the traffic but reply with an “unreachable error”
• Drop: block the traffic with no reply.

How a Firewall Works:

Traffic Monitoring:

• A firewall continuously monitors incoming and outgoing network traffic. It
examines the data packets transmitted over the network.

Packet Inspection:

• Each data packet contains information, such as the source IP address,
destination IP address, source port, destination port, and protocol type (e.g.,
TCP, UDP).
• The firewall analyzes this information to determine whether to allow or block
the packet based on predefined rules.

Rule-Based Filtering:

• Firewalls operate based on a set of rules defined by the network administrator.
These rules specify which traffic is permitted or denied.
• Rules can be based on:
o IP addresses (specific devices or ranges)
o Ports (specific services or applications)
o Protocols (TCP, UDP, ICMP, etc.)

Types of Filtering:

• Packet Filtering: The firewall examines packets individually and allows or
blocks them based on the defined rules. This method is fast but offers limited
context.
• Stateful Inspection: The firewall keeps track of the state of active
connections (e.g., established TCP sessions) and uses this context to determine
whether packets are part of an existing connection.
• Application Layer Filtering: Some firewalls can inspect the actual content of
the packets (e.g., HTTP requests) to identify specific applications or services,
providing more granular control.

Logging and Alerts:

• Firewalls typically log traffic data, including blocked connections and
potential threats. This logging helps administrators analyze traffic patterns and
respond to security incidents.
• Alerts can be configured to notify administrators of suspicious activity.

Default Behavior:

• Most firewalls have a default "deny all" rule, meaning that any traffic not
explicitly allowed by the rules is blocked. This principle of least privilege
helps enhance security.

Functionality:

• Packet Filtering: Inspects packets and allows or blocks them based on IP
addresses, ports, and protocols.
• Stateful Inspection: Keeps track of active connections and determines which
packets to allow through based on established connections.
• Proxy Service: Acts as an intermediary for requests from clients seeking
resources from other servers, providing an additional layer of security.

Types of Firewalls:

Hardware Firewalls:

• Standalone devices placed between the network and the internet, often
integrated into routers.
• Ideal for protecting entire networks.

Software Firewalls:

• Installed on individual devices (e.g., computers, servers).
• Provide protection for specific endpoints, monitoring traffic to and from that
device.

Encryption:

Encryption is the process of protecting information or data by using
mathematical models to scramble it in such a way that only the parties who have the
key to unscramble it can access it.

Types of Encryption:

There are many types of encryption, but the most common are symmetric and
asymmetric encryption.
Symmetric encryption:

Uses the same key for both encryption and decryption. This method is less
expensive and faster than asymmetric encryption, but the key needs to be securely
transferred between the sender and recipient. If an unauthorized person gets the key,
they can decrypt any messages.

Asymmetric encryption

Also known as public key cryptography, this method uses two different keys
for encryption and decryption. The public key is shared with everyone, while the
private key is kept secret by the owner. This method is more expensive than
symmetric encryption and takes more computing power, but it's considered more
secure.

Types of Data Encryption:

Triple DES:

The Triple Data Encryption Standard (DES), often written 3DES, is a version of the
original DES encryption algorithm that encrypts data three times. The Triple DES
uses three 64-bit keys, so the key length is 192 bits. Triple DES is a symmetric
encryption, and the key is private. Because it encrypts data in 64-bit segments, Triple
DES is considered a block cipher. Cipher Block Chaining (CBC), however, is an
encryption mode that struggles at high data rates.

RSA:

The RSA encryption key, named after creators Ron Rivest, Adi Shamir, and
Leonard Adleman, is the standard encryption technique for important data security.
RSA is asymmetric cryptography, so there is one public key and one private key. The
RSA algorithm uses prime factorization. Simply put, this key requires the
factorization of a product involving two large prime numbers. While it seems easy,
figuring out these two numbers can be difficult. Even for large computers, it can be
expensive and exhaustive to decrypt. While RSA can be very useful, it becomes
increasingly inefficient at higher security levels.

AES:

Because of an increase in brute-force attacks on the original DES, the
Advanced Encryption Standard (AES) was put into place in 2002. AES is a symmetric
block cipher that was originally named Rijndael. It supports three key sizes,
AES-128, AES-192 and AES-256, each of which encrypts and decrypts data in 128-bit
blocks. Since its adoption, AES has been used to protect classified government
information and sensitive data.

Purpose of Encryption:
Encryption is used to protect data from being stolen, changed, or
compromised and works by scrambling data into a secret code that can only be
unlocked with a unique digital key.
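As an added illustration of the asymmetric scheme described above (not the report's own material), a toy RSA in Python: key generation from two primes, encryption with the public key, decryption with the private key, and a factoring step that shows why key length matters. The primes, message and function names are constructed for the example.

```python
from math import gcd

# Toy RSA constructed for illustration: the primes are tiny so the arithmetic
# is visible. Real keys use primes of 1024 bits or more and add padding;
# this code must never be used to protect data.

def keygen(p: int, q: int, e: int = 65537):
    """Return (public, private) key pairs built from two primes p and q."""
    n = p * q                      # public modulus: the product of two primes
    phi = (p - 1) * (q - 1)        # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)

def encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)            # anyone holding the public key can do this

def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)            # only the private-key holder can do this

def factor(n: int):
    """Trial division: feasible for a toy modulus, hopeless at real sizes.
    Recovering p and q from n is the hard problem RSA's security rests on."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None

def demo() -> dict:
    public, private = keygen(61, 53)            # n = 3233, phi = 3120
    m = 65                                      # message as an integer < n
    c = encrypt(public, m)
    # With a toy modulus, factoring n yields phi and hence the private exponent,
    # which is why key length (not algorithm secrecy) protects RSA in practice.
    p, q = factor(public[0])
    d_recovered = pow(public[1], -1, (p - 1) * (q - 1))
    return {"cipher": c, "plain": decrypt(private, c),
            "d": private[1], "d_recovered": d_recovered}
```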

Firewall Configuration:

Enable Windows Defender Firewall:

⚫ Step 1:
Go to control panel.

⚫ Step 2:
Click on System and Security.

⚫ Step 3:

✓ Click on Windows Defender Firewall.
✓ Ensure the firewall is turned on for both private and public networks.

⚫ Step 4:
Click on Advanced Settings.
In the left pane, you can see Inbound Rules and Outbound Rules.

What are Inbound and Outbound Rules?

Inbound: Inbound traffic consists of data packets coming into your network or
device from external sources.

Examples:
When you visit a website, data (like HTML files, images, etc.) is sent
from the web server to your device.

Incoming emails from the internet to your email client.

Firewall Rules: Inbound rules determine whether to allow or block incoming traffic
based on specified criteria (like IP address or application).

Outbound: Outbound traffic consists of data packets leaving your network or device
to external destinations.

Examples:
Sending a request to a web server when you fill out a form on a website.

Uploading files or sending emails from your device to the internet.

Firewall Rules: Outbound rules govern the traffic that can leave your network,
determining which data packets are permitted to exit based on similar criteria.

Type             Traffic Direction                 Purpose
Inbound Rules    Incoming data to the network      Control access from external sources to your network
Outbound Rules   Outgoing data from the network    Control which data can leave your network
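The "How a Firewall Works" section and the inbound/outbound rules above can be tied together in code. The following Python packet filter is an added example, not part of the original report: first-match rules with accept, reject and drop, a default deny, logging of blocked traffic, and a connection table for stateful inspection. Rules, packets and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a minimal rule-based, stateful packet filter.
# Addresses are matched as exact strings; CIDR ranges are omitted for brevity.

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (inbound) or "out" (outbound)
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Rule:
    direction: str
    action: str                  # "accept", "reject" or "drop"
    proto: str = "any"
    src: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and (self.dport is None or self.dport == p.dport))

class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.established = set()            # flows admitted by an accept rule
        self.log: List[Tuple[str, Packet]] = []

    def _is_reply(self, p: Packet) -> bool:
        # Stateful inspection: the reverse 5-tuple of a tracked flow is admitted.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.established

    def filter(self, p: Packet) -> str:
        if self._is_reply(p):
            return "accept"
        for r in self.rules:                # first matching rule wins
            if r.matches(p):
                if r.action == "accept":
                    self.established.add((p.proto, p.src, p.sport, p.dst, p.dport))
                else:
                    self.log.append((r.action, p))   # blocked traffic is logged
                return r.action
        self.log.append(("drop", p))        # default deny: nothing matched
        return "drop"

def demo() -> dict:
    fw = Firewall([
        Rule("in", "accept", "tcp", dport=443),   # expose only the HTTPS service
        Rule("in", "reject", "tcp", dport=22),    # SSH: block and send an error
        Rule("out", "accept"),                    # internal hosts may initiate
    ])
    host, dns, ext = "192.0.2.10", "192.0.2.53", "203.0.113.7"
    results = {
        "https_in": fw.filter(Packet("in", "tcp", ext, host, 51000, 443)),
        "ssh_in": fw.filter(Packet("in", "tcp", ext, host, 51001, 22)),
        "dns_out": fw.filter(Packet("out", "udp", host, dns, 40000, 53)),
        "dns_reply": fw.filter(Packet("in", "udp", dns, host, 53, 40000)),
        "unsolicited": fw.filter(Packet("in", "udp", ext, host, 53, 40001)),
    }
    results["logged"] = len(fw.log)
    return results
```

The DNS reply is accepted only because the outbound query was tracked first; the unsolicited inbound UDP packet with the same port hits no rule and falls to the default deny.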

Setting up a firewall is essential for keeping your network safe. It acts as a
barrier that protects your personal data from unauthorized access and potential
threats. Additionally, a firewall gives you valuable tools to monitor and manage
the traffic flowing in and out of your network. By filtering this traffic, you can
better identify suspicious activity and respond accordingly. Overall, configuring
a firewall is a crucial step in strengthening your overall security posture and
ensuring that your digital environment remains secure.

Monitor Network Traffic Using Wireshark

To capture and analyze network traffic generated by a ping command to google.com
using Wireshark in Kali Linux.
First, I launched Wireshark and selected the appropriate network interface for packet
capturing. After starting the capture, I executed the command ping google.com,
which sent ICMP Echo Request packets to the Google server, prompting it to respond
with Echo Replies.

As the ping command ran, I observed the captured packets in real-time. Once I had
enough data, I stopped the capture and filtered for ICMP traffic to isolate the relevant
packets. I examined the details of each packet, noting the source and destination IP
addresses, as well as the types of packets involved, specifically the Echo Requests and
Replies.
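As an added example (not part of the original task write-up), the following Python decodes a constructed capture the way the "icmp" display filter and the packet details pane would show it: IPv4 source and destination, ICMP type, and the identifier/sequence pairing of Echo Requests with their Replies. The addresses are documentation ranges standing in for the Kali host and google.com.

```python
import struct

# Constructed capture for demonstration: not packets from the original report.
ICMP_TYPES = {0: "Echo Reply", 8: "Echo Request"}
IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, length, id, flags, TTL, proto, csum, src, dst
ICMP_HDR = "!BBHHH"         # type, code, checksum, identifier, sequence

def ip2b(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def build_ip(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip2b(src), ip2b(dst))          # checksums left zero
    return hdr + payload

def build_echo(src: str, dst: str, icmp_type: int, ident: int, seq: int) -> bytes:
    return build_ip(src, dst, 1, struct.pack(ICMP_HDR, icmp_type, 0, 0, ident, seq))

HOST, REMOTE = "192.168.1.20", "198.51.100.14"       # stand-ins, constructed
CAPTURE = [
    build_echo(HOST, REMOTE, 8, 0x1234, 1),          # ping request seq=1
    build_echo(REMOTE, HOST, 0, 0x1234, 1),          # reply to seq=1
    build_ip(HOST, REMOTE, 6, b"\x00" * 20),         # unrelated TCP segment
    build_echo(HOST, REMOTE, 8, 0x1234, 2),          # request seq=2, never answered
]

def parse(frame: bytes) -> dict:
    """Decode the IPv4 header and, for ICMP, the echo fields Wireshark shows."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    rec = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
           "proto": proto}
    if proto == 1:
        t, _, _, ident, seq = struct.unpack(ICMP_HDR, frame[ihl:ihl + 8])
        rec.update(type=t, name=ICMP_TYPES.get(t, f"type {t}"), id=ident, seq=seq)
    return rec

def icmp_filter(frames) -> list:
    """Equivalent of the 'icmp' display filter: keep only IP protocol 1."""
    return [r for r in map(parse, frames) if r["proto"] == 1]

def pair_echoes(records) -> list:
    """Match requests to replies by (identifier, sequence); False = unanswered."""
    requests = {(r["id"], r["seq"]) for r in records if r["type"] == 8}
    replies = {(r["id"], r["seq"]) for r in records if r["type"] == 0}
    return sorted((i, s, (i, s) in replies) for i, s in requests)
```

Unanswered requests surface as False in the pairing, which is the same information a packet-loss line in the ping summary reflects.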

THE END
