
Assignment 1 1623 Security Merit


ASSIGNMENT 1 FRONT SHEET
Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date: 05/08/2023
Date Received 1st submission: 05/08/2023
Re-submission Date: 17/08/2023
Date Received 2nd submission: 17/08/2023
Student Name: Tran Duc Long
Student ID: GCH210562
Class: GCH1106
Assessor name: Ha Trong Thang

Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student's signature:
Grading grid: P1 P2 P3 P4 M1 M2 D1

Page 1 of 95


Summative Feedback:

Resubmission Feedback:

Grade:
Lecturer Signature:
Assessor Signature:
Date:

Table of contents
Introduction ..... 8
Task 1 - Identify types of security threat to organisations. Give an example of a recently publicized security breach and discuss its consequences (P1) ..... 8
  1. Define threats ..... 8
  2. Identify threat agents to organizations ..... 9
    2.1. User Domain ..... 10
    2.2. WAN Domain ..... 11
    2.3. Work Station Domain ..... 12
    2.4. LAN Domain ..... 13
    2.5. LAN to WAN Domain ..... 13
    2.6. Remote Access Domain ..... 14
    2.7. System/Application Domain ..... 15
  3. List type of threats that organizations will face ..... 15
    3.1. Viruses ..... 15
    3.2. Worms ..... 16
    3.3. Trojans ..... 16
    3.4. Concealment ..... 17
    3.5. Collect data ..... 18
  4. What are the recent security breaches? List and give examples with dates ..... 20
    4.1. Microsoft were hacked by Lapsus$ extortion group on March, 2022 ..... 20
    4.2. Block Confirms Cash App Data Breach on April 2022 ..... 20
    4.3. Former Amazon Employee Convicted for Capital One Breach on June, 2022 ..... 21
  5. Discuss the consequences of this breach ..... 21
    5.2. Block Confirms Cash App Data Breach on April 2022 ..... 22
    5.3. Former Amazon Employee Convicted for Capital One Breach on June, 2022 ..... 22
  6. Suggest solutions to organizations ..... 23
    6.1. Microsoft were hacked by Lapsus$ extortion group on March, 2022 ..... 23
    6.2. Block Confirms Cash App Data Breach on April 2022 ..... 24
    6.3. Former Amazon Employee Convicted for Capital One Breach on June, 2022 ..... 26
Task 2 - Describe at least 3 organisational security procedures (P2) ..... 28
  1. Change Control Procedures ..... 28
  2. Incident handling Procedures ..... 29
  3. Anti-virus procedures ..... 31
Task 2.1 - Propose a method to assess and treat IT security risks (M1) ..... 33
  1. Discuss methods required to assess security threats? E.g., Monitoring tools ..... 33
    1.1. Vendor-provided tools ..... 33
    1.2. Breach and attack simulation tool (BAS) ..... 36
    1.3. Vulnerability Assessment scanning tools ..... 37
  2. What is the current weakness or threats of an organization? ..... 39
    2.1. Leadership Shapes the Cyber Security Culture ..... 40
    2.2. Cyber Security Challenges ..... 40
    2.3. Cybercriminal Targets ..... 40
    2.4. Popular Cyberattacks ..... 41
  3. What tools will you propose to treat IT security risks? ..... 41
    3.1. What Is the OCTAVE Threat Model? ..... 42
    3.2. Benefits of the OCTAVE Threat Model ..... 42
    3.3. How to Implement the OCTAVE Threat Model ..... 43
    3.4. The Three Phases of Implementation ..... 43
    3.5. Common Techniques to Utilize ..... 44
    3.6. Best Practices to Follow ..... 45
Task 3 - Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS (P3) ..... 45
  1. Discuss briefly firewalls and policies, their usage and advantages in a network ..... 45
    1.1. Firewalls ..... 45
    1.2. Firewall Policies ..... 46
    1.3. Firewall benefit ..... 47
  2. How does a firewall provide security to a network? ..... 48
  3. Show with diagrams the example of how firewall works ..... 49
  4. Define IDS, its usage, and show it with diagrams examples ..... 50
    4.1. Define Intrusion Detection System (IDS) ..... 50
    4.2. IDS filter rules and advantages IDS ..... 50
    4.3. Show with diagrams the example of how IDS works ..... 51
  5. Write down the potential impact (Threat-Risk) of a firewall and IDS if they are incorrectly configured in a network ..... 52
    5.1. Comparison of IDS with Firewalls ..... 52
    5.2. Impact of incorrect configuration of Firewalls ..... 53
    5.3. Impact of incorrect configuration of IDS ..... 53
    5.4. Conclusion ..... 54
Task 4 - Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security (P4) ..... 55
  1. Define and discuss with the aid of diagram DMZ. Focus on its usage and security function as advantage ..... 55
    1.1. Define ..... 55
    1.2. How does a DMZ Network work ..... 56
    1.3. Diagram of DMZ and explain ..... 56
    1.4. Benefit of DMZ ..... 58
    1.5. The Importance of DMZ Networks: How Are They Used? ..... 58
    1.6. How DMZ can improve network security ..... 59
  2. Define and discuss with the aid of diagram static IP. Focus on its usage and security function as advantage ..... 60
    2.1. Define ..... 60
    2.2. How static IP address work? ..... 60
    2.3. Diagram of static IP and explain ..... 61
    2.4. Benefit of static IP address ..... 62
    2.5. Security ..... 63
    2.6. How static IP can improve network security? ..... 63
  3. Define and discuss with the aid of diagram NAT. Focus on its usage and security function as advantage ..... 64
    3.1. Define ..... 64
    3.2. How does Network Address Translation work? ..... 65
    3.3. Diagram of NAT and explain ..... 65
    3.4. Network Address Translation (NAT) types ..... 66
    3.5. Benefit of NAT ..... 67
    3.6. Security ..... 68
Task 4.1 - Discuss three benefits to implement network monitoring systems with supporting reasons (M2) ..... 69
  1. List some of the networking monitoring devices and discuss each of them ..... 69
    1.1. What is networking monitoring? ..... 69
    1.2. Some of the networking monitoring devices ..... 70
  2. Why do you need to monitor networks? ..... 78
    2.1. Have visibility and command ..... 78
    2.2. Improve network dependability ..... 78
    2.3. Increasing profitability ..... 79
    2.4. Increase performance through understanding capacity ..... 79
    2.5. Maintain corporate compliance ..... 79
  3. What are the benefits of monitoring a network? ..... 79
    3.1. Network Visibility ..... 79
    3.3. Preventing Downtime ..... 80
    3.4. Finding and Fixing Problems Quickly ..... 80
    3.5. Uncovering Security Threats ..... 80
    3.6. Monitoring Bandwidth Utilization ..... 81
    3.7. Capacity Planning ..... 81
    3.8. Deploying New Technologies ..... 81
    3.9. Freeing Up IT Teams ..... 81
    3.10. Producing Return on Investment ..... 82
    3.11. Choosing the Right Network Monitoring Solution ..... 82
Task 4.1.1 - Investigate how a 'trusted network' may be part of an IT security solution (D1) ..... 82
  1. Discuss and explain what are trusted network ..... 82
  2. Give brief details with an example on its uses ..... 84
  3. How can it be a solution in IT security? ..... 87
Conclusion ..... 89
References ..... 89



Table of figures
Figure 1: Threats ..... 9
Figure 2: Seven Domain ..... 10
Figure 3: Windows file types that can be infected ..... 16
Figure 4: Difference between viruses, worms and Trojans ..... 17
Figure 5: Computer infected with rootkit ..... 18
Figure 6: Technologies used by spyware ..... 19
Figure 7: Ransomware message ..... 20
Figure 8: Change control procedures ..... 28
Figure 9: Vendor-provided tools ..... 33
Figure 10: Breach and attack simulation tool (BAS) ..... 36
Figure 11: Vulnerability assessment ..... 37
Figure 12: Security scanning process ..... 38
Figure 13: Octave ..... 42
Figure 14: The OCTAVE method ..... 43
Figure 15: Firewall location ..... 46
Figure 16: Border Firewall ..... 49
Figure 17: Screened subnet ..... 50
Figure 18: IDS as a firewall complement ..... 52
Figure 19: Basic NIDS as a firewall complement ..... 52
Figure 20: IDS and Firewalls ..... 53
Figure 21: DMZ ..... 55
Figure 22: DMZ with one firewall ..... 57
Figure 23: DMZ with two firewalls ..... 57
Figure 24: Static IP diagram ..... 61
Figure 25: Private IP address ..... 65
Figure 26: Network address translation ..... 66
Figure 27: Network monitoring Systems ..... 69
Figure 28: Auvik ..... 71
Figure 29: LogicMonitor ..... 74
Figure 30: Nagios ..... 76
Figure 31: Trusted network ..... 83
Figure 32: Trusted process Control Network ..... 85



Introduction
Security is an essential field that focuses on safeguarding valuables, data, and assets from a variety
of potential risks. This encompasses both digital security, which deals with the challenges of
defending digital systems and information from cyber-attacks, and physical security measures
designed to protect important resources. The procedures put in place by organizations to ensure
security play a crucial role in establishing a strong defense against potential dangers. Furthermore,
having a grasp of the different types of threats that organizations might face is vital for actively
reducing risks.
This essay will explore a specific facet of security that involves configuring firewall rules and
Intrusion Detection Systems (IDS). Mishandling the configuration of these crucial elements can
result in vulnerabilities, potentially putting IT security in jeopardy. Strengthening network security
can be achieved by implementing a Demilitarized Zone (DMZ), using static IP addresses, and
employing Network Address Translation (NAT), all of which offer significant advantages. A DMZ
creates a semi-isolated network for hosting public services, which helps restrict direct access to the
secure internal network. Static IP addresses provide stability and simplify access to hosted services,
while NAT conceals the internal device IP addresses from the public Internet, thereby enhancing
overall security. By thoroughly addressing these factors, organizations can establish a resilient
security stance, effectively safeguarding against the ever-changing landscape of threats and
ensuring uninterrupted operations.

Task 1 - Identify types of security threat to organisations. Give an example of a recently publicized security breach and discuss its consequences (P1)
1. Define threats

The present-day security of data and information stored on computers and digital devices faces
an unprecedented array of attack types, with the frequency of threats and assaults steadily
increasing each day. The sections within this segment delineate these various threats.
Subsequent chapters will delve into network security principles and tools essential for
thwarting or safeguarding against such attacks. (Ciampa, 2015)

Figure 1: Threats
Software attacks encompass viruses, worms, Trojan horses, and other forms of malware.
Although often confused as interchangeable terms by consumers, it is crucial to recognize that
they are distinct entities. The only shared trait among them is their malicious nature, as they
each operate in unique ways.
Malware refers to software that infiltrates a computer system without the user's awareness or
approval, carrying out undesired and typically detrimental activities. In essence, malware
utilizes a threat vector to introduce a malevolent "payload," which executes harmful functions
upon activation. Nevertheless, in common usage, malware serves as a broad term
encompassing various destructive software programs. (Ciampa, 2015)

2. Identify threat agents to organizations
Threat actors encompass individuals or entities that present a risk to an organization. It's
essential to identify these actors before proposing the appropriate countermeasures. The
effectiveness of the strategies to counter them largely relies on their accurate identification
(Ciampa, 2015).
Below are several examples of threat actors that can jeopardize organizations:
• Hackers: Hackers refer to individuals or collectives aiming to achieve unauthorized entry
into an organization's computer system or network by exploiting security weaknesses.
These hackers can engage in various activities, such as data theft, causing damage to
computer systems or networks, or disrupting business activities.
• Cyber criminals: Cybercriminals are individuals or groups with the intent to perpetrate
unlawful actions through computers or computer networks. Their activities encompass a
wide range, including financial theft, fraudulent schemes, and the dissemination of
malicious software.
• Nation-state adversaries: Nation-state adversaries refer to governments or entities aiming
to inflict harm upon other organizations or nations through the utilization of computers or
computer networks. These adversaries engage in various activities, such as espionage, acts
of sabotage, or launching cyberattacks.
• Physical threats: Physical threats entail risks that inflict damage upon a computer system or
network through tangible methods, including causing harm to property, severing internet
connections, or targeting electrical grids.
• Social engineering threats: Social engineering threats encompass attempts to deceive users
into divulging confidential information or engaging in detrimental actions. Examples include
phishing, spoofing, and attacks via social media.

Dangers will impact all seven domains within a standard IT infrastructure:

Figure 2: Seven Domain

2.1. User Domain
The User Domain pertains to individuals utilizing an organization's information system.
The User Domain's role and objective involve facilitating users in accessing systems,
applications, and data within the confines of their designated access privileges. The
responsibility of utilizing company IT resources lies with the staff members. The Human
Resources department of a company holds the accountability of conducting essential
background checks on employees. Specific measures need to be implemented for
individuals who will be accessing sensitive information. (David Kim, Michael G. Solomon,
2018)

Within the User Domain, various threat agents pose risks to the organization, including:
• Insufficient user awareness
• User indifference towards policies
• Users breaching security protocols
• Users introducing personal CDs/USBs
• Users downloading multimedia content
• Intentional destruction of systems, applications, and data by users
• Disgruntled employees launching attacks or engaging in sabotage against the organization
• Employee involvement in blackmail or extortion.

2.2. WAN Domain
The Wide Area Network (WAN) Domain serves as the connection between remote
locations. As network expenses decrease, organizations are able to invest in quicker
Internet and WAN connections. The duties of the WAN Domain encompass both the
physical components and the logical arrangement of routers and communication
devices. Among the divisions within an IT infrastructure, it stands as the second most
challenging sector to safeguard. (David Kim, Michael G. Solomon, 2018)
Responsibilities within the WAN Domain are overseen by either the network engineer
or the WAN group. This encompasses both logical and physical aspects. Network
engineers and security experts implement the indicated security measures following
established regulations. It's worth noting that numerous organizations now opt for
service providers to manage their WAN and routers due to the intricate nature of IP
network engineering. These services come with SLAs guaranteeing system availability
and swift problem resolution. In cases of WAN connection disruptions, customers can
reach the service provider's network operations center (NOC) via a toll-free number.
In terms of accountability, the IT network manager within your company bears the
responsibility of maintaining, updating, and offering technical support for the WAN
Domain. Typically, the IT security director ensures the organization's compliance with
WAN regulations.
Within the WAN Domain (Internet), there exist threat agents that pose risks to
organizations, including:
• Accessibility to open, public connections, accessible to anyone wishing to connect
• Clear text transmission of most Internet traffic
• Vulnerability to eavesdropping and malicious attacks
• Susceptibility to DoS, DDoS, TCP SYN flooding, and IP spoofing attacks
• Prone to data and information corruption, especially with inherently unsafe
TCP/IP programs (like HTTP, FTP, TFTP)
• Receipt of Trojan, worm, and malicious software-laden emails from hackers and
attackers
Furthermore, within the WAN Domain (Connectivity), there are threat agents as well,
including:
• Mixing of WAN IP traffic on the same router and infrastructure as the service
provider
• Maintenance of high WAN service availability
• Enhancement of WAN throughput and performance
• Potential malicious use of SNMP network management tools and protocols
(ICMP, Telnet, SNMP, DNS, etc.)
• Continuous SNMP alerts and year-round security monitoring.
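The Internet-side list above names clear-text protocols, TCP SYN flooding and IP spoofing as WAN Domain risks. The Python script below is an added example, not part of the assignment or of the Kim and Solomon text it cites, showing how a defender can screen border-firewall flow records for each of these: it flags flows on cleartext service ports (HTTP, FTP, TFTP, plus Telnet and SNMP from the connectivity list), applies ingress filtering (a packet arriving from the Internet side that claims an internal source address is treated as spoofed), and counts half-open TCP connections per source as a SYN-flood indicator. The `Flow` record layout, the internal address ranges, the half-open threshold and the sample records are all constructed for this example.

```python
# Added example (not from the assignment or its sources): defender-side checks for
# three WAN Domain threats named above, run over constructed firewall flow records.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Services the text names as carrying traffic in clear text (HTTP, FTP, TFTP),
# plus Telnet and SNMP from the connectivity list. IANA default ports.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP", 80: "HTTP", 161: "SNMP"}

# Assumed internal address space (hypothetical; chosen for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One flow record as a border firewall might log it (layout assumed for the example)."""
    iface: str   # "wan" = arrived from the Internet side, "lan" = originated inside
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    flags: str   # TCP flags observed: "S" = SYN only (half-open), "SA" = handshake completed


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_cleartext(flows):
    """Flows using a cleartext service port; these are exposed to eavesdropping on the WAN."""
    return [(f.src, f.dst, CLEARTEXT_PORTS[f.dport]) for f in flows if f.dport in CLEARTEXT_PORTS]


def find_spoofed_ingress(flows):
    """Ingress filtering (RFC 2827): a packet from the WAN side must never claim an internal source."""
    return [f.src for f in flows if f.iface == "wan" and is_internal(f.src)]


def find_syn_flood_sources(flows, threshold=5):
    """Sources with more than `threshold` half-open TCP connections, a common SYN-flood signal."""
    half_open = Counter(f.src for f in flows if f.proto == "tcp" and f.flags == "S")
    return sorted(src for src, n in half_open.items() if n > threshold)


def wan_threat_report(flows, threshold=5):
    """Bundle the three checks into one report dictionary."""
    return {
        "cleartext": find_cleartext(flows),
        "spoofed_ingress": find_spoofed_ingress(flows),
        "syn_flood_sources": find_syn_flood_sources(flows, threshold),
    }


# Constructed sample records (documentation-range addresses, not real traffic).
SAMPLE_FLOWS = [
    Flow("lan", "10.0.1.5", "203.0.113.10", "tcp", 80, "SA"),   # plain HTTP leaving the LAN
    Flow("lan", "10.0.1.7", "203.0.113.20", "tcp", 443, "SA"),  # HTTPS, not flagged
    Flow("lan", "10.0.1.9", "203.0.113.30", "udp", 69, "-"),    # TFTP, cleartext
    Flow("wan", "10.0.0.99", "10.0.1.5", "tcp", 22, "S"),       # internal source seen on WAN side
    Flow("wan", "198.51.100.4", "10.0.1.5", "tcp", 23, "SA"),   # Telnet from the Internet
] + [Flow("wan", "198.51.100.77", "10.0.1.5", "tcp", 443, "S") for _ in range(8)]  # 8 half-open SYNs


if __name__ == "__main__":
    for name, hits in wan_threat_report(SAMPLE_FLOWS).items():
        print(f"{name}: {hits}")
```

On the sample records the report lists three cleartext flows, one spoofed-source ingress packet and one SYN-flood source. In a real deployment the threshold would be tuned per link and the half-open count computed over a time window rather than over a whole log; the ingress check is the same rule a border router enforces with an access list that drops packets whose source falls inside the internal prefixes.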

2.3.

Work Station Domain
Any apparatus that links to your network holds the potential to function as a
workstation, encompassing devices like desktop computers, laptops, specialized
terminals, and more. Workstation PCs frequently come in the forms of thin clients or
thick clients. A thin client is software or a computer that operates within a network,
devoid of a hard drive, relying entirely on a server for processing, data, and applications.
Thin clients are commonly utilized in environments such as libraries, schools, and large

corporations. In contrast, a thick client boasts hardware with richer features, including
a hard drive, and manages data and applications locally, transmitting files to the server
only for storage. A thick client resembles a traditional PC. Additionally, devices like
personal digital assistants (PDAs), cellphones, and tablet computers can also serve as
workstations. (David Kim, Michael G. Solomon, 2018)
The Work Station Domain shoulders responsibilities such as hardware configuration,
system fortification, and verification of antivirus files to ensure the integrity of both data
and user workstations. The task of enforcing policy compliance within the Workstation
Domain lies with the IT Security Director.
Within the Work Station Domain, there exist threat agents that pose risks to
organizations, including:
• Unauthorized access to workstations
• Unauthorized access to applications, systems, and data
• Vulnerabilities within the operating systems of desktops or laptops
• Potential flaws or updates within desktop or laptop applications
• Presence of malware, encompassing viruses and malicious software
• Introduction of CDs, DVDs, or USBs containing personal files
• Users acquiring images, music, or videos.

2.4. Lan Domain
A cluster of computers interlinked with one another or connected to a shared medium
constitutes a local area network (LAN). Various connection methods such as wires, fiber-optic cables, and radio waves can be employed for networking purposes. LANs are
typically organized based on departments or specific functions. Once established,
computers gain the ability to access systems, applications, potentially the Internet, and
data. (David Kim, Michael G. Solomon, 2018)

Roles and responsibilities: The LAN Domain encompasses both logically configured
services for users and the physical components of the network. Oversight of physical
elements includes tasks like managing cabling, network interface cards (NICs), LAN
switches, and wireless access points (WAPs). The administration of the LAN system
entails maintaining comprehensive lists of user accounts and their corresponding access
rights. In the LAN Domain, the implementation of two-step authentication might be
necessary. Similar to a gate requiring two keys, this method requires users to verify
their identity twice, effectively reducing the risk of unauthorized physical entry.
Management of the LAN Domain falls under the purview of the LAN support group,
encompassing both logical and physical aspects.
Accountability: The LAN manager holds the responsibility for optimizing the efficiency
and dependability of data within the LAN Domain. Generally, the Director of IT Security
ensures the LAN Domain's adherence to established policies.
Within the LAN Domain, there exist threat agents that pose risks to organizations,
including:
• Unauthorized users infiltrating WLANs
• Ensuring data confidentiality within WLANs
• Adhering to LAN server configuration guidelines and standards
• Preventing unauthorized physical access to the LAN
• Curtailing unauthorized access to systems, applications, and data
• Addressing vulnerabilities in LAN server operating systems
• Managing vulnerabilities in LAN server application software and software patch
updates.

2.5. Lan to Wan Domain
The LAN-to-WAN Domain marks the point at which the IT infrastructure connects to a
wide area network and the Internet.
Roles and responsibilities within the LAN-to-WAN Domain encompass both the physical
components and the logical arrangement of security apparatus. This domain represents
one of the most challenging aspects of an IT system to secure, as security measures
must be upheld while granting users the necessary access. Managing the physical
components is crucial to ensure uncomplicated service access, and the security
appliances must be configured logically to align with policy definitions. (David Kim,
Michael G. Solomon, 2018)
The network security team bears the responsibility for the LAN-to-WAN Domain,
encompassing both logical and physical aspects. Group members are tasked with
implementing the prescribed security controls.
Accountability: Oversight of the LAN-to-WAN Domain within the company falls under
the jurisdiction of the WAN network manager. Typically, the enforcement of security
regulations, standards, procedures, and guidelines for the LAN-to-WAN Domain is
overseen by the Director of IT Security.
Within the LAN-to-WAN Domain, there exist threat agents that pose risks to
organizations, including:
• Unauthorized probing and port scanning
• Unauthorized access attempts
• Exploitable weaknesses in the operating systems of IP routers, firewalls, and
network appliances
• Downloading of unfamiliar file types from unknown sources
• Exposure to unknown email attachments and embedded URL links received by
local users.

2.6. Remote Access Domain
The Remote Access Domain enables distant users to connect with the organization's IT
infrastructure. Remote access is indispensable for personnel working from locations
outside the main office, such as sales representatives, technical support experts, or
healthcare professionals. With the prevalence of Wireless Fidelity (Wi-Fi) hotspots, it's
straightforward to access the Internet, email, and various business applications from
practically anywhere on a global scale. While having the Remote Access Domain is
crucial, it also entails risks, as it exposes the organization to numerous dangers and
threats originating from the Internet. (David Kim, Michael G. Solomon, 2018)
Its functions and duties involve linking mobile users to their IT systems over the public
Internet.
Responsibilities encompass the maintenance, updates, and troubleshooting of both the
hardware and the logical connections for remote access.
Accountability: Ensuring adherence to security strategies, requirements, procedures,
and regulations within the Remote Access Domain is paramount.

Within the Remote Access Domain, various threat agents pose risks to organizations,
including:
• Brute-force attacks targeting user IDs and passwords
• Repeated login attempts and intrusion into access controls
• Unauthorized remote access to IT systems, applications, and data
• Compromised confidential data accessed remotely
• Leakage of data that breaches data classification standards.
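As an added illustration that is not part of the original report, the following Python checks constructed firewall and remote-access log lines for two of the threats listed above: unauthorized probing and port scanning at the LAN-to-WAN boundary, and repeated or brute-force login attempts in the Remote Access Domain. The log formats, addresses, window and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real traffic). Firewall lines look like
# "<ts> DENY src=<ip> dport=<port>", remote-access lines like "<ts> AUTH_FAIL user=<u> src=<ip>".
FIREWALL_LOG = [
    "2023-08-05T10:00:01 DENY src=203.0.113.7 dport=22",
    "2023-08-05T10:00:02 DENY src=203.0.113.7 dport=23",
    "2023-08-05T10:00:02 DENY src=203.0.113.7 dport=80",
    "2023-08-05T10:00:03 DENY src=203.0.113.7 dport=443",
    "2023-08-05T10:00:03 DENY src=203.0.113.7 dport=3389",
    "2023-08-05T10:00:05 DENY src=198.51.100.4 dport=443",  # single denial, benign
    "2023-08-05T10:30:00 DENY src=198.51.100.4 dport=22",   # 30 min later, not a scan
]
AUTH_LOG = [
    "2023-08-05T11:00:00 AUTH_FAIL user=alice src=192.0.2.9",
    "2023-08-05T11:00:01 AUTH_FAIL user=alice src=192.0.2.9",
    "2023-08-05T11:00:02 AUTH_FAIL user=admin src=192.0.2.9",
    "2023-08-05T11:00:03 AUTH_FAIL user=admin src=192.0.2.9",
    "2023-08-05T11:00:04 AUTH_FAIL user=admin src=192.0.2.9",
    "2023-08-05T11:20:00 AUTH_FAIL user=alice src=192.0.2.10",  # two typos, 5 min apart
    "2023-08-05T11:25:00 AUTH_FAIL user=alice src=192.0.2.10",
]

def parse(line):
    """Split one log line into (timestamp, {field: value})."""
    ts, _event, *kv = line.split()
    return datetime.fromisoformat(ts), dict(p.split("=", 1) for p in kv)

def peak_in_window(events, window):
    """Largest number of distinct values among (timestamp, value) pairs
    that fall inside any span no longer than `window`."""
    events.sort()
    best = 0
    for i, (start, _) in enumerate(events):
        seen = {v for ts, v in events[i:] if ts - start <= window}
        best = max(best, len(seen))
    return best

def flag_sources(lines, value_field=None, threshold=5, window=timedelta(minutes=1)):
    """Source IPs that reach `threshold` distinct values of `value_field`
    (e.g. "dport" for a port scan) inside one sliding window, or, with
    value_field=None, `threshold` events of any kind (repeated login failures)."""
    by_src = defaultdict(list)
    for n, line in enumerate(lines):
        ts, f = parse(line)
        by_src[f["src"]].append((ts, f[value_field] if value_field else n))
    return sorted(s for s, ev in by_src.items() if peak_in_window(ev, window) >= threshold)
```

With the sample data, `flag_sources(FIREWALL_LOG, "dport")` flags only 203.0.113.7 and `flag_sources(AUTH_LOG)` flags only 192.0.2.9; the thresholds would be tuned to the organization's normal traffic before use as an alert.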

2.7. System/Application Domain
The crucial systems, applications, and data essential to the organization's operations
are all housed within the system/application domain. Some of the components within
this domain might be accessible to authorized users, potentially requiring secondary
authentication measures to ensure secure access.
The roles and tasks within the System/Application Domain encompass the hardware
and its logical structure, safeguarding mission-critical software, as well as preserving
valuable intellectual property assets both in terms of physical equipment and
intellectual content.
Responsibilities within this domain involve the management of server systems,
establishing access privileges for systems and applications, and overseeing databases.
Accountability: Upholding adherence to security policies, standards, guidelines, and
procedures is of paramount importance.
Within the System/Application Domain, various threat agents introduce risks to
organizations, including:
• Unauthorized intrusion into data centers, computer rooms, and wiring closets
• Downtime required for server maintenance
• Exploitable vulnerabilities in server operating systems
• Inherent security gaps in virtual environments of cloud computing
• Corruption or loss of data
• Risk of backup data loss due to the reuse of backup media

3. List types of threats that organizations will face
3.1. Viruses

In this section we will explore computer viruses. A computer virus is a malicious code that
self-replicates on a computer without human involvement. It has the ability to infect executable
program files or data files, including macro viruses written in macro scripts. It is essential to
note that "virus" and "malware" are sometimes incorrectly used interchangeably, despite a
virus being just one form of malware. Numerous file types on Microsoft Windows have the
potential to be susceptible to a virus infection. Figure 3 enumerates several of the 70 diverse
file types found on Microsoft Windows that have the potential to be infected by a virus.
(Ciampa, 2015)

Figure 3: Windows file types that can be infected

3.2. Worms

A worm is a malicious program that propagates across computer networks by exploiting
vulnerabilities in applications or operating systems. Once it gains access to a computer, it seeks
out other vulnerable systems within the network to infect.
An example of an early worm occurred in 1988, impacting approximately 10% of internet-connected devices at that time. It capitalized on a misconfiguration and attempted to ascertain
user passwords. Early worms primarily aimed at rapid dissemination without causing significant
damage. However, modern worms can be more pernicious, leaving behind a harmful payload
on infected systems, similar to viruses. These actions may involve deleting files or enabling
remote control of the computer by an attacker.
The primary distinction between viruses and worms lies in their replication behavior. Viruses
reproduce solely on the host computer and do not spread to other computers, whereas worms
self-replicate and disseminate from one computer to another via networks. (Ciampa, 2015)

3.3. Trojans

A computer Trojan horse, often referred to as a Trojan, is a type of executable program that
deceives users by appearing harmless while carrying out malicious actions. For instance, a user
might download a program advertised as a calendar application, but upon installation, it not
only sets up the calendar but also secretly installs malware. This malicious software scans the
system for sensitive data like credit card numbers and passwords, connects to a remote system
through the network, and then transmits the stolen information to the attacker.
Unlike viruses that infect systems without user awareness or consent, a Trojan program is
knowingly installed on the computer by the user. The true danger lies in the Trojan's ability to
conceal its malevolent payload. (Ciampa, 2015)

Figure 4: Difference between viruses, worms and Trojans

3.4. Concealment

We will discuss a particular kind of malware that possesses the ability to evade detection,
specifically focusing on hidden malware associated with music CDs. In 2005, Sony BMG
Music Entertainment gained attention when it covertly installed concealed software on
computers playing their music CDs. This software, known as a rootkit, was intended to
prevent CD copying. The rootkit established a hidden directory, installed its own device
driver on the computer, redirected normal functions to Sony's routines, and remained
hidden from users and the system.
A rootkit comprises a collection of software tools used to hide the actions or presence of
other types of software, whether harmless or malicious. Initially, the term "rootkit" referred
to modified tools in the UNIX operating system that enabled attackers to gain root privileges
and conceal malicious software. Today, rootkits are not limited to UNIX systems and are
found across various operating systems.

Figure 5: Computer infected with rootkit

Rootkits can manipulate the operating system to disregard evidence of their malicious
activities. For instance, they might replace or modify operating system files to present false
information to scanning software, ensuring that the malicious files stay concealed. This
grants the rootkit control over the computer, making it untrustworthy for users as it
disguises its operations. (Ciampa, 2015)
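As an added example that is not part of the original report, the following Python shows the usual defensive counter to a rootkit that replaces or modifies operating system files: hashing a trusted file tree into a baseline and later reporting files that were modified, added or removed. The directory contents and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of one file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (as a relative path) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare(baseline, root):
    """Report files that differ from the trusted baseline: changed content,
    files that appeared (e.g. a dropped driver) and files that vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: take a baseline of two stand-in 'system binaries',
    then alter one and drop a hidden file, as a rootkit installation would."""
    root = tempfile.mkdtemp()
    for name, data in (("ls", b"original ls"), ("netstat", b"original netstat")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)
    with open(os.path.join(root, "ls"), "wb") as f:
        f.write(b"replaced ls")
    with open(os.path.join(root, ".hidden"), "wb") as f:
        f.write(b"rootkit driver")
    return compare(baseline, root)
```

Because a rootkit can feed false file data to software running on the compromised system, the baseline is kept offline and the comparison is most trustworthy when run from clean boot media rather than from the suspect installation.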

3.5. Collect data
Various categories of malware are specifically crafted to obtain essential data from the
user's computer and transfer it to the attacker. Such malware comprises spyware,
adware, and ransomware.
Spyware is a broad term referring to software that covertly monitors users, gathering
information without their knowledge or consent. According to the Anti-Spyware
Coalition, spyware encompasses tracking programs installed on computers without
adequate notice, consent, or user control. This software utilizes the computer's
resources, including pre-existing programs, to collect and share personal or sensitive
data. Figure 6 provides a list of various technologies employed by spyware. (Ciampa,
2015)

Figure 6: Technologies used by spyware

Adware is a form of malware that delivers advertising content in an unexpected and unwelcome
manner to users. After installation, it commonly presents advertising banners, popup ads, or opens
new web browser windows at random times. Users often dislike adware for several reasons:
• Adware may display objectionable content, such as gambling sites or pornography.
• Frequent popup ads can disrupt a user's productivity.
• Popup ads can slow down a computer or even lead to crashes and data loss.
• Unwanted advertisements can be a nuisance to users.

Ransomware is among the most recent and rapidly expanding forms of malware. It works by
disabling a user's device until a ransom is paid. One variation of ransomware locks the user's
computer and presents a message purportedly from a law enforcement agency. This message,
designed with official-looking visuals, accuses the user of illegal actions like downloading
pornography and demands an immediate fine payment online, requiring the entry of a credit card
number. The computer remains "held hostage" and locked, except for the numeric keys on the
keyboard, until the ransom is paid. Figure 2-6 illustrates a ransomware message from the Symantec
website in its Security Response Center. (Ciampa, 2015)
