CS Model Answer

Uploaded by jokermaker2004

Part-A

1. Write a short note on passive attacks.

Passive attacks involve monitoring and gathering information about a system without altering it.
Examples include:

 Eavesdropping: Interception of communication between two parties.

 Traffic analysis: Analyzing network traffic patterns to gain information about communication
patterns.

2. What is the CIA triad in cybersecurity?

The CIA triad represents three fundamental security principles:

 Confidentiality: Protecting information from unauthorized access.

 Integrity: Ensuring information is accurate and complete.

 Availability: Making information accessible to authorized users when needed.

3. Define threats and vulnerabilities.

 Threat: A threat is a potential danger or risk that can exploit vulnerabilities in a system,
network, or application, leading to unauthorized access, data breaches, or damage to
information assets.

 Vulnerability: A vulnerability is a weakness or flaw in a system, network, application, or
process that can be exploited by threats to gain unauthorized access or cause harm.

4. What is a security breach?

A security breach occurs when unauthorized access or disclosure of sensitive information takes
place. This can lead to data loss, financial damage, and reputational harm.

5. Define ping sweep technique.

A ping sweep is a network scanning technique that sends ICMP echo requests (pings) to a range of IP
addresses to identify active hosts on a network.
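Detecting a ping sweep from the defender's side, as an added example that is not part of the original answer sheet: one source sending ICMP echo requests to many distinct destinations within a short window is the signature of the technique described above. The log format, field names, window and threshold are assumptions made for this illustration.

```python
# Added example (not from the original answer): flag a ping sweep by counting
# how many distinct destination hosts one source sends ICMP echo requests to
# inside a sliding time window. Log format and threshold are assumptions.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records: "timestamp src dst proto type"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 10.0.1.1 icmp echo-request
2024-01-01T10:00:00 10.0.0.5 10.0.1.2 icmp echo-request
2024-01-01T10:00:01 10.0.0.5 10.0.1.3 icmp echo-request
2024-01-01T10:00:01 10.0.0.5 10.0.1.4 icmp echo-request
2024-01-01T10:00:02 10.0.0.5 10.0.1.5 icmp echo-request
2024-01-01T10:00:02 10.0.0.5 10.0.1.6 icmp echo-request
2024-01-01T10:00:03 10.0.0.7 10.0.1.1 icmp echo-request
2024-01-01T10:00:03 10.0.0.7 10.0.1.1 icmp echo-request
2024-01-01T10:00:04 10.0.0.9 10.0.1.2 tcp syn
2024-01-01T10:05:00 10.0.0.7 10.0.1.2 icmp echo-request
"""


def parse(line):
    ts, src, dst, proto, kind = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, kind


def detect_ping_sweeps(log_text, window_seconds=60, host_threshold=5):
    """Return {src: distinct_hosts} for every source that sent echo requests
    to at least host_threshold distinct destinations within any window."""
    windows = defaultdict(deque)  # per-source sliding window of (ts, dst)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, kind = parse(line)
        if proto != "icmp" or kind != "echo-request":
            continue  # only echo requests count toward a sweep
        q = windows[src]
        q.append((ts, dst))
        # evict events that fell out of the window
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= host_threshold:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

Repeated pings to the same host (10.0.0.7 above) do not count as a sweep, because the detector keys on distinct destinations rather than request volume.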

6. What do you mean by banner grabbing?

Banner grabbing is a technique used to gather information about a system by analyzing the banner
messages displayed by network services. These banners often reveal the software version and other
details.

7. Define host-based intrusion detection.

Host-based intrusion detection (HIDS) is a security system that monitors and analyzes activity on a
specific host to detect signs of intrusion or malicious activity.

8. What is distributed intrusion detection?

Distributed intrusion detection (DIDS) involves deploying intrusion detection systems across multiple
network nodes to monitor and analyze network traffic for anomalies.

9. How does a firewall work?

A firewall acts as a barrier between a network and the internet, controlling incoming and outgoing
traffic. It examines each packet of data and filters it based on predefined rules, blocking unauthorized
traffic.
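The rule-based filtering described above, as an added example that is not from the original answer: a stateless first-match packet filter with a default-deny policy. The rule set, addresses and packets are constructed for the illustration.

```python
# Added example (not part of the original answer): a first-match packet
# filter in the style of a stateless firewall rule set. Rules are checked in
# order; the first matching rule decides, and a packet that matches nothing
# is dropped (default deny). Rules and packets are constructed.
import ipaddress

# Each rule: (action, src_cidr, dst_cidr, protocol, dst_port); None = any
RULES = [
    ("allow", "0.0.0.0/0",    "192.0.2.10/32", "tcp", 443),   # public HTTPS
    ("allow", "10.0.0.0/8",   "192.0.2.0/24",  "tcp", 22),    # admin SSH from LAN
    ("deny",  "0.0.0.0/0",    "192.0.2.0/24",  "tcp", 22),    # SSH from elsewhere
    ("allow", "192.0.2.0/24", "0.0.0.0/0",     None,  None),  # outbound from DMZ
]


def _match(rule, pkt):
    action, src_cidr, dst_cidr, proto, port = rule
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_cidr):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst_cidr):
        return False
    if proto is not None and pkt["proto"] != proto:
        return False
    if port is not None and pkt.get("dport") != port:
        return False
    return True


def filter_packet(pkt, rules=RULES):
    """Return 'allow' or 'deny' for a packet dict {'src','dst','proto','dport'}
    under first-match semantics."""
    for rule in rules:
        if _match(rule, pkt):
            return rule[0]
    return "deny"  # default deny: anything not explicitly permitted is blocked
```

Rule order matters: swapping the second and third rules would block the LAN's SSH access, which is why firewall rule sets are reviewed top to bottom.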

10. Why do you need an IPS?

An Intrusion Prevention System (IPS) is a security system that actively monitors network traffic and
takes steps to block or mitigate attacks in real time. It complements a firewall by providing additional
protection against advanced threats.

Part-B

11. a)

Cyber Crime refers to illegal activities conducted via the internet or through computer systems. It
encompasses a wide range of offenses that exploit technology to commit fraud, theft, or other
criminal acts. Cyber crimes can target individuals, organizations, or governments, and they often
involve the theft of sensitive information, financial loss, or disruption of services.

Types of Cyber Crime:

1. Hacking: Unauthorized access to computer systems or networks to steal data, disrupt
services, or manipulate information.

2. Phishing: Fraudulent attempts to obtain sensitive information (like usernames, passwords, or
credit card details) by pretending to be a trustworthy entity in electronic communications.

3. Malware: Malicious software, including viruses, worms, and ransomware, designed to
damage, disrupt, or gain unauthorized access to computer systems.

4. Identity Theft: Stealing personal information to impersonate someone else for financial gain
or other fraudulent purposes.

5. Cyberstalking: Using the internet to harass or intimidate individuals, often involving repeated
threats or unwanted communications.

6. Denial of Service (DoS) Attacks: Overloading a system or network with traffic to make it
unavailable to users.

7. Online Fraud: Various scams conducted online, including auction fraud, advance-fee fraud,
and credit card fraud.

8. Child Exploitation: The production, distribution, or possession of child pornography or
engaging in online grooming of minors.

Related Punishments:

The punishments for cyber crimes vary depending on the jurisdiction and the severity of the offense.
Common penalties include:

1. Fines: Monetary penalties imposed on offenders, which can range from hundreds to millions
of dollars depending on the crime.

2. Imprisonment: Offenders can face jail time, with sentences varying based on the nature and
impact of the crime. Serious offenses can lead to several years in prison.

3. Restitution: Courts may order offenders to compensate victims for losses incurred as a result
of the cyber crime.

4. Probation: Offenders may be placed on probation, requiring them to adhere to certain
conditions set by the court.

5. Civil Lawsuits: Victims of cyber crimes may pursue civil lawsuits against offenders for
damages.

6. Loss of Professional Licenses: Individuals convicted of certain cyber crimes may lose their
professional licenses or face restrictions on future employment in specific fields.

7. Mandatory Counseling or Education: Offenders may be required to undergo counseling or
educational programs related to their crimes.

Overall, laws and penalties for cyber crimes are evolving as technology advances, and many countries
have enacted specific legislation to address these offenses and protect individuals and organizations
from cyber threats.

12. a)

 Social engineering attacks are manipulative tactics employed by cybercriminals to deceive
individuals into divulging confidential information or performing actions that compromise
security.

 Unlike traditional hacking methods, which exploit technical vulnerabilities, social engineering
relies on psychological manipulation and human behaviour.

 Attackers exploit trust, fear, curiosity, or urgency to achieve their goals, making it crucial for
individuals and organizations to recognize and defend against such tactics.

Types of Social Engineering Attacks

1. Phishing

o Description: Phishing involves sending fraudulent emails that appear to be from
reputable sources to trick individuals into providing sensitive information.

o Example: An email that looks like it’s from a bank asking the recipient to verify their
account details via a link that leads to a fake website.

2. Spear Phishing

o Description: A targeted form of phishing aimed at specific individuals or
organizations, often using personal information to make the attack more convincing.

o Example: An email addressed to a specific employee, using details about their role or
recent activities to create a sense of authenticity.

3. Whaling

o Description: A type of spear phishing that targets high-profile individuals, such as
executives or senior management.

o Example: An email that appears to come from the CEO, requesting sensitive financial
information from the finance department.

4. Vishing (Voice Phishing)

o Description: Vishing involves using phone calls to trick individuals into revealing
personal information.

o Example: A caller posing as a bank representative claiming there is suspicious activity
on the account and asking for verification details.

5. Smishing (SMS Phishing)

o Description: Smishing is a form of phishing that occurs via SMS text messages,
tricking individuals into clicking on malicious links or providing personal information.

o Example: A text message claiming to be from a delivery service asking the recipient
to confirm their address by clicking a link.

6. Pretexting

o Description: In pretexting, an attacker creates a fabricated scenario to obtain
information from the target.

o Example: An attacker posing as an IT support technician requesting login credentials
under the guise of performing routine maintenance.

7. Baiting

o Description: Baiting involves enticing victims with the promise of something
appealing to trick them into providing personal information or downloading
malware.

o Example: Leaving infected USB drives in public places, hoping someone will pick
them up and connect them to their computer.

8. Tailgating (Piggybacking)

o Description: Tailgating is a physical security breach where an unauthorized person
gains access to a restricted area by following an authorized individual.

o Example: An attacker waits for an employee to use their access card to enter a
secure building and then follows them inside.

9. Quizzes and Surveys

o Description: Attackers create fake quizzes or surveys that ask for personal
information, often using seemingly innocuous questions to gather data.

o Example: A social media quiz that asks for a user's first pet's name, which is often
used as a security question.

10. Rogue Software

o Description: Attackers may create malicious software disguised as legitimate
applications, tricking users into downloading and installing them.

o Example: Fake antivirus software that claims to scan for viruses but actually installs
malware.

Prevention and Mitigation Strategies

1. Education and Training: Regular training for employees on recognizing social engineering
attacks is essential. This includes understanding phishing attempts, recognizing suspicious
communications, and knowing how to respond.

2. Verification Procedures: Establish clear procedures for verifying requests for sensitive
information or actions, especially when they come from unfamiliar sources.

3. Multi-Factor Authentication (MFA): Implementing MFA adds an additional layer of security,
making it harder for attackers to gain unauthorized access even if they obtain login
credentials.

4. Regular Security Audits: Conduct audits and assessments to identify vulnerabilities in
systems and processes that could be exploited by social engineering attacks.

13. b)

Host-Based Intrusion Detection Systems (HIDS) are security solutions designed to monitor and
analyze the activities on individual hosts or devices (such as servers, workstations, or laptops)
within a network. Unlike Network-Based Intrusion Detection Systems (NIDS), which monitor
traffic across the entire network, HIDS focuses on the specific activities occurring on a single
device. This allows for more detailed analysis of potential security incidents, system integrity, and
user activity.

Key Features of Host-Based Intrusion Detection Systems

1. Monitoring and Logging: HIDS continuously monitors system logs, file integrity, user
activities, and system processes to detect any anomalies or unauthorized actions. It logs
events for later analysis.

2. File Integrity Monitoring: HIDS can track changes to critical system files and directories. By
establishing a baseline of file integrity, it can alert administrators to unauthorized
modifications, which may indicate a compromise.

3. Real-Time Alerts: When suspicious activity is detected, HIDS can generate real-time alerts to
notify system administrators or security personnel, allowing for prompt investigation and
response.

4. User Activity Monitoring: HIDS can track user logins, logouts, and other activities to detect
unauthorized access or unusual behavior patterns that may indicate a security breach.

How Host-Based Intrusion Detection Works

1. Data Collection: HIDS collects data from various sources on the host, including system logs,
application logs, file system changes, and network activity.

2. Analysis: The collected data is analyzed using predefined rules, signatures, or anomaly
detection techniques. This analysis helps identify patterns that may indicate malicious
activity.

3. Alerting and Reporting: When suspicious activity is detected, HIDS generates alerts to notify
administrators. Detailed reports can also be generated for further analysis and
documentation.

4. Response Actions: Depending on the configuration, HIDS may take predefined actions in
response to detected threats, such as blocking user access, quarantining files, or executing
scripts to remediate issues.

Types of Detection Methods in HIDS

A HIDS typically uses one or more of the following methods to detect intrusions:

1. Signature-Based Detection

Signature-based HIDS works by comparing system activity to a database of known attack
signatures or patterns. If an activity matches a known attack pattern (such as an exploit or
malware behavior), the system will trigger an alert.

 Example: A HIDS might have a signature for detecting a known Trojan that tries to modify
system files. If the Trojan’s activity is detected, the system will flag it.

2. Anomaly-Based Detection

Anomaly-based detection works by establishing a baseline of normal system behavior, and then
looking for deviations from that baseline. If an activity falls outside the normal range (for
example, a process suddenly using high CPU), the system generates an alert.

 Example: If a legitimate user suddenly tries to access files they don't typically use or
executes a command that is outside their usual behavior, an alert will be triggered.

3. Heuristic-Based Detection

 Heuristic-based detection is a more advanced approach that looks for suspicious patterns of
behavior or characteristics that are commonly associated with attacks, even if the exact
attack signature is unknown.

 Example: A heuristic-based HIDS might detect a malicious process trying to escalate its
privileges by examining how the process behaves (e.g., trying to access restricted system
resources or inject code into other processes).
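Signature-based and anomaly-based detection side by side, as an added example that is not from the original answer: both methods run over constructed host log lines, one matching known patterns and the other comparing each user's commands against a baseline learned from a training period. The log format, user names and signature rules are assumptions for the illustration.

```python
# Added example (not from the original answer): the two classic HIDS
# detection methods applied to constructed host log lines. Signature-based
# detection matches lines against known patterns; anomaly-based detection
# builds a per-user baseline of commands and flags anything outside it.
import re
from collections import defaultdict

# Constructed log lines: "user action detail"
BASELINE_LOG = """\
alice login ssh
alice run ls
alice run git
alice run vim
bob login ssh
bob run psql
bob run psql
"""

LIVE_LOG = """\
alice login ssh
alice run git
alice run nc
bob run psql
bob run chmod
mallory login ssh
eve login ssh
"""

# Signature rules: (name, regex applied to a whole line)
SIGNATURES = [
    ("netcat-usage", re.compile(r"\brun\s+(nc|ncat)\b")),
    ("perm-change", re.compile(r"\brun\s+chmod\b")),
]


def signature_scan(log_text):
    """Known-bad patterns: precise, but blind to anything not in the list."""
    hits = []
    for line in log_text.splitlines():
        for name, rx in SIGNATURES:
            if rx.search(line):
                hits.append((name, line))
    return hits


def build_profile(log_text):
    """Per-user set of commands observed during the training period."""
    profile = defaultdict(set)
    for line in log_text.splitlines():
        user, action, detail = line.split()
        if action == "run":
            profile[user].add(detail)
    return profile


def anomaly_scan(log_text, profile):
    """Flag commands a user has never run before, and users never seen."""
    alerts = []
    for line in log_text.splitlines():
        user, action, detail = line.split()
        if user not in profile:
            alerts.append(("unknown-user", line))
        elif action == "run" and detail not in profile[user]:
            alerts.append(("new-command", line))
    return alerts
```

The anomaly scan also raises "unknown-user" for accounts absent from the baseline, which is exactly the kind of alert that is either an intrusion or a new hire, hence the false-positive tuning the answer mentions.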

Advantages of HIDS:

1. Detects Internal Threats: Can identify attacks originating from within the host, such as
malware or insider threats.

2. Detailed Monitoring: Monitors activities on a specific system (files, processes, logs),
providing in-depth visibility.

3. Real-Time Alerts: Provides instant alerts about suspicious activity, helping admins respond
quickly.

4. Detects Sophisticated Attacks: Can catch advanced threats like rootkits or zero-day attacks
that evade network defenses.

Disadvantages of HIDS:

1. Resource Intensive: Uses CPU, memory, and storage, which can slow down the system.

2. Limited Scope: Only monitors individual hosts, so it can't detect attacks across the entire
network.

3. False Positives: May trigger alerts for harmless activities, leading to alert fatigue.

4. Complex Setup: Requires careful configuration and tuning to avoid false alarms and ensure
accurate detection.

14. a)

Hybrid Intrusion Detection Systems (Hybrid IDS) combine the features of Host-based Intrusion
Detection Systems (HIDS) and Network-based Intrusion Detection Systems (NIDS) to provide a more
comprehensive approach to security. By integrating both host and network monitoring, a Hybrid IDS
can offer better protection against a wider range of threats, combining the strengths of both
methods while attempting to mitigate their individual weaknesses.

Components of Hybrid IDS:

1. Host-based Intrusion Detection (HIDS): This part of the hybrid system monitors activity on
individual hosts or devices, such as servers, workstations, or routers. It looks for suspicious
activity like unauthorized access, abnormal system behavior, or malware infections specific to
that host.

o Examples: Monitoring file integrity, system logs, process behavior, and rootkit
detection.

2. Network-based Intrusion Detection (NIDS): This part monitors network traffic for signs of
malicious activity. It analyzes the data packets flowing through the network to detect attacks
that originate from outside the network or that move across multiple systems.

o Examples: Detecting denial-of-service (DoS) attacks, network scans, or unusual traffic
patterns.

How Hybrid Intrusion Detection Works

1. Data Collection: Hybrid systems collect data from multiple sources, including network traffic
(from routers, switches, and firewalls) and host activities (from servers, workstations, and
applications). This data is gathered in real-time for analysis.

2. Analysis and Correlation: The collected data is analyzed using various techniques, including
signature matching, anomaly detection, and behavior analysis. The system correlates events
from both network and host sources to identify potential security incidents.

3. Alerting and Reporting: When suspicious activity is detected, the hybrid system generates
alerts and provides detailed reports. These alerts can be prioritized based on severity,
helping security teams focus on the most critical threats.

4. Response Actions: Depending on the configuration, the hybrid system may initiate
automated response actions, such as blocking malicious traffic, quarantining affected hosts,
or notifying security personnel for further investigation.
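The analysis and correlation step above, as an added example that is not from the original answer: a network alert against an address is joined with host events from the machine owning that address inside a short time window, and alerts backed by host-side evidence are raised in priority. The inventory, alert and event records, and the five-minute window are constructed assumptions.

```python
# Added example (not from the original answer): correlating a NIDS alert with
# HIDS events from the targeted host inside a time window. Inventory, alert
# and event records, signatures and the window size are constructed.
from datetime import datetime, timedelta

# Which host owns which address (constructed inventory)
HOST_BY_IP = {"192.0.2.10": "web01", "192.0.2.11": "web02"}

NIDS_ALERTS = [  # (time, src_ip, dst_ip, signature)
    ("2024-03-01T09:00:05", "203.0.113.9", "192.0.2.10", "http-path-traversal"),
    ("2024-03-01T09:30:00", "203.0.113.9", "192.0.2.11", "http-path-traversal"),
]
HIDS_EVENTS = [  # (time, host, event)
    ("2024-03-01T09:00:20", "web01", "file-modified:/etc/cron.d/update"),
    ("2024-03-01T09:00:25", "web01", "new-process:/bin/sh parent=httpd"),
    ("2024-03-01T09:45:00", "web02", "login:deploy"),
    ("2024-03-01T11:00:00", "web01", "file-modified:/var/log/httpd/access_log"),
]


def _t(s):
    return datetime.fromisoformat(s)


def correlate(nids_alerts, hids_events, window=timedelta(minutes=5)):
    """For each network alert, attach host events on the targeted host that
    occurred within `window` after it. Alerts backed by host evidence are
    rated 'high'; alerts with no host-side activity stay 'medium'."""
    incidents = []
    for alert_time, src, dst, sig in nids_alerts:
        host = HOST_BY_IP.get(dst)
        start, end = _t(alert_time), _t(alert_time) + window
        related = [ev for t, h, ev in hids_events
                   if h == host and start <= _t(t) <= end]
        incidents.append({
            "host": host,
            "src": src,
            "signature": sig,
            "host_events": related,
            "severity": "high" if related else "medium",
        })
    return incidents
```

The second alert hits the same signature but has no host activity in its window, so it is queued behind the first one rather than discarded; the network sensor alone cannot tell a blocked probe from a successful one.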

Types of HIDS:

1. Signature-Based HIDS:

 Relies on a database of known attack signatures.

 Compares network traffic and system logs against these signatures to identify malicious
activity.

 Effective for detecting known attacks but may miss novel or zero-day attacks.

2. Anomaly-Based HIDS:

 Establishes a baseline of normal network and system behavior.

 Identifies deviations from this baseline as potential threats.

 Effective for detecting unknown attacks but may generate false positives.

3. Behavior-Based HIDS:

 Monitors user behavior and system processes to identify unusual activity.

 Can detect insider threats and other targeted attacks.

 Requires careful configuration and tuning to minimize false positives.

Advantages of Hybrid IDS:

1. Comprehensive Coverage: Monitors both network traffic and host activity, providing better
overall protection.

2. Improved Detection: Combines strengths of both systems to detect a wider range of attacks
(both internal and external threats).

3. Reduces Blind Spots: By using both host and network data, it covers more potential attack
vectors.

4. Better Accuracy: Combining methods helps reduce false positives and improves detection
accuracy.

Disadvantages of Hybrid IDS:

1. Resource Heavy: It requires more system resources (CPU, memory, etc.) because it's
monitoring both network and host activities.

2. Complex Setup: Setting up and managing a hybrid system is more complicated than using a
single IDS type.

3. Higher Cost: It can be more expensive due to the need for more hardware, software, and
maintenance.

4. Potential for Overlap: Some attacks may be detected by both host and network systems,
leading to redundant alerts or unnecessary work.

15. a)

An Intrusion Prevention System (IPS) is a critical component of network security that actively
monitors, analyzes, and takes action to prevent potential security threats.

Unlike an Intrusion Detection System (IDS), which only alerts administrators to suspicious activities,
an IPS can block or mitigate threats in real-time, thus providing a more proactive defense
mechanism.

Key Functions of IPS:

1. Traffic Inspection: Continuously monitors network traffic for suspicious patterns or known
attack signatures.

2. Real-time Blocking: When a threat is detected, the IPS takes immediate action to prevent
the attack, such as dropping malicious packets or blocking the source of the attack.

3. Alerting: In addition to blocking threats, the IPS generates alerts and logs that inform
network administrators of the attack attempt.

4. Policy Enforcement: An IPS can enforce security policies, such as blocking access to
unauthorized services or preventing certain activities that violate security protocols.

Types of Intrusion Prevention Systems (IPS)

IPS solutions can be classified into different types based on their deployment models and methods of
threat detection. Below are the most common types:

1. Network-based Intrusion Prevention System (NIPS)

A Network-based IPS (NIPS) monitors and protects the entire network, usually placed at critical
network points like the perimeter or between network segments. It inspects network traffic to detect
and prevent attacks targeting the network.

How It Works:

 NIPS typically sits in-line at key network entry points (like firewalls, routers, or switches).

 It examines inbound and outbound network traffic, comparing it to known attack signatures
or looking for abnormal network behavior (such as DDoS attacks or port scanning).

 When an attack is detected, the NIPS can block or reroute the malicious traffic, preventing it
from reaching internal systems.

Advantages:

 Provides broad protection for the network as a whole.

 Effective at detecting and blocking network-based attacks (e.g., DoS, DDoS, and exploitation
attempts).

 Can monitor high-traffic volumes across the entire network.

Disadvantages:

 Can be performance-intensive due to the volume of data it needs to inspect.

 May struggle with encrypted traffic (e.g., SSL/TLS) unless equipped with decryption
capabilities.

2. Host-based Intrusion Prevention System (HIPS)

A Host-based IPS (HIPS) operates directly on individual host machines, such as servers, desktops, or
endpoints. It protects against threats specific to the host, such as malware, unauthorized system
changes, or local attacks.

How It Works:

 HIPS software is installed on individual devices and monitors the host for suspicious activity,
such as system file changes, malicious processes, or unauthorized access attempts.

 It can detect malicious activities like privilege escalation, malware execution, or the
exploitation of vulnerabilities specific to the host.

 HIPS can block malicious processes, terminate connections, or prevent certain activities
based on predefined security policies.

Advantages:

 Provides detailed, endpoint-level protection for individual devices.

 Can block threats that are not detected by network-based systems, such as local exploits or
zero-day attacks targeting a specific host.

 Does not require monitoring of network traffic, which is useful for environments where
network-based solutions are impractical.

Disadvantages:

 Limited to the protection of a single host; doesn’t detect network-wide attacks.

 May consume system resources, affecting the performance of the host.

 Requires installation and maintenance on each endpoint, which can be cumbersome in large
environments.

16. b)

A malicious attack is any deliberate attempt to compromise the integrity, confidentiality, or
availability of a computer system, network, or data. These attacks are typically executed by
cybercriminals, hackers, or malicious insiders with the intent to cause harm, steal sensitive
information, disrupt services, or gain unauthorized access to systems.

Here are some common types of malicious attacks with examples:

1. Phishing Attacks

 Definition: Phishing attacks involve tricking users into revealing sensitive information such as
passwords, credit card numbers, or personal data.

 Example: An attacker sends an email that appears to be from a legitimate bank, asking the
user to click on a link to update their account information. The link leads to a fake website
that steals the user's login credentials.

2. Ransomware Attacks

 Definition: Ransomware attacks involve encrypting a victim's files and demanding payment
in exchange for the decryption key.

 Example: A user clicks on a malicious link or opens an infected email attachment, which
installs ransomware on their computer. The ransomware encrypts all files on the computer,
and the attacker demands a ransom in Bitcoin to restore access to the files.

3. SQL Injection Attacks

 Definition: SQL injection attacks involve injecting malicious SQL code into a web application's
database to extract or modify sensitive data.

 Example: An attacker submits a malicious input to a web application's search form, which
injects a SQL query that extracts all user passwords from the database.
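The search-form case above, as an added example that is not from the original answer: the vulnerable string-built query is shown beside its parameterized replacement against a constructed in-memory SQLite table, so the difference between input treated as SQL text and input treated as data is visible. Table, rows and the tampered input are constructed for the illustration.

```python
# Added example (not from the original answer): a search function that pastes
# user input into SQL text, beside the parameterized version. Table contents
# and the tampered input are constructed; the database is in-memory SQLite.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("laptop", 1), ("phone", 1), ("internal-prototype", 0)])
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    # Untrusted input becomes part of the SQL text, so a quote inside `term`
    # changes the structure of the query instead of being a search string.
    sql = ("SELECT name FROM products WHERE public = 1 AND name LIKE '%"
           + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # A bound parameter is sent as data: the query structure is fixed by the
    # program, and the input can only ever be compared as a value.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Constructed input containing a quote and an SQL comment marker
TAMPERED_INPUT = "x' OR 1=1 --"
```

With the tampered input, the string-built query's `public = 1` filter is no longer applied and the non-public row leaks; the parameterized query simply searches for a product whose name contains that literal text and returns nothing.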

4. Cross-Site Scripting (XSS) Attacks

 Definition: XSS attacks involve injecting malicious scripts into a web page to steal user data
or take control of the user's session.

 Example: An attacker injects a malicious script into a web page, which steals the user's login
credentials and sends them to the attacker's server.

5. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks

 Definition: DoS and DDoS attacks involve flooding a network or system with traffic to
overwhelm it and make it unavailable to users.

 Example: An attacker uses a botnet to send a massive amount of traffic to a website,
overwhelming its servers and making it unavailable to users.

6. Man-in-the-Middle (MitM) Attacks

 Definition: MitM attacks involve intercepting communication between two parties to steal or
modify data.

 Example: An attacker sets up a rogue Wi-Fi hotspot, which intercepts all internet traffic from
users who connect to it. The attacker can then steal sensitive data, such as login credentials
or credit card numbers.

7. Malware and Trojan Attacks

 Definition: Malware and Trojan attacks involve installing malicious software on a user's
device to steal data or take control of the device.

 Example: A user downloads a free game from a suspicious website, which installs a Trojan
horse that steals their login credentials and sends them to the attacker's server.

8. Social Engineering Attacks

 Definition: Social engineering attacks involve tricking users into revealing sensitive
information or performing certain actions that compromise security.

 Example: An attacker calls an employee, claiming to be from the IT department, and asks for
their login credentials to "fix a security issue."

9. Insider Threats

 Definition: Insider threats involve attacks or data breaches carried out by individuals with
authorized access to an organization's systems or data.

 Example: A disgruntled employee accesses sensitive data and sells it to a competitor or uses
it for personal gain.

10. Advanced Persistent Threats (APTs)

 Definition: APTs involve sophisticated, targeted attacks carried out by nation-states or
organized crime groups to steal sensitive data or disrupt critical infrastructure.

 Example: A nation-state sponsored attacker uses a combination of phishing, malware, and
social engineering to gain access to a government agency's network and steal classified
information.
