Prevention from cyber attacks
Algorithms and Techniques: The prevention of cyberattacks rests on three related activities:
• Detection of cyberattacks
• Prediction of cyberattacks
• Prevention of cyberattacks
Each activity relies on a different family of algorithms. Detection and prediction commonly use similar kinds of
algorithms: evolutionary, statistical, and machine learning methods. Prevention relies chiefly on network traffic
analysis to decide which traffic to allow, block, or divert.
Cyberattack Detection: Cyberattack detection uses three major types of algorithms, as listed below:
• Machine learning algorithms
• Evolutionary algorithms
• Statistical algorithms
The same families of algorithms underlie software tools for learning traffic patterns, natural language processing,
malicious code detection, behaviour detection, gesture recognition, biometrics, facial recognition, and many other
tasks, and they are now applied to detecting attacks on networks, databases, and other digital assets. Machine
learning is further divided into supervised, semi-supervised, unsupervised, and reinforcement learning. For attack
detection the distinction matters: supervised models need labelled examples of attacks, whereas unsupervised models
learn what normal traffic looks like and flag deviations from it.
The evolutionary algorithms used for cyberattack detection are based on the genetic approach. A genetic algorithm
(GA) is a metaheuristic modelled on natural selection: a population of candidate solutions (for example, candidate
detection rules) is scored by a fitness function, and the fittest are selected, recombined, and mutated to form the
next generation. The genetic algorithm flow chart is shown below.
Another important approach to cyberattack detection is the statistical approach, which uses different algorithms to
detect attacks or malicious activity on the network and on the cyber infrastructure. Principal component analysis
(PCA), entropy analysis, and Markov models are widely used here: PCA separates normal traffic from outliers,
entropy analysis spots an unusual spread or concentration in a field such as source addresses or destination ports,
and Markov models flag improbable sequences of events.
Cyberattack Prediction: The major algorithms used in attack prediction systems include the following:
• Machine learning-based algorithms
• Genetic algorithms
• Statistical data analysis algorithms
The main difference between detection and prediction is that detection takes place once an attack has already
been launched, whereas prediction analyses the vulnerabilities and possible loopholes in the security system from
which attacks could be launched, before they happen.
In the prediction approach, different algorithms are combined to construct an attack tree. The tree is built from the
critical episodes that overran the episode window. The accuracy reported for this model is about 95% on average;
as with any such figure, it depends on the dataset and the episode window used, so it should be re-measured on
your own traffic before being trusted.
Cyberattack Prevention: The prevention of cyberattacks is the most critical aspect of cybersecurity and encompasses
detection, prediction, and disaster recovery activities.
Beyond the software systems installed to stop an attack before it can inflict substantial damage, security
professionals and business owners must also take proactive responsibility and implement the standard preventive
measures effectively. The most important of these are listed below:
• Follow security guidelines and configuration baselines strictly.
• Keep all software applications, tools, and operating systems patched and up to date.
• Keep a close eye on both internal and external threats.
• Always back up critical data and store the backups safely, ideally offline or off-site, and test that they restore.
• Make an incident response and disaster recovery plan so that a disastrous situation can be handled calmly.
The most important technique in the prevention approach is capturing (sniffing) and analysing incoming traffic from
different sources. Close monitoring of traffic patterns, traffic types, and other characteristics of the traffic reveals
its intent. Once the nature of the traffic is known, the system can take predefined actions to stop attackers from
succeeding in their malicious activities.
Suspicious traffic, once identified, is either blocked or redirected to decoy (honeypot) servers where it can be
observed without risk to production systems. Traffic analysis is also a very powerful tool for the operations team,
which uses the same data to monitor the quality, condition, and performance of the communication links.
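As an added example (not part of the original text), the following Python script shows the kind of traffic analysis the paragraph describes: it runs a port-scan detector over a handful of constructed flow records and applies a predefined action (block, or divert to a honeypot) once a source has tried a threshold number of distinct destination ports within a time window. The flow records, addresses, and thresholds are invented for the illustration.

```python
"""Port-scan detection over summarised flow records, with a predefined action.

Added example: the flow records below are constructed, not captured traffic.
Each record is (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags).
"""
from collections import defaultdict, deque

# Constructed sample: 203.0.113.9 sweeps many ports in two seconds;
# 198.51.100.4 is an ordinary client using only HTTP and HTTPS.
SAMPLE_FLOWS = [
    (0.0, "198.51.100.4", "10.0.0.5", 443, "S"),
    (0.2, "203.0.113.9", "10.0.0.5", 21, "S"),
    (0.4, "203.0.113.9", "10.0.0.5", 22, "S"),
    (0.6, "203.0.113.9", "10.0.0.5", 23, "S"),
    (0.8, "203.0.113.9", "10.0.0.5", 25, "S"),
    (1.0, "198.51.100.4", "10.0.0.5", 80, "S"),
    (1.0, "203.0.113.9", "10.0.0.5", 53, "S"),
    (1.2, "203.0.113.9", "10.0.0.5", 80, "S"),
    (1.4, "203.0.113.9", "10.0.0.5", 110, "S"),
    (1.6, "203.0.113.9", "10.0.0.5", 135, "S"),
    (1.8, "203.0.113.9", "10.0.0.5", 139, "S"),
    (2.0, "203.0.113.9", "10.0.0.5", 143, "S"),   # 10th distinct port: threshold reached
    (2.2, "203.0.113.9", "10.0.0.5", 443, "S"),
    (2.4, "203.0.113.9", "10.0.0.5", 445, "S"),
    (3.0, "198.51.100.4", "10.0.0.5", 443, "S"),
    (3.1, "198.51.100.4", "10.0.0.5", 443, "A"),  # established traffic, not a new attempt
]


class PortScanDetector:
    """Flags a source that opens connections to >= threshold distinct ports
    within `window` seconds, then applies `action` to its later traffic."""

    def __init__(self, threshold=10, window=5.0, action="block"):
        if action not in ("block", "honeypot"):
            raise ValueError("action must be 'block' or 'honeypot'")
        self.threshold = threshold
        self.window = window
        self.action = action
        self._attempts = defaultdict(deque)  # src_ip -> deque of (ts, dst_port)
        self.flagged = {}                    # src_ip -> (ts, distinct_port_count)

    def observe(self, ts, src, dst, port, flags):
        """Return the verdict for one flow: allow, block, redirect, or drop."""
        if src in self.flagged:
            # Predefined action for a source already identified as a scanner.
            return "drop" if self.action == "block" else "redirect"
        if "S" not in flags or "A" in flags:
            return "allow"  # only pure SYNs count as new connection attempts
        attempts = self._attempts[src]
        attempts.append((ts, port))
        while attempts and ts - attempts[0][0] > self.window:
            attempts.popleft()  # slide the window forward
        distinct = {p for _, p in attempts}
        if len(distinct) >= self.threshold:
            self.flagged[src] = (ts, len(distinct))
            return "block" if self.action == "block" else "redirect"
        return "allow"


def analyse(flows, **kwargs):
    """Run the detector over a list of flows; return (verdicts, flagged sources)."""
    detector = PortScanDetector(**kwargs)
    verdicts = [detector.observe(*flow) for flow in flows]
    return verdicts, detector.flagged


if __name__ == "__main__":
    verdicts, flagged = analyse(SAMPLE_FLOWS)
    for flow, verdict in zip(SAMPLE_FLOWS, verdicts):
        print(f"{flow[0]:4.1f}s {flow[1]:>14} -> :{flow[3]:<5} {verdict}")
    print("flagged:", flagged)
```

The sliding window is the weak point of any such rule: a scan slow enough to stay under the threshold within the window is not caught, which is why production detectors combine several indicators (distinct ports, distinct hosts, SYN-to-ACK ratios) and several window lengths.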
Firewalls: The firewall is the first line of defense for any network connected to the Internet and has been used in
the cybersecurity field for over 25 years. A firewall acts as a filter for traffic, both incoming and outgoing.
A firewall checks and monitors traffic continuously before it enters the network. It inspects incoming traffic to stop
attacks originating from external, untrusted sources, and it likewise monitors the patterns and parameters of traffic
leaving the internal network for outside destinations, which is how data exfiltration and malware call-backs to
attacker-controlled servers are caught.
A firewall can be a software program installed on a server, workstation, or router to protect that device or a whole
system, or a dedicated hardware appliance running specialised firewall software. On PCs and mobile devices we rely
on the host firewall built into the operating system to block unsolicited inbound connections from attackers.
Big networks, such as enterprise networks, corporate networks, service providers, data centers, and government
departments normally use the dedicated firewall devices with specialized firewall programs running on those
devices.
Activating Windows Firewall:
Windows 10 firewall: Windows 10 ships with a single built-in host firewall. It was originally named Windows Firewall
and, since version 1709, is called Windows Defender Firewall; the two names refer to the same component, not to two
separate firewalls.
It is enabled by default for all three network profiles (domain, private, and public), but you should verify that it has
not been turned off by taking the following steps:
• Click the Start button.
• Choose the Settings option.
• Choose the Update & Security option.
• Select Windows Security. The Windows Security page appears.
• Choose the Firewall & network protection option. The page lists the domain, private, and public network profiles.
• Open each profile and make sure its firewall switch is in the On position. Keep the public profile on whenever the
device is used on untrusted networks such as hotel or airport Wi-Fi.
Windows 7 firewall: Windows 7 ships with one host firewall, Windows Firewall. Windows Defender on Windows 7 is
an anti-spyware tool, not a firewall, so enabling it does not replace the firewall. Note that Windows 7 reached end of
support in January 2020 and no longer receives security updates; the steps below are kept for reference.
To open the Windows 7 Firewall, take the following steps:
• Click the Start button.
• Choose the Control Panel option. All windows configuration options appear.
• Click the Windows Firewall link. Windows Firewall settings page appears.
• Click the “Allow a program or feature through Windows Firewall” link to add the programs and services whose
inbound connections should be allowed. Clearing a program's check box removes its exception, so inbound
connections to it are blocked again; the fewer exceptions, the smaller the attack surface.
• Click the “Change notification settings” link to turn the firewall on or off and to set notification behaviour
separately for the private (home or work) and public network locations, as shown in Figure.
• If a program you want to add to the exception list is not shown, click the “Allow another program…” button.
• A new pop-up window appears listing the other programs installed on your computer.
• Choose the program you want to add to the exception list, or click “Browse…” to locate a program that does not
appear in the list.
• Click the “Add” button. The program now shows up in the exception list of the Windows 7 Firewall.
• Select the program and adjust its settings (which network locations it may accept connections on) by clicking
the “Change settings” button at the top of the window.
• To configure advanced settings, click the “Advanced settings” link in the left panel. The Windows Firewall with
Advanced Security window appears as shown in Figure.
• On the advanced settings page you can configure inbound rules, outbound rules, connection security rules
(IPsec), and monitoring of the active rules and security associations.
INTRUSION DETECTION/PREVENTION SYSTEMS
Intrusion Detection System (IDS): An IDS combines sensors (network taps or host agents) with a software
application that monitors for malicious activities and events on the network and on host operating systems,
including their critical system files and, on Windows, the registry. An IDS is a passive, out-of-band control: it
raises alerts but does not itself block traffic.
There are three major kinds of IDS:
• Network intrusion detection system (NIDS)
• Host intrusion detection system (HIDS)
• Application-based intrusion detection system (AppIDS)
A network-based IDS monitors and analyses the data packets passing through the network, looking at traffic
patterns and other parameters. If an anomaly or a known attack pattern is found, it immediately alerts the network
administrator or the security information and event management (SIEM) system so that corrective measures can
be taken to safeguard the data and avert the attack.
Intrusion detection system, IDS
A host-based IDS monitors and analyses files and events on the operating system to detect malicious activity.
Two detection methods are commonly used by both kinds of IDS:
• Anomaly-based detection: a baseline of normal behaviour is learned and deviations from it are flagged. It can
catch novel attacks but produces more false positives.
• Signature-based detection: traffic or events are matched against patterns of known attacks. It is precise but blind
to anything for which no signature exists yet.
A host-based IDS periodically computes cryptographic hashes of monitored files and compares them with a stored
baseline (file integrity monitoring). If a file has changed unexpectedly, it alerts the administrator or the central
security system for follow-up.
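The file comparison just described, as an added example that is not part of the original text: a small file integrity monitor in Python that baselines a directory tree, re-scans it after a simulated compromise, and reports what was modified, added, and removed. The directory, the file contents, and the simulated tampering are constructed for the demonstration.

```python
"""Host-based file integrity monitoring: baseline, re-scan, compare.

Added example. It builds a throw-away directory tree standing in for a host,
records a baseline of SHA-256 digests, sizes and permissions, simulates a
compromise, and reports what changed. Paths and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root to its digest, size and mode bits.
    mtime is deliberately left out: it is trivial for an intruder to forge."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o777,
        }
    return baseline


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Baseline a fake host, tamper with it the way an intruder might, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"\x00" * 60)  # constructed stub binary

        baseline = build_baseline(root)

        # Simulated compromise: a second uid-0 account is appended, a file is
        # deleted, and a preload library (classic userland rootkit hook) appears.
        with open(root / "etc" / "passwd", "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/bash\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:>9}: {files}")
```

Two operational points follow from the code: the baseline must be kept where an intruder with root on the monitored host cannot rewrite it (off-host, or signed), and the compare step should run from a scheduler and forward its result to the SIEM rather than only printing it.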
An application-based IDS (AppIDS) is built for a particular application, such as a content management system, a
database system, or an accounting system, and understands that application's transactions and logs.
The major functions of a good IDS, in the order they occur, are:
• Data collection (packets, logs, file snapshots)
• Feature selection (the attributes the analysis will look at)
• Analysis of data (signature matching, anomaly scoring)
• Action (alerting and logging; for an IPS, also blocking)
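As an added example (not from the original text), the script below runs those four functions over constructed web-server log lines: it collects the lines, selects the client address, request path, and minute as features, analyses them with both detection methods described above (signature rules for known attack strings, and a statistical per-client request-rate baseline for anomalies), and emits alerts. The log lines, addresses, and rules are invented for the illustration.

```python
"""Signature-based and anomaly-based detection over web-server access logs.

Added example. The log lines are constructed in the Apache combined-log style.
"""
import re
import urllib.parse
from collections import Counter
from statistics import mean, pstdev

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature rules: (name, regex applied to the URL-decoded path). Illustrative only.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-injection", re.compile(r"union\s+select|'\s*or\s+'?1'?\s*=\s*'?1|sleep\s*\(", re.I)),
    ("command-injection", re.compile(r"[;|]\s*(?:cat|wget|curl|nc|bash)\b", re.I)),
]


def make_line(ip, ts, path, status=200):
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Training window: three ordinary clients, 2-4 requests per minute each.
BASELINE_LOG = (
    [make_line("198.51.100.4", "10/Oct/2023:13:50:%02d" % s, "/index.html") for s in (5, 20, 40)]
    + [make_line("198.51.100.4", "10/Oct/2023:13:51:%02d" % s, "/about") for s in (3, 30)]
    + [make_line("198.51.100.7", "10/Oct/2023:13:50:%02d" % s, "/") for s in (1, 15, 30, 45)]
    + [make_line("198.51.100.7", "10/Oct/2023:13:51:%02d" % s, "/news") for s in (2, 22, 44)]
    + [make_line("192.0.2.20", "10/Oct/2023:13:50:%02d" % s, "/login") for s in (9, 50)]
    + [make_line("192.0.2.20", "10/Oct/2023:13:51:%02d" % s, "/login") for s in (7, 27, 47)]
)

# Observation window: the same clients plus one host probing with known attack
# strings and hammering the server (30 requests in one minute).
OBSERVED_LOG = (
    [make_line("198.51.100.4", "10/Oct/2023:13:55:%02d" % s, "/index.html") for s in (4, 24, 44)]
    + [make_line("198.51.100.7", "10/Oct/2023:13:55:%02d" % s, "/") for s in (10, 40)]
    + [make_line("203.0.113.9", "10/Oct/2023:13:55:01", "/cgi-bin/../../../../etc/passwd", 404)]
    + [make_line("203.0.113.9", "10/Oct/2023:13:55:02",
                 "/search?q=1%27%20UNION%20SELECT%20password%20FROM%20users--", 500)]
    + [make_line("203.0.113.9", "10/Oct/2023:13:55:03", "/ping?host=127.0.0.1;cat%20/etc/passwd")]
    + [make_line("203.0.113.9", "10/Oct/2023:13:55:%02d" % s, "/index.html") for s in range(4, 31)]
)


def parse(line):
    """Data collection: turn one raw line into a record, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_scan(lines):
    """Known-bad patterns: precise, but only for attacks that already have a rule."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        decoded = urllib.parse.unquote(rec["path"])  # match after URL decoding
        for name, rx in SIGNATURES:
            if rx.search(decoded):
                alerts.append((name, rec["ip"], rec["path"]))
                break
    return alerts


def requests_per_minute(lines):
    """Feature selection: (client, minute) -> request count."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["ip"], rec["ts"][:17])] += 1  # "10/Oct/2023:13:55"
    return counts


def anomaly_scan(lines, baseline_lines, k=3.0, floor=5):
    """Flag clients whose per-minute rate exceeds mean + k*stdev of the training
    window; the floor stops a tiny baseline from calling two requests abnormal."""
    base = list(requests_per_minute(baseline_lines).values())
    threshold = max(floor, mean(base) + k * pstdev(base))
    offenders = {ip for (ip, _), n in requests_per_minute(lines).items() if n > threshold}
    return sorted(offenders), threshold


if __name__ == "__main__":
    for alert in signature_scan(OBSERVED_LOG):
        print("SIGNATURE", alert)
    ips, thr = anomaly_scan(OBSERVED_LOG, BASELINE_LOG)
    print(f"ANOMALY   rate > {thr:.1f}/min: {ips}")
```

The two methods fail in opposite ways: the signature scan misses the flood entirely (a plain /index.html request matches no rule), while the rate baseline says nothing about which of the 30 requests carried an exploit. Real deployments run both and correlate the alerts.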
Intrusion Prevention System (IPS):
Firewalls and intrusion detection are two major components of network or host security, but each has shortcomings
that keep it from being a complete security tool. A packet-filtering firewall decides on addresses, ports, and
connection state: it blocks traffic to ports that are not configured for authorised traffic, that is, any port not in use
for genuine services. It cannot stop malicious traffic that passes through an allowed port, because it does not
understand the application data inside. If attackers exploit a vulnerability in the service listening on an allowed
port, the firewall sees nothing wrong.
An IDS, on the other hand, can analyse and detect malicious traffic passing through the allowed ports, but it cannot
act on what it finds. Security teams therefore needed a system that could automatically respond to an intrusion.
Hence the IPS was introduced: it sits inline in the traffic path and can detect, analyse, and take appropriate action
(drop the packet, reset the connection, or block the source) against any intrusion. The cost of being inline is that a
false positive now blocks legitimate traffic, so IPS signatures must be tuned carefully.
Intrusion prevention system (IPS) – advanced IDS
The main advantages of an IPS include the following:
• Comprehensive network security.
• Robust protection against malware.
• Details of where the attack originated.
• Automated response to attacks and proper event recording.
• Instant alerts and pre-emptive actions.
• Stops unauthorised access to e-mail contact lists.
• Blocks known attack patterns such as directory traversal attempts.
• Protects all resources of the system and network.
Like IDSs, IPSs come in two main types:
• Host-based intrusion prevention system (HIPS)
• Network-based intrusion prevention system (NIPS)
HIPSs are usually software-based and NIPSs are usually appliance-based, though not always. The main approaches
and algorithms used by both are listed below:
• Protocol anomaly detection
• Stateful signature detection
• Kernel-based monitoring (HIPS)
• Sandbox analysis
• Software-based heuristics
• Combined or hybrid approaches
AUTHENTICATION USING HASH
Hashing is a computation that transforms input data of any length into a short, fixed-length code called a digest.
A cryptographic hash function is one-way (the input cannot be recovered from the digest) and collision-resistant
(it should be infeasible to find two different inputs with the same digest). Hashing is used to protect the integrity
of messages transported over the Internet; it does not hide their contents, so it is not encryption.
Schematic diagram of hashing process
Authentication using a hash means verifying both that the data has not been altered and that it came from the
sender the receiver expects.
The major hash-based techniques include the following:
• Cryptographic hash functions (CHFs)
• Message authentication codes (MACs)
• Digital signatures (DS)
A MAC combines the hash with a secret key shared by sender and receiver (HMAC is the standard construction), so
only a key holder can produce or verify the tag. A digital signature uses the signer's private key to sign the hash
and the matching public key to verify it. A bare CHF needs no key, so it detects accidental corruption but not
deliberate tampering: anyone who alters the message can simply recompute the hash.
Example algorithms are:
• Message Digest 2 (MD2)
• Message Digest 4 (MD4)
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA) family
Modern TLS uses SHA-256 and SHA-384; MD5 and SHA-1 are no longer acceptable in certificates or signatures
because collisions can be produced for both.
Message Digest 5: MD5 is a one-way hash function, not an encryption algorithm; it takes a message of any length
as input and returns a fixed-length 128-bit digest. It was once used extensively in SSL, but practical collisions
were demonstrated in 2004, and it must not be used where collision resistance matters. The digest length is not
its main weakness: a sound 128-bit hash would still offer 64-bit collision resistance, whereas MD5's flaws are
structural. The MD series (MD2, MD4, and MD5) was designed by Ronald Rivest. MD6, a later design that can
produce digests of up to 512 bits, was submitted to the SHA-3 competition but was not adopted and is not in
common use.
Secure Hash Algorithm: SHA is a family of hash functions with several versions: SHA-0 (withdrawn shortly after
publication), SHA-1 (160-bit digest; a collision was demonstrated in 2017 and it is deprecated), SHA-2 (SHA-224,
SHA-256, SHA-384, and SHA-512), and SHA-3 (Keccak, standardised in 2015 with the same output sizes as SHA-2).
SHA-0, SHA-1, and SHA-2 were designed by the US National Security Agency (NSA); SHA-3 was selected through a
public competition run by NIST. The most widely used member of the family today is SHA-256 from the SHA-2
family, not SHA-3.
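The difference between a bare hash and a keyed MAC, as an added example that is not part of the original text. The Python below uses only the standard library: it lists the digest sizes of the algorithms discussed, then shows an on-path attacker rewriting a message. With a plain SHA-256 the attacker recomputes the digest and the forgery is accepted; with HMAC-SHA256 it is rejected because the attacker has no key. The message, key, and scenario are constructed for the illustration.

```python
"""Integrity with a bare hash versus authentication with a keyed MAC.

Added example using only the Python standard library. The message and key are
constructed for illustration.
"""
import hashlib
import hmac
import secrets


def digest_bits(data=b"message"):
    """Output size in bits of the algorithms discussed above."""
    return {name: hashlib.new(name, data).digest_size * 8
            for name in ("md5", "sha1", "sha256", "sha3_256", "sha512")}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key, data):
    """HMAC: the hash keyed with a secret shared by sender and receiver."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash_only(data, tag):
    # compare_digest runs in constant time, so an attacker cannot learn how many
    # leading characters of the tag were right by timing the comparison.
    return hmac.compare_digest(sha256_hex(data), tag)


def verify_mac(key, data, tag):
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag)


def tamper_demo():
    """An active attacker changes the payee and re-hashes; only the MAC catches it."""
    key = secrets.token_bytes(32)               # shared secret; the attacker has no copy
    genuine = b"transfer 100 to alice"
    forged = b"transfer 100 to mallory"

    # 1. Sender sends (message, SHA-256(message)). The attacker rewrites the
    #    message and recomputes the public function: the receiver accepts it.
    hash_forgery_accepted = verify_hash_only(forged, sha256_hex(forged))

    # 2. Sender sends (message, HMAC(key, message)). The attacker can alter the
    #    message but cannot produce a valid tag for it without the key.
    tag = hmac_sha256_hex(key, genuine)
    mac_forgery_accepted = verify_mac(key, forged, tag)
    mac_genuine_accepted = verify_mac(key, genuine, tag)

    # 3. Flipping a single bit of the payload also invalidates the tag.
    flipped = bytes([genuine[0] ^ 0x01]) + genuine[1:]
    mac_bitflip_accepted = verify_mac(key, flipped, tag)

    return {
        "hash_forgery_accepted": hash_forgery_accepted,
        "mac_forgery_accepted": mac_forgery_accepted,
        "mac_genuine_accepted": mac_genuine_accepted,
        "mac_bitflip_accepted": mac_bitflip_accepted,
    }


if __name__ == "__main__":
    print(digest_bits())
    print(tamper_demo())
```

Note what the MAC does not give you: both parties hold the same key, so a receiver cannot prove to a third party which of them produced a tag. That non-repudiation is what a digital signature adds.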
MULTI-FACTOR AUTHENTICATION
In multi-factor authentication, access to a digital resource such as a computer system, web account, or cloud
service is not granted on a single credential such as a password; you must present additional credentials as well.
Authentication factors fall into three categories:
• Something you know, such as a password, a PIN, or the answer to a knowledge question.
• Something you have, such as a phone that receives a one-time password (OTP), an authenticator app, a smart
card, or a hardware security key.
• Something you are, a biometric such as a fingerprint or face that is unique to you.
Real multi-factor authentication combines factors from different categories; a password plus a security question is
still a single factor, since both are things you know.
The second-factor credentials are normally one-time-use codes or proofs of possession. They include the following:
• Short code sent by SMS or voice call to your mobile phone
• Push notification prompt to a registered phone
• One-time password (OTP) from an authenticator app
• A PIN set on the device (a knowledge factor, so it only counts alongside a possession or biometric factor)
• Digital certificate or smart card
• Fingerprint or other biometric
• Key fobs and hardware security keys
• Card swipe or tap
Passwords are now comparatively easy to break: they are brute-forced, guessed from leaked password lists, or
phished. So you need multiple factors to keep your digital resources secure.
For instance, suppose an attacker has recovered your password with a fast password-cracking rig and wants to
access your resources. Without multi-factor authentication, the stolen password is enough to take over the account.
With multi-factor authentication enabled, the attacker is also asked for the other factors you have set up, such as a
fingerprint, a card swipe, an OTP, or a code sent to your mobile.
The attacker does not control your phone or your security key, so the stolen password alone does not get him or her
in. Two caveats: SMS codes can be diverted by SIM-swap fraud and phished in real time, so an authenticator app or
a hardware security key is the stronger choice; and an attacker who holds a valid session cookie or an
application-specific password bypasses the second factor entirely, which is why those must be revoked when a
device is lost.
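How the second factor is checked on the server side, as an added example that is not part of the original text. The Python below, standard library only, implements the time-based one-time password used by authenticator apps (RFC 6238 TOTP on top of RFC 4226 HOTP), a verifier that tolerates one step of clock drift but refuses a replayed code, and a login routine that requires both the password and the code, so that the stolen-password scenario above fails. The user, the password, and the TOTP secret (the RFC 6238 test key) are constructed for the demonstration.

```python
"""Second factor with a time-based one-time password (RFC 6238 TOTP).

Added example, standard library only. The user, password and secret are
constructed for illustration; the secret is the RFC 6238 test key.
"""
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 100_000


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = number of 30-second steps since the epoch."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp // step), digits)


def verify_totp(secret, code, timestamp, step=30, window=1, digits=6):
    """Return the matching counter, or None. Accepts +/- `window` steps of
    drift; every candidate is compared in constant time."""
    counter = int(timestamp // step)
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


class AuthServer:
    """Password (first factor) + TOTP (second factor) with replay protection."""

    def __init__(self):
        self.users = {}

    def register(self, username, password, totp_secret):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp_secret": totp_secret,
            "last_counter": -1,   # highest counter already used, to block replay
        }

    def login(self, username, password, code, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return False
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
        password_ok = hmac.compare_digest(pw_hash, user["pw_hash"])
        counter = verify_totp(user["totp_secret"], code, now)
        # Evaluate both factors before deciding, so a failure does not reveal
        # which one was wrong; a code is accepted at most once.
        if not password_ok or counter is None or counter <= user["last_counter"]:
            return False
        user["last_counter"] = counter
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test secret (demo value)
    server = AuthServer()
    server.register("alice", "correct horse battery staple", secret)
    now = time.time()
    code = totp(secret, now)                  # what the authenticator app would show
    print("stolen password, wrong code:", server.login("alice", "correct horse battery staple", "000000", now))
    print("password + fresh code      :", server.login("alice", "correct horse battery staple", code, now))
    print("same code replayed         :", server.login("alice", "correct horse battery staple", code, now + 1))
```

The replay check matters because a 30-second code is valid for three steps with the drift window: without `last_counter`, a phished code could be reused within that time. Rate-limiting login attempts is the other essential control, since a six-digit code gives an attacker a 1-in-a-million guess per try.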
Activating Two-Factor Authentication: The major cloud-based services offer two-factor authentication, among
them Google, Yahoo, Outlook.com (formerly Hotmail), Facebook, and YouTube.
The step-by-step procedure to enable two-factor authentication on the most commonly used cloud service, Google, is
as follows.
Step #1: Log in to your Google account by entering your username and password, or click the thumbnail image of
your account at the top right corner of your Gmail page. Whatever the interface, the steps remain more or less the
same.
Step #2: Click the Google Account button. The Google account settings page appears. On this page you can
configure different features and capabilities, including the two-factor authentication service offered by Google.
Step #3: Click the Security link in the left pane of the Google account settings page. The Signing in to Google
section appears on the page.
Step #4: Click the 2-Step Verification link located in the signing in to Google block. The 2-Step Verification page
appears.
Step #5: Click the Get Started button. The account login verification page appears, requiring you to enter the
current password of the account. Enter the password to proceed. The 2-Step Verification wizard appears.
Step #6: Select the country and enter the phone number you want to use to receive the verification code from
Google. Also select how you want to receive the code; Google offers two options, text message and phone call.
Click the NEXT button.
Step #7: A six-digit random code is sent to your mobile for one-time use. Enter that code in the Enter the code
field as shown in Figure 8.37 and click the NEXT button. The confirmation page appears.
Step #8: Click the TURN ON button to confirm your selections. Two-factor authentication is now enabled on your
Google account. You can modify your information or turn two-factor authentication off later if you want.
Step #9: You can also choose to sign in without typing a code by enabling Google prompt: click the ADD GOOGLE
PROMPT option. A pop-up window appears.
Step #10: Click the GET STARTED link in the pop-up message. The Add phone option appears. Google supports
Android phones and iPhones for this service. On the phone, sign in to the same Google account; the phone then
appears in the list automatically, and if it does not, click the “Click here to try again” link.
Step #11: Click the NEXT link. Google sends a sign-in prompt to the phone. Tap the “Yes” push notification on the
phone, and you are logged in to your account without typing a code.
Creating Application-Specific Passwords:
Some older applications (for example, mail clients using IMAP or POP) cannot complete the 2-Step Verification
prompt. For these you generate an application-specific password: a 16-character password that is valid only for
that one application and that bypasses the second factor. To generate one, take the following steps:
• Log in to your Google account.
• Click the avatar button and then choose the Google Account option. The account settings page appears.
• Click the Security link in the left pane of the page. The security settings appear.
• Click the App Passwords link. Google asks you to verify your password.
• Enter your valid password and click the Next button. The App Passwords page appears as shown in Figure.
• Select the desired app and the device type you use from the drop-down lists.
• Click the GENERATE button. The app password is generated as shown in Figure.
• Full details of how to use the application-specific password are also displayed.
• Copy the application-specific password.
• Open the application on the selected device that you want to link with your Google account.
• Enter the application-specific password in the application and click its login button to sign in to that particular
application.
• Each application stores the password it was given, so you do not have to enter it again. Treat it as a credential:
anyone who obtains it can read that account without passing the second factor.
• You can create passwords for other applications by following the same procedure.
What If Your Phone with All Apps Enabled Is Lost?
Google offers robust security for all your devices, but you have to be proactive enough to follow the security measures
if you lose your mobile. First of all, revoke the application-specific passwords used on that device. To do so, take the
following steps:
• Go to your account settings and click the Security link in the left pane.
• Click the App Passwords link. The existing application-specific passwords appear.
• Click the delete icon next to each application-specific password that was used on the lost device.
• The applications on the lost device are signed out. You can create new application-specific passwords on your
replacement device.
• Change the password of your Google account and review its backup phone numbers and recovery e-mail address.
• Also sign the lost device out of your account and remove it from your 2-Step Verification devices, so that it can
no longer approve Google prompts.
• It is always recommended to add a backup phone number so that you can recover your Google account if you lose
the device with the primary number.
• Another option is to print or save the backup codes that Google generates and keep them somewhere other than
the phone.
MAC COMPUTER FIREWALL CONFIGURATION
Mac computers are Apple Inc.'s brand of personal computers; they run the operating system originally called Mac
OS X and now called macOS. The OS X line began with a public beta in 2000 and the first release, Mac OS X 10.0, in
March 2001. The OS X 10.x releases continued up to OS X 10.11, known as El Capitan, released in September 2015.
Afterward, the OS X name was changed to macOS. The first version under that name was macOS 10.12 Sierra; the
most recent version at the time of writing was macOS 10.14 Mojave, released in September 2018.
A firewall is built into macOS, but the application firewall is turned off by default. When enabled, it blocks unsolicited
incoming connections to ports that no allowed application is listening on. Open ports are what attackers probe
first to learn about your computer and its services, so you should enable the firewall on your Apple computer to
keep them at bay.
Enable the firewall and configure the per-application exceptions by taking the following step-by-step procedure:
• Open the Apple menu and choose System Preferences, then click Security & Privacy and select the Firewall tab.
• Click the lock icon at the bottom left and enter an administrator password so that the settings can be changed.
• Click Turn On Firewall.
• Click the Firewall Options… button. The list of applications appears.
• Select an application in the list and click the (–) button to remove it from the list.
• Click the (+) button and choose the application you want to add to the list, then set it to allow or block incoming
connections.
• Select the Enable stealth mode check box so that the computer does not respond to probes such as ICMP ping or
connection attempts to closed ports, which makes it harder for attackers to discover it.
• Select the Block all incoming connections check box to stop incoming connections to every port except those
needed for basic Internet services.
• Similarly, select or clear the Automatically allow built-in software to receive incoming connections check box to
activate or deactivate that option. Review the Automatically allow downloaded signed software to receive incoming
connections option as well: it is on by default and admits any signed application.
• Click the OK button to apply the firewall settings.
• Click the lock again to prevent further changes, then close the Security & Privacy window.
SECURE SOCKETS LAYER
SSL is a security protocol for secure data transfer between a web server and a browser and vice versa. It is a
recognised standard that establishes an encrypted link between the web server and the browser so that data
exchanged between client and server is confidential and protected from tampering. Its successor, Transport Layer
Security (TLS), is what browsers actually negotiate today: SSL 2.0 and 3.0 are deprecated because of known
weaknesses, and the name “SSL” survives mainly in the phrase “SSL certificate”, which is used with TLS 1.2 and
TLS 1.3.
Two types of encryption are used together in the protocol:
• Symmetric encryption
• Asymmetric encryption
Symmetric encryption uses the same key to encrypt and decrypt the data; it is fast and protects the bulk of the
traffic once a session key has been agreed.
Asymmetric encryption uses two separate keys, a public key for encryption or verification and a private key for
decryption or signing; it is used only during the handshake, to authenticate the server and agree the session key.
RSA keys of 2,048 bits are the current minimum; 1,024-bit keys were used previously but are no longer considered
safe. Elliptic-curve keys achieve comparable security with 256-bit keys.
The most commonly used public and private key-based encryption algorithms are:
• Rivest, Shamir, Adleman (RSA) algorithm
• Elliptic Curve Cryptography (ECC) algorithm
The encryption is set up from the SSL certificate, which is normally installed on the web server. The certificate is
obtained from an issuing authority, commonly known as a Certificate Authority (CA), after verification of the
business and the website.
First, you generate a private key and a certificate signing request (CSR) on the web server, using a tool such as
openssl or the server's own management console. The CSR is a file that contains the server's identity (its domain
name and organisation) and its public key, signed with the private key; the private key itself never leaves the
server and must never be sent to the CA. The CSR is submitted to the certificate authority, which issues the
certificate, and the certificate (together with the CA's intermediate certificates) is then installed on the web server.
Once the certificate is installed, communication between browser and server takes place over an encrypted link.
Data travels in encrypted form, so an attacker who intercepts it in transit cannot read it or alter it without
detection.
To establish a secure connection between server and web browser, the following steps take place (the handshake):
• The browser sends a secure connection request to https://websiteURL: a ClientHello listing the protocol versions
and cipher suites it supports, plus a random value.
• The web server replies with its chosen cipher suite, its own random value, and its SSL certificate (with the
intermediate CA certificates).
• The browser verifies that the certificate is valid: it is signed by a trusted CA, its name matches the site's host
name, it has not expired, and it has not been revoked.
• Browser and server perform a key exchange (today usually ephemeral Diffie-Hellman or ECDHE) and derive the
same symmetric session keys; the server proves possession of the certificate's private key during this step, which
is what stops a man-in-the-middle from substituting its own key exchange.
• When verification succeeds, a padlock icon appears in the browser's address bar.
• A secure connection is now established. All further communication is encrypted with the symmetric session keys
and carries an integrity check, so it cannot be read or modified in transit.
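Below is an added example (not code from the original text) that plays both sides of a handshake like the one just described, in Python with only the standard library. It uses the 2048-bit MODP group 14 from RFC 3526 for an ephemeral Diffie-Hellman key exchange, derives separate client-write and server-write keys from the shared secret and the two random values, and protects an application record with a toy HMAC-SHA256 keystream cipher plus an HMAC tag. The record cipher stands in for AES-GCM or ChaCha20-Poly1305 and is not for production use; the message layouts and labels are illustrative, not the TLS wire format. The certificate check and the server's signature over its key share are omitted, which is exactly why this exchange on its own would not resist a man-in-the-middle.

```python
"""Two-party key agreement and record protection, in the style of a TLS handshake.

Added example. Group 14 prime from RFC 3526; everything else (labels, message
layouts, the toy record cipher) is illustrative and not the TLS wire format.
"""
import hashlib
import hmac
import secrets

# 2048-bit MODP group (RFC 3526, section 3); generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def group_is_sane():
    """Cheap Fermat checks that catch a mistyped modulus."""
    return P.bit_length() == 2048 and pow(2, P - 1, P) == 1 and pow(3, P - 1, P) == 1


def dh_keypair():
    """Ephemeral private exponent and public key share g^x mod p."""
    priv = secrets.randbits(256) | (1 << 255)   # 256-bit exponent is ample for this group
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    """Reject degenerate shares (0, 1, p-1) that would force a predictable secret."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer key share")
    return pow(peer_pub, priv, P).to_bytes(256, "big")


def derive_keys(shared, client_random, server_random):
    """Extract-then-expand (HKDF-like) into one key per direction."""
    prk = hmac.new(client_random + server_random, shared, hashlib.sha256).digest()
    return {"client_write": hmac.new(prk, b"client write key\x01", hashlib.sha256).digest(),
            "server_write": hmac.new(prk, b"server write key\x01", hashlib.sha256).digest()}


def _keystream(key, seq, length):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    blocks = [hmac.new(enc_key, seq.to_bytes(8, "big") + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _tag(key, seq, ciphertext):
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return hmac.new(mac_key, seq.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()


def protect(key, seq, plaintext):
    """Toy record protection: keystream XOR, then a tag over seq||ciphertext."""
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, seq, len(plaintext))))
    return ciphertext + _tag(key, seq, ciphertext)


def unprotect(key, seq, record):
    """Verify the tag before touching the ciphertext; raise on any modification."""
    ciphertext, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, _tag(key, seq, ciphertext)):
        raise ValueError("record authentication failed")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, seq, len(ciphertext))))


def handshake(client_message=b"GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n"):
    """Run both endpoints in one process; return the transcript and results."""
    transcript = []
    client_random, (c_priv, c_pub) = secrets.token_bytes(32), dh_keypair()
    transcript.append(("C->S", "ClientHello", {"random": client_random.hex(), "key_share": c_pub}))
    # In real TLS the server also sends its certificate and signs the key shares.
    server_random, (s_priv, s_pub) = secrets.token_bytes(32), dh_keypair()
    transcript.append(("S->C", "ServerHello", {"random": server_random.hex(), "key_share": s_pub}))
    # Each side combines its own private exponent with the other's share.
    client_keys = derive_keys(dh_shared_secret(c_priv, s_pub), client_random, server_random)
    server_keys = derive_keys(dh_shared_secret(s_priv, c_pub), client_random, server_random)
    record = protect(client_keys["client_write"], 0, client_message)
    transcript.append(("C->S", "ApplicationData", {"bytes": len(record)}))
    received = unprotect(server_keys["client_write"], 0, record)
    # An on-path attacker flips one ciphertext bit: the server must reject it.
    tampered = bytes([record[0] ^ 0x80]) + record[1:]
    try:
        unprotect(server_keys["client_write"], 0, tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"keys_match": client_keys == server_keys, "received": received,
            "tamper_rejected": tamper_rejected, "transcript": transcript}


if __name__ == "__main__":
    result = handshake()
    for direction, name, fields in result["transcript"]:
        print(direction, name, {k: (str(v)[:16] + "...") for k, v in fields.items()})
    print("keys match:", result["keys_match"], "| tamper rejected:", result["tamper_rejected"])
```

The example makes the padlock's meaning concrete: the asymmetric work happens once, to agree a secret, and everything after that is symmetric. Without the certificate step, an attacker between the two parties could run this exact exchange with each of them separately and relay the traffic, which is why the browser's certificate checks are not optional.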
VIRTUAL PRIVATE NETWORK
A virtual private network (VPN) is a secured communication tunnel for carrying private traffic over the public
Internet. The tunnel is built with a tunnelling protocol (IPsec, OpenVPN, WireGuard, and others) that encrypts the
original packets and wraps them inside ordinary Internet packets.
The main characteristics of a VPN connection include the following:
• Encrypted, private routing through a tunnel
• Encapsulation of one protocol inside another, which hides the origin and destination of the inner communication
from observers on the path
• Routing of your communication through the VPN gateway (or a proxy server)
• Your Internet activity is hidden from interception on the path
• Your IP address is masked by the VPN gateway's address
• Your browsing history is hidden from your Internet service provider, which sees only encrypted traffic to the VPN
endpoint; the VPN operator itself can still see it
• Hides your location from the sites you visit
• Hides your device's network address, though not its identity: cookies, browser fingerprints, and account logins
still identify you
• Protects the whole connection from the device to the private network
Communication over a VPN passes through a private tunnel created on the public network. Packets can still be
captured on the path, but without the session keys they cannot be read, and any modification is detected.
VPN service is extensively used by the corporations and government organizations for remote
work so that the communication remains private and secure from the external interceptions. Two
major types of VPN connections are commonly used in our modern Internet services; they are as
follows:
• Site-to-site VPN connections
• Remote-access VPN connections
The site-to-site connections are normally used to connect multiple sites and locations of a
corporation or governmental organization through VPN connections.
The remote-access VPN connections are normally used for remote work. Any employee who is
traveling can access the corporate or other private networks through a VPN connection over the
Internet. His/her communication with the corporate network remains private for the other
Internet users.
A VPN encrypts the data before transporting it over the tunnel and adds an integrity check so that tampering is
detected. The original communication protocol is wrapped inside the VPN protocol and transported over the secure
tunnel created between the VPN gateway and the VPN-enabled device.
In tunnel mode (as in IPsec ESP), the original IP packet, including its own header with the private source and
destination addresses, is encrypted as a whole, and the encrypted packet is then placed inside a new outer IP packet
addressed from the device to the VPN gateway. An observer on the Internet sees only the outer addresses, the
protocol number, and the packet size; the inner addresses, ports, and payload are hidden.
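The encapsulation step, as an added example that is not part of the original text. The Python below builds an inner IPv4 packet with private addresses, wraps it in an outer IPv4 header between the VPN endpoints (plain IP-in-IP, protocol 4, so that the inner header stays readable for the demonstration), then contrasts what an observer on the path can see with what the gateway recovers after decapsulation. In a real VPN the inner packet is encrypted first (IPsec ESP, protocol 50) and the outer protocol number would be 50, not 4. Addresses, the stub TCP payload, and the scenario are constructed.

```python
"""IP-in-IP encapsulation: what a VPN gateway wraps and what the Internet sees.

Added example. Plain encapsulation only; an encrypting VPN (IPsec ESP) would
encrypt the inner packet before wrapping it. Addresses and payload are constructed.
"""
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header without options
PROTO_TCP = 6
PROTO_IPIP = 4            # IP-in-IP (RFC 2003); an encrypting VPN uses ESP (50)


def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=64, ident=0):
    """Assemble header + payload with a correct header checksum."""
    total_len = IPV4_HDR.size + len(payload)
    hdr = IPV4_HDR.pack(0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Decode a header; reject a corrupted one via the checksum."""
    vihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = IPV4_HDR.unpack(packet[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if checksum(bytes(packet[:ihl])) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": bytes(packet[ihl:total_len])}


def encapsulate(inner_packet, endpoint_src, endpoint_dst):
    """The VPN endpoint repacks the whole inner packet as the payload of an outer one."""
    return ipv4_packet(endpoint_src, endpoint_dst, PROTO_IPIP, inner_packet)


def decapsulate(outer_packet):
    """The far endpoint strips the outer header and recovers the original packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != PROTO_IPIP:
        raise ValueError("not a tunnelled packet")
    return parse_ipv4(outer["payload"])


def observer_view(outer_packet):
    """What a router or ISP on the path can see: the outer header only."""
    view = parse_ipv4(outer_packet)
    return {"src": view["src"], "dst": view["dst"], "proto": view["proto"],
            "bytes": len(view["payload"])}


def demo():
    # Inner packet: laptop on the corporate VPN (10.0.0.5) to an internal server.
    # The payload is a constructed stub standing in for a TCP segment.
    inner = ipv4_packet("10.0.0.5", "172.16.0.9", PROTO_TCP, b"\x1f\x90\x00\x50" + b"payroll query")
    # Outer packet: the laptop's public address to the corporate VPN gateway.
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.1")
    return {"on_the_wire": observer_view(outer), "at_gateway": decapsulate(outer), "outer": outer}


if __name__ == "__main__":
    result = demo()
    print("observer sees :", result["on_the_wire"])
    print("gateway sees  :", {k: v for k, v in result["at_gateway"].items() if k != "payload"})
```

Even in this unencrypted form the outer header already hides the inner addresses from anyone who only reads headers; it is the encryption of the inner packet that stops a capturing attacker from simply parsing the payload as the gateway does here.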
Virtual private network
The main advantages of a VPN connection include the following:
• Higher level of privacy
• Greater data security
• Better reliability than the public network alone offers for private traffic
• A degree of anonymity toward the sites you visit (not toward the VPN operator)
• Reduced cost compared with dedicated leased lines between sites