Computer Security
Threats, Malware, Cryptography, Firewalls & Security Policy
Security Threats & Attacks
Understanding active vs passive threats and the attack taxonomy
Active vs Passive Attacks
Passive Attacks
Attacker only observes — does not modify data. Hard to detect because no data is changed.
- Eavesdropping — listening to network traffic
- Traffic analysis — inferring patterns from timing and volume
- Port scanning — discovering open network services
Active Attacks
Attacker modifies, blocks, or fabricates data. Easier to detect but more damaging.
- Man-in-the-Middle (MITM) — intercept and alter communication
- Replay attack — capture and re-send valid packets
- Denial of Service (DoS) — overwhelm target to block access
- SQL Injection — insert malicious database commands
4 Types of Security Attacks
| Attack Type | What Happens | Example | Category |
|---|---|---|---|
| Interruption | System resource is destroyed or unavailable | Cutting a network cable; DoS attack | Active |
| Interception | Unauthorised party gains access to data | Wiretapping; eavesdropping on WiFi | Passive |
| Modification | Unauthorized party modifies data in transit | Attacker changes a bank transfer amount | Active |
| Fabrication | Unauthorized party inserts counterfeit data | Fake DNS response; forged email from CEO | Active |
Common Security Threats
Unauthorized Access
Gaining entry to systems or data without permission. May use stolen credentials, brute force, or exploiting unpatched vulnerabilities.
Data Theft
Copying sensitive data (financial records, personal information, intellectual property) without authorization. Often exfiltrated through the network.
Denial of Service (DoS)
Flooding a server with requests until it can no longer serve legitimate users. Distributed DoS (DDoS) uses thousands of compromised machines.
Social Engineering
Manipulating people into revealing information or performing actions. Exploits human psychology rather than technical vulnerabilities.
Phishing
Fraudulent emails or websites impersonating trusted entities to steal credentials or install malware. Most common entry point for breaches.
Insider Threat
Malicious or negligent actions by employees, contractors, or others with legitimate access. Hard to detect — they already have credentials.
Threat vs Vulnerability vs Risk
Threat
A potential cause of an incident that may harm a system or organisation. eg: An attacker who wants to steal your data.
Vulnerability
A weakness in a system that could be exploited by a threat. eg: An unpatched web server running old software.
Risk
The probability that a threat will exploit a vulnerability, combined with the impact if it does. Risk = Threat × Vulnerability × Impact.
Exploit
The actual method or tool used to take advantage of a vulnerability. eg: A malware payload that exploits a buffer overflow.
Malicious Software & Viruses
The malware zoo — types, spread, and detection
Virus
Code that attaches itself to a legitimate host file and replicates when the host is executed. Cannot spread without human action (someone running the infected file). Types: boot sector (infects MBR), file (attaches to .exe), macro (inside Office documents), polymorphic (mutates to evade detection).
Worm
Self-replicating malware that spreads independently across networks WITHOUT needing a host file. Exploits network vulnerabilities or email. A single worm can infect millions of systems in hours. Examples: ILOVEYOU, WannaCry.
Trojan Horse
Malware disguised as useful legitimate software (a game, utility, or crack). Does NOT self-replicate — the user voluntarily installs it. Once inside, it performs hidden malicious actions: opening backdoors, downloading other malware, or stealing data.
Malware Types Reference Table
| Malware | Self-Replicates? | Needs Host? | Primary Goal | Example |
|---|---|---|---|---|
| Virus | Yes (with host) | Yes | Corrupt files, spread | Melissa, CIH |
| Worm | Yes (independent) | No | Spread, install payloads | WannaCry, Conficker |
| Trojan Horse | No | No (self-contained) | Backdoor, data theft | Zeus banking Trojan |
| Spyware | No | No | Steal credentials, monitor activity | FinFisher, Pegasus |
| Adware | No | No | Display ads, redirect browser | Fireball, DollarRevenue |
| Ransomware | No | No | Encrypt files, demand payment | WannaCry, LockBit |
| Rootkit | No | No | Hide malware, maintain access | Necurs, TDSS |
| Keylogger | No | No | Record keystrokes for theft | Ardamax, LokiBot |
| Botnet | Yes (via C&C) | No | DDoS, spam, crypto mining | Mirai, Emotet |
How Antivirus Works
Signature-Based Detection
Compares files against a database of known malware fingerprints (hashes). Fast and accurate for known threats. Fails against new (zero-day) malware and polymorphic viruses that constantly change their signature.
Heuristic Detection
Analyses the behaviour and structure of programs looking for suspicious patterns (eg: trying to access the registry, replicating itself, encrypting files). Can detect new malware not yet in the signature database. May produce false positives.
Sandboxing
Executes suspicious programs in an isolated virtual environment to observe what they actually do before allowing them to run on the real system. Used by enterprise and cloud security solutions.
Real-Time Protection
Monitors the file system and processes continuously, scanning files as they are created, downloaded, or executed. Intercepts threats before they can run. Must be kept updated to remain effective.
Cryptography & Digital Signatures
The mathematics of secrecy and identity
Cryptography
The science of converting plaintext (readable data) into ciphertext (unreadable scrambled data) using a mathematical algorithm and a key, so that only authorised parties can read it.
Plaintext
The original, readable message before encryption.
Ciphertext
The scrambled, unreadable output after encryption. Meaningless without the decryption key.
Key
A secret value used by the algorithm to encrypt or decrypt. The security of modern cryptography depends on the key being secret, not on the algorithm being secret.
Symmetric vs Asymmetric Encryption
| Feature | Symmetric | Asymmetric |
|---|---|---|
| Keys used | One shared key (same to encrypt and decrypt) | Key pair: public key + private key |
| Speed | Fast — suitable for bulk data | Slow — suitable for small data / key exchange |
| Key sharing problem | Yes — how do you share the key securely? | No — public key can be shared openly |
| Main algorithms | AES (128/256-bit), DES (outdated) | RSA, Elliptic Curve Cryptography (ECC) |
| Typical use | Encrypting files, disk encryption, VPN data | Digital signatures, SSL/TLS handshake, key exchange |
| Analogy | Same physical key opens and locks the door | A padlock anyone can click shut; only you have the key |
Hash Functions
What is a Hash Function?
A one-way function that produces a fixed-length output (digest) from any input. SHA-256 always produces a 256-bit hash regardless of input size. Even a single character change produces a completely different hash.
Properties: deterministic, one-way (cannot reverse), collision-resistant, avalanche effect.
Uses of Hash Functions
- Password storage — store hash, not plaintext password
- File integrity — verify downloaded files haven't been tampered with
- Digital signatures — sign the hash, not the whole document
- Blockchain — each block contains the previous block's hash
Common: SHA-256 (secure), MD5 (outdated, insecure)
Digital Signatures
A digital signature proves both the identity of the sender and that the message has not been altered. Process:
SSL/TLS — How HTTPS Works
HTTPS = HTTP + TLS (Transport Layer Security). When you visit a bank website, TLS creates a secure, encrypted channel. The process: (1) Browser requests HTTPS connection. (2) Server sends its SSL certificate (contains public key). (3) Browser verifies the certificate with a trusted Certificate Authority. (4) Browser and server use asymmetric encryption to exchange a symmetric session key. (5) All further communication uses the fast symmetric session key. Asymmetric for key exchange, symmetric for speed — best of both worlds.
Firewall & Intrusion Detection System
Network perimeter defense and threat monitoring
Firewall
A security system (hardware or software) that monitors and controls incoming and outgoing network traffic based on predefined security rules. Acts as a barrier between trusted internal networks and untrusted external networks.
Types of Firewalls
| Type | How It Works | Pros | Cons |
|---|---|---|---|
| Packet-Filtering Firewall | Examines each packet header (IP, port, protocol) against rules. Stateless. | Fast, low cost, hardware-level | Cannot inspect payload, no session awareness |
| Stateful Firewall | Tracks the state of active connections. Only allows packets that are part of established sessions. | Better security, aware of connections | Slower than packet-filtering |
| Application-Layer (Proxy) Firewall | Acts as intermediary, inspects full content at the application layer (HTTP, FTP, DNS). | Highest security, deep inspection | Slowest, complex to configure |
| Next-Generation Firewall (NGFW) | Combines stateful + application inspection + IDS/IPS + SSL decryption in one appliance. | Comprehensive, modern standard | Expensive, resource-intensive |
IDS vs IPS
IDS — Intrusion Detection System
Monitors network traffic and system activity for suspicious patterns and known attack signatures. Generates alerts when it detects potential threats.
Key point: IDS DETECTS — it only alerts. It does NOT automatically block the traffic. A human must respond to the alert.
IPS — Intrusion Prevention System
An IDS that also takes automated action — it can block, drop, or rate-limit suspicious traffic in real time without human intervention.
Key point: IPS DETECTS + BLOCKS. It sits inline in the network so it can intercept and drop malicious packets before they reach their target.
DMZ — Demilitarized Zone
A DMZ is a physically or logically separated network segment that sits between the public Internet and the internal private network. Public-facing servers (web, email, DNS) are placed in the DMZ so that even if they are compromised, attackers cannot directly reach the internal corporate network. Two firewalls are used: one between Internet and DMZ, one between DMZ and internal network.
User Authentication Methods
| Method | Factor Type | How It Works | Strength |
|---|---|---|---|
| Password | Something you know | User enters a secret string known only to them | Weak alone — can be guessed, stolen, or leaked |
| OTP / 2FA App | Something you have | Time-based one-time code sent to phone or generated by app | Strong — changes every 30 seconds |
| Biometrics | Something you are | Fingerprint, face recognition, iris scan | Very strong — hard to replicate, but privacy concerns |
| Smart Cards / Hardware Token | Something you have | Physical device stores cryptographic key | Very strong — requires physical possession |
| Multi-Factor Auth (MFA) | Two or more factors | Combines any two of the above categories | Strongest — one factor stolen is not enough |
Security Awareness & Policy
Rules, backup strategies, and Nepal's cyber law
Security Policy
A formal document that defines the rules and procedures governing how an organisation's IT resources and information assets must be protected, used, and managed. It is the foundation of an organisation's security posture.
Password Best Practices
Length
Minimum 12 characters. Longer passwords exponentially increase brute-force time. A 16-character password takes centuries to crack.
Complexity
Mix uppercase, lowercase, numbers, and symbols. Avoid dictionary words, keyboard patterns (qwerty), or personal information.
Uniqueness
Never reuse passwords across accounts. If one account is breached, unique passwords prevent credential stuffing attacks on other accounts.
Password Manager
Use a password manager (Bitwarden, 1Password) to generate and store unique passwords for every account. You only need to remember one master password.
Backup Strategy — The 3-2-1 Rule
Copies of data
Keep 3 total copies: the original + 2 backups. If one copy is lost or corrupted, you still have two others.
Different media types
Store copies on at least 2 different types of storage (eg: hard disk + cloud). Protects against media-specific failure.
Offsite copy
Keep at least 1 copy offsite (cloud, different location). Protects against fire, flood, or theft at the primary location.
Physical Security
Locked Server Rooms
Critical servers should be physically secured in locked rooms with access limited to authorised personnel only. Visitor logs should be maintained.
Cable Locks
Laptops and workstations in public areas should be secured with Kensington cable locks to prevent theft of the hardware itself.
CCTV Surveillance
Cameras in server rooms, data centres, and access points deter and record physical intrusions.
Tailgating Prevention
Secure access areas should have airlocks or card readers that ensure only one authorised person enters at a time.
Nepal Cyber Law — Electronic Transactions Act 2063 (2006)
Nepal's primary cyber law is the Electronic Transactions Act 2063 (2006 AD). Key provisions:
Digital Signatures: Legally recognises electronic signatures as valid for electronic documents and contracts — equal to handwritten signatures.
Unauthorized Computer Access: Makes unauthorized access to computer systems a criminal offence. Penalty: up to 3 years imprisonment or Rs 2 lakh fine, or both.
Hacking & Damage to Systems: Destroying, altering, or damaging computer systems or data is punishable by up to 5 years imprisonment or Rs 5 lakh fine.
Publishing Illegal Content: Criminalises publishing obscene, defamatory, or nationally harmful digital content.
Electronic Fraud: Fraudulent transactions using computers or networks are criminal offences.
Individual Privacy Act 2075 (2018): Added provisions for personal data protection, privacy rights, and data handling obligations for organisations.
Analytical Questions
Unit Summary
Core topics, important exam questions & syllabus coverage
Core Topics
CIA Triad — Confidentiality, Integrity, Availability
4 attack types: Interruption, Interception, Modification, Fabrication
Passive vs active attacks — eavesdropping vs modification
Malware taxonomy — virus, worm, Trojan, ransomware, spyware
Symmetric vs asymmetric encryption — AES vs RSA
Digital signatures — hash + private key → verification via public key
Firewall types — packet-filtering, stateful, application-layer, NGFW
IDS vs IPS — detect-only vs detect-and-block
Backup 3-2-1 rule — 3 copies, 2 media, 1 offsite
Nepal Cyber Law — ETA 2063 (2006), key penalties
Important Exam Questions
Q1. What is cryptography? Differentiate symmetric and asymmetric encryption.
Q2. Explain types of malware. How does antivirus detect and remove them?
Q3. What is a firewall? Explain its types and compare IDS vs IPS.
Q4. What is a digital signature? Explain the signing and verification process.
Q5. What is the CIA triad? Explain with examples in the context of network security.
Q6. Write short notes on: Nepal Electronic Transactions Act 2063.
Syllabus Coverage Checklist
Security threats — unauthorized access, data theft, DoS, phishing
Active vs passive attacks and the 4 attack categories
Malware types — virus, worm, Trojan, ransomware, spyware, rootkit
Antivirus detection — signature-based, heuristic, sandboxing
Cryptography — symmetric (AES), asymmetric (RSA), hash functions
Digital signatures and how HTTPS/TLS works
Firewalls — types and use cases
IDS vs IPS, DMZ concept
Security policy, password best practices, physical security
Nepal ETA 2063 — key offences and penalties
How to Remember This Unit
Mnemonics for security topics
Attack types: "IIMF"
I=Interruption (blocks) · I=Interception (peeks) · M=Modification (alters) · F=Fabrication (fakes). Active = IIM (first I and IM) · Passive = second I (Interception only)
Malware: "ViWoTrSpRaAdRoKe"
Virus(host) · Worm(self) · Trojan(disguise) · Spyware(watch) · Ransomware(encrypt) · Adware(ads) · Rootkit(hide) · Keylogger(record)
Virus vs Worm key difference
Virus = NEEDS a host file to attach to. Worm = needs NO host, spreads over networks independently.
Encryption: "Sym=Same, Asym=Pair"
Symmetric = Same key both ways (fast, AES) · Asymmetric = Public+Private pair (slow, RSA, solves key sharing)
Digital signature process: "Hash → Sign → Verify"
Sender hashes document → encrypts hash with PRIVATE key → receiver decrypts with PUBLIC key → re-hashes to compare
Firewall types (weakest to strongest)
Packet-filtering → Stateful → Application-layer (proxy) → NGFW
IDS vs IPS: "D for Detective, P for Police"
IDS = Detective (only detects, reports) · IPS = Police (detects AND blocks actively)
3-2-1 backup rule
3 copies total · 2 different media types · 1 copy offsite
Nepal Cyber Law
Electronic Transactions Act 2063 (2006) · Unauthorized access = 3 yr max · Hacking = 5 yr max
Firewall vs IDS/IPS placement
Firewall = at the EDGE (perimeter) · IDS/IPS = INSIDE the network monitoring traffic
Unit 6 Quiz
1. Which type of attack intercepts data in transit without modifying it?
2. A virus differs from a worm in that a virus:
3. In asymmetric encryption, a message encrypted with the sender's private key can be decrypted by:
4. A packet-filtering firewall makes decisions based on:
5. Nepal's Electronic Transactions Act was enacted in: