NETAJI SUBASH UNIVERSITY OF TECHNOLOGY, EAST

CAMPUS GEETA COLONY, NEW DELHI - 110031

PRACTICAL FILE

Information Security & Risk Management

(CSISE14)

SUBMITTED BY: SUBMITTED TO:

Rahul Kumar Singh Dr. Suresh Kumar
2024RCP4006 Associate Professor
P.hd. (CSE) Department of CSE
 INDEX

Exp Title of Experiment Date Page No. Remarks

No.
1 Setting up and configuring a firewall using IPTables 1-3
on Artix Linux VMs

2 Segregating Networks using IP subnetting and 4-7

Python simulation

3 Creating and using a Password Policy using Python 8-10

4 Using encryption and decryption via the 11-13

cryptography library in Python

5 Installing Anti-malware and Anti-ransomware 14-16

Tools on Windows

6 Using Multi-Factor Authentication for Users 17-18

Accessing Systems

7 To assess and implement website security at server 19-21

and client side

8 Developing security and risk analysis based mobile 22-24

apps

9 Evaluate the effectiveness of the system using Java- 25-28

based permission analysis and scoring
 Experiment – 1

Aim: Setting up and configuring a firewall. Three virtual machines

running Linux (e.g artix linux with no X window – a bare console
setup with 256 MB RAM and single core). One of the VMs should
have two (virtualized) network interface (in host only mode) and
the other two could have two different interfaces.

Theory :-
Linux IPTables firewalls to do traffic filtering (a form for of network ACLs). It's a
user-space utility program that allows a system administrator to configure the IP
packet filter rules of the Linux kernel firewall. IPTables uses tables (like filter, nat,
mangle) and each table contains chains (like INPUT, OUTPUT, FORWARD)
which in turn contain rules.

Tools Used :-
· Artix Linux VM
· VirtualBox
· CLI

Procedure :-
a.​ Assign private IP addresses to each interface, such that the VMs can ping
one another. VM1 (iface1) and VM2 (iface1) should be in the same subnet.
VM2(iface2) and VM3 (iface1) should be in the same subnet.
 b.​ Setup IP forwarding on VM2 such that VM1 can ping both interfaces IPs of
VM2 and VM3. Make sure traffic from VM1 to VM3 goes via VM2 (can be
seen via traceroute).
c.​ On VM3 add another interface with which it can access the Internet. Install a
HTTP server (e.g. Apache, lighttp or nginix) on the VM3. Create a web
directory and add some files to it.

d.​ You need to use IPTables on VM2 and configure bi-directional Network
Address Translation on VM2. Thus, when VM1 access the webserver on
VM3, or when VM2 access the webserver on VM3, in both cases you should
observe connections coming from VM2. Similarly when responses go back
to VM1, it should appear that they are arriving from VM2 and not VM3.
You need to show screenshot outputs taken from Wireshark, showing the
bidirectional NATing.

e.​ Enable webserver process on port 80 and 443. Configure the firewall on
VM2 to restrict access only to those ports and not allow anything else. To
test correct functionality you could additionally install SSH server on VM3
and try to access it. Correct firewall functionality should restrict access to
port 22 (SSH).

f.​ Configure the firewall such that only connections from VM1 are allowed on
port 80 and 443 on the HTTP server on VM3. Access from VM2 should not
be allowed

Code :-
3 VMs running Artix Linux as per the specifications given(NOTE: This is a screen
shot of /etc/rc.local file after executing these commands on the cmd line).
VM1

VM2

VM3
Output :-
The final result is a bi-directional NAT keeping everything in mind.
 Experiment – 2
Aim: Segregating Networks

Theory :-
Network segregation is a fundamental concept in information security and
network management. It involves dividing a large network into smaller, isolated
segments or subnets. The main purpose of segregation is to enhance security,
improve performance, and simplify network management.
By isolating groups of devices (like HR, Finance, or Admin departments) into
separate subnets, we limit unnecessary communication and reduce the attack
surface in case of a security breach.
Segregation can be achieved through methods such as:
●​ Subnetting: Dividing IP address space into smaller logical networks.
●​ VLANs (Virtual Local Area Networks): Creating isolated virtual networks
at the data link layer.
●​ Firewalls and Access Control Lists (ACLs): Controlling traffic between
different segments.
In this practical, we simulate segregation using IP addressing and subnet masks.
We define devices in different subnets and check whether two devices can
communicate by comparing their network addresses derived from IP and subnet
mask.
Only devices in the same subnet can directly communicate, representing effective
network segregation.

Tools Used :-
●​ Python 3
●​ Basic IP and subnetting logic
●​ Object-Oriented Programming (OOP)
Procedure :-
1.​ Define a Device class in Python with properties such as name, IP address,
and subnet mask.
2.​ Implement a method to calculate the network address using the IP and
subnet mask.
3.​ Define multiple devices from different departments with appropriate IPs.
4.​ Create a function to check if two devices belong to the same subnet.
5.​ Print a communication matrix to show which devices can and cannot
communicate.

Code :-
class Device:
def __init__(self, name, ip, subnet_mask):
self.name = name
self.ip = ip
self.subnet_mask = subnet_mask

def network_address(self):
def ip_to_int(ip):
return [int(x) for x in ip.split('.')]

ip_parts = ip_to_int(self.ip)
mask_parts = ip_to_int(self.subnet_mask)

net = [ip & mask for ip, mask in zip(ip_parts, mask_parts)]

return '.'.join(str(x) for x in net)

def __repr__(self):
return f"{self.name} ({self.ip})"
def can_communicate(dev1, dev2):
return dev1.network_address() == dev2.network_address()

# Define devices
devices = [
Device("HR_PC1", "192.168.1.10", "255.255.255.0"),
Device("HR_PC2", "192.168.1.20", "255.255.255.0"),
Device("Finance_PC1", "192.168.2.10", "255.255.255.0"),
Device("Finance_PC2", "192.168.2.20", "255.255.255.0"),
Device("Admin_PC", "192.168.3.5", "255.255.255.0"),
]

# Test communication
print(" 🔍 Communication Matrix:")
for i in range(len(devices)):
for j in range(i + 1, len(devices)):
d1 = devices[i]
d2 = devices[j]
result = "Can communicate" if can_communicate(d1, d2) else "Segregated"
print(f"{d1.name} ↔ {d2.name}: {result}")
Output:-
 Experiment-3
Aim: Creating and using a password policy

Theory
A password policy ensures that passwords meet specific security standards, such as
length, complexity, and expiration
Define a Password Policy
A strong password policy typically includes:
●​ Minimum length (e.g., 8 characters)
●​ At least one uppercase letter
●​ At least one lowercase letter
●​ At least one digit
●​ At least one special character

Program
Implementing the password policy in python:

import re

class PasswordPolicy:
def init (self, min_length=8, require_upper=True, require_lower=True,
require_digit=True, require_special=True):
self.min_length = min_length self.require_upper = require_upper
self.require_lower = require_lower self.require_digit = require_digit
self.require_special = require_special

# Regular expression pattern for password validation self.pattern =

self._build_pattern()
def _build_pattern(self):
conditions = []
if self.require_upper:
conditions.append(r"(?=.*[A-Z])") # At least one uppercase if self.require_lower:
conditions.append(r"(?=.*[a-z])") # At least one lowercase if self.require_digit:
conditions.append(r"(?=.*\d)")​ # At least one digit if self.require_special:
conditions.append(r"(?=.*[@$!%*?C])") # At least one special character

conditions.append(fr".{{{self.min_length},}}") # Minimum length

return "^" + "".join(conditions) + "$"

def validate(self, password):

return bool(re.match(self.pattern, password))

# Example usage
policy = PasswordPolicy(min_length=10) password = input("Enter your password:
")

if policy.validate(password): print("Password is strong!")

else:
print("Password does not meet policy requirements.")
Output
 Experiment – 4
Aim: Using encryption and decryption

Theory :-
Encryption is the process of converting plaintext into ciphertext using a
cryptographic algorithm to prevent unauthorized access. Decryption is the reverse
process, converting ciphertext back into readable plain text using a key.
There are two types of encryption:
●​ Symmetric Encryption: The same key is used for both encryption and
decryption.​

●​ Asymmetric Encryption: Uses a pair of keys – a public key for encryption

and a private key for decryption.​

In this practical, we demonstrate symmetric encryption using Python’s

cryptography library. We encrypt and decrypt messages to simulate secure
communication.

Tools Used :-
●​ Python 3
●​ Cryptography library (Fernet module)

Procedure :-
1.​ Import the Fernet module from the cryptography package.
2.​ Generate a symmetric key.
3.​ Use the key to encrypt a plaintext message.
4.​ Decrypt the encrypted message using the same key.
5.​ Print the original message, encrypted message, and decrypted message.
Code :-
from cryptography.fernet import Fernet
key = Fernet.generate_key()
cipher = Fernet(key)
# Step 2: Original message
message = "Confidential data to be secured"
encoded_message = message.encode()
# Step 3: Encrypt the message
encrypted_message = cipher.encrypt(encoded_message)
# Step 4: Decrypt the message
decrypted_message = cipher.decrypt(encrypted_message).decode()

# Step 5: Output
print("Original Message:", message)
print("Encrypted Message:", encrypted_message)
print("Decrypted Message:", decrypted_message)
Output :-
 Experiment-5
Aim: Installing anti-malware and anti-ransomware tools

Step-by-Step: Installing Anti-Malware and Anti-Ransomware Tools on Windows

Step 1: Choose a Trusted Security Tool You need to select a good-quality
antivirus/anti-malware product. Some excellent choices include:

Step 2: Download the Software Safely

1. Open a trusted web browser like Google Chrome or Microsoft Edge.
2. Go to the official website of the product. o Example for Malwarebytes:
https://www.malwarebytes.com
3. Click on “Download” or “Free Download” button.
4. Save the installer file (usually ends with .exe) to your Downloads folder.

Step 3: Install the Software

1. Open the Downloads folder.
2. Double-click the installer file (e.g., mbsetup.exe for Malwarebytes).
3. If prompted by Windows (User Account Control), click “Yes” to allow the
installer to run.
4. Follow the on-screen steps:
Accept the license agreement.
Choose between Personal or Business use (if asked).
Click Next or Install.
5. Wait for the installation to complete.
6. Click Finish or Launch to open the software.

Step 4: Configure Real-Time Protection

1. Open the newly installed software (if not already open).
2. Navigate to Settings or Protection tab.
3. Enable the following:
Real-Time Protection
Web Protection
Ransomware Protection
Automatic Threat Scans
4. In Malwarebytes, go to “Security” > “Real-Time Protection” and ensure all
toggles are ON.

Step 5: Set Up Ransomware-Specific Protection

Some software may offer a separate section for ransomware protection.
For Malwarebytes:
• Go to Settings > Security > Ransomware Protection and make sure it’s ON.
For Windows Defender:
1. Go to Settings > Update & Security > Windows Security.
2. Click “Virus & threat protection”.
3. Under Ransomware protection, click Manage ransomware protection.
4. Turn on Controlled Folder Access.
5. Click Protected folders to add folders like Documents, Pictures, and Desktop.
Step 6: Update the Software
1. Open the software.
2. Look for a “Check for updates” or “Update” option.
3. Run it to make sure the tool is using the latest virus definitions.

Step 7: Run a Full System Scan

1. In the app, find the Scan button.
2. Choose Full Scan or Threat Scan.
3. Let it scan your computer (may take 20–60 mins).
4. If threats are found, follow instructions to quarantine or delete them.

Step 8: Enable Scheduled Scans (Optional but Recommended)

1. Open the software’s settings.
2. Look for Scan Scheduler or Automatic Scans.
3. Set it to scan daily or weekly at a time when your PC is usually on.

Step 9: Backup Important Files Just in case ransomware bypasses your

defenses:
• Use OneDrive, Google Drive, or an external hard drive.
• Set automatic backup for your important folders.
 Experiment-6
Aim: Using Multi-Factor Authentication for Users Accessing
Systems Theory

Multi-Factor Authentication (MFA) adds extra layers of security beyond just

username and password. Common factors include a password and a one-time
password (OTP) sent via email or phone.

Program

# Simulated MFA System

import random
def send_otp():
return random.randint(100000, 999999)
def login_system():
username = input("Enter username: ") password = input("Enter password: ")

if username == "admin" and password == "secure123": otp = send_otp()

print(f"OTP sent: {otp}") # In real apps, this is sent to email or phone user_otp =
int(input("Enter the OTP: "))
if user_otp == otp:
print("Login successful with MFA!") else:
print("Incorrect OTP. Access Denied.") else:
print("Invalid credentials.")
# Example usag

login_system()
Output
 Experiment:7
Aim: To assess and implement website security at server and
client side

Theory
This HTML code demonstrates client-side security practices in a login form. It
includes JavaScript functions to:
●​ Validate inputs: Ensures fields are not empty.
●​ Sanitize input: Uses DOM methods to escape harmful characters
and prevent Cross-Site Scripting (XSS) attacks.
●​ Secure form submission: Data is only submitted if validation
passes, improving security before it reaches the server.
This helps protect the user and server from malicious scripts injected through the
login form.
Program
<!-- login.html -->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Secure Login</title>
<script>
function sanitizeInput(input) {
const temp = document.createElement('div');
temp.textContent = input;
return temp.innerHTML;
}
 function validateForm() {
const username = document.getElementById('username').value;
const password = document.getElementById('password').value;

if (!username || !password) {

alert("All fields are required!");

return false;
}

// Sanitize input (prevent XSS)

document.getElementById('username').value = sanitizeInput(username);
document.getElementById('password').value = sanitizeInput(password);

return true;
}

</script>
</head>
<body>
<form action="/login" method="POST" onsubmit="return validateForm()">
<label>Username: <input type="text" id="username"
name="username"></label><br>
<label>Password: <input type="password" id="password"
name="password"></label><br>
 <input type="submit" value="Login">
</form>
</body>
</html>

Output:
 EXPERIMENT - 8
Aim: Developing security and risk analysis based mobile apps

Objective:
To design, develop, and evaluate mobile applications that can detect, assess, and
report security vulnerabilities and risk factors on mobile devices.

Hypothesis:
A mobile application equipped with real-time security and risk analysis
mechanisms can improve user awareness and protection against common mobile
threats such as malware, insecure network connections, and data leakage.

Materials & Tools:

●​ Android Studio / Xcode (for development)
●​ Programming languages: Java/Kotlin for Android, Swift for iOS
●​ Firebase / AWS for backend support
●​ Static and dynamic analysis tools (e.g., MobSF, QARK, Frida)
●​ Dataset of known mobile vulnerabilities (e.g., CVE database)
●​ Test devices (smartphones or emulators)
●​ Wireshark (for network traffic analysis)
●​ GitHub (for version control)

Methodology:
1.​Requirements Gathering

●​ Identify common mobile threats (malware, insecure APIs, unencrypted data

transmission, etc.).
●​ Review literature on mobile risk analysis techniques.
●​ Interview mobile users for awareness and needs.
2.​App Development

●​ Module 1: Vulnerability Scanner

o​ Scan installed apps and permissions.
o​ Check for known CVEs.
●​ Module 2: Network Monitor
o​ Analyze current network connections.
o​ Detect suspicious activities (e.g., MITM attacks).
●​ Module 3: Risk Assessment Engine
o​ Score risk levels using a defined risk matrix (likelihood vs impact).
●​ Module 4: Reporting & Recommendations
o​ Provide real-time alerts and suggest mitigation steps.
3.​Testing & Evaluation

●​ Use a group of 10–20 mobile users for testing.

●​ Evaluate app performance (CPU/memory usage, battery impact).
●​ Conduct penetration tests to assess app robustness.
●​ Measure user awareness before and after using the app via questionnaires.

Data Collection:
●​ User behavior logs (with consent).
●​ Detected threats and false positives.
●​ Pre/post user survey responses.

Results:
●​ A functional prototype capable of real-time threat detection and risk scoring.
●​ Measurable increase in user awareness and proactive behavior.
●​ Identification of common mobile security gaps.
Conclusion:
This experiment aims to create a foundation for user-friendly mobile apps that not
only detect security threats but also educate users about their risk posture in real-time.
 Experiment-9
Aim: Evaluate the effectiveness of the system

Theory

Risk Weights: Each sensitive permission is assigned a numerical weight (e.g.,

READ_SMS = 10, INTERNET = 2). These reflect how risky the permission is.
Risk Score Calculation: The app’s total risk score is calculated by summing the
weights of its requested permissions.
Risk Classification: If the score is above a threshold (e.g., 10), the app is classified as
risky, otherwise safe.
Evaluation Metrics: The system's effectiveness is evaluated using:
●​ Accuracy: Correct predictions overall
●​ Precision: Correctly identified risky apps out of all predicted risky
●​ Recall: Correctly identified risky apps out of all actual risky
●​ F1 Score: Balance between precision and recall

Program

import java.util.*; public class Main {

private static final Map<String, Integer> RISK_WEIGHTS = Map.of(
"android.permission.READ_SMS", 10,
"android.permission.ACCESS_FINE_LOCATION", 8,
"android.permission.RECORD_AUDIO", 7,
"android.permission.READ_CONTACTS", 6,
"android.permission.INTERNET", 2
);
public static int calculateRiskScore(List<String> permissions) { int score = 0;
for (String perm : permissions) {
score += RISK_WEIGHTS.getOrDefault(perm, 1);
}
return score;
}

static class TestCase { List<String> permissions; int expectedLabel;

TestCase(List<String> permissions, int expectedLabel) {

this.permissions = permissions; this.expectedLabel = expectedLabel;

}
}

public static void evaluateSystem(List<TestCase> testCases, int threshold) { int TP =

0, TN = 0, FP = 0, FN = 0;

for (TestCase test : testCases) {

int score = calculateRiskScore(test.permissions); int predicted = score >= threshold ?
1 : 0;

if (predicted == 1 && test.expectedLabel == 1) TP++;

else if (predicted == 0 && test.expectedLabel == 0) TN++; else if (predicted == 1
&& test.expectedLabel == 0) FP++; else if (predicted == 0 && test.expectedLabel ==
1) FN++;
}
double accuracy = (double)(TP + TN) / testCases.size(); double precision = TP + FP
!= 0 ? (double) TP / (TP + FP) : 0; double recall = TP + FN != 0 ? (double) TP / (TP +
FN) : 0;
double f1 = precision + recall != 0 ? 2 * precision * recall / (precision + recall) : 0;

System.out.println("Threshold: " + threshold); System.out.println("Accuracy: " +

accuracy); System.out.println("Precision: " + precision); System.out.println("Recall: "
+ recall); System.out.println("F1 Score: " + f1);
}

public static void main(String[] args) { List<TestCase> testCases = List.of(

new TestCase(List.of("android.permission.INTERNET"), 0),
new TestCase(List.of("android.permission.ACCESS_FINE_LOCATION"), 1), new
TestCase(List.of("android.permission.READ_SMS",
"android.permission.READ_CONTACTS"), 1),
new TestCase(List.of("android.permission.INTERNET",
"android.permission.READ_CONTACTS"), 1),
new TestCase(List.of("android.permission.BLUETOOTH"), 0)
);

evaluateSystem(testCases, 10);
}
}
Output