Cyber Security [105713] – Notes
Module 1
Cyber Security Concepts: Essential Terminologies: CIA, Risks, Breaches, Threats, Attacks, Exploits. Information
Gathering (Social Engineering, Foot Printing & Scanning). Open Source/ Free/ Trial Tools: nmap, zenmap, Port
Scanners, Network scanners.
Introduction:
Cyber security has become a major concern because cyber threats and attacks keep growing. Attackers now use more sophisticated techniques to target systems. Individuals, small businesses and large organizations are all affected. As a result, IT and non-IT firms alike have recognised the importance of cyber security and are focusing on adopting all possible measures to deal with cyber threats.
What is cyber security?
"Cyber security is primarily about people, processes, and technologies working together to encompass the full range
of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and
recovery policies and activities, including computer network operations, information assurance, law enforcement,
etc."
OR
Cyber security is the body of technologies, processes, and practices designed to protect networks, computers,
programs and data from attack, damage or unauthorized access.
The term cyber security refers to techniques and practices designed to protect digital data, that is, the data that is stored, transmitted or used on an information system.
OR
Cyber security is the protection of Internet-connected systems, including hardware, software, and data from cyber-
attacks.
The term is made up of two words: cyber and security.
Cyber relates to technology, which includes systems, networks, programs and data.
Security relates to protection, which includes system security, network security, application security and information security.
Why is cyber security important?
Listed below are the reasons why cyber security is so important in what’s become a predominant digital world:
Cyber-attacks can be extremely expensive for businesses to endure.
In addition to financial damage suffered by the business, a data breach can also inflict untold reputational
damage.
Cyber-attacks these days are becoming progressively destructive. Cybercriminals are using more
sophisticated ways to initiate cyber-attacks.
Regulations such as GDPR are forcing organizations into taking better care of the personal data they hold.
Because of the above reasons, cyber security has become an important part of the business, and the focus now is on developing appropriate response plans that minimize the damage in the event of a cyber attack.
But an organization or an individual can develop a proper response plan only with a good grip on cyber security fundamentals.
CIA Triad
The CIA Triad is a fundamental security model that acts as a foundation in the development of security policies
designed to protect data. It is comprised of three tenets: Confidentiality, Integrity, and Availability.
Confidentiality:
Confidentiality is about preventing the disclosure of data to unauthorized parties. It also means keeping the identity of the authorized parties involved in sharing and holding the data private and anonymous.
Confidentiality is often compromised by cracking poorly encrypted data, man-in-the-middle (MITM) attacks, or the disclosure of sensitive data.
Standard measures to establish confidentiality include:
Data encryption
Two-factor authentication
Biometric verification
Security tokens
Integrity:
Integrity refers to protecting information from being modified by unauthorized parties.
Standard measures to guarantee integrity include:
Cryptographic checksums
Using file permissions
Uninterruptible power supplies
Data backups
Availability:
Availability is making sure that authorized parties are able to access the information when needed.
Standard measures to guarantee availability include:
Backing up data to external drives
Implementing firewalls
Having backup power supplies
Data redundancy
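As an added illustration (not part of these notes) of the "cryptographic checksums" measure listed under Integrity: the Python script below, using constructed sample data and an assumed verifier key, shows that a plain SHA-256 checksum catches accidental changes but can simply be recomputed by whoever alters the data, whereas a keyed HMAC cannot be forged without the key.

```python
"""Added example, not from the notes: an unkeyed checksum versus a keyed
MAC as integrity controls. Sample data and the key are constructed."""
import hashlib
import hmac

# Constructed sample: a small configuration record whose integrity matters.
ORIGINAL = b"allow_ssh=yes\nadmin_user=alice\n"
TAMPERED = b"allow_ssh=yes\nadmin_user=mallory\n"

# Assumed secret known only to the party that verifies integrity.
VERIFIER_KEY = b"example-secret-key-do-not-reuse"


def checksum(data: bytes) -> str:
    """Plain SHA-256: detects accidental corruption, not deliberate edits."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: detects modification by anyone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def verify_mac(data: bytes, key: bytes, expected: str) -> bool:
    # compare_digest avoids leaking the comparison result through timing.
    return hmac.compare_digest(mac(data, key), expected)


def demo() -> dict:
    """Return (checksum_ok, mac_ok) for three integrity scenarios."""
    stored_sum = checksum(ORIGINAL)
    stored_mac = mac(ORIGINAL, VERIFIER_KEY)
    # 1. Data altered, stored values untouched: both checks fail (good).
    altered_only = (verify_checksum(TAMPERED, stored_sum),
                    verify_mac(TAMPERED, VERIFIER_KEY, stored_mac))
    # 2. Attacker alters data AND recomputes the unkeyed checksum:
    #    the checksum now passes; only the keyed MAC still fails.
    recomputed = (verify_checksum(TAMPERED, checksum(TAMPERED)),
                  verify_mac(TAMPERED, VERIFIER_KEY, stored_mac))
    # 3. Untouched data passes both checks.
    untouched = (verify_checksum(ORIGINAL, stored_sum),
                 verify_mac(ORIGINAL, VERIFIER_KEY, stored_mac))
    return {"altered_only": altered_only,
            "recomputed_checksum": recomputed,
            "untouched": untouched}
```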
Risk:
Cybersecurity risk is the probability of exposure, loss of critical assets and sensitive information, or reputational harm
as a result of a cyber-attack or breach within an organization’s network. Across industries, cybersecurity must remain
top of mind and organizations should work to implement a cybersecurity risk management strategy to protect against
constantly advancing and evolving cyber threats. Risk is the potential for loss, damage or destruction of assets or
data caused by a cyber threat.
Breaches:
A security breach is any incident that results in unauthorized access to computer data, applications, networks or
devices. It results in information being accessed without authorization.
Threats:
Threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include
computer viruses, data breaches, Denial of Service (DoS) attacks, and other attack vectors.
Where Do Cyber Threats Come From?
Hostile Nation-States: National cyber warfare programs provide emerging cyber threats ranging from propaganda, website defacement, espionage and disruption of key infrastructure to loss of life.
Terrorist Groups: Terrorist groups are increasingly using cyber-attacks to damage national interests. They are less developed in cyber-attacks and have a lower propensity to pursue cyber means than nation-states.
Hacktivists: Hacktivists' activities range across political ideals and issues. Most hacktivist groups are concerned with spreading propaganda rather than damaging infrastructure or disrupting services.
Hackers: Malicious intruders could take advantage of a zero-day exploit to gain unauthorized access to data. Hackers may break into information systems for a challenge or bragging rights. In the past, this required a high level of skill.
Attacks:
A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter computer
code, logic or data and lead to cybercrimes, such as information and identity theft.
A cyberattack is a malicious and deliberate attempt by an individual or organization to breach the information
system of another individual or organization. Usually, the attacker seeks some type of benefit from disrupting
the victim’s network.
A cyber attack is when an individual or an organization deliberately and maliciously attempts to breach the
information system of another individual or organization. While there is usually an economic goal, some
recent attacks show destruction of data as a goal.
Web-based attacks:
These are the attacks which occur on a website or web applications. Some of the important web-based attacks are
as follows-
Injection attacks: An attack in which crafted data is injected into a web application to manipulate the application and extract information. Examples: SQL injection, code injection, log injection, XML injection, etc.
DNS Spoofing: An attack in which forged data is introduced into a DNS resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker's computer or any other computer. DNS spoofing attacks can go on for a long period of time without being detected and can cause serious security issues.
Session Hijacking: A security attack on a user session over a protected network. Web applications create cookies to store state and user sessions. By stealing the cookies, an attacker can gain access to all of the user's data.
Phishing: A type of attack which attempts to steal sensitive information such as user login credentials and credit card numbers. It occurs when an attacker masquerades as a trustworthy entity in electronic communication.
Brute force: An attack which uses a trial-and-error method. It generates a large number of guesses and validates them to obtain actual data such as a user password or personal identification number. This attack may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security.
Denial of Service: An attack which is meant to make a server or network resource unavailable to its users. It accomplishes this by flooding the target with traffic or sending it information that triggers a crash. It uses a single system and a single internet connection to attack a server. It can be classified into the following-
o Volume-based attacks- The goal is to saturate the bandwidth of the attacked site; measured in bits per second.
o Protocol attacks- These consume actual server resources; measured in packets per second.
o Application layer attacks- The goal is to crash the web server; measured in requests per second.
Dictionary attacks: This type of attack uses a stored list of commonly used passwords and tries each one in order to recover the original password.
URL Interpretation: An attack in which certain parts of a URL are altered so that the web server delivers web pages the attacker is not authorized to browse.
File Inclusion attacks: An attack that allows an attacker to access unauthorized or essential files available on the web server, or to execute malicious files on the web server, by making use of the include functionality.
Man in the middle attacks: An attack that allows an attacker to intercept the connection between client and server and act as a bridge between them. Due to this, the attacker is able to read, insert and modify the data in the intercepted connection.
Cross-site Scripting: A cross-site scripting attack sends malicious scripts into content from reliable websites. The malicious code joins the dynamic content that is sent to the victim's browser. Usually, this malicious code consists of JavaScript executed by the victim's browser, but it can also include Flash, HTML, and XSS.
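As an added example (not from these notes) of the injection attack described above: a login lookup built by string concatenation next to its parameterized form, run against a constructed in-memory SQLite table. The table, its rows and the function names are assumptions made for the demonstration.

```python
"""Added example, not from the notes: the same login lookup written in a
way that is vulnerable to SQL injection and in the parameterized form that
fixes it. Runs offline against an in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Constructed sample rows. Plaintext passwords are used only to keep
    # the demo short; a real system stores password hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    """String concatenation: user input becomes part of the SQL syntax,
    so a quote inside the input changes the meaning of the query."""
    query = ("SELECT 1 FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, name: str, password: str) -> bool:
    """Parameterized query: input is bound as data and never parsed as SQL,
    so the same input is compared literally against the stored value."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def compare(name: str, password: str) -> tuple:
    """Return (vulnerable_result, safe_result) for one input pair."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, name, password),
                login_safe(conn, name, password))
    finally:
        conn.close()
```

A password of `' OR '1'='1` turns the concatenated query into a tautology and logs in as any user, while the parameterized version simply reports a wrong password.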
System-based attacks:
These are the attacks which are intended to compromise a computer or a computer network. Some of the important
system-based attacks are as follows-
Virus: A type of malicious software program that spreads through the computer's files without the user's knowledge. It is a self-replicating malicious computer program that replicates by inserting copies of itself into other computer programs when executed. It can also execute instructions that cause harm to the system.
Worm: A type of malware whose primary function is to replicate itself in order to spread to uninfected computers. It works in the same way as a computer virus. Worms often originate from email attachments that appear to be from trusted senders.
Trojan horse: A malicious program that causes unexpected changes to computer settings and unusual activity, even when the computer should be idle. It misleads the user about its true intent. It appears to be a normal application, but when opened or executed, malicious code runs in the background.
Backdoors: It is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or other purposes.
Bots/Botnet: A bot (short for "robot") is an automated process that interacts with other network services. Some bot programs run automatically, while others only execute commands when they receive specific input. Common examples of bot programs are crawlers, chatroom bots, and malicious bots.
Rootkits: Rootkits are installed inside legitimate software, where they can gain remote control and
administration-level access over a system. The attacker then uses the rootkit to steal passwords, keys,
credentials, and retrieve critical data.
Exploits:
An exploit is a code that takes advantage of a software vulnerability or security flaw. It is written either by security
researchers as a proof-of-concept threat or by malicious actors for use in their operations. When used, exploits allow
an intruder to remotely access a network and gain elevated privileges, or move deeper into the network.
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug
or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or
something electronic.
An exploit is not malware itself, but rather it is a method used by cybercriminals to deliver malware.
How do I defend against exploits?
Many software vendors patch known bugs to remove the vulnerability. Security software also helps by detecting,
reporting, and blocking suspicious operations. It prevents exploits from occurring and damaging computer systems,
regardless of what malware the exploit was trying to initiate.
The typical security software implemented by businesses to ward off exploits is referred to as threat defense, as well as endpoint detection and response (EDR) software. Another best practice is to initiate a penetration testing program, which is used to validate the effectiveness of the defense.
Zero-day Exploit
A Zero-day Exploit refers to exploiting a network vulnerability when it is new and recently announced — before a
patch is released and/or implemented. Zero-day attackers jump at the disclosed vulnerability in the small window of
time where no solution/preventative measures exist. Thus, preventing zero-day attacks requires constant
monitoring, proactive detection, and agile threat management practices.
Information Gathering
Information Gathering means gathering different kinds of information about the target. It is basically the first step or beginning stage of Ethical Hacking, where penetration testers or hackers (both black hat and white hat) try to gather all the information about the target in order to use it for hacking.
To obtain more relevant results, more information has to be gathered about the target, which increases the probability of a successful attack.
Information gathering can be classified into the following categories:
Footprinting
Scanning
Enumeration
Reconnaissance
Social Engineering
Social engineering is a manipulation technique that exploits human error to gain private information, access, or
valuables. In cybercrime, these “human hacking” scams tend to lure unsuspecting users into exposing data, spreading
malware infections, or giving access to restricted systems. Attacks can happen online, in-person, and via other
interactions.
Foot Printing
In this technique, as much information as possible is collected about a target network, system or victim. Footprinting provides various ways to intrude on the system of an organization, and the security posture of the target is also determined by this technique. It can be active as well as passive. In passive footprinting, information about the target is collected without the target's knowledge. Active footprinting takes place when the target's sensitive information is released intentionally and consciously, or through direct contact with the owner.
Footprinting techniques are of three types. These are as follows:
Open source footprinting: Open source footprinting is the safest form of footprinting, as it stays within the limits of the law; that is why hackers can carry it out without fear. Examples of open source footprinting include looking up a date of birth, phone number or age, finding someone's email address, scanning IP addresses with an automated tool, etc. Most companies provide information related to their company on their official websites. Hackers use the information provided by the company and take advantage of it.
Network-based footprinting: Network-based footprinting is used to retrieve information such as network services, names within a group, user names, data shared among individuals, etc.
DNS interrogation: After gathering all the required information in the various areas using different techniques, the hacker uses existing tools to query the DNS.
Scanning
Scanning is another essential step that follows footprinting; it consists of a package of techniques and procedures by which hosts, ports and various services in the network are identified. It is one of the components of the information gathering and intelligence gathering mechanism, used by an attacker to create an overview of the target. To find out the possibility of network security attacks, pen-testers use vulnerability scanning. Through this technique, hackers can find vulnerabilities like weak authentication, unnecessary services, missing patches, and weak encryption algorithms, and an ethical hacker or pen-tester then provides the list of all vulnerabilities found in an organization's network.
There are three types of scanning:
Port scanning: Hackers and penetration testers use this conventional technique to search for open doors (open ports) through which the system of an organization can be accessed.
Network scanning
Vulnerability scanning: Vulnerability scanning is the proactive identification of vulnerabilities on the target network. Using automatic scanning tools together with some manual support, vulnerabilities and threats can be identified.
Enumeration:
Enumeration is the process in which information is extracted from the system like machine names, user names,
network resources, shares and services. In enumeration, an active connection is established with the system by the
hacker. Hackers use this connection and gain more target information by performing direct queries.
Open Source/Free/Trial Tools
NMAP:
Nmap is an open-source network scanner that is used to recon/scan networks. It is used to discover hosts, ports, and
services along with their versions over a network. It sends packets to the host and then analyzes the responses in
order to produce the desired results. It could even be used for host discovery, operating system detection, or
scanning for open ports. It is one of the most popular reconnaissance tools.
To use nmap:
Ping the host with the ping command to get the IP address
ping hostname
Open the terminal and enter the following command there.
nmap -sV ipaddress
Replace the IP address with the IP address of the host you want to scan.
It will display all the captured details of the host.
ZENMAP
It is another useful tool for the scanning phase of Ethical Hacking in Kali Linux, and it uses a Graphical User Interface. It is a great tool for network discovery and security auditing. It performs the same functions as the Nmap tool; in other words, it is the graphical interface version of the Nmap tool, which itself uses a command line interface. It is a free utility for network discovery and security auditing. Tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime are considered really useful by systems and network administrators.
To use Zenmap, enter the target URL in the target field to scan the target.
Network scanners:
SYN Scan: A SYN scan, or stealth scan, does not complete the TCP three-way handshake. The hacker sends a SYN packet to the target; if a SYN/ACK frame comes back, the target would complete the connection, which means the port is open and listening. If the target returns an RST, the scanner assumes the port is closed or not active. Some IDS systems log full connections as connection attempts or as an attack, which is why the SYN stealth scan is advantageous.
XMAS Scan: This scan sends a packet with the PSH, FIN, and URG flags set. The target does not respond if the port is open, but responds with an RST/ACK packet if the port is closed.
FIN Scan: The FIN scan is almost the same as the XMAS scan, except that it does not set the PSH and URG flags; it only sends packets with the FIN flag. The responses and the limitations of the FIN scan are the same as those of the XMAS scan.
IDLE Scan: This scan relies on the sequence (identification) number in the IP header and on the port-scan response. It sends SYN packets to the target using a spoofed IP address, and whether the port is open or not is determined from the response to the scan.
Inverse TCP Flag Scan: In this scan, the attacker sends TCP probe packets with either no flags set or selected TCP flags set. If the target does not respond, the port is open. If the target responds with an RST packet, the port is closed.
ACK Flag Probe Scan: In this scan, the attacker sends TCP probe packets with the ACK flag set to a remote device and analyzes the header information of the RST packet that comes back; whether the port is open or not is signified by that RST packet. This scan also checks the filtering system of the victim or target.
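As an added example (not from these notes), the detection side of the scans listed above: a small Python classifier that maps the flag combinations of the XMAS, FIN, NULL (inverse TCP flag), ACK and SYN probes to the scan names used here and raises per-source alerts. The packet records and their field layout are constructed for the example.

```python
"""Added example, not from the notes: classify TCP probe packets by the flag
combinations of the scan types described above and raise per-source alerts.
Packet records and their field layout are constructed for this demo."""
from collections import defaultdict

# Constructed records: (src_ip, dst_ip, dst_port, set of TCP flags seen).
PACKETS = [
    ("10.0.0.5", "10.0.0.20", 22, {"SYN"}),
    ("10.0.0.5", "10.0.0.20", 80, {"SYN"}),
    ("10.0.0.5", "10.0.0.20", 443, {"SYN"}),
    ("10.0.0.5", "10.0.0.20", 8080, {"SYN"}),
    ("10.0.0.9", "10.0.0.20", 25, {"FIN", "PSH", "URG"}),
    ("10.0.0.9", "10.0.0.20", 110, {"FIN"}),
    ("10.0.0.9", "10.0.0.20", 143, set()),
    ("10.0.0.7", "10.0.0.20", 3389, {"ACK"}),
    ("10.0.0.11", "10.0.0.20", 80, {"SYN"}),  # a single, normal SYN
]

# Flag sets that never start a legitimate connection; one packet is enough.
MALFORMED = {
    frozenset({"FIN", "PSH", "URG"}): "XMAS",
    frozenset({"FIN"}): "FIN",
    frozenset(): "NULL (inverse TCP flag)",
}


def probe_type(flags: set) -> str:
    """Map a flag combination to the scan names used in the notes."""
    key = frozenset(flags)
    if key in MALFORMED:
        return MALFORMED[key]
    if key == {"ACK"}:
        return "ACK probe"
    if key == {"SYN"}:
        return "SYN"
    return "other"


def detect_scans(packets, syn_port_threshold: int = 3) -> dict:
    """Return {src_ip: sorted list of alert names}.
    Assumption for the demo: no established sessions exist, so a lone ACK
    is treated as a probe; a real IDS would check connection state first.
    Plain SYNs are normal traffic, so they only alert when one source
    touches at least syn_port_threshold distinct ports (a SYN sweep)."""
    alerts = defaultdict(set)
    syn_ports = defaultdict(set)
    for src, _dst, port, flags in packets:
        kind = probe_type(flags)
        if kind == "SYN":
            syn_ports[src].add(port)
        elif kind != "other":
            alerts[src].add(kind)
    for src, ports in syn_ports.items():
        if len(ports) >= syn_port_threshold:
            alerts[src].add("SYN sweep")
    return {src: sorted(kinds) for src, kinds in alerts.items()}
```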