Unit 1 CSDF MIT

The document provides an overview of cybersecurity and digital forensics, focusing on the definition of cyberspace, its components, and the importance of cybersecurity in protecting organizational assets. It discusses the NIST Cybersecurity Framework, which outlines a structured approach to managing cybersecurity risks, and highlights key challenges in developing effective cybersecurity systems. The document also covers various types of cyber threats and attacks, including malware and denial-of-service attacks.


Cyber Security and Digital Forensics

(MIT601)
CSCSIT, TU

Unit 1: Introduction

Jagdish Bhatta
Introduction
• Unit 1: Cybersecurity (4 Hrs.)
• Cyberspace, Cybersecurity; NIST Cybersecurity Framework;
Cybersecurity Management Process; Cybersecurity Threats
and Attacks; Cyber Kill Chain; Vulnerability Assessment;
Penetration Testing; Ethical Hacking; Cyber Law: Global and
Local

Jagdish Bhatta 3
Cyberspace

• The NIST (National Institute of Standards and Technology)
definition of cyberspace is:
– A global domain within the information environment
consisting of the interdependent network of information
systems infrastructures including the Internet,
telecommunications networks, computer systems, and
embedded processors and controllers.
• Cyberspace consists of :
– artifacts based on or dependent on computer and
communications technology;
– the information that these artifacts use, store, handle, or
process; and
– the interconnections among these various elements.
Cyberspace
• Cyberspace is composed of hundreds of thousands of
interconnected computers, servers, routers, switches, and
fiber optic cables that allow our critical infrastructures to
work. Healthy functioning of cyberspace is essential to the
economy and national security.

Cyberspace
• Some of the components of cyberspace are as follows:
Cyberspace
• The components of cyberspace consist of:
– Networks: The basis of cyberspace is the computer network
architecture, consisting of access networks, MANs, and
WANs, which often extend to devices operating as channels
through which data are relayed. These networks may be
local or global long-distance networks.
– The Internet: The Internet is undoubtedly the most
remarkable component: a complex structure of structures,
used essentially as a communication channel for the
distribution of information. The Internet is a blend of
cyberspace elements that hosts web applications for
business transactions, online games, social networks, etc.

Cyberspace
• The components of cyberspace consist of:
– Data: Data is an integral part of cyberspace. It comes in
different formats: text, images, videos, or files. It is
virtually impossible for any online activity to be undertaken
without data being exchanged, and therefore exposed to
compromise.
– Digital Platforms: Digital platforms are online systems that
provide services and resources through active interaction
on the web. They include social media, search platforms,
cloud services, online marketplaces, etc.

Cyberspace
• Key characteristics of cyberspace
– Borderless: Cyberspace does not respect geographic
boundaries; connectivity is instantaneous regardless of
location. This borderless condition enables a high level of
international cooperation on the positive side, and raises
many cybersecurity challenges on the negative side.
– Dynamic: Cyberspace changes constantly, driven by
technological innovation and by the people who use it.
The threat of cyber-attacks continuously renews itself and
poses new challenges as the digital space changes.

Cyberspace
• Key characteristics of cyberspace
– Accessible: Anyone with an internet connection can easily
gain access to the information and resources in
cyberspace.
– Anonymous: Users of the internet can avoid being identified
in the digital space, because the anonymity of virtual
presence allows them to act privately without disclosing
their real names. On one side, anonymity can mean privacy
and protection; on the other, it offers attackers a great
opportunity to commit cybercrimes and online harassment.

Cybersecurity
• Cybersecurity is the collection of tools, policies, security
concepts, security safeguards, guidelines, risk management
approaches, actions, training, best practices, assurance and
technologies that are used to protect the cyberspace
environment and organization and user’s assets.
• Organization and user’s assets include connected computing
devices, personnel, infrastructure, applications, services,
telecommunications systems, and the totality of transmitted
and/or stored information in the cyberspace environment.
• Cybersecurity strives to ensure the attainment and
maintenance of the security properties of the organization
and user’s assets against relevant security risks in the
cyberspace environment.

Cybersecurity
• Cybersecurity encompasses information security, with respect
to electronic information, and network security. Information
security also is concerned with physical (for example, paper-
based) information. However, in practice, the terms
cybersecurity and information security are often used
interchangeably.

• The general security objectives in cybersecurity comprise the
following:
– availability;
– integrity;
– authenticity;
– non-repudiation; and
– confidentiality.
Cybersecurity
• A list of cybersecurity objectives includes the following:
– Availability: The property of a system or a system resource
being accessible or usable or operational upon demand,
by an authorized system entity, according to performance
specifications for the system; that is, a system is available if
it provides services according to the system design
whenever users request them.
– Integrity: The property that data has not been changed,
destroyed, or lost in an unauthorized or accidental manner.
– Authenticity: The property of being genuine and being
able to be verified and trusted. This means verifying that
users are who they say they are and that each input
arriving at the system came from a trusted source.
Cybersecurity
• A list of cybersecurity objectives includes the following:
– Non-repudiation: Assurance that the sender of
information is provided with proof of delivery and the
recipient is provided with proof of the sender’s identity, so
neither can later deny having processed the information.
– Confidentiality: The property that data is not disclosed to
system entities unless they have been authorized to know
the data.
– Accountability: The property of a system or system
resource ensuring that the actions of a system entity may
be traced uniquely to that entity, which can then be held
responsible for its actions.

Cybersecurity
• The challenges in developing an effective cybersecurity
system are as follows:
– Scale and complexity of cyberspace: The scale and
complexity of cyberspace are massive. Cyberspace
involves mobile devices, workstations, servers, massive
data centers, cloud computing services, Internet of Things
(IoT) deployments, and a wide variety of wired and
wireless networks. The variety of individuals and
applications requiring some level of access to these
resources is also huge. Further, the challenges to achieving
cybersecurity constantly change as technologies advance,
new applications of information technologies emerge,
and societal norms evolve.

Cybersecurity
• The challenges in developing an effective cybersecurity
system are as follows:
– Nature of the threat: Organizational assets in cyberspace
are under constant and evolving threat from vandals,
criminals, terrorists, hostile states, and other malevolent
actors. In addition, a variety of legitimate actors, including
businesses and governments, are interested in collecting,
analyzing, and storing information from and about
individuals and organizations, potentially creating
security and privacy risks.

Cybersecurity
• The challenges in developing an effective cybersecurity
system are as follows:
– User needs versus security implementation: Users want
technology with the most modern and powerful features, that is
convenient to use, that offers anonymity in certain
circumstances, and that is secure. But there is an inherent
conflict between greater ease of use and greater range of
options on the one hand and robust security on the other. In
general, the simpler the system, and the more its individual
elements are isolated from one another, the easier it is to
implement effective security. But over time, people demand
more functionality, and the greater complexity that results
makes systems less secure. Users or groups within an
organization that feel inconvenienced by security mechanisms
will be tempted to find ways around those mechanisms or
demand relaxation of the security requirements.
Cybersecurity
• The challenges in developing an effective cybersecurity
system are as follows:
– Difficulty estimating costs and benefits: It is difficult to
estimate the total cost of cybersecurity breaches and,
therefore, the benefits of security policies and
mechanisms. This complicates the need to achieve
consensus on the allocation of resources to security.
• Because of these challenges, there is an ongoing
effort to develop best practices, documents, and
standards that provide guidance to managers
charged with making resource allocation decisions
as well as those charged with implementing an
effective cybersecurity framework.
NIST Cybersecurity Framework
• NIST (National Institute of Standards and Technology) is a U.S.
federal agency that deals with measurement science,
standards, and technology related to the U.S. government and
to the promotion of U.S. private sector innovation. Despite
their national scope, NIST Federal Information Processing
Standards (FIPS) and Special Publications (SP) have a
worldwide impact. In the area of information security, the
NIST Computer Security Resource Center (CSRC) is the source
of a vast collection of documents that are widely used in the
industry.

NIST Cybersecurity Framework
• The NIST Cybersecurity Framework consists of three
components:
– Core: Provides a set of cybersecurity activities, desired
outcomes, and applicable references that are common
across critical infrastructure sectors.
– Implementation tiers: Provide context on how an
organization views cybersecurity risk and the processes in
place to manage that risk.
– Profiles: Represent the outcomes based on business
needs that an organization has selected from the
Framework Core categories and subcategories.

NIST Cybersecurity Framework
• Once an organization has clarity on the degree of
commitment to risk management (tiers) and an understanding
of the actions that can be taken to match that commitment,
security policies and plans can be put in place, as reflected in
a Framework profile.
• In essence, a profile is a selection of categories and
subcategories from the Framework Core. A current profile
reflects the cybersecurity posture of the organization. Based
on a risk assessment, an organization can define a target
profile and then select the categories and subcategories from
the Framework Core needed to reach the target.

NIST Cybersecurity Framework
• The current and target profiles enable management to
determine what has been done and needs to be maintained
and what new cybersecurity measures need to be
implemented to manage risk. The referenced guidelines,
standards, and practices for each subcategory provide
concrete descriptions of the work needed to meet the target
profile.
• The NIST Cybersecurity Framework is an important resource
for those involved in the planning, implementation, and
evaluation of an organization’s cybersecurity capability.
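The current-versus-target profile comparison described above, as an added example that is not part of the lecture slides: the Framework Core is modelled as a small constructed dict of subcategory identifiers (in the NIST CSF ID.AM-1 naming style, but only a sample, not the real Core), and the risk scores used to prioritise the work are assumed inputs from the organization's risk assessment.

```python
"""NIST CSF profile gap analysis (added example, not from the slides).

Models the Framework Core as subcategory id -> outcome text, and a profile
as the set of subcategory ids an organization has selected. Comparing the
current profile with the target profile yields what must be maintained,
what must be newly implemented, and what is no longer required.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of Framework Core subcategories (Function.Category-N);
# a real analysis would load the full published Core.
FRAMEWORK_CORE = {
    "ID.AM-1": "Physical devices and systems are inventoried",
    "ID.RA-1": "Asset vulnerabilities are identified and documented",
    "PR.AC-1": "Identities and credentials are managed",
    "PR.DS-1": "Data-at-rest is protected",
    "DE.CM-1": "The network is monitored to detect potential events",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after an incident",
}


@dataclass
class GapAnalysis:
    maintain: set    # in both profiles: already done, must be kept up
    implement: set   # in target only: new measures to put in place
    retire: set      # in current only: no longer required by the target
    unknown: set     # ids in a profile that are not Framework Core entries


def profile_gap(core, current, target):
    """Compare a current profile against a target profile drawn from `core`."""
    current, target = set(current), set(target)
    return GapAnalysis(
        maintain=current & target,
        implement=target - current,
        retire=current - target,
        unknown=(current | target) - set(core),
    )


def prioritised_work(gap, risk_scores):
    """Order the subcategories still to implement by risk-assessment score.

    `risk_scores` maps subcategory id -> score; unscored items sort last,
    and ties are broken on the identifier so the order is deterministic.
    """
    return sorted(gap.implement, key=lambda sc: (-risk_scores.get(sc, 0), sc))


def by_function(subcategories):
    """Group subcategory ids by CSF Function (the prefix before the dot)."""
    groups = defaultdict(list)
    for sc in sorted(subcategories):
        groups[sc.split(".", 1)[0]].append(sc)
    return dict(groups)


def report(core, gap, risk_scores):
    """Human-readable summary of what to maintain and what to implement."""
    lines = []
    for sc in sorted(gap.maintain):
        lines.append(f"MAINTAIN  {sc}: {core.get(sc, '?')}")
    for sc in prioritised_work(gap, risk_scores):
        score = risk_scores.get(sc, 0)
        lines.append(f"IMPLEMENT {sc} (risk {score}): {core.get(sc, '?')}")
    for sc in sorted(gap.unknown):
        lines.append(f"UNKNOWN   {sc}: not a Framework Core subcategory")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed profiles and risk scores for demonstration.
    current = {"ID.AM-1", "PR.AC-1", "DE.CM-1"}
    target = {"ID.AM-1", "ID.RA-1", "PR.AC-1", "PR.DS-1", "DE.CM-1", "RS.RP-1"}
    scores = {"PR.DS-1": 9, "ID.RA-1": 7, "RS.RP-1": 4}
    print(report(FRAMEWORK_CORE, profile_gap(FRAMEWORK_CORE, current, target), scores))
```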

Cybersecurity Management Process
• An essential characteristic of cybersecurity provision is that it
is not a single end that is attained but an ongoing process.
• The goal of effective cybersecurity is constantly receding as
management strives to keep up with changes in the
cyberspace ecosystem, which comprises technology, threat
capability, applications, IT resources, and personnel.

Cybersecurity Management Process
• The process is an iterative cycle comprising the following major activities:
• Assess the risk, considering the following:
– Assets and their value or utility
– Threats and vulnerabilities associated with these assets
– Risk of exposure of these assets to the threats and vulnerabilities
– Risk and impacts resulting from this risk of exposure
• Address the risk(s), considering the following:
– Identification of available risk management options
– Selection of preferred risk management option
– Final risk management decision

• Implement the risk management decision, considering the
following:
– Selection of controls
– Allocation of resources, roles, and responsibilities
– Implementation of controls
• Monitor, review, and communicate the risks, considering the
following:
– Monitoring of the risk situation
– Risk-related measurements
– Review and re-assessment of the risks
– Communication of the risks

• Update and improve the controls:
– Updating controls
– Improving controls

Cybersecurity Management Process
• This repeating cycle is governed not only by the evolving
ecosystem of cyberspace but also by evolving standards and
best practices.
• From a broader perspective, there are in fact two cyclic
processes at work: one at the executive level, which focuses
on organizational risk, and one at the business level, which
focuses on critical infrastructure risk management.
• At the executive level, upper management defines mission
priorities, establishes acceptable risk tolerance, and
determines available resources. At the business level, IT
management translates these guidelines into controls for risk
management.

Cybersecurity Threats and Attacks
• Malware or malicious software is any program or code that is
created with the intent to do harm to a computer, network or
server.
• Malware is the most common type of cyberattack, mostly
because this term encompasses many subsets such as
ransomware, trojans, spyware, viruses, worms, keyloggers,
and any other type of malware attack that leverages software
in a malicious way.

Cybersecurity Threats and Attacks
• A Denial-of-Service (DoS) attack is a malicious, targeted attack that
floods a network with false requests in order to disrupt business
operations. In a DoS attack, users are unable to perform routine and
necessary tasks, such as accessing email, websites, online accounts
or other resources that are operated by a compromised computer
or network. While most DoS attacks do not result in lost data and
are typically resolved without paying a ransom, they cost the
organization time, money and other resources in order to restore
critical business operations.
• The difference between DoS and Distributed Denial of Service
(DDoS) attacks has to do with the origin of the attack. DoS attacks
originate from just one system while DDoS attacks are launched
from multiple systems. DDoS attacks are faster and harder to block
than DoS attacks because multiple systems must be identified and
neutralized to halt the attack.
Cybersecurity Threats and Attacks
• Phishing is a type of cyberattack that uses email, SMS, phone,
social media, and social engineering techniques to entice a
victim to share sensitive information — such as passwords or
account numbers — or to download a malicious file that will
install viruses on their computer or phone.
• Spoofing is a technique through which a cybercriminal
disguises themselves as a known or trusted source. In so
doing, the adversary is able to engage with the target and
access their systems or devices with the ultimate goal of
stealing information, extorting money or installing malware or
other harmful software on the device. Domain Spoofing,
Email Spoofing are popular ones.

Cybersecurity Threats and Attacks
• Identity-driven attacks are extremely hard to detect. When a
valid user’s credentials have been compromised and an
adversary is masquerading as that user, it is often very
difficult to differentiate between the user’s typical behavior
and that of the hacker using traditional security measures and
tools. Man-in-the-Middle Attack, Pass-the-Hash Attack, and Brute
Force Attack are a few examples.
• Code injection attacks consist of an attacker
injecting malicious code into a vulnerable computer or
network to change its course of action. Malvertising, SQL
Injection, SEO Poisoning, etc. are a few examples.

Cybersecurity Threats and Attacks
• A supply chain attack is a type of cyberattack that targets a
trusted third-party vendor who offers services or software
vital to the supply chain. Software supply chain attacks inject
malicious code into an application in order to infect all users
of an app, while hardware supply chain attacks compromise
physical components for the same purpose. Software supply
chains are particularly vulnerable because modern software
is not written from scratch: rather, it involves many off-the-
shelf components, such as third-party APIs, open source
code and proprietary code from software vendors.

Cybersecurity Threats and Attacks
• Social engineering attack is a technique where attackers use
psychological tactics to manipulate people into taking a
desired action. Through the use of powerful motivators like
love, money, fear, and status, attackers can gather sensitive
information that they can later use to either extort the
organization or leverage such information for a competitive
advantage. Popular social engineering attacks include
pretexting, honeytraps, and disinformation campaigns around
elections, religion, and war.

Cybersecurity Threats and Attacks
• Insiders: IT teams that solely focus on finding adversaries external
to the organization only see half the picture. Insider threats are
internal actors such as current or former employees that pose
danger to an organization because they have direct access to the
company network, sensitive data, and IP as well as knowledge of
business processes, company policies, or other information that
would help carry out such an attack.
• Internal actors that pose a threat to an organization tend to be
malicious in nature. Some motivators include financial gain in
exchange for selling confidential information, sabotage etc. But
some insider threats are not malicious in nature — instead, they
are negligent. To combat this, organizations should implement
a comprehensive cybersecurity training program that teaches
stakeholders to be aware of any potential attacks, including those
potentially performed by an insider.
Cybersecurity Threats and Attacks
• AI Powered:
• As AI and ML technology improves, the number of use cases
has also increased. Just as cybersecurity professionals
leverage AI and ML to protect their online environments,
attackers also leverage these tools to get access to a network
or steal sensitive information.
• Adversarial artificial intelligence and machine learning seek
to disrupt the operations of AI and ML systems by
manipulating or misleading them. They can do this by
introducing inaccuracies in training data.
• Deepfakes are AI-generated forgeries that appear very real
and have the potential to reshape public opinion, damage
reputations, and even sway political landscapes. These can
come in the form of fake images, videos, audio, or more.
Cyber Kill Chain
• A cyber attack is an attack, via cyberspace, targeting an
enterprise’s use of cyberspace for the purpose of disrupting,
disabling, destroying, or maliciously controlling a computing
environment/infrastructure; or destroying the integrity of the
data or stealing controlled information.

• The cyber kill chain is the process by which perpetrators carry
out cyberattacks. Lockheed Martin adapted the concept of
the kill chain from a military setting to information security,
using it as a method for modeling intrusions on a computer
network. The cyber kill chain model has seen some adoption
in the information security community.

Cyber Kill Chain
• The cyber kill chain is intended to defend against
sophisticated cyberattacks, also known as advanced
persistent threats (APTs), wherein adversaries spend
significant time surveilling and planning an attack. Most
commonly these attacks involve a combination
of malware, ransomware, Trojans, spoofing and social
engineering techniques to carry out their plan.
• An advanced persistent threat (APT) is a sophisticated,
sustained cyberattack in which an intruder establishes an
undetected presence in a network in order to steal sensitive
data over a prolonged period of time. An APT attack is
carefully planned and designed to infiltrate a specific
organization, evade existing security measures and fly under
the radar.
Cyber Kill Chain
• Executing an APT attack requires a higher degree of
customization and sophistication than a traditional attack.
Adversaries are typically well-funded, experienced teams of
cybercriminals that target high-value organizations. They’ve
spent significant time and resources researching and
identifying vulnerabilities within the organization.
• The Advanced Persistent Threat (APT) Attack stages include:
– Infiltration
– Escalation
– Exfiltration

Cyber Kill Chain
• APT Phases
• Stage 1: Infiltration
• In the first phase, advanced persistent threats often gain
access through social engineering techniques. One indication
of an APT is a phishing email that selectively targets high-level
individuals like senior executives or technology leaders, often
using information obtained from other team members that
have already been compromised. Email attacks that target
specific individuals are “spear-phishing.”

Cyber Kill Chain
• APT Phases
• Stage 2: Escalation and Lateral Movement
• Once initial access has been gained, attackers
insert malware into an organization’s network to move to the
second phase, expansion. They move laterally to map the
network and gather credentials such as account names and
passwords in order to access critical business information.
• They may also establish a “backdoor” — a scheme that allows
them to sneak into the network later to conduct stealth
operations. Additional entry points are often established to
ensure that the attack can continue if a compromised point is
discovered and closed.

Cyber Kill Chain
• APT Phases
• Stage 3: Exfiltration
• To prepare for the third phase, cybercriminals typically store
stolen information in a secure location within the network
until enough data has been collected. They then extract, or
“exfiltrate” it without detection. They may use tactics like a
denial-of-service (DoS) attack to distract the security team
and tie up network personnel while the data is being
exfiltrated. The network can remain compromised, waiting for
the thieves to return at any time.

Cyber Kill Chain
• Reconnaissance
• In the first stage of a typical cyber attack, the attacker decides
whether the potential target is in fact a promising target and,
if so, the best means of attack. Ideally, the attacker looks for
a target that exhibits both serious vulnerabilities and
valuable data.
• If the target is particularly high value, the attacker can
attempt the attack even if there are few vulnerabilities.

Cyber Kill Chain
• Reconnaissance
• There are a number of potential sources of information about
a target:
– Names and contact details of employees online: Even if these are not
provided on the enterprise website, they may be available through
social networks. This information may be used for social engineering
purposes.
– Details about enterprise web servers or physical locations online:
These details are used for social engineering or to narrow down a list
of possible exploits that could be used to break into the enterprise’s
environment.
– Emails and other network traffic: This information may be used for
social engineering or to gain insight into possible avenues of attack.

Cyber Kill Chain
• Reconnaissance
• The means of performing reconnaissance include the
following:
– Perform perimeter network reconnaissance/scanning
– Perform network sniffing of exposed networks
– Gather information using open source discovery of
organizational information
– Perform surveillance of targeted organizations over time to
examine and assess organizations and ascertain points of
vulnerability
– Perform malware-directed internal reconnaissance

Cyber Kill Chain
• Weaponization
• At this stage, an attacker prepares an attack payload and
crafts a tool to deliver the attack, using the gathered
information. This step happens at the attacker side, without
contact with the victim.
• Following are the types of attack tools:
– Phishing attacks
– Spear phishing attacks (Phishing that is targeted against a
group, a company, or individuals within a company.)
– Attacks specifically based on deployed information
technology environment
– Counterfeit/spoof website
– Counterfeit certificates
Cyber Kill Chain
• Delivery
• During the delivery phase, the attacker sends the malicious
payload to the victim by one of many intrusion methods.
• Possible methods of delivery include email, web traffic,
instant messaging, and File Transfer Protocol (FTP). The
payload can also be placed on removable media (for example,
flash drives) and social engineering techniques can be used to
persuade an employee to install the malware from the media
to the enterprise’s information systems.

Cyber Kill Chain
• Delivery
• A number of other delivery techniques exist, including the
following:
– Insert malware into common freeware, shareware, or commercial IT
products. This technique does not target a specific organization but is
a way to find targets of opportunity.
– Insert malware into organizational information systems and
information system components (for example, commercial
information technology products), specifically targeted to the
hardware, software, and firmware used by organizations (based on
knowledge gained via reconnaissance).
– Replace critical information system components with modified or
corrupted components. This is done through the supply chain, a
subverted insider, or some combination thereof.
– Place individuals in privileged positions within organizations who are
willing and able to carry out actions to cause harm to organizational
Cyber Kill Chain
• Exploit
• During the exploit phase, the delivered payload is triggered
and takes action on the target system to exploit a
vulnerability. This phase is concerned with gaining entry to
the system in order to begin the actual attack. This phase can
make use of a vulnerability known to the attacker, or the
initially delivered payload can search for and discover
vulnerabilities that enable continuing and expanding the
attack.
• A wide variety of attacks are possible at this stage,
encompassing all the threat categories like exfiltrating data,
modifying data, compromising availability, etc.

Cyber Kill Chain
• Installation
• During the installation phase, the attacker installs
components that permit permanent control of the target
system. The objective is to mount further attacks on the
enterprise. At this stage, the attacker can also elevate user
privileges of installed malware and install persistent payload.

Cyber Kill Chain
• Command and Control
• The attacker creates a command-and-control channel in order to
continue to operate the internal assets remotely. This step is
relatively generic and relevant throughout the attack, not only
when malware is installed. Among other actions at this stage, the
adversary can take actions to inhibit/prevent the effectiveness of
the intrusion detection systems or auditing capabilities within
organizations. The adversary can adapt behavior in response to
surveillance and organizational security measures.
• Actions
• The attacker performs the steps to achieve his or her goals inside
the victim’s network—to obtain information, destroy information,
or disrupt systems or networks. This can be an elaborate active
attack process that takes months and thousands of small steps to
achieve.
Cyber Kill Chain
• Dealing with the Reconnaissance Phase:
• A number of techniques can be used to detect reconnaissance
attempts. For websites, web analytics can detect behavior
that is more in line with an attacker than a benign user.
• For any type of traffic, scanning the source IP addresses for
those with known bad reputations is fruitful. Multiple events
occurring from the same address in a small time frame may
indicate a reconnaissance effort.
• Prevention methods include the use of firewalls, especially if
a default deny policy is used, whitelisting, and segmenting
enterprise networks.
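The two reconnaissance signals the slide names (source addresses with a known bad reputation, and many events from one address in a small time frame), as an added example that is not part of the lecture slides, run over a constructed web access log. The reputation list, the thresholds, and the extra 404-ratio heuristic (a common "looks like a scanner, not a user" web-analytics signal) are assumptions of this example, not figures from the course.

```python
"""Reconnaissance detection over web access logs (added example).

Parses combined-log-format lines and raises findings for: a source on a
reputation blocklist; a burst of requests from one address within a short
window; and an address whose requests mostly return 404 (probing for
paths that do not exist). All inputs below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log prefix: client IP, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:12:03:15 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.23 - - [10/Mar/2024:12:04:00 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.44 - - [10/Mar/2024:12:05:00 +0000] "GET /admin HTTP/1.1" 404 312
192.0.2.44 - - [10/Mar/2024:12:05:01 +0000] "GET /backup HTTP/1.1" 404 312
192.0.2.44 - - [10/Mar/2024:12:05:01 +0000] "GET /config HTTP/1.1" 404 312
192.0.2.44 - - [10/Mar/2024:12:05:02 +0000] "GET /test HTTP/1.1" 404 312
192.0.2.44 - - [10/Mar/2024:12:05:03 +0000] "GET /old HTTP/1.1" 404 312
192.0.2.44 - - [10/Mar/2024:12:05:04 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.7 - - [10/Mar/2024:12:09:40 +0000] "GET /contact HTTP/1.1" 200 1800
"""

# Constructed placeholder for a reputation feed; a deployment would load a real one.
BAD_REPUTATION = {"198.51.100.23"}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, TIME_FMT),
            "method": method, "path": path, "status": int(status)}


def detect_recon(log_text, window=timedelta(seconds=10), burst_threshold=5,
                 min_requests=4, not_found_ratio=0.5, bad_ips=BAD_REPUTATION):
    """Return a list of findings ({rule, ip, detail}) for the given log text."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])      # sliding window needs time order
    findings, flagged = [], set()
    recent = defaultdict(deque)               # per-IP timestamps inside window
    totals = defaultdict(lambda: [0, 0])      # per-IP [requests, 404 responses]

    def flag(rule, ip, detail):
        if (rule, ip) not in flagged:         # one finding per rule and address
            flagged.add((rule, ip))
            findings.append({"rule": rule, "ip": ip, "detail": detail})

    for ev in events:
        ip = ev["ip"]
        if ip in bad_ips:
            flag("bad_reputation", ip, "source address on reputation blocklist")
        q = recent[ip]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:     # drop timestamps outside window
            q.popleft()
        if len(q) >= burst_threshold:
            flag("burst", ip, f"{len(q)} requests within {window.seconds}s")
        totals[ip][0] += 1
        totals[ip][1] += ev["status"] == 404

    for ip, (n, not_found) in totals.items():
        if n >= min_requests and not_found / n >= not_found_ratio:
            flag("probing", ip, f"{not_found}/{n} requests returned 404")
    return findings


if __name__ == "__main__":
    for f in detect_recon(SAMPLE_LOG):
        print(f"{f['rule']:<15} {f['ip']:<15} {f['detail']}")
```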

Cyber Kill Chain
• Dealing with the Weaponization Phase
• As defined here, weaponization is a process that occurs at the
attacker site and thus cannot be detected by the target.
However, rapid patching and updating in addition to a
regular routine of vulnerability fixing can thwart a
weaponization effort by eliminating the vulnerability before
it is exploited. This highlights the necessity of obtaining and
acting on threat intelligence in a timely manner.
• Dealing with the Delivery Phase
• The key to preventing delivery is to maintain a robust security
training and awareness program so that social engineering
efforts are more likely to fail.

Cyber Kill Chain
• Dealing with the Delivery Phase
• A variety of technical tools are used to prevent delivery,
including the following:
– Antivirus software: Antivirus software is a program that monitors a
computer or network to identify all major types of malware and
prevent or contain malware incidents.
– Firewall: A firewall blocks delivery attempts from known or suspected
hostile sources.
– Web application firewall (WAF): A WAF is a firewall that monitors,
filters, or blocks data packets as they travel to and from a web
application.
– Intrusion prevention system (IPS): An IPS is a system that detects an
intrusive activity and also attempts to stop the activity, ideally before
it reaches its targets. It is similar to an intrusion detection system but
is proactive in attempting to block the intrusion.
Cyber Kill Chain
• Dealing with the Exploit Phase
• Countermeasures at the exploit stage include the following:
– Host-based intrusion detection systems (HIDS): Once an exploit is
inside the enterprise network and attacking hosts, a HIDS detects and
alerts on such attempts.
– Regular patching: Patching discovered vulnerabilities helps contain the
damage.
– Data restoration from backups: Once an exploit is discovered and
removed, it may be necessary to restore a valid copy of data from a
backup.

Cyber Kill Chain
• Dealing with the Installation Phase
Tools that detect suspicious software or behavior, such as
antivirus software and HIDS, are appropriate at the
installation stage. They should be backed by operational
practices such as the following:
– An organization should remediate any malware infections as quickly
as possible before they progress. Scan the rest of the enterprise
network for indicators of compromise associated with this outbreak.
– Sometimes a distributed denial-of-service (DDoS) attack is used to
divert attention away from another, more serious, attack attempt.
Increase monitoring, investigate all related activity, and work closely
with the enterprise Internet service provider (ISP) or other service
provider.
– An organization should detect, monitor, and investigate unauthorized
access attempts, giving priority to those that are mission critical
and/or contain sensitive data.
Cyber Kill Chain
• Dealing with the Installation Phase (continued)
– An organization should identify the privileged user accounts for all
domains, servers, apps, and critical devices. Monitoring should be
enabled for all systems, and for all system events, and the monitoring
system should feed the log monitoring infrastructure.
– An organization should configure critical systems to record all
privileged escalation events and set alarms for unauthorized
privilege escalation attempts.

Cyber Kill Chain
• Dealing with the Command-and-Control Phase
• Countermeasures at the command-and-control stage include
the following:
– Network-based intrusion detection systems (NIDS): A NIDS can detect
and alert on attempts to use an unauthorized or suspicious channel.
– Firewall: A firewall blocks communication with known or suspected
hostile sources and also blocks suspicious activity or packet content.
– Tarpit: This is a service on a computer system (usually a server) that
delays incoming connections for as long as possible. Tarpits were
developed as a defense against computer worms, based on the idea
that network abuses such as spamming or broad scanning are less
effective if they take too long. A tarpit is used for incoming traffic
that is not on an approved source whitelist.

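A NIDS looking for "an unauthorized or suspicious channel" often relies on timing: an implant checks in on a timer, so its connections to the controller arrive at nearly regular intervals, while a person's browsing does not. The following is an added example of that beaconing check, not code from the lecture or any referenced source; the connection records, hosts and thresholds are constructed and assumed, and the allowlist stands in for the approved-destination list the tarpit bullet mentions.

```python
import statistics
from collections import defaultdict

# Constructed outbound connection records (not from the page): epoch seconds, internal host, destination.
SAMPLE_CONNECTIONS = [
    # implant checking in roughly every 300 s with a little jitter
    (1700000000, "10.1.1.20", "203.0.113.55"),
    (1700000300, "10.1.1.20", "203.0.113.55"),
    (1700000602, "10.1.1.20", "203.0.113.55"),
    (1700000899, "10.1.1.20", "203.0.113.55"),
    (1700001201, "10.1.1.20", "203.0.113.55"),
    (1700001500, "10.1.1.20", "203.0.113.55"),
    (1700001798, "10.1.1.20", "203.0.113.55"),
    # a person browsing an approved site at irregular moments
    (1700000010, "10.1.1.31", "192.0.2.80"),
    (1700000045, "10.1.1.31", "192.0.2.80"),
    (1700000900, "10.1.1.31", "192.0.2.80"),
    (1700003200, "10.1.1.31", "192.0.2.80"),
    (1700003210, "10.1.1.31", "192.0.2.80"),
    (1700003900, "10.1.1.31", "192.0.2.80"),
    (1700005000, "10.1.1.31", "192.0.2.80"),
]


def find_beacons(connections, min_connections=6, max_jitter=0.1, allowlist=frozenset()):
    """Return suspected beacons: (src, dst) pairs whose connection timing is too regular.

    jitter = stdev(gaps) / mean(gaps); human traffic has high jitter, timer-driven
    check-ins have low jitter. Destinations on the allowlist are never reported.
    """
    times_by_pair = defaultdict(list)
    for ts, src, dst in connections:
        times_by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in times_by_pair.items():
        if dst in allowlist or len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # a burst in the same second, not a timer
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst,
                            "interval_s": round(mean_gap), "jitter": round(jitter, 3)})
    return beacons


def example_beacons(allowlist=frozenset()):
    return find_beacons(SAMPLE_CONNECTIONS, allowlist=allowlist)


if __name__ == "__main__":
    for b in example_beacons():
        print(f"beacon candidate {b['src']} -> {b['dst']} every ~{b['interval_s']}s (jitter {b['jitter']})")
```

The sample implant is reported with a 300 second interval and jitter well under one percent; the browsing host is not, because its gaps vary by an order of magnitude. Mature C2 frameworks deliberately randomise the sleep time, so in practice `max_jitter` has to be loosened and the score combined with other signals (destination age, bytes in versus bytes out, TLS certificate details), which is exactly why the slide says the adversary "can adapt behavior in response to surveillance".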
Cyber Kill Chain
• Dealing with the Actions Phase
• If an attack gets to the stage of ongoing advanced attacks, a
critical aspect of security is a backup policy. An organization
should regularly back up all critical data and systems; test,
document, and update system recovery procedures; and,
during a system compromise, capture evidence carefully and
document all recovery steps as well as all evidentiary data
collected.

Vulnerability Assessment
• Vulnerability assessment is the ongoing, regular process of
defining, identifying, classifying and reporting cyber
vulnerabilities across endpoints, workloads, and systems.
• A vulnerability is any weakness within the IT environment
that can be exploited by a threat actor during a cyber attack,
allowing them access to systems, applications, data and other
assets. As such, it is crucial for organizations to identify these
weak spots before cybercriminals discover them and utilize
them as part of an attack.
• Most often, vulnerability assessments are automated using a
security tool provided by a third-party security vendor. The
purpose of the tool is to help the organization understand
what vulnerabilities exist within their environment and
determine the priorities for remediation and patching.
Vulnerability Assessment
• Vulnerability assessments protect the business against data
breaches and other cyberattacks, and also help ensure
compliance with relevant regulations, such as the General
Data Protection Regulation (GDPR) and Payment Card
Industry Data Security Standard (PCI DSS).
• The General Data Protection Regulation (GDPR) is the
European Union’s (EU) personal data protection law that aims
to protect the privacy of EU citizens.
• The Payment Card Industry Data Security Standard (PCI
DSS) is a framework developed by the Payment Card Industry
Security Standards Council (PCI SSC) to help secure and
protect all payment card account data.

Vulnerability Assessment
• A comprehensive vulnerability assessment process leverages
several automated tools to perform a variety of scans across
the entire IT environment. This enables the organization to
identify vulnerabilities present across applications, endpoints,
workloads, databases, and systems.
• The four main scans conducted as part of the vulnerability
assessment process are:
– Network-Based Scan
– Host-Based Scan
– Application Scan
– Database Scan

Vulnerability Assessment
• Network-based scan
– Identifies vulnerabilities that can be exploited in network
security attacks.
– Includes assessments of traditional networks as well as
wireless networks.
– Validates that existing network security controls and policies are actually enforced.
• Host-based scan
– Identifies vulnerabilities in systems, servers, containers,
workstations, workloads, or other network hosts.
– Is typically deployed as an agent that can scan monitored
devices and other hosts to identify unauthorized activity,
changes, or other system issues.
– Offers enhanced visibility into system configuration and patch history.
Vulnerability Assessment
• Application scan
– Identifies vulnerabilities related to software applications,
including the application architecture, source code, and
database.
– Identifies misconfigurations and other security weaknesses
in web and network applications.
• Database scan
– Identifies vulnerabilities within the database systems or
servers.
– Helps prevent database-specific attacks, such as SQL
injections, and identify other vulnerabilities, such as
escalated privileges and misconfigurations.

Vulnerability Assessment
• Vulnerability management is the ongoing, regular process of
identifying, assessing, reporting on, managing and
remediating cyber vulnerabilities across endpoints,
workloads, and systems.
• A vulnerability assessment refers only to the initial scan of
the network, application, host, database, or other asset. In
other words, a vulnerability assessment is the first part of the
larger vulnerability management process.
• These two activities, when taken together, can help
organizations identify and address weaknesses within the IT
environment, thus helping the organization harden the attack
surface and protect the business from threats and risks.

Vulnerability Assessment
• Most organizations follow these five basic steps when
preparing for and conducting a vulnerability assessment:
• Program scoping and preparation
– During this phase, the IT team defines the scope and goals
of the program. The main objective of this exercise is to
accurately scope the attack surface and understand where
the most significant threats exist. Core activity includes:
• Identifying all assets, equipment, and endpoints to be
included in the scan, as well as the software, operating
systems, and other applications deployed on the assets.
• Outlining the corresponding security controls and policies
associated with each asset.
• Determining the impact to the business if each asset were breached,
e.g. whether the asset stores or processes sensitive data.
Vulnerability Assessment
• Most organizations follow these five basic steps when
preparing for and conducting a vulnerability assessment:
• Vulnerability testing
– In this step, organizations conduct an automated scan of
the designated assets to identify potential vulnerabilities
within the environment defined in step one.
– This phase may involve the use of a third-party tool or
support from a cybersecurity services provider. These tools
and vendors rely on existing vulnerability databases or
threat intelligence feeds to detect and classify
vulnerabilities.

Vulnerability Assessment
• Most organizations follow these five basic steps when
preparing for and conducting a vulnerability assessment:
• Prioritization
– In this stage, organizations review all vulnerabilities
surfaced during the assessment and determine which pose
the greatest risk to the business. Those that will have a
significant impact on the organization should be prioritized
for remediation.
– Prioritization is based on several factors including:
• Scoring of the vulnerability as determined by the vulnerability
database or threat intelligence
• Impact to the business if the weakness is exploited
• Known public availability of a working exploit for the weakness
• Ease of exploitation
• Availability of a patch and/or effort required to neutralize the
vulnerability
Vulnerability Assessment
• Most organizations follow these five basic steps when
preparing for and conducting a vulnerability assessment:
• Reporting
– In this phase, the tool produces a comprehensive report
that provides the security team with a snapshot of all
vulnerabilities within the environment. The report will also
prioritize these vulnerabilities and provide some guidance
on how to remediate them.
– Information contained within the report includes details
about the vulnerability, such as:
• When and where the vulnerability was discovered
• What systems or assets it affects
• Likelihood of exploitation
• Potential damage to the business if exploited
• Availability of a patch and effort required to deploy it
Vulnerability Assessment
• Most organizations follow these five basic steps when
preparing for and conducting a vulnerability assessment:
• Continuous improvement
– Because the vulnerability landscape changes day-to-day (if not
minute-by-minute), vulnerability assessments should be
conducted regularly and frequently. This will not only help
organizations ensure that they effectively resolved
vulnerabilities identified in past scans, but also help them detect
new ones as they arise.
– In addition to assessing existing assets (such as networks,
databases, hosts and applications), organizations should also
consider incorporating a vulnerability assessment within the
continuous integration / continuous delivery (CI/CD) process.
This will help ensure that vulnerabilities are found and fixed early
in the development lifecycle, before the affected build is
deployed to production.
Penetration Testing
• Penetration testing, sometimes referred to as pen testing, is
the simulation of real-world cyber attack in order to test an
organization’s cybersecurity capabilities and expose
vulnerabilities.
• While some might consider pen tests as just a vulnerability
scan meant to check the box on a compliance requirement,
the exercise should actually be much more.
• When considering to conduct a pen test, it’s important to
remember that there is not a one-size-fits-all test.
Environments, industry risks, and adversaries are different
from one organization to the next. Furthermore, there isn’t
just one type of pen test that will serve all the needs of an
organization.
Penetration Testing
• Following are the steps in penetration testing:
– Reconnaissance: The pen tester gathers important information about
the system to plan the scope of the attack.
– Scanning: Technical tools are used to analyze the system and probe for
vulnerabilities. Scanning helps to tailor an attack according to the
features of the targeted system.
– Vulnerability assessment: With info gathered from the previous
stages, the pen tester uses a penetration testing tool to check for
weaknesses to exploit in the targeted system.
– Exploitation: To simulate advanced persistent threats and gain
maximum insight, the pen tester hacks into the system, exploiting the
uncovered vulnerabilities while remaining undetected for as long as
possible.
– Reporting: With security data gathered, the tester leaves the targeted
system, removing any tools, accounts or other artifacts introduced during
the test so that the test itself leaves no residual exposure. The pen tester
then reports the exploited system vulnerabilities to the organization whose
system was targeted.
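The scanning step is the one most easily shown in code: a TCP connect scan that notes which ports accept a connection and grabs whatever banner the service volunteers, which is the raw material for the vulnerability assessment step that follows. The following is an added example, not code from the lecture or from any scanner; it starts its own throwaway listener on 127.0.0.1 so it has an in-scope target and runs offline. The banner string, the port window and the timeouts are assumptions. Against anything other than your own loopback, running this requires the written authorization and agreed scope discussed later under ethical hacking.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_banner_service(banner=b"SSH-2.0-ExampleServer\r\n"):
    """Start a throwaway listener on 127.0.0.1 so the scan has an in-scope target.

    In a real engagement the target is the host the client authorised in the
    rules of engagement; this local service is a stand-in, not a real SSH server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS choose a free port
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return               # listener closed: stop serving
            with conn:
                conn.sendall(banner)  # greet like a real service would

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host, port, timeout=0.5):
    """TCP connect probe: (port, banner) if the port accepts a connection, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(128).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""          # open, but silent: nothing to grab
            return port, banner
    except OSError:
        return None                  # refused, filtered or timed out


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Probe ports concurrently; return {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: banner for port, banner in (r for r in results if r is not None)}


def demo():
    """Scan a small window of ports around the local stand-in service."""
    srv, open_port = start_banner_service()
    try:
        found = scan_ports("127.0.0.1", range(open_port - 3, open_port + 4))
    finally:
        srv.close()
    return open_port, found


if __name__ == "__main__":
    port, found = demo()
    for p, banner in sorted(found.items()):
        print(f"127.0.0.1:{p} open  banner={banner!r}")
```

A full connect scan like this completes the TCP handshake and so is logged by the target, which is the trade-off the exploitation step's "remaining undetected" goal is concerned with; quieter techniques (SYN scans, slow timing) exist but need raw sockets and privileges. The banner is only a hint: the version a service announces is what a vulnerability database is matched against, and services can lie, so it is input to the assessment step, not a finding in itself.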
Penetration Testing
• There are several types of pen tests that are designed to meet
the specific goals and threat profile of an organization.
• Internal Pen Testing
– Assesses organization’s internal systems to determine how an attacker
could move laterally throughout the network: The test includes system
identification, enumeration, vulnerability discovery, exploitation,
privilege escalation, lateral movement, and objectives.
• External Pen Testing
– Assesses the Internet-facing systems to determine if there are
exploitable vulnerabilities that expose data or unauthorized access to
the outside world: The test includes system identification,
enumeration, vulnerability discovery, and exploitation.

Penetration Testing
• There are several types of pen tests that are designed to meet
the specific goals and threat profile of an organization.
• Web Application Pen Test
– Evaluates the web application using a three-phase process: First is
reconnaissance, where the team discovers information such as the
operating system, services and resources in use. Second is the
discovery phase, where the team attempts to identify vulnerabilities.
Third is the exploitation phase, where the team leverages the
discovered vulnerabilities to gain unauthorized access to sensitive
data.
• Insider Threat Pen Test
– Identifies the risks and vulnerabilities that can expose the sensitive
internal resources and assets to those without authorization.

Penetration Testing
• There are several types of pen tests that are designed to meet
the specific goals and threat profile of an organization.
• Wireless Pen Testing
– Identifies the risks and vulnerabilities associated with your wireless
network. The team assesses weaknesses such as deauthentication
attacks, misconfigurations, session reuse, and unauthorized wireless
devices.
• Physical Pen Testing
– Identifies the risks and vulnerabilities to the physical security in an
effort to gain access to a corporate computer system: The team
assesses weaknesses such as social engineering, tail-gating, badge
cloning and other physical security objectives.

Penetration Testing
• After doing penetration test, following things should be done:
– Review the final report and discuss the findings with both
the external pen testing team and the in-house
cybersecurity team
– Develop a comprehensive cybersecurity strategy and
remediation plan to action the findings
– Use repeat tests and vulnerability scans to track the
success and progress of the patches and upgrades long-
term

Activities

• Explore the following reconnaissance resources and note what each reveals about a target:


– Do Google Dorking
– https://web.archive.org/
– https://dnsdumpster.com/
– https://sitereport.netcraft.com/
– https://www.virustotal.com/

Ethical Hacking
• Ethical hacking is the use of hacking techniques by friendly
parties in an attempt to uncover, understand and fix security
vulnerabilities in a network or computer system.
• Ethical hackers have the same skills and use the same tools
and tactics as malicious hackers, but their goal is always to
improve network security without harming the network or its
users.
• Ethical hacking is like a rehearsal for real-world cyberattacks.
Organizations hire ethical hackers to launch simulated attacks
on their computer networks. During these attacks, the ethical
hackers demonstrate how actual cybercriminals break into a
network and the damage they could do once inside.

Ethical Hacking
• Ethical hackers follow a strict code of ethics to make sure their
actions help rather than harm companies.
• While stated ethics can vary among hackers or
organizations, the general guidelines are:
– Ethical hackers get permission from the companies they hack: Ethical
hackers are employed by or partnered with the organizations they
hack. They work with companies to define a scope for their activities
including hacking timelines, methods used and systems and assets
tested.
– Ethical hackers don't cause any harm: Ethical hackers don't do any
actual damage to the systems they hack, nor do they steal any
sensitive data they find. When white hats hack a network, they're only
doing it to demonstrate what real cybercriminals might do.

Ethical Hacking
• While stated ethics can vary among hackers or
organizations, the general guidelines are:
– Ethical hackers keep their findings confidential: Ethical hackers share
the information they gather on vulnerabilities and security systems
with the company—and only the company. They also assist the
company in using these findings to improve network defenses.
– Ethical hackers work within the confines of the law: Ethical hackers
use only legal methods to assess information security. They don't
associate with black hats or participate in malicious hacks.

Ethical Hacking
• Types of Hackers
– Black Hat: These are cybercriminals. Black hat hackers attack
vulnerabilities with malicious intent.
– White Hat: Also known as security specialists, white hat hackers
look for the same vulnerabilities as black hats but determine
how to fix the issues and prevent future attacks. Sometimes,
black hats become white hats. They are often ethical hackers.
– Gray Hat: Gray hats have mixed motivations. They enjoy hacking
and often do so without authorization, but they don't act
maliciously. Gray hats often view hacking as sport. They may
disclose a vulnerability in order to raise awareness that it
exists in the system.
– Blue Hat: Tech companies hire blue hat hackers to test products
and find security issues. Microsoft hosts an annual BlueHat
conference.
Ethical Hacking
• Steps of Hacking
– Information gathering
– Identifying the target domain/resource
– Finding vulnerabilities
– Exploiting the vulnerabilities
– Lateral movements
– Carry out goal

Cyber Law: Global and Local
• Self Study!
• An assignment will be uploaded in the teams!

• Reference and Acknowledgement
• William Stallings, Effective Cybersecurity,
Addison-Wesley, 2019
• Various web resources, such as CrowdStrike and
others
