Unit 3-CS

Ethical hacking is a legal practice aimed at identifying vulnerabilities in systems and networks to prevent potential data breaches. Ethical hackers operate under strict guidelines, including obtaining authorization and reporting vulnerabilities, and differ from malicious hackers by focusing on improving security rather than exploiting it. Key concepts include defining the scope of assessments, respecting data sensitivity, and utilizing various skills and certifications to effectively secure organizational infrastructures.

Uploaded by kalaichelvi.scs


Unit 3

Ethical Hacking

Ethical hacking is an authorized practice of detecting vulnerabilities in an application,
system, or organization’s infrastructure and bypassing system security to identify
potential data breaches and threats in a network.

The company that owns the system or network allows cyber security engineers to perform
such activities in order to test the system’s defenses. Thus, unlike malicious hacking, this
process is planned, approved, and, more importantly, legal.

Ethical hackers aim to investigate the system or network for weak points that malicious
hackers can exploit or destroy. They collect and analyze the information to figure out ways to
strengthen the security of the system/network/applications. By doing so, they can improve
the security footprint so that it can better withstand attacks or divert them.

Ethical hackers are hired by organizations to look into the vulnerabilities of their systems and
networks and develop solutions to prevent data breaches. Consider it a high-tech permutation
of the old saying “It takes a thief to catch a thief.”

The key vulnerabilities they check for include, but are not limited to:

• Injection attacks
• Changes in security settings
• Exposure of sensitive data
• Breaches in authentication protocols
• Components used in the system or network that may be used as access points

Roles and Responsibilities of an Ethical Hacker:

Ethical Hackers must follow certain guidelines in order to perform hacking legally. A good
hacker knows his or her responsibility and adheres to all of the ethical guidelines. Here are
the most important rules of Ethical Hacking:

• An ethical hacker must seek authorization from the organization that owns the
system. Hackers should obtain complete approval before performing any security
assessment on the system or network.
• Determine the scope of the assessment and make the plan known to the
organization.
• Report any security breaches and vulnerabilities found in the system or network.
• Keep their discoveries confidential. As their purpose is to secure the system or
network, ethical hackers should agree to and respect their non-disclosure agreement.
• Erase all traces of the hack after checking the system for any vulnerability. This
prevents malicious hackers from entering the system through the identified
loopholes.

What are the key concepts of ethical hacking?

Hacking experts follow four key protocol concepts:

1. Stay legal. Obtain proper approval before accessing and performing
a security assessment.
2. Define the scope. Determine the scope of the assessment so that the ethical
hacker’s work remains legal and within the organization’s approved
boundaries.
3. Report vulnerabilities. Notify the organization of all vulnerabilities
discovered during the assessment. Provide remediation advice for resolving
these vulnerabilities.
4. Respect data sensitivity. Depending on the data sensitivity, ethical hackers
may have to agree to a non-disclosure agreement, in addition to other terms
and conditions required by the assessed organization.

How are ethical hackers different from malicious hackers?

Ethical hackers use their knowledge to secure and improve the technology of
organizations. They provide an essential service to these organizations by looking
for vulnerabilities that can lead to a security breach.
An ethical hacker reports the identified vulnerabilities to the organization.
Additionally, they provide remediation advice. In many cases, with the
organization’s consent, the ethical hacker performs a re-test to ensure the
vulnerabilities are fully resolved.
Malicious hackers intend to gain unauthorized access to a resource (the more
sensitive the better) for financial gain or personal recognition. Some malicious
hackers deface websites or crash backend servers for fun, reputation damage, or to
cause financial loss. The methods used and vulnerabilities found remain
unreported. They aren’t concerned with improving the organization’s security
posture.

What skills and certifications should an ethical hacker obtain?

An ethical hacker should have a wide range of computer skills. They often
specialize, becoming subject matter experts (SME) on a particular area within the
ethical hacking domain.
All ethical hackers should have:

• Expertise in scripting languages.
• Proficiency in operating systems.
• A thorough knowledge of networking.
• A solid foundation in the principles of information security.

Some of the most well-known and widely held certifications include:

• EC-Council Certified Ethical Hacker (CEH)
• Offensive Security Certified Professional (OSCP)
• CompTIA Security+
• Cisco CCNA Security
• SANS GIAC

What problems does hacking identify?

While assessing the security of an organization’s IT asset(s), ethical hackers aim
to mimic an attacker. In doing so, they look for attack vectors against the target.
The initial goal is to perform reconnaissance, gaining as much information as
possible.
Once the ethical hacker gathers enough information, they use it to look for
vulnerabilities in the asset. They perform this assessment with a combination
of automated and manual testing. Even sophisticated systems may have complex
countermeasure technologies which may themselves be vulnerable.
They don’t stop at uncovering vulnerabilities. Ethical hackers use exploits against
the vulnerabilities to prove how a malicious attacker could exploit them.
Some of the most common vulnerabilities discovered by ethical hackers include:

• Injection attacks
• Broken authentication
• Security misconfigurations
• Use of components with known vulnerabilities
• Sensitive data exposure

After the testing period, ethical hackers prepare a detailed report. This
documentation includes steps to compromise the discovered vulnerabilities and
steps to patch or mitigate them.

What are some limitations of ethical hacking?

• Limited scope. Ethical hackers cannot progress beyond a defined scope to
make an attack successful. However, it’s not unreasonable to discuss out-of-scope
attack potential with the organization.
• Resource constraints. Malicious hackers don’t have the time constraints that
ethical hackers often face. Computing power and budget are additional
constraints on ethical hackers.
• Restricted methods. Some organizations ask experts to avoid test cases that
lead the servers to crash (e.g., Denial of Service (DoS) attacks).

Attack vector

An attack vector is the method or combination of methods that cybercriminals use to
breach or infiltrate a victim’s network.

What is an attack vector?

An attack vector, or threat vector, is a way for attackers to enter a network or system.
Common attack vectors include social engineering attacks, credential theft, vulnerability
exploits, and insufficient protection against insider threats. A major part of information
security is closing off attack vectors whenever possible.

Suppose a security firm is tasked with guarding a rare painting that hangs in a museum. There
are a number of ways that a thief could enter and exit the museum — front doors, back doors,
elevators, and windows. A thief could enter the museum in some other way too, perhaps by
posing as a member of the museum's staff. All of these methods represent attack vectors, and
the security firm may try to eliminate them by placing security guards at all doors, putting
locks on windows, and regularly screening museum staff to confirm their identity.

Similarly, digital systems all have areas attackers can use as entry points. Because modern
computing systems and application environments are so complex, closing off all attack
vectors is typically not possible. But strong security practices and safeguards can eliminate
most attack vectors, making it far more difficult for attackers to find and use them.

What are some of the most common attack vectors?

Phishing: Phishing involves stealing data, such as a user's password, that an attacker can use
to break into a network. Attackers gain access to this data by tricking the victim into
revealing it. Phishing remains one of the most commonly used attack vectors —
many ransomware attacks, for instance, start with a phishing campaign against the victim
organization.

Email attachments: One of the most common attack vectors, email attachments can contain
malicious code that executes after a user opens the file. In recent years, multiple major
ransomware attacks have used this threat vector, including Ryuk attacks.

Account takeover: Attackers can use a number of different methods to take over a legitimate
user's account. They can steal a user's credentials (username and password) via phishing
attack, brute force attack, or purchasing them on the underground market. Attackers can also
try to intercept and use a session cookie to impersonate the user to a web application.

Lack of encryption: Unencrypted data can be viewed by anyone who has access to it. It can
be intercepted in transit between networks, as in an on-path attack, or simply viewed
inadvertently by an intermediary along the network path.

Insider threats: An insider threat is when a known and trusted user accesses and distributes
confidential data, or enables an attacker to do the same. Such occurrences can be either
intentional or accidental on the part of the user. External attackers can try to create insider
threats by contacting insiders directly and asking, bribing, tricking, or threatening them into
providing access. Sometimes malicious insiders act of their own accord, out of dissatisfaction
with their organization or for some other reason.

Vulnerability exploits: A vulnerability is a flaw in software or hardware — think of it as
being like a lock that does not work properly, enabling a thief who knows where the faulty
lock is to enter a secured building. When an attacker successfully uses a vulnerability to enter
a system, this is called a vulnerability "exploit." Applying the software or hardware vendor's
updates can fix most vulnerabilities. But some vulnerabilities are "zero-day" vulnerabilities
— unknown vulnerabilities for which there is no known fix.

Browser-based attacks: To display webpages, Internet browsers load and execute code they
receive from remote servers. Attackers can inject malicious code into a website or direct
users to a fake website, tricking the browser into executing code that downloads malware or
otherwise compromises user devices. With cloud computing, employees often access data
and applications solely through their Internet browser, making this threat vector of particular
concern.

Application compromise: Instead of going after user accounts directly, an attacker may aim
to infect a trusted third-party application with malware. Or they could create a fake, malicious
application that users unknowingly download and install (a common attack vector for mobile
devices).

Open ports: A port is a virtual entryway into a device. Ports help computers and servers
associate network traffic with a given application or process. Ports that are not in use should
be closed. Attackers can send specially crafted messages to open ports to try to compromise
the system, just as a car thief might try opening doors to see if any are unlocked.
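The advice above that unused ports should be closed can be turned into a repeatable host check. The following is an added example, not code from the original notes: it parses the output of the Linux `ss -tlnp` command (the sample output, the approved-service baseline and all function names are constructed for this example) and reports listeners that are outside the baseline, noting which of them are bound to every interface rather than to loopback only.

```python
"""Added example: flag listening TCP ports that are outside an approved baseline.

Parses `ss -tlnp` output (Linux listening sockets with owning process) and
reports listeners not in the approved list, marking those reachable from the
network. Sample output, baseline and function names are constructed here.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output as a host-based scan might capture it.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1203,fd=5))
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1410,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    *:8080               *:*                users:(("java",pid=2001,fd=77))
"""

# Constructed approved baseline for this host: port -> process expected to own it.
APPROVED = {22: "sshd", 5432: "postgres"}

# Local addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*", "::"}

# First process name inside a users:(("name",pid=...,fd=...)) column.
_PROC_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str  # "?" when ss could not show the owner (no privileges)

    @property
    def exposed(self) -> bool:
        """True when bound to all interfaces rather than loopback only."""
        return self.addr in WILDCARD_ADDRS


def parse_ss(output: str) -> list:
    """Parse `ss -tlnp` text into Listener records; the header line is skipped."""
    listeners = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 brackets intact: "[::]:22" -> ("[::]", "22")
        addr, _, port = cols[3].rpartition(":")
        match = _PROC_RE.search(cols[5]) if len(cols) > 5 else None
        listeners.append(Listener(addr, int(port), match.group(1) if match else "?"))
    return listeners


def audit_ports(output: str, approved: dict) -> list:
    """Return sorted (port, process, exposed) tuples for listeners outside the baseline.

    A listener is flagged when its port is not approved at all, or when a
    different process than expected owns it. IPv4/IPv6 duplicates are merged,
    and a merged entry counts as exposed if any of its sockets is.
    """
    findings = {}
    for lst in parse_ss(output):
        if approved.get(lst.port) == lst.process:
            continue  # approved service on its approved port
        key = (lst.port, lst.process)
        findings[key] = findings.get(key, False) or lst.exposed
    return sorted((port, proc, exposed) for (port, proc), exposed in findings.items())


if __name__ == "__main__":
    for port, proc, exposed in audit_ports(SAMPLE_SS_OUTPUT, APPROVED):
        where = "all interfaces" if exposed else "loopback only"
        print(f"port {port} ({proc}) not in baseline, listening on {where}")
```

On a real host, feed `subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout` to `audit_ports` and keep the baseline under version control beside the host's build definition.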

How can an organization secure its attack vectors?

There is no way to eliminate attack vectors altogether. But these approaches can help stop
both internal and external attacks.

• Good security practices: Many attacks succeed due to user error: users fall for phishing
attacks, open malicious email attachments, or provide access to an unauthorized person.
Training users to avoid these errors can go a long way toward eliminating several major
attack vectors.
• Encryption: Encrypting data in transit prevents it from being exposed to any
intermediary parties.
• Browser isolation: This technology moves the process of loading and executing untrusted
code to a location outside of an organization's secured network. Browser isolation can
even help eliminate the threat of zero-day attacks, at least in the browser.
• Patching vulnerabilities: A large number of attacks occur because an organization has
not patched a vulnerability. Patching vulnerabilities and regularly updating software and
hardware vastly reduces the chances of a successful vulnerability exploit.
• Secure access service edge (SASE): As reliance on the cloud has changed corporate
computing models, many organizations find their networking and security models need to
change as well. Secure access service edge (SASE) is one method of integrating
networking and security. SASE includes a number of security safeguards that close off the
attack vectors described above.

What is an attack surface?

An attack surface is the sum of all possible security risk exposures in an organization’s
environment. Put another way, it is the collective of all potential vulnerabilities (known
and unknown) and controls across all hardware, software, network components, and
people.

Attack surfaces can be categorized into three basic types:

1. Digital attack surface: Encompasses the entire network and software environment of an
organization. It can include applications, code, ports, and other entry and exit points.
2. Physical attack surface: All of an organization’s infrastructure such as desktop systems,
laptops, mobile devices, servers, access gates, telco infrastructure, and even electrical feeds.
3. Social engineering attack surface: Attacks that exploit the human mind, used often in
phishing, pretexting (smishing), vishing (voicemail), and other manipulative techniques to
mislead the human.

What is a threat vector?

Threat vector is a term used to describe the method a cybercriminal uses to gain initial
access to a victim network or infrastructure. Threat vector is often used interchangeably
with attack vector.

Threat Modeling

Threat modeling involves identifying and communicating information about the threats that may
impact a particular system or network. Security threat modeling enables an IT team to understand
the nature of threats, as well as how they may impact the network. In addition, threat modeling
can be used to analyze the dangers threats pose to applications, taking into account their potential
vulnerabilities.

Benefits of threat modeling

The process of threat modeling can:

• Provide an enhanced view of systems. The steps involved in threat modeling, such as
creating data flow diagrams (DFDs) and graphical representations of attack paths and
prioritizing assets and risks, help IT teams gain a deeper understanding of network
security and architecture.
• Help enable better collaboration on security. Proper threat modeling requires input from
many stakeholders. Participating in the process can help instill cybersecurity consciousness
as a core competency for all participants.
• Facilitate risk prioritization. Businesses can use the threat data provided by modeling to
make decisions about which security risks to prioritize, a helpful process for understanding
where to allocate people and budget resources.

Two ways to measure effectiveness

Two ways to measure effectiveness are:

• Common Vulnerability Scoring System (CVSS). CVSS produces standardized scores for
application vulnerabilities, IT systems and elements, and IoT devices; the scores can be
calculated with a free online tool. For additional perspective, scores can be compared
against a database of existing scores crowdsourced from similar enterprises.
• Penetration testing. Sometimes referred to as "ethical hacking," penetration testing is the
process of staging dummy attacks on a system to measure its strengths and weaknesses.
Pen tests may require a good deal of time-consuming data analysis, so organizations should
be wary of running too many tests, or tests on assets that are not sufficiently high-risk to
justify the cost.

How does Threat Modeling Work?

Aside from protecting networks and applications, threat modeling can also aid in
securing Internet-of-Things (IoT) devices, as well as processes the business depends on.
Because of its versatility, threat modeling provides an organization with a veritable cyber
navy, protecting the company from a variety of threat vectors.

The procedure for threat modeling varies depending on the system being examined. However,
virtually any tech-dependent business process can benefit in one way or another. With threat
modeling, the scope of threats facing a particular process or system can be narrowed down,
then examined. This eliminates confusion about what the threats may be, as well as how to
defend against them. Further, it gives IT teams the information they need to defend the
system long before a threat impacts it.

The threat modeling process depends on a sequential series of actions. Even though they can
be performed individually, they are interdependent, so executing them together provides a
more comprehensive view of the threat situation. The steps tend to include:

1. Outlining the concern you have as it pertains to a specific system, application, or
process
2. Making a list outlining the assumptions regarding the threat, which need to be verified
as conditions change
3. A concrete list of threats
4. A list of remediation and elimination steps
5. A way to make sure the methods of dealing with the threats are successful and still
valid as the threat landscape changes

What is the Threat Modeling Process?

The thinking powering the threat modeling process can be summed up by outlining the
following:

1. The systems that could be impacted
2. The things that could go wrong
3. What the organization or IT team is doing to reduce the risk
4. After steps have been taken, assessing their success or failure

Enterprise information security architecture

Enterprise Information Security Architecture (EISA) is the process of instilling a
complete information security solution into the architecture of an enterprise, ensuring the
security of business information at every point in the architecture. In other words, it is the
enterprise and its activities that are to be secured, and the security of computers and networks
is only a means to this end.[1]

EISA Framework[2]
EISA is not simply about building a wall between enterprise IT systems and the rest of the
world. More importantly, it is a security architecture that aligns with the strategies and
objectives of the enterprise, while also taking into consideration the importance of the free
flow of information from all levels of the organization (internal to vendors to customers,
etc.).

The development of this security architecture framework is purposely constructed to outline
the current, intermediate, and target reference architectures, allowing them to align programs
of change. This framework provides a rigorous taxonomy of the organization that clearly
identifies what processes the business performs and detailed information about how those
processes are executed and secured.

This framework goes into many levels of detail that vary according to practical
considerations such as budget. This allows decision makers to make the most informed
decisions about where to invest their resources and where to align organizational goals and
processes to support core missions or business functions.

The Structure and Content of an EISA Framework

The primary function of EISA is to document and communicate the artifacts of the security
program in a consistent manner. As such, the primary deliverable of EISA is a set of
documents connecting business drivers with technical implementation guidance. These
documents are developed iteratively through multiple levels of abstraction.

The three key dimensions of the EISA framework are as follows:

The EISA should describe how security is woven into the fabric of the business. The EISA
process must allow inputs from and interface points with design components from other
planning disciplines. Then, as the architecture and security processes mature, the EISA can
have a more symbiotic relationship with the enterprise architecture, allowing further
changes to be integrated easily.

Key elements

Here are the key elements of an EISA and the purpose of each:

• Business context: Defines enterprise information use cases and their importance for
reaching business goals.
• Conceptual layer: Provides the big picture, including the enterprise profile and risk
attributes.
• Logical layer: Defines the logical paths between information, services, processes
and applications.
• Implementation: Defines how the EISA should be implemented.
• Solutions: Details the software, devices, processes and other components used to
mitigate security vulnerabilities and maintain security for the future.

Benefits of an EISA

Having a solid EISA is invaluable for guiding security planning at all levels. It provides the
detailed information required to make the best decisions about what processes and solutions
to implement across the IT environment and how to manage the technology lifecycle.

Moreover, a carefully documented and published enterprise information security architecture
is vital for compliance with many modern industry standards and legal mandates.

Challenges in creating an EISA

Development of an optimal EISA strategy can be difficult, especially when the following
common factors are in play:

• Lack of communication and coordination among various departments or teams when
it comes to managing risks and maintaining IT security
• Failure to clearly articulate the goals of the EISA
• Lack of understanding among users and stakeholders about the need to prioritize
information security
• Difficulty calculating the cost and ROI of data protection software tools
• Lack of funding to properly address security issues
• Dissatisfaction with earlier security measures that were developed, such as spam
filtering that flags valid and critical correspondence
• Earlier failures to meet regulatory requirements or business objectives
• Concerns about the ineffectiveness of earlier IT security investments

Key tasks in building an EISA

Building an enterprise information security architecture includes the following tasks:

• Identify and mitigate gaps and vulnerabilities in the current security architecture.
• Analyze current and emerging security threats and how to mitigate them.
• Perform regular security risk assessments. Risks to consider include cyberattacks,
malware, leaks of personal data of customers or employees, and hardware and
software failure events.
• Identify security-specific technologies (such as privileged access management), as
well as the security capabilities of non-security solutions (such as email servers), that
can be used in the EISA.
• Ensure the EISA is aligned with business strategy.
• Ensure the EISA helps you satisfy the requirements of applicable compliance
standards, such as SOX, PCI DSS, HIPAA/HITECH and GDPR.

The 5 steps to EISA success

The following 5 steps will help you develop an effective EISA:

1. Assess your current security situation.

Identify the security processes and standards your organization is currently operating with.
Then analyze where security provisions are lacking for different systems and how they can be
improved.

2. Analyze security insights (strategic and technical).

Link the insight gained in step 1 with your business goals. Be sure to include both technical
measures and strategy context to prioritize your efforts.

3. Develop the logical security layer of the architecture.

To create a logical architecture for your EISA based on security best practices, use an
established framework to assign controls where priority is high.

4. Design the EISA implementation.

Turn the logical layer into an implementable design. Based on your expertise, resources and
the state of the market, decide which elements to develop in-house and which things should
be managed by a vendor.

5. Treat architecture as an ongoing process.

Since the threat landscape, your IT environment, the solution marketplace and best practice
recommendations are all constantly evolving, be sure to review and revise your information
security architecture periodically.

Vulnerability assessment

Vulnerability assessment is a process of evaluating security risks in software systems to
reduce the probability of threats. The purpose of vulnerability testing is to reduce the
possibility of intruders or hackers gaining unauthorized access to systems.

A vulnerability is any mistake or weakness in the system's security procedures, design,
implementation, or internal control that may violate the system's security policy.

A vulnerability assessment process may involve automated and manual techniques with
varying degrees of rigor and an emphasis on comprehensive coverage. Using a risk-based
approach, vulnerability assessments may target different technology layers, the most common
being host, network, and application-layer assessments.

Vulnerability assessments provide security teams and other stakeholders with the information
they need to analyze and prioritize potential remediation risks in the proper context.
Vulnerability assessments are a critical component of the vulnerability management and IT
risk management lifecycles, helping protect systems and data from unauthorized access and
data breaches.

Organizations of any size, or even individuals who face an increased risk of cyberattacks, can
benefit from some form of vulnerability assessment. Still, large enterprises and other
organizations subject to ongoing attacks will benefit most from vulnerability analysis.
Because security vulnerabilities can enable hackers to access IT systems and applications,
enterprises need to identify and remediate weaknesses before being exploited.

A comprehensive vulnerability assessment, along with a management program, can help
companies improve the security of their systems.

Types of Vulnerability Assessments

Vulnerability assessment applies various methods, tools, and scanners to uncover weak
spots, threats, and risks. Which method fits depends on how the weaknesses of the given
system are best discovered. The main types of vulnerability assessment are:

1. Network-based scans

Network-based scans help identify possible network security attacks and zero in on
vulnerable systems on wired or wireless networks.

2. Host-based scans

Host-based scans are used to locate and identify vulnerabilities in servers, workstations or
other network hosts. This type of scan usually examines ports and services that may also be
visible to network-based scans. It also provides excellent visibility into the configuration
settings and patch history of scanned systems.

3. Wireless network scans

Wireless network infrastructure is scanned to identify vulnerabilities. It helps in validating a
company's network.

4. Application scans

Application scans test websites to discover known software vulnerabilities. They also identify
security vulnerabilities in web applications and their source code through automated scans of
the front end or static or dynamic analysis of the source code.

5. Database scans

Database scans help identify weak spots in a database to prevent attacks by cybercriminals.
They identify rogue databases or insecure environments and classify sensitive data across an
organization's infrastructure.

Vulnerability Assessment Benefits

Vulnerability assessments allow security teams to apply a consistent, comprehensive, and
clear approach to identifying and resolving security threats and risks. This has several
benefits to an organization, such as:

• Early and consistent identification of threats and weaknesses in IT security.
• Remediation actions to close any gaps and protect sensitive systems and information.
• Meeting cybersecurity compliance and regulatory needs for areas like HIPAA and PCI DSS.
• Protection against data breaches and other unauthorized access.
• A vulnerability assessment provides an organization with information on the security
weaknesses in its environment.
• It provides direction on how to assess the risks associated with those weaknesses. This
process offers the organization a better understanding of its assets, security flaws and overall
risk.
• The process of locating and reporting the vulnerabilities provides a way to detect and resolve
security problems by ranking the vulnerabilities before someone or something can exploit
them.
• In this process, operating systems, application software and networks are scanned to identify
vulnerabilities, including inappropriate software design, insecure authentication, etc.

Vulnerability Assessment Process

Below is the step-by-step vulnerability assessment process to identify system
vulnerabilities.

1. Goals and Objectives: Define the goals and objectives of the vulnerability analysis.
2. Scope: While performing the assessment and test, the assignment's scope needs to be clearly
defined. The following are the three possible scopes:
o Black Box Testing: It is a software testing method in which software applications'
functionalities are tested without knowing the internal code structure, implementation
details and internal paths.
Black Box Testing mainly focuses on the input and output of software applications,
and it is entirely based on software requirements and specifications. It is also known
as Behavioral Testing.
o White Box Testing: White box testing is a software testing technique in which the
internal structure, design and coding of software are tested to verify the flow of input
and output and also to improve design, usability and security.
In white-box testing, code is visible to testers, so it is also called Clear box testing,
Open box testing, Transparent box testing, Code-based testing and Glass box testing.
o Grey Box Testing: It is a software testing technique to test a software product or
application with partial knowledge of its internal structure. The purpose of grey box
testing is to search for and identify the defects due to improper code structure or
improper use of applications.
In this process, context-specific errors that are related to web systems are commonly
identified. It increases the testing coverage by concentrating on all of the layers of
any complex system.
Grey box testing is the combination of both Black Box Testing and White Box
Testing.
3. Information Gathering: Obtaining as much information as possible about the IT environment,
such as networks, IP addresses, operating system versions, etc. It applies to all three types of
scope: Black Box Testing, White Box Testing, and Grey Box Testing.
4. Vulnerability Detection: In this step, vulnerability scanners scan the IT environment and
identify the vulnerabilities.
5. Information Analysis and Planning: The identified vulnerabilities are analyzed to devise a
plan for penetrating the network and systems.

How to do Vulnerability Assessment

The following are the steps for performing a vulnerability assessment:

Step 1) Setup: Start by determining which systems and networks will be assessed, identifying
where any sensitive data resides, and deciding which data and systems are most critical.
Configure and update the tools.

Step 2) Test Execution: A packet is the unit of data routed between an origin and a
destination. When any file, such as an e-mail message, HTML file or Uniform Resource
Locator (URL) request, is sent from one place to another on the internet, the TCP layer
of TCP/IP divides the file into several "chunks" for efficient routing. Each of these chunks
is uniquely numbered and includes the internet address of the destination. These
chunks are called packets.

o Run the captured data packets.
o When all the packets have arrived, they are reassembled into the original file by the TCP
layer at the receiving end, while the assessment tools are running.

Step 3) Vulnerability Analysis: Now define and classify the network or system resources and
assign a priority to each resource (low, medium, high). Identify potential threats to each
resource and develop a strategy to deal with the highest-priority problems first. Define and
implement ways to minimize the consequences if an attack occurs.

Step 4) Remediation: The vulnerability assessment results are used to patch key flaws or problems,
whether simply via a product update or through something more involved, from installing
new security tools to enhancing security procedures. In step 3, we prioritized the
problems to ensure that the most urgent flaws are handled first. It is also worth noting that some
problems may have so little impact that they are not worth the cost and downtime
required for remediation.

Step 5) Repeat: Vulnerability assessments need to be conducted regularly, monthly or
weekly, as any single assessment is only a report of that moment in time. Over time, these
reports give a strong sense of how the security posture has developed.

Vulnerability Testing Methods

The following vulnerability testing methods are used:

1. Active Testing: In active testing, a tester introduces new test data and analyzes the results.
During the testing process, the testers create a mental model of the process, and it grows
further during their interaction with the software under test.
While doing the test, the tester actively finds new test cases and new ideas. That is
why it is called active testing.
2. Passive Testing: It is used to monitor the results of running the software under test without
introducing new test cases or data.
3. Network Testing: Network testing is the process of measuring and recording the current
state of network operation over a period of time.
Testing is mainly done to predict how the network will operate under load or to find
problems created by new services. The following network characteristics need to be tested:
o Utilization levels
o Number of users
o Application utilization

4. Distributed Testing: Distributed tests are used for testing distributed applications, i.e.
applications that work with multiple clients simultaneously. Testing a distributed
application means testing its client and server parts separately, but by using a distributed
testing method, we can test them all together.
The test parts interact with each other during the test run, which keeps them
properly synchronized. Synchronization is one of the most crucial points in
distributed testing.

Penetration test
A penetration test (pen test) is an authorized simulated attack performed on a computer
system to evaluate its security. Penetration testers use the same tools, techniques, and
processes as attackers to find and demonstrate the business impacts of weaknesses in a
system. Penetration tests usually simulate a variety of attacks that could threaten a business.
They can examine whether a system is robust enough to withstand attacks from authenticated
and unauthenticated positions, as well as a range of system roles. With the right scope, a pen
test can dive into any aspect of a system.
What are the benefits of penetration testing?

Ideally, software and systems are designed from the start with the aim of eliminating
dangerous security flaws. A pen test provides insight into how well that aim was achieved.
Pen testing can help an organization:

 Find weaknesses in systems
 Determine the robustness of controls
 Support compliance with data privacy and security regulations (e.g., PCI
DSS, HIPAA, GDPR)
 Provide qualitative and quantitative examples of current security posture and budget
priorities for management

Penetration testing stages

The pen testing process can be broken down into five stages.
1. Planning and reconnaissance
The first stage involves:

 Defining the scope and goals of a test, including the systems to be addressed
and the testing methods to be used.
 Gathering intelligence (e.g., network and domain names, mail server) to
better understand how a target works and its potential vulnerabilities.

2. Scanning
The next step is to understand how the target application will respond to various
intrusion attempts. This is typically done using:

 Static analysis – Inspecting an application’s code to estimate the way it
behaves while running. These tools can scan the entirety of the code in a
single pass.
 Dynamic analysis – Inspecting an application’s code in a running state. This
is a more practical way of scanning, as it provides a real-time view into an
application’s performance.

3. Gaining Access
This stage uses web application attacks, such as cross-site scripting, SQL
injection and backdoors, to uncover a target’s vulnerabilities. Testers then try and
exploit these vulnerabilities, typically by escalating privileges, stealing data,
intercepting traffic, etc., to understand the damage they can cause.

4. Maintaining access
The goal of this stage is to see if the vulnerability can be used to achieve a
persistent presence in the exploited system, long enough for a bad actor to gain
in-depth access. The idea is to imitate advanced persistent threats, which often
remain in a system for months in order to steal an organization’s most sensitive
data.

5. Analysis
The results of the penetration test are then compiled into a report detailing:

 Specific vulnerabilities that were exploited
 Sensitive data that was accessed
 The amount of time the pen tester was able to remain in the system
undetected

This information is analyzed by security personnel to help configure an
enterprise’s WAF settings and other application security solutions to
patch vulnerabilities and protect against future attacks.

Penetration testing methods

External testing

External penetration tests target the assets of a company that are visible on the
internet, e.g., the web application itself, the company website, and email and
domain name servers (DNS). The goal is to gain access and extract valuable data.

Internal testing

In an internal test, a tester with access to an application behind its firewall
simulates an attack by a malicious insider. This isn’t necessarily simulating a rogue
employee. A common starting scenario can be an employee whose credentials were
stolen due to a phishing attack.

Blind testing

In a blind test, a tester is only given the name of the enterprise that’s being
targeted. This gives security personnel a real-time look into how an actual
application assault would take place.

Double-blind testing

In a double-blind test, security personnel have no prior knowledge of the simulated
attack. As in the real world, they won’t have any time to shore up their defenses
before an attempted breach.

Targeted testing

In this scenario, both the tester and security personnel work together and keep each
other apprised of their movements. This is a valuable training exercise that
provides a security team with real-time feedback from a hacker’s point of view.

Insider Attack:
 Insider attacks get their name because they are carried out by people who have
inside access to information.
 These insiders may be current or former employees, business partners,
contractors, or security admins who previously had access to the confidential
information.
 Insider attacks are carried out by people who are familiar with the
computer network system and hold authorised access to all the
information.
 This form of cyber attack is extremely dangerous because the attack is led by the
organisation's own employees, which leaves the entire system extremely vulnerable.
 Organisations mostly focus on protection against external cyber attacks
and rarely pay attention to internal cyber attacks.

Insider Types:

Malicious Insider Threats

Also referred to as a turncloak, the principal goals of malicious insider threats include
espionage, fraud, intellectual property theft and sabotage. They intentionally abuse their
privileged access to steal information or degrade systems for financial, personal and/or
malicious reasons. Examples include an employee who sells confidential data to a competitor
or a disgruntled former contractor who introduces debilitating malware on the organization’s
network.

Malicious insider threats may be collaborators or lone wolves.

Collaborator
Collaborators are authorized users who work with a third party to intentionally harm the
organization. The third party may be a competitor, nation-state, organized criminal network
or an individual. The collaborator’s action would lead to the leak of confidential information
or the disruption of business operations.

Lone Wolf

Lone wolves operate entirely independently and act without external manipulation or
influence. They can be especially dangerous because they often have privileged system
access such as database administrators.

Careless Insider Threats

Careless insider security threats occur inadvertently. They are often the result of human error,
poor judgement, unintentional aiding and abetting, convenience, phishing (and other social
engineering tactics), malware and stolen credentials. The individual involved unknowingly
exposes enterprise systems to external attack.

Careless insider threats may be pawns or goofs.

Pawn

Pawns are authorized users who have been manipulated into unintentionally acting
maliciously, often through social engineering techniques such as spear phishing. These
unintentional acts could include downloading malware to their computer or disclosing
confidential information to an impostor.

Goof

Goofs deliberately take potentially harmful actions but harbor no malicious intent. They are
arrogant, ignorant and/or incompetent users who do not recognize the need to follow security
policies and procedures. A goof may be a user who stores confidential customer information
on their personal device, even though they know it’s against organizational policy.

Mole
A mole is an outsider but one who has gained insider access to the organization’s systems.
They may pose as a vendor, partner, contractor or employee, thereby obtaining privileged
authorization they otherwise would not qualify for.

How to Detect an Insider Threat

Most threat intelligence tools focus on the analysis of network, computer and application data
while giving scant attention to the actions of authorized persons who could misuse their
privileged access. For secure cyber defense against an insider threat, you have to keep an eye
on anomalous behavioral and digital activity.

Behavioral Indicators
There are a few different indicators of an insider threat that should be looked out for,
including:

 A dissatisfied or disgruntled employee, contractor, vendor or partner.
 Attempts to circumvent security.
 Regularly working off-hours.
 Displays resentment toward co-workers.
 Routine violation of organizational policies.
 Contemplating resignation or discussing new opportunities.

Digital Indicators

 Signing into enterprise applications and networks at unusual times. For instance, an
employee who, without prompting, signs into the network at 3am may be cause for
concern.
 Surge in volume of network traffic. If someone is trying to copy large quantities of data
across the network, you will see unusual spikes in network traffic.
 Accessing resources that they usually don’t or that they are not permitted to.
 Accessing data that is not relevant for their job function.
 Repeated requests for access to system resources not relevant for their job function.
 Using unauthorized devices such as USB drives.
 Network crawling and deliberate search for sensitive information.
 Emailing sensitive information outside the organization.
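
As an added example (not part of the original notes), the following Python script applies three of the digital indicators above to constructed sign-in, access and transfer log lines: off-hours sign-ins, access to resources outside the user's job function, and a surge in data moved compared with that user's own baseline. The log format, the role-to-resource table and the business-hours window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log, not real data. Format per line:
#   timestamp,user,action,detail
# action LOGIN  -> detail is the sign-in source
# action ACCESS -> detail is the resource name
# action XFER   -> detail is the number of bytes moved across the network
SAMPLE_LOG = """\
2024-03-04T09:02:11,alice,LOGIN,vpn
2024-03-04T09:15:40,alice,ACCESS,hr-payroll
2024-03-04T10:00:00,alice,XFER,120000
2024-03-05T09:05:00,alice,XFER,110000
2024-03-06T09:01:00,alice,XFER,130000
2024-03-07T03:12:09,alice,LOGIN,vpn
2024-03-07T03:20:00,alice,XFER,9800000
2024-03-07T03:25:00,alice,ACCESS,engineering-source
2024-03-04T08:55:00,bob,LOGIN,office
2024-03-04T11:00:00,bob,XFER,50000
"""

# Assumed business rules: normal working hours and the resources each
# job function is expected to touch.
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59
ROLE_RESOURCES = {"alice": {"hr-payroll"}, "bob": {"engineering-source"}}


def parse_log(text):
    """Parse the CSV-style lines into dicts, sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, detail = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def off_hours_logins(events, hours=BUSINESS_HOURS):
    """Indicator: signing in at unusual times (the 3am example above)."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["action"] == "LOGIN" and e["ts"].hour not in hours]


def out_of_role_access(events, role_resources=ROLE_RESOURCES):
    """Indicator: accessing resources not relevant to the job function."""
    return [(e["user"], e["detail"]) for e in events
            if e["action"] == "ACCESS"
            and e["detail"] not in role_resources.get(e["user"], set())]


def transfer_spikes(events, factor=3.0, min_baseline=2):
    """Indicator: surge in data volume. A transfer is flagged when it exceeds
    `factor` times the mean of the same user's earlier transfers, once at
    least `min_baseline` earlier transfers exist to form a baseline."""
    history = defaultdict(list)
    spikes = []
    for e in events:
        if e["action"] != "XFER":
            continue
        nbytes = int(e["detail"])
        past = history[e["user"]]
        if len(past) >= min_baseline and nbytes > factor * mean(past):
            spikes.append((e["user"], e["ts"].isoformat(), nbytes))
        past.append(nbytes)
    return spikes


def insider_findings(text):
    """Run all three indicator checks over a log and group the hits."""
    events = parse_log(text)
    return {"off_hours_logins": off_hours_logins(events),
            "out_of_role_access": out_of_role_access(events),
            "transfer_spikes": transfer_spikes(events)}


if __name__ == "__main__":
    for indicator, hits in insider_findings(SAMPLE_LOG).items():
        print(f"{indicator}: {hits}")
```

Each hit is a lead for an analyst to review, not proof of malice; a user with a legitimate change of role will trip the same rules until the role table is updated.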

Examples of Insider Threats

Numerous insider cyberattacks take place each year, but the overwhelming majority do not
make it to the news. There have, however, been insider threats in cyber security that have
stood out in recent years.

 In 2018, Facebook fired a security engineer accused of exploiting the privileged
information his position accorded him to stalk women online.
 In 2018, a Tesla employee was alleged to have sabotaged company systems and sent
proprietary information to third parties.
 In the 2019 Capital One data breach, a former Amazon engineer retrieved more than 100
million customer records. They exploited their inside knowledge of Amazon EC2 to
circumvent a misconfigured firewall in Capital One’s cloud server.
 In 2020, a former Google executive was sentenced to 18 months in prison for stealing
trade secrets from Google’s self-driving-car division and handing them over to Uber, his
new employer.

Defense in Depth

A defense-in-depth strategy, aka a security-in-depth strategy, refers to a cybersecurity
approach that uses multiple layers of security for holistic protection. A layered defense helps
security organizations reduce vulnerabilities, contain threats, and mitigate risk. In simple
terms, with a defense-in-depth approach, if a bad actor breaches one layer of defense, they
might be contained by the next layer of defense.

The defense-in-depth concept was originally conceived by the U.S. National Security Agency
(NSA) and takes its name from a common military strategy. (A defense-in-depth
cybersecurity strategy is also sometimes referred to as a castle approach because it is similar
to the layered defenses of a medieval castle with moats, drawbridges, towers, etc.)

The NSA defense-in-depth strategy covers people, technology, and operations. It provides
guidelines and best practices for securing physical infrastructure, organizational processes,
and IT systems.

The Evolution of Defense-in-Depth Strategies

Historically, most businesses developed defense-in-depth strategies around traditional
perimeter-based security models designed to protect on-premises IT infrastructure. A
classic defense-in-depth security implementation contains a wide range of security elements
including:

 Endpoint security solutions – antivirus software and endpoint detection and response (EDR)
tools to protect against threats originating from PCs, Macs, servers, and mobile devices; and endpoint
privilege management solutions to control access to privileged endpoint accounts.
 Patch management tools – to keep endpoint operating systems and applications up-to-date
and address common vulnerabilities and exposures (CVEs).
 Network security solutions – firewalls, VPNs, VLANs, etc. to protect traditional enterprise
networks and conventional on-premises IT systems.
 Intrusion detection/prevention (IDS/IPS) tools – to identify malicious activity and thwart
attacks aimed at traditional on-premises IT infrastructure.
 User identity and access management solutions – single sign-on, multi-factor
authentication, and lifecycle management tools to authenticate and authorize users.

Defense-in-Depth Strategies for the Digital Era

Traditional perimeter-based IT security models, conceived to control access to trusted
enterprise networks, aren’t well suited for the digital world. Today, businesses develop and
deploy applications in corporate data centers, private clouds, and public clouds (AWS, Azure,
GCP, etc.) and they also leverage SaaS solutions (Microsoft 365, Google Workspace, Box,
etc.). Most businesses are evolving their defense-in-depth strategies to protect cloud
workloads and defend against new attack vectors accompanying digital transformation.

Whether applications are hosted on-premises or in the cloud, history shows sophisticated
attackers can breach networks and fly under the radar for weeks or longer. The 2020
SolarWinds supply chain attack, for example, went undetected for nine months, impacting
over 18,000 organizations.

In response, many enterprises are adopting a Zero Trust “assume-breach” mindset and
adapting their security strategies, using a combination of preventative controls and detection
mechanisms to identify attackers and stop them from reaching their goals once they do
penetrate a network. The key tenets of a modern defense-in-depth strategy include:

 Protect privileged access – use privileged access management solutions to monitor and
secure access to privileged accounts (superuser accounts, local and domain administrator
accounts, application administrative accounts, etc.) by both human and non-human identities
(applications, scripts, bots, etc.).
 Lock down critical endpoints – use advanced endpoint privilege management solutions to
lock down privilege across all endpoints, prevent lateral movement, and defend against
ransomware and other forms of malware.
 Enable adaptive multifactor authentication – use contextual information (location, time of
day, IP address, device type, etc.) and business rules to determine which authentication factors
to apply to a particular user in a particular situation.
 Secure developer tools – use secrets management solutions to secure, manage, rotate and
monitor secrets and other credentials used by applications, automation scripts, and other non-
human identities.
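
As an added example (not from the original notes or any vendor product), this Python policy engine shows the adaptive multifactor authentication tenet above: it collects the contextual signals of a sign-in (location, time of day, IP address, device) and applies business rules to decide which factors to require. The corporate networks, enrolled device IDs, home country, hours and the risk-to-factor mapping are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed organisational data (constructed placeholders, not real values).
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
ENROLLED_DEVICES = {"alice": {"laptop-4f2a"}, "bob": {"phone-91c0"}}
HOME_COUNTRY = "US"
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59


@dataclass
class LoginContext:
    """Contextual signals available at sign-in time."""
    user: str
    country: str              # geolocation of the request
    hour: int                 # local hour of day, 0-23
    ip: str                   # source IP address
    device_id: str            # identifier of the device making the request
    privileged: bool = False  # is a privileged (admin) account being requested?


def risk_signals(ctx):
    """Return the contextual signals that deviate from the norm. Each entry is
    one reason the login looks riskier than a routine office sign-in."""
    reasons = []
    if ctx.country != HOME_COUNTRY:
        reasons.append("foreign location")
    if ctx.hour not in BUSINESS_HOURS:
        reasons.append("off hours")
    if not any(ip_address(ctx.ip) in net for net in CORPORATE_NETS):
        reasons.append("non-corporate IP")
    if ctx.device_id not in ENROLLED_DEVICES.get(ctx.user, set()):
        reasons.append("unenrolled device")
    return reasons


def required_factors(ctx):
    """Assumed business rule mapping risk to factors:
    - no risk signals: password only
    - one signal: password plus push approval
    - two or three signals: password plus phishing-resistant hardware key
    - all four signals: deny and alert
    Privileged accounts always require the hardware key and are denied at a
    lower threshold (two or more signals) than ordinary accounts."""
    reasons = risk_signals(ctx)
    score = len(reasons)
    if ctx.privileged:
        if score >= 2:
            return ["deny"], reasons
        return ["password", "hardware_key"], reasons
    if score == 0:
        return ["password"], reasons
    if score == 1:
        return ["password", "push_approval"], reasons
    if score <= 3:
        return ["password", "hardware_key"], reasons
    return ["deny"], reasons


if __name__ == "__main__":
    scenarios = [
        LoginContext("alice", "US", 10, "10.1.2.3", "laptop-4f2a"),
        LoginContext("alice", "US", 21, "198.51.100.7", "laptop-4f2a"),
        LoginContext("bob", "RU", 3, "192.0.2.9", "unknown-device"),
        LoginContext("alice", "US", 10, "10.1.2.3", "laptop-4f2a", privileged=True),
    ]
    for ctx in scenarios:
        factors, why = required_factors(ctx)
        print(ctx.user, factors, why)
```

Returning the reasons alongside the decision gives the security team an audit trail for why a particular user was stepped up or denied.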

Enterprises typically deploy privileged access management solutions, endpoint privilege
management solutions, adaptive multifactor authentication solutions, and secrets management
solutions in conjunction with traditional enterprise security solutions (EDRs, firewalls,
IDS/IPS, etc.) as part of a comprehensive, modern defense-in-depth strategy.

What is social engineering?

Social engineering is a manipulation technique that exploits human error to obtain private
information or valuable data. In cybercrime, these "human hacking" scams entice unsuspecting
users to disclose data, spread malware infections, or give attackers access to restricted
systems. Attacks can occur online, in person, and through other interactions. Social
engineering scams are based on how people think and act.

Hackers try to exploit the user's lack of knowledge. Because of the speed at which technology
changes, many consumers and employees are not aware of specific threats such as drive-by
downloads. Users may not realize the value of personal data such as a phone number. Many users
are unsure of how best to protect themselves and their confidential information. Social
engineering attackers have two goals:

1. Subversion: Interrupting or corrupting data to cause loss or inconvenience.
2. Theft: Obtaining valuable items such as information or access.

Types of Social Engineering Attacks

Every type of cybersecurity attack involves some social engineering. For example, classic
email and virus scams are laden with social overtones. Some of the standard methods used
by social engineering attackers are described below:

Phishing Attacks
Phishing attackers pretend to be a trusted institution or person in an attempt to convince you to
reveal personal data and valuables. Phishing attacks are targeted in two ways:

o Spam phishing is a widespread attack aimed at many users. The attacks are non-personal and try to
catch any unsuspecting person.
o Targeted phishing and whaling use personal information to target particular users. Whaling attacks
are aimed at high-profile individuals such as celebrities, upper management and senior
government officials. Whether through direct communication or a fake website, anything you
share goes directly into the scammer's pocket. You can also be fooled into a malware download as
the next stage of the phishing attack. Each phishing method has its own mode of
delivery:
o Voice phishing (vishing) phone calls can be an automated messaging system recording all
your inputs, or a person may speak with you to build trust.
o SMS phishing (smishing) texts or mobile app messages may include a web link or prompt a follow-up via
a web link or phone number. A web link, phone number, or malware attachment may be used.
o Angler phishing takes place on social media, where the attacker mimics the customer service
team of a trusted company. They intercept your communication with a brand and move the
conversation into private messages, where they escalate the attack.
o Search engine phishing attempts to place links to fake websites at the top of search
results. These may be paid advertisements or may use legitimate optimization methods to manipulate
search rankings. The links are delivered in email, text, social media messages and online
advertisements.
o In-session phishing appears as an interruption to normal web browsing. For example,
you may see fake pop-ups on the webpages you are currently viewing.

Baiting Attack
Baiting abuses your natural curiosity to coax you into exposing yourself to an attacker. The promise of
something exclusive is used to exploit you. The attack typically involves infecting you with malware.
Popular methods of baiting are:

o USB drives left in public places, such as libraries and parking lots.
o Email attachments that include details of a free offer.

Physical Breach Attack
Physical breaches involve attackers appearing in person, posing as someone legitimate,
to gain access to otherwise unauthorized areas or information.

This type of attack is common in enterprise environments, like the government, businesses,
or other organizations. Attackers may pretend to be a representative of a trusted vendor for the
company. Some attackers may be recently fired employees acting in retaliation against their former
employers.

They obscure their identity but appear credible enough to avoid questions. It requires little
research on the part of the attacker and involves high risk. Therefore, if someone is
attempting this method, they have identified a clear potential for a highly valued reward if
successful.

o Pretexting Attack: Pretexting uses a misleading identity as a "pretext" to establish trust, such as
directly impersonating a vendor or facility employee. This approach requires the attacker to
interact with you more actively. Once they have convinced you that they are legitimate, the
exploitation follows.
o Access Tailgating Attack: Tailgating, or piggybacking, is the act of trailing an authorized
staff member into a restricted-access area.

Quid pro quo Attack

The term quid pro quo roughly means "a favor for a favor," which in phishing refers to exchanging
your information for some reward or other compensation. Offers to
participate in giveaways or research studies may expose you to this type of attack.

The exploitation comes from getting you excited about something valuable that requires little
investment on your end. However, the attacker simply takes your data with no reward for you.

DNS Spoofing and Cache Poisoning Attack

DNS spoofing manipulates your browser and web servers so that you are sent to malicious websites when
you enter a valid URL. DNS cache poisoning attacks infect your device with routing
instructions for a valid URL, or for multiple URLs, that connect to fake websites.

Scareware Attack
Scareware is a form of malware that is used to scare you into taking action. The deceptive
malware uses alarming warnings that report fake malware infections or claim that your
accounts have been compromised.

Watering Hole Attack
Watering hole attacks infect popular web pages with malware to affect multiple users at the
same time. Careful planning on the part of the attacker is required to find vulnerabilities in
the specific sites.

Website owners may choose to delay software updates to keep software versions that they know are
stable. Hackers abuse this behavior to target the vulnerabilities left unpatched.

Unusual Social Engineering Methods

o Fax-based Phishing: A bank's customers received a fake email claiming to be from
the bank and asking them to confirm their access codes. Rather than replying by email, the customers
were asked to print out the form in the email, fill in their details and fax the form to the
cybercriminal's telephone number.
o Traditional Mail Malware Delivery: In Japan, cybercriminals used a home-delivery service to
deliver CDs infected with Trojan spyware. The discs were delivered to customers of a
Japanese bank, whose addresses had previously been stolen from the bank's database.
