CIT 4206 Cyber security Fundamentals

Contact Hours: 45 hours

Purpose: The course will provide learners with insight into the importance of cybersecurity and
the integral role of cybersecurity professionals.

Introduction to Cybersecurity:

Cyber security is the protection of internet-connected systems such as hardware, software and
data from cybert threats.

The practice is used by individuals and enterprises to protect against unauthorized access to data
centers and other computerized systems.

Cybersecurity is the practice of preventing digital attacks on systems, networks, and programs.

It aims to reduce the risk of cyber-attacks and protect against the unauthorised exploitation of
systems, networks, and technologies.

Kenyan scenario

Cyber attacks on Kenyan organisations rose by nearly 50 percent in the last three months of 2020
compared to a similar period the previous year, a new data shows.

This came at a time when organisations adopted remote working systems as well as ecommerce
tools amid Covid-19 lockdown measures.

The Communications Authority of Kenya (CA) data shows that more than 56 million cyber
threats were detected nationwide in comparison to 37.1 million in 2019.

“A majority of the threats were malware attacks at 46 million, followed by web application
attacks at 7.8 million while 2.2 million Distributed Denial of Service (DDos) threats were
detected during the same period,” the CA said in a statement.

The rise in cyber threats have seen businesses lose billions of shillings and sensitive information
to hackers. This has forced firms, especially in the financial sector, to be vigilant.

According to a survey conducted by the Kenya National Bureau of Statistics (KNBS) and the
CA, Kenya lost about Sh18 billion to cybercrime in 2016.

In 2017, the Central Bank of Kenya (CBK) warned that local lenders were exposed to cyberattacks
and ICT-enabled fraud.
Cyber security objectives and roles.
The majority of the business operations run on the internet exposing their data and resources to
various cyber threats

Goals of cybersecurity.

i. Confidentiality
Keeping the sensitive data private and accessible to only authorized users.
Ensures that the data is only accessible by genuine authorized users. It helps in preventing
disclosure to unintended parties who might exploit the privacy of the user.
ii. Integrity
Designed to protect the data from unauthorized access and ensure its reliability, completeness and
correctness.
Making sure the data is unaltered during the time of transmission and ensuring it reaches the end-
user in the correct form. It maintains the consistency and reliability of data.
iii. Availability
Authorized users can have access to system resources and data as and when they need it.
Availability helps in delivering resources as and when requested by the user without any
intervention like Denial of Service warnings.

Methods to ensure Confidentiality

1. Encryption of raw data

2. Using biometrics for authentication
3. Two way or multifactor authentication

Example: assume you work as a security engineer for a renowned financial firm with many
competitors across the globe.

An anonymous entity is trying to access the company’s trade secrets. You must make sure that
the confidential information is not accessible to any unauthorized outsiders.

Hence you implement Firewall and intrusion detection systems. This is a typical example of
holding the confidentiality of your company.

Methods to ensure Integrity:

1. Making use of user access control to restrict unauthorized modification of files.

2. Setting up backups to restore data during any system failure.
 3. Version control systems help to identify any modification by tracing the logs.

Example: As a security engineer of a financial firm, you have to ensure that users are not
destroying the data that the company holds.

I.e some users may accidentally or intentionally alter the database and corrupt the data to cause
loss to the firm.

You need to ensure that the backups are in place for implementation during such emergencies.

You may use File Integrity Monitors(FIM) and hashing functions to make sure the data is un-
tampered and safe.

Methods to ensure Availability:

1. Installing firewalls, proxy servers during downtime.

2. Locating backups at geographically isolated locations.

Example: Task To ensure the website of your firm is functioning properly 24/7 without any
hindrance.

Organizations that deal with financial transactions cannot take any chances to face downtime as
it will cause huge losses, hold the customers’ assets at stake and reduce trust in the organization.

During such times, when the server crashes you need to have a second one that you replace the
services and keep the site up and running.

Tools for Achieving CIA Goals

Tools for Confidentiality

a. Encryption – It is the process of transforming plain data into unreadable cipher data using an
encryption key.

b. Access Control – It has rules and policies to limit access to the resources by checking the
credentials of users.

c. Authentication – It is the confirmation of the user’s identity for providing access to the
resources.

d. Authorisation – Verifies the user’s access level and either grant or refuses resource access.

e. Physical Security – It is required to keep the information available and improve the robustness
of the system during hardware failures. It secures business-sensitive information, trade secrets,
and customer information.
2. Tools for Integrity

a. Backups – These are duplicate archives of original data.

b. Checksums – It is a computational function that maps the contents of the data to a numerical
value to check whether the data is the same before and after the transaction.

c. Error-correcting codes – Method for controlling errors during and unreliable data transfer over
noisy channels.

3. Tools for Availability

a. Physical protection – Safeguarding the data against physical challenges like fire or theft.

b. Computational Redundancy – Makes the system fault-tolerant and protects against accidental
modification.

To achieve and maintain these goals, good cybersecurity has to consider the following points:

 A business-specific plan which establishes threats and risk.

 Policies and procedures for execution when business is under threat.
 Security training among employees to create awareness.
 Set security milestones.
 Consult an expert for advice.

Case studies discussion.

Differences between Information Security & Cybersecurity.
Cyber security is concerned with protecting electronic devices and mobile devices against attacks
in cyberspace.
Cyber security is a practice of safeguarding digital information stored on electronic systems,
including computers, servers, networks, and mobile devices, from unauthorized access and
malicious threats.
It involves recognizing what data is significant, where it is located, the potential risks, and the
methods and tools necessary to protect it from certain risk vectors.

Examples of Cyber Security Inclusion are as follows:

 Network Security
 Essential Components of Network Security? Firewalls, IPS intrusion prevention system,
network access control (NAC), the process of restricting unauthorized users and devices
from gaining access to a corporate or private network. and security information and event
management (SIEM) are the four most essential components of network security.

 Application Security

Authentication, authorization, encryption, logging

 Cloud Security

Procedures and technology designed to address external and internal threats to business security.

Information security is concerned with protecting the confidentiality, integrity, and availability
of information.

Examples and inclusion of Information Security are as follows:

 Procedural Controls:

Refer to the procedures performed by individuals. They are often detailed in written documents
that an organization uses for security. Procedural controls are directives from senior management
on how to address security within the organization.

 Access Controls

Data security process that enables organizations to manage who is authorized to access corporate
data and resources.

 Technical Controls

Any software-based mechanism for controlling access, such as passwords, encryption,

 Compliance Controls

Cyber security Principles:

i) Confidentiality,
ii) Integrity,
 iii) Availability,
iv) Authentication
v) Nonrepudiation.
Confidentiality: This ensures that information held in the computer can only be accessed by the
people who should access it i.e. intended person
Integrity: Integrity ensures correctines of data i.e. Data remains un- altered
Authentication: A service related to identification i.e. is the data or the person you are dealing
with the actual one
Authentication mechanisms
o User name and passwords
o Card based authentication
o Biometric authentication
Non- repudiation: This provides proof of a transaction to have taken place and prevents users
who send online messages from denying their actions i.e. maintaining a log file
Availability: Avoids denial of service attacks. Happens when legitimate systems users can not
access the systems resources.
Elements of cyber security and how does it work.

i. Application security
ii. Information Security
iii. Network Security
iv. Disaster Recovery Planning
v. Operational Security
vi. End User Education

1. Application security adds security features within applications during development period to
prevent from cyber-attacks.
Principal key component of cyber security which adds security highlights inside applications to
defend against cyberattacks.
Vulnerabilities of Application: Denial-of-service (DoS) and Distributed denial-of-service (DDoS)
attacks are used by some isolated attackers to flood a designated server or the framework that
upholds it with different sorts of traffic.
This traffic in the end keeps real users from getting to the server, making it shut down.
A strategy called SQL injection (SQLi) is used by hackers to take advantage of database flaws.
These hackers, specifically, can uncover user personalities and passwords and can also create,
modify and delete data without taking permission of the user.

Tools of Application Security: firewall, antivirus, encryption techniques, web application

firewalls that protect applications from threats.

2. Information Security: The process and methodology for preventing unauthorized access, use,
disclosure, disruption, modification, or destruction of information.
Principles of Information security are Confidentiality, Integrity, and Availability.
3. Network security: is the security given to a network from unapproved access and dangers
Process of preventing and protecting against unauthorized access into computer networks
Network Security Methods

Antivirus Software, Email Security, Firewalls, Virtual Private Network (VPN), Web Security,
Wireless Security, Endpoint Security, Network Access Control (NAC)

4. Disaster Recovery Planning

A business continuity plan and managed procedures that describe how work can be resumed
quickly and effectively after a disaster.

Types of Disaster Recovery Plans

 Data Center Disaster Recovery

 Cloud-Based Disaster Recovery
  Virtualization Disaster Recovery
 Disaster Recovery as a Service

5. Operational Security

Identifies the organization’s critical information and develops a protection mechanism to ensure
the security of sensitive information.

6. End User Education

End users are becoming the largest security risk in any organization because it can happen anytime.

Arrange a cyber-security awareness training program on different types of Cyber Threats, Email
Phishing and Social Engineering attack , Device Security , Physical Security , Password creation
and usages

The end user threats can be created according to following ways:

 Using of Social Media

 Text Messaging
 Apps Download
 Use of Email
 Password creation and usages

Types of cyber threats

Cyber threats change at a rapid pace. Tactics and attack methods are changing and improving daily.

Cyber criminals access a computer or network server to cause harm using several paths. This is
also called an attack vector

Common ways to gain access to a computer or network include:

 Removable media such as flash drives

 Brute force attack using trial and error to decode encrypted data, hacking method that
uses trial and error to crack passwords, login credentials, and encryption keys.
 Web or email attacks
 Unauthorized use of your organization's system privileges
 Loss or theft of devices containing confidential information

Types of cyber threats your institution should be aware of include:

i. Malware
ii. Ransomware
iii. Distributed denial of service (DDoS) attacks
iv. Spam and Phishing
 v. Corporate Account Takeover (CATO)
vi. Automated Teller Machine (ATM) Cash Out

Malware

Program inserted into a system to compromise the confidentiality, integrity, or availability of

data. It is done secretly and can affect your data, applications, or operating system.

Common types of malicious software: trojans, spyware, viruses, and ransomware

Preventing Malware

require e-mail file attachments to be scanned and saved to local drives or removable media.
Don’t allow certain types of files (e.g., .exe files) to be sent or received by e-mail.
Restrict removable media, such as CDs or flash drives, on systems that are high risk.
Limit the number of users with administrator-level access or privileges.
Ensure systems are updated regularly with operating system and application upgrades and
patches

Ransomware
A malware designed to encrypt users’ files or lock operating systems and attackers can demand
a ransom payment.
Ransomware executes when a user is lured to click on an infected link or e-mail attachment or to
download a file or software drive while visiting a rogue website.

Ransomware asks you to pay a ransom using online payment methods to regain access to your
system or data. Online payment methods usually include virtual currencies such as bitcoins.

Examples include

 an embedded malicious link in an e-mail offers a cheap airfare ticket;

 an e-mail that appears to be from Google Chrome or Facebook invites recipients to click
on an image to update their web browser; or
 a well-crafted website mimics a legitimate website and prompts users to download a file
or install an update that locks their PC or laptop.

Examples of Ransomware Attacks in Kenya

Attacks on the Kenya Airports Authority and Naivas

The KAA attack, no sensitive data was stolen. However, the attackers released 514 GB of data,
including procurement plans, physical plans, site surveys, invoices, and receipts, on the internet.
The Naivas attack, exposed private information including invoices, agreements, and customer
data to possible manipulation by unknown actors.

Protection againist Ransomware Attacks

i. Keep your software and systems up to date: Ensure that you install updates and
patches for your operating system, software, and applications regularly.
ii. Use antivirus software: Install and use reputable antivirus software that can detect and
block ransomware attacks.
iii. Educate yourself and your employees: Train yourself and your employees on how to
detect and avoid phishing emails and malicious attachments.
iv. Backup your data: Regularly backup your important data and store it offsite or on the
cloud.
v. Use multi-factor authentication: Use multi-factor authentication for your accounts and
systems to add an extra layer of security.

Distributed Denial of Service (DDoS) Attacks

DDoS attacks make an online service unavailable by overwhelming it with excessive traffic from
many locations and sources. Website response time slows down, preventing access during a
DDoS attack.

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic
of a targeted server, service or network by overwhelming the target or its surrounding
infrastructure with a flood of Internet traffic.
DDoS attack can seriously damage brand reputation and cost hundreds of thousands or even
millions of dollars in revenue
Examples:
State-sponsored cyber threats, in addition to the physical confrontation, Russia was involved in
distributed denial of service (DDoS) incidents that took place in Ukraine.
On 15 February, a large DDoS attack brought down the websites of the defense ministry, army,
and Ukraine's two largest banks, PrivatBank and Oschadbank.
Spam & Phishing

Spam unsolicited, or undesirable messages and emails.

Phishing is a form of social engineering, including attempts to get sensitive information.

Phishing attempts will appear to be from a trustworthy person or business.
Phishing hackers obtain account holders details through credit cards and banking details to
commit crime

Example: Customers of a telecommunications firm received an e-mail recently explaining a

problem with their latest order. They were asked to go to the company website, via a link in the e-
mail, to provide personal information like their birthdates and Social Security numbers. But both
the e-mail and the website were bogus.

Automated Teller Machine (ATM) Cash Out

Involve large cash withdrawals from several ATMs in many regions.

The attack involves changing the settings on ATM web-based control panels. Cyber criminals
change the ATM's dispense function control to "Unlimited Operations." The “Unlimited
Operations" setting allows withdrawal of funds over the customer's account balance or beyond
the ATM’s cash limit. Stolen ATM or debit card information is often used to withdraw the funds.

Mitigation: reviewing your control over information technology networks, card issuer
authorization systems, systems that manage ATM parameters, and fraud detection and response
processes to prevent ATM Cash Out attacks.

How do ATM cash-outs work?

First, hackers must obtain users’ information. One of the most common ways to do this is a
phishing attack that uses emails or phone calls that appear to come from a reputable or familiar
source.

If a person clicks on a link in a phishing email, it could compromise banking passwords. A

phone call from someone posing as the IRS or a bank could convince someone to give up the
answers to their security questions.

Criminals can also buy a person’s information off the black market from other hackers.

If hackers have your debit card information, they can “clone” the card using hardware that
duplicates the bank information onto another card. That “clone” can then be used at any number
of ATMs.

Once they do that, they get hundreds of people, likely recruited off the dark web, to go to ATMs
at the same time, using the debit card clones to withdraw stacks of cash from the machines.
Emerging information security threats and challenges in 2023/ cybersecurity challenges

A.I tools

AI is used by attackers to bypass mitigation solutions.

AI tool used by criminals to make bots that pass for human users and to dynamically change the
characteristics and behaviors of malware.

Cybersecurity skills gap

There are simply not enough cybersecurity experts to fill all of the positions needed.

Internet of Things (IoT) threats

The data on these devices can provide sensitive information to criminals.
Threats facing mobile devices
Widespread use of mobile devices targeted by attackers.
Cloud security threats

With businesses moving to cloud resources daily, many environments are growing more
complex.

State-sponsored attacks

The Russia-Ukraine war and the new geopolitical situation has raised the stakes of state-
sponsored attacks against Western nations and organizations.

Evolving threats

The evolving nature of security risks. As new technologies emerge, and as technology is used in
new or different ways, new attack avenues are developed.

Cybersecurity tools

Common security tools and systems include:

 Identity and access management (IAM)

 Firewalls
 Endpoint protection
 Antimalware/antivirus
 Intrusion prevention/detection systems (IPS/IDS)
  Data loss prevention (DLP)
 Endpoint detection and response
 Security information and event management (SIEM)
 Encryption tools
 Vulnerability scanners
 Virtual private networks (VPNs)
 Cloud workload protection platform (CWPP)
 Cloud access security broker (CASB)

Cybercrime Reconnaissance – Gathering Information information

- Reconnaissance involves an attacker taking time to conduct detailed information before attack
using publicly available information.

- Through reconnaissance phase, computer attackers can determine how best to mount their attack
for success.

- Examples of reconnaissance techniques

1. low–technology reconnaissance,

2. general Web searches,

3. whois databases,

4. Domain Name System (DNS)

1. Low-Technology Reconnaissance: (Social Engineering, Physical Break-In and Dumpster

Diving).

(i). Social Engineering

- involves an attacker calling an employee at the target organization on the phone and deceive /
fools the individual into revealing sensitive information; i.e the attacker pretends to be an
employee, a customer or supplier.

- Social engineering is a deception where the attacker develops a pretext for the call:

Table 2.1: Some Common Social Engineering Pretexts

A “new employee” calls the help desk trying to figure out how to do a particular task on
the computer.

A manager” calls a lower-level employee because his password has suddenly stopped
 working

A “system administrator” calls an employee to fix her account, which requires using her
password.

An “employee in the field” has lost his contact information and calls another employee to
get the remote access phone number.

- a female voice on the phone is more likely to gain trust in a social engineering
attack than a male voice, although attackers of either gender can be remarkably
effective.

Possible Defenses against Social Engineering Attacks

The most effective method of defending against the social engineer is User Awareness:

 Computer users at all levels must be trained not to give sensitive information away to a
friendly caller;

 The security awareness program should inform employees about social engineering
attacks, and give explicit directions about information that should never be revealed over
the phone;

 Employees should not give out sensitive data

(ii). Physical Break-In

- Involves Attackers with physical access to computer systems gaining access to accounts and data

-N.B may plant malicious programs on the internal systems, giving them remote control
capabilities of your systems from the outside.

Possible Defenses against Physical Break-In

Effective methods of defending against physical break-ins include:

 Security badges issued to each and every employee are an obvious and widely used defense
against physical break-ins. A guard at the front door or a card reader checks all employees
coming into a given facility.
  Employees must be educated about the dangers of just letting people in the building;
remember, people just trying to be friendly will let a person in through a back door who
claims that they forgot their badge that day.

 The user awareness program should focus on making proper badge checks a deeply
ingrained part of your organizational culture.

 Invest in a special revolving door and card readers that allow only one authorized employee
to enter at a time.

 There should be a tracking system for all computers – including laptops – brought into and
out of your facilities

 You should have locks on computer room doors and wiring closets; you should lock your
down servers and even desktops so they do not disappear at night.

 There should be a policy regarding the use of automatic password protected screen savers;
after five minutes or so of nonuse, each of your machines should bring up a screen saver
requiring the user to type in a password before being given access to the system.

 Traveling workers with laptop machines must be careful! They should also consider
installing a file system encryption tool, and training users about its function and importance
– else, major organizational secrets extracted from the laptop could be for sale on the open
market.

(iii). Dumpster Diving (Trashing)

- This involves going through an organization’s grabage, looking for sensitive information i.e. the
attacker looks for discarded paper, floppy disks, tapes and even hard drives containing sensitive
data.

- in the process the attacker may get a complete diagram of the network architecture userIDs and
passwords.

Possible Defenses against Dumpster Diving

Effective methods of defending against dumpster diving could include:

  Paper shredders, and should be encouraged to use them for discarding all sensitive
information;

 The awareness program must spell out how to discard sensitive information.

Summary: One of the most effective defenses against low-level

reconnaissance is user awareness, through training.

2. Web-based Reconnaissance

- An attacker use a computer and Internet resources to learn about the target organisation i.e.
determine the domain names, network addresses and contact information.

Techniques used.

(i). Searching an Organization’s Own Web Site

- The organization’s Web site could have useful information on the following.

 Employees’ contact information with phone numbers. This information is useful

particularly for social engineering.

 Clues about the corporate culture and the language. The site could include significant
information about product offerings, work locations, and even the best employees.
Digesting this information could be useful when conducting a social engineering attack.

 Business Partners. This knowledge could be useful in social engineering; or, by attacking
a weak partner, the target organization could ultimately be reached.

 Recent mergers and acquisitions. I.e. During mergers many organizations forget about the
security issues & a skilful attacker may target an organization during a merger.

- a company being acquired may have a lower security position than the acquiring company,
and the attacker can benefit by attacking the weaker organization.

 Technologies. Some sites may include a description of the computing platforms in use (say,
Windows NT, with an IIS Web Server, and an Oracle Database). Such information is useful
for attackers, who will refine their attack based on this information.

(ii). Using Search Engines

- Using search engines, an attacker can retrieve information about the history, current events, and
future plans of the target organization. E.g Organization name, product names, known employee
names etc.

(iii). Use of Usenet Newsgroups

- Internet Usenet newsgroups are used by employees to share information and ask questions; i.e
employees may submit questions about how to configure a particular type of system or
troubleshoot problems.

- An attacker could send a response giving incorrect advice about how to configure the system
tricking the user into lowering the security standing of the organization.

Defenses against Web-Based Reconnaissance

The following techniques can be useful:

 Establish policies regarding what type of information are allowed on your own Web
servers; you do want to make sure that you are not making things extra easy for them by
publishing sensitive information on your own Web site.

 The organization must have a policy regarding the use of newsgroups and mailing lists by
employees. The policy must be enforced by periodically and regularly conducting searches
of open, public sources such as the Web and newsgroups, to see what the world is saying
about your organization.

3. Whois Databases

- The whois database contains data elements regarding the assignment of Internet addresses,
domain names, and individual contacts.

N.B The registrar of domain names ensures that your domain name is unique, and assigns it to your
organization by entering it into various databases i.e whois databases so that your machines will
be accessible on the Internet using your domain name.

Example :- (InterNIC) Internet Network Information Center is an Internet

information center developed to allow people to look for information about domain
name registration services.

Practical Task: Log on the InterNIC’s whois database, located at www.internic.net/whois.html,

and try to gather organization’s name or domain name.
N.B An attacker can enter an organization’s names, and the InterNIC’s whois database will output
a record containing the name of the registrar the organization has used to register its domain.

- The attacker can contact the target’s registrar to obtain the following useful data

 Names: complete registration information, i.e. the administrative, technical and billing
contacts that an attacker can use to deceive people in the target organization during a social
engineering attack.

 Telephone Numbers: The telephone numbers associated with the contacts can be used by
an attacker.

 Email addresses: This information will indicate (to an attacker) the format of email
addresses used in the target organization; the attacker will know how to address email for
any user.

 Postal addresses: An attacker can use this geographic information to conduct dumpster-
diving exercises or social engineering.

 Registration dates: A record that hasn’t been recently updated may indicate an organization
that is lax in maintaining their Internet connection. i.e. not keep their servers or firewalls
up to data either.

 Name Servers: To get the addresses for the DNS servers for the target.

Defenses against Whois Searches

- Keep the registration information (that will appear in the whois database) accurate and up to date.

N.B This information assist to identify attack packets in a network.

are traced to that network. inform an administrator of another network that their systems were used
during the attack, if attack packets are traced to that network.

4. The Domain Name System - DNS

- DNS is s component of the internet which is a hierarchical database distributed around the world
and stores a variety of information, such as IP addresses, domain names and mail server
information.

DNS servers – referred to as “name servers” – store this information and make up the hierarchy.
 Root DNS servers

com DNS servers net DNS servers org DNS servers

company.com DNS server

The Domain Name Service (DNS) Hierarchy

Question 5: How does name resolution take place?

- An attacker aim is to determine one or more DNS servers for the target organization which
is readily available in the registration records obtained from the registrar’s whois database.
- Using the DNS server information, an attacker can use tools such as nslookup to get DNS
information ,
- Through this tool, an attacker can interrogating name servers, by asking the DNS server to
transmit all information it has about all systems associated with the given domain.
- Through DNS-based reconnaissance, an attacker can find extremely useful
information such as: machine names and associated IP addresses, purpose
of the machines and the operating system type.

- With this information, the machines can be scanned looking for

vulnerabilities.

Defenses from DNS-based Reconnaissance

- The amount of DNS information about your infrastructure that is publicly available should
be limited.
- This is because the general public on the Internet only needs to resolve names for a small
fraction of the systems in your enterprise (such as external Web, Mail and FTP servers).
 - A Split DNS will allow you to separate the DNS records that you want the public to access
from your internal names I.e. implement an internal DNS server and an external DNS
server, separated by a firewall.

The external DNS server contains only DNS information about those hosts that are publicly
accessible; the internal DNS server contains DNS information for all your internal systems.

Internal
External DNS
DNS

Internet Internal
network

Firewall
Internal
External
System
System

A Split DNS

5.0 : Scanning – Looking for Vulnerabilities

Introduction

- After reconnaissance, the attacker has information about an organization infrastructure

(telephone numbers, domain names, IP addresses, technical contact information, etc). and use the
information to scan the systems for openings.

Scanning techniques.
1. War Dialing
2. Network Mapping
3. Determining Open Ports Using Port Scanners
4. Vulnerability Scanning Tools
5. Intrusion Detection System Evasion
1. War Dialing

- Tool used to automate dialing of large pools of telephone numbers in an effort to find
unprotected

- A War Dialer is a tool used to locate modems and repeat dial tones within a range or list
of telephone numbers.

- War dialing identifies systems that have modems and that can answer incoming calls.

- Once the modems are found, a hacker can return to each in turn to see what programs it is
running.

N.B This happens if the system is not configured properly and the remote control products offer
an excellent opening for attackers to gain access to the network.

N.B a war dialing tools available today is THC-Scan 2.0, found at

http://thc.inferno.tusculum.edu

- The numbers to dial could come from the following sources: phone book, whois databases, the
Internet, the organization’s Web site, or through social engineering.

- The war dialing tool provides a list of discovered phone lines with modems; based on the dialer
output, the attacker may find a system without passwords connect to the systems, look through
local files and start to scan the network.

Defenses against War Dialing

The following are the ways you can protect your organization against war-dialing attacks:

Provide documented policy forbidding use of modems on desktop machines in offices without
approval from security team

Periodically scan all analog lines and digital PBX lines

Perform desk-to-desk check of modem lines to computers

i)Modem Policy: Users should not use modems on desktop machines without written approval
 from central security. (from security team)

ii)Periodically scan all analog lines and digital PBX lines. (a system that connects telephone
company trunk lines with individual user lines and equipment inside the organization)

iii)Dial-out Only: Configure PBX so that a particular telephone line supports outgoing calls
only; so that no incoming calls will be allowed to that line. This prevents an attacker from
discovering the modem and gaining access.

While this technique works well, some users have a business need that requires incoming dial-
up modem access.

iv)Find Your Modems Before the Attacker Does: You can periodically conduct a war
dialing exercise against your own telephone numbers..

2. Network Mapping

- Network mapping is the study of the physical connectivity of networks

- Network mapping attempts to determine the servers and operating systems running on networks.

- After the reconnaissance phase, an attacker takes an inventory of the systems on the network: i.e
determine the addresses of the targets, gain an understanding of the network topology,
interconnection devices, discover critical hosts, routers and firewalls.

-The attackers gains access to the internal network by mapping and scanning the Internet
gateway and the DMZ systems (such as Web, FTP, Mail and DNS servers).

From military meaning a buffer area between two enemies.

-DMZ (DeMilitarized Zone): A perimeter network between two other networks with different
security policies and threats.

Typically, an organization builds a DMZ between its internal network and the Internet, putting
Internet-accessible servers on the DMZ network.

-After conquering the perimeter network, attackers will attempt to move onto the internal network.

Alternatively, an outside attacker may have gotten access to your internal network using a modem
discovered through a war-dialing attack.

N.B: The attack will use the following common techniques to map and scan network, particularly
for finding live hosts and tracing your network topology:

(i). Sweeping: or Finding Live Hosts

- The attackers will attempt to ping all possible addresses in your network, to determine which
ones have active hosts build an inventory of accessible systems. (Packet INternet Groper)

-A ping test determines whether your computer can communicate with another computer over the
network.

- If network communication is established, ping tests also determine the connection latency (delay)
between the two computers.

-Ping test works by sending ICMP "echo request" packets to the target host and listening
for replies.

-Ping measures the round-trip time and records any packet loss, and show when finished a
statistical summary of the echo response packets received,

Many networks block incoming ICMP packets, so an attacker could alternatively send a TCP or
UDP packet to a port that is commonly open, such as TCP port 80 where Web servers typically
listen.

Question 1: How do ICMP pings work?

(ii). Traceroute: determining What are the Hops?

-After the attacker identifies live hosts they proceed to identify the network topology by using
tracerouting
-Tracerouting determine the various routers/gateways that make up your network infrastructure
(UNIX, traceroute; Windows, tracert).

-Traceroute used to discover the path from source to destination

-Through tracerouting, an attacker will determine the path to each host discovered during the ping
sweep; in the process, an attacker can recreate your network topology, from which he create a
network diagram.

(iii). Use of Automated Ping/Traceroute tools (e.g. Cheops)

-Ping and traceroute are used to determine the network topology by hand which is too much work.

Attackers may use tools that automate the process of developing a network inventory and topology
using automated software’s such as Cheops (www.marko.net/cheops). N.B site where the tool is
found.

Defenses against Network Mapping

The following measures could help prevent an attacker from mapping your network as described:

-Block incoming ICMP messages at Internet gateway to make ping ineffective

Internet Control Message Protocol (ICMP) An internet Protocol used by the operating systems
of networked computers to send error messages i.e to indicate that a requested service is not
available or that a host or router could not be reached.

-Filter ICMP Time Exceeded messages leaving your network to make traceroute ineffective

By using firewalls and the packet-filtering capabilities of your routers.

Filters will inhibit users and network management personnel who

want to use traceroute, but it can improve security.

3. Determining Open Ports Using Port Scanners

-The active TCP and UDP ports on a computer are indicative of the services running on those
machines. For example, if you are running a Web server, attackers may listen on TCP port 80; if a
DNS server, UDP port 53 will be open; if the machine is hosting an Internet mail server, TCP port
25 is likely open.

-The attacker wants to discover the purpose of each system and discover potential entryways into
your machines by analyzing which ports are open;

-The inventory of open ports is possible through a port-scanning tool.

-Using a port scanner, the attacker will send packets to various ports to determine if any service is
listening there.

Examples of port-scanning tools, including:

Nmap (www.insecure.org/Nmap),

In an attempt to avoid detection, the attacker may choose to scan a limited set of ports, focusing
on the ones associated with common services like telnet, FTP, e-mail, and Web.

To conduct a scan, an attacker can choose from a very large number of free port-
scanning tools, including: Nmap (www.insecure.org/Nmap), Strobe
(packetstorm.securify.com/UNIX/scanners), and Ultrascan, a Windows NT port
scanner (packetstorm.securify.com/UNIX/scanners). Nmap is the most capable,
combining the best features of most other port-scanning tools.

When scanning for open ports, the scanning system sends packets to the target system to interact
with each port.

A few scan types supported by Nmap are described below:

 TCP Connect Scan: Completes the 3-way handshake with each scanned port. The
attacker’s system sends out a SYN and awaits a SYN-ACK response from the target. If the
port is open, the scanning machine completes the 3–way handshake with an ACK, and then
gratefully tears down the connection using FIN packets.

If the target port is closed, no SYN-ACK will be returned by the target. For closed ports,
the attacker’s system will receive either no response, or a RESET, or an ICMP Port
Unreachable packet, depending on the system type and the target network configuration.
Any of these results back means that the port is closed.

However, the target system will record the connection in its log file, indicating that a
 connection was made from the attacker’s IP address. This evidence makes attackers to use
other scan types.

 TCP SYN Scan: Involves the attacking machine sending a SYN to each target port.
If the port is open, the target system will send a SYN-ACK response. The attacking
machine then sends a RESET packet immediately, aborting the connection before it is
completed. Thus, in a SYN scan, only the first two parts of the 3-way handshake occur.

SYN scans have two primary benefits over Connect scans:

(i). the end system will not record the connection, since no connection was ever
established; however, routers and firewalls that have logging enabled on the target
network will record the SYN packet.

(ii). SYN scans require sending only SYN and RESET packets, and waiting only for the
SYN-ACK. Because they are simpler and involve less waiting, SYN scanning can be quite
fast.

 TCP FIN, Xmas Tree and Null Scans: These types of scans violate the protocol by
sending packets that are not expected at the start of a connection.

A FIN packet instructs the target system that the connection should be torn down; however,
the connection is non-existent! According to the TCP specification, if a closed port receives
an unexpected FIN when no connection is present, the target system should respond with
a RESET. If the port is open, and unexpected FIN arrives, the port sends back nothing.

In this way, FIN scans can be used to help determine which ports are open and which are
closed.

Similarly, an Xmas Tree scan sends packets with the FIN, URG, and PUSH code bits set.
A Null scan involves sending TCP packets with no code bits set.

Again, Xmas and Null scans expect the same behaviour from the target system as a FIN
scan: a closed port will send a REST, while a listening port sends nothing.

Note: Many other TCP/UDP scans exist, and the major goal is to find ports that are open and
listening.

Defenses against Port Scanning

The following are some defenses against port scanning:

(i). Hardening the Systems

-Close all unused ports; there is no need to have services listening that are not required.

(ii). Find the Openings before the Attackers Do

-Scan your systems before an attacker does to verify that all ports are closed except those that have
a defined business need

Comments

A port scanning tool, such as Nmap, is used to send packets to an end system to determine
which ports are listening at the given end machine. Nmap, however, can not differentiate
between what is open on and end system and what is being firewalled. To give the attacker
even more information on the target network infrastructure, additional scanning techniques
are required.

Firewalk is an innovative tool that allows an attacker to determine which packets are
allowed through a packet-filtering device such as a router or firewall. That is, Firewalk can
determine if a given port is allowed through a packet filtering device; with this information,
Firewalk will allow an attacker to determine the firewall rule set.

In summary, so far, the attacker may have the following information using the tools
discussed.

What the Attacker Has Learned So Far Using Scanning Tools

What the Attacker Knows Tools Used to Get the

Information

List of addresses for live hosts on the network Ping and Cheops

General network topology Traceroute and Cheops

List of open ports on live hosts Nmap

Operating system types of live hosts Nmap

List of ports open through packet filters on the target Firewalk

 network

Though the attacker has a lot of information about the target network, he still doesn’t know how
to get into the target systems.

4. Vulnerability Scanning Tools

-These tools provide a list of vulnerabilities on the target system that an attacker can exploit to
gain access. These scanners are based on the following idea:

Automate the process of connecting to a target system and checking to see if a

vulnerability is present; by automating the process, many hundreds of
vulnerabilities can be quickly and easily checked on the target system.

-A vulnerability scanning tools Checks for the following types of vulnerabilities

 Common configuration errors: Systems have poor configuration settings, leaving

various openings for an attacker to gain access. (open ports)

 Default configuration weaknesses: Many systems have very weak security settings i.e
default accounts and passwords.

 Well-known system vulnerabilities: Regularly, many new security holes are discovered
and published in a variety of locations on the Internet; vendors create security patches to
keep up. However, once the vulnerabilities are published, a flurry of attacks against un-
patched systems is inevitable.

Examples of scanning tool is the free, open-source Nessus: www.nessus.org.

Most vulnerability-scanning tools can be broken down to the following common set of
components:
 User
Configuration
Tool

Scanning
Engine

Vulnerability
Database Knowledge
Base of
Current
Active Scan

Results Target
Repository Systems
& Report
Generation
A Generic Vulnerability Scanner

(i). Vulnerability database

This is the brain of the vulnerability scanner. It contains a list of vulnerabilities for a variety of
systems and describes how those vulnerabilities should be checked.
(ii). User Configuration tool
The user interacts with this component of the vulnerability scanner. The user can select the target
systems and which vulnerability checks should be run.
(iii). Scanning Engine
Based on the vulnerability database and user configuration, this tool formulates packets and sends
them to the target to determine whether vulnerabilities are present.

(iv). Knowledge Base of Current active Scan

This element acts like the short-term memory of the tool, keeping track of the current scan,
remembering the discovered vulnerabilities, and feeding data to the scanning engine.
(v). Results Repository and Report Generation Tool
This is considered the mouth of the scanner, where it says what it found during a scan. It generates
reports for the user, explaining which vulnerabilities were discovered on which targets.
Comment
- The vulnerability-scanning tool enables the attacker to have a list of vulnerabilities on your
system; using this information (operating system type, open port list & vulnerability list), the
attacker will then search for code to exploit the weaknesses – the search could be done using search
engines or attacker-friendly web sites.
-Defenses against vulnerability scanning:
(i). Close Unused Ports and Keep Your Systems Patched
You must close all unused ports and apply patches to your systems; ultimately, to prevent attacks,
you must have a defined policy and practices for building and maintaining secure systems.
(ii). Run the Tools against Your Own Networks
-You should run a vulnerability scanning tool against your own network on a periodic basis to
identify vulnerabilities before an attacker does.
-This should be regular, say, every three months given the dynamic nature of the information
security environment (with new vulnerabilities being discovered almost every day).
Analyze the results of your vulnerability-scanning tool and ensure that you implement fixes to all
of the significant vulnerabilities in a timely fashion.
Note(s):
 Password guessing modules are included in major vulnerability scanners. These modules
attempt to login to various accounts as a variety of users, guessing common passwords
along the way. This may lock out legitimate users.
 A major limitation of vulnerability-scanning tools is that the tools only check for
vulnerabilities that they understand; this means that the vulnerability database must be kept
up to data or else you will miss vulnerabilities on your network that attackers will be able
to find.
 The tools only give you a snapshot in time of your system security. That is, the vulnerability
scan that was run, say, last month, may no longer indicate all of your vulnerabilities
accurately today; this is because as the configuration and topology of your network
changes, so too does your exposure to vulnerabilities.
5. Intrusion Detection System Evasion
-A port scan sends tens of thousands of packets or more; a robust vulnerability scan could send
hundreds of thousands or millions of packets to the target network.
Thus, network-mappers, port-scanners and vulnerability-scanners are all noisy; a
diligent system administrator will notice the generated traffic. This jeopardizes the
attacker’s success.
An IDS – Intrusion Detection System – is a system or program that looks for
attacker activity and warns administrators when it discovers evidence of an attack.
An IDS acts like a burglar alarm.
Based on warnings from the IDS, the administrators of the target systems could improve their
security stance, or even start an investigation – foiling the attacker’s ability to gain access. Even
worse, vigorous investigation by the target network’s security team could result in a criminal case.
Clearly, the attackers want to evade detection by the IDS.
Possible IDS Evasion Defenses
The following are some defenses against IDS evasion:
(i). Utilize IDS Where Appropriate
Even though there are a variety of methods to full IDS machines, most modern IDS vendors work
hard to ensure that they detect the latest attackers despite various evasion tactics.
Because of their value as early-warning indicators, you should
consider using IDS on your sensitive networks.
(ii). Keep the IDS System Up to Date
Because new attacks are constantly being developed, you must update your IDS platform on a
monthly basis, or more often.
(iii). Utilize Both Host-Based and Network-Based IDS
While the network-based IDS listens to the network looking for attacks, a host-based IDS runs on
the end system that is under attack. Host-based IDS can look at the logs and the system
configuration to see what an attacker has actually done, rather than trying to interpret what is going
on by looking at packets on the network.
Still, network-based IDS serves a valuable role in monitoring network traffic and while host-based
IDS only defends the host it is installed on, a network-based IDS can monitor a whole LAN.
You get economies of scale with network-based IDS that you can not
achieve with host-based IDS; network-based IDS tend to require
less administrative work, have fewer interactions with monitored
systems, and usually require less expensive software.
Conclusion
Using a variety of scanning techniques, attackers have gained valuable information about your
network, including a list of phone numbers with modems, addresses of live hosts, network
topology, open ports and firewall rule sets. The attackers are now ready to take over systems on
your network.
The next chapter explores how attackers, armed with information from a detailed network scan,
can compromise systems on the target network.
Lecture Key Comments:
Review TCP/IP Protocol Suite; review concept of port numbers; review ping and traceroute
commands.
6.0 Gaining Access to Systems and Data: Summary
- During the scanning phase, the attacker is able to put together the following information, which
can then be used to compromise systems:
 Phone numbers with modems;
 Addresses of live hosts;
 Network topology;
 Open ports;
 Firewall rule sets (rules determining what packets the firewall allows or refuses to pass
through it)

- Based on the above information, the attacker can compromise systems through the following
attacks:
(a). Application and Operating System Attacks
 Buffer overflow attacks;
 Password attacks;
 Web application attacks
(b). Network-based attacks
 Sniffing;
 IP address Spoofing;
 Session Hijacking

i) .Stack-Based Buffer Overflow Attacks

  Allows attacker a way to execute arbitrary commands and take control of a vulnerable
machine
 Any poorly written application or operating system component could have a stack-based
buffer overflow
 A stack data structure that stores important information for processes running on a
computer
These kinds of attacks can be handled in the following ways (from the system’s administrator and
software developer perspectives).
• Ensure that publicly available systems (Internet Mail, DNS, Web, FTP servers, etc) have
configurations with a minimum of unnecessary services and software extras – because
these serve as doorways to inserting the data for overflow attacks.
• Configure your systems with non-executable stack – so that it refuses to execute
instructions.

ii) Password attacks;

Password attacks involve guessing default password or active password cracking.

Password attack defenses include:

 A strong password policy;
 Better user awareness;
 Use of password filtering software that will help enforce organizational password policy
(that is, the software will determine whether a password is appropriate, etc);
 Use of authentication tools other than passwords;
 Protection of password hash files;
 Company can conduct its own password cracking exercises to see how exposed it is.

iii) Web Application Attacks

- Web applications are characterized by the need to login to the application and the setting up of a
session between the client and server application.
- Web application attacks come in two forms: Account Harvesting and Undermining Session
Tracking Mechanisms.
a) Account Harvesting
- Technique used to determine legitimate userIDs and passwords of a vulnerable application
- Targets the authentication process when application requests a userID and password
- Works against applications that have a different error message for users who type in an
incorrect userID
Account Harvesting Defenses
- Account harvesting can be prevented if there is a consistent message that is returned when wrong
authentication data is transmitted to the application, a message that will not give hints to the
attacker on whether the User ID or Password is wrong.
 Make sure that error message is the same when a user types in an incorrect userID or
password
b) Undermining Session Tracking Mechanisms
- Attacker changes his session ID to a value assigned to another user
o Application thinks that attacker is the other user
- Most Web application generate a session ID to track the user’s session.
- Session ID is passed back and forth across the HTTP or HTTPS connection when client
browses web pages, enters data into forms, or conducting transactions
- Session ID allows the Web application to maintain the state of a session with a user
- Consider the interaction between the Internet Explorer browser (client program) and
Apache Server (the server program); the two programs may be on the same server hardware
or not.
- Hypertext Transfer protocol (HTTP) typically governs the conversation between the two
programs.
Req 1

Req 2
Browser Server
(IE) Req n (Apache)

To prevent attacks associated with session tracking mechanisms, the following approaches are (can
be) applied:
Defending against Web Application Session-Tracking Attacks

 Digitally sign session-tracking information

 Encrypt information in the URL, hidden form element, or cookie
 Make sure that your session IDs are long enough to prevent accidental collision
 Apply a timestamp within the session ID variable and encrypt it
 Allow users to terminate their sessions via a logout button which will invalidate the session
ID
Summary: Key Points
(a). Briefly discuss how the following application and operating system attacks are realized and
the appropriate defenses:
 Buffer overflow attacks;
 Password attacks;
 Web application attacks
(b). Discuss briefly the key elements of a strong password policy
(b). Network-based attacks
Key techniques are:
i. Sniffing,
ii. IP Address spoofing
iii. Session Hijacking.
i)Sniffing
-A sniffer is a program used to capture traffic from the network;
-The program is often used to gather sensitive information such as userIDs, passwords, DNS
queries and responses, sensitive email messages, etc. Often, it has the capability to decode the
messages.
- Allows attacker to see everything sent across the network, including userIDs and passwords
 Attacker initially takes over a machine via some exploit
 Attacker installs a sniffer to capture userIDs and passwords to take over other machines

The possible defenses against sniffing are indicated below:

 Sniffing Defenses

Encrypt data that gets transmitted across the network;

Consider replacement of hubs – use switches;

Enable port-level security on switches: configure each switch with

a specific MAC address of the machine using that port.

ii)IP Address Spoofing panic

-Changing or disguising the source IP address i.e used by Nmap

-This kind of attack involves changing/disguising the source IP address of a system, and it is
helpful for attackers who do not want their actions traced back (for example, the source of a packet
flood may never be known if the true source is disguised);
Disguising the source IP address also helps attackers undermine applications that rely on IP
addresses for authentication or filtering, since the address may not be the right address.

-Another form of IP address spoofing involves what is known as spoofing with source routing. In
source routing, the source machine sending a packet specifies the path the packet will take on the
network. Source routing is often divided into:

• Loose source routing: the attacker to specify just some of the hops (handoff points) that
must be taken as the packet traverses the network.
• Strict source routing: the entire route is included in the packet header

Several techniques combined will help with ip spoofing attacks:

  Apply the latest security patches from your OS vendor; this ensures that the initial sequence
numbers are difficult to predict.
 Avoid applications that use IP addresses for authentication purposes.
 Do not allow source-routed packets (“no ip sourceroute”).
 Implement anti-spoof packet filters at border routers.

iii)Session Hijacking
Note Sniffing allows an attacker to observe traffic on a network; spoofing supports an attacker in
pretending to be another machine.
In session hijacking, an attacker steals an existing session established between a source and a
destination, using both sniffing and spoofing techniques.
In the diagram below, explain how Eve can still Alice’s session with Bob using sniffing and
spoofing techniques. Session hijacking can be defended through encrypted sessions, especially if
the sessions traverse the Internet.

Alice telnet

NETWORK
ALICE BOB

Eve could be on: “Hi, I’m Alice”

EVE
• Originating LAN; 1. Sniffing;
Attacker
•Path to destination; 2. TCP sequence numbers
•Destination LAN

 Use SSH or VPN for securing sessions

Information Security Lifecycle Management:

The information security lifecycle describes the process to follow to mitigate risks to your
information assets.
Life cycle activities.
i. Identify
ii. Protect
iii. Detect
iv. Respond
v. Recover
1. Identify

During this stage, you must take steps to catalog and comprehend the systems, assets, and people
who comprise and influence your network and its security.

Performing an inventory of all your IT assets and setting up monitoring processes to track user
access and behavior.

Examples:

Identifying physical and software assets within your organization and establishing asset
management processes.

Identifying cybersecurity policies and ensuring they comply with legal and regulatory
requirements.

Identifying vulnerabilities, threats, and risk-response activities through a Risk Assessment.

2. Protect

The organization take steps to defend data and assets.

This phase outlines the processes you must put in place to ensure your organization can limit the
detrimental impact of a breach.

Examples of activities you may engage in at the Protect stage include:

 Providing staff with cybersecurity training based on their role and system privileges.
 Implementing access controls and identity management processes.
 Protecting resources and assets through maintenance.

Use cybersecurity tools and solutions like firewalls, VPNs, and file integrity monitoring
software.
VPN provides an encrypted server and hides your IP address from corporations, government
agencies and would-be hackers.

Virtual Private Network is a mechanism for creating a secure connection between a computing
device and a computer network, or between two networks.

VPN stands for Virtual Private Network. It is a type of network you can connect to which will
help you protect your online security and privacy.

A VPN acts as a tunnel through which all your data goes from your location to your destination.
It's all properly encrypted and secure so that any outside party can’t see what data you are
transferring.

Advantages to using VPNs, such as:

 Privacy
 Anonymity
 Security
 Encryption
 Masking or changing your original IP address, so others can’t track you

A VPN works by routing / forwarding all your data from your laptop or phone through your
VPN to the internet, rather than directly through your ISP.

When you use a VPN, it encrypts all your data on the client side. Then after the data is
encrypted, it's passed through a VPN tunnel which others can’t access, and then it reaches the
internet.

3. Detect

This stage involves discovering breaches and other cybersecurity events promptly.

Examples of activities related to the Detect stage:

 Implementing continuous monitoring of your network and user activities.

 Consistently verifying the effectiveness of protective measures in your network.
 Evaluating your awareness of unusual behavior and events and maintaining processes
designed to detect those events.

An organization can succeed in the Detect stage of the cybersecurity lifecycle by creating a
policy for logging system activity and user access.

Implementing a tool like CimTrak can help automatically create this audit trail.

Additionally, CimTrak assists your team in flagging unusual activity so that you can take action
quickly.
4. Respond

Ability to contain and mitigate the impact of a breach

Examples of actions in the Respond stage include:

 Communicating clearly with stakeholders, law enforcement, and other parties where
appropriate during and after a breach.
 Performing mitigating actions to prevent the spread of a breach and halt lateral
movement within your network.
 Consistently improving and learning after an event to prevent future breaches of the
same nature.

5. Recover

Set up the systems and practices you need to restore full functionality after a breach.

Examples of recovery stage activities include:

 Setting up Recovery Planning processes and procedures ahead of time.

 Adjusting processes and implementing new solutions based on lessons learned from
previous challenges.
 Coordinating communication internally and externally following an incident.

CYBER SECURITY PERIMETER PROTECTION

Perimeter security in cybersecurity refers to the process of defending a company’s network

boundaries from hackers and intruders.
This entails surveillance detection, pattern analysis, threat recognition, and effective response.

Network perimeter protection includes the following components:

 Intrusion Detection Systems (IDS)

 Intrusion Prevention Systems (IPS)
 Firewalls
 Border routers
 Unified Threat Management (UTM) systems

Intrusion Detection Systems (IDS)

An Intrusion Detection System (IDS) monitors network traffic for unusual or suspicious
activity and sends an alert to the administrator.
Some IDS software can take action based on rules when malicious activity is detected, for
example blocking certain incoming traffic.

Examples of Intrusion Detection Systems:

Manage Engine Event Log Analyzer. A log file analyzer that searches for evidence of intrusion
and also provides log management.

Intrusion Prevention Systems (IPS)

A network security tool that monitors a network for malicious activity and takes action to prevent
it, including reporting, blocking, or dropping it, when it does occur.
Firewalls
A network security device that monitors incoming and outgoing network traffic and decides
whether to allow or block specific traffic based on a defined set of security rules
Border routers

These are routers that manage traffic into and out of networks.

CYBER RISK VULNERABILITY ASSESSMENT

The process of identifying risks and vulnerabilities in computer networks, systems, hardware,
applications, and other parts of the IT ecosystem.

A vulnerability assessment is a systematic review of security weaknesses in an information

Examples of threats that can be prevented by vulnerability assessment include:

1. SQL injection, XSS and other code injection attacks.

2. Escalation of privileges due to faulty authentication mechanisms.
3. Insecure defaults – software that ships with insecure settings, such as a guessable admin
passwords.

There are several types of vulnerability assessments.

Host assessment – The assessment of critical servers, which may be vulnerable to attacks if not
adequately tested or not generated from a tested machine image.

Network and wireless assessment – The assessment of policies and practices to prevent
unauthorized access to private or public networks and network-accessible resources.
Database assessment – The assessment of databases or big data systems for vulnerabilities and
misconfigurations, identifying rogue databases or insecure dev/test environments, and classifying
sensitive data across an organization’s infrastructure.

Application scans – The identifying of security vulnerabilities in web applications and their
source code by automated scans on the front-end or static/dynamic analysis of source code

Types of Vulnerability Assessment Tools

Network-based scanning—used to identify potential network security attacks. This type of scan
can also detect vulnerable systems on wired or wireless networks.
Host-based scanning—used to identify vulnerabilities on servers, workstations, or other
network hosts. This type of scan looks for vulnerable open ports and services, providing insights
about the configuration settings and patch history of scanned systems.
Wireless network scans—used to scan an organization's Wi-Fi network to identify security
weaknesses. These scans can identify malicious access points and ensure that wireless networks
are configured securely.
Application scans—used to test websites and mobile applications for known software
vulnerabilities and misconfigurations
Database scans—used to identify vulnerabilities that might allow database-specific attacks like
SQL and NoSQL injection, as well as general vulnerabilities and misconfigurations in a database
server

Information systems security policies

An information security policy (ISP) is a set of rules, policies and procedures designed to ensure
end users and networks within an organization meet minimum IT security and data protection
security requirements.
ISPs should address all data, programs, systems, facilities, infrastructure, authorized users, third
parties and fourth parties of an organization.
Purpose of an Information Security Policy

Aims to enact protections and limit the distribution of data to only those with authorized access.

 Establish a general approach to information security

 Document security measures and user access control policies
 Detect and minimize the impact of compromised information assets such as misuse of
data, networks, mobile devices, computers and applications
 Protect the reputation of the organization
 Comply with legal and regulatory requirements
 Protect their customer's data, such as credit card numbers
  Provide effective mechanisms to respond to complaints and queries related to real or
perceived cyber security risks such as phishing, malware and ransomware
 Limit access to key information technology assets to those who have an acceptable use

Elements of an Information Security Policy

1.Purpose

Outline the purpose of your information security policy

 Preserve your organization's information security.

 Protect the organization's reputation
 Uphold ethical, legal and regulatory requirements
 Protect customer data and respond to inquiries and complaints about non-compliance of
security requirements and data protection

2. Audience

Define who the information security policy applies to and who it does not apply to.

3. Information Security Objectives

These are the goals management has agreed upon, as well as the strategies used to achieve them.

 Confidentiality: data and information are protected from unauthorized access

 Integrity: Data is intact, complete and accurate
 Availability: IT systems are available when needed

4. Authority and Access Control Policy

Deciding who has the authority to decide what data can be shared and what can't.
5. Data Classification

Classify data into categories.

1. Level 1: Public information

2. Level 2: Information your organization has chosen to keep confidential but disclosure
would not cause material harm
3. Level 3: Information has a risk of material harm to individuals or your organization if
disclosed
4. Level 4: Information has a high risk of causing serious harm to individuals or your
organization if disclosed

6. Data Support and Operations

Outline how data is each level will be handled.

1. Data protection regulations: Organizations that store personally sensitive data must be
protected according to organizational standards, best practices, industry compliance
standards and regulation
2. Data backup requirements: Outlines how data is backed up, what level of encryption is
used and what third-party service providers are used
3. Movement of data: Outlines how data is communicated.

7. Security Awareness Training

Security training should include:

 Social engineering. Teach your employees about phishing, spearphishing and other
common social engineering cyber attacks
 Clean desk policy: Laptops should be taken home and documents shouldn't be left on
desks at the end of the work day
 Acceptable usage: What can employees use their work devices and Internet for and what
is restricted?

8. Responsibilities and Duties of Employees

Operationalize your information security policy, outline the owners of:

 Security programs
 Acceptable use policies
 Network security
 Physical security

Penetration testing,
An authorized simulated attack performed on a computer system to evaluate its security.
Examine whether a system is robust enough to withstand attacks from authenticated and
unauthenticated positions, as well as a range of system roles. With the right scope, a pen test can
dive into any aspect of a system.
Benefits of penetration testing

 Find weaknesses in systems

 Determine the robustness of controls
 Support compliance with data privacy and security regulations
 Provide qualitative and quantitative examples of current security posture and budget
priorities for management
Phases of penetration testing.
Reconnaissance. Gather as much information about the target as possible from public and
private sources to inform the attack strategy.
Scanning. Pen testers use tools to examine the target website or system for weaknesses, including
open services, application security issues, and open source vulnerabilities.
Gaining access. Attacker motivations can include stealing, changing, or deleting data; moving
funds; or simply damaging a company’s reputation. To perform each test case, pen testers
determine the best tools and techniques to gain access to the system, whether through a weakness
such as SQL injection or through malware, social engineering, or something else.
Maintaining access. Once pen testers gain access to the target, their simulated attack must stay
connected long enough to accomplish their goals of exfiltrating data, modifying it, or abusing
functionality. It’s about demonstrating the potential impact.

Types of penetration testing

Entails testing all the areas in your environment.
Web apps. Testers examine the effectiveness of security controls and look for hidden
vulnerabilities, attack patterns that can lead to a compromise of a web app.
Mobile apps. Testers look for vulnerabilities in application binaries running on the mobile device
and the corresponding server-side functionality. Server-side vulnerabilities include session
management, cryptographic issues, authentication and authorization issues, and other common
web service vulnerabilities.
Networks. Identifies security vulnerabilities in an external network and systems. Examples Test
cases for encrypted transport protocols, SSL certificate scoping issues, use of administrative
services, and more.
Cloud. Cloud penetration testing requires a set of specialized skills and experience to scrutinize
the various aspects of the cloud, such as configurations, APIs, various databases, encryption,
storage, and security controls.
Embedded devices (IoT). Embedded / Internet of Things (IoT) devices such as medical devices,
automobiles, in-home appliances. Experts perform a thorough communication analysis along with
a client/server analysis to identify defects that matter most to the relevant use case.
Mobile devices. Pen testers find vulnerabilities in application binaries running on the mobile
device and the corresponding server-side functionality.
Vulnerabilities in application binaries can include authentication and authorization issues, client-
side trust issues, misconfigured security controls, and cross-platform development framework
issues. Server-side vulnerabilities can include session management, cryptographic issues,
authentication and authorization issues, and other common web service vulnerabilities.

Cyber-attack response and recovery

Cybercrime Aftermath: How to Recover From a Cyber Attack

Cyber and disaster recovery systems are designed to help your company recover from the
consequences of a cyber-attack or a data breach.
Steps your business can take to recover from a cyber-attack

Follow your cyber incident response plan:

Contain all the necessary steps your organization should take to recover as painlessly as possible.

Create a business continuity plan:. Find alternatives for the critical processes that were
interrupted by the incident and instruct your employees on how to adjust to the new working
conditions.

For example, you might have to instruct your customer service department to call customers
instead of emailing them or your employees could use personal computers that your
cybersecurity department has approved while work computers are being restored to working
order.

Use safe backups to resume operations: Finding a secure backup will be much easier if you
have a cyber recovery system in place.

Recover or rebuild the lost data: If you haven’t installed a cyber recovery system, but you do
keep backups as a part of your disaster recovery system, you will only need to rebuild the data
that you stored after the most recent clean backup. If that data was irreparably damaged, you
would need to enlist expert help to rebuild it.

Analyze and improve your cyber security procedures: Analyze your security gaps and learn
what you can improve. Strengthen your security protocols, change all the passwords, and instruct
your employees to do the same. Educating your staff is the best method for preventing future
attacks from infiltrating your systems.
Future of cyber security and emerging technologies

Future of Cybersecurity
Cybersecurity Trends
Rise of Automotive Hacking

Modern vehicles come packed with automated software creating seamless connectivity for
drivers in cruise control, engine timing, door lock, airbags and advanced systems for driver
assistance.

These vehicles use Bluetooth and WiFi technologies to communicate that opens them to several
vulnerabilities or threats from hackers.

Gaining control of the vehicle or using microphones for eavesdropping is expected to rise with
more use of automated vehicles.

Potential of Artificial Intelligence (AI)

AI has been used to develop smart malware and attacks to bypass the latest security protocols in
controlling data.

AI-enabled threat detection systems can predict new attacks and notify admins of any data
breach instantly.

Mobile networks

Cybersecurity trends provide a considerable increase for mobile banking malware or attacks
making handheld devices a potential prospect for hackers. F

Financial transactions, emails, and messages possess more threats to individuals.

Smartphone viruses or malware may capture the attention of cybersecurity trends

Cloud is Also Potentially Vulnerable

With more and more organizations now established on clouds, security measures need to be
continuously monitored and updated to safeguard the data from leaks.

Although cloud applications such as Google or Microsoft are well equipped with security from
their end still, it's the user end that acts as a significant source for erroneous errors, malicious
software, and phishing attacks.
Data Breaches: Prime Target

Safeguarding digital data is the primary goal now. Any minor flaw or bug in your system
browser or software is a potential vulnerability for hackers to access personal information.

IoT With 5G Network: The New Era of Technology and Risks

Communication between multiple devices opens vulnerabilities from outside influence, attacks
or an unknown software bug.

Increase in Ransomware attacks

Ransomware is a malware designed to deny a user or organization access to files on their computer.
By encrypting these files and demanding a ransom payment for the decryption key, cyberattackers
place organizations in a position where paying the ransom is the easiest and cheapest way to regain
access to their files.
State-Sponsored Cyber Warfare
State-sponsored cyber warfare is a form of cyber warfare in which a government or state sponsors
or carries out cyber attacks against other governments, businesses, organizations, or individuals.

The attacks are more significant on an event such as elections.

Increase in Social Engineering Attacks

Attackers use techniques such as phishing, spoofing, sniffing to gain access to sensitive data.

Cyber security emerging technologies

Artificial Intelligence (AI) and Machine Learning (ML): Artificial Intelligence and Machine
Learning are revolutionizing the cybersecurity industry.

These technologies analyze vast amounts of data, learn from patterns, and make predictions about
potential threats.

By utilizing these technologies, cybersecurity experts can identify and respond to threats faster
and more accurately than ever before.

Behavioral Biometrics: A new approach to cybersecurity that uses machine learning algorithms
to analyze user behavior.
his technology can detect patterns in the way users interact with devices, such as typing speed,
mouse movement, and navigation.

By analyzing these patterns, behavioral biometrics can identify potential threats, such as hackers
who have gained access to a user’s account.

Zero Trust Architecture: A security model that requires strict identity verification for every
person or device that tries to access an organization’s network or resources.

This model assumes that no one is trusted by default, even if they are within the organization’s
network perimeter.

Zero trust architecture has gained popularity in recent years due to the increasing number of
cyberattacks targeting businesses and organizations.

Blockchain: By creating a decentralized database, blockchain can provide secure storage for
sensitive information.

Because there is no central authority controlling the data, it is much more difficult for hackers to
gain unauthorized access.

Quantum Computing: Quantum computing is a technology that uses quantum mechanics to

process data.

It has the potential to solve complex problems much faster than traditional computers.

While this technology is still in its infancy, it has the potential to revolutionize the field of
cybersecurity by allowing more secure encryption.

Cloud Security: Cloud computing has become an essential part of many businesses, but it also
introduces new security risks.

Cloud security technologies are emerging to address these risks, such as multi-factor
authentication, encryption, and access controls.

By utilizing these technologies, businesses can ensure that their data is secure in the cloud.

Internet of Things (IoT) Security: IoT devices are becoming more vulnerable to cyberattacks.
IoT security technologies include encryption, access controls, and monitoring to protect IoT
devices and the data they collect.

MOBILE SECURITY ISSUES, RISKS AND VULNERABILITIES

Mobile Device Security Threats

As cybersecurity threats become more frequent and severe, organizations must take the time to
understand the potential risks of allowing employees to use their personal mobile devices for
work-related activities.

Examples of Common mobile device security threats:

Phishing and smishing

Phishing is a form of social engineering where attackers deceive people into revealing sensitive
information or installing malware such as ransomware.

Cybercriminals pose as legitimate institutions, via email, to obtain sensitive information from
targeted individuals.

Smishing is a social engineering attack that uses fake mobile text messages to trick people into
downloading malware, sharing sensitive information, or sending money to cybercriminals.

Malicious apps

A software application designed to do harm to the devices on which it is installed.

These apps are sometimes promoted on untrustworthy sites, but can even make their way onto
the most popular platforms, such as the Apple App Store and Google Play

Once a malicious app is installed, hackers can steal or lock data stored in the mobile device or
spread more malware.

Malware is software that is installed on a computer without the user's consent and that performs
malicious actions, such as stealing passwords or money.

Insecure Wi-Fi and network spoofing

Use of compromised or public Wi-Fi network make devices vulnerable to cyberattacks.

Insecure Wi-Fi, such as open or free Wi-Fi hotspots, can allow cybercriminals to intercept device
network traffic.

Network spoofing entails a hacker impersonating a network’s name to trick users into signing in,
allowing them to access user data.

Outdated operating systems (OSs) and apps

Older OSs and apps may contain vulnerabilities that can be exploited by cybercriminals.

MOBILE DEVICE THREAT PREVENTION

The consequences of mobile device security breaches can be devastating to an organization,
potentially resulting in a loss of profits, data, reputation and compliance.
To minimize mobile device security threats, organizations can take the following precautions:

Train employees.

Cybersecurity awareness training can help employees combat scams by teaching them to identify
signs of phishing, smishing and malicious apps, avoid public and insecure Wi-Fi networks, and
keep their devices’ software up to date.

Install a virtual private network (VPN).

An encrypted connection over the Internet from a device to a network.

The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents
unauthorized people from eavesdropping on the traffic and allows the user to conduct work
remotely.

A VPN is a service that protects your internet connection and privacy online. VPNs create an
encrypted tunnel for your data, protect your online identity by hiding your IP address, and allow
you to use public Wi-Fi hotspots safely.

VPN restricts cybercriminals from deciphering data.

Activate multifactor authentication (MFA).

MFA can prevent account compromises by requiring users to provide multiple security
credentials to access a device or account. Examples of MFA include entering a code sent to a
user’s email, answering a security question or scanning a fingerprint.

Install zero-trust-enabled applications.

A zero-trust security model evaluates access requests based on predefined controls. Legitimate
access requests are permitted, and unauthorized requests are blocked and logged. With this
strategy, installing zero-trust-enabled applications can reduce cybersecurity risks by restricting
access to applications that aren’t permitted.
Turn on user authentication. User authentication on mobile devices verifies a user’s identity
through one or more authentication methods, such as passwords or VPNs, to ensure secure
access.

Develop bring-your-own-device (BYOD) policies.

A company should develop and implement BYOD policies when allowing or requiring
employees to use their personal devices for work-related activities. BYOD policies should
address which devices and apps are permitted and outline security requirements.

Create device update policies. Cybercriminals can infiltrate mobile devices through unpatched
software. Therefore, a company device update policy should require employees to update their
devices and apps as soon as a patch becomes available.

Back up mobile data regularly.

Regularly backing up data can help companies recover in the event a mobile device is lost, stolen
or otherwise compromised. Backups can protect against human errors, hardware failure, virus
attacks, power failure and natural disasters.

Implement a password policy.

A strong corporate password policy can ensure that systems and data are as secure as possible.
Some best practices include encouraging employees to use unique, complex or long passwords;
enabling MFA; and using password management systems.

CLOUD CONCEPTS AROUND DATA AND COLLABORATION.

Cloud data security refers to the technologies and controls that discover, classify, and protect all
data in the cloud to mitigate risks arising from data loss, misuse, breaches, and unauthorized
access. This includes:

 Detecting and classifying structured and unstructured data

 Implementing and monitoring access management controls at the file and field levels
 Identifying storage locations for structured and unstructured data
 Data transmission flows
 Encryption configurations

Data security in cloud computing

Core principles of information security also apply to the cloud:

Data confidentiality, integrity, and availability

 Confidentiality: protecting the data from unauthorized access and disclosure

  Integrity: safeguard the data from unauthorized modification so it can be trusted
 Availability: ensuring the data is fully available and accessible when it’s needed

Common cloud data security risks

Common cloud-related risks that organizations face include:

 Regulatory noncompliance cloud computing adds complexity to satisfying compliance

requirements.
 Data loss and data leaks data loss and data leaks can result from poor security practices
such as misconfigurations of cloud systems or threats such as insiders.
 Loss of customer trust and brand reputation—customers trust organizations to
safeguard their personally identifiable information (PII) and when a security incident
leads to data compromise, companies lose customer goodwill.
 Business interruption risk professionals around the globe identified business disruption
caused by failure of cloud technology / platforms or supply chains as one of their top five
cyber exposure concerns.
 Financial losses. The costs of incident mitigation, data breaches, business disruption, and
other consequences of cloud security incidents can add up to hundreds of millions of
dollars

 Unsecure application programming interfaces (APIs)—many cloud services and

applications rely on APIs for functionalities such as authentication and access, but these
interfaces often have security weaknesses such as misconfigurations, opening the door to
compromises.
 Account hijacking or takeover—many people use weak passwords or reuse
compromised passwords, which gives cyberattackers easy access to cloud accounts.
 Insider threats—while these are not unique to the cloud, the lack of visibility into the
cloud ecosystem increases the risk of insider threats, whether the insiders are gaining
sensitive data via the cloud.

Types of Cloud Data Protection

1. Encryption

Before transferring data to cloud storage, it has to be transformed or encoded. Cloud security
service providers typically provide customers with various encryption methods.

Cloud data protection platform should include strong access controls and key management
features that let businesses use encryption practically and affordably.

2. Authentication and Identity Security

An identity check is necessary to ensure the person is who they claim to be and that the
information they provide is accurate before you can trust them.
Authentication is based on data that can only be produced by one, specific individual.

3. Managing Access Control

Access control is a technique for ensuring users have the right level of access to corporate data
and that they are who they say they are.

5. Backing Up Data

Organizations must configure each system that uses cloud security services to perform automatic
backups at least once a week.