CS Lab Manual

Faculty Name: Ravula Kartheek M.Tech. (Ph.D)

EXERCISE – 1
Aim: Audit security policy implementation in Windows environment.
Procedure:
Step 1: Click on the search bar in Windows (available at the bottom left), type Event Viewer and press Enter.

Step 2: The Event Viewer window is displayed.

DEPARTMENT OF CSE – CYBER SECURITY


Step 3: Select the Windows Logs option on the left side.

Step 4: Select and double-click the Security option. The security events are displayed as shown below.


Step 5: Select the Logon category in the Security log.

Step 6: The Event Properties window opens, showing the security auditing entry as shown below.


Step 7: The audit policy success entry is displayed.

Step 8: Close the window and audit another policy.


Step 9: By doing this audit, any suspicious activities become known.
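The same Security-log check can be scripted so that it does not depend on reading each event by hand. The block below is an added example, not part of the lab manual: it assumes the Security log has been exported as CSV (a constructed sample is embedded) and flags accounts with a burst of failed logons (event ID 4625) followed by a success (event ID 4624).

```python
"""Added example (not part of the lab manual): a scripted version of the
Security-log check that Steps 4 to 7 perform by hand in Event Viewer.
Assumption: the Security log was exported as CSV with the columns
TimeCreated, EventId, Account, SourceIp; the rows below are constructed.
4624 (successful logon) and 4625 (failed logon) are the standard Windows
Logon-category audit event IDs."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: alice fails five times from one source within
# two minutes and then succeeds; bob shows normal activity.
SAMPLE_EXPORT = """TimeCreated,EventId,Account,SourceIp
2024-03-01 09:00:05,4625,alice,10.0.0.7
2024-03-01 09:00:21,4625,alice,10.0.0.7
2024-03-01 09:00:40,4625,alice,10.0.0.7
2024-03-01 09:01:02,4625,alice,10.0.0.7
2024-03-01 09:01:30,4625,alice,10.0.0.7
2024-03-01 09:01:55,4624,alice,10.0.0.7
2024-03-01 09:10:00,4624,bob,10.0.0.9
2024-03-01 11:30:00,4625,bob,10.0.0.9
"""

FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"


def parse_events(text):
    """Parse the CSV export into dicts, converting TimeCreated to datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeCreated"] = datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events


def find_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (account, source_ip, failures, success_afterwards) for each
    account/source pair with at least `threshold` failed logons inside `window`."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["Account"], ev["SourceIp"])].append(ev)
    findings = []
    for (account, source), evs in by_key.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        failures = [e["TimeCreated"] for e in evs if e["EventId"] == FAILED_LOGON]
        for start in failures:
            # Sliding window anchored at each failure in turn
            in_window = [t for t in failures if start <= t <= start + window]
            if len(in_window) >= threshold:
                last_fail = in_window[-1]
                success_after = any(e["EventId"] == SUCCESS_LOGON
                                    and e["TimeCreated"] > last_fail for e in evs)
                findings.append((account, source, len(in_window), success_after))
                break  # one finding per account/source pair is enough
    return findings
```

Running find_failed_logon_bursts(parse_events(SAMPLE_EXPORT)) reports alice from 10.0.0.7 with five failures followed by a successful logon, which is the pattern worth investigating in Step 9.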
Result: Auditing of security policy implementation in the Windows environment was carried out successfully.


EXERCISE – 2
Aim: Create a Demilitarized Zone in a network environment for information security.
Procedure:
Creating a Demilitarized Zone (DMZ) is a fundamental step in enhancing information security within a network environment. A DMZ is a network segment that is isolated from both the internal network (trusted zone) and the external network (untrusted zone), serving as an intermediary area where you place services that need to be accessible from the internet. Here's a step-by-step guide to creating a DMZ:

1. Network Diagram and Planning:
- Design a network diagram that outlines the existing internal network, the DMZ, and the external network.
- Identify the services that will be hosted in the DMZ, such as web servers, email servers, or public-facing applications.

2. Define Firewall Policies:
- Determine firewall policies to control traffic between the internal network, DMZ, and external network.
- Configure the firewall to allow necessary traffic to and from the DMZ while restricting direct access to the internal network.

3. Deploy Firewalls:
- Install and configure firewalls to segregate the DMZ from the internal and external networks.
- Consider using a combination of hardware and software firewalls for added security.

4. Physical Network Segmentation:
- Physically separate the DMZ from the internal network to minimize the risk of unauthorized access.
- Use separate switches or VLANs for the DMZ and internal network.

5. Select Security Appliances:
- Choose security appliances, such as intrusion detection/prevention systems (IDPS) and web application firewalls (WAFs), to enhance security within the DMZ.

6. Host Placement:
- Deploy servers and services in the DMZ based on their required accessibility.
- For example, place web servers directly in the DMZ, while database servers may be placed in a more restricted zone within the internal network.

7. Security Hardening:
- Apply security best practices to harden servers and services within the DMZ.
- Regularly update and patch systems, disable unnecessary services, and implement strong access controls.

8. Intrusion Detection and Prevention:
- Implement intrusion detection and prevention mechanisms to monitor and block suspicious activity within the DMZ.
- Set up alerts for potential security incidents.

9. Logging and Monitoring:
- Enable logging for all devices within the DMZ.
- Regularly monitor logs for signs of abnormal activity or security incidents.

10. Regular Security Audits:
- Conduct regular security audits and vulnerability assessments on systems within the DMZ.
- Address any identified vulnerabilities promptly.

11. User Authentication and Access Control:
- Implement strong user authentication mechanisms for accessing servers within the DMZ.
- Restrict access based on the principle of least privilege.


12. Regular Testing:
- Conduct penetration testing and simulate various attack scenarios to assess the effectiveness of the DMZ's security measures.
- Address any vulnerabilities or weaknesses identified during testing.

13. Documentation:
- Maintain detailed documentation of the DMZ configuration, firewall rules, and security policies.
- Document procedures for managing and maintaining the DMZ environment.

14. Employee Training:
- Provide training to employees on the security policies and procedures related to the DMZ.
- Emphasize the importance of adhering to security best practices.

15. Incident Response Plan:
- Develop an incident response plan specific to the DMZ.
- Clearly define steps to be taken in the event of a security incident within the DMZ.
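Steps 2, 4 and 6 describe the zone layout and firewall policy in words; the added example below (not part of the lab manual) models them as an ordered, default-deny rule list and audits that list against the DMZ design rules before it is loaded onto a real firewall. Zone subnets, addresses and rules are constructed sample values.

```python
"""Added example (not part of the lab manual): the three-zone firewall
policy from steps 2, 4 and 6 as an ordered, default-deny rule list, plus
an audit of that list against the DMZ design rules. Subnets, addresses
and rules are constructed sample values, not a real deployment."""
from ipaddress import ip_address, ip_network

# Step 4: one subnet/VLAN per zone; anything outside these is "external".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.10.0.0/16"),
}

# Step 2: (src_zone, dst_zone, dst_port or None for any port, action),
# evaluated top to bottom, first match wins, anything unmatched is denied.
RULES = [
    ("external", "dmz", 443, "allow"),        # public web service
    ("external", "dmz", 80, "allow"),
    ("dmz", "internal", 5432, "allow"),       # web tier -> database only (step 6)
    ("internal", "dmz", 22, "allow"),         # admin access into the DMZ
    ("internal", "external", None, "allow"),  # outbound browsing
    ("external", "internal", None, "deny"),   # never direct from outside
]


def zone_of(ip):
    """Map an address to its zone; unknown address space is the untrusted zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(rules, src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny' for one flow under first-match semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in rules:
        if rule_src == src and rule_dst == dst and rule_port in (None, dst_port):
            return action
    return "deny"


def audit(rules):
    """Flag allow rules that break the DMZ design: nothing from external
    straight into internal, and no any-port allow into the internal zone."""
    problems = []
    for i, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        if src == "external" and dst == "internal":
            problems.append(f"rule {i}: external may reach internal directly")
        if dst == "internal" and port is None:
            problems.append(f"rule {i}: any-port allow into internal from {src}")
    return problems
```

audit(RULES) returns an empty list for the ruleset above; appending ("dmz", "internal", None, "allow") makes it report rule 6, which is exactly the kind of over-broad rule that undoes the segmentation.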

By following these steps, you can create a secure Demilitarized Zone that enhances information security by isolating and protecting critical services from both internal and external threats. Regularly review and update your DMZ configuration to adapt to evolving security requirements and emerging threats.
Result: Creation of a Demilitarized Zone in a network environment for information security was executed successfully.


EXERCISE – 3
Aim: Implement resource harvesting attack and mitigation.
Procedure:
Credential harvesting is the immediate goal of most cybercrime in which attackers seek users' login information. The strategy is to build a large enough cache of credentials so that they can sell them or exert pressure on the individuals or companies impacted by their loss.

Let's dive into credential harvesting in more depth, walk through some of the context and implications surrounding it, and provide some solutions for mitigating its harmful impacts.

What is credential harvesting?

Credential harvesting refers to collecting user credentials en masse, by whatever means necessary, to drive other cybercrime activity. Often, when individual threat actors or organizations set out to defraud users of their credentials, they are not targeting a single individual's credentials. Instead, they aim to gather (or harvest) as many as possible.

Simply put, credential harvesting is precisely what it sounds like: a high-quantity illicit collection of credentials.


The goal of credential harvesting points to the practical impacts it can have on a business. Namely, cybercriminals aim to collect credentials in great volumes because there's a market for them on the dark web.

Individual user credentials fetch specific per-unit rates, per a PC Mag report. The highest prices are reserved for LinkedIn logins ($45 each in 2022), but the real value comes from selling huge batches of credentials.

Credential harvesting on the rise

One of the most concerning things about credential harvesting is its prevalence. An AT&T cybersecurity briefing on the threat vector reports that over 24 billion credentials have been amassed on the dark web as cybercriminals seek to sell them in bulk to other attackers.

Once credentials have been stolen or otherwise acquired, they can be used for:

- Account takeover
- Credential stuffing
- Lateral movement and escalation of privilege
- Other forms of broken authentication


That's why most phishing attacks each year are dedicated to credential harvesting (71.5% in 2020, per AT&T).

Additionally, credential harvesting has an outsized impact on certain industries. Per one study, credential harvesting was the biggest threat to the retail industry in 2022. It comprised 63% of reported cyber threat indicators within the sector, while the second-highest share (suspicious domains) came in at 16%.

Not surprisingly, credential harvesting was also the threat that survey participants were most concerned about moving into the future.

Common techniques used for credential harvesting

Credential harvesting is not in itself a method of attack but an underlying purpose. Attackers can use many different methods to achieve that goal.

Anything attackers do to guess, crack, or steal credentials can lead to harvesting, but the most common threats are:

Phishing and social engineering: These fraudulent emails trick victims into providing their credentials or engaging with a link or attachment that steals them. In a 2022 phishing campaign targeting financial firms in the real estate sector, thousands of Microsoft 365 credentials were harvested on dark web servers.

Keystroke logging (keylogging): These are programs that attackers place on victims' computers to track every keyboard input. Then, they analyze the results to reveal credentials.

Man-in-the-middle (MITM): These are complex schemes in which attackers intercept or manipulate communication between two parties and decrypt it without being noticed.

To mitigate the impact of these attacks, it's critical to be cognizant of negative online behaviors like password sharing and password recycling. It's also important to set up defenses against the gaps these attacks exploit, as well as deploy technologies for responding to incidents in real time.

Consequences of credential harvesting

The most immediate impact of credential harvesting is compromised account security.

On the individual level, all impacted employees or end users could have their sensitive information leaked and face consequences in their professional and personal lives.


At the company level, sensitive data may be leaked or held ransom by attackers.

There are also potential legal and compliance consequences to these attacks. If the leaked or compromised data is subject to industry or governmental regulations, then the organization could lose its certification or face monetary and other noncompliance penalties.

An additional burden that comes due to harvested credentials is reputational damage. Current and potential clients, both individual consumers and businesses, may be wary of trusting a firm targeted by credential harvesting. The same goes for potential and current employees, who may be harder to recruit and retain.

How to prevent and mitigate the threat of credential harvesting

Given the potential impacts of credential harvesting on personnel, clientele, and other stakeholders, it's imperative to take active steps toward preventing and mitigating the threat. This means taking steps that:
- Make cybercriminals less likely to attempt an attack
- Ensure attacks are less likely to cause harm if they're successful
The first line of defense comes from standard cyberdefense practices, including:


User awareness, established through training, to make falling for phishing less likely.

Encryption across all credentials so that even stolen assets are unintelligible to attackers.

Regular security updates and patch management, minimizing exploitable vulnerabilities.

Monitoring infrastructure to identify threat indicators and potentially fraudulent logins.

Incident response protocols to detect and respond to an attack as swiftly as possible.

However, some of the best and most efficient protections against credential harvesting happen at the point of authentication itself. Secure login makes these attacks less frequent and impactful.

Phishing-resistant multi-factor authentication

Multi-factor authentication (MFA) is an improvement on baseline single-factor systems such as traditional password-based authentication. Rather than requiring a single set of stealable or guessable assets, such as a username and password, MFA requires at least one additional factor.

Page | 17
The best MFA systems require a possession factor
or inherence factor—something the individual
owns, such as a device, or something the user is,
such as a biometric scan of their iris, face,
fingerprint, etc.

MFA makes it harder for cybercriminals to use


stolen or defrauded credentials to access user
accounts and sensitive data. With MFA, a
harvested password is not enough to break auth.

While some MFA deployments remain vulnerable to


social engineering, phishing-resistant MFA
deployments leverage advanced techniques like
behavioral analysis, biometric authentication, and
risk-based auth to monitor for and address
fraudulent account access. It accounts for
vulnerabilities baked into more simple, traditional
MFA and is better suited to defend against
credential harvesting – while also giving legitimate
users a more seamless experience.
Passwordless authentication methods
Finally, organizations worried about credential
theft and harvesting can also look to take (most)
credentials off the table altogether. Passwordless
authentication systems utilize other methods to
validate users’ identities, beyond usernames and
passwords, so there’s nothing to harvest.


Some of the most common and effective passwordless authentication methods include:

Biometric authentication, used on its own rather than along with a knowledge factor in MFA

One-time passwords (OTP) or codes sent to users' devices to enable a login session

Time-based one-time passwords (TOTP), or codes that expire within a short window

Magic links or URLs embedded with access tokens sent securely to users' devices

Social logins that let users sign in to apps using pre-existing trust with another identity provider

Going passwordless renders credential harvesting moot, while also providing people with a much more user-friendly experience without the need to create, remember, and manage an endless number of passwords.

Result: Resource harvesting attack and mitigation were executed successfully.


EXERCISE – 4
Aim: Implement Windows patch management policy.
Procedure:
Implementing a Windows Patch Management Policy involves a combination of tools, processes, and communication strategies. Here's a step-by-step practical guide:

Step 1: Inventory and Asset Management

1.1 Asset Discovery:
- Use asset management tools to discover and catalog all devices on your network.
- Identify servers, workstations, network devices, and software applications.

1.2 Categorize Assets:
- Categorize assets based on criticality, importance, and the sensitivity of data they handle.

Step 2: Risk Assessment

2.1 Vulnerability Scanning:


- Conduct regular vulnerability scans using tools like Nessus or Qualys.
- Prioritize vulnerabilities based on severity and potential impact.

2.2 Risk Prioritization:
- Collaborate with stakeholders to prioritize risks according to business impact.
- Identify critical vulnerabilities that need immediate attention.

Step 3: Define Patch Management Policies

3.1 Policy Development:
- Draft a clear and comprehensive patch management policy.
- Include details on patch testing, deployment schedules, and communication plans.

3.2 Communication Plan:
- Establish a communication plan for notifying users and stakeholders about patching activities and potential downtime.
- Specify communication channels and timing.

Step 4: Testing


4.1 Create a Test Environment:
- Set up a test environment that mirrors your production environment.
- Use virtual machines to replicate different system configurations.

4.2 Test Critical Systems First:
- Prioritize testing on critical systems.
- Test patches for compatibility and assess the impact on applications.

Step 5: Deployment

5.1 Schedule Regular Patching Windows:
- Define regular maintenance windows for deploying patches.
- Coordinate with teams to minimize disruptions during these periods.

5.2 Automated Deployment:
- Utilize Windows Server Update Services (WSUS) or third-party patch management tools to automate patch deployment.
- Configure automatic approvals for critical and security updates.

Step 6: Monitoring and Reporting


6.1 Monitoring:
- Use monitoring tools to track the status of patch deployments.
- Set up alerts for failed deployments or issues.

6.2 Generate Reports:
- Regularly generate reports on the status of patches.
- Include details on successful deployments, failures, and any systems requiring attention.

Step 7: Documentation and Review

7.1 Document Procedures:
- Maintain detailed documentation of the patch management process.
- Include configurations, testing results, and deployment logs.

7.2 Regular Review:
- Conduct regular reviews of the patch management policy.
- Adjust the policy based on feedback, emerging security threats, and lessons learned from previous deployments.


Step 8: Education and Training

8.1 Training Programs:
- Provide training programs for IT staff on using patch management tools effectively.
- Educate end-users on the importance of allowing updates and reporting issues promptly.

8.2 User Education:
- Communicate with end-users about the patching process and its impact on their work.
- Encourage them to report any issues promptly.

Step 9: Incident Response Planning

9.1 Develop Incident Response Plans:
- Develop plans for responding to security incidents related to unpatched systems.
- Outline steps to contain, mitigate, and recover from potential breaches.

9.2 Regular Testing:
- Conduct regular tests and simulations of incident response plans to ensure readiness.

Step 10: Continuous Improvement


10.1 Feedback Mechanism:
- Establish a feedback mechanism to gather input from IT teams, end-users, and stakeholders.
- Use this feedback to continuously improve the patch management process.

10.2 Adapt to Changes:
- Stay informed about emerging threats and technology changes.
- Adapt the patch management policy to address new challenges and requirements.

Implementing a Windows Patch Management Policy is an ongoing process that requires collaboration, communication, and continuous improvement. Regularly assess and update your strategy to ensure the security and stability of your IT infrastructure.
Result: Implementation of the Windows patch management policy was executed successfully.
