
Emanuele Di Bello.

Learning Log:

1. Threat Landscape

The first lecture started with a comprehensive overview of the course structure,
assessment methods, and essential resources. The course aims to equip students
with knowledge about the threat landscape, the different types of threat actors, and
effective cybersecurity measures.
The course will be covered over twelve weeks, with each week dedicated to
different aspects of cybersecurity. The topics and assessments are structured as
follows:
- Quizzes: 10%
- Learning Log: 30%
- Final Written Assignment: 60%

A short introductory video about the UCD Professional Academy and the course
team was presented to the students. Key Resources: the lecture emphasized the
importance of several resources, particularly the "ENISA 12 Steps to Securing
Your Business." These steps include:
1. Culture
2. Training
3. Third-party Management
4. Incident Response Plan
5. Secure Access
6. Secure Devices
7. Secure Network
8. Physical Security
9. Backups
10. Engage with Cloud
11. Secure Online Sites
12. Stay Informed

Cybersecurity Definitions:
- NIST 2008: Focuses on preventing, detecting, and responding to attacks.
- NIST 2020: Emphasizes defending the use of cyberspace from cyberattacks.
Threat Landscape:
- Information Security: Understanding how it functions is crucial for mitigating
risks.
- Recent Attacks: Examples include the HSE shutdown and the US pipeline
attack.
Threat Actors:
The lecture categorized threat actors based on their motivations and technological
capabilities:
- Nation-States
- Cybercriminals
- Hacktivists
- Terrorist Groups
- Thrill Seekers
- Insider Threats

Impact and Statistics:
- Economic Impact: Cybercrime cost Ireland €9.6 billion in 2020.
- Vulnerabilities: 43% of employees in Ireland had no restrictions on accessing
IT tools, and the same percentage experienced cyberattacks in 2020.
- Cyber Ireland Skills Report: Highlights the need for improved cybersecurity
skills and awareness.
We were then shown a video, ‘Anatomy of an Attack’, which demonstrated how
social media can be exploited to penetrate significant institutions.
Key terms were defined using resources from ENISA, Tech Target's "Word of the
Day," and NIST. These included:
- Asset
- Threat
- Vulnerability
- Controls
- Risk
Top Threats (2020/2021): according to ENISA, the top threat is malware, which
continues to be the most significant threat across the EU.

We were then given some recommendations on social networks, programmes,
documents et alia, such as cybersecurityhub on Instagram for the latest updates.
- Documentaries and Books: Recommended materials include documentaries such
as "Zero Days" and "Wannacry," and the compulsory book for this course:
"CrimeDotCom."

CIA Triad: The lecture concluded with an explanation of the CIA triad, which is
fundamental to understanding cybersecurity principles:
- Confidentiality
- Integrity
- Availability
The lecture provided a detailed introduction to the course, outlined the key topics
and assessments, and emphasized the importance of understanding the threat
landscape and cybersecurity measures. Through various resources, definitions,
and real-world examples, students are equipped to navigate and mitigate
cybersecurity threats effectively.

2. Cryptography

This second session led us straight into the topic of how information is shared,
how it can be shared safely, and how interception by third parties is avoided.
Broadly, an overall historical account of cryptography was given. In more detail,
the first part was dedicated to the definitions of the subjects that belong to
cryptography, then to different examples of ciphers (Caesar’s, substitution,
transposition etc.), while the second part was largely dedicated to Symmetric and
Asymmetric Cryptography: what they entail, how they differ, and how a hybrid
version of both is considered the ‘gold standard’ of cryptography, combining the
efficiency of the first and the safety of the latter.

Lastly, we learned about Enigma, its creation and complexity, and how the two
Achilles’ heels that were identified by the Allied forces after several attempts may
have saved the world from a Nazi-fascist victory in WW2.
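The three classical ciphers named above (Caesar, monoalphabetic substitution and columnar transposition), as an added example that is not part of the original learning log; the plaintext, the reversed-alphabet key and the column count are constructed for illustration. The last function shows why Caesar is only of historical interest: its whole key space fits in one dictionary.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` places (mod 26); other characters pass
    through unchanged. Decrypt by calling with the negative shift."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def substitution(text: str, key: str, decrypt: bool = False) -> str:
    """Monoalphabetic substitution: `key` is a permutation of A-Z giving the
    letter that replaces A, B, C, ... in turn."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    return text.upper().translate(str.maketrans(src, dst))


def transposition_encrypt(text: str, columns: int, pad: str = "X") -> str:
    """Columnar transposition: write the message in rows of `columns`
    characters (padding the last row), then read it out column by column."""
    text = text.upper().replace(" ", "")
    remainder = len(text) % columns
    if remainder:
        text += pad * (columns - remainder)
    return "".join(text[c::columns] for c in range(columns))


def transposition_decrypt(cipher: str, columns: int) -> str:
    """Inverse of transposition_encrypt (padding characters are kept)."""
    rows = len(cipher) // columns
    cols = [cipher[i * rows:(i + 1) * rows] for i in range(columns)]
    return "".join(cols[c][r] for r in range(rows) for c in range(columns))


def caesar_keyspace(cipher: str) -> dict:
    """Every candidate plaintext of a Caesar ciphertext, keyed by shift.
    Only 25 keys exist, so exhaustive search is instant; modern ciphers rely
    on key spaces far too large to enumerate."""
    return {k: caesar(cipher, -k) for k in range(1, 26)}
```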

3. Passwords & Authentication

The lecture started with a full revision of the previously introduced symmetric vs
asymmetric methods of encryption. Following that, we learned how the Hypertext
Transfer Protocol (HTTP) evolved into HTTPS (the S standing for secure) by
scrambling the data transferred, hence providing safety for activities such as
banking et similia. The latest standard in website data transfer is represented by
SSL and TLS, which work on a certificate-based model. Hashing was then
introduced at great length: in short, hashing is a widely used one-way function
that transforms an input into a fixed-length output, with good properties in terms
of storage and availability. Hashing is the backbone of many systems built on
encryption, such as cryptocurrencies.

We then learned about ISBN codes and how to check the 13-digit algorithm on
which they are based. The second part of the lecture was dedicated to
identification and access, and everything that is linked to identity management in
both the logical and the physical sense, including the concerns around each step
of identifying subjects that try to access any resource or object. The concept of
multi-factor authentication was then explained: it entails providing two or more of
the following factors: something the individual knows (information, generally a
password), something the individual has (a phone, a token etc.) and something
the individual ‘is’ (biometric data such as fingerprints or facial structure).
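The ISBN-13 check mentioned above, worked through in code as an added example (not from the original learning log): the weighted sum with weights 1 and 3 must be a multiple of 10, and the last function checks the property that makes this useful, namely that every single-digit corruption is caught. The sample ISBN is the widely published example 978-0-306-40615-7.

```python
def normalise_isbn(isbn: str) -> str:
    """Strip the hyphens and spaces used in printed ISBNs."""
    return isbn.replace("-", "").replace(" ", "")


def isbn13_check_digit(first12: str) -> int:
    """Check digit for the first 12 digits of an ISBN-13: digits in positions
    1, 3, 5, ... are weighted 1 and positions 2, 4, 6, ... are weighted 3; the
    check digit brings the weighted sum up to a multiple of 10."""
    if len(first12) != 12 or not first12.isdigit():
        raise ValueError("expected exactly 12 digits")
    weighted = sum(int(d) * (1 if i % 2 == 0 else 3)
                   for i, d in enumerate(first12))
    return (10 - weighted % 10) % 10


def is_valid_isbn13(isbn: str) -> bool:
    """True when the 13th digit equals the check digit of the first twelve."""
    digits = normalise_isbn(isbn)
    if len(digits) != 13 or not digits.isdigit():
        return False
    return isbn13_check_digit(digits[:12]) == int(digits[12])


def detects_all_single_digit_errors(isbn: str) -> bool:
    """Property check: every single-digit corruption of a valid ISBN-13 is
    rejected, because both weights (1 and 3) are coprime with 10, so changing
    one digit always changes the sum modulo 10."""
    digits = normalise_isbn(isbn)
    if not is_valid_isbn13(digits):
        raise ValueError("start from a valid ISBN-13")
    for pos in range(13):
        for wrong in "0123456789":
            if wrong == digits[pos]:
                continue
            corrupted = digits[:pos] + wrong + digits[pos + 1:]
            if is_valid_isbn13(corrupted):
                return False
    return True
```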

The latter entails some human rights issues that we won’t investigate for the
purpose of this course; however, the most popular combination is the first
two factors, where a password is followed by either a badge or an SMS received
on the phone.

Finally, the use of passwords was analysed at length, along with what a wisely
chosen password should look like. Moreover, the salted-hash concept, where
additional data is added to the password before it is hashed, was
introduced.

4. Malware

Malware, or malicious software, is a significant threat to individuals and
organizations alike. Annually, around 230,000 new malware programs are created,
contributing to a staggering $6 trillion in costs in 2021. This threat often employs
tactics like double extortion, where attackers not only demand a ransom but also
threaten to leak stolen data.

Malware encompasses various types of harmful software, including viruses,
worms, trojans, and potentially unwanted programs (PUPs). Effective defense
against malware involves using patches, antivirus software, and maintaining
backups.

- Viruses: These self-replicating programs require a host to spread and often
exploit backdoors in software.
- Worms: Like viruses, worms replicate, but they do not need a host; they
spread through networks, consuming bandwidth.
- Trojans: Unlike viruses and worms, trojans do not replicate. They disguise
themselves as legitimate software, tricking users into downloading them. A
notable example is the FluBot banking trojan.
- Scareware: This type of malware presents fake warnings to scare users into
taking harmful actions.
- Adware: Designed to generate revenue through clickbait ads.
- Spyware: Collects information about the victim without their knowledge.
- Ad Fraud: Involves manipulating views to boost a website's ranking in
search results, commonly targeting platforms like Google Analytics.

One of the most significant threats is ransomware, which encrypts files on a
victim's computer and demands a ransom for their release. Notable ransomware
incidents include ILOVEYOU, Mydoom, WannaCry, and the DarkSide attack on the
US pipeline.

Malware follows a structured lifecycle:

1. Weaponization: Developing the attack methods and malware.
2. Delivery: Distributing the malware to targets.
3. Exploitation: Exploiting vulnerabilities to execute the malware.
4. Installation: Installing the malware on the victim’s system.
5. Command and Control: Establishing a channel for remote control.
6. Exfiltration: Stealing data from the victim’s system.

To mitigate malware risks, it is crucial to avoid mixing public and private use of IT
tools. Additionally, valuable resources such as Trellix provide repositories of
ransomware with detailed descriptions. The "No More Ransom" project maintains a
database of all past ransomware, offering tools to help victims recover their data.
To delve deeper into the world of cyber threats, it was suggested to watch the
series "Undeclared War" and to read the book "Crime.com" for a comprehensive
history of malware evolution. Following the lecture I started listening to "The
Lazarus Heist", a BBC podcast that provides an intriguing account of state-funded
North Korean hacking activities.

5. Networking & Communications

The first part of the lecture was dedicated to the history of the internet, which is
rich and complex, tracing back to the early days of computer development. A
detailed timeline can be found at the Computer History Museum, which showcases
significant milestones in computer and internet evolution.

One of the earliest precursors to internet communication was the telex system,
introduced in Nazi Germany in 1934. This system allowed for the transmission of
typed messages over long distances, laying the groundwork for future digital
communication.

Birth of the Internet:

The modern internet began to take shape in the late 1960s and early 1970s. The
original internet, known as ARPANET, connected four major universities: Stanford,
UCLA, UCSB, and the University of Utah. This network enabled communication via
standardized protocols, leading to the development of foundational technologies
such as the World Wide Web (WWW), email, and File Transfer Protocol (FTP).

Key milestones in the development of internet protocols include:

- IP (Internet Protocol): Developed in the 1970s, IP provides the addressing system
necessary for routing data packets between computers.
- HTTP (Hypertext Transfer Protocol): Introduced in the 1990s, HTTP became the
foundation of data communication for the World Wide Web.
- Browsers: Also emerging in the 1990s, web browsers like Netscape and Internet
Explorer made the internet accessible to the general public.
- Search Engines: Developed alongside browsers, search engines and internet
service providers facilitated easy access to the vast information available online.

How the Internet Works:

The internet does not follow a direct connection model. Instead, it operates on a
packet-switching model, where data is broken down into smaller packets. These
packets travel through various routers and take the most efficient, cost-effective
routes to their destination.

A crucial component of this system is the Transmission Control Protocol (TCP).
Similar to a mailing service, TCP ensures that all packets reach their destination
correctly. It checks for errors and manages the retransmission of any lost packets,
ensuring reliable communication between computers.

6. Network, Application & Mobile Security

Today's lecture focused on cloud computing, including definitions, service models,
threats, and best practices for security. It also covered methodologies of attacks,
countermeasures, and specific organizational recommendations to enhance
cybersecurity.

The following overviews were provided:

Cloud Computing:
- NIST Definition: Cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of configurable
computing resources.
- ISO/IEC Definition: Similar to NIST, emphasizing on-demand network access
to shared computing resources.

Cloud Service Models:
1. On Premise: Traditional model where all resources are managed internally.
2. Infrastructure as a Service (IaaS): Provides virtualized computing resources
over the internet.
3. Platform as a Service (PaaS): Delivers hardware and software tools over the
internet.
4. Software as a Service (SaaS): Software applications are delivered over the
internet.

The Pizza Model:
This model was used to illustrate the differences between these service models:
- On Premise: You make the pizza from scratch at home.
- IaaS: You get the pizza base and toppings, but you need to assemble and
cook it.
- PaaS: You get a ready-to-cook pizza.
- SaaS: You get a ready-to-eat pizza delivered.

Shared Responsibility Model:
In cloud computing, security responsibilities are shared between the cloud service
provider and the user, depending on the service model used.
Then we spoke about cloud threats and best practices to manage them:
The Cloud Security Alliance identified the "Egregious 11," highlighting the top
threats, including Data Breaches: ‘Data is like cash’ and is a primary target of
cyberattacks. Many data breaches occur because data is not encrypted or
secured.
Best Practices:
- Data Handling: Training is fundamental to enhance data management. The
Cyber Readiness Institute provides guidelines and tools like CCMC, CSA STAR,
CAIQ, and STARWATCH to ensure proper data handling practices.

The lecture reiterated the motivations of various threat actors:
- Nation States: e.g. Russia and North Korea (Lazarus Heist podcast, BBC).
- Cybercriminals: Mainly focused on revenue generation.
- Hacktivists: Driven by ideology and a desire to disrupt.
- Terrorists: Political aims.
- Thrill Seekers: Engaged in extreme activities for excitement.
- Insiders: Motivated by discontent or financial gain.

Commonly used attack methodologies:

Reconnaissance: Gathering information about a target.
- Techniques: Whois search, social engineering, IP scanning, port scanning.
- Countermeasures: Restrict and remove content, change web server
configurations, use firewalls, implement strong authentication, and encrypt
transmissions.

Penetration Techniques and Countermeasures:
- Techniques: DoS, DDoS, SYN flood.
- Countermeasures: Keep patches up-to-date, regularly monitor systems, and
use Intrusion Prevention Systems (IPS).

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Types: Signature-based and anomaly-based.
- Layered Defense: Defense in depth, starting with physical security and
extending to data security.

How to prepare: the 80/20 Rule: 80% of effects come from 20% of causes.
Focusing on key areas can mitigate most threats.

An overview of OWASP (Open Web Application Security Project) was provided:
OWASP is a nonprofit organization dedicated to improving software security. Its
OWASP Top 10 list identifies the most critical web application security risks, with
the most recent list from 2017, e.g. Injection Attacks, such as those detailed in the
"CrimeDotCom" course book.
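The injection risk named above, as an added example that is not from the learning log or the OWASP material: a query built by string concatenation beside the parameterised version, plus an input allow-list as a second layer. The table and accounts are constructed in memory with Python's standard sqlite3 module.

```python
import re
import sqlite3

# Allow-list for usernames; the pattern is an assumption for the example.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': the input is pasted into the SQL text, so a quote in the
    input changes the query's logic instead of being compared as a value."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value travels separately from the SQL text,
    so whatever it contains is only ever compared as data."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Defence in depth: reject input outside the allow-list before querying,
    which also gives a clean signal to log and alert on."""
    if not USERNAME_RE.match(username):
        return []
    return find_user_safe(conn, username)
```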

Strategies to mitigate vulnerabilities in applications were also covered, including
the use of vulnerability scanners for regular assessments.

Mobile Systems and Remote Access

Mobile Systems
- Record the device IMEI.
- Avoid jailbreaking devices.

Remote Access
- Use VPNs and follow best practices for secure remote access.

The lecture provided a detailed examination of cloud computing, including
definitions, models, and security responsibilities. It highlighted major threats,
especially data breaches, and emphasized best practices for securing data. The
session also reviewed attack methodologies, countermeasures, and the
importance of layered defence and vulnerability management. Finally, it introduced
OWASP and best practices for mobile and remote access security. I will surely use
some of the best practices indicated in this lecture and first of all: restrict the
access of my social media accounts.

7. Risk Management

This week’s lesson focused on risk management within the context of
cybersecurity, covering definitions, assessment methodologies, control types, and
relevant frameworks. The lecture highlighted the importance of proper risk
management and the consequences of inadequate assessment.

Risk Definitions

Grades of Risk
1. Control: Measures taken to manage and mitigate risks.
2. Total Risk: The overall exposure to risk before any controls are applied.
3. Residual Risk: The remaining risk after controls have been implemented.
4. Secondary Risk: New risks that emerge because of implementing controls.
Risk is defined as the product of threat and vulnerability. This highlights the
importance of both identifying potential threats and understanding vulnerabilities
within the system.

Risk Management components:
- Monitoring: Ongoing observation of risk factors.
- Identification: Recognizing potential risks.
- Assessment: Evaluating the likelihood and impact of risks.
- Mitigation: Implementing measures to reduce risk.

Risk Assessment

Participants
All relevant stakeholders should be involved in the risk assessment process,
ensuring comprehensive coverage and insight.

Frequency
Risk assessments should be conducted at least annually to remain effective and
up to date.

Consequences of Poor Risk Assessment
Inadequate risk assessment can lead to unrecognized threats, insufficient
mitigation, and potentially severe security breaches.

Asset Identification

Knowing and evaluating assets is crucial for effective risk management. This
involves:
- Primary Assets: Core information and critical resources.
- Supporting Assets: Infrastructure and tools supporting primary assets.

Importance
If assets are not identified, it is impossible to determine if they have associated
risks or vulnerabilities.

Qualitative Risk Assessment

Risk assessment considers both the likelihood of a risk event and its potential
impact. This qualitative approach helps prioritize risks based on their severity.

Risk Treatment

Responses to identified risks can include:
1. Avoidance: Eliminating the risk by removing its cause.
2. Mitigation: Reducing the likelihood or impact of the risk.
3. Transfer: Shifting the risk to a third party (e.g., insurance).
4. Acceptance: Acknowledging the risk without taking action, typically for
minor risks.

Control Types

Control Selection Criteria
Selecting controls depends on the specific context and needs of the organization.

Types of Controls
1. Administrative: Policies, procedures, and organizational structures.
2. Physical: Security measures such as locks, guards, and surveillance.
3. Technical: Technological solutions like firewalls, encryption, and antivirus
software.

Monitoring and Assessments: risk management is an ongoing process that
requires continuous monitoring and regular assessments, supervised by
management to ensure effectiveness and alignment with organizational goals.

Risk Frameworks:

Several frameworks guide risk management practices:
- ISACA Risk: A framework focusing on IT governance and risk management.
- ISO 31000: Provides guidelines on risk management principles and
processes.
- COSO: Emphasizes enterprise risk management.
- NIST 800: A set of standards for managing cybersecurity risk.

Residual Risks
Organizations must consider residual risks that remain after implementing controls.

Understanding the sources and nature of threats is crucial. Threats can be
categorized by various factors:
- STRIDE: A model categorizing threats as Spoofing, Tampering,
Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
- Active vs. Passive: Active threats involve direct actions against the system,
while passive threats involve eavesdropping or monitoring.
- Human vs. Automated: Human threats involve individuals, whereas
automated threats involve software or scripts.
- Internal vs. External: Internal threats originate within the organization, while
external threats come from outside.
- Single vs. Advanced and Persistent Attacks (APT): Single attacks are
isolated incidents, while APTs are continuous, sophisticated attacks aimed at
achieving long-term goals.

Rating Threat Impact:

The DREAD model helps rate the impact of threats based on:
- Damage Potential: The extent of harm a threat can cause.
- Reproducibility: How easily the threat can be replicated.
- Exploitability: The effort required to exploit the threat.
- Affected Users: The number of users impacted by the threat.
- Discoverability: How easily the threat can be discovered.
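The DREAD rating above and the qualitative likelihood × impact assessment from earlier in this section, worked through as an added example (not from the learning log): each DREAD factor is scored 0 to 10 and averaged, and a 3×3 likelihood/impact matrix yields a qualitative band. The banding thresholds and the two sample threats are my own assumptions for illustration.

```python
from dataclasses import dataclass

# Qualitative scale used by the likelihood x impact matrix (assumption).
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class DreadRating:
    """One threat with its five DREAD factors, each scored 0-10."""
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def factors(self) -> list:
        return [self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability]


def dread_score(rating: DreadRating) -> float:
    """Average of the five factors; out-of-range input is rejected so a typo
    cannot silently inflate or deflate a rating."""
    for value in rating.factors():
        if not 0 <= value <= 10:
            raise ValueError(f"{rating.name}: factor {value} outside 0-10")
    return sum(rating.factors()) / 5


def dread_band(score: float) -> str:
    """Bands for a 0-10 average: >= 7 high, >= 4 medium, else low (assumption)."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Likelihood x impact on the 3x3 matrix: 1-2 low, 3-4 medium, 6-9 high."""
    product = LEVEL[likelihood] * LEVEL[impact]
    if product >= 6:
        return "high"
    if product >= 3:
        return "medium"
    return "low"


def prioritise(ratings: list) -> list:
    """(name, score, band) for each threat, highest DREAD score first, so
    treatment effort goes to the top of the list."""
    scored = []
    for rating in ratings:
        score = dread_score(rating)
        scored.append((rating.name, score, dread_band(score)))
    return sorted(scored, key=lambda item: item[1], reverse=True)
```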

Today's lecture provided a detailed overview of risk management in cybersecurity.
It emphasized the importance of understanding different types of risks, the
methodologies for assessing and mitigating them, and the frameworks that guide
these processes. By applying these principles, organizations can better protect
their assets and reduce their vulnerability to cyber threats.

8. Introduction to Penetration Testing

Main subjects covered in today’s lecture: penetration testing (pen testing) is a
crucial aspect of cybersecurity that involves ethical hacking to identify and mitigate
vulnerabilities in a system. Ethical hacking involves performing hacking activities
with the permission of the data owner to test the security of their systems. The
primary goal is to identify vulnerabilities and suggest mitigation and prevention
strategies.
Ethical vs. Non-Ethical Hacking
While ethical and non-ethical hackers may use the same tools, their objectives
differ significantly. Ethical hackers aim to improve security by finding and fixing
vulnerabilities, whereas non-ethical hackers exploit these vulnerabilities for
malicious purposes.

Threat Actors: as introduced in the previous lecture, threat actors vary in size
and scope, ranging from individual hackers to large organized groups and states.

Testing Methodologies:

Penetration testing can be applied to various components of an organization's IT
infrastructure, including:

1. Web Applications: Testing for vulnerabilities such as SQL injection, cross-site
scripting (XSS), and other web-based threats.
2. Network Infrastructure: Assessing the security of network devices, protocols,
and configurations.
3. Wireless Networks: Evaluating the security of wireless access points and
communication.
4. Physical Facilities: Ensuring the physical security of the premises and
devices.

Standards for Penetration Testing:
Penetration testing follows certain standards and guidelines, often outlined in the
Rules of Engagement (ROE). These rules define the scope, limitations, and
objectives of the testing activities.

Contracts and Legal Agreements:
Penetration testing engagements require clear legal agreements to ensure all
parties understand their responsibilities and limitations. Common documents
include:

- Statement of Work (SOW): Outlines the specific tasks and objectives of the
engagement.
- Master Service Agreement (MSA): Defines the overall terms and conditions of
the relationship between the client and the testing firm.
- Non-Disclosure Agreement (NDA): Ensures confidentiality of sensitive
information accessed during the testing.

Reconnaissance:

Reconnaissance involves gathering information about the target system, which can
be done through:

- Active Reconnaissance: Directly interacting with the target system to gather
data.
- Passive Reconnaissance: Collecting information without direct interaction.
Tools we were briefly introduced to:
- Wireshark: A network protocol analyzer.
- TCPDUMP: A packet analyzer.
- Kali Linux: A Linux distribution designed for digital forensics and penetration
testing.

Vulnerability Scanning

Vulnerability scanning involves identifying weaknesses in the system. This can be
done through:

- Authenticated Scanning: Scanning with access credentials, providing deeper
insights.
- Unauthenticated Scanning: Scanning without access credentials, simulating an
external attack.

Handling False Positives and CVE Criteria:
False positives are incorrect indications of vulnerabilities. It is important to verify
findings to ensure accuracy. The Common Vulnerabilities and Exposures (CVE)
system provides criteria for identifying and cataloging vulnerabilities.

Tools and Demonstrations:
Several tools were demonstrated during the lecture, including:
- Kali Linux: A comprehensive platform for penetration testing.
- Parrot Security OS: A distribution for security experts.
- BlackArch: An Arch Linux-based distribution for security researchers.
- Maltego: A tool for open-source intelligence and forensics.
- Nslookup: A command-line tool for querying the Domain Name System (DNS).
- WHOIS: A protocol for querying databases to obtain domain registration
details.
- FOCA: A tool for analyzing metadata and hidden information in documents.

Post-Engagement Activities:
After completing a penetration test, it is crucial to conduct post-engagement
activities, which include:

- Reporting: Documenting findings, vulnerabilities, and recommended
mitigations.
- Debriefing: Discussing the results with stakeholders.
- Remediation Support: Assisting in the implementation of security
improvements.

Penetration testing is an essential practice in the field of cybersecurity. By
understanding the ethical implications, methodologies, and tools involved,
organizations can better protect their systems from potential threats. The lecture
provided valuable insights and practical demonstrations, emphasizing the
importance of thorough and responsible security testing.

9. Digital Forensics

Today's lecture provided a comprehensive overview of digital forensics,
emphasizing its significance in retrieving, storing, and analysing data for criminal
investigations. The lecture included the history of digital forensics, investigation
types, methodologies, tools, and a hands-on team challenge.

What is Digital Forensics?
Digital forensics is the process of uncovering and interpreting electronic data. The
primary goal is to preserve any evidence in its most original form while performing
a structured investigation by collecting, identifying, and validating the digital
information for the purpose of reconstructing past events.

History of Digital Forensics
The field of digital forensics has evolved significantly over the years, adapting to
the increasing complexity and volume of digital data. Initially developed to address
computer-related crimes, digital forensics now encompasses a wide range of
devices and data sources.

Types of Investigations
Digital forensics investigations can be classified into two main categories:

1. Public Investigations: Typically involve law enforcement agencies and
include cases such as drug trafficking, sexual exploitation, and theft.
2. Private Investigations: Conducted by private organizations to address
internal issues like sabotage and espionage.

Investigation Process
The digital forensics process consists of several key phases:

1. Seizure: Securely taking control of the device or data source.
2. Acquisition: Creating a forensic copy of the data.
3. Analysis: Examining the data for relevant information.
4. Reporting: Documenting the findings in a clear and concise manner.

E-Discovery Framework:
E-discovery refers to the process of identifying, collecting, and producing
electronically stored information (ESI) in response to a request for production in a
lawsuit or investigation. The framework includes:

1. Seizure: Initial securing of evidence.
2. Chain of Custody: Ensuring all evidence is accounted for and protected
from tampering.
3. Acquisition: Gathering data in a forensically sound manner.
4. Reporting: Presenting findings in a report.
We were then introduced to several specialized tools and software that are used in
digital forensics:

- Forensic Duplicators: Used during the acquisition phase to create exact copies
of data.
- Password Cracker: Tools to recover passwords.
- Cryptography Tools: For decrypting encrypted data.
- Hashing Utilities: Used to verify data integrity.
- Digital Forensics Suites: Comprehensive tools like EnCase, FTK, and Sleuth
Kit that provide a range of forensic capabilities.

Understanding operating system processes is crucial for analyzing system
behavior and identifying suspicious activities. The lecture included a brief session
on conducting basic browser forensics, specifically focusing on Chrome’s device
logs. Mobile device forensics requires specialized tools and knowledge, as much of
the data is not stored in the cloud. Tools like Oxygen Forensic Detective are used
to retrieve data from mobile devices. A typical digital forensics kit includes a laptop,
camera, cables etc.

Challenges in Digital Forensics: the field faces several challenges, including:

- Increasing number of devices
- Data stored in the cloud
- Encryption techniques
- Steganography: Hiding a file within another file
- Time Stomping: Modifying file timestamps
- File Extension Changes: Renaming file extensions to hide their true nature
- Bit Shifting: Altering data at the bit level

Demonstrations and Hands-On Activities

The lecture included demonstrations on:

- Steganography: Techniques for hiding files within files.
- Imaging and Hashing: Creating and verifying forensic images.
- Oxygen Forensics: Tool for mobile device forensics.
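The "imaging and hashing" demonstration and the "file extension changes" challenge from the list above, as an added example that is not part of the learning log or of any forensic suite: a copy is accepted only when its SHA-256 matches the source, later re-verified against the recorded hash, and a file's real type is read from its leading magic bytes rather than its name. The disk contents and the signature table are constructed for the example.

```python
import hashlib

# Leading magic bytes that identify common file types regardless of the
# extension (a small constructed table; real tools carry hundreds of entries).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}
ALIASES = {"jpeg": "jpg"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> tuple:
    """Forensic copy plus the acquisition hash. The copy is accepted only when
    its hash equals the source's; that hash is what the chain-of-custody record
    carries forward."""
    image = bytes(source)
    source_hash = sha256_hex(source)
    if sha256_hex(image) != source_hash:
        raise RuntimeError("acquisition hash mismatch: image is not a true copy")
    return image, source_hash


def verify_image(image: bytes, recorded_hash: str) -> bool:
    """Re-run before analysis and again before reporting: a single changed
    bit anywhere in the image breaks the match."""
    return sha256_hex(image) == recorded_hash


def sniff_type(data: bytes):
    """File type by magic bytes, or None when no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content signature contradicts the extension, which is
    what a renamed file looks like to an examiner."""
    kind = sniff_type(data)
    if kind is None:
        return False  # unknown content type: nothing to compare against
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ALIASES.get(ext, ext) != kind
```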

Finally, we were divided into three groups for a team challenge to find evidence of
wrongdoing. This exercise aimed to apply the concepts and techniques discussed
in the lecture.

For those interested in deepening their knowledge, recommended resources
include:

- "Guide to Computer Forensics and Investigations"
- Cyber IE and other specialized training programs

Today's lecture provided valuable insights into digital forensics, covering
fundamental concepts, tools, methodologies, and practical applications. The
hands-on final activity was quite challenging as well.

10. Open-Source Intelligence (OSINT) & Social Engineering

This week's lecture covered two crucial topics in cybersecurity: social engineering
and open-source intelligence (OSINT). The session provided insights into the
techniques used in social engineering to manipulate targets into revealing sensitive
information and explored the methods and ethics of gathering intelligence from
publicly available sources.

Social engineering is the art of manipulating individuals to divulge confidential
information. The primary aim is to exploit human psychology to gain unauthorized
access to systems or data.

Techniques of Social Engineering

- Pretexting: Creating a fabricated scenario to obtain information.
- Baiting: Leaving malicious devices (e.g., USB drives labeled "private pics") in
public places to tempt individuals into using them.
- Rules of Influence: Using psychological tactics to influence people, exemplified
by the Hannibal Lecter and banking details example.
- Shoulder Surfing: Observing someone’s screen or keyboard to gather
information.
- Dumpster Diving: Searching through trash to find sensitive information.
- Tailgating/Piggybacking: Following someone into a secure area without proper
authorization.
- Phishing: Sending fraudulent messages to trick individuals into revealing
information.

Identifying Phishing Attempts:

- Red Flags in Emails: Unusual requests that go against norms, strange sender
addresses, and hyperlinks that appear legitimate but are not.
- URL Red Flags: Slight modifications in URLs to mimic legitimate addresses.
- Case Study: Irish romance cryptocurrency scam on Tinder, where a woman
lost €10,000. I have personally followed an Italian podcast on the so-called scam
cities in India and Myanmar, which among other tricks employ women to establish
remote affairs online.
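The "URL red flags" point (small modifications of a legitimate address) is the kind of check a mail filter or awareness tool can automate. The following is an added example, not part of the lecture; the trusted-domain list, the homoglyph table and the test URLs are constructed, and the edit-distance threshold of 2 is an assumption.

```python
"""Added example (not from the lecture): flag URLs whose host is a slight
modification of a trusted domain. Allowlist and sample URLs are constructed."""
from urllib.parse import urlparse
from typing import Optional

TRUSTED = ["mybank.ie", "paypal.com"]          # constructed allowlist

# Common look-alike substitutions, folded back to the letter they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(host: str) -> str:
    host = host.lower()
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(url: str) -> Optional[str]:
    """Return the trusted domain a URL imitates, or None when the host is the
    trusted domain itself (or one of its subdomains) or resembles nothing trusted."""
    host = (urlparse(url).hostname or "").lower()
    for trusted in TRUSTED:
        if host == trusted or host.endswith("." + trusted):
            return None                          # genuinely the trusted domain
    for trusted in TRUSTED:
        if edit_distance(normalize(host), trusted) <= 2:
            return trusted                       # typo or homoglyph variant
        if trusted.split(".")[0] in host:
            return trusted                       # brand name buried in another domain
    return None

if __name__ == "__main__":
    for u in ["https://www.mybank.ie/login", "https://rnybank.ie/login",
              "http://paypa1.com/verify", "https://mybank.ie.account-check.net/"]:
        print(u, "->", lookalike_of(u))
```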

Recommendations:
- Training Personnel: Regular training sessions to raise awareness about social
engineering tactics.
- Awareness Campaigns: Promoting vigilance among employees.
- Basic IT Hygiene: Implementing strong security practices like regular password
updates and multi-factor authentication.

The second part of the lecture was wholly dedicated to OSINT. What is it? OSINT
involves collecting and analyzing publicly available information to produce actionable
intelligence. It is used by various actors in both public and private sectors for due
diligence, damage limitation, and understanding social media landscapes.

According to Michael Bazzell, OSINT is the process of gathering information from
publicly accessible sources. It is used for various purposes, including criminal
investigations and corporate intelligence.

OSINT Stages and Sources:

- Stages: The process includes identifying the target, gathering data, analyzing
information, and producing a report.
- Sources: OSINT sources range from social media and public records to radio
and YouTube channels.

Dark Web, Deep Web, and Surface Web:

- Dark Web: Comprises 6% of the internet, often used for illicit activities.
- Deep Web: Makes up 90% of the internet, including non-indexed databases
and private networks.
- Surface Web: The visible part of the internet, accessible through search
engines like Google and Wikipedia.

OSINT in Action:
- Social Media: A rich source of information where deep insights can be
gathered by those skilled in OSINT techniques.
- Challenge: Students were tasked with finding the email address of the lecturer
using OSINT methods.

Further Tools and Recommendations:

- Cyber Pie Workbook
- Brave Browser
- DuckDuckGo
- Ghostery
- VPNs (Virtual Private Networks)

Additional Resources:
- ENISA Report on Identity Theft: Further reading on the implications and
prevention of identity theft.
- 'Have I Been Pwned?': A tool to check if personal data has been compromised.

Practical Demonstrations:
The lecture included demonstrations on various tools and techniques:
- Email Harvesting: Techniques to gather email addresses.
- Fake Domains: Creating domains that mimic legitimate ones to lure users.
- Fitness Tracking Apps: Example of how apps like MyFitnessPal can be used
to gather personal information.

The group then received a challenge to use OSINT techniques: retrieve the email
of the lecturer, which was quite easy to do.

Today's lecture provided a comprehensive overview of social engineering and
OSINT, highlighting the tactics used by attackers and the methods for gathering
intelligence ethically. This topic really interests me, as I follow, and in the past
briefly collaborated with, Bellingcat, a journalistic enterprise which uses open
source for intelligence, and I am generally interested in OS intelligence and
journalism: see the case of the Dutch flight downed by the Russians in Ukraine and
how Bellingcat discovered everything about what happened, including the authors,
years before the authorities could come up with a conclusion.

11. Business Continuity & Disaster Recovery

The lecture focused on the intertwined concepts of Business Continuity (BC) and
Disaster Recovery (DR), collectively referred to as BC/DR. While often discussed
together, these concepts address different aspects of maintaining business
operations in the face of disruptions. The lecture covered definitions, industry
standards, key phases, and the roles of various stakeholders in BC/DR planning.

Business Continuity (BC) refers to the strategies and activities that ensure
critical business functions continue during and after a disaster. BC plans typically
include non-IT related activities, encompassing all aspects of a business's
operation.

Disaster Recovery (DR) focuses on the restoration of IT systems and data
after a disaster. DR plans include detailed procedures for recovering technology
infrastructure and capabilities.

Industry Standards:
Several industry standards guide the development and implementation of BC and
DR plans:

- ISO 22301: Specifies requirements for a business continuity management
system (BCMS).
- ISO 27001 and 27002: Standards for information security management
systems.
- NIST 800-34: Provides a framework for IT contingency planning.
- NFPA 1600: Standard on disaster/emergency management and business
continuity programs.

According to the SANS Institute, a BCP outlines procedures to follow after a
disaster occurs, ensuring that critical business operations can continue. Example:
a fire BCP would include procedures for dealing with the immediate effects of the
fire, such as evacuating personnel, and guidance on resource allocation to resume
operations.

Why BCP?: Disasters can occur at any time, and the economy is increasingly
dependent on IT systems. Traditional DRP may not suffice, hence the need for
comprehensive BC planning.

Who Counts?: The advisory committee typically includes senior management,
PR, IT professionals, company personnel, legal advisors, and business partners.

Main Figure: The coordinator, often a project manager, is responsible for
executing the established plan.

Disaster Recovery Planning (DRP)

Definition: DRP focuses on the restoration of IT systems and data, ensuring that
critical technology functions can be resumed quickly.

Phases of BCP and DRP:

1. Initiation: Establishing the need and scope for BC/DR.
2. Analysis: Conducting a Business Impact Analysis (BIA) to identify impacts
and objectives.
3. Designing the Plan: Creating detailed plans for BC and DR.
4. Implementation: Putting the plans into action.

Benefits: Ensuring business survival, managing risks, fulfilling responsibilities,
and enhancing employee satisfaction.

Role of IT: For example, Prasad Ramakrishnan, CEO of Freshworks, described
in a video interview how he managed to migrate a 2,500+ workforce to a fully
remote setup during the pandemic.

Business Impact Analysis (BIA):

Purposes: Identify the impacts of disruptions and set objectives for recovery.

Key Metrics:
- RTO (Recovery Time Objective): The target time to restore a service.
- RPO (Recovery Point Objective): The maximum tolerable period in which
data might be lost.

Damage Classification:
- Negligible: Minimal impact.
- Minor: Some impact but manageable.
- Major: Significant impact requiring considerable effort to manage.
- Crisis: Severe impact necessitating immediate and comprehensive response.

Recovery Sites and Strategies

Types of Recovery Sites:

- Primary Site: The main operational location.
- Dual Data Center: Two data centers supporting each other.
- Hot Mirror Site: An exact replica of the primary site, ready for immediate use.
- Warm Site: A backup site that requires some setup before use.
- Cold Site: A backup site with basic infrastructure but no data or equipment.

Backup Strategies:
- Full Backup: Complete copy of all data.
- Incremental Backup: Copies only the data that has changed since the last
backup.
- Differential Backup: Copies all data that has changed since the last full backup.
- 3-2-1 Strategy: Three copies of data, on two different media, with one copy
off-site.
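The difference between incremental and differential backups shows up most clearly in what each run copies, how many backups a restore has to chain together, and how much work is lost against the RPO. This added example (not from the lecture) simulates one week of a constructed change history; the backup times, file names and the Wednesday-afternoon disaster are all made up for illustration.

```python
"""Added example (not from the lecture): what each backup strategy copies, the
restore chain after a disaster, and the data-loss window to compare with the RPO.
The change history, backup schedule and disaster time are constructed."""
from datetime import datetime, timedelta

FULL_BACKUP_AT = datetime(2024, 6, 2, 2, 0)                                  # Sunday 02:00
BACKUP_TIMES = [FULL_BACKUP_AT + timedelta(days=d) for d in range(1, 4)]    # Mon-Wed 02:00
DISASTER_AT = datetime(2024, 6, 5, 14, 0)                                    # Wednesday 14:00

# Constructed edits after the full backup: (timestamp, file).
CHANGES = [
    (datetime(2024, 6, 2, 9, 0), "ledger.xlsx"),
    (datetime(2024, 6, 2, 15, 0), "contracts/acme.pdf"),
    (datetime(2024, 6, 3, 11, 0), "ledger.xlsx"),
    (datetime(2024, 6, 4, 10, 0), "payroll.csv"),
]

def changed_between(start, end):
    """Files edited in the window (start, end], each listed once."""
    return sorted({f for t, f in CHANGES if start < t <= end})

def incremental_sets():
    """Each incremental copies only what changed since the previous backup of any kind."""
    points = [FULL_BACKUP_AT] + BACKUP_TIMES
    return [changed_between(points[i], points[i + 1]) for i in range(len(BACKUP_TIMES))]

def differential_sets():
    """Each differential copies everything changed since the last full backup."""
    return [changed_between(FULL_BACKUP_AT, t) for t in BACKUP_TIMES]

def restore_chain(strategy, disaster_at):
    """Backups that must be applied, in order, to recover after the disaster."""
    done = [i for i, t in enumerate(BACKUP_TIMES) if t <= disaster_at]
    if strategy == "incremental":
        return ["full"] + [f"inc{i + 1}" for i in done]        # full plus every incremental
    return ["full"] + ([f"diff{done[-1] + 1}"] if done else [])  # full plus latest differential

def data_loss_window(disaster_at):
    """Hours of work lost: time since the last completed backup (must not exceed the RPO)."""
    last = max([FULL_BACKUP_AT] + [t for t in BACKUP_TIMES if t <= disaster_at])
    return (disaster_at - last).total_seconds() / 3600

if __name__ == "__main__":
    print("incremental runs:", incremental_sets())
    print("differential runs:", differential_sets())
    for s in ("incremental", "differential"):
        print(s, "restore chain:", restore_chain(s, DISASTER_AT))
    print("hours of data at risk:", data_loss_window(DISASTER_AT))
```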

DRP Training and Testing

Training: Different units require specific training:

- Management: Crisis leadership.
- Technical Team: Logistics and technical requirements.

Testing:
- Read-Through: Review the plan.
- Walkthrough: Step-by-step review of procedures.
- Simulation: Simulated disaster scenarios.
- Parallel: Simultaneously running the plan and normal operations.
- Full Interrupt: Completely stopping normal operations to test the plan.

Best Practice: review the DRP every three months to ensure it remains current.

Event Management

Definition: An event is the starting moment of a crisis; it is essential to know when
an event generates a crisis and to act accordingly, both in terms of implementation
and communication:
- Human Safety: Priority in any crisis.
- Asset Protection: Ensuring the safety of physical and digital assets.

Categorization:
- Non-Incident: No significant impact.
- Incident: Some impact, requiring response.
- Severe Incident: Major impact, necessitating immediate action.

Communication: Essential with both internal and external stakeholders (e.g. family
of employees, customers).

Restoration: The final phase of DRP; it involves legal considerations and starts
only once facilities are confirmed safe.

In short, today's lecture emphasized the importance of comprehensive planning
and regular reviews to ensure business resilience in the face of disasters.

12. Compliance, Certifications & Resources

The lecture began with an introduction to the technical aspects of the final
assignment, including details about the submission phases. The main topic of the
lecture focused on standards in information security, highlighting the significance of
ISO 27001.
Key Standards in Information Security:
- ISO 27001: This standard is essential for anyone looking to pursue a career as
an auditor or consultant in information security. Mastery of ISO 27001 is crucial as
it sets the minimum standards for information security management systems
(ISMS), especially for small and medium-sized enterprises (SMEs).
- PCI DSS: The Payment Card Industry Data Security Standard is relevant for card
payment and banking industries, ensuring secure handling of cardholder
information.

We then spoke about the main legislation within the EU:
- DORA (Digital Operational Resilience Act): Aims to strengthen the IT security of
financial institutions.
- GDPR (General Data Protection Regulation): Focuses on data protection and
privacy in the European Union.
- NIS (Network and Information Systems Directive) and NIS2: These directives
enhance the cybersecurity of critical infrastructure within the EU.

Conferences and Continued Education:
The lecture included suggestions for attending various conferences in Ireland, the
EU, and the UK to stay updated with industry trends and network with
professionals.

Career Development:
We explored recruitment sites and discussed potential career paths in information
security. Building a successful CV and considering further education opportunities
were emphasized. Examples of institutions offering relevant programs include IBM,
Cyber Skills, and the Fortify Institute.

Finalizing the Learner Log and Report Writing:
The lecture concluded with guidance on finalizing the learner log and the
appropriate style for the final report. Emphasis was placed on originality, with a
strict policy against copy-pasting content. This guidance was very useful and will
surely help the smooth finalization of my work.
