module 1 Cyber Security Concepts
0 likes•1,491 views
This document outlines essential concepts in cyber security, including key terminologies such as risks, threats, and the CIA triad (confidentiality, integrity, and availability). It discusses the importance of cyber security for individuals and organizations, emphasizing the need for response plans to mitigate cyber threats and attacks. The document also highlights various attack types, information gathering techniques, and tools like Nmap and Zenmap used in the security auditing process.
![Cyber Security [105713] – Notes
Module 1
Cyber Security Concepts: Essential Terminologies: CIA, Risks, Breaches, Threats, Attacks, Exploits. Information
Gathering (Social Engineering, Foot Printing & Scanning). Open Source/ Free/ Trial Tools: nmap, zenmap, Port
Scanners, Network scanners.
Introduction:
Cyber security is the most concerned matter as cyber threats and attacks are overgrowing. Attackers are now using
more sophisticated techniques to target the systems. Individuals, small-scale businesses or large organization, are all
being impacted. So, all these firms whether IT or non-IT firms have understood the importance of Cyber Security and
focusing on adopting all possible measures to deal with cyber threats.
What is cyber security?
"Cyber security is primarily about people, processes, and technologies working together to encompass the full range
of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and
recovery policies and activities, including computer network operations, information assurance, law enforcement,
etc."
OR
Cyber security is the body of technologies, processes, and practices designed to protect networks, computers,
programs and data from attack, damage or unauthorized access.
The term cyber security refers to techniques and practices designed to protect digital data.
The data that is stored, transmitted or used on an information system.
OR
Cyber security is the protection of Internet-connected systems, including hardware, software, and data from cyber-
attacks.
It is made up of two words one is cyber and other is security.
Cyber is related to the technology which contains systems, network and programs or data.
Whereas security related to the protection which includes systems security, network security and application
and information security.
Why is cyber security important?
Listed below are the reasons why cyber security is so important in what’s become a predominant digital world:
Cyber-attacks can be extremely expensive for businesses to endure.
In addition to financial damage suffered by the business, a data breach can also inflict untold reputational
damage.
Cyber-attacks these days are becoming progressively destructive. Cybercriminals are using more
sophisticated ways to initiate cyber-attacks.
Regulations such as GDPR are forcing organizations into taking better care of the personal data they hold.
Because of the above reasons, cyber security has become an important part of the business and the focus now is on
developing appropriate response plans that minimize the damage in the event of a cyber attack.
But, an organization or an individual can develop a proper response plan only when he has a good grip on cyber
security fundamentals.](https://image.slidesharecdn.com/module1-230413145516-823a6bf4/85/module-1-Cyber-Security-Concepts-1-320.jpg)
module 1 Cyber Security Concepts
- 1. Cyber Security [105713] – Notes Module 1 Cyber Security Concepts: Essential Terminologies: CIA, Risks, Breaches, Threats, Attacks, Exploits. Information Gathering (Social Engineering, Foot Printing & Scanning). Open Source/ Free/ Trial Tools: nmap, zenmap, Port Scanners, Network scanners. Introduction: Cyber security is the most concerned matter as cyber threats and attacks are overgrowing. Attackers are now using more sophisticated techniques to target the systems. Individuals, small-scale businesses or large organization, are all being impacted. So, all these firms whether IT or non-IT firms have understood the importance of Cyber Security and focusing on adopting all possible measures to deal with cyber threats. What is cyber security? "Cyber security is primarily about people, processes, and technologies working together to encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, etc." OR Cyber security is the body of technologies, processes, and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. The term cyber security refers to techniques and practices designed to protect digital data. The data that is stored, transmitted or used on an information system. OR Cyber security is the protection of Internet-connected systems, including hardware, software, and data from cyber- attacks. It is made up of two words one is cyber and other is security. Cyber is related to the technology which contains systems, network and programs or data. Whereas security related to the protection which includes systems security, network security and application and information security. Why is cyber security important? Listed below are the reasons why cyber security is so important in what’s become a predominant digital world: Cyber-attacks can be extremely expensive for businesses to endure. In addition to financial damage suffered by the business, a data breach can also inflict untold reputational damage. Cyber-attacks these days are becoming progressively destructive. Cybercriminals are using more sophisticated ways to initiate cyber-attacks. Regulations such as GDPR are forcing organizations into taking better care of the personal data they hold. Because of the above reasons, cyber security has become an important part of the business and the focus now is on developing appropriate response plans that minimize the damage in the event of a cyber attack. But, an organization or an individual can develop a proper response plan only when he has a good grip on cyber security fundamentals.
- 2. CIA Triad The CIA Triad is a fundamental security model that acts as a foundation in the development of security policies designed to protect data. It is comprised of three tenets: Confidentiality, Integrity, and Availability. Confidentiality: Confidentiality is about preventing the disclosure of data to unauthorized parties. It also means trying to keep the identity of authorized parties involved in sharing and holding data private and anonymous. Often confidentiality is compromised by cracking poorly encrypted data, Man-in-the-middle (MITM) attacks, disclosing sensitive data. Standard measures to establish confidentiality include: Data encryption Two-factor authentication Biometric verification Security tokens Integrity: Integrity refers to protecting information from being modified by unauthorized parties. Standard measures to guarantee integrity include: Cryptographic checksums Using file permissions Uninterrupted power supplies Data backups Availability Availability is making sure that authorized parties are able to access the information when needed. Standard measures to guarantee availability include: Backing up data to external drives Implementing firewalls Having backup power supplies Data redundancy Risk: Cybersecurity risk is the probability of exposure, loss of critical assets and sensitive information, or reputational harm as a result of a cyber-attack or breach within an organization’s network. Across industries, cybersecurity must remain top of mind and organizations should work to implement a cybersecurity risk management strategy to protect against constantly advancing and evolving cyber threats. Risk is the potential for loss, damage or destruction of assets or data caused by a cyber threat.
- 3. Breaches: A security breach is any incident that results in unauthorized access to computer data, applications, networks or devices. It results in information being accessed without authorization. Threats: Threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include computer viruses, data breaches, Denial of Service (DoS) attacks, and other attack vectors. Where Do Cyber Threats Come From? Hostile Nation-States: - National cyber warfare programs provide emerging cyber threats ranging from propaganda, website defacement, espionage, disruption of key infrastructure to loss of life. Terrorist Groups: - Terrorist groups are increasingly using cyber-attacks to damage national interests. They are less developed in cyber-attacks and have a lower propensity to pursue cyber means than nation-states. Hacktivists: - Hacktivist’s activities range across political ideals and issues. Most hacktivist groups are concerned with spreading propaganda rather than damaging infrastructure or disrupting services. Hackers: - Malicious intruders could take advantage of a zero-day exploit to gain unauthorized access to data. Hackers may break into information systems for a challenge or bragging rights. In the past, this required a high level of skill. Attacks: A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter computer code, logic or data and lead to cybercrimes, such as information and identity theft. A cyberattack is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization. Usually, the attacker seeks some type of benefit from disrupting the victim’s network. A cyber attack is when an individual or an organization deliberately and maliciously attempts to breach the information system of another individual or organization. While there is usually an economic goal, some recent attacks show destruction of data as a goal. Web-based attacks: These are the attacks which occur on a website or web applications. Some of the important web-based attacks are as follows- Injection attacks: It is the attack in which some data will be injected into a web application to manipulate the application and fetch the required information. Example- SQL Injection, code Injection, log Injection, XML Injection etc. DNS Spoofing: DNS Spoofing is a type of computer security hacking. Whereby a data is introduced into a DNS resolver's cache causing the name server to return an incorrect IP address, diverting traffic to the attacker’s computer or any other computer. The DNS spoofing attacks can go on for a long period of time without being detected and can cause serious security issues. Session Hijacking: It is a security attack on a user session over a protected network. Web applications create cookies to store the state and user sessions. By stealing the cookies, an attacker can have access to all of the user data. Phishing: Phishing is a type of attack which attempts to steal sensitive information like user login credentials and credit card number. It occurs when an attacker is masquerading as a trustworthy entity in electronic communication. Brute force: It is a type of attack which uses a trial and error method. This attack generates a large number of guesses and validates them to obtain actual data like user password and personal identification number. This attack may be used by criminals to crack encrypted data, or by security, analysts to test an organization's network security. Denial of Service: It is an attack which meant to make a server or network resource unavailable to the users. It accomplishes this by flooding the target with traffic or sending it information that triggers a crash. It uses the single system and single internet connection to attack a server. It can be classified into the following-
- 4. o Volume-based attacks- Its goal is to saturate the bandwidth of the attacked site, and is measured in bit per second. o Protocol attacks- It consumes actual server resources, and is measured in a packet. o Application layer attacks- Its goal is to crash the web server and is measured in request per second. Dictionary attacks: This type of attack stored the list of a commonly used password and validated them to get original password. URL Interpretation: It is a type of attack where we can change the certain parts of a URL, and one can make a web server to deliver web pages for which he is not authorized to browse. File Inclusion attacks: It is a type of attack that allows an attacker to access unauthorized or essential files which is available on the web server or to execute malicious files on the web server by making use of the include functionality. Man in the middle attacks: It is a type of attack that allows an attacker to intercepts the connection between client and server and acts as a bridge between them. Due to this, an attacker will be able to read, insert and modify the data in the intercepted connection. Cross-site Scripting: A cross-site scripting attack sends malicious scripts into content from reliable websites. The malicious code joins the dynamic content that is sent to the victim’s browser. Usually, this malicious code consists of Javascript code executed by the victim’s browser, but can include Flash, HTML, and XSS. System-based attacks: These are the attacks which are intended to compromise a computer or a computer network. Some of the important system-based attacks are as follows- Virus: It is a type of malicious software program that spread throughout the computer files without the knowledge of a user. It is a self-replicating malicious computer program that replicates by inserting copies of itself into other computer programs when executed. It can also execute instructions that cause harm to the system. Worm: It is a type of malware whose primary function is to replicate itself to spread to uninfected computers. It works same as the computer virus. Worms often originate from email attachments that appear to be from trusted senders. Trojan horse: It is a malicious program that occurs unexpected changes to computer setting and unusual activity, even when the computer should be idle. It misleads the user of its true intent. It appears to be a normal application but when opened/executed some malicious code will run in the background. Backdoors: It is a method that bypasses the normal authentication process. A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes. Bots/Botnet: A bot (short for "robot") is an automated process that interacts with other network services. Some bots program run automatically, while others only execute commands when they receive specific input. Common examples of bots program are the crawler, chatroom bots, and malicious bots. Rootkits: Rootkits are installed inside legitimate software, where they can gain remote control and administration-level access over a system. The attacker then uses the rootkit to steal passwords, keys, credentials, and retrieve critical data. Exploits: An exploit is a code that takes advantage of a software vulnerability or security flaw. It is written either by security researchers as a proof-of-concept threat or by malicious actors for use in their operations. When used, exploits allow an intruder to remotely access a network and gain elevated privileges, or move deeper into the network. An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. An exploit is not malware itself, but rather it is a method used by cybercriminals to deliver malware. How do I defend against exploits? Many software vendors patch known bugs to remove the vulnerability. Security software also helps by detecting, reporting, and blocking suspicious operations. It prevents exploits from occurring and damaging computer systems, regardless of what malware the exploit was trying to initiate.
- 5. The typical security software implemented by businesses to ward off exploits is referred to as threat defense as well as endpoint, detection, and response (EDR) software. Other best practices are to initiate a penetration testing program, which is used to validate the effectiveness of the defense. Zero-day Exploit A Zero-day Exploit refers to exploiting a network vulnerability when it is new and recently announced — before a patch is released and/or implemented. Zero-day attackers jump at the disclosed vulnerability in the small window of time where no solution/preventative measures exist. Thus, preventing zero-day attacks requires constant monitoring, proactive detection, and agile threat management practices. Information Gathering Information Gathering means gathering different kinds of information about the target. It is basically, the first step or the beginning stage of Ethical Hacking, where the penetration testers or hackers (both black hat or white hat) tries to gather all the information about the target, in order to use it for Hacking. To obtain more relevant results, we have to gather more information about the target to increase the probability of a successful attack. Information gathering can be classified into the following categories: Footprinting Scanning Enumeration Reconnaissance Social Engineering Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. In cybercrime, these “human hacking” scams tend to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems. Attacks can happen online, in-person, and via other interactions. Foot Printing In this technique, the information of a target network or system or victim is collected as much as possible. Foot printing provides various ways to intrude on the system of an organization. The security posture of the target is also determined by this technique. It can be active as well as passive. In Passive foot printing, the information of any user is collected without knowing him. If the user's sensitive information gets released intentionally and consciously or by the direct contact of the owner, active foot printing will be created. Foot printing techniques are three types. These are as follows: Open source foot printing: Open source foot printing is the safest foot printing. The limitation of footprinting is illegal. It is illegal; that's why hackers can do open source footprinting without fear. Examples of open source footprinting include DOB, phone number, search for the age, finding someone's email address, using an automation tool scans the IP etc. Most companies provide information on their official websites related to their company. Hackers will use the information provided by the company and take benefit from them. Network-based foot printing: Network-based footprinting is used to retrieve information like network service, information name within a group, user name, shared data among individuals, etc. DNS interrogation: After gathering all the required information on various areas using different techniques, the hacker uses the pre-existing tools to query the DNS. Scanning Another essential step of footprinting is scanning, which contains the package of techniques and procedures. In the network, hosts, ports and various services are identified by it. It is one of the components of information gathering mechanism and intelligence gathering, which is used by an attacker to create an overview scenario of the target. To find out the possibility of network security attacks, pen-testers use vulnerability scanning. Due to this technique,
- 6. hackers can find vulnerabilities like weak authentication, unnecessary services, missing patches, and weak encryption algorithms. So an ethical hacker and pen-tester provide the list of all vulnerabilities they found in an organization's network. There are three types of scanning: Port scanning: Hackers and penetration testers use this conventional technique to search for open doors so that the hackers can access the system of any organization. Network scanning Vulnerability scanning: Vulnerability scanning Vulnerability scanning is a proactive identification of Vulnerabilities on the target network. Using some automatic scanning tools and some manual support, vulnerabilities, and threats can be identified. Enumeration: Enumeration is the process in which information is extracted from the system like machine names, user names, network resources, shares and services. In enumeration, an active connection is established with the system by the hacker. Hackers use this connection and gain more target information by performing direct queries. Open Source/Free/Trial Tools NMAP: Nmap is an open-source network scanner that is used to recon/scan networks. It is used to discover hosts, ports, and services along with their versions over a network. It sends packets to the host and then analyzes the responses in order to produce the desired results. It could even be used for host discovery, operating system detection, or scanning for open ports. It is one of the most popular reconnaissance tools. To use nmap: Ping the host with the ping command to get the IP address ping hostname Open the terminal and enter the following command there. nmap -sV ipaddress Replace the IP address with the IP address of the host you want to scan. It will display all the captured details of the host.
- 7. ZENMAP It is another useful tool for the scanning phase of Ethical Hacking in Kali Linux. It uses the Graphical User Interface. It is a great tool for network discovery and security auditing. It does the same functions as that of the Nmap tool or in other words, it is the graphical Interface version of the Nmap tool. It uses command line Interface. It is a free utility tool for network discovery and security auditing. Tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime are considered really useful by systems and network administrators. To use Zenmap, enter the target URL in the target field to scan the target. Network scanners: SYNScan: The three-way handshaking technique of TCP is not completed by an SYN scan or stealth. An SYN packet is sent by the hacker to the target, and if the hacker receives back the SYN/ACK frame, the connection would be completed by the target, and the port is able to listen anything. If the target retrieves the RST, it will assume that the ports are not activated or closed. Some IDS system logs this as connection attempts or an attack that why SYN stealth scan is advantageous. XMASScan: This scan is used to send the packet containing PSH, FIN, and URG flags. The target will not provide any response if the port is open. But an RST/ACK packet is responded by the target if the port is closed. FINScan: XMAS scan and FIN scan is almost the same except that it does not send a packet with PSH and URG flags; it only sends packets with a FIN flag. The response and the limitations of the FIN scan are the same as the XMAS scan. IDLEScan: This scan determines the sequence number of IP header and port scan response and sends the SYN packet to the target using the spoofed/hoax IP. The port is open or not depends upon the response of the scan. Inverse TCP Flag scan: In this scan, the TCP probe packet with no flags or TCP flags send by the attacker. If the target does not provide any response, it means the port is open. If the RST packet is responded by the target, it means the port is closed. ACK Flag Probe Scan: In this scan, TCP probe packets are sent by the attacker where the ACK flag is set to a remote device, analyzing the header information. The port is open or not signified by the RST packet. This scan also checks the filtering system of the victim or target.