Unit-1: Essential Terminologies & Information Gathering
Number of lectures = 8
Topic 1: Essential Terminologies
1.A. CIA Triad (Confidentiality, Integrity, Availability)
• What is it?
o The CIA Triad is a foundational model for guiding information security policies and
practices within an organization.
o Confidentiality: Ensuring that information is not disclosed to unauthorized
individuals, entities, or processes.
o Integrity: Maintaining the accuracy, consistency, and trustworthiness of data over its
entire lifecycle. Data must not be improperly modified.
o Availability: Ensuring that information and systems are accessible and usable upon
demand by authorized users.
• Why is it important?
o It provides a framework for evaluating and implementing security measures. A lapse
in any one component can lead to significant security incidents, financial loss,
reputational damage, or legal consequences.
• How does it work (Principles/Mechanisms)?
o Confidentiality: Achieved through measures like encryption, access controls
(passwords, permissions, biometrics), data classification, and secure storage.
o Integrity: Maintained using hashing algorithms, digital signatures, version control,
audit trails, and intrusion detection systems.
o Availability: Ensured through redundancy (e.g., RAID, failover clusters), regular
backups, disaster recovery plans, denial-of-service (DoS) protection, and timely
patching/maintenance.
• Tools used:
o Not a specific tool; many security tools contribute to one leg of the triad. Encryption
tools serve confidentiality, hashing and signing tools serve integrity (a bare hash only
proves integrity if the reference value itself arrived over a trusted channel or is signed),
and monitoring/redundancy solutions serve availability. From the unit's tool list, nmap
or other scanners expose the services and weaknesses that could compromise CIA.
1.B. Risks
• What is it?
o A risk is the potential for loss, damage, or destruction of an asset as a result of a
threat exploiting a vulnerability. It is expressed as likelihood combined with impact
(Risk = Likelihood x Impact), where likelihood depends on how capable and motivated
the threat is and how exposed the vulnerability is; the common shorthand
"Risk = Threat x Vulnerability x Impact" says the same thing with likelihood split
into its two factors.
• Why is it important?
o Understanding and managing risks is crucial for protecting an organization's assets,
ensuring business continuity, and making informed decisions about security
investments.
• How does it work (Risk Management Process)?
o Identification: Identifying assets, potential threats, and existing vulnerabilities.
o Analysis: Assessing the likelihood of a threat exploiting a vulnerability and the
potential impact.
o Evaluation: Comparing the level of risk against pre-defined risk criteria.
o Treatment: Applying measures to mitigate, transfer, avoid, or accept the risk.
• Tools used:
o Risk assessment frameworks (e.g., NIST RMF, ISO 27005).
o Port and network scanners from the unit's list (nmap, zenmap, general Port Scanners,
Network scanners) enumerate exposed hosts and services; dedicated vulnerability
scanners (e.g., OpenVAS, Nessus) map those services to known weaknesses. Both feed the
identification step, but neither measures impact, which has to come from the asset owner.
1.C. Breaches
• What is it?
o A security breach is an incident where sensitive, protected, or confidential data is
copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.
• Why is it important?
o Breaches can lead to severe consequences, including financial losses (fines, recovery
costs), reputational damage, loss of customer trust, legal liabilities, and intellectual
property theft.
• How does it work (How do they happen)?
o Breaches occur when security controls fail or are bypassed. Common causes include:
▪ Exploitation of software vulnerabilities.
▪ Weak or stolen credentials.
▪ Social engineering attacks (e.g., phishing).
▪ Malware infections.
▪ Insider threats (malicious or accidental).
▪ Misconfigured systems.
• Tools used:
o Attackers might use various tools to cause a breach. Defenders use Intrusion
Detection/Prevention Systems (IDS/IPS), Security Information and Event
Management (SIEM) systems, and forensic tools to detect, respond to, and
investigate breaches. From the unit's tool list, nmap could be used by an attacker in
the reconnaissance phase leading to a breach.
1.D. Threats
• What is it?
o A threat is any circumstance or event with the potential to adversely impact
organizational operations, assets, individuals, or other organizations through an
information system via unauthorized access, destruction, disclosure, modification of
information, or denial of service.
• Why is it important?
o Identifying and understanding threats is essential for designing effective security
defenses. If you don't know what you're up against, you can't protect against it.
• How does it work (Categorization/Sources)?
o Threats can be:
▪ Intentional: Hackers, malicious insiders, cybercriminals, state-sponsored
actors.
▪ Accidental: Human error, system malfunctions.
▪ Environmental: Natural disasters (floods, earthquakes).
o They manifest as malware, phishing, denial-of-service attacks, etc.
• Tools used:
o Threat intelligence platforms and feeds; malware sandboxes and analysis tools used by
researchers to study attack patterns. Attackers use tools like nmap and other port
scanners during reconnaissance before acting on a threat.
1.E. Attacks
• What is it?
o An attack is an action taken by a threat actor to gain unauthorized access to a
system, disrupt its operations, or steal/modify data. It is the actual realization of a
threat.
• Why is it important?
o Successful attacks directly lead to security incidents, breaches, and the negative
consequences associated with them.
• How does it work (Methodology)?
o Attackers often follow a methodology:
1. Reconnaissance/Information Gathering: Learning about the target.
2. Scanning: Identifying open ports, services, vulnerabilities.
3. Gaining Access: Exploiting a vulnerability (or using stolen credentials) to get a foothold.
4. Maintaining Access: Escalating privileges, installing backdoors, creating accounts, and
other persistence mechanisms so the attacker can return.
5. Covering Tracks: Clearing or tampering with logs and hiding tools and processes.
• Tools used:
o Attackers use a wide array of tools, including those listed: nmap, zenmap, Port
Scanners, Network scanners for reconnaissance and scanning. Other tools include
exploit kits, password crackers, malware.
1.F. Exploits
• What is it?
o An exploit is a piece of code, a sequence of commands, or a technique that takes
advantage of a bug, vulnerability, or security flaw in software, hardware, or a system
to cause unintended or unanticipated behavior.
• Why is it important?
o Exploits are the mechanisms attackers use to compromise systems. Understanding
exploits helps in prioritizing patching and defensive measures.
• How does it work?
o An exploit targets a specific known or unknown (zero-day) vulnerability. When
executed, it typically allows the attacker to:
▪ Gain unauthorized access.
▪ Elevate privileges.
▪ Execute arbitrary code.
▪ Cause a denial-of-service.
• Tools used:
o Exploit frameworks (e.g., Metasploit, which is not in the unit's tool list but is the
standard example). Attackers develop custom exploits or use publicly available ones.
Scanners like nmap (service version detection and NSE scripts) identify service versions
for which exploits may exist; a version string is a lead, not proof that the host is
vulnerable, since patches and configuration may have removed the flaw.
Topic 2: Information Gathering (Social Engineering, Foot Printing & Scanning)
2.A. Information Gathering (General/Reconnaissance)
• What is it?
o The initial phase of an ethical hack or malicious attack where an attacker (or
penetration tester) collects as much data as possible about the target organization
and its systems.
• Why is it important?
o It helps attackers understand the target's infrastructure, identify potential weak
points, and plan a more effective attack. For defenders, understanding these
techniques helps in minimizing their organization's attack surface.
• How does it work?
o Passive Information Gathering: Collecting information without directly interacting
with the target's systems (e.g., searching public websites, WHOIS, DNS records,
social media).
o Active Information Gathering: Directly probing the target's systems (e.g., port
scanning, network mapping).
• Tools used:
o Search engines (Google, Bing), WHOIS lookup tools, nslookup/dig, Shodan.
o For active gathering: nmap, zenmap, various Port Scanners, and Network scanners
(as listed in the unit).
2.B. Social Engineering (Sub-topic of Information Gathering)
• What is it?
o The art of manipulating people into performing actions or divulging confidential
information. It relies on psychological manipulation rather than technical hacking
techniques.
• Why is it important?
o Humans are often the weakest link in security. Social engineering can bypass even
strong technical security controls.
• How does it work?
o Attackers use various techniques:
▪ Phishing: Sending deceptive emails to trick users into revealing credentials
or clicking malicious links.
▪ Pretexting: Creating a fabricated scenario to gain trust and information.
▪ Baiting: Offering something enticing (e.g., free software, USB drive) to lure
victims.
▪ Quid Pro Quo: Offering a service or benefit in exchange for information.
▪ Tailgating/Piggybacking: Following an authorized person into a restricted
area.
• Tools used:
o Primarily relies on communication (email, phone, in-person). Technical tools might
be used to craft phishing emails (email clients, spoofing tools) or fake websites, but
the core is human interaction.
2.C. Footprinting (Sub-topic of Information Gathering)
• What is it?
o The process of systematically identifying the network boundary, IP address ranges,
domain names, and overall network architecture of a target organization. It's about
creating a "blueprint" of the target's online presence.
• Why is it important?
o It defines the scope of further investigation (like scanning) and helps identify publicly
accessible information that could be leveraged in an attack.
• How does it work?
o Utilizing publicly available resources:
▪ Company website (contact details, employee names, technologies used).
▪ Search engines (for documents, news, employee profiles).
▪ WHOIS databases (for domain registration details, name servers).
▪ DNS interrogation (for A records, MX records, NS records).
▪ Social media, job boards (for employee information, technologies).
• Tools used:
o WHOIS lookup tools (online or command-line).
o DNS enumeration tools (nslookup, dig, dnsenum).
o Search engines (Google Hacking Database - GHDB).
o Sometimes, initial light network probes using tools like ping or traceroute.
2.D. Scanning (Sub-topic of Information Gathering)
• What is it?
o The phase following footprinting, where an attacker or tester actively probes the
target network (identified during footprinting) to discover live hosts, open ports,
running services, operating systems, and potential vulnerabilities.
• Why is it important?
o It provides detailed technical information about active systems and their services,
which is crucial for identifying specific attack vectors and vulnerabilities.
• How does it work?
o Involves sending specially crafted packets to target systems and analyzing the
responses. Common types:
▪ Port Scanning: Identifying open TCP and UDP ports and the services listening
on them.
▪ Network Scanning: Identifying all active hosts on a network segment.
▪ Vulnerability Scanning: Probing for known weaknesses in identified services
and systems.
• Tools used:
o nmap (Network Mapper): The quintessential tool for port scanning, OS detection,
service version detection, and scriptable vulnerability probing (NSE scripts).
o zenmap: The graphical user interface for nmap, making it easier to use and visualize
results.
o Port Scanners (general): Any tool designed to find open ports (e.g., netcat,
specialized commercial scanners). nmap is a prime example.
o Network scanners (general): Tools that discover hosts and map networks (e.g.,
Angry IP Scanner, Advanced IP Scanner). nmap also performs network scanning.
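A minimal TCP connect() scanner, added here as an example of what the scanning phase does at the socket level (it is not part of the unit material and is not how nmap is implemented). It shows what "open", "closed" and "filtered" mean, and grabs the banner that service version detection builds on. The target is constructed: the script starts its own listener on 127.0.0.1 with a made-up SSH-style banner and scans that port plus a few neighbours.

```python
"""Minimal TCP connect() scanner. Added example, not course material.
Standard library only; the target service is started locally so it runs
offline."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> dict:
    """Attempt a full TCP handshake. connect() succeeding means the port is
    open; ECONNREFUSED (the host answered with RST) means closed; a timeout
    usually means a firewall silently dropped the SYN ('filtered' in nmap
    terms)."""
    result = {"port": port, "state": "filtered", "banner": ""}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            result["state"] = "closed"
            return result
        except (socket.timeout, OSError):
            return result
        result["state"] = "open"
        try:
            # Many services (SSH, SMTP, FTP) announce themselves right after
            # connect; that banner is the starting point for version detection.
            result["banner"] = s.recv(128).decode("ascii", "replace").strip()
        except (socket.timeout, OSError):
            pass
    return result


def scan(host: str, ports, workers: int = 32) -> list:
    """Probe the given ports concurrently and return results sorted by port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return sorted(results, key=lambda r: r["port"])


def start_fake_service(banner: bytes = b"SSH-2.0-ExampleBanner\r\n") -> int:
    """Constructed target: a listener on an ephemeral localhost port that
    sends a banner to every client, so the scan has something to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> tuple:
    """Scan the fake service plus neighbouring ports that should be closed.
    Returns (target_port, {port: (state, banner)})."""
    target = start_fake_service()
    results = scan("127.0.0.1", range(target - 2, target + 3))
    return target, {r["port"]: (r["state"], r["banner"]) for r in results}


if __name__ == "__main__":
    _, table = demo()
    for port, (state, banner) in table.items():
        print(f"{port:5d}/tcp {state:8s} {banner}")
```

The connect() scan completes the handshake, so it is logged by the target application; nmap's default SYN scan (-sS) sends only the SYN and never completes the connection, which needs raw-socket privileges but leaves less of a trace in application logs.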
Unit-2: Cryptography, Firewalls, and Security Protocols
Number of lectures = 12
Topic 1: Introduction to Cryptography
• What is it?
o Cryptography is the science and practice of techniques for secure communication in
the presence of third parties (called adversaries). It involves creating and analyzing
protocols that prevent malicious third parties from reading private messages.
o Core goals include Confidentiality, Integrity, Authentication, and Non-repudiation.
• Why is it important?
o It is fundamental to protecting digital information in transit and at rest, ensuring
privacy, verifying data integrity, authenticating users and devices, and enabling
secure transactions in the digital world.
• How does it work (Principles)?
o It relies on mathematical algorithms and keys.
o Encryption: Converting plaintext (original message) into ciphertext (unreadable
message) using an algorithm and a key.
o Decryption: Converting ciphertext back to plaintext using an algorithm and a key.
o Keys: Secret pieces of information that determine the output of a cryptographic
algorithm.
• Tools used:
o Not a tool in itself; the primitives are implemented in software libraries (e.g., OpenSSL,
libsodium, Bouncy Castle) and used by applications. The hash functions listed later in
this unit (MD5, SHA-1, SHA-2) are one class of such primitives.
Topic 2: Symmetric key Cryptography
• What is it?
o A type of encryption where the same key is used for both encrypting plaintext and
decrypting ciphertext. The sender and receiver must share this secret key.
o Examples: AES (the current standard) and ChaCha20. DES, 3DES, RC4 and Blowfish are
legacy: DES has a 56-bit key, 3DES and Blowfish a 64-bit block, and RC4 has keystream
biases; none should be chosen for new designs.
• Why is it important?
o It's generally faster and less computationally intensive than asymmetric
cryptography, making it suitable for encrypting large amounts of data (bulk
encryption).
• How does it work?
o The sender encrypts the message using the shared secret key.
o The encrypted message (ciphertext) is sent to the receiver.
o The receiver uses the exact same shared secret key to decrypt the ciphertext back
into the original plaintext.
o The main challenge is secure distribution and management of the shared secret key.
• Tools used:
o Software implementations of symmetric algorithms like AES (e.g., in VeraCrypt for
disk encryption, or as part of protocols like TLS and PGP for bulk data encryption). No
specific symmetric-only tools are listed under Unit 2's "tools," but PGP/S/MIME and
SSL/TLS (mentioned later) utilize symmetric ciphers.
Topic 3: Asymmetric key Cryptography (Public Key Cryptography)
• What is it?
o A type of encryption that uses a pair of keys: a public key (which can be shared with
anyone) and a private key (which must be kept secret by the owner).
o Examples: RSA, ECC, Diffie-Hellman (for key exchange).
• Why is it important?
o It solves the key distribution problem of symmetric cryptography.
o It enables digital signatures, providing authentication, integrity, and non-repudiation.
o It's used for secure key exchange to establish a shared symmetric key.
• How does it work?
o For Encryption/Confidentiality: A message encrypted with a recipient's public key
can only be decrypted with the corresponding private key. In practice the public key
encrypts only a short symmetric key (hybrid encryption), because public-key
operations are slow and limited in message size.
o For Digital Signatures: The sender applies the private-key operation to a hash of the
message; anyone holding the public key can verify the result. Describing this as
"encrypting with the private key" is accurate only for textbook RSA: signing and
encryption are distinct operations with distinct padding, and a key pair should not
be used for both.
• Tools used:
o Software implementations of asymmetric algorithms (e.g., OpenSSL for generating
key pairs, PGP/GnuPG for email encryption and signing, which use asymmetric keys
for key management and signing).
Topic 4: Message Authentication
• What is it?
o The process of verifying that a received message comes from the alleged source
(authenticity) and has not been altered during transmission (integrity).
• Why is it important?
o It protects against message tampering, replay attacks, and spoofing, ensuring the
trustworthiness of the communication.
• How does it work?
o Message Authentication Codes (MACs): A short tag computed from the message and a
secret key shared between sender and receiver. The receiver recomputes the tag and
compares it (in constant time) with the one received. HMAC (Hash-based MAC) is the
common construction. Replay protection is not automatic: the tag must also cover a
sequence number, timestamp or nonce, otherwise a captured valid message can be
resent.
o Digital Signatures: (Covered next) Use asymmetric cryptography. Unlike a MAC, a
signature also gives non-repudiation, because only the holder of the private key can
produce it, whereas either party sharing a MAC key could have computed the tag.
• Tools used:
o Hashing algorithms (the MD5, SHA1, SHA256, SHA512 listed in the unit) are the building
block of HMAC (e.g., HMAC-SHA256) and of hash-then-sign digital signatures. Prefer
HMAC-SHA256 or stronger; HMAC-MD5 and HMAC-SHA1 are not broken by the known collision
attacks but should be retired.
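The MAC exchange described above, as an added example (not part of the course notes): the sender tags each message with HMAC-SHA256 over a sequence number plus the payload, and the receiver verifies the tag in constant time and rejects replays. The key, the counter scheme and the messages are constructed for illustration; a final function shows why an unkeyed hash cannot do this job.

```python
"""HMAC message authentication with replay protection. Added example, not
part of the course notes: key, counter scheme and messages are constructed."""
import hashlib
import hmac
import os


def mac(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over the sequence number and payload. Binding the sequence
    number into the tag is what lets the receiver reject replayed messages."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, payload: bytes) -> dict:
        self.seq += 1
        return {"seq": self.seq, "payload": payload,
                "tag": mac(self.key, self.seq, payload)}


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, msg: dict) -> bool:
        expected = mac(self.key, msg["seq"], msg["payload"])
        # compare_digest runs in constant time; a plain '==' stops at the first
        # mismatching byte and leaks how much of the tag was already right.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False          # forged, tampered, or wrong key
        if msg["seq"] <= self.last_seq:
            return False          # replayed (or reordered) message
        self.last_seq = msg["seq"]
        return True


def unkeyed_checksum_is_forgeable() -> bool:
    """Why a plain hash is not a MAC: an attacker who rewrites the payload can
    simply recompute the digest, and the receiver has no way to tell."""
    forged = b"PAY 999 TO mallory"
    attacker_msg = {"payload": forged, "digest": hashlib.sha256(forged).digest()}
    return hashlib.sha256(attacker_msg["payload"]).digest() == attacker_msg["digest"]


def demo() -> dict:
    key = os.urandom(32)   # shared out of band; 32 bytes matches the SHA-256 output
    sender, receiver = Sender(key), Receiver(key)

    genuine = sender.send(b"PAY 100 TO alice")
    tampered = dict(genuine, payload=b"PAY 999 TO mallory")
    wrong_key = dict(genuine, tag=mac(os.urandom(32), genuine["seq"], genuine["payload"]))

    return {
        "genuine_accepted": receiver.accept(genuine),
        "tampered_rejected": not receiver.accept(tampered),
        "wrong_key_rejected": not receiver.accept(wrong_key),
        "replay_rejected": not receiver.accept(genuine),   # same message again
        "next_accepted": receiver.accept(sender.send(b"PAY 5 TO bob")),
        "plain_hash_forgeable": unkeyed_checksum_is_forgeable(),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:22s} {ok}")
```

The per-connection counter is the simplest replay defence; protocols such as TLS and IPsec use the same idea (a sequence number inside the authenticated data) and additionally accept slightly out-of-order packets with a sliding window.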
Topic 5: Digital Signatures
• What is it?
o A cryptographic value attached to digital information such as email messages, macros,
or electronic documents, computed with the signer's private key. A valid signature
confirms that the information originated from the holder of that key and has not been
altered since it was signed.
• Why is it important?
o Provides:
▪ Authentication: Verifies the sender's identity.
▪ Integrity: Ensures the message hasn't been tampered with.
▪ Non-repudiation: Prevents the sender from denying they sent the message.
• How does it work?
1. The sender creates a hash (message digest) of the message.
2. The sender signs this hash with their private key (for RSA this means applying the
private-key operation to the padded hash; "encrypting the hash" is the usual informal
description). The result is the digital signature.
3. The signature is attached to the message and sent.
4. The receiver applies the sender's public key to the signature, which yields the hash the
sender signed.
5. The receiver independently computes a hash of the received message.
6. If the two hashes match, the signature is valid; any change to the message or the
signature makes the comparison fail.
• Tools used:
o PGP/GnuPG, S/MIME (both mentioned later), OpenSSL, document signing software
(e.g., Adobe Acrobat). Relies on asymmetric cryptography and hashing algorithms.
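The six steps above carried out in code, as an added example that also illustrates the private-key/public-key operations from Topic 3 (it is not part of the course material). It uses textbook RSA with no padding and a key built from two fixed, publicly known Mersenne primes, so the output is reproducible and anyone can derive the private key: a teaching toy, not a usable signature scheme. Real implementations use random primes, RSA-PSS or PKCS#1 v1.5 padding, or a different algorithm such as Ed25519.

```python
"""Hash-then-sign with textbook RSA. Added example, not course material;
the key is a toy built from fixed public primes and there is no padding."""
import hashlib

# Toy key material. Real keys use two random primes of ~1024+ bits each;
# these are public constants, so this key offers no security at all.
P = 2**127 - 1
Q = 2**521 - 1
E = 65537


def keygen(p: int = P, q: int = Q, e: int = E) -> tuple:
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_as_int(message: bytes) -> int:
    """Steps 1 and 5: hash the message. The toy modulus is over 600 bits, so
    the 256-bit SHA-256 value is already smaller than n; a real scheme pads
    the hash up to the modulus size instead of using it bare."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: tuple) -> int:
    """Step 2: apply the private-key operation to the hash."""
    n, d = private_key
    return pow(digest_as_int(message), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Steps 4 to 6: recover the signed hash with the public key and compare it
    with a freshly computed hash of the received message."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(message)


def demo() -> dict:
    public, private = keygen()
    msg = b"Transfer 100 EUR to account 12345"
    sig = sign(msg, private)
    # A second, unrelated toy key (two other Mersenne primes) for an impostor.
    _, other_private = keygen(p=2**107 - 1, q=2**607 - 1)
    return {
        "valid": verify(msg, sig, public),
        "altered_message": verify(b"Transfer 900 EUR to account 12345", sig, public),
        "other_signer": verify(msg, sign(msg, other_private), public),
        "zero_signature": verify(msg, 0, public),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} {ok}")
```

The range check in verify() matters even in the toy: without it, signature values of 0 or 1 would "verify" for any message whose hash happened to be 0 or 1, and values at or above n are not valid ciphertexts under this modulus at all.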
Topic 6: Applications of Cryptography
• What is it?
o The diverse areas and scenarios where cryptographic techniques are applied to
secure information and communications.
• Why is it important?
o Modern digital society relies heavily on cryptography for security in countless
applications.
• How does it work (Examples of applications)?
o Secure Web Communication (HTTPS): SSL/TLS encrypts data between browsers and
web servers.
o Secure Email: PGP and S/MIME for encrypting and signing emails.
o Virtual Private Networks (VPNs): IPSec, SSL/TLS VPNs create secure tunnels over
public networks.
o Secure File Storage: Disk encryption (e.g., BitLocker, VeraCrypt), file encryption.
o Digital Payments: Securing financial transactions.
o Secure Messaging: End-to-end encrypted chat applications.
o Software Integrity: Code signing to verify software authenticity.
• Tools used:
o Web browsers/servers (for SSL/TLS), email clients (for PGP/S/MIME), VPN
clients/servers, disk encryption utilities.
Topic 7: Overview of Firewalls
• What is it?
o A network security system (hardware, software, or both) that monitors and controls
incoming and outgoing network traffic based on predetermined security rules. It
establishes a barrier between a trusted internal network and an untrusted external
network (like the Internet).
• Why is it important?
o Acts as a primary line of defense against unauthorized access, malware, and other
network-based threats. It helps enforce network access policies.
• How does it work?
o Firewalls examine network packets and compare them against a set of configured
rules. Based on these rules, they decide whether to allow (accept), block
(deny/drop), or log the traffic. Rules are typically based on source/destination IP
addresses, port numbers, and protocols.
• Tools used:
o Specific firewall software (e.g., Windows Firewall, iptables on Linux, pf on
BSD/macOS) or dedicated hardware firewall appliances (e.g., from Cisco, Palo Alto
Networks, Fortinet). No specific firewall tools are listed in Unit 2's "tools" section, but
they are a major topic.
Topic 8: Types of Firewalls
• What is it?
o Different categories of firewalls based on their operational methods, the information
they use to filter traffic, and the layer of the OSI model at which they operate.
• Why is it important?
o Different types offer varying levels of security, performance, and complexity, allowing
organizations to choose based on their specific needs.
• How does it work (Common Types)?
o Packet-Filtering Firewalls: Operate at the network and transport layers (Layers 3/4).
Decide on each packet from header fields alone (IP addresses, ports, protocol, TCP
flags). The classic form is stateless: each packet is judged without knowledge of
earlier packets, so to admit replies to internal connections it has to trust the ACK
flag, which any sender can set.
o Stateful Inspection Firewalls: Keep a table of active connections and admit inbound
packets only if they belong to a connection the firewall saw start. This closes the
stateless filter's gap: an unsolicited packet with ACK set has no table entry and is
dropped. More secure than basic packet filters at the cost of memory per connection.
o Proxy Firewalls (Application-Level Gateways): Operate at the application layer
(Layer 7). Act as intermediaries for specific applications (e.g., HTTP, FTP). Can inspect
content and provide finer-grained control.
o Next-Generation Firewalls (NGFW): Combine traditional firewall capabilities with
advanced features like deep packet inspection (DPI), intrusion prevention systems
(IPS), application awareness, and threat intelligence integration.
• Tools used:
o These are categories of firewall products. The tools are the firewall
software/hardware itself implementing these functionalities.
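The stateless versus stateful distinction above on constructed packets, as an added example (not from the unit, and a model of the decision logic rather than a real firewall). The trusted network, rule set, addresses and packets are all made up. The point it shows: a stateless filter has to accept any inbound packet with the ACK flag set to let replies through, so an attacker's ACK probe at an internal host gets in, while a stateful filter drops it because no connection table entry matches.

```python
"""Stateless versus stateful packet filtering on constructed packets.
Added example, not course material; addresses and rules are made up."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed trusted side
PUBLIC_SERVICE_PORT = 443                       # the one inbound service exposed


def pkt(src, sport, dst, dport, *flags) -> dict:
    return {"src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport,
            "flags": frozenset(flags)}


def outbound(p: dict) -> bool:
    return p["src"] in INTERNAL and p["dst"] not in INTERNAL


class StatelessFilter:
    """Judges every packet from its headers alone. To let replies to
    internally initiated connections back in, it relies on the ACK flag."""

    def decide(self, p: dict) -> str:
        if outbound(p):
            return "ACCEPT"
        if p["dport"] == PUBLIC_SERVICE_PORT and p["flags"] == {"SYN"}:
            return "ACCEPT"                  # new connection to the public service
        if "ACK" in p["flags"]:
            return "ACCEPT"                  # assumed to be a reply; cannot be checked
        return "DROP"


class StatefulFilter:
    """Keeps a connection table keyed by 4-tuple. Inbound packets are accepted
    only for connections it saw start, so an ACK with no matching entry is
    dropped even though its flags look like a reply."""

    def __init__(self):
        self.table = set()

    def decide(self, p: dict) -> str:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if outbound(p):
            if p["flags"] == {"SYN"}:
                self.table.add(fwd)          # record the new connection
            return "ACCEPT"
        if rev in self.table:
            return "ACCEPT"                  # reply to a known connection
        if p["dport"] == PUBLIC_SERVICE_PORT and p["flags"] == {"SYN"}:
            self.table.add(fwd)
            return "ACCEPT"
        return "DROP"


# Constructed traffic: a legitimate outbound connection and its reply, an
# attacker's ACK-scan probe at an internal host (port 22 is not exposed),
# and a new inbound connection to the public service.
TRAFFIC = {
    "client_syn": pkt("10.0.0.5", 40000, "203.0.113.7", 80, "SYN"),
    "server_reply": pkt("203.0.113.7", 80, "10.0.0.5", 40000, "SYN", "ACK"),
    "ack_scan_probe": pkt("198.51.100.9", 55555, "10.0.0.5", 22, "ACK"),
    "new_inbound_443": pkt("198.51.100.9", 55556, "10.0.0.20", 443, "SYN"),
}


def run(filter_obj, traffic: dict = TRAFFIC) -> dict:
    """Feed the packets through in order and collect each verdict."""
    return {name: filter_obj.decide(p) for name, p in traffic.items()}


if __name__ == "__main__":
    for label, f in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        print(label, run(f))
```

This is exactly the weakness nmap's ACK scan (-sA) probes for: against a stateless filter the probe reaches the host, which answers RST, revealing that the port is "unfiltered"; against a stateful filter the probe is silently dropped.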
Topic 9: User Management
• What is it?
o The administrative process of controlling user access to IT resources, including
creating user accounts, defining user rights and permissions, managing passwords,
and tracking user activity.
• Why is it important?
o Ensures that only authorized individuals can access specific systems and data,
enforcing the principle of least privilege and maintaining accountability. Crucial for
preventing unauthorized access and data breaches.
• How does it work?
o Authentication: Verifying a user's identity (e.g., username/password, biometrics,
multi-factor authentication).
o Authorization: Granting or denying access rights and permissions to resources based
on the authenticated user's role or identity.
o Accounting/Auditing: Tracking user actions for security monitoring and compliance.
o Involves creating/deleting accounts, password policies, group memberships, role-
based access control (RBAC).
• Tools used:
o Operating system user management tools (the built-in account management tools on
Windows, useradd/passwd on Linux), directory services (e.g., Active Directory, LDAP),
Identity and Access Management (IAM) systems. No specific tools are listed in Unit 2
for this.
Topic 10: VPN Security
• What is it?
o VPN (Virtual Private Network) security refers to the technologies and practices used
to ensure that a VPN connection provides confidentiality, integrity, and
authentication for data transmitted over it.
• Why is it important?
o Allows users to securely access private networks (e.g., corporate intranets) over
public networks (like the Internet) as if they were directly connected. Essential for
remote work, secure site-to-site connections, and bypassing geo-restrictions.
• How does it work?
o Tunneling: Encapsulating data packets from one network protocol within another.
o Encryption: Protecting the confidentiality of the data within the tunnel using
cryptographic algorithms.
o Authentication: Verifying the identity of VPN clients and servers.
o Common VPN protocols: IPSec (discussed later), TLS-based VPNs (e.g., OpenVPN),
WireGuard, and L2TP, which provides no encryption of its own and is paired with IPSec
(L2TP/IPSec). PPTP is broken (its MS-CHAPv2 authentication can be cracked) and should
not be used.
• Tools used:
o VPN client software (e.g., OpenVPN client, Cisco AnyConnect, built-in OS clients),
VPN server software/appliances. IPSec is listed as a specific protocol relevant to
VPNs.
Topic 11: Security Protocols
11.A. Security at the Application Layer - PGP and S/MIME
• What is it?
o PGP (Pretty Good Privacy): A data encryption and decryption computer program
that provides cryptographic privacy and authentication for data communication.
Often used for signing, encrypting, and decrypting texts, e-mails, files, directories,
and whole disk partitions.
o S/MIME (Secure/Multipurpose Internet Mail Extensions): A standard for public key
encryption and signing of MIME data (email). It's built into most modern email
clients.
• Why is it important?
o They provide end-to-end security for email messages, ensuring confidentiality (only
the intended recipient can read it) and authenticity/integrity (the recipient can verify
who sent it and that it hasn't been altered).
• How does it work?
o Both use a hybrid approach:
▪ Encryption: The email content is encrypted with a randomly generated
symmetric key. This symmetric key is then encrypted with the recipient's
public key.
▪ Digital Signature: The sender hashes the email content and signs the hash with
their private key; the recipient verifies it with the sender's public key.
o PGP often uses a "web of trust" model for key validation, while S/MIME typically
relies on a hierarchical Public Key Infrastructure (PKI) with X.509 certificates.
• Tools used:
o GnuPG (an open-source implementation of PGP), email clients with built-in PGP or
S/MIME support (e.g., Thunderbird, Outlook).
11.B. Security at Transport Layer - SSL and TLS
• What is it?
o SSL (Secure Sockets Layer): The original cryptographic protocol for securing
communications over a network. All versions (2.0 and 3.0) are deprecated and
prohibited because of known attacks.
o TLS (Transport Layer Security): The successor to SSL. It provides end-to-end security
of data sent between applications over the Internet. TLS 1.0 and 1.1 were deprecated
by RFC 8996; TLS 1.2 and 1.3 are what should be deployed today.
• Why is it important?
o Widely used to secure web communication (HTTPS), email transport (SMTPS, IMAPS,
POP3S), VPNs, and many other network applications, ensuring confidentiality and
integrity of data in transit.
• How does it work?
1. Handshake: Client and server negotiate the protocol version and cipher suite, the server
presents its certificate (a client certificate is optional), and they establish a shared
secret. Modern TLS uses an ephemeral (EC)DH exchange for this so that past sessions stay
secret even if the server's private key later leaks (forward secrecy); TLS 1.3 removed the
older RSA key transport entirely.
2. Key Derivation: Session keys are derived from the shared secret and handshake transcript.
3. Data Transfer: Application data is encrypted and authenticated using the session keys and
the agreed-upon algorithms (an AEAD cipher such as AES-GCM or ChaCha20-Poly1305).
• Tools used:
o Web browsers (Chrome, Firefox, Edge), web servers (Apache, Nginx, IIS), OpenSSL (a
widely used library implementing SSL/TLS), various application clients and servers.
11.C. Security at Network Layer - IPSec
• What is it?
o IPSec (Internet Protocol Security): A suite of protocols that secures Internet Protocol
(IP) communications by authenticating and/or encrypting each IP packet in a data
stream. Operates at the Network Layer (Layer 3).
• Why is it important?
o Provides transparent security for all applications using IP. Primarily used for creating
VPNs, securing communications between network gateways (routers, firewalls), and
providing end-to-end security between hosts.
• How does it work?
o Key components:
▪ Authentication Header (AH): Provides connectionless integrity, data origin
authentication, and anti-replay protection. Does not provide confidentiality
(no encryption). Because AH authenticates parts of the IP header, it breaks
behind NAT and is rarely used in practice.
▪ Encapsulating Security Payload (ESP): Provides confidentiality (encryption),
and can also provide integrity, authentication, and anti-replay. ESP with an
authenticated cipher is the usual choice.
▪ Security Associations (SA): Unidirectional agreements between two
communicating parties that define the security services, algorithms, and
keys to be used; a two-way connection needs a pair. Negotiated and rekeyed by
IKE (Internet Key Exchange), today IKEv2.
o Modes:
▪ Transport Mode: Secures the payload of the IP packet. Original IP headers
are kept. Typically used for host-to-host security.
▪ Tunnel Mode: Encapsulates the entire original IP packet (header and
payload) within a new IP packet. Typically used for VPNs between gateways
or from a host to a gateway.
• Tools used:
o Implemented within operating systems (Windows, Linux, macOS), VPN clients and
servers, firewalls, and routers. StrongSwan and Libreswan are open-source IPSec
implementations.
Topic 12: Hash Values Calculations MD5, SHA1, SHA256, SHA512
• What are they?
o Hashing algorithms are mathematical functions that take an input (message or data
of any size) and produce a fixed-size string of characters, which is the hash value (or
message digest).
o MD5 (Message Digest 5): Produces a 128-bit hash. Cryptographically broken:
collisions can be produced in seconds, so it must not be used for digital
signatures, certificates, or anything else that relies on collision resistance.
It is also unsuitable for password storage, but for a different reason: it is fast,
so an attacker can test billions of guesses per second. Still acceptable as a
checksum for detecting accidental corruption.
o SHA-1 (Secure Hash Algorithm 1): Produces a 160-bit hash. Also considered weak
and deprecated for most security applications due to discovered collision attacks.
o SHA-256, SHA-512 (part of the SHA-2 family): Produce 256-bit and 512-bit hashes
respectively. Currently considered secure and widely used. SHA-3 is a newer
standard.
• Why are they important?
o Integrity Verification: Ensuring data has not been altered (e.g., file downloads).
o Password Storage: Storing a derived value instead of the plain password, using a
dedicated slow, salted password hash (Argon2, scrypt, bcrypt, or PBKDF2 with a high
iteration count); a bare MD5/SHA digest is not enough.
o Digital Signatures: Hashing a message before signing it.
o Data Indexing/Fingerprinting: Creating unique identifiers for data.
• How do they work?
o One-way function: Easy to compute a hash from input, but computationally
infeasible to reverse (get input from hash).
o Deterministic: The same input always produces the same hash.
o Avalanche effect: A small change in the input data results in a drastically different
hash.
o Collision resistance (ideal): It should be computationally infeasible to find two
different inputs that produce the same hash. (MD5 and SHA-1 are weak in this
regard).
• Tools used:
o Command-line utilities: md5sum, sha1sum, sha256sum, sha512sum (Linux/macOS),
Get-FileHash (PowerShell on Windows).
o Programming libraries in various languages (Python's hashlib, Java's MessageDigest).
o OpenSSL command-line tool can also compute these hashes.
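The digest computations above in code, as an added example (not course material): it computes all four digests like the md5sum family, hashes a stream in chunks as file tools do, verifies a "download" against a published checksum, measures the avalanche effect, and contrasts a bare digest with a salted, slow password hash (PBKDF2 from hashlib, one of several acceptable choices). The sample data and the download are constructed inline.

```python
"""Hash computations and their uses. Added example, not course material;
sample data is constructed inline."""
import hashlib
import hmac
import os

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digests(data: bytes) -> dict:
    """Hex digest of data under each algorithm (what md5sum/sha256sum print)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_stream(chunks, algo: str = "sha256") -> str:
    """Hash an arbitrarily large input incrementally, so a whole file never has
    to be in memory; update() calls can be split anywhere."""
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str, algo: str = "sha256") -> bool:
    """Integrity check against a published checksum. It proves something only
    if the published value came over a trusted channel or is signed; a checksum
    on the same page as the download catches corruption, not an attacker who
    replaced both."""
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), published_hex)


def avalanche_fraction(a: bytes, b: bytes, algo: str = "sha256") -> float:
    """Fraction of output bits that differ between hash(a) and hash(b); for a
    good hash it is near 0.5 even when a and b differ by a single bit."""
    x = int.from_bytes(hashlib.new(algo, a).digest(), "big")
    y = int.from_bytes(hashlib.new(algo, b).digest(), "big")
    bits = hashlib.new(algo).digest_size * 8
    return bin(x ^ y).count("1") / bits


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, deliberately slow derivation for storage. The salt defeats
    precomputed tables; the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def check_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    # Constructed "download" and its published SHA-256; then a corrupted copy.
    release = b"release-1.0 contents\n" * 1000
    published = hashlib.sha256(release).hexdigest()
    corrupted = release[:-1] + b"X"
    stored = hash_password("correct horse battery staple")
    return {
        "digest_lengths": {k: len(v) // 2 for k, v in digests(b"abc").items()},
        "stream_matches": hash_stream([release[:777], release[777:]]) == published,
        "download_ok": verify_download(release, published),
        "corrupt_detected": not verify_download(corrupted, published),
        "avalanche": avalanche_fraction(b"abc", b"abd"),
        "password_ok": check_password("correct horse battery staple", stored),
        "password_wrong": check_password("correct horse battery stapl", stored),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

The digest lengths (16, 20, 32, 64 bytes) are the 128/160/256/512 bits named in the topic title; the avalanche fraction for two strings differing in one character lands near 0.5, which is why a hash is useless for guessing "nearby" inputs.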
Topic 13: Steganography (listed as "Stools", presumably S-Tools)
• What is it?
o Steganography is the practice of concealing a secret message, file, image, or video
within another, ordinary file, message, image, or video (the "carrier" or "cover"
medium). The goal is to hide the very existence of the communication.
• Why is it important?
o It can be used for covert communication, allowing messages to be sent without the
sender or receiver being easily identified as communicating secretly. Unlike
cryptography which makes messages unreadable, steganography makes them
invisible or undetectable.
o Can be used by malicious actors to exfiltrate data or hide malware.
• How does it work?
o Various techniques exist depending on the carrier medium:
▪ LSB (Least Significant Bit) insertion: Modifying the least significant bits of
pixels in an image or samples in an audio file. These changes are often
imperceptible to humans.
▪ Manipulation of file formats: Hiding data in unused or reserved areas of file
headers or metadata.
▪ Transform domain techniques: Embedding data in frequency coefficients
(e.g., in JPEGs using DCT coefficients).
▪ Text steganography: Altering character spacing, using specific word patterns,
or embedding information in the properties of a document.
• Tools used:
o Steghide: A popular command-line steganography tool.
o OpenStego: An open-source GUI steganography tool.
o S-Tools: An older Windows-based steganography tool (this might be what "Stools"
referred to if it's a specific tool name).
o Various other specialized tools for different file types (e.g., Snow for text,
audio/video steganography tools). Online steganography tools are also available.
Unit-3: System, Network, and Intrusion Detection
Number of lectures = 12
Topic 1: Introduction to System Security
• What is it?
o System security refers to the measures taken to protect computer systems
(hardware, software, and data) from unauthorized access, use, disclosure, alteration,
damage, or theft. It encompasses policies, procedures, and technical controls.
• Why is it important?
o To maintain the confidentiality, integrity, and availability (CIA) of system resources
and data. A compromised system can lead to data breaches, financial loss,
operational disruption, and reputational damage.
• How does it work (Principles/Components)?
o Involves multiple layers of defense:
▪ Hardening: Reducing the attack surface by disabling unnecessary services,
removing default accounts, and applying secure configurations.
▪ Access Control: Implementing mechanisms (passwords, permissions,
biometrics) to ensure only authorized users can access resources.
▪ Patch Management: Regularly updating software to fix known
vulnerabilities.
▪ Logging and Monitoring: Tracking system activity to detect and respond to
security incidents.
▪ Malware Protection: Using antivirus/anti-malware software.
• Tools used:
o Operating system security features (e.g., user account controls, file permissions),
security configuration management tools, patch management systems, antivirus
software. Many tools listed in this unit contribute to overall system security, e.g.,
iptables, Windows Firewall, snort, suricata, fail2ban.
Topic 2: Server Security
• What is it?
o A specialized subset of system security focused on protecting server systems, which
often host critical applications, data, and services.
• Why is it important?
o Servers are high-value targets for attackers. Compromising a server can have
widespread impact, affecting many users and services.
• How does it work (Key Practices)?
o OS Hardening: Securing the underlying operating system (see OS Security).
o Network Security: Configuring firewalls (e.g., iptables, Windows Firewall),
restricting network access, using secure protocols (HTTPS, SSH).
o Application Security: Securing the applications running on the server (e.g., web
server, database server).
o Secure Administration: Using strong passwords, secure remote access methods
(e.g., SSH instead of Telnet), principle of least privilege for admin accounts.
o Regular Auditing and Monitoring: Using tools like snort, suricata, and log analysis.
o Physical Security: (Covered separately)
• Tools used:
o Firewalls (iptables, Windows Firewall), IDS/IPS (snort, suricata), log management
tools, vulnerability scanners, configuration management tools (e.g., Ansible, Puppet,
Chef for hardening).
Topic 3: OS Security (Operating System Security)
• What is it?
o The process of securing the operating system (e.g., Windows, Linux, macOS) that
manages a computer's hardware and software resources.
• Why is it important?
o The OS is a fundamental layer. If the OS is compromised, all applications and data
running on it are at risk.
• How does it work (Key Measures)?
o User Authentication: Strong password policies, multi-factor authentication.
o Access Control Mechanisms: File permissions (ACLs, DAC, MAC), user privileges.
o Memory Protection: Preventing processes from interfering with each other's
memory space.
o Process Isolation: Ensuring processes run independently.
o Auditing and Logging: Recording security-relevant events.
o Patch Management: Applying security updates promptly.
o Kernel Hardening: Configuring the OS kernel for enhanced security.
o Secure Boot: Ensuring the OS and bootloader are trusted.
• Tools used:
o Built-in OS security features (e.g., Group Policy in Windows, SELinux/AppArmor in
Linux), antivirus/anti-malware software, host-based firewalls (iptables, Windows
Firewall), host-based intrusion detection/prevention systems (snort in host mode,
fail2ban).
Topic 4: Physical Security
• What is it?
o Measures taken to protect physical assets, including computer hardware, facilities,
and personnel, from physical threats such as theft, vandalism, unauthorized access,
and environmental damage.
• Why is it important?
o If an attacker gains physical access to a system, they can often bypass logical and
software-based security controls. It's a foundational layer of security.
• How does it work (Measures)?
o Access Control: Locks, key cards, biometric scanners, security guards.
o Surveillance: CCTV cameras, motion detectors.
o Environmental Controls: Fire suppression systems, climate control (temperature,
humidity), uninterruptible power supplies (UPS).
o Site Design: Fences, barriers, secure server room construction.
o Asset Tracking: Tagging and monitoring valuable equipment.
o Secure Disposal: Proper destruction of sensitive media and hardware.
• Tools used:
o Physical access control systems, surveillance equipment, environmental monitoring
systems, secure storage (safes, locked racks). No software tools listed for this specific
topic from the unit's list.
Topic 5: Introduction to Networks (in security context)
• What is it?
o Understanding the fundamental concepts of computer networks (e.g., TCP/IP model,
common protocols like HTTP, DNS, FTP, IP addressing, routing, switching) as a
prerequisite for understanding network security.
• Why is it important (for security)?
o To effectively secure a network, one must understand how it operates, where
vulnerabilities can exist, and how attacks are propagated.
• How does it work (Key concepts relevant to security)?
o Protocols: Understanding how data is formatted and transmitted.
o Network Topology: Physical and logical layout of the network.
o Network Devices: Routers, switches, firewalls, and their roles.
o Addressing and Subnetting: How devices are identified and networks are
segmented.
• Tools used:
o Network diagnostic tools (ping, traceroute, ipconfig/ifconfig). Packet sniffers like
Wireshark are invaluable for understanding network protocols and traffic.
Topic 6: Network Packet Sniffing
• What is it?
o The act of capturing, logging, and analyzing data packets that travel over a computer
network. Can be done legitimately for network troubleshooting and analysis, or
maliciously to intercept sensitive information.
• Why is it important?
o Legitimate: Network administrators use it to diagnose problems, monitor
performance, and detect intrusions. Security professionals use it for forensic analysis
and understanding attack patterns.
o Malicious: Attackers use it to steal unencrypted credentials, session cookies, and
other sensitive data.
• How does it work?
o A network interface card (NIC) is put into "promiscuous mode," allowing it to capture
all packets on the network segment, not just those addressed to its own MAC
address.
o The captured packets are then decoded and displayed by sniffing software, showing
protocol information, source/destination addresses, and potentially data payloads (if
unencrypted).
• Tools used:
o Wireshark: The most popular and comprehensive open-source packet analyzer.
o tcpdump (command-line packet analyzer).
o Cain & Abel (has sniffing capabilities, particularly for password recovery on switched
networks using ARP poisoning).
Topic 7: Network Design Simulation
• What is it?
o The use of software tools to model, design, and test network architectures before
physical deployment. In a security context, this can involve simulating network
traffic, security policies, and potential attack scenarios.
• Why is it important?
o Allows for cost-effective evaluation of network designs, performance prediction, and
identification of potential vulnerabilities or misconfigurations before they impact a
live environment. Can be used to test the effectiveness of security controls.
• How does it work?
o Network simulation tools allow users to create virtual networks with various devices
(routers, switches, hosts, firewalls). Users can configure these devices, define traffic
patterns, and run simulations to observe network behavior, test connectivity, and
analyze security posture.
• Tools used:
o GNS3, Cisco Packet Tracer, ns-3, OPNET Modeler (commercial). None of the listed
tools for Unit 3 are primarily network design simulation tools, though understanding
traffic flows via Wireshark can inform design.
Topic 8: DoS/DDoS Attacks (Denial of Service / Distributed Denial of Service)
• What is it?
o DoS (Denial of Service): An attack aimed at making a machine or network resource
unavailable to its intended users by overwhelming it with a flood of illegitimate
requests or by exploiting a vulnerability that causes it to crash or become
unresponsive.
o DDoS (Distributed Denial of Service): A DoS attack launched from multiple
compromised computer systems (often a botnet) simultaneously. The distributed
nature makes it harder to trace the source and mitigate.
• Why is it important?
o Can cause significant disruption to services, leading to financial losses, reputational
damage, and loss of customer trust.
• How does it work (Common Techniques)?
o Volume-based attacks: Overwhelm the target's bandwidth (e.g., UDP floods, ICMP
floods).
o Protocol attacks: Consume server resources by exploiting weaknesses in network
protocols (e.g., SYN floods, Ping of Death).
o Application-layer attacks: Target specific application vulnerabilities to make them
crash or consume excessive resources (e.g., HTTP floods, Slowloris).
• Tools used:
o Attack tools (e.g., LOIC, HOIC – used by attackers).
o Defense tools/services: Firewalls (iptables, Windows Firewall can offer basic
protection), rate limiting, traffic scrubbing centers, IDS/IPS (snort, suricata can
detect patterns), fail2ban (can block IPs involved in abusive behavior). The unit lists
"DOS Attacks" and "DDOS attacks" as tools, which might refer to stress testing tools
or specific mitigation tools/techniques.
Topic 9: Asset Management and Audits
• What is it?
o Asset Management: The process of identifying, cataloging, classifying, and tracking
all valuable assets within an organization (hardware, software, data, intellectual
property, etc.).
o Audits: Systematic, independent, and documented processes for obtaining audit
evidence and evaluating it objectively to determine the extent to which audit criteria
(e.g., security policies, compliance requirements) are fulfilled.
• Why is it important?
o Asset Management: You can't protect what you don't know you have. It's
foundational for risk management, vulnerability management, and incident
response.
o Audits: Verify that security controls are in place, effective, and compliant with
policies and regulations. Identify weaknesses and areas for improvement.
• How does it work?
o Asset Management: Involves discovery tools, inventory databases, assigning
ownership, and classifying assets by sensitivity and criticality.
o Audits: Involve planning, evidence gathering (interviews, log reviews, configuration
checks, penetration testing), analysis, and reporting.
• Tools used:
o Asset inventory systems, vulnerability scanners, configuration management
databases (CMDBs), log analysis tools. Security Information and Event Management
(SIEM) systems are crucial for auditing. None of the explicitly listed tools for Unit 3
are primary asset management or pure audit tools, though outputs from tools like
Wireshark, snort, etc., would be evidence for an audit.
Topic 10: Vulnerabilities and Attacks
• What is it?
o Vulnerability: A weakness in a system, application, network, or process that could be
exploited by a threat to cause harm.
o Attack: An attempt to exploit a vulnerability to gain unauthorized access, disrupt
services, or steal data.
• Why is it important?
o Understanding common vulnerabilities and attack vectors is crucial for designing
effective defenses, prioritizing remediation efforts, and responding to incidents.
• How does it work (Examples)?
o Vulnerabilities: Unpatched software, weak passwords, misconfigurations, SQL
injection flaws, cross-site scripting (XSS), buffer overflows.
o Attacks: Exploiting these vulnerabilities through various means (malware, phishing,
brute-force, code injection).
• Tools used:
o Attackers use various exploit kits and custom tools.
o Defenders use vulnerability scanners (e.g., Nessus, OpenVAS – though not listed,
they are key), penetration testing tools (which include many of the reconnaissance
and exploitation tools previously mentioned). Tools like Wireshark can help analyze
attack traffic, and Cain & Abel can be used to exploit certain vulnerabilities (e.g.,
password weaknesses).
Topic 11: Intrusion Detection and Prevention Techniques
• What is it?
o Intrusion Detection System (IDS): A device or software application that monitors
network or system activities for malicious activities or policy violations and produces
reports to a management station.
o Intrusion Prevention System (IPS): An IDS that also has the capability to block or
prevent detected intrusions in real-time.
• Why is it important?
o Provides an additional layer of security by detecting and potentially stopping attacks
that bypass other defenses (like firewalls). Helps in identifying ongoing attacks and
policy violations.
• How does it work (Detection Methods)?
o Signature-based detection: Compares network traffic or system activity against a
database of known attack patterns (signatures). Good for known threats, but
ineffective against new (zero-day) attacks.
o Anomaly-based detection: Establishes a baseline of normal behavior and flags
deviations as potential intrusions. Can detect novel attacks but may have a higher
false positive rate.
o Stateful protocol analysis: Understands and tracks network protocol states,
identifying deviations from expected protocol behavior.
• Tools used:
o Network Intrusion Detection/Prevention Systems (NIDS/NIPS): snort, suricata.
o Host-based Intrusion Detection/Prevention Systems (HIDS/HIPS): OSSEC, Tripwire,
Wazuh. fail2ban acts as a simple HIPS by blocking IPs.
Topic 12: Host-based Intrusion Prevention Systems (HIPS)
• What is it?
o A type of IPS that is installed on an individual computer (host) and monitors its
activity for malicious behavior. It can take actions to prevent attacks, such as blocking
network connections, terminating processes, or denying access to files.
• Why is it important?
o Provides granular protection for individual endpoints, can detect attacks that NIPS
might miss (e.g., malicious activity originating on the host itself, encrypted traffic),
and can protect systems even when they are off the corporate network.
• How does it work?
o Monitors system calls, application behavior, file system modifications, network traffic
to/from the host, and registry changes (on Windows).
o Uses signature-based and/or anomaly-based detection.
o Can enforce host-level security policies.
• Tools used:
o Commercial HIPS solutions (e.g., from Symantec, McAfee).
o Open-source options like OSSEC (HIDS with active response capabilities), Wazuh.
o fail2ban is a simple log-parsing application that scans log files (e.g.,
/var/log/apache/error_log) and bans IPs that show malicious signs, such as too many
password failures or probing for exploits. It acts as a lightweight HIPS for specific
services.
o Host-based firewalls like iptables or Windows Firewall are fundamental components
that HIPS can leverage or integrate with.
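A worked example added here (not from these notes and not fail2ban's own code) for Topic 11 and Topic 12 together: signature-based detection over constructed sshd log lines, and a fail2ban-style threshold that bans a source only when maxretry failures fall inside findtime. The log lines, the year assumed for syslog timestamps, and the parameter names are all assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines (not a real capture)
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  1 10:00:04 host sshd[102]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  1 10:00:07 host sshd[103]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  1 10:00:09 host sshd[104]: Accepted publickey for alice from 198.51.100.4 port 50200 ssh2
Mar  1 10:00:12 host sshd[105]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar  1 10:30:00 host sshd[106]: Failed password for bob from 198.51.100.4 port 50201 ssh2
Mar  1 10:45:00 host sshd[107]: Failed password for bob from 198.51.100.4 port 50202 ssh2
Mar  1 11:00:00 host sshd[108]: Failed password for bob from 198.51.100.4 port 50203 ssh2
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Signature database: known patterns, each a regex (signature-based detection)
SIGNATURES = {
    "ssh-failed-password": re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IPV4),
    "ssh-invalid-user": re.compile(r"invalid user (?P<user>\S+) from " + IPV4, re.IGNORECASE),
}


def parse_timestamp(line: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; this example assumes 2024."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def signature_scan(log_text: str) -> list:
    """Check every line against every known signature; unknown attacks produce no hit."""
    hits = []
    for line in log_text.splitlines():
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                hits.append({"signature": name, "ip": m.group("ip"),
                             "user": m.group("user"), "time": parse_timestamp(line)})
    return hits


def fail2ban_simulate(log_text: str, maxretry: int = 3, findtime: int = 600,
                      bantime: int = 3600) -> dict:
    """Threshold-based HIPS logic in the style of fail2ban: keep a sliding window of
    failure timestamps per IP and ban when maxretry failures occur within findtime seconds.
    Returns {ip: {"banned_at", "until", "failures"}}."""
    recent = defaultdict(deque)
    bans = {}
    for hit in signature_scan(log_text):
        if hit["signature"] != "ssh-failed-password":
            continue
        ip, now = hit["ip"], hit["time"]
        if ip in bans and now < bans[ip]["until"]:
            continue                      # already banned; a real firewall rule drops these
        window = recent[ip]
        window.append(now)
        while window and (now - window[0]).total_seconds() > findtime:
            window.popleft()              # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = {"banned_at": now, "until": now + timedelta(seconds=bantime),
                        "failures": len(window)}
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, ban in fail2ban_simulate(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {ban['banned_at']} until {ban['until']} ({ban['failures']} failures)")
```

With the default findtime of 600 seconds, 198.51.100.4's three failures spread over 30 minutes never trip the threshold; widening findtime to an hour bans it too.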
Topic 13: Security Information Management (SIM)
• What is it?
o The process and tools focused on collecting, storing, and analyzing log data (security
information) from various sources within an IT environment. This is often a
component of a broader SIEM (Security Information and Event Management)
system.
• Why is it important?
o Provides a centralized view of security-related events, enabling more effective
monitoring, threat detection, incident response, and compliance reporting. Helps in
understanding security posture and identifying trends.
• How does it work?
o Log Collection: Gathering logs from servers, network devices, applications, security
tools.
o Normalization: Converting logs from different sources into a common format.
o Storage: Archiving logs securely for analysis and compliance.
o Analysis & Reporting: Basic searching, filtering, and generating reports from log
data. (SIEM adds correlation, alerting, and more advanced analytics).
• Tools used:
o Log management solutions (e.g., Splunk Free/Light, Graylog, ELK Stack -
Elasticsearch, Logstash, Kibana). Outputs from tools like snort, suricata, fail2ban,
iptables, and Windows Firewall logs would be fed into a SIM/SIEM system.
Topic 14: Network Session Analysis
• What is it?
o The process of examining and interpreting captured network traffic (sessions) to
understand communication patterns, identify protocols, troubleshoot issues, or
detect malicious activity. A session is a complete exchange of data between two
endpoints for a particular application.
• Why is it important?
o Helps in understanding "who is talking to whom, when, and how" on the network.
Crucial for network forensics, intrusion detection, and performance monitoring.
• How does it work?
o Involves capturing network packets (using tools like Wireshark) and then
reconstructing and analyzing the sessions within that data.
o Focuses on:
▪ Identifying TCP/UDP sessions.
▪ Analyzing protocol handshakes and data exchange.
▪ Extracting application-layer data (if unencrypted).
▪ Looking for anomalies, errors, or suspicious patterns within sessions.
• Tools used:
o Wireshark (primary tool for capturing and analyzing sessions).
o Network monitoring tools with session reconstruction capabilities (e.g.,
NetworkMiner, some features in NIDS/NIPS).
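A worked example added here (not from these notes and not Wireshark's code) for Topic 6 and Topic 14 together: decoding raw Ethernet/IPv4/TCP frames the way a sniffer does after capture, then grouping them into sessions by a direction-independent 5-tuple. The frames are constructed in the block itself with zeroed checksums, and the addresses and payloads are assumptions of this example.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")     # 20-byte IPv4 header without options
TCP_HDR = struct.Struct("!HHIIBBHHH")         # 20-byte TCP header without options
TCP_FLAGS = {0x02: "SYN", 0x10: "ACK", 0x01: "FIN", 0x04: "RST", 0x08: "PSH"}


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct a synthetic frame for the example (checksums left at zero)."""
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0, 64, 6, 0,
                       ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return ETH_HDR.pack(b"\xaa" * 6, b"\xbb" * 6, 0x0800) + ip + tcp


def decode_frame(frame: bytes):
    """Decode one Ethernet II frame carrying IPv4/TCP; anything else returns None."""
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    off = ETH_HDR.size
    (ver_ihl, _tos, total_len, _id, _frag, _ttl,
     proto, _csum, src, dst) = IPV4_HDR.unpack_from(frame, off)
    if (ver_ihl >> 4) != 4 or proto != 6:
        return None
    off += (ver_ihl & 0x0F) * 4                 # IHL is in 32-bit words
    (sport, dport, _seq, _ack, data_off,
     flags, _win, _csum, _urg) = TCP_HDR.unpack_from(frame, off)
    payload_start = off + (data_off >> 4) * 4
    payload_end = ETH_HDR.size + total_len      # ignore any trailing padding
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)),
            "sport": sport, "dport": dport,
            "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
            "payload": frame[payload_start:payload_end]}


def session_key(pkt):
    """Direction-independent key so both halves of a conversation share one session."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def reconstruct_sessions(frames):
    """Group decoded packets into sessions and summarise handshake, volume and data."""
    sessions = defaultdict(lambda: {"packets": 0, "bytes": 0, "handshake": set(), "data": b""})
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt is None:
            continue
        s = sessions[session_key(pkt)]
        s["packets"] += 1
        s["bytes"] += len(pkt["payload"])
        if "SYN" in pkt["flags"]:
            s["handshake"].add("SYN+ACK" if "ACK" in pkt["flags"] else "SYN")
        s["data"] += pkt["payload"]             # application-layer data, readable only if unencrypted
    return dict(sessions)


# Constructed capture: one full HTTP session, a lone SYN to SSH, and an ARP frame
SAMPLE_CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.10", 51000, 80, 0x02),                  # SYN
    build_frame("10.0.0.10", "10.0.0.5", 80, 51000, 0x12),                  # SYN+ACK
    build_frame("10.0.0.5", "10.0.0.10", 51000, 80, 0x10),                  # ACK
    build_frame("10.0.0.5", "10.0.0.10", 51000, 80, 0x18,
                b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),           # PSH+ACK
    build_frame("10.0.0.10", "10.0.0.5", 80, 51000, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.10", 51001, 22, 0x02),                  # SYN to SSH
    ETH_HDR.pack(b"\xff" * 6, b"\xbb" * 6, 0x0806) + b"\x00" * 28,          # ARP, not IPv4
]

if __name__ == "__main__":
    for key, s in reconstruct_sessions(SAMPLE_CAPTURE).items():
        print(key, s["packets"], "packets", s["bytes"], "bytes", sorted(s["handshake"]))
```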
Topic 15: System Integrity Validation
• What is it?
o The process of verifying that system files, configurations, and critical data have not
been tampered with or altered in an unauthorized manner. It ensures the system is
in a known, trusted state.
• Why is it important?
o Detects unauthorized modifications that could indicate a compromise (e.g., malware
installation, rootkit activity, configuration changes by an attacker). Helps maintain
system reliability and trustworthiness.
• How does it work?
o Typically involves:
1. Baselining: Creating a secure baseline of cryptographic hashes (e.g.,
SHA256) of critical system files, registry keys (on Windows), and
configurations.
2. Monitoring: Periodically re-calculating hashes of these files and comparing
them against the stored baseline.
3. Alerting: Notifying administrators if discrepancies (changes) are found.
• Tools used:
o Host-based Intrusion Detection Systems (HIDS) like Tripwire (commercial and open
source), AIDE (Advanced Intrusion Detection Environment - Linux), OSSEC, Wazuh.
o File integrity monitoring (FIM) tools.
o While not a direct FIM tool, fail2ban monitors logs for suspicious activity which might
indirectly point to integrity issues if, for example, unexpected services try to start or
fail.
Unit-4: Advanced Security Topics and Web Application Security
Number of lectures = 10
Topic 1: Internet Security
• What is it?
o A broad branch of cybersecurity concerned with protecting data, systems, and
networks that are connected to or accessible via the internet. It encompasses
browser security, network security (firewalls, IDS/IPS), email security, and securing
online transactions.
• Why is it important?
o The internet is a primary vector for cyber threats. Protecting internet-connected
assets is crucial for individuals and organizations to prevent data breaches, financial
loss, malware infections, and other cyberattacks.
• How does it work (Key Areas)?
o Secure Protocols: Using HTTPS (SSL/TLS), DNSSEC, secure email protocols (SMTPS,
IMAPS with TLS).
o Network Defenses: Firewalls, IDS/IPS, VPNs.
o Endpoint Security: Antivirus/anti-malware, secure browser configurations, patch
management on devices accessing the internet.
o User Awareness: Educating users about phishing, safe browsing habits, and strong
passwords.
o Web Application Security: (Covered in detail later) Securing web applications from
attacks.
• Tools used:
o Firewalls, VPNs, SSL/TLS certificates, antivirus/anti-malware software, web browsers
with security features. Many tools from previous units apply here. Tools like OWASP
ZAP and Burp Suite (listed later) are crucial for assessing internet-facing web
application security.
Topic 2: Cloud Computing & Security
• What is it?
o Cloud security refers to the set of policies, technologies, applications, and controls
used to protect virtualized IP, data, applications, services, and the associated
infrastructure of cloud computing.
• Why is it important?
o As more organizations move data and applications to the cloud, securing these
assets becomes paramount. Cloud environments introduce unique security
challenges related to shared responsibility, multi-tenancy, and data jurisdiction.
• How does it work (Key Considerations)?
o Shared Responsibility Model: Cloud provider is responsible for the security of the
cloud (infrastructure), while the customer is responsible for security in the cloud
(data, applications, access management).
o Identity and Access Management (IAM): Strong authentication and authorization
for cloud resources.
o Data Security: Encryption (at rest and in transit), data loss prevention (DLP), data
residency and sovereignty.
o Infrastructure Security: Securing virtual networks, compute instances, and storage.
o Compliance and Governance: Meeting industry and regulatory requirements.
o Monitoring and Logging: Visibility into cloud resource activity.
• Tools used:
o Cloud provider security tools (e.g., AWS IAM, Security Groups, Azure Security Center,
Google Cloud Security Command Center), Cloud Access Security Brokers (CASBs),
Security Information and Event Management (SIEM) systems, vulnerability scanners
configured for cloud environments.
Topic 3: Social Network Sites Security
• What is it?
o Measures and practices to protect users' personal information, accounts, and privacy
on social networking platforms, as well as protecting organizations from risks
associated with employee use of social media.
• Why is it important?
o Social networks are rich targets for identity theft, phishing, malware distribution,
social engineering, and reputational damage. Information shared can be exploited by
attackers.
• How does it work (User & Organizational Measures)?
o For Users:
▪ Strong, unique passwords and multi-factor authentication.
▪ Privacy settings configuration (limiting who sees posts/info).
▪ Being wary of friend requests from strangers and clicking suspicious links.
▪ Avoiding oversharing sensitive personal information.
o For Organizations:
▪ Social media usage policies for employees.
▪ Monitoring brand mentions and social media channels for threats.
▪ Training employees on safe social media practices.
• Tools used:
o Built-in security and privacy features of social media platforms, password managers,
browser security extensions. Brand monitoring tools for organizations.
Topic 4: Cyber Security Vulnerabilities - Overview
• What is it?
o A general overview of weaknesses or flaws in systems, software, hardware, or
processes that can be exploited by a threat actor to cause harm or gain unauthorized
access.
• Why is it important?
o Understanding the landscape of vulnerabilities is essential for effective risk
management, prioritization of security efforts, and developing defensive strategies.
• How does it work (Categories/Examples)?
o Software Vulnerabilities: Bugs in code (e.g., buffer overflows, SQL injection, XSS).
o Hardware Vulnerabilities: Flaws in physical components (e.g., Spectre, Meltdown).
o Configuration Vulnerabilities: Misconfigured systems, default credentials.
o Policy/Process Vulnerabilities: Weak password policies, lack of user awareness
training.
o Human Vulnerabilities: Susceptibility to social engineering.
o The OWASP Top 10 (mentioned later) is a key list of web application vulnerabilities.
• Tools used:
o Vulnerability scanners (e.g., Nessus, OpenVAS). Web application scanners like
OWASP ZAP and Burp Suite identify web-specific vulnerabilities. DVWA kit is used to
practice identifying and exploiting common web vulnerabilities.
Topic 5: Vulnerabilities in Software
• What is it?
o Specific weaknesses or errors in the design, coding, or implementation of software
that can be exploited to compromise the security of the software or the system it
runs on.
• Why is it important?
o Software is ubiquitous, and vulnerabilities can lead to widespread attacks, data
breaches, system takeovers, and denial of service.
• How does it work (Common Types)?
o Injection flaws: SQL injection, command injection, LDAP injection.
o Buffer Overflows: Writing data beyond the allocated buffer, potentially overwriting
critical control data.
o Cross-Site Scripting (XSS): Injecting malicious scripts into web pages viewed by other
users.
o Insecure Deserialization: Exploiting how applications handle serialized data.
o Authentication/Authorization Flaws: Weak passwords, improper session
management, privilege escalation.
o Sensitive Data Exposure: Storing or transmitting sensitive data without proper
encryption.
• Tools used:
o Static Application Security Testing (SAST) tools (analyze source code).
o Dynamic Application Security Testing (DAST) tools (test running applications), such as
OWASP ZAP and Burp Suite.
o Fuzzers (input random data to find crashes/flaws).
o Debuggers.
Topic 6: System administration (Security Aspects)
• What is it?
o The security-related responsibilities and practices involved in managing and
maintaining computer systems and networks. This ensures systems are configured
and operated securely.
• Why is it important?
o System administrators are on the front lines of IT security. Proper administration is
crucial for preventing breaches, ensuring system availability, and maintaining data
integrity.
• How does it work (Key Security Tasks)?
o User account management (creation, permissions, deletion).
o Patch management and software updates.
o System hardening (disabling unused services, secure configurations).
o Backup and recovery procedures.
o Monitoring system logs and security alerts.
o Implementing and managing security tools (firewalls, IDS/IPS, antivirus).
o Incident response.
• Tools used:
o OS administration tools, scripting languages (PowerShell, Bash), configuration
management tools (Ansible, Puppet, Chef), monitoring tools, backup software.
WinAudit (listed later) can be used by sysadmins to get a detailed inventory and
configuration snapshot of Windows systems.
Topic 7: Complex Network Architectures (Security Considerations)
• What is it?
o The security challenges and strategies associated with designing, implementing, and
managing large, intricate, or distributed network infrastructures (e.g., enterprise
networks, cloud environments, IoT deployments).
• Why is it important?
o Complexity can increase the attack surface, make it harder to gain visibility, and
complicate the implementation of consistent security policies.
• How does it work (Security Approaches)?
o Network Segmentation: Dividing the network into smaller, isolated zones to limit the
blast radius of an attack.
o Defense in Depth: Layering multiple security controls.
o Centralized Security Management: Using tools like SIEM for unified visibility and
control.
o Zero Trust Architecture: Assuming no implicit trust, verifying everything.
o Automation: Using tools to automate security tasks and policy enforcement.
• Tools used:
o Firewalls (NGFWs), IDS/IPS, SIEM systems, network monitoring tools, vulnerability
scanners, NAC (Network Access Control) solutions.
Topic 8: Open Access to Organizational Data
• What is it?
o Situations where an organization's data is made accessible, either intentionally (e.g.,
public datasets, open APIs) or unintentionally (e.g., misconfigured cloud storage,
data leaks), without adequate restrictions.
• Why is it important?
o While open access can foster collaboration and transparency, uncontrolled open
access to sensitive organizational data can lead to data breaches, intellectual
property theft, privacy violations, and competitive disadvantage.
• How does it work (Risks and Controls)?
o Risks: Exposure of PII, financial data, trade secrets, strategic plans.
o Controls:
▪ Data classification to identify sensitive data.
▪ Strong access control mechanisms.
▪ Encryption for data at rest and in transit.
▪ Data Loss Prevention (DLP) tools.
▪ Regular security audits and vulnerability assessments (e.g., using OWASP
ZAP, Burp Suite for web-accessible data).
▪ Clear policies on data sharing and access.
• Tools used:
o DLP systems, encryption tools, access control management systems, data discovery
tools.
Topic 9: Weak Authentication
• What is it?
o Authentication mechanisms that are easily compromised, bypassed, or guessed,
failing to reliably verify the identity of a user or system.
• Why is it important?
o Weak authentication is a primary cause of unauthorized access and data breaches. If
an attacker can easily impersonate a legitimate user, other security controls may be
rendered ineffective.
• How does it work (Examples)?
o Using default, common, or easily guessable passwords.
o Lack of password complexity requirements.
o No multi-factor authentication (MFA).
o Storing passwords in plaintext or using weak hashing algorithms.
o Susceptibility to brute-force or credential stuffing attacks.
o Predictable password recovery mechanisms.
• Tools used:
o Attackers use password cracking tools (e.g., John the Ripper, Hashcat).
o Defenders use strong password policy enforcers, MFA solutions, password managers.
Burp Suite and OWASP ZAP can test for weak authentication on web applications.
Topic 10: Authorization
• What is it?
o The process of determining whether an authenticated user (or process) has the
necessary permissions to access a specific resource or perform a particular action. It
answers the question: "What is this user allowed to do?"
• Why is it important?
o Ensures the principle of least privilege, where users are only granted the access
necessary to perform their job functions. This limits the potential damage if an
account is compromised.
• How does it work (Mechanisms)?
o Access Control Lists (ACLs): Define permissions for specific users/groups on objects.
o Role-Based Access Control (RBAC): Permissions are assigned to roles, and users are
assigned to roles.
o Attribute-Based Access Control (ABAC): Access decisions are based on attributes of
the user, resource, and environment.
o Policies are enforced by the system or application.
• Tools used:
o Operating system permission systems, directory services (e.g., Active Directory), IAM
solutions, application-specific authorization modules.
Topic 11: Unprotected Broadband Communications
• What is it?
o Using broadband internet connections (e.g., Wi-Fi, DSL, cable modem) without
adequate security measures, making the transmitted data vulnerable to interception,
eavesdropping, or modification.
• Why is it important?
o Unsecured communications can expose sensitive information like login credentials,
financial details, and personal data to attackers on the same network or those who
can intercept traffic.
• How does it work (Examples & Mitigation)?
o Unsecured Wi-Fi: Open Wi-Fi networks or those using weak encryption (WEP, WPA).
▪ Mitigation: Use strong Wi-Fi encryption (WPA2/WPA3), strong router admin
passwords, disable WPS if not needed.
o Lack of End-to-End Encryption: Transmitting sensitive data over HTTP instead of
HTTPS.
▪ Mitigation: Use VPNs, ensure websites use HTTPS.
o Man-in-the-Middle (MitM) Attacks: Attackers intercepting and potentially altering
communications.
• Tools used:
o Attackers use packet sniffers (like Wireshark) and MitM tools.
o Defenders use VPNs, ensure SSL/TLS (HTTPS) for web traffic, secure Wi-Fi
configurations.
Topic 12: Poor Cyber Security Awareness
• What is it?
o A lack of understanding among users (employees, individuals) about cybersecurity
threats, risks, and best practices. This makes them more susceptible to attacks like
phishing, social engineering, and malware.
• Why is it important?
o The human element is often the weakest link in security. Even with strong technical
controls, unaware users can inadvertently cause security breaches.
• How does it work (Consequences & Improvement)?
o Consequences: Clicking malicious links, opening infected attachments, divulging
credentials, falling for scams, mishandling sensitive data.
o Improvement:
▪ Regular security awareness training programs.
▪ Phishing simulations.
▪ Clear security policies and procedures.
▪ Promoting a culture of security.
• Tools used:
o Security awareness training platforms, phishing simulation tools, educational
materials.
Topic 13: Cyber Security Safeguards- Overview
• What is it?
o A general overview of the various measures, controls, technologies, and practices
implemented to protect computer systems, networks, and data from cyber threats.
• Why is it important?
o A layered approach to security, employing multiple safeguards, is necessary to create
a robust defense against a wide range of attacks.
• How does it work (Categories)?
o Technical Safeguards: Firewalls, IDS/IPS, antivirus, encryption, access controls, MFA.
o Administrative Safeguards: Security policies, procedures, risk assessments, security
awareness training, incident response plans.
o Physical Safeguards: Locks, surveillance, access control to facilities.
o (Many topics from previous units fall under this umbrella).
• Tools used:
o The entire suite of security tools discussed throughout the units (firewalls, IDS/IPS,
vulnerability scanners, encryption tools, etc.).
Topic 14: Access control
• What is it?
o The selective restriction of access to a place or other resource. In cybersecurity, it's
the process of granting or denying specific requests to obtain and use information
and related information processing services. It involves Identification,
Authentication, and Authorization.
• Why is it important?
o Fundamental to protecting resources from unauthorized access, modification, or
destruction. Enforces who can do what with specific data or systems.
• How does it work?
1. Identification: Users claim an identity (e.g., username).
2. Authentication: Users prove their identity (e.g., password, MFA).
3. Authorization: The system determines what the authenticated user is permitted to do based
on policies and permissions (see Topic 10: Authorization).
o Models include Discretionary Access Control (DAC), Mandatory Access Control
(MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control
(ABAC) (see Topic 10).
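The three steps above, worked through as code. This is an added example written for these notes, not code from the original page or from any product it names: a small deny-by-default RBAC engine in which identification is the directory lookup, authentication is a salted PBKDF2 password check, and authorization is membership of the requested (resource, action) in the union of the user's role permissions. The users, passwords, roles and permissions are constructed sample data standing in for a directory service.

```python
"""Access-control demo (added example, not from the original notes): the
identification, authentication and authorization steps as a small
deny-by-default role-based (RBAC) policy engine. Users, roles and
permissions are constructed sample data standing in for a directory service."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000

# Role -> set of (resource, action) permissions. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "reader": {("document", "read")},
    "editor": {("document", "read"), ("document", "write")},
    "admin":  {("document", "read"), ("document", "write"),
               ("document", "delete"), ("user", "manage")},
}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "roles": set(roles)}


# Constructed sample directory (in practice: OS accounts, LDAP/AD, an IAM system).
USERS = {
    "alice": make_user("correct horse battery staple", {"editor"}),
    "bob":   make_user("bob-password-1", {"reader"}),
    "carol": make_user("carol-password-1", {"admin"}),
}

# Used for unknown usernames so a failed login costs the same time either way.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)


def authenticate(username: str, password: str) -> bool:
    """Steps 1 and 2: look up the claimed identity, then prove it.
    An unknown user still pays one PBKDF2 run, so response time does not
    reveal which usernames exist, and the constant-time compare avoids
    leaking how many hash bytes matched."""
    record = USERS.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    matched = hmac.compare_digest(hash_password(password, salt), expected)
    return matched and record is not None


def permissions_for(username: str) -> set:
    """Union of the permissions of every role the user holds."""
    record = USERS.get(username)
    perms = set()
    for role in (record["roles"] if record else ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(username: str, resource: str, action: str) -> bool:
    """Step 3: deny by default; allow only if some role grants (resource, action)."""
    return (resource, action) in permissions_for(username)


def request_access(username: str, password: str, resource: str, action: str) -> str:
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not permitted"
    return "allowed"


if __name__ == "__main__":
    for args in (("alice", "correct horse battery staple", "document", "write"),
                 ("alice", "correct horse battery staple", "document", "delete"),
                 ("bob", "wrong-password", "document", "read"),
                 ("mallory", "anything", "document", "read")):
        print(args[0], args[2], args[3], "->", request_access(*args))
```

Two details matter more than the data model: the policy never has an "allow" fallback, so a new resource or action is unreachable until a role explicitly grants it, and a failed authentication returns the same message whether the username exists or not.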
• Tools used:
o Operating system security mechanisms, directory services (Active Directory, LDAP),
IAM systems, network access control (NAC) solutions, physical access control
systems.
Topic 15: IT Audit
• What is it?
o The examination and evaluation of an organization's information technology
infrastructure, policies, and operations. IT audits determine whether IT controls
protect corporate assets, ensure data integrity, and align with the business's overall
goals.
• Why is it important?
o Helps ensure compliance with regulations (e.g., GDPR, HIPAA, PCI DSS), identify
security risks and vulnerabilities, verify the effectiveness of controls, and provide
recommendations for improvement.
• How does it work?
o Involves:
▪ Planning: Defining scope and objectives.
▪ Fieldwork: Gathering evidence through interviews, system reviews, log
analysis, control testing, vulnerability assessments.
▪ Analysis: Evaluating evidence against audit criteria.
▪ Reporting: Documenting findings, conclusions, and recommendations.
• Tools used:
o Audit management software, vulnerability scanners, log analysis tools, compliance
checking tools. WinAudit can be used to gather system information for an IT audit on
Windows systems. Data from tools like OWASP ZAP or Burp Suite would feed into a
web application IT audit.
Topic 16: Authentication
• What is it?
o The process of verifying the identity of a user, process, or device. It answers the
question: "Are you who you say you are?"
• Why is it important?
o It's the gateway to accessing systems and data. Strong authentication is critical to
prevent unauthorized access.
• How does it work (Factors)?
o Something you know: Passwords, PINs.
o Something you have: Security tokens, smart cards, mobile phone (for OTPs).
o Something you are: Biometrics (fingerprint, facial recognition, iris scan).
o Multi-Factor Authentication (MFA): Uses two or more different factors to verify
identity.
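The factor model becomes concrete when two factors are checked in one login. The script below is an added example written for these notes, not code from the original page or from any authenticator product it names: "something you know" is a password stored as a scrypt hash, "something you have" is a TOTP code (RFC 6238, the algorithm behind Google Authenticator and Authy) generated from a shared secret. The secret is RFC 6238's reference secret so that RFC's published test values apply; the user record and the passwords are constructed sample data.

```python
"""MFA demo (added example, not from the original notes): a login that needs
"something you know" (a password, stored as a scrypt hash) and "something
you have" (a TOTP code, RFC 6238, as generated by an authenticator app).
The user record and secret below are constructed sample data."""
import base64
import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30      # seconds per code, the authenticator-app default
TOTP_DIGITS = 6

# RFC 6238's reference secret, so the test vectors in that RFC apply here.
SECRET = b"12345678901234567890"
# What the app would be given at enrolment (the secret, base32-encoded).
ENROL_KEY = base64.b32encode(SECRET).decode()

_salt = os.urandom(16)
USER = {
    "username": "alice",
    "salt": _salt,
    "pw_hash": hashlib.scrypt(b"correct horse battery staple", salt=_salt, n=2**14, r=8, p=1),
    "totp_secret": SECRET,
    "last_counter": -1,   # highest TOTP time-step already accepted (replay guard)
}


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int, window: int = 1):
    """Return the accepted time-step, or None.

    A window of +/-1 step tolerates clock drift between phone and server.
    Steps at or below last_counter are refused, so a code sniffed and replayed
    inside that window is rejected instead of being accepted a second time."""
    base = at // TOTP_STEP
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter > last_counter and hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def login(password: str, code: str, at=None) -> str:
    """Both factors must pass. Distinct failure messages are kept for the demo;
    a production login should return one generic failure for either factor."""
    if at is None:
        at = int(time.time())
    pw_hash = hashlib.scrypt(password.encode(), salt=USER["salt"], n=2**14, r=8, p=1)
    if not hmac.compare_digest(pw_hash, USER["pw_hash"]):
        return "denied: bad password"
    counter = verify_totp(USER["totp_secret"], code, at, USER["last_counter"])
    if counter is None:
        return "denied: bad or replayed code"
    USER["last_counter"] = counter
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    print("enrol key:", ENROL_KEY)
    print(login("correct horse battery staple", totp(SECRET, now), now))
    print(login("correct horse battery staple", totp(SECRET, now), now))  # replay refused
```

The replay guard is the part most home-grown TOTP verifiers omit: without it, a code captured from an unprotected connection stays valid for the whole drift window, which defeats the point of the second factor.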
• Tools used:
o Password management systems, MFA solutions (e.g., Google Authenticator, Authy,
hardware tokens), biometric scanners, RADIUS/TACACS+ servers for centralized
authentication.
Topic 17: Open Web Application Security Project (OWASP)
• What is it?
o OWASP (originally the Open Web Application Security Project, renamed the Open
Worldwide Application Security Project in 2023) is a non-profit foundation that
works to improve the security of software. It is a worldwide community focused on
application security, providing free and open resources.
• Why is it important?
o OWASP produces widely recognized and respected resources, including:
▪ OWASP Top 10: A list of the most critical web application security risks.
▪ OWASP Web Security Testing Guide (WSTG): A comprehensive guide for testing
web application security.
▪ OWASP Application Security Verification Standard (ASVS): A list of security
requirements at three verification levels, used both as a requirements
baseline for developers and as criteria for security testing.
▪ Various open-source security tools (e.g., OWASP ZAP).
• How does it work?
o Through community collaboration, research, development of documentation, tools,
and standards. Volunteers contribute to projects, chapters, and events.
• Tools used (developed/promoted by OWASP):
o OWASP ZAP (Zed Attack Proxy): A powerful, free, open-source web application
security scanner and penetration testing tool.
o OWASP Dependency-Check: Scans for known vulnerabilities in project dependencies.
o And many other projects listed on their website.
Topic 18: Web Site Audit and Vulnerabilities assessment
• What is it?
o A systematic examination of a website's security posture to identify vulnerabilities,
misconfigurations, and other security weaknesses. This involves both automated
scanning and manual testing.
• Why is it important?
o Websites and web applications are frequent targets of attack. Audits and
assessments help organizations understand their web security risks and take steps to
mitigate them before they are exploited.
• How does it work?
o Reconnaissance: Gathering information about the web application and its
infrastructure.
o Automated Scanning: Using tools to identify common vulnerabilities (e.g., XSS, SQLi,
misconfigurations).
o Manual Testing: In-depth testing by security professionals to find more complex or
business logic flaws.
o Vulnerability Analysis: Assessing the severity and impact of identified vulnerabilities.
o Reporting: Documenting findings and providing remediation recommendations.
o Often guided by frameworks like the OWASP Testing Guide.
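Most of the "automated scanning" step is passive: the scanner watches every response that passes through its proxy and flags missing or weak headers and cookie flags. The script below is an added example written for these notes, not code from the original page, from OWASP ZAP or from Burp Suite: it applies that class of check offline to two constructed HTTP responses, one typical of an unhardened PHP login page and one after remediation, so the logic can be read and tested. Both responses, the server banners and the cookie values are constructed sample data.

```python
"""Passive web-audit checks (added example, not from the original notes):
the response-header and cookie checks an automated scanner such as OWASP
ZAP or Burp runs passively on every proxied response, applied offline to
two constructed HTTP responses so the logic can be read and tested."""
import re

# Constructed sample: a typical out-of-the-box PHP login page served over HTTPS.
RESPONSE_WEAK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    b"\r\n"
    b"<html><body>Login</body></html>"
)

# Constructed sample: the same page after remediation.
RESPONSE_HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"\r\n"
    b"<html><body>Login</body></html>"
)


def parse_response(raw: bytes):
    """Return (status_line, [(name, value), ...], body); names lower-cased,
    kept as a list because Set-Cookie may legitimately repeat."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def values(headers, name: str) -> list[str]:
    return [v for n, v in headers if n == name]


def passive_checks(raw: bytes, https: bool = True) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs. Severities follow the Info/Low/Medium
    habit of scanner output; they are a triage aid, not a risk rating."""
    _status, headers, _body = parse_response(raw)
    findings = []
    if https and not values(headers, "strict-transport-security"):
        findings.append(("medium", "Missing Strict-Transport-Security header"))
    csp = values(headers, "content-security-policy")
    if not csp:
        findings.append(("medium", "Missing Content-Security-Policy header"))
    if "nosniff" not in [v.lower() for v in values(headers, "x-content-type-options")]:
        findings.append(("low", "Missing X-Content-Type-Options: nosniff"))
    if not values(headers, "x-frame-options") and not any("frame-ancestors" in v for v in csp):
        findings.append(("medium", "Clickjacking: no X-Frame-Options and no CSP frame-ancestors"))
    for name in ("server", "x-powered-by"):
        for value in values(headers, name):
            if re.search(r"\d", value):   # a version number, not just a product name
                findings.append(("info", f"Version disclosure in {name}: {value}"))
    for cookie in values(headers, "set-cookie"):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            findings.append(("medium", f"Cookie {cname} without Secure flag"))
        if "httponly" not in attrs:
            findings.append(("low", f"Cookie {cname} without HttpOnly flag"))
        if "samesite" not in attrs:
            findings.append(("low", f"Cookie {cname} without SameSite attribute"))
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", RESPONSE_WEAK), ("hardened", RESPONSE_HARDENED)):
        print(f"{label}: {len(passive_checks(raw))} finding(s)")
        for severity, finding in passive_checks(raw):
            print(f"  [{severity}] {finding}")
```

A real scanner adds active checks (sending XSS and SQLi probes) on top of this, and the manual-testing step covers what neither can judge, such as whether a logged-in user can reach another user's records.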
• Tools used:
o OWASP ZAP (Zap proxy): For automated scanning, manual testing, and
intercepting/modifying web traffic.
o Burp Suite: A comprehensive platform for web application security testing (similar
capabilities to ZAP, with commercial versions offering more features).
o Other scanners: Nikto (web server scanner for dangerous files, outdated
software and misconfigurations), sqlmap (automated SQL injection detection and
exploitation).
o DVWA kit (Damn Vulnerable Web Application): Not an audit tool itself, but a
deliberately vulnerable web application used for practicing web vulnerability
assessment techniques.
Topic 19: Open Source/ Free/ Trial Tools
• What are they?
o These are the specific tools listed in the syllabus for hands-on practice or
understanding.
o 19.A. WinAudit
▪ What: A free inventory utility for Windows computers. It creates a
comprehensive report on a machine's configuration, hardware, and
software.
▪ Why: Useful for system administration, IT audits, compliance checking, and
tracking system changes.
▪ How it works: Scans the system registry, WMI, and other sources to gather
detailed information.
▪ Tool Focus: System inventory and audit.
o 19.B. Zap proxy (OWASP ZAP)
▪ What: An open-source web application security scanner. It's an OWASP
flagship project.
▪ Why: Helps developers and security professionals find and fix vulnerabilities
in web applications.
▪ How it works: Can act as a man-in-the-middle proxy to intercept and modify
web traffic, perform active and passive scanning for vulnerabilities (like XSS,
SQLi, etc.), and includes features for spidering, fuzzing, and scripting.
▪ Tool Focus: Web application security testing.
o 19.C. Burp Suite
▪ What: An integrated platform for performing security testing of web
applications. It has a free Community Edition and a paid Professional Edition.
▪ Why: Widely used by security professionals for comprehensive web
application vulnerability assessment and penetration testing.
▪ How it works: Includes an intercepting proxy, a crawler (spider), a web
application vulnerability scanner (Professional Edition only), Intruder (for
automated custom attacks; rate-limited in the Community Edition), Repeater
(for manually modifying and resending requests), and Sequencer (for analyzing
session token randomness).
▪ Tool Focus: Web application security testing.
o 19.D. DVWA kit (Damn Vulnerable Web Application)
▪ What: A PHP/MySQL web application that is damn vulnerable. Its main goals
are to be an aid for security professionals to test their skills and tools in a
legal environment, help web developers better understand the processes of
securing web applications, and aid teachers/students to teach/learn web
application security in a classroom environment.
▪ Why: Provides a safe and legal environment to practice identifying and
exploiting common web vulnerabilities.
▪ How it works: Contains intentionally flawed code that exhibits vulnerabilities
like SQL Injection, XSS, LFI/RFI, Command Injection, etc., at varying difficulty
levels.
▪ Tool Focus: Web application security training and practice.
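The first DVWA exercise most students do is the SQL Injection module, and its lesson is clearest when the vulnerable query and the fixed one sit side by side. The script below is an added example written for these notes, not DVWA's own PHP code: it reproduces the pattern in Python against an in-memory SQLite database, with DVWA-style tautology and UNION payloads, and shows that a parameterised query (plus input validation as a second layer) returns nothing for the same payloads. The users table and its rows are constructed sample data.

```python
"""SQL injection demo (added example, not from the original notes): the
pattern DVWA's SQL Injection module teaches, reproduced against an in-memory
SQLite database so the vulnerable query and its parameterised fix can be
compared side by side. The users table is constructed sample data."""
import sqlite3


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users (first_name, last_name) VALUES (?, ?)",
        [("admin", "admin"), ("Gordon", "Brown"), ("Hack", "Me"),
         ("Pablo", "Picasso"), ("Bob", "Smith")],
    )
    return conn


def lookup_vulnerable(conn, user_id: str) -> list:
    """DVWA 'low' style: the user-supplied id is pasted straight into the SQL text,
    so quotes in the input change the structure of the query."""
    sql = f"SELECT first_name, last_name FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id: str) -> list:
    """Parameterised query: the value travels separately from the SQL text and
    is never parsed as SQL, whatever characters it contains. Checking that the
    id is an integer at all is a second, independent layer."""
    if not user_id.isdigit():
        return []
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


# Classic payloads from the DVWA exercises.
TAUTOLOGY = "1' OR '1'='1"                                   # every row
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master -- "  # table definitions


if __name__ == "__main__":
    conn = setup()
    print("vulnerable, id=1        :", lookup_vulnerable(conn, "1"))
    print("vulnerable, tautology   :", lookup_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, schema dump :", lookup_vulnerable(conn, SCHEMA_DUMP))
    print("safe, id=1              :", lookup_safe(conn, "1"))
    print("safe, tautology         :", lookup_safe(conn, TAUTOLOGY))
```

Note that the fix is the placeholder, not escaping quotes by hand: the UNION payload contains no special characters that escaping would catch once an application switches to numeric columns, whereas a bound parameter can never change the query's structure.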
This covers the topics listed for Unit-4.