GOOD LUCK to Final Exams

Don’t worry! You are best!

Read all things may be there are not some information in lecture notes, But these are
enough for getting 70+

Lecture 1: Introduction to Information Security

1. CIA Triad

• Confidentiality: Ensures that data is accessible only to those authorized

to have access. It's crucial for protecting sensitive information from
unauthorized users.
• Integrity: Assures the accuracy and completeness of data. This involves
protecting data from being altered by unauthorized individuals and
ensuring that data remains unchanged unless by a legitimate process.
• Availability: Ensures that data and resources are available to authorized
users when needed. This involves keeping systems up and running, even in
the face of errors or attacks.

2. Security Layers

• Physical Security: Protects the physical assets of an organization, like

buildings and hardware, from physical threats such as theft or natural
disasters.
• Personnel Security: Involves ensuring that employees and contractors are
reliable and do not pose a security risk to the organization.
• Operations Security: Protects the details of a particular operation or
series of activities to prevent sensitive information from falling into the
wrong hands.
• Communications Security: Ensures that communications are secure and
cannot be intercepted or tampered with.
• Network Security: Protects network infrastructure and defends against
unauthorized access and cyberattacks.
• Information Security: Encompasses measures used to protect the
confidentiality, integrity, and availability of computer system data from
those with malicious intentions.

3. Security Attributes (additional to CIA)

 • Accountability: Ensures that all actions on a system can be attributed to a
specific individual.
• Accuracy, Authenticity, Awareness: Ensuring that data is correct,
genuine, and that there is an understanding of potential security risks.

4. Types of Attacks

• Interception: Unauthorized gaining of access to data, e.g., eavesdropping

on transmissions.
• Interruption: Attacks that stop the systems from operating, such as Denial
of Service (DoS) attacks.
• Modification: Unauthorized changes to data, which could involve altering
database records without permission.
• Fabrication: Creation of fake data or transactions, such as falsifying
records or communications.

5. Threats, Vulnerabilities, and Risk

• Threat: Any potential occurrence that could cause an unwanted impact

through damage or unauthorized access.
• Vulnerability: A weakness which can be exploited by a threat to gain
unauthorized access to an asset.
• Risk: The potential for loss or damage when a threat exploits a
vulnerability.
Lecture 2: Ethical Hacking Fundamentals

What is Security Testing?

• Security Testing: This is the process used to identify weaknesses in the security
of information systems, aiming to protect against threats and maintain the
confidentiality, integrity, and availability (CIA) of the information.

Types of Security Activities

• Security Audit: An independent review and examination of a system's records

and activities to determine the adequacy of system controls, ensure compliance
with established policies and operational procedures, and recommend necessary
changes in controls, policies, or procedures.
• Vulnerability Assessment (VA): Involves systematically identifying, quantifying,
and prioritizing (or ranking) the vulnerabilities in a system.
• Penetration Testing (Pentest): An authorized simulated attack on a computer
system, performed to evaluate the security of the system. Not just identifying but
actively exploiting security vulnerabilities.
• Red Teaming: Involves a team mimicking the behavior and techniques of
potential attackers in the most realistic way possible. The goal is to test an
organization's real-world exposure to risk.
• Ethical Hacking: Similar to penetration testing but involves broader agreements
that may include more aggressive and creative attacks to uncover potential entry
points.

Methodologies

• The methodologies in pentesting typically follow structured steps such as

planning, reconnaissance, scanning, gaining access, maintaining access, and
covering tracks. Specific frameworks include:
 • OWASP Testing Guide: Provides a framework for performing web
application penetration tests and security assessments.
• NIST SP 800-115: Provides guidelines on conducting security testing and
assessment.
• OSSTMM (Open Source Security Testing Methodology Manual): Offers
a methodology for a comprehensive security test.
• PTES (Penetration Testing Execution Standard): Provides a baseline
standard for penetration testing.

Red Team vs. Blue Team

• Red Team: Acts as the offensive group, aiming to exploit vulnerabilities and
circumvent or defeat security features of a system.
• Blue Team: Defensive team, responsible for defending against the Red Team’s
attempts by detecting and responding to the attacks.
• Purple Team: Not always mentioned but involves the integration of both Red
and Blue team efforts to maximize both offensive and defensive tactics as a
unified security effort.

Pentest

• Goal of the Pentest: To simulate a real-world attack to identify what an

adversary could access or affect within a system. It's about finding a path through
vulnerabilities that could be exploited in a real attack.
Lecture 3: Information Security Threats and Vulnerabilities

Threats

• Threat: Defined as any potential negative action or event that leverages a

vulnerability to harm the information system or organization. Threats can lead to
the unauthorized disclosure, alteration, or destruction of information.

Vulnerabilities

• Vulnerability: Refers to any weakness within an information system, procedural

controls, or internal controls that could potentially be exploited to gain
unauthorized access or cause damage. Vulnerabilities are the specific gaps or
weaknesses that threats can exploit.

Attacks

• Attack: Any attempt to expose, alter, disable, destroy, steal, or gain unauthorized
access to or use of an asset. Attacks are the actual exploitation of vulnerabilities
by threats.

Types of Threats

• Natural threats: Events such as natural disasters that can physically damage
infrastructure.
• Intentional threats (Human): Deliberate attacks like hacking, phishing, or
insider threats.
• Unintentional threats (Human): Accidental actions by users or system operators
that compromise security.
• Hardware threats: Failures or malfunctions in hardware that lead to security
breaches or data loss.
Types of Attacks

• Network-based attacks: These include DDoS (Distributed Denial of Service), DoS

(Denial of Service), sniffing, eavesdropping, and spoofing which target the
network infrastructure.
• Social engineering attacks: These manipulate individuals into breaking normal
security procedures. They include phishing, smishing, vishing, pretexting, whaling,
and watering hole attacks.
• Bypass of security measures: Techniques like backdoor entries, brute-force
attacks, man-in-the-middle attacks, and replay attacks that directly target the
integrity and confidentiality of data.

Primary Vulnerabilities or Weaknesses

• Technology weaknesses: Include vulnerabilities in protocols, operating systems,

and network equipment.
• Configuration weaknesses: Stem from improperly configured systems, such as
unsecured user accounts or misconfigured internet services.
• Security policy weaknesses: Arise from inadequate policies or procedures, such
as a lack of a written security policy or insufficient logical access controls.

Malicious Software Types

• Viruses: Malicious software that attaches to another program and can replicate
itself to spread, requiring user interaction to spread.
• Spyware: Software that secretly gathers user information through the user's
internet connection without their knowledge, typically for advertising purposes.
• Malware and Trojans: Malware refers to various forms of harmful software,
including viruses and trojans, which are deceptive software that carry an
additional, hidden harmful function.
• Ransomware: Malicious software that encrypts the user's data and demands
payment in return for the decryption key.
• Worms: Similar to viruses, but are self-replicating and do not require user
interaction to spread.

Password Security

• Password Attacks: Include brute-force attacks, where every possible

combination is tried; dictionary attacks, using a prearranged list of likely
passwords; and rainbow table attacks, which use precomputed tables of hash
values to crack passwords.

Tools and Mitigations for Password Security

• Password Managers: Software like LastPass, BitWarden, and iCloud Keychain

help manage and generate strong passwords.
 • Password Attack Tools: Tools such as Hashcat and John the Ripper are used for
cracking passwords by employing various attack strategies.

Lecture 4: Cryptography

Cryptography Basics

• Cryptology: The broader field that encompasses both the creation and breaking
of cryptographic techniques.
• Steganography: The art of hiding information within other non-secret text or
data to prevent detection.
• Cryptography: The science of creating techniques to secure communication in
the presence of adversaries. This includes techniques for ensuring the privacy and
integrity of information.
• Cryptanalysis: The science of breaking encrypted texts, recovering encrypted
data without the key, or finding weaknesses in cryptographic algorithms.

General Cryptographic Schema

• Plaintext: Original readable message or data that is fed into the encryption
algorithm.
• Encryption: The process of converting plaintext into ciphertext using a key to
make it unreadable to unauthorized users.
• Ciphertext: The scrambled and unreadable output of encryption, which can only
be understood if decrypted.
• Decryption: The process of converting ciphertext back to plaintext using a key.

Types of Ciphers

• Substitution Cipher: Involves replacing one element (character, bit) of the

plaintext with another. Examples include the Caesar Cipher, Monoalphabetic
Cipher, and Polyalphabetic Cipher.
• Transposition Cipher: Involves rearranging the order of elements in the plaintext
to hide the original message. Examples include Columnar Transposition and Rail
Fence Cipher.

Caesar Cipher

• An early form of substitution cipher where each letter in the plaintext is shifted a
certain number of places down or up the alphabet.
Cryptography Terms

• Encoding: The act of changing a message into another format, through methods
like ASCII, Unicode, or Base64.
• Encryption vs. Encoding: While both processes transform data, encryption is
designed for securing data which encoding is not. Encryption requires a key to
decrypt, whereas encoding is reversible by design.

Encryption Algorithms

• Symmetric Encryption Algorithms: Use a single key for both encryption and
decryption. Examples include AES and DES.
• Asymmetric Encryption Algorithms: Use a pair of keys (public and private)
where one key encrypts and the other decrypts. Examples include RSA and ECC.

Hashing

• Hash Functions: Convert data of arbitrary size to fixed-size values. Hashing is a

one-way function — once you compute the hash, it is infeasible to revert it back
to the original data.
• Characteristics of Cryptographic Hash Functions: They must be deterministic,
fast, pre-image resistant, and have the avalanche effect, among others.
Lecture 5: Cyber Reconnaissance

What is Cyber Reconnaissance?

• Cyber Reconnaissance (Recon): The initial phase in any cyber attack where the
attacker gathers information about the target to identify weak points and
potential entryways into systems.

Types of Cyber Reconnaissance

• Active Reconnaissance: Involves directly interacting with the target to gather

data. This might include actions like scanning ports with tools like Nmap,
attempting to establish connections with systems, or engaging directly with
employees through social engineering.
• Passive Reconnaissance: Involves gathering information without directly
interacting with the target. This could include collecting data from publicly
available sources like DNS records, WHOIS information, and social media
platforms.

Techniques and Tools

• OSINT (Open Source Intelligence): Gathering intelligence from publicly

accessible sources to learn about a target's technology stack, security posture,
and organizational behavior. Tools often used for OSINT include search engines,
social media platforms, and specialized sites like Shodan.io or BuiltWith.
• WHOIS Lookup: Utilizing WHOIS databases to gather registrant information
about domain names, which can include the name, address, and contact
information of domain owners.
• DNS Reconnaissance (Nslookup/Dig): Using DNS lookup tools to gather data
about domain name configurations and associated IP addresses. This can help in
mapping the network structure of the target.
• Shodan.io: A search engine that lets users find specific types of computers
connected to the internet using a variety of filters, providing insights into the
devices and services that are publicly visible on a network.

Cyber Reconnaissance for Defense

• Monitoring WHOIS and DNS: Keeping track of changes in DNS and WHOIS
entries can alert organizations to potential unauthorized changes or interest from
threat actors.
 • Utilizing Reconnaissance Tools for Defense: Tools like NMAP and Shodan can
also be used defensively to audit external visibility and discover what an attacker
might see when they look at the network.
• Educating on Social Engineering: Training employees on the risks of social
engineering and active reconnaissance tactics can reduce the risk of information
leakage that could be used in an attack.

Additional Tools Mentioned

• Netcraft: Provides information about what internet technologies websites use,

and is often used for reconnaissance to understand security parameters and
technology stacks of potential targets.
• Wappalyzer: A tool for identifying technologies used on websites, which can
reveal software that might have known vulnerabilities.

Passive Reconnaissance Tools and Methods

Passive reconnaissance involves collecting information without directly engaging with

the target system. This approach minimizes the risk of detection.

1. OSINT (Open Source Intelligence)

• Utilizing public databases, social media platforms, forums, and websites.

• Tools: Google, Bing, social media platforms (LinkedIn, Facebook),
specialized sites (Shodan.io, BuiltWith).

2. WHOIS Lookup

• Accessing WHOIS databases to gather registered information about

domain names such as registrant contact details.
• Tools: WHOIS command-line tools, online services like
whois.domaintools.com, whois.net.

3. DNS Reconnaissance (Nslookup/Dig)

• Using DNS lookup tools to retrieve domain name configurations, which

can include details about subdomains and IP addresses.
• Tools: Nslookup, Dig.

4. Shodan.io
 • A search engine that lets users find specific types of connected devices
(servers, routers, etc.) accessible over the internet.
• Used for identifying devices and services that are publicly visible on a
network.

5. DNSDumpster

• A web-based tool that provides detailed DNS and subdomain information

about a target domain.

Active Reconnaissance Tools and Methods

Active reconnaissance involves interacting with the target system directly to gather
information. This method is riskier as it might alert the target about the reconnaissance
activity.

1. NMAP

• A network scanning tool used to discover hosts and services on a

computer network by sending packets and analyzing the responses.
• Used for detecting open ports, services running on ports, and operating
system details.

2. Netcraft

• Provides information about what internet technologies are used on

websites and can assist in network mapping.
• Used to find additional network-related information such as server
locations and software versions.

3. Wappalyzer

• A cross-platform utility that uncovers the technologies used on websites,

useful for identifying potential software vulnerabilities.
• Installed as a browser extension or used via a web interface to analyze the
technologies on a site.

4. Social Engineering

• Actively engaging with employees or systems through phishing,

pretexting, or other direct contact methods to extract sensitive
information.
• Includes phone calls, emails, or physical visits under false pretenses.
Lecture 6: Authentication and Authorization

Authentication

• Authentication: The process of verifying the identity of a user or system. It is a

way to ensure that the person or entity claiming an identity is indeed who they
claim to be. This typically involves presenting evidence of identity, such as a
password, which only the authentic user should possess.

Authorization

• Authorization: The process of granting or denying specific privileges or access

to resources to an authenticated user. While authentication verifies who the user
is, authorization determines what an authenticated user is allowed to do.

Authentication Factors

• Knowledge Factors: Something the user knows, such as a password or PIN.

• Ownership Factors: Something the user has, such as a security token,
smartphone, or smart card.
• Inherence Factors: Something the user is or does, such as a fingerprint, facial
recognition, or other biometrics.

Types of Authentication

• Single-factor Authentication: Involves only one factor, typically a password.

• Two-factor Authentication (2FA): Requires two distinct forms of identification.
For example, a password plus a code sent to the user’s phone.
• Multi-factor Authentication (MFA): Involves two or more credentials to verify a
user’s identity. The more factors used, the greater the security.

AAA Concept
 • AAA (Authentication, Authorization, and Accounting): A framework for
intelligently controlling access to computer resources, enforcing policies, auditing
usage, and providing the information necessary to bill for services.

Access Control Models

• Discretionary Access Control (DAC): Allows the resource owner to decide who
can access specific resources. Example: A file owner decides who can access the
file.
• Mandatory Access Control (MAC): Controls are enforced by a central authority
based on multiple levels of security. Often used in government and military
environments.
• Role-Based Access Control (RBAC): Access decisions are based on the roles
that individual users have as part of an organization.
• Rule-Based Access Control (RBAC): Access is allowed or denied to resources
based on a set of rules defined by the system administrator.

Common Vulnerabilities

• Credentials Over Unencrypted Channels: Sending usernames, passwords, or

other sensitive information over non-encrypted connections can allow attackers
to easily intercept and steal data.
• Inadequate Password Policies: Weak password policies allow attackers to guess
or brute-force passwords.
• Password Storage: Passwords should never be stored in clear text. They should
be stored in a hashed format, ideally with a salt to prevent the use of
precomputed hash databases (rainbow tables).
• User Enumeration: If error messages differentiate between "incorrect username"
and "incorrect password," an attacker can use this information to determine valid
usernames.

Security Mechanisms

• Lockout Mechanisms: To prevent brute-force attacks, systems can lock a user

account after a certain number of failed login attempts.
• CAPTCHA: Tools that differentiate humans from machines. CAPTCHAs can
prevent automated systems from performing actions that require human
behavior, such as submitting forms.
• Password Reset Features: Should be secure and may involve multiple steps,
including secret questions, to confirm the user’s identity before allowing a
password reset.

Advanced Considerations
 • Session Management: Ensuring that session IDs are secure and not easily
guessable. Proper handling of session expiration and user logouts to prevent
session hijacking.
• Authorization Bypass: Protecting against flaws like Broken Access Control,
where attackers manipulate the system to access unauthorized functionality or
data.

Lecture 7: Incident Response and Management

What is an Incident?

• Incident: Defined as any action or activity—accidental or deliberate—that

compromises the confidentiality, integrity, or availability of data and IT resources.
It also includes instances of technology misuse such as fraud, theft, and policy
violations.

Cyber Incident Statistics

• Statistics Highlight: Emphasizes the prevalence and impact of cyber incidents,

such as the high percentage of organizations affected by data breaches, the
significant costs associated with ransomware attacks, and the commonality of
phishing as an attack vector.

What is Incident Response?

• Incident Response (IR): The organized approach to addressing and managing

the aftermath of a security breach or cyberattack. The aim is to handle the
situation in a way that limits damage and reduces recovery time and costs.

Approaches to Cybersecurity Incident Response

• PICERL: An incident response model by SANS that stands for Preparation,

Identification, Containment, Eradication, Recovery, and Lessons Learned.
• SOAR: Security Orchestration, Automation, and Response—a model that enables
organizations to respond automatically to security events.
• DAIR: Dynamic Approach to Incident Response, which suggests a flexible and
ongoing response cycle with waypoints like preparation, detection, verification,
and triage.

Handling an Incident
 • IR Tasks:
• Develop IR policies and procedures.
• Conduct regular risk analysis and vulnerability assessments.
• Monitor for and report suspicious events.
• Provide IR training and security exercises.
• Run analysis/forensics and coordinate response efforts.

IR Lifecycle

• Preparation Phase: Includes defining roles, responsibilities, setting up training

for responders, creating IR and communication plans, and ensuring proper access
rights and tools are available.
• Detection and Analysis: Monitoring and analyzing network traffic and logs to
detect and assess unusual activities potentially indicative of a security incident.
• Containment: Immediate actions to limit the spread or escalation of an incident.
• Eradication: Steps to completely remove the threat from the organization’s
environment.
• Recovery: Actions to restore and validate system functionality for business
operations after an incident.
• Lessons Learned: Reviewing and learning from the incident to improve future
response efforts.

Key Concepts in Incident Response

• Incident Response Plan: A detailed plan that outlines the processes for
managing a cyber incident.
• Communication Plan: How the organization will communicate internally and
externally during an incident.
• Roles and Responsibilities: Clearly defined roles for the incident response team
and other stakeholders.
• Training and Awareness: Ongoing education and exercises to prepare staff for
potential incidents.
• Policy and Procedure Development: Establishing guidelines that dictate how
incidents should be handled.

Incident Response Tools and Techniques

• Forensic Tools: Used during the 'Analysis' phase to gather and preserve evidence
from incidents.
• Automated Security Systems: Employed to detect and respond to incidents in
real time.
• Simulation Exercises: Regularly conducted to test the effectiveness of the
incident response plan and team.
Lecture 8: Social Engineering and Countermeasures

Social Engineering Overview

• Social Engineering: The art of manipulating people so they give up confidential

information. Techniques are typically non-technical and exploit the human
element of security systems.

Key Principles of Social Engineering

• Robert Cialdini's Principles: These principles explain how social engineers

manipulate individuals into disclosing sensitive information or performing actions
that may compromise security.
• Reciprocity: People tend to return favors.
• Commitment and Consistency: People like to be consistent with what
they have previously said or done.
• Social Proof: People will do things they see other people doing.
• Authority: People tend to obey authority figures.
• Liking: People are more easily persuaded by others whom they like.
• Scarcity: Perceived scarcity will generate demand.

Phases of a Social Engineering Attack

• Phase 1: Reconnaissance: Collecting as much information as possible about the

target to make the attack more credible.
• OSINT: Gathering data from publicly accessible sources to learn about
potential targets.
• Choosing the Victim: Identifying someone within the organization who
might have access to the targeted information.
 • Phase 2: Victim Approach: Initiating contact with the victim using the gathered
information to exploit one or more of the key principles of influence.
• Approach Methods: Could be via phone, email, or social networks, rarely
face-to-face.

Social Engineering Attack Vectors

• Vishing: Voice phishing where the attacker uses a phone call to deceive the
victim.
• Spear Phishing: Highly targeted phishing attacks via email.
• Tailgating: Gaining unauthorized access to restricted areas by following
someone.
• Smishing: SMS phishing.
• Watering Hole: Compromising a commonly used and trusted website.
• Quid Pro Quo: Offering something in exchange for information or access.

Countermeasures

• Education and Awareness: Training employees on how to recognize social

engineering tactics and encouraging skepticism.
• Policy and Procedure: Implementing strict policies and procedures that help in
recognizing and reporting potential social engineering attempts.
• Verification Procedures: Such as verifying the identity of the caller or
sender and confirming requests for sensitive information or actions with
another trusted party.
• Communication: Clear guidelines on how to communicate sensitive information
and how to handle requests for such information.
• Technical Tools: Using tools like the Social Engineering Toolkit (SET) for training
and testing employees' vulnerability to social engineering tactics.

Toolkit

• Social Engineering Toolkit (SET): A popular tool used to simulate social

engineering attacks for training purposes, helping security teams identify
potential vulnerabilities and train staff in recognizing social engineering tactics.
Lecture 9: Cross-Site Scripting (XSS)

Introduction to XSS

• XSS Overview: XSS is a security vulnerability typically found in web applications.

It enables attackers to inject client-side scripts into web pages viewed by other
users. It exploits the fact that a user's browser will execute scripts in the context
of the content delivered from the server.

Anatomy of XSS Exploitation

• Purpose of XSS Attacks: To perform actions on behalf of the user without their
knowledge, such as stealing cookies, session tokens, or other sensitive
information that can lead to further attacks like identity theft.

Types of XSS

• Stored XSS: The malicious script is permanently stored on target servers, such as
in a database, message forum, visitor log, comment field, etc. The victim retrieves
the malicious script from the server when requesting the stored information.
• Reflected XSS: The malicious script comes from the current HTTP request. The
user inputs a URL with malicious script, which gets reflected by the web server in
the response, and then executed by the browser.
• DOM-based XSS: The vulnerability is in the client-side code rather than the
server-side code. It occurs when the application writes data to the Document
Object Model (DOM) without proper sanitization.

Exploitation Techniques

• Cookie Stealing: XSS can be used to steal cookies, allowing attackers to

impersonate users.
• Keylogging and Defacing: Injecting scripts that can log keystrokes of a user or
change the content of the website to display unauthorized content.
 • Advanced Phishing Attacks: Leveraging XSS to create convincing phishing
scenarios where the malicious page is actually hosted on the legitimate site,
making it very difficult for users to detect the phishing attempt.

Mitigation Strategies

• Input Sanitization: Ensuring all user input is sanitized before it is used within the
web application to prevent malicious scripts from being inserted into the output
HTML.
• Content Security Policy (CSP): Implementing CSP to reduce the severity of XSS
attacks by declaring what dynamic resources are allowed to load.
• Use of Anti-XSS Libraries: Utilizing libraries and frameworks that automatically
handle the escaping of input and encoding of output.

Tools and Frameworks

• BeEF (Browser Exploitation Framework): A penetration testing tool that

focuses on the web browser, demonstrating the type of information an attacker
can retrieve from cross-site scripting.

Practical Exercises

• Finding and Testing XSS: How to identify XSS vulnerabilities through both
manual inspection of the application and the use of automated tools. The lecture
likely includes examples where attendees are shown how to test for XSS in a
controlled environment.

Lecture Content Highlights

• XSS Exploitation Examples: Detailed examples of how XSS can be exploited to

perform various malicious activities.
• Defacement: Using XSS to alter the appearance of a website as proof of concept
to demonstrate the impact of XSS vulnerabilities.
• Cookie Stealing through XSS: Demonstrates step-by-step how an attacker can
use XSS to steal session cookies and perform actions on behalf of the victim.
Lecture 10: SQL Injection

What is SQL Injection?

• SQL Injection Overview: A code injection technique that exploits vulnerabilities

in the interface between web applications and database servers. The attacker can
manipulate SQL queries to bypass security mechanisms, access, modify, or delete
data, or even execute administrative operations on the database.

Types of SQL Injections

• Union-based SQL Injection: Involves using the UNION SQL operator to combine
the results of two SELECT queries into a single result which is then returned as
part of the HTTP response.
• Error-based SQL Injection: Involves performing actions that will trigger SQL
errors from the database server which can help infer its structure.
• Blind SQL Injection: No data is transferred via the web application, and the
attacker would not be able to see the result of an attack. These are often more
complex and are inferred via behavior such as response time.

Basic SQL Injection Example

• Exploitation Example: Demonstrates how attackers can manipulate SQL queries

by altering the input parameters to alter the query logic. For instance, an attacker
might inject ' OR '1'='1 to bypass authentication.

Detecting SQL Injections

• Injection Points: SQL injections can occur wherever user input may be
incorrectly filtered or escaped. Common injection points include form fields,
cookies, and HTTP headers.
• Indications of SQL Injection: Include unusual application errors, unexpected
content, or direct database error messages displayed on a web application.
SQL Injection Exploitation Techniques

• Union-Based Exploitation: Extracting information from the database by

appending a UNION SELECT query to the original query.
• Error-Based Exploitation: Utilizing the database's error messages to gather
information about its structure.
• Blind Exploitation: Inferring data by sending different requests and observing
the application's response or behavior.

Mitigation Strategies

• Prepared Statements and Parameterized Queries: These are the primary

defense against SQL injection, ensuring that SQL commands are separated from
data.
• Stored Procedures: Can safely encapsulate the SQL statements.
• Input Validation: Whitelisting input to allow only permitted values.
• Escaping All User Inputs: Although not the preferred method, escaping user
input by treating it as data rather than executable code can prevent injections.

Tools and Frameworks

• SQLMap: An automated tool for SQL injection detection and exploitation. It is

capable of detecting and exploiting most types of SQL injections.

Mitigation

• Best Practices: Includes using frameworks and libraries that automatically handle
the use of safe SQL queries and avoid concatenating user inputs in SQL queries.
Lecture 11: Network Security

What is Network Security?

• Network Security: The protection of networking components, connections, and

contents. It encompasses the policies and practices adopted to prevent and
monitor unauthorized access, misuse, modification, or denial of the computer
network and network-accessible resources.

Key Concepts in Network Security

• Cryptography and Encryption: Tools and techniques for securing

communication and data in transit and at rest.
• Risk Assessment: Identifying and evaluating risks to the network to implement
effective mitigation strategies.
• Firewalls: Devices or programs that control the incoming and outgoing network
traffic based on predetermined security rules.
• Malware and Shellcodes: Software designed to disrupt, damage, or gain
unauthorized access to computer systems.
• Botnets: Networks of private computers infected with malicious software and
controlled as a group without the owners' knowledge.
• Access Control: Limiting access to resources in the network to users who are
permitted to have that access.
• Email Security and Intrusion Detection: Protecting email communication and
detecting potential intrusions into the network.

Security Mechanisms

• ITU X.800 Recommendations: Details specific and non-specific security

mechanisms meant to enhance network security at various OSI layers, including
authentication, access control, data integrity, and non-repudiation.
• Cryptographic Techniques: Essential for encipherment and decipherment,
ensuring data integrity and authentication in network communications.
 • Digital Signatures: Providing authentication, integrity, and non-repudiation by
attaching a cryptographic signature to data.

The 5Ds of Perimeter Security

• Deter: Making it too difficult or unattractive to attempt an attack.

• Detect: Identifying potential security breaches as early as possible.
• Deny: Preventing unauthorized access to network resources.
• Delay: Slowing down attackers to increase the chance of detecting and
responding to the attack.
• Defend: Taking active measures to protect against attacks.

Network Attacks: Jamming, Sniffing, and Spoofing

• Jamming: Interfering with or disrupting network communications.

• Sniffing: Capturing data packets as they travel across the network.
• Spoofing: Masquerading as a different device or user on the network to bypass
security measures.

Security Protocols and Techniques

• Firewalls and IPSec: Techniques for monitoring and controlling incoming and
outgoing network traffic.
• TLS and SSH: Protocols for secure communication over a computer network.
• VPN: Virtual Private Networks create a safe and encrypted connection over a less
secure network, such as the internet.
Lecture 12: Network Security - Advanced Topics

TCP/IP Protocol Architecture

• Overview: The TCP/IP model is a concise set of protocols, designed to allow

computers to communicate over a network. It consists of four layers: Application,
Transport, Internet, and Network Access (Physical Layer).
• Functionality:
• Application Layer: Handles protocols like HTTP, SMTP, and FTP that
support user applications.
• Transport Layer: Manages end-to-end communication, providing services
such as TCP (connection-oriented) and UDP (connectionless)
communications.
• Internet Layer: Includes IP (IPv4, IPv6) responsible for routing of data
packets.
• Network Access Layer: Concerned with the physical aspects of network
communication.

Sniffing

• What it is: Sniffing involves capturing data packets as they travel across the
network.
• Techniques:
• Passive Sniffing: Capturing traffic without altering it. Often done in
'promiscuous mode' where the network card captures all traffic that it can
see, regardless of destination.
• Active Sniffing: Involves injecting traffic or queries into the network to
elicit responses or changes in network behavior.

Traffic Analysis
 • Usage: Analyzing network traffic to detect patterns, potential breaches, or
inefficiencies.
• Tools:
• Wireshark: A network protocol analyzer that lets you capture and
interactively browse the traffic running on a computer network.
• Tcpdump: A command-line packet analyzer used to capture or filter
TCP/IP packets that are received or transmitted over a network.

Using Wireshark

• Capabilities: Wireshark can capture every packet sent over the network, analyze
its content against hundreds of protocols, and display detailed information about
each packet.
• Features:
• Filtering: Allows users to filter the data based on protocols, source,
destination, and other specific characteristics.
• Follow TCP Stream: Enables viewing the full stream of a TCP session,
helping in understanding the sequence and flow of packets.

Advanced Sniffing and Analysis Techniques

• Physical Layer Attacks:

• Network Tapping: Using a physical device to intercept communications.
• Vampire Taps: Clipping onto a cable to intercept or inject data.
• Rogue Access Points: Unauthorized access points installed to capture or redirect
network traffic.

Security Implications

• Ethical Use: While tools like Wireshark and tcpdump are invaluable for network
management and security, they can be used maliciously to intercept data.
• Prevention and Mitigation: Proper network segmentation, strong encryption,
and continuous monitoring are critical for protecting against sniffing and other
passive attack techniques.
Lecture 13: Information Security Risk Management (ISRM)

Introduction to Risk Management

• ISRM Definition: The process of identifying, assessing, and treating risks

associated with the use of information technology. It aims to protect the
confidentiality, integrity, and availability of an organization’s assets within an
acceptable level of risk.

Risk Management Lifecycle

• Stages: Includes asset identification, threat assessment, vulnerability assessment,

risk assessment, risk treatment, risk monitoring, and compliance checks.

Risk Management Steps

1. Asset Identification: Determining what assets are critical to the organization's

operations and assessing their value.
2. Threat Assessment: Identifying potential threats that could exploit the
vulnerabilities of these assets.
3. Vulnerability Assessment: Analyzing the weaknesses in the organization’s
infrastructure, processes, and people that could be exploited.
4. Risk Assessment: Determining the potential impact and likelihood of threats to
prioritize risk handling measures.
5. Risk Treatment: Implementing measures to mitigate, transfer, accept, or avoid
the risks.
6. Risk Monitoring: Continuously monitoring the risk environment to detect
changes and ensure control measures are effective.
7. Compliance: Ensuring all operations are in accordance with legal, regulatory, and
policy requirements, focusing on continuous improvement.

Key Assessments and Methodologies

 • Vulnerability Assessment Tools: Utilization of resources like the NIST National
Vulnerability Database, Open Source Vulnerability Database, and tools to assess
technical and application vulnerabilities.
• Social Engineering: Understanding the human element vulnerabilities, using
tools like the Social Engineering Toolkit.
• Qualitative and Quantitative Risk Assessments: Techniques to estimate risks
associated with information security threats.
• Qualitative: Focuses on descriptions and characteristics of risk.
• Quantitative: Involves numerical values and calculations, such as Annual
Rate of Occurrence and Single Loss Expectancy.

Risk Rating and Treatment

• OWASP Risk Rating Methodology: Provides a structured method to prioritize

risks based on their severity and impact.
• Risk Treatment Options: Strategies to mitigate, avoid, transfer, or accept risks
based on the organization’s risk appetite.

Compliance and Standards

• ISO 27000-series: Guidelines for managing information security risks and

implementing an effective Information Security Management System (ISMS).
• ISMS Implementation: Based on the Plan-Do-Check-Act cycle, it helps in the
continuous improvement of security practices.

Benefits of Implementing ISO/IEC 27005

• Structured Approach to Security: Ensures systematic identification, assessment,

and management of information security risks.
• Enhanced Compliance and Security Posture: Helps organizations comply with
international standards and improve their overall security measures.
Lecture 14: Security Testing and Reporting

Vulnerability Assessment (VA)

• Definition: Vulnerability Assessment involves executing tools to identify

vulnerabilities in systems and software, primarily using open-source and
commercial tools to evaluate the security posture without actively exploiting the
vulnerabilities.
• Tools: Generally includes both automated tools and manual checks to identify
known vulnerabilities in the system.

Penetration Testing (Pentesting)

• Definition: Penetration Testing goes beyond VA by simulating the behavior and

capabilities of a real attacker, including active exploitation of vulnerabilities to
determine the impact.
• Phases:
1. Pre-engagement Interactions: Setting the scope and rules of
engagement with the client.
2. Intelligence Gathering: Collecting data about the target to prepare for
the attack.
3. Threat Modeling: Identifying potential threats and how they could exploit
vulnerabilities.
4. Vulnerability Analysis: Identifying vulnerabilities that could be exploited.
5. Exploitation: Attempting to exploit identified vulnerabilities to
understand the potential damage.
6. Post Exploitation: Determining what access and data can be obtained.
7. Reporting: Documenting the findings, methodologies, and
recommendations.

Red Teaming
 • Comparison with Pentesting: While often confused with penetration testing,
Red Teaming is broader and includes testing the organization's responses to an
attack, not just its defenses. It involves emulating a real attacker without prior
notice to the security teams, aiming to test both the detection and response
capabilities.

Reporting Results

• Objectives:
• Ensure the client can understand, reproduce, and remediate the identified
vulnerabilities.
• Reports should provide actionable insights and not just raw scan outputs.
• Contents of a Good Report:
1. Executive Summary: High-level overview, key findings, and impact
summary.
2. Detailed Findings: Each finding should include a risk rating, detailed
description, replication steps, and remediation recommendations.
3. Appendices: Additional details, raw data, and methodological
explanations.

Common Mistakes in Reporting

• Avoid:
• Using unmodified tool outputs as reports.
• Overlooking the practical impact of vulnerabilities.
• Failing to provide clear steps for replication and remediation.
• Not customizing the risk ratings and remediation strategies based on the
client's environment.

Example of a Reporting Template

• Sections:
1. Introduction/Overview
2. Scope and Objectives
3. Methodology
4. Significant Findings
5. Positive Observations
6. Detailed Findings
7. Risk and Impact Evaluation
8. Recommendations for Each Finding
9. Conclusion and Next Steps
 Here all commands with outputs
Whois:
Nslookup:

Dig:
Nikto:

Nmap:
Curl: