
Module 2 - Vulnerabilities and Cyber Security Safeguards


Module 2
Cyber Security Vulnerabilities and Cyber Security Safeguards

Outline - Cyber Security Vulnerabilities
• Vulnerabilities in software
• System administration
• Complex Network Architectures
• Open Access to Organizational Data
• Weak Authentication
• Unprotected Broadband communications
• Poor Cyber Security Awareness

Outline - Safeguard
• Safeguard Overview
• Access control
• Audit
• Authentication
• Biometrics
• Cryptography
• Deception
• Denial of Service Filters
• Ethical Hacking
• Firewalls
• Intrusion Detection Systems
• Response
• Scanning
• Security policy
• Threat Management

Vulnerability vs. Risk vs. Threat
• A vulnerability is a weakness in a system that malicious actors can exploit. For example, an excess of permissions in accounts or mistakes in code that cybercriminals can use to access the network.
• A threat is what cybercriminals do to exploit a vulnerability.
• A risk is the probability and impact of a vulnerability being exploited: the damage the attack can cause, the potential loss, destruction, or theft of your assets. Risk is the measure of what can happen when the attacker exploits the vulnerability.
Vulnerability
• In cyber security, a vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized access to a computer system. After exploiting a vulnerability, an attacker can run malicious code, install malware and even steal sensitive data.

• Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
---- National Institute of Standards and Technology (NIST)

Types of Vulnerabilities
▪ System Misconfigurations
Cybercriminals commonly probe networks for system misconfigurations and gaps that look exploitable. [application or cloud security]
▪ Missing or poor data encryption
Cyber adversaries can extract critical information and inject false information onto a server.
▪ Missing or Weak Authorization Credentials
Educate users on cybersecurity best practices so that their login credentials are not easily exploited.

Types of Vulnerabilities
• Unsecure APIs
If not properly and adequately secured, they can become an easy target for attackers to breach.
• Out-of-date or Unpatched Software
Unpatched vulnerabilities can be exploited by attackers to steal sensitive information.
Causes of Vulnerabilities
Complexity
❑ Complex systems increase the probability of a flaw, misconfigurations or unintended access.
Familiarity
❑ Common code, software, operating systems and hardware increase the probability that an attacker can find or has information about known vulnerabilities.
Connectivity
❑ The more connected a device is, the higher the chance of a vulnerability.

Causes of Vulnerabilities
Poor Password Management
❑ Weak passwords can be broken with brute force, and reusing passwords can result in one data breach becoming many.
Operating System Flaws
❑ Operating systems that are insecure by default and allow any user to gain access and potentially inject viruses and malware.
Internet Usage
❑ The Internet is full of spyware and adware that can be installed automatically on computers.

Causes of Vulnerabilities
Software Bugs
❑ Programmers can accidentally or deliberately leave an exploitable bug in software. Sometimes end users fail to update their software, leaving them unpatched and vulnerable to exploitation.
Unchecked User Input
❑ If your website or software assumes all input is safe, it may execute unintended SQL commands.
People
❑ The biggest vulnerability in any organization is the human at the end of the system. Social engineering is the biggest threat to the majority of organizations.

Vulnerabilities in software
• Software vulnerabilities are weaknesses or flaws present in your code.
• Unfortunately, testing and manual code reviews cannot always find every vulnerability.
• Vulnerabilities can impact the performance and security of your software.
• They could even allow untrustworthy agents to exploit or gain access to your products and data.
Common Software Vulnerabilities
1. Bugs
Software bugs are an error or failure in software and they're very common.
Some bugs will result in serious issues like information theft and some will lead to system failure. But some less serious bugs will result in error messages or incorrect results.

2. Exposure of sensitive data
Sensitive data includes things such as account numbers, addresses, financial data, health information, usernames, and passwords.
Personal or sensitive data has to be protected with encryption and access controls to prevent unauthorized people from accessing it.

Common Software Vulnerabilities
3. Flaws in Injection
Injection flaws result in cyber attackers injecting malicious code into an application.
This kind of software security vulnerability occurs when untrusted data is sent along with a query or command to an interpreter, which in turn will make the targeted system execute unexpected commands.

4. Buffer overflow
Buffer overflow occurs when an attempt is made to store data that is too big for the memory space allocated.
Attackers can use this software coding mistake, where the storage capacity of a program is overwritten, to take control of or to access your system.
This vulnerability tends to be more common in software written in C and C++.
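The "Unchecked User Input" cause and the injection flaw described above, shown side by side with the parameterized form that prevents it. This is an added example, not code from the slides; the in-memory SQLite table, its two rows and the lookup functions are all constructed for the demonstration.

```python
# Added example (not from the slides): query built from unchecked input vs.
# a parameterized query, using Python's built-in sqlite3 module.
# The in-memory database, table and rows are constructed for this demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'Unchecked User Input' flaw: the caller's string is pasted into
    the SQL text, so a value containing a quote changes the query's meaning
    and the interpreter executes a command the developer never intended."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the SQL text is fixed and the value is bound as a
    parameter, so user input is only ever treated as data, never as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal username and with a username that
    carries the textbook always-true condition, and return the results."""
    conn = make_db()
    benign = "alice"
    crafted = "' OR '1'='1"   # constructed input that subverts the concatenated query
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),   # returns every row
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_crafted": lookup_parameterized(conn, crafted),      # matches no user
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```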

Common Software Vulnerabilities
5. Security misconfiguration
Security misconfiguration is a result of incomplete configurations and default configurations that are not secure.
For example, open cloud storage or misconfigured HTTP headers.
To avoid this kind of software security weakness, you need to make sure you have properly configured your OS, frameworks, and applications.

6. Broken access control
Broken user restrictions can cause severe software weaknesses.
For example, if you have an admin panel for your website, you want to restrict that area so only admin users can access it.

Common Software Vulnerabilities
7. Insecure deserialization
Insecure deserialization is a security weakness that is used by hackers to carry out injection attacks and DDoS attacks.
In this type of vulnerability, untrusted data is used to implement attacks.

8. Broken/Missing Authentication
Weaknesses in session management and credential management result in broken authentication, which means an attacker is able to compromise passwords or other information to access a user's account.
Improperly implemented authentication and session management can result in this kind of software vulnerability.
How to Prevent Software Vulnerabilities
1. Test Your Software
It's a good practice to test your software often as this will help you find and get rid of vulnerabilities quickly. You can test your software using code analysis tools, white box testing, black box testing, and other techniques.

2. Update the Software Regularly
It is important to regularly update software as outdated software is prone to vulnerabilities. By making sure your software uses up to date components and dependencies, you can prevent security issues and software vulnerabilities.

3. Set Up Software Design Requirements
Define a set of principles that need to be followed while developing each software release. These principles will show the developers how to write, inspect, and demonstrate their code to ensure security best practices are followed. Following the latest information from organizations such as CWE, OWASP, and CERT will also help you detect and prevent vulnerabilities.

How to Prevent Software Vulnerabilities
4. Use a Code Signing Certificate
Digitally signing your code using a code signing certificate will make your code tamper-proof, making it impossible for third parties to tamper with your code. A code signing certificate will make sure your files remain secure and it will also prevent hackers from adding security vulnerabilities to your code.

System administration
Security systems administrators are responsible for maintaining the security and integrity of an organization's computer systems and networks. This involves the implementation and management of various security measures, such as firewalls, intrusion detection and prevention systems, anti-virus software, and encryption tools.

System administration
• Managing and configuring security systems: Security systems administrators are responsible for installing, configuring, and managing security systems such as firewalls, intrusion detection and prevention systems, anti-virus software, and other security-related software and hardware.

• Monitoring network traffic and system logs: Security systems administrators are responsible for monitoring network traffic and system logs to detect and respond to potential security threats or suspicious activities.

• Conducting regular security assessments: Security systems administrators are responsible for conducting regular security assessments to identify vulnerabilities and areas for improvement in an organization's security posture.
System administration
• Developing and implementing security policies and procedures: Security systems administrators are responsible for developing and implementing security policies and procedures to ensure that an organization's data and systems are protected against cyber threats.

• Responding to security incidents: Security systems administrators are responsible for responding to security incidents such as data breaches, virus outbreaks, and other security incidents to contain the damage and prevent further damage to the organization's systems and data.

• Keeping up-to-date with the latest security threats and technologies: Security systems administrators are responsible for staying up-to-date with the latest security threats and technologies to ensure that an organization's security systems are effective against current and emerging cyber threats.

System administration – Best practices
• Performing regular security assessments to identify vulnerabilities and security risks.
• Implementing strong password policies and user authentication protocols.
• Keeping software and hardware components up-to-date to address potential security concerns.
• Maintaining up-to-date backups of critical data to ensure data recovery in the event of a system failure.
• Providing user training on cyber security best practices.

Open Access to Organizational Data
• Open access to organizational data in cyber security refers to the practice of making certain information and resources within an organization accessible to a broader audience, both internally and potentially externally.

• While transparency and collaboration are essential for innovation and efficiency, open access to organizational data in cyber security requires careful consideration due to the sensitivity of the information involved.

Challenges
• Data Sensitivity:
Not all data should be openly accessible. Personally identifiable information (PII), intellectual property, and other sensitive information must be carefully protected.

• Compliance and Regulations:
Organizations must comply with data protection regulations such as GDPR, HIPAA, or industry-specific standards. Open access should not violate these regulations.

• Access Control and Permissions:
Implement robust access control mechanisms to ensure that only authorized individuals have access to sensitive data. This includes role-based access controls and encryption.

• Security Risks:
Opening up access can potentially increase the risk of unauthorized access or data breaches. It's crucial to implement strong security measures to mitigate these risks.
Challenges
• Trust and Communication:
Building trust among employees and stakeholders is essential. Clear communication about the purpose, benefits, and limitations of open access is vital to avoid misunderstandings.

• Redundancy and Backups:
Ensure redundancy and backups are in place in case of a security incident. Regularly test and update these systems to maintain data integrity.

• Monitoring and Auditing:
Implement continuous monitoring and auditing to track who accesses what data. This helps in identifying any unusual activities or potential security incidents.

• Education and Training:
Regularly educate employees about the importance of data security and their role in maintaining it. Training programs can help them understand the risks and best practices.

Complex Network Architectures
• Complex network architectures can introduce various vulnerabilities that may pose challenges to the overall security of the network.
1. Increased Attack Surface:
The larger and more complex a network, the greater the attack surface. This provides more entry points for attackers to exploit vulnerabilities and gain unauthorized access.

2. Complex Configuration Errors:
The complexity of network configurations increases the likelihood of errors, misconfigurations, and oversights. These mistakes can lead to unintended security vulnerabilities that attackers may exploit.

3. Interconnected Systems:
In a complex network, multiple systems and components are interconnected. If a vulnerability is discovered in one part of the network, it may be exploited to compromise other connected systems.

Complex Network Architectures
4. Difficulty in Patch Management:
With a complex network, managing and applying patches consistently across all devices can be challenging. Unpatched systems are more susceptible to known vulnerabilities.

5. Misuse of Virtualization and Cloud Resources:
Virtualization and cloud technologies, while providing flexibility, can introduce security challenges if not properly configured and monitored. Misconfigurations in virtual environments may lead to vulnerabilities.

6. Overreliance on Security Appliances:
Complex networks often deploy numerous security appliances, such as firewalls and intrusion detection systems. Depending solely on these devices without addressing configuration issues can introduce vulnerabilities.

Complex Network Architectures
7. Insufficient Access Controls:
In large and complex networks, managing access controls becomes more challenging. Inadequate access controls may result in unauthorized users gaining access to sensitive resources.

8. Limited Visibility:
A complex network may lack comprehensive visibility into all network activities. This makes it difficult to detect anomalous behavior, identify potential threats, and respond in a timely manner.

9. Complexity in Monitoring and Incident Response:
Monitoring a complex network for security incidents and responding effectively can be complex. Delays in identifying and responding to security events can lead to prolonged exposure to threats.
Complex Network Architectures
10. Integration Issues:
Integrating diverse technologies and solutions within a complex network may lead to compatibility issues and vulnerabilities if not thoroughly tested and validated.

11. Employee Training Challenges:
Training personnel to understand and manage the complexity of a sophisticated network is essential. Inadequate training may result in security lapses, such as falling for social engineering attacks.

12. Lack of Documentation:
Complex networks may lack comprehensive documentation, making it challenging for administrators to understand and secure all aspects of the infrastructure.

Complex Network Architectures
13. Third-Party Risks:
Complex networks often involve interactions with third-party vendors and services. If security measures are not properly vetted and enforced, third-party elements can introduce vulnerabilities.

Prevention
To mitigate these vulnerabilities, organizations should implement robust security practices, conduct regular security audits and assessments, prioritize patch management, and provide ongoing training for network administrators and users.

Weak Authentication
• Weak authentication refers to a method of verifying the identity of a user or system that is easily compromised or circumvented, posing a security risk.
• Inadequate authentication mechanisms can lead to unauthorized access, data breaches, and other security incidents.
Example of weak authentication
• Username and Password: Weak passwords that are easy to guess or commonly used.

• Lack of multi-factor authentication (MFA), which adds an extra layer of security beyond just a password.

• Single-Factor Authentication: Relying solely on one form of authentication (e.g., only a password or only a fingerprint) increases vulnerability.

• Default Credentials: Failing to change default usernames and passwords on devices or applications, making them susceptible to attacks.

• Biometric Vulnerabilities: Biometric authentication methods can be compromised if the biometric data is not securely stored or if the system can be fooled by fake fingerprints or other means.

Example of weak authentication
• Insecure Token Systems:
The use of easily replicable or predictable tokens for authentication, which can be intercepted or duplicated.
• Social Engineering:
Exploiting human behavior or psychological manipulation to trick individuals into revealing sensitive information, such as passwords or security codes.
• Insufficient Session Management:
Weak session management practices can lead to unauthorized access, especially if session tokens are not properly protected or easily guessable.
• Inadequate Security Questions:
Reliance on easily discoverable or guessable security questions for password recovery.
• Password Storage Practices:
Storing passwords in plaintext or using weak encryption methods, making it easier for attackers to retrieve the original passwords.
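The "Password Storage Practices" and "Insecure Token Systems" weaknesses above, each next to its hardened form. This is an added example, not code from the slides; it uses only the Python standard library, and the scrypt cost parameters and the stored-record layout are assumptions chosen for the demo.

```python
# Added example (not from the slides): weak vs. hardened password storage and
# session-token generation. Standard library only; scrypt parameters and the
# "scheme$n$r$p$salt$hash" record layout are assumptions for this demo.
import hashlib
import hmac
import os
import secrets

# Assumed scrypt cost parameters (memory-hard: 128 * r * n bytes = 16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(password: str) -> str:
    """Weak: the stored value IS the password, so any read of the store
    (backup, SQL injection, insider) yields every credential directly."""
    return password


def hash_password(password: str) -> str:
    """Hardened: random per-user salt plus a memory-hard KDF. The salt makes
    precomputed tables useless; the cost makes brute force expensive."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare
    in constant time; anything not in the expected format is rejected."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def predictable_token(user_id: int, counter: int) -> str:
    """Weak: the 'Insecure Token Systems' pattern. The token is built from
    values anyone can guess, so a session can be forged without ever
    capturing a real one."""
    return f"{user_id}-{counter}"


def secure_session_token() -> str:
    """Hardened: 256 bits from the OS CSPRNG, URL-safe so it can be placed in
    a cookie; unguessable, and unrelated to the user it is issued to."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify good:", verify_password("correct horse battery staple", record))
    print("verify bad: ", verify_password("Tr0ub4dor&3", record))
    print("weak token:  ", predictable_token(42, 1))
    print("secure token:", secure_session_token())
```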

Vulnerability due to weak authentication
• Brute Force Attacks:
Attackers may attempt to gain unauthorized access by systematically trying all possible combinations of usernames and passwords until the correct one is found.

• Credential Stuffing:
In cases where users reuse passwords across multiple platforms, attackers may use compromised credentials from one service to gain unauthorized access to another.

• Dictionary Attacks:
Attackers use precompiled lists of common passwords (dictionaries) to try and gain access to user accounts with weak or easily guessable passwords.

• Phishing Attacks:
Weak credentials can be exposed through phishing attacks where users are tricked into providing their login information on fraudulent websites or through deceptive means.

Vulnerability due to weak authentication
• Man-in-the-Middle (MitM) Attacks:
If credentials are transmitted over an insecure network, attackers can intercept and capture the login information, allowing them to impersonate the user.
• Session Hijacking:
Weak or easily guessable session tokens can be exploited by attackers to take over an authenticated session and gain unauthorized access to a user's account.
• Password Spraying:
Attackers try a few commonly used passwords against many accounts, minimizing the risk of account lockouts and increasing the chances of success.
• Keylogging:
Malicious software or hardware may be used to capture keystrokes, including usernames and passwords, as users input their credentials.
Vulnerability due to weak authentication
• Insider Threats:
Employees or individuals with access to sensitive systems may abuse weak credentials for malicious purposes.
• Unauthorized Access:
Weak or default passwords can allow unauthorized users to gain access to systems, networks, or devices.

Prevention
• To mitigate these vulnerabilities, it's crucial to enforce strong password policies, implement multi-factor authentication, regularly update and patch systems, educate users about the risks of weak credentials, and monitor for suspicious login activities.

• Additionally, organizations should conduct regular security assessments and audits to identify and address potential weaknesses in their authentication systems.
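"Monitor for suspicious login activities" in practice: an added example, not from the slides, that runs simple detection logic for the brute-force and password-spraying patterns listed above over constructed sample log lines. The log line format, the thresholds and every username and address are assumptions made for the demonstration.

```python
# Added example (not from the slides): detecting brute force (many failures
# on one account) and password spraying (one source, few failures each on
# many accounts) in authentication logs. Log format, thresholds, names and
# addresses are all constructed for this demo.
import re
from collections import Counter, defaultdict

# Constructed sample log in an assumed "<timestamp> auth <OK|FAIL> user=<u> src=<ip>" format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:02 auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:03 auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:04 auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:05 auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:06 auth FAIL user=alice src=203.0.113.5
2024-05-01T08:05:00 auth OK user=bob src=192.0.2.10
2024-05-01T09:00:00 auth FAIL user=bob src=198.51.100.9
2024-05-01T09:00:01 auth FAIL user=carol src=198.51.100.9
2024-05-01T09:00:02 auth FAIL user=dave src=198.51.100.9
2024-05-01T09:00:03 auth FAIL user=erin src=198.51.100.9
2024-05-01T09:00:04 auth FAIL user=frank src=198.51.100.9
this line is not in the expected format and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_brute_force(events: list, threshold: int = 5) -> list:
    """Brute force / dictionary pattern: at least `threshold` failed logins
    against a single account, regardless of where they came from."""
    fails = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return sorted(user for user, n in fails.items() if n >= threshold)


def detect_password_spraying(events: list, min_accounts: int = 3,
                             max_per_account: int = 2) -> list:
    """Spraying pattern: one source fails against many different accounts but
    only a few times each, deliberately staying below per-account lockout
    thresholds. Grouping by source instead of by account exposes it."""
    per_src = defaultdict(Counter)
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    flagged = []
    for src, users in per_src.items():
        if len(users) >= min_accounts and max(users.values()) <= max_per_account:
            flagged.append(src)
    return sorted(flagged)


def analyze(text: str) -> dict:
    """Run both detectors over a log and return the findings."""
    events = parse_log(text)
    return {
        "events": len(events),
        "brute_force_accounts": detect_brute_force(events),
        "spraying_sources": detect_password_spraying(events),
    }


if __name__ == "__main__":
    # Note that the spraying source never trips the per-account threshold:
    # only the per-source view catches it.
    print(analyze(SAMPLE_LOG))
```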

Unprotected Broadband communications
• Unprotected broadband communication refers to the transmission of data over broadband networks without adequate security measures. This lack of protection can expose sensitive information to various risks and potential exploitation by malicious actors.

Vulnerabilities due to Unprotected Broadband communications
• Eavesdropping:
Without encryption, data transmitted over unprotected broadband communication channels can be intercepted and monitored by unauthorized individuals, leading to the compromise of sensitive information.
• Data Tampering:
Malicious actors may alter the data being transmitted over unprotected broadband connections, potentially leading to integrity issues and unauthorized modifications.
• Man-in-the-Middle Attacks:
Attackers can position themselves between the sender and receiver to intercept and manipulate data during transmission, potentially gaining access to confidential information.
• Unauthorized Access:
Without proper authentication and encryption, unauthorized users may gain access to sensitive systems, networks, or data, posing a significant security risk.
Vulnerabilities due to Unprotected Broadband communications
• Denial of Service (DoS) Attacks:
Unprotected broadband communication may be susceptible to DoS attacks, where malicious actors overwhelm the network or services with excessive traffic, leading to service disruptions.
• Password and Credential Exposure:
If authentication credentials are transmitted in plaintext over unprotected channels, they can be easily captured by eavesdroppers, leading to unauthorized access.
• Network Sniffing:
Tools and techniques like network sniffers can capture and analyze unencrypted data flowing through a network, exposing sensitive information.
• Vulnerability Exploitation:
Unprotected communication channels may expose network vulnerabilities, making it easier for attackers to exploit weaknesses in systems or applications.

Prevention
• Encryption: Use encryption protocols (e.g., SSL/TLS) to secure data in transit and protect it from eavesdropping.
• Virtual Private Network (VPN): Implement VPNs to create a secure, encrypted tunnel for communication over broadband networks, especially in remote access scenarios.
• Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS): Deploy these security mechanisms to monitor and control network traffic, identifying and blocking suspicious activities.
• Authentication: Implement strong authentication methods to ensure that only authorized users can access network resources.
• Regular Updates and Patching: Keep systems and network equipment up-to-date with the latest security patches to address known vulnerabilities.
• Security Awareness Training: Educate users about the risks associated with unprotected communication and promote good security practices.

Poor Cyber Security Awareness
• Poor cybersecurity awareness refers to a lack of understanding and knowledge among individuals, employees, or organizations about the importance of cybersecurity practices and the potential risks associated with inadequate security measures.

• This lack of awareness can lead to a range of cybersecurity vulnerabilities and incidents.

Vulnerabilities due to poor Cyber Security awareness
• Phishing Attacks:
Individuals with poor cybersecurity awareness may be more susceptible to phishing scams, where attackers use deceptive emails or messages to trick users into revealing sensitive information, such as passwords or financial details.

• Weak Passwords:
Users with low cybersecurity awareness may not prioritize the creation of strong, unique passwords, making it easier for attackers to gain unauthorized access through brute-force attacks or other methods.

• Unsecured Devices:
Lack of awareness about the importance of securing devices (computers, smartphones, IoT devices) can result in the use of outdated software, missing security patches, and weak configurations, increasing the risk of exploitation.
Vulnerabilities due to poor Cyber Security awareness
• Social Engineering Exploitation:
Cybercriminals may exploit individuals with poor cybersecurity awareness through social engineering tactics, manipulating them into divulging sensitive information or performing actions that compromise security.
• Unprotected Networks:
Failure to secure home or workplace networks, including the use of weak or default router passwords, can expose individuals to unauthorized access and data interception.
• Lack of Data Backups:
Individuals or organizations with poor cybersecurity awareness may neglect regular data backups, making them more vulnerable to data loss due to ransomware or other cyber threats.
• Insecure Wi-Fi Practices:
Poor awareness may lead to the use of unsecured Wi-Fi networks, exposing users to risks such as man-in-the-middle attacks or unauthorized access.

Vulnerabilities due to poor Cyber Security awareness
• Insufficient Software Updates:
Failure to regularly update software and applications increases the likelihood of falling victim to exploits targeting known vulnerabilities.
• Unawareness of Cyber security Policies:
Employees or individuals may not be aware of and adhere to organizational or industry-specific cyber security policies, leading to non-compliance and increased risks.
• Inadequate Training and Education:
Lack of cyber security training and education can result in employees being unaware of best practices, making them more susceptible to unintentional security breaches.
• Non-compliance with Policies:
In organizational settings, employees with poor cybersecurity awareness may not be aware of or may disregard established security policies, leading to non-compliance and increased vulnerability.

Vulnerabilities due to poor Cyber Security awareness
• Inadequate Incident Response:
Individuals and organizations with poor cybersecurity awareness may lack effective incident response plans. In the event of a security incident, the lack of awareness can delay or hinder the proper handling of the situation.

Prevention
• To address these vulnerabilities, it is essential to invest in cyber security education and training programs, raise awareness about common threats, and promote a culture of security.

• Organizations should provide regular training sessions, conduct awareness campaigns, and establish clear security policies to mitigate the risks associated with poor cyber security awareness.
Safeguard
• Safeguard is an umbrella term involving various techniques, measures, and technologies designed to protect computer systems, networks, applications, programs, and data.

• These safeguards strictly imply the adherence to defined procedures that limit the access and potential harm caused by unauthorized users and protect systems from adverse scenarios such as security breaches, data theft, blackmail schemes, and other cyber threats.

Safeguard
• One of the core elements of safeguarding in cyber security and antivirus is Identifying and Countering Vulnerabilities.

• Technological vulnerabilities can act as entry points for cybercriminals to gain unauthorized access or to launch a cyber-attack.

• These vulnerabilities can exist in software, hardware, network connections, or user practices.

• Security professionals conduct regular system health checks, vulnerability assessments, and penetration testing to spot these vulnerabilities.

Access control
• Implement strong authentication mechanisms: Utilize multi-factor authentication, strong password policies, and secure session management to ensure only authorized users can access the application.

• Enforce proper authorization checks: Implement granular access controls and validate user roles and permissions at various levels within the application. This ensures that users only have access to functionalities and data they are authorized to use.

• Implement secure session management: Use secure session management techniques, such as session timeouts and secure cookie settings, to prevent unauthorized access to user sessions.

• Regularly update and patch software: Keep the application and underlying software frameworks up to date with the latest security patches. This helps to address known vulnerabilities and protect against potential exploits.

Access control
• Conduct regular security code reviews: Perform thorough code reviews to identify any access control weaknesses or vulnerabilities introduced during the development process. Use static code analysis tools to automate this process and catch potential issues.
• Implement secure data validation and sanitization: Validate and sanitize user input to prevent common attacks, such as SQL injection or cross-site scripting (XSS). This helps to ensure that user input is properly handled and does not lead to unauthorized access or data manipulation.
• Follow the principle of least privilege: Grant users the minimum privileges necessary to perform their tasks. Avoid granting unnecessary permissions that could potentially be exploited by attackers.
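"Enforce proper authorization checks" and "Follow the principle of least privilege" as code: an added example, not from the slides, of a default-deny role check that also validates at the object level (the admin-panel restriction and the "broken access control" weakness from the earlier slide). The role names, permission strings, users and records are constructed for the demonstration.

```python
# Added example (not from the slides): default-deny, role-based authorization
# with an object-level ownership rule. Roles, permission names, users and
# records are constructed for this demo.
from dataclasses import dataclass

# Least privilege: each role lists only what it needs. Anything not listed is
# denied, so an unknown or misspelt role grants nothing.
ROLE_PERMISSIONS = {
    "viewer": {"record:read_own"},
    "editor": {"record:read_own", "record:update_own"},
    "admin":  {"record:read_any", "record:update_any", "admin_panel:view"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


class AuthorizationError(PermissionError):
    """Raised when a request is not covered by an explicit permission."""


def permissions_for(user: User) -> set:
    """Union of the permissions granted by each of the user's known roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: User, action: str, record: Record = None) -> bool:
    """Default deny. For plain actions the permission must match exactly.
    For record actions, '<action>_any' covers every record and
    '<action>_own' only records the caller owns: this is the object-level
    check whose absence lets one user read another user's data."""
    perms = permissions_for(user)
    if record is None:
        return action in perms
    if f"{action}_any" in perms:
        return True
    return f"{action}_own" in perms and record.owner == user.name


def read_record(user: User, record: Record) -> str:
    """Server-side enforcement: the check happens where the data is served,
    not only in the UI, so it cannot be bypassed by crafting a request."""
    if not is_authorized(user, "record:read", record):
        raise AuthorizationError(f"{user.name} may not read record {record.record_id}")
    return record.body


def open_admin_panel(user: User) -> str:
    """The slides' admin-panel example: only an explicit permission opens it."""
    if not is_authorized(user, "admin_panel:view"):
        raise AuthorizationError(f"{user.name} may not view the admin panel")
    return "admin panel"


if __name__ == "__main__":
    alice = User("alice", frozenset({"viewer"}))
    root = User("root", frozenset({"admin"}))
    own = Record(1, "alice", "alice's data")
    other = Record(2, "bob", "bob's data")
    print(read_record(alice, own))          # allowed: her own record
    print(read_record(root, other))         # allowed: read_any
    for fn, args in ((read_record, (alice, other)), (open_admin_panel, (alice,))):
        try:
            fn(*args)
        except AuthorizationError as exc:
            print("denied:", exc)
```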
Access control
• Conduct regular security testing and auditing: Regularly perform penetration testing, code reviews, and vulnerability assessments to identify and address any access control weaknesses or vulnerabilities. This helps to ensure that the application remains secure against evolving threats.

Audit
• Auditing is a crucial component of ensuring the security and integrity of systems and processes. To safeguard against vulnerabilities through auditing, you can follow these general steps:
1. Identify Assets and Vulnerabilities:
• List all assets within your organization, including hardware, software, data, and personnel.
• Identify potential vulnerabilities in each asset, such as outdated software, weak passwords, or misconfigured systems.

2. Define Security Policies:
• Establish clear and comprehensive security policies that define acceptable use, access controls, data protection, and other relevant guidelines.
• Ensure that these policies align with industry standards and regulations.

Audit
3. Regular Security Audits:
Conduct regular security audits to assess the effectiveness of your security measures.
Schedule both internal and external audits to gain different perspectives on your security posture.
4. Penetration Testing:
Perform penetration testing to simulate real-world attacks and identify potential weaknesses in your systems.
Regularly update and refine penetration testing scenarios to address emerging threats.
5. Vulnerability Scanning:
Use automated tools for vulnerability scanning to identify weaknesses in your network, applications, and systems.
Regularly update and run these scans to stay ahead of potential vulnerabilities.

Audit
6. User Access Reviews:
Regularly review and audit user access permissions to ensure that users have the appropriate level of access based on their roles.
Remove or adjust access for users who no longer need specific privileges.
7. Incident Response Planning:
Develop and regularly update an incident response plan to address security incidents promptly.
Conduct simulations and tabletop exercises to ensure that your team is prepared to respond effectively.
8. Log Management:
Implement robust log management to monitor and analyze system logs for suspicious activities.
Regularly review logs to detect and respond to potential security incidents.
Audit
9. Patch Management:
Establish a patch management process to promptly apply security patches and updates.
Regularly review and update software to address known vulnerabilities.
10. Employee Training:
Provide regular security awareness training to employees to educate them about potential risks and best practices.
Ensure that employees are aware of the latest phishing and social engineering tactics.
11. Third-Party Audits:
Engage third-party auditors to provide an independent assessment of your security measures.
Consider certifications like ISO 27001 to demonstrate your commitment to security standards.
12. Document and Review:
Document the results of your audits and assessments.
Regularly review and update your security policies and procedures based on the findings and changes in the threat landscape.

Authentication
• Authentication is a critical component of safeguarding against vulnerabilities, as it helps ensure that only authorized users gain access to systems, applications, and data. Here are some best practices for strengthening authentication and enhancing security:
1. Multi-Factor Authentication (MFA):
Implement multi-factor authentication to require users to provide two or more authentication factors (e.g., password, biometrics, one-time codes).
MFA adds an extra layer of security, making it more difficult for unauthorized individuals to access accounts.
2. Strong Password Policies:
Enforce strong password policies, including minimum length, complexity requirements, and regular password changes.
Educate users on the importance of creating unique and secure passwords.

Authentication
3. Biometric Authentication:
Where feasible, implement biometric authentication methods such as fingerprint, facial recognition, or retina scans. Biometrics provide a unique and difficult-to-replicate method of verifying user identity.
4. Account Lockout Policies:
Implement account lockout policies to prevent brute force attacks. After a specified number of failed login attempts, lock the account temporarily. Configure lockout parameters based on the organization's security needs.
5. Session Management:
Implement session timeout settings to automatically log out users after a period of inactivity. Regularly review and adjust session management policies based on security requirements.
6. Secure Communication Protocols:
Use secure communication protocols, such as HTTPS, to protect authentication data during transit. Avoid transmitting sensitive information, especially credentials, over unsecured networks.
7. Regular Auditing and Monitoring:
Conduct regular audits of user accounts, permissions, and authentication logs. Monitor for suspicious or unauthorized activities and respond promptly to any anomalies.
8. Centralized Authentication Systems:
Utilize centralized authentication systems, such as LDAP (Lightweight Directory Access Protocol) or Active Directory, to manage user credentials in a unified manner. Ensure that these systems are properly secured and regularly audited.
Authentication
9. Secure Password Storage:
Hash and salt passwords before storing them to protect against data breaches. Avoid storing plain-text passwords. Regularly review and update password storage mechanisms to align with industry best practices.
10. User Training and Awareness:
Educate users on the importance of strong authentication practices and the risks associated with weak authentication. Encourage users to report any suspicious activities or attempts at unauthorized access.
11. Regular Security Assessments:
Conduct regular security assessments, including penetration testing, to identify and address potential vulnerabilities in the authentication process. Stay informed about the latest authentication technologies and best practices.
12. Adaptive Authentication:
Implement adaptive authentication mechanisms that adjust the level of authentication required based on risk factors, user behavior, or contextual information. This helps detect and respond to abnormal or high-risk activities.

Cryptography
Cryptography plays a crucial role in safeguarding information by providing techniques for securing data, protecting communication, and ensuring the integrity and confidentiality of sensitive information.
1. Use Strong Encryption Algorithms:
Employ well-established and widely recognized encryption algorithms, such as AES (Advanced Encryption Standard), for securing data at rest and in transit. Regularly update cryptographic algorithms to stay ahead of potential vulnerabilities.
2. Key Management:
Implement a robust key management system to generate, distribute, store, and rotate cryptographic keys securely. Regularly update and strengthen key management practices to prevent unauthorized access.
3. Secure Key Storage:
Safeguard cryptographic keys by storing them in secure, tamper-resistant environments. Consider using hardware security modules (HSMs) for key protection and management.
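As an added example of authentication items 4 (account lockout) and 9 (salted password storage) above, not code from the slides: a small Python login service that stores PBKDF2-HMAC-SHA256 hashes with a per-user random salt, compares digests in constant time, and locks an account temporarily after repeated failures. The iteration count, failure threshold and lockout duration are assumed values, and `LoginService`, `hash_password` and `verify_password` are names chosen for this example.

```python
import hashlib
import hmac
import secrets
import time

# Policy parameters: assumed values for this example, not figures from the slides.
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
MAX_FAILED_ATTEMPTS = 5       # consecutive failures before a temporary lock
LOCKOUT_SECONDS = 15 * 60     # how long the lock lasts


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh 16-byte salt from the OS CSPRNG means two users with the same
    password get different records, so a leaked table cannot be cracked with
    one precomputed lookup.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Used when the username is unknown so that a failed login costs the same
# time whether or not the account exists.
_DUMMY_RECORD = hash_password("placeholder-not-a-real-password")


class LoginService:
    """In-memory user store with salted hashing and a temporary lockout policy."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 iterations=PBKDF2_ITERATIONS, clock=time.time):
        self._records = {}       # username -> password record
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> unix time at which the lock expires
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self.iterations = iterations
        self.clock = clock       # injectable so tests can advance time

    def register(self, username, password):
        self._records[username] = hash_password(password, self.iterations)

    def is_locked(self, username):
        return self.clock() < self._locked_until.get(username, 0)

    def login(self, username, password):
        """Return 'ok', 'locked' or 'denied'."""
        if self.is_locked(username):
            return "locked"      # a correct password does not bypass the lock
        record = self._records.get(username, _DUMMY_RECORD)
        ok = verify_password(password, record) and username in self._records
        if ok:
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= self.max_failed:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            self._failures[username] = 0
        return "denied"
```

The record carries its own algorithm name and iteration count, which is what lets you raise the work factor later and re-hash users on their next successful login, as item 9 recommends.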

Cryptography
4. Secure Communication Protocols:
Use secure communication protocols such as TLS/SSL for encrypting data in transit. Ensure that protocols and ciphers are configured securely, and stay updated on best practices for securing communication.
5. Digital Signatures:
Implement digital signatures to verify the authenticity and integrity of messages or documents. Use strong hash functions and signing algorithms for creating digital signatures.
6. Secure Hash Functions:
Choose secure hash functions (e.g., SHA-256) for data integrity verification. Avoid using deprecated or vulnerable hash algorithms.
7. Implement Forward Secrecy:
Enable forward secrecy in communication protocols to ensure that compromised session keys do not compromise past or future sessions. Regularly review and update configurations to support forward secrecy.
8. Data Encryption at Rest:
Encrypt sensitive data stored on servers, databases, or other storage systems. Implement disk encryption to protect data even when the physical storage is compromised.
9. Regularly Update Cryptographic Libraries:
Keep cryptographic libraries and software up-to-date to address vulnerabilities and take advantage of improved security features. Monitor security advisories for any updates related to cryptographic implementations.
10. Use Cryptographic Random Number Generators:
Use secure random number generators for generating cryptographic keys and initialization vectors. Avoid using predictable or non-random sources for generating cryptographic values.
Cryptography
11. Quantum-Resistant Cryptography:
Stay informed about the development and adoption of quantum-resistant cryptographic algorithms, especially if your organization deals with long-term data storage or transmission.
12. Adherence to Standards:
Adhere to recognized security standards (e.g., FIPS, ISO) for cryptographic implementations. Regularly assess and update cryptographic practices based on emerging standards and best practices.
13. Regular Security Audits:
Conduct regular security audits, including cryptographic assessments, to identify and address potential vulnerabilities. Engage external experts for cryptographic reviews and validations.

Deception
• In cybersecurity, deception refers to the use of intentionally misleading information, decoys, and traps to misdirect or detect attackers and enhance the overall security posture of an organization.
• The goal of deception is to create confusion, slow down attackers, and gather valuable information about their tactics, techniques, and procedures.
• Deception techniques are employed strategically to identify and respond to threats before they can cause harm.
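An added Python example, not from the slides, of cryptography items 2, 6 and 10 (key management and rotation, a secure hash function, and a cryptographic random number generator): a versioned key ring that authenticates messages with HMAC-SHA256, draws every key from the OS CSPRNG, keeps superseded keys only for verification until they are retired, and rejects tags made with unknown or retired keys. `KeyRing` and the `kid:hexmac` tag format are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time


class KeyRing:
    """Versioned HMAC keys: one active key signs, older keys only verify until
    retired. The key id travels with each tag so a verifier can pick the right
    key during a rotation."""

    def __init__(self, clock=time.time):
        self._keys = {}      # key id -> (32-byte key, creation time)
        self._active = None
        self.clock = clock

    def rotate(self):
        """Generate a fresh 256-bit key from the OS CSPRNG and make it active."""
        kid = f"k{len(self._keys) + 1}"
        self._keys[kid] = (secrets.token_bytes(32), self.clock())
        self._active = kid
        return kid

    def retire(self, kid):
        """Forget a key, after which tags made with it no longer verify."""
        if kid == self._active:
            raise ValueError("rotate before retiring the active key")
        self._keys.pop(kid, None)

    def sign(self, message):
        """Return 'kid:hexmac' for the message under the active key."""
        if self._active is None:
            raise ValueError("no active key; call rotate() first")
        key, _ = self._keys[self._active]
        mac = hmac.new(key, message, hashlib.sha256).hexdigest()
        return f"{self._active}:{mac}"

    def verify(self, message, tag):
        """True only if the tag's key is still on the ring and the MAC matches
        (constant-time comparison, so timing reveals nothing about the MAC)."""
        kid, _, mac = tag.partition(":")
        if kid not in self._keys:
            return False
        key, _ = self._keys[kid]
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    ring = KeyRing()
    ring.rotate()
    tag = ring.sign(b"constructed sample message")
    ring.rotate()                       # rotation keeps old tags verifiable...
    print(ring.verify(b"constructed sample message", tag))
    ring.retire("k1")                   # ...until the old key is retired
    print(ring.verify(b"constructed sample message", tag))
```

The same pattern (key id in the artefact, old keys kept read-only for a grace period, then destroyed) is what a key management system or HSM automates at scale; the ring here keeps keys in process memory only to keep the example self-contained.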

Deception
• Deception is part of an active defense strategy and can complement other security measures.
• While it can be a valuable tool, organizations must carefully manage and monitor their deception techniques to ensure they do not inadvertently disrupt legitimate operations or create false positives.
• Regular testing, adjustment, and integration into broader cybersecurity frameworks are essential for the effectiveness of deception in cybersecurity.

Deception Techniques
• Deception in Endpoint Security:
Deception elements can be integrated into endpoint security solutions, using tactics such as deceptive files, processes, or registry entries to mislead attackers and identify malicious behavior.
• Deceptive Data:
Organizations can create enticing but fake data or documents that appear valuable to attackers. Accessing these decoy files triggers alerts, indicating potential unauthorized access.
Denial of Service filters
• Denial of Service (DoS) filters are security measures designed to detect and mitigate the impact of Denial of Service attacks on computer systems, networks, or online services.
• DoS attacks aim to disrupt the availability of a system by overwhelming it with a flood of traffic, requests, or other malicious activities.
• DoS filters help identify and block such malicious traffic to ensure the normal functioning of systems.

Common DoS filters
• Rate Limiting
• Traffic Filtering
• Behavioral Analysis
• CAPTCHA Challenges
• DNS Filtering
• IP Whitelisting and Blacklisting
• Anomaly Detection
• Cloud-based DDoS Protection Services
• Load Balancers
• Incident Response Plans
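Rate limiting, the first filter in the list above, as an added Python example that is not from the slides: a per-client sliding-window limiter that rejects requests once a source has used its budget for the window, replayed over a constructed burst of requests. The limit, window and sample IP addresses are assumptions of this example.

```python
import time
from collections import defaultdict, deque


class SlidingWindowRateLimiter:
    """Per-client sliding window: allow at most `limit` requests in any span of
    `window` seconds. Requests over budget are rejected before they reach the
    service, which is the rate-limiting DoS filter in its simplest form."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                  # injectable so behaviour can be replayed offline
        self._hits = defaultdict(deque)     # client -> timestamps of accepted requests

    def allow(self, client):
        now = self.clock()
        q = self._hits[client]
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # budget exhausted: reject
        q.append(now)
        return True


def replay(requests, limit=5, window=1.0):
    """Replay constructed (client, timestamp) pairs through the limiter in time
    order and return (client, timestamp, allowed) decisions."""
    clock = [0.0]
    limiter = SlidingWindowRateLimiter(limit, window, clock=lambda: clock[0])
    decisions = []
    for client, ts in sorted(requests, key=lambda r: r[1]):
        clock[0] = ts
        decisions.append((client, ts, limiter.allow(client)))
    return decisions


# Constructed sample (not from the slides): 203.0.113.7 fires 8 requests in
# 0.7 s, 198.51.100.4 sends 2, and 203.0.113.7 tries once more after backing off.
SAMPLE_REQUESTS = (
    [("203.0.113.7", round(0.1 * i, 1)) for i in range(8)]
    + [("198.51.100.4", 0.2), ("198.51.100.4", 0.6), ("203.0.113.7", 1.05)]
)


def summarize(decisions):
    """Accepted/rejected counts per client, the figures you would log or alert on."""
    counts = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for client, _, ok in decisions:
        counts[client]["allowed" if ok else "rejected"] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, ts, ok in replay(SAMPLE_REQUESTS):
        print(f"{ts:5.2f}s {client:14} {'allow' if ok else 'REJECT'}")
    print(summarize(replay(SAMPLE_REQUESTS)))
```

Only accepted requests are recorded in the window, so a client that keeps hammering while over budget does not extend its own penalty; a defender who wants that behaviour can append on rejection as well.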

Firewall
• A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet, to prevent unauthorized access and protect against cyber threats.
• Firewalls can be implemented as hardware devices, software applications, or a combination of both.

Features of Firewall
• Packet Filtering
• Stateful Inspection
• Proxy Firewalls
• Network Address Translation (NAT)
• Application Layer Filtering
• Intrusion Detection and Prevention Systems (IDPS)
• Virtual Private Network (VPN) Support
• Logging and Auditing
• Default Deny Policy
• Security Zones
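Packet filtering, stateful inspection, a default deny policy and security zones from the feature list above, as an added Python example that is not from the slides: rules are evaluated first-match with an implicit deny, and a stateful layer admits return traffic of flows it already allowed. The zone layout (a public web server at 192.0.2.10 and an internal admin network 10.0.0.0/8) and the class names are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    """Stateless packet filtering: the first matching rule wins; with no match
    the packet is dropped (default deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p):
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFilter(PacketFilter):
    """Stateful inspection on top of the rule set: a reply to a flow that was
    allowed in the forward direction is accepted without a separate rule, while
    an unsolicited packet with the same ports is still denied."""

    def __init__(self, rules):
        super().__init__(rules)
        self._flows = set()  # (src, sport, dst, dport, proto) of allowed flows

    def decide(self, p):
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self._flows:
            return "allow"   # return traffic of an established flow
        action = super().decide(p)
        if action == "allow":
            self._flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action


# Constructed zone layout (assumed, not from the slides): 192.0.2.10 is the
# public web server; only the internal 10.0.0.0/8 network may reach its SSH port.
RULES = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", dst="192.0.2.10/32", proto="tcp", dport=22),
]

if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    for pkt in [Packet("203.0.113.7", 51000, "192.0.2.10", 443, "tcp"),
                Packet("192.0.2.10", 443, "203.0.113.7", 51000, "tcp"),
                Packet("203.0.113.7", 51001, "192.0.2.10", 22, "tcp")]:
        print(pkt, "->", fw.decide(pkt))
```

Note that the rule set has no explicit deny at all: everything not named is dropped by the fall-through, which is what "default deny policy" means in practice.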
IDS
• An Intrusion Detection System (IDS) is a security technology designed to monitor and analyze network or system activities for signs of malicious behavior or security policy violations.
• The primary goal of an IDS is to detect and respond to security incidents, including unauthorized access, malware infections, and other types of cyber threats.

Security Policy
• A security policy is a formalized set of rules and practices that an organization adopts to protect its information assets, technology infrastructure, and overall security posture.
• The primary purpose of a security policy is to establish guidelines, standards, and procedures that govern how an organization manages, protects, and secures its information resources.
• A well-defined security policy helps mitigate risks, ensures compliance with regulations, and fosters a culture of security within the organization.

Component of Security Policy
• Introduction and Purpose
• Scope
• Roles and Responsibilities
• Information Classification
• Access Control
• Data Encryption
• Network Security
• Endpoint Security
• Incident Response
• Security Awareness and Training
• Physical Security
• Risk Management
• Compliance
• Third-Party Security
• Documentation and Review

Threat Management
• Threat management involves the identification, assessment, and mitigation of potential threats to an organization's information assets, systems, and operations.
• The goal is to proactively address and minimize the impact of threats, whether they are cybersecurity threats, physical threats, or other risks that could harm the organization.
• Effective threat management encompasses various processes and strategies to safeguard against potential harm.
Component of Threat management
• Threat Identification
• Risk Assessment
• Threat Intelligence
• Security Controls
• Incident Response Planning
• Security Awareness and Training
• Physical Security Measures
• Continuous Monitoring
• Regular Security Audits and Assessments
• Collaboration and Information Sharing
• Regulatory Compliance
• Backup and Recovery Planning

Network-based scanning tool:
▪ Network-based scanning tools send network traffic to various network hosts and devices, with the goal of gathering information that will indicate whether those systems have holes that can be exploited.
▪ Example: OpenVAS, Wireshark, NMAP, Nikto etc.

Host-based scanning tool:
▪ Host-based scanning tools are run on each host to scan for a wide range of system problems, including unauthorized software, unauthorized accounts, unprotected logins, weak passwords and inappropriate access permissions.
▪ Example: OSSEC

Cloud-Based Vulnerability Scanners
▪ Used to find vulnerabilities within cloud-based systems such as web applications, WordPress, and Joomla.
Host-Based Vulnerability Scanners
▪ Used to find vulnerabilities on a single host or system such as an individual computer or a network device like a switch or core-router.
Network-Based Vulnerability Scanners
▪ Used to find vulnerabilities in an internal network by scanning for open ports. The tool determines from the services running on the open ports whether vulnerabilities exist or not.
Database-Based Vulnerability Scanners
▪ Used to find vulnerabilities in database management systems. Databases are the backbone of any system storing sensitive information. Vulnerability scanning is performed on database systems to prevent attacks like SQL Injection.

▪ The vulnerability scanners use predefined tests to identify vulnerabilities.
▪ If the scanner has insufficient tests, then it does not report a vulnerability that does exist on the system.
▪ This is known as a false negative.
❑ If the scanner has a poorly written test, then it reports a vulnerability even if it does not exist on the system. This may produce a false positive.
❑ It wastes time, as administrators must follow up to manually check whether the reported vulnerability is actually present or not.
❑ Some of the free and very useful vulnerability scanners are:
❑ Netcat
❑ Socat

▪ Port scanner: Software designed to probe a server or host for open ports.
▪ Used by administrators to verify security policy.
▪ Used by attackers to identify running services on a host.
▪ Port scan: A process that sends a client request to a server for finding active ports.
▪ Open port: Host sends a reply indicating the port is active.
▪ Closed port: Host sends a reply that the connection will be denied.
▪ Filtered: There was no reply from the host [because of the firewall security].
▪ Vulnerability can be with open ports or the operating system of the running host.
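The three port states just defined, and the administrator's use of a scan to verify security policy, as an added Python example that is not from the slides: each port is classified from the outcome of an ordinary TCP connect (handshake completes, connection refused, or no answer before the timeout), and the results are compared against an approved-ports list. It runs entirely against the local loopback interface by opening its own throwaway listener; `probe_port`, `scan_ports` and `unexpected_open_ports` are names chosen for this example.

```python
import socket


def probe_port(host, port, timeout=0.5):
    """Classify a TCP port from the outcome of an ordinary connect() attempt:
    a completed handshake means open, a refusal (RST) means closed, and
    silence until the timeout is reported as filtered (typically dropped by a
    firewall). No raw packets are needed for this."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"   # e.g. host unreachable: treat like no answer
    finally:
        sock.close()


def scan_ports(host, ports, timeout=0.5):
    return {port: probe_port(host, port, timeout) for port in ports}


def unexpected_open_ports(results, allowed):
    """Policy check an administrator runs after a scan: which open ports are
    not in the approved list? Anything returned needs explaining or closing."""
    return sorted(p for p, state in results.items() if state == "open" and p not in allowed)


def start_loopback_listener():
    """Bind a throwaway listener on a kernel-chosen loopback port so the example
    has a known open port to find; returns (port, socket). Close it when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv.getsockname()[1], srv


def free_loopback_port():
    """Reserve and immediately release a port so that, with high probability,
    nothing is listening on it and a probe reports it closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    port, srv = start_loopback_listener()
    try:
        results = scan_ports("127.0.0.1", [port, free_loopback_port()])
        print(results)
        print("unexpected open:", unexpected_open_ports(results, allowed={22, 443}))
    finally:
        srv.close()
```

A full connect is noisier than the SYN-based techniques Nmap uses, but it needs no privileges and is enough for checking your own hosts against the policy; the "filtered" result is only meaningful when you know a firewall sits between you and the target.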

Nmap
▪ Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.
▪ Many systems and network administrators also find it useful for tasks such as network inventory (exploring), managing service upgrade schedules, and monitoring host or service uptime.
▪ It is designed to rapidly scan large networks, but works fine against single hosts.
▪ Nmap uses raw IP packets in novel ways:
▪ To determine what hosts are available on the network.
▪ Available services (application name and version) those hosts are offering.
▪ Operating systems (and OS versions) they are running.
▪ Type of packet filters/firewalls in use.
▪ Information about the TCP and UDP ports.
▪ Scanme.nmap.org is available to do the experiments.

▪ Flexible
▪ Powerful
▪ Portable
▪ Easy
▪ Free
▪ Well Documented
▪ Supported
▪ Acclaimed
▪ Popular
▪ Source: http://nmap.org/
Netcat
❑ The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.
❑ At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection its user could need and has a number of built-in capabilities.

❑ Hackers have come up with hundreds of ways to use Netcat.
❑ Some of the uses of Netcat are given here in detail:
❑ Chatting
❑ File Transfer
❑ Obtain Remote Access to a Shell
❑ Perform Basic Port Scanning
❑ Identify more information about ports
❑ Communicate with UDP Services
❑ For IP Spoofing
❑ Hijack a Service
❑ Create Proxies and Relays
❑ Bypass Port Filters
❑ Used as Backdoor

❑ Web application vulnerabilities involve a system flaw or weakness in a web-based application.
❑ Make sure to write secure code while coding any application.
❑ www.Hackthissite.org and DVWA (Damn Vulnerable Web Application) are available for experiments.

❑ The Open Web Application Security Project (OWASP) provides free and open resources. It is led by a non-profit called The OWASP Foundation.
❑ It is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
❑ There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021.

SQL INJECTION
❑ This is when the attacker inserts (injecting code) malicious SQL statements into form fields and other injection points, with the intention of gathering information from and controlling the database.
❑ Untrusted data is sent to an interpreter as a part of a query.
❑ SQL injection is a code injection technique used to execute malicious SQL statements.
❑ This attack is used to take over the database server.
❑ Prepared statements with parameterized queries can mitigate SQL-related web application vulnerabilities. A prepared statement helps to sanitize the input and ensures that it is considered as a string literal in SQL rather than as part of the SQL query.
❑ Migrating to Object Relational Mapping tools (ORMs) is another excellent option. However, most ORMs allow non-parameterized queries in addition to performing parameterized queries.
❑ Make the most of LIMIT and other SQL controls within your queries so that even if an SQL injection attack does occur, it can prevent the mass disclosure of records.
❑ Another way to prevent injections is to escape all characters that have a special meaning in SQL.

❑ DVWA stands for Damn Vulnerable Web Application.
❑ DVWA is a vulnerable web application developed using PHP and MySQL that allows ethical hackers to test out their hacking skills and security tools.
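The injection mechanism and the two mitigations above (parameterized queries and LIMIT), as an added Python example that is not from the slides: the same lookup written once by concatenating the input into the query text and once with a bound parameter, run against an in-memory SQLite table of constructed users. The table, its rows and the function names are assumptions of this example.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """BEFORE: untrusted input is pasted into the query text, so any SQL syntax
    in the input becomes part of the statement the interpreter executes."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """AFTER: the '?' placeholder binds the input as a string literal; it is
    never parsed as SQL. LIMIT 1 additionally bounds what one lookup can ever
    return, so even a future mistake cannot dump the whole table."""
    sql = "SELECT username, email FROM users WHERE username = ? LIMIT 1"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_user_safe(db, "alice"))
    db.close()
```

The test attached to this example feeds both functions a username containing a quote and an OR clause: the concatenated version returns every row, the parameterized version returns none, because no user literally has that string as a name.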

CROSS-SITE SCRIPTING (XSS)
❑ Cross-site scripting or XSS is one of the most popular web application vulnerabilities that could put your users' security at risk.
❑ These attacks inject malicious code (scripts) into the running application and execute it on the client side (browser), which can hijack user sessions, deface websites and redirect users to malicious websites.
❑ Cross site scripting is the name given to web site vulnerabilities arising from the embedding of malicious HTML tags into an HTML document which is generated dynamically on the server.

❑ The goal of XSS attacks is to send this malicious code to other users, sometimes infecting their devices with malware or stealing sensitive information. This type of web application vulnerability can give the attacker full control of the user's browser and can be extremely dangerous to any website.
TYPES OF CROSS-SITE SCRIPTING (XSS)
Reflected XSS (Non-persistent)
❑ Script is executed (reflected) on the victim side. Script is not stored on the server.

Stored XSS (Persistent)
❑ Script is stored and executed on the server. Executed every time the malicious site is requested.

DOM (Document Object Model) XSS
❑ Client side attack. Script is not sent to the server. Legitimate server script is executed followed by malicious script.

Barkha Wadhvani

HOW IMPORTANT IS XSS PREVENTION?
❑ Spreading worms on social media: Facebook, Twitter and YouTube have all been successfully attacked in this way.
❑ Session hijacking: Malicious JavaScript may be able to send the session ID to a remote site under the hacker's control, allowing the hacker to impersonate that user by hijacking a session in progress.
❑ Identity theft: If the user enters confidential information such as credit card numbers into a compromised website, these details can be stolen using malicious JavaScript.
❑ Denial of service attacks.
❑ Theft of sensitive data, like passwords.
❑ Financial fraud on banking sites.

HOW TO PREVENT CROSS-SITE SCRIPTING (XSS)
❑ Escape dynamic content:
Escaping dynamic content generally consists of replacing significant characters with the HTML entity encoding. By escaping editable content in this way, the content will never be treated as executable code by the browser.
❑ Sanitize HTML:
Consider all input as a threat, and if your site stores and renders rich content, you need to use an HTML sanitization library to ensure malicious users cannot inject scripts in their HTML submissions.
❑ Whitelist values:
Make sure your rendering logic only permits known, proper values (users cannot change the default values by editing URLs).
HOW TO PREVENT CROSS-SITE SCRIPTING (XSS)
❑ Implement a content-security policy
Content-Security Policies allow the author of a web-page to control where JavaScript and other resources can be loaded and executed from. By whitelisting the URLs from which scripts can be loaded, you are implicitly stating that inline JavaScript is not allowed.
You can also place the content security policy in a <meta> tag in the <head> element of a page:
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://apis.google.com">
❑ HTTP-only Cookies
Malicious JavaScript can be used to steal a cookie containing the user's session ID.
Consider marking cookies as HTTP-only, meaning that cookies will be received, stored, and sent by the browser, but cannot be modified or read by JavaScript.
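The XSS defences from the two slides above (escape dynamic content, whitelist values, a script-source CSP, and HttpOnly session cookies), as one added Python example that is not from the slides. It shows an unescaped rendering function beside its escaped form and builds the response headers a server would send; the comment markup, the theme parameter, and the use of apis.google.com as the permitted script host (taken from the slide's meta-tag example) are assumptions of this example.

```python
import html
from http.cookies import SimpleCookie

# Constructed allow-lists (assumed): script origins for the CSP and the only
# theme names the application knows.
SCRIPT_SOURCES = ["'self'", "https://apis.google.com"]
ALLOWED_THEMES = {"light", "dark"}


def render_comment_vulnerable(comment):
    """BEFORE: user text is placed straight into the HTML, so markup in the
    comment becomes markup in the page (stored or reflected XSS, depending on
    where `comment` came from)."""
    return f'<p class="comment">{comment}</p>'


def render_comment(comment):
    """AFTER: escape dynamic content. <, >, &, \" and ' become entities, so
    the browser displays the text and never parses it as tags or script."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def choose_theme(requested):
    """Whitelist values: a parameter taken from the URL is honoured only if it
    is a known setting; anything else falls back to the default."""
    return requested if requested in ALLOWED_THEMES else "light"


def csp_header():
    """Listing the permitted script origins implicitly forbids inline scripts
    and scripts from any other host."""
    return "default-src 'self'; script-src " + " ".join(SCRIPT_SOURCES)


def session_cookie_header(session_id):
    """Set-Cookie value with HttpOnly (unreadable from JavaScript), Secure
    (sent over HTTPS only) and SameSite=Lax."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def security_headers(session_id):
    """The two response headers to add alongside the escaped page body."""
    return {
        "Content-Security-Policy": csp_header(),
        "Set-Cookie": session_cookie_header(session_id),
    }


if __name__ == "__main__":
    sample = 'Nice post <b>"quoted"</b> & more'   # constructed user input
    print(render_comment_vulnerable(sample))
    print(render_comment(sample))
    print(security_headers("constructed-session-id"))
```

Escaping belongs at the output point, for the context the value is placed in (HTML body here); the same string would need different treatment inside a JavaScript string or a URL, which is why the slides pair it with a sanitization library for rich content.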

BROKEN AUTHENTICATION
❑ Broken authentication is an umbrella term for several vulnerabilities that attackers exploit to impersonate legitimate users online.
❑ Broken authentication refers to weaknesses in two areas: session management and credential management. Both are classified as broken authentication because attackers can use either avenue to masquerade as a user: hijacked session IDs or stolen login credentials.
❑ Incorrect implementation of application functions related to authentication (login page: username and password) and session management.

PREVENT BROKEN AUTHENTICATION
❑ Best practices for passwords: complex passwords, change default passwords.
❑ Encryption
❑ Proper roles and features as developer
❑ Automated attacks can be prevented with CAPTCHA / two-factor authentication.
❑ Don't expose the session ID in the URL.
❑ Control the count of login attempts to avoid brute force attacks.
❑ Don't use user IDs or predictable sequential values as session IDs. Instead, use a secure server-side session manager that generates a random session ID with high entropy.
❑ Invalidate the session after logout.
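The session-management half of the prevention list above (random high-entropy IDs, an idle timeout, and invalidation on logout), as an added Python example that is not from the slides. IDs come from the `secrets` module rather than from user IDs or a counter, the store is server-side, and the ID is meant to travel in a cookie, never in the URL. The timeout value and the `SessionManager` name are assumptions of this example.

```python
import secrets
import time


class SessionManager:
    """Server-side session store. Session IDs are 32 random bytes (256 bits of
    entropy) encoded for a cookie; a session expires after an idle timeout and
    logout deletes the server-side entry, so a captured ID cannot be replayed."""

    def __init__(self, idle_timeout=30 * 60, clock=time.time):
        self._sessions = {}              # session id -> {"user": ..., "expires": ...}
        self.idle_timeout = idle_timeout  # assumed default: 30 minutes
        self.clock = clock                # injectable so expiry can be tested offline

    def create(self, username):
        """Issue a new, unguessable session ID for an authenticated user."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "expires": self.clock() + self.idle_timeout}
        return sid

    def user_for(self, sid):
        """Return the username for a live session, else None. A valid lookup
        refreshes the idle timer; an expired one is removed on sight."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            del self._sessions[sid]
            return None
        entry["expires"] = self.clock() + self.idle_timeout
        return entry["user"]

    def logout(self, sid):
        """Invalidate the session server-side; the browser's copy becomes useless."""
        self._sessions.pop(sid, None)

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    sm = SessionManager()
    sid = sm.create("alice")
    print(sid, sm.user_for(sid))
    sm.logout(sid)
    print(sm.user_for(sid))   # None after logout
```

Guessing an ID from this store means guessing 256 random bits; contrast that with a sequential or user-derived ID, where an attacker who knows one valid value can enumerate the rest.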
SENSITIVE DATA EXPOSURE
❑ This is where data is exposed to actors that are not authorized to view that data.
❑ Such data could be user credentials, banking information, credit cards or personal information.
❑ Sensitive data exposure vulnerability comes because of other vulnerabilities [an attacker can reach sensitive data by attacking other vulnerabilities].

WHAT CAUSES SENSITIVE DATA EXPOSURE
❑ It occurs when an application does not adequately protect sensitive information from being disclosed to attackers.
❑ Data at rest and in transit are not protected enough.
❑ Unencrypted traffic.
❑ Unencrypted data in the database.
❑ Weak encryption used.

PREVENT SENSITIVE DATA EXPOSURE
❑ Encrypt data during transport and at rest, using the latest encryption algorithms.
❑ Encrypt all data in transit with secure protocols.
❑ Don't store sensitive data unnecessarily.
❑ Use strong hashing algorithms.
❑ Disable caching of sensitive data.
XML EXTERNAL ENTITIES INJECTION [XXE]
❑ XML external entity injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data.
❑ This attack takes place due to a web security vulnerability when a reference to an external entity contained in XML input gets processed by an XML parser that is weakly configured.
❑ As a result of this attack, denial of service, confidential data disclosure, port scanning from the perspective of the machine where the parser is located, server-side request forgery, and other system impacts result.
❑ It often allows an attacker to view files on an application server filesystem and to interact with any back-end or external systems that the application itself can access.

WHAT CAUSES XXE INJECTION
❑ Poorly configured XML processors evaluating external entity references or untrusted data within XML documents.
❑ Not configured (DTD) entity. It also happens when any XML processors in SOAP-based web services or applications have DTDs or Document Type Definitions enabled. The mechanism for disabling DTD processing may vary from one processor to another.
❑ If it held other external files, commands.

PREVENT XML EXTERNAL ENTITY
▪ The XXE attack is carried out by processing untrusted XML input that contains a reference to an external entity by an XML parser configured with a weak configuration.
▪ It may lead to the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning from the perspective of the machine where the parser is located, and other system impacts.
▪ XXEs should be prevented by disabling DTDs (External Entities) entirely.
▪ Depending on the parser, the method should be similar to the following (the Java/Xerces feature that rejects any DOCTYPE declaration):
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
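The same "disable DTDs entirely" mitigation, as an added Python example that is not from the slides, using the standard library's expat parser instead of the Java factory shown above: the parser is given a DOCTYPE handler that aborts the parse, so no entity (internal or external) can ever be declared, and an external-entity handler that refuses resolution as a second line of defence. The function name `parse_untrusted_xml`, the exception type and the sample documents are assumptions of this example.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised for input that is malformed or that tries to use DTD features."""


def parse_untrusted_xml(data):
    """Parse XML with DTD processing refused outright, the equivalent of the
    disallow-doctype-decl feature: any DOCTYPE, and hence any entity
    declaration or external entity reference, aborts the parse. Returns the
    element names and attributes seen, in document order."""
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Reached before any entity is declared; raising here stops the parse.
        raise UnsafeXMLError("DOCTYPE declarations are not allowed in untrusted input")

    def on_external_entity(context, base, system_id, public_id):
        # Belt and braces: never fetch external entities even if a DOCTYPE
        # were somehow accepted. Returning 0 makes expat report an error.
        return 0

    def on_start(name, attrs):
        elements.append((name, attrs))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return {"elements": elements}


# Constructed samples (not from the slides).
CLEAN_ORDER = b"<order id='77'><item sku='A1'/><item sku='B2'/></order>"
WITH_DOCTYPE = b"<!DOCTYPE order [<!ENTITY greeting 'hello'>]><order>&greeting;</order>"

if __name__ == "__main__":
    print(parse_untrusted_xml(CLEAN_ORDER))
    try:
        parse_untrusted_xml(WITH_DOCTYPE)
    except UnsafeXMLError as exc:
        print("rejected:", exc)
```

Rejecting the DOCTYPE outright is simpler and safer than trying to tell harmless entity declarations from harmful ones; applications that genuinely need DTDs should process them only from trusted sources, never from request bodies.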
BROKEN ACCESS CONTROL ATTACK
❑ Broken access control vulnerabilities exist when a user can in fact access some resource or perform some action that they are not supposed to be able to access.
❑ This is caused by improperly enforced restrictions on non-authenticated / guest users.
❑ This can give them the ability to modify or delete contents on the website, or even worse, gain full control over the web application.

Access control is dependent on authentication and session management:
❑ Authentication identifies the user and confirms that they are who they say they are.
❑ Session management identifies which subsequent HTTP requests are being made by that same user.
❑ Access control determines whether the user is allowed to carry out the action that they are attempting to perform.

HOW BROKEN ACCESS CONTROL ATTACK WORKS?
Insecure IDs (Insecure Direct Object Reference): Let's say I am visiting a page by URL with a unique ID, https://example.com/profile?id=13.
But what if I replace the ID with another user's ID? If the webserver is configured improperly, then if I visit another page, https://example.com/profile?id=5, I will get the profile of another user.

Forced browsing:
❑ Forced browsing is when the user tries to access resources that are not referenced by the application, but still available.
❑ If someone directly edits the URL, e.g. visits https://example.com/admin, they might access the admin page if the access control is broken.


HOW BROKEN ACCESS CONTROL ATTACK WORKS?
Directory traversal
❑ When a website stores data in different files, the server might expect a filename as a request parameter.
❑ Users can reach the root directory, and the attacker can access any file from there. In order to defend against this attack, the webserver should be configured in such a way that it has no access to the files that it does not need. Filtering for .. in the input parameter is another potential solution.

Client side caching:
❑ Browsers store websites in their cache to ensure faster loading if the user tries to access the same website again. This might be a problem if multiple people use the same computer.
❑ Developers should prevent browsers from storing sensitive data in their cache. This can be accomplished by, for example, using HTML meta tags.
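Server-side checks that close the three access-control holes described on the slides above (the profile-ID swap, forced browsing to /admin, and directory traversal with ..), as one added Python example that is not from the slides. The first two checks run after authentication and session lookup, which the slides identify as the prerequisites of access control; the third resolves the requested file against a fixed base directory before touching the filesystem. The profile data, route table, base directory and function names are assumptions of this example.

```python
import os
from dataclasses import dataclass


@dataclass
class Session:
    """What session management hands to the access-control layer."""
    user_id: int
    role: str   # "user" or "admin"


class Forbidden(Exception):
    pass


# Constructed profile store (assumed), keyed by the id that appears in the URL.
PROFILES = {5: {"name": "alice"}, 13: {"name": "bob"}}


def get_profile(session, profile_id):
    """Object-level check: an id taken from the URL is honoured only when the
    caller owns it or holds the admin role. This is what stops id=13 being
    swapped for id=5."""
    if session is None:
        raise Forbidden("authentication required")
    if profile_id != session.user_id and session.role != "admin":
        raise Forbidden(f"user {session.user_id} may not read profile {profile_id}")
    return PROFILES[profile_id]


# Constructed route table (assumed): which roles may reach which path.
ROUTE_ROLES = {"/admin": {"admin"}, "/profile": {"user", "admin"}}


def authorize_route(session, path):
    """Function-level check: typing /admin into the address bar only works if
    the session's role is listed for it. Paths not in the table are denied."""
    allowed = ROUTE_ROLES.get(path, set())
    if session is None or session.role not in allowed:
        raise Forbidden(f"{path} not permitted")
    return True


def safe_file_path(base_dir, requested):
    """Resolve a user-supplied filename inside base_dir and refuse anything
    that escapes it. realpath normalises '..' segments and symlinks before
    the check, so filtering the raw string for '..' is not relied upon."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise Forbidden(f"{requested!r} escapes {base_dir}")
    return target


if __name__ == "__main__":
    alice = Session(user_id=5, role="user")
    print(get_profile(alice, 5))
    for check in (lambda: get_profile(alice, 13),
                  lambda: authorize_route(alice, "/admin"),
                  lambda: safe_file_path("/srv/app/files", "../../etc/passwd")):
        try:
            check()
        except Forbidden as exc:
            print("denied:", exc)
```

The common thread is that every decision is made on the server from the session, not from anything the client can edit; a link that is merely hidden in the UI is not an access control.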

SYSTEM MISCONFIGURATION
❑ Security misconfigurations are security controls that are inaccurately configured or left insecure, putting your systems and data at risk.
❑ Basically, any poorly documented configuration changes, default settings, or a technical issue across any component in your endpoints could lead to a misconfiguration.

TYPES OF SYSTEM MISCONFIGURATION
❑ Default accounts / passwords are enabled (vendor-supplied defaults)
❑ Improper configuration of error pages (detailed information about the server and some part of the code displayed)
❑ Secure password policy is not implemented (limit login attempts)
❑ Software is out of date and flaws are unpatched (attacker can use various ways to exploit)
❑ Files and directories are unprotected (by forceful browsing, access can be taken)
TYPES OF SYSTEM MISCONFIGURATION
❑ Unused features are enabled or installed (unused stuff susceptible to misconfiguration)
❑ Security features not maintained or configured properly (failure to properly configure and maintain security)
❑ Unpublished URLs are not blocked from receiving traffic from ordinary users (failure to block URLs from scanning)
❑ Improper / poor application coding practices (no proper input/output validation)
❑ Directory Traversal (to access directories outside the root directory)

PREVENT SYSTEM MISCONFIGURATION
❑ Proper configuration of the default error page.
❑ Limit access to administrator interfaces.
❑ Disable debugging.
❑ Disable the use of default accounts and passwords.
❑ Disable directory listing.
❑ Regularly patch and update software.
❑ Remove unused features.
❑ Use automation to your advantage.

INSUFFICIENT LOGGING & MONITORING
❑ Insufficient logging and monitoring is missing security-critical information logs or lack of proper log format, context, storage, security and timely response to detect an incident or breach.
❑ Proper log management will ensure faster breach detection and mitigation that will save business time, money and reputation.
❑ Not logging enough and not monitoring the logs for timely incident response causes bigger attacks to succeed over time.

PREVENT INSUFFICIENT LOGGING & MONITORING
❑ Perform a baseline of logs needed for business which includes access logs, failed logins, suspicious or anomalous activities, network, endpoints, cloud etc.
❑ Logs formatted properly and the context of logs is clearly understood.
❑ Have a centralized log management system where all logs are collected in one place, like a SIEM tool integrated with real time reporting, heuristics and visualization tools.
❑ Synchronize time (UTC)
❑ Secure the logs
PREVENT INSUFFICIENT LOGGING & MONITORING

❑ Store the logs in accordance with compliance and business requirements.
❑ Properly monitor user activity and anomalous behavior with automation and alerting.
❑ Log review should be closely monitored.
❑ Logs should not be deleted or modified.
❑ Integrate SIEM with SOC to improve threat detection and visibility.
❑ Legacy systems through to cloud environments must be continuously monitored.
❑ Anomalous activity or any incident must be reported in a timely manner and action must be taken.

USING COMPONENTS WITH KNOWN VULNERABILITY

❑ Using Components with Known Vulnerabilities in your system: components such as libraries, frameworks, and other software modules run with the same privileges as the application.
❑ If a vulnerable component is exploited, an attack can facilitate severe data loss or server takeover.
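The baseline, log-format, UTC time synchronization and automated-alerting guidance on the logging and monitoring slides above, as an added example that is not part of the original slides: a small monitor that normalizes structured auth events from several hosts to UTC and alerts when one source address accumulates repeated failed logins across hosts. Host names, user names and addresses are constructed sample data.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone, timedelta

# Constructed sample (hypothetical hosts, users and addresses, not from the slides):
# auth events from two hosts whose clocks report different UTC offsets, plus one
# malformed line that a monitor must tolerate.
SAMPLE_LOGS = [
    '{"ts":"2024-05-01T10:00:05+02:00","host":"web-1","event":"login_failed","user":"alice","src":"198.51.100.7"}',
    '{"ts":"2024-05-01T10:00:09+02:00","host":"web-1","event":"login_failed","user":"bob","src":"198.51.100.7"}',
    '{"ts":"2024-05-01T08:00:12Z","host":"web-2","event":"login_failed","user":"carol","src":"198.51.100.7"}',
    '{"ts":"2024-05-01T08:00:15Z","host":"web-2","event":"login_failed","user":"dave","src":"198.51.100.7"}',
    '{"ts":"2024-05-01T08:00:20Z","host":"web-2","event":"login_ok","user":"dave","src":"198.51.100.7"}',
    '{"ts":"2024-05-01T10:30:00+02:00","host":"web-1","event":"login_failed","user":"erin","src":"203.0.113.9"}',
    "this line is not JSON and must not crash the monitor",
]

def parse_event(line):
    """Parse one structured log line; return None for malformed lines so one bad record cannot stop monitoring."""
    try:
        ev = json.loads(line)
        # Normalise every timestamp to UTC so events from hosts with different
        # clock offsets sort and correlate correctly (the "synchronize time" step).
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        return ev
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def detect_failed_login_bursts(lines, threshold=4, window=timedelta(minutes=5)):
    """Return {src: count} for each source with >= threshold failed logins inside any window, across all hosts."""
    failures = [e for e in map(parse_event, lines) if e and e.get("event") == "login_failed"]
    failures.sort(key=lambda e: e["ts"])  # only meaningful once every timestamp is UTC
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):  # sliding time window over this source's failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = max(alerts.get(src, 0), end - start + 1)
    return alerts

if __name__ == "__main__":
    for src, n in detect_failed_login_bursts(SAMPLE_LOGS).items():
        print(f"ALERT: {n} failed logins from {src} within 5 minutes across hosts")
```

Viewed per host, neither web-1 nor web-2 alone reaches the threshold; the burst is only visible once both hosts' logs are centralized and on a common clock.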
PREVENT USING COMPONENTS WITH KNOWN VULNERABILITY

❑ The best way to prevent using components with known vulnerabilities would be to never use third-party components. However, that is not possible in the real world. So:
❑ Always upgrade components to the latest version (patching).
❑ Use penetration testing.

❑ Wireshark is a free and open source network packet analyzer.
❑ It includes troubleshooting networks that have performance issues.
❑ Wireshark will do the following things:
❑ Packet Capture: Wireshark listens to a network connection in real time and then grabs entire streams of traffic, quite possibly tens of thousands of packets at a time.
❑ Filtering: Wireshark is capable of slicing and dicing all of this random live data using filters. By applying a filter, you can obtain just the information you need to see.
❑ Visualization: Wireshark, like any good packet sniffer, allows you to dive right into the very middle of a network packet. It also allows you to visualize entire conversations and network streams.
▪ Wireshark is a free and open source packet analyzer.
▪ It is used for network troubleshooting, analysis, software and communication protocol development and education.
▪ It runs on Linux, UNIX, OS X, BSD, Solaris, and Microsoft Windows.
▪ It provides the following functionality:
▪ Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.
▪ The user can see all traffic visible on that interface.
▪ If a remote machine captures packets and sends the captured packets to a machine running Wireshark using the TZSP protocol, it can analyse packets captured on a remote machine at the time they are captured.
▪ It understands the structure of different networking protocols. It can parse and display the fields along with their meanings as specified by different protocols.
▪ You can use it to review traffic captured by tools like tcpdump or WinDump or use it to capture traffic directly.
▪ It also supports capture formats from several other commercial and open source network