Student Manual

Subject

Cyber Security
Vol.01

Empowering Youth!
 Cyber Security

Submitted to :- Submitted By :- Sterlite Technologies Ltd

Bihar Skill Development Mission, Labour Resources
Department, GoB Session : 2022-23

Course name:

•
•
Course Id-

•
Candidate Eligibility : Diploma/ Graduate
Course Duration: (In hours) 550

CONTACT DETAILS OF THE BODY SUBMITTING THE QUALIFICATION FILE

Name and address of submitting body:

Sterlite Technologies Ltd

Name and contact details of individual dealing with the submission

Name : Mrs./Mr. Srikant Pattnaik

Position in the organization : Manager

Tel number(s) (Mobile no.) : 9702048264

Website : www.stlacad.tech

E-mail address : [email protected]

BIHAR SKILL DEVELOPMENT MISSION – Sterlite Technology Pvt. Ltd.

 CYBER SECURITY
STUDENT GUIDE

Copy rights reserved for STL Academy

 Cyber Security

About the Student Guide

The student guide contains modules which will help you to acquire relevant knowledge and skills
(generic and domain-specific skills) related to the ‘Cyber Security Professional’ job role. Knowledge
in each module is easily understood and grasped by you before you move on to the next module.
Comprehensible diagrams & images from world of work have been included to bring about visual
appeal and to make the text lively and interactive for you. You can also try to create your own
illustrations using your imagination or taking the help of your trainer.

Let us now see what the sections in the modules have for you.

Section1: Learning Outcome

This section introduces you to the learning objectives and knowledge criteria covered in the module.
It also tells you what you will learn through the various topics covered in the module.

Section 2: Relevant Knowledge

This section provides you with the knowledge to achieve relevant skill and proficiency to perform
tasks of the Cyber Security Professional. The knowledge developed through themodule will enable
you to perform certain activities related to the job market. You should read through the textual
information to develop an understanding on the various aspects of the module before you complete
the exercise(s).

Section 3: Exercises

Each module has exercises, which you should practice on completion of the learning sessions of
the module. You will perform the activities in the classroom, at home or at the workplace. The
activities included in this section will help you to develop necessary knowledge, skills and attitude
that you need for becoming competent in performing the tasks at workplace. The activities should
be done under the supervision of your trainer who will guide you in completing the tasks and also
provide feedback to you for improving your performance.

Section 4: Assessment Questionnaire

The review questions included in this section will help you to check your progress. You must be able
to answer all the questions before you proceed to the next module.

Copy rights reserved for STL Academy

 Cyber Security

CONTENTS
Module 1 Introduction to Cyber Security 1
1.1 Overview of Cyber Security 1
1.2 Cybersecurity Fundamentals 8
1.3 Enterprise Architecture and Components 13
1.4 Information System Governance and Risk Assessment 18
1.5 Incident Management 24
Exercises 33
Assessment Questionnaire 36

Module 2 Design Systems to Secure Applications, Networks & Devices 39

2.1 Networking, Firewalls, LAN Security, IDS, NAC & IPSec 39
2.2 Principles of security, risk management, data classification, disaster
recovery and forensics 55
2.3 Cyber-attacks, DNS security, social engineering fundamentals,
buffer overflows, security testing 64
2.4 Handling bugs, Securing storage platforms and the power grid, Hack IOT 77
2.5 Access Controls, Kerberos, Identity Federation and ID Governance 81
2.6 Encryption, Advanced Cryptography, Crypto Algorithm and PKI 87
Exercises 92
Assessment Questionnaire 93

Module 3 Build A Hacker Mindset and Defend Against Future Attack 94

3.1 Ethical Hacking 94
3.2 Footprinting and Reconnaissance 97
3.3 Scanning Networks 105
3.4 Enumeration 112
3.5 Vulnerability Analysis 113
3.6 System Hacking 116
3.7 Malware Threats 123
3.8 Sniffing 128
3.9 Social Engineering 130
3.10 Denial-of-Service 134
3.11 Session Hijacking 139
3.12 Evading IDS, Firewalls, and Honeypots 142
3.13 Hacking Web Servers 147
3.14 Hacking Web Applications 157
3.15 SQL Injection 159
3.16 Hacking Wireless Networks 165
3.17 Hacking Mobile Platforms 167
3.18 IoT Hacking 174
3.19 Cloud Computing 178
3.20 Cryptography 181
Exercises 186
Assessment Questionnaire 187

Copy rights reserved for STL Academy

 Cyber Security

Module 4 Design, Engineer and Manage the Overall Security Posture

of An Organization 189
4.1 Introduction to CISSP 189
4.2 Security and Risk Management 191
4.3 Asset Security 206
4.4 Security Engineering 214
4.5 Communication and Network Security 229
4.6 Identity and Access Management (IAM) 240
4.7 Security Assessment and Testing 251
4.8 Security Operations 256
4.9 Software Development Security 268
Exercises 274
Assessment Questionnaire 275

Module 5 Technology, Application and Policy 277

5.1 Introduction 277
5.2 Systems Security 280
5.3 Cryptography & Network 283
5.4 Case Studies 289
5.5 Cybersecurity Policy 294
Exercises 299
Assessment Questionnaire 299

Copy rights reserved for STL Academy

 Cyber Security

MODULE 1
INTRODUCTION TO CYBER SECURITY

Section 1: Learning Outcomes

After completing this module, you will be able to:

▪ Explain Common terms used in Cyber Security
▪ Describe Cyber Security Fundamentals
▪ Tell Major Cyber Security Problems
▪ Differentiate between various Types of Hackers
▪ Explain the concept and preventions measures of Trojan Horse
▪ Perform actions to avoid getting infected in cyberspace
▪ Tell Benefits and Components of Enterprise Security Architecture
▪ Explain Enterprise Frameworks
▪ Enlist Cyber Risks
▪ State Importance of Risk Assessment
▪ Explain Needs and Importance of Incident Management
▪ Perform Incident Management

Section 2: Relevant Knowledge

1.1 Overview of Cyber Security
▪ The Term Cyber Security is used to refer to the
security offered through on-line services to protect
your online information.
▪ With an increase amount of people getting
connected to internet, the security threats that
cause massive harm are increasing also.

Meaning of the Word “Cyber”

▪ It is a combining form relating to information technology, the internet, and virtual reality.

Need of Cyber Security

▪ Cyber Security is necessary since it helps in securing data from threats such as data theft or
misuse, also safeguards your system from viruses.

Major Security Problems

➢ Virus
➢ Hacker
➢ Malware
➢ Trojan Horses
➢ Password Cracking

Copy rights reserved for STL Academy 1

 Cyber Security

Viruses and Worms

▪ A Virus is a “Program that is loaded onto your computer without your knowledge and runs
against your wishes.

Solution
▪ Install a security suite that protects the computer against threats such as viruses and worms.

Hackers
▪ In Common a hacker is a person who breaks into computers, usually by gaining access to
administrative controls.

Types of Hackers
➢ White Hat / Ethical Hackers
➢ Black Hat Hackers
➢ Gray Hat Hackers
➢ Script Kiddies
➢ Green Hat Hackers
➢ Blue Hat Hackers
➢ Red Hat Hackers
➢ State/Nation Sponsored Hackers
➢ Hacktivist
➢ Malicious insider or Whistleblower

Black Hat Hackers

▪ Bad hackers who use cyber-attacks to gain money or to achieve another agenda.
▪ These hackers penetrate systems without permission to exploit known or zero-day vulnerabilities.

White Hat Hackers

▪ Ethical hackers who protect your systems from black hat hackers.
▪ Penetrate the system with the owner's permission to find and fix security vulnerabilities and
mitigate cyberattacks.

Grey Hat Hackers

▪ Hackers who cruise the line between being good and bad.
▪ Penetrate systems without permission but typically don't cause harm.
▪ Draw attention to vulnerabilities and often offer a solution to patch them by charging fees.

Red Hat Hackers

▪ Hackers who use cyber-attacks to attack black hat hackers.

2 Copy rights reserved for STL Academy

 Cyber Security

▪ Their intentions are noble, but these hackers often take unethical or illegal routes to take down
bad hackers.

Script Kiddies
▪ The Script Kiddies are amateurs types of hackers in the field of hacking.
▪ They try to hack the system with scripts from other fellow hackers.
▪ They try to hack the systems, networks, or websites.
▪ The intention behind the hacking is just to get the attention of their peers.
▪ Script Kiddies are juveniles who do not have complete knowledge of the hacking process.

Hacktivist
▪ These types of hackers intend to hack government websites.
▪ They pose themselves as activists, so known as a hacktivist.
▪ Hacktivists can be an individual or a bunch of nameless hackers whose intent is to gain access
to government websites and networks.
▪ The data gained from government files accessed are used for personal political or social gain.

Malicious insider or Whistleblower

▪ These types of hackers include individuals working in an organization who can expose
confidential information.
▪ The intent behind the exposure might be a personal grudge against the organization, or the
individual might have come across illegal activities within the organization.
▪ The reason for exposure defines the intent behind the exposure.

How to Prevent Hacking

▪ It may be impossible to prevent computer hacking, however effective security controls including
strong passwords, and the use of firewalls can help.

Malware
▪ The Word “Malware” comes from the term “MALicious softWARE.”Malware is any software that
infects and damages a computer system without the owner’s knowledge or permission.
▪ Malware:
➢ Trojans Trojans

➢ Rootkits Viruses Rootkits

➢ Worms
➢ Spyware
➢ Crime ware Malware
Adware Worms
➢ Adware
➢ Viruses
Crime
Spyware
ware

To Stop Malware
▪ Download an anti-malware program that also helps prevent infections.
▪ Activate Network Threat Protection, Firewall, Antivirus.

Copy rights reserved for STL Academy 3

 Cyber Security

Trojan Horses
▪ Trojan Horses are email viruses that can duplicate themselves, steal information, or harm the
computer system.
▪ Once inside your device, a Trojan can lay low,
collecting information and setting up holes or
backdoors into your system undetected, or it
may just take over your computer

Why Hackers use Trojan Horses?

▪ There are many uses or reasons for hackers
to use Trojans. Some of the main uses are to:

Steal and Modify Data

▪ Trojans are capable of accessing, altering, and deleting data.

Interrupt the Regular Performance of the System

▪ Sometimes a hacker isn’t interested in your data but wants to use your computer to stage a
massive attack on another system or to mine cryptocurrency.

Install More Malware and Create Backdoors

▪ Once inside your device, Trojans will often make changes to your security system, leaving a
backdoor for a hacker to use later.
▪ It will often download and install other malware onto your device, making it vulnerable to viruses
and worms.
▪ Each Trojan is created with a specific job in mind, including any of the following:
➢ Intercepting passwords and personal details
➢ Stealing bank details and credit card information
➢ Gaining control of your computer
➢ Installing other types of malware

How to Spot Trojans

▪ Look out for the following four signs, which may be a warning of Trojans attacking your computer:

Unexplained Behavior
▪ Any mysterious increase in CPU usage is definitely a red flag.
▪ If your computer has increased its processing activity for no reason, then a Trojan may be the
reason.
▪ Use your activity monitor to check what is draining your CPU and end the action if you find a
problem.

System Failures
▪ If your system suddenly slows down significantly or starts crashing regularly, then there’s
something wrong.
▪ Use a high-quality security suite to see if you can identify the problem.

4 Copy rights reserved for STL Academy

 Cyber Security

Increase in Spam
▪ Pop-ups, annoying adverts, and a general rise in spam on your machine could indicate an
adware Trojan.
▪ This malware type uses infected ads to spread the virus further.
▪ Avoid clicking on anything that looks suspicious!

Unidentified Programs
▪ If you spot an app or program that you didn’t download, it’s a cause for concern.
▪ Google the name to ensure it’s not an important part of the operating system. If it’s not— delete it
immediately!

Tips to Avoid Getting Infected

▪ Trojan Horses are often sent via email attachments in spam emails. By downloading the file, you
actively infect yourself. Avoid opening any emails from people you don’t know.
▪ Fake software is another common transmitter. The victim will choose to install a program, without
realizing it’s transporting a Trojan. Only download well-reviewed apps and files from trusted
sources to avoid this issue.
▪ You don’t always have to download a Trojan virus actively. Simply visiting an infected website is
enough to transfer the infection. Avoid clicking through banner ads and visiting random
sites to reduce the risk.
▪ Freeware is no-cost software that is easy to download. While these free programs are
convenient, Trojan horses are known to piggyback on them. Do some independent research
and read reviews on any free program you’re thinking about installing before downloading
them.

Protection from Trojan Threats

Install a high-quality antivirus
▪ Antivirus and anti-malware software should be your first line of defense and it’s essential to install
something robust enough for the job.
▪ These programs scan your device for problems and alert you if an issue arises.
▪ Some will also quarantine and delete any threats from your device.

Avoid third-party downloads

▪ Any download is a potential threat. Websites, ads, and messages that contain automatic
downloads often hide malware.
▪ Avoid clicking through to any banners and suspicious links, don’t use shortened URLs, and think
carefully before allowing any download.

Stick to trusted sources

▪ Whether it’s a website, correspondence, or software, always stick to trusted brands.
▪ If companies are tried and tested by the general public, you’ll know if any problems have arisen.
▪ Reputation is king on the internet so always check independent reviews as well.

Use a firewall
▪ Firewalls screen data that enters your device from the internet.
▪ While most operating systems come with a built-in firewall, it’s also a good idea to use a
hardware firewall for full protection.

Copy rights reserved for STL Academy 5

 Cyber Security

Securing Password
▪ Use Always Strong Password.
▪ Never use same password for two different sites.

Cyber Crime Facts

▪ India Stands 10th in the Cybercrime in the World.

Cyber Security Strategy - India

▪ Conceptualized by the Data Security Council of India (DSCI), the strategy ensures a safe,
secure, trusted, resilient, and vibrant cyberspace for India.
▪ Main sectors of focus:
➢ Large scale digitization of public services
➢ Supply chain security
➢ Critical information infrastructure protection
➢ Digital payments
➢ State-level cyber security
➢ Security of small and medium businesses
▪ To implement cybersecurity in the focus areas, the strategy lists the following recommendations:
➢ Budgetary provisions
➢ Research & innovation
➢ Human Resources
➢ Crisis management
➢ Cyber Diplomacy

Password Cracking
▪ Password Attacks are attacks by hackers that are able to determine passwords or find
passwords to different protected electronic areas and social network sites.

What is Cyber Security?

▪ The Protection of Information assets by addressing
threats to information process, stored and transported by
internetworked information systems.
➢ Information Security
➢ Cybersecurity

6 Copy rights reserved for STL Academy

 Cyber Security

What is Information Security (InfoSec)?

▪ Infosec deals with information, regardless of its (it encompasses paper documents, digital and
intellectual property in people's minds, and verbal or visual communications
▪ Infosec deals with information, regardless of its (it encompasses paper documents, digital and
intellectual property in people's minds, and verbal or visual communications

Protecting Digital Assets

▪ The NIST (National Institute of Standards and Technology) & ENISA (European Union Agency
for Network and Information Security) have identified 5 key functions necessary for the protection
of digital assets.

Identify
▪ Use Organizational Understanding to minimize risk to systems, assets, data and capabilities.

Protect
▪ Design safeguards to limit the impact of potential events on critical services and infrastructure.

Detect
▪ Implement activities to identify the occurrence of a cybersecurity event.

Respond
▪ Take Appropriate action after learning of a security event.

Recover
▪ Plan for resilience and the timely repair of compromised capabilities and services.

Cybersecurity Roles
Governance
▪ It’s the responsibility of the board of directors and senior management of the organization,
provide strategic direction, ensure that objectives are achieved, ascertain whether risk is being
managed appropriately and verify that the organization’s resources are being used responsibly,
are goals of the governance program.

Risk Management
▪ It’s the Process by which an organization manages risk to acceptable levels, it requires the
development and implementation of internal controls to manage mitigate risk throughout the
organization, including financial and investment risk, physical risk and cyber risk.

Compliance
▪ The Act of adhering to mandated requirements defined by laws and regulations, this also include
contractual obligations with clients, partners and internal policies.

Facts about Cyber Security

▪ The World Economic Forum regards the threats to cybersecurity as one of the top five global
risks confronting nations of the world today.
▪ The vulnerabilities of financial loss ranging from cybersecurity breaches to theft of intellectual
property are a growing problem.

Copy rights reserved for STL Academy 7

 Cyber Security

▪ Cyber threats are increasingly targeting the core functions of the economies in nations
throughout the world, as well as their governments on local, regional, and national levels.
▪ The potential for cyber-attacks to disrupt critical services of both the private enterprise and
nongovernmental agencies is growing at an alarming rate.

1.2 Cybersecurity Fundamentals

Cybersecurity Fundamentals
SQL Injection
▪ The attackers use this harmful software to inject to a server for stealing data.
▪ The attacker uses it to get important data. Then he can easily alter and steal valuable
information.

DDoS
▪ Distributed Denial of Service is an attack used by the attacker to send a large number of
requests to the server, network, or website.
▪ These requests normally fill up the servers and networks so that it breaks down. So, attackers
use this simple software to deal with damage to the company.

Phishing
▪ Phishing attacks sends the target to a false website to try and take the confidential data like the
login information or the passwords.
▪ The attackers use this type of attack to get the data related to the networks and to steal the
secret data.
Keylogger
▪ If you download this program, it logs all the system’s keystrokes.
▪ Then the attacking systems get all of these data.
▪ The attacker gets data like passwords, user ids, and so on.

8 Copy rights reserved for STL Academy

 Cyber Security

Scareware
▪ It is a program that is created to scare any person and make them buy an anti-virus.
▪ After it is installed, they get a number of messages on the screen. These messages read that
your system is undergoing an attack and makes them go into a panic mode.
▪ It then sends them to a fake website to buy an anti-virus.

Spyware
▪ Attackers use this software to spy on a targeted system or network.
▪ If the attacker is successful at injecting the spyware, then monitoring every activity becomes easy
for the attacker.
▪ The attacker then copies the original activity of the purchase that you do on a daily basis to steal
any important data.

Copy rights reserved for STL Academy 9

 Cyber Security

Worms
▪ This program does not cause any harm, but it multiplies on its own.
▪ It is also harmful because it can multiply continuously. So, it eventually takes up more than half of
the space on the hard disk.
▪ The networks and systems gradually slow down because of this.

Virus
▪ It is a harmful software that damages the system and the documents.
▪ This program multiplies in number and spreads through infected files.
▪ It does not need a system that is infected already.

Cyber Security Concepts

Compliance Based
▪ Also known as standards-based security, this approach relies on regulations or standards to
determine security implementations, controls are implemented regardless of their applicability or
necessity, which often leads to a ‘checklist’ attitude towards security.

Risk- Based
▪ Risk based security relies on identifying the unique risk a particular organization faces and
designing and implementing security controls to address that risk above and beyond the entity’s
risk tolerance and business needs.

10 Copy rights reserved for STL Academy

 Cyber Security

Ad-Hoc
▪ An ad hoc approach simply implements security with no particular rationale or criteria.
▪ Ad hoc implementations may be driven by vendor marketing, or they may reflect insufficient
subject matter expertise, knowledge or training when designing and implementing safeguards.

Risk Treatment
▪ Risk Treatment Options:
➢ Risk Reduction
➢ Risk Retention
➢ Risk Avoidance
➢ Risk Transfer
➢ Residual Risks

Risk Reduction/Mitigation
▪ Implement controls and/or countermeasures

Risk Avoidance, Terminate

▪ Terminate the activity giving rise to risk

Risk Retention/Acceptance
▪ If the cost of the mitigation controls is higher than the cost the impact the risk represents

Risk Transfer
▪ Purchase insurance to address the risk. which will be transferred 'o the insurance company

What is Residual Risk?

▪ The Risk that still remains after counter measures and
controls have been implemented.
▪ If Residual risk is greater than the acceptable risk level, then it
should be further treated with the option of additional
mitigation through implementing more stringent controls.

Essential Terminologies
Vulnerability
▪ Existence of a weakness, design or implementation error that
can lead to an unexpected event compromising the security of the system

Asset
▪ Anything that represents value for the organization and is worth protecting

Threat
▪ Anything capable of acting against an asset in a manner that can result in harm

Backdoor
▪ A mean of regaining access to a compromised system by installing SW or configuration existing
SE to enable remote access.

Copy rights reserved for STL Academy 11

 Cyber Security

Brute Force Attack

▪ Trying all possible combinations of passwords or encryption keys until the correct one is found.

Buffer Overflow
▪ When an app tries to store more data in a buffer (temporary data storage area) than it was
designed to hold. this corrupts the app and enables the attacker to introduce or run commands.

DDoS Attack
▪ An assault on a service from different sources that floods the target with so many requests that it
becomes unavailable to anyone.

MitM Attack
▪ The Attacker intercepts the communication stream between 2 parts, the attacker can sniff or
replace the traffic.

Social Engineering
▪ Any attempt to exploit social vulnerabilities to gain access to information systems.

Phishing
▪ The Attacker attempts by email to convince a user that the originator is genuine. but with
malicious intentions to obtaining information.

Exploit
▪ A breach of IT system security through vulnerabilities.

Payload
▪ It is the part of an exploit code that performs that intended malicious action. such as destroying,
creating backdoors, and hijacking computer.

SQL Injection
▪ SQL syntax is used without proper validation as part of SQL queries, this could harm the DB or
even the OS.

Bot
▪ A "bot" is a software application that can be controlled remotely to execute or automata
predefined tasks.

Zero-Day Attack
▪ An Attack that exploits computer application vulnerabilities before the software developer
releases a patch for the vulnerability.

XSS
▪ Cross-site scripting, malicious scripts are injected into benign and trusted websites
<script>alert("PW ND") </script>

APT
▪ Advance Persistent Threats are complex and coordinated attacks directed at a specific target,
they require enormous research and time.

12 Copy rights reserved for STL Academy

 Cyber Security

Spoofing
▪ Faking the Sending address to gain illegal entry into a system.

1.3 Enterprise Architecture and Components

What is Enterprise Architecture?
▪ Enterprise Architecture (EA) is a business concept that involves systematized planning, design,
implementation and execution of enterprise analysis in managing business strategies.
▪ Its focus lies in the comprehensive development of enterprises through a set of beliefs and
principles that guide business operations.
▪ Each architecture involves a governing framework, which contain a set of principles for the
systematic creation and management of an architecture.

Enterprise Security Architecture

▪ An enterprise security architecture is an integrated and comprehensive strategy for protecting the
organization against cyber threats.
▪ To achieve comprehensive protection, an organization needs to ensure that there are no visibility
or protection gaps that an attack could
slip through.
▪ The best way to accomplish this is by
using a suite of comprehensive security
solutions from a single vendor.
▪ Solutions that are designed to integrate
and be used together are easier to
monitor and manage and eliminate
costly overlaps or security gaps.
▪ An enterprise license agreement (ELA)
provides a means for an organization to
simply and efficiently deploy security
solutions across its entire environment.
▪ With an ELA, an organization has
access to all of a vendor’s cyber security solutions to achieve comprehensive and integrated
security across networks, endpoints, mobile devices, cloud infrastructure, and IoT devices.

Copy rights reserved for STL Academy 13

 Cyber Security

Benefits
▪ By deploying an enterprise cyber security architecture with an ELA, an organization can achieve
significant benefits, including:

Lower TCO
▪ An integrated security architecture with an ELA eliminates overlapping and underutilized security
tools. Additionally, with an ELA, an organization may have access to competitive pricing and
discounts.

Operational Efficiency
▪ An enterprise security architecture is composed of solutions that are designed to work together to
provide the organization with comprehensive protection against threats.
▪ By eliminating security gaps and overlapping solutions and simplifying security monitoring and
management, an enterprise security architecture increases the efficiency of the corporate
security architecture and SOC.

Interoperability with IT Infrastructure and Existing Integrations

▪ An enterprise cyber security architecture is built out of solutions designed for integration.
▪ This enables an organization to integrate solutions with its existing infrastructure.

Enterprise Security Solution for All Company Sizes

▪ With an ELA, an organization purchases credits that provide access to various security solutions.
▪ This enables an organization to tailor its security architecture to its unique needs and budget.

Components of Security Architecture

▪ For making the security architecture important, there are certain components that are involved in
the design.
▪ The components are people, process and the tools.
▪ All these components combine helps to protect the organization assets.
▪ After defining the components, the next step is to make the policy and the reinforcement
technique for the policies.
▪ After the other important steps are the method procedural for the implementation of security
architecture and how the architecture will get enforced.
▪ By this, the overall design and architecture are designed for the organization that will protect
them throughout their business operations.

Guidance
▪ The policies and procedures that act as the guidance should be design and implement properly.
▪ The policies should include the documentation that includes the objectives and goals for
designing the architecture, standards, policies, rules and regulations for the organization,
identification of scope and function, identification of other security policies.

Identity Management
▪ It is the type of system that include the organization processes, technologies and policies that
directly help users to gain access to the online applications and other network resources.
▪ For the organization, the proper responsibilities and roles need to be clearly stated, and
individual tasks need to be designed for the employees.

14 Copy rights reserved for STL Academy

 Cyber Security

Inclusion & Exclusion

▪ The other components are the inclusion and exclusion that include the security of elements of the
organization in which company resources are protected.
▪ The company resources include web resources, e-mail servers, private HR data and other
reporting system information.
▪ The access should be grant to authorized users only so that the privacy and integrity can be
maintained in the organization.

Access and Border Control

▪ The organization should develop an architecture that is able to control the access to the business
resources and can use the layer system for providing access to the company employees.
▪ Only authorized users should gain complete access to the system, and the rest should be
provided with limited access of the system.

Validation of Architecture
▪ As the technology advances, the company need to renew the policies and laws as per the
changes, and continuous effort is needed by the organization in this change.
▪ For that, the continuous monitoring is required, and according to that, proper changes can be
made in the architecture.

Training
▪ As for the organization, to maintain the privacy and integrity, the security architecture system is
very important.
▪ As there is a continuous change in the system, it becomes important that the employee should
know about the changes and proper training is given to them so that they can use the system
and protect the company assets and elements.

Technology
▪ To reinforce the security architecture, the software and hardware used for making the
architecture become very crucial for the organization.
▪ Because of continuous change in technology, there is a requirement of continuous change in the
system so that the system can be up to date and help to make the system secure and private.

Enterprise Frameworks
▪ Following Enterprise frameworks, such as can help achieve goals of aligning security needs with
business needs.
➢ Sherwood Applied Business Security
Architecture (SABSA)
➢ COBIT
➢ The Open Group Architecture Framework
(TOGAF)

SABSA
▪ SABSA is a business-driven security framework
for enterprises that is based on risk and
opportunities associated with it.
▪ SABSA does not offer any specific control and

Copy rights reserved for STL Academy 15

 Cyber Security

relies on others, such as the International Organization for Standardization (ISO) or COBIT
processes.
▪ It is purely a methodology to assure business alignment.
▪ The SABSA methodology has six layers (five horizontals and one vertical).
▪ Each layer has a different purpose and view.
▪ The contextual layer is at the top and includes business requirements and goals.
▪ The second layer is the conceptual layer, which is the architecture view.

COBIT
▪ COBIT 5, from ISACA, is “a comprehensive framework that assists enterprises in achieving their
objectives for the governance and management of enterprise IT.”
▪ This framework includes
tool sets and processes
that bridge the gap
between technical issues,
business risk and process
requirements.
▪ The goal of the COBIT 5
framework is to “create
optimal value from IT by
maintaining a balance
between realising benefits
and optimising risk levels
and resource use.”
▪ COBIT 5 aligns IT with business while providing governance around it.
▪ The COBIT 5 product family has a lot of documents to choose from, and sometimes it is tough to
know exactly where to look for specific information.
▪ COBIT Enablers are factors that, individually and collectively, influence whether something will
work.
▪ The COBIT framework is based on four principles.
▪ Applying those principles to any architecture ensures business support, alignment and process
optimization.

▪ COBIT 5 Principles:
➢ Meeting Stack holder Needs
➢ Covering the Enterprise End-to-end
➢ Applying a Single Integrated
Framework
➢ Enabling a Holistic Approach
▪ By using a combination of the SABSA
frameworks and COBIT principles,
enablers and processes, a top-down
architecture can be defined for every
category.
▪ As an example, when developing
computer network architecture, a top-down approach from contextual to component layers can
be defined using those principles and processes.

16 Copy rights reserved for STL Academy

 Cyber Security

TOGAF
▪ TOGAF is a framework and a set of supporting tools
for developing an enterprise architecture.
▪ The TOGAF architecture development cycle is great
to use for any enterprise that is starting to create an
enterprise security architecture.
▪ Similar to other frameworks, TOGAF starts with the
business view and layer, followed by technology and
information.
▪ TOGAF is a useful framework for defining the
architecture, goals and vision; completing a gap
analysis; and monitoring the process.
▪ By using SABSA, COBIT and TOGAF together, a
security architecture can be defined that is aligned
with business needs and addresses all the
stakeholder requirements.
▪ After the architecture and the goals are defined, the
TOGAF framework can be used to create the projects and steps, and monitor the implementation
of the security architecture to get it to where it should be.

Initiate an Enterprise Security Architecture Program

1. Identify business objectives, goals and strategy
2. Identify business attributes that are required to achieve those goals
3. Identify all the risk associated with the attributes that can prevent a business from achieving its
goals
4. Identify the required controls to manage the risk
5. Define a program to design and implement those controls:

5.1 Define conceptual architecture for business risk

➢ Governance, policy and domain architecture
➢ Operational risk management architecture
➢ Information architecture
➢ Certificate management architecture
➢ Access control architecture
➢ Incident response architecture
➢ Application security architecture
➢ Web services architecture
➢ Communication security architecture

5.2 Define physical architecture and map with conceptual architecture

➢ Platform security
➢ Hardware security
➢ Network security
➢ Operating system security
➢ File security
➢ Database security, practices and procedures

Copy rights reserved for STL Academy 17

 Cyber Security

5.3 Define component architecture and map with physical architecture

➢ Security standards (e.g., US National Institute of Standards and Technology [NIST], ISO)
➢ Security products and tools (e.g., antivirus [AV], virtual private network [VPN], firewall,
wireless security, vulnerability scanner)
➢ Web services security (e.g., HTTP/HTTPS protocol, application program interface [API], web
application firewall [WAF])

5.4 Define operational architecture

➢ Implementation guides
➢ Administrations
➢ Configuration/patch management
➢ Monitoring
➢ Logging
➢ Pen testing
➢ Access management
➢ Change management
➢ Forensics, etc.

Enterprise Security Architecture Model

1.4 Information System Governance and Risk Assessment

Information System Governance and Risk Assessment
▪ Information security governance is defined as “a subset of enterprise governance that provides
strategic direction, ensures that objectives are achieved, manages risk appropriately, uses
organizational resources responsibly, and monitors the success or failure of the enterprise
security program,” according to the Information Systems Audit and Control Association.

18 Copy rights reserved for STL Academy

 Cyber Security

Need of Security Governance Framework

▪ An information security governance framework helps organizations prepare for risks or events
before they occur by forcing you to continually re-evaluate critical IT and business functions
through:
➢ Integrated risk management functions
➢ Threat and vulnerability analysis
➢ Data governance and threat protection
➢ Aligning business strategy with IT strategy

Risk Assessment

Strategy
▪ Information security
should align with business objectives.
▪ IT strategic plans need to satisfy the current and future business requirements.
▪ The goal of information security governance is to align business and IT strategies with
organizational objectives

Copy rights reserved for STL Academy 19

 Cyber Security

Implementation
▪ Information security governance requires commitment, resources, assignment of responsibilities,
and implementation of policies and procedures that address the controls within a chosen
framework.

▪ Buy-in from senior management and above is critical to the implementation of the program.

Operation
▪ It’s important that adequate
resources are in place, projects that
align with your overall strategy are
deployed, and operational and
technology risks are addressed and
mitigated to appropriate levels.

Monitoring
▪ Metrics and monitoring help document the effectiveness of the program, provide information to
help management make decisions, address any compliance issues, and establish information
security controls with a more proactive approach.

20 Copy rights reserved for STL Academy

 Cyber Security

Risk assessment
▪ The process of identifying,
analyzing, and evaluating risk
is the only way to ensure that
the cybersecurity controls are
appropriate to the risks that
an organization faces.
▪ Without a risk assessment to
inform cybersecurity choices,
one could waste time, effort
and resources – there is, after
all, little point implementing
measures to defend against
events that are unlikely to occur or won’t have much material impact on an organization.

What does Cybersecurity Risk Assessment Include?

▪ A cybersecurity risk assessment identifies the various information assets that could be affected
by a cyber-attack (such as hardware, systems, laptops, customer data, and intellectual property),
and then identifies the various risks that could affect those assets.
▪ A risk estimation and evaluation are usually performed, followed by the selection of controls to
treat the identified risks.
▪ It is important to continually monitor and review the risk environment to detect any changes in the
context of the organization, and to maintain an overview of the complete risk management
process.

ISO 27001 and Cyber Risks

▪ The international standard ISO/IEC 27001:2013 (ISO 27001) provides the specifications of a
best-practice ISMS (information security management system) – a risk-based approach to
corporate information security risk management that addresses people, processes and
technology.
▪ Clause 6.1.2 of the standard sets out the requirements of the information security risk
assessment process.

Copy rights reserved for STL Academy 21

 Cyber Security

Organizations must
▪ Establish and maintain certain information security risk criteria
▪ Ensure that repeated risk assessments “produce consistent, valid and comparable results”

22 Copy rights reserved for STL Academy

 Cyber Security

▪ Identify “risks associated with the loss of confidentiality, integrity and availability for information
within the scope of the information security management system”, and identify the owners of
those risks
▪ Analyze and evaluate information security risks, according to the criteria established earlier
▪ It is important that organizations “retain documented information about the information security
risk assessment process” so that they can demonstrate that they comply with these
requirements.
▪ They will also need to follow a number of steps – and create relevant documentation – as part of
the information security risk treatment process.
▪ ISO 27005 provides guidelines for information security risk assessments and is designed to
assist with the implementation of a risk-based ISMS (information security management system).

What are the tasks of IT Governance and Risk Management?

1. Strategic Alignment
▪ Definition, maintenance, and IT value validation, through the alignment of IT operations with
other business operations.

2.Value Delivery
▪ Ensures the delivery of strategic benefits, with cost optimization and the intrinsic value of IT.

3. Resource Management
▪ Investment optimization and management of critical IT resources such as Applications,
Information, Infrastructure, and People.

Copy rights reserved for STL Academy 23

 Cyber Security

4. Risk Management
▪ Understanding the corporate appetite for risk, regulatory compliance requirements, and
transparency. Understanding of the significant risks to the business and implementing risk
management responsibilities within the organization.

5. Performance Measurement
▪ Monitor implementation strategies, project closures, and resource utilization. Perform the process
of delivering IT services in a Balanced Scorecard framework that transforms strategy into
effective action, for achieving measurable objectives (indicators).

1.5 Incident Management

Key Terms
Cyber Security Event
▪ A cyber security change that may have an impact on organizational operations (including
mission, capabilities, or reputation).

Cyber Security Incident

▪ A single or a series of unwanted or unexpected cyber security events that are likely to
compromise organizational operations.

Cyber Security Incident Management

▪ Processes for preparing, detecting, reporting, assessing, responding to, dealing with and learning
from cyber security incidents.

Preparing for a Cyber Security Incident

Review Your Cyber Security Incident Response Plan
▪ A cyber incident response plan is not a static document.
▪ It is important to integrate it into your business processes and to review and update it regularly,
on a yearly basis and as part of the post-incident review.

Cyber Security Incident Response Procedures

▪ Building on your cyber security
incident response plan, you can
define a number of standard
operating procedures for common
incidents that are likely to occur
within your organization.
▪ Such a procedure should explain
step by step how a specific issue
can be tackled. These quick
response guides for likely scenarios
should be easily accessible.

Incident Management
▪ In the field of cybersecurity, incident management can be defined as the process of identifying,
managing, recording, and analyzing the security threats and incidents related to cybersecurity in
the real world.

24 Copy rights reserved for STL Academy

 Cyber Security

▪ Good incident management can reduce the adverse effects of cyber destruction and can prevent
a cyber-attack from taking place.
▪ It can prevent the compromising of a large number of data leaks.
▪ An organization without a good incident response plan can become a victim of a cyber-attack in
which the data of the organization can be compromised at large.
▪ An incident is an unexpected disruption to a
service.
▪ It disturbs the normal operation thus
affecting end user’s productivity.
▪ An Incident may be caused due to an asset
that is not functioning properly or network
failure.
▪ Examples of Incidents include printer issue,
wifi connectivity issue, application lock issue,
email service issue, laptop crash, AD
authentication error, file sharing issue etc.
▪ Incident Management restores normal service operation while minimizing impact to business
operations and maintaining quality.
▪ An incident, by definition, is an occurrence that can disrupt or cause a loss of operations,
services, or functions.

▪ Incident management describes the necessary actions taken by an organization to analyze,

identify, and correct problems while taking actions that can prevent future incidents.

Incident vs Service Request

▪ A Service request is ‘a formal request from a user for something to be provided – for example, a
request for information or advice’.
▪ The main difference between Incident and service request is that often pre-approved standard
changes are classified as service requests which end users request for.
▪ For example, UX designer requests for Adobe photoshop software and increase in RAM space.
▪ Having an intuitive service catalog to capture this request is recommended.

Copy rights reserved for STL Academy 25

 Cyber Security

Incident vs Problem
▪ A Problem is a series of incidents with an unknown root cause, whereas incident arises as soon
as something breaks or stops working disrupting normal service.
▪ Incident handling is usually a reactive process whereas problem management is more proactive.
▪ Incident management system aims at restoring services quickly whereas problem management
aims at finding a permanent fix.

Importance of Incident Management

Better Efficiency and Productivity
▪ There can be established practices and procedures that can help IT teams better respond to
incidents and mitigate future incidents.
▪ Additionally, machine learning automatically assigns incidents to the right groups for faster
resolution.
▪ Dedicated agent portals for issue resolution have access to all necessary information in one
view, and can leverage AI to deliver recommended solutions immediately.
▪ A dedicated portal for Major Incident Management enables swift resolution by bringing together
the right resolution teams and stakeholders to restore services.

Visibility and Transparency

▪ Employees can easily contact IT support to track and fix issues.
▪ They can connect with IT through web or mobile to have a better understanding of the status of
their incidents from start to finish, and subsequent effects.
▪ A better consumer experience is delivered through intuitive omni-channel self-service and
transparent, two-way communications.

26 Copy rights reserved for STL Academy

 Cyber Security

Higher level of Service Quality

▪ Agents have the ability to prioritize incidents based on established processes, which can also
assist in the continuity of business processes, brought together to manage work and collaborate
using a single planform for IT processes.
▪ Likewise, incident management makes it possible to restore services fast by bringing together
the right agents to manage work and collaborate using a single platform for IT processes.
▪ IT can use advanced machine learning and data models to automatically categorize and assign
incidents, learning from patterns in historical data.

More insight into Service Quality

▪ Incidents can be logged away into incident management software, which provides insight into
service time, severity of the incident, and whether or not there is a constant type of incident that
can be mitigated.
▪ From here, the software can generate reports for visibility and analysis.

Service Level Agreements (SLAs)

▪ Incident management systems help build out processes that provide insight into SLA and
whether or not they are being met.

Prevention of Incidents
▪ Once incidents are identified and mitigated, knowledge of those incidents and necessary
responses can be applied to future incidents for faster resolution or all-around prevention.
▪ Increase incident deflection rate by reducing tickets and call volumes using self-service portals
and ServiceNow chatbots employees are able to find answers on their own before needing to log
an incident, effectively preventing issues before they impact users with AIOps.

Copy rights reserved for STL Academy 27

 Cyber Security

Reduction or Elimination of Downtime

▪ Incidents cause downtime, which can slow or prevent businesses from executing operations and
services.
▪ Well-documented incident management processes help in the reduction or total elimination of
downtime that occurs as a result of an incident.

Improved mean time to resolution (MTTR)

▪ The average amount of time to resolution decreases when there are documented processes and
data from past incidents.
▪ Accelerate incident resolution with machine learning and contextual help to eliminate bottlenecks.
▪ AIOps integration reduces incidents and mean time to resolution (MTTR) to eliminate noise,
prioritize, and remediate.

Improved Customer and Employee Experience

▪ Smooth operations within a company are
reflected in a product or service.
▪ Customers will have a better experience if
businesses do not experience downtime or a
lapse in services due to an incident.
▪ Likewise, providing omnichannel options, where
employees can submit incidents through self-
service portals, chatbots, email, phone, or
mobile, empowers them to easily contact support
to track and fix issues with incident
management.

Incident Response
▪ Always make a habit of collecting evidence and analyze forensics which is a necessary part of
incident response. For these circumstances, the following things are needed.
➢ A well-defined policy to collect evidence to ensure that it is correct and very much sufficient
to make it admissible in the Court of Law.
➢ It is also importantly needed to have the ability to employ forensics as needed for analysis,
reporting, and investigation.
➢ The personnel of the IRT must be trained in cyber forensics, functional techniques and
would also have some knowledge in the legal and governance.

28 Copy rights reserved for STL Academy

 Cyber Security

Steps of Incident Management

1. Incident Logging
▪ An incident is identified and recorded in user reports and using solution analyses once identified,
the incident is logged and categorized.
▪ This is important for how future incidents can be handled and for prioritization of incidents.

Methods for Detecting Incidents

▪ Your Organization's Personnel Has the Potential to Detect
▪ To organise incident reporting by personnel (and other partners), make available the following:
➢ A phone number for reporting emergencies
➢ An e-mail address for informal incident reporting
➢ A web-based form for formal incident reporting

Technology and Endpoint Protection

Technology
▪ Technology is one of the main enablers when it comes to your incident detection, investigation,
eradication and recovery.
▪ When an incident has occurred, ad-hoc deployment of technology is still possible, but your
investigation will often be limited to the current events.
▪ Implementing the right technology during the preparation phase will allow you to get a
comprehensive picture of current and past events.
▪ This gives your organization a better chance of tracing the incident back to its roots.

Copy rights reserved for STL Academy 29

 Cyber Security

Endpoint protection
▪ An endpoint is a device that is connected to your organization's network, such as laptops,
smartphones, etc.
▪ Each of these devices is a potential entry point for cybercriminals. Therefore, it is important that
all of those devices are adequately protected.

Detection Tools
▪ Each detection tool (e.g. IDS) has a specific purpose and is able to monitor from a different
perspective: network-based or host-based.
▪ Given the variety of different threats, the tools should be using and be tuned to the correct inputs.

From a network perspective

▪ A good start would be the implementation of an intrusion prevention system, such as Snort
network IDS sensor, on the Internet uplink.
▪ Many organizations are unaware that they already have a lot of information that can be used to
detect an incident.
▪ This can be in the form of:
➢ Access logs to servers and appliances
➢ Operational logs from systems (e.g., process creation)
➢ Firewall policy logs.
▪ This data can be used to create rules and trends, which help in detecting unexpected or invalid
traffic (e.g., traffic to uncommon websites, login attempts by non-existent users, etc.).

From a host perspective

▪ Anti-virus solutions are not sufficient to fend off advanced attacks against endpoints.
▪ Many malwares today are polymorphic (they change depending on the behaviour of the host),
which makes them hard to detect based on static signatures by classic anti-viruses.
▪ Advanced endpoint protection tools investigate suspicious behaviour and can thus be more
effective in many cases.
▪ This does not mean however that anti-virus solutions should not be deployed. On the contrary,
anti-virus is needed to cover most of the more widely recognized threats.

2. Notification & Escalation

▪ The timing of this step may vary from incident to incident depending on the categorization of the
incident.
▪ Smaller incidents may also be logged and acknowledged without triggering an official alert.
▪ Escalation occurs when an incident triggers an alert, and the proper procedures are performed
by the individual who is assigned to manage the alert.
3. Incident Classification
▪ Incidents need to be classified into the proper category and subcategory in order to be easily
identified and addressed.
▪ Typically, classification happens automatically when the right fields are set up for classification,
prioritization is assigned based on the classification, and reports are quickly generated.

30 Copy rights reserved for STL Academy

 Cyber Security

Categories of Incidents
4. Incident Prioritization
▪ The proper priority can have a direct impact on the SLA of an incident response, ensuring that
business-critical issues are addressed on time and neither customers nor employees experience
any lapse in service.

Copy rights reserved for STL Academy 31

 Cyber Security

5. Investigation and Diagnosis

▪ The IT team performs an analysis and provides a solution to the employee once an incident is
raised.
▪ If a resolution is not immediately available, the incident is escalated to the proper teams for
further investigation and diagnosis of the incident.

6. Incident Resolution and Closure

▪ An IT team is meant to resolve incidents using the proper prioritization methods as quickly as
possible.
▪ Communication can help with the resolution and closure of tickets, with the possibility of
automation to help resolving tickets.
▪ Once an incident is resolved, there is further logging and understanding of how to prevent the
incident from occurring again or decrease the time to resolution.

Handling an Actual Incident

▪ Convene Your Cyber Security Incident Response Team
▪ When an actual incident is detected, it is very important to evaluate the risks quickly in order to
take the right measures.
▪ The cyber security incident manager should be informed immediately and convene a meeting of
the cyber security incident response team, if your organization has one Cyber Security Incident
Response Team).
▪ The cyber security incident manager and his/her team will report to the CEO, who will have to
validate their decisions.

32 Copy rights reserved for STL Academy

 Cyber Security

Situational Awareness
▪ After the detection of an incident, it is essential to collect all available information on the activities
around the incident’s timeframe.
▪ Central collection and archiving of security information (e.g. system logs, firewall policy logs)
provides the analyst with easy access to this information.
▪ Important factors to take into account are integrity of the information and indexation.

Recover Quickly Or Gather Evidence?

▪ Containing a cyber security incident is all about limiting the damage and stopping the attacker.
You have to find a way to limit the risk to your organization while at the same time keeping it
running.
▪ You need to prevent the incident from spreading further into other systems, devices and
networks both within your organization and beyond.
▪ At the beginning of this phase, your organization will have to make an important strategic
decision: Disconnect the systems immediately in order to recover as quickly as possible? Or take
the time to collect evidence against the cybercriminal who penetrated the system?

Investigating: Gathering Evidence

▪ If you want to tackle the problem at its root and identify the perpetrator for prosecution, you will
need to preserve the evidence.
▪ To gather evidence, forensic investigation must be performed before you eradicate the incident.

To Tackle a DDOS Attack You Need Experience

▪ A DDoS attack is a targeted attack to bring your system down.
▪ It therefore has the potential to have a very significant impact on the availability of
your system.
▪ These attacks are very sophisticated and difficult to get rid of.
▪ Most organizations will be unable to solve a DDoS attack themselves and will have
to call upon external experts.

Copy rights reserved for STL Academy 33

 Cyber Security

Steps of Incident Management in Cyber Security

▪ There is a five-step process for incident management in cybersecurity given by
the ISO/IEC Standard 27035.

Step-1
▪ The process of incident management starts with an alert that reports an incident that took place.
▪ Then comes the engagement of the incident response team (IRT). Prepare for handling
incidents.

Step-2
▪ Identification of potential security incidents by monitoring and report all incidents.

Step-3
▪ Assessment of identified incidents to determine the appropriate next steps for mitigating the risk.

Step-4
▪ Respond to the incident by containing, investigating, and resolving it (based on the outcome of
step 3).

Step-5
▪ Learn and document key takeaways from every incident.

Tips for Security Incident Management

▪ Each and every organization needs to have a good and matured plan for the security incident
management process, implementing the best process is very useful to make a comprehensive
security incident management plan.
▪ Create a security incident management plan with supporting policies including proper guidance
on how incidents are detected, reported, assessed, and responded.
▪ It should have a checklist ready.
▪ The checklist will be containing actions based on the threat.
▪ The security incident management plan has to be continuously updated with security incident
management procedures as necessary, particularly with lessons learned from prior incidents.
▪ Creating an Incident Response Team (IRT) which will work on clearly defined roles and
responsibilities.
▪ The IRT will also include functional roles like finance, legal, communication, and operations.
▪ Always create regular training and mock drills for security incident management procedures. This
improves the functionality of the IRT and also keep them on their toes.
▪ Always perform a post-incident analysis after any security incident to learn from any success and
failure and make necessary adjustments to the program and incident management processes
when needed.

Section 3: Exercises

Exercise 1: In given Boxes write down all Risk Treatment Options.

34 Copy rights reserved for STL Academy

 Cyber Security

Exercise 2: In given Boxes write down Incident Management Steps.

Exercise 3: Fill the types of Malwares in following image.

Exercise 4: Participate in a group discussion on following topics:

a) Common terms used in Cyber Security
b) Cyber Security Fundamentals
c) Major Cyber Security Problems
d) Types of Hackers
e) Trojan Horse
f) Actions to avoid getting infected
g) Benefits and Components of Enterprise Security Architecture
h) Enterprise Frameworks
i) Importance of Risk Assessment
j) Cyber Risks
k) Needs, Importance and Steps of Incident Management

Copy rights reserved for STL Academy 35

 Cyber Security

Section 4: Assessment Questionnaire

Multiple Choice Questions

1. What is Cyber Security?
a) Cyber Security provides security against malware
b) Cyber Security provides security against cyber-terrorists
c) Cyber Security protects a system from cyber-attacks
d) All of the mentioned

2. What does cyber security protect?

a) Cyber security protects criminals
b) Cyber security protects internet-connected systems
c) Cyber security protects hackers
d) None of the mentioned

3. Who is the father of computer security?

a) August Kerckhoffs
b) Bob Thomas
c) Robert
d) Charles

4. Which of the following is a type of cyber security?

a) Cloud Security
b) Network Security
c) Application Security
d) All of the above

5. What are the features of cyber security?

a) Compliance
b) Defense against internal threats
c) Threat Prevention
d) All of the above

6. Which of the following is an objective of network security?

a) Confidentiality
b) Integrity
c) Availability
d) All of the above

7. Which of the following is not a cybercrime?

a) Denial of Service
b) Man in the Middle
c) Malware
d) AES

8. Which of the following is a component of cyber security?

a) Internet Of Things

36 Copy rights reserved for STL Academy

 Cyber Security

b) AI
c) Database
d) Attacks

9. Which of the following is a type of cyber-attack?

a) Phishing
b) SQL Injections
c) Password Attack
d) All of the above

10. What does the World Economic Forum regard as one of the top 5 risks confronting nations of
the world today?
a) World Hunger
b) Threat of Nuclear War
c) Rise of sentient technology
d) Cybersecurity

11. What is a pertinent factor that must be taken into cybersecurity concerns?
a) Financial loss
b) Data Leaks
c) Privacy
d) World War

12. What are the concerns that private and governmental agencies face on an ongrowing basis?
a) Disruption of operations
b) Disruption of services
c) Freezing of assets
d) Hacking

Questions
1. What are the types of Hackers?
2. ________ are email viruses that can duplicate themselves, steal information, or harm the
computer system.
3. How to spot Trojans?
4. How to protect from Trojans?
5. What is Cyber Security?
6. __________ is an attack used by the attacker to send a large number of requests to the server,
network, or website.
7. The attackers use ______ attack to get the data related to the networks and to steal the secret
data.
8. If you download _____ program, it logs all the system’s keystrokes.
9. _______ is a program that is created to scare any person and make them buy an anti-virus.
10. If the attacker is successful at injecting the spyware, then monitoring every activity becomes
easy for the attacker. (True/False)
11. ____ is harmful because it can multiply continuously. So, it eventually takes up more than half
of the space on the hard disk.
12. What is a mean of regaining access to a compromised system by installing SW or configuration
existing SE to enable remote access?

Copy rights reserved for STL Academy 37

 Cyber Security

13. What happens in MitM attack?

14. ______ is the part of an exploit code that performs that intended malicious action. such as
destroying, creating backdoors, and hijacking computer.
15. A _____ is a software application that can be controlled remotely to execute or automata
predefined tasks.
16. An Attack that exploits computer application vulnerabilities before the software developer
releases a patch for the vulnerability is called:
17. What is Spoofing?
18. An ________ is an integrated and comprehensive strategy for protecting the organization
against cyber threats.
19. What is Enterprise License Agreement (ELA)?
20. What are benefits of enterprise license agreement (ELA)?
21. Name three enterprise frameworks.
22. _____ from ISACA, is “a comprehensive framework that assists enterprises in achieving their
objectives for the governance and management of enterprise IT.”
23. What are the four principles of COBIT?
24. _____ is a framework and a set of supporting tools for developing an enterprise architecture.
25. What is risk assessment in cyber security?
26. Incident handling is usually a reactive process whereas problem management is more
proactive. (True/False)

----------End of the Module----------

38 Copy rights reserved for STL Academy

 Cyber Security

MODULE 2
DESIGN SYSTEMS TO SECURE APPLICATIONS, NETWORKS & DEVICES

Section 1: Learning Outcomes

After completing this module, you will be able to:
▪ Explain Basics of Networking
▪ Work with Firewalls and LAN Security
▪ Describe IDS, NAC and IPSec
▪ Explain Principles of Cybersecurity
▪ Describe Risk Management, Data Classification, Disaster Recovery and Cyber Forensics
▪ Differentiate between various types of Cyber-attacks and DNS security methods
▪ Explain Fundamentals of social engineering, buffer overflows and security testing
▪ Handle bugs and describe features of Secured Storage Platforms
▪ Explain IoT Hacking and Access Control Models
▪ Describe Kerberos process
▪ Explain Identity Federation and ID Governance
▪ Tell concept of Encryption, Advanced Cryptography and Crypto Algorithm
▪ Describe components of Public Key Infrastructure (PKI)

Section 2: Relevant Knowledge

2.1 Networking, Firewalls, LAN Security, IDS, NAC & IPSec
Basics of Networking
The foundations of Networking are:
1. Switches
2. Routers
3. Wireless Access Points

Internet
CLIENT
▪ Knows how to communicate with a particular type of server to use the information stored on that
server.

Copy rights reserved for STL Academy 39

 Cyber Security

SERVER
▪ Handles requests for data, email, file transfer, and other network services. It stores information to
be used by clients.

How did the Internet originate?

▪ In 1969, the US Department of Defense started a project called ARPAnet to enable military
communication and it is the foundation of the INTERNET.

What is the WWW?

▪ WORLD WIDE WEB. Collection of electronic documents, also called WEB. Each electronic
document is called a Web page which contains text, graphics, audio, video, and built-in
connections.

What is a Web Browser?

▪ Application software that enables you to access and navigate the Web or the Internet by viewing
web pages. ¤ Ex. Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, Opera, Safari etc.

What is IP Address?
▪ Internet Protocol (IP) address a unique string of characters that identifies each computer using
the Internet Protocol to communicate over a network.
▪ Number that uniquely identifies each computer device connected to the internet
▪ Four groups of numbers, separated by a dot
▪ Number in each group is between 0 and 255
▪ Ex. 74.125.71.103

40 Copy rights reserved for STL Academy

 Cyber Security

Domain Name is text version of an IP address. (www.google.com)

Broadband
“Broadband is defined as a high bandwidth connection to the Internet. Broadband is easier and
faster to use than the traditional telephone and modem as information can be sent and downloaded
much quicker”
▪ Broadband speed is measured in megabits per second (Mbps)
▪ File sizes are measured in megabytes (MB) or gigabytes (GB)
▪ There are 8 bits in a byte (10101010)
▪ A download speed of 8 bits will shift 1MB per second

Wireless broadband transmits signals to a computer over radio waves

Mbps vs MBPS
▪ Mbps is used to specify Internet connection speeds, whereas MBps is used to specify how much
of a file is downloaded/uploaded per second.
▪ Mbps vs. MBps. Mbps: (Small "b") A megabit per second (Mbit/s or Mbps) is a unit of data
transfer rate equal to 1,000,000 bits per second or 1,000 kilobits per second.
▪ 8 Megabits per second is equivalent to 1 Megabyte per second (i.e., 8 Mbps = 1 MBps).

Switches
▪ Switches are the foundation of most business
networks.
▪ A switch acts as a controller, connecting computers,
printers, and servers to a network in a building or a
campus.
▪ Switches allow devices on your network to
communicate with each other, as well as with other
networks, creating a network of shared resources.
▪ Through information sharing and resource allocation, switches save money and increase
productivity.
▪ There are two basic types of switches to choose from as part of your networking basics: on-
premises and cloud-managed.
➢ On-Premises
➢ Cloud-Managed

On-premises
▪ A managed on-premises switch lets you configure and monitor your LAN, giving you tighter
control of your network traffic.

Cloud-Managed
▪ Have a small IT team? A cloud-managed switch can simplify your network management. You get
a simple user interface, multisite full-stack management, and automatic updates delivered
directly to the switch.

Routers
▪ Routers connect multiple networks together.

Copy rights reserved for STL Academy 41

 Cyber Security

▪ They also connect computers on those networks to the Internet.

▪ Routers enable all networked computers to share a single Internet connection, which saves
money.
▪ A router acts a dispatcher.
▪ It analyzes data being sent across a network, chooses the best route for data to travel, and
sends it on its way.
▪ Routers connect your business to the world, protect information from security threats, and can
even decide which computers receive priority over others.
▪ Beyond those basic networking functions, routers come with additional features to make
networking easier or more secure.
▪ Depending on your security needs, for example, you can choose a router with a firewall, a virtual
private network (VPN), or an Internet Protocol (IP) communications system.

Wireless Access Point

▪ An access point is a device that creates a wireless local area network, or WLAN, usually in an
office or large building.
▪ An access point connects to a wired router, switch, or hub via an Ethernet cable, and projects a
WiFi signal to a designated area.

Wireless Networking
▪ To create your wireless network, you can choose between three types of deployment:
1. Centralized Deployment
2. Converged Deployment
3. Cloud-based Deployment

1. Centralized Deployment
▪ Centralized deployments are traditionally used in campuses where
buildings and networks are in close proximity.
▪ This deployment consolidates the wireless network, which makes
upgrades easier and facilitates advanced wireless functionality.
▪ Controllers are based on-premises and are installed in a centralized
location.

2. Converged Deployment
▪ For small campuses or branch offices, converged deployments offer consistency in wireless and
wired connections.

42 Copy rights reserved for STL Academy

 Cyber Security

▪ This deployment converges wired and wireless on one network device—an access switch—and
performs the dual role of both switch and wireless controller.

3. Cloud-based Deployment
▪ This system uses the cloud to a manage network devices deployed on-premises at different
locations.
▪ The solution requires Cisco Meraki cloud-managed devices, which provide full visibility of the
network through their dashboards.

Firewalls
▪ A firewall is a network security device that monitors incoming and outgoing network traffic and
decides whether to allow or block specific traffic based on a defined set of security rules.
▪ Firewalls have been a first line of defence in network security for over 25 years.
▪ They establish a barrier between secured and controlled internal networks that can be trusted
and untrusted outside networks, such as the Internet.
▪ A firewall can be hardware, software, or both.
▪ A personal firewall is software that runs on the user’s workstation and blocks incoming and
outgoing LAN traffic.
▪ When used properly, a personal firewall can be much more effective than a perimeter firewall in
protecting the user’s workstation.
▪ With regard to traffic in and out of a user’s workstation, the perimeter firewall configuration is
usually very general.
▪ A properly configured personal firewall can be very specific to a user’s need for LAN traffic.

Copy rights reserved for STL Academy 43

 Cyber Security

▪ The proper way to configure a personal firewall is to block everything in and out of the
workstation.

▪ As the user encounters warnings of attempted activity that has been blocked, the user can
choose to permit that traffic.
▪ In a short period of time, the user will have unblocked the majority of the needed traffic to and
from the LAN.
▪ The configuration of the personal firewall now represents the user’s very specific needs.

▪ It is a hardware/software which acts as a shield between an organization’s network and the

internet and protects it from the threats like virus, malware, hackers, etc.
▪ It can be used to limit the persons who can have access to your network and send information to
you.

44 Copy rights reserved for STL Academy

 Cyber Security

▪ There are two types of traffic in an

organization viz. inbound traffic and
outbound traffic.
▪ Using firewall, it is possible to configure
and monitor the traffic of the ports.
▪ Only the packets from trusted source
address can enter the organization’s
network and the sources which are
blacklisted, and unauthorized address are
denied access to the network.
▪ It is important to have firewalls to prevent the network from unauthorized access, but firewall
does not guarantee this until and unless it is configured correctly.
▪ A firewall can be implemented using hardware as well as software or the combination of both.

Hardware Firewalls
▪ Example of hardware firewalls are routers through which the network is connected to the network
outside the organization i.e., Internet.

Software Firewalls
▪ These firewalls are installed and installed on the server and client machines, and it acts as a
gateway to the organizations‟ network.
▪ The firewalls are an essential component of the organizations‟ network.
▪ They not only protect the organization against the virus and other malicious code but also
prevent the hackers to use your network infrastructure to launch DOS attacks.

▪ The firewalls can be configured to follow “rules” and “policies” and based on these defined rules
the firewalls can follow the following filtering mechanisms.
▪ The firewalls can be configured to follow “rules” and “policies” and based on these defined rules
the firewalls can follow the following filtering mechanisms.

Proxy
▪ All the outbound traffic is routed through proxies for monitoring and controlling the packets that
are routed out of the organization.

Packet Filtering
▪ Based on the rules defined in the policies each packet is filtered by their type, port information,
and source & destination information. The example of such characteristics is IP address, Domain
names, port numbers, protocols etc. Basic packet filtering can be performed by routers.

Copy rights reserved for STL Academy 45

 Cyber Security

Stateful Inspection
▪ Rather than going through all the field of a packet, key features are defined. The
outgoing/incoming packets are judged based on those defined characteristics only.

Detection
▪ Detection is the key to good security
▪ Detection requires a lot of time and resources because you are aiming at an ever-changing
target.
▪ Most companies prefer to install a firewall, say they are secure, and forget about it, but this leads
to a false sense of security, which most people would argue is worse than having no security at
all.
▪ If companies really want to be secure, they need to realize that setting up systems to prevent
breaches is only half the battle.

Type of attacks
▪ The following list of the types of network-based attacks occurring on the Internet:

Active Attacks
➢ Denial of service
➢ Breaking into a site
➢ Intelligence gathering
➢ Resource usage
➢ Deception

Passive Attacks
➢ Sniffing
➢ Passwords
➢ Network traffic
➢ Sensitive information
➢ Information gathering

46 Copy rights reserved for STL Academy

 Cyber Security

LAN Security
▪ A LAN is a private network which makes it quite secure and reliable for use in companies and
businesses.
▪ It can hold off any outside interference with the network.
▪ A LAN can operate at a comparatively higher level than other kinds of wide area networks.

LAN Security Lifecycle

▪ There are 2 stages to LAN Security:
➢ Pre-Connect
➢ Post-Connect.

Copy rights reserved for STL Academy 47

 Cyber Security

PRE-CONNECT
▪ The Pre-Connect process PREVENTS unauthorized access to the network by non-compliant
endpoints.
▪ Within Pre-Connect there are 3 requirements that must be met before a user is allowed on the
network:

(i) Safe
▪ scan the endpoint to check for AV, OS & Spyware updates

(ii) Authenticated
▪ verify user credentials with AAA infrastructure

(iii) Authorized
▪ Create a binding of User ID, Mac and IP address and retrieve group membership from AAA or
Directory service

POST-CONNECT
▪ The Post-Connect process includes user access CONTROL and DETECTs threats and other
malware.
▪ CONTROL – and monitor user activity through simple, automated creation of policies for each
user based on their role in the organization and group memberships in existing AAA and
directory infrastructure.
▪ Quarantine and/or Alert inappropriate access on a per flow basis in line with company policies.
▪ DETECT – threats on the network at wire speed by inspecting every packet looking for known
signatures and anomalies in every flow to and from the user. Quarantine and/or Alert on a per
flow basis in line with company policies.

Tips for Office LAN Security

1. Get a support router with an activated firewall
▪ Change the default admin login credentials so that if your network is compromised the hacker
can’t make changes to the network.
▪ Every time a vulnerability is discovered, there will be a firmware update issued. It’s critical that
you install these updates.
▪ An easy way to make sure an update isn’t missed would be to turn on the auto-update feature.

2. Use WPA2 encryption

▪ This is a type of encryption that secures the vast majority of Wi-Fi networks.
▪ The WPA2 should have a strong password.

3. Create a “Guest Network”

▪ You want this for individuals who visit the office but are not a part of your company.
▪ Most modern routers have a feature to enable a guest network.
▪ This is an easy way to boost your network security.

4. Physically secure your network hardware

▪ Physical security is a very important consideration.
▪ The hardware shouldn’t be out in the open where anybody can access it.

48 Copy rights reserved for STL Academy

 Cyber Security

▪ You want hardware stored in a controlled room or locked office where a member of the
organization can keep an eye on it.
▪ An extra precaution would be to monitor the hardware with a security camera.

5. Acquire higher-quality routers

▪ You likely have basic routers like the kind that the service provider sets up or the cheap ones
from the electronics store come with a low-level firewall.
▪ A business-grade router comes with stronger firewalls. Some even have intrusion detection or
intrusion protection systems built into them that make them worth the extra cost.
▪ The stronger routers are likely to have better performance on the network because these models
have the ability to handle more devices.

6. Deactivate the “use ports” on the router

▪ There are often USB or Ethernet ports on a router that are not in use.
▪ Deactivating these ports will limit the chances that somebody could plug a rouge device into the
network.
▪ Since these ports are one more entry point to worry about when it comes to LAN security, turn
them off if you can.

7. Add MAC address filtering

▪ MAC address filtering is a security measure that only allows devices that the organization is
aware of to connect to the network.
▪ The filtering can be done by collecting the MAC address of every device and then uploading
those credentials into a database in the router.
▪ It may seem like an extra precaution, but it just ensures that if a hacker was able to get the
password to the network, they wouldn’t be able to gain access without having one of the
identified MAC addresses.

IDS or Intrusion Detection System

▪ The role of an intrusion detection system (IDS) is to attempt to trap a hacker’s presence on a
compromised network, to weed out any malfeasance as a result of the hacker’s presence, and to
catalog the activities so that similar attacks can be avoided in the future.
▪ An intrusion is technically defined as ‘‘an attempt by an unauthorized entity to compromise the
authenticity, integrity, and confidentiality of a resource.’’

Copy rights reserved for STL Academy 49

 Cyber Security

Intrusions include the following types of attacks:

▪ Malign sensitive information on internal networks
▪ Appropriate confidential and proprietary information
▪ Dampen functionalities and resources available to possible legitimate users
▪ IDSs are required to prevent problems from arising out of an attack.
▪ Rectification of damage wrought by an attacker and the subsequent legal issues can be far more
costly and time consuming than detecting the attacker’s presence and removing him at an earlier
stage.
▪ IDSs produce a very good log of the means and modalities used by various attackers, which can
be used to prevent and circumvent possible future attacks.

Categories
▪ Basically, IDSs are classified under the following categories:
1. Host-based intrusion detection systems
Host-based IDSs are designed to monitor, detect, and respond to activity and attacks on a given
host. In most cases, attackers target specific systems on corporate networks that have confidential
information.

50 Copy rights reserved for STL Academy

 Cyber Security

▪ They will often try to install scanning programs and other

vulnerabilities that can record user activity on a particular
host.
▪ A host-based IDS allows an organization or individual owners
of a host on a network to protect against and detect
adversaries who may incorporate security loopholes or exploit
other vulnerabilities.
▪ Some host-based IDS tools provide policy management,
statistical analysis, and data forensics at the host level.
▪ Host-based IDSs are best used when an intruder tries to
access particular files or other services that reside on the host
computer.

2. Network-based intrusion detection systems

▪ Network-based IDSs capture network traffic (usually on the network as a whole or from large
segments of it) for their
intrusion detection
operations.
▪ Most often, these systems
work as packet sniffers
that read through
incoming traffic and use
specific metrics to
conclude that a network
has been compromised.
▪ Various Internet and other
proprietary protocols, such
as TCP/IP, NetBEUI,
XNS, and so on, which handle messages between external and internal networks, are vulnerable
to attack and have to rely on additional means to detect malicious events.

3. Intrusion prevention systems

Copy rights reserved for STL Academy 51

 Cyber Security

▪ Frequently, intrusion detection systems have difficulty in working with encrypted information and
traffic from virtual private networks.

Network Intrusion Prevention System

▪ Network-based IDSs can be centralized or distributed in control.
▪ In centralized control mechanisms, a central entity is responsible for analyzing and processing
the logged information provided by the various constituent IDSs.
▪ The constituent systems can also be host-based IDSs.
▪ On the other hand, network-based IDSs can be on distributed architectures.

▪ Corporate networks can be spread over great distances. Some attacks target an organization’s
entire network spread over such big dimensions.

52 Copy rights reserved for STL Academy

 Cyber Security

▪ Distributed systems could be integrated for performance and operations under such
environments.

NetworkAccess Control
▪ Network Access Control (NAC) is a cybersecurity technique that prevents unauthorized users
and devices from entering private
networks and accessing sensitive
resources.
▪ Also known as Network Admission
Control, NAC first gained a
foothold in the enterprise in the
mid-to-late 2000s as a way to
manage endpoints through basic
scan-and-block techniques.
▪ As knowledge workers became
increasingly mobile, and as BYOD
(bring your own device) initiatives
spread across organizations, NAC solutions evolved to not only authenticate users, but also to
manage endpoints and enforce policies.

IPSEC – Internet Protocol-based Security Protocols

▪ Internet Protocol–based security protocols are easy to develop and are highly scalable to any
type of network and application.

▪ Essentially, IPs are used by almost all types of applications, which makes them a highly suitable
medium for incorporating security-related protocols.

Copy rights reserved for STL Academy 53

 Cyber Security

▪ Most application-level protocols and transport-level

protocols do not provide highly standardized security
features because different network services may use
different application- and transport level protocols.
▪ Although Transmission Control Protocol (TCP) enjoys
▪ a vast amount of utilization in the transport layer on the
Internet, adding security features on top of it may be
cumbersome compared to doing so on lower-level
Internet protocols.
▪ Moreover, application-level encryption requires changes
to be made at the application level, which is not
standardized because of multiple vendors in the market.
▪ IPSec, an Internet layer security protocol, enjoys a major
place in the security architecture of VPNs.

IPSec-based encryption schemes provide many different security features, including the
following:
➢ Confidentiality
➢ Authentication
➢ Data integrity
➢ Protection against data replay attacks

▪ These schemes also encompass multiple security algorithm options.

▪ The user can decide which security algorithm to use for an application depending on the nature
of security to be provided.

54 Copy rights reserved for STL Academy

 Cyber Security

▪ Because IPSec provides for connection-oriented networks, unlike the conventional Internet
Protocol, which is basically a connectionless protocol, a trusted key management facility has to
be present for IPSec communication to take place effectively.
▪ Protocols such as the Internet Security Association, Key Management Protocol, and the Internet
Key Exchange Protocol address the issues related to key management.

2.2 Principles of security, risk management, data classification,

disaster recovery and forensics
Principles of Cybersecurity
▪ The rise in cyber crimes has made it mandatory for us to upgrade the security of our system to
the next level.
▪ This has built up pressure on security engineers to never miss out on any vulnerability and keep
the security tight round the clock.
▪ The principles of cybersecurity are the steps taken by a business or an individual to surpass any
attack in cyberspace.
▪ They help us to govern and protect the data by detecting and responding to network
vulnerabilities.

The following are the crucial principles of cybersecurity:

➢ Framing a Risk Management Regime
➢ Economy of Mechanism
➢ Secure all configurations
➢ Fail-safe defaults
➢ Network security
➢ Managing user privileges
➢ Open design
➢ Monitoring
➢ Complete mediation
➢ Home and mobile networking
➢ Work factor
➢ Incident management
➢ Prevention of malware

Copy rights reserved for STL Academy 55

 Cyber Security

➢ Acceptance of security breaches

1. Framing a Risk Management Regime

▪ A risk management regime is a system of rules and policies followed during the occurrence of a
risk.
▪ Board of members with expertise in this area lay down policies for the regime.
▪ Exploring the various sources of risks and prioritizing them based on ranks help in defining the
rules.
▪ All employees, contractors, and suppliers involved in the business must be made aware of the
final structure of risk management.
▪ It helps in minimizing risk exposure and identifies growth opportunities.

2. Economy of Mechanism
▪ This Principle aims to make the security mechanisms as basic as possible by simplifying the
design and implementation of the same.
▪ The idea behind this principle is that the smaller the design, the fewer are the occurrences of the
error. This in turn reduces the load in the testing phase.
▪ The interfaces between the Lessons are prone to more vulnerabilities.
▪ This is because it handles many assumptions about the data flowing in as input and the data
flowing out as output.
▪ A simpler security framework eliminates confusion and provides better clarity to the development
team.

3. Secure all Configurations

▪ Security configuration is the set of measures that are employed during the construction and
installation of computers in the network.
▪ It helps in reducing unwanted security vulnerabilities in the system.
▪ It also includes the removal of unwanted functionalities to eliminate the possibility of a security
breach.
▪ Managing access permission, disabling auto-run features, and monitoring user authorizations
help in achieving secure configuration of a system.

4. Fail-safe Defaults
▪ The idea behind fail-safe defaults is that, when a system fails, it should still be able to maintain a
secure state.
▪ This is typically done by denying access to any object outside the scope during downtime.
▪ This protocol drives the system to undo any changes on failure and restore to a secure state.
▪ This way attackers are not able to gain access to the privileged objects that are normally
vulnerable during a failure.
▪ Hence the integrity and confidentiality of the system are still in good shape even though the
availability of the system has been compromised.

5. Network Security
▪ Network security serves as a foundation to establish policies and architectures for maintaining a
secure network.
▪ It reduces the risk of becoming a victim in cyberspace.
▪ It nails down a framework through which the data flowing into the system and out from the
system should pass through.

56 Copy rights reserved for STL Academy

 Cyber Security

▪ This helps us cut down any threats entering via the network before reaching the system and vice
versa.
▪ Firewalls help to filter any virus that is trying to enter into the system perimeter.
▪ Similarly, filters prevent malware from sending out infected data to other nodes in the network.

6. Managing User Privileges

▪ Managing user privileges is very essential to any business. Provide minimal access privileges to
the users to complete their tasks.
▪ This prevents misuse of privileges and locks all the loose ends that act as an entry point for
unauthorized third parties.
▪ Avoid sharing the company’s passcode which contains sensitive data to everyone. Verifying
users’ identities before granting access is important.
▪ When a user requests for higher-level access privilege, grant permission to the user only if he
has a task at that level.
▪ The rights can be withdrawn when the task is complete.

7. Open Design
▪ It states that the security of a mechanism should not completely rely on the secrecy of its design
or implementation.
▪ If a mechanism completely relies on secrecy to protect data, it becomes completely vulnerable
and wide open to attack when the secrecy breaks. Open security protects the system
components with methods whose designs are publicly available.
▪ This strengthens the secrecy of the key by implementing cryptographic methods for encryption.
▪ Maintain different levels of security to ensure secrecy of key and allow only authorized users to
see the key.

8. Monitoring
▪ Monitoring gives complete visibility over the security activities happening across the organization.
▪ It comes as a savior to rescue our system when intrusion detection and prevention facilities fail to
handle a security breach.
▪ An organization achieves this by framing a monitoring strategy with backing up policies.
▪ It involves monitoring individual systems, user activities, decluttering, and finally reviewing and
recording the lessons learned.

9. Complete Mediation
▪ This principle makes sure that every user who gets object access must be an authorized user.
▪ It sets up a fool-proof protection scheme that checks the compliance behind requests to every
object.
▪ The system must improve performance by remembering the results of previous authorization
checks and update the permissions systematically.
▪ It also involves operations like initialization, recovery, shutdown, and maintenance.
▪ Timed sessions for online transactions are a great example of complete mediation.

10. Home and Mobile Networking

▪ Employees and customers use remote networking while they are at home or while using mobile.
▪ Since users disconnect from the company’s local network, exposure to network threats is a
concern.

Copy rights reserved for STL Academy 57

 Cyber Security

▪ This makes it necessary to establish risk-based policies for the company to support home and
mobile networking.
▪ These policies prevent the loss of information which is critical to the organization.

11. Work Factor

▪ The expense of bypassing a security mechanism weighed up with the resources of the attacker
is what we call the work factor.
▪ The work factor is the cost of circumventing. In other words, it is the complexity of breaking the
cipher in cryptographic encryption.
▪ For example, an attacker must try 244 = 331776 possibilities to crack a 4 letter cipher. But when
the attacker makes use of a tool that feeds 1 million keys per second, breaking the system isn’t
that difficult.

12. Incident Management

▪ The security information and event management (SIEM) software brings up many security-
associated incidents to you.
▪ The organization must frame incident management policies.
▪ This guarantees the protection of the system and data during security compromising incidents.
Hence a company drafts an incident management monitoring plan.
▪ Response resources must be ready in place to act during high-risk events. Preparing reliable
backup helps in the recovery of lost resources.

13. Prevention of Malware

▪ Malware is a very commonly concerned issue faced by all organizations. Since malware comes
in different forms a common unified approach cannot handle the situation.
▪ Each type must have a dedicated expert solution.
▪ Use spam email thread protection software to protect emails from phishing attacks.
▪ Use firewalls and intrusion prevention systems to prevent malware attacks in the network. use
antivirus software to detect any malware sitting in the OS.

14. Least Common Mechanism

▪ The principle of least common mechanism states that do not share the mechanism used to
access resources in systems with multiple users.
▪ Sharing resources makes use of a communication medium where transmission of information
occurs. Hence minimize the amount of data shared and restrict it to the intended limit.

15. Compromise Recording

▪ The Compromise Recording principle suggests that prefer a mechanism that records a
compromise over a mechanism that prevents loss.
▪ This is because sometimes recording the details of intrusion are more important than preventing
it.
▪ This approach helps the company to adopt a more sophisticated initiative to prevent loss in the
future.
▪ Maintaining logs of all file access activities is a great example of compromise recording.

58 Copy rights reserved for STL Academy

 Cyber Security

16. User Education and Awareness

▪ Organization’s employees and clients hold a huge responsibility in safeguarding and securing the
organization’s resources.
▪ Lack of knowledge about the company’s policies and risk management regime can hold the
company’s data at stake. Hence awareness training must be made mandatory for all members of
the business.
▪ This helps the people to gain knowledge about policies and best practices that prevent security
breaches to a great extent.
▪ To face any sophisticated breaches at any point in time security professionals must be
extensively trained.

17. Removable Media Controls

▪ Removable media are plugin portable storages. These can unknowingly spread malware across
devices.
▪ Viruses can be effortlessly installed on USB, CD’s, or any other removable storage and infect the
entire network. This demands the necessity of removable media policies for every organization
that aims in minimizing the usage of the same.
▪ The organization must apply for passcode protection and encrypt all data present in the
removable device.

Cybersecurity Risk Management

▪ Cybersecurity attacks can compromise systems, steal data and other valuable company
information, and damage an enterprise’s reputation.
▪ As the volume and severity of cyber attacks grow, the need for cybersecurity risk management
grows with it.
▪ IT departments rely on a combination of strategies, technologies, and user awareness training to
protect an enterprise organization.
▪ Cybersecurity risk management takes the idea of traditional risk management and applies it to
digital systems and infrastructure.
▪ It involves identifying your risks and vulnerabilities and using administrative actions and
comprehensive solutions to ensure your organization is adequately protected.

Data Classification
▪ Data classification is broadly defined as the process of organizing data by relevant categories so
that it may be used and protected more efficiently.
▪ On a basic level, the classification process makes data easier to locate and retrieve.
▪ Data classification is of particular importance when it comes to risk management, compliance,
and data security.
▪ Data to make it easily searchable and trackable.
▪ It also eliminates multiple duplications of data, which can reduce storage and backup costs while
speeding up the search process.
▪ Though the classification process may sound highly technical, it is a topic that should be
understood by your organization’s leadership.

Disaster Recovery
▪ Disaster recovery is all about making sure your business can continue operating with minimal
losses in the event of a disaster.

Copy rights reserved for STL Academy 59

 Cyber Security

▪ Cybersecurity disaster recovery focuses explicitly on disasters resulting from cyber threats, such
as DDoS attacks or data breaches.
▪ Your recovery plan will detail the steps your organization needs to take to stop losses, end the
threat, and move on without jeopardizing the future of the business.
▪ These are some of the biggest goals you’ll need to achieve with any plan you develop.

Importance of Disaster Recovery

1. Business continuity
▪ First and foremost, you need to establish a line of business continuity.
▪ In other words, your highest priority needs to be making sure that the business can continue
operating during and immediately after the threat.
▪ This way, you can continue generating revenue. In addition, you’ll want to maintain your
reputation as you pick up the pieces in the wake of the disaster.

2. Data protection
▪ You’ll also need to think about protecting your data.
▪ This includes minimizing data accessibility to hackers, reducing the threat of data loss, and
making it possible to back up your data when the threat is over.

3. Loss minimization
▪ Businesses can suffer various other losses and forms of damage in the wake of a disaster.
▪ These include financial losses, legal ramifications, and reputational blows. Therefore, part of your
disaster recovery plan needs to focus on minimizing these losses.

4. Communication
▪ You also need to think about how you will communicate this disaster, both internally and
externally.
▪ How will you make sure all your staff members are up-to-date about what has happened? And
how are you going to break the news to stakeholders?

5. Restoration
▪ Once the threat has been mitigated or completely ended, you can focus on restoration.
▪ What steps do you need to take to restore your systems back to normal, and what’s the fastest
and most efficient path to do this?

6. Improvements
▪ Every disaster recovery plan should also have a phase documented for reflection and
improvement.
▪ Why did this threat jeopardize your business? What did you do right? What did you do wrong?
And what improvements can you make in the future?

Cyber Forensics
▪ Cyber forensics means investigating, gathering, and analyzing information from a computer
device which can then be transformed into hardware proof to be presented in the court regarding
the crime in question.

60 Copy rights reserved for STL Academy

 Cyber Security

▪ A very important aspect of the investigation is making a digital copy of the storage cell of the
computer and further analyzing it so that the device itself doesn’t get violated accidentally during
the whole process.
▪ The aim is to only find malware in the software part of the device and leave the actual component
of it on one side.
▪ While studying the entry and exit points of the device’s storage, one can easily and efficiently
learn about the individuals who accessed the device and the circumstances under which the logs
were made which in turn gives a crystal-clear picture of what happened and at what date and
time.
▪ Cyber forensics is an unavoidable force that is extremely significant in today’s everchanging,
evolving, and technologically transforming world.
▪ Cyber forensic is a branch of science which deals with tools and techniques for investigation of
digital data to find evidences against a crime
which can be produced in the court of law.
▪ It is a practice of preserving, extracting, analysing
and documenting evidence from digital devices
such as computers, digital storage media,
smartphones, etc. so that they can be used to
make expert opinion in legal/administrative
matters.
▪ The computer forensic plays a vital role in an
organization as the our dependency on computing
devices and internet is increasing day-by-day.
▪ Digital forensic investigation is a highly skilled task which needs the expose of various tools,
techniques and guidelines for finding and recovering the digital evidences from the crime scene
or the digital equipment used in the crime.
▪ With digital equipment like smartphone, tablets, palmtops, smart tv, etc having increasing
processing capabilities and computation speed, the possibility of use of these devices in cyber
crime cannot be ruled out.
▪ A forensic investigator must not only have deep understanding of the working of these devices
and also hands-on exposure to the tools for accurate data retrieval so that the value and integrity
of the data is preserved.
▪ An experienced computer forensic investigator plays a crucial role in distinguishing direct and
indirect attack.
▪ Computer forensic experts are also useful for recovery of accidental data loss, to detect industrial
espionage, counterfeiting, etc

Types
Database forensics
▪ The examination of information contained in databases, both data and related metadata.

Email forensics
▪ The recovery and analysis of emails and other information contained in email platforms, such as
schedules and contacts.

Malware forensics
▪ Sifting through code to identify possible malicious programs and analyzing their payload. Such
programs may include Trojan horses, ransomware or various viruses.

Copy rights reserved for STL Academy 61

 Cyber Security

Memory forensics
▪ Collecting information stored in a computer's random access memory (RAM) and cache.

Mobile forensics
▪ The examination of mobile devices to retrieve and analyze the information they contain,
including contacts, incoming and outgoing text messages, pictures and video files.

Network forensics
▪ Looking for evidence by monitoring network traffic, using tools such as a firewall or intrusion
detection system.
▪ In large organization, as soon as a cyber crime is detected by the incident handling team, which
is responsible for monitoring and detection of security event on a computer or computer network,
initial incident management processes are followed.
This is an in-house process. It follows following steps:
➢ Preparation
➢ Identification
➢ Containment
➢ Eradication
➢ Recovery

Preparation
▪ The organization prepares guidelines for incident response and assigns roles and the
responsibilities of each member of the incident response team.
▪ Most of the large organizations earn a reputation in the market and any negative sentiment may
negatively affect the emotions of the shareholders.
▪ An effective communication is required to declare the incident. Hence, assigning the roles based
on the skill-set of a member is important.

Identification
▪ Based on the traits the incident response team verifies whether an event had actually occurred.
▪ One of the most common procedures to verify the event is examining the logs.
▪ Once the occurrence of the event is verified, the impact of the attack is to be assessed.

Containment
▪ Based on the feedback from the assessment team, the future course of action to respond to the
incident is planned in this step.

Eradication
▪ In this step, the strategy for the eradication or mitigate of the cause of the threat is planned and
executed.

Recovery
▪ It is the process of returning to the normal operational state after eradication of the problem.

Lesson Learned
▪ If a new type of incident is encounter, it is documented so that this knowledge can be used to
handle such situations in future.

62 Copy rights reserved for STL Academy

 Cyber Security

The computer forensic investigation involves following steps:

➢ Identify incident and evidence
➢ Collect and preserve evidence
➢ Investigate
➢ Summarize and Presentation

Identify incident and evidence

▪ This is the first step performed by the system administrator where he tries to gather as much
information as possible about the incident. Based on this information the scope and severity of
the attack is assessed.
▪ Once the evidence of the attack is discovered, the backup of the same is taken for the
investigation purpose.
▪ The forensic investigation is never performed on the original machine but on the data that is
restored from the backup.

Collect and preserve evidence

▪ Various tools like Helix, WinHex, FKT Imager, etc. are used to capture the data.
▪ Once the backup of the data is obtained, the custody of the evidence and the backup is taken.
▪ MD5(message digest) hash of the backup is calculated and matched with the original one to
check the integrity of the data.
▪ Other important sources of information like system log, network information, logs generated by
Intrusion Detection Systems(IDS), port and process information are also captured.

Investigate
▪ The image of the disk is restored from the backup and the investigation is performed by
reviewing the logs, system files, deleted and updates files, CPU uses and process logs,
temporary files, password protected and encrypted files, images, videos and data files for
possible stenographic message, etc.

Summarize and Presentation

▪ The summery of the incident is presented in chronological order.
▪ Based on the investigation, conclusions are drawn and possible cause is explained.
▪ While carrying out the digital forensic investigation, rules and procedure must be applied.
▪ Specially while capturing the evidence.
▪ It should be ensured that the actions that are taken for capturing the data do not change the
evidence.
▪ The integrity of the data should be maintained.
▪ It must be ensured that the devices used for capturing the backup are free from contamination.
▪ All the activities related to seizure, access, storage or transfer of digital evidence must be fully
documented, preserved and available for review.
▪ Prevention is always better than cure.
▪ It is always recommended to fine tune your intrusion detection system like firewall occasionally
perform penetration tests on your network to avoid pray to hacker.
▪ Report the crime.

Copy rights reserved for STL Academy 63

 Cyber Security

2.3 Cyber-attacks, DNS security, social engineering fundamentals,

buffer overflows, security testing
Cyber Attacks
▪ A cyber-attack is an exploitation of computer systems and networks.
▪ It uses malicious code to alter computer code, logic or data and lead to cybercrimes, such as
information and identity theft.
▪ Cyber-attacks can be classified into the following categories:
➢ Cyber Attacks
➢ Web-based
➢ System- Based

Web-Based Attacks
These are the attacks which occur on a website or web applications. Some of the important web-
based attacks are as follows-
➢ Injection attacks
➢ DNS Spoofing
➢ Session Hijacking
➢ Phishing
➢ Brute force
➢ Denial of Service
➢ Dictionary attacks
➢ URL Interpretation
➢ File Inclusion attacks
➢ Man in the middle attacks

1. Injection attacks
▪ It is the attack in which some data will be injected into a web application to manipulate the
application and fetch the required information.
▪ Example- SQL Injection, code Injection, log Injection, XML Injection etc.

2. DNS Spoofing
▪ DNS Spoofing is a type of computer security hacking. Whereby a data is introduced into a DNS
resolver's cache causing the name server to return an incorrect IP address, diverting traffic to the
attacker’s computer or any other computer.
▪ The DNS spoofing attacks can go on for a long period of time without being detected and can
cause serious security issues.

3. Session Hijacking
▪ It is a security attack on a user session over a protected network.
▪ Web applications create cookies to store the state and user sessions.
▪ By stealing the cookies, an attacker can have access to all of the user data.

4. Phishing
▪ Phishing is a type of attack which attempts to steal sensitive information like user login
credentials and credit card number.
▪ It occurs when an attacker is masquerading as a trustworthy entity in electronic communication.

64 Copy rights reserved for STL Academy

 Cyber Security

5. Brute force
▪ It is a type of attack which uses a trial-and-error method.
▪ This attack generates a large number of guesses and validates them to obtain actual data like
user password and personal identification number.
▪ This attack may be used by criminals to crack encrypted data, or by security, analysts to test an
organization's network security.

6. Denial of Service
▪ It is an attack which meant to make a server or network resource unavailable to the users.
▪ It accomplishes this by flooding the target with traffic or sending it information that triggers a
crash.
▪ It uses the single system and single internet connection to attack a server. It can be classified
into the following-

Volume-based attacks
▪ Its goal is to saturate the bandwidth of the attacked site and is measured in bit per second.

Protocol attacks
▪ It consumes actual server resources and is measured in a packet.

Application layer attacks

▪ Its goal is to crash the web server and is measured in request per second.

7. Dictionary attacks
▪ This type of attack stored the list of a commonly used password and validated them to get
original password.

8. URL Interpretation
▪ It is a type of attack where we can change the certain parts of a URL, and one can make a web
server to deliver web pages for which he is not authorized to browse.

9. File Inclusion attacks

▪ It is a type of attack that allows an attacker to access unauthorized or essential files which is
available on the web server or to execute malicious files on the web server by making use of the
include functionality.

10. Man in the middle attacks

▪ It is a type of attack that allows an attacker to intercept the connection between client and server
and acts as a bridge between them.
▪ Due to this, an attacker will be able to read, insert and modify the data in the intercepted
connection.

System-Based Attacks
▪ These are the attacks which are intended to compromise a computer or a computer network.
Some of the important system-based attacks are as follows-
➢ Virus
➢ Worm

Copy rights reserved for STL Academy 65

 Cyber Security

➢ Trojan horse
➢ Backdoors
➢ Bots

1. Virus
▪ It is a type of malicious software program that spread throughout the computer files without the
knowledge of a user.
▪ It is a self-replicating malicious computer program that replicates by inserting copies of itself into
other computer programs when executed.
▪ It can also execute instructions that cause harm to the system.

2. Worm
▪ It is a type of malware whose primary function is to replicate itself to spread to uninfected
computers.
▪ It works same as the computer virus.
▪ Worms often originate from email attachments that appear to be from trusted senders.

3. Trojan horse
▪ It is a malicious program that occurs unexpected changes to computer setting and unusual
activity, even when the computer should be idle.
▪ It misleads the user of its true intent.
▪ It appears to be a normal application but when opened/executed some malicious code will run in
the background.

4. Backdoors
▪ It is a method that bypasses the normal authentication process.
▪ A developer may create a backdoor so that an application or operating system can be accessed
for troubleshooting or other purposes.

5. Bots
▪ A bot (short for "robot") is an automated process that interacts with other network services.
▪ Some bots’ programs run automatically, while others only execute commands when they receive
specific input.
▪ Common examples of bots’ program are the crawler, chatroom bots, and malicious bots.

Domain Name System

▪ The Domain Name System (DNS) is the phonebook of the Internet.
▪ Humans access information online through domain names, like nytimes.com or espn.com.
▪ The Domain Name System is the hierarchical and decentralized naming system used to identify
computers reachable through the Internet or other Internet Protocol networks.
▪ All devices (computers etc) that are connected to the Internet, your own network, or company
network are identified by an IP address, which is a number.
▪ IP addresses are easy for computers to process but they are not so easy for people to
remember.

66 Copy rights reserved for STL Academy

 Cyber Security

Purpose of DNS
▪ Domains are “namespaces”
▪ Everything below .com is in the com domain.
▪ Everything below ripe.net is in the ripe.net domain and in the net domain.

▪ The Domain Name System matches domain names, like cloudflare.com, to IP addresses, like
192.0.2.24.
▪ DNS is necessary in order to allow users to
access websites without memorizing
confusing lists of numbers – just as a
person is able to store their friends' phone
numbers in their smartphone contacts list
instead of memorizing every individual
phone number.
▪ Anytime a user opens up a website or
accesses a web application, the process of
loading the content only starts after the
user's device has looked up the correct IP
address.

Domain Name Server

▪ The DNS system consists of many Domain Name servers that together provide the name to IP
address mapping for registered devices (usually servers) on the Internet.
▪ The main DNS severs (root servers) are owned and managed by a variety of different
organizations and are located mainly in the USA.
▪ Other companies including ISPs have their own DNS servers which are linked to the root servers
in a hierarchical fashion providing a distributed system.
▪ To access a DNS server, you will need the IP address of the DNS server.

Copy rights reserved for STL Academy 67

 Cyber Security

▪ This is usually supplied to you by your ISP (Internet

Service Provider).
▪ Most client computers/devices will be configured to
obtain an IP and a DNS server address
automatically.
▪ You can Check what IP address and what DNS
address you have been assigned by
typing ipconfig/all at the command line.
▪ When queried, a DNS Server will respond in one of
three ways:
➢ The server returns the requested name-resolution
or IP-resolution data.
➢ The server returns a pointer to another DNS
Server that can service the request.
➢ The server indicates that it does not have the
requested data.

Discovering IP Address to Load a website

▪ Once the user types a domain name into their browser, the user's device creates a DNS query
and sends it to a specialized web server called a DNS resolver.
▪ The DNS resolver matches the queried domain name to an IP address either by querying
additional DNS servers or by checking its cache.
▪ The DNS resolver sends a reply to the user's device with the correct IP address – this is called
"resolving" the domain.
▪ The user's device contacts the server at that IP address to open a connection and begin loading
the content.
▪ DNS is an essential part of accessing web content – no content can load before the DNS
process occurs.
▪ This makes DNS filtering an effective way to exert control over what content users can access.

68 Copy rights reserved for STL Academy

 Cyber Security

Types of Domain Name Server

▪ There are three main kinds of DNS Servers

Primary Server
▪ The primary server is the authoritative server for the zone.
▪ All administrative tasks associated with the zone (such as creating subdomains within the zone,
or other similar administrative tasks) must be performed on the primary server.
▪ Any changes associated with the zone or any modifications or additions to RRs in the zone files
must be made on the primary server.
▪ For any given zone, there is one primary server, except when you integrate Active Directory
services and Microsoft DNS Server.

Secondary Server
▪ Secondary servers are backup DNS Servers. Secondary servers receive all of their zone files
from the primary server zone files in a zone transfer.
▪ Multiple secondary servers can exist for any given zone — as many as necessary to provide load
balancing, fault tolerance, and traffic reduction.
▪ Additionally, any given DNS Server can be a secondary server for multiple zones.
▪ In addition to primary and secondary DNS Servers, additional DNS Server roles can be used
when such servers are appropriate for a DNS infrastructure.
▪ These additional servers are caching servers and forwarders.

Caching Server
▪ Caching servers, also known as caching-only servers, perform as their name suggests; they
provide only cached-query service for DNS responses.
▪ Rather than maintaining zone files like other secondary servers do, caching DNS Servers
perform queries, cache the answers, and return the results to the querying client.
▪ The primary difference between caching servers and other secondary servers is that other
secondary servers maintain zone files (and do zone transfers when appropriate, thereby
generating network traffic associated with the transfer), caching servers do not.
▪ Most Home users will use the DNS severs provided by their ISP via their home router.
▪ However, you can use alternative DNS servers like OpenDNS and Google Public DNS.
▪ This does mean that you will need to manually add these server addresses to your DNS settings.

DNS Security
How DNS is used in attacks?
▪ DNS can be used in different ways. Some threats include attacks against the infrastructure:

Distributed Denial of Service (DDoS)

▪ DNS infrastructure is essential to the functioning of the Internet.

Copy rights reserved for STL Academy 69

 Cyber Security

▪ DDoS attacks against DNS can make websites unreachable by making the DNS servers that
serve them unavailable by saturating the networks with what looks like legitimate traffic.
▪ A classic example of this is the 2016 DDoS attack against Dyn, where an army of bots hosted on
Internet connected cameras caused outages to many major websites, including Amazon, Netflix,
Spotify, and Twitter.

Denial of Service (DoS) Attacks

▪ In addition to network-based DDoS attacks, the applications that run on DNS servers can also be
targeted by DoS attacks.
▪ These attacks are designed to exploit vulnerabilities in the systems that render them unable to
respond to legitimate requests.
▪ DNS can also be abused and used in cyberattacks. Examples of the abuse of DNS include:

DNS Tunneling
▪ As DNS is a trusted protocol, most organizations allow it to freely enter and leave their networks.
▪ Cybercriminals take advantage of DNS for data exfiltration with malware whose DNS requests
contain the data being exfiltrated.
▪ Since the target DNS server is typically controlled by the owner of the target website, the
attackers ensure that the data reaches a server where it can be processed by them and a
response sent in the DNS response packet.

DNS Typosquating
▪ Typosquatting is the fraudulent process of registering domain names that have a strong
resemblance to well-known brands and companies in order to deceive users.
▪ The users could enter the website address incorrectly and end up on a malicious site that
perfectly resembles a legitimate website.
▪ The risky part is that users might then carry out transactions and reveal private information.
▪ Typosquatting might be combined with phishing and other online attacks.

Importance of DNS Security

▪ DNS is an old protocol, and it was built without any integrated security. Several solutions have
been developed to help secure DNS, including:

Reputation Filtering
▪ Like any other Internet user, most malware needs to make DNS requests to find the IP
addresses of the sites that it is visiting.

70 Copy rights reserved for STL Academy

 Cyber Security

▪ Organizations can block or redirect DNS requests to known malicious domains based on threat
intelligence to stop users from visiting dangerous sites or malware from communicating with its
operator.

DNS Inspection:
▪ The use of DNS for data exfiltration (via DNS tunneling) and other malicious activities can be
detected and blocked by an intrusion prevention system (IPS) integrated into a next-generation
firewall (NGFW).
▪ This helps to block the abuse of DNS for malware command and control and other attacks.

Secure the Protocol

▪ DNSSEC is a protocol that includes authentication for DNS responses. Since the authenticated
response cannot be spoofed or modified, attackers cannot use DNS to send users to malicious
sites.

Secure the Channel

▪ DNS over TLS (DoT) and DoH (DNS over HTTPS) adds a secure layer to an insecure protocol.
▪ This ensures that the requests are encrypted and authenticated, unlike traditional DNS. By using
DoH and DoT, a user can ensure the privacy of DNS responses and block eavesdropping on
their DNS requests (which reveals the sites that they are visiting).

Endpoint DNS Security

DNS Filtering
▪ DNS content filtering is the process by which an internet filter restricts access to a particular
website's content based on its IP address rather than its domain name.
▪ DNS content filtering methods include category filters (for example, racial hatred, pornography
websites, etc.), keyword filters (restricting access to specific websites or web applications based
on keywords found in the content of those websites), and administrator-controlled blacklists and
whitelists.

Threat Hunting
▪ Threat hunting is the process of identifying and understanding threat actors who may
compromise a company's infrastructure by concentrating on recurring behaviors.
▪ Using the presumption of compromise, threat hunting is a proactive cyber defense tactic that
enables you to focus on potential risks in your network that may have gone undetected.

Ways to Enhance DNS Security

▪ Although a high percentage of businesses acknowledge the importance of DNS security, the
average time to mitigate attacks increased by 29 minutes, now taking 6 hours and 7 minutes,
with 24% taking longer than 7 hours, according to the 2022 Global DNS Threat Report.
▪ The amount of lost time translates into lost revenue, so it's important to be aware of alternative
techniques for enhancing DNS security to ensure you don't end up being the next victim of
malicious players.

Onsite DNS Backup

▪ You might consider hosting your own specialized backup DNS server to improve DNS security.

Copy rights reserved for STL Academy 71

 Cyber Security

▪ Although managed DNS service providers and Internet service providers can both be attacked,
having a backup is crucial not just in the event of a planned attack on your vendor.
▪ Hardware or network failures are more frequently to blame for DNS performance problems or
outages.

Response Policy Zones

▪ The use of response policy zones (RPZ) is an additional method for enhancing DNS security.
▪ A nameserver administrator can use RPZ to provide alternative responses to queries by
superimposing custom data on top of the global DNS.
How can a response policy zone help? With an RPZ, you can:
▪ Direct users to a walled garden in order to prevent them from accessing a known malicious
hostname or domain name
▪ Prevent users from accessing hostnames that point to subnets or known malicious IP addresses
▪ Restrict user access to DNS data managed by nameservers that only host malicious domains

IPAM
▪ Internet protocol address management (IPAM) is a system that enables IP address management
in a corporate setting.
▪ It does this by facilitating the organization, tracking, and modification of data pertaining to the IP
addressing space.
▪ The network services that assign IP addresses to machines in a TCP/IP model and resolve them
are DNS and Dynamic Host Configuration Protocol (DHCP).
▪ These services will be connected by IPAM, enabling each to be informed of modifications in the
other. For example, DNS will update itself in accordance with the IP address selected by a client
via DHCP.

Security tasks automation

▪ Automation is one of the key strategies for increasing DNS security and should be used
whenever and wherever possible.
▪ Automated solutions can help you respond to potential security threats with advanced threat
intelligence, deal with security-related issues automatically in real time, and gather crucial
security metrics, as well as streamline breach incident response.
▪ It can minimize human input in time-consuming remediation tasks and increase employee
productivity, but also speed up breach incident response and aid in making well-informed
decisions.

Social Engineering
▪ Social engineering is a manipulation technique that exploits human error to gain private
information, access, or valuables.
▪ In cybercrime, these “human hacking” scams tend to lure unsuspecting users into exposing data,
spreading malware infections, or giving access to restricted systems. Attacks can happen online,
in-person, and via other interactions.
Social Engineering
▪ Scams based on social engineering are built around how people think and act.
▪ As such, social engineering attacks are especially useful for manipulating a user’s behavior.
▪ Once an attacker understands what motivates a user’s actions, they can deceive and manipulate
the user effectively.

72 Copy rights reserved for STL Academy

 Cyber Security

▪ Social engineering is a manipulation technique that exploits human error to gain private
information, access, or valuables.
▪ In cybercrime, these “human hacking” scams tend to lure unsuspecting users into exposing data,
spreading malware infections, or giving access to restricted systems. Attacks can happen online,
in-person, and via other interactions.
▪ Scams based on social engineering are built around how people think and act.
▪ As such, social engineering attacks are especially useful for manipulating a user’s behavior.
▪ Once an attacker understands what motivates a user’s actions, they can deceive and manipulate
the user effectively.

Traits of Social Engineering Attacks

▪ Social engineering attacks center around the
attacker’s use of persuasion and confidence.
▪ When exposed to these tactics, you are more likely to
take actions you otherwise wouldn’t.

Heightened emotions
▪ Emotional manipulation gives attackers the upper
hand in an any interaction. You are far more likely to
take irrational or risky actions when in an enhanced emotional state. The following emotions are
all used in equal measure to convince you.
➢ Fear
➢ Excitement
➢ Curiosity
➢ Anger
➢ Guilt
➢ Sadness

Urgency
▪ Time-sensitive opportunities or requests are another reliable tool in an attacker’s arsenal.
▪ You may be motivated to compromise yourself under the guise of a serious problem that needs
immediate attention.
▪ Alternatively, you may be exposed to a prize or reward that may disappear if you do not act
quickly. Either approach overrides your critical thinking ability.

Trust
▪ Believability is invaluable and essential to a social engineering attack. Since the attacker is
ultimately lying to you, confidence plays an important role here.
▪ They’ve done enough research on you to craft a narrative that’s easy to believe and unlikely to
rouse suspicion.
▪ There are some exceptions to these traits. In some cases, attackers use more simplistic methods
of social engineering to gain network or computer access.
▪ For example, a hacker might frequent the public food court of a large office building and
"shoulder surf" users working on their tablets or laptops. Doing so can result in a large number of
passwords and usernames, all without sending an email or writing a line of virus code.

Copy rights reserved for STL Academy 73

 Cyber Security

Buffer Overflow
▪ Buffers are memory storage regions that temporarily hold data while it is being transferred from
one location to another.
▪ A buffer overflow (or buffer overrun)
occurs when the volume of data
exceeds the storage capacity of the
memory buffer.
▪ As a result, the program attempting to
write the data to the buffer overwrites
adjacent memory locations.
▪ For example, a buffer for log-in
credentials may be designed to expect
username and password inputs of 8
bytes, so if a transaction involves an
input of 10 bytes (that is, 2 bytes more
than expected), the program may write
the excess data past the buffer boundary.

Security Testing
▪ Security testing is a sort of software
testing that identifies vulnerabilities,
hazards, and dangers in a software
program and guards against intruder
assaults.
▪ The goal of security tests is to find any
potential flaws and vulnerabilities in the
software system that might lead to a
loss of data, income, or reputation at
the hands of workers or outsiders.
▪ The basic purpose of security testing is
to find and assess possible
vulnerabilities in a system so that
attacks may be faced and the system
does not cease working or be exploited.
▪ It also aids in the detection of any potential security vulnerabilities in the system, as well as
assisting developers in the resolution of issues via code.

74 Copy rights reserved for STL Academy

 Cyber Security

Honeypots
▪ Honeypot is a network-attached system used as a trap for cyber-attackers to detect and study
the tricks and types of attacks used by
hackers.
▪ It acts as a potential target on the internet
and informs the defenders about any
unauthorized attempt to the information
system.
▪ The cost of a honeypot is generally high
because it requires specialized skills and
resources to implement a system such
that it appears to provide an
organization’s resources still preventing
attacks at the backend and access to any production system.
▪ Honeypots are mostly used by large companies and organizations involved in cybersecurity.
▪ It helps cybersecurity researchers to learn about the different type of attacks used by attackers.
▪ It is suspected that even the cybercriminals use these honeypots to decoy researchers and
spread wrong information.

Copy rights reserved for STL Academy 75

 Cyber Security

Vulnerability Assessment and Penetration Testing (VAPT)

▪ Vulnerability Assessment and Penetration Testing (VAPT) are two types of vulnerability testing.
▪ The tests have different strengths and are often combined to achieve a more complete
vulnerability analysis.
▪ Penetration Testing and Vulnerability Assessments perform two different tasks, usually with
different results, within the same area of focus.

▪ Vulnerability assessment tools discover which vulnerabilities are present, but they do not
differentiate between flaws that can be exploited to cause damage and those that cannot.
▪ Vulnerability scanners alert companies to the preexisting flaws in their code and where they are
located.

▪ Penetration tests attempt to exploit the vulnerabilities in a system to determine whether

unauthorized access or other malicious activity is possible and identify which flaws pose a threat
to the application.
▪ Penetration tests find exploitable flaws and measure the severity of each.
▪ A penetration test is meant to show how damaging a flaw could be in a real attack rather than
find every flaw in a system.
▪ Together, penetration testing and vulnerability assessment tools provide a detailed picture of the
flaws that exist in an application and the risks associated with those flaws.

76 Copy rights reserved for STL Academy

 Cyber Security

2.4 Handling bugs, Securing storage platforms and the power grid,
Hack IOT
Bugs
▪ A software bug is an error, flaw or fault in a computer program or system that causes it to
produce an incorrect or unexpected result.
▪ This can sometimes cause very subtle, minor
impacts but in some cases it can cause an entire
system to crash or break.
▪ In cybersecurity, a bug is a flaw or vulnerability
in the software or hardware design that can be
potentially exploited by the attackers.
▪ These security bugs can be used to exploit
various vulnerabilities by compromising – user
authentication, authorization of access rights and
privileges, data confidentiality, and data integrity.
▪ A bug is when the system isn't behaving as it's
supposed to, whereas a vulnerability is a bug
that manifests itself as an opportunity for

Copy rights reserved for STL Academy 77

 Cyber Security

exploitation.
▪ Not all bugs are cyber security issues, they aren’t all vulnerable to exploitation, where an attacker
can use the fault to steal data, or even run code remotely.
▪ However, some of these bugs can be very serious, and allow attackers to distribute hundreds of
thousands of malicious programs to users, or steal swathes of data from a database.

Bug Hunting
▪ Despite the lack of formal documentation, common techniques and methodologies exist for
hunting bugs. Here are the seven ways that are regularly use at Core Security Technologies.
➢ Source code audit
➢ Reverse engineering: Debug & disassembly
➢ Reverse engineering: Network traffic
➢ Black-box security testing
➢ Brute force
➢ Top-down analysis
➢ Information gathering

Secure Storage Platform

Encrypted Cloud Storage
▪ Encrypted cloud storage is defined as a security service that makes files and stored data
incomprehensible to anyone except the user across all cloud interactions.
▪ Encrypted cloud storage platforms add another layer of security to existing mechanisms followed
by public cloud providers, making breaches near-impossible.
▪ Encrypted cloud storage is a sub-category of data encryption.
▪ It refers to the process of encoding or transforming data before, during, and after it is moved to
the cloud so that it can be viewed only by authorized users.
▪ Interestingly, almost all public cloud storage comes with a varying degree of encryption service.
Google uses 128-bit AES encryption for data at rest (providing server-side encryption).
▪ Dropbox offers data-in-transit encryption through SSL, in addition to 256-bit AES encryption for
data at rest. Microsoft has a dedicated encryption service called BitLocker for data at rest, with its
pre-built cloud security services handling encryption during transit.

78 Copy rights reserved for STL Academy

 Cyber Security

Key Features and Functionalities

➢ Support for all major cloud platforms
➢ A mobile application
➢ Compliance with regulatory standards
➢ Secure collaboration
➢ Multiple encryption layer
➢ Bundled secure storage
➢ Trackability and audit logs

Internet of Things - IoT

▪ The Internet of Things, or IoT, refers to the billions of physical devices around the world that are
now connected to the internet, all collecting and sharing data.
▪ Any physical object can be transformed into an IoT device if it can be connected to the internet to
be controlled or communicate information.

▪ A lightbulb that can be switched on using a smartphone app is an IoT device, as is a motion
sensor or a smart thermostat in your office or a connected streetlight.
▪ An IoT device could be as fluffy as a child's toy or as serious as a driverless truck.
▪ The term IoT is mainly used for devices that wouldn't usually be generally expected to have an
internet connection, and that can communicate with the network independently of human action.
▪ For this reason, a PC isn't generally considered an IoT device and neither is a smartphone, even
though the latter is crammed with sensors.
▪ A smartwatch or a fitness band or other wearable device might be counted as an IoT device.

Copy rights reserved for STL Academy 79

 Cyber Security

Security Flaws in IoT

▪ Hackers exploit the weak security and 24-hour connectivity of the consumer devices, like
toasters, washers and webcams, to recruit them into botnets, which are used to launch attacks
on other targets.
▪ While the devices themselves have only limited computing power and memory, they can still be
harnessed together to create a formidable army of robot devices.

Hacking IoT
▪ After viruses infected computers in the late 1990s, software makers invested in making their
products more secure. Computer users are wiser about the dangers and how to protect
themselves from losing data or being hacked.
▪ As mobile devices proliferated in the past decade, hackers have focused on trying to gain
access. While infections remain relatively small, the sheer number of mobile devices mean
mobile malware can be a lucrative business.
▪ The Internet of Things is now also attracting the attention of hackers and cybercriminals. Devices
from cars to consumer electronics, which were first thought to be of little interest to hackers, now
raise more cybersecurity concerns.

▪ Most IoT devices lack security, it's easy due to a surprising array of software and hardware tools
available to hackers that too often makes their job of finding and exploiting IoT vulnerabilities
trivial.
▪ These tools exploit insecure interfaces, decompile firmware, and simulate and analyze code to
find flaws leading to cyber-exploits.
▪ By hacking IoT devices, attackers pursue very specific objectives related to the commercial use
of captured resources.
▪ The most popular methods are anonymous spamming, DDoS attacks, malware distribution, and
industrial espionage.
▪ Hackers infect devices with malware to turn them into botnets that probe access points or search
for valid credentials in device firmware that they can use to enter the network.

80 Copy rights reserved for STL Academy

 Cyber Security

2.5 Access Controls, Kerberos, Identity Federation and ID Governance

Access Control
▪ Access control is a method of restricting access to sensitive data. Only those that have had their
identity verified can access company data through an access control gateway.
▪ An access control mechanism is a security safeguard (i.e., hardware and software features,
physical controls, operating procedures, management procedures, and various combinations of
these) designed to detect and deny unauthorized access and permit authorized access to an
information system or physical facility.

Physical access control

▪ limits access to campuses, building and other physical assets, e.g. a proximity card to unlock a
door.

Logical access control

▪ limits access to computers, networks, files and other sensitive data, e.g. a username and
password.

Copy rights reserved for STL Academy 81

 Cyber Security

▪ Organizations typically choose the method that makes the most sense based on their unique
security and compliance requirements.
▪ The four access control models are:
➢ Discretionary access control (DAC)
➢ Mandatory access control (MAC)
➢ Role-based access control (RBAC)
➢ Attribute-based access control (ABAC)

Discretionary access control (DAC)

▪ In this method, the owner or administrator of the protected system, data, or resource sets the
policies for who is allowed access.

Mandatory access control (MAC)

▪ In this nondiscretionary model, people are granted access based on an information clearance.
▪ A central authority regulates access rights based on different security levels.
▪ This model is common in government and military environments.

Role-based access control (RBAC)

▪ RBAC grants access based on defined business functions rather than the individual user’s
identity.
▪ The goal is to provide users with access only to data that’s been deemed necessary for their
roles within the organization.
▪ This widely used method is based on a complex combination of role assignments, authorizations,
and permissions.

Attribute-based access control (ABAC)

▪ In this dynamic method, access is based on a set of attributes and environmental conditions,
such as time of day and location, assigned to both users and resources.

Kerberos
▪ Traditionally, when users access computer systems, they do so by entering a password. The
challenge with this authentication method is that if hackers obtain the password, they can take on
the user's identity and gain access to an organization's network. Organizations need a better way
to protect their systems and users. This is where Kerberos comes in.
▪ A Kerberos is a system or router that provides a gateway between users and the internet.
Therefore, it helps prevent cyber attackers from entering a private network. It is a server, referred
to as an “intermediary” because it goes between end-users and the web pages they visit online.
▪ Kerberos is a computer network security protocol that authenticates service requests between
two or more trusted hosts across an untrusted network, like the internet.
▪ It uses secret-key cryptography and a trusted third party for authenticating client-server
applications and verifying users' identities.

Benefits of Kerberos
Secure
▪ Kerberos never transmits passwords over the network.
▪ Kerberos proves user identity by sending time-bound cryptographic messages that become
invalid after a set period.

82 Copy rights reserved for STL Academy

 Cyber Security

▪ Even the messages were intercepted and decrypted, they’d be useless in a matter of minutes!

Single-Sign-On
▪ Kerberos only requires the user to type their password once when first authenticating the client.
▪ From then on, the user has access across all kerberized services within a Kerberos realm
without needing to re-enter their password.
▪ Single Sign-on simplifies working with multiple services by removing the hassle of multiple login
requirements.

Trusted third-party
▪ Kerberos uses a centralized authentication server known as the Key Distribution Center (KDC)
that all other devices in the network trust by default.
▪ All authentication requests, such as cryptographic messages, are routed through this server.
▪ This outsourcing ensures that sensitive information is not stored on a local machine.

Mutual authentication
▪ In Kerberos, both ends of communication must be authenticated before the communication is
permitted.
▪ Mutual authentication drastically reduces the ability of fraudulent actors to trick systems into
sending confidential information.
An example of mutual authentication:
▪ A user in a network using Kerberos can authenticate to a mail server to prove they are who they
claim to be. On the other end, the mail server must also authenticate that it is truly the mail
server and not some other service in the network pretending to be the mail server. If both sides
are authenticated, the connection is established.

Core Components of Kerberos

Key Distribution Center
▪ The Key Distribution Center (KDC) is the central process of Kerberos, containing the
Authentication Server (AS) and the Ticket Granting Service (TGS).
▪ Its main function is to be a mediator between these two, relaying messages from the AS, grants
a ticket-granting ticket (TGT), then passing that to be encrypted by the TGS. After this pass off,
the KDC has little influence in the authentication process.

Ticket-Granting Ticket
▪ This ticket is granted by the KDC after the client is successfully authenticated.
▪ The TGT is encrypted and contains permissions on what services the client can access, how
long access is granted, and also a session key used to communicate with the client.
▪ Clients cannot decrypt the TGT, as they do not have the TGS key.
▪ They must, therefore, blindly present the TGT to desired services (which can access the TGS)
and allow the services to decide if the client can access it.
▪ By hiding the TGT from the client, Kerberos prevents permissions from being copied or altered
fraudulently by the client.

Authentication Server
▪ The Authentication Server is the first stop in getting authenticated with Kerberos.
▪ The client first must authenticate themself to the AS using a username and password login.
▪ Once this is complete, the AS forwards the username to the KDC that in turn grants a TGT.

Copy rights reserved for STL Academy 83

 Cyber Security

▪ Without completing this first step, the client cannot interact with any other part of the Kerberos
system.

Ticket Granting Service

▪ The Ticket Granting Service acts as the gatekeeper between TGT-holding clients and the various
services on the network.
▪ When a client wants to access a service, they must present their TGT to the TGS.
▪ The TGS then authenticates the TGT and establishes a session key shared by the server and
client.
▪ If the TGS confirms that the client TGT includes access to the desired service, the client is
granted access to request the service.

Working of Kerberos
▪ Kerberos has three parts a client, server, and trusted third party (KDC) to mediate between them.
▪ Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these
tickets to servers when connections are established.

User/Client Login
▪ This phase’s interactions are between the User and the Client.
▪ The user enters their username and password information into the client.
▪ The client then transforms that password into a cipher key stored locally.
▪ If this completes correctly, the client can begin authentication with the AS.

Client/AS Authentication
▪ In this phase the client and Authentication Server connect to authenticate the user’s username
and ensure that they’re part of the system.
▪ The AS then checks that the username is already documented in the system.
▪ If so, the Client and AS exchange encrypted verification messages to verify each other.
▪ By the end, both are authenticated, a connection is established, and the client may move to
authentication with the service.

Client/Service Authentication
▪ In this phase the client and server must authenticate each other, keeping in line with the mutual
authentication practice.
▪ The client and server exchange encrypted verification messages similar to the previous phase.
▪ If these all pass, the client and service are authenticated and the client is cleared to request their
service.
Client/Service Request
▪ Finally, the client can request a named service from the service server.
▪ The service server then verifies that it has the requested service available.
▪ If yes, the service server grants the service to the client.

84 Copy rights reserved for STL Academy

 Cyber Security

▪ As the client has been authenticated through all steps of this process, they may continue to use
the service until their permissions expire.

Kerberos Process
1. Login
2. Client Requests for Ticket Granting Server
3. Server Verifies the Username
4. Ticket Granting Ticket Returned to the Client
5. Client Obtains the TGS session key
6. Client Requests Service Access From Server
7. Server Verifies the service
8. Server Obtains TGS Session Key
9. Server Generates Service Session Key
10. Client Obtains Service Session Key
11. Client Contacts the Service
12. Service Decrypts
13. Service Verifies the Request
14. Service is Authenticated to the Client
15. Client Verifies the Service
16. Client and Service Communicate Freely

Identity Federation
▪ Identity federation is the process
where the authentication
responsibility of a user is delegated
to an external partner, this makes
life easier and faster for the user, as
the user only has to login once.
▪ It also increases security, as the
user only has to remember one set
of credentials (provided that they’re
using a strong password).
▪ In corporate environments, and
within a corporate network,

Copy rights reserved for STL Academy 85

 Cyber Security

Microsoft's Active Directory (AD) is a common user directory that is responsible for user
authentication within the corporate domain.
▪ When combined with Active Directory Federation Services (ADFS), AD is then able to interact
with other online services and ADFS is an Federated Identity Provider that supports federation.
▪ In online environments, Google Account can be used as an alternative Federated Identity
Provider, and Microsoft also has Azure AD.

Identity Governance
▪ Identity governance provides organizations with visibility and control over identity and access life
cycles across multiple systems.
▪ The goal of identity governance is to help customers understand how people, applications, data,
and devices are linked together in order to determine who has access to what, the potential risks
that it poses, and also the ability to take action when policy violations are identified.

▪ Specifically, identity governance and administration gives admins and the enterprise itself a way
to establish role-based access for activities aligned with the specific role a user has.

86 Copy rights reserved for STL Academy

 Cyber Security

▪ The reason it goes beyond the mere assigning of roles is identity governance and administration
tools monitor permissions users have, and revoke unnecessary ones if discovered, through
automation.
▪ This greatly assists with administration in terms Human Resources that would be needed; it also
helps with compliance as the analysis feeds into he collection of data that help gain an
understanding of risk.

2.6 Encryption, Advanced Cryptography, Crypto Algorithm and PKI

Encryption
▪ Encryption is a way of scrambling data so that only authorized parties can understand the
information.
▪ In technical terms, it is the process of converting human-readable plaintext to incomprehensible
text, also known as ciphertext.
▪ In simpler terms, encryption takes readable data and alters it so that it appears random.
▪ Encryption requires the use of a cryptographic key: a set of mathematical values that both the
sender and the recipient of an encrypted message agree on.

Advanced Cryptography
▪ Below are core principles of modern-day cryptography.
➢ Data Confidentiality
➢ Data Integrity
➢ Authentication
➢ Non-repudiation

1. Confidentiality refers to certain rules and guidelines usually executed under confidentiality
agreements which ensure that the information is restricted to certain people or places.

Copy rights reserved for STL Academy 87

 Cyber Security

2. Data integrity refers to maintaining and making sure that the data stays accurate and consistent
over its entire life cycle.
3. Authentication is the process of making sure that the piece of data being claimed by the user
belongs to it.
4. Non-repudiation refers to ability to make sure that a person or a party associated with a contract
or a communication cannot deny the authenticity of their signature over their document or the
sending of a message.
▪ Consider two parties Alice and Bob.
▪ Alice wants to send a message m to Bob over a secure channel. So, what happens is as follows.
▪ The sender’s message or sometimes called the Plaintext, is converted into an unreadable form
using a Key k.
▪ The resultant text obtained is called the Ciphertext. This process is known as Encryption.
▪ At the time of receival, the Ciphertext is converted back into the plaintext using the same Key k,
so that it can be read by the receiver. This process is known as Decryption.

Alice (Sender) Bob (Receiver)

C = E (m, k) ----> m = D (C, k)
C = E (m, k) ----> m = D (C, k)
▪ Here, C refers to the Ciphertext while E and D are the Encryption and Decryption algorithms
respectively.
▪ Let’s consider the case of Caesar Cipher or Shift Cipher as an example. As the name suggests,
in Caesar Cipher each character in a word is replaced by another character under some defined
rules. Thus, if A is replaced by D, B by E and so on. Then, each character in the word would be
shifted by a position of 3.

For example:
Plaintext : Geeksforgeeks
Ciphertext : Jhhnvirujhhnv

Crypto Algorithm
▪ Cryptography algorithms are the means of altering data from a readable form to a protected form
and back to the readable form.
▪ Cryptographic algorithms are used for important tasks such as data encryption, authentication,
and digital signatures.

▪ Cryptographic algorithms can be classified as follows:

➢ Encryption algorithms that are used to encrypt data and provide confidentiality.

88 Copy rights reserved for STL Academy

 Cyber Security

➢ Signature algorithms that are used to digitally “sign” data to provide authentication. Hashing
algorithms that are used to provide data integrity.

Classes of Crypto Algorithm

Hash functions
▪ A cryptographic hash function does not use keys for its basic operation.
▪ This function creates a small digest or “hash value” from often large amounts of data through a
one-way process.
▪ Hash functions are generally used to create the building blocks that are used in key
management and provide security services such as:
➢ Providing source and integrity authentication services by generating message authentication
codes (MACs)
➢ Compressing messages for generating and verifying digital signatures
➢ Deriving keys in key-establishment algorithms
➢ Generating deterministic random numbers

Symmetric-key algorithms
▪ Also referred to as a secret-key algorithm, a symmetric-key algorithm transforms data to make it
extremely difficult to view without possessing a secret key.
▪ The key is considered symmetric because it is used for both encrypting and decrypting.
▪ These keys are usually known by one or more authorized entities.
▪ Symmetric key algorithms are used for:
➢ Providing data confidentiality by using the same key for encrypting and decrypting data.
➢ Providing Message Authentication Codes (MACs) for source and integrity authentication
services. The key is used to create the MAC and then to validate it.
➢ Establishing keys during key-establishment processes
➢ Generating deterministic random numbers

Asymmetric-key algorithms
▪ Also referred to as public-key algorithms, asymmetric-key algorithms use paired keys (a public
and a private key) in performing their function.
▪ The public key is known to all, but the private key is controlled solely by the owner of that key
pair.
▪ The private key cannot be mathematically calculated through the use of the public key even
though they are cryptographically related. Asymmetric algorithms are used for:
➢ Computing digital signatures
➢ Establishing cryptographic keying material
➢ Identity Management

Public Key Infrastructure (PKI)

▪ A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures
needed to create, manage, distribute, use, store and revoke digital certificates and manage
public-key encryption.
▪ The purpose of a PKI is to manage the public keys used by the network for public key encryption,
identity management, certificate distribution, certificate revocation, and certificate management.
▪ Once enabled, users who enroll for a certificate are identified for later authentication or certificate
revocation.

Copy rights reserved for STL Academy 89

 Cyber Security

▪ The PKI allows users and systems to verify the legitimacy of certificate-holding entities and
securely exchange information between them over the air.
▪ The introduction of a PKI enables
stronger, certificate-based
security, as well as identity
services and management tools
to maximize network efficiency
and security.
▪ PKI (Public Key Infrastructure), is
a framework that enables the
encryption of public keys and
includes their affiliated crypto-
mechanisms.
▪ The underlying purpose of any
PKI setup is to manage the keys
and certificates associated with it, thereby creating a highly secure network environment for use
by applications and hardware.
▪ X.509 certificates and public keys form the cornerstone of PKI, acting as the mechanism through
which cryptography can be established for an endpoint consequently, PKI may refer to any
software, policy, process, or procedure that may be employed while configuring and managing
those certificates and keys.
▪ In a nutshell, PKI is responsible for making online interactions more secure, and it does this by:
▪ Establishing the identity of endpoints on a network
▪ Encrypting the flow of data via the network’s communication channels
▪ It does this by using private keys and public keys for encryption and decryption respectively,
which are facilitated in turn by digital certificates.

Components of PKI
▪ The components of a PKI include:
➢ public key
➢ private key
➢ Certificate Authority
➢ Certificate Store

90 Copy rights reserved for STL Academy

 Cyber Security

➢ Certificate Revocation List

➢ Hardware Security Module
▪ A public key system relies on asymmetric cryptography, which consists of a public and private
key pair.
▪ The Certificate Authority (CA) certifies the ownership of the key pairs and completes the PKI
setup.
▪ The ultimate goal of a PKI is identity and access management for a secure network.

Public Key
▪ A Public Key is a cryptographic key that can be distributed to the public and does not require
secure storage.
▪ Messages encrypted by the public key can only be decrypted by the corresponding private key.

Private Key
▪ Private Keys are used by the recipient to decrypt a message that is encrypted using a public key.
▪ Since the message is encrypted using a given public key, it can only be decrypted by the
matching private key.
▪ This establishes the ownership of the private and public key, ensuring the message is only read
by the approved parties.

Certificate Authority (CA)

▪ The CA generally handles all aspects of the certificate management for a PKI, including the
phases of certificate lifecycle management.
▪ A CA issues certificates to be used to confirm that the subject imprinted on the certificate is the
owner of the public key.
▪ In a PKI system, the client generates a public-private key pair.
▪ The public key and information to be imprinted on the certificate are sent to the CA.
▪ The CA then creates a digital certificate consisting of the user’s public key and certificate
attributes.
▪ The certificate is signed by the CA with its private key.
▪ Once the certificate is distributed to the user, they can present the signed certificate and the
receiver can trust that it belongs to the client because of the matching public-private key pair.

Hardware Security Module (HSM)

▪ A Hardware Security Module isn’t a mandatory component of a PKI, but it improves the security
of the PKI as a whole when implemented.
▪ This device protects and manages digital keys and serves as the groundwork for building a
secure enterprise PKI infrastructure.
▪ The HSM contributes to managing the complete lifecycle of cryptographic keys, which includes
creation, rotation, deletion, auditing, and support for API’s to integrate with various applications.

Certificate Lifecycle
▪ The lifecycle of a certificate can be broken into a handful of distinct steps.
1. Certificate Enrollment – An entity submits a request for a certificate to the Certificate
Authority (CA). An entity can be a person, a device, or even just a few lines of code.
2. Certificate Issuance – The CA needs to validate the identity of the applicant, which is
typically done through credentials or by trusting another CA that has already validated the
applicant.

Copy rights reserved for STL Academy 91

 Cyber Security

3. Certificate Validation – Every time the certificate is used to authenticate, the RADIUS
server checks with the CA to confirm that the certificate is still valid and hasn’t expired or
been revoked.
4. Certificate Revocation – Certificates contain an expiration date that’s specified when they
are first issued, usually for a duration of several years. When that date is reached, the
certificate will automatically be considered invalid for any authentication attempt.
5. Certificate Renewal – Instead of automatically being shunted to a CRL, some CA’s have
settings that renew certificates upon expiration date, though typically they re-verify identity.
At this time, you can choose whether or not to generate a new key pair – effectively making
it a totally new certificate.

Section 3: Exercises
Exercise 1: Identify the Public and Private Key in below Picture.

Exercise 2: Draw networking architecture.

Exercise 3: Draw diagram depicting DNS hijacking.

Exercise 4: Draw security testing cycle.

Exercise 5: Participate in group discussion on following topics:

a) Basics of Networking
b) Firewalls
c) LAN Security
d) IDS, NAC and IPSec
e) Principles of security and risk management
f) Data classification, disaster recovery and cyber forensics
g) Types of Cyber-attacks
h) DNS security
i) Fundamentals of social engineering, buffer overflows and security testing
j) Handling bugs
k) Securing storage platforms
l) Hacking IoT
m) Access Control Models
n) Kerberos
o) Identity Federation and ID Governance
p) Encryption, Advanced Cryptography and Crypto Algorithm

92 Copy rights reserved for STL Academy

 Cyber Security

q) Public Key Infrastructure (PKI)

Section 4: Assessment Questionnaire

Questions
1. What are the two types of switches?
2. An _______ is a device that creates a wireless local area network, or WLAN, usually in an
office or large building.
3. What is firewall?
4. There are two types of traffic in an organization _______ and _______ traffic.
5. _______ is a cybersecurity technique that prevents unauthorized users and devices from
entering private networks and accessing sensitive resources.
6. What are principles of Cybersecurity?
7. _______ means investigating, gathering, and analyzing information from a computer device
which can then be transformed into hardware proof to be presented in the court regarding the
crime in question.
8. What are the types of Cyber Forensic?
9. Phishing is a type of attack which attempts to steal sensitive information like user login
credentials and credit card number. (True/False)
10. What are the types of system-based attacks?
11. ________ refers to any attack that tricks a user into thinking they are connecting to a legitimate
domain while they are actually connected to a malicious domain.
12. ________ is the fraudulent process of registering domain names that have a strong
resemblance to well-known brands and companies in order to deceive users.
13. What is Threat Hunting?
14. Social engineering is a manipulation technique that exploits human error to gain private
information, access, or valuables. (True/False)
15. What is Honeypot?
16. In cybersecurity, a ____ is a flaw or vulnerability in the software or hardware design that can be
potentially exploited by the attackers.
17. What are IoT hacking methods?
18. What are four access control models?
19. The sender’s message or sometimes called the Ciphertext, is converted into an unreadable
form using a Key k. The resultant text obtained is called the Plaintext. (True/False)
20. What are the classes of Crypto Algorithm?
21. What is PKI?
22. What are the components of PKI?

----------End of the Module----------

MODULE 3
BUILD A HACKER MINDSET AND DEFEND AGAINST

Copy rights reserved for STL Academy 93

 Cyber Security

FUTURE ATTACKS
Section 1: Learning Outcomes

After completing this module, you will be able to explain the concepts of:
▪ Ethical Hacking
▪ Footprinting
▪ Scanning Networks
▪ Enumeration
▪ Vulnerability Analysis
▪ System Hacking
▪ Malware Threats
▪ Sniffing
▪ Social Engineering
▪ Denial-of-service
▪ Session Hijacking
▪ IDS, Firewalls, and Honeypots
▪ Hacking Web Servers
▪ Hacking Web Applications
▪ SQL Injection
▪ Hacking Wireless Networks
▪ Hacking Mobile Platforms
▪ IoT Hacking
▪ Cloud Computing
▪ Cryptography
Section 2: Relevant Knowledge
3.1 Ethical Hacking
Introduction to Ethical Hacking
▪ Ethical hacking can be referred to as a documented and authorized try to gain control and
access to a computer network or system, data or even just an application.
▪ One must devise a strategy which is on par or similar to a generic hacker that tries to gain
access for nefarious reasons.
▪ Ethical hacking helps to understand the vulnerabilities of a system and helps individuals and
companies keep their data safe from being exploited by third parties for whatever reasons.

Types of Threats
Network
▪ Any threat that would come via a network connection e.g.
▪ Man In the Middle Attack
▪ DOS
▪ DNS/ARP Positioning

Network
➢ Man in the Middle Attack
➢ Denial of Services

94 Copy rights reserved for STL Academy

 Cyber Security

Man in the middle (MITM) attack

▪ A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a
conversation between a user and an application—either to eavesdrop or to impersonate one of
the parties, making it appear as if a normal exchange of information is underway.
▪ The goal of an attack is to steal personal information, such as login credentials, account details
and credit card numbers.
▪ Targets are typically the users of financial applications, SaaS businesses, e-commerce sites and
other websites where logging in is required.
▪ Information obtained during an attack could be used for many purposes, including identity theft,
unapproved fund transfers or an illicit password change.

DOS
▪ A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making
it inaccessible to its intended users.
▪ DoS attacks accomplish this by flooding the target with traffic, or sending it information that
triggers a crash.
▪ Deny anybody the ability to be able to access data that is the malicious guy hammer the server
with a ton of requests that it is unable to fulfill all of them and thus the servers become either a
bandwidth saturated or CPU and RAM is completely utilized.

DNS/ARP Poisoning
▪ When an attacker builds a clone of an authentic website and make people believe to visit his
clone to gain access to their vital information such as credit card numbers.

Host Based Attacks

▪ An attack targeted towards a specific system or host.
▪ Examples: Laptop, Desktop, Smartphones, etc.
➢ Password Cracking
➢ Malware
➢ Privilege Escalation
➢ Code Execution

Password Cracking
▪ Cracking someone’s password by guessing or running some sort of brute force mechanism.

Malware
▪ Running a social engineering campaign and get someone to click on a link which further allows
me to get him to download the malicious software that gives me the access to his machine.

Privilege Escalation
▪ Raise the level of access in a machine.

Code Execution

Copy rights reserved for STL Academy 95

 Cyber Security

▪ Wanting someone’s device to execute some malicious code through a mechanism like a buffer
overflow, that is having some level of access to it some way, shape or form and that grants the
access to the OS through a malicious attack.

Application Based Attacks

▪ This would be more properly injections or buffer-overflows where one is attacking not the OS at
large but the applications that run on the system that would give the access.
▪ The hacker can exploit the old service running on a machine and through the service, could get
access to the OS.

Ethical Hacking Concepts

▪ Hacking experts follow four key protocol concepts:

Stay legal
▪ Obtain proper approval before accessing and performing a security assessment.

Define the scope

▪ Determine the scope of the assessment so that the ethical hacker’s work remains legal and
within the organization’s approved boundaries.

Report vulnerabilities
▪ Notify the organization of all vulnerabilities discovered during the assessment. Provide
remediation advice for resolving these vulnerabilities.

Respect data sensitivity

▪ Depending on the data sensitivity, ethical hackers may have to agree to a non-disclosure
agreement, in addition to other terms and conditions required by the assessed organization.

Information Security Controls

▪ Information security controls are measures taken to reduce information security risks such as
information systems breaches, data theft, and unauthorized changes to digital information or
systems.
▪ These security controls are intended to help protect the availability, confidentiality, and integrity
of data and networks, and are typically implemented after an information security risk
assessment.

▪ Types of information security controls include security policies, procedures, plans, devices and
software intended to strengthen cybersecurity.
▪ There are three categories of information security controls:
➢ Preventive security controls, designed to prevent cyber security incidents.

96 Copy rights reserved for STL Academy

 Cyber Security

➢ Detective security controls, aimed at detecting a cyber security breach attempt (“event”) or
successful breach (“incident”) while it is in progress, and alerting cyber security personnel.
➢ Corrective security controls, used after a cyber security incident to help minimize data loss
and damage to the system or network, and restore critical business systems and processes
as quickly as possible (“resilience”).

Penetration Testing
▪ Penetration testing (or pen testing) is a security exercise where a cyber-security expert attempts
to find and exploit vulnerabilities in a computer system.
▪ The purpose of this simulated attack is to identify any weak spots in a system’s defenses which
attackers could take advantage of.
▪ This is like a bank hiring someone to dress as a burglar and try to break into their building and
gain access to the vault.
▪ If the ‘burglar’ succeeds and gets into the bank or the vault, the bank will gain valuable
information on how they need to tighten their security measures.

Types of Penetration Testing

3.2 Footprinting and Reconnaissance

Reconnaisance
▪ Reconnaissance is the
information-gathering stage of
ethical hacking, where you collect
data about the target system.
▪ This data can include anything
from network infrastructure to
employee contact details.
▪ The goal of reconnaissance is to
identify as many potential attack
vectors as possible.

Copy rights reserved for STL Academy 97

 Cyber Security

Footprinting
▪ Footprinting is the process of identifying and understanding the security risks present in an
organization.
▪ Like reconnaissance, it involves gathering as much information about the target as possible,
including information that may not be readily available online.
▪ This information can then be used to build a profile of the organization’s security posture and
identify potential vulnerabilities.
▪ In the world of Cyber Security, Footprinting is the first step which lets penetration testers gather
information about hardware or network.
▪ It is basically an exploration process which helps us to know our enemy.
▪ In order to complete the penetration process, one ought to gather as much information as
possible.

Types of Footprinting
➢ Footprinting
➢ Passive
➢ Active

▪ There are two main types of footprinting:

▪ Passive footprinting: Gathering information from publicly available sources such as websites,
news articles, and company profiles.
▪ Active footprinting: Using more intrusive methods to access sensitive data, such as hacking
into systems or applying social engineering techniques.
▪ Passive footprinting techniques include:
1. Finding the Top-level Domains (TLDs) and sub-domains of an objective through web
services
2. Gathering area information on the objective through web services
3. Performing individuals search utilizing social networking websites and individuals search
services
4. Stealing monetary data about the objective through various monetary services
5. Get-together framework subtleties of the objective association through places of work
6. Checking objective utilizing ready services
7. Social occasion data utilizing gatherings, discussions, and online journals
8. Deciding the working frameworks being used by the objective association
9. Extricating data about the objective utilizing Internet documents
10. Performing competitive intelligence
11. Discovering data through web crawlers
12. Monitoring website traffic of the target
13. Tracking the online reputation of the target
14. Gathering data through social designing on social networking destinations

▪ Active Footprinting techniques include:

1. Querying published name servers of the target
2. Extracting metadata of published documents and files
3. Stealing a lot of website information using various types of mirroring and web spidering tools
4. Gathering information through email tracking
5. Performing Whois lookup

98 Copy rights reserved for STL Academy

 Cyber Security

6. Extracting DNS information

7. Performing traceroute analysis
8. Performing social engineering

Let us also discuss other types of footprinting techniques

▪ Footprinting through Search Engine
▪ Footprinting through social engineering
▪ Footprinting through Social Networking sites
▪ Website Footprinting
▪ Competitive Intelligence
▪ WHOIS Footprinting
▪ Footprinting using advanced Google hacking techniques
▪ Email Footprinting
▪ DNS Footprinting
▪ Network Footprinting

Footprinting through Search Engine

▪ Attackers use search to gather information about their target such as technology platforms,
employee details, login pages, intranet portals, etc. which helps in performing social engineering
and/or other types of advanced system attacks.
▪ Even search engine cache and internet archives may provide sensitive information that has been
removed from the World Wide Web (WWW).
▪ There are many search engines where you can find anything that desires from finding the
meaning of the word to finding a person. Such search engines are:
➢ www.google.com
➢ www.bing.com
➢ www.shodan.io
➢ www.duckduckgo.com
▪ Now let’s take the example of google.com. If I search “Raj Chandel” on Google, then it will give
me every possible result associated with the said person.

▪ Same will be the result from other search engines. But different search engines are often used
for particular searches.
▪ As shown above, Google is good for general information. If you want to know which websites are
hosted on a particular server then you can use the Bing search engine.

Copy rights reserved for STL Academy 99

 Cyber Security

▪ To know an IP address of any website just ping the website as shown below :
▪ Now, open bing.com and type the IP in the search tab and press enter.

▪ So like this, Bing can give you details about

websites which are hosted in the same
server
▪ Another search engine is shodan.io, it helps
to locate various open ports, vulnerable IP’s,
and effected digital-ware all over the world.
▪ Open shodan.io in your browser and search
for port or IP.

Footprinting through Job Seeking Sites

▪ Similarly, you can collect an abundance of information through job sites.
▪ You can know about the company’s infrastructure details, employee’s profile, hardware
information, software information. Some of such sites are:
➢ www.monster.com
➢ http://www.careerbuilder.co.in/
➢ www.dice.com
➢ www.simplyhired.com
➢ www.indeed.com
➢ www.usajobs.gov
➢ www.naukri.com

Footprinting through Alerts

▪ This feature gives you an alert if anything is changed in a particular website; given that you have
added an alert to the said website.

100 Copy rights reserved for STL Academy

 Cyber Security

▪ To do so, open google.com/alerts and type the name of the website that you wanted to alert
about. And then click on create an alert.

Footprinting through Social Networking Sites

▪ Attackers use social networking sites like Facebook, Twitter, and Pinterest etc. to gain important
and sensitive data about their target.
▪ They often create fake profiles through these social media to lure their target and extract
vulnerable information.
▪ Employees may post personal information such as DOB, educational and employment
background, spouse’s names, etc.
and information about their company
such as potential clients and
business partners, trade secrets of
business, websites, company’s
upcoming news, mergers,
acquisitions, etc.
▪ Even the information about the
employee’s interest is tracked and
then they are trick into revealing
more information.
▪ Now if you want to search a particular person using just their name or email then there are
specialized websites for it like pipl.com and lullar.com
▪ Open pipl.com and type the name of the person you want to search about. For instance, search
a random name.
▪ Now open lullar.com, here you can search for people using their email and much more.
▪ Here, we will search through email (using my own email) and there is a positive result in the
image below.

Copy rights reserved for STL Academy 101

 Cyber Security

Footprinting through Social Engineering

▪ Social engineering is an art of manipulating human behavior to our own advantage.
▪ This proves most helpful when the need for extraction of confidential information.
▪ To do so, we have to depend on the fact that people are unaware of their valuable information
and have no idea about being exploited.
▪ The most common example for this is when people call as fake credit/debit card companies and
try to extract information.
▪ Techniques used for social engineering are:
➢ Eavesdropping
➢ Shoulder surfing
➢ Dumpster diving
➢ Impersonation on social networking sites

Eavesdropping
▪ It is the process of intercepting unauthorized communication to gather information.

Shoulder surfing
▪ Secretly observing the target to gather sensitive information like passwords, personal
identification information, account information etc.

Dumpster Diving
▪ This is a process of collecting sensitive information by looking into the trash bin. Many of the
documents are not shredded before disposing them into the trash bin.
▪ Retrieving these documents from trash bin may reveal sensitive information regarding contact
information, financial information, tender information etc.

Footprinting through Web Services

▪ Web services such as people search services can provide sensitive information about the target.
▪ Internet archives may also provide sensitive information that has been removed from the World
Wide Web (‘WWW’).
▪ A company’s top-level domains (‘TLDs’) and sub-domains can provide a lot of useful information
to an attacker.
▪ The sub-domain organization is available to only a few people. or members of a department.
▪ These persons may be employees Sub-domains provide an of an insight into different
departments and business units in an organization.
▪ Access restrictions can be applied based on the IP address, domain or subnet, username, and
password.
▪ The sub-domain helps to access the private functions of an organization.
▪ Most organizations use common formats for sub-domains.
▪ A hacker who knows the external URL of a company can often discover the sub- domain through
trial and error, or by using a service such as Netcraft.
▪ Information such as the physical location of an organization plays a vital role in the hacking
process.
▪ Attackers can obtain this information using footprinting. In addition to physical location, a hacker
can also collect information such as surrounding public Wi-Fi hotspots that may prove to be a
way to break into the target organization’s network.
▪ The tools for geographical location allow you to find and explore most locations on the earth.

102 Copy rights reserved for STL Academy

 Cyber Security

▪ They provide information such as images of buildings, as well as surroundings, including Wi-Fi
networks.
▪ Tools such as Google Maps even locate entrances of building, security cameras, and gates.
▪ These tools provide interactive maps, outline maps, satellite imagery, and information on how to
interact with and create one’s own maps. Google Maps, Yahoo Maps, and other tools provide
driving directions, traffic conditions, locate landmarks, give us detailed information about address
and contact information.

Footprinting Tools
Whois
▪ A WHOIS lookup could be a way for you to search the general public database for information a
few specific domain, like the expiration date, current registrar, registrant information, etc.
▪ Once you enter a domain into the search bar at Uniregistry.com/whois, a request is sent to the
general public WHOIS database of the domain’s registrar or registry and therefore the stored
record is displayed.

NSlookup
▪ nslookup is a simple but very practical command-line tool, which is principally wont to find the IP
address that corresponds to a host, or the domain name that corresponds to an IP address (a
process called “Reverse DNS Lookup”).
▪ nslookup allows itself to be used in the command-line of the OS in question; Windows users start
the service via the command prompt, and Unix users via the terminal window.

Sam Spade
▪ Sam Spade runs on all versions of Windows starting with Windows 95 and makes it simple to do
a lot of investigation and analysis quickly, from determining the owner of a specific IP address
block to examining the contents of an internet page.
▪ It also has several features that are specific to the detection of spam and sites that relay spam.
▪ Sort of a real PI , Sam Spade doesn’t do anything that you couldn’t do yourself if you knew how
and had the correct tools; this software integrates the capabilities found in ping, traceroute, time,
whois, nslookup, finger, DIG, a packet sniffer, a port scanner, a scripting language, and more, all
with a nice GUI to boot.

SuperScan
▪ Download Super Scan from its new location and install it.
▪ SuperScan allows you to scan a variety of information processing addresses and do TCP port
scanning.
▪ It will check all ports, or those you choose. it’s a awfully quick and powerful tool.

Nmap
▪ Download Nmap from its site. you’ll use it in each Windows and UNIX/Linux.
▪ It will do ping sweeps, OS identification, additionally to what is finished SuperScan.
▪ You’ll be able to see most of its choices and commands at its site choices outline and a lot of
details is seen in its on-line book version.

TcpView
▪ TcpView may be a free tool for Windows that allows you to observe all open TCP and UDP ports
on the native laptop.

Copy rights reserved for STL Academy 103

 Cyber Security

▪ You’ll be able to transfer it from the Microsoft Sysinternals download website. As you’ll be able to
see during this image it shows not solely the open ports, however additionally what application in
your computer is coupled to the open ports.
▪ If a affiliation is established with a foreign host you’ll be able to see the remote
host information processing range.
▪ TcpView isn’t a Intrusion Detection System, however provides an image of goes on in your laptop
relating to ports and refreshes mechanically, therefore you’ll be able to see the changes that are
happening.

My ip Suite
▪ Its combines domain-to-IP device, Batch Ping, Tracers, Whois, Website Scanner And connection
Monitor in addition as an IP-to-country device into one Interface.
Dns enumerator
▪ its AN automated sub-domain retrieval tool and it scan google to extract the result

Spider Foot
▪ It will scarpe the the web site on it domain in addition as search Google, Netcraft, Whois and
DNS to create up info.

Nessus
▪ Once you discover the list of open ports, future step is begin searching for vulnerability within the
servers.
▪ One in all the efficient tools to vulnerability scan is Nessus. keep in mind that Nessus is not a free
tool.

Countermeasures
▪ Creating awareness among the employees and users about the dangers of social engineering.
▪ Limiting the sensitive information
▪ Encrypting sensitive information
▪ using privacy services on who is lookup database
▪ Disable directory listings in the web servers
▪ Enforcing security policies

Footprinting Pen Testing

▪ Fingerprinting pen check helps in determinant an organization’s data on the internet such as
network architecture, operating systems, applications, and users.
▪ The Penetration tester tries to assemble public ally offered sensitive data of the target by
pretending to be an attacker.
▪ The target is also a selected host or a network.
▪ The pen tester will perform a similar attacks as an attacker.
▪ The pen tester try all possible ways in which to gather as much data as possible in order to
confirm.
▪ The maximum scope of foot printing pen testing.
▪ If the pen tester finds sensitive data on any public-ally offered data resource, that data ought to
be reported to the organization.
▪ Foot printing pen testing helps organization to:
✓ Prevention data outpouring

104 Copy rights reserved for STL Academy

 Cyber Security

✓ Prevent social engineering tries

✓ Prevent ONS record retrieval from in public offered servers
✓ Foot printing Pen Testing Steps

Pen testing could be a suggests that to look at network security.

Steps within the procedure ought to be followed so as, to confirm most scope of testing.

▪ The steps concerned in foot printing Penetration testing are:

Step 1: Get correct authorization
Step 2: outline the scope of the assessment
Step 3: Perform foot printing through search engines
Step 4: Perform foot printing through web services
Step 5: Perform foot printing through social networking sites
Step 6: Perform web site foot printing
Step 7: Perform email foot printing
Step 8: Gather competitive intelligence
Step 9: Perform who is foot printing
Step 10: Perform DNS foot printing
Step 11: Perform network foot printing
Step 12: Perform social engineering

3.3 Scanning Networks

Network Scanning
▪ Network scanning is a procedure for identifying active devices on a network by employing a
feature or features in the network protocol to signal devices and await a response.
▪ Network scanning involves many procedures that help to identify the ports, services, and live
hosts.
▪ It helps to discover the architecture and the operating system of the target system.
▪ Network scanning helps to find out the vulnerabilities and the threats in the articular network.
▪ Network changes also help to create a profile for the organization that is the target.
▪ In active scanning, the tools send a ping to all of the devices on the network and wait for a
response.
▪ The scanner will then start to look at the response to see if there is much vulnerability or any
consistency.
▪ It is possible to send a ping manually to use the Address Resolution scan.
▪ To see all the devices on the particular network across the subnets the best is to make use of
tools that are capable of running scans and detecting devices automatically.
▪ You will need to make use of the ICMP or the Internet Control Message Protocol when the scan
is highly complicated.
▪ For this timestamp, echo, mask request, and subnets are used.
▪ This network is useful to map the topology of the network.
▪ Network scanning is important because it helps in managing, securing, and maintaining the
system using the data that the scanner finds.
▪ The network scanning recognizes the available services of the network and recognizes and
discovers if there are many filtering systems set in place.
▪ It looks at the operating systems that are used and it does this to protect the network from an
attack. This helps to determine the health of the complete network.

Copy rights reserved for STL Academy 105

 Cyber Security

How does a Network Scan Work?

1. Discover active hosts on the networ
2. Uses Address resolution protocol (ARP) at the subnet level
3. Or, uses Internet Control Message Protocol (ICMP) for a wider reach

Types of Network Scanning

➢ Scanning
➢ Network Scanning
➢ Port Scanning
➢ Vulnerability Scanning

Network Scanning
▪ Network scanning helps to discover any live computer or hosts, open ports, and the IP address
of a victim.
▪ It helps to discover the services that are running on any host computer.
▪ It allows the decoding of the system architecture of any target and the operating system.
▪ The method helps to deal with and discover if there are any vulnerabilities in a live host.

Port Scanning
▪ Post scanning is a conventional method that is used to penetrate into the hackers and the testers
to search if there are any open doors from where the hacker will be capable of accessing the
system of the organization.
▪ It tries to figure out the route of the hacker, to find out the live hosts, the operating system that is
used, and the installed firewalls as well as the topology of the targeted organization.
▪ Once the hacker gets the IP address of the organization of the victim using the UDP and the TCP
ports the hacker will map the network of the organization and put it in his grab.
▪ A map is a tool that is used to carry out port scanning techniques.

Vulnerability Scanning
▪ The vulnerability scanning method proactively identifies the vulnerability of the network in an
automated method that helps to find out whether the system may be threatened or exploited.
▪ To carry out this type of scanning the computer needs to be connected to the internet.

Scanning Methodologies
1. Hackers and Pen-testers check for Live systems
2. Check for open ports
3. Scanning beyond IDS (Intrusion Detection System)
4. Banner Grabbing: is the method for obtaining information regarding the targeted system on a
network and services running on its open ports. Telnet and ID Serve are the tools used

106 Copy rights reserved for STL Academy

 Cyber Security

mainly to perform a Banner-grabbing attack. This information may be used by

intruders/hackers to portray the lists of applicable exploits.
5. Scan for vulnerability
6. Prepare Proxies

Tools of Network Scanning

▪ Using the tools for network scanning is important if you are running several devices on the
network.
▪ It is also useful if you have a large network to include various subnets.
▪ It is impossible to manage such a vast network and this can expose the business to various
security threats.
▪ This is why you need scanning networks to scan the system

Here are the uses of network scanning:

▪ Automates the IP network scanning
▪ It helps to manage the subnets with the subnetwork scanning
▪ It scans the network device correctly from end to end
▪ It streamlines the scanning of the network and helps to detect if there are any rogue devices
which helps to enhance the security network
▪ It helps to set role-based access management
▪ The scanning tools may make use of passive scanning to reveal many kinds of critical
information related to your network.
▪ It works like a network discover and a management tool for performance management to
determine the networks and devices on your system and to create a network topology.
▪ It is also possible to scan the network information to determine to see whether or not the device
is working correctly or if there are faults in your network.
▪ The network scanning tools help to monitor and examine the vendors that run on multi networks.
▪ It also gives a very visual appealing insight like comparative graphs and heat maps.
▪ It helps to understand the network from the perspective of a node by node.
▪ It also pinpoints and troubleshoots the problems and to discover the weak parts that could be
vulnerable to an attack.
▪ The IP address scanning network is focused on managing and discovering the devices that are
based on information of IP across various subnets.

Techniques of Network Scanning

Port Scanning Techniques
▪ Port scanning techniques are extremely useful when it comes to identifying open ports. Scanning
techniques represent different categories which are used based on protocol types.
▪ They are categorized into three categories:
➢ Scanning ICMP network services
➢ Scanning TCP network services
➢ Scanning UDP network services

Scanning ICMP network services

ICMP Scanning
▪ ICMP scanning is used for identifying active devices and determining whether ICMP can pass
through a firewall.

Copy rights reserved for STL Academy 107

 Cyber Security

Ping Sweep
▪ Ping sweep is used to determine the range of IP addresses that is mapped to active devices.
▪ It allows hackers to calculate subnet masks and identify the number of present hosts in the
subnet.
▪ This in turn enables them to create an inventory of active devices in the subnet.

ICMP Echo Scanning

▪ ICMP Echo Scanning is used to determine which hosts are active in a target network by pinging
all the machines in the network.

TCP Connect
▪ TCP connect scan used for detecting open ports upon the completion of the three-way
handshake.
▪ It works by establishing a full connection and then dropping it by sending a RST packet.

Stealth Scan
▪ Stealth scan is used for bypassing firewall and logging mechanisms.
▪ It works by resetting the TCP connection before the three-way handshake is completed, which in
turn makes the connection half open.

Scanning TCP network services

Inverse TCP Flag Scanning
▪ Inverse TCP flag scanning works by sending TCP probe packets with or without TCP flags.
▪ Based on the response, it is possible to determine whether the port is open or closed.
▪ If there is no response, then the port is open. If the response is RST, then the port is closed.

Xmas Scan
▪ Xmas scan works by sending a TCP frame with FIN, URG, and PUSH flags set to the target
device.
▪ Based on the response, it is possible to determine whether the port is open or closed. If there is
no response, then the port is open.
▪ If the response is RST, then the port is closed. It is important to note that this scan works only for
UNIX hosts.

TCP Connect
▪ TCP connect scan used for detecting open ports upon the completion of the three-way
handshake.
▪ It works by establishing a full connection and then dropping it by sending a RST packet.

Stealth Scan
▪ Stealth scan is used for bypassing firewall and logging mechanisms.
▪ It works by resetting the TCP connection before the three-way handshake is completed, which in
turn makes the connection half open.

ACK Flag Probe Scanning

▪ ACK flag probe scanning works by sending TCP probe packets with ACK flag set in order to
determine whether the port is open or closed.

108 Copy rights reserved for STL Academy

 Cyber Security

▪ This is done by analyzing the TTL and WINDOW field of the received RST packet’s header. The
port is open if the TTL value is less than 64.
▪ Similarly, the port is also considered to be open if the WINDOW value is not 0 (zero). Otherwise,
the port is considered to be closed.
▪ ACK flag probe is also used to determine the filtering rules of the target network.
▪ If there is no response, then that means that a stateful firewall is present.
▪ If the response is RST, then the port is not filtered.

Scanning UDP network services

IDLE/IPID Header Scan
▪ IDLE/IPID header scan works by sending a spoofed source address to the target to determine
which services are available.
▪ In this scan, hackers use IP address of a zombie machine for sending out the packets. Based on
the IPID of the packer (fragment identification number), it is possible to determine whether the
port is open or closed.

UDP Scanning
▪ UDP scanning uses UDP protocol to test whether the port is open or closed.
▪ In this scan there is no flag manipulation. Instead, ICMP is used to determine if the port is open
or not.
▪ If a packet is sent to a port and the ICMP port unreachable packet is returned, then that means
that the port is closed.
▪ If, however, there is no response, then the port is open.

SSDP and List Scanning

▪ SSDP, or Simple Service Discovery Protocol, service responds to queries sent over IPv4 and
IPv6 broadcast addresses.
▪ Attackers use this scan to exploit UPnP vulnerabilities and carry out buffer overflow or DoS
attacks. List scanning indirectly discovers hosts.
▪ This scan works by listing out IP addresses and names without pinging the hosts and with
performing a reverse DNS resolution to identify the names of the hosts.

Vulnerability Scanning Techniques

▪ If a hacker wants to perform ICMP (Internet Control Message Protocol) scanning, it can be
done manually. The steps are:
➢ Open Windows OS
➢ Press Win+R (Run) buttons in combination
➢ In the Run, type- cmd
➢ Type the command: ping IP Address or type: ping DomainName

Tools that can are used to scan networks and ports are:
▪ Nmap: extract information such as live hosts on the network, services, type of packet
filters/firewalls, operating systems, and OS versions.
▪ Angry IP Scanner: scans for systems available in a given input range.
▪ Hping2/Hping3: are command-line packet crafting and network scanning tools used for TCP/IP
protocols.
▪ Superscan: is another powerful tool developed by Mcafee, which is a TCP port scanner, also
used for pinging.

Copy rights reserved for STL Academy 109

 Cyber Security

▪ ZenMap: is another very powerful Graphical user interface (GUI) tool to detect the type of OS,
OS version, ping sweep, port scanning, etc.
▪ Net Scan Tool Suite Pack: is a collection of different types of tools that can perform a port scan,
flooding, webrippers, mass emailers; and This tool is a trial version, but paid versions are also
available.
▪ Wireshark and Omnipeak are two powerful and famous tools that listen to network traffic and act
as network analyzers.
▪ Names of other famous PCs tools are Advanced Port Scanner, Net Tools, MegaPing, CurrPorts,
PRTG Network Monitor, SoftPerfect Network Scanner, Network Inventory Explorer, etc.
▪ There are various other scanners available free and inbuilt in Kali Linux OS.
▪ Tools and software that are used in mobiles as scanners include the names such as Umit
Network Scanner, Fing, IP network Scanner, PortDroid network Analysis, Panm IP Scanner,
Nessus Vulnerability Scanner, Shadow Sec Scanner, etc.

Countermeasures against Scanning

1. Configure firewalls and IDS to detect and block probes.
2. Use custom rules to lock down the network and block unwanted ports.
3. Run port Scanning tools to determine whether the firewall accurately detects the port scanning
activities.
4. Security Experts should ensure the proper configuration of anti-scanners and anti-spoofing rules.
5. Security experts of an organization must also ensure that the IDS, routers, and firewall firmware
are updated to their latest releases.

Network Diagrams

110 Copy rights reserved for STL Academy

 Cyber Security

Scanning Pen Test

Penetration Scanning Checklist
▪ This list is not an A to B roadmap, a lot of the time you will miss something and have to rescan
multiple times and this is normal.
✓ Find the network topology
✓ Find the operating system types of discovered hosts.
✓ Find open ports and network services in a target environment.
✓ Find the network addresses of live hosts, firewalls, routers, etc.
✓ Find a list of potential vulnerabilities.
✓ Don’t use tools that make a lot of noise; it can potentially crash the host or even make the
host aware of our presence, reduce these risks as much as you can.

Types of Pen Test Scans

Network Tracing
▪ Usually the first step, when we try to figure out the topology of the network which will help us in
planning our attacks.

Network Sweeping
▪ We try to figure out which of the addresses in the range are in use.
▪ We do this by sending our ICMP packets and listening carefully, if we get a response we know
that an address is in use, giving us awareness of the active systems.

OS Scanning/ Fingerprinting
▪ In this scan we try to enumerate the OS of the target system.
▪ This is done by sending a crafted packet which checks for the response of the system.
▪ Every OS has a different behavior over the network, these specific crafted packets can check
which OS is responding.
▪ Sometimes we want to be less noisy on the system so you can also perform a passive
fingerprinting scan which won’t send any packets but will receive them.
▪ Based on the response, you can decide what OS the system is and we can also figure out the
OS of a system via HTTP headers.
▪ Direct and indirect banner grabbing can grab OS data, hosts often announce their OS to anyone
trying to make a connection to them through banners.

Port Scanning
▪ In this scan we try to figure out the different TCP and UDP ports that are open on the system.
▪ Primarily there are two types of port scans; SYN scan and FIN scan.
▪ Remember these scans can be intensive and might bring the system down so be careful.

Application / Application Version

▪ In this scan we try to figure out the different applications that are running on these ports. Some
ports have assigned applications.
▪ Ports 1 through 1024 have applications assigned applications but you should still try to figure out
the application version using application specific scans.

Vulnerability Scanning
▪ In this scan we try to find out if the application is vulnerable to any known vulnerabilities which
stem from unpatched or mis-configured applications.

Copy rights reserved for STL Academy 111

 Cyber Security

3.4 Enumeration
▪ Enumeration belongs to the first phase of Ethical Hacking, i.e., “Information Gathering”.
▪ This is a process where the attacker establishes an active connection with the victim and try to
discover as much attack vectors as possible, which can be used to exploit the systems further.

▪ Enumeration can be used to gain information on:

➢ Network shares
➢ SNMP data, if they are not secured properly
➢ IP tables
➢ Usernames of different systems
➢ Passwords policies lists

Classification of Enumeration

Process of Enumeration

112 Copy rights reserved for STL Academy

 Cyber Security

Enumeration Techniques
▪ Extract User Names using email IDs
▪ Extract Information using the default password
▪ Brute Force Active
▪ Extract user names using SNMP
▪ Extract user groups from windows
▪ Extract Information using DNS transfer

Net BIOS Enumeration

▪ NetBIOS (Network Basic Input Output System) Enumeration helps in computer communication
with LAN for sharing files and printers.
▪ They are mainly used for finding the network devices.
▪ The naming is 16 characters – 15 characters for the device and the 16th denotes the service it
runs.
▪ Attackers use the NetBIOS for scanning the list of computers per domain, policies and
passwords and other shares in the network.
▪ Tools used in Netbios are Nbtstat, superscan, Net View, Hyena

SNMP Enumeration
▪ SNMP (Simple Network Management Protocol) enumeration is a cycle of specifying client
records and gadgets on an objective framework utilizing SNMP.
▪ SNMP comprises a manager and a specialist; specialists are inserted on each organization
gadget, and the trough is introduced on a different PC.

3.5 Vulnerability Analysis

Vulnerability Assessment
▪ Vulnerability assessment refers to the process of identifying risks and vulnerabilities in computer
networks, systems, hardware, applications, and other parts of the IT ecosystem.

Copy rights reserved for STL Academy 113

 Cyber Security

▪ Vulnerability assessments provide security teams and other stakeholders with the information
they need to analyze and prioritize risks for potential remediation in the proper context.
▪ Vulnerability assessments are a critical component of the vulnerability management and IT risk
management lifecycles, helping protect systems and data from unauthorized access and data
breaches.
▪ Vulnerability assessments typically leverage tools like vulnerability scanners to identify threats
and flaws within an organization's IT infrastructure that represents potential vulnerabilities or risk
exposures.
▪ Vulnerability assessments allow security teams to apply a consistent, comprehensive, and clear
approach to identifying and resolving security threats and risks.
▪ This has several benefits to an organization:
➢ Early and consistent identification of threats and weaknesses in IT security.
➢ Remediation actions to close any gaps and protect sensitive systems and information.
➢ Meet cybersecurity compliance and regulatory needs for areas like HIPAA and PCI DSS.
➢ Protect against data breaches and other unauthorized access.

Vulnerability Assessment Solutions

▪ The most vital part of vulnerability assessment is a vulnerability scanning tool.
▪ This tool should be able to carry out various types of scans, such as:
➢ Credentialed and non-credentialed scans
➢ External vulnerability scans
➢ Internal vulnerability scans
➢ Environmental scans
▪ When you’re choosing a vulnerability scanning tool, emphasize the following areas:
➢ Frequency of updates
➢ Quality and quantity of vulnerabilities, including minimizing false positives and false negatives.
Elimination of false positives
➢ Actionability of results
➢ Integrations with other vulnerability management and IT security tools (patch management,
SIEM, etc.)
▪ Vulnerability assessments should always provide clear, actionable information on all identified
threats, and the corrective actions that will be needed.
▪ This allows risk managers to prioritize fixes against the overall cyber risk profile of the
organization.
▪ A good vulnerability assessment approach can significantly reduce your exposure to cyber
threats, and boost your baseline of protection across your organization’s systems and data.

Scoring Systems
▪ The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal
characteristics of a vulnerability and produce a numerical score reflecting its severity.
▪ The numerical score can then be translated into a qualitative representation (such as low,
medium, high, and critical) to help organizations properly assess and prioritize their vulnerability
management processes.

114 Copy rights reserved for STL Academy

 Cyber Security

▪ CVSS is a published standard used by organizations worldwide, and the SIG's mission is to
continue to improve it.
▪ The CVSS Special Interest Group (SIG) is currently working on individual improvements that will
form the basis of the next version of the CVSS standard.
▪ The SIG is composed of representatives from a broad range of industry sectors, from banking
and finance to technology and academia.

Scoring Tools
▪ Vulnerability assessment tools are designed to automatically scan for new and existing threats
that can target your application.
▪ Types of tools include:
1. Web application scanners that test for and simulate known attack patterns.
2. Protocol scanners that search for vulnerable protocols, ports and network services.
3. Network scanners that help visualize networks and discover warning signals like stray IP
addresses, spoofed packets and suspicious packet generation from a single IP address.
▪ It is a best practice to schedule regular, automated scans of all critical IT systems. The results of
these scans should feed into the organization’s ongoing vulnerability assessment process.

Vulnerability Assessment Reports

▪ A vulnerability assessment report is the roadmap to a better state of security preparedness,
laying out the unique risks you face due to the technology that underpins your organization.
▪ It also reveals how to overcome them without completely overhauling your core business
strategy.

Why do you need a Vulnerability Assessment Report?

➢ To meet compliance requirements
➢ To increase customer trust
➢ Reduce cyber insurance premiums
➢ Build business resilience

What should a vulnerability assessment report contain?

▪ There is no unified reporting template that has to be maintained by everyone, even for
compliance purposes, unless you’re trying to adhere to PCI-DSS, which has its own specific
requirements.

Copy rights reserved for STL Academy 115

 Cyber Security

▪ A vulnerability assessment report will show you the raw number of vulnerabilities detected in your
systems at a point in time.
▪ In an ideal scenario, you want your vulnerability report to contain nothing = zero issues.

3.6 System Hacking

▪ System hacking is the procedure of obtaining unauthorized access to a system and its resources.
▪ Some hacking types are perfectly legal, the most typical example being ethical hacking, a system
penetration testing, conducted by information security specialists.

How to Crack Passwords

▪ One of the most important methods used by hackers in order to circumvent the standard
authentication is password cracking.
▪ It is actually the very first step in the system hacking process.
▪ By obtaining a certain password, one has initially gained access to a part of the system that is
targeted.

Password-cracking techniques used by hackers:

1. Phishing
▪ Phishing is among the most common password-stealing techniques currently in use today and is
often used for other types of cyber attacks.
▪ Rooted in social engineering tactics, its success is predicated on being able to deceive a victim
with seemingly legitimate information while acting on malicious intent.

2. Social Engineering
▪ This typically refers to the process of tricking users into believing the hacker is a legitimate agent.

116 Copy rights reserved for STL Academy

 Cyber Security

▪ A common tactic is for hackers to call a victim and pose as technical support, asking for things
like network access passwords in order to provide assistance.
▪ This can be just as effective if done in person, using a fake uniform and credentials, although
that’s far less common these days.

3. Malware
▪ Keyloggers, screen scrapers, and a host of other malicious tools all fall under the umbrella of
malware, malicious software designed to steal personal data.
▪ Alongside highly disruptive malicious software like ransomware, which attempts to block access
to an entire system, there are also highly specialised malware families that target passwords
specifically.

4. Brute force attack

▪ Brute force attacks refer to a number of different methods of hacking that all involve guessing
passwords in order to access a system.

Copy rights reserved for STL Academy 117

 Cyber Security

5. Dictionary attack
▪ This uses an automated process of feeding a list of commonly-used passwords and phrases into
a computer system until something fits.
▪ Most dictionaries will be made up of credentials gained from previous hacks, although they will
also contain the most common passwords and word combinations.

6. Mask attack
▪ Where dictionary attacks use lists of all possible phrase and word combinations, mask attacks
are far more specific in their scope, often refining guesses based on characters or numbers
usually founded in existing knowledge.
▪ The goal here is to drastically reduce the time it takes to crack a password, and remove any
unnecessary processing.

7. Rainbow table attack

▪ Whenever a password is stored on a system, it’s typically encrypted using a ‘hash’, or a
cryptographic alias, making it impossible to determine the original password without the
corresponding hash
▪ In order to bypass this, hackers maintain and share directories that record passwords and their
corresponding hashes, often built from previous hacks, reducing the time it takes to break into a
system (used in brute force attacks).

118 Copy rights reserved for STL Academy

 Cyber Security

▪ Rainbow tables go one step further, as rather than simply providing a password and its hash,
these store a precompiled list of all possible plain text versions of encrypted passwords based on
a hash algorithm.
▪ Hackers are then able to compare these listings with any encrypted passwords they discover in a
company’s system.
▪ Much of the computation is done before the attack takes place, making it far easier and quicker
to launch an attack, compared to other methods.
▪ The downside for cyber criminals is that the sheer volume of possible combinations means
rainbow tables can be enormous, often hundreds of gigabytes in size.

8. Network Analyzers
▪ Network Analyzers are tools that allow hackers to monitor and intercept data packets sent over a
network and lift the plain text
passwords contained within.
▪ Such an attack requires the use of
malware or physical access to a
network switch, but it can prove highly
effective.
▪ It doesn’t rely on exploiting a system
vulnerability or network bug, and as
such is applicable to most internal
networks.
▪ It’s also common to use network
analyzers as part of the first phase of an attack, followed up with brute force attacks.

Copy rights reserved for STL Academy 119

 Cyber Security

9. Spidering
▪ Spidering refers to the process of hackers getting to know their targets intimately in order to
acquire credentials based on their activity.
▪ The process is very similar to techniques used in phishing and social engineering attacks, but
involves a far greater amount of legwork on the part of the hacker - although it’s generally more
successful as a result.

10. Offline cracking

▪ Offline hacking usually involves the process of decrypting passwords by using a list of hashes
likely taken from a recent data breach.
▪ Without the threat of detection or password form restrictions, hackers are able to take their time.

Hiding Files
Steganography
▪ The art of hiding a data inside another data/medium is called steganography.
▪ For eg: hiding data within an image file
▪ The secret message is called overt file and the covering file is called covert file.

120 Copy rights reserved for STL Academy

 Cyber Security

Types of Steganography
➢ Image Steganography
➢ Document Steganography
➢ Folder Steganography
➢ Video Steganography
➢ Audio Steganography
➢ White Space Steganography

Covering Tracks
▪ Covering tracks is one of the most stage during system hacking. during this stage, the attacker
tries to cover and avoid being detected, or “traced out,” by covering all track, or logs, generated
while gaining access to the target networks or computer.
▪ This starts with erasing the contaminated logs and possible error messages generated within the
attack process.
▪ Then, attackers make changes within the system configuration in order that it does riot log future
activities by manipulating and tweaking the event logs, attackers trick the supervisor in believing
that there’s no malicious activity within the system, which no intrusion or compromise has
actually taken place.

Using Reverse IMP Shells

▪ An attacker starts this attack by first infecting a victim’s machine by some malicious code and
thereby, installing reverse HTTP shell on the victim’s system.
▪ This reverse HTTP shell is programmed in such how that it might invite commands to an external
master who controls the reverse HTTP shell or a daily basis, this sort of traffic is taken into
account as normal traffic by an organization’s network perimeter security like DMZ, firewall, etc.
▪ Once an attacker types something on the master system, the command is retrieved and
executed on the victim’s system.
▪ The victim here will act as an internet client who is executing HTTP GET commands whereas the
attacker behaves sort of a web server and responds to the requests.
▪ Once the previous commands get executed, the results are sent within the next web request.
▪ All the other users within the network can normally access the net, therefore, this traffic between
the attackers and therefore the victim is seen as a normal traffic.

Using Reverse ICMP Tunnels

▪ ICMP tunneling may be a technique where an attacker uses ICMP echo and lav IP reply packets
as a carrier of TCP payload, so as to access or control a system stealthily.
▪ This method will be used to easily bypass firewall rules because most of the organizations have
security mechanisms that only check incoming ICMP packets but not outgoing IDA P packets.

Copy rights reserved for STL Academy 121

 Cyber Security

▪ An attacker first configures the local client to attach with the victim.
▪ The victim’s system is triggered to encapsulate a TCP payload in an ICMP echo packet which is
forwarded to the proxy server.
▪ The proxy server de-encapsulates and extracts the TCP payload and sends it to the attacker.

Using DNS Tunneling

▪ Attackers can use DNS tunneling to encode malicious content or data of other programs within
DNS queries and replies.
▪ DNS tunneling usually includes data payload which will be added to the victim’s DNS server to
make a channel to access a foreign server and applications, Attackers can make use of this
channel to exfiltrate stolen, confidential or sensitive information from the server.
▪ Attackers perform DNS tunneling in various stages; firstly, they compromise an inside system to
possess a reference to an external network.
▪ Then, they use that compromised system as a command and control server to access the
system remotely and transfer files covertly from within the network to outside the network.

Using TCP Parameters

▪ TCP parameters will be utilized by the attacker to distribute the payload and to make covert
channels.
▪ A number of the TCP fields where data are often hidden are as follow:

IP Identification field
▪ This can be a simple approach where a payload is transferred bitwise over a longtime session
between two systems. Here, one character is encapsulated per packet.

TCP acknowledgement number

▪ This approach is sort of difficult because it uses a bounce server that receives packets from the
victim and sends it to an attacker. Here, one hidden character is relayed by the bounce server
per packet.

TCP initial sequence number

▪ This method also does not require a longtime connection between two systems. Here, one
hidden character is encapsulated per SYN request and Reset packets.
▪ Protecting against attackers trying to hide their tracks by changing file information is often
difficult.
▪ However, it’s possible to detect
whether an attacker has done so by
calculating the filters cryptographic
hash, this sort of hash could be a
calculation of the whole file before
encryption.
▪ Attackers might not wish to delete a
whole log to hide their tracks, as
doing so may require admin
privileges.
▪ If attackers are ready to delete only
attack event logs, they’ll still be able
to escape detection.

122 Copy rights reserved for STL Academy

 Cyber Security

▪ The attacker can manipulate the log files with the assistance of :
– SECEVENT.EVT (security): failed logins, accessing files without privileges

– SYSEVENT.EVT (system): Driver failure, things not operating correctly

– APPEVENT.EVT (applications)

Covering Tracks Tools

▪ Track-covering tools help the attacker to scrub up all the tracks of computer and online networks
activities on the pc.
▪ They free cache space, delete cookies, clear Internet history, shared temporary files, delete logs,
and discard junk.

CCleaner
▪ CCleaner may be a system optimization, privacy, and cleaning tool.
▪ It allows you to get rid of unused files and cleans track of online networks browsing details from
the P.
▪ It keeps your privacy online, and makes the system faster and safer. additionally, it frees up hard
disc space for further use.
▪ With this tool, an attacker can erase his/her track very easily.
▪ CCleaner also deans traces of your online activities like online networks history.

To cleans the following areas of your Computer:

▪ Internet Explorer: Temporary files, history, cookies, Auto complete form history, index.dat.
▪ Firefox: Temporary files, history, cookies, download history, form history
▪ Google Chrome: Temporary files, history, cookies, download history, form history
▪ Opera: Temporary files, history, and cookies
▪ Safari: Temporary files, history, cookies, form history
▪ Windows: Recycle Bin, Recent Documents, Temporary files and Log files.
▪ Some of the covering tracks tools are listed below :
➢ Privacy Eraser
➢ Wipe
➢ BleachBit
➢ CIearProg
➢ AVG TuneUp
➢ Norton Utilities
➢ Glary Utilities
➢ Clear My History
➢ WinTools.net Professional
➢ Free Internet window washer

3.7 Malware Threats

Malware Threats
▪ Malware stands for “Malicious Software” and it is designed to gain access or installed into the
computer without the consent of the user.
▪ They perform unwanted tasks in the host computer for the benefit of a third party.
▪ This term used to describe malicious applications and code that can cause damage and disrupt
normal use of devices.

Copy rights reserved for STL Academy 123

 Cyber Security

▪ Malware can allow unauthorized access, use system resources, steal passwords, lock you out of
your computer and ask for ransom, and more.
▪ Cybercriminals that distribute malware are often motivated by money and will use infected
computers to launch attacks, obtain banking credentials, collect information that can be sold, sell
access to computing resources, or extort payment from victims.
▪ There are some telltale signs you can learn that typically indicate you have been the victim of a
malware attack, including:
1. A slow computer. Malware often affects the speed of your device while you are using the
internet or applications.
2. A computer that frequently crashes or freezes during normal use.
3. A ton of pop-up ads. These often indicate that adware, a type of malware, has gotten into
your system. If you see these, it is important to not click on them because they could launch
code that causes further damage.
4. A loss of disk space. If you feel your available disk space has suddenly diminished, it could
be because malware is on your hard drive.
5. A swell in internet activity on your network. Some automatically access the internet, causing
an unusual increase in internet activity that does not correlate with user behavior.
6. When your system is working harder than it normally would. This could be due to malware
taking up valuable resources.
7. Your browser is showing new toolbars, extensions, or a different homepage.

Types of Malware
▪ There is a full range of malwares which can seriously degrade the performance of the host
machine.
▪ There is a full range of malwares which are simply written to distract/annoy the user, to the
complex ones which captures the sensitive data from the host machine and send it to remote
servers
➢ Adware
➢ Spyware
➢ Browser hijacking software
➢ Virus
➢ Worms
➢ Trojan Horse
➢ Scareware

1. Adware
▪ It is a special type of malware which is used for forced advertising.
▪ They either redirect the page to some advertising page or pop-up an additional page which
promotes some product or event.
▪ These adware are financially supported by the organizations whose products are advertised.

2. Spyware
▪ It is a special type of which is installed in the target computer with or without the user permission
and is designed to steal sensitive information from the target machine.
▪ Mostly it gathers the browsing habits of the user and the send it to the remote server without the
knowledge of the owner of the computer.
▪ Most of the time they are downloaded in to the host computer while downloading freeware i.e.
free application programmes from the internet.

124 Copy rights reserved for STL Academy

 Cyber Security

▪ Spywares may be of various types; It can keeps track of the cookies of the host computer, it can
act as a keyloggers to sniff the banking passwords and sensitive information, etc.

3. Browser hijacking software

▪ There is some malicious software which are downloaded along with the free software offered
over the internet and installed in the host computer without the knowledge of the user.
▪ This software modifies the browsers setting and redirect links to other unintentional sites.

4. Virus
▪ A virus is a malicious code written to damage/harm the host computer by deleting or appending a
file, occupy memory space of the computer by replicating the copy of the code, slow down the
performance of the computer, format the host machine, etc.
▪ It can be spread via email attachment, pen drives, digital images, e-greeting, audio or video clips,
etc.
▪ A virus may be present in a computer but it cannot activate itself without the human intervention.
▪ Until and unless the executable file(.exe) is execute, a virus cannot be activated in the host
machine.

5. Worms
▪ They are a class of virus which can replicate themselves.
▪ They are different from the virus by the fact that they does not require human intervention to
travel over the network and spread from the infected machine to the whole network.
▪ Worms can spread either through network, using the loopholes of the Operating System or via
email.
▪ The replication and spreading of the worm over the network consumes the network resources
like space and bandwidth and force the network to choke.

6. Trojan Horse
▪ Trojan horse is a malicious code that is installed in the host machine by pretending to be useful
software.
▪ The user clicks on the link or download the file which pretends to be a useful file or software from
legitimate source.
▪ It not only damages the host computer by manipulating the data but also it creates a backdoor in
the host computer so that it could be controlled by a remote computer.
▪ It can become a part of botnet(robot-network), a network of computers which are infected by
malicious code and controlled by central controller.
▪ The computers of this network which are infected by malicious code are known as zombies.
▪ Trojens neither infect the other computers in the network nor do they replicate.
▪ Trojan Horse is a program in which the malicious or harmful code is contained inside apparently
harmless programming or data in such a way that it can get control and cause damage, such as
ruining the file allocation table on your hard disk.
▪ Trojans get activated upon users' certain predefined actions.
▪ Indications of a Trojan attack include abnormal system and network activities such as disabling
of antivirus, redirection to unknown pages, etc.
▪ Trojans create a covert communication channel between victim computer and attacker for
transferring sensitive data.

Copy rights reserved for STL Academy 125

 Cyber Security

How Hackers Use Trojans

▪ Delete or replace operating system's critical files.
▪ Generate fake traffic to create DOS attacks.
▪ Record screenshots, audio, and video of victim's PC.
▪ Use victim's PC for spamming and blasting email messages.
▪ Download spyware, adware, and malicious files.
▪ Disable firewalls and antivirus.
▪ Create backdoors to gain remote access.
▪ Infect victim's PC as a proxy server for replaying attacks.
▪ Use victim's PC as a botnet to perform DDoS attacks.
▪ Steal information such as passwords, security codes, credit card information using keyloggers.

Types of Trojans
✓ VNC Trojan
✓ HTTP Trojan
✓ HTTPS Trojan
✓ ICMP Trojan
✓ FTP Trojan
✓ Data Hiding Trojan
✓ Destructive Trojan
✓ Botnet Trojan
✓ Proxy Server Trojan
✓ Remote Access Trojan
✓ Defacement Trojan
✓ E-banking Trojan
✓ Covert Channel Trojan
✓ Notification Trojan
✓ Mobicle Trojan
✓ Command Shell Trojan

7. Spareware
▪ Internet has changed how we talk, shop, play etc.
▪ It has even changed the way how the criminal target the people for ransom.
▪ While surfing the Internet, suddenly a pop-up alert appears in the screen which warns the
presence of dangerous virus, spywares, etc. in the user‟s computer.
▪ As a remedial measure, the message suggests the used download the full paid version of the
software.
▪ As the user proceeds to download, a malicious code, known as scareware is downloaded into
the host computer.
▪ It holds the host computer hostage until the ransom is paid.
▪ The malicious code can neither be uninstalled nor can the computer be used till the ransom is
paid.

Malware Analysis
▪ Malware analysis is the process of understanding the behavior and purpose of a suspicious file
or URL.
▪ The output of the analysis aids in the detection and mitigation of the potential threat.
▪ The key benefit of malware analysis is that it helps incident responders and security analysts:

126 Copy rights reserved for STL Academy

 Cyber Security

➢ Pragmatically triage incidents by level of severity

➢ Uncover hidden indicators of compromise (IOCs) that should be blocked
➢ Improve the efficacy of IOC alerts and notifications
➢ Enrich context when threat hunting

Types of Malware Analysis

Static Analysis
▪ Basic static analysis does not require that the code is actually run. Instead, static analysis
examines the file for signs of malicious intent.
▪ It can be useful to identify malicious infrastructure, libraries or packed files.
▪ Technical indicators are identified such as file names, hashes, strings such as IP addresses,
domains, and file header data can be used to determine whether that file is malicious.
▪ In addition, tools like disassemblers and network analyzers can be used to observe the malware
without actually running it in order to collect information on how the malware works.
▪ Since static analysis does not actually run the code, sophisticated malware can include malicious
runtime behavior that can go undetected.
▪ For example, if a file generates a string that then downloads a malicious file based upon the
dynamic string, it could go undetected by a basic static analysis. Enterprises have turned to
dynamic analysis for a more complete understanding of the behavior of the file.

Dynamic Analysis
▪ Dynamic malware analysis executes suspected malicious code in a safe environment called
a sandbox.
▪ This closed system enables security professionals to watch the malware in action without the risk
of letting it infect their system or escape into the enterprise network.
▪ Dynamic analysis provides threat hunters and incident responders with deeper visibility, allowing
them to uncover the true nature of a threat.
▪ As a secondary benefit, automated sandboxing eliminates the time it would take to reverse
engineer a file to discover the malicious code.
▪ The challenge with dynamic analysis is that adversaries are smart, and they know sandboxes are
out there, so they have become very good at detecting them.
▪ To deceive a sandbox, adversaries hide code inside them that may remain dormant until certain
conditions are met. Only then does the code run.

Hybrid Analysis
▪ Basic static analysis isn’t a reliable way to detect sophisticated malicious code, and sophisticated
malware can sometimes hide from the presence of sandbox technology.
▪ By combining basic and dynamic analysis techniques, hybrid analysis provide security team the
best of both approaches –primarily because it can detect malicious code that is trying to hide,
and then can extract many more indicators of compromise (IOCs) by statically and previously
unseen code.
▪ Hybrid analysis helps detect unknown threats, even those from the most sophisticated malware.

Malware Analysis Use Cases

➢ Malware Detection
➢ Threat Alerts and Triage
➢ Incident Response

Copy rights reserved for STL Academy 127

 Cyber Security

➢ Threat Hunting
➢ Malware Research

Stages of Malware Analysis

➢ Static Properties Analysis
➢ Interactive Behavior Analysis
➢ Fully Automated Analysis
➢ Manual Code Reversing

Malware Countermeasures
➢ Frequent deletion of stored cookies and temporary files from Web browsers.
➢ Regular scanning for viruses and other malware.
➢ Regular installation of updates and patches for operating systems.
➢ Refusing to click on links that appear within e-mail messages.

3.8 Sniffing
Sniffing Concepts
▪ Sniffing involves capturing, decoding, inspecting and interpreting the information inside a network
packet on a TCP/IP network.
▪ The purpose is to steal information, usually user IDs, passwords, network details, credit card
numbers, etc.
▪ Sniffing is generally referred to as a “passive” type of attack, wherein the attackers can be
silent/invisible on the network. This makes it difficult to detect, and hence it is a dangerous type
of attack.
▪ The sniffing process is used by hackers either to get information directly or to map the technical
details of the network in order to create a further attack.
▪ Hackers are always in favour of sniffing, because it can be done for a longer time without getting
caught.
▪ Sniffers get the job done by capturing and
inspecting the data “packets” traveling along a
network.
▪ Imagine internet traffic like real-world traffic: It’s like
a series of cars driving on a road, and it ebbs and
flows depending on a variety of factors.
▪ On the internet, each car is a packet, and the
people inside are the data it carries.
▪ Some sniffers are available as hardware appliances, often built directly into network devices such
as routers for convenient management. But in most cases, people opt for sniffing software over
hardware.

Types of Sniffing
▪ There are two main types of sniffing techniques: passive and active sniffing.
▪ The type of sniffing technique used depends on the structure of the network one is trying to sniff.
▪ Passive sniffing works with hubs, but if switches are involved, active sniffing is required.
➢ Sniffing
➢ Passive
➢ Active

128 Copy rights reserved for STL Academy

 Cyber Security

Passive Sniffing
▪ Hubs are simple networking devices that connect several devices together into a single network.
▪ There aren’t any regulatory mechanisms that steer traffic to its intended recipient; rather, all
devices receive all the traffic, and then determine whether or not that traffic is relevant.
▪ Because all devices in a hub receive all the network’s traffic, a sniffer can easily and passively
soak up everything that’s being sent.
▪ There’s nothing to actually do other than sit back and sniff. This makes passive sniffing very
difficult to detect. Not impossible, but difficult.

Active Sniffing
▪ In order to access all the traffic passing through the network, an active sniffer needs to get
around or overcome the way switches direct everything.
▪ There are a few different ways to accomplish this, but all of them involve injecting additional
traffic into the network.
▪ The upside for potential victims is that an active sniffer is easier to detect, because it gives its
own presence away.

Sniffing Tools and Techniques

▪ A sniffer is a software or hardware tool that allows the user to “sniff” or monitor your internet
traffic in real time, capturing all the data flowing to and from your computer.
▪ Sniffers are a type of networking tool that is able to inspect packets of data traveling through a
network.
▪ Sniffers may either be special software created to capture data packets or a physical hardware
device that is connected directly to a network.
▪ In the case of software sniffers, the sniffer must be installed on a computer that has access to the
target network.
▪ Data packets captured by sniffers are usually legitimate communications from end users,
however, there are times when a malicious actor may be lurking on the network.
▪ A hacker can utilize network sniffers to capture data that may potentially reveal usernames,
passwords, and other sensitive information.
▪ By using sniffers, network engineers can see what type of data is picked up by a sniffer and then
make any necessary changes to the network before a hacker can capture data.
▪ Packet Sniffing is the process of expanding monitors checks every packet that passes through
any network.
▪ Packet Sniffers will give network administrators the to monitor their networks and get insights into
that.
▪ You can detect the root cause of network issues, troubleshoot the networking issues, traffic
analyzing, the bandwidth of management, and network security and compliance to deal with it.
▪ Lists of some main Networking Sniffing Tools:
➢ Auvik
➢ SolarWinds Network Packet Sniffer
➢ Wireshark
➢ Paessler PRTG
➢ ManageEngine NetFlow Analyzer
➢ Tcpdump
➢ WinDump
➢ NetworkMiner
➢ BetterCAP

Copy rights reserved for STL Academy 129

 Cyber Security

➢ Ettercap
➢ OmniPeek
➢ Dsniff
➢ EtherApe
➢ MSN Sniffer
➢ NetWitness NextGen
➢ Colasoft Capsa
➢ Telerik Fiddler

Description of some tools are:

1. BetterCAP
▪ The BetterCAP tool is a very powerful, flexible, and portable best software tool created to
perform various types of MITM attacks against networks and manipulate its HTTP, HTTPS, and
TCP traffic in real-time, sniffing it for as well as credentials, and much more through it.

2. Ettercap
▪ Ettercap tool is a software comprehensively sharp tool suited for man-in-the-middle attacks for
networks.
▪ It has features as well as sniffing of live connections, content filtering.
▪ It supports active and passive dissection of many protocols and includes many features such as
the network and the host analysis.

3. Tcpdump
▪ The tcpdump tool is a well-known command-line packeting analyzer.
▪ It provides the ability to intercept and ability to observing TCP/IP and other packets during
transmission over the network.
▪ Available at www.tcpdump.org. thus, tcpdump captures all traffic on the specified networks via
libcap and then “dumps” it directly at your screen.

4. Wireshark
▪ The Wireshark tool is one of the most widely common software as known and uses packet
sniffers.
▪ It offers an unlimited number of features designed to implement and assist in the dissection and
analysis of traffic for it.
▪ The Wireshark packet sniffing tool is known for both its data capture and analysis capabilities.
▪ We can apply filters to limit the scope of data as well as Wireshark collecting through it, or simply
let it collect all traffic passing through your selected networks.

3.9 Social Engineering

Social Engineering Concepts
▪ Social engineering is a manipulation technique that exploits human error to gain private
information, access, or valuables.
▪ Social engineering is the term used for a broad range of malicious activities accomplished
through human interactions.
▪ It uses psychological manipulation to trick users into making security mistakes or giving away
sensitive information.

130 Copy rights reserved for STL Academy

 Cyber Security

Social Engineering
▪ Scams based on social engineering are built around how people think and act.
▪ As such, social engineering attacks are especially useful for manipulating a user’s behavior.
▪ Once an attacker understands what motivates a user’s actions, they can deceive and manipulate
the user effectively.
▪ In addition, hackers try to exploit a user's lack of knowledge.

Social Engineering Life Cycle

▪ A perpetrator first investigates the intended victim to gather necessary background information,
such as potential points of entry and weak security protocols, needed to proceed with the attack.
▪ Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that
break security practices, such as revealing sensitive information or granting access to critical
resources.

Social Engineering Attack Techniques

Baiting
▪ As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity.
▪ They lure users into a trap that steals their personal information or inflicts their systems with
malware.
▪ The most reviled form of baiting uses physical media to disperse malware.
▪ For example, attackers leave the bait typically malware-infected flash drives in conspicuous
areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot
of a targeted company).
▪ The bait has an authentic look to it, such as a label presenting it as the company’s payroll list.
▪ Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in
automatic malware installation on the system.

Scareware
▪ Scareware involves victims being bombarded with false alarms and fictitious threats.
▪ Users are deceived to think their system is infected with malware, prompting them to install
software that has no real benefit (other than for the perpetrator) or is malware itself.
▪ Scareware is also referred to as deception software, rogue scanner software and fraudware.

Copy rights reserved for STL Academy 131

 Cyber Security

▪ A common scareware example is the legitimate-looking popup banners appearing in your

browser while surfing the web, displaying such text such as, “Your computer may be infected
with harmful spyware programs.”
▪ It either offers to install the tool (often malware-infected) for you, or will direct you to a malicious
site where your computer becomes infected.
▪ Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for
users to buy worthless/harmful services.

Pretexting
▪ Here an attacker obtains information through a series of cleverly crafted lies.
▪ The scam is often initiated by a perpetrator pretending to need sensitive information from a victim
so as to perform a critical task.
▪ The attacker usually starts by establishing trust with their victim by impersonating co-workers,
police, bank and tax officials, or other persons who have right-to-know authority.
▪ The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through
which they gather important personal data.
▪ All sorts of pertinent information and records is gathered using this scam, such as social security
numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank
records and even security information related to a physical plant.

Phishing
▪ Phishing scams are email and text message campaigns aimed at creating a sense of urgency,
curiosity or fear in victims.
▪ It then prods them into revealing sensitive information, clicking on links to malicious websites, or
opening attachments that contain malware.
▪ An example is an email sent to users of an online service that alerts them of a policy violation
requiring immediate action on their part, such as a required password change. It includes a link
to an illegitimate website nearly identical in appearance to its legitimate version prompting the
unsuspecting user to enter their current credentials and new password. Upon form submittal the
information is sent to the attacker.

Spear Phishing
▪ This is a more targeted version of the phishing scam whereby an attacker chooses specific
individuals or enterprises.
▪ They then tailor their messages based on characteristics, job positions, and contacts belonging
to their victims to make their attack less conspicuous.
▪ Spear phishing requires much more effort on behalf of the perpetrator and may take weeks and
months to pull off.
▪ They’re much harder to detect and have better success rates if done skillfully.
▪ A spear phishing scenario might involve an attacker who, in impersonating an organization’s IT
consultant, sends an email to one or more employees.
▪ It’s worded and signed exactly as the consultant normally does, thereby deceiving recipients into
thinking it’s an authentic message.
▪ The message prompts recipients to change their password and provides them with a link that
redirects them to a malicious page where the attacker now captures their credentials.

132 Copy rights reserved for STL Academy

 Cyber Security

Social Engineering Countermeasures

➢ Don’t open emails and attachments from suspicious sources
➢ Use multifactor authentication
➢ Be wary of tempting offers
➢ Keep your antivirus/antimalware software updated

Social Engineering Pen Testing

▪ Social engineering penetration testing focuses on people and processes and the vulnerabilities
associated with them.
▪ These pen tests typically consist of an ethical hacker conducting different social engineering
attacks such as phishing, USB drops, or impersonation that a person could face during the
course of their work.
▪ The goal of this test is to identify weaknesses in a person, group of people, or process and
identify vulnerabilities with a clear path to remediation.

Types

Steps
▪ There are four main steps to performing a social engineering penetration test including:
➢ Test planning and scoping
➢ Attack vector identification
➢ Penetration attempts
➢ Reporting

Step 1: Test Planning and Scoping

▪ During this step, you will identify what is in scope and how the test will be performed.
▪ This typically requires a meeting between management and the personnel performing the test.
▪ You want to keep the number of people involved in this meeting to a minimum to prevent the
number of people that know about the test.
▪ While scoping out the test you will want to include all methods and attacks that you plan to use.
▪ For example, if you want to tailgate or impersonate employees or delivery personnel, that needs
to be in the scope. From the scope, you will be able to write a clear contract that is agreed on by
all parties involved. The contract is key to a penetration test.

Step 2: Attack Vector Identification

▪ This step of the pen test will involve the tester identifying all of the methods that they will use
during the test.

Copy rights reserved for STL Academy 133

 Cyber Security

▪ For Example:
▪ Security guards will be tested using a tailgating test. This test will involve the tester closely
monitoring employees as they enter the building and entering the building, or secure area, while
a high volume of people are entering.
▪ Personnel in accounting will be tested using a phishing test. This test will involve sending an
accountant a phishing email that spoofs the Chief Executive Office and will request the last
month’s expense report for review.
▪ An employee in IT will be tested using an impersonation test. This test will involve a member of
the pen test requesting a password reset for an employee in the account receivable department.

Step 3: Penetration Attempts

▪ During this step of the pen test the tester will take all of the listed attack vectors from the previous
step and execute those tests.
▪ Documentation is key in this step as these tests will later become supporting evidence for the
report.
▪ The type of evidence you should collect is:
➢ Recorded Phone Calls
➢ Emails From Phishing Attacks

Step 4: Reporting
▪ The reporting step of a pen test is where you bring all of the results in together. While writing the
report remember who your audience is.
▪ In most cases, the audience is senior management and your report should speak to them.
▪ Make sure to address all of their initial concerns discussed at the inception of the test as well as
all of the vulnerabilities you found during the test.
▪ In the report, you should not only mention the vulnerabilities found, but you should also provide
recommendations for how to mitigate the vulnerabilities.
▪ A typical pen testing report consists of:
1. An executive summary
2. A walkthrough of technical risks found
3. The potential impact of the vulnerabilities found
4. The remediation options available for each vulnerability found
5. Your concluding thoughts of the pen test
6. Vulnerability Elimination

3.10 Denial-of-Service
Denial-of-Service (DoS)
▪ Denial of service (DoS) is a type of cyber attack designed to disable, shut down or disrupt a
network, website or service.
▪ Typically, a malware is used to interrupt or inhibit the normal flow of data into and out of a system
to render the target useless or inaccessible for a certain period.
▪ An example of a DoS attack: when a website is accessed massively and repeatedly from
different locations, preventing legitimate visitors from accessing the website.

134 Copy rights reserved for STL Academy

 Cyber Security

Distributed Denial-of-Service (DDoS)

▪ When a DoS attack is launched from different locations in a coordinated fashion, it is often
referred to as a distributed denial of service attack (DDoS).

▪ A DDoS attack is launched from numerous compromised devices, often distributed globally in
what is referred to as a botnet.
▪ It is distinct from other denial of service (DoS) attacks, in that it uses a single Internet-connected
device (one network connection) to flood a target with malicious traffic.
▪ This nuance is the main reason for the existence of these two, somewhat different, definitions.

Types of DDoS Attacks

▪ Other basic types of DoS attacks involve:
▪ Flooding a network with useless activity so that genuine traffic cannot get through. The TCP/IP
SYN and smurf attacks are two common examples.
▪ Remotely overloading a system’s CPU so that valid requests cannot be processed.

Copy rights reserved for STL Academy 135

 Cyber Security

▪ Changing permissions or breaking authorization logic to prevent users from logging into a
system.
▪ One common example involves triggering a rapid series of false login attempts that lockout
accounts from being able to log in.
▪ Deleting or interfering with specific critical applications or services to prevent their normal
operation (even if the system and network overall are functional).

➢ UDP Flood
➢ ICMP (Ping) Flood
➢ SYN Flood
➢ Ping of Death
➢ Slowloris
➢ NTP Amplification
➢ HTTP Flood

DDoS Techniques
➢ DoS/DDoS Attacks
➢ Volume Based Attacks
➢ Protocol Attacks
➢ Application Layer Attacks

Volume Based Attacks

▪ Includes UDP floods, ICMP floods, and other spoofed-packet floods.
▪ The attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in
bits per second (Bps).

Protocol Attacks
▪ Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more.
▪ This type of attack consumes actual server resources, or those of intermediate communication
equipment, such as firewalls and load balancers, and is measured in packets per second (Pps).

Application Layer Attacks

▪ Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or
OpenBSD vulnerabilities and more.
▪ Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash
the web server, and the magnitude is measured in Requests per second (Rps).

Application Layer Attacks

▪ Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or
OpenBSD vulnerabilities and more.

136 Copy rights reserved for STL Academy

 Cyber Security

▪ Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash
the web server, and the magnitude is measured in Requests per second (Rps).

DDoS Case Study

The Google Attack, 2020
▪ On October 16, 2020, Google’s Threat Analysis Group (TAG) posted a blog update concerning
how the threats and threat actors are changing their tactics due to the 2020 U.S. election. At the
end of the post, the company snuck in a note:
▪ in 2020, our Security Reliability Engineering team measured a record-breaking UDP amplification
attack sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394), which remains
the largest bandwidth attack of which we are aware.
▪ Mounted from three Chinese ISPs, the attack on thousands of Google’s IP addresses lasted for
six months and peaked at a breath-taking 2.5Tbps! Damian Menscher, a Security Reliability
Engineer at Google, wrote:
▪ The attacker used several networks to spoof 167 Mpps (millions of packets per second) to
180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to
us.
▪ This demonstrates the volumes a well-resourced attacker can achieve: This was four times larger
than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier.

The AWS DDoS Attack, 2020

▪ Amazon Web Services, the 800-pound gorilla of everything cloud computing, was hit by a
gigantic DDoS attack in February 2020.
▪ This was the most extreme recent DDoS attack ever and it targeted an unidentified AWS
customer using a technique called Connectionless Lightweight Directory Access Protocol
(CLDAP) reflection.
▪ This technique relies on vulnerable third-party CLDAP servers and amplifies the amount of data
sent to the victim’s IP address by 56 to 70 times.
▪ The attack lasted for three days and peaked at an astounding 2.3 terabytes per second.

Why the AWS Attack Matters:

▪ While the disruption caused by the AWS DDoS Attack was far less severe than it could have
been, the sheer scale of the attack and the implications for AWS hosting customers potentially
losing revenue and suffering brand damage are significant.

DDoS Penetration Testing

What Tools are used for DoS and DDoS Tests?
HPING3
▪ This is an open-source tool for crafting packets.
▪ The program allows you to set packet type and the rate at which the packets will be sent to the
server.
▪ Overall, this is a terrific program for simulating DOS attacks, testing firewalls, conducting OS
fingerprinting, network testing, port scanning, uptime guessing, etc.

GOLDENEYE
▪ GoldenEye is another piece of open-source DDOS attack testing software.

Copy rights reserved for STL Academy 137

 Cyber Security

▪ The application is based on HULK but it differs from its predecessor significantly, as it doesn’t
just send packets to the server, it also simulates the users staying connected to the server.
▪ This program is perfect for carrying out stress tests on networks and applications.

HULK
▪ HULK or Http Unbearable Load King is a program created by cybersecurity expert Barry
Shteiman.
▪ This tool effectively finds its way around caching and attacks the server directly with unique
packets.
▪ Unlike many other DDOS testing tools that utilize a predictable pattern when sending the
packets, making the attack easier to detect and stop, HULK makes each request unique.
▪ This tool also allows you to carry out the simulated attack safely with the ability to control and
stop it at any time.

Prevention of DDoS Attacks

▪ If only a few computers are the source of the attack and you have identified the IP addresses for
those sources, you place an ACL (access control list) on the firewall server to block these access
from those IPs. If possible, change the IP address of the web server for a period of time, but if
the attacker resolves your newly configured IP by querying your DNS server, this is no longer
valid.
▪ If you are sure that the attack comes from a particular country, consider blocking the IP from that
country, at least for a while.
▪ Monitoring the incoming network traffic. In this way you can know who is visiting your network
and can monitor the exception to the visitor, which can analyze the log and source IP
afterwards. Before a large-scale attack, an attacker could use a small number of attacks to test
the robustness of your network.
▪ The most effective (and expensive) solution for bandwidth-consuming attacks is to buy more
bandwidth.
▪ You can also use high-performance load balancing software, the use of multiple servers, and
deployed in different data centers.
▪ The use of load balancing for web and other resources, while also using the same strategy to
protect DNS.
▪ Optimize the use of resources to improve web server load capacity. For example, the use of
apache can install apachebooster plug-in, the plug-in and varnish and nginx integration, you can
deal with the sudden increase in traffic and memory footprint.
▪ The use of highly scalable DNS devices to protect DDOS attacks against DNS. Consider the
commercial solution for Cloudflare, which can provide DDOS attack protection for DNS or TCP/IP
from layer 3 to layer 7.
▪ Enable the router or firewall anti-IP spoofing function. CISCO ASA firewall in the configuration of
the function than in the router more convenient. Enable this feature in ASDM (Cisco Adaptive
Security Device Manager) by clicking “Firewall” in “Configuration”, finding “anti-spoofing” and
clicking Enable. You can also use the ACL (access control list) in the router to prevent IP
spoofing, first for the network to create ACL, and then applied to the Internet interface.
▪ The use of third-party services to protect your site. There are many companies have such
services, providing high-performance basic network facilities to help you resist denial of service
attacks. You only need to pay hundreds of dollars a month on the line.
▪ Pay attention to the security configuration of the server, to avoid resource exhaustion DDOS
attacks.

138 Copy rights reserved for STL Academy

 Cyber Security

▪ Listen to the views of experts, for the attack in advance to respond to the emergency program.
▪ Monitoring the network and web traffic. If it is possible to configure multiple analysis tools, such
as Statcounter and Google analytics, you can more visually understand the pattern of traffic
changes and get more information from it.
▪ To protect DNS to avoid DNS amplification attacks.
▪ Disable ICMP on the router. Open ICMP only when testing is required. The following strategies
are also considered when configuring the router: flow control, packet filtering, half-connection
timeout, garbage packet discard, source forged packet drop, SYN threshold, disable ICMP and
UDP broadcast.

3.11 Session Hijacking

▪ Session hijacking, also known as TCP session hijacking, is a method of taking over a web user
session by surreptitiously obtaining the session ID and masquerading as the authorized user.
▪ Once the user's session ID has been accessed, the attacker can masquerade as that user and
do anything the user is authorized to do on the network.

▪ A byproduct of this type of attack is the ability to gain access to a server without having to
authenticate to it.
▪ Once the attacker hijacks a session, they no longer have to worry about authenticating to the
server as long as the communication session remains active.
▪ The attacker enjoys the same server access as the compromised user because the user has
already authenticated to the server prior to the attack.

Types of Session Hijacking

Active Session Hijacking

▪ An Active Session Hijacking occurs when the attacker takes control over the active session.
▪ The actual user of the network becomes in offline mode, and the attacker acts as the authorized
user.
▪ They can also take control over the communication between the client and the server.

Copy rights reserved for STL Academy 139

 Cyber Security

▪ To cause an interrupt in the communication between client and server, the attackers send
massive traffic to attack a valid session and cause a denial of service attack(DoS).

Passive Session Hijacking

▪ In Passive Session Hijacking, instead of controlling the overall session of a network of targeted
user, the attacker monitors the communication between a user and a server.
▪ The main motive of the hacker is to listen to all the data and record it for the future use.
▪ Basically, it steals the exchanged information and use for irrelevant activity.
▪ This is also a kind of man-in-middle attack (as the attacker is in between the client and the server
exchanging information.

Hybrid Hijacking
▪ The combination of Active Session Hijacking and Passive Session Hijacking is referred to as
Hybrid Hijacking.
▪ In this the attackers monitors the communication channel (the network traffic), whenever they
find the issue, they take over the control on the web session and fulfill their malicious tasks.

Methods of Session Hijacking

Brute-forcing the Session ID
▪ As the name suggests, the attack user uses guessing and trial method to find Session ID
depending on its length.
▪ This is due to lack of security and shorter length.
▪ The introduction of a strong and long session key made this method increase in a slow rate.

Cross-Site Scripting (XSS) or Misdirected Trust

▪ In Cross-Site-Scripting, the attacker tries to find out the flaws and the weak point in the web
server and injects its code into that.
▪ This activity of the attacker will help the attacker to find out the Session ID.

Man-in-the-browser
▪ Man-in-the-browser uses a Trojan Horse (program that uses malicious code) to perform its
required action.
▪ The attacker puts themselves in the communication channel of a server and a client.
▪ The main purpose of performing this attacks by the attacker is to cause financial fraud.

Malware infections
▪ In Malware Infections, attacker can deceive the user to open a link that is a malware or Trojans
program which will install the malicious software in the device.
▪ These are programmed to steal the browser cookies without the user’s knowledge.

Session Fixation
▪ Attackers create a duplicate or another disguised session in Session Fixation.
▪ It simply motivates or trick the user into authenticating the vulnerable server.
▪ This can be done by sending an email to the user, which on clicking directs to the attacker
session.
Session side-jacking
▪ In Session side-jacking, the attackers tries to get access over a session using the network traffic.

140 Copy rights reserved for STL Academy

 Cyber Security

▪ This becomes easy when the user is using an insecure Wi-Fi. The reading of network traffic and
stealing of session cookie is done by packet sniffing.

Session Hijacking Tools

▪ List of session hijacking tools:
➢ Burp Suite
➢ Ettercap
➢ OWASP ZAP
➢ BetterCAP
➢ netool toolkit
➢ WebSploit Framework
➢ sslstrip
➢ JHijack
➢ Cookie Cadger
➢ CookieCatcher
➢ hamster
➢ Firesheep

Session Hijacking Countermeasures

Use strong passwords and multifactor authentication
▪ These techniques protect accounts from being accessed by hackers if they manage to steal a
user’s session ID (Alkove, 2021).

Only share session IDs with trusted sources

▪ Be careful when sharing links or sending requests to websites, as these may include session
IDs.

Use a VPN
▪ A VPN helps prevent attackers from intercepting traffic, making it more difficult for them to steal
session IDs (McCann & Hardy, 2022).

Keep software up to date

▪ Make sure to keep operating systems and software up to date with the latest security patches to
prevent attackers from exploiting vulnerabilities to access users’ sessions.

Take cybersecurity training

▪ Cybersecurity threats are constantly evolving, so it’s essential to stay informed on the latest
attack techniques and how to prevent them. Consider getting certified in various cybersecurity
domains, including ethical hacking, incident handling, and penetration testing.

Session Hijacking Pen Testing

▪ The testing strategy is targeted at network attackers, hence it only needs to be applied to sites
without full HSTS adoption (sites with full HSTS adoption are secure, since their cookies are not
communicated over HTTP).
▪ We assume to have two testing accounts on the website under test, one to act as the victim and
one to act as the attacker.

Copy rights reserved for STL Academy 141

 Cyber Security

▪ We simulate a scenario where the attacker steals all the cookies which are not protected against
disclosure over HTTP, and presents them to the website to access the victim’s account.
▪ If these cookies are enough to act on the victim’s behalf, session hijacking is possible.
▪ Here are the steps for executing this test:
1. Login to the website as the victim and reach any page offering a secure function requiring
authentication.
2. Delete from the cookie jar all the cookies which satisfy any of the following conditions.
➢ in case there is no HSTS adoption: the SECURE attribute is set.
➢ in case there is partial HSTS adoption: the SECURE attribute is set or the DOMAIN
attribute is not set.
3. Save a snapshot of the cookie jar.
4. Trigger the secure function identified at step 1.
5. Observe whether the operation at step 4 has been performed successfully. If so, the attack
was successful.
6. Clear the cookie jar, login as the attacker and reach the page at step 1.
7. Write in the cookie jar, one by one, the cookies saved at step 3.
8. Trigger again the secure function identified at step 1.
9. Clear the cookie jar and login again as the victim.
10. Observe whether the operation at step 8 has been performed successfully in the victim’s
account. If so, the attack was successful; otherwise, the site is secure against session
hijacking.
▪ It is recommend to use two different machines or browsers for the victim and the attacker.
▪ This allows you to decrease the number of false positives if the web application does
fingerprinting to verify access enabled from a given cookie.
▪ A shorter but less precise variant of the testing strategy only requires one testing account. It
follows the same pattern, but it halts at step 5 (note that this makes step 3 useless).

3.12 Evading IDS, Firewalls, and Honeypots

What are Firewalls?
▪ A firewall is software or firmware that prevents unauthorized access to a network.
▪ It inspects incoming and outgoing traffic using a set of rules to identify and block threats.
▪ Firewalls are used in both personal and enterprise settings, and many devices come with one
built-in, including Mac, Windows, and Linux computers.
▪ They are widely considered an essential component of network security.

▪ Firewalls are used in both corporate and consumer settings.

142 Copy rights reserved for STL Academy

 Cyber Security

▪ Modern organizations incorporate them into a security information and event management
(SIEM) strategy along with other cybersecurity devices.
▪ They may be installed at an organization's network perimeter to guard against external threats, or
within the network to create segmentation and guard against insider threats.
▪ In addition to immediate threat defense, firewalls perform important logging and audit functions.
▪ They keep a record of events, which can be used by administrators to identify patterns and
improve rule sets.
▪ Rules should be updated regularly to keep up with ever-evolving cybersecurity threats.
▪ Vendors discover new threats and develop patches to cover them as soon as possible.
▪ In a single home network, a firewall can filter traffic and alert the user to intrusions.
▪ They are especially useful for always-on connections, like Digital Subscriber Line (DSL) or cable
modem, because those connection types use static IP addresses.
▪ They are often used alongside to antivirus applications.
▪ Personal firewalls, unlike corporate ones, are usually a single product as opposed to a collection
of various products.
▪ They may be software or a device with firewall firmware embedded.
▪ Hardware/firmware firewalls are often used for setting restrictions between in-home devices.

What are Honeypots?

▪ Honeypots are decoy systems or servers deployed alongside production systems within a
network.
▪ When deployed as enticing targets for attackers, honeypots can add security monitoring
opportunities for blue teams and misdirect the adversary from their true target.

▪ Honeypots come in a variety of complexities

depending on the needs of the organization
and can be a significant line of defense
when it comes to flagging attacks early.
▪ There are many applications and use cases
for honeypots, as they work to divert
malicious traffic away from important
systems, get an early warning of a current
attack before critical systems are hit, and
gather information about attackers and their
methods.

Copy rights reserved for STL Academy 143

 Cyber Security

▪ If the honeypots don’t actually contain confidential data and are well-monitored, one can get
insight on attacker tools, tactics, and procedures (TTPs) and gather forensic and legal evidence
without putting the rest of the network at risk.

▪ For a honeypot to work, the system should appear to be legitimate.

▪ It should run processes a production
system is expected to run, and
contain seemingly important dummy
files.
▪ The honeypot can be any system
that has been set up with proper
sniffing and logging capabilities.
▪ It’s also a good idea to place a
honeypot behind your corporate
firewall not only does it provide
important logging and alerting capabilities, but you can block outgoing traffic so that a
compromised honeypot cannot be used to pivot toward other internal assets.

There are two types of honeypots:

➢ Research Honeypots
➢ Production honeypots
▪ Research honeypots gather
information about attacks and are
used specifically for studying
malicious behavior out in the wild.
▪ Looking at both your environment
and the wider world, they gather
information about attacker trends,
malware strains, and vulnerabilities
that are actively being targeted by
adversaries.
▪ This can inform your preventative defenses, patch prioritization, and future investments.

144 Copy rights reserved for STL Academy

 Cyber Security

Intrusion Detection System (IDS)

▪ An intrusion detection system is a
device or software application that
monitors a network or systems for
malicious activity or policy
violations.
▪ Any intrusion activity or violation is
typically reported either to an
administrator or collected centrally
using a security information and
event management system.
▪ An IDS and firewall are the
security mechanisms intended to
prevent an unauthorized person
from accessing a network. However, even IDS and firewalls have some security limitations.
▪ Firewalls and IDS intend to avoid malicious traffic from entering into a network but certain
techniques can be used to send intended packets to the target and evade IDS/Firewalls.

How to Detect and Evade Firewalls?

Packet Fragmentation
▪ Send fragmented probe packets to the intended target, which re-assembles it after receiving all
the fragments.

Source Port Manipulation

▪ Manipulate the actual source port with the common source port to evade IDS/firewall.

Copy rights reserved for STL Academy 145

 Cyber Security

IP address spoofing /Decoy IP

▪ Generate or manually specify the IP address of the decoy so that the IDS/firewall cannot
determine the actual IP.

How to Evade Firewalls - Mock

▪ Create custom packets: Send custom packets to scan the intended target beyond the firewalls.
▪ Spoofing MAC address: Spoofing the MAC address to hide the actual identity
▪ Lab requirements: Windows 7/10/11, Linux machine (Kali/ubuntu/Parrot)
▪ To set up the lab one needs to turn on Windows Defender Firewall. Navigate to control panel ->
system and security-> windows defender firewall -> Turn windows defender firewall on or
off, enable defender and click ok

How to Detect and Evade Honeypots?

▪ Attackers can also defeat honeypots by using multi-proxies (TORs) and hiding their
conversations using encryption and steganography techniques.

146 Copy rights reserved for STL Academy

 Cyber Security

How to Detect Honeypots?

Detecting Honeypots Running on VMware
▪ Attackers can detect instances that are running on the VMWare virtual machine by analyzing the
MAC address.
▪ Referring to IEEE standards for the current range of MAC addresses assigned to VMWare Inc.,
an attacker can identify the presence of VMWare-based honeypots.

Detecting the presence of Honeyd Honeypot

▪ Honeyd is a simulator honeypot engine that can create thousands of honeypots easily.
▪ The honeyd would respond to received SMTP requests with fake responses.
▪ An attacker can identify the presence of honeyd honeypot by performing time-based TCP
fingerprinting methods.

Detecting the presence of User-Mode Linux (UML) Honeypot

▪ Attackers can identify the presence of UML honeypots by analyzing files such as /proc/mounts,
/proc/interrupts, and /proc/cmdline, which contain UML-specific information.

Detecting the presence of Sebek-based Honeypots

▪ Attackers can detect the existence of Sebek-based honeypots by analyzing the congestion in the
network layer, as Sebek data communication is usually unencrypted.
▪ Sebek logs everything that is accessed via reading () call before transferring to the network, it
causes the congestion effect.

Detecting the presence of Snort_inline Honeypot

▪ Attackers can identify these honeypots by analyzing the outgoing packets.
▪ If an outgoing packet is dropped, it might look like a black hole to an attacker.
▪ When the snort_inline modifies an outgoing packet, the attacker can capture the modified packet
through another host system and identify the packet modification.

Detecting the presence of Fake AP

▪ Fake access points send only beacon frames but do not produce any traffic on the access points,
and an attacker can detect and monitor the network traffic and quickly note the presence of fake
AP.

3.13 Hacking Web Servers

What are Web Servers?
▪ The term web server can refer to hardware or software, or both of them working together.
▪ On the hardware side, a web server is a computer that stores web server software and a
website's component files (for example, HTML documents, images, CSS stylesheets, and
JavaScript files).
▪ A web server connects to the Internet and supports physical data interchange with other devices
connected to the web.
▪ On the software side, a web server includes several parts that control how web users access
hosted files.
▪ At a minimum, this is an HTTP server.
▪ An HTTP server is software that understands URLs (web addresses) and HTTP (the protocol
your browser uses to view webpages).

Copy rights reserved for STL Academy 147

 Cyber Security

▪ An HTTP server can be accessed through the domain names of the websites it stores, and it
delivers the content of these hosted websites to the end user's device.
▪ Whenever a browser needs a file that is hosted on a web server, the browser requests the file via
HTTP.
▪ When the request reaches the correct
(hardware) web server, the (software)
HTTP server accepts the request, finds
the requested document, and sends it
back to the browser, also through
HTTP. (If the server doesn't find the
requested document, it returns a 404
response instead.)
To publish a website, you need either a static or a dynamic web server.
▪ A static web server, or stack, consists of a computer (hardware) with an HTTP server
(software). We call it "static" because the server sends its hosted files as-is to your browser.
▪ A dynamic web server consists of a static
web server plus extra software, most
commonly an application server and a
database. We call it "dynamic" because the
application server updates the hosted files
before sending content to your browser via
the HTTP server.
▪ For example, to produce the final
webpages you see in the browser, the
application server might fill an HTML
template with content from a database.
▪ Sites like MDN or Wikipedia have
thousands of webpages. Typically, these kinds of sites are composed of only a few HTML
templates and a giant database, rather than thousands of static HTML documents.

Server Attack Techniques

▪ Web Server Attacks include many techniques. Some of them are provided below:
Dos/DDoS
▪ Denial of Service where an attacker attacks by sending numerous service request packets
overwhelming the servicing capability of the web server, resulting in crashing and unavailability
for the users.

148 Copy rights reserved for STL Academy

 Cyber Security

DNS Server Hijacking

▪ DNS Server Hijacking, is also known as DNS redirection, where an attacker modifies DNS
configurations.
▪ DNS redirection's primary use is pharming, where attackers display unwanted ads to generate
some revenue, and Phishing, where attackers show fake websites to steal credentials.

DNS Amplification Attack

▪ A DNS Amplification Attack happens when an attacker spoofs the lookup request to the DNS
Server with the DNS recursive method.
▪ The size of the requests results in a Denial of Service attack.

Copy rights reserved for STL Academy 149

 Cyber Security

Directory Traversal Attacks

▪ Directory traversal, also is known as Path
Traversal, is an HTTP attack that allows
attackers to access restricted directories
and reveal sensitive information about the
system using dot and slash sequences.

Man in the Middle Attack

▪ A Man in the Middle / Sniffing attack
happens when an attacker positions
himself between a user and the
application to sniff the packets.
▪ The attacker's goal is to steal sensitive
information such as login credentials,
credit card details, etc.

Phishing Attacks
▪ A Phishing attack is a social engineering attack to obtain sensitive, confidential information such
as usernames, passwords, credit card numbers, etc.
▪ It is a practice of fraudulent attempts that appear to come from a reputable source.
▪ Scammers mostly use emails and text messages to trick you in a phishing attack.

150 Copy rights reserved for STL Academy

 Cyber Security

Website Defacement
▪ Website Defacement is an attack where an attacker changes the website/web page's visual
appearance with their messages.
▪ SQL injection attack is mainly used in web defacement.
▪ An attacker can add SQL strings to craft a query maliciously and exploit the webserver.

Web Server Misconfiguration

▪ Web Server Misconfiguration is when
unnecessary services are enabled, and
default configurations are being used.
▪ The attacker may identify weaknesses in
terms of remote functions or default
certifications, and can exploit them.
▪ An attacker can easily compromise
systems by some attacks such as SQL
Injection, Command Injection.

HTTP Response Splitting Attacks

▪ HTTP Response Splitting is a straightforward attack when the attacker sends a splitting request
to the server, which results in the splitting of a response into two responses by the server.
▪ The second response is in the hand of the attacker and is easily redirected to the malicious
website.

Copy rights reserved for STL Academy 151

 Cyber Security

Web Cache Poisoning

▪ A web cache is an information technology for storing web documents such as web pages,
passwords and images temporarily.
▪ Web Cache Poisoning is a technique where the attacker sends fake entry requests to the server,
wipes out all the server's actual caches and redirects the user to the malicious website.

SSH Brute Force Attacks

▪ Brute force is where an attacker uses trial and error to guess login info by submitting many
passwords or paraphrases.
▪ In an SSH Brute force attack, the intruder brute forces the SSH tunnel to use an encrypted
tunnel.
▪ The encrypted tunnel is for communicating between the hosts. Hence, the attacker gains
unauthorized access to the tunnel.

Web Server Password Cracking Attacks

▪ In this attack, the attacker cracks the server password and uses it to perform more attacks.
▪ Some of the common password cracking tools are Hydra, John the Ripper, Hashcat, Aircrack,
etc.

152 Copy rights reserved for STL Academy

 Cyber Security

Attacking Web Servers - Methodology

Information Gathering
▪ Information Gathering is a process
of gathering different information
about the victim/target by using
various platforms such as Social
engineering, internet surfing, etc.

Footprinting
▪ An attacker uses passive methods
to find information about the victim
before performing an attack.
▪ The attacker keeps minimum
interactions with the victim to
avoid detection and alerting the target of the attack.
▪ Footprinting can quickly reveal the vulnerabilities of the target system and can exploit them.
▪ There are various methods to gather information such as Whois, Google Searching, Operating
system detection, network enumeration, etc.

Web Server Footprinting

▪ In webserver footprinting, information is gathered using some specific tools that are focused on
web servers such as Maltego, httprecon, Nessus, etc. resulting in details like operating system,
running services, type, applications, etc.

Tools for Hacking

▪ Some of the common web server attack tools include

Metasploit
▪ This is an open source tool for developing, testing and using exploit code.
▪ It can be used to discover vulnerabilities in web servers and write exploits that can be used to
compromise the server.

Copy rights reserved for STL Academy 153

 Cyber Security

Mpack
▪ This is a web exploitation tool.
▪ It was written in PHP and is backed by MySQL as the database engine.
▪ Once a web server has been compromised using MPack, all traffic to it is redirected to malicious
download websites.

Zeus
▪ This tool can be used to turn a compromised computer into a bot or zombie.
▪ A bot is a compromised computer which is used to perform internet-based attacks.
▪ A botnet is a collection of compromised computers.
▪ The botnet can then be used in a denial of service attack or sending spam mails.

Countermeasures for Hacking Prevention

▪ An organization can adopt the following policy to protect itself against web server attacks.

Patch management
▪ This involves installing patches to help secure the server.
▪ A patch is an update that fixes a bug in the software.
▪ The patches can be applied to the operating system and the web server system.

▪ An organization can adopt the following policy to protect itself against web server attacks.
▪ Secure installation and configuration of the operating system

154 Copy rights reserved for STL Academy

 Cyber Security

▪ Secure installation and configuration of the web server software

▪ An organization can adopt the following policy to protect itself against web server attacks.

Vulnerability scanning system

▪ These include tools such as Snort, NMap, Scanner Access Now Easy (SANE)

▪ An organization can adopt the following policy to protect itself against web server attacks.
▪ Firewalls can be used to stop simple DoS attacks by blocking all traffic coming the identify
source IP addresses of the attacker.
▪ Antivirus software can be used to remove malicious software on the server
▪ An organization can adopt the following policy to protect itself against web server attacks.
▪ Disabling Remote Administration
▪ Default accounts and unused accounts must be removed from the system
▪ Default ports & settings (like FTP at port 21) should be changed to custom port & settings (FTP
port at 5069)

Copy rights reserved for STL Academy 155

 Cyber Security

Web Server Penetration Testing

▪ Web server pentesting performing under 3 major category which is identity, Analyse, Report
Vulnerabilities such as authentication weakness, configuration errors, protocol Relation
vulnerabilities.
1. “Conduct a serial of methodical and Repeatable tests “ is the best way to test the web
server along with this to work through all of the different application Vulnerabilities.
2. “Collecting as Much as Information” about an organization Ranging from operation
environment is the main area to concentrate on the initial stage of web server Pen testing.
3. Performing web server Authentication Testing, use Social engineering techniques to collect
the information about the Human Resources, Contact Details, and other Social Related
information.
4. Gathering Information about Target,
use whois database query tools to get
the Details such as Domain name, IP
address, Administrative Details,
autonomous system number, DNS etc.
5. Fingerprint webserver to gather
information such as server name,
server type, operating systems, an
application running on the server etc
use fingerprint scanning tools such
as, Netcraft, HTTPrecon, ID Serve.
6. Crawel Website to gather Specific
information from web pages, such as
email addresses.
7. Enumerate web server Directories to
extract important information
about web functionalities, login forms etc.
8. Perform Directory traversal Attack to access Restricted Directories and execute the
command from outside of the Web server root directories.
9. Performing vulnerability scanning to identify the weakness in the network use the
vulnerability scanning tools such as HPwebinspect, Nessus . and determine if the system
can be exploited.
10. Perform we cache poisoning attack to force the web server’s cache to flush its actual cache
content and send a specifically crafted request which will be stored in the cache.
11. Performing HTTP response splitting attack to pass malicious data to a vulnerable application
that includes the data in an HTTP response header.

156 Copy rights reserved for STL Academy

 Cyber Security

12. Bruteforce SSH,FTP, and other services login credentials to gain unauthorized access.
13. Perform session hijacking to capture valid session cookies and ID’s,use tools such
as Burb suite , Firesheep ,jhijack to automated session hijacking.
14. Performing a MITM attack to access sensitive information by intercepting the
communications between the end-users and web servers.
15. Use tools such as Webalizer, AWStats to examine the web server logs .

3.14 Hacking Web Applications

What are Web Applications?
▪ In computer system, a web application is a client-side and server-side software application in
which the client runs or request in a web browser.
▪ Common web applications include email, online retail sales, online auctions, wikis, instant
messaging services and more.
▪ Many companies are shifting their focus to web applications that can be delivered as Software-
as-a-Service (SaaS), such as moving to Microsoft 365.

Web Applications Architecture

Copy rights reserved for STL Academy 157

 Cyber Security

Types of Web Applications

Tools to Hack Web Applications

Kali Linux
▪ The application is equipped with distribution and interface tools geared toward providing an
improved hardware as well as offer support for a good number of desktop environments.
▪ It is a security-based operating system that can be run off a USB drive, CD, or anywhere at all.
▪ Its security toolkit enables hackers to crack Wi-Fi passwords, generate fake networks, plus test
vulnerabilities.

Angry IP scanner
▪ The tool helps by assisting hackers in scanning IP addresses as well as ports looking to find a
doorway into another
user’s system.
▪ The software is open
source and cross-
platform, which makes it
one of the most reliable
hacking tools you will
find on the market.
▪ The app is mostly used
by network
administrators and
system engineers.

Cain & Abel

▪ Cain & Abel is a tool used for password recovery and in hacking mainly on Microsoft systems.
▪ It uses brute force methods such as the dictionary method to crack encrypted passwords to
enable people to recover their passwords.
▪ The application also helps in recovering wireless network keys and in recording VoIP
conversations.

158 Copy rights reserved for STL Academy

 Cyber Security

Countermeasures to Hack Web Applications

▪ Use a Custom-Built, Intelligent, Managed Web Application Firewall
▪ Updates are crucial; never ignore them.
▪ Never allow unsanitized, unvalidated user inputs or inputs from untrusted sources.
▪ Use parameterized queries to prevent SQLi attacks.
▪ Secure coding practices and application development
▪ Leverage CDN so that users do not have direct access to the server.
▪ Enforce a strong password policy, implement multi-factor authentication and build a zero-trust
architecture.
▪ Install SSL and follow the latest SSL security best practices
▪ Continuous user education is key to preventing a range of attacks.

Pen Testing Web Applications

▪ Penetration testing aka Pen Test is the most commonly used security testing technique for web
applications.
▪ Web Application Penetration Testing is done by simulating unauthorized attacks internally or
externally to gain access to sensitive data.
▪ Web penetration helps end-users find out the possibility for a hacker to access data from the
internet, find out the security of their email servers and also get to know how secure the web
hosting site and server are.
▪ Pentest helps in identifying unknown vulnerabilities.
▪ Helps in checking the effectiveness of the overall security policies.
▪ Help in testing the components exposed publicly like firewalls, routers, and DNS.

▪ Let users find the most vulnerable route through which an attack can be made
▪ Helps in finding loopholes that can lead to the theft of sensitive data.
▪ In the current market demand, there has been a sharp increase in mobile usage, which has
become a major potential for attacks. Accessing websites through mobile phones is prone to
more frequent attacks and hence compromising data. Penetration Testing thus becomes very
important in ensuring we build a secure system that can be used by users without any worries of
hacking or data loss.

3.15 SQL Injection

SQL Injection Concept
▪ SQL injection is a technique that attackers use to gain unauthorized access to a web application
database by adding a string of malicious code to a database query.
▪ A SQL injection (SQLi) manipulates SQL code to provide access to protected resources, such as
sensitive data, or execute malicious SQL statements.

Copy rights reserved for STL Academy 159

 Cyber Security

▪ The following things could be done with SQLi:

▪ An SQL Injection vulnerability could allow the attacker to gain full access to the database server.
▪ SQL injection also could allow changing the data in the database. For instance, an attacker could
use SQL Injection to change balances or transfer money to their account in a financial
application.
▪ SQLi can be used to delete records and deleting data can affect application accessibility until the
database is restored.
▪ An operating system can be accessed using a database server on some database servers.
▪ SQL injection is a code injection technique that can be getting important information from your
database. SQLi can go as far as destroying your database.
▪ SQL injection usually occurs when you ask a user for input, like their username/user ID, and
instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your
database.
▪ Look at the following example which creates a SELECT statement by adding a variable
(txtUserId) to a select string. The variable is fetched from user input (getRequestString):

Types of SQL Injection

▪ SQL injections typically fall under three categories:
➢ In-band SQLi (Classic)
➢ Inferential SQLi (Blind)
➢ Out-of-band SQLi

160 Copy rights reserved for STL Academy

 Cyber Security

➢ You can classify SQL injections types based on the methods they use to access backend data
and their damage potential.

1. In-band SQLi
▪ In-band SQL Injection occurs when an attacker can use the same communication channel to
launch the attack and gather results.

a. Error based
▪ Error-based injections give insight into the database.
▪ These errors can be helpful to developers and network administrators but must be restricted
on the application side.
▪ Example: If the server responds to this URL with an SQL error, it shows the server has
connected to the database in an insecure way. After this step, some of the SQL commands
can be run to tamper or destroy the database.

b. Union-based
▪ It is a type of injection that combines the results of two or more SELECT statements into a
single result using the UNION operator to get more information from the database.
▪ Example: The below example shows an attacker can get the number of columns using this
type of injection attack.

2. Out-of-band SQLi
▪ Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch
the attack and gather results.
▪ The database server can send data to an attacker with the ability to make DNS or HTTP
requests.

Copy rights reserved for STL Academy 161

 Cyber Security

3. Inferential SQLi (Blind SQLi)

▪ In the Inferential SQLi attack, the attacker cannot see the results because the web application
database is not transmitting the data.
▪ For this reason, the attacker sends queries and tries to build the structure of the database by
observing the web application's response and the behavior of the database.

a. Boolean-based
▪ This technique forces different responses to get from the application, depending on whether
the query returns correct or incorrect results by sending queries to the database.
▪ Example: As in the first query, we can estimate the length of the database with Boolean
expressions based on the answers returned from the database. And of course, we can even
find out its name by furthering a query like this. With a query like in the second example, we
can ensure that all items in the x category are displayed from the database.

b. Time-based
▪ This technique forces the database to wait for a while before responding after the query is
submitted.
▪ Example: With this technique, we can query whether the user is a system admin from the
returned response time using a time-based query with a conditional query as in the first
example. Or we can determine that the database type is MySQL from the slowness of the
response time returned by using an example such as the second query and a query such as if
the database version is equal to MYSQL 5.
▪ SELECT * FROM products WHERE id=1; IF SYSTEM_USER='sa' WAIT FOR DELAY
'00:00:15’
▪ SELECT * FROM card WHERE id=1-IF(MID(VERSION(),1,1) = '5', SLEEP(15), 0)

SQL Injection Methodologies

Methodologies
▪ In SQL injection, the hacker uses SQL queries and creativity to get to the database of sensitive
corporate data through the web
application and to bypass the login
barrier the hacker may input
specifically crafted SQL commands.
So it’s important to know the basic
query of the SQL.
▪ Normal SQL Query- In a login page
of a website when the Username as
“Xan” and Password as
“Kolkata2021” is submitted.
▪ Union-based SQLi-Error-based SQLi
is an in-band SQLi technique that
relies on error messages shown by
the website for inputting characters
like ‘, “, ‘), “) etc at the end of the
URLs, containing id parameters.

162 Copy rights reserved for STL Academy

 Cyber Security

▪ It’s a really critical vulnerability to have in a

website. It alone can take down an entire
database.
▪ Blind SQLi - Blind SQLi might take longer
for an attacker to exploit as it does not
return any error message during injection.
▪ Time-based SQLi is one of them.

Countermeasures
▪ SQL Injection vulnerabilities can be
prohibited with special prevention
techniques according to the subtype of
SQLi vulnerability, SQL database engine, and programming language.
▪ The general principles you can follow to keep your web application secure are as follows:

Primary Defenses
▪ Option 1: Using Prepared Statements
▪ Option 2: Using Stored Procedures
▪ Option 3: Using Whitelist for Inputs
▪ Option 4: Not Using User Inputs

Additional Defenses
▪ Option 1: Using Least Privilege
▪ Option 2: Performing Whitelist Input
Validation
▪ To prevent SQL Injection:
➢ Use Stored Procedure, Not Dynamic SQL
➢ Use Prepared Statements
➢ Use Object Relational Mapping (ORM)
Framework
➢ Least Privilege
➢ Input Validation
➢ Character Escaping
➢ Vulnerability Scanners
➢ Use Web Application Firewall

SQL Pen Testing

▪ SQL injection testing checks if it is possible to inject data into the application so that it executes a
user-controlled SQL query in the database.
▪ Testers find a SQL injection vulnerability if the application uses user input to create SQL queries
without proper input validation.

Detection Techniques
▪ The first step in this test is to understand when the application interacts with a DB Server in order
to access some data.
▪ Typical examples of cases when an application needs to talk to a DB include:

Copy rights reserved for STL Academy 163

 Cyber Security

➢ Authentication forms: when authentication is performed using a web form, chances are that
the user credentials are checked against a database that contains all usernames and
passwords (or, better, password hashes).
➢ Search engines: the string submitted by the user could be used in a SQL query that extracts
all relevant records from a database.
➢ E-Commerce sites: the products and their characteristics (price, description, availability, etc)
are very likely to be stored in a database.
▪ The tester has to make a list of all input fields whose values could be used in crafting a SQL
query, including the hidden fields of POST requests and then test them separately, trying to
interfere with the query and to generate an error.
▪ Consider also HTTP headers and Cookies.
▪ The very first test usually consists of adding a single quote ' or a semicolon ; to the field or
parameter under test.
▪ The first is used in SQL as a string terminator and, if not filtered by the application, would lead to
an incorrect query.
▪ The second is used to end a SQL statement and, if it is not filtered, it is also likely to generate an
error.
▪ The output of a vulnerable field might resemble the following (on a Microsoft SQL Server, in this
case):
▪ Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server
Driver][SQL Server]Unclosed quotation mark before the character string ''. /target/target.asp, line
113
▪ Also comment delimiters (-- or /* */, etc) and other SQL keywords like AND and OR can be used
to try to modify the query.
▪ A very simple but sometimes still effective technique is simply to insert a string where a number
is expected, as an error like the following might be generated:
▪ Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server
Driver][SQL Server]Syntax error converting the varchar value 'test' to a column of data type int.
/target/target.asp, line 113
▪ Monitor all the responses from the web server and have a look at the HTML/JavaScript source
code.
▪ Sometimes the error is present inside them but for some reason (e.g. JavaScript error, HTML
comments, etc) is not presented to the user.
▪ A full error message, like those in the examples, provides a wealth of information to the tester in
order to mount a successful injection attack.

Standard SQL Injection Testing

Classic SQL Injection
▪ Consider the following SQL query:
▪ SELECT * FROM Users WHERE Username='$username' AND Password='$password'
▪ A similar query is generally used from the web application in order to authenticate a user.
▪ If the query returns a value it means that inside the database a user with that set of credentials
exists, then the user is allowed to login to the system, otherwise access is denied.
▪ The values of the input fields are generally obtained from the user through a web form. Suppose
we insert the following Username and Password values:
▪ $username = 1' or '1' = '1
▪ $password = 1' or '1' = '1
▪ The query will be:

164 Copy rights reserved for STL Academy

 Cyber Security

▪ SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

3.16 Hacking Wireless Networks

Wireless Network Hacking
▪ Computer networks that are not connected by cables are called wireless networks.
▪ They generally use radio waves for communication between the network nodes.
▪ They allow devices to be connected to the network while roaming around within the network
coverage.

▪ Wireless networks are based on IEEE 802.11 standards defined by the Institute of Electrical and
Electronics Engineers (IEEE ) for ad hoc networks or infrastructure networks.
▪ Infrastructure networks have one or more access points that coordinate the traffic between the
nodes. But in ad hoc networks, there is no access point; each node connects in a peer-to-peer
way.
▪ Two types of vulnerabilities can be found in the Wireless LAN:
➢ Poor configuration
➢ Poor encryption
▪ Poor configuration is caused by the network admin who manages the network. It may include a
weak password, a lack of security settings, use of default configurations and other user-related
issues.
▪ Poor encryption is related to security keys used to protect the wireless network. These
vulnerabilities exist because of issues in WEP or WPA.

WEP and WPA

▪ WEP and WPA are the two main security protocols used in Wi-Fi LAN. WEP, or Wired Equivalent
Privacy, is a deprecated security protocol that was introduced back in 1997 as a part of the
original 802.11 standards.
▪ It was weak, and several serious weaknesses were found in the protocol. Now, this can be
cracked within minutes.
▪ A new Wi-Fi security protocol was introduced in 2003. This new protocol was Wi-Fi Protected
Access (WPA).
▪ While most routers currently use WPA or WPA2, a third version called WPA3 was certified a few
years ago and is designed to replace the existing protocols.

Copy rights reserved for STL Academy 165

 Cyber Security

▪ To get unauthorized access to a network, one needs to crack these security protocols. Many
tools can crack Wi-Fi encryption.
▪ These tools can either take advantage of WEP weaknesses or use brute force password
guessing attacks on WPA/WPA2/WPA3.

Types of Threats
Deauthentication Attacks
▪ Disabling networks using deauthentication attacks.
▪ These attacks exploit a known weakness in the protocol and can be generated on standard PC
equipment or using cheap devices available online:
➢ Evil Twin attacks
➢ Spying on WiFi

Wireless Hacking Tools

➢ Aircrack-ng
➢ Wifite
➢ Kismet
➢ Wifiphisher
➢ inSSIDer
➢ Wireshark
➢ CoWPAtty
➢ AirJack
➢ Airgeddon
➢ OmniPeek
➢ CommView for WiFi
➢ CloudCracker
➢ Kali Linux NetHunter

Methodologies
Wi-Fi Discovery
▪ Wi-Fi discovery is a process used to learn about WLAN's presence in the environment.
▪ WiFi discovery process is not against any law, since you are not acting offensively at any point,
you are simply, passively listening to the Wi-Fi frequency bands, using your wireless client.
▪ In order to discover what type of WLAN networks are present, you need to use specific tools that
uses wireless hardware and listens on either a 2.4GHz or a 5GHz band.
▪ Some of them are built-in to the operating system (they are most often very ineffective for
detailed WLAN analysis), and other ones are simple tools.

War Driving
▪ Wardriving is the process of finding a Wireless Network (wireless network discovery) by a person
in a car using their personal laptop, smartphone or other wireless client tools.
▪ Basically, the intention is to find some free-access wireless network, that malicious user can use
without any legal obligations.
▪ Examples might be some market, that offer free Wi-Fi, without registration or some hotel that you
can just register with fake data.

166 Copy rights reserved for STL Academy

 Cyber Security

GPS Mapping
▪ There is a number of satellites that orbit the globe, each of them sending a low-power radio
signal towards the piece of earth it covers.
▪ The GPS device that you use, it may be for example a smartphone with google maps application
started, receives that signal from multiple satellites at the same time.
▪ The device itself combines those signals together and calculate current geographical location on
earth.
▪ The idea of GPS mapping is to map a wireless network that the user encounters on the global
map of wireless network in reference to its geographical location.
▪ One may use the Kismet tool to map its wireless network to the geographical location, and then
put its coordinates on the google earth map.

Wireless Hacking Steps

▪ The wireless hacking methodology consists of the following basic steps:

Discovering Wi-Fi networks

▪ This is the first step in making an attempt to compromise a Wi-Fi network.

GPS mapping
▪ GPS is a radio navigation system that allows land, sea, and airborne users to determine their
exact location, velocity, and time 24 hours a day, in all weather conditions, anywhere in the
world.
Wireless traffic analysis
▪ Wireless traffic analysis provides a means for many investigational leads for a forensic
examination.

Execute attacks
▪ These statements control a database server behind a web application.
▪ Attackers can use SQL Injection vulnerabilities to bypass application security measures.

Break Wi-Fi encryption

▪ Wireless encryption secures your wireless network with an authentication protocol.
▪ It requires a password or network key when a user or device tries to connect.

3.17 Hacking Mobile Platforms

Hacking Mobile Platform
▪ The attackers are easily able to compromise the mobile network because of various
vulnerabilities, the majority of the attacks are because of the untrusted apps.
▪ SMS is another way the attackers are gaining access to the mobile devices by sending phishing
messages/spam messages to users.

Mobile Platform Attack Vectors

M1 - Improper Platform Usage - misuse of features or security controls (Android intents,
TouchID, Keychain)
M2 - Insecure Data Storage - improperly stored data and data leakage
M3 - Insecure Communication - poor handshaking, incorrect SSL, clear-text communication
M4 - Insecure Authentication - authenticating end user or bad session management

Copy rights reserved for STL Academy 167

 Cyber Security

M5 - Insufficient Cryptography - code that applies cryptography to an asset, but is insufficient

(does NOT include SSL/TLS)
M6 - Insecure Authorization - failures in authorization (access rights)
M7 - Client Code Quality - catchall for code-level implementation problems
M8 - Code Tampering - binary patching, resource modification, dynamic memory modification
M9 - Reverse Engineering - reversing core binaries to find problems and exploits
M10 - Extraneous Functionality - catchall for backdoors that were inadvertently placed by
coders

Anatomy of Mobile Attack

➢ The Device
➢ The Network
➢ The Data Center/Cloud

Hacker’s Profit

168 Copy rights reserved for STL Academy

 Cyber Security

Mobile Attack Vectors

Platform Vulnerabilities and Risks

▪ Malicious app in stores
o No vetting of apps
▪ Mobile Application vulnerabilities
▪ Mobile Malware
▪ Privacy Issues (Geolocation)
▪ App sandboxing vulnerabilities
o Protects systems and users by limiting the resources that the app can access to the mobile
platform
▪ Weak data security
▪ Weak device and app encryption
▪ Excessive Permissions
▪ OS and app updates' issues
▪ Weak Communication security
▪ Jailbreaking and rooting
▪ Physical attacks
▪ Mobile Spam
o Unsolicited text/email messages sent to mobile devices
o Can contain ads or malicious links
▪ SMS Phishing Attack
o Acquire personal and financial information by sending SMS
o Acts the same as a phishing attack but instead uses SMS
▪ Pairing to Open Bluetooth and Wi-Fi Connections
o Allows for eavesdrop and interception of data transmission
o Bluesnarfing and Bluebugging

Hacking Android OS
▪ Android OS is Developed by google.

Features
▪ Enabling reuse and replacement of components
▪ Variety of pre-build UI components
▪ Open source Blink and Webkit engine
▪ Media Support
▪ Rich development environment

Copy rights reserved for STL Academy 169

 Cyber Security

Android Rooting
▪ Allows user to attain privileged control within androids subsystem
▪ Involves executing security vulnerabilities in the device firmware and granting execute
permissions

170 Copy rights reserved for STL Academy

 Cyber Security

Rooting Tool
➢ KingoRoot - can be used with or without a PC
➢ TunesGo - Root Android - Done with PC
➢ One Click Root - Done with PC

Android Attack Tools

NetCut
▪ Wifi killing application; blocks Wifi access to targeted device
zANTI
➢ Spoof MAC
➢ Create Malicious Wifi Hotspot
➢ Scan for open ports
➢ Exploit Router Vulnerabilities
➢ Password complexity audits
➢ Man-in-Middle attack
➢ DoS attack

Network Spoofer
▪ Change websites on other peoples computers

Low Orbit Ion Cannon

▪ Perform DoS and DDoS attacks

DroidSheep
▪ Perform web session hijacking
Orbot
▪ Proxy app that hides identity

FaceNiff
▪ Sniff and intercept web session profiles

Android Trojans
➢ BankBot
➢ SpyDealer

Securing Android Devices

Copy rights reserved for STL Academy 171

 Cyber Security

Hacking IOS
Apple IOS
▪ Apples Mobile OS
▪ Uses direct manipulation and multi touch gestures

Jailbreaking
▪ Installing a modified set of kernel patches that allows users to run third party applications not
singed by OS vendor
▪ Provides root access to the OS
▪ Removes sandbox restrictions

Types of Jailbreaking
▪ Userland Exploit - Allows user-level access
▪ iBoot Exploit - Allows user-level access and iboot-level access
▪ Bootrom Exploit - Allows user-level access and iboot-level access

Jailbreaking Techniques
▪ Untethered Jailbreaking - Allows the device to reboot and the kernel will still be patched
▪ Semi-tethered Jailbreaking - If the device reboots the kernel will no longer have a patched
kernel but will still be usable for normal functions
▪ Tethered Jailbreaking - If the device reboots the kernel will no longer have a patched kernel
and will get stuck in a partially started state

Jailbreaking Tools
▪ Cydia - Enables a user to find and install software packages
▪ Pangu Anzhuang - Online jailbraking app
▪ Keen Jailbreak - Unofficial semi-tethered tool

IOS Trojans
▪ AceDeceiver - Exploits flaw in DRM (Digitals Rights Management)
▪ Spy/MobileSpy!iPhoneOS - Malware allows and attacker to eavesdrop all incoming and
outgoing communications

Guidelines for Mobile Platform Security

172 Copy rights reserved for STL Academy

 Cyber Security

Mobile Security Guidelines for Admins

SMS Phishing Countermeasures

Copy rights reserved for STL Academy 173

 Cyber Security

3.18 IoT Hacking

Internet of Things (IoT)
▪ The term IoT, or Internet of Things, refers to the collective network of connected devices and the
technology that facilitates communication between devices and the cloud, as well as between the
devices themselves.
▪ The Internet of Things (IoT) describes the network of physical objects “things”—that are
embedded with sensors, software, and other technologies for the purpose of connecting and
exchanging data with other devices and systems over the internet.
▪ Here are some of the most common ones:
➢ Consumer IoT- Primarily for everyday use. Eg: home appliances, voice assistance, and light
fixtures.
➢ Commercial IoT- Primarily used in the healthcare and transport industries. Eg: smart
pacemakers and monitoring systems.

IoT Hacking
▪ There are billions of such devices and because of poor security practices they're increasingly
becoming the target of hackers: especially those wanting to create a network of compromised
devices, or botnet.
▪ As the number of unsecured devices connected to corporate networks increases, so do IoT
ransomware attacks.
▪ Hackers infect devices with malware to turn them into botnets that probe access points or search
for valid credentials in device firmware that they can use to enter the network.

IoT Device Lifecycle

174 Copy rights reserved for STL Academy

 Cyber Security

IoT Hacking Methodologies

▪ Methodology for Hacking IoT: From Chip to Cloud
▪ Introduction. Over the past 10 years, Praetorian has tested hundreds of embedded systems,
ranging from autonomous vehicles, medical devices, critical infrastructure, and smart consumer
devices
▪ Hardware
▪ Network Interfaces
▪ Firmware Analysis
▪ Cloud Communications

IoT Hacking Tools

Wireshark
▪ It is a network packet analyzer that allows you to capture and analyze network traffic in real-time.
▪ It is an open-source program considered by ethical hackers to be one of the most crucial network
security tools. In short, you can capture and view information via your network with Wireshark.

Network Mapper (Nmap)

▪ It is a widely used Open-source scanning tool used in network discovery, and at the time of
scanning, it sends crafted packets to discover the devices connected to the network.
▪ It then gives data to the operating system they are running to analyze the responses.
▪ Nmap is specially developed for enterprise-scale networks to scan Hundreds of devices. Nmap
helps network administrators to detect vulnerabilities.

Fiddler
▪ It is an open-source web proxy tool that works with any browser or platform.
▪ It has many features to help a pen-testing device.
▪ It allows users to debug the web traffic on any system.

Copy rights reserved for STL Academy 175

 Cyber Security

Metasploit
▪ It is a security tool that gives software security information and enhances penetration testing.
▪ It is an open-source penetration tool used to test vulnerabilities in the computer and gain access
to the computer remotely and secure them from hacking.

Maltego
▪ It is an open-source tool; it has a comprehensive method to collect and connect the information
to investigative tasks through Open-Source intelligence and graphical relation analysis in real-
time.
▪ Maltego focuses on providing a library of transforms to find data from open sources and visualize
it in a graph format that can be used for connection analysis and data mining.

176 Copy rights reserved for STL Academy

 Cyber Security

IoT Hacking Countermeasures

➢ Change default router settings
➢ Disconnect IoT devices when they are not needed
➢ Pick a strong password and do not overuse it
➢ Avoid using Universal Plug and Play
➢ Keep your software, firmware updated

IoT Pen Testing

▪ An IoT pentest enables to search for security flaws in the connected object's entire ecosystem:
➢ Hardware
➢ Embedded software
➢ Communication protocols
➢ Servers
➢ Mobile applications
➢ APIs
➢ Web interfaces

Hardware Penetration Testing

▪ Penetration tests of hardware focus on the electronic components of the solution (non-invasive
and invasive attacks).
▪ The techniques used include the following:
➢ Reverse engineering of elements extracted from the hardware equipment studied
➢ Memory dumps
➢ Cryptographic analysis

Firmware Penetration Testing

▪ Penetration tests of firmware focus on the software embedded in the object, including a certain
number of techniques:
➢ Detection of communication ports that are open and badly protected
➢ Buffer overflow
➢ Breaking passwords
➢ Reverse engineering
➢ Cryptographic analysis

Copy rights reserved for STL Academy 177

 Cyber Security

➢ Modifications of firmware
➢ Debugging
➢ Detection of configuration interfaces or backdoors

Communication Protocols Penetration Testing

▪ Penetration tests of communication protocols focus on the technology enabling the
communication of the object and the sending of data to the outside (RFID, NFC, ZigBee,
Bluetooth, WiFi, SigFox, LoRa, etc.).
▪ The tests are based on the following techniques:
➢ Capture and analysis of multi-protocol radio signals (sniffing)
➢ Cryptographic analysis
➢ Passive monitoring of exchanges
➢ Interception and corruption of exchanges
➢ Denials of service

3.19 Cloud Computing

Cloud Computing Concept
▪ Cloud computing is the on-demand availability of computer system resources, especially data
storage and computing power, without direct active management by the user.
▪ Large clouds often have functions distributed over multiple locations, each location being a data
center.

Cloud Computing Attacks

▪ Any cyber-attack that targets off-site service platforms that offer storage, computing, or hosting
services via their cloud infrastructure can be classified as a cloud cyber-attack.
▪ This can include attacks on service
platforms that utilise service delivery
models like SaaS, IaaS, and PaaS.

Cloud Storage Encryption Risks

➢ Service Outages
➢ Large Downtime
➢ Weak / Ineffective Passwords
➢ Poor Data Syncing
➢ Provider Security Breaches
➢ Lack of Encrypted Cloud Storage
➢ Poor Data Management

Cloud Hacking Methodologies

▪ The hardware is the cloud server and the operations done by the cloud server is invisible.
▪ The user collects the information from the interface and it is connected to service management
and the services provided for the management is server and internally the server is connected to
web application.
➢ Credential Stuffing Attack
➢ Misconfiguration Mishaps
➢ Crypto Cloud Mining
➢ Server-side Request Forgery

178 Copy rights reserved for STL Academy

 Cyber Security

➢ Brute Force Attacks

➢ Ransomware transfers

Credential Stuffing Attack

▪ Credential stuffing occurs when hackers leverage the power of API to initiate an account hijack,
with high probability of infiltration.
▪ This specific attack is one of the most frequently used by hackers, with the proliferation of
microservices and containers that rely on APIs to interact with one another.
▪ To fend against credential stuffing attacks, set rate limiting for authentication attempts, also
known as throttling attempts.
▪ If employees at the organization reuse their usernames and passwords across multiple services,
the business is at risk of a credential stuffing attack. Adversaries can go through lists of user
credentials stolen from a previous attack to see if any of them are valid accounts on a different IT
system.
▪ Hackers can work around this by configuring scripts to submit requests at a slower rate that
prevents blocking.
▪ Hackers are also relying on login failure notifications to identify which usernames do and do not
exist, using the data to tweak credential lists and increase probability for success.
▪ Organizations are relying on the principle of zero trust to embolden security.
▪ The concept asserts that organizations should not trust anything inside or outside its perimeters
without verification.

Misconfiguration Mishaps
▪ Attacks associated with misconfiguration occur due to incorrect setup of information assets, such
as when an organization fails to safeguard their data in the public cloud.
▪ Sensitive data may be stored and inadequately guarded.
▪ In constant search for attack vectors, hackers rely on misconfigurations to collect targeted data.
Examples of misconfiguration include:
➢ Insecure data storage elements or containers
➢ Excessive permissions – the opposite of following the principle of least privilege
➢ Unchanged default credentials and configuration settings
➢ Disabled standard security controls

Crypto Cloud Mining

▪ Cryptomining malware, cryptocurrency mining malware or simply cryptojacking, refers to
software programs and malware components developed to take over a computer’s resources
and use them for cryptocurrency mining without a user’s explicit permission.
▪ More crypto miners have started using malware to target enterprises, with the cloud an attractive
target due to its nearly limitless computing power.
▪ Cybercriminals trying to access to the cloud will use cryptomining to obtain credentials, insert a
cryptominer and connect to the network to steal information.

Server-side Request Forgery

▪ Server-side request forgery (SSRF) is a serious attack technique and a fast-growing concern in
cloud environments.
▪ Cybercriminal can take advantage of server functionality to review and manipulate internal
resources.

Copy rights reserved for STL Academy 179

 Cyber Security

▪ SSRF is a danger because hackers can provide or access URLs, read configuration data, and
infiltrate further to internal services without authorized access.
▪ A server-side request forgery (SSRF) can occur when a web application fails to validate a URL
provided by a malicious user. Attackers can supply a URL that tells the application to make a
request or provide data that would otherwise be off-limits. SSRF attacks are growing in popularity
among cloud hackers.

Brute Force Attacks

▪ A brute force attack is an activity which involves repetitive consecutive attempts to hack into a
cloud infrastructure using multiple password combinations.
▪ Intruders may make use of bots they have already installed to farm the computing power and
cause more damage.
▪ Brute-force attacks may begin with phishing emails crafted with links to malicious pages
containing malware to compromise cloud infrastructure and accounts.
▪ Pop-ups may prompt victims to enter their usernames and passwords into fake login pages for
cloud applications.
▪ The simplest form of cloud hacking is a brute-force approach: testing different combinations of
usernames and passwords. Once inside the system, adversaries can proceed to wreak havoc
and exfiltrate data from the cloud as with any other attack.

Ransomware Transfers
▪ Ransomware can affect cloud storage services just as much as on-premises databases, often
leaping from one to the other.
▪ For example, if businesses automatically sync local files to the cloud, then a ransomware attack
infecting local systems would result in the cloud files being affected as well.
▪ The past few years have seen a surge in so-called “ransomcloud” attacks.

Cloud Hacking Tools

➢ Nmap network scanner
➢ Netcat network utility
➢ Metasploit vulnerability exploitation tool
➢ Nikto web app scanner
➢ SQLmap SQL injection tool
➢ Burpsuite web app proxy
➢ Dirbuster vulnerability scanner
➢ Droopescan vulnerability exploitation tool

Cloud Hacking Countermeasures

▪ While data backup and encryption are the key countermeasures, there are some other new
ways.
▪ Geo- redundant storage by Azure supports high availability for applications like scaling to
multiple instances amongst others.
▪ Some countermeasures practices are:
➢ Breach Responses
➢ Specialized On-Premise equipment strategies
➢ Build a Layered Defence Mechanism
➢ Due Diligence and Private Solutions

180 Copy rights reserved for STL Academy

 Cyber Security

➢ Save the data

➢ Secure Networking, etc

Cloud Pen Testing

▪ Cloud penetration testing is designed to assess the strengths and weaknesses of a cloud system
to improve its overall security posture.
▪ Cloud penetration testing helps to: Identify risks, vulnerabilities, and gaps. Impact of exploitable
vulnerabilities.
▪ The 5 phases of Penetration Testing are:
➢ Reconnaissance
➢ Scanning
➢ Vulnerability Assessment
➢ Exploitation
➢ Reporting
▪ Reconnaissance - In this phase, the tester gathers as much information about the target system
as possible.
▪ Scanning - In this phase, the tester uses various tools to identify open ports and check network
traffic on the target system.
▪ Vulnerability Assessment - The third phase of the penetration testing process is vulnerability
assessment. The tester scans all the data gathered in the reconnaissance and scanning phases
to identify potential vulnerabilities and determine whether they can be exploited
▪ Exploitation - The tester attempts to exploit the vulnerability and access the target system. This
is typically done using a tool like Metasploit to simulate real-world attacks.
▪ Reporting - Once the exploitation phase is complete, the tester prepares a report documenting
all of the penetration test’s findings.

3.20 Cryptography
▪ In computer science, cryptography refers to secure information and communication techniques
derived from mathematical concepts and a set of rule-based calculations called algorithms, to
transform messages in ways that are hard to decipher.
▪ Cryptography is the practice and study of hiding information.
▪ Cryptography is used in applications present in technologically advanced societies. Ex: ATM
cards, computer passwords, and electronic commerce etc.

Copy rights reserved for STL Academy 181

 Cyber Security

▪ Cryptography : The science of keeping messages secure

▪ Cryptanalysis : The science of breaking the ciphertext without the key.
▪ Cryptology : The branch of mathematics encompassing both cryptography and cryptanalysis.

Cryptography in Hacking

Cryptography Algorithms
▪ An encryption algorithm is the method used to transform data into ciphertext.
▪ Encryption: A process of encoding a message, so that its meaning is not obvious. ( = encoding,
enciphering)
▪ Decryption: A process of decoding an encrypted message back into its original form. ( =
decoding, deciphering)

What is Key in Cryptography?

▪ A cryptographic key is a string of characters used within an encryption algorithm for altering data
so that it appears random.

182 Copy rights reserved for STL Academy

 Cyber Security

▪ Like a physical key, it locks (encrypts) data so that only someone with the right key can unlock
(decrypt) it.

Encryption Algorithms and Its Types

▪ Encryption is a way of scrambling data so that only authorized parties can understand the
information.
▪ In technical terms, it is the process of converting
human-readable plaintext to incomprehensible text,
also known as ciphertext.
▪ In simpler terms, encryption takes readable data and
alters it so that it appears random.
▪ Encryption requires the use of a cryptographic key: a
set of mathematical values that both the sender and
the recipient of an encrypted message agree on.
▪ Encryption algorithms are used to convert data into ciphertext.
▪ By using the encryption key, an algorithm can alter data in a predictable manner, resulting in the
encrypted data appearing random, but it can be converted back into plaintext by using the
decryption key.
▪ Types of encryption algorithms are:
➢ Encryption
➢ Symmetric
➢ Asymmetric
➢ (Public Key)
▪ In symmetric encryption, there is only one key, and all communicating parties use the same
(secret) key for both encryption and decryption.
▪ In asymmetric, or public key, encryption, there are two keys: one key is used for encryption, and
a different key is used for decryption.
▪ The decryption key is kept private (hence the "private key" name), while the encryption key is
shared publicly, for anyone to use (hence the "public key" name).
▪ Asymmetric encryption is a foundational technology for TLS (often called SSL).

Copy rights reserved for STL Academy 183

 Cyber Security

Cryptography Technique

Cryptanalysis
▪ Cryptanalysis is the decryption and analysis of codes, ciphers or encrypted text.
▪ Cryptanalysis uses mathematical formulas to search for algorithm vulnerabilities and break into
cryptography or information security systems.
▪ Cryptanalysis is used to understand the weaknesses within a cryptographic algorithm to decrypt
the contents of in-transit or at-rest data.
▪ While the objective of cryptanalysis is to find weaknesses in or otherwise defeat cryptographic
algorithms, cryptanalysts' research results are used by cryptographers to improve and strengthen
or replace flawed algorithms.
▪ Cryptanalysis is the decryption and analysis of codes, ciphers or encrypted text. Cryptanalysis
uses mathematical formulas to search for algorithm vulnerabilities and break into cryptography or
information security systems.

Hashing
▪ Hashing generates a unique signature of fixed length for a data set or message.
▪ Each specific message has its unique hash, making minor changes to the information easily
trackable.
▪ Data encrypted with hashing cannot be deciphered or reversed back into its original form. That’s
why hashing is used only as a method of verifying data.
▪ Many internet security experts don’t even consider hashing an actual encryption method, but the
line is blurry enough to let the classification stand.

184 Copy rights reserved for STL Academy

 Cyber Security

▪ The bottom line, it’s an effective way of showing that no one has tampered with the information.

Public Key Infrastructure (PKI)

▪ PKI is an arrangement that binds public keys with respective identities of entities (like people and
organizations).
▪ The binding is established through a process
of registration and issuance of certificates at
and by a certificate authority (CA).
▪ Common examples of PKI security today
are SSL certificates on websites so that site
visitors know they're sending information to the intended recipient, digital signatures, and
authentication for Internet of Things devices.

The Role of Certificate Authorities (CAs)

▪ In order to bind public keys with their associated user (owner of the private key), PKIs use digital
certificates.
▪ Digital certificates are the credentials that facilitate the verification of identities between users in a
transaction.
▪ Much as a passport certifies one’s identity as a citizen of a country, the digital certificate
establishes the identity of users within the ecosystem.
▪ Because digital certificates are used to identify the users to whom encrypted data is sent, or to
verify the identity of the signer of information, protecting the authenticity and integrity of the
certificate is imperative to maintain the trustworthiness of the system.
▪ Certificate authorities (CAs) issue the digital credentials used to certify the identity of users.
▪ CAs underpin the security of a PKI and the services they support, and therefore can be the focus
of sophisticated targeted attacks.
▪ In order to mitigate the risk of attacks against CAs, physical and logical controls as well as
hardening mechanisms, such as hardware security modules (HSMs) have become necessary to
ensure the integrity of a PKI.

PKI Deployment
▪ PKIs provide a framework that enables cryptographic data security technologies such as digital
certificates and signatures to be effectively deployed on a mass scale.
▪ PKIs support identity management services within and across networks and underpin online
authentication inherent in secure socket layer (SSL) and transport layer security (TLS) for

Copy rights reserved for STL Academy 185

 Cyber Security

protecting internet traffic, as well as document and transaction signing, application code signing,
and time-stamping.
▪ PKIs support solutions for desktop login, citizen identification, mass transit, mobile banking, and
are critically important for device credentialing in the IoT.
▪ Device credentialing is becoming increasingly important to impart identities to growing numbers
of cloud-based and internet-connected devices that run the gamut from smart phones to medical
equipment.

Tools for Cryptography

▪ The common cryptographic tools are:
➢ Security Tokens - A security token is a physical device that holds information that
authenticates a person's identity
➢ Key-Based Authentication
➢ Docker
➢ Java Cryptography Architecture
➢ SignTool
➢ Quantum Computers and Cryptography
➢ Cloud Computing
➢ Blockchain

Countermeasures
▪ To prevent people with malicious intent from breaking into a secure device, the device must be
designed with features that not only provide security but also protect the device from attacks.
▪ Maxim’s secure devices have robust countermeasures to protect against all these attacks. Here
are some of the implemented features:
➢ Patented physically unclonable function (PUF) technology to secure device data.
➢ Actively monitored die shield that detects and reacts to intrusion attempts.
➢ Cryptographic protection of all stored data from discovery.
▪ Six practices we suggest organizations should follow to keep your data and assets safe from
cyber attacks:
➢ Install software updates and patches
➢ SecOps best practice: Integrate security into each development lifecycle step
➢ Configure Cloud environments and containers properly
➢ Assign and time-limit hard-to-crack passwords to admin consoles (Zero Trust)
➢ Leverage the community: Everybody hurts
➢ Continuously monitor cloud environments and react quickly

Section 3: Exercises

Exercise 1: Write down types of SQL injections in below boxes.

186 Copy rights reserved for STL Academy

 Cyber Security

Exercise 2: Participate in a group discussion on following topics related to hacking:

a) Ethical Hacking
b) Footprinting
c) Scanning Networks
d) Enumeration
e) Vulnerability Analysis
f) System Hacking
g) Malware Threats
h) Sniffing
i) Social Engineering
j) Denial-of-service
k) Session Hijacking
l) IDS, Firewalls, and Honeypots
m) Hacking Web Servers
n) Hacking Web Applications
o) SQL Injection
p) Hacking Wireless Networks
q) Hacking Mobile Platforms
r) IoT Hacking
s) Cloud Computing
t) Cryptography

Section 4: Assessment Questionnaire

Questions
1. What is Ethical Hacking?
2. A _________ attack is an attack meant to shut down a machine or network, making it
inaccessible to its intended users.
3. Types of information security controls include:
4. ________ is a security exercise where a cyber-security expert attempts to find and exploit
vulnerabilities in a computer system.
5. _______ is the process of identifying and understanding the security risks present in an
organization.
6. What are two types of footpriting?
7. Techniques used for social engineering are:
8. What are the types of Scanning?
9. Tell three scanning techniques?
10. ________ enumeration is a cycle of specifying client records and gadgets on an objective
framework utilizing SNMP.
11. The _________ provides a way to capture the principal characteristics of a vulnerability and
produce a numerical score reflecting its severity.
12. Why do you need a Vulnerability Assessment Report?
13. The art of hiding a data inside another data/medium is called:
14. What are the types of stenography?
15. What are the types of Malwares?
16. Trojans neither infect the other computers in the network nor do they replicate. (Trues/False)
17. What are the stages of Malware Analysis?
18. Sniffing is generally referred to as a “passive” type of attack, wherein the attackers can be
silent/invisible on the network. (True/False)

Copy rights reserved for STL Academy 187

 Cyber Security

19. ______ means revealing sensitive information, clicking on links to malicious websites, or
opening attachments that contain malware.
20. What are four main steps to perform a social engineering penetration test?
21. What are the types of DDoS attacks?
22. What are three DDoS techniques?
23. ________, also known as TCP session hijacking, is a method of taking over a web user session
by surreptitiously obtaining the session ID and masquerading as the authorized user.
24. What are the methods of session hijacking?
25. A _______is software or firmware that prevents unauthorized access to a network.
26. An HTTP server is software that understands:
27. ________is an attack where an attacker changes the website/web page's visual appearance
with their messages.
28. What are the types of web applications?
29. What is SQL Injection?
30. _____are the two main security protocols used in Wi-Fi LAN.
31. What are types of Jailbreaking?
32. What are IoT hacking countermeasures?
33. What are the phases of cloud pen testing?
34. An ______ algorithm is the method used to transform data into ciphertext.
35. A cryptographic key is a string of characters used within an encryption algorithm for altering
data so that it appears random. (True/False)

----------End of the Module----------

188 Copy rights reserved for STL Academy

 Cyber Security

MODULE 4
DESIGN, ENGINEER AND MANAGE THE OVERALL SECURITY
POSTURE OF AN ORGANIZATION
Section 1: Learning Outcomes
After completing this module, you will be able to:
▪ Explain Enterprise Architecture and Components
▪ Describe Risk Assessment and Principles of security
▪ Comprehend cyber-attacks, honeypots, vulnerability and pen testing
▪ Handle bugs, secure storage platforms
▪ Build a hacker mindset and defend against future attacks
▪ Explain Ethical Hacking, Footprinting and Reconnaissance
▪ Perform Network scanning and Enumeration
▪ Perform Vulnerability Analysis and System Hacking
▪ Describe concept of Malware, Sniffing and Social Engineering
▪ Explain concepts of Denial-of-service and Session Hijacking
▪ Show how to evade IDS, Firewalls, and Honeypots
▪ Hack IoT, Web Servers, Web Applications, Wireless Networks and Mobile Platforms
▪ Explain SQL Injection and Advanced Cryptography
▪ Explain Details of CISSP Exam
▪ Describe about Asset Security and Security Engineering
▪ Design secure network architecture
▪ Explain about components and communication channels
▪ Describe about Identity and Access Management
▪ Perform Security Assessment and Testing
▪ Explain about Security Operations and Software Development Security

Section 2: Relevant Knowledge

4.1 Introduction to CISSP

▪ Certified Information Systems Security Professional (CISSP) is an
information security certification developed by the International Information
Systems Security Certification Consortium, also known as (ISC)².
▪ The CISSP certification covers the definition of IT architecture and the
designing, building, and maintaining of a secure business environment using
globally approved security standards.

Overview of CISSP
▪ To earn the CISSP credential, the candidate must pass the certification exam, as well as
complete the CISSP exam agreement, subscribe to the (ISC)² code of ethics, answer
background qualification questions and receive an endorsement from an active (ISC)²-certified
professional.
▪ To maintain the CISSP certification, candidates are required to earn at least 40 Continuing
Professional Education (CPE) credits each year and pay an annual maintenance fee of $85.

Copy rights reserved for STL Academy 189

 Cyber Security

Introduction to ISC2
▪ The International Information System Security Certification Consortium, or (ISC)², is a non-profit
organization which specializes in training and certifications for cybersecurity professionals.
▪ It has been described as the "world's largest IT security organization”, founded in 1989.
▪ (ISC)2 maintains what it calls a Common Body of Knowledge for information security for the
following certifications:
▪ Certified Information Systems Security Professional (CISSP), including:
➢ Information Systems Security Architecture Professional (CISSP-ISSAP)
➢ Information Systems Security Engineering Professional (CISSP-ISSEP)
➢ Information Systems Security Management Professional (CISSP-ISSMP)
➢ and including:
➢ Certified Secure Software Lifecycle Professional (CSSLP)
➢ Certified Authorization Professional (CAP)
➢ Certified Cloud Security Professional (CCSP)
➢ Systems Security Certified Practitioner (SSCP)
➢ Health Care Information Security and Privacy Practitioner (HCISPP)
▪ It is certified by ANSI and meets the requirements of ANSI/ISO/IEC Standard 17024, a personnel
certification accreditation program.

CISSP Examinations
▪ Preparing to take the Certified Information Systems Security Professional (CISSP) exam requires
a great deal of time and effort.
▪ The exam covers eight domains:
1. Security and Risk Management
2. Asset Security
3. Security Architecture and Engineering
4. Communication and Network Security
5. Identity and Access Management (IAM)
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

190 Copy rights reserved for STL Academy

 Cyber Security

▪ The CISSP exam is six hours long

▪ Consists of 250 multiple choice questions
▪ Advanced innovative questions testing the candidate's knowledge
▪ Score of 700 or higher out of a 1,000 point maximum
▪ The results are calculated on a scaled score
▪ Understanding of the eight domains of the (ISC)² Common Body of Knowledge
▪ The CISSP examination is offered in English as well as a plethora of other languages.
➢ Korean
➢ French
➢ German
➢ Brazilian
➢ Portuguese
➢ Japanese
➢ Chinese

4.2 Security and Risk Management

Information Security Management
▪ Information security management is the process of protecting an organization's data and assets
against potential threats.
▪ One of the primary goals of these processes is to protect data confidentiality, integrity, and
availability.
▪ Information security management may
be driven both internally by corporate
security policies and externally by
regulations such as the General Data
Protection Regulation (GDPR), Health
Insurance Portability and Accessibility
Act (HIPAA), and the Payment Card
Industry Data Security Standard (PCI
DSS).
▪ Information security management is a
way of protecting an organisation's
sensitive data from threats and
vulnerabilities.
▪ The process is typically embedded via an ISMS
(information security management system).
▪ It provides the framework for managing information
security.
▪ Generally, information security is part of overall risk
management in a company, with areas that overlap with
cybersecurity, business continuity management, and IT
management, as displayed below.
▪ Cybersecurity is basically a subset of information
security because it focuses on protecting the information
in digital form, while information security is a slightly
wider concept because it protects the information in any
media.

Copy rights reserved for STL Academy 191

 Cyber Security

Objectives
▪ The objective of information security management is to protect data:

Confidentiality
▪ Protecting data confidentiality requires restricting access to data to only authorized users. Data
breaches are a breach of confidentiality.

Integrity
▪ Ensuring data integrity requires the ability to ensure that data is accurate and complete.
▪ A cyber threat actor that corrupts data in an organization’s databases is a breach of data
integrity.

Availability
▪ Data and the services that rely upon it must be available to authorized users, whether inside or
outside of the company. A Distributed Denial of Service (DDoS) attack is an example of a threat
against the availability of an organization’s data and services.

Importance
▪ The average organization collects a great deal of data. This includes sensitive customer data,
intellectual property, and other data that is vital to an organization’s competitive advantage and
ability to operate.
▪ The value of this data means that it is under constant threat of being stolen by cybercriminals or
encrypted by ransomware.
▪ An effective security management architecture is vital because organizations need to take steps
to secure this data to protect themselves and their customers.

Standards and Compliance

▪ An organization’s information security management strategy may be driven by multiple different
factors. The program may be inspired by internal policies or required by external forces. Both of
these potential drivers have associated standards and compliance.
▪ In some cases, an organization’s internal security policies and business goals may require
implementation of info security management systems. For example, ISO 27001, an international
standard describing security best practices, mandates the implementation of an information
security management system. Companies that want to certify against ISO 27001 will need to
implement it.
▪ An organization’s security management program may also be driven by external factors. For
example, many organizations operate under one or more data protection regulations.

Some common examples include:

▪ General Data Protection Regulation (GDPR): Protects the personally identifiable information
(PII) of EU citizens with strong personal privacy and data security requirements.
▪ Health Insurance Portability and Accessibility Act (HIPAA): A US regulation for the
healthcare industry that mandates security controls for protected health information (PHI).
▪ Payment Card Industry Data Security Standard (PCI DSS): A regulation developed by the
financial sector to prevent fraud by protecting the personal data of payment card holders.
▪ These and other data privacy laws may explicitly or implicitly require the implementation of an
info security management program. Even if such a program is not explicitly required, complying

192 Copy rights reserved for STL Academy

 Cyber Security

with regulatory data security requirements scalable and sustainably makes implementing strong
security management processes and procedures necessary.

Benefits
▪ In addition to improving an organization’s data security, an infosec management program can
provide the following benefits:

Streamlined Data Security

▪ An information security management program creates a framework and process for assessing
data security risks and remediating them.
▪ Adopting such a program can make data security more efficient and effective by enabling an
organization to optimize its security architecture and eliminate unnecessary and overlapping
solutions.

Improved Security Culture

▪ Often, infosec is owned by the IT or security department, and it is difficult to spread and enforce
across the organization.
▪ Educating employees about the company’s information security management program can
improve security and create a more positive security culture.

Brand Image
▪ Data breaches and other security incidents can harm an organization’s brand image.
▪ Demonstrated compliance with security best practices can help an organization’s reputation and
improve relationships with customers and partners.

Platforms
▪ Some cyber security platforms are designed with comprehensive, consolidated security
management in mind based on four pillars:

Automated
▪ Automating security processes and integrating them into CI/CD pipelines helps to eliminate
configuration errors and speed deployments while prioritizing security.

Consolidated
▪ A consolidated security architecture enhances visibility and simplifies management while
increasing efficiency and decreasing OPEX and CAPEX.

Dynamic
▪ Agile and dynamic security management solutions enable an organization to keep up with the
rapidly evolving cyber threat landscape and reduce time to manage security.

Efficient
▪ High-performance, efficient security ensures that security management is not a bottleneck and
doesn’t impede digital transformation.

Copy rights reserved for STL Academy 193

 Cyber Security

Risk Analysis
▪ A risk analysis is one step in the overall cybersecurity risk management and risk assessment
process.
▪ The analysis entails examining each risk to the security of your organization's information
systems, devices, and data and prioritizing the potential threats.
▪ Once the analysis is done, you know where to allocate your resources to prevent cyberattacks
and, should a data breach occur,
which systems to prioritize so your
ability to do business can continue
with little or no disruption.
▪ Risk analysis identifies and analyzes
the potential impact that could
adversely affect key business
initiatives or projects.
▪ This process is performed to help
organizations avoid or mitigate those
risks.
▪ An essential part of risk analysis is
identifying the estimated damage
from these events and the likelihood
of their occurrence.
▪ Risk assessment is a larger process
where all potential threats are
considered. During the risk analysis
process, the level of each risk is
determined. Both fall under the
broader umbrella of risk management
tools.
▪ Risk analysis is a process of reviewing risks that come with a particular asset or event.
▪ It is a crucial security process for any type of company.
▪ The risk analysis includes identifying the assets most vulnerable to cyberattack.

194 Copy rights reserved for STL Academy

 Cyber Security

Benefits of Risk Analysis

1. Determine Cybersecurity Vulnerabilities
▪ Vulnerabilities are essentially weaknesses cybercriminals can exploit within a company’s
computer system, network, internal controls, or other system processes.
▪ Weaknesses can also include poor passwords, not locking screens, or neglecting to back up
data.
▪ When the bad guys actively seek out ways to exploit businesses, they search for vulnerabilities.
▪ Identify them, assess the probability of risk, and then mitigate them accordingly to strengthen
your cybersecurity standing.

2. Gain Insight Into One’s Ability to Mitigate Security Threats

▪ Aside from pinpointing vulnerabilities, a risk assessment also points out other problems that
could lead to data loss or destruction of IT assets, be they from malicious software or from a
natural disaster.
▪ It also can determine if cameras or additional physical locks are needed.
▪ Many businesses are surprised when they find existing security protocols have been
inadvertently overlooked.

3. Determine if One Meets Compliance Regulations

▪ Most businesses are subject to compliance when it comes to handling data and, depending on
the industry, may have strict compliance and regulatory requirements.
▪ A thorough risk assessment will
highlight any potential issues so
they can be corrected before
consequences emerge.
▪ Reduction in Costs
▪ Provides Assessment Framework
▪ Increase Organizational
Knowledge
▪ Avoid Data Breaches and Loss
▪ Avoid Regulatory Issues
▪ Avoid Application Glitches

Copy rights reserved for STL Academy 195

 Cyber Security

How Do You Perform Risk Analysis in Cybersecurity?

Create a Risk Management Team
▪ The first step in performing a security risk analysis is to create a cross-enterprise group that can
deliver the necessary attention to the details of the risks to your data security and information
technology (IT) systems. Team members should include:
▪ Senior management
▪ Chief information security officer (CISO)
▪ Privacy officer
▪ Legal
▪ Marketing
▪ Product management
▪ Human resources
▪ A manager from each operating business group

Identify and Map Your Systems and Assets

▪ Document every IT asset on the network, including computers, tablets, routers, printers, servers,
and phones.
▪ In addition, you must identify how they are used and interconnect with one another.
▪ Catalog the software-as-a-service, platform-as-a-service, and infrastructure-as-a-service used by
every department.
▪ Specify which departments and vendors have access to those services. Include types of data,
and categorize sensitive data.
▪ Note how information travels through the network and among stakeholders.

Identify Vulnerabilities and Potential Threats

▪ Software-based vulnerability scanners can make it easier to locate vulnerable equipment, but
your team’s expertise is necessary to determine flawed security policies, physical vulnerabilities,
and other cyber threats hidden under your network and systems.
▪ For example, does your business use digitally connected “internet of things” (IoT) devices? How
susceptible are employees to phishing emails that could allow malware on your system? Other
potential threats include:
➢ Unauthorized access to your network
➢ Misuse of information or data leaks
➢ Ransomware attacks
➢ Human error or negligence
➢ Process failures
➢ Data loss
➢ Data breaches
➢ Disruption of services

Assess Your Risks

▪ Using your information asset catalog, examine the most significant risks for unauthorized access.
▪ Scrutinize every type of information, vendor, system, network, software, and device to determine
its danger.
▪ During this phase, your risk management team must use its combined knowledge and intuition to
list worst-case situations, ranging from pandemics to natural disasters to economic calamities.
The result is a list of all risks that can affect your organization.

196 Copy rights reserved for STL Academy

 Cyber Security

Risk Register
▪ A risk analysis, performed with the aid of a risk register (that is, a formal list of your organization’s
risks), considers two main factors:
➢ Probability: The likelihood of an attack
➢ Impact: The operational, reputational, or financial effect of the risk on your organization
▪ These two elements will help you determine the severity of each potential risk in your register
and improve decision-making so that you can develop strategies for each risk according to your
security posture and tolerance.
▪ You can risk remediation in several ways: accept, avoid, transfer or mitigate risk.

Set Cybersecurity Controls

▪ To mitigate risks, you must develop cybersecurity controls to reduce your company’s risk
exposure and prevent security incidents.
▪ Cybersecurity controls are safeguards used to prevent, detect and mitigate cyber threats and
attacks. These mechanisms can take a variety of forms depending on your unique threat
landscape.
▪ Examples include physical controls, such as security cameras or guards. Technical controls
might include firewalls or two-factor authentication.
▪ Risk mitigation can also help your data protection efforts, compliance with regulations and
requirements, and threat response.

Monitor and Audit

▪ You need to watch your IT systems over time to assure that cybersecurity measures are working
as expected.
▪ Establish performance metrics for your security controls, and then monitor those controls to
confirm that activity stays within your risk tolerance.
▪ Also conduct annual audits of the efficiency of your cybersecurity program.

Legal System and IP Laws

▪ Cyber Law also called IT Law is the law regarding Information-technology including computers
and the internet.
▪ It is related to legal informatics and supervises the
digital circulation of information, software, information
security, and e-commerce.
▪ IT law does not consist of a separate area of law
rather it encloses aspects of contract, intellectual
property, privacy, and data protection laws.
▪ Intellectual property is a key element of IT law.
▪ The area of software license is controversial and still
evolving in Europe and elsewhere.
▪ Cyber law is any law that applies to the internet and
internet-related technologies.
➢ Cyber law is one of the newest areas of the legal
system.
▪ Cyber law provides legal protections to people using
the internet.
➢ This includes both businesses and everyday citizens.
▪ Understanding cyber law is of the utmost importance to anyone who uses the internet.

Copy rights reserved for STL Academy 197

 Cyber Security

➢ Cyber Law has also been referred to as the "law of the internet."
▪ According to the Ministry of Electronics and Information Technology, Government of India :
▪ Cyber Laws yields legal recognition to electronic documents and a structure to support e-filing
and e-commerce transactions and also provides a legal structure to reduce cyber crimes.

Importance of Cyber Law

1. It covers all transactions over the internet.
2. It keeps eye on all activities over the internet.
3. It touches every action and every reaction in
cyberspace.
▪ Information is another important way to improve
cybersecurity. Businesses, for example, can improve
cybersecurity by implementing the following practices:
➢ Offering training programs to employees.
➢ Hiring employees who are certified in cybersecurity.
➢ Being aware of new security threats.
➢ Cybercrimes can be committed against governments,
property, and people.

Area of Cyber Laws

▪ Cyber laws contain different types of purposes. Some laws create rules for how individuals and
companies may use computers and the internet while some laws protect people from becoming
the victims of crime through unscrupulous activities on the internet.
▪ The major areas of cyber law include:
➢ Fraud
➢ Copyright
➢ Defamation
➢ Harassment and Stalking
➢ Freedom of Speech
➢ Trade Secrets
➢ Contracts and Employment Law

Fraud
▪ Consumers depend on cyber laws to protect them from online fraud.
▪ Laws are made to prevent identity theft, credit card theft, and other financial crimes that happen
online.
▪ A person who commits identity theft may face confederate or state criminal charges. They might
also encounter a civil action brought by a victim. Cyber lawyers work to both defend and
prosecute against allegations of fraud using the internet.

Copyright
▪ The internet has made copyright violations easier.
▪ Both companies and individuals need lawyers to bring an action to impose copyright protections.
▪ Copyright violation is an area of cyber law that protects the rights of individuals and companies to
profit from their creative works.

Defamation
▪ When people use the internet to say things that are not true, it can cross the line into defamation.

198 Copy rights reserved for STL Academy

 Cyber Security

▪ Defamation laws are civil laws that save individuals from fake public statements that can harm a
business or someone’s reputation.
▪ When people use the internet to make statements that violate civil laws, that is called Defamation
law.

Harassment and Stalking

▪ Sometimes online statements can violate criminal laws that forbid harassment and stalking.
▪ When a person makes threatening statements again and again about someone else online, there
is a violation of both civil and criminal laws.
▪ Cyber lawyers both prosecute and defend people when stalking occurs using the internet and
other forms of electronic communication.

Freedom of Speech
▪ Even though cyber laws forbid certain behaviors online, freedom of speech laws also allows
people to speak their minds.
▪ Cyber lawyers must advise their clients on the limits of free speech including laws that prohibit
obscenity.
▪ Cyber lawyers may also defend their clients when there is a debate about whether their actions
consist of permissible free speech.

Trade Secrets
▪ Companies doing business online often depend on cyber laws to protect their trade secrets. For
example, Google and other online search engines spend lots of time developing the algorithms
that produce search results.
▪ They also spend a great deal of time developing other features like maps, intelligent assistance,
and flight search services to name a few.
▪ Cyber laws help these companies to take legal action as necessary to protect their trade
secrets.

Information Protection Laws

Infrastructure
➢ Central Access Control
➢ Restricted cell phone usage
➢ Printing and storage restrictions

Network
➢ Disable Public email system
➢ Secure communication system
➢ Strong firewall
➢ Intrusion detection & Prevention system
➢ Content Filtering Prevent Cyber Attacks Access Control

Data
➢ Disabled Floppy & CD Disk Drives/Writers
➢ No Local Data Storage
➢ No Removable Media Devices
➢ Download Restrictions
➢ Antivirus Software

Copy rights reserved for STL Academy 199

 Cyber Security

➢ Staff
➢ Non –Disclosure Agreements
➢ Training
➢ Background Verification
➢ RFID based Attendance

When to Update Cybersecurity Policy?

▪ Cybersecurity policy is focused on providing
guidance to anyone that might be vulnerable to
cybercrime.
▪ This includes businesses, individuals, and even
the government.
▪ Many countries are looking for ways to promote
cybersecurity and prevent cybercrime.

Information Technology Act, 2000

▪ The principal impetus of this Act is to offer
reliable legal inclusiveness to eCommerce,
facilitating registration of real-time records with
the Government.
▪ The ITA, enacted by the Parliament of India, highlights the grievous punishments and penalties
safeguarding the e-governance, e-banking, and e-commerce sectors.
▪ Now, the scope of ITA has been enhanced to encompass all the latest communication devices.
▪ The IT Act is the salient one, guiding the entire Indian legislation to govern cyber crimes
rigorously:
➢ Section 43 - Applicable to people who damage the computer systems without permission
from the owner. The owner can fully claim compensation for the entire damage in such
cases.
➢ Section 66 - Applicable in case a person is found to dishonestly or fraudulently commit any
act referred to in section 43. The imprisonment term in such instances can mount up to three
years or a fine of up to Rs. 5 lakh.
➢ Section 66B - Incorporates the punishments for fraudulently receiving stolen communication
devices or computers, which confirms a probable three years imprisonment. This term can
also be topped by a Rs. 1 lakh fine, depending upon the severity.
➢ Section 66C - This section scrutinizes the identity thefts related to imposter digital
signatures, hacking passwords, or other distinctive identification features. If proven guilty,
imprisonment of three years might also be backed by a Rs.1 lakh fine.
➢ Section 66 D - This section was inserted on-demand, focusing on punishing cheaters doing
impersonation using computer resources.

Indian Penal Code (IPC) 1980

▪ Identity thefts and associated cyber frauds are embodied in the Indian Penal Code (IPC), 1860 -
invoked along with the Information Technology Act of 2000.
▪ The primary relevant section of the IPC covers cyber frauds:
➢ Forgery (Section 464)
➢ Forgery pre-planned for cheating (Section 468)
➢ False documentation (Section 465)
➢ Presenting a forged document as genuine (Section 471)

200 Copy rights reserved for STL Academy

 Cyber Security

➢ Reputation damage (Section 469)

Companies Act, 2013

▪ The corporate stakeholders refer to the Companies Act of 2013 as the legal obligation necessary
for the refinement of daily operations.
▪ The directives of this Act cement all the required techno-legal compliances, putting the less
compliant companies in a legal fix.
▪ The Companies Act 2013 vested powers in the hands of the SFIO (Serious Frauds Investigation
Office) to prosecute Indian companies and their directors.
▪ Also, post the notification of the Companies Inspection, Investment, and Inquiry Rules, 2014,
SFIOs have become even more proactive and stern in this regard.
▪ The legislature ensured that all the regulatory compliances are well-covered, including cyber
forensics, e-discovery, and cybersecurity diligence.
▪ The Companies (Management and Administration) Rules, 2014 prescribes strict guidelines
confirming the cybersecurity obligations and responsibilities of the company directors and
leaders.

NIST Compliance
▪ The Cybersecurity Framework (NCFS), authorized by the National Institute of Standards and
Technology (NIST), offers a harmonized approach to cybersecurity as the most reliable global
certifying body.
▪ NIST Cybersecurity Framework encompasses all required guidelines, standards, and best
practices to manage the cyber-related risks responsibly.
▪ This framework is prioritized flexibility and cost-effectiveness.
▪ It promotes the resilience and protection of critical infrastructure by:
➢ Allowing better interpretation, management, and reduction of cybersecurity risks to mitigate
data loss, data misuse, and the subsequent restoration costs
➢ Determining the most important activities and critical operations to focus on securing them
➢ Demonstrates the trust-worthiness of organizations that secure critical assets
➢ Helps to prioritize investments to maximize the cybersecurity ROI
➢ Addresses regulatory and contractual obligations
➢ Supports the wider information security program

Concepts of Confidentiality, Integrity and Availability

▪ Confidentiality, integrity and availability (CIA) triad is a security model that helps organizations
stay focused on the important aspects of maintaining a secure environment.

Confidentiality
▪ Sensitive data, including personally identifiable information (PII) like identification numbers and
bank account numbers, must be kept confidential.
▪ Confidentiality is different from secrecy. If you aren’t aware something exists (such as data or a
web service), then it is a secret. But keeping something secret, by itself, doesn’t ensure
confidentiality.
▪ To ensure confidentiality, you must make certain that even if someone is aware that something
valuable exists (such as a store that processes credit card transactions or a file share with
sensitive data), they can’t get to it. At a high level, you use access controls locked doors, folder
permissions and two-factor authentication to maintain confidentiality.

Copy rights reserved for STL Academy 201

 Cyber Security

▪ At a lower level, you use encryption to protect data at rest, hashing to protect data in motion, and
physical security for data in use (privacy screens or physical separation between data in use and
unauthorized persons). You can use a “default deny” configuration so that unless somebody has
been expressly authorized to access data, they are denied access.

Integrity
▪ You also have to make certain that data isn’t changed improperly. Encryption helps ensure the
integrity of data at rest, but it isn’t the best option for data in motion.
▪ Instead, hashing is typically used. Hashing data assigns the data a numeric value, which is
calculated at the source before the transfer and then again by the recipient after the transfer; a
match proves data integrity.
▪ Algorithms such as SHA256 and SHA512 are commonly used for hashing; older algorithms, such
as SHA-1, have become susceptible to attack and therefore are rarely used.

Availability
▪ To ensure high availability of services and data, use techniques like failover clustering, site
resiliency, automatic failover, load balancing, redundancy of hardware and software components,
and fault tolerance.
▪ For example, they can help you thwart a denial of service (DoS) attack that aims to deny the
availability of a service or data by overloading a system with invalid requests or requests that
take a long time to process.

Security Governance Principles

▪ Be sure the framework you choose includes the following:
➢ Alignment of security function to strategy, goals, mission, and objectives.
➢ Organizational processes (acquisitions, divestitures, governance committees)
➢ Organizational roles and responsibilities.
➢ Security control frameworks
➢ Due care / due diligence

Alignment of security function to strategy, goals, mission, and objectives

▪ An organization has a mission and uses strategy, plans and objectives to try to meet that
mission.
▪ A security framework must closely tie to the organization’s mission and objectives, enabling the
business to complete its objectives and advance the mission while securing the environment
based on risk tolerance.
▪ Objectives are the closest to the ground and represent small efforts to help you achieve a
mission.
▪ For example, a car manufacturer’s mission might be to build and sell as many high-quality cars
as possible. The objectives might include expanding automation to reduce the total build time of
a car and expanding from 2 factories to 3.
▪ Continuing with the car manufacturer example, the security framework must enable the
expansion of automation. If the security framework is such that automation cannot be expanded,
then the security framework isn’t sufficiently aligned with the mission and objectives.

202 Copy rights reserved for STL Academy

 Cyber Security

Organizational processes (acquisitions, divestitures, governance committees)

▪ Be aware of the risks in acquisitions (since the state of the IT environment to be integrated is
unknown, due diligence is critical) and divestitures (you need to determine how to split the IT
infrastructure and what to do with identities and credentials).
▪ Understand the value of governance committees (vendor governance, project governance,
architecture governance, etc.).
▪ Executives, managers and appointed individuals meet to review architecture, projects and
incidents (security or otherwise), and provide approvals for new strategies or directions.

Organizational roles and responsibilities

▪ There are multiple roles to consider. Management has a responsibility to keep the business
running and to maximize profits and shareholder value.
▪ The security architect or security engineer has a responsibility to understand the organization’s
business needs, the existing IT environment, and the current state of security and vulnerability,
as well as to think through strategies (improvements, configurations and countermeasures) that
could maximize security and minimize risk.
▪ There is a need for people who can translate between technical and non-technical people.
▪ Costs must be justified and reasonable, based on the organization’s requirements and risk.

Security control frameworks

▪ A control framework helps ensure that your organization is covering all the bases around
securing the environment.
▪ There are many frameworks to choose from, such as Control Objectives for Information
Technology (COBIT) and the ISO 27000 series (27000, 27001, 27002, etc.). These frameworks
fall into four categories:
➢ Preventative: Preventing security issues and violations through strategies such as policies
and security awareness training.
➢ Deterrent: Discouraging malicious activities using access controls or technologies such as
firewalls, intrusion detection systems and motion-activated cameras.
➢ Detective: Uncovering unauthorized activity in your environment.
➢ Corrective: Getting your environment back to where it was prior to a security incident.

Due Care / Due Diligence

▪ Due care is about your legal responsibility within the law or within organizational policies to
implement your organization’s controls, follow security policies, do the right thing and make
reasonable choices.
▪ Due diligence is about understanding your security governance principles (policies and
procedures) and the risks to your organization.
▪ Due diligence often involves gathering information through discovery, risk assessments and
review of existing documentation; creating documentation to establish written policies; and
disseminating the information to the organization.
▪ Sometimes, people think of due diligence as the method by which due care can be exercised.

Determine compliance requirements

▪ Noncompliance with applicable laws and industry standards can mean fines, jail time for
executives or even the end of a business.
▪ To achieve compliance, you must focus on controls. A few provide detailed documentation to
help organizations achieve compliance.

Copy rights reserved for STL Academy 203

 Cyber Security

▪ Privacy is about protection of PII. Laws vary. The European Union has tough laws around
privacy. Be familiar with the General Data Protection Regulation (GDPR).
▪ Understand the legal systems. Civil law is most common; rulings from judges typically do not set
precedents that impact other cases.
▪ With common law, which is used in the USA, Canada, the UK and former British colonies, rulings
from judges can set precedents that have significant impact on other cases.
▪ Customary law takes common, local and accepted practices and sometimes makes them laws.
Within common law, you have criminal law (laws against society) and civil law (typically person
vs. person and results in a monetary compensation from the losing party).
▪ Compliance factors into laws, regulations, and industry standards such as Sarbanes-Oxley
(SOX), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard
(PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal
Information Security Management Act (FISMA).

Legal and regulatory issues pertaining to information security in a global context

Licensing and intellectual property requirements
▪ While you might be familiar with your local legal and regulatory issues, you must be familiar with
legal and regulatory issues elsewhere too, at least at a high level.
▪ Understand the rules around:
➢ Trademarks: A logo, symbol or mascot used for marketing a brand
➢ Patents: A temporary monopoly for producing a specific item such as a toy, which must be
novel and unique to qualify for a patent
➢ Copyright: Exclusive use of artistic, musical or literary works that prevents unauthorized
duplication, distribution or modification)
➢ Licensing: A contract between the software producer and the consumer that limits the use
and/or distribution of the software

Cyber crimes and data breaches

▪ Before your organization expands to other countries, perform due diligence to understand their
legal systems and what changes might be required to the way that data is handled and secured.
▪ In particular, be familiar with the Council of Europe Convention on Cybercrime, a treaty signed by
many countries that establishes standards for cybercrime policy.
▪ Be familiar with the various laws about data breaches, including notification requirements. In the
United States, the Health Information Technology for Economic and Clinical Health (HITECH) Act
requires notification of a data breach in some cases, such as when the exposed personal health
information was not protected in accordance with the Health Insurance Portability and
Accountability Act (HIPAA).

Cyber crimes and data breaches

▪ The Gramm-Leach-Bliley Act (GLBA) applies to insurance and financial organizations; it requires
notification to federal regulators, law enforcement agencies and customers when a data breach
occurs. States in the United States also impose their own requirements concerning data
breaches.
▪ The EU and other countries have their own requirements too. The GDPR has very strict data
breach notification requirements: A data breach must be reported to the competent supervisory
authority within 72 hours of its discovery. Some countries do not have any reporting
requirements.

204 Copy rights reserved for STL Academy

 Cyber Security

▪ In India, cyber crimes are covered by the Information Technology Act, 2000 and the Indian Penal
Code, 1860. It is the Information Technology Act, 2000, which deals with issues related to cyber
crimes and electronic commerce.

Import / Export Controls

▪ Every country has laws around the import and export of hardware and software.
▪ For example, the United States has restrictions around the export of cryptographic technology,
and Russia requires a license to import encryption technologies manufactured outside the
country.

Trans-border Data Flow

▪ If your organization adheres to specific security laws and regulations, then you should adhere to
them no matter where the data resides. For example, even if you store a second copy of your
data in another country.
▪ Be aware of the applicable laws in all countries where you store data and maintain computer
systems. In some cases, data might need to remain in the country.
▪ In other cases, you need to be careful with your data because the technical teams might be
unaware of the security and compliance requirements.
▪ There is currently no dedicated data protection legislation in India. Data in general is governed by
the Information Technology Act, 2000 (IT Act), which is the umbrella legislation covering several
matters relating to IT activities, cybercrimes and security and the like, and under which rules
such as the Information Technology Rules 2011 (SPDI Rules) have been framed.
▪ The EU-US Privacy Shield (formerly the EU-US Safe Harbor agreement) controls data flow from
the EU to the United States.
▪ The EU has more stringent privacy protections and without the Safe Harbor act, personal data
flow from the EU to the United States would not be allowed.

Business Continuity in Cybersecurity

▪ Business Continuity Planning (BCP) is the process of creating preventive and recovery systems
to deal with potential cyber threats to an organization or to ensure process continuity in the wake
of a cyberattack.
▪ BCP's secondary goal is to ensure operational continuity before and during execution of disaster
recovery.
▪ By integrating cybersecurity and business
continuity planning, organizations can ensure that
the proper processes are being put in place and
resources are allocated to help facilitate a smooth
transition as they recover from an attack
▪ Steps in Business Continuity Plan(BCP)
1. Conduct Business Impact Analysis & Risk
Assessment
2. Develop Recovery Strategies
3. Solution Implementation
4. Testing & Acceptance
5. Routine Maintenance

Copy rights reserved for STL Academy 205

 Cyber Security

Business Impact Analysis

▪ A business impact analysis (BIA) is the process of determining the criticality of business activities
and associated resource requirements to ensure operational resilience and continuity of
operations during and after a business disruption.
▪ The BIA quantifies the impacts of disruptions on service delivery, risks to service delivery, and
recovery time objectives (RTOs) and recovery point objectives (RPOs).
▪ These recovery requirements are then used to develop strategies, solutions and plans.

▪ The fact of the matter is that today’s organizations cannot function without data.
▪ The BIA team must take into account all kinds of data associated with the organization.
▪ This is also where Recovery Time Objective (RTO), Mean Time Between Failures (MTBF),
Maximum Tolerable Downtime (MTD) and Recovery Point Objectives (RPO) would come in to
consideration.
▪ Identify the systems and services that the business relies on and figure out the impacts that a
disruption or outage would cause, including the impacts on business processes like accounts
receivable and sales.
▪ You also need to figure out which systems and services you need to get things running again
(think foundational IT services such as the network and directory, which many other systems rely
on).
▪ Be sure to prioritize the order in which critical systems and services are recovered or brought
back online.
▪ As part of the BIA, you will establish the recovery time objectives (RTOs) (how long it takes to
recover), the recovery point objectives (RPOs) (the maximum tolerable data loss), and maximum
tolerable downtime (MTD), along with the costs of downtime and recovery.

4.3 Asset Security

▪ Asset security for the CISSP exam focuses on virtual assets such as intellectual property and
data.
▪ Following Topics will be covered under this Domain.
➢ Identify and classify information and assets
➢ Determine and maintain information and asset ownership
➢ Protect privacy
➢ Ensure Appropriate Asset Retention
➢ Determine data security controls
➢ Establish information and asset handling requirements

206 Copy rights reserved for STL Academy

 Cyber Security

Identify and classify information and assets

▪ Data Classification or Information Classification is the process of classifying corporate
information into significant categories to ensure critical data is protected.
▪ Thus, the stored information stays safe and can be easily accessed when needed.
▪ The files are maintained in separate folders, which are accessible only by individuals who are
entitled to working with each kind of data.

▪ To improve security, you need to identify both your data and your physical assets and classify
them according to their importance or sensitivity, so you can specify procedures for handling
them appropriately based on their classification.

Data Classification
▪ Organizations classify their data using labels. You might be familiar with two government
classification labels, Secret and Top Secret.
▪ Non-government organizations generally use classification labels such as Public, Internal Use
Only, Partner Use Only, or Company Confidential.
▪ Data classification can be more granular; for example, you might label certain information as HR
Only.

Purpose of Data Classification

▪ Systematic classification of data helps
organizations manipulate, track and
analyze individual pieces of data.
▪ Data professionals often have a specific
goal when categorizing data.
▪ The goal affects the approach they take
and classification levels they use.

Confidentiality
▪ A classification system safeguards highly sensitive
data, such as customers' personally identifiable
information (PII), including credit card numbers,
Social Security numbers and other vulnerable data
types.
▪ Establishing a classification system helps an
organization focus on confidentiality and security
policy requirements, such as user permissions and
encryption.

Copy rights reserved for STL Academy 207

 Cyber Security

Data integrity
▪ A system that focuses on data integrity will require more storage, user permissions and proper
channels of access.

Data availability
▪ Addressing and ensuring information security and integrity makes it easier to know what data can
be shared with specific users.

How to Classify Information?

▪ Analyze and understand information assets and assign the level of sensitivity to each one of
them.
▪ The first step of information classification is assigning value to each information asset, depending
on the risk of loss or harm if the information gets disclosed

208 Copy rights reserved for STL Academy

 Cyber Security

Based on value, information is sorted as:

▪ Public Information – information that everyone within and outside the organization can access.
▪ Internal Information – information that is accessible by all employees.
▪ Confidential Information – information that is protected as confidential by all entities included or
impacted by the information. The highest level of security measures should be applied to such
data.
▪ Restricted Information – information that is available to most but not all employees.

Asset Classification
▪ You also need to identify and classify physical assets, such as computers, smartphones, desks
and company cars.
▪ Unlike data, assets are typically identified and classified by asset type.
▪ Often, asset classification is used for accounting purposes, but it can also be tied to information
security.
▪ For example, an organization might designate a set of special laptops with particular software
installed, and assign them to employees when they travel to high-risk destinations, so their day-
to-day assets can remain safely at home.
▪ Classification labels help users disseminate data and assets properly. For example, if Sue has a
document classified as Partner Use Only, she knows that it can be distributed only to partners;
any further distribution is a violation of security policy.
▪ In addition, some data loss prevention solutions can use classification data to help protect
company data automatically. For example, an email server can prevent documents classified as
Internal Use Only from being sent outside of the organization.
▪ People with the right clearance can view certain classifications of data or check out certain types
of company equipment (such as a company truck).
▪ Some organizations use it routinely throughout their environments, while other organizations use
it for special scenarios, such as a merger or acquisition.

Copy rights reserved for STL Academy 209

 Cyber Security

Clearance
▪ Clearance dictates who has access to what.
▪ Generally, a certain clearance provides access to a certain classification of data or certain types
of equipment.
▪ For example, Secret clearance gives access to Secret documents, and a law enforcement
organization might require a particular clearance level for use of heavy weaponry.

Formal access approval

▪ Whenever a user needs to gain access to data or assets that they don’t currently have access to,
there should be a formal approval process.
▪ The process should involve approval from the data owner, who should be provided with details
about the access being requested.
▪ Before a user is granted access to the data, they should be told the rules and limits of working
with it.
▪ For example, they should be aware that they must not send documents outside the organization
if they are classified as Internal Only.

Determine and maintain information and asset ownership

▪ Data owners are responsible for classifying the data they own. In larger companies, an asset
management department handles asset classification.
▪ A custodian is a hands-on role that implements and operates solutions for data (e.g., backups
and restores).
▪ A system owner is responsible for the computer environment (hardware, software) that houses
data; this is typically a management role with operational tasks handed off to the custodian.

Protect Privacy
▪ Varonis defines data privacy as a type of “information security that deals with the proper handling
of data concerning consent, notice, sensitivity and regulatory concerns.”
▪ On its most basic level, data privacy is a consumer’s understanding of their rights as to how their
personal information is collected, used, stored and shared.
▪ The use of personal information must be explained to consumers in a simple and transparent
manner and in most cases, consumers must give their consent before their personal information
is provided.
▪ Privacy protection is keeping the information you’d like to keep to yourself from getting into the
hands of companies, hackers, government organizations, and other groups.
▪ Each person has different expectations of privacy, so the level of security they need to feel that
their privacy is truly protected ranges greatly.

210 Copy rights reserved for STL Academy

 Cyber Security

▪ All workers need to be aware of the company’s privacy policies and procedures and know how to
contact data owners in the event of an issue.
▪ Key terms to understand include the following:

Data owners
▪ Data owners are usually members of the management or senior management team.
▪ They approve access to data (usually by approving the data access policies that are used day to
day).

Data processors
▪ Data processors are the users who read and edit the data regularly.
▪ Users must clearly understand their responsibilities with data based on its classification. Can
they share it? What happens if they accidentally lose it or destroy it?

Data Remanence
▪ Data remanence occurs when data is deleted but remains recoverable.
▪ Whenever you delete a file, the operating system marks the space the file took up as available.
But the data is still there, and with freely downloadable tools, you can easily extract that data.
▪ Organizations need to account for data remanence to ensure they are protecting their data.
▪ There are a few options:

Secure deletion or overwriting of data

▪ You can use a tool to overwrite the space that a file was using with random 1s and 0s, either in
one pass or in multiple passes.
▪ The more passes you use, the less likely it is that the data can be recovered.

Destroying the media

▪ You can shred disk drives, smash them into tiny pieces, or use other means to physically destroy
them.
▪ This is effective but renders the media unusable thereafter.

Degaussing
▪ Degaussing relies on the removal or reduction of magnetic fields on the disk drives.
▪ It is very effective and complies with many government requirements for data remanence.

Copy rights reserved for STL Academy 211

 Cyber Security

Collection limitation
▪ Security often focuses on protecting the data you already have. But part of data protection is
limiting how much data your organization collects.
▪ For example, if you collect users’ birthdates or identification card numbers, you then must protect
that data.
▪ If your organization doesn’t need the data, it shouldn’t collect it.
▪ Many countries are enacting laws and regulations to limit the collection of data. But many
organizations are unaware and continue to collect vast amounts of sensitive data.
▪ You should have a privacy policy that specifies what information is collected, how it is used and
other pertinent details.

Ensure appropriate asset retention

There are two aspects to data retention:
▪ You should ensure that your organization holds data for as long as required and also that it
securely deletes data that is no longer required, in order to reduce the risk of its exposure.
▪ To determine how long to keep certain data, you need to consider both whether the data is still
useful to your organization and whether there are any regulations, legal reasons or company
policies requiring its retention.
▪ In many cases, a company must keep data for longer than the data provides value; for example,
your organization might have a policy to retain email data for 7 years regardless of its value.
▪ As part of your comprehensive security policies, you should ensure the destruction of unneeded
data.

Hardware
▪ Even if you maintain data for the appropriate retention period, it won’t do you any good if you
don’t have hardware that can read the data.
▪ For example, if you have data on backup tapes and hold them for 10 years, you run the risk of
not being able to read the tapes toward the end of the retention period because tape hardware
changes every few years.

Personnel
▪ Suppose your company is retaining data for the required time periods and maintaining hardware
to read the data.
▪ But what happens if the only person who knew how to operate your tape drives and restore data
from them no longer works at the company, and the new team is only familiar with disk-to-disk
backup? You might not be able to get to your data! By documenting all the procedures and
architecture, you can minimize this risk.

Determine data security controls

▪ You need data security controls that protect your data as it is stored, used and transmitted.
▪ The industry identifies three data states:
➢ Data at rest is data stored on a storage medium (disk, tape, etc.).
➢ Data in motion is data moving from a source (such as a computer) to a destination (such as
another computer).
➢ Data in use is data that is actively being worked on (for example, a person editing a
spreadsheet).

212 Copy rights reserved for STL Academy

 Cyber Security

Scoping and tailoring

▪ Scoping is the process of finalizing which controls are in scope and which are out of scope (not
applicable).
▪ Tailoring is the process of customizing the implementation of controls for an organization.

Standards selection
▪ Standards selection is the process by which organizations plan, choose and document
technologies and/or architectures for implementation.
▪ For example, you might evaluate three vendors for an edge firewall solution. You could use a
standards selection process to help determine which solution best fits the organization.
▪ Vendor selection is closely related to standards selection but focuses on the vendors, not the
technologies or solutions. The overall goal is to have an objective and measurable selection
process.

Establish information and asset handling requirements

The key subtopics are important to know:

Markings and labels

▪ You should mark data to ensure that users are following the proper handling requirements. The
data could be printouts or media like disks or backup tapes.
▪ For example, if your employee review process is on paper, the documents should be labeled as
sensitive, so that anyone who stumbles across them accidentally will know not to read them but
turn them over to the data owner or a member of the management or security team.
▪ You also might restrict the movement of confidential data, such as backup tapes, to certain
personnel or to certain areas of your facility.
▪ Without labels, the backup tapes might not be handled in accordance with company
requirements.

Storage
▪ You can store data in many ways, including on paper, disk or tape.
▪ For each scenario, you must define the acceptable storage locations and inform users about
those locations.
▪ It is common to provide a vault or safe for backup tapes stored on premises, for example.
▪ Personnel who deal with sensitive papers should have a locked cabinet or similar secure storage
for those documents.
▪ Users should have a place to securely store files, such as an encrypted volume or an encrypted
shared folder.

Destruction
▪ Your organization should have a policy for destruction of sensitive data.
▪ The policy should cover all the mediums that your organization uses for storing data - paper,
disk, tape, etc. Some data classifications, such as those that deal with sensitive or confidential
information, should require the most secure form of data destruction, such as physical
destruction or secure data deletion with multiple overwrite passes.
▪ Other classifications might require only a single overwrite pass.
▪ When in doubt, destroy data as though it were classified as the most sensitive data at your
organization.

Copy rights reserved for STL Academy 213

 Cyber Security

Step 1: Build an Information Security Team

Step 2: Inventory and Manage Assets

Step 3: Assess Risk

Step 4: Manage Risk

Step 5: Develop an Incident Management and Disaster Recovery Plan

4.4 Security Engineering

Secure Design Principles
▪ The field of security engineering is very broad and there are many principles that need to be
adhered to in order to achieve rigorously secured systems; here are a few of them that should be
kept in mind by CISSP exam takers:

1. The least privilege principle

▪ According to the least privilege principle, any entity should be given the least possible set of
privileges to perform an action. It can be said that:
▪ Identity doesn’t determine the control; rather the function does.
▪ Rights are added only when there is a need and are discarded right after use.

2. Fail-safe defaults
▪ Unless access to an object has been explicitly given to a subject, it should be denied access to it.
▪ Access decisions are not made on exclusions; rather, they are made on permissions.
▪ The default action is to always deny (not grant) access.
▪ Even if the action fails, the system will still be as secure as it was when the action began.

3. Mechanism economy
All the mechanisms pertaining to the impartment of security should be kept as simple as possible.
Complex mechanisms can be incorrectly:
a) understood
b) configured
c) implemented
d) Modeled
▪ Simpler models entail that “less can go wrong.”
▪ In case of an error, it is always easier to spot and remedy.
▪ Keep the operation, implementation, design, and the interaction with other constituents as simple
as is possible. This makes the processes of analyzing, testing, and verifying simpler.

4. Full mediation
▪ Access to all objects need to be checked to ensure that they are allowed.
▪ The performance vs. security issue often creates problems for system administrators. For
instance, the access check results are often cached to increase performance, but what if the
permissions have been changed since the last access request? In most systems, cache flushing
mechanisms are absent.
▪ Access granting and management needs to be rigorous at all times.
▪ Access needs to be checked every single time without any exception.

214 Copy rights reserved for STL Academy

 Cyber Security

5. The openness of the design

▪ It’s a cliché in the field of secure system design that a mechanism’s security must never depend
on its design (or implementation) being kept secret.

6. Separation of privilege
▪ A system should never grant any permissions based on just one condition.
▪ This removes the existence of a single point of failure.
▪ Multiple conditions should be met before the granting of privileges. An example is two-factor
authentication, in which both token recognition and biometric systems are used for authentication
purposes.

7. Efficiency
▪ This is a very interesting, yet less-understood principle.
▪ It dictates that, once security mechanisms get implemented, the resource should not get more
difficult to access than it would have been if the mechanism were not present.
▪ Often people compromise on efficiency because of enhanced security, which is in direct violation
of secure system design fundamentals.

Architecture Frameworks
▪ Cyber security frameworks are sets of documents describing guidelines, standards, and best
practices designed for cyber security risk management.
▪ The frameworks exist to reduce an organization's exposure to weaknesses and vulnerabilities
that hackers and other cyber criminals may exploit.
▪ The word “framework” makes it sound like the term refers to hardware, but that’s not the case. It
doesn’t help that the word “mainframe” exists, and its existence may imply that we’re dealing with
a tangible infrastructure of servers, data storage, etc.
▪ But much like a framework in the “real world” consists of a structure that supports a building or
other large object, the cyber security framework provides foundation, structure, and support to an
organization’s security methodologies and efforts.
▪ A security architecture framework is a set of consistent guidelines and principles for
implementing different levels of business’ security architecture.
▪ Companies may opt to devise their frameworks by combining international standard frameworks,
such as:
➢ TOGAF
➢ SABSA
➢ OSA

Copy rights reserved for STL Academy 215

 Cyber Security

Types
▪ Frameworks break down into three types based on the needed function.

Control Frameworks
▪ Develops a basic strategy for the organization’s cyber security department
▪ Provides a baseline group of security controls
▪ Assesses the present state of the infrastructure and technology
▪ Prioritizes implementation of security controls

Program Frameworks
▪ Assesses the current state of the organization’s security program
▪ Constructs a complete cybersecurity program
▪ Measures the program’s security and competitive analysis
▪ Facilitates and simplifies communications between the cyber security team and the
managers/executives.

Risk Frameworks
▪ Defines the necessary processes for risk assessment and management
▪ Structures a security program for risk management
▪ Identifies, measures, and quantifies the organization’s security risks
▪ Prioritizes appropriate security measures and activities.

Cyber Security Frameworks

Need
▪ Cyber security frameworks remove some of the guesswork in securing digital assets.
▪ Frameworks give cyber security managers a reliable, standardized, systematic way to mitigate
cyber risk, regardless of the environment’s complexity.
▪ Cyber security frameworks help teams address cyber security challenges, providing a strategic,
well-thought plan to protect its data, infrastructure, and information systems.
▪ The frameworks offer guidance, helping IT security leaders manage their organization’s cyber
risks more intelligently.
▪ Companies can adapt and adjust an existing framework to meet their own needs or create one
internally.
▪ Home-grown frameworks may prove insufficient to meet those standards.
▪ Bottom line, businesses are increasingly expected to abide by standard cyber security practices,
and using these frameworks makes compliance easier and smarter.
▪ The proper framework will suit the needs of many different-sized businesses regardless of which
of the countless industries they are part of.
▪ Frameworks help companies follow the correct security procedures, which not only keeps the
organization safe but fosters consumer trust.
▪ Customers have fewer reservations about doing business online with companies that follow
established security protocols, keeping their financial information safe.

Best Practices
▪ Although every framework is different, certain best practices are applicable across the board.
Here, we are expanding on NIST’s five functions mentioned previously.

216 Copy rights reserved for STL Academy

 Cyber Security

Identify
▪ To manage the security risks to its assets, data, capabilities, and systems, a company must fully
understand these environments and identify potential weak spots.

Protect
▪ Companies must create and deploy appropriate safeguards to lessen or limit the effects of
potential cyber security breaches and events.

Detect
▪ Organizations should put in motion the necessary procedures to identify cyber security incidents
as soon as possible.

Respond
▪ Companies must be capable of developing appropriate response plans to contain the impacts of
any cyber security events.

Recover
▪ Companies must create and implement effective procedures that restore any capabilities and
services damaged by cyber security events.

Choosing Right Security Frameworks

▪ Different frameworks have different levels of complexity and scalability and choosing the right
one depends on your needs and the expectations of the system. Following are some of the most
famous security frameworks:

COBIT
▪ Control objectives for information and related technology or COBIT is a framework that was
developed by ISACA (an organization comprising IT governance officials) around 1995.
▪ Initially, the framework was used only to reduce the presence of technical risks within
organizations but, over the years, it has metamorphosed into COBIT 5, which provides the ability
to align IT with the business goals of a firm.

NIST SP 800 series

▪ NIST, or The National Institute of Standards and Technology of the United States, has been
working to build extensive collections of security standards and recommended practices
documentation.
▪ The NIST SP 800 series was published in 1990 for the first time and, since then, it has evolved
into something that can be referred to as the bible of information security.
▪ Many of the country’s governmental agencies use the NIST SP 800 to comply with the 200
requirements of the Federal Information Processing Standards (aka FIPS).
▪ Despite the overuse in the government sector, the NIST SP 800 should not be overlooked by
private sector organizations that are looking to build rigorous information security systems.

ISO 27000 series

▪ The ISO 27000 series was conceived by ISO (International Standards Organization). It is a
gigantic information security framework that is applicable to organizations, regardless of their
types and sizes.

Copy rights reserved for STL Academy 217

 Cyber Security

▪ It can be considered the information security equivalent of the ISO 9000 manufacturing quality
standards.
▪ Depending on the content, it is divided into various sub-standards.
▪ For instance, the ISO 27001 highlights the program requirements, whereas the ISO 27000
comprises a vocabulary and an overview.
▪ The ISO 27002 lays out the procedural steps that need to be followed while building an
information security system.

Biba
▪ Released in 1977, this model was created to supplement Bell-LaPadula.
▪ Its focus is on integrity.
▪ The methodology is “no read down” (for example, users with a Top Secret clearance can’t read
data classified as Secret) and “no write up” (for example, a user with a Secret clearance can’t
write data to files classified as Top Secret).
▪ By combining it with Bell-LaPadula, you get both confidentiality and integrity.

SABSA Framework
▪ Sherwood Applied Business Security Architecture (SABSA) is a methodology and framework that
can be used to develop security architectures and service management platforms at the
enterprise level.
▪ It resembles the Zachman Framework in structure but was developed independently of it.
▪ SABSA can be used to develop risk-driven security architectures that are supportive of critical
business processes and initiatives.
▪ The rudimentary tenet of the model is that the derivation of everything must be made from the
analysis of the enterprise requirements for security.
▪ There are other frameworks, such as ITIL and TNS, that are also worth exploring in this regard.
▪ The choice of the framework needs to be made after adequate brainstorming to ensure that the
subsequent customization of the blueprint
leads to an apt security design.
▪ SABSA, or the Sherwood Applied Business
Security Architecture, is a policy-driven
framework.
▪ It helps define the critical questions that
security architecture can only answer: what,
why, when, and who.
▪ The goal of SABSA is to ensure that after the design
of security services, they are then delivered and
supported as an integral part of the enterprise’s IT
management.
▪ One downside, however, is that SABSA doesn’t get
into specifics regarding technical implementation.
▪ The SABSA methodology has six layers (five
horizontals and one vertical).
▪ The contextual layer is at the top and includes
business requirements and goals.
▪ The second layer is the conceptual layer, which is the
architecture view.

218 Copy rights reserved for STL Academy

 Cyber Security

TOGAF Frameworks
▪ TOGAF, or The Open Group Architecture Framework,
helps determine which problems need to be solved
within the security infrastructure in a business.
▪ Its primary focus is on the organization’s goal and
scope, as well as the preliminary phases of security
architecture.
▪ TOGAF does not, however, give specific guidance on
ways to address security issues.
▪ TOGAF is good for implementing very big systems in
very big companies.
▪ It literally attempts to leave no stone unturned when it
comes to creating architectures intended to run at an
enterprise scale.

Copy rights reserved for STL Academy 219

 Cyber Security

OSA Frameworks
▪ On the other hand, the Open Security Architecture (OSA) is a framework related to technical and
functional security controls.
▪ OSA offers a comprehensive overview of crucial security components, principles, issues, and
concepts that underlie architectural decisions involved in designing effective security
architectures.
▪ OSA can only be used if the security architecture has already been designed.

Let's go briefly through each component of the OSA model:

▪ Mission - a brief statement of the organisation's purpose: the needs the organisation is striving
to fulfil, in alignment with its core competences and its values.
▪ Ambition - what the organisation wants to be "when it grows up", taking into consideration its
mission and the market dynamics. It is called Ambition, rather than the more traditional Vision, to
mark the fact that it should be highly aspirational in nature, ideally expanding beyond the
boundaries of the organisation and the market.
▪ Strategy - the means by which the organisation will fulfil its ambition. This may take the shape of
3 to 5 'Big Rocks'', i.e. key programs that the organisation will commit.
▪ Goals - these are specific, yet inspirational, objectives. Achieving them marks the successful
delivery of the Strategy, hence the fulfilment of the Ambition.

220 Copy rights reserved for STL Academy

 Cyber Security

▪ Metrics - analytical and quantitative measures that indicate whether the organisations is
achieving its goals, or not.
▪ Actions - activities and initiatives implemented by management to achieve the Goals.
▪ Results - the outcome of the Actions.
▪ Market forces, Customers, Core Competences and Values - external and internal elements
that are influenced by the Results and, in turn, influence the company's Mission and Ambition.
▪ Enterprise Risk Management - a systematic approach to the:
(1) identification and assessment of risks and weaknesses
(2) definition of responses
(3) periodic monitoring of both.
▪ Operational Effectiveness - the dynamic state of an organisation that is constantly focused on
achieving operational excellence through continuous improvement.

Security Models Evaluation Criteria

▪ Evaluation criteria provide a standard for quantifying the security of a computer system or
network.
▪ These criteria include:
➢ Trusted Computer System Evaluation Criteria (TCSEC)
➢ Trusted Network Interpretation (TNI)
➢ European Information Technology Security Evaluation Criteria (ITSEC)
➢ Common Criteria

Trusted Computer System Evaluation Criteria (TCSEC)

▪ The Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange
Book, is part of the Rainbow Series developed for the U.S. DoD by the National Computer
Security Center (NCSC).
▪ It’s the formal implementation of the Bell-LaPadula model.
▪ The evaluation criteria were developed to achieve the following objectives:
➢ Measurement: Provides a metric for assessing comparative levels of trust between different
computer systems.
➢ Guidance: Identifies standard security requirements that vendors must build into systems to
achieve a given trust level.
➢ Acquisition: Provides customers a standard for specifying acquisition requirements and
identifying systems that meet those requirements.

The four basic control requirements identified in the Orange Book are:
1. Security policy
▪ The rules and procedures by which a trusted system operates. Specific TCSEC requirements
include
➢ Discretionary access control (DAC): Owners of objects are able to assign permissions to
other subjects.
➢ Mandatory access control (MAC): Permissions to objects are managed centrally by an
administrator.
➢ Object reuse: Protects confidentiality of objects that are reassigned after initial use. For
example, a deleted file still exists on storage media; only the file allocation table (FAT) and
first character of the file have been modified. Thus residual data may be restored, which
describes the problem of data remanence. Object-reuse requirements define procedures for
actually erasing the data.

Copy rights reserved for STL Academy 221

 Cyber Security

➢ Labels: Sensitivity labels are required in MAC-based systems. Specific TCSEC labeling
requirements include integrity, export, and subject/object labels.

2. Assurance
▪ Guarantees that a security policy is correctly implemented. Specific TCSEC requirements (listed
here) are classified as operational assurance requirements:
➢ System architecture: TCSEC requires features and principles of system design that
implement specific security features.
➢ System integrity: Hardware and firmware operate properly and are tested to verify proper
operation.
➢ Covert channel analysis: TCSEC requires covert channel analysis that detects unintended
communication paths not protected by a system’s normal security mechanisms. A covert
storage channel conveys information by altering stored system data. A covert timing
channel conveys information by altering a system resource’s performance or timing.
➢ Trusted facility management: The assignment of a specific individual to administer the
security-related functions of a system. Closely related to the concepts of least privilege,
separation of duties, and need-to-know.
➢ Trusted recovery: Ensures that security isn’t compromised in the event of a system crash or
failure. This process involves two primary activities: failure preparation and system recovery.
➢ Security testing: Specifies required testing by the developer and the National Computer
Security Center (NCSC).
➢ Design specification and verification: Requires a mathematical and automated proof that
the design description is consistent with the security policy.
➢ Configuration management: Identifying, controlling, accounting for, and auditing all changes
made to the Trusted Computing Base (TCB) during the design, development, and
maintenance phases of a system’s lifecycle.
➢ Trusted distribution: Protects a system during transport from a vendor to a customer.

3. Accountability
▪ The ability to associate users and processes with their actions. Specific TCSEC requirements
include:
➢ Identification and authentication (I&A): Systems need to track who performs what activities.
➢ Trusted Path: A direct communications path between the user and the Trusted Computing
Base (TCB) that doesn’t require interaction with untrusted applications or operating-system
layers.
➢ Audit: Recording, examining, analyzing, and reviewing security-related activities in a trusted
system.

4. Documentation
▪ Specific TCSEC requirements include:
➢ Security Features User’s Guide (SFUG): User’s manual for the system.
➢ Trusted Facility Manual (TFM): System administrator’s and/or security administrator’s
manual.
➢ Test documentation: According to the TCSEC manual, this documentation must be in a
position to “show how the security mechanisms were tested, and results of the security
mechanisms’ functional testing.”

222 Copy rights reserved for STL Academy

 Cyber Security

➢ Design documentation: Defines system boundaries and internal components, such as the
Trusted Computing Base (TCB).

▪ Major limitations of the Orange Book include that:

▪ It addresses only confidentiality issues. It doesn’t include integrity and availability.
▪ It isn’t applicable to most commercial systems.
▪ It emphasizes protection from unauthorized access, despite statistical evidence that many
security violations involve insiders.
▪ It doesn’t address networking issues.

Trusted Network Interpretation (TNI)

▪ Part of the Rainbow Series, like TCSEC (discussed in the preceding section), Trusted Network
Interpretation (TNI) addresses confidentiality and integrity in trusted computer/communications
network systems.
▪ Within the Rainbow Series, it’s known as the Red Book.
▪ Part I of the TNI is a guideline for extending the system protection standards defined in the
TCSEC (the Orange Book) to networks.
▪ Part II of the TNI describes additional security features such as communications integrity,
protection from denial of service, and transmission security.

European Information Technology Security Evaluation Criteria (ITSEC)

▪ Unlike TCSEC, the European Information Technology Security Evaluation Criteria (ITSEC)
addresses confidentiality, integrity, and availability, as well as evaluating an entire system,
defined as a Target of Evaluation (TOE), rather than a single computing platform.
▪ ITSEC evaluates functionality (security objectives, or why; security-enforcing functions,
or what; and security mechanisms, or how) and assurance (effectiveness and correctness)
separately.
▪ The ten functionality (F) classes and seven evaluation (E) (assurance) levels are listed in the
following table.

Copy rights reserved for STL Academy 223

 Cyber Security

ITSEC Functionality (F) Classes and Evaluation (E) Levels mapped to TCSEC levels

Common Criteria
▪ The Common Criteria for Information Technology Security Evaluation (usually just
called Common Criteria) is an international effort to standardize and improve existing European
and North American evaluation criteria.
▪ The Common Criteria has been adopted as an international standard in ISO 15408.
▪ The Common Criteria defines eight evaluation assurance levels (EALs), which are listed in the
following table.

Distributed Systems
▪ In a distributed system, one must consider many possible security risks. To mitigate these risks
there are a number of strategies that can be employed:

224 Copy rights reserved for STL Academy

 Cyber Security

➢ Encryption algorithms that protect data in transit and at rest.

➢ Firewalls that limit access to specific ports/cables.
➢ Intrusion detection systems that identify anomalous behavior among network services.
➢ Intrusion prevention systems (IPS) respond to attempted intrusions by initiating defensive
actions like blocking suspicious IP addresses or taking down compromised servers.
▪ These measures may be insufficient, to identify attacks at the network level without help from
other sources.
▪ We can not only prevent malicious actors from gaining access to our machines from other
machines in the same firewall but can also monitor our own actions.
▪ Reckless data sharing can significantly increase exposure to both the threats themselves and the
costs entailed in defending against them.

Goals
▪ Security in a distributed system poses unique challenges that need to be considered when
designing and implementing systems.
▪ A compromised computer or network may not be the only location where data is at risk; other
systems or segments may also become infected with malicious code.
▪ Because these types of threats can occur anywhere, even across distances in networks with few
connections between them, new research has been produced to help determine how well
distributed security architectures are actually performing.
▪ In the past, security was typically handled on an end-to-end basis.
▪ All the work involved in ensuring safety occurred “within” a single system and was controlled by
one or two administrators.
▪ The rise of distributed systems has created a new ecosystem that brings with it unique
challenges to security.
▪ Distributed systems are made up of multiple nodes working together to achieve a common goal,
these nodes are usually called peers.

Security Requirements and Attacks

▪ A distributed system is composed of many independent units, each designed to run its own tasks
without communicating with the rest of them except through messaging service.
▪ A single point of failure can render a system completely incapable without any warning since
there is no single point that can perform all necessary operations.
▪ Attacks related to distributed systems are an area of active research.
▪ There were two main schools of thought, those who believed that network worms could be
stopped by employing firewalls and those who did not.
▪ A firewall might do nothing about worms and their ability to spread across various types of
networks, especially wireless networks and the Internet.
▪ This was because although firewalls were able to stop intruders from gaining access through the
firewall, they were unable to stop a worm from self-replicating.
▪ To summarize, there are numerous attacks that can be used against a network worm that has to
do with breaking functionality and altering data, or simply deleting it.

Popular security mechanisms in Distributed Systems

Secure Communication
➢ Authentication
➢ Shared Keys Authorship-Based Authentication

Copy rights reserved for STL Academy 225

 Cyber Security

➢ Key Distribution Center-Based Authentication

➢ Public key encryption based authentication

Message Integrity and Confidentiality

➢ Digital Signatures
➢ Session Keys

Access Controls
➢ Access Control Matrix
➢ Protection Domains
➢ Trusted Code
➢ Denial of Service

Secure Communication
Authentication
▪ Authentication and integrity are interdependent. For instance, consider a disseminated
framework that supports verification in aid of a relationship, but does not provide rules for
guaranteeing the integrity of the information.
▪ Alternatively, a framework that just ensures data truthfulness, while not measuring for validation.
▪ To guarantee truthfulness of information once it is exchanged subsequent to the right verification,
we make use of special keys encrypted by the session keys.
▪ The session key, which is a shared secret key, applies to the encryption of information
truthfulness (integrity) and discretion (confidentiality). Such a key is usable while, the set up
channel exists. At the point when the channel is shut, the session key is lost.

Shared Keys Authorship-Based Authentication

▪ Below figure depicts an authentication protocol based on shared keys.
▪ If a person, say X, wishes to build a communication channel with another person, say Y, their
communication is facilitated by sending a request message (say message1) by X to Y.
▪ The challenge ZY is sent back to X from Y through message2. This challenge can consist of any
random number. X encrypts the challenge
with the secret key KX,Y , which is shared
by y, and sends the encrypted challenge to
Yin the form of message3.
▪ At that point, when Y gets a response from
KX,Y (ZY)to its own challenge ZY, and to
check whether ZY is included or not, he
decrypts the message using the shared key.
▪ This way he knows X exists on the other
side and figures out who else is required for
encryption of ZY with ZX,Y. Y exhibits that
talks with X, however X still did not demonstrate talks with Y, so he sends the challenge ZX(via
message4) that it is answered with return of KX,Y (RX)(via message5). X is assured speaking
with Y when it decodes message5 to find KX,Y and ZX. In this fashion, (N(N−1))/2keys would be
required to manage “N” hosts.

226 Copy rights reserved for STL Academy

 Cyber Security

Key Distribution Center-Based Authentication

▪ The key distribution center (KDC) is another technique which can be utilized as an authentication
method.
▪ The key distribution center shares a secret key with each user, but no two users are required to
have a shared key.
▪ With the key distribution center, it is
important to deal with N keys.
▪ Figure shows how this authentication
works. X expresses its interest to
communicate with Y by sending a
message to the Key Distribution Center.
▪ A message is returned to X by the Key
Distribution Center that contains secret
shared keys KX,Y which can be used by X.
▪ Furthermore, using the shared key KX,Y which is encrypted by secret key KY, KDC is sent by the
Key Distribution Center to Y.
▪ The Needham-Schroeder verification protocol is outlined in view of this model.

Public key encryption based authentication

▪ Figure depicts the use of public key cryptography as an authentication protocol. X being the first
person, makes the first move of sending challenge ZX to user Y, which is encrypted by its public
key K+Y.
▪ A challenge must be sent to X by Y after the latter decrypts the message.
▪ X is assured of communicating to Y, in view of the fact that Y is the only user who can decrypt
this message by means of the private key associated with the public key of X. When Y receives
the channel establishment request from
X, it returns the decrypted challenge
accompanying its own challenge ZY to
authenticate X and generate session key
KX,Y .
▪ An encrypted message with public key
K+X related to X includes Y response to
the
▪ challenge X, own challenge ZY and
session key that is shown as message 2
in the figure.
▪ Only X is able to decrypt the message using the private key K−X related to K+X.
▪ Finally, X returns his response to the challenge Y using the session key KX,Y which is
▪ produced by B. Therefore, it can decode messages 3 and, in fact, Y talks to X.

Message Integrity and Confidentiality

Digital Signatures
▪ A digital signature can be thought of as the digital counterpart of a handwritten signature or
printed seal that offers better security than conventional signatures.
▪ A computerized signature guarantees approval of confirmation and respectability of any message
or electronic report.
▪ Uneven cryptography, which is a sort of open key cryptography, frames the premise of advanced
marks.

Copy rights reserved for STL Academy 227

 Cyber Security

▪ By the utilization of an open key calculation, for example, RSA, two keys can be created, one
private and one open.
▪ To make an advanced mark, marking programming, such as an email program, makes a
restricted hash of the electronic information to be agreed upon.
▪ The private key is then used to encode the hash.
▪ The encrypted hash along with other data, such as the hashing algorithm is the digital signature.
▪ The purpose behind encoding the hash rather than the whole message or report is that a hash
capacity can change
over a discretionary
contribution to a settled
length hash esteem,
which is generally
substantially shorter, in
this manner sparing
time as hashing is
considerably quicker
than marking.
▪ Each piece of hashed
information creates an
interesting code. Any
adjustments to the
information brings about an alternate esteem.
▪ This encourages us to approve the integrity of the information by utilizing the endorser’s open
key to unscramble the hash.

Session Keys
▪ During the formation of a protected channel, after completion of the verification stage,
▪ the users generally connect with a master session key to guarantee privacy.
▪ Another strategy is utilizing the same keys for classification and secure key settings.
▪ Assume that, the key that was utilized to build up the session is being utilized to guarantee both
trustworthiness and classification of the message as well.
▪ In this situation, each time the key is imperiled, an assailant can unscramble messages
transmitted during the old discourse, which isn’t at all satisfactory.
▪ Be that as it may, on the off chance that we utilize the session key to meet our motivation, if there
should be an occurrence of a traded off key situation, the assaulted can interrupt just a single
session and transmitted messages during different sessions stay private.
▪ In this manner, the blend of the keys into long-haul session keys, which are less expensive and
brief, is typically a decent decision for executing a protected channel for information trade.

Access Control Matrix

Protection Domains
▪ An access control list (ACL) is able to help actualize an effective access control framework,
through evacuating unfilled earnings. However, an access control list or highlight list pays little
respect to other criteria.
▪ The protection domain technique decreases the utilization of access control lists. Protection
domain is an arrangement of sets containing access rights and questions.
▪ Each match precisely indicates which activities are permitted to run for each protest. Solicitations
for activities, are dependably issued inside the range.

228 Copy rights reserved for STL Academy

 Cyber Security

▪ Along these lines, the supervisory reference first looks through its insurance area, at whatever
point the subject demands a question’s activity.
▪ As per space, the supervisory reference can check regardless of whether the application can be
run or not. Rather than being approved to do the supervisory reference in the whole assignment,
each subject could be allowed to complete a declaration to decide it has a place with which sort
of gathering.
▪ One needs to convey his endorsement to supervisory reference each time they need to peruse a
site page from the Internet.
▪ We secure it with digital signatures to ensure the beginning of the testament and its well-being.

Trusted Code
▪ The ability to migrate code between hosts has been created in recent years with the
development of distributed systems.
▪ Such systems can be protected by a tool known as Sandbox, which enables running programs
downloaded from the Internet in separation to prevent system failures or software vulnerabilities.
▪ If while trying to set up a rule is prohibited by the host, the program will come to a halt.
▪ If one wants to build a more flexible sandbox, playground designing procedures can be
downloaded from the internet.

Denial of Service
▪ The purpose of access control is to allow authentic users to have access to resources.
▪ Denial-of-service is an attack that stops authentic users from getting access to resources.
▪ Since distributed systems are open in nature, the need for protection against DoS is even more
essential.
▪ It becomes very difficult to prevent or manage DoS attacks that run from a single/multiple
source(s) to arrange a distributed denial-of-service (DDoS) attack.
▪ The intention usually is to install a malicious software into a victim’s machine.
▪ Firewall plays an important role here in restricting traffic into a internal network from the outside
world based on various filters according to suitable needs of the organization.

4.5 Communication and Network Security

Elements of a Network Security Architecture
▪ A network security architecture includes both network and security elements, such as the
following:

Copy rights reserved for STL Academy 229

 Cyber Security

Network Elements
▪ Network nodes (computers, routers, etc.), communications protocols (TCP/IP, HTTP, DNS, etc.),
connection media (wired, wireless), and topologies (bus, star, mesh, etc.).

Security Elements
▪ Cybersecurity devices and software, secure communications protocols (e.g. IPsec VPN and
TLS), and data privacy technologies (classification, encryption, key management, etc.).

Purpose of Network Security Architecture

▪ A well-designed cybersecurity architecture enables businesses to maintain flexibility in the face
of a cyberattack or a failure of one or more components of their framework.
▪ The architecture should be developed such that it will be able to handle day to day normal
business operations and prepare the company to face reasonable bursts, spikes, or surges in
traffic and to appropriately manage potential cyber threats to the organization.

230 Copy rights reserved for STL Academy

 Cyber Security

How Does a Security Architect Create a Network Security Architecture?

▪ A security architect is responsible for identifying and working to prevent potential cyber threats to
an organization’s network and systems.
▪ As part of their role, security architects should develop a network and security architecture that
provides the visibility and control necessary to identify and respond to cyber threats to an
organization’s systems.
▪ This includes developing a plan for locating security controls to maximize their benefit to the
company.

What is Network Security Design?

▪ In order to design a network in such a way as to prevent problems, network security design is
taken into consideration.
▪ In design of network security, a number of factors must be taken into consideration.
▪ The worst links, as well as defense in depth and compartmentalization, are included in this
thematic.

Copy rights reserved for STL Academy 231

 Cyber Security

What is Communication Network Design?

▪ In this process, designers analyze users' needs, then devise an initial set of technology designs
and price them, and reevaluate the concept until the final design is established.

Implement secure design principles in network architecture

Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol
(TCP/IP) models
▪ The Open Systems Interconnection (OSI) model is the more common of the two prevailing
network models.
▪ However, in the context of CISSP, you must
also be aware of the TCP/IP model and how it
compares to the OSI model.
▪ The TCP/IP model uses only four layers, while
the OSI model uses seven.
▪ The following table summarizes the layers of
each model.

Internet Protocol (IP) networking

▪ IP networking is what enables devices to communicate. IP provides the foundation for other
protocols to be able to communicate. IP itself is a connectionless protocol.
▪ IPv4 is for 32-bit addresses, and IPv6 is for 128-bit addresses. Regardless of which version you
use to connect devices, you then typically use TCP or UDP to communicate over IP.

232 Copy rights reserved for STL Academy

 Cyber Security

▪ TCP is a connection-oriented protocol that provides reliable communication, while UDP is a

connectionless protocol that provides best-effort communication.
▪ Both protocols use standardized port numbers to enable applications to communicate over the IP
network.

Implications of multilayer protocols

▪ Some protocols simultaneously use multiple layers of the OSI or TCP/IP model to communicate,
and traverse the layers at different times.
▪ The process of traversing theses layers is called encapsulation. For example, when a Layer 2
frame is sent through an IP layer, the Layer 2 data is encapsulated into a Layer 3 packet, which
adds the IP-specific information.
▪ Additionally, that layer can have other TCP or UDP data added to it for Layer 4 communication.

Converged protocols
▪ Like encapsulation, converged protocols enable communication over different mediums.
▪ For example, FCoE sends typical fibre channel control commands over Ethernet. Voice over IP
(VoIP) sends SIP or other voice protocols over typical IP networks.
▪ In most cases, this provides simplicity, since the same infrastructure can be used for multiple
scenarios.
▪ It can also add complexity by introducing more protocols and devices to manage and maintain on
that same infrastructure.

Software-defined networks
▪ Many networks follow either a two-tier (spine/leaf or core/access) or a three-tier (core,
distribution, edge/access) topology. While the core network might not change that frequently, the
edge or access devices can communicate with a variety of devices types and tenants.
▪ Increasingly, the edge or access switch is a virtual switch running on a hypervisor or virtual
machine manager. You must be able to add a new subnet or VLAN or make other network
changes on demand.
▪ You must be able to make configuration changes programmatically across multiple physical
devices, as well as across the virtual switching devices in the topology.
▪ A software-defined network enables you to make these changes for all devices types with ease.

Wireless Networks
▪ Wireless networks can be broken into the different 802.11 standards.
▪ The most common protocols within 802.11 are shown in the table below.
▪ Additional protocols have been proposed to IEEE, including ad, ah, aj, ax, ay and az. You should
be aware of the frequency that each protocol uses.
▪ You should also be familiar with the wireless security standards:

Copy rights reserved for STL Academy 233

 Cyber Security

Wired Equivalent Privacy (WEP)

▪ WEP is a legacy security algorithm for wireless networks. Originally, it was the only encryption
protocol for 802.11a and 802.11b networks.
▪ WEP used 64-bit to 256-bit keys, but with a weak stream cipher. WEP was deprecated in 2004 in
favor of WPA and WPA2. Today, WEP should be avoided.

Wi-Fi Protected Access (WPA)

▪ WPA uses Temporal Key Integrity Protocol (TKIP) with a 128-bit per-packet key.
▪ WPA is still vulnerable to password cracking from packet spoofing on a network.
▪ WPA typically uses a pre-shared key (PSK) and Temporal Key Integrity Protocol (TKIP) for
encryption. This is known as WPA Personal (which is typically used in a home environment).
▪ There is also a WPA Enterprise which can use certificate authentication or an authentication
server (such as a RADIUS server).

Wi-Fi Protected Access II (WPA 2)

▪ WPA2 is the current standard for wireless encryption.
▪ WPA2 is based on the Advanced Encryption Standard (AES) cipher with message authenticity
and integrity checking. AES is stronger than TKIP.
▪ Like WPA, WPA2 offers a PSK mode (for home or small business) and an enterprise mode
(known as WPA2-ENT).
▪ WPA2-ENT uses a new encryption key each time a user connects. The password is not stored
on the client devices (unlike PSK mode, which stores the passwords locally on clients).

Secure network components

▪ The components of a network make up the backbone of the logical infrastructure for an
organization.
▪ These components are often critical to day-to-day operations, and an outage or security issue
can cause millions of dollars in business losses. Here are issues to pay attention to:

Operation of hardware
▪ Modems are a type of Channel Service Unit/Data Service Unit (CSU/DSU) typically used for
converting analog signals into digital.
▪ In this scenario, the CSU handles communication to the provider network, while the DSU handles
communication with the internal digital equipment (in most cases, a router).
▪ Modems typically operate on Layer 2 of the OSI model.
▪ Routers operate on Layer 3 of the OSI model, and make the connection from a modem available
to multiple devices in a network topology, including switches, access points and endpoint
devices.
▪ Switches are typically connected to a router to enable multiple devices to use the connection.
Switches help provide internal connectivity, as well as create separate broadcast domains when
configured with VLANs.
▪ Switches typically operate at Layer 2 of the OSI model, but many switches can operate at both
Layer 2 and Layer 3.

Transmission media
▪ Wired transmission media can typically be described in three categories:
➢ Coaxial
➢ Ethernet

234 Copy rights reserved for STL Academy

 Cyber Security

➢ Fiber
▪ Coaxial is typically used with cable modem installations to provide connectivity to an ISP, and
requires a modem to convert the analog signals to digital.
▪ Ethernet is typically associated with Category 5 and Category 6 unshielded twisted-pair (UTP) or
shielded twisted pair (STP), and can be plenum-rated for certain installations.
▪ Fiber typically comes in two options, single-mode or multi-mode.
▪ Single-mode is typically used for long-distance communication, over several kilometers or miles.
▪ Multi-mode fiber is typically used for faster transmission, but with a distance limit depending on
the desired speed.
▪ Fiber is most often used in the datacenter for backend components.

Network access control (NAC) devices

▪ Much as you need to control physical access to equipment and wiring, you need to use logical
controls to protect a network. There are a variety of devices that provide this type of protection,
including the following:
➢ Stateful and stateless firewalls can perform inspection of the network packets that traverse
it and use rules, signatures and patterns to determine whether the packet should be delivered.
Reasons for dropping a packet could include addresses that don’t exist on the network, ports
or addresses that are blocked, or the content of the packet (such as malicious packets that
have been blocked by administrative policy).
➢ Intrusion detection and prevention devices. These devices monitor the network for unusual
network traffic and MAC or IP address spoofing, and then either alert on or actively stop this
type of traffic.
➢ Proxy or reverse proxy servers. Proxy servers can be used to proxy internet-bound traffic to
the internet, instead of having clients going directly to the internet. Reverse proxies are often
deployed to a perimeter network. They proxy communication from the internet to an internal
server, such as a web server. Like a firewall, a reverse proxy can have rules and policies to
block certain types of communication.

Application whitelisting
▪ Only applications on the whitelist can run on the endpoint.
▪ This can minimize the chances of malicious applications being installed or run.

Restricting the use of removable media

▪ In a high-security organization, you should minimize or eliminate the use of removable media,
including any removable storage devices that rely on USB or other connection methods.
▪ This can minimize malicious files coming into the network from the outside, as well as data
leaving the company on tiny storage mechanisms.

Automated patch management

▪ Patch management is the most critical task for maintaining endpoints.
▪ You must patch the operating system as well as all third-party applications. Beyond patching,
staying up to date on the latest versions can bring enhanced security.

Content-distribution networks (CDNs)

▪ CDNs are used to distribute content globally.
▪ They are typically used for downloading large files from a repository.

Copy rights reserved for STL Academy 235

 Cyber Security

▪ The repositories are synchronized globally, and then each incoming request for a file or service is
directed to the nearest service location.
▪ For example, if a request comes from Asia, a local repository in Asia, rather than one in the
United States. would provide the file access. This reduces the latency of the request and typically
uses less bandwidth.
▪ CDNs are often more resistant to denial of service (DoS) attacks than typical corporate networks,
and they are often more resilient.

Physical devices
▪ Physical security is one of the most important aspects of securing a network. Most network
devices require physical access to perform a reset, which can cause configurations to be deleted
and grant the person full access to the device and an easy path to any devices attached to it.
▪ The most common methods for physical access control are code-based or card-based access.
▪ Unique codes or cards are assigned to individuals to identify who accessed which physical doors
or locks in the secure environment.
▪ Secure building access can also involve video cameras, security personnel, reception desks and
more.
▪ In some high-security organizations, it isn’t uncommon to physically lock computing devices to a
desk. In the case of mobile devices, it is often best to have encryption and strong security
policies to reduce the impact of stolen devices because physically protecting them is difficult.

Components of Communications and Network Security

Four most essential components of communications and network security are:

Network Access Control (NAC)

236 Copy rights reserved for STL Academy

 Cyber Security

Intrusion Prevention System (IPS)

Security Information Event Management (SIEM)

Firewalls

Copy rights reserved for STL Academy 237

 Cyber Security

Different communication channels are:

Voice
▪ Voice communication covers many different technologies, which means that you will need to be
familiar with systems such as:
➢ PBX (private branch exchange)
➢ POTS (plain old telephone system)
➢ VoIP (Voice over Internet Protocol)
▪ Learning about voice technologies is essential because it is still one of the most costly services
that companies incur, so being able to effectively manage, investigate, and administer is really
important.
▪ If outside users are able to use your voice services fraudulently, your company may be liable if
crimes are committed with your services. International toll fraud is also costly, and can come
about from unsecured phone systems.

Multimedia Collaboration
▪ Multimedia collaboration includes applications such as instant messaging programs, video
conferencing, and other real-time collaboration tools.
▪ These tools are combined technologies of voice, data, text and video call in a single application
over the Internet.

VoIP
▪ This includes session controls and signaling protocols that relate to the notification and setup of
calls.
▪ This channel uses two codec software that are audio and video into digital frames as well as
open VoIP protocols such as H.323 and SIP (Session Initiated Protocol).

Remote Meeting Technology

▪ This technology allows users to share control of remote desktops, file sharing, chat functions,
voice and video.
▪ These technologies are vulnerable to unauthorized participation, eavesdropping, spying, data
leakage, and communications interception.
▪ To prevent these we employ technologies such as firewall restrictions, data encryption,
authentication security measures, etc.

Instant Messaging and Chat

▪ These were first introduced as text-based communication, many of these applications now
include voice, video, file sharing and remote control.

Content Distribution Network

▪ A CDN is a system of interconnected machines that provide large-scale services such as Internet
Service Providers (ISPs) and network operations.

Remote Access
➢ The dial-up system is the main idea behind remote access.
➢ This allows home-based users and travelling users the ability to access the internal network
from a dial-up modem connection.

238 Copy rights reserved for STL Academy

 Cyber Security

➢ This technology is the most affordable method for letting people connect to the system while
out of the office.

Virtualized Networks
▪ A virtualized network is also known as a Software-Defined Network (SDN), this means that
software and hardware are combined together to create a network that is bound and controlled
by a software component.

Implement secure communication channels according to design

▪ This section focuses on securing data in motion. You need to understand both design and
implementation aspects.

Voice
▪ As more organizations switch to VoIP, voice protocols such as SIP have become common on
Ethernet networks.
▪ This has introduced additional management, either by using dedicated voice VLANs on
networks, or establishing quality of service (QoS) levels to ensure that voice traffic has priority
over non-voice traffic.
▪ Other web-based voice applications make it more difficult to manage voice as a separate entity.
▪ The consumer Skype app, for example, allows for video and voice calls over the internet.
▪ This can cause additional bandwidth consumption that isn’t typically planned for in the network
topology design or purchased from an ISP.

Multimedia collaboration
▪ There are a variety of new technologies that allow instant collaboration with colleagues.
▪ Smartboards and interactive screens make meeting in the same room more productive.
▪ Add in video technology, and someone thousands of miles away can collaborate in the same
meeting virtually.
▪ Instant messaging through Microsoft Teams, Slack and other applications enables real-time
communication.
▪ Mobile communication has become a huge market, with mobile apps such as WhatsApp,
WeChat and LINE making real-time communication possible anywhere in the world.

Remote access
▪ Because of the abundance of connectivity, being productive in most job roles can happen from
anywhere.
▪ Even in a more traditional environment, someone working outside of the office can use a VPN to
connect and access all the internal resources for an organization.
▪ Taking that a step further, Remote Desktop Services (RDS) and virtual desktop infrastructure
(VDI) can give you the same experience whether you’re in the office or at an airport.
▪ If you have an internet connection, you can access the files and applications that you need to be
productive.
▪ A screen scraper is a security application that captures a screen (such as a server console or
session) and either records the entire session or takes a screen capture every couple of
seconds.
▪ Screen scraping can help establish exactly what a person did when they logged into a computer.
Screen scrapers are most often used on servers or remote connectivity solutions (such as VDI or
Remote Desktop farms).

Copy rights reserved for STL Academy 239

 Cyber Security

Data communications
▪ Whether you are physically in an office or working remotely, the communication between the
devices being used should be encrypted.
▪ This prevents any unauthorized device or person from openly reading the contents of packets as
they are sent across a network.
▪ Corporate networks can be segmented into multiple VLANs to separate different resources. For
example, the out-of-band management for certain devices can be on a separate VLAN so that no
other devices can communicate unless necessary.
▪ Production and development traffic can be segmented on different VLANs. An office building with
multiple departments or building floors can have separate VLANs for each department or each
floor in the building.
▪ Logical network designs can tie into physical aspects of the building as necessary. Even with
VLAN segments, the communication should be encrypted using TLS, SSL or IPSec.

Virtualized networks
▪ Many organizations use hypervisors to virtualize servers and desktops for increased density and
reliability. However, to host multiple servers on a single hypervisor, the Ethernet and storage
networks must also be virtualized.
▪ VMware vSphere and Microsoft Hyper-V both use virtual network and storage switches to allow
communication between virtual machines and the physical network.
▪ The guest operating systems running in the VMs use a synthetic network or storage adapter,
which is relayed to the physical adapter on the host.
▪ The software-defined networking on the hypervisor can control the VLANs, port isolation,
bandwidth and other aspects just as if it was a physical port.

4.6 Identity and Access Management (IAM)

Physical access control
▪ Physical access control is a set of policies to control who is granted access to a physical location.
▪ Real-world examples of physical access control include the following:
➢ Bar-room bouncers
➢ Subway turnstiles
➢ Airport customs agents
▪ Keycard or badge scanners in corporate offices

240 Copy rights reserved for STL Academy

 Cyber Security

What is information access control?

▪ Information access control restricts access to data and the software used to manipulate that
data. Examples include the following:
➢ Signing into a laptop using a password
➢ Unlocking a smartphone with a thumbprint scan
➢ Remotely accessing an employer’s internal network using a VPN
▪ In all these cases, software is used to authenticate and grant authorization to users who need to
access digital information.
▪ Authentication and authorization are integral components of information access control.

Control physical and logical access to assets

▪ There are some common methods for controlling access without regard for the asset type.
▪ For example, we need a way to authenticate users validate that they are who they say they are.
Then we need a way to authorize the users figure out whether they are authorized to perform the
requested action for the specific asset (such as read or write a given file or enter a particular
server room).

Authentication
▪ Traditional authentication systems rely on a username and password, especially for
authenticating to computing devices.
▪ LDAP directories are commonly used to store user information, authenticate users and authorize
users. But there are newer systems that enhance the authentication experience.
▪ Some replace the traditional username and password systems, while others (such as single sign-
on, or SSO), extend them. Biometrics is an emerging authentication method that includes (but is
not limited to) fingerprints, retina scans, facial recognition and iris scans.

Authorization
▪ Traditional authorization systems rely on security groups in a directory, such as an LDAP
directory. Based on your group memberships, you have a specific type of access (or no access).
▪ For example, administrators might grant one security group read access to an asset, while a
different security group might get read/write/execute access to the asset. This type of system has
been around a long time and is still the primary authorization mechanism for on-premises
technologies.
▪ Newer authorization systems incorporate dynamic authorization or automated authorization.
▪ For example, the authorization process might check to see if you are in the Sales department
and in a management position before you can gain access to certain sales data.
▪ Other information can be incorporated into authorization. For example, you can authenticate and
get read access to a web-based portal, but you can’t get into the admin area of the portal unless
you are connected to the corporate network.
▪ Next, let’s look at some key details around controlling access to specific assets.

Information
▪ “Information” and “data” are interchangeable here. Information is often stored in shared folders or
in storage available via a web portal.
▪ In all cases, somebody must configure who can gain access and which actions they can perform.
The type of authentication isn’t relevant here.
▪ Authorization is what you use to control the access.

Copy rights reserved for STL Academy 241

 Cyber Security

Systems
▪ In this context, “systems” can refer to servers or applications, either on premises or in the cloud.
▪ You need to be familiar with the various options for controlling access.
▪ In a hybrid scenario, you can use federated authentication and authorization in which the cloud
vendor trusts your on-premises authentication and authorization solutions.
▪ This centralized access control is quite common because it gives organizations complete control
no matter where the systems are.

Devices
▪ Devices include computers, smartphones and tablets. Today, usernames and passwords
(typically from an LDAP directory) are used to control access to most devices.
▪ Fingerprints and other biometric systems are common, too. In high-security environments, users
might have to enter a username and password and then use a second authentication factor
(such as a code from a smartcard) to gain access to a device.
▪ Beyond gaining access to devices, you also need to account for the level of access.
▪ In high-security environments, users should not have administrative access to devices, and only
specified users should be able to gain access to particular devices.

Facilities
▪ Controlling access to facilities (buildings, parking garages, server rooms, etc.) is typically handled
via badge access systems.
▪ Employees carry a badge identifying them and containing a chip.
▪ Based on their department and job role, they will be granted access to certain facilities (such as
the main doors going into a building) but denied access to other facilities (such as the power
plant or the server room).
▪ For high-security facilities, such as a data center, it is common to have multi-factor
authentication. For example, you must present a valid identification card to a security guard and
also go through a hand or facial scan to gain access to the data center. Once inside, you still
need to use a key or smartcard to open racks or cages.

Manage identification and authentication of people, devices and services

This section builds on the previous section. The subtopics are more operational in nature and go
into more detail.

SSO
▪ Single sign-on provides an enhanced user authentication experience as the user accesses
multiple systems and data across a variety of systems.
▪ It is closely related to federated identity management (which is discussed later in this section).
Instead of authenticating to each system individually, the recent sign-on is used to create a
security token that can be reused across apps and systems.
▪ Thus, a user authenticates once and then can gain access to a variety of systems and data
without having to authenticate again. Typically, the SSO experience will last for a specified
period, such as 4 hours or 8 hours.
▪ SSO often takes advantage of the user’s authentication to their computing device. For example,
a user signs into their device in the morning, and later when they launch a web browser to go to
a time-tracking portal, the portal accepts their existing authentication.

242 Copy rights reserved for STL Academy

 Cyber Security

▪ SSO can be more sophisticated. For example, a user might be able to use SSO to seamlessly
gain access to a web-based portal, but if the user attempts to make a configuration change, the
portal might prompt for authentication before allowing the change.
▪ Note that using the same username and password to access independent systems is not SSO.
Instead, it is often referred to as “same sign-on” because you use the same credentials.
▪ The main benefit of SSO is also its main downside: It simplifies the process of gaining access to
multiple systems for everyone.
▪ For example, if attackers compromise a user’s credentials, they can sign into the computer and
then seamlessly gain access to all apps using SSO. Multi-factor authentication can help mitigate
this risk.

LDAP
▪ Lightweight Directory Access Protocol (LDAP) is a standards-based protocol (RFC 4511) that
traces its roots back to the X.500 standard that came out in the early 1990s.
▪ Many vendors have implemented LDAP-compliant systems and LDAP-compliant directories,
often with vendor-specific enhancements.
▪ LDAP is especially popular for on-premises corporate networks.
▪ An LDAP directory stores information about users, groups, computers, and sometimes other
objects such as printers and shared folders.
▪ It is common to use an LDAP directory to store user metadata, such as their name, address,
phone numbers, departments, employee number, etc.
▪ Metadata in an LDAP directory can be used for dynamic authentication systems or other
automation.
▪ The most common LDAP system today is Microsoft Active Directory (Active Directory Domain
Services or AD DS).
▪ It uses Kerberos (an authentication protocol that offers enhanced security) for authentication, by
default.

Single- or multi-factor authentication

▪ There are three different authentication factors — something you know, something you have and
something you are.
▪ Each factor has many different methods. Something you know could be a username and
password or the answer to a personal question; something you have could be a smartcard or a
phone, and something you are could be a fingerprint or retinal scan. Single-factor authentication
requires only one method from any of the three factors usually a username and password.
▪ Multi-factor authentication (MFA) requires a method from each of two or three different factors,
which generally increases security.
▪ For example, requiring you to provide a code sent to a hard token in addition to a username and
password increases security because an attacker who steals your credentials is unlikely to also
have access to the hard token. Different methods provide different levels of security, though.
▪ For example, the answer to a personal question isn’t as secure as a token from a security app on
your phone, because a malicious user is much more likely to be able to discover the information
to answer the question on the internet than to get access to your phone.
▪ One downside to multi-factor authentication is the complexity it introduces; for instance, if a user
doesn’t have their mobile phone or token device with them, they can’t sign in.
▪ To minimize issues, you should provide options for the second method (for example, the user
can opt for a phone call to their landline).

Copy rights reserved for STL Academy 243

 Cyber Security

Accountability
▪ Accountability is the ability to track users’ actions as they access systems and data. You need to
be able to identify the users on a system, know when they access it, and record what they do
while on the system.
▪ This audit data must be captured and logged for later analysis and troubleshooting. Important
information can be found in this data.
▪ For example, if a user successfully authenticates to a computer in New York and then
successfully authenticates to a computer in London a few minutes later, that is suspicious and
should be investigated.
▪ If an account has repeated bad password attempts, you need data to track down the source of
the attempts.
▪ Today, many companies are centralizing accountability. For example, all servers and apps send
their audit data to the centralized system, so admins can gain insight across multiple systems
with a single query.
▪ Because of the enormous amount of data in these centralized systems, they are usually “big
data” systems, and you can use analytics and machine learning to unearth insights into your
environment.

Session Management
▪ After users authenticate, you need to manage their sessions.
▪ If a user walks away from the computer, anybody can walk up and assume their identity.
▪ To reduce the chances of that happening, you can require users to lock their computers when
stepping away.
▪ You can also use session timeouts to automatically lock computers.
▪ You can also use password-protected screen savers that require the user to re-authenticate.
▪ You also need to implement session management for remote sessions.
▪ For example, if users connect from their computers to a remote server over Secure Shell (SSH)
or Remote Desktop Protocol (RDP), you can limit the idle time of those sessions.

Registration and proofing of identity

▪ With some identity management systems, users must register and provide proof of their identity.
For example, with self-service password reset apps, it is common for users to register and prove
their identity.
▪ If they later forget their password and need to reset it, they must authenticate using an alternative
method, such as providing the same answers to questions as they provided during registration.
▪ Note that questions are often insecure and should be used only when questions can be
customized or when an environment doesn’t require a high level of security.
▪ One technique users can use to enhance question and answer systems is to use false answers.
For example, if the question wants to know your mother’s maiden name, you enter another name
which is incorrect but serves as your answer for authentication.
▪ Alternatively, you can treat the answers as complex passwords. Instead of directly answering the
questions, you can use a long string of alphanumeric characters such as
“Vdsfh2873423#@$wer78wreuy23143ya”.

Federated Identity Management (FIM)

▪ Note that this topic does not refer to Microsoft Forefront Identity Manager, which has the same
acronym.
▪ Traditionally, you authenticate to your company’s network and gain access to certain resources.

244 Copy rights reserved for STL Academy

 Cyber Security

▪ When you use identity federation, two independent organizations share authentication and/or
authorization information with each other.
▪ In such a relationship, one company provides the resources (such as a web portal) and the other
company provides the identity and user information.
▪ The company providing the resources trusts the authentication coming from the identity provider.
▪ Federated identity systems provide an enhanced user experience because users don’t need to
maintain multiple user accounts across multiple apps.
▪ Federated identity systems use Security Assertion Markup Language (SAML), OAuth, or other
methods for exchanging authentication and authorization information.

Credentials management systems

▪ A credentials management system centralizes the management of credentials.
▪ Such systems typically extend the functionality of the default features available in a typical
directory service.
▪ For example, a credentials management system might automatically manage the passwords for
account passwords, even if those accounts are in a third-party public cloud or in a directory
service on premises.
▪ Credentials management systems often enable users to temporarily check out accounts to use
for administrative purposes.
▪ For example, a database administrator might use a credentials management system to check out
a database admin account in order to perform some administrative work using that account.
▪ When they are finished, they check the account back in and the system immediately resets the
password.
▪ All activity is logged and access to the credentials is limited. Without a credentials management
system, you run the risk of having multiple credentials management approaches in your
organization.

Integrate identity as a third-party service

▪ There are many third-party vendors that offer identity services that complement your existing
identity store.
▪ For example, Ping Identity provides an identity platform that you can integrate with your on-
premises directory (such as Active Directory) and your public cloud services (such as Microsoft
Azure or Amazon AWS). Third-party identity services can help manage identities both on
premises and in the cloud:

On premises
▪ To work with your existing solutions and help manage identities on premises, identity services
often put servers, appliances or services on your internal network.
▪ This ensures a seamless integration and provides additional features, such as single sign-on.
▪ For example, you might integrate your Active Directory domain with a third-party identity provider
and thereby enable certain users to authenticate through the third-party identity provider for SSO.

Cloud
▪ Organizations that want to take advantage of software-as-a-service (SaaS) and other cloud-
based applications need to also manage identities in the cloud.
▪ Some of them choose identity federation they federate their on-premises authentication system
directly with the cloud providers.

Copy rights reserved for STL Academy 245

 Cyber Security

▪ There are some pros with using a cloud-based identity service:

▪ You can have identity management without managing the associated infrastructure.
▪ You can quickly start using a cloud-based identity service, typically within just a few minutes.
▪ Cloud-based identity services are relatively inexpensive.
▪ Cloud-based identity services offer services worldwide, often in more places and at a bigger
scale than most organizations can.
▪ The cloud provider often offers features not commonly found in on-premises environments. For
example, a cloud provider can automatically detect suspicious sign-ins attempts, such as those
from a different type of operating system than normal or from a different location than usual,
because they have a large amount of data and can use artificial intelligence to spot suspicious
logins.
▪ For services in the cloud, authentication is local, which often results in better performance than
sending all authentication requests back to an on-premises identity service.
▪ You also need to be aware of the potential downsides:
▪ You lose control of the identity infrastructure. Because identity is a critical foundational service,
some high-security organizations have policies that require complete control over the entire
identity service.
▪ There is a risk in using an identity service in a public cloud, although the public cloud can
sometimes be as secure or more secure than many corporate environments.
▪ You might not be able to use only the cloud-based identity service.
▪ Many companies have legacy apps and services that require an on-premises identity.
▪ Having to manage an on-premises identity infrastructure and a cloud-based identity system
requires more time and effort than just managing an on-premises environment.
▪ If you want to use all the features of a cloud identity service, the costs rise.
▪ On-premises identity infrastructures are not expensive compared to many other foundational
services such as storage or networking.
▪ There might be a large effort required to use a cloud-based identity service. For example, you
need to figure out new operational processes.
▪ You need to capture the auditing and log data and often bring it back to your on-premises
environment for analysis.
▪ You might have to update, upgrade or deploy new software and services. For example, if you
have an existing multi-factor authentication solution, it might not work seamlessly with your
cloud-based identity service.

Federated
▪ Federation enables your organization to use their existing identities (such as those used to
access your internal corporate systems) to access systems and resources outside of the
company network.
▪ For example, if you use a cloud-based HR application on the internet, you can configure
federation to enable employees to sign into the application with their corporate credentials.
▪ You can federate with vendors or partners.
▪ Federating between two organizations involves an agreement and software to enable your
identities to become portable (and thus usable based on who you federate with).
▪ Federation typically provides the best user experience because users don’t have to remember
additional passwords or manage additional identities.
▪ Other key facts about third-party identity services include:
➢ Often, you still need an on-premises directory service.

246 Copy rights reserved for STL Academy

 Cyber Security

➢ Many third-party identity services started off as solutions for web-based applications. They
have since to cover other use cases but still can’t be used for many day-to-day authentication
scenarios. For example, most of them can’t authenticate users to their corporate laptops.
➢ Third-party identity services often offer single sign-on, multi-factor authentication and meta-
directory services (pulling data from multiple directories into a single third-party directory).
➢ Many of the offerings are cloud-based, with a minimal on-premises footprint.
▪ Third-party identity services typically support SAML, OpenID Connect, WS-Federation, OAuth
and WS-Trust.

Implement and manage authorization mechanisms

▪ This section focuses on access control methods. To prepare for the exam, you should
understand the core methods and the differences between them.

Role-based access control (RBAC)

▪ RBAC is a common access control method. For example, one role might be a desktop
technician.
▪ The role has rights to workstations, the anti-virus software and a software installation shared
folder.
▪ For instance, if a new desktop technician starts at your company, you simply add them to the role
group and they immediately have the same access as other desktop technicians.
▪ RBAC is a non-discretionary access control method because there is no discretion each role has
what it has.
▪ RBAC is considered an industry-standard good practice and is in widespread use throughout
organizations.

Rule-based access control

▪ Rule-based access control implements access control based on predefined rules. For example,
you might have a rule that permits read access to marketing data for anyone who is in the
marketing department, or a rule that permits only managers to print to a high-security printer.
▪ Rule-based access control systems are often deployed to automate access management.
➢ Many rule-based systems can be used to implement access dynamically. For example, you
might have a rule that allows anybody in the New York office to access a file server in New
York.
➢ If a user tries to access the file server from another city, they will be denied access, but if they
travel to the New York office, access will be allowed.

Copy rights reserved for STL Academy 247

 Cyber Security

➢ Rule-based access control methods simplify access control in some scenarios. For example,
imagine a set of rules based on department, title and location. If somebody transfers to a new
role or a new office location, their access is updated automatically. In particular, their old
access goes away automatically, addressing a major issue that plagues many organizations.

Mandatory access control (MAC)

▪ MAC is a method to restrict access based on a person’s clearance and the data’s classification
or label.
▪ For example, a person with a Top Secret clearance can read a document classified as Top
Secret.
▪ The MAC method ensures confidentiality.
▪ MAC is not in widespread use but is considered to provide higher security than DAC because
individual users cannot change access.

Discretionary access control (DAC)

▪ When you configure a shared folder on a Windows or Linux server, you use DAC.
▪ You assign somebody specific rights to a volume, a folder or a file. Rights could include read-
only, write, execute, list and more.
▪ You have granular control over the rights, including whether the rights are inherited by child
objects (such as a folder inside another folder).
▪ DAC is flexible and easy. It is in widespread use.
▪ It is difficult to reconcile all the various permissions throughout an organization.
▪ It can also be hard to determine all the assets that somebody has access to, because DAC is
very decentralized.

Attribute-based access control (ABAC)

▪ Many organizations use attributes to store data about users, such as their department, cost
center, manager, location, employee number and date of hire.
▪ These attributes can be used to automate authorization and to make it more secure. For
example, you might configure authorization to allow only users who have “Paris” as their office
location to use the wireless network at your Paris office.
▪ You might strengthen security for your HR folder by checking not only that users are members of
a specific group, but also that their department attribute is set to “HR”.

Methods
▪ A popular tool for information access control is a virtual private network (VPN).
▪ A VPN is a service that allows remote users to access the Internet as though they were
connected to a private network.

248 Copy rights reserved for STL Academy

 Cyber Security

▪ Corporate networks will often use VPNs to manage access control to their internal network
across a geographical distance.

▪ Connecting to the VPN will also help protect the employees against on-path attacks if they are
connected to a public WiFi network.
▪ When connected to a VPN, every data packet a user sends or receives has to travel an extra
distance before arriving at its destination, as each request and response has to hit the VPN
server before reaching its destination.
▪ This process often increases latency.

▪ VPNs generally provide an all-or-nothing approach to network security.

▪ VPNs are great at providing authentication, but not great at providing granular authorization
controls.
▪ If an organization wants to grant different levels of access to different employees, they have to
use multiple VPNs.

Copy rights reserved for STL Academy 249

 Cyber Security

Manage the identity and access provisioning lifecycle

▪ The identity lifecycle extends from the creation of users, to the provisioning of access, to the
management of users, to the deprovisioning of access or users.
▪ While there are several methods to manage this lifecycle, the following ordered steps provide an
overview of the typical implementation process:
1. A new user is hired at a company.
2. The HR department creates a new employee record in the human capital management (HCM)
system, which is the authoritative source for identity information such as legal name, address,
title and manager.
3. The HCM syncs with the directory service. As part of the sync, any new users in HCM are
provisioned in the directory service.
4. The IT department populates additional attributes for the user in the directory service. For
example, the users’ email address and role might be added.
5. The IT department performs maintenance tasks such as resetting the user’s password and
changing the user’s roles when they move to a new department.
6. The employee leaves the company. The HR department flags the user as terminated in the
HCM, and the HCM performs an immediate sync with the directory service. The directory
service disables the user account to temporarily remove access.
7. The IT department, after a specific period (such as 7 days), permanently deletes the user
account and all associated access.
▪ Beyond these steps, there are additional processes involved in managing identity and access:

User access review

▪ You should perform periodic access reviews in which appropriate personnel attest that each user
has the appropriate rights and permissions.
▪ Does the user have only the access they need to perform their job? Were all permissions granted
through the company’s access request process? Is the granting of access documented and
available for review? You should also review the configuration of your identity service to ensure it
adheres to known good practices.
▪ You should review the directory service for stale objects (for example, user accounts for
employees who have left the company). The primary goal is to ensure that users have the
access permissions they need and nothing more. If a terminated user still has a valid user
account, then you are in violation of your primary goal.

System account access review

▪ System accounts are accounts that are not tied one-to-one to humans.
▪ They are often used to run automated processes, jobs, and tasks.
▪ System accounts sometimes have elevated access. In fact, it isn’t uncommon to find system
accounts with the highest level of access (root or administrative access).
▪ System accounts require review similar to user accounts.
▪ You need to find out if system accounts have the minimum level of permissions required for what
they are used for.
▪ And you need to be able to show the details who provided the access, the date it was granted,
and what the permissions provide access to.

Provisioning and deprovisioning

▪ Account creation and account deletion provisioning and deprovisioning are key tasks in the
account lifecycle.

250 Copy rights reserved for STL Academy

 Cyber Security

▪ Create accounts too early and you have dormant accounts that can be targeted.
▪ Wait too long to disable and delete accounts and you also have dormant accounts that can be
targeted.
▪ When feasible, it is a good practice to automate provisioning and deprovisioning. Automation
helps reduce the time to create and delete accounts.
▪ It also reduces human error (although the automation code could have human error).
▪ Your company should establish guidelines for account provisioning and deprovisioning. For
example, your company might have a policy that an account must be disabled while the
employee is in the meeting being notified of their termination.

4.7 Security Assessment and Testing

▪ It is critical that organizations develop an effective strategy to regularly test, evaluate, and adapt
their business and technology environment to reduce the probability and impact of successful
attacks.

▪ Organizations need to implement a proactive assessment and test strategy for both existing and
new information systems and assets.
▪ The strategy should be an integral part of the risk management process.

Copy rights reserved for STL Academy 251

 Cyber Security

▪ In an Information System, Audit is referred to a systematic, technical assessment of an

organization’s security policies.
▪ An audit process depends upon the following phases:
➢ Determination of goals and scope
➢ Selection of Audit team
➢ Audit planning and preparation
➢ Conduct an Audit
➢ Documentation
➢ Issuing the review report

Design and validate assessment, test and audit strategies

▪ An organization’s assessment, testing and audit strategies will depend on its size, industry,
financial status and other factors.
▪ For example, a small non-profit, a small private company and a small public company will all
have different requirements and goals.
▪ Like any procedure or policy, the audit strategy should be assessed and tested regularly to
ensure that the organization is not doing a disservice to itself with the current strategy.

Internal
▪ An internal audit strategy should be aligned to the organization’s business and day-to-day
operations.
▪ For example, a publicly traded company will have a more rigorous auditing strategy than a
privately held company.
▪ However, the stakeholders in both companies have an interest in protecting intellectual property,
customer data and employee information.
▪ Designing the audit strategy should include laying out applicable regulatory requirements and
compliance goals.

External
▪ An external audit strategy should complement the internal strategy, providing regular checks to
ensure that procedures are being followed and the organization is meeting its compliance goals.

Third-party
▪ Third-party auditing provides a neutral and objective approach to reviewing the existing design,
methods for testing and overall strategy for auditing the environment.
▪ A third-party audit can also ensure that both internal and external auditors are following the
processes and procedures that are defined as part of the overall strategy.

252 Copy rights reserved for STL Academy

 Cyber Security

Conduct security control testing

▪ Security control testing can include testing of the physical facility, logical systems and
applications. Here are the common testing methods:

Vulnerability assessment
▪ The goal of a vulnerability assessment is to identify elements in an environment that are not
adequately protected.
▪ This does not always have to be from a technical perspective; you can also assess the
vulnerability of physical security or the external reliance on power, for instance.
▪ These assessments can include personnel testing, physical testing, system and network testing,
and other facilities tests.

Penetration testing
▪ A penetration test is a purposeful attack on systems to attempt to bypass automated controls.
▪ The goal of a penetration test is to uncover weaknesses in security so they can be addressed to
mitigate risk.
▪ Attack techniques can include spoofing, bypassing authentication, privilege escalation and more.
▪ Like vulnerability assessments, penetration testing does not have to be purely logical. For
example, you can use social engineering to try to gain physical access to a building or system.

Log reviews
▪ IT systems can log anything that occurs on the system, including access attempts and
authorizations.
▪ The most obvious log entries to review are any series of “deny” events, since someone is
attempting to access something that they don’t have permissions for.
▪ It’s more difficult to review successful events, since there are generally thousands of them, and
almost all of them follow existing policies.
▪ It can be important to show that someone or something did indeed access a resource that they
weren’t supposed to, either by mistake or through privilege escalation.
▪ A procedure and software to facilitate frequent review of logs is essential.

Synthetic transactions
▪ While user monitoring captures actual user actions in real time, synthetic — scripted or otherwise
artificial — transactions can be used to test system performance or security.

Code review and testing

▪ Security controls are not limited to IT systems.
▪ The application development lifecycle must also include code review and testing for security
controls.
▪ These reviews and controls should be built into the process just as unit tests and function tests
are; otherwise, the application is at risk of being unsecure.

Misuse case testing

▪ Software and systems can both be tested for use for something other than its intended purpose.
▪ From a software perspective, this could be to reverse engineer the binaries or to access other
processes through the software.
▪ From an IT perspective, this could be privilege escalation, sharing passwords and accessing
resources that should be denied.

Copy rights reserved for STL Academy 253

 Cyber Security

➢ Black box testing: The tester has no prior knowledge of the environment being tested.
➢ White box testing: The tester has full knowledge prior to testing.
➢ Dynamic testing: The system that is being tested is monitored during the test.
➢ Static testing: The system that is being tested is not monitored during the test.
➢ Manual testing: Testing is performed manually by humans.
➢ Automated testing: A script performs a set of actions.
➢ Structural testing: This can include statement, decision, condition, loop and data flow
coverage.
➢ Functional testing: This includes normal and anti-normal tests of the reaction of a system or
software. Anti-normal testing goes through unexpected inputs and methods to validate
functionality, stability and robustness.
➢ Negative testing: This test purposely uses the system or software with invalid or harmful
data, and verifies that the system responds appropriately.

Interface testing
▪ This can include the server interfaces, as well as internal and external interfaces.
▪ The server interfaces include the hardware, software and networking infrastructure to support the
server.
▪ For applications, external interfaces can be a web browser or operating system, and internal
components can include plug-ins, error handling and more.
▪ You should be aware of the different testing types for each system.

Collect security process data

▪ Organizations should collect data about policies and procedures and review it on a regular basis
to ensure that the established goals are being met.
▪ Additionally, they should consider whether new risks have appeared since the creation of the
process that must now be addressed.

Account management
▪ Every organization should have a defined procedure for maintaining accounts that have access
to systems and facilities.
▪ This doesn’t just mean documenting the creation of a user account, but can include when that
account expires and the logon hours of the account.
▪ This should also be tied to facilities access. For example, was an employee given a code or key
card to access the building? Are there hours that the access method is also prevented?
▪ There should also be separate processes for managing accounts of vendors and other people
who might need temporary access.

Management review and approval

▪ Management plays a key role in ensuring that these processes are distributed to employees, and
that they are followed.
▪ The likelihood of a process or procedure succeeding without management buy-in is minimal.
▪ The teams that are collecting the process data should have the full support of the management
team, including periodic reviews and approval of all data collection techniques.

Key performance and risk indicators

▪ You can associate key performance and risk indicators with the data that is being collected.

254 Copy rights reserved for STL Academy

 Cyber Security

▪ The risk indicators can be used to measure how risky the process, account, facility access or
other action is to the organization.
▪ The performance indicators can be used to ensure that a process or procedure is successful and
measure how much impact it has on the organization’s day-to-day operations.

Backup verification data

▪ A strict and rigorous backup procedure is almost useless without verification of the data.
▪ Backups should be restored regularly to ensure that the data can be recovered successfully.
▪ When using replication, you should also implement integrity checks to ensure that the data was
not corrupted during the transfer process.

Training and awareness

▪ Training and awareness of security policies and procedures are half the battle when
implementing or maintaining these policies.
▪ This extends beyond the security team that is collecting the data, and can impact every
employee or user in an organization.
▪ The table below outlines different levels of training that can be used for an organization.

Disaster recovery (DR) and business continuity (BC)

▪ Two areas that must be heavily documented are disaster recovery and business continuity.
Because these processes are infrequently used, the documentation plays a key role helping
teams understand what to do and when to do it.
▪ As part of your security assessment and testing, you should review DR and BC documentation to
ensure it is complete and represents a disaster from beginning to end. The procedures should
adhere to the company’s established security policies and answer questions such as, how do
administrators obtain system account passwords during a DR scenario?
▪ If some sensitive information is required during a DR or BC tasks, you need to ensure this
information is both secure and accessible to those who need it.

Analyze test output and generate reports

▪ The teams that analyze the security procedures should be aware of the output and reporting
capabilities for the data.
▪ Any information that is of concern must be reported to the management teams immediately so
that they are aware of possible risks or alerts.
▪ The level of detail given to the management teams might vary depending on their roles and
involvement.

Copy rights reserved for STL Academy 255

 Cyber Security

▪ The type of auditing being performed can also determine the type of reports that must be used.
For example, for an SSAE 16 audit, a Service Organization Control (SOC) report is required.
There are four types of SOC reports:
▪ SOC 1 Type 1: This report outlines the findings of an audit, as well as the completeness and
accuracy of the documented controls, systems and facilities.
▪ SOC 1 Type 2: This report includes the Type 1 report, along with information about the
effectiveness of the procedures and controls in place for the immediate future.
▪ SOC 2: This report includes the testing results of an audit.
▪ SOC 3: This report provides general audit results with a datacenter certification level.

Conduct or facilitate security audits

▪ Security audits should occur on a routine basis according to the policy set in place by the
organization.
▪ Internal auditing typically occurs more frequently than external or third-party auditing.

Internal
▪ Security auditing should be an ongoing task of the security team.
▪ There are dozens of software vendors that simplify the process of aggregating log data.
▪ The challenge is knowing what to look for once you have collected the data.

External
▪ External security auditing should be performed on a set schedule.
▪ This could be aligned with financial reporting each quarter or some other business-driven reason.

Third-party
▪ Third-party auditing can be performed on a regular schedule in addition to external auditing.
▪ The goal of third-party auditing can either be to provide checks and balances for the internal and
external audits, or to perform a more in-depth auditing procedure.

4.8 Security Operations

Security Operations Center
▪ A security operations center, or SOC, is a team of IT security professionals that protects the
organization by monitoring, detecting, analyzing, and investigating cyber threats.
▪ Networks, servers, computers, endpoint devices, operating systems, applications and databases
are continuously examined for signs of a cyber security incident.
▪ The SOC team analyzes feeds, establishes rules, identifies exceptions, enhances responses and
keeps a look out for new vulnerabilities.

256 Copy rights reserved for STL Academy

 Cyber Security

▪ Given that technology systems in the modern organization run 24/7, SOCs usually function
around the clock in shifts to ensure a rapid response to any emerging threats.
▪ SOC teams may collaborate with other departments and employees or work expert third party IT
security providers.

Copy rights reserved for STL Academy 257

 Cyber Security

Security Operations
Understand and support investigations
Evidence collection and handling
▪ Like a crime scene investigation, a digital investigation involving potential computer crimes has
rules and processes to ensure that evidence is usable in court.
▪ At a high level, you need to ensure that your handling of the evidence doesn’t alter the integrity of
the data or environment.
▪ To ensure consistency and integrity of data, your company should have an incident response
policy that outlines the steps to take in the event of a security incident, with key details such as
how employees report an incident.
▪ Additionally, the company should have an incident response team that is familiar with the incident
response policy and that represents the key areas of the organization (management, HR, legal,
IT, etc.).
▪ The team doesn’t have to be dedicated but instead could have members who have regular work
and are called upon only when necessary.
▪ With evidence collection, documentation is key. The moment a report comes in, the
documentation process begins.
▪ As part of the documentation process, you must document each time somebody handles
evidence and how that evidence was gathered and moved around; this is known as the chain of
custody.
▪ Interviewing is often part of evidence collection. If you need to interview an internal employee as
a suspect, an HR representative should be present. Consider recording all interviews, if that’s
legal.

Reporting and documenting

▪ There are two types of reporting: one for IT with technical details and one for management
without technical details.
▪ The company must be fully aware of the incident and kept up to date as the investigation
proceeds.
▪ Capture everything possible, including dates, times and pertinent details.

Investigative techniques
▪ When an incident occurs, you need to find out how it happened.
▪ A part of this process is the root cause analysis, in which you pinpoint the cause (for example, a
user clicked on a malicious link in an email, or a web server was missing a security update and
an attacker used an unpatched vulnerability to compromise the server).
▪ Often, teams are formed to help determine the root cause. Incident handling is the overall
management of the investigation think of it as project management but on a smaller level.
▪ NIST and others have published guidelines for incident handling. At a high level, it includes the
following steps: detect, analyze, contain, eradicate and recover.
▪ There are other smaller parts to incident handling, such as preparation and post-incident
analysis, like a “lessons learned” review meeting.

Digital forensics tools, tactics and procedures

▪ Forensics should preserve the crime scene, though in digital forensics, this means the
computers, storage and other devices, instead of a room and a weapon, for example.

258 Copy rights reserved for STL Academy

 Cyber Security

▪ Other investigators should be able to perform their own analyses and come to the same
conclusions because they have the same data. This requirement impacts many of the
operational procedures.
▪ Instead of performing scans, searches and other actions against the memory and storage of
computers, you should take images of the memory and storage, so you can thoroughly examine
the contents without modifying the originals.
▪ For network forensics, you should work from copies of network captures acquired during the
incident.
▪ For embedded devices, you need to take images of memory and storage and note the
configuration.
▪ In all cases, leave everything as is, although your organization might have a policy to have
everything removed from the network or completely shut down.
▪ New technologies can introduce new challenges in this area because sometimes existing tools
don’t work (or don’t work as efficiently) with new technologies.
▪ For example, when SSDs were introduced, they presented challenges for some of the old ways
of working with disk drives.

Understand the requirements for different types of investigations

▪ If a hacker defaces your company website, you might have a criminal investigation. Each type of
investigation has special considerations:

Administrative
▪ The primary purpose of an administrative investigation is to provide the appropriate authorities
with all relevant information so they can determine what, if any, action to take.
▪ Administrative investigations are often tied to HR scenarios, such as when a manager has been
accused of improprieties.

Criminal
▪ A criminal investigation occurs when a crime has been committed and you are working with a law
enforcement agency to convict the alleged perpetrator.
▪ In such a case, it is common to gather evidence for a court of law, and to have to share the
evidence with the defense. Therefore, you need to gather and handle the information using
methods that ensure that the evidence can be used in court.
▪ We covered some key points earlier, such as chain of custody. Be sure to remember that in a
criminal case, a suspect must be proven guilty beyond a reasonable doubt.
▪ This is more difficult than showing a preponderance of evidence, which is often the standard in a
civil case.

Civil
▪ In a civil case, one person or entity sues another person or entity; for example, one company
might sue another for a trademark violation.
▪ A civil case typically seeks monetary damages, not incarceration or a criminal record. As we just
saw, the burden of proof is less in a civil case.

Regulatory
▪ A regulatory investigation is conducted by a regulating body, such as the Securities and
Exchange Commission (SEC) or Financial Industry Regulatory Authority (FINRA), against an
organization suspected of an infraction.

Copy rights reserved for STL Academy 259

 Cyber Security

▪ In such cases, the organization is required to comply with the investigation, for example, by not
hiding or destroying evidence.

Industry standards
▪ An industry standards investigation is intended to determine whether an organization is adhering
to a specific industry standard or set of standards, such as logging and auditing failed logon
attempts.
▪ Because industry standards represent well-understood and widely implemented best practices,
many organizations try to adhere to them even when they are not required to do so in order to
reduce security, operational and other risks.

Conduct logging and monitoring activities

Intrusion detection and prevention
▪ There are two technologies that you can use to detect and prevent intrusions. You should use
both. Some solutions combine them into a single software package or appliance:

Intrusion detection system (IDS)

▪ It is a technology (typically software or an appliance) that attempts to identify malicious activity in
your environment.
▪ Solutions often rely on patterns, signatures, or anomalies. There are multiple types of IDS
solutions.
▪ For example, there are solutions specific to the network (network IDS or NIDS) and others
specific to computers (host-based IDS or HIDS).

Security information and event management (SIEM)

▪ If you need to find all failed logon attempts on your web servers, you could look through the logs
on each web server individually. But if you have a SIEM solution, you can go to a portal and
search across all web servers with a single query.
▪ A SIEM is a critical technology in large and security-conscious organizations.

Continuous monitoring
▪ Continuous monitoring is the process of streaming information related to the security of the
computing environment in real time (or close to real time).
▪ Some SIEM solutions offer continuous monitoring or at least some features of continuous
monitoring.

Egress monitoring
▪ Egress monitoring is the monitoring of data as it leaves your network.
▪ One reason is to ensure that malicious traffic doesn’t leave the network (for example, in a
situation in which a computer is infected and trying to spread malware to hosts on the internet).
▪ Another reason is to ensure that sensitive data (such as customer information or HR information)
does not leave the network unless authorized.
▪ The following strategies can help with egress monitoring:
▪ Data loss prevention (DLP) solutions focus on reducing or eliminating sensitive data leaving the
network.
▪ Steganography is the art of hiding data inside another file or message. For example,
steganography enables a text message to be hidden inside a picture file (such as a .jpg).
Because the file appears innocuous, it can be difficult to detect.

260 Copy rights reserved for STL Academy

 Cyber Security

▪ Watermarking is the act of embedding an identifying marker in a file. For example, you can
embed a company name in a customer database file or add a watermark to a picture file with
copyright information.

Securely provision resources

Asset inventory
▪ You need to have a method for maintaining an accurate inventory of your company’s assets. For
example, you need to know how many computers you have and how many installations of each
licensed software application you have.
▪ Asset inventory helps organizations protect physical assets from theft, maintain software
licensing compliance, and account for the inventory (for example, depreciating the assets).
▪ There are other benefits too. For example, if a vulnerability is identified in a specific version of an
application, you can use your asset inventory to figure out whether you have any installations of
the vulnerable version.

Asset management
▪ Assets, such as computers, desks and software applications, have a lifecycle simply put, you buy
it, you use it and then you retire it. Asset management is the process of managing that lifecycle.
▪ You keep track of all your assets, including when you got it, how much you paid for it, its support
model and when you need to replace it.
▪ For example, asset management can help your IT team figure out which laptops to replace
during the next upgrade cycle.
▪ It can also help you control costs by finding overlap in hardware, software or other assets.

Configuration management
▪ Configuration management helps you standardize a configuration across your devices.
▪ For example, you can use configuration management software to ensure that all desktop
computers have anti-virus software and the latest patches, and that the screen will automatically
be locked after 5 minutes of inactivity.
▪ The configuration management system should automatically remediate most changes users
make to a system.
▪ The benefits of configuration management include having a single configuration (for example, all
servers have the same baseline services running and the same patch level), being able to
manage many systems as a single unit (for example, you can deploy an updated anti-malware
application to all servers the same amount of time it takes to deploy it to a single server), and
being able to report on the configuration throughout your network (which can help to identify
anomalies).
▪ Many configuration management solutions are OS-agnostic, meaning that they can be used
across Windows, Linux and Mac computers.
▪ Without a configuration management solution, the chances of having a consistent and
standardized deployment plummets, and you lose the efficiencies of configuring many computers
as a single unit.

Understand and apply foundational security operations concepts

Need-to-know and least privilege
▪ Access should be given based on a need to know.

Copy rights reserved for STL Academy 261

 Cyber Security

▪ For example, a system administrator who is asked to disable a user account doesn’t need to
know that the user was terminated, and a systems architect who is asked to evaluate an IT
inventory list doesn’t need to know that his company is considering acquiring another company.
▪ The principle of least privilege means giving users the fewest privileges they need to perform
their job tasks; entitlements are granted only after a specific privilege is deemed necessary.
▪ It is a good practice and almost always a recommend practice.
▪ Two other concepts are important here:

Aggregation
The combining of multiple things into a single unit is often used in role-based access control.

Transitive trust
▪ From a Microsoft Active Directory perspective, a root or parent domain automatically trusts all
child domains.
▪ Because of the transitivity, all child domains also trust each other. Transitivity makes it simpler to
have trusts.

Separation of duties and responsibilities

▪ Separation of duties refers to the process of separating certain tasks and operations so that a
single person doesn’t control all them. For example, you might dictate that one person is the
security administrator and another is the email administrator.
▪ Each has administrative access to only their area. You might have one administrator responsible
for authentication and another responsible for authorization.
▪ The goal with separation of duties is to make it more difficult to cause harm to the organization
(via destructive actions or data loss, for example).

Privileged account management

▪ A special privilege is a right not commonly given to people. For example, certain IT staff might be
able to change other users’ passwords or restore a system backup, and only certain accounting
staff can sign company checks.
▪ Actions taken using special privileges should be closely monitored. For example, each user
password reset should be recorded in a security log along with pertinent information about the
task: date and time, source computer, the account that had its password changed, the user
account that performed the change, and the status of the change (success or failure).
▪ For high-security environments, you should consider a monitoring solution that offers screen
captures or screen recording in addition to the text log.

Job rotation
▪ Job rotation is the act of moving people between jobs or duties.
▪ For example, an accountant might move from payroll to accounts payable and then to accounts
receivable.
▪ The goal of job rotation is to reduce the length of one person being in a certain job (or handling a
certain set of responsibilities) for too long, which minimizes the chances of errors or malicious
actions going undetected.
▪ Job rotation can also be used to cross-train members of teams to minimize the impact of an
unexpected leave of absence.

262 Copy rights reserved for STL Academy

 Cyber Security

Information lifecycle
▪ Information lifecycle is made up of the following phases:
➢ Collect data: Data is gathered from sources such as log files and inbound email, and when
users produce data such as a new spreadsheet.
➢ Use data: Users read, edit and share data.
➢ Retain data (optional): Data is archived for the time required by the company’s data retention
policies. For example, some companies retain all email data for 7 years by archiving the data
to long-term storage until the retention period has elapsed.

Legal hold (occasional)

▪ A legal hold requires you to maintain one or more copies of specified data in an unalterable form
during a legal scenario (such as a lawsuit) or an audit or government investigation.
▪ A legal hold is often narrow; for example, you might have to put a legal hold on all email to or
from the accounts payable department.
▪ In most cases, a legal hold is invisible to users and administrators who are not involved in placing
the hold.

Delete data
▪ The default delete action in most operating systems is not secure.
▪ The data is marked as deleted, but it still resides on the disks and can be easily recovered with
off-the-shelf software.
▪ To have an effective information lifecycle, you must use secure deletion techniques such as disk
wiping (for example, by overwriting the data multiple times), degaussing and physical destruction
(shredding a disk).

Service-level agreements (SLAs)

▪ An SLA is an agreement between a provider (which could be an internal department) and the
business that defines when a service provided by the department is acceptable.
▪ For example, the email team might have an SLA that dictates that they will provide 99.9% uptime
each month or that spam email will represent 5% or less of the email in user mailboxes.
▪ SLAs can help teams design appropriate solutions. For example, if an SLA requires 99.9%
uptime, a team might focus on high availability and site resiliency. Sometimes, especially with
service providers, not adhering to SLAs can result in financial penalties.
▪ For example, an internet service provider (ISP) might have to reduce its monthly connection
charges if it does not meet its SLA.

Apply resource protection techniques

Media management
▪ Media management is the act of maintaining media for your software and data.
▪ This includes operating system images, installation files and backup media.
▪ Any media that you use in your organization potentially falls under this umbrella.
▪ There are some important media management concepts to know:

Source files
▪ If you rely on software for critical functions, you need to be able to reinstall that software at any
time.
▪ Despite the advent of downloadable software, many organizations rely on legacy software that
they purchased on disk years ago and that is no longer available for purchase.

Copy rights reserved for STL Academy 263

 Cyber Security

▪ To protect your organization, you need to maintain copies of the media along with copies of any
license keys.

Operating system images

▪ You need a method to manage your operating system images so that you can maintain clean
images, update the images regularly (for example, with security updates), and use the images for
deployments.
▪ Not only should you maintain multiple copies at multiple sites, but you should also test the
images from time to time.
▪ While you can always rebuild an image from your step-by-step documentation, that lost time
could cost your company money during an outage or other major issue.

Backup media
▪ Backup media is considered sensitive media. While many organizations encrypt backups on
media, you still need to treat the backup media in a special way to reduce the risk of it being
stolen and compromised. Many companies lock backup media in secure containers and store the
containers in a secure location. It is also common to use third-party companies to store backup
media securely in off-site facilities.

Hardware and software asset management

▪ At first glance, asset management might not seem related to security operations, but it actually
is.
▪ For example, if a vendor announces a critical vulnerability in a specific version of a product that
allows remote code execution, you need to quickly act to patch your devices which means you
need to be able to quickly figure out if you have any devices that are vulnerable.
▪ You can’t do that without effective asset management (and, in some cases, configuration
management).

Conduct incident management

▪ Incident management is the management of incidents that are potentially damaging to an
organization, such as a distributed denial of service attack. Not all incidents are computer-
related; for example, a break-in at your CEO’s office is also an incident.

Detection
▪ It is critical to be able to detect incidents quickly because they often become more damaging at
time passes.
▪ It is important to have a robust monitoring and intrusion detection solution in place.
▪ Other parts of a detection system include security cameras, motion detectors, smoke alarms and
other sensors.
▪ If there is a security incident, you want to be alerted (for example, if an alarm is triggered at your
corporate headquarters over a holiday weekend).

Response
▪ When you receive a notification about an incident, you should start by verifying the incident. For
example, if an alarm was triggered at a company facility, a security guard can physically check
the surroundings for an intrusion and check the security cameras for anomalies.
▪ For computer-related incidents, it is advisable to keep compromised systems powered on to
gather forensic data.

264 Copy rights reserved for STL Academy

 Cyber Security

▪ Along with the verification process, during the response phase you should also kick off the initial
communication with teams or people that can help with mitigation. For example, you should
contact the information security team initially during a denial-of-service attack.

Mitigation
▪ The next step is to contain the incident. For example, if a computer has been compromised and
is actively attempting to compromise other computers, the compromised computer should be
removed from the network to mitigate the damage.

Reporting
▪ Next, you should disseminate data about the incident. You should routinely inform the technical
teams and the management teams about the latest findings regarding the incident.

Recovery
▪ In the recovery phase, you get the company back to regular operations. For example, for a
compromised computer, you re-image it or restore it from a backup. For a broken window, you
replace it.

Remediation
▪ In this phase, you take additional steps to minimize the chances of the same or a similar attack
being successful.
▪ For example, if you suspect that an attacker launched attacks from the company’s wireless
network, you should update the wireless password or authentication mechanism.
▪ If an attacker gained access to sensitive plain text data during an incident, you should encrypt
the data in the future.

Operate and maintain detective and preventative measures

Firewalls
▪ While operating firewalls often involves adding and editing rules and reviewing logs, there are
other tasks that are important, too.
▪ For example, review the firewall configuration change log to see which configuration settings
have been changed recently.

Intrusion detection and prevention systems

▪ You need to routinely evaluate the effectiveness of your IDS and IPS systems.
▪ You also need to review and fine-tune the alerting functionality.
▪ If too many alerts are sent (especially false positive or false negatives), administrators will often
ignore or be slow to respond to alerts, causing response to a real incident alert to be delayed.

Whitelisting and blacklisting

▪ Whitelisting is the process of marking applications as allowed, while blacklisting is the process of
marking applications as disallowed.
▪ Whitelisting and blacklisting can be automated.
▪ It is common to whitelist all the applications included on a corporate computer image and
disallow all others.

Copy rights reserved for STL Academy 265

 Cyber Security

Security services provided by third parties

▪ Some vendors offer security services that ingest the security-related logs from your entire
environment and handle detection and response using artificial intelligence or a large network
operations center.
▪ Other services perform assessments, audits or forensics. Finally, there are third-party security
services that offer code review, remediation or reporting.

Sandboxing
▪ Sandboxing is the act of totally segmenting an environment or a computer from your production
networks and computers; for example, a company might have a non-production environment on
a physically separate network and internet connection.
▪ Sandboxes help minimize damage to a production network. Because computers and devices in a
sandbox aren’t managed in the same way as production computers, they are often more
vulnerable to attacks and malware.
▪ By segmenting them, you reduce the risk of those computers infecting your production
computers.
▪ Sandboxes are also often used for honeypots and honeynets, as explained in the next bullet

Honeypots and honeynets

▪ A honeypot or a honeynet is a computer or network purposely deployed to lure would-be
attackers and record their actions. The goal is to understand their methods and use that
knowledge to design more secure computers and networks.
▪ An anti-virus software company might use honeypots to validate and strengthen their anti-virus
and anti-malware software.
▪ Honeypots and honeynets have been called unethical because of their similarities to entrapment.

Anti-malware
▪ Anti-malware is a broad term that often includes anti-virus, anti-spam and anti-malware (with
malware being any other code, app or service created to cause harm).
▪ You should deploy anti-malware to every possible device, including servers, client computers,
tablets and smartphones, and be vigilant about product and definition updates.

Implement and support patch and vulnerability management

Patch management
▪ The updates that software vendors provide to fix security issues or other bugs are called
patches.
▪ Patch management is the process of managing all the patches in your environment, from all
vendors.
▪ A good patch management system tests and implements new patches immediately upon release
to minimize exposure.
▪ Many security organizations have released studies claiming that the single most important part of
securing an environment is having a robust patch management process that moves swiftly.
▪ A patch management system should include the following processes:

Automatic detection and download of new patches

▪ Detection and downloading should occur at least once per day.
▪ You should monitor the detection of patches so that you are notified if detection or downloading
is not functional.

266 Copy rights reserved for STL Academy

 Cyber Security

Automatic distribution of patches

▪ Initially, deploy patches to a few computers in a lab environment and run them through system
testing. Then expand the distribution to a larger number of non-production computers.
▪ If everything is functional and no issues are found, distribute the patches to the rest of the non-
production environment and then move to production.
▪ It is a good practice to patch your production systems within 7 days of a patch release.
▪ In critical scenarios where there is known exploit code for a remote code execution vulnerability,
you should deploy patches to your production systems the day of the patch release to maximize
security.

Reporting on patch compliance

▪ Even if you might have an automatic patch distribution method, you need a way to assess your
overall compliance.
▪ Do 100% of your computers have the patch? Or 90%? Which specific computers are missing a
specific patch?
▪ Reporting can be used by the management team to evaluate the effectiveness of a patch
management system.

Automatic rollback capabilities

▪ Sometimes, vendors release patches that create problems or have incompatibilities.
▪ Ensure you have an automated way of rolling back or removing the patch across all computers.
You don’t want to figure that out a few minutes before you need to do it.

Vulnerability management
▪ A vulnerability is a way in which your environment is at risk of being compromised or degraded.
▪ The vulnerability can be due to a missing patch. But it can also be due to a misconfiguration or
other factors.
▪ For example, when SHA-1 certificates were recently found to be vulnerable to attack, many
companies suddenly found themselves vulnerable and needed to take action (by replacing the
certificates).
▪ Many vulnerability management solutions can scan the environment looking for vulnerabilities.
Such solutions complement, but do not replace, patch management systems and other security
systems (such as anti-virus or anti-malware systems).
▪ Be aware of the following definitions:

Zero-day vulnerability
▪ A vulnerability is sometimes known about before a patch is available.
▪ Such zero-day vulnerabilities can sometimes be mitigated with an updated configuration or other
temporary workaround until a patch is available.
▪ Other times, no mitigations are available and you have to be especially vigilant with logging and
monitoring until the patch is available.
▪ Zero-day exploit
▪ Attackers can release code to exploit a vulnerability for which no patch is available.
▪ These zero-day exploits represent one of the toughest challenges for organizations trying to
protect their environments.

Copy rights reserved for STL Academy 267

 Cyber Security

4.9 Software Development Security

▪ There are seven primary stages of the modern system development life cycle.
➢ Planning Stage
➢ Feasibility or Requirements of Analysis Stage
➢ Design and Prototyping Stage
➢ Software Development Stage
➢ Software Testing Stage
➢ Implementation and Integration
➢ Operations and Maintenance Stage

1. The planning stage (also called the feasibility stage) is exactly what it sounds like: the phase in
which developers will plan for the upcoming project.
▪ It helps to define the problem and scope of any existing systems, as well as determine the
objectives for their new systems.

2. The analysis stage includes gathering all the specific details required for a new system as well as
determining the first ideas for prototypes.

Developers may:
➢ Define any prototype system requirements

268 Copy rights reserved for STL Academy

 Cyber Security

➢ Evaluate alternatives to existing prototypes

➢ Perform research and analysis to determine the needs of end-users

3. The design stage is a necessary precursor to the main developer stage.

▪ Developers will first outline the details for the overall application, alongside specific aspects, such
as its:
➢ User interfaces
➢ System interfaces
➢ Network and network
requirements
➢ Databases

4. The development stage is the part where developers actually write code and build the application
according to the earlier design documents and outlined specifications.
▪ This is where Static Application Security Testing or SAST tools come into play.

5. Software must be tested to make sure that there aren’t any bugs and that the end-user
experience will not negatively be affected at any point.

Copy rights reserved for STL Academy 269

 Cyber Security

▪ During the testing stage, developers will go over their software with a fine-tooth comb, noting any
bugs or defects that need to be tracked, fixed, and later retested.

6. After testing, the overall design for the software will come together.
▪ Different modules or designs will be integrated into the primary source code through developer
efforts, usually by leveraging training environments to detect further errors or defects.
▪ The information system will be integrated into its environment and eventually installed. After
passing this stage, the software is theoretically ready for market and may be provided to any
end-users.

7. The SDLC doesn’t end when software reaches the market.

▪ Developers must now move into a maintenance mode and begin practicing any activities
required to handle issues reported by end-users.
▪ Furthermore, developers are responsible for implementing any changes that the software might
need after deployment.

270 Copy rights reserved for STL Academy

 Cyber Security

Understand and integrate security throughout the software development lifecycle (SDLC)
▪ The lifecycle of development does not typically have a final goal or destination.
▪ Instead, it is a continuous loop of efforts that must include steps at different phases of a project.

Development methodologies
▪ There are many different development methodologies that organizations can use as part of the
development lifecycle.
▪ The following table lists the most common methodologies and the key related concepts.

Maturity models
▪ There are five maturity levels of the Capability Maturity Model Integration (CMMI):
1. Initial: The development process is ad hoc, inefficient, inconsistent and unpredictable.
2. Repeatable: A formal structure provides change control, quality assurance and testing.
3. Defined: Processes and procedures are designed and followed during the project.
4. Managed: Processes and procedures are used to collect data from the development cycle to
make improvements.
5. Optimizing: There is a model of continuous improvement for the development cycle.

Operation and maintenance

▪ After a product has been developed, tested and released, the next phase of the process is to
provide operational support and maintenance of the released product.
▪ This can include resolving unforeseen problems or developing new features to address new
requirements.

Copy rights reserved for STL Academy 271

 Cyber Security

Change management
▪ Changes can disrupt development, testing and release.
▪ An organization should have a change control process that includes documenting and
understanding a change before attempting to implement it.
▪ This is especially true the later into the project the change is requested.
▪ Each change request must be evaluated for capability, risk and security concerns, impacts to the
timeline, and more.

Integrated product team

▪ Software development and IT have typically been two separate departments or groups within an
organization.
▪ Each group typically has different goals: developers want to distribute finished code, and IT
wants to efficiently manage working systems.
▪ With DevOps, these teams work together to align their goals so that software releases are
consistent and reliable.

Identify and apply security controls in development environments

▪ The source code and repositories that make up an application can represent hundreds or
thousands of hours of work and comprise important intellectual property for an organization.
▪ Organizations must be prepared to take multiple levels of risk mitigation to protect the code, as
well as the applications.

Security of the software environments

▪ Historically, security has been an afterthought or a bolt-on after an application has been
developed and deployed, instead of a part of the lifecycle.
▪ When developing an application, considerations must be made for the databases, external
connections and sensitive data that are being handled by the application.

Security weaknesses and vulnerabilities at the source-code level

▪ The MITRE organization publishes a list of the 25 most dangerous software errors that can
cause weaknesses and vulnerabilities in an application (http://cwe.mitre.org/top25/#Listing).
▪ For example, if an input field is not verified for content and length, then unexpected errors can
occur.

Configuration management as an aspect of secure coding

▪ The change control process should be tightly integrated with development to ensure that security
considerations are made for any new requirements, features or requests.
▪ A centralized code repository helps in managing changes and tracking when and where revisions
to the code.
▪ The repository can track versions of an application so you can easily roll back to a previous
version if necessary.

Security of code repositories

▪ The version control system that houses source code and intellectual property is the code
repository.
▪ There might be different repositories for active development, testing and quality assurance.

272 Copy rights reserved for STL Academy

 Cyber Security

▪ A best practice for securing code repositories is to ensure that they are as far away from the
internet as possible, even if that means that they are on a separate internal network that does not
have internet access.
▪ Any remote access to a repository should use a VPN or another secure connection method.

Security of application programming interfaces

▪ There are five generations of programming languages.
▪ The higher the generation, the more abstract the language is and the less a developer needs to
know about the details of the operating system or hardware behind the code.
The five generations are:
1. Machine language
▪ This is the binary representation that is understood and used by the computer processor.

2. Assembly language
▪ Assembly is a symbolic representation of the machine-level instructions.
▪ Mnemonics represent the binary code, and commands such as ADD, PUSH and POP are used.
▪ The assemblers translate the code into machine language.

3. High-level language
▪ High-level languages introduce the ability to use IF, THEN and ELSE statements as part of the
code logic.
▪ The low-level system architecture is handled by the programming language. FORTRAN and
COLBOL are examples of generation 3 programming languages.

4. Very high-level language

▪ Generation 4 languages further reduce the amount of code that is required, so programmers can
focus on algorithms.
▪ Python, C++, C# and Java are examples of generation 4 programming languages.

5. Natural language
▪ Generation 5 languages enable a system to learn and change on its own, as with artificial
intelligence.
▪ Instead of developing code with a specific purpose or goal, programmers only define the
constraints and goal; the application then solves the problem on its own based on this
information.
▪ Prolog and Mercury are examples of generation 5 programming languages.

Assess security impact of acquired software

▪ When an organization merges with or purchases another organization, the acquired source code,
repository access and design, and intellectual property should be analyzed and reviewed.
▪ The phases of the development cycle should also be reviewed.
▪ You should try to identify any new risks that have appeared by acquiring the new software
development process.

Define and apply secure coding guidelines and standards

Security weaknesses and vulnerabilities at the source-code level
▪ One effective way of finding and fixing bugs is to use source code analysis tools, which are also
called static application security testing (SAST) tools.

Copy rights reserved for STL Academy 273

 Cyber Security

▪ These tools are most effective during the software development process, since it’s more difficult
to rework code after it is in production.
▪ Today, with security being of paramount concern, the expectation is that all source code is
scanned during development and after release into production.

Security of application programming interfaces

▪ Application programming interfaces (APIs) enable applications to make calls to other
applications.
▪ Without proper security, APIs are a perfect way for malicious individuals to compromise your
environment or application. The security of APIs starts with requiring authentication using a
method such as OAuth or API keys.
▪ Authorization should also be used and enforced. For example, one API key might enable you to
read information but you need a separate API key to alter or write information.
▪ Many companies use an API security gateway to centralize API calls and perform checks on the
calls (checking tokens, parameters, messages, etc.) to ensure they meet the organization’s
requirements.
▪ Other common methods to secure your APIs is to use throttling (which protects against DoS or
similar misuse), scan your APIs for weaknesses, and use encryption (such as with an API
gateway).

Secure coding practices

▪ There are established practices you should follow to maximize the security of your code. Some of
the most common ones are:
▪ Input validation: Validate input, especially from untrusted sources, and reject invalid input.
▪ Don’t ignore compiler warnings: When compiling code, use the highest warning level available
and address all warnings that are generated.
▪ Deny by default: By default, everybody should be denied access. Grant access as needed.
▪ Authentication and password management: Require authentication for everything that is not
meant to be available to the public. Hash passwords and salt the hashes.
▪ Access control: Restrict access using the principle of least privilege, and deny access if there
are issues checking access control systems.
▪ Cryptographic practices: Protect secrets and master keys by establishing and enforcing
cryptographic standards for your organization.
▪ Error handling and logging: Avoid exposing sensitive information in log files or error
messages. Restrict access to logs.
▪ Data protection: Encrypt sensitive information, everywhere.
▪ Communication security: Use Transport Layer Security (TLS) everywhere possible.
▪ System configuration: Lock down servers and devices. Keep software versions up to date with
fast turnaround for security fixes. You can find good information for securing your servers and
devices from NIST. Visit https://www.nist.gov to search for standards and guides related to your
environment.
▪ Memory management: Use input and output control, especially for untrusted data, and watch
for buffer size issues (use static buffers). Free memory when it is no longer required.

Section 3: Exercises
Exercise 1: Draw Business Continuity Planning Lifecycle.

274 Copy rights reserved for STL Academy

 Cyber Security

Exercise 2: Draw SABSA Lifecycle.

Exercise 3: Draw software development cycle.

Exercise 4: Participate in a group discussion on following topics:

a) Enterprise Architecture and Components
b) Information System Governance and Risk Assessment
c) Principles of security
d) Cyber-attacks, honeypots, vulnerability and pen testing
e) Handling bugs, secure storage platforms
f) Building a hacker mindset and defend against future attacks
g) Ethical Hacking, Footprinting and Reconnaissance
h) Network scanning and Enumeration
i) Vulnerability Analysis and System Hacking
j) Malware, Sniffing and Social Engineering concepts
k) Concepts of Denial-of-service and Session Hijacking
l) How to evade IDS, Firewalls, and Honeypots
m) Hack IoT, Web Servers, Web Applications, Wireless Networks and Mobile Platforms
n) SQL Injection and Advanced Cryptography
o) Details of CISSP Exam
p) Asset Security and Security Engineering
q) How to secure network architecture
r) Design, components, and communication channels
s) Identity and Access Management
t) Security Assessment and Testing
u) Security Operations and Software Development Security

Section 4: Assessment Questionnaire

Questions
1. What are the domains covered in CISSP domain?
2. What are the objectives of information security management to protect data?
3. What are the benefits of Risk Analysis?
4. What are the major areas of cyber laws?
5. _____ is about understanding your security governance principles (policies and procedures)
and the risks to your organization.
6. A __________ is the process of determining the criticality of business activities and associated
resource requirements to ensure operational resilience and continuity of operations during and
after a business disruption.
7. What are secure design principles?
8. A _________ is a service that allows remote users to access the Internet as though they were
connected to a private network.
9. VPN increases latency. (True/False)
10. What are the phases of audit process?
11. ______ provides a neutral and objective approach to reviewing the existing design, methods for
testing and overall strategy for auditing the environment.
12. What is Intrusion Detection System (IDS)?

Copy rights reserved for STL Academy 275

 Cyber Security

13. ______ can help block an attack before it gets inside your network.
14. ______ monitoring is the monitoring of data as it leaves your network.
15. _______ is the art of hiding data inside another file or message and _______ is the act of
embedding an identifying marker in a file.
16. What are the phases of Information lifecycle?
17. _______ is the process of marking applications as allowed, while ______ is the process of
marking applications as disallowed.
18. _______ is the act of totally segmenting an environment or a computer from your production
networks and computers.

----------End of the Module----------

276 Copy rights reserved for STL Academy

 Cyber Security

MODULE 5
TECHNOLOGY, APPLICATION AND POLICY
Section 1: Learning Outcomes
After completing this module, you will be able to:
▪ Describe about New Cybersecurity Technologies
▪ Explain functionalities and features of Security System, Services and Attacks
▪ Differentiate between various types of Cryptography techniques
▪ Compare different types of Network Security Protection
▪ Discuss on Case study of Cybersecurity
▪ Explain the Techniques used for Cybersecurity
▪ Describe the mechanism of Cybersecurity Policy Development and Audits

Section 2: Relevant Knowledge

5.1 Introduction
New Cybersecurity Technologies
▪ Here are some of the most popular cybersecurity technologies in the field.
➢ Behavioural Analytics
➢ Blockchain
➢ Cloud Encryption
➢ Context-Aware Security
➢ Defensive Artificial Intelligence (AI)
➢ Extended Detection and Response (XDR)
➢ Manufacturer Usage Description (MUD)
➢ Zero Trust
➢ Regulation

Behavioral Analytics
▪ Behavioral analytics looks at data to understand how people behave on websites, mobile
applications, systems, and networks.
▪ Cybersecurity professionals can use behavioral analytics platforms to find potential threats and
vulnerabilities.
▪ Analyzing patterns of behavior can lead to identifying unusual events and actions that may
indicate cybersecurity threats.
▪ For example, behavioral analytics may find that unusually large amounts of data are coming from
one device. This may mean a cyberattack is looming or actively happening.
▪ Other indicators of malicious activity include odd timing of events and actions that happen in an
unusual sequence.
▪ Benefits of using behavioral analytics include early detection of potential attacks and the ability to
predict future attacks.
▪ Organizations can automate detection and response using behavioral analytics.

Blockchain
▪ Blockchain is a type of database that securely stores data in blocks.

Copy rights reserved for STL Academy 277

 Cyber Security

▪ It connects the blocks through cryptography.

▪ Blockchain allows information to be collected, but not edited or deleted.
▪ Cybersecurity professionals can use blockchain to secure systems or devices, create standard
security protocols, and make it almost impossible for hackers to penetrate databases.
▪ Benefits of blockchain include better user privacy, reduction of human error, greater
transparency, and cost savings by removing the need for third-party verification.
▪ Blockchain also eliminates the security problem of storing data in one place. Instead, data gets
stored across networks, resulting in a decentralized system that is less vulnerable to hackers.
▪ Challenges of using blockchain include the cost and inefficiency of the technology.

Cloud Encryption
▪ Cloud services improve efficiency, help organizations offer improved remote services, and save
money.
▪ Storing data remotely in the cloud can increase data vulnerabilities.
▪ Cloud encryption technology changes data from understandable information into an unreadable
code before it goes into the cloud.
▪ Cybersecurity professionals use a mathematical algorithm to complete cloud encryption.
▪ Only authorized users with an encryption key can unlock the code, making data readable again.
▪ This restricted access minimizes the chance of data breaches by unauthorized attackers.
▪ Experts agree that cloud encryption is an excellent cybersecurity technology for securing data.
▪ Cloud encryption can prevent unauthorized users from gaining access to usable data.
▪ Cloud encryption can also foster customer trust in cloud services and make it easier for
companies to comply with government regulations.

Context-Aware Security
▪ Context-aware security is a type of cybersecurity technology that helps businesses make better
security decisions in real time.
▪ Traditional cybersecurity technologies assess whether or not to allow someone access to a
system or data by asking yes/no questions. This simple process can cause some legitimate
users to be denied, slowing productivity.
▪ Context-aware security reduces the chance of denying entry to an authorized user.
▪ Instead of relying on answers to static yes/no questions, context-aware security uses various
supportive information like time, location, and URL reputation to assess whether a user is
legitimate or not.
▪ Context-aware security streamlines data-accessing processes and makes it easier for legitimate
users to do their work. However, end-user privacy concerns pose a challenge.

Defensive Artificial Intelligence (AI)

▪ Defensive artificial intelligence (AI) detects or stop cyberattacks.
▪ Savvy cybercriminals use technologies like offensive AI and adversarial machine learning
because they are more difficult for traditional cybersecurity tools to detect.
▪ Offensive AI includes deep fakes, false images, personas, and videos that convincingly depict
people or things that never happened or do not exist.
▪ Malicious actors can use adversarial machine learning to trick machines into malfunctioning by
giving them incorrect data.
▪ Cybersecurity professionals can use defensive AI to detect and stop offensive AI from
measuring, testing, and learning how the system or network functions.
▪ Defensive AI can strengthen algorithms, making them more difficult to break.

278 Copy rights reserved for STL Academy

 Cyber Security

▪ Cybersecurity researchers can conduct harsher vulnerability tests on machine learning models.

Extended Detection and Response (XDR)

▪ Extended detection and response (XDR) is a type of advanced cybersecurity technology that
detects and responds to security threats and incidents.
▪ XDR responds across endpoints, the cloud, and networks. It evolved from the simpler traditional
endpoint detection and response.
▪ XDR provides a more holistic picture, making connections between data in different places.
▪ This technology allows cybersecurity professionals to detect and analyze threats from a higher,
automated level.
▪ This can help prevent or minimize current and future data breaches across an organization's
entire ecosystem of assets.
▪ Cybersecurity professionals can use XDR to respond to and detect targeted attacks,
automatically confirm and correlate alerts, and create comprehensive analytics.
▪ Benefits of XDR include automation of repetitive tasks, strong automated detection, and reducing
the number of incidents that need investigation.

Manufacturer Usage Description (MUD)

▪ Manufacturer usage description (MUD) is a standard created by the Internet Engineering Task
Force to strengthen security for IoT devices in small business and home networks.
▪ IoT devices are vulnerable to network-based attacks.
▪ These attacks can lead to loss of private data or cause a machine to stop working properly.
▪ IoT devices need to be secure without costing too much or being too complicated.
▪ Benefits of using MUD include simply, affordable improved security for IoT devices.
▪ Cybersecurity professionals can use MUD to make devices more secure against distributed
denial of service attacks.
▪ MUD can help reduce the amount of damage and data loss in the event of a successful attack.

Zero-Trust
▪ Traditional network security followed the motto "trust but verify," assuming that users within an
organization's network perimeter were not malicious threats.
▪ Zero Trust, on the other hand, aligns itself with the motto, "never trust, always verify.“
▪ A framework for approaching network security, Zero Trust makes all users authenticate
themselves before they get access to an organization's data or applications.
▪ Zero Trust does not assume that users inside the network are more trustworthy than anyone
else.
▪ This stricter scrutiny on all users can result in greater overall information security for the
organization.
▪ Cybersecurity professionals can use Zero Trust to deal more safely with remote workers and
challenges like ransomware threats.
▪ A Zero Trust framework may combine various tools, including multi-factor authentication, data
encryption, and endpoint security.

Regulation
▪ As the frequency of cyberattacks continues to grow significantly each year, governments are
beginning to use and promote best practice regulations.
▪ In the past, the governments did not often get involved in cybersecurity issues.

Copy rights reserved for STL Academy 279

 Cyber Security

▪ Security Magazine, an industry publication for cybersecurity professionals, predicts that 2022 will
be the year that governments start to play a bigger role in regulating how organizations ensure
user information security.
▪ Potential regulatory changes include executive orders regarding cybersecurity standards for
government suppliers, penalties for companies that do not engage in best practices, increased
demand for cyberinsurance, and ransomware disclosure laws. Greater regulation will likely lead
to improved security standards.

5.2 Systems Security

Security Systems
▪ Systems security describes the controls and safeguards that an organization takes to ensure its
networks and resources are safe from downtime, interference or malicious intrusion.
▪ If data security is meant to protect the information in the books in the library, then system security
is what protects the library itself.

Security Services
▪ The classification of security services are as follows:

Confidentiality
▪ Ensures that the information in a computer system and transmitted information are accessible
only for reading by authorized parties. E.g. Printing, displaying and other forms of disclosure.

Authentication
▪ Ensures that the origin of a message or electronic document is correctly identified, with an
assurance that the identity is not false.

Integrity
▪ Ensures that only authorized parties are able to modify computer system assets and transmitted
information. Modification includes writing, changing status, deleting, creating and delaying or
replaying of transmitted messages.

Non repudiation
▪ Requires that neither the sender nor the receiver of a message be able to deny the transmission.
Access control: Requires that access to information resources may be controlled by or the target
system.

280 Copy rights reserved for STL Academy

 Cyber Security

Availability
▪ Requires that computer system assets be available to authorized parties when needed

Security Attacks
▪ There are four general categories of security attack which are listed below.

Interruption
▪ An asset of the system is destroyed or becomes unavailable or unusable.
▪ This is an attack on availability e.g., destruction of piece of hardware, cutting of a communication
line or Disabling of file management system.

Interception
▪ An unauthorized party gains access to an asset.
▪ This is an attack on confidentiality.
▪ Unauthorized party could be a person, a program or a computer. e.g., wire tapping to capture
data in the network, illicit copying of files.

Modification
▪ An unauthorized party not only gains access to but tampers with an asset.
▪ This is an attack on integrity. e.g., changing values in data file, altering a program, modifying the
contents of messages being transmitted in a network.

Fabrication
▪ An unauthorized party inserts counterfeit objects into the system.
▪ This is an attack on authenticity. e.g., insertion of spurious message in a network or addition of
records to a file.

Types of Threats
▪ The security of a system can be threatened via two violations:

Threat
▪ A program that has the potential to cause serious damage to the system.

Copy rights reserved for STL Academy 281

 Cyber Security

Attack
▪ An attempt to break security and make unauthorized use of an asset.
▪ Security violations affecting the system can be categorized as malicious and accidental threats.

Malicious threats
▪ As the name suggests are a kind of harmful computer code or web script designed to create
system vulnerabilities leading to back doors and security breaches.

Accidental Threats
▪ On the other hand, are comparatively easier to be protected against.

282 Copy rights reserved for STL Academy

 Cyber Security

5.3 Cryptography & Network

▪ Cryptography is the art of keeping information secure by transforming it into form that unintended
recipients cannot understand.
▪ In cryptography, an original human readable message, referred to as plaintext.
▪ It is changed by means of an algorithm, or series of mathematical operations.
▪ Converted into something that to an uninformed observer would look like gibberish.
▪ This converted gibberish is called ciphertext.

▪ Cryptography is used to keep sensitive material, such as private passwords, secure online.
▪ Cybersecurity experts use cryptography to design algorithms, ciphers, and other security
measures that codify and protect company and customer data.
▪ To work in cryptography, individuals must possess programming skills.
▪ Cryptography requires professionals to work with various operating systems as well as coding
languages like C++, Java, and Python. Programming makes up the primary task of a
cryptographer’s job.

What is Cryptography used for?

▪ In the bigger picture, there are some broad cybersecurity goals that we use cryptography to help
us achieve goals
▪ Using cryptographic techniques, security pros can:

4 Key Points
▪ Keep the contents of data confidential
▪ Authenticate the identity of a message's sender and receiver
▪ Ensure the integrity of the data, showing that it hasn't been altered
▪ Demonstrate that the supposed sender really sent this message, a principle known as non-
repudiation

Copy rights reserved for STL Academy 283

 Cyber Security

Types of Cryptography
1. Symmetric Key Cryptography
▪ It is an encryption system where the sender and receiver of message use a single common key
to encrypt and decrypt messages.
▪ Symmetric Key Systems are faster and simpler but the problem is that sender and receiver have
to somehow exchange key in a secure manner.
▪ The most popular symmetric key cryptography system is Data Encryption System (DES).

2. Hash Functions
▪ There is no usage of any key in this algorithm.
▪ A hash value with fixed length is calculated as per the plain text which makes it impossible for
contents of plain text to be recovered.
▪ Many operating systems use hash functions to encrypt passwords.

3. Asymmetric Key Cryptography

▪ Under this system a pair of keys is used to encrypt and decrypt information.
▪ A public key is used for encryption and a private key is used for decryption.
▪ Public key and Private Key are different.
▪ Even if the public key is known by everyone the intended receiver can only decode it because
they alone know the private key.

284 Copy rights reserved for STL Academy

 Cyber Security

Network Security
▪ Network Security protects your network and data from breaches, intrusions and other threats.
▪ This is a vast and overarching term that describes hardware and software solutions as well as
processes or rules and configurations relating to network use, accessibility, and overall threat
protection.

Network Security Model

Copy rights reserved for STL Academy 285

 Cyber Security

Types of Network Security Protection

Firewall
▪ A firewall is a network security system that monitors and controls incoming and outgoing network
traffic based on predetermined security rules.
▪ A firewall typically establishes a barrier between a trusted network and an untrusted network,
such as the Internet.

Network Segmentation
▪ Network segmentation is an architectural approach that divides a network into multiple
segments or subnets, each acting as its own small network.

Access Control
▪ Access control is a security technique that regulates who or what can view or use resources in a
computing environment.

Remote Access VPN

▪ Remote access virtual private network (VPN) enables users who are working remotely to
securely access and use data from a corporate data center.

286 Copy rights reserved for STL Academy

 Cyber Security

Zero Trust Network Access (ZTNA)

▪ Zero trust network access (ZTNA) is a product or service that creates an identity- and context-
based, logical access boundary around an application or set of applications.
▪ The applications are hidden from discovery, and access is restricted via a trust broker to a set of
named entities.

Email Security
▪ Email security is a term for describing different procedures and techniques for protecting email
accounts, content, and communication against unauthorized access, loss or compromise.
▪ Email is often used to spread malware, spam and phishing attacks.

Data Loss Prevent (DLP)

▪ Data loss prevention, or DLP, is a set of technologies, products, and techniques that are
designed to stop sensitive information from leaving an organization.
▪ Data can end up in the wrong hands whether it's sent through email or instant messaging,
website forms, file transfers, or other means.

Copy rights reserved for STL Academy 287

 Cyber Security

Intrusion Prevent System (IPS)

▪ Intrusion prevention system (IPS) is a network security tool (which can be a hardware device or
software) that continuously monitors a network for malicious activity and takes action to prevent
it, including reporting, blocking, or dropping it, when it does occur.

Sandboxing
▪ Sandboxing is a cybersecurity practice where you run code, observe and analyze and code in a
safe, isolated environment on a network that mimics end-user operating environments.
▪ Sandboxing is designed to prevent threats from getting on the network and is frequently used to
inspect untested or untrusted code.

Hyper Scale Network Security

▪ Hyperscale is the ability of a technology architecture to improve and scale appropriately as more
demand is added to the system.
▪ This includes the ability to provide and add more resources to the system that make up a bigger
distributed computing network.

288 Copy rights reserved for STL Academy

 Cyber Security

5.4 Case Studies

▪ Selected in-depth explorations of how leading organizations have approached critical security
challenges.

Cybersecurity Case Studies

Cybersecurity Case Studies - Yahoo
▪ Securing the number one spot – almost seven years after the initial breach and four since the
true number of records exposed was revealed is the attack on Yahoo.

Copy rights reserved for STL Academy 289

 Cyber Security

▪ The company first publicly announced the incident – which it said took place in 2013 – in
December 2016.
▪ At the time, it was in the process of being acquired by Verizon and estimated that account
information of more than a billion of its customers had been accessed by a hacking group.
▪ Less than a year later, Yahoo announced that the actual figure of user accounts exposed was 3
billion.
▪ Yahoo stated that the revised estimate did not represent a new “security issue” and that it was
sending emails to all the “additional affected user accounts.”
▪ After investigation, it was discovered that, while the attackers accessed account information such
as security questions and answers, plaintext passwords, payment card and bank data were not
stolen.

Cybersecurity Case Studies - LinkedIn

▪ Professional networking giant LinkedIn
saw data associated with 700 million of
its users posted on a dark web forum
in June 2021, impacting more than
90% of its user base.
▪ A hacker going by the moniker of “God
User” used data scraping techniques
by exploiting the site’s (and others’)
API before dumping a first information
data set of around 500 million customers.
▪ They then followed up with a boast that they were selling the full 700 million customer database.
▪ An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put
for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept
sample by the post author.
▪ While LinkedIn argued that as no sensitive, private personal data was exposed, the incident was
a violation of its terms of service rather than a data breach, a scraped data sample posted by

290 Copy rights reserved for STL Academy

 Cyber Security

God User contained information including email addresses, phone numbers, geolocation records,
genders and other social media details, which would give malicious actors plenty of data to craft
convincing, follow-on social engineering attacks in the wake of the leak, as warned by the UK’s
NCSC.

Cybersecurity Case Studies - Facebook

▪ In April 2019, it was revealed that two datasets from Facebook apps had been exposed to the
public internet.
▪ The information related to more than 530 million Facebook
users and included phone numbers, account names, and
Facebook IDs.
▪ However, two years later (April 2021) the data was posted
for free, indicating new and real criminal intent surrounding
the data.
▪ In fact, given the sheer number of phone numbers
impacted and readily available on the dark web as a result
of the incident, security researcher Troy Hunt added
functionality to his HaveIBeenPwned (HIBP) breached
credential checking site that would allow users to verify if
their phone numbers had been included in the exposed
dataset.

Technology for Cybersecurity

Cryptographic systems
▪ A widely used cybersecurity system involves the use of
codes and ciphers to transform information into
unintelligible data.

An Intrusion Detection System (IDS)

▪ IDS is an additional protection measure used to detect attack.

Copy rights reserved for STL Academy 291

 Cyber Security

Antimalware Software and scanners

▪ Viruses, worms and Trojan horses are all examples of malicious software, or Malware for short.
Special so called antimalware tools are used to detect them and cure an infected system.

Secure Socket Layer (SSL)

▪ It is a suite of protocols that is a standard way to achieve a good level of security between web
browser and websites.

292 Copy rights reserved for STL Academy

 Cyber Security

Confidentiality, Privacy and Trust Management

Biometrics
▪ Biometric security is a type of security that verifies people's behavioral and physical
characteristics to identify them.
▪ It is the most accurate and strongest physical security technique for identity verification.

Cloud Security
▪ Protects data stored in cloud computing environments from theft, deletion and leakage.

Copy rights reserved for STL Academy 293

 Cyber Security

Computer Forensics
▪ It uses investigative techniques to identify and store evidence from a computer device.

Data protection legislation and security

▪ It includes the territorial reach of the law, the contours of personal data, the application of the law
to the private and the public sector, the entities regulated by the law, the activities regulated by
the law, cross border flow of data, and data localization.

5.5 Cybersecurity Policy

▪ A cybersecurity policy is a written document that contains behavioral and technical guidelines for
all employees in order to ensure maximum protection from cybersecurity incidents and
ransomware attacks.
▪ The purpose of cybersecurity policy is to set procedures and standards to safeguard user data
against malware. Thus, it is important as it prevents cyber attacks and information breaches.

294 Copy rights reserved for STL Academy

 Cyber Security

▪ When developing your cyber security policy, one must consider the following steps:
1. Set password requirements
2. Outline email security measures
3. Explain how to handle sensitive data
4. Set rules around handling technology
5. Set standards for social media and internet access
6. Prepare for an incident
7. Keep your policy up-to-date

Information Security Policy

▪ Here are eight critical elements of an information security policy:

Copy rights reserved for STL Academy 295

 Cyber Security

Cybersecurity Audit
▪ Organizations need to implement a proactive assessment and test strategy for both existing and
new information systems and assets.
▪ The strategy should be an integral part of the risk management process.

▪ A cyber security audit is a comprehensive review of

an organisation’s IT infrastructure.
▪ Audits ensure that appropriate policies and
procedures have been implemented and are
working effectively.

▪ The goal is to identify any vulnerabilities that could

result in a data breach.
▪ This includes weaknesses that enable malicious
actors to gain unauthorised access to sensitive
information, as well as poor internal practices that
might result in employees accidentally or
negligently breaching sensitive information.
▪ Depending on the nature of the organisation, it

296 Copy rights reserved for STL Academy

 Cyber Security

could be subject to several information security and data privacy laws, creating a complex net of
requirements.
▪ The audit should be performed by a qualified third party.
▪ In an Information System, Audit is referred to a systematic, technical assessment of an
organization’s security policies.
▪ An audit process depends upon the following phases:
1. Determination of goals and scope
2. Selection of Audit team
3. Audit planning and preparation
4. Conduct an Audit
5. Documentation
6. Issuing the review report

Cybersecurity Audit Scope

▪ A cyber security audit primarily covers an organisation’s IT systems.
▪ This includes its infrastructure, the software it has deployed and the devices that employees use.
▪ However, this is only one aspect of information security, and a comprehensive assessment won’t
stop at technical resilience.

1. Data security
▪ Network access controls, data encryption and the way sensitive information moves through the
organisation.

2. Operational security
▪ information security policies, procedures and controls.
➢ Identify Critical Information
➢ Analyse Threats
➢ Analyse Vulnerabilities
➢ Risk Assessment
➢ Apply Appropriate OPSEC Measures

3. Network security
▪ network controls, antivirus configurations and network monitoring.

Copy rights reserved for STL Academy 297

 Cyber Security

4. System security
▪ patching, privileged account management and access controls.

5. Physical security
▪ The organisation’s premises and physical devices that are used to store sensitive information.

298 Copy rights reserved for STL Academy

 Cyber Security

Section 3: Exercises

Exercise 1: Here are eight critical elements of an information security policy. Write Down eight
critical elements of an information security policy in given circles.

Exercise 2: In given Boxes write down Steps for Operational Security.

Exercise 3: Participate in group discussion on following topics:

a) New Cybersecurity Technologies
b) Security System, Services and Attacks
c) Types of Cryptography
d) Types of Network Security Protection
e) Case study of Cybersecurity
f) Techniques used for Cybersecurity
g) Cybersecurity Policies and Audits

Section 4: Assessment Questionnaire

Questions
1. Name some of the largest organizations that have suffered data breaches and cyber security
attacks in the last decade?
2. How does the hashing function work?

Copy rights reserved for STL Academy 299

 Cyber Security

3. What does the term cloud security mean?

4. What is the difference between accidental threat and malicious threat?
5. What is the meaning of ‘confidentiality’ in terms of cybersecurity?
6. What is the meaning of ‘availability’ in terms of cybersecurity information control?
7. What are the different types of cryptography?
8. What is the meaning of symmetric cryptography?
9. What are some of the best practices for email security?
10. Explain the term ‘ZTNA’?
11. What are some of the most popular cybersecurity technologies in the field?
12. Blockchain allows information to be collected, but not edited or deleted. (True/False)
13. _____ responds across endpoints, the cloud, and networks. It evolved from the simpler
traditional endpoint detection and response.
14. What is the benefit of Manufacturer Usage Description (MUD)?
15. What is the classification of security services?
16. What are four general categories of security attacks?
17. In Asymmetric Key Cryptography public key is used for encryption and a private key is used for
decryption. (True/False)
18. The most popular _______ cryptography system is Data Encryption System (DES).
19. ________ is an architectural approach that divides a network into multiple segments or
subnets, each acting as its own small network.
20. _______ is a network security tool (which can be a hardware device or software) that
continuously monitors a network for malicious activity and takes action to prevent it, including
reporting, blocking, or dropping it, when it does occur.
21. What is Sandboxing?
22. What is the purpose of cybersecurity policy?
23. What are the steps of developing cyber security policy?
24. What are the phases of cybersecurity audit?

----------End of the Module----------

300 Copy rights reserved for STL Academy

 Cyber Security

NOTES
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________

Copy rights reserved for STL Academy 301

 Empowering Youth!
STL is one of the industry's leading integrators of digital networks providing All-in 5G solutions. Our capabilities across optical networking, services,
software, and wireless connectivity place us amongst the top optical players in the world. These capabilities are built on converged architectures helping
telcos, cloud companies, citizen networks, and large enterprises deliver next-gen experiences to their customers. STL collaborates with service providers
globally in achieving a green and sustainable digital future in alignment with UN SDG goals. STL has a global presence in India, Italy, the UK, the US,
China, and Brazil