Exploit is the term used to describe a program written to take advantage of a vulnerability

Attack is the act of using exploit against a vulnerability

Types of Malware

1.Spyware-This is design to track and spy on user

2.Adware-Advertising supported software is designed to automatically deliver advertisements.

3.Bot- Designed to automatically perform action,usually online

4.Ransomware- Hold a computer system or the data it contains until a payment is made

5.Trojan Horse-Carries out malicious operation under the guise of a desired operation

6.Worms- Malicious code that replicate themselves by independently exploiting vulnerabilities in

networks.

7.Man in the Middle- Allow the attacker to take control over a device without the knowledge of users.

8. Man in Mobile-Attack to take control of mobile device

Symptoms of Malware

here is an increase in CPU usage.

There is a decrease in computer speed.

The computer freezes or crashes often.

There is a decrease in Web browsing speed.

There are unexplainable problems with network connections.

Files are modified.

Files are deleted.

There is a presence of unknown files, programs, or desktop icons.

There are unknown processes running.

Programs are turning off or reconfiguring themselves.

Email is being sent without the user’s knowledge or consent.

ocial engineering is an access attack that attempts to manipulate individuals into performing actions or
divulging confidential information. Social engineers often rely on people’s willingness to be helpful but
also prey on people’s weaknesses. For example, an attacker could call an authorized employee with an
urgent problem that requires immediate network access. The attacker could appeal to the employee’s
vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

These are some types of social engineering attacks:

Pretexting - This is when an attacker calls an individual and lies to them in an attempt to gain access to
privileged data. An example involves an attacker who pretends to need personal or financial data in
order to confirm the identity of the recipient.

Tailgating - This is when an attacker quickly follows an authorized person into a secure location.

Something for Something (Quid pro quo) - This is when an attacker requests personal information from a
party in exchange for something, like a free gift.

Wi-Fi Password Cracking

Wi-Fi password cracking is the process of discovering the password used to protect a wireless network.
These are some techniques used in password cracking:

Social engineering – The attacker manipulates a person who knows the password into providing it.

Brute-force attacks – The attacker tries several possible passwords in an attempt to guess the password.
If the password is a 4-digit number, for example, the attacker would have to try every one of the 10000
combinations. Brute-force attacks usually involve a word-list file. This is a text file containing a list of
words taken from a dictionary. A program then tries each word and common combinations. Because
brute-force attacks take time, complex passwords take much longer to guess. A few password brute-
force tools include Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.

Network sniffing – By listening and capturing packets sent on the network, an attacker may be able to
discover the password if the password is being sent unencrypted (in plain text). If the password is
encrypted, the attacker may still be able to reveal it by using a password cracking tool.

hishing

Phishing is when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted
source. The message intent is to trick the recipient into installing malware on their device, or into
sharing personal or financial information.
Spear phishing is a highly targeted phishing attack. While phishing and spear phishing both use emails to
reach the victims, spear phishing emails are customized to a specific person. The attacker researches the
target’s interests before sending the email. For example, an attacker learns the target is interested in
cars, and has been looking to buy a specific model of car. The attacker joins the same car discussion
forum where the target is a member, forges a car sale offering and sends email to the target. The email
contains a link for pictures of the car. When the target clicks on the link, malware is installed on the
target’s computer.

SEO Poisoning

Search engines such as Google work by ranking pages and presenting relevant results based on users’
search queries. Depending on the relevancy of web site content, it may appear higher or lower in the
search result list. SEO, short for Search Engine Optimization, is a set of techniques used to improve a
website’s ranking by a search engine. While many legitimate companies specialize in optimizing websites
to better position them, a malicious user could use SEO to make a malicious website appear higher in
search results. This technique is called SEO poisoning.

The most common goal of SEO poisoning is to increase traffic to malicious sites that may host malware
or perform social engineering. To force a malicious site to rank higher in search results, attackers take
advantage of popular search terms.

What is a Blended Attack?

Blended attacks are attacks that use multiple techniques to compromise a target. By using several
different attack techniques at once, attackers have malware that are a hybrid of worms, Trojan horses,
spyware, keyloggers, spam and phishing schemes. This trend of blended attacks is revealing more
complex malware and placing user data at great risk.

The most common type of blended attack uses spam email messages, instant messages or legitimate
websites to distribute links where malware or spyware is secretly downloaded to the computer. Another
common blended attack uses DDoS combined with phishing emails. First, DDoS is used to take down a
popular bank website and send emails to the bank's customers, apologizing for the inconvenience. The
email also directs the users to a forged emergency site where their real login information can be stolen.

Many of the most damaging computer worms like Nimbda, CodeRed, BugBear, Klez and Slammer are
better categorized as blended attacks, as shown below:
Some Nimbda variants used email attachments; file downloads from a compromised web server; and
Microsoft file sharing (e.g., anonymous shares) as propagation methods.

Other Nimbda variants were able to modify the system’s guest accounts to provide the attacker or
malicious code with administrative privileges.

The recent Conficker and ZeuS/LICAT worms were also blended attacks. Conficker used all the traditional
distribution methods.

What is Impact Reduction?

While the majority of successful companies today are aware of common security issues and put
considerable effort towards preventing them, no set of security practices is 100% efficient. Because a
breach is likely to happen if the prize is big, companies and organizations must also be prepared to
contain the damage.

It is important to understand that the impact of a breach is not only related to the technical aspect of it,
stolen data, damaged databases, or damage to intellectual property, the damage also extends to the
company’s reputation. Responding to a data breach is a very dynamic process.

Below are some important measures a company should take when a security breach is identified,
according to many security experts:

Communicate the issue. Internally employees should be informed of the problem and called to action.
Externally, clients should be informed through direct communication and official announcements.
Communication creates transparency, which is crucial in this type of situation.

Be sincere and accountable in case the company is at fault.

Provide details. Explain why the situation took place and what was compromised. It is also expected that
the company take care of the costs of identity theft protection services for affected customers.

Understand what caused and facilitated the breach. If necessary, hire forensics experts to research and
learn the details.

Apply what was learned from the forensics investigation to ensure similar breaches do not happen in the
future.

Ensure all systems are clean, no backdoors were installed, and nothing else has been compromised.
Attackers will often attempt to leave a backdoor to facilitate future breaches. Make sure this does not
happen.
Educate employees, partners, and customers on how to prevent future breaches.

OAuth 2.0

Open Authorization (OAuth) is an open standard protocol that allows an end user’s credentials to access
third party applications without exposing the user’s password. OAuth acts as the middle man to decide
whether to allow end users access to third party applications. For example, say you want to access web
application XYZ, and you do not have a user account for accessing this web application. However, XYZ
has the option to allow you to log in using the credentials from a social media website ABC. So you
access the website using the social media login.

For this to work, the application ‘XYZ’ is registered with ‘ABC’ and is an approved application. When you
access XYZ, you use your user credentials for ABC. Then XYZ requests an access token from ABC on your
behalf. Now you have access to XYZ. XYZ knows nothing about you and your user credentials, and this
interaction is totally seamless for the user. Using secret tokens prevents a malicious application from
getting your information and your data.

irewall Types

A firewall is a wall or partition that is designed to prevent fire from spreading from one part of a building
to another. In computer networking, a firewall is designed to control, or filter, which communications
are allowed in and which are allowed out of a device or network, as shown in the figure. A firewall can
be installed on a single computer with the purpose of protecting that one computer (host-based
firewall), or it can be a stand-alone network device that protects an entire network of computers and all
of the host devices on that network (network-based firewall).

Over the years, as computer and network attacks have become more sophisticated, new types of
firewalls have been developed which serve different purposes in protecting a network. Here is a list of
common firewall types:

Network Layer Firewall – filtering based on source and destination IP addresses

Transport Layer Firewall –filtering based on source and destination data ports, and filtering based on
connection states

Application Layer Firewall –filtering based on application, program or service

Context Aware Application Firewall – filtering based on the user, device, role, application type, and
threat profile

Proxy Server – filtering of web content requests like URL, domain, media, etc.

Reverse Proxy Server – placed in front of web servers, reverse proxy servers protect, hide, offload, and
distribute access to web servers

Network Address Translation (NAT) Firewall – hides or masquerades the private addresses of network
hosts

Host-based Firewall – filtering of ports and system service calls on a single computer operating system

Port Scanning

Port-scanning is a process of probing a computer, server or other network host for open ports. In
networking, each application running on a device is assigned an identifier called a port number. This port
number is used on both ends of the transmission so that the right data is passed to the correct
application. Port-scanning can be used maliciously as a reconnaissance tool to identify the operating
system and services running on a computer or host, or it can be used harmlessly by a network
administrator to verify network security policies on the network.

For the purposes of evaluating your own computer network’s firewall and port security, you can use a
port-scanning tool like Nmap to find all the open ports on your network. Port-scanning can be seen as a
precursor to a network attack and therefore should not be done on public servers on the Internet, or on
a company network without permission.

To execute an Nmap port-scan of a computer on your local home network, download and launch a
program such as Zenmap, provide the target IP address of the computer you would like to scan, choose
a default scanning profile, and press scan. The Nmap scan will report any services that are running (e.g.,
web services, mail services, etc.) and port numbers. The scanning of a port generally results in one of
three responses:

Open or Accepted – The host replied indicating a service is listening on the port.

Closed, Denied, or Not Listening – The host replied indicating that connections will be denied to the
port.

Filtered, Dropped, or Blocked – There was no reply from the host.

To execute a port-scan of your network from outside of the network, you will need to initiate the scan
from outside of the network. This will involve running an Nmap port-scan against your firewall or
router’s public IP address. To discover your public IP address, use a search engine such as Google with
the query “what is my ip address”. The search engine will return your public IP address.

To run a port-scan for six common ports against your home router or firewall, go to the Nmap Online
Port Scanner at https://hackertarget.com/nmap-online-port-scanner/ and enter your public IP address
in the input box: IP address to scan… and press Quick Nmap Scan. If the response is open for any of the
ports: 21, 22, 25, 80, 443, or 3389 then most likely, port forwarding has been enabled on your router or
firewall, and you are running servers on your private network, as shown in the figure.

ecurity Appliances

Today there is no single security appliance or piece of technology that will solve all network security
needs. Because there is a variety of security appliances and tools that need to be implemented, it is
important that they all work together. Security appliances are most effective when they are part of a
system.

Security appliances can be stand-alone devices, like a router or firewall, a card that can be installed into
a network device, or a module with its own processor and cached memory. Security appliances can also
be software tools that are run on a network device. Security appliances fall into these general
categories:

Routers - Cisco Integrated Services Router (ISR) routers, shown in Figure 1, have many firewall
capabilities besides just routing functions, including traffic filtering, the ability to run an Intrusion
Prevention System (IPS), encryption, and VPN capabilities for secure encrypted tunneling.

Firewalls - Cisco Next Generation Firewalls have all the capabilities of an ISR router, as well as, advanced
network management and analytics. Cisco Adaptive Security Appliance (ASA) with firewall capabilities
are shown in Figure 2.

IPS - Cisco Next Generation IPS devices, shown in Figure 3, are dedicated to intrusion prevention.

VPN - Cisco security appliances are equipped with a Virtual Private Network (VPN) server and client
technologies. It is designed for secure encrypted tunneling.
Malware/Antivirus - Cisco Advanced Malware Protection (AMP) comes in next generation Cisco routers,
firewalls, IPS devices, Web and Email Security Appliances and can also be installed as software in host
computers.

Other Security Devices – This category includes web and email security appliances, decryption devices,
client access control servers, and security management systems.

Security Best Practices

Many national and professional organizations have published lists of security best practices. The
following is a list of some security best practices:

Perform Risk Assessment – Knowing the value of what you are protecting will help in justifying security
expenditures.

Create a Security Policy – Create a policy that clearly outlines company rules, job duties, and
expectations.

Physical Security Measures – Restrict access to networking closets, server locations, as well as fire
suppression.

Human Resource Security Measures – Employees should be properly researched with background
checks.

Perform and Test Backups – Perform regular backups and test data recovery from backups.

Maintain Security Patches and Updates – Regularly update server, client, and network device operating
systems and programs.

Employ Access Controls – Configure user roles and privilege levels as well as strong user authentication.

Regularly Test Incident Response – Employ an incident response team and test emergency response
scenarios.

Implement a Network Monitoring, Analytics and Management Tool - Choose a security monitoring
solution that integrates with other technologies.

Implement Network Security Devices – Use next generation routers, firewalls, and other security
appliances.

Implement a Comprehensive Endpoint Security Solution – Use enterprise level antimalware and
antivirus software.
Educate Users – Educate users and employees in secure procedures.

Encrypt data – Encrypt all sensitive company data including email.

Some of the most helpful guidelines are found in organizational repositories such as the National
Institute of Standards and Technology (NIST) Computer Security Resource Center, as shown in the figure.

One of the most widely known and respected organizations for cybersecurity training is the SANS
Institute. Go here to learn more about SANS and the types of training and certifications they offer.

Botnet

A botnet is a group of bots, connected through the Internet, with the ability to be controlled by a
malicious individual or group. A bot computer is typically infected by visiting a website, opening an email
attachment, or opening an infected media file.

The Kill Chain in Cyberdefense

In cybersecurity, the Kill Chain is the stages of an information systems attack. Developed by Lockheed
Martin as a security framework for incident detection and response, the Cyber Kill Chain is comprised of
the following stages:

Stage 1. Reconnaissance - The attacker gathers information about the target.

Stage 2. Weaponization - The attacker creates an exploit and malicious payload to send to the target.

Stage 3. Delivery - The attacker sends the exploit and malicious payload to the target by email or other
method.

Stage 4. Exploitation - The exploit is executed.

Stage 5 Installation - Malware and backdoors are installed on the target.

Stage 6. Command and Control - Remote control of the target is gained through a command and control
channel or server.

Stage 7. Action - The attacker performs malicious actions like information theft, or executes additional
attacks on other devices from within the network by working through the Kill Chain stages again.

To defend against the Kill Chain, network security defenses are designed around the stages of the Kill
Chain. These are some questions about a company’s security defenses, based on the Cyber Kill Chain:

• What are the attack indicators at each stage of the Kill Chain?

• Which security tools are needed to detect the attack indicators at each of the stages?

• Are there gaps in the company’s ability to detect an attack?

According to Lockheed Martin, understanding the stages of Kill Chain allowed them to put up defensive
obstacles, slow down the attack, and ultimately prevent the loss of data. The figure shows how each
stage of the Kill Chain equates to an increase in the amount of effort and cost to inhibit and remediate
attacks.

Honeypots - A Honeypot is a behavior-based detection tool that first lures the attacker in by appealing
to the attacker’s predicted pattern of malicious behavior, and then, when inside the honeypot, the
network administrator can capture, log, and analyze the attacker’s behavior. This allows an
administrator to gain more knowledge and build a better defense.

Cisco’s Cyber Threat Defense Solution Architecture - This is a security architecture that uses behavior-
based detection and indicators, to provide greater visibility, context, and control. The goal is to know
who, what, where, when, and how an attack is taking place. This security architecture uses many
security technologies to achieve this goal.

NetFlow technology is used to gather information about data flowing through a network
All this information should be compiled into a security playbook. A security playbook is a collection of
repeatable queries (reports) against security event data sources that lead to incident detection and
response. Ideally the security playbook must accomplish the following actions:

Detect malware infected machines.

Detect suspicious network activity.

Detect irregular authentication attempts.

Describe and understand inbound and outbound traffic.

Provide summary information including trends, statistics, and counts.

Provide usable and quick access to statistics and metrics.

Correlate events across all relevant data sources.

Tools for Incident Prevention and Detection

These are some of the tools used to detect and prevent security incidents:

SIEM – A Security Information and Event Management (SIEM) system is software that collects and
analyzes security alerts, logs and other real time and historical data from security devices on the
network.

DLP – Data Loss Prevention Software (DLP) is a software or hardware system designed to stop sensitive
data from being stolen from or escaping a network. A DLP system may focus on file access authorization,
data exchange, data copying, user activity monitoring, and more. DLP systems are designed to monitor
and protect data in three different states: data in-use, data in-motion and data at-rest. Data in-use is
focused on the client, data in-motion refers to data as it travels through the network, and data at-rest
refers to data storage.

Cisco ISE and TrustSec – Cisco Identity Services Engine (Cisco ISE) and Cisco TrustSec enforce access to
network resources by creating role-based access control policies that segment access to the network
(guests, mobile users, employees) without added complexity. Traffic classification is based on user or
device identity. Click play in the figure to learn more about ISE.
IDS and IPS

An Intrusion Detection System (IDS), shown in the figure, is either a dedicated network device, or one of
several tools in a server or firewall that scans data against a database of rules or attack signatures,
looking for malicious traffic. If a match is detected, the IDS will log the detection, and create an alert for
a network administrator. The Intrusion Detection System does not take action when a match is detected
so it does not prevent attacks from happening. The job of the IDS is merely to detect, log and report.

The scanning performed by the IDS slows down the network (known as latency). To prevent against
network delay, an IDS is usually placed offline, separate from regular network traffic. Data is copied or
mirrored by a switch and then forwarded to the IDS for offline detection. There are also IDS tools that
can be installed on top of a host computer operating system, like Linux or Windows.

An Intrusion Prevention System (IPS) has the ability to block or deny traffic based on a positive rule or
signature match. One of the most well-known IPS/IDS systems is Snort. The commercial version of Snort
is Cisco’s Sourcefire. Sourcefire has the ability to perform real-time traffic and port analysis, logging,
content searching and matching, and can detect probes, attacks, and port scans. It also integrates with
other third party tools for reporting, performance and log analysis.

Ethical Issues in Cybersecurity

In addition to working within the confines of the law, cybersecurity professionals must also demonstrate
ethical behavior.

Personal Ethical Issues

A person may act unethically and not be subject to prosecution, fines or imprisonment. This is because
the action may not have been technically illegal. But that does not mean that the behavior is acceptable.
Ethical behavior is fairly easy to ascertain. It is impossible to list all of the various unethical behaviors
that can be exhibited by someone with cybersecurity skills. Below are just two. Ask yourself:

Would I want to discover that someone has hacked into my computer and altered images in my social
network sites?

Would I want to discover that an IT technician whom I trusted to fix my network, told colleagues
personal information about me that was gained while working on my network?

If your answer to any of these questions was ‘no’, then do not do such things to others.

Corporate Ethical Issues

Ethics are codes of behavior that are sometimes enforced by laws. There are many areas in
cybersecurity that are not covered by laws. This means that doing something that is technically legal still
may not be the ethical thing to do. Because so many areas of cybersecurity are not (or not yet) covered
by laws, many IT professional organizations have created codes of ethics for persons in the industry.
Below is a list of three organizations with Codes of Ethics:

The CyberSecurity Institute (CSI)

The Information Systems Security Association (ISSA)

The Association of Information Technology Professionals (AITP)

Cisco has a team devoted exclusively to ethical business conduct. This site contains an eBook about
Cisco’s Code of Business Conduct. As with legal questions, in general, if you are confused about whether
an action or behavior might be unethical, assume that it is unethical and do not do it. There may be
someone in your company’s human resources or legal department who can clarify your situation before
you do something that would be considered unethical.

Search online to find other IT-related organizations with codes of ethics. Try to find what they all have in
common.