Cyber

Uploaded by shuvampal23

Cyber security is the body of technologies, processes, and practices designed to protect networks, computers, programs and digital data from attack, damage or unauthorized access.

The CIA Triad is a security model that has been developed to help people think about the various parts of IT security.
Confidentiality: Confidentiality is about preventing the disclosure of data to unauthorized parties. It also means trying to keep the identity of the authorized parties involved in sharing and holding data private and anonymous. Confidentiality is often compromised by cracking poorly encrypted data, Man-in-the-middle (MITM) attacks, and disclosure of sensitive data. Standard measures to establish confidentiality include:
• Data encryption
• Two-factor authentication
• Biometric verification
• Security tokens
Integrity: Integrity refers to protecting information from being modified by unauthorized parties. Standard measures:
• Cryptographic checksums
• Using file permissions
• Uninterruptible power supplies
• Data backups
Availability: Availability is making sure that authorized parties are able to access the information when needed. Standard measures:
• Backing up data to external drives
• Implementing firewalls
• Having backup power supplies
• Data redundancy

Denial of Service: It is an attack meant to make a server or network resource unavailable to its users. It accomplishes this by flooding the target with traffic or sending it information that triggers a crash. It uses a single system and a single internet connection to attack a server. It can be classified into the following: Volume-based attacks: the goal is to saturate the bandwidth of the attacked site; measured in bits per second. Protocol attacks: consume actual server resources; measured in packets per second. Application-layer attacks: the goal is to crash the web server; measured in requests per second. Prevention:
1. Using firewalls and intrusion detection systems to monitor network traffic and block suspicious activity.
2. Limiting the number of requests or connections that can be made to a system or network.
3. Using load balancers and distributed systems to distribute traffic across multiple servers or networks.
4. Implementing network segmentation and access controls to limit the impact of a DoS attack.

DNS Spoofing is a type of computer security hacking whereby data is introduced into a DNS resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker's computer or any other computer. DNS spoofing attacks can go on for a long period of time without being detected and can cause serious security issues.

Session Hijacking is a security attack on a user session over a protected network. Web applications create cookies to store state and user sessions. By stealing the cookies, an attacker can gain access to all of the user's data.

Phishing is a type of attack which attempts to steal sensitive information such as user login credentials and credit card numbers. It occurs when an attacker masquerades as a trustworthy entity in electronic communication.

…After acquiring admin privileges, the hackers can install malware and remote access tools, compromise devices and steal confidential data. Small and medium-sized businesses are usually attacked by backdoor attacks as they have fewer resources (budgets and security experts) to close off entry points and identify successful attacks. Hence, they usually remain unaware of backdoor attacks.

Active attacks are unauthorized actions that alter the system or data. In an active attack, the attacker directly interferes with the target to damage it or gain unauthorized access to computer systems and networks. This is done by injecting hostile code into communications, altering data, or masquerading as another user or person to get unauthorized access. Types are: Masquerade Attack, Modification of Messages, Repudiation, Replay Attack, Denial of Service (DoS) Attack.
Masquerade attack: the attacker disguises himself to pose as some other person and accesses systems or data. It could be impersonating a legitimate user or system and demanding that other users or systems provide sensitive information or access to areas that are not supposed to be accessed normally. This may even include behaving like an actual user or some component of the system with the intention of manipulating people into giving out their private information or allowing them into secured locations.
Modification of Messages: This is when someone changes parts of a message without permission, or mixes up the order of messages, to cause trouble. Imagine someone secretly changing a letter you sent, making it say something different. This kind of attack breaks the trust in the information being sent.
Repudiation attacks: some person does something damaging online, such as a financial transaction, or sends a message one does not want to send, then denies having done it. Such attacks can seriously hinder the ability to trace the origin of the attack or to identify who is responsible for a given action, making it tricky to hold the right person responsible.
Session replay: In this type of attack, a hacker steals an authorized user's login information by stealing the session ID. The intruder gains access and the ability to do anything the authorized user can do on the site.

…Cyberstalking messages differ from ordinary spam in that a cyberstalker targets a specific victim with often threatening messages, while the spammer targets a multitude of recipients with merely annoying messages. Cyberstalking works in many ways:
● Multiple stalkers utilize the services provided on the internet.
● Through data-furnishing companies that provide information on a person's capability to function in society.
● Other methods include: spyware software, phishing, juice jacking, Wi-Fi interface (jacking), caller ID spoofing.

Vulnerabilities are weaknesses in a system that give threats the opportunity to compromise assets. All systems have vulnerabilities. Even though technologies are improving, the number of vulnerabilities is increasing because of factors such as tens of millions of lines of code, many developers, human weaknesses, etc. Vulnerabilities mostly arise from hardware, software, network and procedural weaknesses:
1. Hardware Vulnerability: A hardware vulnerability is a weakness which can be used to attack the system hardware, either physically or remotely. Eg: Old versions of systems or devices, Unprotected storage, Unencrypted devices, etc.
2. Software Vulnerability: A software error introduced in development or configuration such that executing it can violate the security policy. Eg: Lack of input validation, Unverified uploads, Cross-site scripting, Unencrypted data, etc.
3. Network Vulnerability: A weakness in the network, which can be hardware or software. Eg: Unprotected communication, Malware or malicious software (eg: Viruses, Keyloggers, Worms, etc.), Social engineering attacks, Misconfigured firewalls.
4. Procedural Vulnerability: A weakness in an organization's operational methods. Eg: Password procedure – passwords should follow the standard password policy; Training procedure – employees must know which actions to take and how to handle security. Employees must never be asked for user credentials online. Make employees aware of social engineering and phishing threats.
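The integrity and active-attack material above (cryptographic checksums, modification of messages, replay attacks) comes together in one mechanism: an authentication tag over the message plus a sequence number the receiver tracks. The Python below is an added example written for this page, not code from the notes; the shared key and the messages are constructed for the demo, and HMAC-SHA256 is the checksum chosen here.

```python
import hmac
import hashlib
import json

# Constructed shared key for the demo; both endpoints hold it. Not from the page.
SHARED_KEY = b"demo-shared-key-not-for-production"


def _payload(seq: int, body: str) -> bytes:
    """Canonical bytes the tag covers: sequence number and body together."""
    return json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()


def seal(key: bytes, seq: int, body: str) -> dict:
    """Sender side: attach a sequence number and an HMAC-SHA256 tag over (seq, body)."""
    tag = hmac.new(key, _payload(seq, body), hashlib.sha256).hexdigest()
    return {"seq": seq, "body": body, "tag": tag}


class Receiver:
    """Receiver side: rejects modified messages (bad tag) and replayed or reordered ones (stale seq)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def verify(self, msg: dict) -> str:
        expected = hmac.new(self.key, _payload(msg["seq"], msg["body"]), hashlib.sha256).hexdigest()
        # compare_digest keeps the comparison constant-time in the tag length
        if not hmac.compare_digest(expected, msg["tag"]):
            return "REJECT: tag mismatch (message modified or wrong key)"
        if msg["seq"] <= self.last_seq:
            return "REJECT: replay (sequence number already seen)"
        self.last_seq = msg["seq"]
        return "ACCEPT"


def demo() -> list:
    """Constructed exchange: a good message, a tampered copy, a replay, then the next good message."""
    rx = Receiver(SHARED_KEY)
    results = []
    m1 = seal(SHARED_KEY, 1, "transfer 100 to account A")
    results.append(rx.verify(m1))                              # ACCEPT
    tampered = dict(m1, body="transfer 100 to account B")      # body changed, tag left as-is
    results.append(rx.verify(tampered))                        # REJECT: tag mismatch
    results.append(rx.verify(m1))                              # REJECT: replay of seq 1
    m2 = seal(SHARED_KEY, 2, "transfer 5 to account C")
    results.append(rx.verify(m2))                              # ACCEPT
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the tag covers the sequence number as well as the body, an attacker can neither edit the body nor renumber an old message without invalidating the tag; the receiver's strictly increasing counter then catches a straight replay or a message delivered out of order.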
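DoS prevention step 2 above, limiting the number of connections a source may open, is usually implemented as a per-source sliding window. The Python below is an added example for this page, not code from the notes; the limits, the injectable clock and the source addresses are constructed for the demo.

```python
import time
from collections import defaultdict, deque


class ConnectionRateLimiter:
    """Sliding-window limiter: at most `limit` new connections per source within `window` seconds.
    A source that exceeds the limit is blocked for `block_seconds`, a crude but common mitigation."""

    def __init__(self, limit: int, window: float, block_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.block_seconds = block_seconds
        self.clock = clock                   # injectable so the behaviour can be tested offline
        self.history = defaultdict(deque)    # source -> timestamps of recent accepted connections
        self.blocked_until = {}              # source -> time at which its block expires

    def allow(self, source: str) -> bool:
        now = self.clock()
        if self.blocked_until.get(source, 0.0) > now:
            return False                     # still inside the block period
        recent = self.history[source]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # forget connections older than the window
        if len(recent) >= self.limit:
            self.blocked_until[source] = now + self.block_seconds
            return False                     # flood detected: block the source
        recent.append(now)
        return True


class FakeClock:
    """Constructed clock so the simulation does not need real sleeps."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_flood():
    """One source opens 8 connections at once; a second source behaves normally."""
    clock = FakeClock()
    limiter = ConnectionRateLimiter(limit=5, window=1.0, block_seconds=10.0, clock=clock)
    flood = [limiter.allow("203.0.113.7") for _ in range(8)]   # first 5 pass, rest refused
    normal = limiter.allow("198.51.100.2")                     # unaffected by the other source
    clock.advance(2.0)
    still_blocked = limiter.allow("203.0.113.7")               # block period not over yet
    clock.advance(10.0)
    released = limiter.allow("203.0.113.7")                    # block expired, window empty again
    return flood, normal, still_blocked, released


if __name__ == "__main__":
    print(simulate_flood())
```

The per-source state is the important design point: the limiter isolates the flooding address without touching other clients, which is exactly what the text means by limiting connections to reduce the impact of a DoS rather than taking the service offline for everyone.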
A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus:
● Requires a host to replicate and usually attaches itself to a host file or a hard drive sector.
● Replicates each time the host is used, increasing its spread and impact.
● Often focuses on destruction or corruption of data.
● Usually attaches to files with execution capabilities such as .doc, .exe, and .bat extensions.
● Often distributes via e-mail. Many viruses can e-mail themselves to everyone in your address book.
● Examples: Stoned, Michelangelo, Melissa, I Love You.

A Trojan horse is a malicious program that is disguised as legitimate software. Discretionary environments are often more vulnerable and susceptible to Trojan horse attacks because security is user focused and user directed. Thus the compromise of a user account could lead to the compromise of the entire environment. A Trojan horse:
● Cannot replicate itself.
● Often contains spying functions (such as a packet sniffer) or backdoor functions that allow a computer to be remotely controlled from the network.
● Often is hidden in useful software such as screen savers or games.
● Examples: Back Orifice, NetBus, Whack-a-Mole.

Social engineering is a strategy through which people can mislead others into delivering private data or granting access to protected resources. Moreover, it attempts to influence a person's behaviour to the point where they undertake actions beyond their normal range. It relies on psychological pressure rather than technical methods. Social engineers are competent in sparking emotions, managing trust, showing authority, or tapping into some curiosity so that the individual provides unauthorized information or does whatever serves the attacker. This can be done through different techniques, for example phishing email creation, fake scenarios to gain a relationship (pretexting), baiting, interviews, and social media impersonation. Types:
● Phishing
● Baiting: Baiting is a type of social engineering attack that involves leaving a tempting item, such as a USB drive, in a public place in the hope that someone will pick it up and plug it into their computer. The USB drive is then used to infect the computer with malware.
● Tailgating: Tailgating is a type of social engineering attack that involves following an authorized individual into a secure area, such as a building or data center, without proper authorization.
● Pretexting: Pretexting is a type of social engineering attack that involves creating a false identity or situation in order to trick an individual into revealing sensitive information. For example, an attacker might pretend to be a customer service representative in order to trick an individual into giving them their login credentials.
● Vishing: Vishing is a type of social engineering attack that involves using voice phishing, or "vishing," to trick individuals into revealing sensitive information over the phone.
● Smishing: Smishing is a type of social engineering attack that involves using SMS messages to trick individuals into revealing sensitive information or downloading malware.
Prevention:
● Monitor online accounts in a timely manner, whether social media accounts or bank accounts, to ensure that no unauthorized transactions have been made.
● Check the email headers of any suspicious mail to verify its legitimate source.
● Avoid clicking on links or unknown files, or opening email attachments from unknown senders.
● Beware of links to online forms that require personal information, even if the email appears to come from a known source. Phishing websites look the same as legitimate websites.
● Adopt proper security mechanisms such as spam filters, anti-virus software, and a firewall, keep all systems updated, and use anti-keyloggers.

Ethical Hacking is also called penetration testing. It is the act of penetrating networks or systems to find out the threats and vulnerabilities in that system which an attacker could have exploited to cause loss of data, financial loss or other major damage to a business. The purpose of ethical hacking is to improve the security of the system or network by fixing the vulnerabilities detected while testing. Ethical hackers may use the same techniques and mechanisms as malicious hackers, but with the permission of the authorized person; the ethical hackers help to develop the security and defend the systems from attacks.

Cyber warfare refers to the use of digital attacks -- like computer viruses and hacking -- by one country to disrupt the vital computer systems of another, with the aim of creating damage, death and destruction. Future wars will see hackers using computer code to attack an enemy's infrastructure, fighting alongside troops using conventional weapons like guns and missiles. Cyber warfare involves actions by a nation-state or international organization to attack and attempt to damage another nation's computers or information networks through, for example, computer viruses or denial-of-service attacks.

Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device. Cybercrime is committed by cybercriminals or hackers who want to make money. It is carried out by individuals or organizations. Some cybercriminals are organized, use advanced techniques and are highly technically skilled. Others are novice hackers.

Cyber terrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein, when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing, Denial-of-service attacks, or terroristic threats made via electronic communication.

Adware tracks your browsing habits and causes particular advertisements to pop up. Although this is common and often something one may even agree to, adware is sometimes imposed upon one without one's consent.

Spyware is an intrusion that may steal sensitive data such as passwords and credit card numbers from your internal systems.

Privilege escalation is a common way for attackers to gain unauthorized access to systems within a security perimeter. Attackers start by finding weak points in an organization's defenses and gaining access to a system. In many cases that first point of penetration will not grant attackers the level of access or data they need. They will then attempt privilege escalation to gain more permissions or obtain access to additional, more sensitive systems. In some cases, attackers attempting privilege escalation find the "doors are wide open": inadequate security controls, or failure to follow the principle of least privilege, with users having more privileges than they actually need. In other cases, attackers exploit software vulnerabilities, or use specific techniques to overcome an operating system's permissions mechanism. There are two types of privilege escalation: Horizontal privilege escalation: an attacker expands their privileges by taking over another account and misusing the legitimate privileges granted to the other user. Vertical privilege escalation: an attacker attempts to gain more permissions or access with an existing account they have compromised. For example, an attacker takes over a regular user account on a network and attempts to gain administrative permissions. This requires more sophistication and may take the shape of an Advanced Persistent Threat.

A firewall is a network security device, either hardware or software-based, which monitors all incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects, or drops that specific traffic. Accept: allow the traffic. Reject: block the traffic but reply with an "unreachable error". Drop: block the traffic with no reply. A firewall filters incoming and outgoing network traffic according to security policies that have previously been set up inside an organization, and maintains a distinct set of rules for each direction. Mostly the outgoing traffic, originating from the server itself, is allowed to pass. Still, setting rules on outgoing traffic is always better in order to achieve more security and prevent unwanted communication. Incoming traffic is treated differently. Most traffic which reaches the firewall uses one of three major Transport Layer protocols: TCP, UDP or ICMP. All of these have a source address and a destination address. TCP and UDP additionally have port numbers. ICMP uses a type code instead of a port number, which identifies the purpose of that packet.

Attack vectors are the specific paths or methods that cyber attackers use to gain unauthorized access to a system, network, or application. These vectors serve as entry points for attacks, allowing malicious actors to exploit vulnerabilities. Every ethical hacker has their own attack vector to check the security of the target application, which may be a web application or an Android application. Attackers take advantage of weaknesses or flaws in the system to steal information, cause damage, or gain control.
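The firewall description above (accept, reject with an unreachable reply, drop silently; separate inbound and outbound tables; TCP/UDP ports versus ICMP type codes) maps directly onto a small first-match rule engine. The Python below is an added example written for this page, not code from the notes or any firewall product; the rule tables and the sample packets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """What a packet filter looks at: direction, protocol, addresses, and ports or an ICMP type."""
    direction: str                   # "in" (arriving at the firewall) or "out" (leaving)
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP has no ports; its type code says what the packet is for


@dataclass
class Rule:
    """A field left as None means 'any'; src/dst are CIDR prefixes."""
    action: str                      # "accept", "reject" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


# Constructed sample policy (not from the page). Each direction has its own table,
# the first matching rule wins, and anything unmatched falls through to a default drop.
INBOUND: List[Rule] = [
    Rule("accept", proto="tcp", dport=443),                   # HTTPS from anywhere
    Rule("accept", proto="tcp", src="10.0.0.0/8", dport=22),  # SSH only from the internal range
    Rule("accept", proto="icmp", icmp_type=8),                # ICMP echo request (ping)
    Rule("reject", proto="tcp", dport=23),                    # telnet: refuse and say so
]
OUTBOUND: List[Rule] = [
    Rule("accept", proto="tcp", dport=443),                   # web traffic from our hosts
    Rule("accept", proto="udp", dport=53),                    # DNS lookups
]


def decide(p: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, reply). Reject answers with an unreachable error; drop answers with nothing."""
    table = INBOUND if p.direction == "in" else OUTBOUND
    for rule in table:
        if rule.matches(p):
            reply = "icmp-unreachable" if rule.action == "reject" else None
            return rule.action, reply
    return "drop", None  # default policy: silently discard


def run_samples() -> List[Tuple[str, Optional[str]]]:
    """Constructed packets exercising each verdict."""
    samples = [
        Packet("in", "tcp", "203.0.113.5", "10.0.0.10", dport=443),      # accept
        Packet("in", "tcp", "203.0.113.5", "10.0.0.10", dport=22),       # external SSH: drop
        Packet("in", "tcp", "10.1.2.3", "10.0.0.10", dport=22),          # internal SSH: accept
        Packet("in", "icmp", "203.0.113.5", "10.0.0.10", icmp_type=8),   # ping: accept
        Packet("in", "icmp", "203.0.113.5", "10.0.0.10", icmp_type=13),  # timestamp request: drop
        Packet("in", "tcp", "203.0.113.5", "10.0.0.10", dport=23),       # telnet: reject + reply
        Packet("out", "udp", "10.0.0.10", "192.0.2.53", dport=53),       # DNS: accept
        Packet("out", "tcp", "10.0.0.10", "198.51.100.9", dport=6667),   # unexpected egress: drop
    ]
    return [decide(p) for p in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The outbound table is deliberately short but still present: with a default drop, the last sample shows why the text recommends rules on outgoing traffic too, since an unexpected egress connection from an internal host is discarded instead of silently allowed.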
A Passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on or monitoring transmissions. The goal of the opponent is to obtain information that is being transmitted. Passive attacks involve an attacker passively monitoring or collecting data without altering or destroying it. Examples of passive attacks include eavesdropping, where an attacker listens in on network traffic to collect sensitive information, and sniffing, where an attacker captures and analyzes data packets to steal sensitive information. Types are: Software Attacks, The Release of Message Content, Traffic Analysis, Eavesdropping.
Eavesdropping (tapping): the attacker simply listens to messages exchanged by two entities. For the attack to be useful, the traffic must not be encrypted. Any unencrypted information, such as a password sent in response to an HTTP request, may be retrieved by the attacker.
Traffic analysis: the attacker looks at the metadata transmitted in traffic in order to deduce information relating to the exchange and the participating entities, e.g. the form of the exchanged traffic (rate, duration, etc.). Where encrypted data are used, traffic analysis can also lead to attacks by cryptanalysis, whereby the attacker may obtain information or succeed in decrypting the traffic.
Software Attacks: Malicious code (sometimes called malware) is a type of software designed to take over or damage a computer user's operating system without the user's knowledge or approval. It can be very difficult to remove and very damaging.

Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools. It is a form of "tapping phone wires" to get to know about the conversation; it is also called wiretapping applied to computer networks. If a set of enterprise switch ports is open, there is a real possibility that one of the employees can sniff the whole traffic of the network. Anyone in the same physical location can plug into the network using an Ethernet cable or connect wirelessly and sniff the total traffic. Sniffing allows you to see all sorts of traffic, both protected and non-protected. In the right conditions and with the right protocols in place, an attacker can gather information that can be used for further attacks or to cause other issues for the network or system owner. The following can be sniffed: email traffic, FTP passwords, web traffic, telnet passwords, router configuration, chat sessions, DNS traffic. Process: A sniffer normally turns the NIC of the system to promiscuous mode so that it listens to all the data transmitted on its segment. Promiscuous mode refers to the unique ability of Ethernet hardware, in particular network interface cards (NICs), that allows a NIC to receive all traffic on the network, even if it is not addressed to this NIC. By default, a NIC ignores all traffic that is not addressed to it, which it does by comparing the destination address of the Ethernet frame with the hardware address (a.k.a. MAC) of the device. While this makes perfect sense for networking, non-promiscuous mode makes it difficult to use network monitoring and analysis software for diagnosing connectivity issues or traffic accounting.

Cyberstalking is a crime in which the attacker harasses a victim using electronic communication, such as e-mail or instant messaging (IM), or messages posted to a Web site or a discussion group. A cyberstalker relies upon the anonymity afforded by the Internet to stalk their victim without being detected. (PTO…)

Malware is intrusive software that is designed to damage and destroy computers and computer systems. Malware is a contraction of "malicious software". Examples include viruses, worms, trojans, spyware, adware and ransomware. Malware is a file or code, typically delivered over a network, that infects, explores, steals or conducts virtually any behaviour an attacker wants. Though varied in types and capabilities, malware usually has one of the following objectives:
i. Provide remote control for an attacker to use an infected machine.
ii. Send spam from the infected machine to unsuspecting targets.
iii. Investigate the infected user's local network.
iv. Steal sensitive data.
Malware Removal: Antivirus software can remove most standard infection types, and many options exist for off-the-shelf solutions. Cortex XDR enables remediation on the endpoint following an alert or investigation, giving administrators the option to begin a variety of mitigation steps: isolating endpoints by disabling all network access on compromised endpoints except for traffic to the Cortex XDR console, terminating processes to stop any running malware from continuing to perform malicious activity on the endpoint, and blocking additional executions, before quarantining malicious files and removing them from their working directories if the Cortex XDR agent has not already done so.

Cyberspace (a term coined by William Gibson) can be defined as an intricate environment that involves interactions between people, software, and services. It is maintained by the worldwide distribution of information and communication technology devices and networks. With the benefits carried by technological advancements, cyberspace today has become a common pool used by citizens, businesses, critical information infrastructure, military and governments in a fashion that makes it hard to draw clear boundaries among these different groups. Cyberspace is anticipated to become even more complex in the upcoming years, with the increase in networks and devices connected to it.
Asset: An asset is any data, device or other component of an organization's systems that is valuable, often because it contains sensitive data or can be used to access such information.
A threat is any incident that could negatively affect an asset – for example, if it is lost, knocked offline or accessed by an unauthorized party. Threats can be categorized as circumstances that compromise the confidentiality, integrity or availability of an asset, and can be either intentional or accidental.

Brute force: It is a type of attack which uses a trial and error method. This attack generates a large number of guesses and validates them to obtain actual data such as a user password or personal identification number. This attack may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security.
Dictionary attacks: This type of attack uses a stored list of commonly used passwords and validates them to get the original password.
URL Interpretation: It is a type of attack where one changes certain parts of a URL and can make a web server deliver web pages which one is not authorized to browse.
Man in the middle attacks: It is a type of attack that allows an attacker to intercept the connection between client and server and act as a bridge between them. Due to this, the attacker will be able to read, insert and modify the data in the intercepted connection.

SQL Injection is a security flaw in web applications where attackers insert harmful SQL code through user inputs. This can allow them to access sensitive data, change database contents or even take control of the system.
i. SQL Injection is a web page vulnerability that lets an attacker make queries against the database.
ii. Attackers take advantage of a web application vulnerability and inject an SQL command via the input from users to the application.
iii. Attackers can use SQL queries like SELECT to retrieve confidential information which otherwise wouldn't be visible.
iv. SQL injection also lets the attacker perform denial-of-service (DoS) attacks by overloading the server with requests.
Impact of SQL Injection:
1. The hacker can retrieve all the user data present in the database, such as user details, credit card information, and social security numbers, and can also gain access to protected areas like the administrator portal.
2. It is also possible to delete user data from the tables.

A worm is a self-replicating program that can be designed to do any number of things, such as delete files, steal sensitive information, or send documents via e-mail without user consent. Unlike a virus, a worm does not require a host file to spread; it can propagate independently across networks and devices. A worm can negatively impact network traffic due to the sheer volume of replication activities it performs, which can lead to congestion or denial of service. A worm:
● Can install a backdoor in the infected computer, enabling remote access for unauthorized users to control the system or deploy additional malicious software.
● Is usually introduced into the system through a vulnerability, such as unpatched software, weak passwords, or insecure network configurations.
● Infects one system and spreads rapidly to other systems on the network by exploiting shared resources or security weaknesses.
● Can potentially modify system files, disable security features, or cause widespread disruption across networks.
● Example: Code Red, which targeted Microsoft IIS servers, exploited vulnerabilities, defaced web pages, and initiated denial-of-service attacks.

Backdoor attacks allow a cyber attacker to compromise a computer system while using administrative access without even being noticed by any security software. A backdoor is malware that is spread into the system through unsecured points of entry, such as outdated plug-ins or input fields. Normally, attackers fabricate worms or viruses to exploit an existing backdoor, for instance one left over from previous attacks or one that the developers created for testing. (PTO)
Malware Protection: To protect your organization against malware, you need a holistic, enterprise-wide malware protection strategy. Commodity threats are exploits that are less sophisticated and more easily detected and prevented using a combination of antivirus, anti-spyware, and vulnerability protection features, along with URL filtering and application identification capabilities on the firewall.

Threat modelling is a method of optimizing network security by locating vulnerabilities, identifying objectives, and developing countermeasures to either prevent or mitigate the effects of cyber-attacks against the system. While security teams can conduct threat modelling at any point during development, doing it at the start of the project is best practice. This way, threats can be identified sooner and dealt with before they become an issue. Eg: STRIDE, DREAD, P.A.S.T.A, Trike, VAST, Attack tree.
A buffer overflow occurs when more data are written to a buffer than it can hold. The excess data is written to adjacent memory, overwriting the contents of that location and causing unpredictable results in a program. Buffer overflows happen when there is improper validation (no bounds check prior to the data being written). It is considered a bug or weakness in the software. A buffer overflow attack is an exploit that takes advantage of a program that is waiting on a user's input. There are two main types of buffer overflow attacks: stack-based and heap-based. Heap-based attacks flood the memory space reserved for a program, but the difficulty involved in performing such an attack makes them rare. In stack-based attacks, the program being exploited uses a memory object called the stack to store user input. Normally, the stack is empty until the program requires user input. At that point, the program writes a return memory address to the stack and then the user's input is placed on top of it. When the stack is processed, the user's input gets sent to the return address specified by the program. Prevention: A buffer overflow attack requires two things. First, a buffer overflow must occur in the program. Second, the attacker must be able to use the buffer overflow to overwrite a security-sensitive piece of data (a security flag, function pointer, return address, etc.). So we must either: 1. Prevent all buffer overflows, or 2. Prevent all sensitive information from being overwritten. Both of these solutions are costly in terms of efficiency, and many programs therefore settle for a partial goal, such as:
i. Prevent use of dangerous functions: gets, strcpy, etc.
ii. Prevent return addresses from being overwritten.
iii. Prevent data supplied by the attacker from being executed or

The 7 layers of cyber security should centre on the mission-critical assets you are seeking to protect.
1: Mission Critical Assets – This is the data you need to protect.
2: Data Security – Data security controls protect the storage and transfer of data.
3: Application Security – Application security controls protect access to an application, an application's access to your mission-critical assets, and the internal security of the application.
4: Endpoint Security – Endpoint security controls protect the connection between devices and the network.
5: Network Security – Network security controls protect an organization's network and prevent unauthorized access to the network.
6: Perimeter Security – Perimeter security controls include both the physical and digital security methodologies that protect the business overall.
7: The Human Layer – Humans are the weakest link in any cyber security posture. Human security controls include phishing simulations and access management controls that protect mission-critical assets from a wide variety of human threats, including cyber criminals, malicious insiders, and negligent users.

Enterprise Information Security Architecture (EISA) is a key component of an information security program. The primary function of EISA is to document and communicate the artefacts of the security program in a consistent manner. As such, the primary deliverable of EISA is a set of documents connecting business drivers with technical implementation guidance. These documents are developed iteratively through multiple levels of abstraction. Information security should define three dimensions, or viewpoints, into the architecture framework:
1. Business Viewpoint: Aligns information security with business objectives, ensuring security measures support business goals, risk management, and compliance.
2. Technology Viewpoint: Translates business requirements into technical solutions, defining the tools, platforms, and systems needed for security implementation.
3. Process Viewpoint: Focuses on operational aspects, including policies, standards, and procedures for maintaining security, monitoring, and incident response.

An Insider Threat is a malicious activity against an organization that comes from users with legitimate access to the organization's network, applications or databases. These users can be current employees, former employees, or third parties like partners, contractors, or temporary workers with access to the organization's physical or digital assets. While the term is most commonly used to describe illicit or malicious activity, it can also refer to users who unintentionally cause harm to the business. There are several types of insider threats:
1. Malicious Insider: an employee or contractor who knowingly seeks to steal information or disrupt operations. They can sell the stolen information, use it to help their career, or use it to hurt the organisation.
2. Negligent Insider: an employee who does not follow proper IT procedures. For example, someone who leaves without logging out, did not change a default password, or failed to apply a security patch.
3. Compromised Insider: a common example is an employee whose computer has been infected with malware. This typically happens via phishing scams or by clicking on links that cause malware downloads. Compromised insider machines can be used as a "home base" for cybercriminals, from which they can scan file shares, escalate privileges, infect other systems, and more.

STRIDE: A methodology developed by Microsoft for threat modelling, it offers a mnemonic for identifying security threats in six categories: Spoofing: An intruder posing as another user, component, or other system feature that carries an identity in the modelled system. Tampering: The altering of data within a system to achieve a malicious goal. Repudiation: The ability of an intruder to deny that they performed some malicious activity, due to the absence of sufficient proof. Information Disclosure: Exposing protected data to
a user that isn't authorized to see it.
Information Assurance Model: The security model is a multidimensional model based on four dimensions: 1. Information States - Information is referred to as the interpretation of data, which can be found in three states: stored, processed, or transmitted. 2. Security Services - This fundamental pillar of the model provides security to the system and consists of five services, namely availability, integrity, confidentiality, authentication and non-repudiation. 3. Security Countermeasures - This dimension has functionalities to save the system from immediate vulnerability by accounting for technology, policy & practice and people. 4. Time - This dimension can be viewed in many ways. At any given time data may be available offline or online, and information and the system might be in flux, thus introducing risk of unauthorized access. Therefore, in every phase of the System Development Cycle, every aspect of the Information Assurance model must be well defined and well implemented in order to minimize the risk of unauthorized access. Information States: 1. Transmission - It defines the time wherein data is between processing steps. Eg: In transit over networks when a user sends email to a reader, including memory and storage encountered during delivery. 2. Storage - It defines the time during which data is saved on a medium such as a hard drive. Eg: Saving a document on a file server's disk by a user. 3. Processing - It defines the time during which data is in a processing state. Eg: Data is processed in the random access memory (RAM) of a workstation. Security Services: 1. Confidentiality - It assures that information of the system is not disclosed to unauthorized parties and is read and interpreted only by persons authorized to do so. Protection of confidentiality prevents malicious access and accidental disclosure of information. Information that is considered to be confidential is called sensitive information. To ensure confidentiality, data is categorized into different categories according to damage severity and then accordingly strict measures are taken. Eg: Protecting email content so that it is read only by the desired set of users. This can be ensured by data encryption. 2. Integrity - Ensures that sensitive data is accurate and trustworthy and cannot be created, changed, or deleted without proper authorization. Maintaining integrity involves preventing modification or destruction of information by unauthorized access. To ensure integrity, backups should be planned and implemented in order to restore any affected data in case of a security breach. (PTO)

Computer forensics, also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination, is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. A thorough analysis by a skilled examiner can result in the reconstruction of the activities of a computer user. In other words, computer forensics is the collection, preservation, analysis and presentation of computer-related evidence. Computer evidence can be useful in criminal cases, civil disputes and human resources matters. There are various types of computer forensic examinations. Each deals with a specific aspect of information technology. Some of the main types include the following: Database forensics: The examination of information contained in databases, both data and related metadata. Email forensics: The recovery and analysis of emails and other information contained in email platforms, such as schedules and contacts. Malware forensics: Sifting through code to identify possible malicious programs and analyzing their payload. Such programs may include Trojan horses, ransomware or various viruses. Memory forensics: Collecting information stored in a computer's random access memory (RAM) and cache. Mobile forensics: The examination of mobile devices to retrieve and analyse the information they contain, including contacts, incoming and outgoing texts, pictures and video files. Network forensics: Looking for evidence by monitoring network traffic, using tools such as a firewall or intrusion detection system. Cyber Forensics Advantages: ● Similar types of data and relevant data can be compared from different source systems to get a complete understanding of the scenario. ● Data that is relevant over a period of time can be trended using cyber forensics. ● The entire data can be scanned to identify and extract specific risks for future analysis. ● The efficiency of the control environment and policies can be tested by determining the attributes that violate the rules. ● It is used to identify trends which the company's people, consultants and forensic analysts are not aware of. Types of computer forensic systems: Internet security systems: Internet and network security are topics that many executives and managers avoid talking about. Many feel that discussing their security implementations and policies will cause their companies to become vulnerable to attack. Ironically, Internet security can provide a more secure solution, as well as one that is faster and less expensive than traditional solutions to security problems of employees photocopying proprietary information, faxing or mailing purchase orders, or placing orders by phone. (PTO)
Forensic audit is, in general, referred to as an examination of evidence regarding an assertion to determine its correspondence to established criteria, carried out in a manner suitable to the court. A Forensic Audit is an examination and evaluation of a firm's or individual's financial information for use as evidence in court. A Forensic Audit can be conducted in order to prosecute a party for fraud, embezzlement or other financial claims. In addition, an audit may be conducted to determine negligence or even to determine how much spousal or child support an individual will have to pay. Jack Bologna and Robert defined Forensic Audit as the application of financial skills and an investigative mentality to unresolved issues, conducted within the context of the rules of evidence. As a discipline, it encompasses financial expertise, fraud knowledge, and a strong knowledge and understanding of business reality and the working of the legal system.

ISO 27001:2013 is an international security standard that lays out best practices for how organizations should manage their data. It outlines how companies should manage information security risk by creating an information security management system (ISMS). This approach demands executive leadership while embedding data security at all organizational levels. The standard is voluntary, but organizations that follow its guidelines can seek ISO 27001 certification. ISO 27001 was developed in tandem by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was originally released in 2005 and revised in 2013, thus its full title: ISO/IEC 27001:2013. For companies that earn ISO 27001 certification, it's a sign of their commitment to data security. Essentially, all the guidelines in ISO 27001 add up to one thing: a guide for creating an ISMS. An ISMS describes the structures an organization has in place to manage data, including technology, physical security, personnel policies, and the organizational hierarchy that delegates responsibility for these issues. ISO 27001:2013 certification is an important thing to look for in any cyber security partner because it indicates an organization-wide commitment to security. Working with such a partner can benefit one's own organization's security. As Clause 6 states, sometimes the most effective way to deal with data security risk is to either eliminate it or outsource it to a third party.

Security policies are a formal set of rules issued by an organization to ensure that users who are authorized to access company technology and information assets comply with rules and guidelines related to the security of information. A security policy is also considered to be a "living document", which means that the document is never finished but is continuously updated as the requirements of the technology and employees change. We use security policies to manage our network security. Most types of security policies are automatically created during the installation. We can also customize policies to suit our specific environment. Need of Security policies: 1) It increases efficiency. 2) It upholds discipline and accountability. 3) It can make or break a business deal. 4) It helps to educate employees on security literacy. Important cyber security policies: Virus and Spyware Protection policy: • It helps to detect threats in files and to detect applications that exhibit suspicious behavior. • It removes and repairs the side effects of viruses and security risks by using signatures. Firewall Policy: • It blocks unauthorized users from accessing the systems and networks that connect to the Internet. • It detects attacks by cybercriminals and removes unwanted sources of network traffic. Intrusion Prevention policy: • This policy automatically detects and blocks network attacks and browser attacks. • It also protects applications from vulnerabilities, checks the contents of one or more data packages and detects malware which is coming through legal ways. Application and Device Control: • This policy protects a system's resources from applications and manages the peripheral devices that can attach to a system. • The device control policy applies to both Windows and Mac computers, whereas the application control policy can be applied only to Windows clients. Email Security Protocols: 1. SSL/TLS for HTTPS: SSL, or Secure Sockets Layer, was first introduced in 1995. Due to security flaws, SSLv3 was eventually superseded in 2015 and replaced by the Transport Layer Security (TLS) protocol in 1999. Many people still refer to TLS by the name of its predecessor, SSL. It is used for HTTP Secure (HTTPS), which is employed for nearly all email exchanges between servers and users, even though it has no inherent role in email security. TLS is used by HTTPS to encrypt network traffic streams between clients and servers. Although it is used for web traffic rather than email, webmail messages are encrypted using it. SMTP Secure (SMTPS) functions similarly to HTTPS for SMTP. It uses TLS to encrypt client-server message exchanges. Unless another encryption protocol, like StartTLS, is in use, encrypted TLS traffic is decrypted at its destination, meaning that cleartext messages may be accessible on email servers as messages are routed.

Block Cipher encrypts data in fixed-size blocks, usually 64 or 128 bits at a time. The encryption algorithm processes each block of data separately, using the cryptographic key to transform the plaintext into the ciphertext. Block ciphers rely on complex mathematical computation and permutation to ensure that the encrypted data is safe. The choice of block size does not directly affect the strength of the encryption scheme. The strength of the cipher depends upon the key length. However, any size of block is acceptable. The following aspects can be kept in mind while selecting the size of a block: avoid very small block sizes, do not have very large block sizes, and use multiples of 8 bits. Features: • Fixed Block Size: The data is encrypted in a fixed-size block. • Complex Operations: In block ciphers, substitution combined with permutation forms the operation to achieve encryption. • Modes of Operation: Block ciphers employ several modes such as ECB (Electronic Codebook) and CBC (Cipher Block Chaining) for enhanced security. Eg: AES (Advanced Encryption Standard), DES (Data Encryption Standard) and Blowfish.

Stream Cipher encrypts data one bit or one byte at a time rather than in fixed-size blocks. It generates a keystream that is combined with the plaintext to produce the ciphertext. Stream ciphers are made for scenarios where data needs to be encrypted in a continuous stream, making them suitable for real-time applications. They can be categorized into synchronous, self-synchronizing and one-time pad types. Synchronous encryption requires a keystream generated independently of both the plaintext and the ciphertext. Sender and receiver have to be in the same state, with the same key, in order to decode the data properly. Features: • Continuous Encryption: The data is encrypted in a stream that runs continuously, a bit or byte at a time. • Keystream Generation: To create encryption keys, stream ciphers use a pseudorandom keystream generator. • Efficiency: Stream ciphers are generally more efficient for encrypting data of variable length and in streaming applications. Eg: RC4, Salsa20, and ChaCha20.

Block Cipher vs Stream Cipher: 1. A block cipher converts the plain text into cipher text by taking a block of plain text at a time. A stream cipher converts the plain text into cipher text by taking 1 bit of plain text at a time. 2. Block cipher uses either 64 bits or more than 64 bits, while stream cipher uses 8 bits. 3. The complexity of block cipher is simple, while stream cipher is more complex. 4. Block cipher uses confusion as well as diffusion, while stream cipher uses only confusion. 5. In block cipher, reversing encrypted text is hard, while in stream cipher, reversing encrypted text is easy. 6. The algorithm modes used in block cipher are ECB (Electronic Code Book) and CBC (Cipher Block Chaining); the algorithm modes used in stream cipher are CFB (Cipher Feedback) and OFB (Output Feedback). 7. Block cipher works on transposition techniques like the rail-fence technique, columnar transposition technique, etc., while stream cipher works on substitution techniques like the Caesar cipher, polygram substitution cipher, etc. 8. Block cipher is slow as compared to a stream cipher, while stream cipher is fast in comparison to block cipher.

Feistel Cipher model is a structure or a design used to develop many block ciphers such as DES. A Feistel cipher may have invertible, non-invertible and self-invertible components in its design. The same algorithm is used for encryption as well as decryption. A separate key is used for each round; however, the same round keys are used for encryption as well as decryption. Algorithm: • Create a list of all the plain text characters. • Convert the plain text to ASCII and then to 8-bit binary format. • Divide the binary plain text string into two halves: left half (L1) and right half (R1). • Generate random binary keys (K1 and K2) of length equal to half the length of the plain text for the two rounds. First Round of Encryption: a. Generate function f1 using R1 and K1 as follows: f1 = xor(R1, K1); b. Now the new left half (L2) and right half (R2) after round 1 are as follows: R2 = xor(f1, L1); L2 = R1; Second Round of Encryption: a. Generate function f2 using R2 and K2 as follows: f2 = xor(R2, K2); b. Now the new left half (L3) and right half (R3) after round 2 are as follows: R3 = xor(f2, L2); L3 = R2; c. The concatenation of R3 and L3 is the cipher text. d. The same algorithm is used for decryption to retrieve the plain text from the cipher text.
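The two-round XOR Feistel sketched above, built out into a toy 64-bit block cipher and then driven in the ECB and CBC modes named in the block-cipher notes, as an added example that is not code from these notes. The round function is the notes' own xor(R, K); it is linear, so the cipher is a teaching toy and the point of the example is the Feistel structure (decryption is the same rounds with the key order reversed) and the mode behaviour: a plaintext block repeated three times shows through as identical ciphertext blocks under ECB but not under CBC. The round keys, the IV and the sample plaintext are constructed values, fixed so the run is reproducible.

```python
"""Toy Feistel block cipher (two rounds, XOR round function) in ECB and CBC mode.
Added teaching example; round keys, IV and sample plaintext are constructed."""

BLOCK = 8  # 64-bit blocks, one of the block sizes the notes mention

# Constructed round keys K1, K2 (half a block each) and a constructed IV.
ROUND_KEYS = [bytes.fromhex("5a3c0ff0"), bytes.fromhex("9127c46b")]
IV = bytes.fromhex("0011223344556677")
# Constructed plaintext: the same 8-byte block repeated three times.
SAMPLE = b"ATTACK!!" * 3


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(right: bytes, key: bytes) -> bytes:
    # f(R, K) = xor(R, K), exactly as the notes describe. Linear, hence a toy;
    # real Feistel ciphers such as DES use non-linear S-boxes here.
    return xor_bytes(right, key)


def feistel_block(block: bytes, round_keys) -> bytes:
    """One pass over the rounds: L_{i+1} = R_i, R_{i+1} = L_i xor f(R_i, K_i).
    Output is R || L, the notes' 'concatenation of R3 to L3'."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for key in round_keys:
        left, right = right, xor_bytes(left, round_function(right, key))
    return right + left


def feistel_encrypt(block: bytes, round_keys) -> bytes:
    return feistel_block(block, round_keys)


def feistel_decrypt(block: bytes, round_keys) -> bytes:
    # Same algorithm and same keys, applied in reverse round order.
    return feistel_block(block, list(reversed(round_keys)))


def pad(data: bytes) -> bytes:
    # PKCS#7 padding so the message length is a multiple of BLOCK.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def blocks_of(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data: bytes, keys) -> bytes:
    # ECB: every block is encrypted independently of the others.
    return b"".join(feistel_encrypt(b, keys) for b in blocks_of(pad(data)))


def ecb_decrypt(data: bytes, keys) -> bytes:
    return unpad(b"".join(feistel_decrypt(b, keys) for b in blocks_of(data)))


def cbc_encrypt(data: bytes, keys, iv: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block
    # (the IV for the first block) before it is encrypted.
    out, prev = [], iv
    for b in blocks_of(pad(data)):
        prev = feistel_encrypt(xor_bytes(b, prev), keys)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data: bytes, keys, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks_of(data):
        out.append(xor_bytes(feistel_decrypt(b, keys), prev))
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Ciphertext blocks that duplicate an earlier one: the pattern leak a
    reviewer looks for when ECB has been used on structured data."""
    blocks = blocks_of(ciphertext)
    return len(blocks) - len(set(blocks))


def demo() -> dict:
    ecb = ecb_encrypt(SAMPLE, ROUND_KEYS)
    cbc = cbc_encrypt(SAMPLE, ROUND_KEYS, IV)
    return {
        "ecb_round_trip": ecb_decrypt(ecb, ROUND_KEYS) == SAMPLE,
        "cbc_round_trip": cbc_decrypt(cbc, ROUND_KEYS, IV) == SAMPLE,
        "ecb_repeats": repeated_blocks(ecb),  # 2: repeated plaintext blocks show through
        "cbc_repeats": repeated_blocks(cbc),  # 0: chaining hides the repetition
    }


if __name__ == "__main__":
    print(demo())
```

`repeated_blocks` is the check worth keeping: any ciphertext from a block cipher in ECB mode that contains duplicate blocks is telling you that the plaintext had duplicate blocks at the same positions, which is the reason the notes pair ECB with CBC as the modes to know.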
2. Transposition Ciphers are those forms of ciphers that work on the principle of shifting the positions of the characters of the plaintext to create the ciphertext. While in substitution ciphers the actual letters are replaced, in transposition ciphers the letters' positions are changed instead. ● Rail Fence Cipher: The plaintext is arranged in a zigzag pattern on a number of 'rails' and then read column wise. ● Columnar Transposition Cipher: The plaintext is written into rows under a certain key. The columns are then arranged in the order of the key's letters by using the sort function.

3. Modern ciphers are far more sophisticated and are intended to offer better security as compared to the traditional ciphers. These are of two types: the symmetric key ciphers and the asymmetric or public key ciphers.

Cryptanalysis is the process of transforming or decoding communications from a non-readable to a readable format without having access to the real key. Cryptanalysis frequently comprises a direct evaluation of the cryptosystem in use, which is essentially an advanced, concentrated mathematical attempt at decryption utilizing knowledge about the encryption scheme that is already available. Cryptanalysts can employ intercepted encrypted messages (ciphertext), intercepted complete, partial, likely, or similar original messages (plaintext), or information (encrypted or original) that is known to be used adaptively in subsequent trials. To determine the weak points of a cryptographic system, it is important to attack the system. These attacks are called cryptanalytic attacks. Types of attacks include ciphertext-only attacks, where only encrypted messages are available; known-plaintext attacks, where both plaintext and ciphertext are known; and chosen-plaintext/ciphertext attacks, where the attacker can encrypt or decrypt specific data to expose the encryption scheme.
Intrusion Detection Systems: Intrusion detection systems help computer systems prepare for and deal with attacks. They collect information from a variety of vantage points within computer systems and networks and analyze this information for symptoms of security problems. Vulnerability assessment systems check systems and networks for system problems and configuration errors that represent security vulnerabilities. ● Monitoring and analysis of user and system activity ● Auditing of system configurations and vulnerabilities ● Assessing the integrity of critical system and data files ● Recognition of activity patterns reflecting known attacks ● Statistical analysis of abnormal activity patterns. Firewall Security Systems. Storage area network security systems: SANs are a relatively new methodology for attaching storage, whereby a separate network (separate from the traditional LAN) connects all storage and servers. This network would be a high-performance implementation, such as Fibre Channel, that encapsulates protocols such as the Small Computer System Interface (SCSI). These are more efficient at transferring data blocks from storage and have hardware implementations offering buffering and delivery guarantees. This is not available using TCP/IP. The SAN development areas have not yet been realized, but there is great potential with regard to centralized storage SAN management and storage abstraction. Storage abstraction refers to an indirect representation of storage that has also been called virtualisation. Together with potential enhancements, SANs should be able to generate greater functionality than has been possible previously.

Network Forensics is the process of capturing, recording and conducting analysis of various network events in order to identify the origin of security attacks and other problems. This helps in figuring out unauthorized access to the computer system and conducting a search for evidence in such occurrences. Network Forensics has the capability to conduct investigation at a network level as well as of the events that take place across an IT system. The three parts of Network Forensics are intrusion detection, logging, and correlating intrusion detection and logging. The main aim of network forensics is to make available sufficient evidence in order to impose punishment on the criminal offenders. Network Forensics is applied in the major areas of hacking, fraud, insurance companies, theft of data, defamation, obscene publication, credit card cloning, software piracy, etc.

….Besides this, a cryptographic checksum can also be used for verification of data. Eg: Implementation of measures to verify that e-mail content was not modified in transit. This can be achieved by using cryptography, which will ensure that the intended user receives correct and accurate information. 3. Availability - It guarantees reliable and constant access to sensitive data only by authorized users. It involves measures to sustain access to data in spite of system failures and sources of interference. To ensure availability, corrupted data must be eliminated, recovery time must be sped up and physical infrastructure must be improved. Eg: Access to and throughput of the e-mail service. 4. Authentication - It is a security service that is designed to establish the validity of a transmission of a message by verification of an individual's identity to receive a specific category of information. To ensure authentication, various single-factor and multi-factor authentication methods are used. A single-factor authentication method uses a single parameter to verify a user's identity, whereas two-factor authentication uses multiple factors to verify a user's identity. Eg: Entering a username and password when we log in to a website is an example of authentication. Entering correct login information lets the website verify our identity and ensures that only we access sensitive information. 5. Non-Repudiation - It is a mechanism to ensure that the sender or receiver cannot deny the fact that they are part of a data transmission. When the sender sends data to the receiver, it receives delivery confirmation. When the receiver receives a message, it has all information attached within the message regarding the sender. Security Countermeasures: 1. People - People are the heart of an information system. Administrators and users of information systems must follow policies and practice for designing a good system. They must be informed regularly regarding the information system and be ready to act appropriately to safeguard the system. 2. Policy & Practice - Every organization has some set of rules defined in the form of policies that must be followed by every individual working in the organization. These policies must be practiced in order to properly handle sensitive information whenever the system gets compromised. 3. Technology - Appropriate technology such as firewalls, routers, and intrusion detection must be used in order to defend the system from vulnerabilities and threats. The technology used must facilitate quick response whenever information security gets compromised.
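The integrity service above says a cryptographic checksum can verify that e-mail content was not modified in transit. The added example below (not from these notes; the shared key and both messages are constructed values) contrasts an unkeyed SHA-256 checksum, which anyone on the path can simply recompute after editing the message, with a keyed checksum (HMAC-SHA256) that only the holders of the shared key can produce, so a changed message fails verification at the receiver.

```python
"""Integrity verification of an e-mail-like message with an unkeyed checksum
versus a keyed one (HMAC-SHA256). Added example; key and messages are constructed."""
import hashlib
import hmac

# Constructed shared key. In practice it is generated randomly and delivered
# to sender and receiver over a secure channel.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

ORIGINAL = b"From: alice@example.test\r\nTo: bob@example.test\r\n\r\nPay vendor 100 EUR"
TAMPERED = b"From: alice@example.test\r\nTo: bob@example.test\r\n\r\nPay vendor 900 EUR"


def plain_checksum(message: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """Keyed checksum: producing a valid tag requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest does not leak, through timing, where the first mismatch is.
    return hmac.compare_digest(mac_tag(key, message), tag)


def modified_in_transit(message: bytes):
    """Model a message whose body was changed on the path; whoever changed it
    can recompute the unkeyed checksum without knowing any secret."""
    modified = message.replace(b"100 EUR", b"900 EUR")
    return modified, plain_checksum(modified)


def demo() -> dict:
    sent_checksum = plain_checksum(ORIGINAL)
    sent_tag = mac_tag(SHARED_KEY, ORIGINAL)

    received, received_checksum = modified_in_transit(ORIGINAL)

    # Unkeyed checksum: the receiver recomputes it and sees a perfect match,
    # although the amount was changed and the checksum travelled with the message.
    unkeyed_detects = plain_checksum(received) != received_checksum

    # Keyed checksum: the tag computed at the sender no longer matches.
    keyed_detects = not verify(SHARED_KEY, received, sent_tag)

    return {
        "message_changed": received == TAMPERED,      # True
        "unkeyed_detects_tamper": unkeyed_detects,    # False
        "keyed_detects_tamper": keyed_detects,        # True
        "keyed_accepts_original": verify(SHARED_KEY, ORIGINAL, sent_tag),  # True
        "original_checksum_unchanged": sent_checksum == plain_checksum(ORIGINAL),
    }


if __name__ == "__main__":
    print(demo())
```

An HMAC gives integrity and origin authentication between the two key holders but not non-repudiation: either party could have produced the tag, which is why the notes list non-repudiation as a separate service, one that needs a signature only the sender can create rather than a shared-key checksum.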

Cybersec Laws: Information Technology Act, 2000: The Indian cyber laws are governed by the Information Technology Act, penned down back in 2000. The principal impetus of this Act is to offer reliable legal inclusiveness to eCommerce, facilitating registration of real-time records with the Government. But with cyber attackers getting sneakier, topped by the human tendency to misuse technology, a series of amendments followed. The ITA, enacted by the Parliament of India, highlights the grievous punishments and penalties safeguarding the e-governance, e-banking, and e-commerce sectors. Now, the scope of the ITA has been enhanced to encompass all the latest communication devices. The IT Act is the salient one, guiding the entire Indian legislation to govern cybercrimes rigorously: Section 43 - Applicable to people who damage computer systems without permission from the owner. The owner can fully claim compensation for the entire damage in such cases. Section 66 - Applicable in case a person is found to be dishonestly or fraudulently committing any act referred to in section 43. The imprisonment term in such instances can mount up to three years or a fine of up to Rs. 5 lakh. Section 66B - Incorporates the punishments for fraudulently receiving stolen communication devices or computers, which confirms a probable three years' imprisonment. This term can also be topped by a Rs. 1 lakh fine, depending upon the severity. Section 66C - This section scrutinizes identity thefts related to imposter digital signatures, hacking passwords, or other distinctive identification features. If proven guilty, imprisonment of three years might also be backed by a Rs. 1 lakh fine. Section 66D - This section was inserted on demand, focusing on punishing cheaters doing impersonation using computer resources. National Cyber Security Policy is a policy framework by the Department of Electronics and Information Technology. It aims at protecting the public and private infrastructure from cyberattacks. The policy also intends to safeguard "information, such as personal information (of web users), financial and banking information and sovereign data". Its vision is to create a secure cyber ecosystem in the country, generate adequate trust and confidence in IT systems and transactions in cyberspace, and thereby enhance adoption of IT in all sectors of the economy. Objectives: • To create an assurance framework for the design of security policies and promotion and enabling actions for compliance to global security standards and best practices by way of conformity assessment (product, process, technology & people). • To strengthen the Regulatory Framework for ensuring a SECURE CYBERSPACE ECOSYSTEM.

DIGITAL FORENSICS LIFECYCLE: Collection: The first step in the forensic process is to identify potential sources of data and acquire data from them. Examination: After data has been collected, the next phase is to examine the data, which involves assessing and extracting the relevant pieces of information from the collected data. This phase may also involve bypassing or mitigating OS or application features that obscure data and code, such as data compression, encryption, and access control mechanisms. Analysis: Once the relevant information has been extracted, the analyst should study and analyze the data to draw conclusions from it. The foundation of forensics is using a methodical approach to reach appropriate conclusions based on the available data or to determine that no conclusion can yet be drawn. Reporting: The process of preparing and presenting the information resulting from the analysis phase. Many factors affect reporting, including the following: a. Alternative Explanations: When the information regarding an event is incomplete, it may not be possible to arrive at a definitive explanation of what happened. When an event has two or more plausible explanations, each should be given due consideration in the reporting process. Analysts should use a methodical approach to attempt to prove or disprove each possible explanation that is proposed. b. Audience Consideration: Knowing the audience to which the data or information will be shown is important. c. Actionable Information: Reporting also includes identifying actionable information gained from data that may allow an analyst to collect new sources of information.

Cryptography is a technique of securing communication by converting plain text into ciphertext. It is a technique of securing information and communications through the use of codes so that only those persons for whom the information is intended can understand and process it, thus preventing unauthorized access to information. In cryptography, the techniques that are used to protect information are obtained from mathematical concepts and a set of rule-based calculations known as algorithms to convert messages in ways that make them hard to decode. These algorithms are used for cryptographic key generation, digital signing, and verification to protect data privacy, web browsing on the internet and confidential transactions such as credit card and debit card transactions.

Rail Fence Cipher: Encryption: •In the rail fence cipher, the plain-text is written Types Of Cryptography: 1. Symmetric Key Cryptography: It is an encryption
downwards and diagonally on successive rails of an imaginary fence. •When we reach system where the sender and receiver of a message use a single common key
the bottom rail, we traverse upwards moving diagonally, after reaching the top rail, the to encrypt and decrypt messages. Symmetric Key cryptography is faster and
direction is changed again. Thus the alphabets of the message are written in a zig-zag simpler but the problem is that the sender and receiver have to somehow
manner. •After each letter has been placed, the individual rows are concatenated to obtain the cipher-text.
Eg: Input: GeeksforGeeks; Key = 3; Output: GsGsekfrekeoe
Decryption: As seen earlier, the number of columns in the rail matrix equals the length of the plain-text message, and the key is the number of rails. •Hence the rail matrix can be constructed accordingly. Once the matrix exists, the spots where characters belong are marked by moving diagonally down and up alternately, exactly as in encryption. •Then the cipher-text is filled into the marked spots row by row. After filling, the matrix is traversed in the same zig-zag manner to recover the original text.

Columnar Transposition cipher involves writing the plaintext out in rows and then reading the ciphertext off column by column. Encryption: •The message is written out in rows of a fixed length and read out again column by column, with the columns taken in a scrambled order. •The width of the rows and the permutation of the columns are usually defined by a keyword. •For example, the keyword HACK has length 4 (so the rows are of length 4), and the permutation is defined by the alphabetical order of its letters: A, C, H, K. Numbering each column of HACK by that rank gives the order "3 1 2 4", i.e. the A column is read first, then C, then H, then K. •Any spare cells in the last row are filled with nulls, left blank, or padded with a character (example: _). •Finally, the message is read off column by column in the order given by the keyword. Eg: Input: Geeks for Geeks; Key = HACK; Order of letters in HACK = 3 1 2 4; Output: e  kefGsGsrekoe_ (the spaces of the plaintext are kept as characters, which is why the output contains two spaces; a real transposition would normally strip them first, since they leak word lengths). Decryption: •To decipher it, the recipient works out the column length by dividing the message length by the key length. •The message is then written out in columns in the keyword's reading order, the columns are moved back to the positions of the letters in the keyword, and the rows are read off to recover the plaintext.

exchange keys securely. The most popular symmetric key systems are the Data Encryption Standard (DES, now considered broken because of its 56-bit key) and the Advanced Encryption Standard (AES).
2. Hash Functions: No key is used in this algorithm. A hash value of fixed length is computed from the plain text, and the function is one-way, so the plain text cannot be recovered from the hash. Many operating systems therefore store password hashes rather than passwords (salted, and computed with a deliberately slow hash, so a stolen password file cannot simply be reversed or brute-forced). This is hashing, not encryption: nothing can "decrypt" a hash.
3. Asymmetric Key Cryptography: Here, a pair of keys is used to encrypt and decrypt information. The receiver's public key is used for encryption and the receiver's private key for decryption. Public and private keys are different, and even though the public key is known to everyone, only the intended receiver can decrypt, because only he holds the private key. (The reverse direction, private key to create and public key to verify, is how digital signatures work.) The most popular asymmetric algorithm is RSA.
Applications: 1. Computer Passwords: cryptographic hashing protects stored passwords, so a compromised database does not directly reveal them. 2. Digital Currencies: cryptography (hashes and digital signatures) protects transactions and prevents fraud in digital currencies like Bitcoin. 3. Secure Web Browsing: protocols like SSL/TLS use public key cryptography to authenticate the server and agree on session keys, and symmetric ciphers to encrypt the traffic between web servers and clients. 4. Electronic Signatures: digital signatures, created with a private key and verified with the matching public key, authenticate electronic documents and prove they were not altered. 5. Authentication: cryptography verifies identities and access rights, for example when logging into systems or secure networks. 6. Cryptocurrencies: blockchain networks rely on cryptographic methods to secure transactions and maintain integrity. 7. End-to-End Encryption: used in apps like WhatsApp, it ensures that only the intended recipients, and not the service provider, can read the messages.
Forms of Cryptanalysis: 1. Linear Cryptanalysis: Linear cryptanalysis is a general form of known-plaintext cryptanalysis based on discovering affine (linear) approximations to a cipher's action: linear relations between plaintext bits, ciphertext bits and key bits that hold with a probability noticeably different from 1/2. Both block and stream ciphers have been attacked this way. Linear cryptanalysis is one of the two most common attacks against block ciphers, differential cryptanalysis being the other. 2. Differential Cryptanalysis: Differential cryptanalysis is a form of chosen-plaintext cryptanalysis applicable to block ciphers, stream ciphers and cryptographic hash functions. In the widest sense, it is the study of how differences in the input propagate to differences at the output. For a block cipher, it refers to a set of techniques for tracking differences through the network of transformations, finding where the cipher displays non-random behaviour (an input difference that produces a given output difference far more often than chance), and using such properties to recover the secret key.

A cipher is a technique for transforming readable data (plaintext) into coded data (ciphertext) and back again. Converting regular text into an unreadable form is encryption; converting the encoded text back into regular text is decryption. Ciphers perform these transformations using keys, specific pieces of secret information, which ensures that only the right party can recover the original data. Types: 1. Substitution Ciphers replace each element of the plaintext with another element, which may come from the same set. •Caesar Cipher: a substitution cipher in which each letter of the plaintext is replaced by the letter a fixed number of positions further down the alphabet; the shift is the key, so there are only 25 keys to try. •Simple Substitution Cipher: each letter of the plaintext is replaced by another letter; the key is the alphabet in a random order (a permutation), which gives many keys but still leaves letter frequencies intact.
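What "finding where the cipher displays non-random behaviour" means concretely for the two attacks named above: build the difference distribution table (differential cryptanalysis) and the linear approximation table (linear cryptanalysis) of a single S-box and pick the best entry. This is an added example, not from the original notes; the S-box is the 4-bit one from the PRESENT block cipher, and the function names are mine.

```python
"""DDT and LAT of a 4-bit S-box (added example, not from the original notes)."""

# PRESENT's S-box, a public, well-studied 4-bit substitution.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy (differences are XORs)."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def parity(v):
    """XOR of the bits of v, i.e. the linear function selected by a mask."""
    return bin(v).count("1") & 1


def lat(sbox):
    """lat[a][b] = (#x with a.x == b.S(x)) - n/2: the bias of the affine approximation a.x = b.S(x)."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = agree - n // 2
    return table


def best_differential(sbox):
    """Most probable (dx -> dy) with dx != 0: returns (dx, dy, count); probability is count/n."""
    t = ddt(sbox)
    n = len(sbox)
    dx, dy = max(((i, j) for i in range(1, n) for j in range(n)), key=lambda p: t[p[0]][p[1]])
    return dx, dy, t[dx][dy]


def best_linear(sbox):
    """Most biased (input mask a, output mask b) with a, b != 0: returns (a, b, bias)."""
    t = lat(sbox)
    n = len(sbox)
    a, b = max(((i, j) for i in range(1, n) for j in range(1, n)),
               key=lambda p: abs(t[p[0]][p[1]]))
    return a, b, t[a][b]


if __name__ == "__main__":
    dx, dy, cnt = best_differential(SBOX)
    print("best differential: %x -> %x holds for %d/16 inputs" % (dx, dy, cnt))
    a, b, bias = best_linear(SBOX)
    print("best linear approximation: mask %x -> %x, bias %+d/16" % (a, b, bias))
```

A random-looking S-box would have every differential at close to 1/16 and every bias near 0; the attack chains the best single-S-box entries through the rounds (a characteristic or a linear trail), and the product of their probabilities decides how many plaintext pairs the key recovery needs. For a bijective 4-bit S-box the best achievable values are exactly count 4 and bias 4, which PRESENT's S-box attains.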
SSL Protocol: •SSL stands for Secure Sockets Layer, an encryption-based Internet security protocol that protects the confidentiality and integrity of data. •SSL is used to ensure the privacy and authenticity of data over the internet. •SSL sits between the application and transport layers. •Early SSL versions contained security flaws (SSL 2.0 and 3.0 are now deprecated and should not be enabled), and SSL 3.0 was succeeded by the first version of TLS; that is why SSL is called the predecessor of modern TLS. •A website using TLS/SSL has "HTTPS" in its URL rather than "HTTP". •SSL is divided into three main sub-protocols: the Handshake Protocol, the Record Protocol and the Alert Protocol (plus the one-message Change Cipher Spec protocol in SSL 3.0 and TLS up to 1.2).
TLS Protocol: •TLS (Transport Layer Security), the successor of SSL, is widely used for the privacy and integrity of data over the internet. •TLS uses a pseudo-random function (PRF) to derive the master secret, the key material from which the encryption and MAC keys between client and server are taken. •TLS is typically used to encrypt communication between a client and a server, for example a web browser loading a page from a web server. •TLS has the same sub-protocols as SSL: Handshake Protocol, Record Protocol and Alert Protocol.
Diff: •SSL 3.0 supports the Fortezza cipher suites, which TLS does not. •The versions differ: the last SSL version is 3.0, and the first TLS version is 1.0 (carried on the wire as version 3.1); current deployments should use TLS 1.2 or 1.3. •In SSL 3.0 the master secret is built by combining MD5 and SHA-1 message digests of the pre-master secret and the client/server random values. TLS instead derives it with an HMAC-based pseudo-random function (HMAC-SHA256 in TLS 1.2; TLS 1.3 replaces the PRF with HKDF), which is a stronger construction. •Both provide authentication, confidentiality and integrity for the communication.

Threat modelling methodologies: DREAD was proposed for threat modeling, but because its ratings were inconsistent between assessors Microsoft dropped it in 2008. It is still used by OpenStack and other organisations. It provides a mnemonic for risk-rating security threats using five categories, each scored on a fixed scale and then combined (typically averaged) into one rating: •Damage Potential: ranks the extent of damage that would occur if the vulnerability were exploited. •Reproducibility: ranks how easy it is to reproduce the attack. •Exploitability: rates the effort required to launch the attack. •Affected Users: how many people would be impacted if an exploit became widely available. •Discoverability: how easy it is to discover the threat. Process for Attack Simulation and Threat Analysis (PASTA): a seven-step, risk-centric methodology. Its purpose is to provide a dynamic threat identification, enumeration and scoring process. Upon completion of the threat model, security subject matter experts develop a detailed analysis of the identified threats, and appropriate security controls can then be enumerated. This helps developers build an asset-centric mitigation strategy by analysing the attacker-centric view of an application. Trike: the focus is on using threat models as a risk management tool. Threat models are based on a requirements model, which establishes the stakeholder-defined "acceptable" level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are identified and assigned risk values. The completed threat model is used to build a risk model based on assets, roles, actions and calculated risk exposure.
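The master-secret difference between SSL 3.0 and TLS described above, written out: the SSL 3.0 MD5/SHA-1 construction from RFC 6101 beside the TLS 1.2 PRF from RFC 5246. This is an added example, not from the original notes; the pre-master secret and the two random values are constructed constants standing in for what the handshake's key-exchange phase would actually negotiate.

```python
"""SSL 3.0 vs TLS 1.2 master-secret derivation (added example, not from the original notes)."""
import hashlib
import hmac

# Constructed inputs; in a real handshake these come from the key-exchange messages.
PRE_MASTER = bytes(range(48))       # e.g. the 48-byte RSA-encrypted pre-master secret
CLIENT_RANDOM = b"\x11" * 32        # ClientHello.random
SERVER_RANDOM = b"\x22" * 32        # ServerHello.random


def ssl3_master_secret(pre_master, client_random, server_random):
    """SSL 3.0 (RFC 6101 s6.1): concatenation of
    MD5(pre || SHA1(label || pre || client_random || server_random)) for labels 'A', 'BB', 'CCC'."""
    out = b""
    for label in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(label + pre_master + client_random + server_random).digest()
        out += hashlib.md5(pre_master + inner).digest()
    return out                      # 3 x 16 = 48 bytes


def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 s5): P_<hash>(secret, label || seed) built from the HMAC chain
    A(0) = seed, A(i) = HMAC(secret, A(i-1)), output block i = HMAC(secret, A(i) || seed)."""
    seed = label + seed
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_master_secret(pre_master, client_random, server_random):
    """RFC 5246 s8.1: master_secret = PRF(pre_master, "master secret", client_random || server_random)[0..47]."""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


if __name__ == "__main__":
    print("SSL 3.0:", ssl3_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).hex())
    print("TLS 1.2:", tls12_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).hex())
```

The same PRF, called again with the label "key expansion" and the randoms in the opposite order, expands the master secret into the per-direction MAC keys, encryption keys and IVs used by the Record Protocol; TLS 1.3 replaces this whole chain with HKDF-Extract/Expand and no longer has a single "master secret" of this shape.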

Types Of Cyber Security Vulnerabilities: Broken Authentication: To pose as the original user, attackers hijack user sessions and identities by compromising authentication credentials (guessed or stolen passwords, leaked session tokens). Multi-factor authentication has long been available, but its usability friction kept password-only authentication the norm. Two-factor authentication is nevertheless a widely implemented security process: it combines two independent verification methods, one of which is usually a password. Frequently used authentication technologies are username/password, one-time passwords and biometric authentication. Injection: An injection flaw is a vulnerability that lets an attacker relay untrusted input (malicious code or commands) through an application to another system, typically an interpreter such as a SQL database, an OS shell or an LDAP directory. This can compromise back-end systems as well as other clients connected to the vulnerable application. Security Misconfiguration: Security misconfiguration (default credentials, verbose error messages, unnecessary services or features left enabled, missing hardening) gives attackers a chance to gain unauthorized access to system data or functionality. Such flaws frequently escalate into a complete system compromise; the business impact depends on the protection needs of the application and data. Poor Resource Management: Resource management covers transferring, using, creating and destroying resources within a system. When resources are managed poorly or unsafely, the organization is prone to vulnerabilities such as path traversal, use of potentially dangerous functions, buffer overflows and more. Insecure Connection Between Elements: When the interaction between components of a system or network is insecure, the organization is exposed to many threats, including SQL injection, open redirects, cross-site scripting and more. To ensure that an organization is free from such vulnerabilities, it is critical to pay close attention to how data circulates across its networks and systems: if the circulation of data is secured, most of the vulnerabilities and threats above are addressed. Each system nevertheless has unique vulnerabilities that need their own solutions.

"Software piracy is the copying and use of software without a proper license from the developer." Similarly, the simultaneous use of single-user licensed software by multiple users, or the installation of single-user licensed software on multiple sites, also amounts to software piracy. Using trial-version software for commercial gain is also considered piracy. Piracy remains punishable if you install pirated software, use it for your work and then delete it from the machine, as long as there is enough evidence to show its prior usage.
Copyright infringement is the unauthorized use of copyrighted material in a manner that violates one of the copyright owner's exclusive rights, such as the right to reproduce it or to make derivative works that build upon it. For electronic and audio-visual media, such unauthorized reproduction and distribution of copyrighted work is often referred to as piracy (although there is no legal basis for the term "piracy"). There are different types of software piracy, such as copying copyrighted materials and using multiple copies of the same without a license. Even if a person installs and uses a copy of the material and then removes it from the system, it will still count as software piracy. This includes installation on a hard drive, or on servers and clients, of the same version without a license. If a company illegally sells the product of another company without its permission or authorization, with or without alteration of the original product, that is also considered piracy.
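The injection flaw above in concrete form: a login check that splices user input into SQL text, beside the parameterised version that sends the values separately from the statement. This is an added example, not from the original notes; it uses an in-memory SQLite database seeded with constructed users so it runs offline (the plaintext passwords are for the demonstration only; a real system stores salted hashes, as the notes' hash-function section says).

```python
"""SQL injection: vulnerable string-built query vs parameterised query
(added example, not from the original notes; data is constructed)."""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "correct horse"), ("bob", "hunter2")])   # constructed test data
    return con


def login_vulnerable(con, username, password):
    # Untrusted input becomes part of the SQL text, so the interpreter cannot tell data from code.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    # Placeholders: the statement is fixed, the values travel separately, quotes stay data.
    row = con.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row[0] if row else None


# Classic tautology payload: turns the WHERE clause into (... AND password = '') OR '1'='1'.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "nobody", PAYLOAD))   # a real username: authentication bypassed
    print(login_safe(db, "nobody", PAYLOAD))         # None: the payload is just a wrong password
```

The fix is not escaping quotes in the input but never building the statement from the input at all; the same rule applies to OS command, LDAP and XPath injection, where the equivalent of a placeholder is an argument vector or a typed API instead of a string.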
VAST: VAST is an acronym for Visual, Agile, and Simple Threat modeling. The methodology provides actionable outputs for the unique needs of various stakeholders such as application architects and developers, cyber security personnel, etc. It provides a unique application and infrastructure visualization scheme such that the creation and use of threat models do not require specific security subject matter expertise. Attack Tree: Attack trees are conceptual diagrams showing how an asset, or target, might be attacked. They are multi-level diagrams consisting of one root node, leaf nodes and intermediate child nodes. From bottom to top, child nodes are conditions that must be satisfied to make their parent node true; an attack is complete when the root is satisfied. Each node may be satisfied only by its direct child nodes. If there is a grandchild below the root, multiple steps are needed: first the grandchild's condition must be satisfied to make its parent true, then the parent's condition must be satisfied to make the root true. Nodes also carry AND/OR semantics: an OR node represents alternative ways of achieving the goal, while an AND node represents steps that must all succeed. Common Vulnerability Scoring System (CVSS): It provides a way to capture the principal characteristics of a vulnerability and produce a numerical score (ranging from 0 to 10, with 10 being the most severe) depicting its severity. The score can then be translated into a qualitative rating (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0 in CVSS v3.x) to help organizations assess and prioritize their vulnerability management processes. T-MAP: T-MAP is an approach used for Commercial Off The Shelf (COTS) systems to calculate the weights of attack paths. The model is built from UML class diagrams: access class diagrams, vulnerability class diagrams, target asset class diagrams and affected value class diagrams.

The SSL/TLS handshake establishes the parameters that an SSL/TLS client and server use to communicate; in other words, it is a negotiation between two parties on a network. The Handshake Protocol is used to establish sessions. It allows the client and server to authenticate each other by exchanging a series of messages. The handshake uses four phases to complete its cycle.
Phase 1: Deciding which version of the protocol to use. Client and server exchange hello messages (ClientHello, ServerHello) in which they agree on the protocol version, the session ID, the cipher suite and the compression method, and exchange their random nonces.
Phase 2: The server sends its Certificate and, when the chosen key exchange needs it, a ServerKeyExchange message (optionally also a CertificateRequest); the server ends phase 2 with ServerHelloDone.
Phase 3: Verification. The client replies by sending its own certificate (if one was requested) and a ClientKeyExchange message carrying the pre-master secret or its key-exchange share, plus a CertificateVerify signature if it sent a certificate.
Phase 4: Each side sends ChangeCipherSpec followed by a Finished message protected with the newly derived keys; once these verifications and security checks succeed, the Handshake Protocol ends and application data flows under the Record Protocol.

Forgery: Offenses of computer forgery and counterfeiting have become rampant, as it is very easy to counterfeit a document, such as a birth certificate, and use it to perpetrate a crime. The authenticity of electronic documents therefore needs to be safeguarded by explicitly making forgery with the help of computers an offense punishable by law. When a perpetrator alters documents stored in computerized form, the crime committed may constitute forgery. In such instances, computer systems are the target of criminal activity. However, computers can also be used as instruments to commit forgery. A new generation of fraudulent alteration or counterfeiting emerged with the advent of computerized color laser copiers. These copiers are capable of high-resolution copying, document modification, and even the creation of false documents without the need for an original. They produce documents of a quality indistinguishable from authentic ones, except to an expert. Such schemes require very little computer knowledge to execute. Counterfeit checks, invoices and stationery can be produced using scanners, color printers and graphic design software. These forgeries are difficult for an untrained eye to detect. It is relatively easy to scan a logo into a computer system and proceed from there.

Types Of Malware: Adware (software that forces unwanted advertisements on the user), Spyware (software that covertly collects information about the user and sends it to a third party), Botnets: short for "robot network," these are networks of infected computers under the control of a single attacking party using command-and-control servers. Botnets are highly versatile and adaptable, able to maintain resilience through redundant servers and by using infected computers to relay traffic. Botnets are often the armies behind today's distributed denial-of-service (DDoS) attacks. Cryptojacking is malicious cryptomining (the process of using computing power to verify transactions on a blockchain network and earning cryptocurrency for providing that service) that happens when cybercriminals break into business and personal computers, laptops and mobile devices to install mining software that uses the victim's CPU and electricity. Malvertising is a portmanteau of "malware + advertising" describing the practice of using online advertising to spread malware. It typically involves injecting malicious code or malware-laden advertisements into legitimate online advertising networks and webpages. Ransomware: a criminal business model that uses malicious software to hold valuable files, data or information for ransom, usually by encrypting them. Victims of a ransomware attack may have their operations severely degraded or shut down entirely. Remote Administration Tools (RATs): software that allows a remote operator to control a system. These tools were originally built for legitimate use but are now also used by threat actors. RATs enable administrative control, allowing an attacker to do almost anything on an infected computer. They are difficult to detect, as they don't typically show up in lists of running programs or tasks, and their actions are often mistaken for those of legitimate programs. Rootkits: programs that give an attacker persistent privileged (root-level) access to a computer while hiding their presence. Rootkits vary in form and conceal themselves within the operating system (user-space libraries, the kernel, the boot loader or firmware), hiding their processes, files and network connections from the tools an administrator would use to find them.
