Unit 4 Concepts of Cyber Security

4.1 Concepts of Cyber Security

−​ Cyber security is the protection to defend internet-connected devices and services
from malicious attacks by hackers, spammers, and cybercriminals.
−​ cyber-attacks are usually aimed at accessing, changing, or destroying sensitive
information; extorting money from users; or interrupting normal business processes
and Cyber security has been used as a catch-all term in the media to describe the
process of protection against every form of cybercrime, from identity theft to
international digital weapons.

4.1.1​ Types of Threats

−​ Cyber terrorism. This threat is a politically-based attack on computers and
information technology to cause harm and create widespread social disruption.
−​ Malware. This threat encompasses ransomware, spyware, viruses, and worms. It can
install harmful software, block access to your computer resources, disrupt the
system, or covertly transmit information from your data storage.
−​ Trojans. Like the legendary Trojan horse of mythology, this attack tricks users into
thinking they're opening a harmless file. Instead, once the trojan is in place, it attacks
the system, typically establishing a backdoor that allows access to cybercriminals.
−​ Botnets. This especially hideous attack involves large-scale cyber-attacks conducted
by remotely controlled malware-infected devices. Think of it as a string of computers
under the control of one coordinating cybercriminal. What are worse, compromised
computers becomes part of the botnet system.
−​ Adware. This threat is a form of malware. It's often called advertisement-supported
software. The adware virus is a potentially unwanted program (PUP) installed without
your permission and automatically generates unwanted online advertisements.
−​ SQL injection. A Structured Query Language attack inserts malicious code into a
SQL-using server.
−​ Phishing. Hackers use false communications, especially e-mail, to fool the recipient
into opening it and following instructions that typically ask for personal information.
Some phishing attacks also install malware.
−​ Man-in-the-middle attack. MITM attacks involve hackers inserting themselves into a
two-person online transaction. Once in, the hackers can filter and steal desired data.
MITM attacks often happen on unsecured public Wi-Fi networks.
−​ Denial of Service. DoS is a cyber attack that floods a network or computer with an
overwhelming amount of “handshake” processes, effectively overloading the system
and making it incapable of responding to user requests.

4.1.2​ Advantages of Cyber Security

−​ Without solid cyber security defences, it would be easy to destroy modern-day
essentials like the power grids and water treatment facilities that keep the world
running smoothly.
−​ Simply put, cyber security is critically important because it helps to preserve the
lifestyles we have come to know and enjoy.
−​ CIA Triad
−​ The security of any organization starts with three principles: Confidentiality, Integrity,
and Availability. This is called as CIA, which has served as the industry standard for
computer security since the time of first mainframes.

Sutex bank college of computer applications and science Page 1

 Unit 4 Concepts of Cyber Security

−​ Confidentiality: The principles of confidentiality assert that only authorized parties

can access sensitive information and functions. Example: military secrets.
−​ Integrity: The principles of integrity assert that only authorized people and means
can alter, add, or remove sensitive information and functions. Example: a user
entering incorrect data into the database.
−​ Availability: The principles of availability assert that systems, functions, and data
must be available on-demand according to agreed-upon parameters based on levels
of service.

4.2 Basic Terminologies:

4.2.1 IP Address, MAC Address
What is a MAC Address?
The term MAC address is an acronym for Media Access Control Address. The MAC Address
refers to a unique identifier that gets assigned to a Network Interface Card/ Controller
(NIC). It has a 64-bit or 48-bit address linked and connected to the concerned network
adapter. The MAC Address can exist in a hexadecimal format. This type of address exists in
six separate sets of two characters/ digits – separated from each other using colons.

What is an IP Address?
The term IP Address is an acronym for Internet Protocol Address. An IP Address refers to the
address that assists a user in identifying a network connection. It also goes by the Logical
Address name provided to individual connections in the present network. An IP address lets
us understand and control the way in which various devices communicate on the Internet. It
also defines the specific behaviour of various Internet routers.

Difference between MAC Address and IP Address

Parameters MAC Address IP Address

Full-Form The term MAC address is an acronym for Media The term IP Address is an acronym for
Access Control Address. Internet Protocol Address.

Number of Bytes It is a hexadecimal address of six bytes. This address is either an eight-byte or a
six-byte one.

Protocol Used for You can retrieve a device attached to the MAC You can retrieve a device attached to the IP
Retrieval address using the ARP protocol. address using the RARP protocol.

Provider The Manufacturer of NIC Cards provides a device An ISP (Internet Service Provider) provides a
with its MAC address. device’s IP address.

Use The primary use of a MAC address is to ensure the The IP address, on the other hand, defines a
physical address of a given device/ computer. computer’s logical address.

Operation The MAC address primarily operates on the data The IP address primarily operates on the
link layer. network layer.

Alteration and This address does not alter or change with the This address gets modified depending on
Changes passing time and change of environment. the change in environment and time.

Third-Party Access Any third party can find out a device’s MAC The IP address stays hidden from display in
address. front of any third party.

Sutex bank college of computer applications and science Page 2

 Unit 4 Concepts of Cyber Security

4.2.2 Domain name Server (DNS)

−​ DNS stands for "Domain Name System”. DNS is a protocol within the set of standards for
how computers exchange data on the internet and on many private networks, known
as the TCP/IP protocol suite.
−​ Its purpose is vital, as it helps convert easy-to-understand domain names like
"howstuffworks.com" into an Internet Protocol (IP) address, such as 70.42.251.42 that
computers use to identify each other on the network. It is, in short, a system of matching
names with numbers.
−​ Domain: There are various kinds of DOMAIN:
−​ Generic domain: .com (commercial) .edu (educational) .mil (military) .org (non profit
organization) .net (similar to commercial) all these are generic domain.
−​ Country domain .in (India) .us .uk
−​ Inverse domain The inverse domain is used for mapping an address to a name. When
the server has received a request from the client, and the server contains the files of
only authorised clients. To determine whether the client is on the authorised list or not,
it sends a query to the DNS server and asks for mapping an address to the name.
−​ Organization of Domain:
−​

How DNS works

DNS servers convert URLs and domain names into IP addresses that computers can
understand and use. They translate what a user types into a browser into something the
machine can use to find a webpage. This process of translation and lookup is called DNS
resolution.

The basic process of a DNS resolution follows these steps:

1.​ The user enters a web address or domain name into a browser.
2.​ The browser sends a message, called a recursive DNS query, to the network to find
out which IP or network address the domain corresponds to.
3.​ The query goes to a recursive DNS server, which is also called a recursive resolver,
and is usually managed by the internet service provider (ISP). If the recursive
resolver has the address, it will return the address to the user, and the webpage will
load.
4.​ If the recursive DNS server does not have an answer, it will query a series of other
servers in the following order: DNS root name servers, top-level domain (TLD) name
servers and authoritative name servers.

Sutex bank college of computer applications and science Page 3

 Unit 4 Concepts of Cyber Security

5.​ If the query reaches the authoritative server and it cannot find the information, it
returns an error message.

4.2.3 DHCP, Router, Bots

DHCP:
−​ Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that
automatically provides an Internet Protocol (IP) host with its IP address and other
related configuration information such as the subnet mask and default gateway.
−​ RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF)
standard based on Bootstrap Protocol (BOOTP), a protocol with which DHCP shares
many implementation details. DHCP allows hosts to obtain required TCP/IP
configuration information from a DHCP server.

Why use DHCP?

−​ Every device on a TCP/IP-based network must have a unique unicast IP address to
access the network and its resources. Without DHCP, IP addresses for new computers
or computers that are moved from one subnet to another must be configured
manually; IP addresses for computers that are removed from the network must be
manually reclaimed.
−​ With DHCP, this entire process is automated and managed centrally. The DHCP server
maintains a pool of IP addresses and leases an address to any DHCP-enabled client
when it starts up on the network. Because the IP addresses are dynamic (leased)
rather than static (permanently assigned), addresses no longer in use are
automatically returned to the pool for reallocation.
−​ The network administrator establishes DHCP servers that maintain TCP/IP
configuration information and provide address configuration to DHCP-enabled clients
in the form of a lease offer. The DHCP server stores the configuration information in a
database

Benefits of DHCP
−​ Reliable IP address configuration. DHCP minimizes configuration errors caused by
manual IP address configuration, such as typographical errors, or address conflicts
caused by the assignment of an IP address to more than one computer at the same
time.
−​ Reduced network administration. DHCP includes the following features to reduce
network administration:
−​ Centralized and automated TCP/IP configuration.
−​ The ability to assign a full range of additional TCP/IP configuration values by means of
DHCP options.
−​ The efficient handling of IP address changes for clients that must be updated
frequently, such as those for portable devices that move to different locations on a
wireless network.
−​ The forwarding of initial DHCP messages by using a DHCP relay agent, which
eliminates the need for a DHCP server on every subnet.

Routers:
−​ A device that forwards data packets (units of info) from one network to another.

Sutex bank college of computer applications and science Page 4

 Unit 4 Concepts of Cyber Security

−​ Based on routing tables (lists of addresses, permissions etc) and routing protocols,
routers read the network address in each transmission and make a decision on how
to send it based on the most expedient route (determined by traffic load, line costs,
speed, bad lines)
−​ Routers are used to segment networks to balance and filter traffic for security
purposes and policy management
−​ They are also used at the edge of the n/w to connect remote offices
−​ Router can only route a message that is transmitted by a routable protocol (e.g.
Internet Protocol)
−​ Routers have to inspect n/w address in the protocol, so they process data and thus
add overhead.
−​ Most routers are specialized computers that are optimized for communications
−​ Router functions can also be implemented by adding routing software to file server.
(e.g. Windows 2000 include routing software)
−​ The operating system can route from one n/w to another, if each is connected to its
own n/w adapter (or NIC), in the server.
Bots:
−​ An autonomous program on the internet or another network that can interact with
systems or users.
−​ A ‘bot’ – short for robot – is a software program that performs automated,
repetitive, pre-defined tasks. Bots typically imitate or replace human user behavior.
Because they are automated, they operate much faster than human users. They carry
out useful functions, such as customer service or indexing search engines, but they
can also come in the form of malware – used to gain total control over a computer.
−​ Internet bots can also be referred to as spiders, crawlers, or web bots.
−​ Bots can be:
Chatbots
−​ Bots that simulate human conversation by responding to certain phrases with
programmed responses. for example google assistant
Social bots
−​ Bots which operate on social media platforms, and are used to automatically
generate messages, advocate ideas, act as a follower of users, and as fake accounts
to gain followers themselves. As social networks become more sophisticated, it is
becoming harder for social bots to create fake accounts. It is difficult to identify
social bots because they can exhibit similar behavior to real users.
Shop bots
−​ Bots that shop around online to find the best price for products a user is looking for.
Some bots can observe a user’s patterns in navigating a website and then customize
that site for the user.
Spider bots or web crawlers
−​ Bots that scan content on webpages all over the internet to help Google and other
search engines understand how best to answer users’ search queries. Spiders
download HTML and other resources, such as CSS, JavaScript, and images, and use
them to process site content.
Malicious bots /Web scraping crawlers
−​ Bots that scrape content, spread spam content, or carry out credential stuffing
attacks Bots that read data from websites with the objective of saving them offline

Sutex bank college of computer applications and science Page 5

 Unit 4 Concepts of Cyber Security

and enabling their reuse. This may take the form of scraping the entire content of
web pages or scraping web content to obtain specific data points, such as names and
prices of products on e-commerce websites.
−​ In some cases, scraping is legitimate and may be allowed by website owners. In other
instances, bot operators may be violating website terms of use or stealing sensitive
or copyrighted material.
Knowbots
−​ Bots that collect knowledge for users by automatically visiting websites to retrieve
information which fulfils certain criteria.
Monitoring bots
−​ Bots used to monitor the health of a website or system. Downdetector.com is an
example of an independent site that provides real-time status information, including
outages, of websites and other kinds of services.
Transactional bots
−​ Bots used to complete transactions on behalf of humans. For example, transactional
bots allow customers to make a transaction within the context of a conversation.
Download bots
−​ Bots that are used to automatically download software or mobile apps. They can be
used to manipulate download statistics – for example, to gain more downloads on
popular app stores and help new apps appear at the top of the charts.
−​ They can also be used to attack download sites, creating fake downloads as part of a
Denial of Service (DoS) attack.
Ticketing bots
−​ Bots which automatically purchase tickets to popular events, with the aim of reselling
those tickets for a profit. This activity is illegal in many countries, and even when not
against the law, it can be a nuisance to event organizers, legitimate ticket sellers, and
consumers. Ticketing bots are often sophisticated, emulating the same behaviors as
human ticket buyers.
Why do cybercriminals use bots?
−​ 1. To steal financial and personal information
−​ 2. To attack legitimate web services
−​ 3. To extort money from victims
−​ 4. To make money from zombie and botnet systems

4.3 Common Types of Attacks:

A cyber-attack is a malicious attempt by an organization or individual to breach a network

containing sensitive data of individuals or organizations. Attackers use a variety of different
methods to exploit their victims' networks. Here are some of the most common types of
cyber-attacks:
−​ Brute force attack
−​ Advanced persistent threat (APT)
−​ Ransomware
−​ Denial-of-service (DoS) and distributed denial-of-service (DDoS)
−​ Phishing
−​ Credential stuffing
−​ Man-in-the-middle attack

Sutex bank college of computer applications and science Page 6

 Unit 4 Concepts of Cyber Security

−​ SQL injection
−​ Cross-site scripting (XSS)

4.3.1 Distributed Denial of Service

−​ DDoS Attack means "Distributed Denial-of-Service (DDoS) Attack" and it is a
cybercrime in which the attacker floods a server with internet traffic to prevent
users from accessing connected online services and sites.
−​ Motivations for carrying out a DDoS vary widely, as do the types of individuals and
organizations eager to perpetrate this form of cyberattack. Some attacks are carried
out by disgruntled individuals and hacktivists wanting to take down a company's
servers simply to make a statement, have fun by exploiting cyber weakness, or
express disapproval.
−​ Other distributed denial-of-service attacks are financially motivated, such as a
competitor disrupting or shutting down another business's online operations to steal
business away in the meantime.
−​ Others involve extortion, in which perpetrators attack a company and install
hostageware or ransomware on their servers, then force them to pay a large
financial sum for the damage to be reversed.
−​ DDoS attacks are on the rise, and even some of the largest global companies are not
immune to being "DDoS'ed". The largest attack in history occurred in February 2020
to none other than Amazon Web Services (AWS), overtaking an earlier attack on
GitHub two years prior.
−​ DDoS ramifications include a drop in legitimate traffic, lost business, and reputation
damage.

−​ A DDoS attack aims to overwhelm the devices, services, and network of its intended
target with fake internet traffic, rendering them inaccessible to or useless for
legitimate users.
DoS vs. DDoS
−​ A distributed denial-of-service attack is a subcategory of the more general
denial-ofservice (DoS) attack. In a DoS attack, the attacker uses a single internet
connection to barrage a target with fake requests or to try and exploit a
cybersecurity vulnerability.
−​ DDoS is larger in scale. It utilizes thousands (even millions) of connected devices to
fulfill its goal.
Botnets
−​ Botnets are the primary way distributed denial-of-service-attacks are carried out.
The attacker will hack into computers or other devices and install a malicious piece
of code, or malware, called a bot. Together, the infected computers form a network
called a botnet. The attacker then instructs the botnet to overwhelm the victim's
servers and devices with more connection requests than they can handle.

Types of DDoS Attacks

Even though the end goal of a DDoS attack is always to overwhelm the system, the means
to achieve the goal can differ. Three broad types of DDoS attacks are as follows
Volume-Based or Volumetric Attacks

Sutex bank college of computer applications and science Page 7

 Unit 4 Concepts of Cyber Security

−​ This type of attack aims to control all available bandwidth between the victim and
the larger internet. Domain name system (DNS) amplification is an example of a
volume-based attack. In this scenario, the attacker spoofs the target's address, then
sends a DNS name lookup request to an open DNS server with the spoofed address.
−​ When the DNS server sends the DNS record response, it is sent instead to the target,
resulting in the target receiving an amplification of the attacker’s initially small query.

Protocol Attacks
−​ Protocol attacks look to exhaust resources of a server or those of its networking
systems like firewalls, routing engines, or load-balancers. An example of a protocol
attack is the SYN flood attack.

SYN flood attack

-The attacker floods the server with numerous SYN packets, each containing spoofed IP
addresses. The server responds to each packet (via SYN-ACKs), requesting the client to
complete the handshake. However, the client(s) never respond, and the server keeps
waiting. Eventually, it crashes after waiting too long for too many responses.

−​
−​
Application-Layer Attacks
−​ The most common type of application layer attacks are the HTTP flood attacks in
which malicious actors just keep sending various HTTP requests to a server using
different IP addresses. Since the IP address and other identifiers change in every
request, the server can’t detect that it’s being attacked.

Sutex bank college of computer applications and science Page 8

 Unit 4 Concepts of Cyber Security

−​
4.3.2 Man in the Middle, Email Attack
Man in the middle:
−​ Just as the name suggests, the man-in-the-middle is like an eavesdropper between
two sessions where the communication between two parties is monitored and
intercepted. The goal of such an attack is to steal financial or login information
of users.

−​

Types of man-in-the-middle attacks:

-​ IP spoofing
-​ DNS spoofing
-​ HTTPS spoofing
-​ SSL hijacking
-​ Email hijacking
-​ Wi-Fi eavesdropping
-​ Stealing browser cookies
To help prevent man-in-the-middle attacks:
−​ Enable encryption on your router. If your modem and router can be accessed by
anyone off the street, they can use "sniffer" technology to see the information that
is passed through it.
−​ Use strong credentials and two-factor authentication. Many router credentials are
never changed from the default username and password. If a hacker gets access to
your router administration, they can redirect all your traffic to their hacked servers.
−​ Immediately logging out of a secure application when it’s not in use.

Sutex bank college of computer applications and science Page 9

 Unit 4 Concepts of Cyber Security

−​ Use a VPN. A secure virtual private network (VPN) will help prevent
man-in-the-middle attacks by ensuring that all the servers you send data to are
trusted.

Email attack:
This is one popular example of an email cyber-attack, which has just used email as an attack
vector to steal the user’s credentials and other sensitive or personal data so it can be
leveraged for malicious intent.
Types of Email Attacks
1.​ Phishing
Phishing is a type of deception. Cybercriminals utilize email, instant messaging, and
other social media to impersonate a trusted individual to obtain information such as
login credentials. When an evil entity sends a false email that appears to be from a
legitimate, trustworthy source, it is known as phishing. The goal of the message is
to deceive the receiver into downloading malware or disclosing personal or financial
information.
Spear phishing is a form of phishing attack that is very specific in its approach. While
phishing and spear-phishing use emails to contact their victims, spear-phishing
delivers personalized emails to a single individual. Before sending the email, the
criminal researches the target's interests.
2.​ Vishing
It is a type of phishing that employs voice communication technologies. Using
voice-over IP technologies, criminals can fake calls from legitimate sources. Victims
may also get a recorded message that purports to be from an official source.
Criminals attempt to steal the victim's identity by obtaining credit card numbers or
other personal information. Vishing takes advantage of people's faith in the
telephone system.
3.​ Smishing
It is a sort of phishing that uses mobile phones to send text messages. To earn the
victim's trust, criminals imitate a legitimate source. A smishing attack might, for
example, send the victim a webpage URL. Malware is installed on the victim's phone
when they access the page.
4.​ Whaling
A phishing assault that targets high-profile targets within a business, such as senior
executives, is known as whaling. Politicians and celebrities are also possible targets.
5.​ Pharming
Pharming is the impersonation of a reputable website to dupe individuals to submit
their personal information. Pharming leads consumers to a phony website that
appears to be legitimate. Victims then provide their data under the impression that
they have reached a legitimate website.
6.​ Spyware
It is software that allows a criminal to collect data about a user's computer
activity. Activity trackers, keystroke collecting, and data capture are all standard
features of spyware. A spyware frequently adjusts its security settings in an attempt
to circumvent security measures. Spywares often come along with legitimate
applications or Trojan horses. Many shareware sites are infected with spyware.
7.​ Scareware

Sutex bank college of computer applications and science Page 10

 Unit 4 Concepts of Cyber Security

It is software that uses fear to encourage the user to execute a specified action.
Scareware creates pop-up windows that seem like those found in operating systems.
These windows display fake messages claiming that the system is in danger or
requires the execution of a specific program to resume regular operation. In actuality,
there are no issues, and malware infects the user's PC if they agree and permit the
indicated program to run.
8.​ Adware
Adware generates cash for its makers by displaying unpleasant pop-ups. By tracking
the pages visited, the malware may be able to determine the user's interests. It can
then send relevant pop-up advertisements to those websites. Adware is installed by
default in some software versions.
9.​ Spam
Unsolicited emails are referred to as spam (also known as junk mail). Spam is almost
always a form of advertising. Spams can contain hazardous links, viruses, or false
content. The ultimate goal is to collect sensitive data like a social security number or
bank account details. The majority of spams originate from numerous computers
connected to a network infected with a virus or worm. These infected computers
send out as many spam emails as they can.
4.3.2 Password Attack, Malware
Password Attacks
−​ Because passwords are the most commonly used mechanism to authenticate users
to an information system, obtaining passwords is a common and effective attack
approach. Access to a person’s password can be obtained by looking around the
person’s desk, ‘‘sniffing’’ the connection to the network to acquire unencrypted
passwords, using social engineering, gaining access to a password database or
outright guessing. The last approach can be done in either a random or systematic
manner:
−​ Brute-force password guessing means using a random approach by trying different
passwords and hoping that one work some logic can be applied by trying passwords
related to the person’s name, job title, hobbies or similar items.
−​ In a dictionary attack, a dictionary of common passwords is used to attempt to gain
access to a user’s computer and network. One approach is to copy an encrypted file
that contains the passwords, apply the same encryption to a dictionary of
commonly used passwords, and compare the results.
−​ In order to protect yourself from dictionary or brute-force attacks, you need to
implement an account lockout policy that will lock the account after a few invalid
password attempts. You can follow these account lockout best practices in order to
set it up correctly.

Preventing Password Attacks

The best way to fix a password attack is to avoid one in the first place. Ask your IT
professional about proactively investing in a common security policy that includes:

−​ Multi-factor authentication. Using a physical token or a personal device (like a

mobile phone) to authenticate users ensures that passwords are not the only gate to
access.

Sutex bank college of computer applications and science Page 11

 Unit 4 Concepts of Cyber Security

−​ Remote access. Using a smart remote access platform like OneLogin means that
individual websites are no longer the source of user trust. Instead, OneLogin ensures
that the user's identity is confirmed, and then logs them in.
−​ Biometrics. A malicious actor will find it very difficult to replicate your fingerprint or
facial shape. Enabling biometric authentication turns your password into only one of
several points of trust that a hacker needs to overcome.

Malware:
Malware is intrusive software that is designed to damage and destroy computers and
computer systems. Malware is a contraction for “malicious software.” Examples of common
malware include viruses, worms, Trojan viruses, spyware, adware, and ransomware.

Types of Malware Attacks

−​ Most malware types can be classified into one of the following categories:
−​ Virus: When a computer virus is executed, it can replicate itself by modifying other
programs and inserting its malicious code. It is the only type of malware that can
“infect” other files and is one of the most difficult types of malware to remove.
−​ Worm: A worm has the power to self-replicate without end-user involvement and
can infect entire networks quickly by moving from one machine to another.
−​ Trojan: Trojan malware disguises itself as a legitimate program, making it one of the
most difficult types of malware to detect. This type of malware contains malicious
code and instructions that, once executed by the victim, can operate under the radar.
It is often used to let other types of malware into the system.
−​ Hybrid malware: Modern malware is often a “hybrid” or combination of malicious
software types. For example, “bots” first appear as Trojans then, once executed, act
as worms. They are frequently used to target individual users as part of a larger
network-wide cyber-attack.
−​ Adware: Adware serves unwanted and aggressive advertising (e.g., pop-up ads) to
the end-user.
−​ Malvertising: Malvertising uses legitimate ads to deliver malware to end-user
machines.
−​ Spyware: Spyware spies on the unsuspecting end-user, collecting credentials and
passwords, browsing history and more.
−​ Ransomware: Ransomware infects machines, encrypts files and holds the needed
decryption key for ransom until the victim pays. Ransomware attacks targeting
enterprises and government entities are on the rise, costing organizations millions as
some pay off the attackers to restore vital systems. Cyptolocker, Petya and Loky are
some of the most common and notorious families of ransomware.
−​ Over the years, malware has been observed to use a variety of different delivery
mechanisms, or attack vectors. While a few are admittedly academic, many attack
vectors are effective at compromising their targets. These attack vectors generally
occur over electronic communications such as email, text, vulnerable network
service, or compromised website, malware delivery can also be achieved via physical
media (e.g. USB thumb drive, CD/DVD, etc.).
Prevention:
Typically, businesses focus on preventative tools to stop breaches (violation). By securing
the perimeter, businesses assume they are safe. Some advanced malware, however, will

Sutex bank college of computer applications and science Page 12

 Unit 4 Concepts of Cyber Security

eventually make their way into your network. As a result, it is crucial to deploy technologies
that continually monitor and detect malware that has evaded perimeter defenses. Sufficient
advanced malware protection requires multiple layers of safeguards along with high-level
network visibility and intelligence.

How to Prevent Malware Attacks

To strengthen malware protection and detection without negatively impacting business
productivity, organizations often take the following steps:

−​ Use anti-virus tools to protect against common and known malware.

−​ Utilize endpoint detection and response technology to continuously monitor and
respond to malware attacks and other cyber threats on end-user machines.
−​ Follow application and Operating System (OS) patching best practices.
−​ Implement the principle of least privilege and just-in-time access to elevate account
privileges for specific authorized tasks to keep users productive without providing
unnecessary privileges.
−​ Remove local administrator rights from standard user accounts to reduce the attack
surface.
−​ Apply application grey listing on user endpoints to prevent unknown applications,
such as new ransomware instances, from accessing the Internet and gaining the read,
write and modify permissions needed to encrypt files.
−​ Apply application whitelisting on servers to maximize the security of these assets.
−​ Frequently and automatically backup data from endpoints and servers to allow for
effective disaster recovery.
4.4 Hackers:
4.4.1 Various Vulnerabilities:
What is Vulnerability in Cyber Security?
Vulnerability in cyber security refers to any weakness in an information system, system
processes, or internal controls of an organization. These vulnerabilities are targets for
lurking cybercrimes and are open to exploitation through the points of vulnerability.
These hackers are able to gain illegal access to the systems and cause severe damage
to data privacy. Therefore, cyber security vulnerabilities are extremely important to monitor
for the overall security posture as gaps in a network can result in a full-scale breach of
systems in an organization.
Examples of Vulnerabilities
Below are some examples of vulnerability:
−​ A weakness in a firewall that can lead to malicious hackers getting into a computer
network
−​ Lack of security cameras
−​ Unlocked doors at businesses

Types of Vulnerabilities
Below are some of the most common types of cybersecurity vulnerabilities:
−​ System Misconfigurations
Network assets that have disparate security controls or vulnerable settings can
result in system misconfigurations. Cybercriminals commonly probe networks for
system misconfigurations and gaps that look exploitable. Due to the rapid digital

Sutex bank college of computer applications and science Page 13

 Unit 4 Concepts of Cyber Security

transformation, network misconfigurations are on the rise. Therefore, it is important

to work with experienced security experts during the implementation of new
technologies.
−​ Out-of-date or Unpatched Software
Similar to system misconfigurations, hackers tend to probe networks for unpatched
systems that are easy targets. These unpatched vulnerabilities can be exploited by
attackers to steal sensitive information. To minimize these kinds of risks, it is
essential to establish a patch management schedule so that all the latest system
patches are implemented as soon as they are released.
−​ Missing or Weak Authorization Credentials
A common tactic that attackers use is to gain access to systems and networks
through brute force like guessing employee credentials. That is why it is crucial that
employees be educated on the best practices of cybersecurity so that their login
credentials are not easily exploited.
−​ Malicious Insider Threats
Whether it’s with malicious intent or unintentionally, employees with access to
critical systems sometimes end up sharing information that helps cyber criminals
breach the network. Insider threats can be really difficult to trace as all actions will
appear legitimate. To help fight against these types of threats, one should invest in
network access control solutions, and segment the network according to employee
seniority and expertise.
−​ Missing or Poor Data Encryption
It’s easier for attackers to intercept communication between systems and breach a
network if it has poor or missing encryption. When there is poor or unencrypted
information, cyber adversaries can extract critical information and inject false
information onto a server. This can seriously undermine an organization’s efforts
toward cyber security compliance and lead to fines from regulatory bodies.
−​ Zero-day Vulnerabilities
Zero-day vulnerabilities are specific software vulnerabilities that the attackers have
caught wind of but have not yet been discovered by an organization or user.In these
cases, there are no available fixes or solutions since the vulnerability is not yet
detected or notified by the system vendor. These are especially dangerous as there
is no defense against such vulnerabilities until after the attack has happened. Hence,
it is important to remain cautious and continuously monitor systems for
vulnerabilities to minimize zero-day attacks.

Vulnerability Remediation
−​ To always be one step ahead of malicious attacks, security professionals need to
have a process in place for monitoring and managing the known vulnerabilities.
Once a time-consuming and tedious manual job, now it is possible to continuously
keep track of an organization’s software inventory with the help of automated tools,
and match them against the various security advisories, issue trackers, or databases.
−​ If the tracking results show that the services and products are relying on risky code,
the vulnerable component needs to be located and mitigated effectively and
efficiently.
−​ The following remediation steps may seem simple, but without them, organizations
may find themselves in a bit of difficulty when fighting against hackers.

Sutex bank college of computer applications and science Page 14

 Unit 4 Concepts of Cyber Security

−​ Step 1: Know Your Code – Knowing what you’re working with is crucial and the first
step of vulnerability remediation. Continuously monitoring software inventory to be
aware of which software components are being used and what needs immediate
attention will significantly prevent malicious attacks.
−​ Step 2: Prioritize Your Vulnerabilities – Organizations need to have prioritization
policies in place. The risk of the vulnerabilities needs to be evaluated first by going
through the system configuration, the likelihood of an occurrence, its impact, and the
security measures that are in place.
−​ Step 3: Fix – Once the security vulnerabilities that require immediate attention are
known, it is time to map out a timeline and work plan for the fix.

4.4.1.1 Injection attacks, Changes in security settings

Injection attack
This type of attack allows an attacker to inject code into a program or query or inject
malware onto a computer in order to execute remote commands that can read or modify a
database, or change data on a web site.

Types of Injection Attacks

Injection attack Description Potential impact

Code The attacker injects application code written in the Full system compromise
injection application language. This code may be used to execute
operating system commands with the privileges of the user
who is running the web application. In advanced cases, the
attacker may use additional privilege escalation
vulnerabilities, which may lead to full web server
compromise.
CRLF injection The attacker injects an unexpected CRLF (Carriage Return Cross-site Scripting (XSS)
and Line Feed) character sequence. This sequence is used to
split an HTTP response header and write arbitrary contents
to the response body. This attack may be combined with
Cross-site Scripting (XSS).
Cross-site The attacker injects an arbitrary script (usually in JavaScript) Account impersonation Defacement
Scripting (XSS) into a legitimate website or web application. This script is Run arbitrary JavaScript in the victim’s
then executed inside the victim’s browser. browser
Email Header This attack is very similar to CRLF injections. The attacker Spam relay Information disclosure
Injection sends IMAP/SMTP commands to a mail server that is not
directly available via a web application.
Host Header The attacker abuses the implicit trust of the HTTP Host Password-reset poisoning Cache
Injection header to poison password-reset functionality and web poisoning
caches.
SQL Injection The attacker injects SQL statements that can read or modify Authentication bypass Information
(SQLi) database data. In the case of advanced SQL Injection disclosure Data loss Sensitive data
attacks, the attacker can use SQL commands to write theft Loss of data integrity Denial of
arbitrary files to the server and even execute OS commands. service Full system compromise
This may lead to full system compromise.
OS Command The attacker injects operating system commands with the Full system compromise
Injection privileges of the user who is running the web application. In
advanced cases, the attacker may exploit additional privilege
escalation vulnerabilities, which may lead to full system
compromise.

Sutex bank college of computer applications and science Page 15

 Unit 4 Concepts of Cyber Security

Changes in security settings:

−​ Security misconfiguration is the lack of proper security in server or web apps,
opening up your business to cyber threats.
−​ This kind of misconfiguration runs rampant, commonly occurring when levels of the
application stack are upgraded while others are left untouched, as the default
settings may have included insecurities that go unaddressed.
−​ Running an application with debug enabled in production
−​ Having directory listing (which leaks valuable information) enabled on the server
−​ Running outdated software (think Word Press plugging, old PhpMyAdmin)
−​ Running unnecessary services
−​ Not changing default keys and passwords (which happens more frequently than
you’d believe)
−​ Revealing error handling information (e.g., stack traces) to potential attackers
4.4.1.2 Exposure of Sensitive Data
−​ Sensitive data is anything that should not be accessible to unauthorized access,
known as sensitive data. Sensitive data may include personally identifiable
information (PII), such as Social Security numbers, financial information, or login
credentials.
−​ Sensitive Data Exposure occurs when an organization unknowingly exposes sensitive
data or when a security incident leads to the accidental or unlawful destruction, loss,
alteration, or unauthorized disclosure of, or access to sensitive data.
−​ Such Data exposure may occur as a result of inadequate protection of a database,
misconfigurations when bringing up new instances of data stores, inappropriate
usage of data systems, and more.
Sensitive Data Exposure can of the following three types:
Confidentiality Breach: where there is unauthorized or accidental disclosure of, or
access to, sensitive data.
Integrity Breach: where there is an unauthorized or accidental alteration of sensitive
data.
Availability Breach: where there is an unauthorized or accidental loss of access to,
or ​ destruction of, sensitive data. This will include both the permanent and temporary
loss of sensitive data.
How Sensitive Data is Exposed
−​ Most cyberattacks initially target vulnerabilities that expose sensitive data to gain a
further foothold of the application stack. Several threats expose this information,
whether it is on the move or at rest.
Sensitive Data at Rest
A web application typically stores data in servers, files, databases, archives,
networks, and other applications. The security of this data depends on the controls
put in place to protect these components. Numerous attacks target unaddressed
vulnerabilities in these components to access sensitive data. For instance, hackers
can use Trojan Horses or Malicious Payloads to access system data via unauthorized
downloads without a robust detection mechanism.
Sensitive Data in Transit
While data is moving between different services and applications, it remains
vulnerable to attack vectors. Man-in-the-Middle (MITM) attack are typically geared
toward intercepting data moving between servers, channels, and APIs. It is important

Sutex bank college of computer applications and science Page 16

 Unit 4 Concepts of Cyber Security

to secure channels that transmit data within the organization’s network, as these
attackers could impersonate parties to access more sensitive data.
4.4.1.3 Breach(crack) in authentication protocol
−​ A security breach is any incident that results in unauthorized access to computer
data, applications, networks or devices. It results in information being accessed
without authorization. Typically, it occurs when an intruder is able to bypass security
mechanisms.
Types of security breaches
−​ There are a number of types of security breaches depending on how access has been
gained to the system:
−​ An exploit attacks system vulnerability, such as an out of date operating system.
Legacy systems which haven't been updated, for instance, in businesses where
outdated and versions of Microsoft Windows that are no longer supported are being
used, are particularly vulnerable to exploits.
−​ Weak passwords can be cracked or guessed. Even now, some people are still using
the password 'password', and 'pa$$word' is not much more secure.
−​ Malware attacks, such as phishing emails can be used to gain entry. It only takes one
employee to click on a link in a phishing email to allow malicious software to start
spreading throughout the network.
−​ Drive-by downloads use viruses or malware delivered through a compromised or
spoofed website.
−​ Social engineering can also be used to gain access. For instance, an intruder phones
an employee claiming to be from the company's IT helpdesk and asks for the
password in order to 'fix' the computer.
−​ An authentication protocol is a type of computer communications protocol or
cryptographic protocol specifically designed for transfer of authentication data
between two entities.
−​ It allows the receiving entity to authenticate the connecting entity (e.g. Client
connecting to a Server) as well as authenticate itself to the connecting entity (Server
to a client) by declaring the type of information needed for authentication as well as
syntax. It is the most important layer of protection needed for secure communication
within computer networks.

Authentication protocols developed for PPP Point-to-Point Protocol

PAP - Password Authentication Protocol

−​ Password Authentication Protocol is one of the oldest authentication protocols.

Authentication is initialized by the client sending a packet with credentials (username
and password) at the beginning of the connection, with the client repeating the
authentication request until acknowledgement is received.

Sutex bank college of computer applications and science Page 17

 Unit 4 Concepts of Cyber Security

−​
−​ It is highly insecure because credentials are sent "in the clear" and repeatedly,
making it vulnerable even to the most simple attacks like eavesdropping and
man-in-the-middle based attacks.
−​ It uses a two way handshake to perform authentication. For example login.
CHAP - Challenge-handshake authentication protocol
−​ It is an encrypted authentication scheme. It is developed by IETF. It performs periodic
checkups to check if the router is communicating with the same host.
−​ It uses a three way handshake to perform authentication.
−​ Server sends a random string (usually 128B long). The client uses password and the
string received as parameters for MD5 hash function and then sends the result
together with username in plain text.
−​ Server uses the username to apply the same function and compares the calculated
and received hash. An authentication is successful or unsuccessful.
EAP - Extensible Authentication Protocol

−​ EAP was originally developed for PPP(Point-to-Point Protocol) but today is widely
used in IEEE 802.3, IEEE 802.11(WiFi) or IEEE 802.16 as a part of IEEE
802.1x authentication framework.

−​ The latest version is standardized in RFC (Request for Comments) 5247. The
advantage of EAP is that it is only a general authentication framework for
client-server authentication - the specific way of authentication is defined in its
many versions called EAP-methods.

4.4.2 Types of Hackers: White hat and Black hat

−​ A Hacker is a person who is intensely interested in the mysterious workings of any
computer operating system. Hackers are most often programmers. They gather
advanced knowledge of operating systems and programming languages and discover
loopholes within systems and the reasons for such loopholes.
−​ Hackers can be classified into three different categories:
−​ Black Hat Hacker
−​ Black-hat Hackers are also known as an Unethical Hacker or a Security
Cracker. These people hack the system illegally to steal money or to achieve
their own illegal goals. They find banks or other companies with weak
security and steal money or credit card information. They can also modify or
destroy the data as well. Black hat hacking is illegal.

Sutex bank college of computer applications and science Page 18

 Unit 4 Concepts of Cyber Security

White Hat Hacker

−​ White hat Hackers are also known as Ethical Hackers or a Penetration Tester.
White hat hackers are the good guys of the hacker world.
−​ These people use the same technique used by the black hat hackers. They
also hack the system, but they can only hack the system that they have
permission to hack in order to test the security of the system. They focus on
security and protecting the IT system. White hat hacking is legal.

Gray Hat Hacker

−​ Gray hats Hackers are Hybrid between Black hat Hackers and White hat hackers.
They can hack any system even if they don't have permission to test the security
of the system but they will never steal money or damage the system.
−​ In most cases, they tell the administrator of that system. But they are also illegal
because they test the security of the system that they do not have permission to
test. Grey hat hacking is sometimes acted legally and sometimes not.

Sutex bank college of computer applications and science Page 19