Unit-4

4.1 Concepts of Cyber Security:


• Cybersecurity is the protection of internet-connected systems such as
hardware, software and data from cyberthreats.
• The practice is used by individuals and enterprises to protect against
unauthorized access to data centres and other computerized systems.
• A strong cybersecurity strategy can provide a good security posture
against malicious attacks designed to access, alter, delete, destroy or
extort an organization's or user's systems and sensitive data.
• Cybersecurity is also instrumental in preventing attacks that aim to
disable or disrupt a system's or device's operations.

Why is cybersecurity important?


With an increasing number of users, devices and programs in the modern
enterprise, combined with the increased deluge of data -- much of which is
sensitive or confidential -- the importance of cybersecurity continues to grow.
The growing volume and sophistication of cyber attackers and attack techniques
compound the problem even further.

4.1.1 Types of Threats


• A cyber security threat is any potential malicious act that targets computer
networks, systems, or user data.
• These threats take the form of malware, phishing, denial of service and
other malicious activity; the most common kinds are described below.

1. Malware
Malware is malicious software such as spyware, ransomware, viruses and
worms. It is most often delivered when a user opens a malicious link or
attachment, which installs the harmful software, though it also spreads through
exploited vulnerabilities, removable media and compromised software updates.
Cisco reports that malware, once activated, can:

• Block access to key network components (ransomware)
• Install additional harmful software
• Covertly obtain information by transmitting data from the hard drive (spyware)
• Disrupt individual parts, making the system inoperable

2. Emotet
• The Cybersecurity and Infrastructure Security Agency (CISA) describes
Emotet as “an advanced, modular banking Trojan that primarily functions
as a downloader or dropper of other banking Trojans. Emotet continues to be
among the most costly and destructive malware.”
• Emotet's infrastructure was taken down in an international law-enforcement
action in January 2021, but the botnet resurfaced later that year, which is
why it still appears in current threat lists.

3. Denial of Service
• A denial of service (DoS) is a type of cyber attack that floods a computer
or network with traffic or requests so it can’t respond to legitimate ones.
• A distributed DoS (DDoS) does the same thing, but the traffic originates
from many compromised machines at once, which makes it far larger in volume
and much harder to filter by source.
• Cyber attackers often use a flood attack to disrupt the TCP “handshake”
process (a SYN flood) and carry out a DoS. Several other techniques may be
used, and some cyber attackers use the time that a network is disabled to
launch other attacks.
• A botnet is a network of malware-infected systems, potentially millions of
them, controlled by an attacker, according to Jeff Melnick of Netwrix, an
information technology security software company; it is the usual source of
DDoS traffic. The infected machines, sometimes called zombies, are spread
across different geographic locations, which makes the attack hard to trace
back to its operator.

4. Man in the Middle
• A man-in-the-middle (MITM) attack occurs when hackers insert
themselves into a two-party transaction. After interrupting the traffic,
they can filter and steal data, according to Cisco.
• MITM attacks often occur when a visitor uses an unsecured public Wi-Fi
network. Attackers insert themselves between the visitor and the
network, read or alter the traffic passing through, and may use that
position to deliver malware to the victim's device.

5. Phishing
• Phishing attacks use fake communication, such as an email, to trick the
receiver into opening it and carrying out the instructions inside, such as
providing a credit card number.
• “The goal is to steal sensitive data like credit card and login information
or to install malware on the victim’s machine,” Cisco reports.

6. SQL Injection
• A Structured Query Language (SQL) injection is a type of cyber attack in
which untrusted input is placed into a database query without being kept
separate from the query's own code, so the database executes the attacker's
SQL.
• The server then returns data it should not, or lets the attacker modify or
delete it. Submitting the malicious input can be as simple as typing it into a
vulnerable website search box or login form.

7. Password Attacks
• With the right password, a cyber attacker has access to a wealth of
information.
• Social engineering is a type of password attack that Data Insider defines
as “a strategy cyber attackers use that relies heavily on human interaction
and often involves tricking people into breaking standard security
practices.” Other types of password attacks include stealing a password
database and cracking the hashes offline, replaying credentials leaked from
another site (credential stuffing), or outright guessing (brute force).

8. Backdoor attacks
• A backdoor attack is a type of cyber attack where the attacker gains access
to a system or network by bypassing its normal security mechanisms through a
hidden entry point, one left by a developer, planted by malware or created
during an earlier compromise.
• Once the attacker has gained access, they can then install malicious
software or perform other malicious actions.

4.1.2 Advantages of Cyber Security

• Cyber security defends us from damaging cyber-attacks.
• It lets us browse websites more safely.
• It defends us against intrusions and viruses.
• The security software on our PC needs to be updated regularly, at least
weekly and ideally automatically, so that it recognizes new threats.
• Internet security tools such as firewalls inspect the incoming and outgoing
traffic on our computer.
• It helps to reduce the freezes and crashes that malware causes.
• It protects our privacy.

4.2 Basic Terminologies:


IP Address
• An IP address is the identifier that enables your device to send or receive
data packets across the internet.
• It tells routers where to deliver traffic and can be used to estimate a
device's approximate location, which is what makes two-way communication
between devices possible.
• An IPv4 address is represented by four numbers (octets) separated by
periods (.), each ranging from 0 to 255; an example address is
255.255.255.255. IPv6 addresses are 128 bits long and are written as eight
groups of hexadecimal digits separated by colons, e.g. 2001:db8::1.

MAC Address
• A MAC address (media access control address) is a 48-bit identifier, written
as 12 hexadecimal digits in six octets (e.g. 00:1A:2B:3C:4D:5E), assigned to
each network interface.
• Primarily specified as a unique identifier during device manufacturing, the
MAC address is burned into a device's network interface card (NIC); the first
three octets identify the manufacturer (the OUI).
• A MAC address is used to deliver frames on the local network segment and is
useful when trying to locate a device or when performing diagnostics on a
network. It is not visible beyond the local segment, and most operating
systems let it be changed in software, so it must not be relied on as an
authentication factor.
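The two address formats above can be checked mechanically. The following Python is an added example (not from these notes): it validates and classifies IPv4/IPv6 and MAC addresses with the standard library, and pulls out the OUI and the multicast / locally-administered flag bits of a MAC. The sample addresses are constructed.

```python
"""Parse and classify IP and MAC addresses. Added example, not from the notes.
Sample addresses used with these functions are constructed for illustration."""
import ipaddress
import re

# Six hex octets separated consistently by ':' or '-' (e.g. 00:1A:2B:3C:4D:5E)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def classify_ip(text):
    """Return a dict describing an IPv4/IPv6 address, or None if it is not one.
    ipaddress.ip_address() enforces the 0-255 range per octet for IPv4."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    return {
        "address": str(addr),
        "version": addr.version,
        "bits": addr.max_prefixlen,       # 32 for IPv4, 128 for IPv6
        "private": addr.is_private,       # RFC 1918 / ULA etc., not globally routable
        "loopback": addr.is_loopback,
        "multicast": addr.is_multicast,
    }


def classify_mac(text):
    """Return a dict describing a MAC address, or None if malformed.
    The first three octets are the OUI; in the first octet bit 0 marks a
    multicast address and bit 1 a locally administered (software-set) one."""
    text = text.strip()
    if not MAC_RE.match(text):
        return None
    octets = [int(x, 16) for x in re.split(r"[:-]", text)]
    return {
        "canonical": ":".join(f"{o:02x}" for o in octets),
        "oui": ":".join(f"{o:02x}" for o in octets[:3]),
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
    }
```

A locally administered MAC (second-lowest bit of the first octet set) is a hint that the address was assigned in software rather than by the manufacturer, which is worth flagging when reviewing NAC or DHCP logs.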

Domain Name System (DNS)
The Domain Name System (DNS) translates human-readable domain names such as
www.example.com into the IP addresses that devices actually connect to.
DHCP
Dynamic Host Configuration Protocol (DHCP) is an application layer protocol
which automatically assigns an IP address to a host joining a network and is
used to provide:

1. Subnet Mask (Option 1 – e.g., 255.255.255.0)
2. Router Address (Option 3 – e.g., 192.168.1.1)
3. DNS Address (Option 6 – e.g., 8.8.8.8)
4. Vendor-Specific Information (Option 43 – e.g., a UniFi controller address
such as 192.168.1.9, sent to clients whose Vendor Class Identifier (Option 60)
is ‘unifi’)

DHCP has no built-in authentication: a rogue DHCP server on the same segment
can hand out its own router and DNS addresses and so redirect a victim's
traffic, which is one way man-in-the-middle attacks on local networks begin.

Router
• The router is a physical or virtual internetworking device that is designed
to receive, analyze, and forward data packets between computer
networks.
• A router examines a destination IP address of a given data packet, and it
uses the headers and forwarding tables to decide the best way to
transfer the packets.

Bots
A bot (short for robot) is a software application programmed to run tasks
automatically. Bots work by going through a set of instructions, and they carry
out tasks and processes much faster, more accurately, and at a higher volume
than humans could. In security the term usually refers to malicious bots:
compromised machines controlled remotely as part of a botnet, or automated
programs that scrape sites, guess passwords or send spam.

4.3 Common Types of Attacks:


4.3.1 Distributed Denial of Service
• A DoS (Denial of Service) attack aims at preventing, for legitimate users,
authorized access to a system resource. The attacker uses specialized
software to send a flood of data packets to the target computer with the
aim of overloading its resources.
• DDoS (distributed Denial of Service) attacks
A denial-of-service attack in which the attacker gains illegal administrative
access to as many computers on the Internet as possible and uses the multiple
computers to send a flood of data packets to the target computer.

Classification of DoS attacks

1. Bandwidth consumption:
Attacks that consume all available network bandwidth.
2. Resource starvation:
Attacks that consume system resources (mainly CPU, memory, storage space).
3. Programming flaws:
Failures of applications or OS components to handle exceptional conditions (i.e.
unexpected data is sent to a vulnerable component).
4. Routing and DNS attacks:
✓ manipulate routing tables.
✓ changing routing tables to route traffic to the attacker’s network or to a
black hole.
✓ attacks on DNS servers, again to route traffic to the attacker or to a black
hole.
Examples
Smurf
1. The attacker sends sustained ICMP Echo Request packets (ping, normally used
to check a host's availability) to the broadcast address of an amplifying
network, with the source address forged to be the victim's.
2. Since the traffic was sent to the broadcast address, all hosts in the
amplifying LAN answer, and their replies go to the victim’s IP address.
Ping of death
A normal ping exchange looks like this:
❑ C:\>ping 64.233.183.103
✓ Pinging 64.233.183.103 with 32 bytes of data:
✓ Reply from 64.233.183.103: bytes=32 time=25ms TTL=245
✓ Reply from 64.233.183.103: bytes=32 time=22ms TTL=245
✓ Reply from 64.233.183.103: bytes=32 time=25ms TTL=246
✓ Reply from 64.233.183.103: bytes=32 time=22ms TTL=246
✓ Ping statistics for 64.233.183.103: Packets: Sent = 4, Received
= 4, Lost = 0 (0% loss),
A ping of death instead sends a fragmented ICMP packet whose reassembled size
exceeds the 65,535-byte IP maximum; older IP stacks overflowed a buffer while
reassembling it and crashed (a programming-flaw DoS rather than a flood).
Syn flood
TCP three-way handshake:
✓ The client requests a connection by sending a SYN
(synchronize) message to the server.
✓ The server acknowledges this request by sending SYN-ACK
back to the client, which
✓ responds with an ACK, and the connection is established.
How it works:
✓ 1. The attacker sends SYN packets to the victim, forging non-existent
source IP addresses.
✓ 2. The victim replies with SYN/ACK but receives neither an ACK nor a RST
from the non-existent address.
✓ 3. The victim keeps the potential connection in a queue in the SYN_RECV
state, but the queue is small and takes some time to time out and flush,
e.g. 75 seconds.
✓ 4. If a few SYN packets are sent by the attacker every 10 seconds, the
victim never clears the queue and stops responding to new connections.
(Modern stacks mitigate this with SYN cookies, which avoid storing state
until the client's ACK arrives.)
▪ LAND:
• The attack involves sending a spoofed TCP SYN packet (connection
initiation) with the target host's IP address as both source and destination,
and the same port as both source and destination, so a vulnerable host
keeps replying to itself.
• A related loop attack pairs the UDP echo (port 7) and chargen (port 19)
services of two hosts so that they flood each other indefinitely.
A spoofed DoS attack is a process in which one host (usually a server or
router) sends a flood of network traffic to another host using forged source
addresses, so the traffic cannot be traced back or blocked by source.
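The SYN flood arithmetic in steps 3 and 4 above, and a simple host-side check for it, as an added Python example (not from these notes). backlog_exhausted applies the rule that the steady-state number of half-open entries equals arrival rate times timeout; half_open_by_port counts SYN-RECV entries in ss -tan style output, since spoofed sources never complete the handshake and a pile-up on one port is the classic signature. The backlog size, timeout and connection-table lines are constructed for the demo.

```python
"""Model SYN-backlog exhaustion and flag half-open connection build-up in
connection-table output. Added example, not from the notes; the ss-style
lines below are constructed."""
from collections import Counter


def backlog_exhausted(backlog_size, timeout_s, syn_per_second):
    """Each spoofed SYN holds a SYN_RECV slot for timeout_s seconds, so the
    steady-state number of half-open entries is rate * timeout (Little's law).
    The queue is exhausted once that reaches the backlog size."""
    return syn_per_second * timeout_s >= backlog_size


# Constructed output in the format of `ss -tan` (header line first).
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV  0      0      10.0.0.5:80         203.0.113.10:40001
SYN-RECV  0      0      10.0.0.5:80         203.0.113.11:40002
SYN-RECV  0      0      10.0.0.5:80         203.0.113.12:40003
SYN-RECV  0      0      10.0.0.5:80         203.0.113.13:40004
SYN-RECV  0      0      10.0.0.5:80         203.0.113.14:40005
SYN-RECV  0      0      10.0.0.5:80         203.0.113.15:40006
ESTAB     0      0      10.0.0.5:80         198.51.100.7:51234
ESTAB     0      0      10.0.0.5:22         198.51.100.8:51235
"""


def half_open_by_port(ss_output):
    """Count SYN-RECV entries per local port. Counting per peer would be
    useless here: every spoofed SYN carries a different forged source."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:          # skip the header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        local_port = fields[3].rsplit(":", 1)[1]
        counts[local_port] += 1
    return counts


def syn_flood_suspected(ss_output, backlog_size, ratio=0.5):
    """Return the ports whose half-open entries fill ratio*backlog or more."""
    counts = half_open_by_port(ss_output)
    return {port: n for port, n in counts.items() if n >= ratio * backlog_size}


if __name__ == "__main__":
    # 3 SYNs every 10 s against a legacy backlog of 8 with a 75 s timeout:
    # 0.3/s * 75 s = 22.5 half-open entries, far more than 8 slots.
    print(backlog_exhausted(8, 75, 3 / 10))
    print(syn_flood_suspected(SAMPLE_SS, backlog_size=8))
```

On Linux the usual countermeasure is SYN cookies (net.ipv4.tcp_syncookies = 1), which let the server answer SYN/ACK without storing state until the ACK returns, together with a larger backlog (net.ipv4.tcp_max_syn_backlog) and a shorter SYN/ACK retry count.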

4.3.2 Man in the Middle
• A man-in-the-middle (MiTM) attack is a type of cyber attack in which the
attacker secretly intercepts and relays messages between two parties
who believe they are communicating directly with each other.
Key Concepts of a Man-in-the-Middle Attack

Man-in-the-middle attacks:
• Are closely related to session hijacking (taking over an authenticated
session) and are a common way of achieving it
• Involve attackers inserting themselves as relays or proxies in an ongoing,
legitimate conversation or data transfer
• Exploit the real-time nature of conversations and data transfers to go
undetected
• Allow attackers to intercept confidential data
• Allow attackers to insert malicious data and links in a way
indistinguishable from legitimate data

• You can think of this type of attack as similar to the game of telephone,
where one person's words are carried along from participant to
participant and have changed by the time they reach the final person. In
a man-in-the-middle attack, the middle participant manipulates the
conversation unknown to either of the two legitimate participants, acting
to retrieve confidential information and otherwise cause damage.

Scenario 1: Intercepting Data

1. The attacker installs a packet sniffer to analyze network traffic for
insecure communications.
2. When a user logs in to a site, the attacker retrieves their user information
and redirects them to a fake site that mimics the real one.
3. The attacker's fake site gathers data from the user, which the attacker can
then use on the real site to access the target's information.

In this scenario, an attacker intercepts a data transfer between a client and
server. By tricking the client into believing it is still communicating with the
server and the server into believing it is still receiving information from the
client, the attacker is able to intercept data from both as well as inject their own
false information into any future transfers.

Scenario 2: Gaining Access to Funds

1. The attacker sets up a fake chat service that mimics that of a well-known
bank.
2. Using knowledge gained from the data intercepted in the first scenario,
the attacker pretends to be the bank and starts a chat with the target.
3. The attacker then starts a chat on the real bank site, pretending to be the
target and passing along the needed information to gain access to the
target's account.
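The relay described in both scenarios is easiest to see at the key-exchange level. Below is an added Python example (not from these notes) of a Diffie-Hellman exchange: first without authentication, where Mallory ends up holding a separate key with each side and can read and rewrite everything she relays, then with each public value authenticated, where her substitution is detected. The small prime, the generator and the pre-shared key used for the HMAC are demo assumptions; real protocols such as TLS authenticate the exchange with certificates, which is the role the pre-shared key plays here.

```python
"""Man in the middle against an unauthenticated Diffie-Hellman exchange, and
the authenticated version that detects it. Added example, not from the notes.
Group parameters and the pre-shared key are demo assumptions."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime: keeps the demo small; far too small for real use
G = 5


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2        # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def dh_session_key(priv, peer_pub):
    """Derive a 256-bit session key from the shared DH secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def unauthenticated_exchange():
    """Mallory intercepts both public values and substitutes her own. Alice and
    Bob each share a key with Mallory, not with each other, so she can decrypt,
    alter and re-encrypt every message while relaying it."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    # Alice -> [Mallory] -> Bob: each side receives m_pub instead of the other's value
    k_alice = dh_session_key(a_priv, m_pub)          # Alice believes this is shared with Bob
    k_bob = dh_session_key(b_priv, m_pub)            # Bob believes this is shared with Alice
    k_mallory_alice = dh_session_key(m_priv, a_pub)
    k_mallory_bob = dh_session_key(m_priv, b_pub)
    return {
        "mallory_reads_alice": k_alice == k_mallory_alice,
        "mallory_reads_bob": k_bob == k_mallory_bob,
        "alice_bob_share_key": k_alice == k_bob,
    }


def tag(psk, pub):
    """Authenticate a public value. The pre-shared key stands in for the
    certificate signature a real protocol would use; either way Mallory,
    who lacks the key, cannot produce a valid tag for her own value."""
    return hmac.new(psk, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(psk, tampered):
    """Bob verifies the tag on the public value he receives. When Mallory swaps
    in her value the tag no longer matches and Bob aborts the handshake."""
    a_priv, a_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    sent_pub, sent_tag = a_pub, tag(psk, a_pub)
    received_pub = m_pub if tampered else sent_pub
    return hmac.compare_digest(tag(psk, received_pub), sent_tag)
```

The public Wi-Fi case from 4.1.1 is exactly the unauthenticated branch: whoever controls the access point can relay. HTTPS with a validated certificate is the authenticated branch, which is why certificate warnings should never be clicked through.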

Email Attack
1) Phishing:
Phishing is a form of fraud. Cyber criminals use email, instant
messaging, or other social media to try to gather information such
as login credentials by masquerading as a reputable person or organization.
Phishing occurs when a malicious party sends a fraudulent email
disguised as being from an authorized, trusted source. The message's
intent is to trick the recipient into installing malware on his or her
device or into sharing personal or financial information.
Spear phishing is a highly targeted phishing attack. While phishing
and spear-phishing both use emails to reach the victims, spear-phishing
sends customized emails to a specific person. The criminal
researches the target’s interests before sending the email.
2) Vishing:
Vishing is phishing using voice communication technology.
Criminals can spoof the caller ID of authorized sources using voice-over-IP
technology. Victims may also receive a recorded message that
appears authorized. Criminals want to obtain credit card numbers
or other information to steal the victim’s identity. Vishing takes
advantage of the fact that people trust the telephone network.
3) Smishing:
Smishing is phishing using text messaging on mobile phones.
Criminals impersonate a legitimate source in an attempt to gain the
trust of the victim. For example, a smishing attack might send the
victim a website link. When the victim visits the website, malware is
installed on the mobile phone or the victim is asked for credentials.
4) Whaling:
Whaling is a phishing attack that targets high-profile targets within
an organization such as senior executives. Additional targets include
politicians or celebrities.
5) Pharming:
Pharming is the impersonation of an authorized website in an effort
to deceive users into entering their credentials. Pharming misdirects
users to a fake website that appears to be official, typically by poisoning
DNS or the victim's hosts file, so that even a correctly typed address leads
to the fake site. Victims then enter their personal information thinking that
they are connected to a legitimate site.
6) Spyware:
Spyware is software that enables a criminal to obtain information
about a user’s computer activities. Spyware often includes activity
trackers, keystroke collection, and data capture. In an attempt to
overcome security measures, spyware often modifies security
settings. Spyware often bundles itself with legitimate software or
with Trojan horses, and free-download (shareware) sites are a common
distribution channel.
7) Adware:
Adware typically displays annoying pop-ups to generate revenue
for its authors. The malware may analyze user interests by tracking
the websites visited. It can then send pop-up advertising relevant to
those sites. Some software installers bundle adware automatically.
8) Spam:
Spam (also known as junk mail) is unsolicited email. In most cases,
spam is a method of advertising. However, spam can carry harmful
links, malware, or deceptive content whose goal is to obtain
sensitive information such as a social security number or bank
account information. Most spam comes from botnets: multiple computers
on networks infected by a virus or worm. These compromised
computers send out as much bulk email as possible.
4.3.3 Password Attack, Malware
4.4 Hackers:
A Hacker is a person who finds and exploits the weakness in computer systems
and/or networks to gain access. Hackers are usually skilled computer
programmers with knowledge of computer security.

4.4.1 Various Vulnerabilities:

• A vulnerability in cyber security refers to any weakness in an information
system, system processes, or internal controls of an organization that an
attacker could exploit to violate the system's security.
• Attackers who exploit these weaknesses gain illegal access to systems and
cause severe damage to data privacy. Cybersecurity vulnerabilities are
therefore extremely important to monitor for the overall security posture,
as a single gap in a network can result in a full-scale breach of systems in
an organization.

Below are some examples of vulnerabilities:

• Missing data encryption
• Lack of security cameras
• Unlocked doors at businesses
• Unrestricted upload of dangerous files
• Code downloads without integrity checks
• Using broken algorithms
• URL redirection to untrustworthy websites
• Weak and unchanged passwords
• Website without TLS (HTTPS)
Types of Cyber Security Vulnerabilities

System Misconfigurations

• Network assets with incompatible or insecure security settings (default
credentials, open management ports, overly permissive rules) create
weaknesses in the system.
• Cybercriminals frequently scan networks for these errors and vulnerable
spots that they can exploit. Misconfigurations are increasing as a result of
rapid digital transformation, which adds new systems faster than their
settings can be reviewed.

Out-of-date or Unpatched Software

• Hackers frequently probe networks for vulnerable, unpatched systems, which
are prime targets, just as system configuration errors are.
• Attackers may use these unpatched vulnerabilities to steal confidential
data, which is a huge threat to any organization.
• Establishing a patch management strategy that ensures all the most
recent system updates are applied as soon as they are issued is crucial for
reducing these types of threats.

Missing or Weak Authentication Credentials

• Attackers frequently utilize brute force methods, such as guessing
employee passwords, to gain access to systems and networks. Organizations
must therefore train employees on cybersecurity best practices to prevent
the easy exploitation of their login credentials, enforce multi-factor
authentication and rate-limit login attempts. Endpoint security software is
a valuable addition on all laptop and desktop devices.

Malicious Insider Threats

• Employees with access to vital systems may occasionally share data that
enables hackers to infiltrate the network, knowingly or unknowingly.
Because all acts seem genuine, insider threats can be challenging to
identify. Consider deploying network access control tools and
segmenting your network so that each employee can reach only the systems
their role requires (least privilege) to counter these risks.

Missing or Poor Data Encryption

• If a network has weak or nonexistent encryption, it will be simpler for
attackers to intercept system communications and compromise them.
• Cyber adversaries can harvest crucial information and introduce
misleading information onto a server when there is weak or unencrypted
data. This may result in regulatory body fines and adversely jeopardize an
organization’s efforts to comply with cyber security regulations.

Zero-day Vulnerabilities

• Zero-day vulnerabilities are specific software flaws that attackers are
aware of but that the vendor and its users have not yet identified.
• Since the vulnerability has not yet been identified or reported to the
system manufacturer, no patch exists in these situations. They are
particularly risky because signature-based defences cannot recognize the
attack before it occurs. Defence in depth (least privilege, network
segmentation, behaviour-based monitoring and prompt patching once a fix
ships) limits what an exploit can do, and regularly checking systems for
vulnerabilities reduces the risk of zero-day attacks.

4.4.1.1 Injection attacks, Changes in security settings
• Injection attacks refer to a broad class of attack vectors. In an injection
attack, an attacker supplies untrusted input to a program.
• This input gets processed by an interpreter as part of a command or
query. In turn, this alters the execution of that program.
• Injections are amongst the oldest and most dangerous attacks aimed at
web applications.
• They can lead to data theft, data loss, loss of data integrity, denial of
service, as well as full system compromise. The primary reason for
injection vulnerabilities is usually insufficient user input validation and,
more fundamentally, mixing untrusted data into the same channel as code
instead of keeping the two separate (for example with parameterised
queries).

Code injection
• The attacker injects application code written in the application language.
This code may be used to execute operating system commands with the
privileges of the user who is running the web application. In advanced
cases, the attacker may exploit additional privilege escalation
vulnerabilities, which may lead to full web server compromise.
• Impact: Full system compromise
CRLF injection
• The attacker injects an unexpected CRLF (Carriage Return and Line Feed)
character sequence. This sequence is used to split an HTTP response
header and write arbitrary contents to the response body. This attack may
be combined with Cross-site Scripting (XSS).
• Impact: Cross-site Scripting (XSS)
Cross-site Scripting (XSS)
• The attacker injects an arbitrary script (usually in JavaScript) into a
legitimate website or web application. This script is then executed inside
the victim’s browser.
• Impact: Account impersonation, defacement, running arbitrary JavaScript in
the victim’s browser

Email Header Injection
• This attack is very similar to CRLF injection. The attacker injects extra
headers or IMAP/SMTP commands through web form fields (for example a
contact form) that are copied into a message, reaching a mail server that is
not directly accessible via the web application.
• Impact: Spam relay, information disclosure
Host Header Injection
• The attacker abuses the implicit trust of the HTTP Host header to poison
password-reset functionality and web caches.
• Impact: Password-reset poisoning, cache poisoning
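CRLF injection and Host header injection side by side, as an added Python example (not from these notes): an unsafe header writer next to one that rejects CR/LF, and a password-reset link built from the request's Host header next to one built from configuration. The canonical host name, header values and token are constructed.

```python
"""CRLF (response splitting) and Host-header injection: the unsafe pattern
beside its hardened form. Added example, not from the notes. The host names,
header values and token are constructed for the demo."""
from urllib.parse import quote

CANONICAL_HOST = "accounts.example.com"   # assumed deployment setting


def set_header_unsafe(headers, name, value):
    """Writes the value straight into the header block. A value containing
    CRLF terminates the header, so the attacker can append headers of their
    own (Set-Cookie, Location) or even a second response body."""
    headers.append(f"{name}: {value}")
    return headers


def set_header_safe(headers, name, value):
    """Reject any CR or LF in header values (RFC 7230 forbids them).
    Percent-encoding is an alternative, but rejecting is the safer default."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header value")
    headers.append(f"{name}: {value}")
    return headers


def render(headers):
    """Serialise a header block the way it would go on the wire."""
    return "\r\n".join(headers) + "\r\n\r\n"


def reset_link_unsafe(request_headers, token):
    """Trusts the client-supplied Host header. An attacker who requests a
    reset for the victim's e-mail address with Host set to a domain they
    control gets the victim's token mailed out inside a link to that domain."""
    return f"https://{request_headers['Host']}/reset?token={quote(token)}"


def reset_link_safe(token):
    """Build the link from configuration, never from the request."""
    return f"https://{CANONICAL_HOST}/reset?token={quote(token)}"
```

The same rule covers cache poisoning: any value derived from the Host header (or X-Forwarded-Host) must be compared against an allow-list before it is used to build URLs that end up in a shared cache.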

LDAP Injection
• The attacker injects LDAP (Lightweight Directory Access Protocol)
statements to execute arbitrary LDAP commands. They can gain
permissions and modify the contents of the LDAP tree.
• Impact: Authentication bypass, Privilege escalation, Information
disclosure
OS Command Injection
• The attacker injects operating system commands with the privileges of
the user who is running the web application. In advanced cases, the
attacker may exploit additional privilege escalation vulnerabilities, which
may lead to full system compromise.
• Impact: Full system compromise
SQL Injection (SQLi)
• The attacker injects SQL statements that can read or modify database
data. In the case of advanced SQL Injection attacks, the attacker can use
SQL commands to write arbitrary files to the server and even execute OS
commands. This may lead to full system compromise.
• Impact: Authentication bypass, information disclosure, data loss, sensitive
data theft, loss of data integrity, denial of service, full system compromise
XPath injection
• The attacker injects data into an application to execute crafted XPath
queries. They can use them to access unauthorized data and bypass
authentication.
• Impact: Information disclosure, Authentication bypass

4.4.1.2 Exposure of Sensitive Data

Sensitive Data Exposure occurs when an organization unknowingly exposes
sensitive data or when a security incident leads to the accidental or unlawful
destruction, loss, alteration, or unauthorized disclosure of, or access to,
sensitive data. Such data exposure may occur as a result of inadequate protection
of a database, misconfigurations when bringing up new instances of datastores
(for example a cloud storage bucket left publicly readable), inappropriate usage
of data systems, and more.
Sensitive Data Exposure can be of the following three types:

• Confidentiality Breach: where there is unauthorized or accidental
disclosure of, or access to, sensitive data.
• Integrity Breach: where there is an unauthorized or accidental alteration
of sensitive data.
• Availability Breach: where there is an unauthorized or accidental loss of
access to, or destruction of, sensitive data. This includes both the
permanent and temporary loss of sensitive data.

4.4.1.3 Breach in authentication protocol


A breach in authentication protocol in cybersecurity refers to a compromise or failure
in the mechanisms designed to verify the identity of users, systems, or devices before
granting access to resources. Such breaches can occur due to vulnerabilities in the
authentication process, poor implementation, or exploitation by attackers. These
breaches can have severe consequences, including unauthorized access to sensitive
data, system control, or service disruptions.
Common Causes of Authentication Breaches:
1. Weak Passwords:
o Users employing easily guessable passwords or reusing them across
multiple platforms.
o Lack of enforcement of password complexity rules.
2. Credential Theft:
o Attackers obtaining user credentials via phishing, keyloggers, or data
breaches.
o Use of stolen credentials in credential stuffing attacks.
3. Lack of Multi-Factor Authentication (MFA):
o Sole reliance on single-factor authentication like passwords, which can be
easily compromised.
4. Session Hijacking:
o Attackers intercepting session tokens or cookies to gain unauthorized
access to authenticated sessions.
5. Insecure Transmission:
o Credentials sent over unencrypted channels (e.g., HTTP instead of HTTPS)
can be intercepted.
6. Vulnerable Authentication Systems:
o Flaws in implementation, such as SQL injection vulnerabilities in login
forms.
o Use of outdated authentication protocols prone to exploitation (e.g.,
LM/NTLM, whose hashes can be cracked offline or relayed).
7. Social Engineering Attacks:
o Tricks or manipulations to convince users to divulge their credentials.
8. Misconfigured Access Controls:
o Improper permissions that allow unauthorized users to access sensitive
resources.
9. Insider Threats:
o Malicious or negligent actions by authorized users compromising
authentication systems.
Impacts of Authentication Breaches:
• Unauthorized access to sensitive data.
• Financial losses from fraud or system downtime.
• Reputational damage to organizations.
• Legal and regulatory repercussions.
• Compromise of other systems due to trust relationships or reused credentials.
Mitigation and Best Practices:
1. Enforce Strong Password Policies:
o Require long, unique passwords, check them against lists of known breached
passwords, and force a change when compromise is suspected; current guidance
(NIST SP 800-63B) advises against mandatory periodic rotation, which pushes
users toward predictable variations.
2. Implement Multi-Factor Authentication (MFA):
o Add layers of security beyond just a password, such as biometrics or OTPs.
3. Encrypt Data in Transit:
o Use HTTPS and other secure protocols to protect credentials during
transmission.
4. Monitor and Detect Anomalies:
o Deploy systems to detect and respond to unusual authentication activity.
5. Educate Users:
o Train users on recognizing phishing attacks and securing their credentials.
6. Regular Security Audits:
o Review and update authentication mechanisms and access controls.
7. Secure Token Management:
o Protect session tokens and ensure proper logout mechanisms.
8. Implement Zero Trust Principles:
o Continuously verify users and devices rather than assuming trust based on
location or prior authentication.
By addressing these areas, organizations can significantly reduce the risk of
authentication protocol breaches and improve overall security.
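Items 1, 4 and 7 above in one small login service, as an added Python example (not from these notes): salted PBKDF2 password hashing, constant-time comparison, lockout after repeated failures, unguessable session tokens and server-side logout. The iteration count, lockout limits, users and clock values are constructed for the demo; MFA is not shown.

```python
"""A minimal login service applying several of the mitigations above.
Added example, not from the notes; users, limits and timestamps are
constructed for the demo."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor (OWASP's current figure)
MAX_FAILURES = 5            # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 900


def hash_password(password, salt=None):
    """Salted, slow hash. A stolen table then costs ITERATIONS hashes per guess."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class AuthService:
    def __init__(self):
        self.users = {}        # username -> (salt, digest)
        self.failures = {}     # username -> (count, locked_until)
        self.sessions = {}     # token -> username

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, now):
        """Return a session token on success, None otherwise. Unknown users and
        wrong passwords take the same path (a dummy hash is still computed),
        so timing and responses do not reveal which usernames exist."""
        count, locked_until = self.failures.get(username, (0, 0))
        if now < locked_until:
            return None                               # locked: refuse even a correct password
        salt, stored = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        _, candidate = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            token = secrets.token_urlsafe(32)         # 256 bits of randomness
            self.sessions[token] = username
            return token
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0
        self.failures[username] = (count, locked_until)
        return None

    def user_for(self, token):
        return self.sessions.get(token)

    def logout(self, token):
        """Invalidate server-side, so a stolen token stops working immediately."""
        return self.sessions.pop(token, None) is not None
```

A hard lockout is itself a denial-of-service lever (anyone can lock a victim out by guessing wrongly five times), so production systems usually pair per-account counters with per-source rate limiting and a CAPTCHA or MFA step instead of an outright lock; session tokens should additionally be sent only over HTTPS with the HttpOnly and Secure cookie flags.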

4.4.2 Types of Hackers:


White hat
• White hat Hackers are also known as Ethical Hackers or Penetration
Testers.
• White hat hackers are the good guys of the hacker world.
• These people use the same techniques used by black hat hackers.
• They also hack systems, but only systems they have explicit permission to
test, in order to assess the security of the system.
• They focus on security and protecting IT systems. White hat hacking is
legal.

Black hat
• Black-hat Hackers are also known as Unethical Hackers or Security
Crackers.
• These people hack systems illegally to steal money or to achieve their
own illegal goals.
• They find banks or other companies with weak security and steal money
or credit card information.
• They can also modify or destroy data. Black hat hacking is
illegal.