CS Unit-1

The document provides an overview of cyber security, emphasizing its importance in protecting individuals and organizations from increasingly sophisticated cyber threats. It introduces key concepts such as the CIA Triad (Confidentiality, Integrity, Availability) and outlines various types of cyber attacks and breaches, including data breaches, ransomware, and phishing. Additionally, it offers strategies for prevention and mitigation, highlighting the need for robust security measures and employee training.

Uploaded by

jyotiyadav0412

UNIT-1

Introduction to Cyber Security

Cyber Security Introduction - Cyber Security Basics:

Cyber security has become a matter of major concern as cyber threats and attacks keep growing. Attackers
now use more sophisticated techniques to target systems. Individuals, small businesses and large
organizations are all affected. So firms of every kind, IT and non-IT alike, have understood the
importance of cyber security and are focusing on adopting all possible measures to deal with cyber
threats.

What is cyber security?

"Cyber security is primarily about people, processes, and technologies working together to
encompass the full range of threat reduction, vulnerability reduction, deterrence, international
engagement, incident response, resiliency, and recovery policies and activities, including computer
network operations, information assurance, law enforcement, etc."

OR

Cyber security is the body of technologies, processes, and practices designed to protect networks,
computers, programs and data from attack, damage or unauthorized access.

• The term cyber security refers to techniques and practices designed to protect digital data, that
is, the data that is stored, transmitted or used on an information system.

OR

Cyber security is the protection of Internet-connected systems, including hardware, software, and
data from cyber attacks.

It is made up of two words: cyber and security.

• Cyber relates to the technology, which includes systems, networks, programs and data.

• Security relates to protection, which includes system security, network security, and
application and information security.

Why is cyber security important?

Listed below are the reasons why cyber security is so important in what’s become a predominant
digital world:

• Cyber attacks can be extremely expensive for businesses to endure.

• In addition to financial damage suffered by the business, a data breach can also inflict untold
reputational damage.

• Cyber-attacks these days are becoming progressively destructive. Cybercriminals are using
more sophisticated ways to initiate cyber attacks.

• Regulations such as GDPR are forcing organizations into taking better care of the personal
data they hold.

Because of the above reasons, cyber security has become an important part of the business and the
focus now is on developing appropriate response plans that minimize the damage in the event of a
cyber attack.

But an organization or an individual can develop a proper response plan only with a good grip on
cyber security fundamentals.

CIA
The CIA in cybersecurity refers to the CIA Triad, a foundational concept used to guide the
implementation and evaluation of security measures in information systems. The CIA Triad
represents three core principles:

1. Confidentiality

 Ensures that sensitive information is accessible only to authorized individuals or systems.

 Techniques:

o Encryption: Scrambles data to make it unreadable without the correct key.

o Access controls: Use permissions, passwords, or multi-factor authentication to restrict access.

o Data masking: Conceals sensitive information for non-authorized users.

 Examples:

o Protecting customer credit card information.

o Ensuring only specific employees can access confidential company files.

2. Integrity

 Ensures the accuracy and reliability of data by preventing unauthorized alterations.

 Techniques:

o Hashing: Verifies data integrity by comparing hash values.

o Digital signatures: Confirm the authenticity and integrity of messages or documents.

o Checksums: Detect errors in transmitted or stored data.

 Examples:

o Ensuring financial transactions are not tampered with.

o Safeguarding medical records from unauthorized changes.

3. Availability

 Ensures that information and systems are accessible to authorized users when needed.

 Techniques:

o Redundancy: Backup systems or data to ensure recovery in case of failure.

o Load balancing: Distribute network traffic to prevent overloads.

o Regular maintenance: Ensure software updates and hardware functionality.

o Protection against Distributed Denial of Service (DDoS) attacks.

 Examples:

o Online banking systems available 24/7.

o Emergency services' communication systems functioning during crises.
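To make the Integrity techniques above concrete, here is an added Python example (not part of the original notes) comparing a plain SHA-256 checksum with a keyed HMAC on a constructed transaction record: the checksum catches accidental or naive alteration, but only the keyed tag detects an alteration by someone who can also recompute the checksum. The record, key and field names are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample record (not from the notes): a transfer instruction
# whose integrity we want to protect.
RECORD = b"transfer;from=ACC-1001;to=ACC-2002;amount=250.00"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption of `data`."""
    return hashlib.sha256(data).hexdigest()


def checksum_ok(data: bytes, expected: str) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(checksum(data), expected)


def mac(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256): detects deliberate tampering too, because
    producing a valid tag for altered data requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def tamper(data: bytes) -> bytes:
    """Simulate an unauthorized alteration: change the amount field."""
    return data.replace(b"amount=250.00", b"amount=9250.00")


def demo() -> dict:
    """Run the comparison and return each check as a named boolean."""
    key = os.urandom(32)          # shared secret held by sender and verifier
    stored_sum = checksum(RECORD)  # what a checksum-only scheme would store
    stored_tag = mac(key, RECORD)  # what an HMAC scheme would store

    altered = tamper(RECORD)
    return {
        # A plain checksum catches the change as long as the attacker
        # cannot update the stored checksum as well...
        "checksum_detects_tamper": not checksum_ok(altered, stored_sum),
        # ...but an attacker who rewrites both data and checksum defeats it.
        "checksum_defeated_if_recomputed": checksum_ok(altered, checksum(altered)),
        # With HMAC the old tag no longer matches the altered data...
        "mac_detects_tamper": not mac_ok(key, altered, stored_tag),
        # ...and a tag computed without the real key is rejected too.
        "mac_detects_forged_tag": not mac_ok(key, altered, mac(b"guessed-key", altered)),
        # The genuine record still verifies.
        "mac_accepts_original": mac_ok(key, RECORD, stored_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```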

Importance of the CIA Triad

 The triad provides a framework for assessing and mitigating risks in cybersecurity.

 It ensures a balanced approach, as focusing on one principle without the others can create
vulnerabilities. For example:

o Strong confidentiality without availability can hinder legitimate access during emergencies.

o Overemphasis on availability might compromise confidentiality or integrity.

Practical Applications

The CIA Triad is applied across:

 Network security: Protecting communication channels.

 Database management: Ensuring secure and accurate data storage.

 Cloud security: Safeguarding remote servers and data access.

 Incident response: Evaluating breaches against CIA principles.

Computer Security Threats

Computer security threats are potential dangers to your computer’s efficient operation and
performance. They range from harmless adware to a dangerous trojan infection. As the world becomes
more digital, computer security concerns keep evolving. A threat in a computer system is a
potential danger that could harm your data security. At times, the damage is irreversible.

Types of Threats:

A security threat is a threat that has the potential to harm computer systems and organizations. The
cause could be physical, such as a computer containing sensitive information being stolen. It’s also
possible that the cause isn’t physical, such as a virus attack.

1. Physical Threats: A physical threat to computer systems is a potential cause of an
occurrence/event that could result in data loss or physical damage. It can be classified as:

 Internal: Caused by a short circuit, fire, unstable power supply, hardware failure due to excess
humidity, etc.

 External: Caused by disasters such as floods, earthquakes, landslides, etc.

 Human: Destruction of infrastructure and/or hardware, theft, disruption, and
unintentional/intentional errors are among the threats.

2. Non-physical threats: A non-physical threat is a potential source of an incident that could result in:

 Hampering of the business operations that depend on computer systems.

 Loss of sensitive data or information.

 Illegally tracking the activities on someone else’s computer system.

 Hacking of users’ IDs and passwords, etc.

The non-physical threats can be commonly caused by:

(i) Malware: Malware (“malicious software”) is a type of computer program that infiltrates and
damages systems without the users’ knowledge. Malware tries to go unnoticed by either hiding or
not letting the user know about its presence on the system. You may notice that your system is
processing at a slower rate than usual.

(ii) Virus: It is a program that replicates itself and infects your computer’s files and programs,
rendering them inoperable. It is a type of malware that spreads by inserting a copy of itself into and
becoming part of another program. It spreads with the help of software or documents. They are
embedded with software and documents and then transferred from one computer to another using
the network, a disk, file sharing, or infected e-mail. They usually appear as an executable file.

(iii) Spyware: Spyware is a type of computer program that tracks, records, and reports a user’s
activity (offline and online) without their permission for the purpose of profit or data theft. Spyware
can be acquired from a variety of sources, including websites, instant chats, and emails. A user may
also unwittingly obtain spyware by adopting a software program’s End User License Agreement.
Adware is a sort of spyware that is primarily utilized by advertising. When you go online, it keeps
track of your web browsing patterns in order to compile data on the types of websites you visit.

(iv) Worms: Computer worms are similar to viruses in that they replicate themselves and can inflict
similar damage. Unlike viruses, which spread by infecting a host file, worms are freestanding
programs that do not require a host program or human assistance to proliferate. Worms don’t
change programs; instead, they replicate themselves over and over. They just eat resources to make
the system down.

(v) Trojan: A Trojan horse is malicious software disguised as a useful host program. When the
host program is run, the Trojan performs a harmful/unwanted action. A Trojan horse, often known
simply as a Trojan, is malware that appears to be legitimate yet has the ability to take control
of your computer. It is designed to disrupt, steal, or otherwise harm your data or network.

(vi) Denial of Service Attacks: A Denial of Service attack is one in which an attacker tries to prevent
legitimate users from obtaining information or services, by making a system or network resource
unavailable to its intended users. The web servers of large organizations such as banking, commerce
and trading organizations are typical victims.

(vii) Phishing: Phishing is a type of attack frequently used to obtain sensitive information from
users, such as login credentials and credit card details. Attackers deceive users into giving up critical
information, such as bank and credit card details or access to personal accounts, through spam,
malicious web sites, email messages, and instant chats.

(viii) Key-Loggers: Keyloggers monitor a user’s computer activity in real time. A keylogger is a
program that runs in the background and records every keystroke made by a user, then sends the
data to an attacker with the intent of stealing passwords and financial information.

How to make your system secure:

In order to keep your system data secure and safe, you should take the following measures:

1. Always keep a backup of your data.

2. Install firewall software and keep it up to date.

3. Use strong, hard-to-crack passwords (containing capital and small letters, numbers, and
special characters).

4. Install antivirus/anti-spyware software and keep it up to date.

5. Scan your complete system regularly.

6. Before installing any program, check whether it is safe to install (using antivirus software).

7. Take extra caution when reading emails that contain attachments.

8. Always keep your system updated.

BREACHES

Cybersecurity breaches are incidents where unauthorized individuals or entities gain access to a
system, network, or sensitive data, often leading to data theft, financial loss, reputational damage, or
legal consequences. Breaches can occur due to a variety of reasons, including human error, malicious
attacks, or systemic vulnerabilities.

Types of Cybersecurity Breaches

1. Data Breaches

o Unauthorized access to sensitive data such as personal information, financial records, or
intellectual property.

o Example: Social Security numbers, credit card details, or medical records being
stolen.

2. Ransomware Attacks

o Attackers encrypt data and demand a ransom for its release.

o Example: The WannaCry ransomware attack disrupted global operations in 2017.

3. Phishing Attacks

o Fraudulent emails or messages trick individuals into revealing sensitive information.

o Example: A fake email from a trusted source asking for login credentials.

4. DDoS Attacks (Distributed Denial of Service)

o Overloading a network or server to make it unavailable to users.

o Example: Cyberattacks targeting major websites, rendering them inaccessible.

5. Man-in-the-Middle (MITM) Attacks

o Intercepting communication between two parties to steal or manipulate data.

o Example: An attacker intercepting login credentials during a public Wi-Fi session.

6. Insider Threats

o Breaches caused by employees or contractors, either maliciously or unintentionally.

o Example: A disgruntled employee leaking sensitive documents.

7. Supply Chain Attacks

o Exploiting vulnerabilities in third-party vendors or partners to access the primary target.

o Example: The SolarWinds attack, which compromised numerous organizations.

Common Causes of Breaches

 Human Error: Weak passwords, falling for phishing scams, or accidental data exposure.

 Weak Security Systems: Outdated software, lack of encryption, or inadequate firewalls.

 Social Engineering: Manipulating people into divulging confidential information.

 Advanced Persistent Threats (APTs): Sophisticated and prolonged attacks by cybercriminals
or nation-states.

 Misconfigured Systems: Incorrectly set up servers, databases, or access permissions.

Consequences of Cybersecurity Breaches

1. Financial Loss: Costs related to fines, legal fees, and recovery efforts.

2. Reputational Damage: Loss of trust among customers, partners, and the public.

3. Operational Disruption: Downtime in critical systems or services.

4. Legal Implications: Non-compliance with data protection laws like GDPR or CCPA.

5. Loss of Intellectual Property: Theft of trade secrets or proprietary information.


Prevention and Mitigation Strategies

1. Employee Training

o Educate employees about cybersecurity best practices, such as recognizing phishing attempts.

2. Robust Security Infrastructure

o Use firewalls, intrusion detection systems, and encryption.

3. Regular Software Updates

o Patch vulnerabilities in systems and applications promptly.

4. Access Control

o Implement least-privilege access policies and multifactor authentication (MFA).

5. Incident Response Plan

o Prepare a plan for detecting, responding to, and recovering from breaches.

6. Penetration Testing

o Conduct regular security audits and simulated attacks to identify weaknesses.

7. Secure Third-Party Partnerships

o Ensure vendors and partners adhere to cybersecurity standards.

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter
computer code, logic or data and leads to cybercrimes, such as information and identity theft.

Cyber-attacks can be classified into the following categories:

1) Web-based attacks

2) System-based attacks

Web-based attacks

These are the attacks which occur on a website or web application. Some of the important web-
based attacks are as follows-

1. Injection attacks

It is an attack in which data is injected into a web application so that the application processes it
as part of a command or query, letting the attacker manipulate the application and fetch the
required information.

Example- SQL Injection, code Injection, log Injection, XML Injection etc.

2. DNS Spoofing

DNS spoofing is a type of computer security attack whereby corrupt data is introduced into a DNS
resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to
the attacker's computer or any other computer. DNS spoofing attacks can go on for a long period of
time without being detected and can cause serious security issues.

3. Session Hijacking

It is a security attack on a user session over a protected network. Web applications create cookies to
store state and user sessions. By stealing the cookies, an attacker can gain access to all of the
user's data.

4. Phishing

Phishing is a type of attack which attempts to steal sensitive information like user login credentials
and credit card number. It occurs when an attacker is masquerading as a trustworthy entity in
electronic communication.

5. Brute force

It is a type of attack which uses a trial-and-error method. This attack generates a large number of
guesses and validates them to obtain actual data like a user's password or personal identification
number. This attack may be used by criminals to crack encrypted data, or by security analysts to test
an organization's network security.

6. Denial of Service

It is an attack which is meant to make a server or network resource unavailable to users. It
accomplishes this by flooding the target with traffic or sending it information that triggers a crash. It
uses a single system and a single internet connection to attack a server. It can be classified into the
following-

Volume-based attacks- The goal is to saturate the bandwidth of the attacked site; these are measured
in bits per second.

Protocol attacks- These consume actual server resources and are measured in packets per second.

Application layer attacks- The goal is to crash the web server; these are measured in requests per
second.

7. Dictionary attacks

This type of attack uses a stored list of commonly used passwords and validates them one by one to
obtain the original password.

8. URL Interpretation

It is a type of attack where certain parts of a URL are changed so that the web server delivers web
pages which the user is not authorized to browse.

9. File Inclusion attacks

It is a type of attack that allows an attacker to access unauthorized or essential files which are
available on the web server, or to execute malicious files on the web server, by making use of the
include functionality.

10. Man in the middle attacks

It is a type of attack that allows an attacker to intercept the connection between client and server
and act as a bridge between them. Due to this, an attacker will be able to read, insert and modify
the data in the intercepted connection.

System-based attacks
These are the attacks which are intended to compromise a computer or a computer network. Some
of the important system-based attacks are as follows-

1. Virus

It is a type of malicious software program that spreads throughout the computer's files without the
knowledge of the user. It is a self-replicating malicious computer program that replicates by inserting
copies of itself into other computer programs when executed. It can also execute instructions that
cause harm to the system.

2. Worm

It is a type of malware whose primary function is to replicate itself to spread to uninfected
computers. It works much like a computer virus. Worms often originate from email attachments that
appear to be from trusted senders.

3. Trojan horse

It is a malicious program that causes unexpected changes to computer settings and unusual activity,
even when the computer should be idle. It misleads the user about its true intent. It appears to be a
normal application, but when opened/executed some malicious code runs in the background.

4. Backdoors

It is a method that bypasses the normal authentication process. A developer may create a backdoor
so that an application or operating system can be accessed for troubleshooting or other purposes.

5. Bots

A bot (short for "robot") is an automated process that interacts with other network services. Some
bot programs run automatically, while others only execute commands when they receive specific
input. Common examples of bot programs are crawlers, chatroom bots, and malicious bots.

Difference between Threat and Attack

Key: Intentional
Threat: Threats can be intentional, like human negligence, or unintentional, like natural disasters.
Attack: An attack is a deliberate action. An attacker has a motive and plans the attack accordingly.

Key: Malicious
Threat: A threat may or may not be malicious.
Attack: An attack is always malicious.

Key: Definition
Threat: A threat, by definition, is a condition/circumstance which can cause damage to the system/asset.
Attack: An attack, by definition, is an intended action to cause damage to the system/asset.

Key: Chance for Damage
Threat: The chance of damage or information alteration varies from low to very high.
Attack: The chance of damage or information alteration is very high.

Key: Detection
Threat: A threat is difficult to detect.
Attack: An attack is comparatively easy to detect.

Key: Prevention
Threat: A threat can be prevented by controlling the vulnerabilities.
Attack: An attack cannot be prevented by merely controlling the vulnerabilities. Other measures like
backup, detect and act, etc., are required to handle a cyber-attack.

Key: Initiation
Threat: It might be started by the system or by an outsider.
Attack: It is always started by an outsider (system or user).

Exploits In Cyber Security

In cybersecurity, exploits refer to methods or techniques that attackers use to take advantage of
vulnerabilities in software, hardware, or networks. Exploits are a key component of cyberattacks,
allowing malicious actors to execute unauthorized actions or gain control over systems. Here's a
breakdown of key aspects related to exploits in cybersecurity:

Types of Exploits

1. Hardware

Hardware exploits are categorized into three types:

 Firmware attacks: Exploit vulnerabilities in the hardware device’s firmware.

 Side-channel attacks: Gain information from a system’s physical characteristics, including
power usage or electromagnetic leakage, to obtain sensitive data.

 Hardware trojans: Introduce malicious changes to hardware components.

2. Software

Software exploits take advantage of vulnerabilities in the system to run unauthorized code or to
break into the system. Cybercriminals may use different types of exploits according to their objectives:

 Buffer overflow: A buffer overflow, also known as buffer overrun, takes place when the amount
of data written to a buffer surpasses its storage limit. The excess data overflows into nearby
memory regions, overwriting or corrupting the information there.

 SQL injection: Known as a popular method for web hacking, SQL injection can
potentially wipe out an organization’s database by inserting malicious code into SQL
statements through web page input.

 Zero-day exploits: Exploit undiscovered and unpatched vulnerabilities.

3. Network

Network exploits focus on vulnerabilities in network configuration or protocols. They allow
unauthorized access, interception of data, or service disruption.

 Man-in-the-Middle (MitM): Intercepts and alters the communication between two parties.

 Denial of Service (DoS): Overwhelms a network service to make it unavailable.

 Packet Sniffing: Captures and analyzes network packets.

4. Personnel

Personnel exploits manipulate human psychology to get access to confidential information.

 Phishing: Cybercriminals attempt to deceive individuals to get confidential data like
passwords, usernames, and credit card information.

 Social Engineering: A tactic that’s widely used by attackers to manipulate or influence
individuals, forcing or tricking them into giving away sensitive data.

 Insider threats: Exploits implemented by certain members of a company.

5. Physical Site

Attackers enter the physical area where there are servers and other hardware devices with the intent
of tampering with the hardware and compromising security.

Some ways attackers can get to physical sites include:

 Tailgating: Gaining access to restricted places by following someone who has access.

 Dumpster Diving: Retrieving important information from materials that have been discarded.

 Tampering with physical devices: Manipulating physical devices or security protocols.

Stages of an Exploit

1. Reconnaissance:

o Identifying and scanning for vulnerabilities in the target system.

2. Weaponization:
o Crafting a payload or malicious code to exploit the vulnerability.

3. Delivery:

o Delivering the exploit to the target (e.g., through phishing, USB drives, or malware).

4. Exploitation:

o Triggering the vulnerability to execute the exploit.

5. Installation:

o Installing backdoors or malware for persistent access.

6. Command and Control (C2):

o Establishing communication with the compromised system for further attacks.

7. Actions on Objectives:

o Performing the end goal, such as data theft, system destruction, or ransomware
deployment.

How does an Exploit work?

An exploit benefits from a system’s flaw or vulnerability to perform malicious actions. These systems
could either be software, hardware, or a network, and the attacker delivers these exploits through
malware and viruses.

Here’s a breakdown of how an exploit works:

1. Determine the Weakness: The attacker would attempt to find weaknesses–if any–in the
targeted system. This could be either through extensive research, scanning or even buying
confidential information on the dark web.

2. Create the exploit: The attacker begins creating or obtaining code that can get them to
exploit that vulnerability. They would typically use methods like reverse engineering, or
modifying an existing code.

3. Deployment of exploit: Once the code is ready, attackers deploy the code by sending it to
the system that’s being targeted through phishing emails or network attacks.

4. Trigger the exploit: After the exploit has been successfully delivered and executed, the attacker
triggers the vulnerability by manipulating the system in an unexpected way.

5. Gaining control: A successful trigger of the exploit will execute a payload. These payloads
could either be malware or commands that manipulate the system. In some malware cases,
the attacker might attempt to spread the exploit to neighboring systems.

6. Maintain access: The attacker would consequently try to maintain their access using
different ways such as creating new user accounts or installing backdoors for quick access.

7. Cover tracks: The attacker would then try to clear all traces of the exploit in a bid not to be
easily caught.
Common Exploit Categories

1. Remote Code Execution (RCE):

o Allows attackers to execute arbitrary code on a target system remotely.

2. Privilege Escalation:

o Exploiting a vulnerability to gain higher access permissions.

3. Denial of Service (DoS):

o Exploiting weaknesses to disrupt services or networks.

4. Injection Attacks:

o Inserting malicious code into a vulnerable system (e.g., SQL injection, command
injection).

5. Cross-Site Scripting (XSS):

o Injecting malicious scripts into web applications.

6. Session Hijacking:

o Exploiting vulnerabilities to steal or manipulate session tokens.

Why do Exploits Occur?

Exploits occur for several reasons, but mainly when an organization has bugs or an insecure
system, uses an outdated system, or has improper configurations. Mistakes that individuals make,
such as being phished or failing to adhere to security best practices, must also be taken into
consideration.

1. Vulnerabilities in the Software: Coding mistakes or unpatched software can lead to
exploitation because they open the systems up to cyber attacks.

2. Complex Systems: Although new-generation software has benefits over traditional software,
it is usually integrated with other systems. Instead of making it easier to identify and
rectify most common bugs and defects, this configuration poses a real challenge.

3. Human Error: The most convenient form of attack for the attacker is through human contact
with the system. Attackers are capable of making people part with their personal and
sensitive details. Furthermore, the individuals in charge of managing the system may fail to
adopt software assurance measures, which allows exploitation to occur.

4. Lack of Security Measures: Poor encryption standards or bad password protection may result
in exploitation of the system. Further, the absence of security features, including non-updated
software or applications, also keeps the system vulnerable to other cyber attacks.

5. Inadequate Testing and Review: Insufficient or improperly conducted software testing and
code reviews can result in defects and peculiarities of the system design being overlooked.

How to Identify an Exploit Attack?

An exploit attack can sometimes be hard to detect, since attackers may camouflage their actions.
However, there are indications that can help a user recognize an exploit attack early.

1. Unusual System Behaviour: An exploited system is slow; it tends to freeze or develop
technical glitches, and ads or pop-ups appear more frequently.

2. Network Monitoring: Abnormal network traffic patterns, an increase in communication traffic,
and interactions with unfamiliar IP addresses.

3. Log Analysis: Strange messages or codes in system and application logs.

4. Behaviour Analysis: The system’s behaviour is not normal, or there are abrupt changes to
structures within the system. Users may complain about being locked out of their accounts,
receiving odd emails, or being defrauded.

5. Unauthorized Attempts: Look for signs of intrusion, such as multiple failed login attempts
with wrong passwords or unusual transactions.

6. Unknown Files and Activity: Once an exploit has been executed, you may find files and
programs on the system besides those installed by the operating system. Files may also be
created, modified, deleted, or even corrupted without the administrator’s permission.

How to Prevent an Exploit Attack and Mitigate the Risk of Exploits?

To prevent an exploit attack and to mitigate the risks of it, organizations should adhere to the
following best practices:

 Regular Software Updates: Ensure that all operating systems, software, and apps are
updated and that, where possible, automatic updates are enabled.

 Software and Network Security: Use firewalls to filter network traffic and install efficient
antivirus/anti-malware applications to halt suspicious activity once it has been detected in the
network. Similarly, a well-chosen firewall design, enabled Intrusion Detection and Prevention
Systems (IDPS), and network segmentation help halt unwanted activity.

 Regular Backups: Routine backups of data, stored safely, let you retrieve your data within a
short period of time.

 Vulnerability Scans: Do regular vulnerability assessments and apply virtual patching where
the actual patching cannot be done soon.

 Endpoint Protection: Strengthen enforcement by prohibiting unwanted and unknown software
and programs from running, and keep antivirus and anti-malware programs regularly updated.

 Data Encryption: Secure and protect important information and take strict measures for key
management.

 User and Security Training: To raise awareness among users, conduct annual security
seminars for all employees and, for instance, run drills with simulated phishing e-mails.

What are Cybersecurity Threats?

Cybersecurity threats are acts performed by individuals with harmful intent, whose goal is to steal
data, cause damage to or disrupt computing systems. Common categories of cyber threats include
malware, social engineering, man in the middle (MitM) attacks, denial of service (DoS), and injection
attacks—we describe each of these categories in more detail below.

Cyber threats can originate from a variety of sources, from hostile nation states and terrorist groups,
to individual hackers, to trusted individuals like employees or contractors, who abuse their privileges
to perform malicious acts.

Common Sources of Cyber Threats

Here are several common sources of cyber threats against organizations:

 Nation states—hostile countries can launch cyber attacks against local companies and
institutions, aiming to interfere with communications, cause disorder, and inflict damage.

 Terrorist organizations—terrorists conduct cyber attacks aimed at destroying or abusing
critical infrastructure, threatening national security, disrupting economies, and causing bodily
harm to citizens.

 Criminal groups—organized groups of hackers aim to break into computing systems for
economic benefit. These groups use phishing, spam, spyware and malware for extortion,
theft of private information, and online scams.

 Hackers—individual hackers target organizations using a variety of attack techniques. They
are usually motivated by personal gain, revenge, financial gain, or political activity. Hackers
often develop new threats, to advance their criminal ability and improve their personal
standing in the hacker community.

 Malicious insiders—an employee who has legitimate access to company assets, and abuses
their privileges to steal information or damage computing systems for economic or personal
gain. Insiders may be employees, contractors, suppliers, or partners of the target
organization. They can also be outsiders who have compromised a privileged account and
are impersonating its owner.

Types of Cybersecurity Threats

Malware Attacks

Malware is an abbreviation of “malicious software”, which includes viruses, worms, trojans, spyware,
and ransomware, and is the most common type of cyberattack. Malware infiltrates a system, usually
via a link on an untrusted website or email or an unwanted software download. It deploys on the
target system, collects sensitive data, manipulates and blocks access to network components, and
may destroy data or shut down the system altogether.

Here are some of the main types of malware attacks:

 Viruses—a piece of code injects itself into an application. When the application runs, the
malicious code executes.

 Worms—malware that exploits software vulnerabilities and backdoors to gain access to an
operating system. Once installed in the network, the worm can carry out attacks such as
distributed denial of service (DDoS).

 Trojans—malicious code or software that poses as an innocent program, hiding in apps,
games or email attachments. An unsuspecting user downloads the trojan, allowing it to gain
control of their device.

 Ransomware—a user or organization is denied access to their own systems or data via
encryption. The attacker typically demands a ransom be paid in exchange for a decryption
key to restore access, but there is no guarantee that paying the ransom will actually restore
full access or functionality.

 Cryptojacking—attackers deploy software on a victim’s device, and begin using their
computing resources to generate cryptocurrency, without their knowledge. Affected systems
can become slow and cryptojacking kits can affect system stability.

 Spyware—a malicious actor gains access to an unsuspecting user’s data, including sensitive
information such as passwords and payment details. Spyware can affect desktop browsers,
mobile phones and desktop applications.

 Adware—a user’s browsing activity is tracked to determine behavior patterns and interests,
allowing advertisers to send the user targeted advertising. Adware is related to spyware but
does not involve installing software on the user’s device and is not necessarily used for
malicious purposes, but it can be used without the user’s consent and compromise their
privacy.

 Fileless malware—no software is installed on the operating system. Native files like WMI and
PowerShell are edited to enable malicious functions. This stealthy form of attack is difficult to
detect (antivirus can’t identify it), because the compromised files are recognized as
legitimate.

 Rootkits—software is injected into applications, firmware, operating system kernels or
hypervisors, providing remote administrative access to a computer. The attacker can start the
operating system within a compromised environment, gain complete control of the
computer and deliver additional malware.

Social Engineering Attacks

Social engineering involves tricking users into providing an entry point for malware. The victim
provides sensitive information or unwittingly installs malware on their device, because the attacker
poses as a legitimate actor.

Here are some of the main types of social engineering attacks:

 Baiting—the attacker lures a user into a social engineering trap, usually with a promise of
something attractive like a free gift card. The victim provides sensitive information such as
credentials to the attacker.

 Pretexting—similar to baiting, the attacker pressures the target into giving up information
under false pretenses. This typically involves impersonating someone with authority, for
example an IRS or police officer, whose position will compel the victim to comply.

 Phishing—the attacker sends emails pretending to come from a trusted source. Phishing
often involves sending fraudulent emails to as many users as possible, but can also be more
targeted. For example, “spear phishing” personalizes the email to target a specific user, while
“whaling” takes this a step further by targeting high-value individuals such as CEOs.

 Vishing (voice phishing)—the imposter uses the phone to trick the target into disclosing
sensitive data or grant access to the target system. Vishing typically targets older individuals
but can be employed against anyone.

 Smishing (SMS phishing)—the attacker uses text messages as the means of deceiving the
victim.

 Piggybacking—an authorized user provides physical access to another individual who
“piggybacks” off the user’s credentials. For example, an employee may grant access to
someone posing as a new employee who misplaced their credential card.

 Tailgating—an unauthorized individual follows an authorized user into a location, for
example by quickly slipping in through a protected door after the authorized user has
opened it. This technique is similar to piggybacking except that the person being tailgated is
unaware that they are being used by another individual.

Supply Chain Attacks

Supply chain attacks are a new type of threat to software developers and vendors. Its purpose is to
infect legitimate applications and distribute malware via source code, build processes or software
update mechanisms.

Attackers are looking for non-secure network protocols, server infrastructure, and coding techniques,
and use them to compromise build and update process, modify source code and hide malicious
content.

Supply chain attacks are especially severe because the applications being compromised by attackers
are signed and certified by trusted vendors. In a software supply chain attack, the software vendor is
not aware that its applications or updates are infected with malware. Malicious code runs with the
same trust and privileges as the compromised application.

Types of supply chain attacks include:

 Compromise of build tools or development pipelines

 Compromise of code signing procedures or developer accounts

 Malicious code sent as automated updates to hardware or firmware components

 Malicious code pre-installed on physical devices

Man-in-the-Middle Attack

A Man-in-the-Middle (MitM) attack involves intercepting the communication between two
endpoints, such as a user and an application. The attacker can eavesdrop on the communication,
steal sensitive data, and impersonate each party participating in the communication.

Examples of MitM attacks include:

 Wi-Fi eavesdropping—an attacker sets up a Wi-Fi connection, posing as a legitimate actor,
such as a business, that users may connect to. The fraudulent Wi-Fi allows the attacker to
monitor the activity of connected users and intercept data such as payment card details and
login credentials.

 Email hijacking—an attacker spoofs the email address of a legitimate organization, such as a
bank, and uses it to trick users into giving up sensitive information or transferring money to
the attacker. The user follows instructions they think come from the bank but are actually
from the attacker.

 DNS spoofing—a Domain Name System (DNS) response is spoofed, directing a user to a malicious
website posing as a legitimate site. The attacker may divert traffic from the legitimate site or
steal the user’s credentials.

 IP spoofing—an internet protocol (IP) address connects users to a specific website. An
attacker can spoof an IP address to pose as a website and deceive users into thinking they
are interacting with that website.

 HTTPS spoofing—HTTPS is generally considered the more secure version of HTTP, but can
also be used to trick the browser into thinking that a malicious website is safe. The attacker
uses “HTTPS” in the URL to conceal the malicious nature of the website.

Denial-of-Service Attack

A Denial-of-Service (DoS) attack overloads the target system with a large volume of traffic, hindering
the ability of the system to function normally. An attack involving multiple devices is known as a
distributed denial-of-service (DDoS) attack.

DoS attack techniques include:

 HTTP flood DDoS—the attacker uses HTTP requests that appear legitimate to overwhelm an
application or web server. This technique does not require high bandwidth or malformed
packets, and typically tries to force a target system to allocate as many resources as possible
for each request.

 SYN flood DDoS—initiating a Transmission Control Protocol (TCP) connection sequence
involves sending a SYN request that the host must respond to with a SYN-ACK that
acknowledges the request, and then the requester must respond with an ACK. Attackers can
exploit this sequence, tying up server resources, by sending SYN requests but not responding
to the SYN-ACKs from the host.

 UDP flood DDoS—a remote host is flooded with User Datagram Protocol (UDP) packets sent
to random ports. This technique forces the host to search for applications on the affected
ports and respond with “Destination Unreachable” packets, which uses up the host
resources.

 ICMP flood—a barrage of ICMP Echo Request packets overwhelms the target, consuming
both inbound and outgoing bandwidth. The servers may try to respond to each request with
an ICMP Echo Reply packet, but cannot keep up with the rate of requests, so the system
slows down.

 NTP amplification—Network Time Protocol (NTP) servers are accessible to the public and
can be exploited by an attacker to send large volumes of UDP traffic to a targeted server. This
is considered an amplification attack due to the query-to-response ratio of 1:20 to 1:200,
which allows an attacker to exploit open NTP servers to execute high-volume, high-
bandwidth DDoS attacks.

Injection Attacks

Injection attacks exploit a variety of vulnerabilities to directly insert malicious input into the code of a
web application. Successful attacks may expose sensitive information, execute a DoS attack or
compromise the entire system.

Here are some of the main vectors for injection attacks:

 SQL injection—an attacker enters an SQL query into an end user input channel, such as a
web form or comment field. A vulnerable application will send the attacker’s data to the
database, and will execute any SQL commands that have been injected into the query. Most
web applications use databases based on Structured Query Language (SQL), making them
vulnerable to SQL injection. A new variant on this attack is NoSQL attacks, targeted against
databases that do not use a relational data structure.

 Code injection—an attacker can inject code into an application if it is vulnerable. The web
server executes the malicious code as if it were part of the application.

 OS command injection—an attacker can exploit a command injection vulnerability to input
commands for the operating system to execute. This allows the attack to exfiltrate OS data or
take over the system.

 LDAP injection—an attacker inputs characters to alter Lightweight Directory Access Protocol
(LDAP) queries. A system is vulnerable if it uses unsanitized LDAP queries. These attacks are
very severe because LDAP servers may store user accounts and credentials for an entire
organization.

 XML eXternal Entities (XXE) Injection—an attack is carried out using specially-constructed
XML documents. This differs from other attack vectors because it exploits inherent
vulnerabilities in legacy XML parsers rather than unvalidated user inputs. XML documents
can be used to traverse paths, execute code remotely and execute server-side request
forgery (SSRF).

 Cross-Site Scripting (XSS)—an attacker inputs a string of text containing malicious JavaScript.
The target’s browser executes the code, enabling the attacker to redirect users to a malicious
website or steal session cookies to hijack a user’s session. An application is vulnerable to XSS
if it doesn’t sanitize user inputs to remove JavaScript code.
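
As an added example that is not part of the original notes, the following Python snippet shows the SQL injection case from the list above in working code: a lookup built by string concatenation beside its parameterised replacement, run against a constructed in-memory SQLite table. The tautology input is the textbook one; the user names and addresses are invented.

```python
import re
import sqlite3

# Constructed in-memory users table standing in for the application's database.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# The classic tautology input: once concatenated into the query it reads
#   WHERE username = '' OR '1'='1'
# which is true for every row.
TAUTOLOGY_INPUT = "' OR '1'='1"

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Builds SQL by concatenation: the user's text becomes part of the query syntax."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterised query: the driver passes the input as data, never as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def is_plausible_username(value):
    """Allow-list check used as defence in depth in front of the parameterised query."""
    return USERNAME_RE.match(value) is not None


def find_user_validated(conn, username):
    """Reject input that cannot be a username before it reaches the database at all."""
    if not is_plausible_username(username):
        raise ValueError("invalid username")
    return find_user_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", find_user_vulnerable(db, "alice"))
    print("vulnerable, tautology    :", find_user_vulnerable(db, TAUTOLOGY_INPUT))
    print("parameterised, tautology :", find_user_safe(db, TAUTOLOGY_INPUT))
```

With the tautology input the concatenated query returns every row of the table, while the parameterised query looks for a user literally named `' OR '1'='1` and returns nothing.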

Footprinting

Footprinting means gathering information about a target system that can be used to execute a
successful cyber attack. To get this information, a hacker might use various methods and tools.
This information is the attacker’s first step toward compromising a system. There are two types of
footprinting, as described below.

 Active Footprinting: Active footprinting means performing footprinting by getting in direct
touch with the target machine.

 Passive Footprinting: Passive footprinting means collecting information about a system
located at a remote distance from the attacker.

Different kinds of information that can be gathered from Footprinting are as follows:

 The operating system of the target machine

 Firewall

 IP address

 Network map

 Security configurations of the target machine

 Email id, password

 Server configurations

 URLs

 VPN

Sources are as follows:

 Social Media: Most people tend to release a great deal of their information online. Hackers
treat this sensitive information as a valuable source. They may create a fake account that looks
real in order to be added as friends, or follow someone’s account in order to harvest their
information.

 Job websites: Organizations share some confidential data on many job websites such as
monsterindia.com. For example, a company posted on a website: “Job Opening for Lighttpd
2.0 Server Administrator”. From this, it can be inferred that the organization uses
the Lighttpd web server, version 2.0.

 Google: Search engines such as Google can perform far more powerful searches than most
people realize. Hackers and attackers use this in a technique that has been termed Google
hacking. Basic search techniques combined with advanced operators can do great damage.
Search operators such as “inurl:”, “allinurl:” and “filetype:” exist for this purpose.

For example, devices connected to the Internet can be found: a search string such as
inurl:“ViewerFrame?Mode=” will find public web cameras. The “link:” search operator that Google
used to have has since been turned off (as of 2017).

Google can be used to uncover many pieces of sensitive information that should not be revealed. A
term even exists for the people who blindly post this information on the internet: they are
called “Google Dorks”.

Social Engineering: There are various techniques that fall in this category. A few of them are:

 Eavesdropping: The attacker tries to record the personal conversation of the target victim
with someone that’s being held over communication mediums like the Telephone.

 Shoulder Surfing: In this technique, the attacker tries to capture personal information such as
email id, password, etc., of the victim by looking over the victim’s shoulder while the victim is
entering (typing or writing) his/her personal details.

 Archive.org: An archived version is an older version of a website that existed some time ago,
before many of its features were changed. archive.org is a website that collects snapshots of
websites at regular intervals. This site can be used to get information that no longer exists on
the site but existed before.

 An Organization’s Website: It’s the best place to begin for an attacker. If an attacker wants to
look for open-source information, which is information freely provided to clients, customers,
or the general public then simply the best option is: “ORGANISATION’s WEBSITE”.

 Using Neo Trace: NeoTrace is a powerful tool for getting path information. The graphical
display displays the route between you and the remote site, including all intermediate nodes
and their information. NeoTrace is a well-known GUI route tracer program. Along with a
graphical route, it also displays information on each node such as IP address, contact
information, and location.

 Whois: This is a lookup service that serves a good purpose for hackers. Through it, information
about the domain name, email-id, domain owner, etc. of a website can be traced. Basically, this
serves as a way of website footprinting.

Advantages:

 Footprinting allows Hackers to gather the basic security configurations of a target machine
along with network route and data flow.

 Once the attacker finds the vulnerabilities, he/she focuses on a specific area of the target
machine.

 It allows the hacker to identify which attack is most practical for compromising the target system.

Counter Measures:

 Avoid posting confidential data on social media websites.

 Avoid accepting unwanted friend requests on social media platforms.

 Promotion of education on various hacking tricks.

 Usage of footprinting techniques for identifying and removing sensitive information from
social media platforms.

 Proper configuration of web servers to avoid loss of information about system configuration.

Social Engineering
Social engineering uses human weakness or psychology to gain access to the system, data, personal
information, etc. It is the art of manipulating people. It doesn’t involve the use of technical hacking
techniques. Attackers use new social engineering practices because it is usually easier to exploit the
victim’s natural inclination to trust. For example, it is much easier to fool someone into giving their
password than to crack their password. Sharing too much information on social media can
enable attackers to obtain a password or extract a company’s confidential information from the posts
of its employees. This confidential information then helps attackers obtain the passwords of victims’
accounts.

How do Social Engineering Attacks Take Place?

Phishing scams are the most common type of social engineering attack these days. Tools such as
SET (Social Engineering Toolkit) also make it easier to create a phishing page, but luckily many
companies, such as Facebook, are now able to detect phishing. That does not mean you cannot
become a victim of phishing, because nowadays attackers use iframes to evade detection
techniques. An example of such hidden code in phishing pages is cross-site request forgery (CSRF),
an attack that forces an end user to execute unwanted actions on a web application. Example: in
2018 we saw a great rise in the use of ransomware delivered alongside phishing emails. What an
attacker usually does is deliver an attachment with a subject like “Account Information” and a
common file extension such as .pdf/.docx/.rar. The user generally clicks, and the attacker’s job is
done. This attack often encrypts the entire disk or the documents, and decrypting these files then
requires a cryptocurrency payment, the so-called “ransom”. Attackers usually accept Bitcoin/Ethereum
as the virtual currency because of its non-traceable nature. Here are a few examples of social
engineering attacks that are typically executed via phishing:

 Banking Links Scams

 Social Media Link Scams

 Lottery Mail Scams

 Job Scams

Purpose

The purpose of social engineering attacks is typically to steal sensitive information, such as login
credentials, credit card numbers, or personal information. Attackers can use this information for
identity theft, financial fraud, or other malicious purposes. Another purpose of social engineering
attacks is to gain unauthorized access to secure areas or systems. For example, an attacker might use
tailgating to follow an authorized individual into a secure area or use pretexting to convince an
individual to give them access to a restricted system.

Types of Social Engineering

There are many different types of social engineering attacks, each of which uses a unique approach
to exploit human weaknesses and gain access to sensitive information. Here are some of the main
types of attack:

 Phishing: Phishing is a type of social engineering attack that involves sending an email or
message that appears to be from a legitimate source, such as a bank, in an attempt to trick
the recipient into revealing their login credentials or other sensitive information.

 Baiting: Baiting is a type of social engineering attack that involves leaving a tempting item,
such as a USB drive, in a public place in the hope that someone will pick it up and plug it into
their computer. The USB drive is then used to infect the computer with malware.

 Tailgating: Tailgating is a type of social engineering attack that involves following an
authorized individual into a secure area, such as a building or a data center, without proper
authorization.

 Pretexting: Pretexting is a type of social engineering attack that involves creating a false
identity or situation in order to trick an individual into revealing sensitive information. For
example, an attacker might pretend to be a customer service representative in order to trick
an individual into giving them their login credentials.

 Vishing: Vishing is a type of social engineering attack that involves using voice phishing, or
“vishing,” to trick individuals into revealing sensitive information over the phone.

 Smishing: Smishing is a type of social engineering attack that involves using SMS messages to
trick individuals into revealing sensitive information or downloading malware.

Prevention

 Timely monitor online accounts whether they are social media accounts or bank accounts, to
ensure that no unauthorized transactions have been made.

 Check for Email headers in case of any suspecting mail to check its legitimate source.

 Avoid clicking on links, unknown files, or opening email attachments from unknown senders.

 Beware of links to online forms that require personal information, even if the email appears
to come from a known source. Phishing websites can look identical to legitimate websites.

 Adopt proper security mechanisms such as spam filters, anti-virus software, anti-keyloggers and
a firewall, and keep all systems updated.
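
As an added example that is not part of the original notes, the following Python script implements the "check the email headers" step from the prevention list: it compares the domain of the displayed From address with the envelope sender (Return-Path) and Reply-To, and reads the SPF and DKIM verdicts from the receiving server's Authentication-Results header. Both messages are constructed; the domains, addresses and message ids are invented, and the suspicious one imitates the “Account Information” lure described above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed message imitating the "Account Information" lure; all values invented.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@notify-mailer.example.net>
Received: from notify-mailer.example.net (notify-mailer.example.net [203.0.113.9])
\tby mx.example.com with ESMTP id 4Q1abc
\tfor <alice@example.com>; Mon, 10 Mar 2025 09:00:00 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=notify-mailer.example.net;
\tdkim=none
From: "Example Bank Security" <security@examplebank.example>
Reply-To: <support-desk@notify-mailer.example.net>
To: alice@example.com
Subject: Account Information
Content-Type: text/plain; charset=utf-8

Please review the attached account statement.
"""

# Constructed first-party message whose envelope and authentication results agree.
LEGITIMATE_MESSAGE = """\
Return-Path: <alerts@examplebank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplebank.example;
\tdkim=pass header.d=examplebank.example
From: "Example Bank" <alerts@examplebank.example>
To: alice@example.com
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Log in to the bank site as usual to view your statement.
"""


def domain_of(header_value):
    """Domain part of an address header, lower-cased; '' when the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def check_headers(raw_message):
    """Return a list of findings; an empty list means nothing in the envelope or the
    authentication results contradicts the sender the recipient sees."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])

    # For first-party mail the bounce address normally shares the From domain;
    # a different domain is a common sign that the From header is spoofed.
    return_path_domain = domain_of(msg["Return-Path"])
    if return_path_domain and return_path_domain != from_domain:
        findings.append("return-path-domain-mismatch")

    # A Reply-To pointing elsewhere redirects the victim's answer to the attacker.
    reply_to_domain = domain_of(msg["Reply-To"])
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append("reply-to-domain-mismatch")

    # The receiving server records its SPF and DKIM verdicts here.
    auth = str(msg["Authentication-Results"] or "")
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    if spf is None or spf.group(1).lower() != "pass":
        findings.append("spf-not-pass")
    if dkim is None or dkim.group(1).lower() != "pass":
        findings.append("dkim-not-pass")
    return findings


if __name__ == "__main__":
    print("suspicious :", check_headers(SUSPICIOUS_MESSAGE))
    print("legitimate :", check_headers(LEGITIMATE_MESSAGE))
```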

What is Nmap?

Nmap stands for Network Mapper which is a free Open source command-line tool. Nmap is an
information-gathering tool used for reconnaissance. It scans hosts and services on a computer
network which means that it sends packets and analyzes the response. Listed below are the most
useful Scans which you can run with the help of Nmap tools.

How to Use Nmap

Using Nmap is straightforward. Below are some basic steps and commands to get started with Nmap:
1. Install Nmap: Nmap is available for various operating systems, including Linux, Windows, and
macOS. You can download it from the official Nmap website.

2. Basic Syntax: The basic syntax for running an Nmap scan is:

nmap [Scan Type] [Options] {Target}

 Scan Type: Specifies the type of scan (e.g., TCP, SYN).

 Options: Additional options such as port range or timing options.

 Target: The IP address or domain name of the target.

Nmap Scanning Techniques

1. TCP Scan/TCP Connect Scan:

nmap -sT 192.168.1.12 --top-ports 50

Here:

 -sT is used for TCP Scan.

 --top-ports is used to scan the most commonly used ports; the number given is how many
of them to scan. Here we give 50, which means the 50 ports most commonly used in TCP.

 192.168.1.12 is the Destination IP. You can also give the Destination URL.

This scan is used to scan the TCP ports. It completes the 3-way handshake process which means the
host tries to make a connection with the target before any communication happens between the
systems.

3-way handshake process if the Destination port is Open.

Using this command your system sends a SYN packet and the Destination responds with SYN and
ACK packets which means the port is listening and your system sends an ACK packet to complete
the connection.

If the port is Closed then the Destination Respond with RST/ACK packets.
3-way handshake if the Destination port is close

In the above image, you can see the result of the TCP scan you can see the port number and state of
the ports and services on these ports.

2. SYN Scan/Stealth Scan/Half Open Scan:

nmap -sS 192.168.1.12 --top-ports 50

Here: -sS is used for SYN Scan.

SYN Scan is the same as TCP Scan but it does not complete the 3-way handshake process.
In this scan, the source sends the SYN packet and the destination responds with SYN/ACK packets, but
the source interrupts the 3-way handshake by sending an RST packet. Because of the interruption,
the destination host does not keep a record of the source system.

3. UDP Scan:

nmap -sU 192.168.1.12 --top-ports 50

Here: -sU is used to activate the UDP Scan. It generally sends empty UDP packets and takes
more time than a TCP Scan.

4. Ping Scan/NO PORT Scan:

nmap -sn 192.168.1.0/24

Here: -sn and -sP both are used for Ping Scan.

This only prints the available hosts that respond to the host discovery probes within the network. The
above command does not tell anything about the ports of the system. You can also use it on a
single IP to check whether the host is up or not.

Different States of the Port Scan Results and their Meaning

There are mainly 4 types of State in the port scan results.

1. Open: A port is Open means that a service is listening on the port, for example, a MySQL service
running on port 3306 as you can see in the TCP Scan result image.

2. Closed: This means no service is listening on that port.

3. Filtered: The port is filtered by a security system such as a firewall, and whether the port is open
or closed cannot be determined. If the host sends an unusual response then the port is also marked
filtered. As in the above image of the UDP Scan result, when the host sends a response such as ICMP
Unreachable the port is considered filtered.

4. Open | Filtered: No answer is given by the host, so the port may be filtered by a firewall. But in
some cases, as in the above UDP Scan result image, the host does not send an ACK packet the way it
does in a TCP Scan, so the lack of response means the port may also be open.

Best Practices for Network Vulnerability Discovery

 Use Multiple Scan Types: There are several scan types: TCP, SYN, UDP, etc. Combining them
gives a more informative picture of the network.

 Timing and Performance: You may also apply timing options, such as -T0 to -T5, in order to
regulate the rate of your scans. Low scan speeds are virtually undetectable but, on the other
hand, they take more time than any other scan.

 Regular Scanning: It is helpful to constantly ‘ping’ your network in order to discover new
points of exposure and check whether all the countermeasures are still adequate.

 Safe Scanning: With the -sV option, Nmap will scan for services and their versions without
actually probing. It is always helpful to seek consent before trying to scan a network that
you do not own.

 Save Results: The -oN, -oX, or -oG options can be used in order to save your results so that
you can analyze them later.
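
As an added example that is not part of the original notes, the following Python script parses the greppable (-oG) output mentioned under Save Results, tallies the port states described above, and diffs two scans of the same range to surface new hosts and newly open ports, which is what Regular Scanning is meant to catch. Both scan outputs are constructed sample data; the addresses, host names and service versions are invented.

```python
import re
from collections import Counter

# Constructed greppable (-oG) output for two scans of the same private range.
BASELINE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Mar 10 09:00:00 2025 as: nmap -sS -sV --top-ports 50 -oG baseline.gnmap 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (48)
Host: 192.168.1.12 ()\tStatus: Up
Host: 192.168.1.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/filtered/tcp//https///, 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: closed (47)
# Nmap done at Mon Mar 10 09:00:09 2025 -- 256 IP addresses (2 hosts up) scanned in 9.12 seconds
"""

CURRENT_GNMAP = """\
# Nmap 7.94 scan initiated Tue Mar 11 09:00:00 2025 as: nmap -sS -sV --top-ports 50 -oG current.gnmap 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (48)
Host: 192.168.1.12 ()\tStatus: Up
Host: 192.168.1.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx 1.24/, 3306/open/tcp//mysql//MySQL 8.0.33/, 5900/open/tcp//vnc//VNC protocol 3.8/\tIgnored State: closed (46)
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (49)
# Nmap done at Tue Mar 11 09:00:10 2025 -- 256 IP addresses (3 hosts up) scanned in 9.40 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# One port entry is port/state/protocol/owner/service/rpc info/version/ .
PORT_RE = re.compile(r"^(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")


def parse_gnmap(text):
    """Map each host IP to its hostname, status and a {(port, proto): info} table."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # "# Nmap ..." comment lines carry no host data
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        entry = hosts.setdefault(m.group(1), {"hostname": m.group(2), "status": None, "ports": {}})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    pm = PORT_RE.match(item.strip())
                    if pm:
                        port, state, proto, _owner, service, _rpc, version = pm.groups()
                        entry["ports"][(int(port), proto)] = {
                            "state": state, "service": service, "version": version}
    return hosts


def count_states(hosts):
    """Tally the port states (open, closed, filtered, open|filtered, ...) across all hosts."""
    return Counter(info["state"] for h in hosts.values() for info in h["ports"].values())


def diff_scans(baseline, current):
    """Report hosts that appeared or vanished, ports that became open, and state changes."""
    report = {"new_hosts": sorted(set(current) - set(baseline)),
              "missing_hosts": sorted(set(baseline) - set(current)),
              "new_open_ports": [], "state_changes": []}
    for ip in sorted(current):
        old_ports = baseline.get(ip, {}).get("ports", {})
        for (port, proto), info in sorted(current[ip]["ports"].items()):
            old = old_ports.get((port, proto))
            if info["state"] == "open" and (old is None or old["state"] != "open"):
                report["new_open_ports"].append((ip, port, proto, info["service"]))
            if old is not None and old["state"] != info["state"]:
                report["state_changes"].append((ip, port, proto, old["state"], info["state"]))
    return report


if __name__ == "__main__":
    base, cur = parse_gnmap(BASELINE_GNMAP), parse_gnmap(CURRENT_GNMAP)
    print("baseline states:", dict(count_states(base)))
    for key, value in diff_scans(base, cur).items():
        print(f"{key}: {value}")
```

On the sample data the diff reports a host that was not in the baseline (192.168.1.77), a VNC port that opened on 192.168.1.12, and 443/tcp on that host changing from filtered to open.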

What is Nmap?

Nmap is an open-source network scanning and host discovery tool, which was created by Gordon
Lyon and has been actively developed and maintained for over two decades. Nmap was first released in
1997 by Fyodor Vaskovich. Since then, it has grown into one of the most widely used network
scanning tools in the world. It has a rich history of development and community contributions, which
constantly expand its capabilities and keep it in step with the ever-changing network security
landscape. Nmap allows users to carry out a wide range of network-related tasks.

1. Network Discovery: With Nmap users can scan networks and discover devices and hosts on
a network, allowing network admin to understand the network more efficiently.

2. Port Scanning: It can determine which ports are open and which services are running on
those ports, which is critical for security assessments and vulnerability scanning.

3. OS Fingerprinting: Nmap can attempt to identify the operating system running on a target
host by analyzing various characteristics of network packets.

4. Vulnerability Assessment: It's a valuable tool for identifying potential vulnerabilities in
systems and services, aiding in proactive security measures.

5. Network Monitoring: Nmap can be used for continuous monitoring to detect changes in the
network environment.

Features of Nmap

Nmap offers a wide range of features to its users, including:

1. Comprehensive Scanning: Nmap can scan a variety of protocols and perform different types
of scans.

2. Scripting Engine: Nmap Scripting Engine(NSE) allows users to write and run their custom
scripts to automate various tasks of Nmap such as Network auditing and vulnerability
scanning.

3. OS Detection: Nmap can be used to identify the operating system of the target hosts based on
their responses to the network probes.

4. Service and Version Detection: Nmap can accurately identify the services and versions that
are running on the open ports of the target hosts.

5. Output Formats: Nmap supports multiple output formats for the scan results like plain text,
XML, and greppable output.

Why Do You Need Nmap on Your Network?

There are a few points that reflect the work of Nmap and provide many reasons to have Nmap on
your network.

 Security Assessment: One of the main reasons to have Nmap is to assess the security of your
network. you can do this by scanning open ports and services, and can further identify
potential entry points for attackers.

 Intrusion Detection: Nmap can be used to detect unauthorized or unexpected changes in
your network environment. Regular scans can help you identify new or rogue devices that
shouldn't be on your network.

 Inventory Management: Nmap provides an efficient way to create an inventory of all devices
on your network. This is crucial for keeping track of your network's assets and ensuring you
have control over what's connected.

 Network Troubleshooting: Whenever there is a network issue, Nmap can help you identify
the root cause by pinpointing the status of the network services and devices, which in turn
helps you resolve the issue more effectively.

 Vulnerability Scanning: Nmap can be used in conjunction with vulnerability databases and
scripts (such as NSE scripts) to scan for known vulnerabilities on devices. This aids in
proactive security measures to patch or mitigate vulnerabilities before they are exploited.

Let's See Nmap in Action With Some Simple Examples:

Here's a simple example of how to use Nmap for basic network scanning. We'll perform a basic host
discovery and a port scan.

1. Host Discovery: To discover live hosts without port scanning them, use the -sn (ping scan)
option:

sudo nmap -sn scanme.nmap.org

This command sends discovery probes to scanme.nmap.org and reports whether the host is up.
Against a range such as 192.168.1.0/24 it lists every responding host. (Root is not strictly
required for -sn, but as root Nmap can use ARP and ICMP probes instead of plain TCP connects.)

2. Port Scanning: To perform a port scan on a specific host, use the following command:

sudo nmap -p 1-65535 192.168.1.100

This command scans all 65,535 TCP ports on the host at IP address 192.168.1.100 and reports
which ports are open (-p- is the shorthand for the same range). 192.168.1.100 is a placeholder;
substitute the address of a machine you are authorized to scan.

Please note that Nmap is a powerful tool, and scanning systems without permission is illegal and
unethical. scanme.nmap.org is provided by the Nmap project specifically as a permitted target
for light testing.
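Nmap's XML output (-oX, one of the output formats listed above) is the form to use when scan results feed another tool. The following Python script is an added example, not part of these notes or of the Nmap project: it parses two Nmap XML reports and prints the hosts and open ports that appeared between them, which is the "regular scans to detect changes" idea from the Intrusion Detection point. The two XML documents are constructed inline to mimic nmap -oX output, with made-up addresses and services, so the script runs offline; in practice you would read the files written by nmap -oX.

```python
"""Diff two Nmap XML reports (nmap -oX) to flag new hosts and newly opened ports.

Added example for these notes; the XML below is constructed to mimic real Nmap output,
with made-up hosts. In practice you would read the files produced by
    nmap -oX baseline.xml ...   and   nmap -oX today.xml ...
"""
import xml.etree.ElementTree as ET

# Constructed baseline: one host, SSH and HTTP open, HTTPS closed.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 22,80,443,3389 -oX - 192.168.1.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed later scan: the same host now exposes RDP, a Telnet host has appeared,
# and one address did not answer at all.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 22,80,443,3389 -oX - 192.168.1.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.99" addrtype="ipv4"/>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ipv4: {(protocol, port): service_name}} containing only hosts that are up
    and only ports whose state is 'open'."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not respond
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not inventory
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[addr] = open_ports
    return hosts


def diff_scans(baseline, current):
    """Compare two parsed scans. new_ports maps an IP to the (proto, port) pairs that
    were not open in the baseline; hosts that disappeared are reported too, since a
    missing server can be as interesting as a new one."""
    new_hosts = sorted(set(current) - set(baseline))
    missing_hosts = sorted(set(baseline) - set(current))
    new_ports = {}
    for ip in set(current) & set(baseline):
        opened = set(current[ip]) - set(baseline[ip])
        if opened:
            new_ports[ip] = sorted(opened)
    return {"new_hosts": new_hosts, "missing_hosts": missing_hosts, "new_ports": new_ports}


if __name__ == "__main__":
    before = parse_nmap_xml(BASELINE_XML)
    after = parse_nmap_xml(CURRENT_XML)
    report = diff_scans(before, after)
    for ip in report["new_hosts"]:
        print(f"NEW HOST   {ip}: {sorted(after[ip].items())}")
    for ip, ports in report["new_ports"].items():
        labels = [f"{p}/{proto} ({after[ip][(proto, p)]})" for proto, p in ports]
        print(f"NEW PORTS  {ip}: {labels}")
    for ip in report["missing_hosts"]:
        print(f"GONE       {ip}")
```

Run against the constructed data this reports 192.168.1.77 as a new host (Telnet open) and 3389/tcp as newly open on 192.168.1.10. Only "open" states count as inventory; the closed 443 in the baseline and the down host in the later scan are ignored, which is what you want when the report is meant to be actioned rather than read.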

Zenmap

Zenmap is the official graphical user interface (GUI) for Nmap, the renowned open-source network
scanner written by Gordon Lyon, also known as Fyodor. Zenmap simplifies the process of
network discovery and vulnerability assessment for users who prefer a visual interface. It provides a
user-friendly way to interact with Nmap's scanning engine: every scan profile in Zenmap maps to an
ordinary Nmap command line, which Zenmap displays and lets you edit before running.

Key Features of Zenmap:

1. Network Discovery: Zenmap facilitates the discovery of devices connected to a network, providing
insights into their IP addresses, hostnames and (for hosts on the same local segment, where Nmap can
see the ARP reply) MAC addresses. This information is invaluable for identifying potential entry
points and understanding the network's structure.

2. Port Scanning: One of Zenmap's primary functions is port scanning, which involves probing target
systems for open ports. By identifying open ports, cybersecurity professionals can assess potential
vulnerabilities and secure them before malicious actors exploit them.

3. Service Detection: Zenmap goes beyond port scanning by detecting the services running on open
ports (Nmap's -sV version detection). This feature helps in understanding the functionality of each
port and determining whether any services pose security risks.

4. Vulnerability Assessment: With Zenmap, users can run Nmap's vulnerability-category NSE scripts
(the equivalent of nmap --script vuln on the command line). Nmap itself does not ship a general
vulnerability database; each script checks for specific known weaknesses, so the results should be
correlated with a dedicated vulnerability scanner when prioritizing remediation.

Practical Applications of Zenmap:

1. Network Security Audits: Zenmap is instrumental in conducting comprehensive network security
audits, allowing professionals to identify weaknesses in network infrastructure, misconfigurations,
and potential security gaps.

2. Intrusion Detection: By regularly scanning the network with Zenmap and comparing results
against an earlier scan (Zenmap's "Compare Results" tool shows the two side by side), cybersecurity
teams can detect unauthorized devices or newly exposed services. Because these are periodic
scans, detection is near real-time at best; continuous monitoring needs an IDS or passive sensor.

3. Penetration Testing: Zenmap plays a vital role in penetration testing exercises by providing insights
into network vulnerabilities and entry points that attackers could exploit. Penetration testers can use
Zenmap to simulate cyber attacks and assess the network's resilience to various threats.

4. Incident Response: In the event of a security incident, Zenmap can assist in rapidly assessing the
scope of the breach, identifying compromised systems, and mitigating further damage by promptly
securing vulnerable assets.

Zenmap remains a cornerstone tool in the arsenal of cybersecurity professionals, offering a robust
set of features for network discovery, vulnerability assessment, and threat detection. Its intuitive
interface, coupled with the power of Nmap's scanning engine, makes it indispensable for securing
modern networks against evolving cyber threats. By harnessing the capabilities of Zenmap,
organizations can fortify their defenses and safeguard critical assets in an increasingly interconnected
digital landscape.

Pros and Cons of ‘Zenmap’

PROS

 Open source

 Lightweight and easy to set up

 Fast and flexible

 Allows scanning of individual IP addresses, IP address ranges, and full subnets

CONS

 No option to change the font style of the output

 Sometimes scanning takes more time than usual

 Sometimes it does not identify the operating system accurately

 A bit of a learning curve to go from novice to power user

Installation of Zenmap

Zenmap is available free from: https://nmap.org/zenmap/

Zenmap installation on Debian, Ubuntu, and Linux Mint

$ sudo apt-get install zenmap

(Package names are case-sensitive. Recent Debian and Ubuntu releases no longer carry the zenmap
package; in that case download it from nmap.org instead.)

Launching Zenmap

$ sudo zenmap

Root privileges are needed for SYN, UDP, OS-detection and other raw-socket scan types; a
non-root Zenmap session falls back to TCP connect scans.

Zenmap analyses and displays the complete details related to hosts, such as OS version, installed
services, service status and uptime.

Topology map of network in Zenmap

Zenmap's "Topology" option provides an interactive, animated visualization of host connectivity.

Hosts are represented as nodes on the interface, and we can use the controls to zoom in and out.

On clicking a host, it becomes the new center, and when a new scan is launched every new host and
network path is added to the topology automatically.

The topology view is most useful when combined with Nmap's --traceroute option, which discovers the
network path (the intermediate hops) to each host.

What Is A Port Scan?

A port scan is a common technique hackers use to discover open doors or weak points in a
network. A port scan attack helps cyber criminals find open ports and figure out whether they are
receiving or sending data. It can also reveal whether active security devices like firewalls are being
used by an organization.

When hackers send a message to a port, the response they receive determines whether the port is
being used and if there are any potential weaknesses that could be exploited.

Businesses can also use the port scanning technique to send packets to specific ports and analyze
responses for any potential vulnerability. They can then use tools such as IP scanners, Network
Mapper (Nmap), and Netcat to verify that their network and systems expose only what they intend.

Port scanning can provide information such as:

1. Services that are running

2. Users who own services

3. Whether anonymous logins are allowed

4. Which network services require authentication


What is a port?

A port is a numbered endpoint on a host through which a program exchanges data with programs on
other computers (or on the same machine). To ensure consistency and simplify programming, each
port is identified by a port number. A port number combined with an IP address identifies one end of
a connection, which is how a host delivers an incoming packet to the right application.

Port numbers range from 0 through 65,535 and are divided into three ranges. Ports numbered
0 to 1,023 are called "well-known" ports. They are assigned by the Internet Assigned Numbers
Authority (IANA) to widely used services (HTTP, SSH, DNS, SMTP and so on), and on Unix-like systems
only a privileged process may listen on them.

Ports are used by both the Transmission Control Protocol (TCP), which defines how to establish and
maintain a connection between applications, and the User Datagram Protocol (UDP), which is
connectionless and is used for low-latency, loss-tolerant traffic. A given port number therefore
refers to one of two distinct ports depending on the protocol, such as 53/tcp and 53/udp. Some of
the most frequently used ports include:

1. Ports 20 and 21 (TCP): File Transfer Protocol (FTP); 21 carries commands, 20 carries data in
active mode

2. Port 22 (TCP): Secure Shell (SSH), used for secure logins, port forwarding, and SFTP/SCP file
transfer

3. Port 23 (TCP): The Telnet protocol, used for unencrypted remote login

4. Port 53 (UDP and TCP): The Domain Name System (DNS), which translates internet domain names
into machine-readable IP addresses

5. Port 80 (TCP): The World Wide Web Hypertext Transfer Protocol (HTTP)

Ports numbered from 1,024 to 49,151 are "registered ports," which vendors and projects register
with IANA for their applications (for example 3306 for MySQL). Ports from 49,152 to 65,535 are
"dynamic" or "private" (ephemeral) ports; they are not registered and are typically chosen
automatically by a client's operating system as the source port of an outgoing connection.

What Are The Port Scanning Techniques?

A port scan sees packets sent to destination port numbers using various techniques. Several of these
include:

1. Ping scans: A ping scan is considered the simplest port scanning technique. They are also
known as internet control message protocol (ICMP) requests. Ping scans send a group of
several ICMP requests to various servers in an attempt to get a response. A ping scan can be
used by an administrator to troubleshoot issues, and pings can be blocked and disabled by a
firewall.

2. Vanilla scan: Another basic port scanning technique, a vanilla (TCP connect) scan attempts to
connect to each of the 65,536 ports in turn. It sends a synchronize (SYN) segment, or connect
request. When it receives a SYN-ACK response, or an acknowledgment of connection, it responds with
an ACK, completing the three-way handshake. This scan is accurate but easily detectable because a
full connection is made and is typically logged by the service and by any firewall in the path.

3. SYN scan: Also called a half-open scan, this sends a SYN segment to the target and waits for a
SYN-ACK response. If one arrives, the port is open; the scanner then sends a RST instead of the
final ACK, so the TCP connection is never completed and the listening application never sees the
connection (a RST reply means closed, no reply means filtered). The application does not log the
attempt, although firewalls and intrusion detection systems can still see the half-open probes.
This is a quick technique, requiring raw-socket privileges, that hackers use to find weaknesses.

4. XMAS and FIN scans: Christmas tree scans (XMAS scans) and FIN scans are more discreet attack
methods. XMAS scans take their name from the set of flags that are turned on within a segment (FIN,
PSH and URG) which, when viewed in a protocol analyzer like Wireshark, appear lit up like a
Christmas tree. A FIN scan sends a segment with only the FIN flag, normally used to end an
established session, to a specific port. Both rely on the TCP specification's rule that a closed
port answers an unexpected segment with RST while an open port silently ignores it; the response
(or lack of one) therefore reveals the state of the port and the presence of filtering. Systems
that do not follow this rule, such as Windows, answer RST from every port, so these scans cannot
distinguish open from closed there.

5. FTP bounce scan: This technique enables the sender to disguise their location by using an
FTP server to bounce a packet.

6. Sweep scan: This preliminary port scanning technique sends traffic to a port across several
computers on a network to identify those that are active. It does not share any information
about port activity but informs the sender whether any systems are in use.
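To make the port states concrete, here is an added Python example (not code from these notes or from Nmap) that implements the vanilla/TCP connect technique from item 2 with plain sockets and classifies each port as open, closed or filtered from the outcome of the handshake. It starts its own throwaway listener on 127.0.0.1 so that it runs offline; the helper names (classify_port, connect_scan, start_local_listener, pick_closed_port) are the example's own, and the timeout is an assumed value.

```python
"""TCP connect ('vanilla') scan with plain sockets, classifying ports Nmap-style.

Added example for these notes, not taken from Nmap. The target is a throwaway
listener this script starts on 127.0.0.1, so it runs offline; replace host/ports
with a system you are authorized to scan.
"""
import socket
import threading


def classify_port(host, port, timeout=0.5):
    """Attempt a full three-way handshake with connect() and map the result:
    handshake completes -> open (the service saw, and may log, a connection),
    RST received       -> closed (connect() fails with ECONNREFUSED),
    nothing comes back -> filtered (a firewall dropped the SYN, or an ICMP
                          unreachable came back instead of a TCP reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"
        return "open"


def connect_scan(host, ports, timeout=0.5):
    """Scan ports one at a time (Nmap parallelizes; a single thread keeps the
    example readable). Returns {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def start_local_listener():
    """Constructed target: bind an ephemeral loopback port and accept connections
    in a background thread. Returns (server_socket, port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    port = server.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return  # server socket closed, stop accepting
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return server, port


def pick_closed_port():
    """Bind and immediately release an ephemeral port to obtain a number that
    currently has no listener, so the scan sees a genuine RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns (open_port, closed_port, results)."""
    server, open_port = start_local_listener()
    closed_port = pick_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        server.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port in (open_port, closed_port):
        print(f"127.0.0.1:{port}/tcp {results[port]}")
```

The connect scan needs no privileges because the operating system performs the handshake, but that is also why it is noisy: the listener's accept() returns a real connection for every open port probed. A SYN scan would have to build the SYN itself with a raw socket, and on seeing SYN-ACK send RST rather than ACK, so accept() never fires on the target; that difference, not the probes on the wire, is what "half-open" buys the attacker.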

Different Types Of Port Checker Or Scanner

There are several different port scanning or checking techniques, including:

1. Ping scans: A ping is used to check whether a network data packet can reach an IP address
without any issues. Ping scans involve automated transmissions of several ICMP requests to
various servers.

2. Half-open or SYN scans: Attackers can check the state of a port without creating a full
connection by using a half-open scan, often known as a SYN scan. This kind of scan just
transmits a SYN segment and does not complete a connection with the recipient.

3. XMAS scans: XMAS scans send a number of oddly flagged packets to a port to check if it is open.
If the port is closed, the scanner gets a RST response. If it gets no response, the port is either
open or filtered by a firewall; the scan alone cannot tell which.

How to use the open port checker tool

To use the open port checker tool to run a port scan, you have to:

1. Open the tool and then enter a domain or IP address.

2. The tool then checks which ports are open and active and able to accept requests.

3. You can also check individual ports by manually entering them to see if they are taking
requests.

4. The result you get from the tool is either “open,” which means it is available, or “timed out,”
which means it is either blocked or unavailable.

Port Scanning vs Network Scanning

Network scanning is a process that identifies a list of active hosts on a network and maps them to
their IP addresses, which need to be compiled before running a port scan.

The network scanning process is also known as host discovery, which is often the first step hackers
take in staging an attack. They use two primary protocols: Address Resolution Protocol (ARP) scans
and various ICMP scans. An ARP scan maps IP addresses to media access control (MAC) addresses
and can be used to determine hosts that are active. It only works within a local-area network (LAN),
so the attacker must be connected to the internal network.

Various ICMP packets can be used to conduct a network scan outside the LAN, such as address mask,
echo, and timestamp requests. Discovering hosts depends on receiving a reply from targeted hosts.
Not receiving a response means there is no host at the target address or the request was blocked by
a firewall or packet filter.

Once the network has been scanned and a list of available hosts compiled, a port checker or port
scanner attack can identify the usage of specific ports. It will typically classify ports as open,
closed, or filtered.

How to prevent port scan attacks?

Port scanning is a popular method cyber criminals use to search for vulnerable servers. They often
use it to discover organizations' security levels, determine whether businesses have effective
firewalls, and detect vulnerable networks or servers. Some techniques, such as the FTP bounce scan
described above, also help attackers hide their true location.

Cyber criminals search through networks to assess how ports react, which enables them to
understand the business's security levels and the systems they deploy.

Preventing a port scan attack is reliant on having effective, updated threat intelligence that is in line
with the evolving threat landscape. Businesses also require strong security software, their own port
scanning tools, and security alerts that monitor ports and prevent malicious actors from reaching their
network. Useful tools include IP scanners, Nmap, and Netcat.

Other defense mechanisms include:

1. A strong firewall: A firewall can prevent unauthorized access to a business’s private network.
It controls ports and their visibility, as well as detects when a port scan is in progress before
shutting it down.

2. TCP wrappers: This legacy Unix access-control layer lets administrators permit or deny
connections to wrapped services based on the client's IP address or domain name. On modern systems
the same effect is achieved with host firewall rules (for example nftables or iptables).

3. Uncover network holes: Businesses can use a port checker or port scanner to determine
whether more ports are open than required. They need to regularly check their systems to
report potential weak points or vulnerabilities that could be exploited by an attacker.
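Defenders can see a scan while it is still running: a port scanner leaves a distinctive trail in firewall deny logs, either one source touching many ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep) within a few seconds. The following Python script is an added example, not part of these notes or of any product: it runs that detection logic over constructed iptables-style DROP lines (the addresses and timestamps are made up) and raises one alert per source, target and scan type. The line format, the 60-second window and the thresholds of ten ports or ten hosts are assumptions to adapt to your own logs.

```python
"""Flag port scans in firewall deny logs: many ports on one host (vertical scan)
or one port across many hosts (horizontal sweep) from a single source in a window.

Added example for these notes. Log lines are constructed in an iptables-like
shape; real exports will need LINE_RE adjusted. Thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def _line(ts, src, dst, dpt, action="DROP"):
    return f"{ts.isoformat()} {action} SRC={src} DST={dst} PROTO=TCP DPT={dpt}"


_T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = "\n".join(
    # 203.0.113.5 walks ports 21-35 on one host within 15 seconds: vertical scan.
    [_line(_T0 + timedelta(seconds=i), "203.0.113.5", "192.0.2.10", 21 + i) for i in range(15)]
    # 198.51.100.7 tries SSH on twelve hosts within 12 seconds: horizontal sweep.
    + [_line(_T0 + timedelta(minutes=5, seconds=i), "198.51.100.7", f"192.0.2.{1 + i}", 22)
       for i in range(12)]
    # 192.0.2.50 hits HTTPS twice half a minute apart: benign, below threshold.
    + [_line(_T0 + timedelta(minutes=10), "192.0.2.50", "192.0.2.10", 443),
       _line(_T0 + timedelta(minutes=10, seconds=30), "192.0.2.50", "192.0.2.10", 443)]
    # An ACCEPT line that the detector must ignore.
    + [_line(_T0 + timedelta(minutes=11), "192.0.2.51", "192.0.2.10", 443, action="ACCEPT")]
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["dpt"] = int(event["dpt"])
    return event


def detect_scans(log_text, window=timedelta(seconds=60), port_threshold=10, host_threshold=10):
    """For every source, slide a window over its DROP events and alert when it has
    probed >= port_threshold distinct ports on one host (vertical_scan) or the same
    port on >= host_threshold distinct hosts (horizontal_sweep). One alert per
    (source, type, target); count is taken from the first window that crossed."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["action"] == "DROP"]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts, seen = [], set()
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for e in in_window:
                ports_per_host[e["dst"]].add(e["dpt"])
                hosts_per_port[e["dpt"]].add(e["dst"])
            for dst, ports in ports_per_host.items():
                key = (src, "vertical_scan", dst)
                if len(ports) >= port_threshold and key not in seen:
                    seen.add(key)
                    alerts.append({"type": "vertical_scan", "src": src, "target": dst,
                                   "count": len(ports), "first_seen": first["ts"].isoformat()})
            for dpt, hosts in hosts_per_port.items():
                key = (src, "horizontal_sweep", dpt)
                if len(hosts) >= host_threshold and key not in seen:
                    seen.add(key)
                    alerts.append({"type": "horizontal_sweep", "src": src, "target": dpt,
                                   "count": len(hosts), "first_seen": first["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(f"{alert['first_seen']} {alert['type']:<17} src={alert['src']} "
              f"target={alert['target']} count={alert['count']}")
```

On the constructed log this produces exactly two alerts, one vertical scan from 203.0.113.5 against 192.0.2.10 (15 ports) and one horizontal sweep from 198.51.100.7 on port 22 (12 hosts), while the repeated HTTPS attempts stay below threshold. Counting distinct ports and hosts rather than raw packets is what keeps a busy but legitimate client from tripping the rule; a slow scanner that spaces probes beyond the window will still evade it, which is why the window and thresholds belong in configuration rather than in code.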

Scanning
Scanning in ethical hacking is a network exploration technique used to identify the systems
connected to an organization’s network. It provides information about the accessible systems,
services, and resources on a target system. Some may refer to this type of scan as an active scan
because it can potentially disrupt services on those hosts that are susceptible. Scanning is often used
during vulnerability assessment when probing weaknesses in existing defenses.

There are two ways of scanning:

 Active Scanning

 Passive Scanning

Scanning is more than just port scanning, but it is a very important part of this process. Scanning
allows you to identify open ports on the target system and can be used for port mapping, performing
an interactive session with the operating system via those ports, or even redirecting traffic from
these open ports. There are many tasks that can be performed with a scanning tool.
Scanning can be as simple as sending a probe to every address in a list of IP address ranges and
netmasks to find the active hosts on the network. This is called a ping sweep. Another method is a
SYN port scan, which is an active scan that sends TCP SYN packets to ports on the target system and
waits for a reply: a SYN/ACK reply means the port is open, a RST (or RST/ACK) reply means the port
is closed, and no reply at all means the port is filtered. Commonly found open ports include Telnet
(23/tcp) and FTP (21/tcp), which some systems still enable by default.

Types of Scanning Techniques:

1. TCP connect scan: This scan uses the operating system's connect() call to attempt a full
three-way handshake with each port on the target system. A completed handshake means the port is
open; a RST/ACK reply means it is closed. Because a real connection is established and then torn
down, the target service usually logs it, so this is the noisiest scan type, but it needs no special
privileges on the scanning host.

2. TCP SYN port scan: This is a similar type of scan, but the scanner crafts the TCP SYN packets
itself and never sends the final ACK. A SYN/ACK reply means the port is open (the scanner answers
with RST), a RST means closed, and silence means filtered. It is faster and quieter than a connect
scan but requires raw-socket privileges (root or Administrator) on the scanning machine.

3. Network Scanning: Network scanning is used to identify the devices and services that are
running on a target network, determine their operating systems and software versions, and
identify any potential security risks or vulnerabilities. Network scanning can be performed
manually or automated using software tools, and can target specific systems or an entire
network.

4. Vulnerability Scanning: Vulnerability scanning is a process of identifying, locating, and
assessing the security vulnerabilities of a computer system, network, or application. This
process is performed using automated software tools that scan for known vulnerabilities, as
well as weaknesses in the configuration or implementation of the system being tested.

Purpose

Scanning attacks are performed by cybercriminals or malicious actors for several reasons, including:

Information Gathering: The primary purpose of a scanning attack is to gather information about a
target system or network. This information can be used to plan and execute a more sophisticated
attack, such as a distributed denial of service (DDoS) attack or a data breach.

Vulnerability Identification: Scanning attacks can be used to identify vulnerabilities in a target system
or network. These vulnerabilities can then be exploited to gain unauthorized access, steal sensitive
information, or cause harm to the target.

Network Mapping: Scanning attacks can be used to map out a target network, including its
infrastructure, servers, and devices. This information can be used to plan and execute a more
sophisticated attack, such as a DDoS attack or a data breach.

Active Scanning

Active scanning is a type of network scanning technique that is used to gather information about a
target system or network. Unlike passive scanning, which only gathers information that is readily
available, active scanning actively interacts with the target system to gather information.

It involves sending requests or packets to a target system and analyzing the responses to gather
information about the target. This type of scanning is more aggressive and intrusive than passive
scanning and is often used to identify vulnerabilities and weaknesses in a target system or network.
It can be performed using a variety of tools and techniques, including port scanning, vulnerability
scanning, and penetration testing. Port scanning involves sending requests to specific ports on a
target system to determine which ports are open and which services are running. Vulnerability
scanning involves identifying known vulnerabilities in a target system, usually by matching
detected service versions and configurations against a vulnerability database; actually
attempting to exploit them is the province of penetration testing.

The goal of active scanning is to gather as much information as possible about a target system or
network. This information can be used to plan and execute a more sophisticated attack, such as a
distributed denial of service (DDoS) attack or a data breach.

While active scanning can provide valuable information about a target system or network, it can also
pose a security risk. Active scanning can generate a large amount of network traffic and put a strain
on target systems, potentially causing service disruptions or system crashes. Additionally, active
scanning can trigger security measures, such as firewalls or intrusion detection systems (IDS), which
can alert organizations to the presence of an attacker.

Passive Scanning

Passive scanning is a type of network scanning technique that is used to gather information about a
target system or network without actively interacting with the target. Unlike active scanning, which
sends requests or packets to the target and analyzes the responses, passive scanning only gathers
information that is readily available, such as information transmitted over the network or stored in
system logs.

It is used to gather information about a target system or network for a variety of purposes, including
network mapping, vulnerability assessment, and compliance testing. By analyzing network traffic and
system logs, passive scanning can provide valuable information about a target’s infrastructure,
servers, and devices, as well as the types of services and applications that are running.

One of the benefits of passive scanning is that it is less intrusive and less likely to trigger security
measures, such as firewalls or intrusion detection systems (IDS), than active scanning. As a result,
passive scanning can provide organizations with valuable information about their systems and
networks without putting them at risk.

However, passive scanning is also limited in its ability to gather information compared to active
scanning. Passive scanning can only gather information that is readily available and cannot actively
probe a target system or network for vulnerabilities or weaknesses.

Key Points:

Three conditions allow an attacker to make use of the scanning techniques:

 Network reachability to the target: Physical access is not required; as long as the attacker's
packets can reach the target (directly, or from a compromised host inside the network), a port
scanner or ping sweep can locate open ports.

 Target software that answers probes: Scanning only reveals what responds. Listening services
expose their state to a TCP connect or SYN scan, and services that return banners or version
strings give the attacker the details needed to look up known vulnerabilities.

 Sufficient privileges on the scanning host: Raw-socket scans (SYN, FIN, XMAS, UDP and OS
detection) need root or Administrator rights on the attacker's own machine. A TCP connect scan
needs no special privileges at all. No privileges on the target are required for any scan.

Types of Port Scanners:

There are several port scanning or checking methods, Some of them are given below:
 Ping scans: A ping is used to check if a network packet can reach an IP address without any
problems. Ping scanning involves the automatic transmission of multiple ICMP requests to
different servers.

 Half-open or SYNC scans: Attackers can check the status of a port without creating a full
connection by using semi-open scanning, commonly known as SYN scanning. This type of
analysis simply transmits an SYN message and does not establish a connection with the
receiver.

 XMAS scans: An XMAS scan sends packets with an unusual flag combination to a port to check whether
it is open. If the port is closed, the scanner receives a RST response. If there is no response,
the port is either open or filtered; the scanner cannot tell which without a further probe.

Countermeasures:

Scans cannot be prevented entirely, since any service reachable by the attacker must answer
legitimate connections, but their value to the attacker can be reduced:

 For TCP connect and SYN scans, a default-deny firewall that drops unsolicited inbound SYN
segments to anything but the intended services leaves the attacker seeing "filtered" for every
other port, and an IDS rule that flags one source probing many ports in a short window raises an
alert early.

 SYN cookies and SYN proxies defend against SYN flood denial-of-service attacks, which abuse the
same half-open state a SYN scan creates, but they do not hide which ports are open.

Network Scanners in Cybersecurity

1. Introduction to Network Scanners

A network scanner is a tool or software used to discover, analyse, and assess devices, ports, and
vulnerabilities within a network. Cybersecurity professionals use them for security auditing,
penetration testing, and compliance verification. Malicious actors can also use them to identify
potential attack vectors.

2. Types of Network Scanners

A. Port Scanners

 Identify open, closed, or filtered ports on a target system.

 Used to determine which services are running and their potential vulnerabilities.

 Common techniques used in port scanning:

o TCP Connect Scan – Attempts a full three-way handshake.

o SYN Scan (Half-Open Scan) – Sends a SYN packet without completing the handshake.

o UDP Scan – Sends UDP packets to detect open ports.

o Stealth Scans – Evade detection by firewalls and intrusion detection systems (IDS).

Example tool:
✅ Nmap (Network Mapper) – The most widely used port scanner in cybersecurity.
B. Vulnerability Scanners

 Scan systems, services, and applications for known security weaknesses.

 Compare detected vulnerabilities against a database (e.g., CVE, NVD).

 Provide severity ratings and mitigation recommendations.

Example tools:
✅ Nessus – Commercial scanner with detailed vulnerability reports.
✅ OpenVAS – Open-source alternative for vulnerability assessment.

C. Packet Sniffers

 Capture and analyze network packets to monitor traffic and detect suspicious activity.

 Useful for diagnosing network issues and investigating security incidents.

 Can detect plaintext credentials, malware activity, and network anomalies.

Example tool:
✅ Wireshark – Leading packet capture tool for in-depth analysis.

D. IP Scanners

 Discover active hosts in a network by scanning IP addresses.

 Often used for network inventory and topology mapping.

Example tool:
✅ Angry IP Scanner – Fast and lightweight IP scanning tool.

E. Web Application Scanners

 Scan web applications for vulnerabilities like SQL Injection, XSS, and insecure configurations.

 Identify outdated software versions and weak authentication mechanisms.

Example tools:
✅ Burp Suite – Popular for web security testing and manual penetration testing.
✅ Nikto – Simple scanner for detecting web server vulnerabilities.

3. How Network Scanners Work

A. Active Scanning

 Sends packets to devices and analyzes their responses.

 Faster but more likely to be detected by security defenses.

B. Passive Scanning
 Monitors network traffic without sending probes.

 Useful for stealthy reconnaissance and avoiding detection.

C. Fingerprinting

 Identifies OS, services, software versions, and device types.

 Helps attackers and defenders understand network composition.

4. Common Network Scanning Tools & Their Uses

Tool             | Type                   | Purpose
Nmap             | Port Scanner           | Identifies open ports, services, and OS fingerprints.
Wireshark        | Packet Sniffer         | Captures and analyzes network traffic.
Nessus           | Vulnerability Scanner  | Detects security weaknesses in networks.
OpenVAS          | Vulnerability Scanner  | Open-source alternative to Nessus.
Angry IP Scanner | IP Scanner             | Scans IP ranges to discover active hosts.
Metasploit       | Exploitation Framework | Tests and exploits vulnerabilities in a controlled manner.
Burp Suite       | Web Scanner            | Identifies vulnerabilities in web applications.

5. Ethical Considerations & Legal Aspects

 Unauthorized scanning is illegal unless performed with explicit permission.

 Responsible disclosure ensures vulnerabilities are reported ethically.

 Compliance requirements (e.g., GDPR, HIPAA, PCI-DSS) dictate how scanning should be
conducted.

⚠️Illegal scanning can result in fines, legal action, or loss of employment and professional
certifications. Always follow ethical hacking guidelines and obtain written authorization first!

6. Defensive Measures Against Network Scanning

🔒 Firewalls: Block unauthorized scan attempts.

📡 Intrusion Detection Systems (IDS): Alert administrators of scanning activity.
🔄 Network Segmentation: Prevent attackers from accessing critical systems.
📌 Regular Updates & Patch Management: Close vulnerabilities before they can be exploited.
🚧 Honeypots: Deploy decoy systems to mislead attackers.
