CloudSecurity Unit 3

The document outlines the course structure for a Cloud Security elective in a B.Tech. program, detailing objectives, outcomes, and units covering cloud computing fundamentals, security issues, threat models, and various types of cloud attacks. It emphasizes the importance of threat modeling in identifying and mitigating security risks in cloud environments. Additionally, it provides insights into specific cloud attack types, their implications, and methodologies for effective threat modeling.

Uploaded by chakucrime

R18 B.Tech. CSE (Cyber Security) III & IV Year JNTU Hyderabad

CLOUD SECURITY (Professional Elective – VI)

B.Tech. IV Year II Sem.          L  T  P  C
                                 3  0  0  3
Pre-requisites: Computer Networks, Cryptography and Network Security, Cloud Computing.

Course Objectives:
1. To understand the fundamental concepts of cloud computing.
2. To understand the cloud security and privacy issues.
3. To understand the Threat Model and Cloud Attacks.
4. To understand the Data Security and Storage.
5. To analyze Security Management in the Cloud.

Course Outcome
1. Ability to acquire knowledge of the fundamental concepts of cloud computing.
2. Able to distinguish the various cloud security and privacy issues.
3. Able to analyze the various threats and Attack tools.
4. Able to understand the Data Security and Storage.
5. Able to analyze the Security Management in the Cloud.

UNIT - I
Overview of Cloud Computing: Introduction, Definitions and Characteristics, Cloud Service
Models, Cloud Deployment Models, Cloud Service Platforms, Challenges Ahead.
Introduction to Cloud Security: Introduction, Cloud Security Concepts, CSA Cloud
Reference Model, NIST Cloud Reference Model.
Note: Laboratory practice will be imparted with the help of relevant case studies as and when
required.

UNIT - II
Cloud Security and Privacy Issues: Introduction, Cloud Security Goals/Concepts, Cloud
Security Issues, Security Requirements for Privacy, Privacy Issues in Cloud.
Infrastructure Security: The Network Level, the Host Level, the Application Level, SaaS
Application Security, PaaS Application Security, IaaS Application Security.
Note: Laboratory practice will be imparted with the help of relevant case studies as and when
required.

UNIT - III
Threat Model and Cloud Attacks: Introduction, Threat Model- Type of attack entities,
Attack surfaces with attack scenarios, A Taxonomy of Attacks, Attack Tools-Network-level
attack tools, VM-level attack tools, VMM attack tools, Security Tools, VMM security tools.
Note: Laboratory practice will be imparted with the help of relevant case studies as and when
required.

UNIT - IV
Information Security Basic Concepts, an Example of a Security Attack, Cloud Software
Security Requirements, Rising Security Threats. Data Security and Storage: Aspects of
Data Security, Data Security Mitigation, Provider Data and Its Security.
Note: Laboratory practice will be imparted with the help of relevant case studies as and when
required.

UNIT - V
Evolution of Security Considerations, Security Concerns of Cloud Operating Models,
Identity Authentication, Secure Transmissions, Secure Storage and Computation, Security
Using Encryption Keys, Challenges of Using Standard Security Algorithms, Variations and
Special Cases for Security Issues with Cloud Computing, Side Channel Security Attacks in
the Cloud
Security Management in the Cloud- Security Management Standards, Availability
Management, Access Control, Security Vulnerability, Patch, and Configuration Management.
Note: Laboratory practice will be imparted with the help of relevant case studies as and when
required.

TEXT BOOKS:
1. Cloud Security Attacks, Techniques, Tools, and Challenges by Preeti Mishra,
Emmanuel S Pilli, Jaipur R C Joshi Graphic Era, 1st Edition published 2022 by CRC
press.
2. Cloud Computing with Security Concepts and Practices Second Edition by Naresh
Kumar Sehgal Pramod Chandra, P. Bhatt John M. Acken,2nd Edition Springer nature
Switzerland AG 2020.
3. Cloud Security and Privacy by Tim Mather, Subra Kumaraswamy, and Shahed Lati
First Edition, September 2019.

REFERENCE BOOKS:
1. Essentials of Cloud Computing by K. Chandrasekaran Special Indian Edition CRC
press.
2. Cloud Computing Principles and Paradigms by Rajkumar Buyya, John Wiley.

UNIT – III

Threat Model and Cloud Attacks: Introduction, Threat Model- Type of attack entities,
Attack surfaces with attack scenarios, A Taxonomy of Attacks, Attack Tools-Network-level
attack tools, VM-level attack tools, VMM attack tools, Security Tools, VMM security tools.

Cloud Threat Modeling

Threat modeling serves to identify threats and preventive measures for a system or application.
However, threat modeling is one security methodology that has not matched the general rate of
cloud adoption, due to a gap in guidance, expertise, and applicability of the practice. Threat
modeling for cloud systems expands on standard threat modeling to account for unique cloud
services. It allows organizations to further security discussions and assess their security controls
and mitigation decisions.

This document from the Top Threats Working Group attempts to bridge the gap between threat
modeling and the cloud. To that end, this publication provides crucial guidance to help identify
threat modeling security objectives, set the scope of assessments, decompose systems, identify
threats, identify design vulnerabilities, develop mitigations and controls, and communicate a
call-to-action. Central lessons include the benefits of threat modeling, the unique knowledge
and considerations required when threat modeling in the cloud, and how to create a cloud threat
model. Example threat modeling cards are provided and can be used by your team for a more
gamified approach.

Key Takeaways:

• The baseline threat modeling processes taken from various standards and best practices
• The differences between standard threat modeling and cloud threat modeling
• How to create a cloud threat model from scratch
• A basic cloud threat model reference
• What should be included in a detailed security design report
• Example cloud threat modeling cards

Cloud attack:

In excerpts from an article by Aqua, they wrote: “A cloud attack is a cyber attack that targets
cloud-based service platforms, such as computing services, storage services, or hosted
applications in a platform as a service (PaaS) or software as a service (SaaS) model.”

Types of Cloud Computing Attacks

1. Denial-of-Service Attacks

A denial-of-service (DoS) attack is a type of cyber attack that aims to make a computer or
network resource unavailable to its intended users. DoS attacks typically involve flooding a
cloud service with a large volume of traffic, which can overwhelm the system and make it
unable to process legitimate requests.

DoS attacks can have serious consequences, including disrupting the availability of critical
services, causing financial losses, and damaging an organization’s reputation.

Cloud-based DoS attacks can be particularly challenging to defend against, as the scale and
complexity of cloud environments can make it difficult to identify and mitigate the attack.

2. Account Hijacking

Account hijacking in the cloud refers to the unauthorized access or control of a cloud
computing account by an attacker. This can allow the attacker to use the associated resources
for their own purposes, or to steal or manipulate data stored in the cloud.

For example, attackers can use password cracking techniques to guess or steal login credentials
and gain access to a cloud account. Account hijacking can lead to financial losses and damage
to an organization’s reputation.

3. Security Misconfiguration

Security misconfiguration refers to the failure to properly configure cloud computing resources
and infrastructure to protect against cyber threats. This can include failure to properly set access
controls, failure to properly configure and secure systems and applications, and failure to
regularly update and patch systems and applications.

4. User Account Compromise

User account compromise typically involves an attacker gaining access to an account through
the actions of the account owner, such as by tricking the user into revealing their login
credentials or by exploiting a vulnerability in a system or application used by the user.

This differs from account hijacking, which involves an attacker gaining unauthorized access to
an account through means such as password cracking or exploiting vulnerabilities in the cloud
infrastructure.

5. Cloud Malware Injection Attacks

Cloud malware injection attacks are a type of cyber attack that involves injecting malicious
software, such as viruses or ransomware, into cloud computing resources or infrastructure. This
can allow the attacker to compromise the affected resources and steal or destroy data, or to use
the resources for their own purposes.

There are several ways in which attackers can inject malware into cloud resources, including:

• Exploiting vulnerabilities in the cloud infrastructure or in the systems and applications running
on the cloud.
• Adding a malicious service module to a SaaS or PaaS system, or an infected VM to an IaaS
system, and diverting user traffic to it.
• Gaining unauthorized access to cloud accounts and injecting malware through the use of
malware-infected files or links.

6. Insider Threats

Insider threats in a cloud environment refer to the risk of unauthorized access or misuse of
cloud computing resources by individuals within an organization, such as employees or
contractors. These individuals may have legitimate access to the cloud assets, but may misuse
or abuse that access for their own purposes, or may accidentally expose the assets to risk
through their actions.

Insider threats can be particularly challenging to detect and prevent because they often involve
individuals who are authorized to access the cloud assets and who may not be acting
maliciously. They can also be difficult to mitigate because they often involve a high level of
trust and access within the organization.

7. Side-Channel Attacks

A side-channel attack involves exploiting information that is leaked through the physical
implementation of a system, rather than through its logical interfaces. This information can
include details about how the system is implemented or about the data being processed by the
system.

In a cloud environment, attackers can perform side-channel attacks by placing a malicious
virtual machine on a legitimate physical host used by the cloud customer. This gives the
attacker access to all confidential information on the victim machine.

Side-channel attacks can be used to extract sensitive information from a system, such as
passwords, encryption keys, or other sensitive data. They can also be used to disrupt the
operation of a system or to manipulate its behavior.

8. Cookie Poisoning

Cookie poisoning in cloud applications refers to the unauthorized modification or injection of
malicious content into a cookie, which is a small piece of data that is stored on a user’s
computer by a website or web application.

Cookies are used to store information about a user’s preferences and browsing history, and are
often used to personalize the user’s experience or to track their activity. In SaaS and other cloud
applications, cookies often contain credential data, so attackers can poison cookies to access the
applications.

9. Insecure APIs

Insecure APIs have vulnerabilities that can be exploited by attackers to gain unauthorized
access to systems or data, or to disrupt the operation of the API.

Examples include:

Shadow APIs: APIs that are not properly documented or authorized, and may not be known to
the organization that owns the API. These APIs can be created by developers or other users
within the organization, and can expose sensitive data or functionality to unauthorized parties.

API parameters: The inputs and outputs of an API, which can be vulnerable to injection attacks
if they are not properly validated and sanitized.

10. Cloud Cryptomining

A cloud cryptomining attack is a type of cyber attack in which attackers use cloud computing
resources to perform cryptomining without the knowledge or consent of the cloud provider or
the owner of the resources. Cryptomining is the process of using computing resources to solve
complex mathematical problems in order to verify and validate transactions on a blockchain
network.

In a cloud cryptomining attack, the attackers use stolen or compromised credentials to access
and exploit cloud computing resources, such as virtual machines or containers, for the purpose
of performing cryptomining. They may also use malware or other techniques to gain
unauthorized access to cloud resources.
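The cookie poisoning entry above notes that SaaS cookies often carry credential data and that the client can rewrite them. The following is an added example, not code from the course notes or from the Aqua article, showing the standard defence: the server signs the cookie body with HMAC-SHA256 and rejects any cookie whose tag fails to verify or that has expired. The key, user names, timestamps and the `rewrite_claim` helper (which simulates a client editing a claim without the key) are constructed for the illustration.

```python
"""Integrity-protected session cookies (added example; not from the course
notes or from the Aqua article quoted above).

Cookie poisoning works because the client controls every byte of the cookie
it sends back. If the server encodes session data in the cookie, it must be
able to detect modification: here the value is signed with HMAC-SHA256 and
any cookie whose tag does not verify, or that is too old, is rejected. The
key, user names and timestamps below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, key: bytes, now: int) -> str:
    """Serialize payload plus issue time and append an HMAC tag: <body>.<tag>."""
    body = _b64e(json.dumps({**payload, "iat": now}, sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_cookie(cookie: str, key: bytes, now: int, max_age: int = 3600) -> Optional[dict]:
    """Return the payload if the tag verifies and the cookie is fresh, else None."""
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison; verify the tag before trusting the body.
        if not hmac.compare_digest(_b64d(tag), expected):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeError):  # malformed split / base64 / JSON
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("iat"), int):
        return None
    if now - payload["iat"] > max_age or payload["iat"] > now:
        return None
    return payload


def rewrite_claim(cookie: str, claim: str, value: str) -> str:
    """Constructed test helper: change one claim but keep the old tag, i.e. the
    edit a client could make without the key. Verification must reject the result."""
    body, tag = cookie.split(".", 1)
    data = json.loads(_b64d(body))
    data[claim] = value
    return f"{_b64e(json.dumps(data, sort_keys=True).encode())}.{tag}"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    issued = 1_700_000_000
    cookie = sign_cookie({"user": "alice", "role": "user"}, key, issued)
    print("genuine :", verify_cookie(cookie, key, issued + 60))
    print("poisoned:", verify_cookie(rewrite_claim(cookie, "role", "admin"), key, issued + 60))
    print("expired :", verify_cookie(cookie, key, issued + 7200))
```

The tag covers the encoded body, so any change to a claim, the issue time or the encoding invalidates it; the freshness check limits how long a stolen cookie remains usable.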

Threat Modelling

With advances in technology, it becomes easier every day for attackers to gain access to
sensitive data, disable applications, and so on. Application security has therefore become a
major concern. One method of building application security into the design process is
THREAT MODELLING.

A threat is anything that can exploit a vulnerability to breach security and negatively alter,
erase, or harm assets of interest. Threat modelling can be done at any stage of development,
but if it is done at the beginning it helps determine threats early, when they can be dealt with
properly.

Purpose of Threat Modeling

The purpose of Threat modeling is to identify, communicate, and understand threats and
mitigation to the organization’s stakeholders as early as possible. Documentation from this
process provides system analysts and defenders with a complete analysis of probable attackers’
profiles, the most likely attack vectors, and the assets most desired by the attacker.

Achievement of Threat Modeling

1. Defines the security of the application
2. Identifies and investigates potential threats and vulnerabilities
3. Results in finding architecture bugs earlier

Process of Threat Modeling


1. Aim

Before starting threat modeling, we must be clear about what we want to achieve from it: our
application must satisfy the CIA triad.

• Confidentiality: protects data from unauthorized access.
• Integrity: prevents unauthorized changes to data.
• Availability: keeps important functions working even while under attack.

2. Visualization

Here, we will deal with what we are going to build. We must have a document overview of the
application which helps in making our process easier. Here we will build diagrams that will
help us in making our process easier.

It can be done in two ways:

• Data Flow Diagram: shows how data flows through the system.
• Process Flow Diagram: shows the processes of the system, where users interact with it, and
how the system works internally.

3. Threat Identification

Here we deal with how to identify threats, or what can go wrong in the process. The diagrams
from the previous step show where threats can arise; the methods used to identify them are
described under threat modeling methodologies below.

4. Mitigation

Here, we are going to deal with what we will do about the Threats. Here we will review the
layers to identify the required vulnerabilities. Mitigation involves a continuous investigation of
each vulnerability so that the most effective efforts can be designed.

5. Validation

This is the final step in the process of Threat Modeling, here we are going to deal with whether
we have done a good job or not. Have all the threats been mitigated or not? We will check the
changes and as threat modeling is not a one-time activity, we have to regularly watch these
things.

Threat Modelling Methodologies

The development team will be able to implement application security as part of the design and
development process by using threat modeling to identify threats, risks, and mitigation during
the designing phase. There are various threat modeling methodologies available. We will be
discussing 8 methodologies:

1. STRIDE: STRIDE is a methodology developed by Microsoft for threat modeling. It
provides a mnemonic for security threats in six categories:

• Spoofing: An adversary posing as another user, component, or system that has an identity
in the system being modeled.
• Tampering: The modification of data within the system to achieve a malicious goal.
• Repudiation: The ability of an adversary to deny performing some malicious activity in the
absence of sufficient proof.
• Information Disclosure: The exposure of protected data to a user who is not otherwise
allowed access to that data.
• Denial of Service: An adversary degrades or blocks legitimate users’ access to a system or
resource.
• Elevation of Privilege: This threat occurs when an attacker successfully breaches the
administrative controls of a system and tampers with its configured permissions and
privileges. By this, attackers can move from low-level systems in the network to systems of
higher authority, which contain confidential information.

2. DREAD: DREAD was proposed for threat modeling but due to inconsistent ratings, it was
dropped by Microsoft in 2008. It is currently used by OpenStack and many other corporations.
It provides a mnemonic for risk rating security threats using five categories. The categories are:

• Damage Potential: ranks the extent of damage that would occur if a vulnerability is
exploited.
• Reproducibility: ranks how easy it is to reproduce an attack.
• Exploitability: assigns a number to the effort required to launch the attack.
• Affected Users: a value characterizing how many people will be impacted if an exploit
becomes widely available.
• Discoverability: measures how easy it is to discover the threat.
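As an added worked example (not from the course notes or from Microsoft's original DREAD material), the following rates a few constructed threats in the five DREAD categories, sums the ratings into a risk score and ranks them so mitigation effort goes to the highest score first. The 1-3 scale per category, the High/Medium/Low bands and the sample threats are assumptions chosen for this illustration; the original scheme rated each category 1-10.

```python
"""DREAD risk rating worked example (added illustration, not from the course notes).

Each identified threat is rated in the five DREAD categories and the ratings
are summed into a risk score used to order mitigation work. The 1-3 scale per
category (5-15 overall), the qualitative bands and the sample threats are
assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadRating:
    threat: str
    damage: int            # extent of damage if exploited
    reproducibility: int   # how reliably the attack can be repeated
    exploitability: int    # how little effort/skill the attack needs
    affected_users: int    # share of users impacted
    discoverability: int   # how easily the weakness can be found

    def __post_init__(self) -> None:
        for name in CATEGORIES:
            value = getattr(self, name)
            if not 1 <= value <= 3:
                raise ValueError(f"{name} must be rated 1..3, got {value}")


def dread_score(rating: DreadRating) -> int:
    """Sum of the five category ratings (5..15)."""
    return sum(getattr(rating, name) for name in CATEGORIES)


def risk_band(score: int) -> str:
    """Assumed qualitative bands over the 5..15 range."""
    if score >= 12:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_threats(ratings: List[DreadRating]) -> List[Tuple[str, int, str]]:
    """(threat, score, band) rows, highest risk first; equal scores keep input order."""
    rows = [(r.threat, dread_score(r), risk_band(dread_score(r))) for r in ratings]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample threats for a cloud storage service.
SAMPLE_THREATS = [
    DreadRating("Verbose stack traces in API error responses", 1, 3, 2, 1, 3),
    DreadRating("Backup bucket readable by anyone", 3, 3, 3, 3, 3),
    DreadRating("No rate limit on login endpoint", 2, 3, 2, 3, 2),
]

if __name__ == "__main__":
    for threat, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{score:2d}  {band:6s} {threat}")
```

Because the score is a plain sum, two threats with very different profiles can tie, which is the inconsistency the text mentions as the reason Microsoft dropped DREAD; the band thresholds are where a team encodes its own risk appetite.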

3. Process for Attack Simulation and Threat Analysis (PASTA): It is a seven-step, risk-centric
methodology. The purpose is to provide a dynamic threat identification, enumeration,
and scoring process. Upon completion of the threat model, security subject matter experts
develop a detailed analysis of the identified threats. Finally, appropriate security controls can be
enumerated. This helps developers to develop an asset-centric mitigation strategy by analyzing
the attacker-centric view of an application.

4. Trike: The focus is on using threat models as a risk management tool. Threat models are
based on the requirement model. The requirements model establishes the stakeholder-defined
“acceptable” level of risk assigned to each asset class. Analysis of the requirements model
yields a threat model from which threats are identified and assigned risk values. The completed
threat model is used to build a risk model based on assets, roles, actions, and calculated risk
exposure.

5. VAST: VAST is an acronym for Visual, Agile, and Simple Threat modeling. The
methodology provides actionable outputs for the unique needs of various stakeholders like
application architects and developers, cyber security personnel, etc. It provides a unique
application and infrastructure visualization scheme such that the creation and use of threat
models do not require specific security subject matter expertise.

6. Attack Tree: Attack trees are conceptual diagrams showing how an asset, or target, might
be attacked. They are multi-level diagrams consisting of one root node, leaf nodes, and
intermediate child nodes. Reading from bottom to top, child nodes are conditions that must be
satisfied to make their direct parent node true. An attack is considered complete when the root
is satisfied. Each node may be satisfied only by its direct child nodes.
Suppose there is a grandchild node below the root. In that case several steps must be taken to
carry out the attack: first the grandchild’s conditions must be satisfied for its direct parent node
to be true, and then the parent node’s condition must be satisfied to make the root node true.
Nodes also carry AND and OR options, which represent alternative routes and the combinations
of steps needed toward achieving the goal.
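To make the AND/OR semantics concrete, here is an added example (not from the course notes) that evaluates a small attack tree: `satisfied` answers whether the root goal is reached given the leaf conditions an attacker has achieved, strictly through each node's direct children, and `cheapest` finds the lowest-effort path, optionally with some leaves marked as mitigated so a defender can see what a control buys. The tree, its node names and the per-leaf effort costs are constructed for this illustration.

```python
"""Attack tree evaluation (added example; not from the course notes).

An attack tree has a root goal refined by AND/OR nodes down to leaf
conditions. A node is satisfied only through its direct children: an OR node
needs any one child, an AND node needs all of them, and a leaf is satisfied
when the attacker has achieved that condition. The tree below, its node
names and the per-leaf effort costs are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Node:
    name: str
    op: str = "LEAF"                 # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    cost: int = 0                    # assumed attacker effort, leaves only


def satisfied(node: Node, achieved: FrozenSet[str]) -> bool:
    """True when the node's goal is reached given the achieved leaf conditions."""
    if node.op == "LEAF":
        return node.name in achieved
    if not node.children:            # an unrefined goal cannot be reached
        return False
    results = [satisfied(c, achieved) for c in node.children]
    return all(results) if node.op == "AND" else any(results)


def cheapest(node: Node, mitigated: FrozenSet[str] = frozenset()) -> Optional[Tuple[int, List[str]]]:
    """Cheapest (cost, leaves) that satisfies node, or None if no path remains.

    Leaves listed in `mitigated` are treated as blocked, so calling this
    before and after a control is applied shows what the control buys.
    """
    if node.op == "LEAF":
        return None if node.name in mitigated else (node.cost, [node.name])
    options = [cheapest(c, mitigated) for c in node.children]
    if not options:
        return None
    if node.op == "AND":
        if any(o is None for o in options):
            return None
        return sum(c for c, _ in options), [leaf for _, leaves in options for leaf in leaves]
    feasible = [o for o in options if o is not None]
    return min(feasible, key=lambda o: o[0]) if feasible else None


# Constructed example tree for a cloud-hosted customer database.
ROOT = Node("Read customer records", "OR", [
    Node("Use stolen administrator session", "AND", [
        Node("Obtain admin credentials", cost=3),
        Node("Defeat second factor", cost=6),
    ]),
    Node("Reach database through the application", "AND", [
        Node("Find injection flaw in API", cost=4),
        Node("Pivot from app tier to DB", cost=2),
    ]),
    Node("Publicly exposed DB snapshot", cost=1),
])

if __name__ == "__main__":
    print("root reached with only the second factor defeated:",
          satisfied(ROOT, frozenset({"Defeat second factor"})))
    print("cheapest path now:", cheapest(ROOT))
    print("after the snapshot exposure is fixed:",
          cheapest(ROOT, frozenset({"Publicly exposed DB snapshot"})))
```

Running the cheapest-path query before and after marking a leaf as mitigated is the defender's use of the tree: it shows which single control raises the attacker's minimum effort the most.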

7. Common Vulnerability Scoring System (CVSS): It provides a way to capture the principal
characteristics of a vulnerability and produce a numerical score (ranging from 0-10, with 10
being the most severe) depicting its severity.
The score can then be translated into a qualitative representation (such as low, medium, high,
and critical) to help organizations properly assess and prioritize their vulnerability management
processes.

8. T-MAP: T-MAP is an approach that is used in Commercial Off The Shelf (COTS) systems
to calculate the weights of attack paths. This model is developed by using UML class diagrams,
access class diagrams, vulnerability class diagrams, target asset class diagrams, and affected
Value class diagrams.

Tools for Threat Modelling

1. Microsoft’s Threat Modelling Tool: This tool identifies threats based on STRIDE threat
model classification and is based on Data Flow Diagram (DFD), which can be used to discover
threats associated with overall IT assets in an organization.

2. MyAppSecurity: It offers the first commercially available threat modeling tool –
ThreatModeler. It uses a VAST threat classification scheme and it is based on a Process Flow
Diagram (PFD), which provides a detailed view of the risks and vulnerable loopholes.

3. IriusRisk: Offers both a community and a commercial version of the tool. This tool is
primarily used to create and maintain a live Threat model throughout the entire SDLC. It
connects with several different tools like OWASP ZAP, BDD-Security, etc. to facilitate
automation and involves fully customizable questionnaires and Risk Pattern Libraries.

4. securiCAD: It is a threat modeling and risk management tool developed by the Scandinavian
company foreseeti. Risk is identified and quantified by conducting automated attack
simulations of current and future IT architectures and providing decision support based on the
findings. securiCAD is offered in both commercial and community editions.

5. SD Elements by Security Compass: It is a software security requirements management


platform that includes automated threat modeling capabilities. A short Questionnaire about the
technical details and compliance drivers of the application is conducted to generate a set of
threats. Countermeasures are included in the form of actionable tasks for developers.

6. Modeling Attack Trees: Commercial Tools like SecurITree, AttackTree+, and open-source
tools like ADTool, Ent, and SeaMonster are used to model Attack Trees.

7. CVSS 3.0: CVSS is currently at version 3.0 and is the tool used for the CVSS model. In
addition, the CVSS scores of vulnerabilities identified in different hardware and software can be
looked up online, which helps to identify potential threats that can harm the system.

8. Tiramisu: This tool is used for the T-MAP approach. It is used to calculate a list of all attack
paths and produce overall threats in terms of the total weight of attack paths.

How To Create a Threat Model

All threat modeling processes start with creating a visual representation of the application or
system being analyzed. There are two ways to create a visual representation:

1. Visual Representation using Data Flow Diagram

The Microsoft Methodology, PASTA, and Trike each develop a visual representation of the
application infrastructure utilizing data flow diagrams (DFD). DFDs were developed in the
1970s as tools for system engineers to provide a high-level visualization of how an application
works within a system to move, store, and manipulate data. The concept of trust boundaries was
added in the early 2000s by Security professionals in an attempt to make them applicable to
threat modeling.
DFDs are used to identify broad categories of threat, usually using the STRIDE threat
classification scheme. The list of threats identified through such methods is limited and thus a
poor starting point for the modeling. The DFD-based approach uses three main steps:

1. View the system as an adversary.
2. Characterize the system.
3. Determine the threats.

Limitations of the DFD-based approach:

1. DFDs do not accurately represent the design and flow of the application.
2. They analyze how data flows rather than how users interact with the system.
3. DFD-based threat modeling has no standard approach, so different people create threat
models with different outputs for the same scenario or problem.

DFD Based Threat Modeling
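As an added example of the DFD-based method described above (not code from the course notes or from Microsoft's Threat Modeling Tool), the following models a small system as external entities, processes and data stores placed in trust boundaries, with data flows between them, and enumerates the STRIDE categories that apply to each element. The per-element mapping used (external entities: S, R; processes: all six; data stores: T, I, D plus R when they hold logs; data flows: T, I, D) is the STRIDE-per-element convention from Microsoft's SDL practice, stated here as an assumption; the sample system and boundary names are constructed.

```python
"""STRIDE-per-element enumeration over a small data flow diagram (added
example; not from the course notes or from Microsoft's tool).

Each DFD element type gets the STRIDE categories that apply to it, and flows
whose endpoints sit in different trust boundaries are flagged, since those
are where the DFD-based method concentrates first. The mapping and the
sample system below are assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE_PER_ELEMENT: Dict[str, List[str]] = {
    "external": ["Spoofing", "Repudiation"],
    "process":  ["Spoofing", "Tampering", "Repudiation",
                 "Information Disclosure", "Denial of Service",
                 "Elevation of Privilege"],
    "store":    ["Tampering", "Information Disclosure", "Denial of Service"],
    "flow":     ["Tampering", "Information Disclosure", "Denial of Service"],
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str             # "external", "process" or "store"
    boundary: str         # trust boundary the element lives in
    is_log: bool = False  # stores holding audit logs also face Repudiation


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element

    @property
    def name(self) -> str:
        return f"{self.src.name} -> {self.dst.name}"

    def crosses_boundary(self) -> bool:
        return self.src.boundary != self.dst.boundary


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Tuple[str, str, bool]]:
    """Return (element or flow name, STRIDE category, crosses_trust_boundary) rows."""
    rows: List[Tuple[str, str, bool]] = []
    for e in elements:
        if e.kind not in ("external", "process", "store"):
            raise ValueError(f"unknown element kind: {e.kind}")
        categories = list(STRIDE_PER_ELEMENT[e.kind])
        if e.kind == "store" and e.is_log:
            categories.append("Repudiation")
        rows.extend((e.name, c, False) for c in categories)
    for f in flows:
        rows.extend((f.name, c, f.crosses_boundary()) for c in STRIDE_PER_ELEMENT["flow"])
    return rows


def boundary_crossing_flows(flows: List[Flow]) -> List[str]:
    """Names of the flows that cross a trust boundary, reviewed first."""
    return [f.name for f in flows if f.crosses_boundary()]


# Constructed sample DFD: browser (internet) -> API gateway (DMZ) -> order service,
# orders DB and audit log (all inside the VPC boundary).
BROWSER = Element("Customer browser", "external", "internet")
API = Element("API gateway", "process", "dmz")
ORDERS = Element("Order service", "process", "vpc")
DB = Element("Orders DB", "store", "vpc")
AUDIT = Element("Audit log", "store", "vpc", is_log=True)
ELEMENTS = [BROWSER, API, ORDERS, DB, AUDIT]
FLOWS = [Flow(BROWSER, API), Flow(API, ORDERS), Flow(ORDERS, DB), Flow(ORDERS, AUDIT)]

if __name__ == "__main__":
    for name, category, crossing in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{'!' if crossing else ' '} {name:35s} {category}")
    print("boundary-crossing flows:", boundary_crossing_flows(FLOWS))
```

The output is the "broad categories" list the text describes: every element gets its generic STRIDE entries regardless of design detail, which is exactly the limitation noted above, but the boundary-crossing flags give a reviewer a first ordering.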

2. Visual Representation using Process Flow Diagram

To deal with the limitations of DFD-based threat modeling Process Flow Diagrams were
introduced in 2011 as a tool to allow Agile software development teams to create threat models
based on the application design process. These were specifically designed to illustrate how the
attacker thinks.

The attacker does not analyze data flow. Rather, they try to figure out how they can move
through an application that was not supported in DFD-based threat modeling.

Their analysis emphasizes how to abuse ordinary use cases to access assets or other targeted
goals. The VAST methodology uses PFD for the visual representation of an application.

Threat models based on PFD view applications from the perspective of user interactions.
Following are the steps for PFD-based threat modeling:

1. Design the application’s use cases.
2. Define the communication protocols by which individuals move between use cases.
3. Include the various technical controls, such as forms, cookies, etc.
4. Create a process map showing how individuals move through the application, which makes
it easy to understand the application from the attacker’s point of view.

PFD-based threat models are easy to understand and do not require any security expertise.

Attack surfaces with attack scenarios:

The attack surface is the number of all possible points, or attack vectors, where an unauthorized
user can access a system and extract data. The smaller the attack surface, the easier it is to
protect.

Organizations must constantly monitor their attack surface to identify and block potential
threats as quickly as possible. They also must try and minimize the attack surface area to reduce
the risk of cyberattacks succeeding. However, doing so becomes difficult as they expand their
digital footprint and embrace new technologies.

The attack surface is split into two categories: the digital and physical.

Digital attack surface

The digital attack surface area encompasses all the hardware and software that connect to an
organization’s network. These include applications, code, ports, servers, and websites, as well
as shadow IT, which sees users bypass IT to use unauthorized applications or devices.

Physical attack surface

The physical attack surface comprises all endpoint devices that an attacker can gain physical
access to, such as desktop computers, hard drives, laptops, mobile phones, and Universal Serial
Bus (USB) drives. The physical attack surface includes carelessly discarded hardware that
contains user data and login credentials, users writing passwords on paper, and physical
break-ins.

Organizations can protect the physical attack surface through access control and
surveillance around their physical locations. They also must implement and test disaster
recovery procedures and policies.

Attack taxonomy:

Attack taxonomy is a systematic categorization of cyber-attacks based on their characteristics,
techniques, goals, or targets.

Attack taxonomies evolve as new attack methods emerge. They serve as a foundation for
incident response, vulnerability management, and security awareness programs, enabling
organizations to better understand and prioritize their security defenses based on the prevalent
attack vectors.

Examples of attack taxonomies

Attack taxonomies vary depending on the context and the organization using them. Here is a
general overview of common categories:

• Network-based attacks
o Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks
o Man-in-the-middle (MITM) attacks
o Network scanning and reconnaissance
o Packet sniffing and eavesdropping
• Malware-based attacks
o Viruses, worms, and Trojans
o Ransomware attacks
o Botnets and command-and-control (C&C) attacks
o Rootkits and backdoors
• Web-based attacks
o Cross-site scripting (XSS)
o SQL injection
o Cross-site request forgery (CSRF)
o Phishing and social engineering
• Attacks targeting operating systems
o Buffer overflow attacks
o Privilege escalation attacks
o Kernel-level attacks
o Zero-day exploits
• Wireless and mobile attacks
o Wi-Fi eavesdropping and spoofing
o Mobile malware
o SMS phishing (smishing)
o Bluetooth attacks
• Insider attacks
o Unauthorized access
o Data theft or exfiltration
o Sabotage or intentional damage
o Unauthorized use of privileges or access
• Physical attacks
o Physical theft of devices or assets
o Tampering with hardware or equipment
o Dumpster diving
o Physical security bypass
• Social engineering
o Phishing, vishing, smishing
o Pretexting and impersonation
o Baiting and tailgating
o Scareware and fake alerts

Network security prevents unauthorized access to information or misuse of the organizational
network. It includes hardware and software technologies designed to protect the safety and
reliability of a network and its data.

Network security tools are essential to secure your organization's network to stop several threats
that could damage the system and the network. It helps to monitor the network and prevent data
breaches.

The network security tool can examine all the traffic across a network. Traffic monitoring helps
the organization proactively identify the issues and threats before it turns into significant
damage to the organization. Network security tools send real-time alerts for any unusual
behavior to prevent any breaches.

Some of the benefits of Network Security Tools are:

• Network security tools will minimize the business and financial impact of any breach, as
they help you stay compliant with regulations and prevent breaches.
• Network security helps your business stay compliant and provides multiple levels of
security to increase the scope of your business and offer a better workplace for your
employees.
• It ensures the protection of any sensitive information and data shared across the
network.

Best 10 Network Security Tools

1. Wireshark

Wireshark is an open-source network protocol analyzer that helps organizations capture real-
time data and track, manage, and analyze network traffic down to the smallest details.

It allows users to view rebuilt TCP session streams. It helps to analyze incoming and
outgoing traffic to troubleshoot network problems.

Features

• Deep inspection of hundreds of protocols
• Capture real-time data and offline analysis
• It runs on multiple operating systems like Windows, Linux, macOS, etc.
• It provides color codes to each packet for quick analysis.

Pros

• Supports multiple operating systems like Windows, Linux, etc.
• Easily integrates with third-party applications

Cons

• Steep learning curve
• Difficult to read encrypted network traffic
• Lack of support

2. Nexpose

Nexpose is a network security software that provides real-time information about vulnerabilities
and reduces the threats in a network. In addition, Nexpose permits the users to allot a risk score
to the detected vulnerabilities so that they may be prioritized as per the security levels.

Nexpose helps IT teams to get real-time scanning of the network and detect network
vulnerabilities. It also continuously refreshes and adapts to new threats in software and data.

Features

• Nexpose provides real-time visibility into network traffic.
• It provides a risk score and helps IT teams prioritize the risk as per the security levels.
• It shows the IT teams different actions they can take immediately to reduce the risk.

Pros

• Easy to use
• In-depth scanning of network vulnerabilities

Cons

• No domain-based authentication for Linux devices
• Lack of customer support

3. Splunk

Splunk is used for monitoring network security. It provides both real-time data analysis and
historical data searches.

It is a cloud-based platform that provides insights for petabyte-scale data analytics across the
hybrid cloud.

Splunk’s search function makes application monitoring easy and user-friendly.

It contains a user interface to catch, index, and assemble data and generate alerts, reports,
dashboards, and graphs in real-time.

Features

• Splunk attributes risk to users and systems, maps alerts to cybersecurity frameworks,
and triggers alerts when the risk exceeds the threshold.
• It helps in prioritizing alerts and accelerating investigations with built-in threat
intelligence.
• It provides automatic security content updates to stay current with emerging
threats.

Pros

• The indexing of data is easy
• Easy to use

Cons

• Steep learning curve

4. Nagios

Nagios is a network security tool that helps to monitor hosts, systems, and networks. It sends
alerts in real-time. You can select which specific notifications you would like to receive.

It can track network resources like HTTP, NNTP, ICMP, POP3, and SMTP. It is a free tool.

Features

• Nagios helps monitor IT infrastructure components, including system metrics, network
protocols, application services, servers, and network infrastructure.
• It sends alerts when unauthorized network activity is detected and gives IT admins
notice of important events.
• It provides reports that show the history of events, notifications, and alert responses
for later review.

Pros

• Great tool for live monitoring
• User friendly
• Data monitoring can be tracked easily

Cons

• Limited reporting capabilities
• The system slows down while monitoring the data

5. Tor

Tor is a network security tool that protects the privacy of users while they use the internet. It
helps in preventing cybersecurity threats and is useful in safeguarding information security.

Tor works on the concept of onion routing, in which layers are stacked one over the other like
the layers of an onion. These layers work together so that the user's IP address and
geographical location need not be revealed, thereby limiting the visibility of the sites you are
visiting.

Features

• Tor software is available for Linux, Windows, and Mac
• It blocks third-party trackers, so ads can't follow you
• It prevents third parties watching your connection from knowing what websites you visit
• It aims to make all users look the same, which makes tracking difficult

Pros

• It protects the online identity
• Provides high-level privacy
• User-friendly interface

Cons

• The system gets slower during navigation
• Starting and browsing time is high

6. Nessus Professional

Nessus Professional is network security software that can detect vulnerabilities like software
bugs and general security problems in software applications, IT devices, and operating systems
and manage them appropriately.

Users can access a variety of security plug-ins, develop their own, and scan individual
computers as well as whole networks.

Features

• It provides customization of reports by vulnerability or host and creates a summary for
the users.
• Sends email notifications of the scan results
• It helps meet government, regulatory, and corporate requirements
• It scans cloud applications and protects your organization from cybersecurity threats

Pros

• It offers flexibility for developing custom solutions
• Nessus VA scan covers all standard network devices like endpoints, servers, network
devices, etc.
• Provides plug-ins for many vulnerabilities

Cons

• The software slows down when you scan a large scope
• Poor customer support

7. Metasploit

Metasploit is security software that contains various tools for performing penetration testing.
IT professionals use this tool to reach security goals such as finding vulnerabilities in the
system, improving computer system security, building cyber defense strategies, and maintaining
complete security assessments.

The penetration testing tools can examine various security systems, including web-based apps,
servers, networks, etc.

It allows the organization to perform security assessments, improve its overall network
defenses, and make them more responsive.

Features

• The tools are used to take advantage of system weaknesses
• The module encoders are used to convert codes or information
• Metasploit allows a clean exit from the target system it has compromised

Pros

• Good support for penetration testing
• Useful to learn and understand vulnerabilities that exist in the system
• Freely available and includes all penetration testing tools

Cons

• Software updates are less frequent
• Steep learning curve

8. Kali Linux

Kali Linux is a penetration testing tool used to scan IT systems and network vulnerabilities. The
organization can monitor and maintain its network security systems on just one platform.

It offers a security auditing operating system and tools with more than 300 techniques to make
sure that your sites and Linux servers stay safe.

Kali Linux is used by professional penetration testers, ethical hackers, cybersecurity experts,
and individuals who understand the usage and value of this software.

Features

• Kali Linux comes with pre-installed tools like Nmap, Aircrack-ng, Wireshark, etc., to
help with information security tasks.
• It provides multi-language support.
• It helps to generate a customized version of Kali Linux.

Pros

• Pre-installed tools are ready to use
• Simple and user-friendly interface

Cons

• Limited customization
• The installation process is complicated

9. Snort

Snort is an open-source network security tool used to scan networks and prevent any
unauthorized activity in the network. IT professionals use it to track, monitor, and analyze
network traffic. It helps to discover any signs of theft, unauthorized access, etc. After detection,
the tool will help send alerts to the users.

Additionally, Snort is used to perform protocol analysis, detect frequent attacks on a system,
look for data captured from traffic, etc.

Features

• Snort provides a real-time traffic monitor
• It provides protocol analysis
• It can be installed in any network environment

Pros

• Good for monitoring network traffic
• Good for detecting any network intrusions

Cons

• Complicated settings and configuration
• Steep learning curve

10. Forcepoint

Forcepoint is a cloud-based security solution used to define network security policy, restrict
users from accessing specific content, and block various attempts to hack or obtain your
organization's information.

The IT admin can customize Forcepoint to monitor and detect any unauthorized acts in a
network and can take the appropriate action required. It adds an extra level of security for
critical threats.

Forcepoint is mainly for organizations working in the cloud, and it is able to block or
provide warnings about any risky cloud servers.

Features

• Forcepoint helps in monitoring any unusual cloud activities.
• It provides tracking of any suspicious behavior and sends alerts to the IT admins.
• It protects and secures data.
• It helps to limit the access of your employees within the scope of your organization.

Pros

• Good support
• Easy to set up and user-friendly interface

Cons

• Creating reports is difficult
• Less flexibility in real-time screen monitoring

Vulnerability Management Tools:

Vulnerability management tools are designed to scan networks, computing systems, and
software programs for exploitable weaknesses. Upon detection of weaknesses, the tool either
suggests or initiates remediation actions. The goal is to reduce the potential for a successful
cyberattack.

Vulnerability management tools approach security differently than firewalls, anti-malware
software, intrusion detection systems (IDS), and antivirus tools—these tools are built to manage
attacks on the network as they occur. Vulnerability management tools, on the other hand, look
for potential issues and fix them as needed to mitigate potential attacks.

Vulnerability management tools assess the network using IP scanners, network and port
scanners, and more. Next, these tools prioritize issues to ensure that the most critical
weaknesses are fixed first, and suggest practical remediation steps.

How Do Vulnerability Management Tools Work?

There are three common deployment models of vulnerability management tools:

• On-premise software programs
• Physical appliances
• Cloud-based services

Whatever the deployment model, most of these tools provide a web-based console that can
configure the product to scan a range of IP addresses, web applications, or specific URLs. The
broader the scan, the longer it will take to complete.

Because vulnerability scanners have complex configuration, they typically come with
preconfigured scan modes, which you can use as is or modify to your needs. You can also
schedule automated scans on a regular basis.

Vulnerability management tools typically perform two types of scans:

Unauthenticated scans—access systems on the network without logging in, identifying issues like
open ports, insecure services, and operating system and hardware versions.

Authenticated scans—these require supplying credentials to the vulnerability scanner and are
more resource intensive, possibly affecting performance on scanned systems. These scans can
provide more information about vulnerabilities, including those that affect logged-in users.

It is important to realize that vulnerability scanners are the most effective when run on a regular
basis:

The first scan should cover as many resources on the network as possible and should be as deep
as possible. This establishes an initial baseline of vulnerabilities.

The following scans can be less comprehensive, and can help show trends in different parts of
the network or different types of vulnerabilities.

After a remediation effort, it is important to rescan the resources to verify that vulnerabilities
are really resolved.

Like antivirus scans, the data gained by vulnerability scans is only useful when it is up to date.
Most organizations should run at least a daily scan of vulnerabilities.

Another important function of vulnerability management tools is that they enable active
exploitation. Many of these tools let you not only identify vulnerabilities but actually try to
exploit them as an attacker would, in a safe manner and without disrupting operations. This can
provide much more information about the extent of a vulnerability and its business impact.

Features of Vulnerability Management Tools

Here are common features you should look for in modern vulnerability management solutions.

Dynamic discovery and inventory—ability to discover hosts and IT assets in traditional
networks, cloud networks, containerized and serverless environments, and alert when new
assets are created in the environment. Solutions should be able to identify device types,
firmware, operating systems, ports, running services, and certificates.

Vulnerability scanning—ability to scan any type of endpoint, including managed, unmanaged
(bring your own device), internet of things (IoT), cloud-based resources, and containers.
Advanced solutions can scan common business applications for vulnerabilities and
configuration weaknesses.

Identify risky assets—ability to scan the network perimeter, virtual machines, cloud
environments, and containerized applications for vulnerable access and entry points. These
could include web servers, unsecured hosts, and network devices.

Identifying unpatched systems—ability to identify which systems on the network do not have
all the necessary security updates applied.

Prioritizing vulnerabilities—ability to map out the network, indicate where vulnerabilities are
discovered, their CVE status, the severity and business impact of each vulnerability in each
asset, and provide remediation instructions.

Support for specific attack vectors—protection against important threat vectors such as
phishing, ransomware, zero day attacks, supply chain attacks, and fileless attacks.

Real-time monitoring and analysis—continuous monitoring and alerting when new
vulnerabilities are discovered in any attack surface.

Artificial intelligence and machine learning (AI/ML)—analyzing data to detect anomalous
configuration changes and system behavior that may not match a known vulnerability, but may
expose the system to threats. AI/ML is also used to analyze threat intelligence sources and use
them to discover additional vulnerabilities.

Remediation support—at a minimum, providing actionable guidelines for remediating
vulnerabilities. Advanced solutions can support auto-remediation by applying a patch, isolating
a vulnerable system, or integrating with other security systems such as firewalls and patch
management.
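The scan cadence described above (a deep authenticated baseline, lighter follow-up scans that show trends, and a rescan that verifies remediation) together with the severity-based prioritization feature, modelled as an added Python example. It is not code from the course notes or from any scanner named on this page; every host name, CVE id and score in it is a constructed placeholder.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # constructed placeholder id, not a real CVE
    cvss: float       # CVSS base score, 0.0 to 10.0
    local_only: bool  # True if only an authenticated (credentialed) scan can see it


def severity(cvss):
    """Map a CVSS base score to the usual qualitative rating."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def scan(actual_state, authenticated):
    """Simulate one scan: an unauthenticated scan only sees what is exposed on the
    network; an authenticated scan logs in and also sees local-only issues."""
    return [f for f in actual_state if authenticated or not f.local_only]


def prioritize(findings, asset_weight):
    """Order by risk = CVSS x business weight of the asset (default 1.0), so the
    most critical weaknesses on the most important assets are fixed first."""
    return sorted(findings, key=lambda f: f.cvss * asset_weight.get(f.host, 1.0),
                  reverse=True)


def diff_scans(previous, current):
    """Trend between two scans: what appeared, what disappeared, what persists."""
    prev, cur = set(previous), set(current)
    return {"new": cur - prev, "resolved": prev - cur, "persisting": prev & cur}


def verify_remediation(baseline, rescan, rescan_authenticated, claimed_fixed):
    """Check remediation claims against a rescan. A finding that only an
    authenticated scan could see cannot be confirmed gone by an unauthenticated
    rescan; report it as unverifiable instead of silently marking it fixed."""
    seen = {(f.host, f.cve) for f in rescan}
    local = {(f.host, f.cve) for f in baseline if f.local_only}
    result = {"confirmed": set(), "still_present": set(), "unverifiable": set()}
    for key in claimed_fixed:
        if key in seen:
            result["still_present"].add(key)
        elif key in local and not rescan_authenticated:
            result["unverifiable"].add(key)
        else:
            result["confirmed"].add(key)
    return result


# Constructed sample data: true state of three hosts in week 1 and week 2.
WEEK1 = [
    Finding("web01", "CVE-PLACEHOLDER-0001", 9.8, local_only=False),
    Finding("web01", "CVE-PLACEHOLDER-0002", 7.5, local_only=True),
    Finding("db01", "CVE-PLACEHOLDER-0003", 8.1, local_only=False),
    Finding("db01", "CVE-PLACEHOLDER-0004", 4.3, local_only=True),
    Finding("ws07", "CVE-PLACEHOLDER-0005", 5.4, local_only=False),
]
PATCHED = {"CVE-PLACEHOLDER-0001", "CVE-PLACEHOLDER-0004"}  # fixed during week 1
WEEK2 = [f for f in WEEK1 if f.cve not in PATCHED]
WEEK2.append(Finding("ws07", "CVE-PLACEHOLDER-0006", 6.1, local_only=False))
ASSET_WEIGHT = {"web01": 1.5, "db01": 1.2}  # internet-facing web server weighs most


def run_cycle():
    """Baseline (deep, authenticated) -> lighter follow-up -> remediation check."""
    baseline = scan(WEEK1, authenticated=True)
    ranked = [(severity(f.cvss), f.host, f.cve) for f in prioritize(baseline, ASSET_WEIGHT)]
    quick = scan(WEEK2, authenticated=False)
    trend = diff_scans(baseline, quick)
    claimed = [("web01", "CVE-PLACEHOLDER-0001"), ("db01", "CVE-PLACEHOLDER-0004")]
    check = verify_remediation(baseline, quick, False, claimed)
    return ranked, trend, check


if __name__ == "__main__":
    for item in run_cycle():
        print(item)
```

Because the follow-up scan is unauthenticated, the trend diff lists the local-only finding on web01 as "resolved" even though it was never fixed; trend comparisons are only meaningful between scans of the same mode, which is why verify_remediation flags the db01 claim as unverifiable rather than confirmed.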

Top 5 Vulnerability Management Tools

Nmap

Nmap is an open-source vulnerability scanner, which can rapidly scan entire networks, and
identify routing configurations, firewall rules, port and services configuration. Nmap is a bit
difficult to use—its primary interface is a command line and it has no visual UI. A major
advantage of Nmap is that it lets you run custom scripts to scan for specific issues in your
environment.

Main features include:

• Advanced network mapping—handles IP filters, firewall rules, routers, and other network
equipment.
• TCP and UDP port scanning—scans all ports on the network to identify security issues.
• Large community—supported by a sizable open source community with an active Facebook
page and Twitter channel.
• Covers most platforms—works with almost all operating systems including Linux, Windows,
macOS, FreeBSD, Solaris, IRIX, and HP-UX.

ThreatMapper

ThreatMapper is another open-source vulnerability management tool that identifies
vulnerabilities and bugs in running hosts, virtual machines, containers, container images, and
repositories. It supports cloud environments, Docker, and Kubernetes. ThreatMapper provides
advanced vulnerability prioritization, letting you filter vulnerabilities by risk of exploitation,
attack technique, attack surface, and other criteria.

Main features include:

• Broad vulnerability database—uses data from multiple CVE and CVSS repositories.
• Visual UI—provides a graphical console that lets you view machines, VMs, and containers,
perform on-demand scans, and view vulnerability scoring.
• Custom-built sensors—provides probes that can collect vulnerability data from Kubernetes,
virtual machines, bare metal machines, and cloud services like Amazon Fargate.

OSPd

OSPd is a command-line-based system that lets you develop your own vulnerability scanners
using scripts. It is highly customizable and uses the Open Scanner Protocol (OSP). Deployment
requires Python 3.4 or higher and multiple dependencies.

Main features include:

• Leveraging existing scanners—download scanner wrappers from open-source repositories.
• Writing new scanners—lets you write new scanner wrappers and deploy them to your
environment.

Watchdog

Watchdog is not a single solution, but a combination of several open source security tools. You
provide a list of domains or IPs, and the solution can identify open services and ports for all the
endpoints it can find. It then maps this information to a CVE database to identify
vulnerabilities.

Main features include:

• Performs fast network scans for hundreds of domains, IP addresses, or IP ranges
• Leverages multiple open source web application vulnerability scanners: Nmap, Google Skipfish,
Wapiti, BuiltWith, Phantalyzer, and Wappalyzer
• Analyzes the technology stack of each target system to see if it has known CVEs
• Leverages multiple vulnerability databases including NVD CVE, CWE, CAPEC, D2SEC, and
MITRE Reference Key/Maps

Wireshark

Wireshark lets you analyze network traffic, capturing packet data and allowing you to visualize
it in a graphical interface. It is very useful in examining and resolving security issues related to
attackers probing the network from outside, or already inside the network.

Main features include:

• Supports multiple network protocols including Ethernet, ATM, and token ring.
• Lets you filter and analyze traffic data flexibly, and supports import and export.
• Provides powerful command-line switches that let you define what network data you want to
capture.
• Built-in encryption/decryption for inspection of secure channels.
• Support for common compliance reports.
• Performs ongoing monitoring of networks and servers and sends notifications.
• Enables developers to automatically add modelines to files.

VMware tools:

Virtualization has become a cornerstone in modern IT infrastructures, allowing businesses to
maximize their resources, streamline operations, and improve service delivery. A key player in
this domain is VMware, a company that pioneered virtualization technology and continues to
drive innovations in this field. One of their most useful offerings is VMware Tools, an
essential software suite for any VMware virtual machine (VM). This article explores what
VMware Tools are, their components, their benefits, and their use cases in detail.

Understanding VMware Tools

VMware Tools is a set of utilities and drivers that enhance the performance and manageability
of a VMware virtual machine. It acts as a bridge between the host and guest operating systems,
providing a seamless interaction between the two.

The functions of VMware Tools are multifold. First, they enhance the VM’s performance by
optimizing the interaction between the guest and host operating systems. Second, they facilitate
better VM management by enabling various operations like graceful shutdowns and automatic
reboots. Lastly, they unlock a host of guest OS functionalities, allowing for a smoother, more
native-like user experience.

Components of VMware Tools

VMware Tools comprises several components that work in harmony to deliver these benefits.
These components are:

1. VMware Device Drivers: These drivers optimize the VM’s hardware performance by
facilitating better communication between the guest and host operating systems. They
replace the default drivers of the guest OS, ensuring smoother operations.
2. VMware User Process: This component enhances the user interface experience. It
enables features such as copy-paste and drag-and-drop between the guest and host
environments, making the VM easier to use.
3. VMware Services: These services facilitate the execution of scripts that help automate
VM operations such as shutdowns and restarts.
4. Guest Operating System Daemons: These are background processes that run in the
guest operating system, enabling the host to perform tasks like time synchronization and
heartbeat monitoring.

Together, these components form the backbone of VMware Tools, enhancing the usability,
manageability, and performance of VMware virtual machines.

Benefits of Installing VMware Tools

Installing VMware Tools brings a host of benefits to your virtual machines.

Improved Performance: The optimized drivers provided by VMware Tools improve the
performance of devices such as the network and graphics adapters, providing a smoother VM
experience.

Synchronization of Guest and Host Time: With VMware Tools, the time on the guest
operating system can be accurately synchronized with the host, eliminating any discrepancies.

Improved Graphics Performance: VMware Tools improves the performance of the VM’s
graphical interface, enabling higher display resolutions and a better overall user experience.

Easy Scalability of VM: VMware Tools makes it easier to change the VM’s hardware settings,
such as RAM or CPU allocations, directly from the host interface.

Efficient Backup Process: With VMware Tools installed, VMs can be quiesced—put into a
temporary state of inactivity—during backups, ensuring data consistency.

Virtual Machine Monitor (VMM):

The VMM is included with the hypervisor and is the software that implements the virtual machine
hardware abstraction. It manages the system's processor, memory, and other resources to
allocate what each guest operating system requires.

Security Analysis Tools:

Lastly, besides the more comprehensive Hyper-V security tools above, there are tons of free
Hyper-V administration tools, many of which are security related. GFI has a great list of 101
Free Hyper-V Tools here. Some of my favorites, as they relate to security, are:

• NTFS permissions explorer
• Share Enumerator
• Wireshark
• RogueScanner
• Microsoft Baseline Security Analyzer
