6th Unit

DATA VISUALIZATION IN CYBERSECURITY
• In today’s world, we are exposed to an immense amount of information daily. Whether it is
online transactions, social media interactions, or scientific research, the complexity of
data continues to grow exponentially.
• Data is one of the most important assets of many companies. It is power, and if presented
correctly, can tip the scales, acquire customers, secure investments, and make impactful
change. This presents a challenge — how to transform this raw data to actionable insights.

• Data visualization plays a significant role in cybersecurity by helping users better understand and respond to cyber threats and vulnerabilities.
• Security visualization helps a security analyst identify imminent vulnerabilities and attacks in a network.
• By bridging the gap between raw data and comprehensible insights, data visualization
stands as a beacon of clarity, empowering security professionals to navigate the
complexities of the digital world with agility, precision, and confidence. As technology
advances and the digital landscape evolves, the role of data visualization in cybersecurity
will continue to be indispensable.
How Does Insightful Data Visualization Play a Significant Role in Cybersecurity Systems?
• 1. Threat Detection and Monitoring
• Data visualization helps security teams and analysts to quickly detect
and identify patterns, anomalies, and potential security threats.
• In a world where information overload is increasingly common, a
well-designed data visualization turns complicated data into
actionable insights.
• In addition, the real-time nature of these data visualizations empowers
teams to respond promptly to suspicious activities, minimizing the
window of vulnerability and allowing for more effective mitigation
strategies.
(Figure: Cloud Firewall)
• 2. Mitigation
• Under attack, a swift response is crucial. Visualizing
complex data empowers teams to detect threats
faster and make informed decisions, making the response
not only rapid but also effective. It also helps in
swiftly formulating strategies to contain the attack and
expedite recovery.
(Figure: Infrastructure Protection Security Events)
3. Analytics
• During peacetime, meaningful data visualization tools
play a crucial role in the analysis of large volumes of
data generated by security systems.
• These tools enable the identification of attack patterns,
such as sudden surges in network traffic from specific
geographic regions or recurrent suspicious login
attempts.
(Figure: Network Analytics)
What is a Vulnerability Assessment?
• Vulnerability assessment is the process of identifying the threats
or weaknesses in computer systems, networks, and software,
along with the inherent risks they introduce.
• Vulnerability assessments performed through black box or grey
box security testing simulate real-life scenarios of how hackers
attack applications.
• Every application is a black box from a hacker’s perspective, and
they simply try various attack types in bulk using sophisticated
scanners.
• Vulnerability Assessment and Penetration Testing (VAPT) helps
organizations figure out where they might be at risk, so that they can
prioritize remediation based on the severity level.
Grey box testing and black box testing are both types of penetration
testing that differ in the amount of information the tester has about the
target:
Grey box testing
Testers have some knowledge of the internal workings of the application,
such as access to documentation of internal data structures and
algorithms.
This approach is a balance between white box testing and the realism of
black box testing.
Grey box testing is often used for end-to-end system testing, penetration
testing, and integration testing.
• Black box testing does not require any knowledge of the
internal workings of the software, and can be performed by
testers who are not familiar with programming languages.
• Gray box testing requires limited knowledge of the
software’s internal workings, and can be performed by
testers who have some programming knowledge.
• Black box testing uses methods like equivalence
partitioning, boundary value analysis, and error guessing to
create test cases. Gray box testing uses both black box and
white box testing methods to create test cases.
• Black box testing is generally used for testing the software
at the functional level. Gray box testing is used for testing
the software at both the functional and internal level.
Black box testing
Testers have no knowledge of the internal structure of the
application.
This approach is ideal for functional testing and end-user-
driven scenarios.
Black box testing is the most authentic, but it's also usually the
most expensive option.
Differences:
1. Black box testing is mainly focused on testing the
functionality of the software, ensuring that it meets the
requirements and specifications. Gray box testing is focused on
both the functionality and internal workings of the software.
How to Perform Vulnerability Assessments?
To identify code or security vulnerabilities in advance, performing a SAST (Static Application
Security Testing) or a DAST scan and integrating these tools in your CI/CD pipeline is
recommended.
SAST stands for Static Application Security Testing. It's a software testing methodology that
analyzes an application's source code, byte code, or binary to identify security
vulnerabilities. SAST is a white-box testing technique, meaning it doesn't execute the
application. Instead, it uses static code analysis techniques to identify potential security
threats.
DAST stands for Dynamic Application Security Testing. It's a security testing method that
analyzes a web application while it's running to identify vulnerabilities. DAST tools are also
known as "black-box" tools.
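To make the SAST definition concrete, here is an added example (not from the slides and not any real SAST product) of a minimal static check written with Python's `ast` module. It never executes the scanned program; it parses a constructed sample source file and flags database `execute()` calls whose query string is built at runtime by concatenation, `%`-formatting, f-strings or `str.format()`, which is the classic precondition for SQL injection. The sample functions and their names are constructed for illustration.

```python
"""Minimal SAST-style check: flag SQL queries assembled at runtime.
Added example, not a real tool; the scanned source below is constructed."""
import ast

# Constructed sample source to scan (hypothetical application code).
SAMPLE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fmt(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))

def find_user_format(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '{}'".format(name))
'''


def _dynamic_string_reason(node):
    """Return why the expression is a runtime-built string, or None if static."""
    if isinstance(node, ast.JoinedStr) and any(
        isinstance(v, ast.FormattedValue) for v in node.values
    ):
        return "f-string interpolation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "string concatenation or %-formatting"
    if (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and node.func.attr == "format"
    ):
        return "str.format() call"
    return None


def find_dynamic_sql(source: str) -> list:
    """Parse source without running it and report execute()/executemany()
    calls whose first argument is not a static string literal."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        reason = _dynamic_string_reason(node.args[0])
        if reason:
            findings.append({
                "line": node.lineno,
                "reason": reason,
                "code": ast.get_source_segment(source, node),
            })
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for finding in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['reason']}: {finding['code']}")
```

The parameterised query in `find_user_safe` passes a constant string and a separate parameter tuple, so it is not reported; the other three are, each with the reason the checker matched on. A real SAST engine adds data-flow tracking so that a query built elsewhere and passed in a variable is also caught.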
These vulnerability scanners use databases of known vulnerabilities to detect potential
weaknesses across applications, systems, data, and other elements.
The vulnerability scanner performs a thorough scan across all dimensions of your technology.
It examines the target system for known security issues, misconfigurations, outdated
software, and potential entry points that attackers could exploit.
Once the scans finish, the tool presents a report detailing all uncovered problems and
proposes measures to counter potential threats.
Here are some characteristics of DAST:
• Simulated attacks
DAST evaluates an application from the perspective of a malicious user
by attacking it through the front-end.

• Real-time analysis
DAST analyzes applications in real time, identifying vulnerabilities that
might not be apparent in static code analysis.

• Runtime issues
DAST provides a realistic perspective on the potential threats a live
application could face, emphasizing runtime issues and operational
environments.

• Developer insights
DAST tools provide information about the app's
responses, helping developers identify and eliminate
threats.
• Testing and QA phase
DAST tools are used during the testing and QA phase of
the SDLC.
Key features of a vulnerability assessment:
• Scanning: Automated tools are used to scan the target
system for known vulnerabilities.
• Identifying Weaknesses: The assessment identifies security
weaknesses and provides a prioritized list of vulnerabilities.
• No Exploitation: Vulnerability assessment does not involve
actively exploiting vulnerabilities; it focuses on identification
and reporting.
• Remediation Recommendations: The assessment results
typically include recommendations for remediation and
mitigation.
Several types of vulnerability assessments can be conducted, including:
1. Network-Based Vulnerability Assessment
• A network-based vulnerability assessment identifies vulnerabilities in
network devices such as routers, switches, firewalls, and other network
infrastructure components.
• The primary goal of a network-based vulnerability assessment is to
identify weaknesses in the network that attackers could exploit to gain
unauthorized access, steal data, or launch attacks.
• Network-based vulnerability assessments typically involve specialized
software tools and techniques that scan the network for vulnerabilities.
These tools may use various methods to identify vulnerabilities, such as
port scanning, vulnerability scanning, password cracking, and network
mapping.
2. Application-Based Vulnerability Assessment
• An application vulnerability assessment is a process of
reviewing security weaknesses in software
applications (Layer 7) including websites, mobile apps
and APIs. It examines whether the apps are susceptible to
known vulnerabilities and assigns severity/criticality
levels to those vulnerabilities, recommending
remediation or mitigation whenever needed.
• These assessments typically involve testing the
application for common vulnerabilities, such as SQL
injection, cross-site scripting (XSS) etc. Application
vulnerability assessments can be performed using both
automated and manual methods.
3. API-Based Vulnerability Assessment
API vulnerability assessment is conducted to identify and mitigate
potential security risks in APIs. This process identifies vulnerabilities
and weaknesses in the API’s design, implementation, and deployment.
The goal is to ensure that the API is secure, reliable, and resilient to
attacks.
4. Host-Based Vulnerability Assessment
A host-based vulnerability assessment identifies vulnerabilities in
individual host systems, including servers, workstations, and laptops.
These assessments typically involve scanning the host system for
known vulnerabilities, such as missing security patches or outdated
software. Host-based vulnerability assessments can be performed using
both automated and manual methods.
5. Wireless Network Vulnerability Assessment
A wireless network vulnerability assessment focuses on identifying
vulnerabilities in wireless networks, including Wi-Fi networks. These
assessments typically involve testing the wireless network for
common vulnerabilities, such as weak encryption and default passwords.
Wireless network vulnerability assessments can be performed using
specialized software tools and techniques.
6. Physical Vulnerability Assessment
• A physical vulnerability assessment identifies vulnerabilities in
physical security measures, such as locks, surveillance cameras,
and access control systems. These assessments typically involve
physical inspections of the facility and its security measures.
7. Social Engineering Vulnerability Assessment
• A social engineering vulnerability assessment identifies
vulnerabilities in human behaviour, such as phishing
attacks and other social engineering techniques.
• This vulnerability assessment type typically involves
simulated attacks against employees to test their
awareness of security threats and their ability to identify
and respond to them.
8. Cloud-Based Vulnerability Assessment
• A cloud-based vulnerability assessment identifies
vulnerabilities in cloud infrastructure and services, such
as Amazon Web Services (AWS) and Microsoft Azure.
• These assessments scan the cloud infrastructure for
known vulnerabilities and test the security of cloud
applications and services.
What Types of Threats Does Vulnerability Assessment Find?
Here are some of the most common types of threats that
can be prevented through vulnerability assessment
methods:
1. Malware Infections
• Malware infections are among the most common
cyber threats, which can devastate organizations.
Malware is typically delivered through attack vectors
such as phishing emails, malicious websites, and
software vulnerabilities.
2. Denial of Service (DoS) Attacks
• DoS attacks are a type of cyberattack that aims to
overwhelm a targeted system or network with traffic or
other resources, causing it to crash or become unavailable
to legitimate users. Vulnerability assessment can identify
vulnerabilities in the network or systems that attackers
could exploit to launch DoS attacks.
3. Data Breaches
• Data breaches occur when attackers gain unauthorized
access to sensitive data, such as personal information,
financial data, or intellectual property.
4. Insider Threats
• Insider threats are threats that originate from within an
organization. These threats could come from current or
former employees, contractors, or business partners
who can access an organization’s IT resources.
• Vulnerability assessment can identify vulnerabilities in
applications, systems, and network devices that insiders
could exploit to steal data or cause damage to an
organization’s IT infrastructure.
Vulnerability Assessment Methodology
1. Determine Critical and Attractive Assets
• The first step in vulnerability assessment is
understanding your entire ecosystem and determining
which networks and systems are more critical to your
business operation.
• The attacker’s objectives might vary from your
perspective. Review each asset from an attacker’s
perspective and rank them based on attractiveness.
2. Conduct Vulnerability Assessment
• Actively scan your entire network or system with automated tools to
identify security flaws and weaknesses.
• The critical and attractive assets should be termed “targets,” which require
further analysis, including testing with real-time scenarios to find and
assess perceived security weaknesses.
• The assessments should rely on vendor vulnerability announcements, asset
management systems, vulnerability databases, and threat intelligence feeds.
• The vulnerability assessment is complete if the overall network or system
effectiveness meets the defined security requirements. If vulnerabilities are
identified, you should proceed to the next phase.
3. Vulnerability Analysis and Risk Assessment
The next phase in the vulnerability assessment methodology is
identifying the source and root cause of the security weaknesses
identified in phase two. It offers a coherent view of remediation.
It involves assigning a severity score or rank to each
vulnerability based on factors such as:
• What data are at risk?
• Which network or system is affected?
• The severity of the possible attacks
• Ease of compromise
• Potential damage if an attack happens
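The five factors above are what an analyst turns into a severity rank. The following is an added example (not from the slides) of one way to do that: each factor is scored 1 to 5, the four impact factors are averaged, and the result is scaled by ease of compromise as a likelihood term, so that an easily reachable weakness on a critical system ranks above a hard-to-reach one on a lab box. The findings, the 1-5 scales, the weighting and the band thresholds are all constructed assumptions, not a standard such as CVSS.

```python
"""Severity ranking of vulnerability findings from the five factors on the
slide.  Added example; the scales, weighting and sample findings are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Finding:
    title: str
    data_at_risk: int        # 1 = public data ... 5 = regulated or secret data
    asset_criticality: int   # 1 = isolated lab system ... 5 = core production
    attack_severity: int     # 1 = nuisance ... 5 = full compromise
    ease_of_compromise: int  # 1 = needs insider access or chained bugs ... 5 = trivial
    potential_damage: int    # 1 = negligible ... 5 = business-threatening


def risk_score(f: Finding) -> float:
    """Impact (mean of the four impact factors, 1-5) scaled by likelihood
    (ease of compromise / 5, so 0.2-1.0).  Result is in the range 0.2-5.0."""
    factors = (f.data_at_risk, f.asset_criticality, f.attack_severity,
               f.ease_of_compromise, f.potential_damage)
    for v in factors:
        if not 1 <= v <= 5:
            raise ValueError(f"factor out of range 1..5 in {f.title!r}: {v}")
    impact = (f.data_at_risk + f.asset_criticality
              + f.attack_severity + f.potential_damage) / 4
    likelihood = f.ease_of_compromise / 5
    return round(impact * likelihood, 2)


def severity_band(score: float) -> str:
    """Map a score to the band used to drive remediation deadlines (constructed thresholds)."""
    if score >= 4.0:
        return "Critical"
    if score >= 3.0:
        return "High"
    if score >= 2.0:
        return "Medium"
    return "Low"


def prioritize(findings) -> list:
    """Return (title, score, band) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.title, risk_score(f), severity_band(risk_score(f))) for f in ranked]


# Constructed sample findings (hypothetical systems).
SAMPLE_FINDINGS = [
    Finding("Outdated TLS configuration on internal wiki", 2, 2, 2, 3, 2),
    Finding("SQL injection in customer portal login", 5, 5, 5, 4, 5),
    Finding("Default admin password on lab switch", 3, 3, 4, 5, 3),
]


if __name__ == "__main__":
    for title, score, band in prioritize(SAMPLE_FINDINGS):
        print(f"{band:<9} {score:4.2f}  {title}")
```

The default-password finding is trivially exploitable (ease 5) but sits on a low-value asset, so it lands in High rather than Critical; the SQL injection scores lower on ease yet outranks it because every impact factor is at maximum. Whatever scale an organization picks, writing the rule down as code like this keeps rankings consistent between analysts.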
4. Remediation
• The main objective of this phase is the closing of
security gaps. For each identified vulnerability,
determine the remediation actions. Certain remediation
actions might include:
• Make the necessary configuration or operational changes
• Develop and implement vulnerability patches
• Implement new security measures, procedures, or tools
5. Mitigation
• Not all vulnerabilities can be resolved completely; this is where
mitigation comes into play. Mitigation focuses on lowering the
chances of a vulnerability being exploited or minimizing the
impact of its exploitation.
• A practical approach, known as virtual patching, involves
promptly applying a patch to the identified vulnerability without
making any changes to the actual source code or components.
• This virtual patch creates a protective barrier that prevents
malicious actors from exploiting the vulnerability, effectively
buying time until a permanent patch or code fix can be
implemented.
Key features of penetration testing:
• Active Exploitation: Penetration testing involves actively
attempting to exploit vulnerabilities to assess their impact.
• Realistic Scenarios: Testers simulate real-world attack scenarios
to identify potential entry points and the extent of damage that
could occur.
• Manual and Automated Testing: Both manual techniques and
automated tools are used to identify and exploit vulnerabilities.
• Limited Scope: Penetration testing usually focuses on specific
target systems or components.
• Actionable Insights: Penetration testing provides actionable
insights into the effectiveness of security measures and the
potential impact of successful attacks.
Port Scanning Basics
A port scanner sends a TCP or UDP network packet to a port and asks
about its current status.
The three types of responses are below:
1.Open, Accepted: The computer responds and asks if there is
anything it can do for you.
2.Closed, Not Listening: The computer responds that “This
port is currently in use and unavailable at this time.”
3.Filtered, Dropped, Blocked: The computer doesn’t even
bother to respond.
What is a Port Scan?
• Port scan visualization refers to graphically representing the activity of a
network port scan, which is typically used to detect unauthorized access
attempts, identify open ports, or analyze network vulnerabilities.
• Security professionals can use visualizations to detect scanning patterns,
malicious activities, and trends over time.
• A port scanner is an application which is made to probe a
host or server to identify open ports.
• Bad actors can use port scanners to exploit vulnerabilities
by finding network services running on a host.
• They can also be used by security analysts to confirm
network security policies.
• Ports vary in their services offered. They are numbered
from 0 to 65535, but certain ranges are more frequently
used. Ports 0 to 1023 are identified as the “well-known
ports” or standard ports and have been assigned
services by the Internet Assigned Numbers Authority
(IANA). Some of the most prominent ports and their
assigned services include:
• Port 20 (UDP) — File Transfer Protocol (FTP) for data
transfer
• Port 22 (TCP) — Secure Shell (SSH) protocol for secure
logins, FTP, and port forwarding
• Port 23 (TCP) — Telnet protocol for unencrypted text
• Port scans generally occur early in the cyber kill chain,
during reconnaissance and intrusion.
• Attackers use port scans to detect targets with open
and unused ports that they can repurpose for
infiltration, command and control, and data exfiltration
or discover what applications run on that computer to
exploit a vulnerability in that application.
How a Port Scan Works
• Running a port scan on a network or server reveals which
ports are open and listening (receiving information) as
well as revealing the presence of security devices, such
as firewalls, that are present between the sender and the
target.
• This technique is known as fingerprinting.
• It is also valuable for testing network security and the
strength of the system’s firewall.
• Due to this functionality, it is also a popular
reconnaissance tool for attackers seeking a weak point of
access to break into a computer.
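The "What is a Port Scan?" slides say that security professionals visualize port scan activity to detect scanning patterns, and "Port Scanning Basics" lists the three outcomes a probe can have (open, closed, filtered). The following is an added example (not from the slides) that does both from the defender's side: it parses a constructed connection log in a hypothetical key=value format, flags any source that touches many distinct destination ports within a short window, and renders a text histogram of open/closed/filtered outcomes per source. The log lines, IP addresses, field names and thresholds are all constructed for illustration.

```python
"""Port scan detection and a simple outcome histogram over firewall-style logs.
Added example; the log format and the sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (hypothetical format, not any real product's).
# "result" mirrors the three probe outcomes from the slides: open, closed, filtered.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=203.0.113.7 dst=192.0.2.10 dport=21 result=closed
2024-05-01T10:00:00Z src=203.0.113.7 dst=192.0.2.10 dport=22 result=open
2024-05-01T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=23 result=closed
2024-05-01T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=25 result=filtered
2024-05-01T10:00:02Z src=203.0.113.7 dst=192.0.2.10 dport=80 result=open
2024-05-01T10:00:02Z src=203.0.113.7 dst=192.0.2.10 dport=110 result=closed
2024-05-01T10:00:03Z src=203.0.113.7 dst=192.0.2.10 dport=143 result=closed
2024-05-01T10:00:03Z src=203.0.113.7 dst=192.0.2.10 dport=443 result=open
2024-05-01T10:00:04Z src=203.0.113.7 dst=192.0.2.10 dport=3306 result=filtered
2024-05-01T10:00:04Z src=203.0.113.7 dst=192.0.2.10 dport=3389 result=closed
2024-05-01T10:00:05Z src=203.0.113.7 dst=192.0.2.10 dport=8080 result=closed
2024-05-01T10:00:05Z src=203.0.113.7 dst=192.0.2.10 dport=8443 result=closed
2024-05-01T10:00:07Z src=198.51.100.5 dst=192.0.2.10 dport=443 result=open
2024-05-01T10:00:09Z src=198.51.100.5 dst=192.0.2.10 dport=443 result=open
2024-05-01T10:00:12Z src=198.51.100.5 dst=192.0.2.10 dport=22 result=open
2024-05-01T10:01:30Z src=198.51.100.5 dst=192.0.2.10 dport=443 result=open
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) result=(?P<result>\w+)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines not in the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "result": m["result"],
        })
    return events


def detect_port_scans(events, window_seconds: int = 60, min_distinct_ports: int = 10) -> dict:
    """Flag sources that probe at least min_distinct_ports distinct ports within
    any window of window_seconds.  Returns {src: max distinct ports seen in a window}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ports) >= min_distinct_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


def response_histogram(events) -> dict:
    """Count open/closed/filtered outcomes per source: {src: {result: count}}."""
    hist = defaultdict(lambda: {"open": 0, "closed": 0, "filtered": 0})
    for e in events:
        hist[e["src"]][e["result"]] = hist[e["src"]].get(e["result"], 0) + 1
    return dict(hist)


def render_bar_chart(hist: dict) -> str:
    """Plain-text bar chart, one block per source, one bar per outcome."""
    lines = []
    for src, counts in sorted(hist.items()):
        lines.append(src)
        for result in ("open", "closed", "filtered"):
            n = counts.get(result, 0)
            lines.append(f"  {result:<9}{'#' * n} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("suspected scanners:", detect_port_scans(evs))
    print(render_bar_chart(response_histogram(evs)))
```

In the sample, 203.0.113.7 touches twelve distinct ports in five seconds and is flagged, while 198.51.100.5 reconnects to two ports over a minute and is not; the histogram shows the scanner's mix of mostly closed and filtered responses against the normal client's all-open pattern, which is the shape an analyst looks for in a dashboard. On real traffic, tune the window and port threshold against known scanners (monitoring systems, vulnerability scanners) so they are allow-listed rather than alerted on.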