Unit -1

Cyber Security Basics

Syllabus
Sphere, Terminology, Vulnerability in Cyber Structure and Infrastructure, Cyber Threats and Weaponry, Cyber Defense,
Cyber Attack Detection and Prevention, Information Security Testing, Cyber Security Investigation/ Assessment, Cyber
Deterrence

Topics - Sphere, Terminology

What is Cyber Security?
• Cybersecurity is the protection of information systems from theft or damage to the hardware, the software, and to
the information on them, as well as from disruption or misdirection of the services they provide. It includes
controlling physical access to the hardware, as well as protecting against harm that may come via network access,
data and code injection, and due to malpractice by operators, whether intentional, accidental, or due to them being
tricked into deviating from secure procedures.

• The chief area of concern for the field of information security is the balanced protection of the Confidentiality,
Integrity and Availability of data, also known as the CIA Triad.
o Confidentiality means that information is not made available or disclosed to unauthorized individuals,
entities, or processes.
o Data Integrity means maintaining and assuring the accuracy and completeness of data over its entire life-
cycle. This means that data cannot be modified in an unauthorized or undetected manner.
o Availability means the information must be available when it is needed. This means that the computing
systems used to store and process the information, the security controls used to protect it, and the
communication channels used to access it must be functioning correctly. High availability systems aim to
remain available at all times, preventing service disruptions due to power outages, hardware failures, and
system upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a flood of
incoming messages to the target system essentially forcing it to shut down.

Elements of Cyber Security

• Application security
• Information security
• Network security
• Disaster recovery
• Operational security
• End-user education

Sphere of Cyber Security

The growth in the number of computer systems, and the increasing reliance upon them of individuals, businesses,
industries and governments increases the risk and scope of cyber security.

1. Financial systems

Web sites and apps that accept or store credit card numbers, brokerage accounts, and bank account information
are also prominent hacking targets, because of the potential for immediate financial gain from transferring money,
making purchases, or selling the information on the black market. In-store payment systems and ATMs have also
been tampered with in order to gather customer account data and PINs.

2. Utilities and industrial equipment

Computers control functions at many utilities, including coordination of telecommunications, the power
grid, nuclear power plants, and valve opening and closing in water and gas networks. The Internet is a potential
attack vector for such machines if connected, but the Stuxnet worm demonstrated that even equipment controlled
by computers not connected to the Internet can be vulnerable.

3. Aviation

The aviation industry is very reliant on a series of complex system which could be attacked. A simple power outage
at one airport can cause repercussions worldwide, much of the system relies on radio transmissions which could be
disrupted, and controlling aircraft over oceans is especially dangerous because radar surveillance only extends 175
to 225 miles offshore.[24] There is also potential for attack from within an aircraft.

4. Consumer devices

Desktop computers and laptops are commonly targeted to gather passwords or financial account information, or to
construct a botnet to attack another target. Smart phones, tablet computers, smart watches, and other mobile
devices such as self-devices like activity trackers have sensors such as cameras, microphones, GPS receivers,
compasses, and accelerometers which could be exploited, and may collect personal information, including sensitive
health information. Wi-Fi, Bluetooth, and cell phone networks on any of these devices could be used as attack
vectors, and sensors might be remotely activated after a successful breach.

The increasing number of home automation devices such as the Nest thermostat are also potential targets.

5. Large corporations

Large corporations are common targets. In many cases this is aimed at financial gain through identity theft and
involves data breaches.

Some cyberattacks are ordered by foreign governments, these governments engage in cyberwarfare with the intent
to spread their propaganda, sabotage, or spy on their targets.

Medical records have been targeted for use in general identify theft, health insurance fraud, and impersonating
patients to obtain prescription drugs for recreational purposes or resale.

6. Automobiles

Vehicles are increasingly computerized, with engine timing, cruise control, anti-lock brakes, seat belt tensioners,
door locks, airbags and advanced driver-assistance systems on many models. Additionally, connected cars may use
Wi-Fi and Bluetooth to communicate with onboard consumer devices and the cell phone network. Self-driving
cars are expected to be even more complex.

All of these systems carry some security risk, and such issues have gained wide attention.[43][44][45] Simple examples
of risk include a malicious compact disc being used as an attack vector,[46] and the car's onboard microphones being
used for eavesdropping. However, if access is gained to a car's internal controller area network, the danger is much
greater.

7. Government
Government and military computer systems are commonly attacked by activists and foreign powers. Local and
regional government infrastructure such as traffic light controls, police and intelligence agency
communications, personnel records, student records, and financial systems are also potential targets as they are
now all largely computerized. Passports and government ID cards that control access to facilities which use RFID can
be vulnerable to cloning.

8. Internet of things and physical vulnerabilities

The Internet of things (IoT) is the network of physical objects such as devices, vehicles, and buildings that
are embedded with electronics, software, sensors, and network connectivity that enables them to collect and
exchange data.

For example, if a front door's lock is connected to the Internet, and can be locked/unlocked from a phone, then a
criminal could enter the home at the press of a button from a stolen or hacked phone. People could stand to lose
much more than their credit card numbers in a world controlled by IoT-enabled devices. Thieves have also used
electronic means to circumvent non-Internet-connected hotel door locks.

9. Medical systems

Medical devices have either been successfully attacked or had potentially deadly vulnerabilities demonstrated,
including both in-hospital diagnostic equipment and implanted devices including pacemakers and insulin pumps.
There are many reports of hospitals and hospital organizations getting hacked, including ransomware attacks,
Windows XP exploits, viruses, and data breaches of sensitive data stored on hospital servers.

Topics- Vulnerability in Cyber Structure and Infrastructure

Vulnerability: The existence of a weakness, design, or implementation error that can lead to an unexpected,
undesirable event compromising the security of the computer system, network, application, or protocol involved.
Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw,
and attacker capability to exploit the flaw.
A security risk may be classified as a vulnerability. The use of vulnerability with the same meaning of risk can
lead to confusion. The risk is tied to the potential of a significant loss. Then there are vulnerabilities without risk:
for example, when the affected asset has no value. A vulnerability with one or more known instances of working
and fully implemented attacks is classified as an exploitable vulnerability — a vulnerability for which
an exploit exists.

Risk, Vulnerability and threat (From Wikipedia)

Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the
asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
A threat is anything (man-made or act of nature) that has the potential to cause harm.

Classification of Vulnerabilities (From Wikipedia)

Vulnerabilities are classified according to the asset class they are related to:

1. hardware

• susceptibility to humidity

• susceptibility to dust

• susceptibility to soiling

• susceptibility to unprotected storage

2. software

• insufficient testing
 • lack of audit trail

• design flaw

3. network

• unprotected communication lines

• insecure network architecture

4. personnel

• inadequate recruiting process

• inadequate security awareness

5. physical site

• area subject to flood

• unreliable power source

6. organizational

• lack of regular audits

• lack of continuity plans

• lack of security

Classification of Threats / Classification of Vulnerabilities

Note: You can also write this answer for “Classification of Vulnerabilities”. The description given above is a subset of
what is described below.
Causes of Vulnerabilities

• Complexity: Large, complex systems increase the probability of flaws and unintended access points.
• Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the
probability an attacker has or can find the knowledge and tools to exploit the flaw.
• Connectivity: More physical connections, privileges, ports, protocols, and services and time each of those are
accessible increase vulnerability.
• Password management flaws: The computer user uses weak passwords that could be discovered by brute force.
The computer user stores the password on the computer where a program can access it. Users re-use passwords
between many programs and websites.
• Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies
on user/program management. For example, operating systems with policies such as default permit grant every
program and every user full access to the entire computer. This operating system flaw allows viruses and malware
to execute commands on behalf of the administrator.
• Internet Website Browsing: Some internet websites may contain harmful Spyware or Adware that can be installed
automatically on the computer systems. After visiting those websites, the computer systems become infected and
personal information will be collected and passed on to third party individuals.
• Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an
attacker to misuse an application.
• Unchecked user input: The program assumes that all user input is safe. Programs that do not check user input can
allow unintended direct execution of commands or SQL statements (known as Buffer overflows, SQL injection or
other non-validated inputs).
• Not learning from past mistakes, for example most vulnerabilities discovered in IPv4 protocol software were
discovered in the new IPv6 implementations.
The research has shown that the most vulnerable point in most information systems is the human user, operator,
designer, or other human: so, humans should be considered in their different roles as asset, threat, information
resources.

Topics – Cyber Threats and Weaponry

Types of Cyber Threats (Cyber Attacks)
Note: Usually cyber threats and cyber-attacks are related.
Note: More attacks/ threats can be written under this topic.

1. Denial-of-service attack
Denial of service attacks (DoS) are designed to make a machine or network resource unavailable to its intended
users. Attackers can deny service to individual victims, such as by deliberately entering a wrong password enough
consecutive times to cause the victims account to be locked, or they may overload the capabilities of a machine or
network and block all users at once. While a network attack from a single IP address can be blocked by adding a new
firewall rule, many forms of Distributed denial of service (DDoS) attacks are possible, where the attack comes from a
large number of points – and defending is much more difficult. Such attacks can originate from the zombie computers of
a botnet, but a range of other techniques are possible including reflection and amplification attacks, where innocent
systems are fooled into sending traffic to the victim.

2. Direct-access attacks
An unauthorized user gaining physical access to a computer is most likely able to directly copy data from it. They may
also compromise security by making operating system modifications, installing software worms, keyloggers, covert
listening devices or using wireless mice. Even when the system is protected by standard security measures, these may
be able to be by-passed by booting another operating system or tool from a CD-ROM or other bootable media. Disk
encryption and Trusted Platform Module are designed to prevent these attacks.

3. Eavesdropping
Eavesdropping is the act of surreptitiously listening to a private conversation, typically between hosts on a network. For
instance, programs such as Carnivore and NarusInSight have been used by the FBI and NSA to eavesdrop on the systems
of internet service providers. Even machines that operate as a closed system (i.e., with no contact to the outside world)
can be eavesdropped upon via monitoring the faint electro-magnetic transmissions generated by the
hardware; TEMPEST is a specification by the NSA referring to these attacks.

4. Spoofing
Spoofing is the act of masquerading as a valid entity through falsification of data (such as an IP address or username), in
order to gain access to information or resources that one is otherwise unauthorized to obtain.[7][8] There are several
types of spoofing, including:

• Email spoofing, where an attacker forges the sending (From, or source) address of an email.
• IP address spoofing, where an attacker alters the source IP address in a network packet to hide their identity or
impersonate another computing system.
• MAC spoofing, where an attacker modifies the Media Access Control (MAC) address of their network interface to
pose as a valid user on a network.
• Biometric spoofing, where an attacker produces a fake biometric sample to pose as another user.

5. Tampering
Tampering describes a malicious modification of products. So-called "Evil Maid" attacks and security services planting of
surveillance capability into routers are examples.

6. Privilege escalation
Privilege escalation describes a situation where an attacker with some level of restricted access is able to, without
authorization, elevate their privileges or access level. For example, a standard computer user may be able to fool the
system into giving them access to restricted data; or even to "become root" and have full unrestricted access to a
system.

7. Phishing
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details directly
from users. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter
details at a fake website whose look and feel are almost identical to the legitimate one. Preying on a victim's trust,
phishing can be classified as a form of social engineering.

8. Clickjacking
Clickjacking, also known as "UI redress attack" or "User Interface redress attack", is a malicious technique in which an
attacker tricks a user into clicking on a button or link on another webpage while the user intended to click on the top-
level page. This is done using multiple transparent or opaque layers. The attacker is basically "hijacking" the clicks meant
for the top-level page and routing them to some other irrelevant page, most likely owned by someone else. A similar
technique can be used to hijack keystrokes. Carefully drafting a combination of stylesheets, iframes, buttons and text
boxes, a user can be led into believing that they are typing the password or other information on some authentic
webpage while it is being channelled into an invisible frame controlled by the attacker.

9. Social engineering
Social engineering aims to convince a user to disclose secrets such as passwords, card numbers, etc. by, for example,
impersonating a bank, a contractor, or a customer.

Active Attacks vs Passive Attacks

Topics- Cyber Defense
Cyber Defense : Cyber Defense means acting in anticipation to oppose an attack involving computers and networks.

Various Defenses
1. Computer Access Control
In computer security, general access control includes identification, authorization, authentication, access approval,
and audit.
More info: https://en.wikipedia.org/wiki/Computer_access_control
2. Application Security
Application security encompasses measures taken to improve the security of an application often by finding, fixing
and preventing security vulnerabilities.
More Info- https://en.wikipedia.org/wiki/Application_security
a. Antivirus : Antivirus or anti-virus software is computer software used to prevent, detect and
remove malicious software.
b. Securing coding: It is the practice of developing computer software in a way that guards against the
accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the
primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of
reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a
relatively small number of common software programming errors. By identifying the insecure coding
practices that lead to these errors and educating developers on secure alternatives, organizations can
take proactive steps to help significantly reduce or eliminate vulnerabilities in software before
deployment.
c. Secure by design: Secure by design, in software engineering, means that the software has
been designed from the ground up to be secure. Malicious practices are taken for granted and care is
taken to minimize impact when a security vulnerability is discovered or on invalid user input.
d. Secure Operating System: Write from Unit-4
3. Encryption: Encryption is the process of encoding a message or information in such a way that only authorized
parties can access it and those who are not authorized cannot. Encryption does not itself prevent interference, but
denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or
message, referred to as plaintext, is encrypted using an encryption algorithm – a cipher – generating ciphertext that
can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-
random encryption key generated by an algorithm. It is in principle possible to decrypt the message without
possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills
are required. An authorized recipient can easily decrypt the message with the key provided by the originator to
recipients but not to unauthorized users.
4. Firewall: Write from Unit-3
5. Intrusion Detection System: Write from Unit-3
6. Intrusion Prevention System: Write from Unit-3
7. Mobile Secure Gateway: Mobile secure gateway (MSG) is an industry term for the software or hardware appliance
that provides secure communication between a mobile application and respective backend resources typically
within a corporate network

Topics – Cyber Attacks Detection and Prevention

No information available. Will be updated later.

Topics- Information Security Testing

Security testing is a process intended to reveal flaws in the security mechanisms of an information system that
protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing security
testing is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

Typical security requirements may include specific elements of confidentiality, integrity, authentication, availability,
authorization and non-repudiation.
Confidentiality
A security measure which protects against the disclosure of information to parties other than the intended recipient
is by no means the only way of ensuring the security.

Integrity

Integrity of information refers to protecting information from being modified by unauthorized parties

• A measure intended to allow the receiver to determine that the information provided by a system is correct.

• Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually
involve adding information to a communication, to form the basis of an algorithmic check, rather than the encoding
all of the communication.

• To check if the correct information is transferred from one application to other.

Authentication

This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what
its packaging and labeling claims to be, or assuring that a computer program is a trusted one.

Authorization

• The process of determining that a requester is allowed to receive a service or perform an operation.
• Access control is an example of authorization.

Availability

• Assuring information and communications services will be ready for use when expected.
• Information must be kept available to authorized persons when they need it.

Non- repudiation

In reference to digital security, non-repudiation means to ensure that a transferred message has been sent and received
by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender
of a message cannot later deny having sent the message and that the recipient cannot deny having received the
message.

Security Testing Taxonomy

Common terms used for the delivery of security testing:

• Discovery - The purpose of this stage is to identify systems within scope and the services in use. It is not intended to
discover vulnerabilities, but version detection may highlight deprecated versions of software / firmware and thus
indicate potential vulnerabilities.
• Vulnerability Scan - Following the discovery stage this looks for known security issues by using automated tools to
match conditions with known vulnerabilities. The reported risk level is set automatically by the tool with no manual
verification or interpretation by the test vendor. This can be supplemented with credential based scanning that
looks to remove some common false positives by using supplied credentials to authenticate with a service (such as
local windows accounts).
• Vulnerability Assessment - This uses discovery and vulnerability scanning to identify security vulnerabilities and
places the findings into the context of the environment under test. An example would be removing common false
positives from the report and deciding risk levels that should be applied to each report finding to improve business
understanding and context.
• Security Assessment - Builds upon Vulnerability Assessment by adding manual verification to confirm exposure, but
does not include the exploitation of vulnerabilities to gain further access. Verification could be in the form of
authorized access to a system to confirm system settings and involve examining logs, system responses, error
 messages, codes, etc. A Security Assessment is looking to gain a broad coverage of the systems under test but not
the depth of exposure that a specific vulnerability could lead to.
• Penetration Test - Penetration test simulates an attack by a malicious party. Building on the previous stages and
involves exploitation of found vulnerabilities to gain further access. Using this approach will result in an
understanding of the ability of an attacker to gain access to confidential information, affect data integrity or
availability of a service and the respective impact. Each test is approached using a consistent and complete
methodology in a way that allows the tester to use their problem-solving abilities, the output from a range of tools
and their own knowledge of networking and systems to find vulnerabilities that would/ could not be identified by
automated tools. This approach looks at the depth of attack as compared to the Security Assessment approach that
looks at the broader coverage.
• Security Audit - Driven by an Audit / Risk function to look at a specific control or compliance issue. Characterized by
a narrow scope, this type of engagement could make use of any of the earlier approaches discussed (vulnerability
assessment, security assessment, penetration test).
• Security Review - Verification that industry or internal security standards have been applied to system components
or product. This is typically completed through gap analysis and utilizes build / code reviews or by reviewing design
documents and architecture diagrams. This activity does not utilize any of the earlier approaches (Vulnerability
Assessment, Security Assessment, Penetration Test, Security Audit)

Topics- Cyber Security Investigation/ Assessment

Cyber Security Investigation/ Assessment is an explicit study to locate security vulnerabilities and risks.
The goal of a security assessment, is to ensure that necessary security controls are integrated into the design. A properly
completed security assessment should provide documentation outlining any security gaps.

Methodology
The following methodology outline is put forward as the effective means in conducting security assessment.

• Requirement Study and Situation Analysis

• Security policy creation and update
• Document Review
• Risk Identification
• Vulnerability Scan
• Data Analysis
• Report & Briefing
Topics- Cyber Deterrence
No information available. Will be updated later.
Extra Topics