
Week 4

Introduction to Firewalls

In this video you will learn to discuss what firewalls do and what types of attacks they can shield a network from. So let's start off with security and firewalls. Firewalls are protection mechanisms that isolate an organization's internal network from the larger Internet, allowing some packets to pass and blocking others. Firewalls are generally used in pairs, externally, for DMZs that separate the internal enterprise, where security policies are applied, from the public Internet, where WWW stands for Wild Wild West: there is not a shred of security applied to it.

So why would we want to apply them? Prevention of denial of service attacks. There are two particular attacks: SYN flooding attacks TCP connections and keeps things so busy that there are no resources left for real connections. Additionally, as opposed to this frontal denial of service attack, there is illegal modification or access of internal data. This is a violation of the security policy. Content can be stolen for data exfiltration, or, for example, an organization's homepage could be modified and replaced with something else.

Firewalls also allow only authorized access, in conjunction with an access control module. We'll talk about that in a little bit, to ensure that only authenticated users and hosts come through. There are actually two types of firewalls, application level and packet filtering; there's a third called an XML firewall, but it's really an XML gateway. We'll talk about that briefly.


Packet Filtering

In this video, you will learn to describe what packet filtering is and how packet filtering firewalls work. Packet filtering is one of the fundamental technologies for application in enterprise level firewalls. Fundamentally, on a packet by packet basis, a decision is made whether to forward or drop the packet based on a couple of parameters. The parameters that we're going to look at are listed here on Slide Six. One of the fundamental ones is the source IP address and the destination IP address. Fundamentally, where is it coming from, and where is it going to? We can make decisions based on those two parameters alone. Also the transport protocol being used, and the destination port numbers, can be a filtering side of that. TCP and UDP are the two primary transport protocols on the Internet. That's basically how IP packets get moved from IP address to IP address. One is a connectionless sort of broadcast signal, that's UDP, and TCP is more point-to-point. We can also filter on message types, and we can also filter on the synchronization and acknowledgement bits being flipped.

Let's take a look at a couple of examples of packet filtering. In example one, the rule is to block incoming and outgoing datagrams with IP protocol field 17 and with either source or destination port 23. So effectively, we are blocking all UDP flows and all telnet connection flows at the enterprise edge. These are good security protocols, and this is generally a great application of firewalls to enforce your security policy. In the second one, we block inbound TCP segments with the acknowledge bit set to zero. This prevents external communicators from making TCP connections with internal clients, but allows internal clients to communicate with the outside, which is a security policy that says, "We trust our inside guys more than we trust our outside guys."
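The two rules just described, worked through as an added example (not code from the lecture or its slides): a stateless, packet-by-packet filter over a few constructed packets at the enterprise edge. The packet model, the sample addresses and the rule names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

TCP, UDP = 6, 17  # values of the IP protocol field


@dataclass
class Packet:
    """Constructed header fields of one datagram (only what the rules need)."""
    direction: str                  # "in" = from the Internet, "out" = from the enterprise
    src_ip: str
    dst_ip: str
    proto: int                      # IP protocol field
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ack: Optional[bool] = None      # TCP ACK flag; None for non-TCP packets


def block_udp(p: Packet) -> bool:
    """Example 1: drop incoming and outgoing datagrams whose IP protocol field is 17 (UDP)."""
    return p.proto == UDP


def block_telnet(p: Packet) -> bool:
    """Example 1: drop any datagram with source or destination port 23 (telnet), either direction."""
    return 23 in (p.src_port, p.dst_port)


def block_inbound_ack0(p: Packet) -> bool:
    """Example 2: drop inbound TCP segments with ACK = 0.

    Only the first segment of a TCP connection (the SYN) has ACK clear, so this
    stops outside hosts from opening connections to inside clients, while replies
    to connections opened from the inside (ACK = 1) still get through.
    """
    return p.direction == "in" and p.proto == TCP and p.ack is False


RULES: List[Callable[[Packet], bool]] = [block_udp, block_telnet, block_inbound_ack0]


def decide(p: Packet) -> str:
    """Stateless decision for one packet: the first matching block rule wins, otherwise forward."""
    for rule in RULES:
        if rule(p):
            return "drop:" + rule.__name__
    return "forward"


# Constructed sample traffic at the enterprise edge (documentation addresses).
SAMPLE = [
    Packet("in", "198.51.100.7", "10.0.0.5", UDP, 53, 40001),            # DNS reply (UDP)
    Packet("out", "10.0.0.5", "198.51.100.7", TCP, 40002, 23, False),    # telnet SYN leaving
    Packet("in", "198.51.100.7", "10.0.0.5", TCP, 51000, 80, False),     # outsider opens a connection
    Packet("out", "10.0.0.5", "198.51.100.7", TCP, 40003, 443, False),   # insider opens a connection
    Packet("in", "198.51.100.7", "10.0.0.5", TCP, 443, 40003, True),     # the SYN-ACK coming back
]


def decisions(packets: List[Packet] = SAMPLE) -> List[str]:
    """Decision for each packet, in order."""
    return [decide(p) for p in packets]


if __name__ == "__main__":
    for p, d in zip(SAMPLE, decisions()):
        print(f"{p.direction:>3} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} "
              f"proto={p.proto} ack={p.ack}: {d}")
```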

Firewalls Application Gateway

In this video, you will learn to describe application gateways and how they differ from standard packet filtering firewalls, and to describe the limitations of application gateways. Application gateways also filter packets, but they do so on the application data, which is the payload right at the top level of the OSI stack, as well as on the IP and transport fields that are in there. This allows, for example, select users to employ the Telnet application to the outside. So effectively, to enforce this mandate, we require all telnet connections to go through a gateway. There's an access control mechanism that says, yes, this is a telnet connection, and then, is this user authorized or not authorized. So it is once again an access control type mechanism that is applied to an application.

There are some limitations right here. One of the things, as I said, is that these are based on the transport protocol, so an attacker can masquerade or spoof the IP address. This is done significantly with Internet attacks, where the source or destination is not in fact the true source or destination but is masqueraded; it appears to be coming from either a customer or a trusted source when in fact it is anything. The firewalls that we have been discussing do not have a mechanism to really validate this, so that is a significant threat area right there. For application gateways, application firewalls, there is a one-to-one relationship, so that if you've got a single application like telnet, or broadcast UDP, each one of these is going to require its own application gateway. So there's a one-to-one relationship. This gets into a very expensive process. In addition, the client software, the applications, the web browsers, the email tools, FTP tools, instant messaging, all of them have to be smart. They need to have the protocol predetermined to know how to communicate with the gateways, whether that's an application gateway or a packet filter. These packet filters will frequently be an all-or-nothing application relative to UDP. There's a security thought that UDP should be largely disengaged, because that's broadcast; there are a number of security vulnerabilities that are associated with that.

So what is the trade-off? The trade-off is open communication with the outside world, with no security policies in play, as opposed to an increasing level of security. With the increasing level of security, there's more control on protocols and applications and user access. That is the trade space that the security engineer needs to work through. Despite that, many highly protected sites, US government sites, still suffer from cyber attack.


Firewall XML Gateway

In this video, you will learn to describe what an XML gateway is and why it is used. >> What we wanted to talk about today was the XML gateway. XML is a transport protocol that moves documents, communication artifacts, through conventional firewalls without inspection. So why is that [INAUDIBLE]? Well, XML uses port 80 on a firewall, and port 80 is the standard web traffic port; it's left open. Otherwise, web browsers fundamentally wouldn't work communicating with the outside world. So a standard firewall cannot differentiate between XML traffic and a communication to an external web server. There's a challenge within that.

XML gateways, which are generally installed just inside the first firewall in a DMZ, take a look at the payload of the XML message for compliance, for security policy compliance. So fundamentally, this is the XML message stack, right? One of the attack profiles is that a protocol is slightly out of specification. There are some vulnerabilities that can be open for that. But with the security policy, we can define exactly how we expect an XML package to appear. If it's outside of that specification, it's dropped. We can also protect against executable code in the payloads. This is a variable element in the security policy: we want no surprises, nothing unexpected. And certainly executable code, when we're expecting a document, constitutes a surprise. There are no good surprises in security. We also, with this XML gateway, can ensure that the target IP address makes sense. Is it one of ours? And is it an IP address that's in the correct domain for receiving XML messaging? We can also require that IP addresses are nothing. That is also a big element on that.
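The three gateway checks described above (message outside the expected specification, executable content in a payload that should be a document, and a target address that is not one of ours or not an XML receiver), as an added example that is not code from the lecture: a small policy-driven inspector over constructed XML messages. The policy values, element names and networks are assumptions made for the example; the standard-library parser is used for brevity, and a production gateway would need a parser hardened against entity-expansion abuse.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed security policy (an assumption for this example): what a compliant
# XML message must look like and which addresses may receive one.
EXPECTED_ROOT = "order"
ALLOWED_ELEMENTS = {"order", "id", "item", "qty", "target"}
MAX_DEPTH = 1                                                 # root plus one level of children
OUR_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]           # "is it one of ours?"
XML_RECEIVERS = [ipaddress.ip_network("10.20.0.0/24")]        # hosts meant to receive XML
EXECUTABLE_MARKERS = ("<script", "javascript:", "#!/", "<?php")   # crude payload check


def _depth(elem: ET.Element, level: int = 0) -> int:
    """Deepest nesting level below elem (root is level 0)."""
    return max([level] + [_depth(child, level + 1) for child in elem])


def inspect(xml_text: str) -> str:
    """Return 'forward' or 'drop:<reason>' for one XML message, checking structure,
    executable content in text nodes, and the target address, in that order."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "drop:malformed"
    if root.tag != EXPECTED_ROOT:
        return f"drop:unexpected-root:{root.tag}"
    if _depth(root) > MAX_DEPTH:
        return "drop:too-deep"
    for elem in root.iter():
        if elem.tag not in ALLOWED_ELEMENTS:
            return f"drop:unexpected-element:{elem.tag}"
        text = ((elem.text or "") + (elem.tail or "")).lower()
        if any(marker in text for marker in EXECUTABLE_MARKERS):
            return "drop:executable-content"
    target = root.findtext("target", default="").strip()
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return "drop:bad-target-address"
    if not any(ip in net for net in OUR_NETWORKS):
        return "drop:target-not-ours"
    if not any(ip in net for net in XML_RECEIVERS):
        return "drop:target-not-an-xml-receiver"
    return "forward"


# Constructed sample messages.
GOOD = "<order><id>42</id><item>widget</item><qty>3</qty><target>10.20.0.15</target></order>"
SCRIPT = ("<order><id>42</id><item><![CDATA[<script>do()</script>]]></item>"
          "<target>10.20.0.15</target></order>")
OUTSIDE = "<order><id>42</id><target>203.0.113.9</target></order>"
WRONG_HOST = "<order><id>42</id><target>10.9.9.9</target></order>"
EXTRA = "<order><id>1</id><payload>x</payload><target>10.20.0.15</target></order>"
BROKEN = "<order><id>42</order>"

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("SCRIPT", SCRIPT), ("OUTSIDE", OUTSIDE),
                      ("WRONG_HOST", WRONG_HOST), ("EXTRA", EXTRA), ("BROKEN", BROKEN)]:
        print(f"{name:10s} {inspect(msg)}")
```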


Firewalls Stateless and Stateful

In this video, you will learn to describe the difference between a stateful and a stateless firewall, and to describe the trade-offs when moving from a stateless to a stateful firewall. Okay. So next up, we're going to talk a little bit about firewalls. Firewalls, as you already probably know, filter the traffic between networks. Depending on the type of firewall, they handle packets differently. Firewalls can be multi-homed as well, meaning they have multiple network interfaces connected to different networks. To put it in other words, we have one interface connected to the Internet, and then we have one connected to our local network. There are also different types of firewalls, but we'll go over a few of them, stateless and stateful, which are the most common ones, and the latter one is the more secure one.

Stateless firewalls, as the word says, have no concept of state. They can also be called packet filters. They make their decisions based on layer three and layer four information, meaning IP and port. They lack the sense of state, and of course, they're less secure. As you can see from the image shown here on your left, on the top you see an ICMP echo request and the corresponding ICMP echo reply being accepted by the firewall. But on the bottom, the attacker is just sending echo replies that are not preceded by an echo request, and the packet filter on the stateless firewall actually allows those packets through. On the stateful firewall that we will see next, that echo reply, if it's not preceded by an echo request, would be denied by the firewall.

Stateful firewalls have state tables that basically allow the firewall to compare current packets with previous packets. This actually makes the firewall a little bit slower, but far more secure than the stateless firewall. Sometimes they're also called application firewalls, and they can make decisions based on layer 7 information, meaning they could also filter information based on the type of website that somebody is visiting. As you can see from the image on your left, an ICMP echo request and then the corresponding echo reply are being accepted, but when an attacker tries to send an ICMP echo reply, the stateful firewall will go to the state table, detect that the echo reply has no corresponding previous echo request, and block that traffic with a deny.

There's one more type of firewall that we'll discuss, called proxy firewalls. They basically act as an intermediary server. As you can see from the image below, it sits between two nodes, the computer and the server. But it actually terminates the connection once the computer initiates the connection with the server. As you can see also, there are two 3-way handshakes between the two devices, meaning the computer would initiate a connection with the server, but the firewall will actually make that connection back to computer one, and then the proxy firewall will initiate another connection with the server itself. So it sits between two devices like a man in the middle, and this allows the proxy firewall to filter a bunch of traffic and actually analyze it even better.
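The echo request/echo reply scenario from the two images, as an added example (not code from the lecture): a stateless filter with an "allow ICMP echo" rule next to a stateful filter that records outbound echo requests in a state table and only accepts a reply that matches one. The packet tuples, addresses and ICMP identifiers are constructed for the example.

```python
from typing import List, Set, Tuple

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type values


class StatelessFilter:
    """Packet filter with a rule that permits ICMP echo in both directions and no memory:
    every packet is judged on its own header fields, so a bare reply looks fine."""

    def handle(self, direction: str, src: str, dst: str, icmp_type: int, ident: int) -> str:
        if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
            return "accept"
        return "deny"


class StatefulFilter:
    """Keeps a state table of echo requests that left the inside network. An inbound echo
    reply is accepted only when it matches a pending request, and the entry is consumed,
    so an unsolicited or replayed reply has no state to match and is denied."""

    def __init__(self) -> None:
        self.pending: Set[Tuple[str, str, int]] = set()   # (inside host, outside host, icmp id)

    def handle(self, direction: str, src: str, dst: str, icmp_type: int, ident: int) -> str:
        if direction == "out" and icmp_type == ECHO_REQUEST:
            self.pending.add((src, dst, ident))
            return "accept"
        if direction == "in" and icmp_type == ECHO_REPLY:
            key = (dst, src, ident)          # the reply flows back to the original requester
            if key in self.pending:
                self.pending.discard(key)
                return "accept"
            return "deny:no-matching-request"
        return "deny"


# Constructed traffic: a legitimate ping exchange, then an attacker sending a bare echo
# reply, then a replay of the first reply (documentation addresses).
TRAFFIC = [
    ("out", "10.0.0.5", "198.51.100.7", ECHO_REQUEST, 1),
    ("in", "198.51.100.7", "10.0.0.5", ECHO_REPLY, 1),
    ("in", "203.0.113.9", "10.0.0.5", ECHO_REPLY, 7),    # never requested
    ("in", "198.51.100.7", "10.0.0.5", ECHO_REPLY, 1),   # replay of the first reply
]


def run(fw, traffic=TRAFFIC) -> List[str]:
    """Feed the traffic through one firewall instance and collect its decisions."""
    return [fw.handle(*pkt) for pkt in traffic]


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter()))
    print("stateful: ", run(StatefulFilter()))
```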

AntiVirus

In this video, you will learn to describe how antivirus and anti-malware programs detect, block, and remove viruses and malware from infected systems, and to describe the purpose of malware definitions or signatures. Next, we will discuss a little bit about anti-virus and anti-malware. An antivirus is specialized software that can detect, prevent, and even destroy computer viruses or malware. This specialized software uses malware definitions. They're basically like signatures for identifying malicious software or malware. Those malware definitions are constantly being updated by vendors, and usually the vendors are the ones that send out these updates, these malware definitions, to the antivirus software itself. They basically scan the systems and search for matches against those malware definitions. So for example, if we get one infected file, it will actually match a hash, for example an MD5 hash, that is already recognized as malware. So the antivirus will either delete that file, put it in quarantine, or just flag it and alert the user that this file is infected or might be infected. Antivirus can sit locally on a computer, like a host antivirus, or it can be a network anti-virus system. The most common one that we'll encounter is a host-based anti-virus system that is actually connected to a centralized server.

Introduction to Cryptography

In this video, you will learn to describe the purpose or use of cryptography in cybersecurity, and to describe how cryptography is used to assure the key cybersecurity tenets of confidentiality, integrity, authentication, and non-repudiation. One key concept of security is cryptography; we'll discuss this now. Cryptography is basically a way of secret writing. It's secure communication between two parties, where only the intended recipient can understand this communication. That is the key task of cryptography. One thing that we need to understand for cryptography is that there's data in motion and data at rest, and both of them need to be secure. Cryptography is nothing new; it has been used for thousands of years. Examples are Egyptian hieroglyphics, the Spartan scytale, and the Caesar cipher; those are just a few examples of ancient cryptography. Nowadays it's just more evolved. We have encrypted data, and with the rise of computers, cryptography has evolved over the years.

To better understand cryptography and why it is important, we need to discuss some key concepts. We'll start with confidentiality. Basically, confidentiality is the process of assuring that only the intended parties can read and understand the message. Integrity is the process of actually detecting if the message has been changed, where the message shouldn't be altered in any way in the process of being transmitted. Authentication is the process of identifying whether someone or something is actually allowed to do something, or whether some message is actually correct. Non-repudiation is the process of detecting if something or someone has done something, and that someone cannot deny that action or that message which was sent by him or her. Cryptanalysis is basically the process of analyzing ciphers and cryptographic algorithms. Cryptanalysis is a key factor in cryptography because it allows scientists and mathematicians to actually determine if a cryptographic algorithm is secure or not. A cipher is the actual algorithm that encrypts a message. For example, the Caesar cipher was an ancient cryptography algorithm that basically shifted the alphabet, or shifted specific letters, either to the right or to the left by a certain amount. Plaintext, like the word says, is just plain text that is human readable. The ciphertext basically refers to the plaintext after it has gone through the cipher; that is, the cipher has been applied to a plaintext, and the ciphertext is something that is not humanly readable. Encryption is the process of transforming plaintext into ciphertext. Decryption is the process of transforming the ciphertext into plaintext, using the cipher as well. Those are two key concepts.

Let's talk about cryptographic strength a little bit now. Cryptographic strength relies on math, not secrecy. Keeping something secret does not make a cryptographic algorithm any more secure. Actually, the most secure algorithms out there, the ones that have stood the test of time, are public algorithms. Modern ciphers use modular math. On the left side of the screen, you will see an exclusive-OR (XOR) table. You will see column A, column B, and the column A XOR B. So let me try to explain this. Column A will be the plaintext, column B will be the key that we'll use to encrypt the information, and column C will be the resulting ciphertext. If you do it the other way around, you take the column A XOR B, meaning you have the ciphertext, and you run that through another XOR with column B, which is the key, and you will end up with column A, which is the plaintext.

Now let's talk a little bit about two types of ciphers. There is the stream cipher and there's the block cipher. Stream ciphers encrypt or decrypt the information bit per bit, meaning one bit at a time, in a stream manner. Block ciphers encrypt or decrypt information differently. They actually use blocks of bits to encrypt information. Some algorithms use 64 bits of information to encrypt at a time. So a block cipher will encrypt the message 64 bits at a time.
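The XOR table and the stream-versus-block distinction above, as an added example (not code from the lecture): the table as data, XOR applied byte by byte with a key so that running the ciphertext through the same key returns the plaintext, and the same message handled stream-style against a keystream and block-style in 64-bit blocks. The message, keys and helper names are constructed for the example; the block routine is a toy that shows block structure only, not a real block cipher.

```python
import secrets
from typing import List, Tuple

BLOCK_BYTES = 8   # 64 bits, the block size the lecture mentions


def xor_table() -> List[Tuple[int, int, int]]:
    """Rows (A, B, A XOR B): A is a plaintext bit, B a key bit, the result a ciphertext bit."""
    return [(a, b, a ^ b) for a in (0, 1) for b in (0, 1)]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Combine each byte with the key byte at the same position. Because (A ^ B) ^ B == A,
    calling this on the ciphertext with the same key gives the plaintext back."""
    if len(key) != len(data):
        raise ValueError("key must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def stream_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Stream style: each unit is combined with the next keystream byte as it arrives,
    so the message can be any length and needs no padding. Decryption is the same call."""
    if len(keystream) < len(plaintext):
        raise ValueError("keystream exhausted")
    return xor_bytes(plaintext, keystream[:len(plaintext)])


def split_blocks(data: bytes) -> List[bytes]:
    """Block style: the input must be a whole number of 64-bit blocks; a 640-bit
    message therefore becomes exactly ten blocks."""
    if len(data) % BLOCK_BYTES:
        raise ValueError("input is not a multiple of the block size; a block cipher would need padding")
    return [data[i:i + BLOCK_BYTES] for i in range(0, len(data), BLOCK_BYTES)]


def block_encrypt(plaintext: bytes, block_key: bytes) -> bytes:
    """Process one 64-bit block at a time with an 8-byte key. XOR with a fixed key is a toy
    stand-in for a real block cipher: it shows the block structure only and is not secure."""
    if len(block_key) != BLOCK_BYTES:
        raise ValueError("block key must be 64 bits")
    return b"".join(xor_bytes(block, block_key) for block in split_blocks(plaintext))


def demo() -> dict:
    """Round-trip a constructed 128-bit message both ways with fresh random keys."""
    message = b"hello bob-alice!"                       # constructed, 16 bytes = two blocks
    keystream = secrets.token_bytes(len(message))      # random key as long as the message
    block_key = secrets.token_bytes(BLOCK_BYTES)
    c_stream = stream_encrypt(message, keystream)
    c_block = block_encrypt(message, block_key)
    return {
        "stream_roundtrip": stream_encrypt(c_stream, keystream) == message,
        "block_roundtrip": block_encrypt(c_block, block_key) == message,
        "blocks": len(split_blocks(message)),
    }


if __name__ == "__main__":
    for a, b, c in xor_table():
        print(f"A={a} B={b} A XOR B={c}")
    print(demo())
```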

Types of Cryptography

In this video, you will learn to describe the three encryption types used in modern cryptography, including typical uses and advantages of each: symmetric, asymmetric, and hash. In this section we will discuss three main types of cryptography, or modern encryption types. They are the symmetric, the asymmetric, and the hash functions.

Symmetric encryption has several pros or strengths; these include the speed, and the fact that the cryptographic strength increases with the bits of the key. Meaning, if we have a bigger key, the cryptography will be more secure. The downside of symmetric encryption is that the key has to be shared using a secure method, sometimes an out-of-band method, meaning we cannot send a key in plaintext to the third party using an unsecured channel, because, as we discussed previously, the whole strength of the encryption algorithm is based on just one key, and that key needs to remain secret at all times. DES, Triple DES and AES are just some of the examples that we currently use, and AES is one of the most modern symmetric encryption algorithms that we currently use as of today.

On the other hand, asymmetric encryption uses two keys. Whitfield Diffie and Martin Hellman are the ones that created the Diffie-Hellman algorithm. They're considered the pioneers of modern asymmetric encryption. In asymmetric encryption, we have two keys, as I mentioned before. One key can be made public, called the public key, and the other one needs to be kept private at all times; it is called the private key. Since we have two keys, one key is used to encrypt and the other one is used to decrypt. So basically whatever is encrypted with the public key can only be decrypted with the private key, and the other way around as well: whatever is encrypted with the private key can only be decrypted with the public key. Asymmetric encryption is used in digital certificates; it's used in public key infrastructures. It uses a one-way algorithm to generate the two keys. It's based on math like factoring prime numbers and discrete logarithms. This is basically used for generating the two sets of keys. It's actually a lot slower than symmetric encryption, and this is the reason why whenever we use asymmetric encryption, most of the time we're using symmetric encryption as well. To put it in an example, whenever you visit an HTTPS website, or a secure website, you use asymmetric encryption first to exchange the key for the symmetric encryption to be used from that point forward. So basically, as we discussed earlier, since we need to be able to exchange the key for the symmetric encryption in a secure manner, asymmetric encryption permits us to exchange one key between two nodes or two parties, and from that point forward we'll be able to use symmetric encryption, which is a lot faster, in a secure manner.

The hash functions provide encryption using a one-way algorithm and no key. This means that any length, or a variable-length, plaintext is hashed into a fixed-length hash value. This is often called a message digest or simply a hash. This is used, like we talked about before, for integrity. If a message or a plaintext changes, we can determine this by hashing that same plaintext and checking the previous hash against the hash that we just computed. In other words, if we generated a plaintext and sent it to somebody else with a corresponding hash, and somebody changed that plaintext in transit, then we can determine if something has changed on that message using the previous hash generated and the hash generated after the message arrived. SHA-1 and MD5 are older algorithms. They are prone to collisions, and SHA-2 is the newer and recommended alternative. Hash functions are prone to collisions; that's one of the issues. SHA-1 and MD5 are the older algorithms that are more prone to collisions. A collision means two different plaintexts having the same hash. Again, since we have a limited amount of characters that the hash actually outputs, let's say MD5 outputs 15 characters or more, there is a possibility that two plaintexts can have the same exact hash value or message digest. Those are called collisions.
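The two uses of a message digest described on this page, the integrity check in the hash-function paragraph above and the hash-based signature match in the earlier AntiVirus section, as one added example (not code from the lecture): a sender's digest travels with the message and the receiver recomputes it, and a scanner hashes file contents and looks the digest up in a definitions table. The message, the file contents and the single "definition" are constructed for the example; the function also reports the fixed hex lengths of MD5, SHA-1 and SHA-256 digests.

```python
import hashlib
import hmac
from typing import Dict

# Constructed "malware definitions": digest -> name. A real vendor ships many thousands
# of these and updates them continuously; the sample file content here is made up.
_SAMPLE_BAD = b"CONSTRUCTED-SAMPLE-MALICIOUS-CONTENT-001"
DEFINITIONS: Dict[str, str] = {
    hashlib.sha256(_SAMPLE_BAD).hexdigest(): "Constructed.Sample.A",
}


def digest(data: bytes, algo: str = "sha256") -> str:
    """Fixed-length message digest of arbitrary-length input, as a hex string."""
    return hashlib.new(algo, data).hexdigest()


def digest_lengths(data: bytes = b"x") -> Dict[str, int]:
    """Hex-character length of each digest: the output size is fixed whatever the input."""
    return {algo: len(digest(data, algo)) for algo in ("md5", "sha1", "sha256")}


def verify_integrity(message: bytes, received_digest: str, algo: str = "sha256") -> bool:
    """Receiver side: recompute the digest of what arrived and compare it with the one the
    sender produced; constant-time comparison avoids leaking how many characters matched."""
    return hmac.compare_digest(digest(message, algo), received_digest)


def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Antivirus-style signature match: hash each file and look the digest up in the definitions.
    A file whose digest is known is quarantined; anything else is reported clean."""
    verdicts = {}
    for name, content in files.items():
        hit = DEFINITIONS.get(digest(content))
        verdicts[name] = f"quarantine:{hit}" if hit else "clean"
    return verdicts


def demo() -> dict:
    """Constructed message in transit (one character changed) plus a two-file scan."""
    original = b"transfer 100 to account 42"
    sent_digest = digest(original)
    tampered = b"transfer 900 to account 42"
    files = {"report.txt": b"quarterly numbers", "update.bin": _SAMPLE_BAD}
    return {
        "intact": verify_integrity(original, sent_digest),
        "tampered": verify_integrity(tampered, sent_digest),
        "scan": scan(files),
        "lengths": digest_lengths(),
    }


if __name__ == "__main__":
    print(demo())
```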

Cryptographic Attacks

In this video, you will learn to describe the five common forms of cryptographic attack: brute force, rainbow tables, social engineering, known plaintext, and known ciphertext. Now, we'll discuss some cryptographic attacks. Some basic cryptographic attacks that we have seen in the past are brute force, rainbow tables, of course social engineering, known plaintext, and known ciphertext. Brute force is an attack based on trial and error, and effectively works through the submission of many passwords or passphrases in the hope that eventually it will guess correctly. Rainbow tables are similar, but they use a limited amount of information, or entities, or files, and they actually contain pre-hashed passwords that we can check against hashed passwords, which makes the attack a lot faster. Social engineering consists of using non-technical methods to get those, maybe get the password from the end users themselves. The known plaintext attack is based on having only plaintext, and doing analysis based on that plaintext to try to understand how the cipher works, and how the cipher encrypts the information. This is an attempt to actually understand and try to get the actual key that is used in the cipher to encrypt the information. Once you have the key, you are able to decrypt or encrypt any information. The known ciphertext attack is the process of having only ciphertext. It's similar to the plaintext attack, but with the difference that we don't own plaintext, we just own ciphertext, and based on that ciphertext, we try to infer the key used in the cipher to, again, encrypt and decrypt information.

Cryptography - a different perspective from a Security architect

In this video, you will learn to describe important cryptography terms such as plain text, cipher text, symmetric key, public key, substitution cipher, and Data Encryption Standard. So before starting, one of the things we should do is set our lexicon, or dictionary, about cryptography. There's a couple of key points to be made here. Looking at this diagram, we see Alice communicating to Bob again. Alice and Bob are the sender and receiver respectively. Alice has a plain text message that she wishes to send to Bob. So the plain text message is human readable. This is clear text. It can be an email, a Microsoft Word document, a web-page link, anything that Alice may wish to send to Bob. Like I said, it can be clear text and, in this simple form, readable by anyone. So then Alice runs it through an encryption algorithm to create the cipher-text. So the cipher-text is the encrypted message. We talk about a message, but it could be a Word document; once again, any number of types of content. You'll notice that Alice has an encryption key. This encryption key is designated by the letter K, and you will notice there's a small subscript right here that indicates that it is Alice's key. So K_A is Alice's key. Once again, this creates the cipher-text, which is put on the communication channel and sent to Bob, who's the recipient. Bob decrypts the cipher-text to recover the plain text using his key, which is designated by K for key with a subscript B for Bob. So K_A is Alice's key, K_B is Bob's key. Trudy, in the center here, is the interceptor, the eavesdropper. Now, there's a basic architectural difference between two types of cryptography architecture. One is symmetric key. This is where the receiver's key, Bob's key, and Alice's key are identical. So in this case, K_A equals K_B. Public-key cryptography uses a different key. There is a secret key that Bob has, so K_A does not equal K_B.

So let's move on and take a look at some principles of symmetric cryptography. Let's take some time and investigate the principles behind symmetric key cryptography. There are a couple of architectures, a couple of styles, of symmetric key cryptography that we will look at. One of the first ones is the substitution cipher. This is the equivalent of a magic decoder ring, where we have a simple substitution of one letter. It's a mono-alphabetic cipher, which means that we substitute one letter for another, and that substitution does not change for the entire message. We'll take a look here at a plain text where we simply run a through z, and the cipher-text is m through q. So m is the 13th letter of the alphabet. So this is k equals 13, meaning that we'll shift the cipher-text 13 characters to the right in the mono-alphabetic presentation of a through z, and our plain text, as in the example from Alice to Bob, says, "Bob, I love you Alice," and the cipher-text, as you can see, is nkn, and you can certainly read the rest. So one of the questions before us is how difficult is it to break this simple cipher. Well, the answer is it's not very hard at all, because there's a very uneven distribution of the use of letters in the English language. We know, for example, that the letter e occurs most frequently. So a simple histogram of the occurrence of letters in the cipher text will reveal what e is. In this case, e will be c. So this frequency histogram will quickly yield the cipher-text. So in fact, this is not a very secure method to use.

Now let's look at a graphic of what a symmetric key cryptography architecture looks like. So once again, Alice, who is sending a plain text message, and we will designate the message as M, encrypts the plain text with the key especially designed between Alice and Bob. That's what the subscript A-B indicates. Let's go through the encryption algorithm to create the cipher-text. Now look at the designation right here. The cipher-text is identified as the key, Alice to Bob, parenthetically message: K_A-B(M). So this is the distribution that we saw earlier with a one-letter shift. Bob here receives the cipher-text, applies the decryption key, which is identical to the encryption key, so this is K_A-B, and recovers the plain text. So mathematically, the message here is found by applying the decryption key to the encrypted message, or the cipher-text, that Bob has received from Alice. So this element right here, this is the message; this is the decryption key, and that will result in the extraction or recovery of the plain text message. So Bob and Alice, for this to work, have to share the distribution key K_A-B. Now the question is, how do Bob and Alice agree on the key value? That is actually the weakness of symmetric key cryptography. The actual encryption, and we'll take a look at some other methods that are just not mono-alphabetic, is no stronger and no worse than asymmetric or public-key cryptography. But the issue is key distribution: how does Bob get the key from Alice? She could e-mail it, but could Trudy intercept that key and then use that for decryption of that message? And the answer is obviously yes. So the problem, and we'll talk about this in more detail, the foundational problem for symmetric key cryptography, is actually in key distribution.

So let's take a look at another symmetric key method. We'll take a look at some of the technology behind [inaudible] by six. Let's talk about DES. This is an IBM historical cryptography approach. This was actually built to a standard that NIST published. It's a 56-bit symmetric key. That means that the key from Alice to Bob is 56 bits long. When you see a 64-bit plaintext input, that just simply means that the algorithm, the DES encryption algorithm, ingests text in 64-bit chunks. So if you had a 640-bit plaintext message, you'd have ten 64-bit groups that are going to be encrypted. One of the questions, of course, is how secure is DES, the Data Encryption Standard? Well, 56-bit keys, like I said, is the encryption key length. A brute force approach was undertaken several years ago, and it said this could be broken in about four months. So how to defeat that? Well, change the key every three months, and then they have to simply start over. So there's no known back door. This has gone through peer review within the cryptography community, and those people will report on the slightest vulnerability in an encryption standard. So this has never been published, so we have a sense that there's some strength right here. We'll take a look at how to make this a little more secure: we could simply use three keys on each of these data blocks, that's the 64-bit block that we see coming through. There's an architecture called cipher-block chaining. Let's take a look at that briefly on the next slide.

Here on Slide 7 is an architectural element for DES. So you can take a look, just do a little finger walk right here, and you can see that there's a left and a right part of the 64 bits, and those are reversed. Then we apply 48 bits out of the 56 bits against this element, and they are swapped left and right, and there's a permutation element. The point being is that there are 16 rounds of this segmentation and encryption per encryption cycle on each of the 64 bits. So as I said earlier, if we had a 640-bit input, this would happen 10 times and we would concatenate those ten and send that as the encrypted message. Following DES, in November of 2001, NIST published a new standard. What NIST did was move the ingest block by a factor of two. So it went from 64 bits to 128 bits. The key length moved from 56 bits to these larger numbers that we've seen here: 128, 192, or 256 bits. Why are there three? Well, this is a user selected key length. Now keep in mind, the longer the key, the more computationally intensive the algorithm will be. So if we've got information that is at one level of sensitivity, and information that's at a higher level of sensitivity, there's an argument for using the longer bits; the 128-bit versus the 64-bit makes for a more efficient algorithm. So if you remember, on the previous slide we mentioned that we had a brute force approach that, with the high-end computers that are available today, would take just a second to find the DES key; as you can see, this moves to 149 trillion years for AES. So you've seen the attraction: brute force is essentially off the table when it comes to the Advanced Encryption Standard. So the salient point for this training module is to know that the first commercially available electronic encryption algorithm was DES, and then the second follow-on was AES, which effectively removed brute force.
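The substitution cipher passage above, worked through as an added example (not code from the lecture or its slides): a mono-alphabetic substitution applied to "Bob, I love you Alice", its inverse table for decryption, the pure-shift (Caesar, k = 13) table as the special case, and the letter histogram that exposes the image of "e". The substitution key is an assumption on my part, chosen so that "bob" becomes "nkn" and "e" becomes "c" as the lecture describes; the longer sample sentence used for the histogram is constructed.

```python
import string
from collections import Counter
from typing import Dict

PLAIN = string.ascii_lowercase
# Assumed mono-alphabetic key: plaintext letter PLAIN[i] is replaced by CIPHER[i].
# It is not printed in the lecture text; it matches the lecture's "bob" -> "nkn" and "e" -> "c".
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"


def substitute(text: str, table: str = CIPHER) -> str:
    """Apply one fixed letter-for-letter substitution to the whole message,
    keeping case, spaces and punctuation as they are."""
    out = []
    for ch in text:
        if ch.lower() in PLAIN:
            sub = table[PLAIN.index(ch.lower())]
            out.append(sub.upper() if ch.isupper() else sub)
        else:
            out.append(ch)
    return "".join(out)


def invert(table: str = CIPHER) -> str:
    """Decryption table: maps each cipher letter back to its plaintext letter, so
    substitute(ciphertext, invert(table)) recovers the plaintext."""
    inv = [""] * 26
    for plain_letter, cipher_letter in zip(PLAIN, table):
        inv[PLAIN.index(cipher_letter)] = plain_letter
    return "".join(inv)


def caesar_shift(k: int) -> str:
    """Table for a pure shift of k positions: the Caesar special case (k = 13 is ROT13)."""
    return PLAIN[k:] + PLAIN[:k]


def histogram(text: str) -> Counter:
    """Frequency of each letter in the text, ignoring case and non-letters."""
    return Counter(ch for ch in text.lower() if ch in PLAIN)


def guess_image_of_e(ciphertext: str) -> str:
    """The frequency-analysis step from the lecture: the most frequent ciphertext letter
    is taken to be the image of 'e', the commonest letter in English."""
    return histogram(ciphertext).most_common(1)[0][0]


# Constructed English sample, long enough for 'e' to dominate the histogram.
SAMPLE = ("Please remember: the secret message between Alice and Bob needs the key, "
          "and the key never leaves the enterprise.")


def demo() -> Dict[str, str]:
    """Encrypt the lecture's message, decrypt it again, and run the frequency attack."""
    ct = substitute("Bob, I love you Alice")
    return {
        "ciphertext": ct,
        "recovered": substitute(ct, invert()),
        "e_image": guess_image_of_e(substitute(SAMPLE)),
        "rot13": substitute("Bob", caesar_shift(13)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10s} {v}")
```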

Penetration Testing Introduction

In this video, you will learn to describe penetration testing, why it is used, and the ethical considerations you might run into; describe the difference between white hat, black hat, and grey hat attackers; and describe the several different types of threat actors and what characterizes each.

>> Okay, for our next topic we're going to talk a little bit about penetration testing. So penetration testing, it's also called pentest or pen testing, and it's also referred to as ethical hacking. It's basically the practice of testing a computer system, a network, or an application, either a web application or a software application, to find security vulnerabilities that an attacker could use to exploit and gain authorized access to a system or an application. The main objective of a pentest is to identify security weaknesses before attackers can identify them and exploit them. Penetration testing is a practice that requires several contracts before it can be performed: for example, a service level agreement, rules of engagement, all sorts of documentation to make the penetration testing a legal agreement between two parties. The penetration testers are the ones in charge of doing the technical process, and they are also called white hat hackers.

There are different types of hackers, and we can divide them into three categories, basically: white hat hackers, grey hat hackers, and black hat hackers. The white hat hackers, as we discussed earlier, are basically the ethical hackers, people that do this under contract and for security reasons. They're authorized to perform penetration testing on companies and they do it for the good of the company. Grey hat hackers stand in between the white hats and the grey hats. They usually perform penetration testing without authorization, but they usually report back to the customer, not the customer, the possible victim, because they were not contracted to do this. So they were not previously authorized by a company to perform any type of security assessment on their infrastructure or their network. They do it anyway and they report back to the customer or the victim, the possible victim. On the other hand, we have the black hat hackers; they are, quote unquote, the bad guys. They usually do these types of attacks for personal recognition, money, a political agenda, or social change. They do not do it under contract, and they are not authorized to perform any type of penetration testing activity on any of their victims.

We also have something called threat actors. A threat actor is basically an entity that is partially responsible for an incident or an attack. It usually affects the security of organizations, and they are also referred to as malicious actors. There are different types, and with these different types there are also different skill levels associated with them. To start with, there are the script kiddies. Basically, the script kiddies are inexperienced hackers. They have limited technical knowledge and they rely on automated tools to hack. They do not develop their own tools and they pretty much use what's publicly available, with very little technical knowledge. We also have the hacktivists. These types of hackers usually have a political agenda or some sort of social change in their minds. There is also organized crime. These are usually external to the company. They're highly sophisticated, meaning they have very high technical knowledge. They are also heavily funded from an economic standpoint, and they are usually attacking with some sort of highly developed malware, like ransomware nowadays. Insiders represent past or present employees, contractors, partners, or any entity that has access to company property or confidential information. The insiders can be a security risk intentionally or unintentionally. Basically, an insider or an employee could be fired from the company, for example, and they could be motivated to perform some sort of disruption activity on the company. It could also be unintentional: an employee may be deleting some sort of information that is not supposed to be deleted, but they made a mistake and they deleted that information by mistake. We also have the competitors. A competitor could be a potential security risk to other organizations because they could be motivated by, maybe, releasing a product before the competition. And finally we have the nation states. Nation states are external to the company. They are also highly sophisticated. They are very well economically funded, and they could be related to political, military, technical, or economic agendas. We have a few examples of some nation-state threat actors: Fancy Bear, also called APT28; Lazarus Group; ScarCruft, also called Group 123; or APT29. These are all examples of nation-state funded hacking organizations.

Pentest Methodologies

In this video, you will learn to describe the methodologies used in penetration testing, including the following: Open Source Security Testing Methodology; National Institute of Standards and Technology guidelines on network security testing; Federal Financial Institutions Examination Council, Information Technology Examination; and Information System Security Assessment Framework.

>> Let's talk now about pen testing methodologies. So when we talk about pentest methodologies, we're talking about a process for an offensive cyber security consultant to perform a series of actions in order to try to exploit a system. But the exploitation process actually is one of the key parts of the methodology. It's something that will give you a clear understanding of how the company, how your victim, or your client, is dealing with the cyber security war, how they're doing with the cyber security defenses and monitoring processes. So let's understand first a couple of methodologies that are in the public knowledge, or are in the environment for you to understand and follow. So we have the OSSTMM methodology, the Open Source Security Testing Methodology Manual. Then we have the NIST methodology for network security testing. There is another one called the Federal Financial Institutions Examination Council for Information Technology Examination. And then we have the ISSAF, Information System Security Assessment Framework.

There is another pentest methodology called PTES. Actually, if we go here on Google to PTES Technical Guidelines, the actual URL is www.pentest-standard.org. If you go here, you will see a lot of things, you will see a lot of information from the pen testing methodology perspective. But in order for you to be able to read this methodology, actually it is one of the simplest methodologies out there, it's simple. Just understand that here you will have the phases. So each of these is a phase that you will need to explore, you will need to perform on your pen test project. So, for example, when you are in the Intelligence Gathering process, you can click here. And you will have a lot of things to perform in order for you to get enough knowledge from your target. So, in the real world, if you work as a pen tester, as an ethical hacker, the first step and the most important step that you could do is the information gathering process, the enumeration process. Understand all the attack surface from your client, understand all the possible exploits, all the possible systems that you could exploit on your target. So, normally, there is a misconception because, on some occasions, people think that a pen tester will just go and open something called Metasploit and start working with commands and exploits and that's all. I mean, that's not the real world. In the real world, you will need to get a lot of information from your target. A lot of enumeration, a lot of information gathering from your target in order to proceed with the other phases.

Then when you have enough information, you could go and start your Threat Modeling process. So you have all the information for your target, now what? Now you need to understand what will be your roadmap, sorry, in order for you to exploit or attack your target. Here are just some examples, or checklists, or things that you could start doing on your end, in order to understand which part of the organization, which part of the network, you already understand, because you already performed the information gathering process, but you'll start exploring more deeply in the next step.

The next step, actually, is the Vulnerability Analysis. On some occasions, as pen testers, we use vulnerability scanners, the vulnerability assessment tools, for understanding a little bit better which vulnerabilities are more likely to be exploitable in the system. So, for example, if we have something on port 80, and we already know that that thing on port 80 is a web page running on Apache Server version 2.6, for example, one of the things that we could do is try to perform an exploration regarding vulnerabilities that will affect that version of Apache Server. So we could use a vulnerability assessment tool, we could use something called, for example, OpenVAS. We can use Qualys, we can use Nessus; there are a lot of vulnerability assessment tools out there. But one of the things that is also important for you to understand: you could also explore the vulnerabilities using a manual process. So one of the things that you could do is just go to Google. And if you have the version of the system, just go and type "exploit apache 2.4", for example. And you will have a lot of information about vulnerabilities that will affect that specific version of Apache Server. And you could start trying to exploit those vulnerabilities in the next step.

The next step, actually, is the Exploitation step. So when you are in the Exploitation, you will need, first of all, to understand that you, as a pen tester or as an ethical hacker, cannot, you cannot, again, you cannot exploit any system if you don't have the permission to do that. You need to coordinate with your client, you need to coordinate with your victim [LAUGH] the time frame, time windows, in order to perform the exploit of the systems. Why? Because what happens if you exploit something, if you exploit the Apache web server that we were talking about minutes ago, at a time when your victim, your client, is performing some important actions on the web page? For example, in a high season of sales for that client that will take over the Internet. So, if you exploit the system and you not just get access into the system, but you also break the system because you perform a denial of service attack, you probably will have problems because the normal operation of the client is affected by you. So that's an important part for any pen tester to understand. Coordination, talk with your client; trying to coordinate all the operations of the Exploitation phase is a key part. But, again, on this PTES or Pen Test Standard methodology that we're seeing here, there are a lot of things that you need to have in mind. So, for example, if you want to send a payload with a reverse connection to your system, probably you'll need to deal with something called evasion or obfuscation, to try to avoid antivirus detection, for example. Or if you want to encrypt your payload or your attack, you could start doing something that will encrypt your connection. For example, using NetGuard with encryption. Or using other tools that are not necessarily encrypted, but will use an encryption portal or use ports that are open on the system.

And, lastly, we have the Post Exploitation and Reporting. Again, the Post Exploitation is what happens when you already have access to the system. How could you maintain the access, how could you start doing some pivoting? In other words, how could you start jumping from computer to computer? Or how could you start doing something that we call privilege escalation? And the most important part here, Reporting. How could you show your client how you performed each of the steps of the project and gained access to the system?


Vulnerability Test

In this video, you will learn to describe the vulnerability assessment methodologies. There is something I mentioned before, that we normally use in the pen testing world or scenarios, but it could be something that is separate from the pen testing world, and this is the vulnerability assessment test. So as I mentioned, there are tools that will exploit or will try to give us vulnerabilities for each of the systems that we are dealing with. So for example, when we have a system and we know that that system runs on port 80, again Apache server on version 2.4, for example, we could start understanding each of the exploits doing a manual search, but we can use OpenVAS, for example, to perform an automated vulnerability assessment. So the tool will be run on the network from your client and will give us a lot of information on possible exploits that we could use as pen testers to gain access to the system.

Now the important part of the vulnerability assessment methodology is that the vulnerability assessment finishes with the report, finishes with the understanding of the vulnerability. The vulnerability assessment report will not exploit the vulnerability identified on the system. So it only will give us the report, it only will give us the information to exploit that vulnerability, but it will not exploit the vulnerability itself. So that's the next step if we're dealing with a pen testing methodology, but if we're talking about vulnerability assessment we're just dealing with information that could harm a system or could be used to exploit a system, not necessarily the exploitation process or the post exploitation process. That's something important to understand.

So here is a weaker scenario recommended by some companies or followed by some companies. So the vulnerability assessment or the vulnerability scanning could be done quarterly or bi-monthly or bi-weekly or on a monthly basis. Why? Because normally something automated is something that is already configured in a system, it's already configured in a tool, and will be running automatically on a regular basis on the internal network. So when we have all the information regarding vulnerability scanners, we could start trying to patch the systems or adding security into the systems so that the vulnerabilities or the exploits are no longer available for attackers to get access on the system. Now to start, or to test that we're doing the correct patching or the correct sanitisation of each of the vulnerabilities that we detect on the vulnerability scanning, normally we perform a penetration testing process. This could be done annually, for example; on some occasions one or two times per year is important or is recommended, but in this case the pen testers will take not just the vulnerabilities that you already know that you have, but probably will take some additional exploits or techniques, for example the social engineering techniques, to try to exploit your systems. So this is something that will be made manually. I mean, there are companies that will bring consultants to deploy or to execute pen testing. In the vulnerability assessment scenario, there is not necessarily a consultant, but it could be system-generated information on the vulnerability list that you have.
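Both the Vulnerability Analysis phase of the PTES walkthrough above and this vulnerability assessment section describe the same core step: a scanner such as OpenVAS, Nessus or Qualys takes the service and version a port scan reports (the "Apache on port 80, version 2.4" case) and matches it against a table of known affected version ranges, then stops at a report rather than exploiting anything. The block below is an added example, not code from the course or from any of those products: it implements that version-matching step over constructed scan results and a constructed advisory table. The advisory IDs (`EXAMPLE-000n`), hosts, version ranges and summaries are all made up for the demo and are not real CVEs or real systems.

```python
# Added example, not from the course: the version-matching step a vulnerability
# assessment tool performs. The advisory table and scan results below are
# constructed for the demo; advisory IDs are placeholders, not real CVEs, and
# the hosts are not real targets. The output is a report only: nothing here
# touches a system.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder ID, constructed for this example
    product: str              # product name as it appears in a server banner
    affected_since: tuple     # first affected version (inclusive)
    fixed_in: tuple           # first version that is no longer affected
    severity: str
    summary: str


# Constructed advisories. A real assessment pulls these from a vulnerability feed.
ADVISORIES = (
    Advisory("EXAMPLE-0001", "Apache", (2, 4, 49), (2, 4, 51), "high",
             "constructed: path handling flaw in 2.4.49 and 2.4.50"),
    Advisory("EXAMPLE-0002", "Apache", (2, 4, 0), (2, 4, 30), "medium",
             "constructed: information disclosure before 2.4.30"),
    Advisory("EXAMPLE-0003", "nginx", (1, 18, 0), (1, 20, 1), "medium",
             "constructed: request smuggling before 1.20.1"),
)

# Constructed scan results: (host, port, banner) as a port scan would report them.
SCAN_RESULTS = (
    ("10.0.0.5", 80, "Apache/2.4.49 (Unix)"),
    ("10.0.0.6", 443, "Apache/2.4.57 (Debian)"),
    ("10.0.0.7", 80, "nginx/1.18.0"),
    ("10.0.0.8", 8080, "Apache"),   # version hidden: needs manual verification
)

BANNER_RE = re.compile(r"(?P<product>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """'2.4.49' -> (2, 4, 49). Tuples compare component by component, which
    is what lets us test 'affected_since <= v < fixed_in' directly."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner: str):
    """Return (product, version_tuple) from a 'Server:' style banner, or None
    when the banner does not advertise a version."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    return match.group("product"), parse_version(match.group("version"))


def is_affected(version: tuple, adv: Advisory) -> bool:
    return adv.affected_since <= version < adv.fixed_in


def assess(scan_results=SCAN_RESULTS, advisories=ADVISORIES) -> list:
    """Match every banner against the advisory table. Returns one finding per
    (host, port, advisory) hit, plus a 'manual check' finding for services
    that hide their version. This is the report the lecture describes; any
    exploitation is a separate, authorised step outside this code."""
    findings = []
    for host, port, banner in scan_results:
        parsed = parse_banner(banner)
        if parsed is None:
            findings.append({"host": host, "port": port, "advisory": None,
                             "severity": "info",
                             "note": f"banner '{banner}' has no version; verify manually"})
            continue
        product, version = parsed
        for adv in advisories:
            if adv.product.lower() == product.lower() and is_affected(version, adv):
                version_text = ".".join(str(p) for p in version)
                findings.append({"host": host, "port": port,
                                 "advisory": adv.advisory_id,
                                 "severity": adv.severity,
                                 "note": f"{product} {version_text}: {adv.summary}"})
    return findings


def severity_counts(findings) -> dict:
    """Roll-up used in the report summary and for tracking remediation."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    report = assess()
    for f in report:
        print(f"{f['host']}:{f['port']:<5} {f['severity']:<7} {f['advisory'] or '-':<13} {f['note']}")
    print("summary:", severity_counts(report))
```

Two design points worth noting for the periodic-scan workflow the lecture describes: the version-range match is only as good as the banner (the 10.0.0.8 entry shows why a hidden version must become a manual-check item rather than a clean result), and keeping `severity_counts` from one scan to the next is the simplest way to confirm that patching after each quarterly or monthly run actually removed the findings.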

Digital Forensics

In this video, you will learn to describe the practice of digital forensics and what technical skills and legal knowledge are required to be effective.

>> We move on now to the digital forensics area. So digital forensics is a branch of forensic science. It basically includes everything related to identification, recovery, investigation, validation, and presentation of facts regarding digital evidence. This digital evidence is usually found on computers or similar digital storage media devices, for example, hard drives, cell phones, servers. If we talk about forensic science, we need to talk about Locard's exchange principle. Dr. Edmond Locard is a pioneer in the forensic science scene, and he became known as the Sherlock Holmes of France. He came up with this principle that is true for both the physical world as well as the technical world or the computer world: the perpetrator of a crime will bring something into the crime scene and leave with something from it, and both can be used as forensic evidence. Basically this means that when anybody commits a crime, he will take something from the crime, but he will also leave something in the crime scene. And those two facts can be used for forensic evidence.

In digital forensics, we need to talk about chain of custody, just as we would in forensic science. It basically refers to the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence. So the chain of custody is basically a written document that will allow us to reconstruct what has been done with the evidence: who has had it in the past, who has copied the information, how it was copied, who has analyzed the information, all sorts of things. And the chain of custody will be able to tell us that or recreate that for us. This chain of custody process has been required, it is required, for any type of evidence to be presented legally in court.

In digital forensics, we have several tools. We can divide them into two: hardware tools and software tools. In hardware tools, we have a few samples. The Faraday cage is basically a device that can block any electronic signal; it basically blocks magnetic fields. And it's used to isolate cellphones, for example, from the cellular data and Wi-Fi access, so it isolates the cellphone from any impulse or any electronic communication. We also have specific forensics tools, or forensics briefcases that have a bunch of tools inside of them. We can discuss them: maybe it's forensics laptops, power supplies, tool sets, digital cameras, case folders, blank forms. Basically these blank forms are what would then constitute the chain of custody of any evidence collected during the investigation. Also we would need some empty hard drives if we need to copy any information. And also the write blockers, because we want to make sure that we're able to copy anything from the hard drives but we're not writing anything onto the hard drives. We have several software tools out there, and this is just a very small list of everything that's available out there. We have open source applications like Volatility, and we also have paid software like FTK and EnCase. In the case of dd, it is basically a bit-by-bit copier found in most of the Linux operating systems out there. Autopsy, Bulk Extractor, and many more are some of the tools that can be used in any forensics investigation.
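The chain-of-custody paper trail and the write-blocked, bit-by-bit copy described above fit together through hashing: the image is hashed at acquisition, and every later hand-off re-hashes it so that any change, and the hand-off where it happened, can be shown in court. The block below is an added example, not code from the course or from any of the tools it names; it models a custody record whose events carry the image's SHA-256 digest and the integrity check run after an acquisition. The evidence bytes, case number, names and timestamps are all constructed, and `acquire_image` stands in for what dd behind a write blocker does to a real drive.

```python
# Added example, not from the course: a chain-of-custody record that pins each
# hand-off of a forensic image to its SHA-256 digest, plus the integrity check
# run after a write-blocked, bit-by-bit copy (the job dd does). Evidence bytes,
# names, times and the case number are all constructed.
import hashlib
from dataclasses import dataclass, field

# Constructed "disk": 1 KiB of made-up content standing in for a drive.
EVIDENCE_SOURCE = (b"EXAMPLE-DISK-HEADER" + b"\x00" * 493
                   + b"invoice.xlsx;mail.pst;notes.txt" + b"\xff" * 481)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> bytes:
    """Stand-in for acquisition: an exact copy of every byte. The source is
    never written to, which is what the write blocker guarantees for a
    physical drive."""
    return bytes(source)


def verify_image(source: bytes, image: bytes) -> bool:
    """A forensic copy is only usable if it hashes identically to the source."""
    return len(source) == len(image) and sha256_hex(source) == sha256_hex(image)


@dataclass(frozen=True)
class CustodyEvent:
    when: str      # ISO-8601 UTC timestamp (constructed)
    who: str       # person taking or handing over custody
    action: str    # imaged / transferred / received / analyzed / returned
    detail: str
    digest: str    # SHA-256 of the evidence image at this hand-off


@dataclass
class EvidenceRecord:
    case_id: str
    item_id: str
    description: str
    events: list = field(default_factory=list)

    def record(self, when: str, who: str, action: str, detail: str,
               image: bytes) -> CustodyEvent:
        """Append a hand-off. The digest is computed at the moment of transfer,
        so a later mismatch points at the specific hand-off where the image
        changed."""
        event = CustodyEvent(when, who, action, detail, sha256_hex(image))
        self.events.append(event)
        return event

    def first_break(self):
        """First event whose digest differs from the acquisition digest, or
        None if the chain is intact."""
        if not self.events:
            return None
        baseline = self.events[0].digest
        for event in self.events[1:]:
            if event.digest != baseline:
                return event
        return None

    def is_intact(self) -> bool:
        return bool(self.events) and self.first_break() is None


def build_chain(image: bytes, analysis_image: bytes) -> EvidenceRecord:
    """Constructed hand-off sequence: imaging, transfer to the lab, receipt,
    analysis. `analysis_image` is the copy the analyst actually worked on."""
    rec = EvidenceRecord("CASE-EXAMPLE-001", "ITEM-01", "constructed 1 KiB drive image")
    rec.record("2024-01-10T09:00:00Z", "officer A", "imaged", "write-blocked acquisition", image)
    rec.record("2024-01-10T11:30:00Z", "officer A", "transferred", "sealed bag to lab", image)
    rec.record("2024-01-11T08:15:00Z", "analyst B", "received", "seal intact", image)
    rec.record("2024-01-12T16:45:00Z", "analyst B", "analyzed", "keyword search", analysis_image)
    return rec


def intact_chain() -> EvidenceRecord:
    image = acquire_image(EVIDENCE_SOURCE)
    if not verify_image(EVIDENCE_SOURCE, image):
        raise RuntimeError("acquisition does not match source; re-image")
    return build_chain(image, image)


def broken_chain() -> EvidenceRecord:
    """Same hand-offs, but the analyst's copy had one byte altered."""
    image = acquire_image(EVIDENCE_SOURCE)
    tampered = bytearray(image)
    tampered[600] ^= 0x01
    return build_chain(image, bytes(tampered))


if __name__ == "__main__":
    print("intact chain:", intact_chain().is_intact())
    bad = broken_chain()
    print("broken chain:", bad.is_intact(), "| first break:", bad.first_break().action)
```

The point of hashing at every hand-off rather than once at the end is that `first_break` can name the custodian and step where the evidence stopped matching, which is exactly what the blank custody forms in the forensics briefcase are meant to reconstruct; in practice the digest is written on the form and the analyst works on a second verified copy, never the acquired image.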
