Types of Cybersecurity Threats

1. Malware Attacks

Malware is an abbreviation of “malicious software”, which includes viruses, worms, trojans,
spyware, and ransomware, and is the most common type of cyberattack. Malware infiltrates a
system, usually via a link on an untrusted website or email or an unwanted software
download. It deploys on the target system, collects sensitive data, manipulates and blocks
access to network components, and may destroy data or shut down the system altogether.
Here are some of the main types of malware attacks:

• Viruses—a piece of code injects itself into an application. When the application runs,
the malicious code executes.
• Worms—malware that exploits software vulnerabilities and backdoors to gain access
to an operating system. Once installed in the network, the worm can carry out attacks
such as distributed denial of service (DDoS).
• Trojans—malicious code or software that poses as an innocent program, hiding in
apps, games or email attachments. An unsuspecting user downloads the trojan,
allowing it to gain control of their device.
• Ransomware—a user or organization is denied access to their own systems or data
via encryption. The attacker typically demands a ransom be paid in exchange for a
decryption key to restore access, but there is no guarantee that paying the ransom will
actually restore full access or functionality.
• Cryptojacking—attackers deploy software on a victim’s device, and begin using
their computing resources to generate cryptocurrency, without their knowledge.
Affected systems can become slow and cryptojacking kits can affect system stability.
• Spyware—a malicious actor gains access to an unsuspecting user’s data, including
sensitive information such as passwords and payment details. Spyware can affect
desktop browsers, mobile phones and desktop applications.
• Adware—a user’s browsing activity is tracked to determine behavior patterns and
interests, allowing advertisers to send the user targeted advertising. Adware is related
to spyware but does not involve installing software on the user’s device and is not
necessarily used for malicious purposes, but it can be used without the user’s consent
and compromise their privacy.
• Fileless malware—no new software is installed on the operating system. Native tools such as
WMI and PowerShell are abused to carry out malicious functions. This stealthy form of
attack is difficult to detect, because the activity comes from tools that are recognized as
legitimate, so file-scanning antivirus often does not identify it.
• Rootkits—software is injected into applications, firmware, operating system kernels
or hypervisors, providing remote administrative access to a computer. The attacker
can start the operating system within a compromised environment, gain complete
control of the computer and deliver additional malware.

Prepared By: Dr Inderpreet Kaur


Virus vs. Worm vs. Trojan Horse

Definition
• Virus—software or a computer program that attaches itself to another software or computer
program in order to harm the computer system.
• Worm—malware that replicates itself in order to slow down the computer system.
• Trojan horse—rather than replicating, it captures important information about a computer
system or a computer network.

Replication
• A virus replicates itself.
• A worm also replicates itself.
• A Trojan horse does not replicate itself.

Remote control
• A virus cannot be controlled remotely.
• A worm can be controlled remotely.
• Like a worm, a Trojan horse can also be controlled remotely.

Spreading rate
• Viruses spread at a moderate rate.
• Worms spread faster than viruses and Trojan horses.
• Trojan horses spread slowly in comparison with both viruses and worms.

Main objective
• Virus: to modify information.
• Worm: to consume system resources.
• Trojan horse: to steal information.

Execution
• Viruses execute via executable files.
• Worms execute via weaknesses in the system.
• Trojan horses execute as a program that is taken for utility software.

2. Social Engineering Attacks

Social engineering involves tricking users into providing an entry point for malware. The
victim provides sensitive information or unwittingly installs malware on their device, because
the attacker poses as a legitimate actor.

Here are some of the main types of social engineering attacks:

• Baiting—the attacker lures a user into a social engineering trap, usually with a promise of
something attractive like a free gift card. The victim provides sensitive information such as
credentials to the attacker.
• Pretexting—similar to baiting, the attacker pressures the target into giving up information
under false pretenses. This typically involves impersonating someone with authority, for
example an IRS or police officer, whose position will compel the victim to comply.
• Phishing—the attacker sends emails pretending to come from a trusted source. Phishing
often involves sending fraudulent emails to as many users as possible, but can also be more
targeted. For example, “spear phishing” personalizes the email to target a specific user,
while “whaling” takes this a step further by targeting high-value individuals such as CEOs.
• Vishing (voice phishing)—the imposter uses the phone to trick the target into disclosing
sensitive data or grant access to the target system. Vishing typically targets older individuals
but can be employed against anyone.
• Smishing (SMS phishing)—the attacker uses text messages as the means of deceiving the
victim.
• Piggybacking—an authorized user provides physical access to another individual who
“piggybacks” off the user’s credentials. For example, an employee may grant access to
someone posing as a new employee who misplaced their credential card.
• Tailgating—an unauthorized individual follows an authorized user into a location, for
example by quickly slipping in through a protected door after the authorized user has opened
it. This technique is similar to piggybacking except that the person being tailgated is
unaware that they are being used by another individual.

3. Supply Chain Attacks

Supply chain attacks are a new type of threat to software developers and vendors. Their
purpose is to infect legitimate applications and distribute malware via source code, build
processes or software update mechanisms.

Attackers look for insecure network protocols, server infrastructure, and coding techniques,
and use them to compromise build and update processes, modify source code and hide
malicious content.

Supply chain attacks are especially severe because the applications being compromised
by attackers are signed and certified by trusted vendors. In a software supply chain attack, the
software vendor is not aware that its applications or updates are infected with malware.
Malicious code runs with the same trust and privileges as the compromised application.

Types of supply chain attacks include:

• Compromise of build tools or development pipelines
• Compromise of code signing procedures or developer accounts
• Malicious code sent as automated updates to hardware or firmware components
• Malicious code pre-installed on physical devices

4. Man-in-the-Middle Attack

A Man-in-the-Middle (MitM) attack involves intercepting the communication between two
endpoints, such as a user and an application. The attacker can eavesdrop on the
communication, steal sensitive data, and impersonate each party participating in the
communication.

Examples of MitM attacks include:

• Wi-Fi eavesdropping—an attacker sets up a Wi-Fi connection, posing as a legitimate actor,
such as a business, that users may connect to. The fraudulent Wi-Fi allows the attacker to
monitor the activity of connected users and intercept data such as payment card details and
login credentials.
• Email hijacking—an attacker spoofs the email address of a legitimate organization, such as
a bank, and uses it to trick users into giving up sensitive information or transferring money
to the attacker. The user follows instructions they think come from the bank but are actually
from the attacker.
• DNS spoofing—a Domain Name System (DNS) record is spoofed, directing a user to a malicious
website posing as a legitimate site. The attacker may divert traffic from the legitimate site or
steal the user’s credentials.
• IP spoofing—an internet protocol (IP) address connects users to a specific website. An
attacker can spoof an IP address to pose as a website and deceive users into thinking they are
interacting with that website.
• HTTPS spoofing—HTTPS is generally considered the more secure version of HTTP, but
can also be used to trick the browser into thinking that a malicious website is safe. The
attacker uses “HTTPS” in the URL to conceal the malicious nature of the website.

5. Denial-of-Service Attack

A Denial-of-Service (DoS) attack overloads the target system with a large volume of traffic,
hindering the ability of the system to function normally. An attack involving multiple devices
is known as a distributed denial-of-service (DDoS) attack.

DoS attack techniques include:

• HTTP flood DDoS—the attacker uses HTTP requests that appear legitimate to overwhelm
an application or web server. This technique does not require high bandwidth or malformed
packets, and typically tries to force a target system to allocate as many resources as possible
for each request.
• SYN flood DDoS—initiating a Transmission Control Protocol (TCP) connection sequence
involves sending a SYN request that the host must respond to with a SYN-ACK that
acknowledges the request, and then the requester must respond with an ACK. Attackers can
exploit this sequence, tying up server resources, by sending SYN requests but not
responding to the SYN-ACKs from the host.
• UDP flood DDoS—a remote host is flooded with User Datagram Protocol (UDP) packets
sent to random ports. This forces the host to check for an application listening on each
affected port and, finding none, respond with ICMP “Destination Unreachable” packets,
which uses up the host’s resources.
• ICMP flood—a barrage of ICMP Echo Request packets overwhelms the target, consuming
both inbound and outgoing bandwidth. The servers may try to respond to each request with
an ICMP Echo Reply packet, but cannot keep up with the rate of requests, so the system
slows down.
• NTP amplification—Network Time Protocol (NTP) servers are accessible to the public and
can be exploited by an attacker to send large volumes of UDP traffic to a targeted server.
This is considered an amplification attack due to the query-to-response ratio of 1:20 to
1:200, which allows an attacker to exploit open NTP servers to execute high-volume, high-
bandwidth DDoS attacks.
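The SYN flood item above rests on one asymmetry: a genuine client answers the server's SYN-ACK with an ACK, a flooder never does. The following is an added example, not part of the handout, that turns that asymmetry into a detection check over constructed packet records; the record format, the source addresses, the threshold and the backlog size are all assumptions for the demo.

```python
"""Added example (not from the handout): spotting a SYN flood in a server-side
record of inbound TCP packets by counting half-open handshakes. A legitimate
client sends SYN, receives the server's SYN-ACK, then sends ACK; a flooder
sends SYNs and never answers, so its SYN count runs far ahead of its ACKs."""
from collections import defaultdict

# Constructed sample records, one inbound packet per line:
# "<seconds> <source IP> <destination port> <TCP flag>".  Not real traffic.
SAMPLE_FLOWS = """\
# time  src_ip       dst_port flag
0.00 10.0.0.5 443 SYN
0.01 10.0.0.5 443 ACK
0.02 10.0.0.7 443 SYN
0.03 10.0.0.7 443 ACK
0.05 10.0.0.9 443 SYN
0.10 203.0.113.9 443 SYN
0.10 203.0.113.9 443 SYN
0.11 203.0.113.9 443 SYN
0.11 203.0.113.9 443 SYN
0.12 203.0.113.9 443 SYN
0.12 203.0.113.9 443 SYN
0.13 203.0.113.9 443 SYN
0.13 203.0.113.9 443 SYN
"""


def parse_flows(text):
    """Return a list of (time, src_ip, dst_port, flag) tuples, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, port, flag = line.split()
        records.append((float(ts), src, int(port), flag))
    return records


def half_open_by_source(records):
    """Inbound SYNs minus inbound ACKs per source.

    For a well-behaved client the two counts match once the handshake finishes,
    so the difference stays at 0 or 1. A source that only ever sends SYNs
    accumulates one half-open entry per packet."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for _ts, src, _port, flag in records:
        if flag == "SYN":
            syns[src] += 1
        elif flag == "ACK":
            acks[src] += 1
    return {src: syns[src] - acks[src] for src in syns}


def total_half_open(records):
    """Half-open entries across all sources: what the server's SYN backlog holds."""
    return sum(half_open_by_source(records).values())


def flag_syn_flooders(records, threshold=5):
    """Sources holding at least `threshold` half-open connections (the threshold
    is an assumed tuning value, not something from the handout)."""
    counts = half_open_by_source(records)
    return sorted(src for src, n in counts.items() if n >= threshold)


def backlog_exhausted(records, backlog=8):
    """True when half-open entries reach the (assumed) backlog size, i.e. the
    resource-exhaustion condition the handout describes."""
    return total_half_open(records) >= backlog


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    print("half-open per source:", half_open_by_source(recs))
    print("flagged:", flag_syn_flooders(recs))
    print("backlog exhausted:", backlog_exhausted(recs))
```

Per-source counting is blind to floods that spoof a different source address on every packet, which is why the global backlog check is kept alongside it.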

6. Injection Attacks

Injection attacks exploit a variety of vulnerabilities to directly insert malicious input into the
code of a web application. Successful attacks may expose sensitive information, execute a
DoS attack or compromise the entire system.

Here are some of the main vectors for injection attacks:

• SQL injection—an attacker enters an SQL query into an end user input channel, such as a
web form or comment field. A vulnerable application will send the attacker’s data to the
database, and will execute any SQL commands that have been injected into the query. Most
web applications use databases based on Structured Query Language (SQL), making them
vulnerable to SQL injection. A new variant on this attack is NoSQL attacks, targeted against
databases that do not use a relational data structure.
• Code injection—an attacker can inject code into an application if it is vulnerable. The web
server executes the malicious code as if it were part of the application.
• OS command injection—an attacker can exploit a command injection vulnerability to input
commands for the operating system to execute. This allows the attacker to exfiltrate OS data
or take over the system.
• LDAP injection—an attacker inputs characters to alter Lightweight Directory Access
Protocol (LDAP) queries. A system is vulnerable if it uses unsanitized LDAP queries. These
attacks are very severe because LDAP servers may store user accounts and credentials for an
entire organization.
• XML eXternal Entities (XXE) Injection—an attack is carried out using specially-
constructed XML documents. This differs from other attack vectors because it exploits
inherent vulnerabilities in legacy XML parsers rather than unvalidated user inputs. XML
documents can be used to traverse paths, execute code remotely and execute server-side
request forgery (SSRF).
• Cross-Site Scripting (XSS)—an attacker inputs a string of text containing malicious
JavaScript. The target’s browser executes the code, enabling the attacker to redirect users to
a malicious website or steal session cookies to hijack a user’s session. An application is
vulnerable to XSS if it doesn’t sanitize user inputs to remove JavaScript code.
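The SQL injection and XSS items in the list above are easiest to see as a vulnerable function beside its hardened form. The following is an added example, not code from the handout; the users table, the comment markup and the probe input are constructed for the demo.

```python
"""Added example (not from the handout): the SQL injection and XSS vectors,
each as a vulnerable function beside its hardened form. The users table and
the comment markup are constructed for the demo."""
import html
import sqlite3


def make_db():
    """In-memory SQLite database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by concatenation: the input becomes SQL syntax, so a
    quote in it changes the WHERE clause instead of being matched as data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver binds the value after the statement is
    parsed, so it can only ever be compared, never executed."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_comment_vulnerable(comment):
    """Inserts user text into HTML as-is; markup in the text becomes markup."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """Escapes <, >, & and quotes so the browser shows the text instead of
    interpreting it."""
    return '<p class="comment">' + html.escape(comment) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "alice' OR '1'='1"   # the textbook tautology input for SQL injection
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("safe:      ", lookup_safe(db, probe))         # no such username: []
    print(render_comment_safe("<script>alert(1)</script>"))
```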

What is the CIA Triad?


The three letters in "CIA triad" stand for Confidentiality, Integrity, and Availability. The CIA
triad is a common model that forms the basis for the development of security systems. It is
used for finding vulnerabilities and methods for creating solutions.

The confidentiality, integrity, and availability of information are crucial to the operation of a
business, and the CIA triad segments these three ideas into separate focal points. This
differentiation is helpful because it guides security teams as they pinpoint the different
ways in which they can address each concern.

Ideally, when all three standards have been met, the security profile of the organization is
stronger and better equipped to handle threat incidents.

Confidentiality

Confidentiality involves the efforts of an organization to make sure data is kept secret or
private. To accomplish this, access to information must be controlled to prevent the
unauthorized sharing of data—whether intentional or accidental. A key component of
maintaining confidentiality is making sure that people without proper authorization are
prevented from accessing assets important to your business. Conversely, an effective system
also ensures that those who need to have access have the necessary privileges.

For example, those who work with an organization’s finances should be able to access the
spreadsheets, bank accounts, and other information related to the flow of money. However,
the vast majority of other employees—and perhaps even certain executives—may not be
granted access. To ensure these policies are followed, stringent restrictions have to be in
place to limit who can see what.

There are several ways confidentiality can be compromised. This may involve direct attacks
aimed at gaining access to systems the attacker does not have the rights to see. It can also
involve an attacker making a direct attempt to infiltrate an application or database so they can
take data or alter it.

These direct attacks may use techniques such as man-in-the-middle (MITM) attacks, where
an attacker positions themselves in the stream of information to intercept data and then either
steal or alter it. Some attackers engage in other types of network spying to gain access to
credentials. In some cases, the attacker will try to gain more system privileges to obtain the
next level of clearance.

However, not all violations of confidentiality are intentional. Human error or insufficient
security controls may be to blame as well. For example, someone may fail to protect their
password—either to a workstation or to log in to a restricted area. Users may share their
credentials with someone else, or they may allow someone to see their login while they enter
it. In other situations, a user may not properly encrypt a communication, allowing an attacker
to intercept their information. Also, a thief may steal hardware, whether an entire computer or
a device used in the login process and use it to access confidential information.

To fight against confidentiality breaches, you can classify and label restricted data, enable
access control policies, encrypt data, and use multi-factor authentication (MFA) systems. It is
also advisable to ensure that all in the organization have the training and knowledge they
need to recognize the dangers and avoid them.

Integrity

Integrity involves making sure your data is trustworthy and free from tampering. The
integrity of your data is maintained only if the data is authentic, accurate, and reliable.

For example, if your company provides information about senior managers on your website,
this information needs to have integrity. If it is inaccurate, those visiting the website for
information may feel your organization is not trustworthy. Someone with a vested interest in
damaging the reputation of your organization may try to hack your website and alter the
descriptions, photographs, or titles of the executives to hurt their reputation or that of the
company as a whole.

Compromising integrity is often done intentionally. An attacker may bypass an intrusion
detection system (IDS), change file configurations to allow unauthorized access, or alter the
logs kept by the system to hide the attack. Integrity may also be violated by accident.
Someone may accidentally enter the wrong code or make another kind of careless mistake.
Also, if the company’s security policies, protections, and procedures are inadequate, integrity
can be violated without any one person in the organization accountable for the blame.

To protect the integrity of your data, you can use hashing, encryption, digital certificates, or
digital signatures. For websites, you can employ trustworthy certificate authorities (CAs) that
verify the authenticity of your website so visitors know they are getting the site they intended
to visit.

A method for verifying integrity is non-repudiation, which refers to when something cannot
be repudiated or denied. For example, if employees in your company use digital signatures
when sending emails, the fact that the email came from them cannot be denied. Also, the
recipient cannot deny that they received the email from the sender.
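The two paragraphs above list hashing and digital signatures as integrity controls and then introduce non-repudiation. The following is an added example, not part of the handout, that shows where a bare hash stops and a keyed check begins: the executive-profile text, the tampered version and the key are constructed for the demo. A keyed HMAC is used here as the stand-in for a keyed check; because both sides hold the same key it gives integrity but not non-repudiation, which needs a digital signature under a key only the sender holds.

```python
"""Added example (not from the handout): integrity checks on a published text.
A bare SHA-256 digest detects accidental corruption, but an attacker who can
rewrite the page can recompute the digest too. A keyed HMAC (a stand-in for
the signature the handout mentions) cannot be recomputed without the key."""
import hashlib
import hmac
import secrets

# Constructed sample data: an executive profile published on a website.
ORIGINAL = b"Jane Doe, Chief Financial Officer, joined in 2015."
TAMPERED = b"Jane Doe, Chief Financial Officer, resigned in 2015."


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def publish_with_hash(data):
    """Record as the site would store it: the text plus its unkeyed digest."""
    return {"data": data, "digest": sha256_hex(data)}


def verify_hash(record):
    """Recompute the digest; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(sha256_hex(record["data"]), record["digest"])


def corrupt_data_only(record, new_data):
    """Accidental corruption or a careless edit: the text changes, the stored
    digest does not, so verify_hash() catches it."""
    return {"data": new_data, "digest": record["digest"]}


def tamper_and_rehash(record, new_data):
    """Deliberate tampering by someone with write access: they replace the text
    AND recompute the digest, so verify_hash() passes."""
    return {"data": new_data, "digest": sha256_hex(new_data)}


def publish_with_hmac(data, key):
    """Keyed tag over the text; only a key holder can produce a valid tag."""
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return {"data": data, "tag": tag}


def verify_hmac(record, key):
    expected = hmac.new(key, record["data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def tamper_hmac_record(record, new_data):
    """Same attacker, no key: the text changes but the old tag is all they have."""
    return {"data": new_data, "tag": record["tag"]}


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # demo key; in practice kept off the web server
    plain = publish_with_hash(ORIGINAL)
    print("hash, corrupted:      ", verify_hash(corrupt_data_only(plain, TAMPERED)))
    print("hash, tampered+rehash:", verify_hash(tamper_and_rehash(plain, TAMPERED)))
    keyed = publish_with_hmac(ORIGINAL, key)
    print("hmac, tampered:       ", verify_hmac(tamper_hmac_record(keyed, TAMPERED), key))
```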

Availability

Even if data is kept confidential and its integrity maintained, it is often useless unless it is
available to those in the organization and the customers they serve. This means that systems,
networks, and applications must be functioning as they should and when they should. Also,
individuals with access to specific information must be able to consume it when they need to,
and getting to the data should not take an inordinate amount of time.

If, for example, there is a power outage and there is no disaster recovery system in place to
help users regain access to critical systems, availability will be compromised. Also, a natural
disaster like a flood or even a severe snowstorm may prevent users from getting to the office,
which can interrupt the availability of their workstations and other devices that provide
business-critical information or applications. Availability can also be compromised through
deliberate acts of sabotage, such as the use of denial-of-service (DoS) attacks or ransomware.

To ensure availability, organizations can use redundant networks, servers, and applications.
These can be configured to take over when the primary system has been disrupted or
broken. You can also enhance availability by staying on top of upgrades to software
packages and security systems. In this way, you make it less likely for an application to
malfunction or for a relatively new threat to infiltrate your system. Backups and full disaster
recovery plans also help a company regain availability soon after a negative event.

Why Should You Use the CIA Triad?

The CIA triad provides a simple yet comprehensive high-level checklist for the evaluation of
your security procedures and tools. An effective system satisfies all three components:
confidentiality, integrity, and availability. An information security system that is lacking in one of
the three aspects of the CIA triad is insufficient.

The CIA security triad is also valuable in assessing what went wrong—and what worked—after
a negative incident. For example, perhaps availability was compromised after a malware attack
such as ransomware, but the systems in place were still able to maintain the confidentiality of
important information. This data can be used to address weak points and replicate successful
policies and implementations.

When Should You Use the CIA Triad?

You should use the CIA triad in the majority of security situations, particularly because each
component is critical. However, it is particularly helpful when developing systems around
data classification and managing permissions and access privileges. You should also
stringently employ the CIA triad when addressing the cyber vulnerabilities of your
organization. It can be a powerful tool in disrupting the Cyber Kill Chain, which refers to the
process of targeting and executing a cyberattack. The CIA security triad can help you home in
on what attackers may be after and then implement policies and tools to adequately protect
those assets.

In addition, the CIA triad can be used when training employees regarding cybersecurity. You
can use hypothetical scenarios or real-life case studies to help employees think in terms of the
maintenance of confidentiality, integrity, and availability of information and systems.

What’s an asset?

An asset is any data, device or other component of an organisation’s systems that is valuable
– often because it contains sensitive data or can be used to access such information.

For example, an employee’s desktop computer, laptop or company phone would be
considered an asset, as would applications on those devices. Likewise, critical infrastructure,
such as servers and support systems, are assets.

An organisation’s most common assets are information assets. These are things such as
databases and physical files – i.e. the sensitive data that you store.

A related concept is the ‘information asset container’, which is where that information is
kept. In the case of databases, this would be the application that was used to create the
database. For physical files, it would be the filing cabinet where the information resides.

What’s a vulnerability?

A vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage
or compromise an asset.

You are most likely to encounter a vulnerability in software, due to its complexity and the
frequency with which it is updated. These weaknesses, known as bugs, can be used by
criminal hackers to access sensitive information.

Vulnerabilities don’t only refer to technological flaws, though. They can be physical
weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of your
premises, or poorly written (or non-existent) processes that could lead to employees exposing
information.

Other vulnerabilities include inherent human weaknesses, such as our susceptibility to
phishing emails; structural flaws in the premises, such as a leaky pipe near a power outlet;
and communication errors, such as employees’ sending information to the wrong person.

Understanding risk
Now that we’ve explained the constituent elements of risk, you can see that the concept is a
lot more complex than you might have thought. But, although it sounds counterintuitive,
that’s not necessarily a bad thing.

That’s because the specificity of what counts as a risk means that you may well have fewer of
them than you estimated.

After all, an information security risk must have something that’s in jeopardy (an asset), an
actor that can exploit it (a threat) and a way for them to do so (a vulnerability).

If you’ve identified a vulnerability, but there is no threat to exploit it, you have little to no
risk. Likewise, you might detect a threat but have already secured any weaknesses that it
could exploit.

Of course, identifying risks is only the first step towards securing your organisation. You
need to document them, assess and prioritise them, and finally implement measures to secure
them.

This can be a labour-intensive task, but our risk assessment tool, vsRisk, does much of the
work for you.
This software package provides a simple and fast way to create your risk assessment
methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organisational roles to each asset group, applying relevant potential
threats and risks by default.

Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to
compile a list of risks, and the built-in control sets help you comply with multiple
frameworks.

What Does Cyberspace Mean?

Cyberspace refers to the virtual computer world, and more specifically, an electronic medium
that is used to facilitate online communication. Cyberspace typically involves a large
computer network made up of many worldwide computer subnetworks that employ TCP/IP
protocol to aid in communication and data exchange activities.

Cyberspace's core feature is an interactive and virtual environment for a broad range of
participants.

In the common IT lexicon, any system that has a significant user base or even a well-
designed interface can be thought to be “cyberspace.”

Cyber Crime

An online dictionary defines “cybercrime” as “a crime committed on a computer network”
[“Cybercrime”, Dictionary.com, …]. The problem I have with this definition is that, as an
American lawyer, I need to be able to fit the concept of “cybercrime” into the specific legal
framework we use in the United States and into the more general legal framework that ties
together legal systems around the world. That leads me to ask several questions: Is
“cybercrime” different from regular “crime?” If so, how? If not, if “cybercrime” is merely a
boutique version of “crime,” why do we need a new term for it?

While most of the cybercrime we have seen to date is simply the commission of traditional
crimes by new means, this is not true of all cybercrime. We already have one completely new
cybercrime: a distributed denial of service (DDoS) attack. A DDoS attack overloads
computer servers and effectively shuts down a website. In February of 2000, someone
launched DDoS attacks that effectively shut down Amazon.com and eBay, among other sites.

DDoS attacks are increasingly used for extortion; someone launches an attack on a website,
then stops the attack and explains to the owner of the website that attacks will continue unless
and until the owner pays a sum for “protection” against such attacks. This simply represents
the commission of an old crime (extortion) by new means. It is a tactic the Mafia was using
over half a century ago, though they relied on arson instead of DDoS attacks.

But a “pure” DDoS attack such as the 2000 attacks on Amazon.com and eBay is not a
traditional crime. It is not theft, fraud, extortion, vandalism, burglary or any crime that was
within a pre-twentieth century prosecutor’s repertoire [Brenner, Is There Such a Thing as
Virtual Crime?, supra]. It is an example of a new type of crime: a “pure” cybercrime. As
such, it requires that we create new law, which makes it a crime to launch such an attack.
Otherwise, there is no crime, which was the case in the United Kingdom until very recently;

To summarize, one reason why the definition quoted above is unsatisfactory is that it does not
encompass the proposition that cybercrime can consist of committing “new” crimes – crimes
we have not seen before and therefore have not outlawed – as well as “old” crimes. The other
reason I take issue with this definition is that it links the commission of cybercrime with the
use of a “computer network.” This is usually true; in fact, the use of computer networks is
probably the default model of cybercrime. But it is also possible that computer technology,
but not network technology, can be used for illegal purposes. A non-networked computer can,
for example, be used to counterfeit currency or to forge documents. In either instance, a
computer -- but not a computer network -- is being used to commit a crime. Here, the
computer is being used to commit an “old” crime, but it is at least conceptually possible that a
non-networked computer could also be used to commit a “new” crime of some type.

A better definition of cybercrime, then, is that it constitutes the use of computer technology to
commit “crime,” i.e., to engage in activity that, as noted earlier, threatens a society’s ability
to maintain internal order. But while cybercrime involves the commission of “crime” in the
generic sense, particular cybercrimes may not be proscribed by a society’s criminal laws. It is
therefore advisable for every society to conduct a periodic review of its criminal laws to
ensure that they are adequate to deal with evolving threats, such as DDoS attacks.

What Is Cyber Warfare?

Cyber warfare is usually defined as a cyber attack or series of attacks that target a country. It
has the potential to wreak havoc on government and civilian infrastructure and disrupt critical
systems, resulting in damage to the state and even loss of life.

There is, however, a debate among cyber security experts as to what kind of activity
constitutes cyber warfare. The US Department of Defense (DoD) recognizes the threat to
national security posed by the malicious use of the Internet but doesn’t provide a clearer
definition of cyber warfare. Some consider cyber warfare to be a cyber attack that can result
in death.

Cyber warfare typically involves a nation-state perpetrating cyber attacks on another, but in
some cases, the attacks are carried out by terrorist organizations or non-state actors seeking to
further the goal of a hostile nation. There are several examples of alleged cyber warfare in
recent history, but there is no universal, formal, definition for how a cyber attack may
constitute an act of war.

7 Types of Cyber Warfare Attacks

Here are some of the main types of cyber warfare attacks.

Espionage

Refers to monitoring other countries to steal secrets. In cyber warfare, this can involve
using botnets or spear phishing attacks to compromise sensitive computer systems before
exfiltrating sensitive information.

Sabotage

Government organizations must determine sensitive information and the risks if it is
compromised. Hostile governments or terrorists may steal information, destroy it, or
leverage insider threats such as dissatisfied or careless employees, or government employees
with affiliation to the attacking country.

Denial-of-service (DoS) Attacks

DoS attacks prevent legitimate users from accessing a website by flooding it with fake
requests and forcing the website to handle these requests. This type of attack can be used to
disrupt critical operations and systems and block access to sensitive websites by civilians,
military and security personnel, or research bodies.

Electrical Power Grid

Attacking the power grid allows attackers to disable critical systems, disrupt infrastructure,
and potentially result in bodily harm. Attacks on the power grid can also disrupt
communications and render services such as text messages and communications unusable.

Propaganda Attacks

Attempts to control the minds and thoughts of people living in or fighting for a target
country. Propaganda can be used to expose embarrassing truths, spread lies to make people
lose trust in their country, or side with their enemies.

Economic Disruption

Most modern economic systems operate using computers. Attackers can target computer
networks of economic establishments such as stock markets, payment systems, and banks to
steal money or block people from accessing the funds they need.

Surprise Attacks

These are the cyber equivalent of attacks like Pearl Harbor and 9/11. The point is to carry out
a massive attack that the enemy isn’t expecting, enabling the attacker to weaken their
defenses. This can be done to prepare the ground for a physical attack in the context of hybrid
warfare.

Conducting Risk Assessments with Cyber Wargames

The best way to assess a nation’s readiness for cyber warfare is to conduct a real-life exercise
or simulation, also known as a cyber wargame.

A wargame can test how governments and private organizations respond to a cyber warfare
scenario, expose gaps in defenses, and improve cooperation between entities. Most
importantly, a wargame can help defenders learn how to act quickly to protect critical
infrastructure and save lives.

Cyber wargames can help cities, states, or countries improve readiness for cyber warfare by:

• Testing different situations – such as detecting attacks in early stages, or mitigating risks
after critical infrastructure has already been compromised.
• Testing unusual scenarios – attacks are never conducted “by the book”. By establishing a
red team that acts as the attackers and tries to find creative ways to breach a target system,
the defenders can learn how to mitigate real threats.
• Division of labor and cooperation mechanisms – cyber warfare requires many individuals
from different organizations and government units to collaborate. A cyber wargame can
bring together those people, who may not know each other, and help them decide how to
work together in the event of a crisis.
• Improving policies – governments may establish cyber warfare policies, but need to test
them in practice. A cyber wargame can test the effectiveness of policies and provide an
opportunity for improving them.

The Importance of Layered Defense

Under the pressure of cyber warfare, governments of many countries have issued operational
national security policies to protect their information infrastructure. These policies typically
use a layered defense approach, which includes:

• Securing the cyber ecosystem
• Raising awareness for cybersecurity
• Promoting open standards for combating cyber threats
• Implementing a national cybersecurity assurance framework
• Working with private organizations to improve their cybersecurity capabilities

Securing the Private Sector

A strategic factor in cyberwarfare is the resilience of local businesses to cyber-attacks.
Businesses need to tighten their security measures to reduce the benefits of an attack on a
nation-state. The following is a set of measures to ensure corporate cybersecurity, which can
promote national security:

• Create obstacles to breaching the network
• Use web application firewalls (WAF) to quickly detect, investigate, and block malicious
traffic
• Quickly respond to a breach and restore business operations
• Facilitate cooperation between the public and private sectors
• Use local hackers as a resource to help protect against foreign cyber threats

Classification of Cyber Crimes

Based on the subject of the crime, cybercrimes are classified into three broad groups:

1. Crimes against individuals – These are committed against individuals or their
properties. Some examples are:

• Email harassment
• Cyber-stalking
• Spreading obscene material
• Unauthorized access or control over the computer system
• Indecent exposure
• Spoofing via email
• Fraud and cheating
• Crimes against individual property, such as computer vandalism, transmitting a
virus, online trespassing, intellectual property-related crimes and internet time theft

2. Crimes against organizations – Some examples of cyber crimes against organizations
are:

• Possessing unauthorized information
• Cyber terrorism against a government organization
• Distributing pirated software

3. Crimes against society – Some examples of crimes against society are:

• Polluting the youth through indecent exposure
• Trafficking
• Financial crimes
• Selling illegal articles
• Online gambling
• Forgery

Apart from the ones listed above, crimes like hacking, denial of service attacks, e-mail bombing,
etc. are also present in cyberspace.

Provisions of Cyber Crimes in the IT Act, 2000

The sections of the IT Act, 2000 pertaining to cybercrimes are as follows:

Section 43 – Penalty for damage to a computer, computer system, etc.

This section applies if any person, without the permission of the owner or the person in charge
of a computer, system, or network –

• Accesses such computer, network or system.
• Copies, downloads or extracts any data or information from such computer, network or
system (this also includes the information or data stored in a removable storage
medium).
• Introduces, or causes to be introduced, any computer contaminant or virus into such
computer, network or system.
• Damages any computer, system or data or any other programs residing in them.
• Disrupts or causes disruption of any such computer, system or network.
• Denies or causes the denial of access to an authorized person to such computer,
system or network.
• Provides any assistance to anyone to facilitate access to such a computer, system or
network contrary to the provisions of the Act and its rules.
• Charges the services availed of by one person to the account of another by
tampering with such computer, system or network.

Penalty – Compensation, not exceeding one crore rupees, to the affected person.

Section 65 – Tampering with the computer’s source code documents

This section applies to a person who intentionally conceals, alters or destroys any computer
source code used for a computer, program, system or network when the law requires the owner
to keep or maintain the source code. It also applies to a person who intentionally causes another
person to do the same.

Penalty – Imprisonment of up to three years or a fine of up to two lakh rupees, also both in
some cases.

Section 66 – Hacking of a Computer System

This section applies to a person who commits hacking. Hacking is when the person intentionally
or knowingly causes a wrongful loss or damage to the public or another person or destroys or
deletes any information residing in a computer resource or diminishes its utility or value or
injures it by any means.

Penalty – Imprisonment of up to three years or a fine of up to two lakh rupees, also both in
some cases.

Section 67 – Publishing obscene information in an electronic form

This section applies to a person who publishes or transmits any obscene material – material
which is lascivious or appeals to the prurient interests or tends to deprave or corrupt persons who
are likely to read, see or hear the matter embodied in it. It also applies to a person who causes the
publishing or transmission of such material.

Penalty – In case of the first conviction, imprisonment of up to five years and a fine of up to one
lakh rupees. For subsequent convictions, imprisonment of up to 10 years and a fine of up to two
lakh rupees.

Section 74 – Publication with the intention of fraud

This section applies to a person who knowingly creates, publishes or makes available a digital
certificate with the intention of fraud.

Penalty – Imprisonment of up to two years or a fine of up to one lakh rupees, also both in some
cases.

Other Provisions relating to Cyber Crimes

Section 44 – Failure to furnish information, returns, etc.

This section applies to a person who

• Fails to furnish any document, return or report to the Controller or the Certifying
Authority
• Fails to file returns or furnish any information as per the regulations or fails to furnish
them in time
• Does not maintain the books of account or records

Penalty – The following penalties apply:

• A monetary fine of up to one lakh and fifty thousand rupees for each such failure
• A fine of up to five thousand rupees for every day if the failure continues
• A fine of up to ten thousand rupees for every day if the failure continues

Section 45 – Residuary Penalty

This section applies to a person who contravenes any rules under the IT Act, 2000, especially
those for which there are no special provisions.

Penalty – A compensation of up to twenty-five thousand rupees to the affected person.

Section 71 – Misrepresentation

This section applies to a person who makes any misrepresentation to or even suppresses any
material fact from the Controller or Certifying Authority to obtain the license or a digital
signature certificate.

Penalty – Imprisonment of up to two years or a fine of up to one lakh rupees, also both in some
cases.

Section 72 – Breach of confidentiality and privacy

This section applies to a person who, having secured access to any electronic record,
information or any other material, discloses it to another person without consent.

Penalty – Imprisonment of up to two years or a fine of up to one lakh rupees, also both in some
cases.

Section 73 – Publishing a Digital Certificate with incorrect details

This section applies to a person who publishes a digital certificate with the knowledge that –

• The Certifying Authority listed in the certificate has not issued it
• The subscriber listed in the certificate has not accepted it
• It is a revoked or suspended certificate

Penalty – Imprisonment of up to two years or a fine of up to one lakh rupees, also both in some
cases.

Section 74 – Publication with a fraudulent purpose

This section applies to a person who knowingly creates, publishes or makes available a digital
signature for fraudulent purposes.

Penalty – Imprisonment of up to two years or a fine of up to one lakh rupees, also both in some
cases.

Section 85 – Company Offences

(1) This section applies to a company that contravenes the provisions of the Act. In such
cases, all the people who were in charge of and responsible for the company’s conduct of
business, as well as the company itself, are guilty of the contravention. Further, those
responsible are liable for punishment. However, a person who was not aware of the
contravention is not liable.

(2) Notwithstanding anything contained in the sub-section (1), if it is proved that the
contravention was with the consent of, or due to the negligence of any director, manager or any
other officer, then such people are also held liable.

For the purposes of this section, “company” means any body corporate and also includes a firm
or other association of individuals.

Phishing definition

Phishing is a type of cyberattack that uses disguised email as a weapon. These attacks
use social engineering techniques to trick the email recipient into believing that the
message is something they want or need—a request from their bank, for instance, or a
note from someone in their company—and to click a link or download an attachment.

"Phish" is pronounced just like it's spelled, which is to say like the word "fish"—the
analogy is of an angler throwing a baited hook out there (the phishing email) and hoping
you bite.

Phishing emails can be targeted in several different ways, with some not being targeted at
all, some being "soft targeted" at someone playing a particular role in an organization,
and some being targeted at specific, high-value people.

Types of phishing

Another way to categorize these attacks is by who they target and how the messages are
sent. If there's a common denominator among phishing attacks, it's the disguise. The
attackers spoof their email address so it looks like it's coming from someone else, set up
fake websites that look like ones the victim trusts, and use foreign character sets to
disguise URLs.

That said, there are a variety of techniques that fall under the umbrella of phishing. Each
of these types of phishing is a variation on a theme, with the attacker masquerading as a
trusted entity of some kind, often a real or plausibly real person, or a company the victim
might do business with.

• Email phishing: With general, mass-market phishing attacks, emails are sent to millions
of potential victims to try to trick them into logging in to fake versions of very popular
websites.

Ironscales has tallied the most popular brands that hackers use in their phishing
attempts. Of the 50,000-plus fake login pages the company monitored, these were the top
brands attackers used:

➢ PayPal: 22%
➢ Microsoft: 19%
➢ Facebook: 15%
➢ eBay: 6%
➢ Amazon: 3%

• Spear phishing: When attackers craft a message to target a specific individual. For
instance, the spear phisher might target someone in the finance department and pretend
to be the victim's manager requesting a large bank transfer on short notice.

• Whaling: Whale phishing, or whaling, is a form of spear phishing aimed at the very big
fish—CEOs or other high-value targets like company board members.

Gathering enough information to trick a really high-value target might take time, but it
can have a surprisingly high payoff. In 2008, cybercriminals targeted corporate CEOs
with emails that claimed to have FBI subpoenas attached. In fact, they
downloaded keyloggers onto the executives' computers—and the scammers' success rate
was 10%, snagging almost 2,000 victims.

• Business email compromise (BEC): A type of targeted phishing attack in which
attackers purport to be a company’s CEO or other top executive, typically to get other
individuals in that organization to transfer money.

• Vishing and smishing: Phishing via phone call and text message, respectively.

Other types of phishing include clone phishing, snowshoeing, social media phishing, and
more—and the list grows as attackers are constantly evolving their tactics and techniques.

How phishing works

All the tools needed to launch phishing campaigns (known as phishing kits), as well as
mailing lists are readily available on the dark web, making it easy for cyber criminals,
even those with minimal technical skills, to pull off phishing attacks.

A phishing kit bundles phishing website resources and tools that need only be installed on
a server. Once installed, all the attacker needs to do is send out emails to potential
victims.

Some phishing kits allow attackers to spoof trusted brands, increasing the chances of
someone clicking on a fraudulent link. Akamai's research provided in its Phishing--
Baiting the Hook report found 62 kit variants for Microsoft, 14 for PayPal, seven for
DHL, and 11 for Dropbox.

The Duo Labs report, Phish in a Barrel, includes an analysis of phishing kit reuse. Of the
3,200 phishing kits that Duo discovered, 900 (27%) were found on more than one host.
That number might actually be higher, however. “Why don’t we see a higher percentage
of kit reuse? Perhaps because we were measuring based on the SHA1 hash of the kit
contents. A single change to just one file in the kit would appear as two separate kits even
when they are otherwise identical,” said Jordan Wright, a senior R&D engineer at Duo
and the report’s author.

Password Attack Definition

Password attacks involve exploiting a broken authorization vulnerability in the system
combined with automatic password attack tools that speed up the guessing and cracking of
passwords. The attacker uses various techniques to access and expose the credentials of a
legitimate user, assuming their identity and privileges. The username-password combination
is one of the oldest known account authentication techniques, so adversaries have had time to
craft multiple methods of obtaining guessable passwords. Additionally, applications that use
passwords as the sole authentication factor are vulnerable to password attacks since the
vulnerabilities are well understood.

Password attacks have far-reaching consequences since malicious users only require
unauthorized access to a single privileged account or a few user accounts to compromise the
web application. Depending on the data hosted by the application, compromised passwords
can pave the way for exposure of sensitive information, distributed denial-of-service,
financial fraud, and other sophisticated attacks.

Types of Password Attacks

Hackers typically rely on different techniques to obtain and authenticate with a legitimate
user’s password. These include:

Phishing Attacks

By far the most common form of password attack, a phishing attack involves a social
engineering technique in which the hacker masquerades as a trusted site by sending the
victim a malicious link. After assuming they are authenticating to a legitimate web server, the
victim clicks on this link, providing the attacker with their account credentials. Besides
identity theft, phishing attacks also foster Advanced Persistent Threats by allowing the
threat actor to gain permissions of an internal user, thereby allowing the attacker to
compromise more profound components of the system while remaining undetected. In
phishing attacks, adversaries commonly use multiple methods to trick the user into clicking
the malicious link, including:

1. DNS cache poisoning – Attackers leverage vulnerabilities in the application’s DNS server
to redirect user requests to a malicious site with a similar-looking domain name.

2. URL hijacking/typosquatting – The attacker creates a genuine-looking URL with subtle
differences from the website they want to impersonate. The attack then depends on users
making typing mistakes, so they land on the malicious page.

3. Tabnabbing – The attacker rewrites unattended browser tabs with malicious sites that look
like legitimate web pages.

4. UI redressing/iFrame overlay – The attacker places a link to the malicious page over a
legitimate, clickable button using transparent layers.

5. Clone phishing – In this attack, the attacker sends a copy of a legitimate email where the
links within the original email are replaced with URLs to malicious sites.

Brute-Force Password Attacks

This type of password attack employs trial-and-error methods to guess a user’s
authentication information. The bad actor uses automated scripts to work through as many
permutations as possible to guess the user’s password correctly. While it is a relatively old
method that requires a lot of patience and time, brute force is still standard in account
breach attempts since the attacks are automated and straightforward. There are several
types of brute force attacks:

1. Simple brute force attacks – A hacker uses logic and data about a user to guess the most
likely password. This technique is used for relatively simple passwords, such as those that
combine a pet’s name with a birth year.

2. Credential stuffing – This involves using previously exposed login combinations that
were maliciously obtained across vulnerable websites. In such attacks, hackers typically take
advantage of the fact that entities tend to re-use their username-password combinations across
multiple services.

3. Hybrid brute force attacks – An attacker combines simple weak password-guessing with
automated software that performs credential stuffing to uncover complex passwords. In most
production systems, entities use slight variations of passwords across different websites.
Attackers also rely on user data patterns across services to improve the accuracy of
credential stuffing tools.

4. Reverse brute force attacks – In this form of attack, a hacker starts with a known
password then searches for usernames that match it. As threat actors often have access to
multiple databases of leaked credentials, it is easy to identify common passwords within a
particular group of users.

Dictionary Password Attacks

This attack method uses a predefined list of words most likely to be used as passwords by a
specific target network. The predefined list is built from a website user’s behavioral patterns
and passwords obtained from previous data breaches. The lists are created by varying
common combinations of words by case, adding numeric suffixes & prefixes, and using
common phrases. These lists are passed to an automated tool, which attempts to authenticate
against a list of known usernames.

Password Spraying Attack

In this type of attack, the hacker attempts to authenticate using the same password on various
accounts before moving to another password. Password spraying is most effective since most
website users set simple passwords, and the technique does not violate lockout policies since it
uses several different accounts. Attackers mostly orchestrate password spraying in websites
where administrators set a standard default password for new users and unregistered
accounts.
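Brute force and password spraying leave different shapes in an authentication log, and the per-account lockout counter that the sprayer deliberately stays under is exactly what a detector must not rely on. The following Python is an added example, not code from the original notes: it classifies each source address in a constructed log excerpt, calling many failures against one account from one source brute force, and a few failures each against many accounts from one source, all under the lockout line, a spray. The log format, the lockout value of 5, the five-account threshold and the ten-minute window are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log in a simple syslog-like format (not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth result=FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03Z auth result=FAIL user=bob src=203.0.113.7
2024-05-01T10:00:05Z auth result=FAIL user=carol src=203.0.113.7
2024-05-01T10:00:07Z auth result=FAIL user=dave src=203.0.113.7
2024-05-01T10:00:09Z auth result=FAIL user=erin src=203.0.113.7
2024-05-01T10:00:11Z auth result=FAIL user=frank src=203.0.113.7
2024-05-01T10:00:13Z auth result=OK user=grace src=203.0.113.7
2024-05-01T10:01:00Z auth result=FAIL user=bob src=198.51.100.9
2024-05-01T10:01:02Z auth result=FAIL user=bob src=198.51.100.9
2024-05-01T10:01:04Z auth result=FAIL user=bob src=198.51.100.9
2024-05-01T10:01:06Z auth result=FAIL user=bob src=198.51.100.9
2024-05-01T10:01:08Z auth result=FAIL user=bob src=198.51.100.9
2024-05-01T10:01:10Z auth result=FAIL user=bob src=198.51.100.9
2024-05-01T10:01:12Z auth result=FAIL user=bob src=198.51.100.9
2024-05-01T10:01:14Z auth result=FAIL user=bob src=198.51.100.9
2024-05-01T10:02:00Z auth result=FAIL user=alice src=192.0.2.5
2024-05-01T10:02:04Z auth result=FAIL user=alice src=192.0.2.5
2024-05-01T10:02:10Z auth result=OK user=alice src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed policy values: accounts lock after 5 failures, so a sprayer keeps every account
# below that; five distinct accounts from one source inside the window is our spray line.
LOCKOUT_THRESHOLD = 5
SPRAY_MIN_ACCOUNTS = 5
WINDOW = timedelta(minutes=10)


def parse(log_text: str) -> list[tuple[datetime, str, str, str]]:
    """Turn log lines into (timestamp, result, user, source) tuples, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def analyse(events, window: timedelta = WINDOW) -> dict[str, dict]:
    """Classify each source address by the shape of its failures inside the window."""
    per_src = defaultdict(lambda: {"fails": defaultdict(int), "ok_after_fail": set(), "start": None})
    for ts, result, user, src in sorted(events):
        s = per_src[src]
        if s["start"] is None:
            s["start"] = ts
        if ts - s["start"] > window:      # one fixed window per source keeps the example short
            continue
        if result == "FAIL":
            s["fails"][user] += 1
        elif s["fails"]:                  # a success following failures from the same source
            s["ok_after_fail"].add(user)

    verdicts = {}
    for src, s in per_src.items():
        fails = s["fails"]
        if not fails:
            continue
        accounts, worst = len(fails), max(fails.values())
        if worst >= LOCKOUT_THRESHOLD:
            kind = "brute_force"          # hammering one account past the lockout line
        elif accounts >= SPRAY_MIN_ACCOUNTS:
            kind = "password_spray"       # many accounts, each kept under the lockout line
        else:
            kind = "benign"
        verdicts[src] = {
            "kind": kind,
            "accounts": accounts,
            "failures": sum(fails.values()),
            "max_per_account": worst,
            "success_after_failures": sorted(s["ok_after_fail"]),
        }
    return verdicts


if __name__ == "__main__":
    for src, verdict in analyse(parse(SAMPLE_LOG)).items():
        print(src, verdict)
```

The spray that ends in a success (grace in the sample) is the finding worth paging on: none of the per-account counters ever tripped, and only the per-source view shows that the sixth guess landed.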

Keylogging

While orchestrating a keylogging attack, a hacker installs monitoring tools on the user’s
computer to covertly record the keys struck by the user. A keylogger records all information
that users type into input forms and then sends it to the malicious third party. While
keyloggers often have legitimate uses in enterprise settings (UX improvement, employee
monitoring, etc.), attackers often use them to extract information such as login credentials
for unauthorized access.

Password Attack Example

One of the most common examples of a phishing password attack involves lying to the victim
that their account will be deactivated if they do not confirm their login details.

Assume the user utilizes services from a website with the URL: http://darwin.com

The attacker crafts phishing emails to the users, informing them that their account has been
compromised and their credit card and login details are needed to retain the account. The
email includes a link similar to: http://darw1n.com/confirm-details, pointing to the hacker’s
malicious website. The victim clicks on this link and is redirected to the fake confirmation
page, where they supply their legitimate login credentials. The hacker then collects these
credentials and uses them to access the victim’s legitimate account.
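The darwin.com / darw1n.com trick in the example above is one a mail filter can catch mechanically. The following Python is an added example, not code from the original notes: it pulls every link out of a constructed email body, folds look-alike glyphs (1 for l, 0 for o, rn for m and so on), measures the edit distance between each link's registrable domain and a constructed trust list (darwin.com is assumed to be the legitimate site), and also flags the case where a trusted name is buried as a subdomain of someone else's domain. The trust list, the homoglyph table, the two-label approximation of a registrable domain and the sample email are all assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed trust list (assumption: darwin.com is the legitimate site from the text's example).
TRUSTED_DOMAINS = ["darwin.com"]

# Characters and pairs commonly substituted in look-alike domains, mapped to what they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def normalize(label: str) -> str:
    """Fold visually confusable glyphs so that 'paypa1' and 'paypal' compare equal."""
    label = label.lower()
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) via the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix list, so co.uk-style TLDs are not handled)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_host(host: str) -> str:
    """Return 'trusted', 'nested:<real domain>', 'lookalike:<trusted name>' or 'unknown'."""
    host = host.lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # darwin.com.evil.example: the trusted name appears as labels inside another domain
        if ("." + trusted + ".") in ("." + host + "."):
            return f"nested:{domain}"
        # darw1n.com: one edit away, either literally or after folding confusable glyphs
        dist = min(edit_distance(domain, trusted),
                   edit_distance(normalize(domain), normalize(trusted)))
        if dist <= 1:
            return f"lookalike:{trusted}"
    return "unknown"


def flag_links(email_text: str) -> list[tuple[str, str]]:
    """Extract every URL from an email body and report the ones that are not trusted."""
    findings = []
    for url in URL_RE.findall(email_text):
        url = url.rstrip(".,;:)")
        verdict = classify_host(urlparse(url).hostname or "")
        if verdict != "trusted":
            findings.append((url, verdict))
    return findings


# Constructed phishing email modelled on the darwin.com example in the text.
SAMPLE_EMAIL = """\
Dear customer, your account will be deactivated unless you confirm your
details at http://darw1n.com/confirm-details within 24 hours.
Help is available at https://darwin.com/support or at
https://darwin.com.account-verify.example/login.
"""

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_EMAIL):
        print(f"{verdict:32} {url}")
```

The edit-distance test is deliberately run twice, once on the raw labels and once after glyph folding, because a registered look-alike may differ from the real name by a substitution the folding table does not know about; the folding catches the zero-distance cases such as paypa1, the raw distance catches single dropped or swapped letters.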

How to Prevent Password Attacks

Some best practices to prevent password attacks include:

Enforce strong password policies

Security administrators must enforce policies that ensure users follow set criteria to prevent
malicious actors from cracking their passwords. For example, the password should be a
minimum of 8 characters long and include special characters to avoid brute force attempts.
Additionally, passwords should not contain any personally identifying information, as this
may foster dictionary attacks. Users should also use unique passwords for each service and
rotate the passwords frequently to prevent attackers from using exposed credential databases
for password attacks.
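A server-side check that enforces the rules just listed, as an added Python example (not code from the original notes): minimum length, a special character, no embedded personal details, and rejection of any password that is in, or is a trivial mutation of, a known exposed-password list. The exposed-password set is a constructed placeholder for a real breach corpus, and the personal-information tokens are supplied by the caller from the user's profile.

```python
import re
import string

SPECIAL_CHARS = set(string.punctuation)

# Constructed sample of previously exposed passwords; a real deployment checks a breach
# corpus (for example through a k-anonymity range query) rather than an inline set.
EXPOSED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}


def check_password(password: str, personal_info=(), min_length: int = 8) -> list[str]:
    """Return the list of policy rules the candidate password breaks (empty means accepted)."""
    problems = []
    lowered = password.lower()

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(ch in SPECIAL_CHARS for ch in password):
        problems.append("no special character")

    # Personal details (name, pet, birth year, ...) are what a targeted dictionary attack
    # guesses first, so reject any password that embeds one of them.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")

    # Credential-stuffing and hybrid attacks try exposed passwords and their trivial
    # mutations, so compare both the literal value and its letters-only skeleton
    # ("Password1!" collapses to "password").
    skeleton = re.sub(r"[^a-z]", "", lowered)
    if lowered in EXPOSED_PASSWORDS:
        problems.append("appears in an exposed-password list")
    elif skeleton in EXPOSED_PASSWORDS:
        problems.append("variation of an exposed password")
    return problems


def password_accepted(password: str, personal_info=()) -> bool:
    """Convenience wrapper for the registration or change-password handler."""
    return not check_password(password, personal_info)


if __name__ == "__main__":
    for candidate in ["letmein", "Password1!", "Rex1990!!", "Tr0ub4dor&3x-plain"]:
        print(f"{candidate!r:24} {check_password(candidate, ['Rex', '1990']) or 'accepted'}")
```

Returning the full list of broken rules rather than a single boolean lets the user interface explain the rejection, which in practice is what stops users from responding with a one-character tweak that still fails.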

Organization-wide password security training

It is vital to ensure every user understands the criticality of a strong password policy and
follows the organization-wide awareness on password security. Additionally, every
application user should be aware of social engineering attacks that trick them into submitting
their credentials to malicious third parties.

Enable Multifactor Authentication

Passwords in themselves generally do not offer a complete user authentication solution.
Multifactor authentication involves the use of passwords in combination with extra security
checks. Some MFA implementations include the One-Time Password (OTP), biometric
authentication, software tokens, and behavioral analysis.

Use a password manager

The primary function of a password manager is to help web administrators store and manage
user credentials. Password management solutions also generate passwords for users following
strong policies and best practices. In addition, these tools store user credentials in strongly
encrypted databases, making them robustly secured from exposure in a data breach.

SQL injection

In this section, we'll explain what SQL injection (SQLi) is, describe some common examples,
explain how to find and exploit various kinds of SQL injection vulnerabilities, and
summarize how to prevent SQL injection.

What is SQL injection (SQLi)?

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with
the queries that an application makes to its database. It generally allows an attacker to view
data that they are not normally able to retrieve. This might include data belonging to other
users, or any other data that the application itself is able to access. In many cases, an attacker
can modify or delete this data, causing persistent changes to the application's content or
behavior.

In some situations, an attacker can escalate an SQL injection attack to compromise the
underlying server or other back-end infrastructure, or perform a denial-of-service attack.

What is the impact of a successful SQL injection attack?

A successful SQL injection attack can result in unauthorized access to sensitive data, such as
passwords, credit card details, or personal user information. Many high-profile data breaches
in recent years have been the result of SQL injection attacks, leading to reputational damage
and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an
organization's systems, leading to a long-term compromise that can go unnoticed for an
extended period.

SQL injection examples

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise
in different situations. Some common SQL injection examples include:

• Retrieving hidden data, where you can modify an SQL query to return additional results.
• Subverting application logic, where you can change a query to interfere with the
application's logic.
• UNION attacks, where you can retrieve data from different database tables.
• Examining the database, where you can extract information about the version and structure
of the database.
• Blind SQL injection, where the results of a query you control are not returned in the
application's responses.

Retrieving hidden data

Consider a shopping application that displays products in different categories. When the user
clicks on the Gifts category, their browser requests the URL:

https://insecure-website.com/products?category=Gifts

This causes the application to make an SQL query to retrieve details of the relevant products
from the database:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

This SQL query asks the database to return:

• all details (*)
• from the products table
• where the category is Gifts
• and released is 1.

The restriction released = 1 is being used to hide products that are not released. For
unreleased products, presumably released = 0.

The application doesn't implement any defenses against SQL injection attacks, so an attacker
can construct an attack like:

https://insecure-website.com/products?category=Gifts'--

This results in the SQL query:

SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1

The key thing here is that the double-dash sequence -- is a comment indicator in SQL, and
means that the rest of the query is interpreted as a comment. This effectively removes the
remainder of the query, so it no longer includes AND released = 1. This means that all
products are displayed, including unreleased products.

Going further, an attacker can cause the application to display all the products in any
category, including categories that they don't know about:

https://insecure-website.com/products?category=Gifts'+OR+1=1--

This results in the SQL query:

SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1

The modified query will return all items where either the category is Gifts, or 1 is equal to 1.
Since 1=1 is always true, the query will return all items.


Subverting application logic

Consider an application that lets users log in with a username and password. If a user submits
the username wiener and the password bluecheese, the application checks the credentials by
performing the following SQL query:

SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'

If the query returns the details of a user, then the login is successful. Otherwise, it is rejected.

Here, an attacker can log in as any user without a password simply by using the SQL
comment sequence -- to remove the password check from the WHERE clause of the query.
For example, submitting the username administrator'-- and a blank password results in the
following query:

SELECT * FROM users WHERE username = 'administrator'--' AND password = ''

This query returns the user whose username is administrator and successfully logs the
attacker in as that user.


Retrieving data from other database tables

In cases where the results of an SQL query are returned within the application's responses, an
attacker can leverage an SQL injection vulnerability to retrieve data from other tables within
the database. This is done using the UNION keyword, which lets you execute an
additional SELECT query and append the results to the original query.

For example, if an application executes the following query containing the user input "Gifts":

SELECT name, description FROM products WHERE category = 'Gifts'

then an attacker can submit the input:

' UNION SELECT username, password FROM users--

This will cause the application to return all usernames and passwords along with the names
and descriptions of products.


Examining the database

Following initial identification of an SQL injection vulnerability, it is generally useful to
obtain some information about the database itself. This information can often pave the way
for further exploitation.

You can query the version details for the database. The way that this is done depends on the
database type, so you can infer the database type from whichever technique works. For
example, on Oracle you can execute:

SELECT * FROM v$version

You can also determine what database tables exist, and which columns they contain. For
example, on most databases you can execute the following query to list the tables:

SELECT * FROM information_schema.tables
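The four scenarios above (hidden data, login bypass, UNION, examining the database), run end to end against an in-memory SQLite database: an added Python example, not code from the original notes or from PortSwigger's labs. Each vulnerable function builds its query by string concatenation exactly as the text describes and sits next to a parameterized version that receives the same input as a bound value, so the reader can see the same payload change one query's structure and be treated as a plain string by the other. The schema, the sample rows and the SQLite catalogue queries (sqlite_version() and sqlite_master are the SQLite counterparts of v$version and information_schema.tables) are assumptions for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema mirroring the shop and login examples in the text."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT, released INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES
            ('Mug', 'Company mug', 'Gifts', 1),
            ('Prototype gadget', 'Not yet announced', 'Gifts', 0),
            ('Hat', 'Branded hat', 'Clothing', 1);
        -- plaintext passwords only because the text's example compares them directly;
        -- a real application stores salted hashes
        INSERT INTO users VALUES ('wiener', 'bluecheese'), ('administrator', 'hunter2');
    """)
    return conn


# --- Vulnerable versions: the input is pasted into the SQL text, so a quote or a
# --- comment marker inside it rewrites the query's structure.

def products_vulnerable(conn, category):
    sql = "SELECT name FROM products WHERE category = '" + category + "' AND released = 1"
    return sorted(r[0] for r in conn.execute(sql))


def login_vulnerable(conn, username, password):
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, category):
    sql = "SELECT name, description FROM products WHERE category = '" + category + "'"
    return sorted(conn.execute(sql).fetchall())


# --- Hardened versions: the SQL text is a constant and the input travels as a bound
# --- parameter, so the database engine never parses it as SQL.

def products_safe(conn, category):
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(r[0] for r in conn.execute(sql, (category,)))


def login_safe(conn, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def search_safe(conn, category):
    sql = "SELECT name, description FROM products WHERE category = ?"
    return sorted(conn.execute(sql, (category,)).fetchall())


# --- "Examining the database" in SQLite terms: the engine version and the table catalogue.

def db_version(conn):
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


def list_tables(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = build_db()
    for payload in ["Gifts", "Gifts'--", "Gifts' OR 1=1--"]:
        print(repr(payload), products_vulnerable(db, payload), products_safe(db, payload))
    print(login_vulnerable(db, "administrator'--", ""), login_safe(db, "administrator'--", ""))
    union = "' UNION SELECT username, password FROM users--"
    print(search_vulnerable(db, union), search_safe(db, union))
    print(db_version(db), list_tables(db))
```

Parameterization covers values only: a table or column name, or an ORDER BY direction, taken from the request cannot be bound and still has to be checked against a fixed allow-list before it is spliced into the query text.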

Hacking :
Hacking may be defined as the technique or planning used to gain access to systems without
authorization; simply put, it is gaining access to a network or a computer for illegal purposes.
The people who do this are very intelligent and skilled with computers. People skilled in
hacking are divided into two categories:
1. Hackers :
Hackers are the good people who hack for good purposes and to gain more knowledge. They
generally find loopholes in a system and help its owners close them. Hackers are generally
programmers who have advanced knowledge of operating systems and programming
languages. These people never damage or harm any kind of data.
2. Crackers :
Crackers are the bad people who break into or violate a system or a computer remotely with
the intention of harming the data and stealing it. Crackers destroy data by gaining
unauthorized access to the network. Their work is always hidden, as they are doing illegal
things. They bypass the passwords of computers and social media websites, and can steal
your bank details and transfer money from your bank.

Difference between Hackers and Crackers :

Hacker: The good people who hack for knowledge purposes.
Cracker: The evil people who break into a system for their own benefit.

Hacker: They are skilled and have advanced knowledge of computer operating systems and
programming languages.
Cracker: They may or may not be skilled; some crackers just know a few tricks to steal data.

Hacker: They work in an organisation to help protect its data and give it expertise on
internet security.
Cracker: These are the people from whom hackers protect organisations.

Hacker: Hackers share their knowledge and never damage the data.
Cracker: If they find any loophole, they just delete or damage the data.

Hacker: Hackers are ethical professionals.
Cracker: Crackers are unethical and want to benefit themselves from illegal tasks.

Hacker: Hackers program or hack to check the integrity and vulnerability strength of a
network.
Cracker: Crackers do not make new tools but use someone else's tools for their cause and
harm the network.

Hacker: Hackers have legal certificates with them, e.g. CEH certificates.
Cracker: Crackers may or may not have certificates, as their motive is to stay anonymous.


Types of Hackers

Hackers can be classified into three different categories:

1. Black Hat Hacker
2. White Hat Hacker
3. Grey Hat Hacker



Black Hat Hacker

Black-hat hackers are also known as unethical hackers or security crackers. These people hack systems illegally to steal money or to achieve their own illegal goals. They find banks or other companies with weak security and steal money or credit card information. They can also modify or destroy data. Black hat hacking is illegal.

White Hat Hacker

White hat hackers are also known as ethical hackers or penetration testers. White hat hackers are the good guys of the hacker world.

These people use the same techniques as black hat hackers. They also hack systems, but only systems that they have permission to hack, in order to test their security. They focus on security and protecting IT systems. White hat hacking is legal.



Gray Hat Hacker

Gray hat hackers are a hybrid between black hat hackers and white hat hackers. They may hack any system, even if they don't have permission to test its security, but they will never steal money or damage the system.

In most cases, they tell the administrator of that system. But they are also acting illegally, because they test the security of systems that they do not have permission to test. Grey hat hacking is thus sometimes legal and sometimes not.

TYPES OF CYBERSECURITY THREATS

Just as some germs and diseases can attack the human body, numerous threats can affect
hardware, software, and the information you store. Some of the major ones include the
following:
• Viruses are designed so that they can be easily transmitted from one computer or system to
another. Often sent as email attachments, viruses corrupt and co-opt data, interfere with your
security settings, generate spam, and may even delete content.
• Computer worms are similar; they spread from one computer to the next by sending
themselves to all of the user’s contacts and subsequently to all contacts’ contacts.
• Trojans. These malicious pieces of software insert themselves into a legitimate program.
Often, people voluntarily let trojans into their systems in email messages from a person or an
advertiser they trust. As soon as the accompanying attachment is open, your system becomes
vulnerable to the malware within.
• Bogus security software tricks users into believing that their system has been infected
with a virus. The "security software" the threat actor then provides to fix the problem is what
actually causes it.
• The adware tracks your browsing habits and causes particular advertisements to pop up.
Although this is common and often something you may even agree to, adware is sometimes
imposed upon you without your consent.



• Spyware is an intrusion that may steal sensitive data such as passwords and credit card
numbers from your internal systems.
• A denial of service (DoS) attack occurs when hackers deluge a website with traffic, making it impossible to access its content. A distributed denial of service (DDoS) attack is more forceful and aggressive since it is initiated from several servers simultaneously. As a result, a DDoS attack is harder to mount defenses against.
• Phishing attacks are social engineering infiltrations whose goal is to obtain sensitive data, such as passwords and credit card numbers, illicitly. Via emails or links appearing to come from trusted companies and financial institutions, the hacker causes malware to be downloaded and installed.
• SQL injections are network threats that involve using malicious code to infiltrate cyber
vulnerabilities in data systems. As a result, data can be stolen, changed, or destroyed.
• Man-in-the-middle attacks involve a third party intercepting and exploiting
communications between two entities that should remain private. Eavesdropping occurs, but
information can be changed or misrepresented by the intruder, causing inaccuracy and even
security breaches.
• Rootkit tools gain remote access to systems without permission and can lead to the
installation of malware and the stealing of passwords and other data.

COMMON NETWORK VULNERABILITIES


Even seemingly minor flaws or oversights in the design or implementation of your network
systems can lead to disaster. Some of the most common network vulnerabilities include the
following gaps in your application security: when applications are not kept up-to-date,
tested, and patched, the doors are open to code injection, cross-site scripting, insecure direct
object references, and much more.

Risks = Threat Probability x Potential Impact

Risks/ Cybersecurity risks are the calculated potential damage/ loss/ destruction of an asset
in the event of vulnerabilities being exploited by threats causing the level of security to fall.

Risks are a function of threats, vulnerabilities, threat probability, and their potential impact. This is the key difference between a cyberthreat and a cybersecurity risk. In other words, a threat is the attack, breach or negative event itself, while the risk includes the probability of the threat and the impact it is capable of causing.

So, it is essential to understand both the nature of the threats facing the organization and the vulnerabilities that exist in its systems, networks, and applications. In order to minimize cyber risk, you must fix the vulnerabilities while also shielding unfixed ones using an intelligent and managed WAF like AppTrana, so that threat actors cannot identify and exploit them.

A Practical Example

• DDoS attacks are threats facing a business.
• Competitors who want to block legitimate users from gaining access to the website are one of the threat actors.
• To accomplish this objective, they inject a malicious payload into the website through a comments section that allows unsanitized inputs. (The acceptance of unsanitized inputs is the vulnerability.)
• The potential impact of DDoS attacks is that the business will face significant financial and reputational loss.
• The probability of a DDoS attack is high given that the website does not have multi-layered and always-on protection against such attacks; plus, the WAF is neither intelligent nor does it have a custom workflow.
• Therefore, the business is at a high risk of facing DDoS attacks, and its allowing unsanitized inputs in the comment section must be treated as a high-risk vulnerability.

Understanding the difference between cyber threats, vulnerabilities and risks enables you to communicate clearly with security teams and other stakeholders. Understanding the difference also enables you to assess risks effectively, understand how threats affect risks, design security solutions based on threat intelligence, and maintain a robust security posture.



What are Malware Threats on a Computer?

Malware is malicious software that is dangerous to the computer. Once installed, malware can harm the computer in different ways. To get a better understanding of malware threats, let's first find out how one gets malware on the computer.

Where Malware Threats Come From

Malware is spread on different websites on the Internet. Hackers are clever these days; they don't just insert malware into non-secure websites but also into legitimate websites. How do they do this?

Hackers use different techniques to lure in victims.

1. Social Engineering

Social engineering is a technique that makes a user want to give away personal information.
Think of it this way; a present is ready to be shipped, you just have to provide your address.

Who would refuse a present? If you are unaware of how malware works, you will fall for this trick. Rather than installing malware intrusively, they've developed a strategy for the user to install malware willingly.

By presenting malware in an engaging way, it is easy to convince users to install malware on their computer. What are the examples of social engineering?



Email

One example of a social engineering email is a fake email from a friend or family member. It may contain a message saying that there's a funny picture of you; click here to view the image.

This may trigger curiosity. Who doesn't want to see his own funny photo, right? If you have no idea that it's a form of social engineering, you will download the attachment and install malware without knowing it.

So how do you prevent malware from fake emails? Send your contact a separate email to confirm that the email is legitimate.

Fake Downloads

Social engineering can use a threat to convince their victim. You could just be browsing the
Internet, suddenly a message flashes on the screen saying that there’s a threat detected, click
here to download an antivirus.

Don’t fall for this trick. Threats can be resolved by downloading a trustworthy antivirus
software.

Phishing Link

Do you know that a phishing link leads to a fake login page that collects information and installs malware? This is most common in game cheats and hacks. A hacker can easily add a link that redirects the user to a fake website that contains dangerous malware.

So how to avoid phishing links? Use the free website scanner on the Internet to verify if the
link is safe. You may use Website Inspector by Comodo or other third party websites.

2. Website Cookie Exploitation

Cookies are sent from a browser to a server over a secure HTTPS connection. However,
hackers have found a way to inject fake cookies that can bypass HTTPS security.

These malicious cookies can be used to install malware such as Trojan and to redirect the
user to a fake website.

Now that we know where malware threats come from, what are malware threats exactly?

Malware is an application that is designed to steal personal information and destroy computer
data without being exposed. Hackers use different types of malware to invade the computer.



What are the types of Malware

Virus

A virus is self-replicating malware that infects the computer through an executable file. It is attached to a file that the user must run first for the virus to spread. Note that it cannot activate itself without human help.

Worm

A worm is the opposite of a virus. Where a virus needs a human action to replicate, a worm can spread independently. Once installed, a worm replicates fast and consumes computer memory, which leads to low disk space and reduced computer performance.

Trojan

A trojan is a type of malware that is used to gain control over the computer. A trojan installs other types of malware used to manipulate the computer without the user's knowledge. This allows hackers to use the computer to carry out cybercrimes.

Spyware

Spyware is used to monitor computer activities to gather personal information. Spyware allows hackers to view emails, listen to phone calls, and watch the victim through the webcam.

Keylogger

Keylogger exposes the passwords by recording each key pressed on the keyboard. It is used
to steal account information.

Rootkit

A rootkit targets the operating system, making it hard to detect. A rootkit is invisible in Task Manager since it is built into the operating system of the computer. It is used to conceal malware activities on the computer. It is often bundled with other malware to steal bank account information.

Sniffing

Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools. It is a form of “tapping phone wires” to learn about the conversation; it is also called wiretapping applied to computer networks.
There is a real possibility that if a set of enterprise switch ports is open, one of the employees can sniff the whole traffic of the network. Anyone in the same physical location can plug into the network using an Ethernet cable, or connect wirelessly to that network, and sniff the total traffic.
In other words, sniffing allows you to see all sorts of traffic, both protected and unprotected. In the right conditions and with the right protocols in place, an attacking party may be able to gather information that can be used for further attacks or to cause other issues for the network or system owner.
What can be sniffed?
One can sniff the following sensitive information from a network −

• Email traffic
• FTP passwords
• Web traffics
• Telnet passwords
• Router configuration
• Chat sessions
• DNS traffic
How it works
A sniffer normally switches the NIC of the system into promiscuous mode so that it listens to all the data transmitted on its segment.
Promiscuous mode is a mode of Ethernet hardware, in particular network interface cards (NICs), that allows a NIC to receive all traffic on the network, even traffic not addressed to this NIC. By default, a NIC ignores all traffic that is not addressed to it, which it does by comparing the destination address of the Ethernet frame with the hardware address (a.k.a. MAC) of the device. While this makes perfect sense for networking, non-promiscuous mode makes it difficult to use network monitoring and analysis software for diagnosing connectivity issues or traffic accounting.



A sniffer can continuously monitor all the traffic to a computer through the NIC by decoding
the information encapsulated in the data packets.

Types of Sniffing

Sniffing can be either Active or Passive in nature.


Passive Sniffing
In passive sniffing, the traffic is captured but not altered in any way. Passive sniffing allows listening only. It works with hub devices. On a hub, the traffic is sent to all the ports, so in a network that uses hubs to connect systems, all hosts on the network can see the traffic. Therefore, an attacker can easily capture the traffic going through.
The good news is that hubs are almost obsolete nowadays. Most modern networks use switches. Hence, passive sniffing is no longer effective.
Active Sniffing
In active sniffing, the traffic is not only captured and monitored, but it may also be altered in some way as determined by the attack. Active sniffing is used to sniff a switch-based network. It involves injecting Address Resolution Protocol (ARP) packets into a target network to flood the switch's content addressable memory (CAM) table. The CAM table keeps track of which host is connected to which port.
Following are the Active Sniffing Techniques −

• MAC Flooding
• DHCP Attacks
• DNS Poisoning
• Spoofing Attacks
• ARP Poisoning
Protocols which are affected

Protocols such as the tried and true TCP/IP suite were never designed with security in mind and therefore do not offer much resistance to potential intruders. Several protocols lend themselves to easy sniffing −
• HTTP − It is used to send information in clear text without any encryption and is thus a real target.
• SMTP (Simple Mail Transfer Protocol) − SMTP is basically utilized in the transfer of emails. This protocol is efficient, but it does not include any protection against sniffing.
• NNTP (Network News Transfer Protocol) − It is used for all types of communications, but its main drawback is that data and even passwords are sent over the network as clear text.
• POP (Post Office Protocol) − POP is strictly used to receive emails from the servers. This protocol does not include protection against sniffing, so its traffic can be trapped.
• FTP (File Transfer Protocol) − FTP is used to send and receive files, but it does not offer any security features. All the data is sent as clear text that can be easily sniffed.
• IMAP (Internet Message Access Protocol) − IMAP is the same as SMTP in its functions, but it is highly vulnerable to sniffing.
• Telnet − Telnet sends everything (usernames, passwords, keystrokes) over the network as clear text and hence, it can be easily sniffed.
Sniffers are not the dumb utilities that allow you to view only live traffic. If you really want
to analyze each packet, save the capture and review it whenever time allows.
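Two things follow from the "how it works" and "protocols affected" passages for a defender: a NIC left in promiscuous mode is a visible artifact, and every flow still using one of the cleartext protocols listed above is an exposure to inventory and migrate. The following is an added Python example, not code from the notes, that does both: it decodes the Linux interface flags word (IFF_PROMISC is bit 0x100) and audits a set of flow records against the cleartext ports. The flow records, hosts and the cleartext-to-encrypted pairing are this example's own assumptions.

```python
from dataclasses import dataclass

# Default ports of the cleartext protocols listed in the notes, paired with the
# encrypted replacement an operator would migrate to (standard IANA ports; the
# pairing is this example's assumption, not a statement from the notes).
CLEARTEXT_PORTS = {
    21: ("FTP", "SFTP or FTPS"),
    23: ("Telnet", "SSH"),
    25: ("SMTP", "SMTP with STARTTLS or SMTPS (465)"),
    80: ("HTTP", "HTTPS (443)"),
    110: ("POP3", "POP3S (995)"),
    119: ("NNTP", "NNTPS (563)"),
    143: ("IMAP", "IMAPS (993)"),
}

IFF_PROMISC = 0x100  # Linux net_device flag bit set while a NIC is in promiscuous mode


def is_promiscuous(flags_hex: str) -> bool:
    """Interpret the text of /sys/class/net/<iface>/flags, e.g. '0x1103'.

    The kernel exposes interface flags as a hex word; a sniffer that switched
    the NIC to promiscuous mode leaves IFF_PROMISC set in it.
    """
    return bool(int(flags_hex, 16) & IFF_PROMISC)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def audit_flows(flows):
    """Return one finding per flow that carries a sniffable cleartext protocol."""
    findings = []
    for f in flows:
        if f.proto == "tcp" and f.dport in CLEARTEXT_PORTS:
            name, replacement = CLEARTEXT_PORTS[f.dport]
            findings.append({
                "src": f.src, "dst": f.dst, "protocol": name,
                "recommendation": f"migrate to {replacement}",
            })
    return findings


# Constructed flow records, as a NetFlow or conntrack export might summarise them.
SAMPLE_FLOWS = [
    Flow("10.0.5.12", "10.0.5.2", 23),          # Telnet session to a switch
    Flow("10.0.5.12", "10.0.7.40", 443),        # HTTPS, fine
    Flow("10.0.5.31", "10.0.7.41", 110),        # POP3 mailbox check
    Flow("10.0.5.31", "10.0.7.41", 993),        # IMAPS, fine
    Flow("10.0.5.44", "10.0.7.50", 21),         # FTP upload
    Flow("10.0.5.44", "10.0.7.53", 53, "udp"),  # DNS, outside the list above
]


def summarise(flows=SAMPLE_FLOWS):
    """Count findings per protocol so the worst offenders surface first."""
    counts = {}
    for finding in audit_flows(flows):
        counts[finding["protocol"]] = counts.get(finding["protocol"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
    print(summarise())
    print("eth0 promiscuous:", is_promiscuous("0x1103"))
```

In practice the flow list comes from the switch or firewall's flow export, and the flags word from reading the sysfs file on each Linux host; a value with IFF_PROMISC set on a machine that is not a designated monitoring sensor is worth an alert.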

Hardware Protocol Analyzers

Before we go into further details of sniffers, it is important that we discuss hardware protocol analyzers. These devices plug into the network at the hardware level and can monitor traffic without manipulating it.
• Hardware protocol analyzers are used to monitor and identify malicious network
traffic generated by hacking software installed in the system.
• They capture a data packet, decode it, and analyze its content according to certain
rules.
• Hardware protocol analyzers allow attackers to see individual data bytes of each
packet passing through the cable.
These hardware devices are not readily available to most ethical hackers due to their
enormous cost in many cases.

Lawful Interception

Lawful Interception (LI) is defined as legally sanctioned access to communications network data such as telephone calls or email messages. LI must always be in pursuance of a lawful authority for the purpose of analysis or evidence. Therefore, LI is a security process in which a network operator or service provider gives law enforcement officials permission to access private communications of individuals or organizations.
Almost all countries have drafted and enacted legislation to regulate lawful interception
procedures; standardization groups are creating LI technology specifications. Usually, LI
activities are taken for the purpose of infrastructure protection and cyber security. However,
operators of private network infrastructures can maintain LI capabilities within their own
networks as an inherent right, unless otherwise prohibited.



LI was formerly known as wiretapping and has existed since the inception of electronic
communications.

Privilege escalation

Privilege escalation is a common threat vector for adversaries, which allows them to enter
organizations’ IT infrastructure and seek permissions to steal sensitive data, disrupt
operations and create backdoors for future attacks. Elevated privileges open doors for
attackers to mess with security settings, configurations and data; they often get access to
lower privilege accounts first and then use them to obtain high-level privileges and gain full
access to organization’s IT environment.

Unfortunately, it is often easy for even unsophisticated hackers to obtain and escalate
privileges because many organizations lack adequate security measures and controls, such as
rigorously enforcing the principle of least privilege and knowing what sensitive data they
have and where it is stored so they can harden its security.

Horizontal vs vertical privilege escalation

Generally, privilege escalation is a type of activity when a hacker is exploiting a bug, taking
advantage of configuration oversight and programming errors, or using any vulnerabilities in
a system or application to gain elevated access to protected resources. Normally, this happens
when an attacker has already done reconnaissance and successfully compromised a system by
gaining access to a low-level account. In this phase, an attacker wants to have a strong grip
on the system and seeks ways to heighten the privileges, either to study the system further or
perform an attack.

There are two types of privilege escalation:

• Horizontal privilege escalation — This attack involves a hacker simply taking over
someone else’s account. For example, one internet banking user might gain access to the
account of another user by learning their ID and password. In horizontal privilege escalation,
the attacker does not actively seek to upgrade the privileges associated with the account they
have compromised, but simply to misuse them by assuming the identity of the other user.
• Vertical privilege escalation (aka elevation of privilege or EoP) — Here, a malicious user gains access to a lower-level account and uses it to gain higher-level privileges. For example, a hacker might compromise a user's internet banking account and then try to get access to site administrative functions. Vertical privilege escalation requires more sophisticated attack techniques than horizontal privilege escalation, such as hacking tools that help the attacker gain elevated access to systems and data.

How does privilege escalation attack happen?



Attackers who try to perform unauthorized actions and obtain high-level privileges often use so-called privilege escalation exploits. Exploits are pieces of code whose goal is to deliver a particular payload. The payload targets a known weakness in the operating system or software components. Executing a privilege escalation exploit later enables them to steal or damage data, disrupt operations or set up persistence on the network to perform further attacks. Typically a privilege escalation attack consists of five steps:

1. Find a vulnerability
2. Create the related privilege escalation exploit
3. Use the exploit on a system
4. Check if it successfully exploits the system
5. Gain additional privileges

Privilege escalation techniques

An attacker’s goal in a privilege escalation attack is to obtain high-level privileges (e.g. root
privileges) and make their way to critical IT systems without being noticed. There are
multiple privilege escalation techniques that attackers use to accomplish this. Let’s explore
three of the most common ones:

• Manipulating access tokens
• Bypassing user account control
• Using valid accounts

Technique 1: Access Token Manipulation.

How it happens?

This privilege escalation technique exploits the way Windows manages admin privileges.
Normally, Windows makes use of access tokens to determine the owners of all running
processes, e.g. when a thread interacts with a securable object or tries to perform a system
task that requires certain privileges.

In case of an access token manipulation, hacker’s main task is to fool the system into
believing that the running processes belong to someone other than the user that actually
started the process. When this happens, the process also takes on the security context
associated with the new token.

Adversaries can leverage access tokens through three methods:

1. Impersonate or steal a token – An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with the ImpersonateLoggedOnUser function to enable the calling thread to impersonate a logged-on user's security context, or with the SetThreadToken function to assign the impersonated token to a thread.
2. Create Process with a Token – This happens when an adversary creates a new access token with the DuplicateToken(Ex) function and uses it with the CreateProcessWithTokenW function to create a new process that runs under the security context of the impersonated user. This may be useful for creating a new process under the security context of a different user.
3. Make and Impersonate Token – In this method, an adversary has a username and password, but the user is not logged onto the system. The adversary can then create a logon session for the user with the help of LogonUser. The function returns a copy of the new session's access token, and the adversary can then use SetThreadToken to assign the token to a thread.
How to mitigate this threat?

Access tokens are an integral part of the security system within Windows and cannot be
turned off. However, an attacker must already have administrator level access to make full
use of this technique. Therefore, you need to assign access rights in accordance with the
least-privilege principle and make sure that all the access rights are regularly reviewed. You
also need to keep a close eye on privileged accounts to promptly respond to signs of
suspicious activity performed by these accounts.

Technique 2: Bypassing User Account Control.

How it happens?

Windows has a well-structured mechanism for controlling privileges of all users in the
network. The user account control (UAC) feature serves as a gate between normal users and
users with admin privileges. It limits application software to standard user permissions until
an administrator authorizes an increase of privileges. In this way, only applications trusted by
the user may receive administrative privileges, which prevents malware from compromising
the operating system.

However, this mechanism has security gaps. If the UAC protection level of a computer is set
to anything but the highest level, some Windows programs are allowed to elevate privileges
or execute Component Object Model (COM) objects that are elevated without prompting a
user first. An example of this is use of rundll32.exe to load a specifically crafted Dynamic
Link Library (DLL), which loads a COM object that already has elevated privileges. This
performs file operations even in protected directories and opens the UAC mechanism to
compromise from attackers.

How to mitigate this threat?

You need to check your IT environment for common UAC bypass weaknesses regularly to be
aware of current risks to your systems and address issues where appropriate. Another good
practice is to regularly review which accounts are in your local administrator groups on
systems and remove regular users from these groups.



Technique 3: Using Valid Accounts.

How it happens?

Adversaries can use Credential Access techniques (e.g. Credential Dumping, Account
Manipulation and other) to obtain the credentials of specific user accounts, or steal them
through social engineering. As soon as attackers get access to organization’s network, they
can use compromised credentials to bypass access controls placed on various resources on IT
systems, or any other security restrictions, and may even gain access to remote systems and
services, e.g. VPNs, Outlook Web Access and remote desktop. One of the main concerns
here is the overlap of credentials and permissions across the network, because adversaries
may be able to switch between accounts and systems to reach a higher level of access (i.e.,
domain or enterprise administrator).

How to mitigate this threat?

One of the simplest, yet most effective ways to mitigate this threat is to change passwords of
administrative accounts regularly and enforce strong password policy (e.g. ensure that local
administrator accounts have complex, unique passwords across all systems).

It is also essential to monitor what is going on in your IT environment to detect techniques like Credential Dumping. Limit credential overlap across systems to further reduce the risk of unauthorized access in case adversaries obtain account credentials, and do not put user or admin domain accounts in the local administrator groups unless they are tightly controlled.
Finally, you need to monitor user behavior and keep an eye on what permission level each
user has to quickly detect adversaries’ activities.
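The mitigations for techniques 2 and 3 come down to two recurring reviews: who is in the local Administrators group on each system, and which admin accounts are reused across many systems (credential overlap). The following is an added Python example, not code from the notes, that runs both checks over an inventory of local-group memberships. The host names, accounts and the list of expected members are constructed for the demonstration; a real environment feeds this from its configuration-management or endpoint-management export.

```python
from collections import Counter

# Constructed inventory (not from the notes): host -> members of its local
# Administrators group, as an endpoint-management export might list them.
INVENTORY = {
    "WS-001": ["CORP\\Domain Admins", "WS-001\\Administrator", "CORP\\jsmith"],
    "WS-002": ["CORP\\Domain Admins", "WS-002\\Administrator", "CORP\\jsmith",
               "CORP\\helpdesk-svc"],
    "SRV-DB1": ["CORP\\Domain Admins", "SRV-DB1\\Administrator", "CORP\\helpdesk-svc",
                "CORP\\Domain Users"],
}

# Principals expected to hold local admin rights everywhere (an assumption of
# this example; a real environment keeps this list in policy).
EXPECTED = {"CORP\\Domain Admins"}


def review_local_admins(inventory, expected=EXPECTED, overlap_threshold=2):
    """Flag unexpected members and accounts holding admin on many hosts.

    Returns {"unexpected": {host: [member, ...]},
             "credential_overlap": [member, ...]}.
    """
    unexpected = {}
    hosts_per_member = Counter()
    for host, members in inventory.items():
        for member in members:
            domain, _, name = member.partition("\\")
            if member in expected:
                continue
            # The built-in local Administrator of the host itself is expected;
            # the same account name from another machine or domain is not.
            if domain == host and name.lower() == "administrator":
                continue
            unexpected.setdefault(host, []).append(member)
            hosts_per_member[member] += 1
    # An account that is admin on several hosts lets a compromise of one host
    # carry over to the others (the credential overlap the notes warn about).
    overlap = sorted(m for m, n in hosts_per_member.items() if n >= overlap_threshold)
    return {"unexpected": unexpected, "credential_overlap": overlap}


if __name__ == "__main__":
    report = review_local_admins(INVENTORY)
    for host, members in report["unexpected"].items():
        print(f"{host}: review and remove {', '.join(members)}")
    print("admin on several hosts (credential overlap):", report["credential_overlap"])
```

Group entries such as "CORP\Domain Users" are flagged like any other member, which is the right outcome: adding a broad domain group to a local Administrators group grants every domain user admin rights on that host.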

Trojans and Backdoors:-

Trojans and backdoors are types of malware used to infect and compromise computer systems. A trojan is a malicious program disguised as something benign. In many cases, the trojan appears to perform a desirable function for the user but actually allows a hacker access to the user's computer system. Trojans are often downloaded along with another program or software package.



Once installed on a system, they can cause data theft and loss, as well as system crashes or slowdowns. Trojans can also be used as launching points for other attacks, such as a distributed denial of service (DDoS). Many trojans are used to manipulate files on the victim computer, manage processes, remotely run commands, intercept keystrokes, watch screen images, and restart or shut down infected hosts.

Trojans ride on the backs of other programs and are usually installed on a system without the user's knowledge. A trojan can be sent to a victim system in many ways, such as the following:

1. An instant messenger (IM) attachment
2. IRC
3. An email attachment
4. NetBIOS file sharing
5. A downloaded Internet program
Types of Trojans
Trojans can be created and used to perform different attacks. Here are some of the most common types of trojans:

1. Remote Access Trojans (RATs), used to gain remote access to a system.
2. Destructive trojans, used to delete or corrupt files on a system.
3. Denial-of-service trojans, used to launch a denial-of-service attack.
4. Security software disabler trojans, used to stop antivirus software.
How the Netcat Trojan Works
Netcat is a trojan that uses a command-line interface to open TCP or UDP ports on a target system. A hacker can then telnet to those open ports and gain shell access to the target system. Exercise 5.1 shows you how to use Netcat.

Trojan Construction Kits and Trojan Makers:

Several trojan-generator tools enable hackers to create their own trojans. Such toolkits help hackers construct trojans that can be customized. These tools can be dangerous and can backfire if not executed properly. New trojans created by hackers usually have the added benefit of passing undetected through virus-scanning and trojan-scanning tools because they don't match any known signatures. Some of the trojan kits available in the wild are Senna Spy Generator, the Trojan Horse Construction Kit v2.0, Progenic Mail Trojan Construction Kit, and Pandora's Box.

Viruses and Worms

Viruses and worms can be used to infect a system and modify it to allow a hacker to gain access. Many viruses and worms carry trojans and backdoors. In this way, a virus or worm is a carrier and allows malicious code such as trojans and backdoors to be transferred from system to system, much in the way that contact between people allows germs to spread.



A virus and a worm are similar in that they're both forms of malicious software (malware). A virus infects another executable and uses this carrier program to spread itself. The virus code is injected into the previously benign program and is spread when the program is run. Examples of virus carrier programs are macros, games, email attachments, Visual Basic scripts, and animations.

A worm is similar to a virus in many ways but does not need a carrier program. A worm can self-replicate and move from an infected host to another host.

Types of Viruses
Viruses are classified according to two factors: what they infect and how they infect. A virus can infect the following components of a system:

1. System sectors
2. Files
3. Macros (such as Microsoft Word macros)
4. Companion files (supporting system files like DLL and INI files)
5. Disk clusters
6. Batch files (BAT files)
7. Source code
Viruses are categorized according to their infection technique, as follows:

1. Polymorphic viruses
These viruses encrypt their code differently with each infection and can change into different forms to try to evade detection.

2. Stealth viruses
These viruses hide the normal virus characteristics, such as by modifying the original time and date stamp of the file so as to prevent the virus from being noticed as a new file on the system.

3. Armored viruses
These viruses are encrypted to prevent detection.

4. Multipartite viruses
These advanced viruses create multiple infections.

5. NTFS and Active Directory viruses
These viruses specifically attack the NT file system or Active Directory on Windows systems.

Virus Detection Methods:-

The following techniques are used to detect viruses:

1. Scanning
2. Integrity checking with checksums
3. Interception based on a virus signature

The process of virus detection and removal is as follows:

1. Detect the attack as a virus. Not all anomalous behavior can be attributed to a
virus.
2. Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe,
netstat.exe, and pslist.exe, and map commonalities between affected systems.
3. Detect the virus payload by looking for altered, replaced, or deleted files.
New files, changed file attributes, or shared library files should be checked.
4. Acquire the infection vector and isolate it. Then, update your antivirus
definitions and rescan all systems.
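The following is an added example, not taken from these notes, showing the first two detection techniques listed above (signature scanning and integrity checking with checksums) and the altered/new/deleted file evidence that step 3 of the removal process looks for, run over a constructed set of in-memory files. The EICAR string is the real industry-standard test pattern; the "Test.Marker" signature, the file names and their contents are constructed for this example.

```python
import hashlib
import re
from typing import Dict, List

# Constructed signature database (name -> compiled pattern over raw bytes).
# EICAR is the harmless, industry-standard test string every scanner flags;
# "Test.Marker" is a hypothetical pattern standing in for a real malware signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {
    "EICAR-Test-File": re.compile(re.escape(EICAR)),
    "Test.Marker": re.compile(rb"TESTVIRUS-MARKER-\d{4}"),
}


def scan(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Technique 1, scanning: return {path: [names of the signatures that matched]}."""
    hits: Dict[str, List[str]] = {}
    for path, data in files.items():
        names = [name for name, rx in SIGNATURES.items() if rx.search(data)]
        if names:
            hits[path] = names
    return hits


def checksum(data: bytes) -> str:
    """SHA-256 of the file content. A cryptographic hash is used rather than a CRC,
    so an infection cannot simply pad the file to keep the old checksum."""
    return hashlib.sha256(data).hexdigest()


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Technique 2, integrity checking: record a checksum per file while the system is clean."""
    return {path: checksum(data) for path, data in files.items()}


def integrity_check(base: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current state with the baseline and report altered, new and
    deleted files (the payload evidence step 3 of the removal process looks for)."""
    altered = sorted(p for p in files if p in base and checksum(files[p]) != base[p])
    new = sorted(p for p in files if p not in base)
    deleted = sorted(p for p in base if p not in files)
    return {"altered": altered, "new": new, "deleted": deleted}


def unsignatured_changes(base: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Files the integrity check flags but no signature matched: the case the notes
    describe where a new or polymorphic virus passes a scanner undetected."""
    hits = scan(files)
    report = integrity_check(base, files)
    return sorted(p for p in report["altered"] + report["new"] if p not in hits)


# Constructed sample file sets (in-memory stand-ins for a real directory tree).
CLEAN = {
    "app.exe": b"MZ\x90\x00 benign program body",
    "lib.dll": b"MZ shared library",
    "notes.txt": b"quarterly report draft",
    "config.ini": b"[settings]\nupdate=daily\n",
}
INFECTED = {
    "app.exe": CLEAN["app.exe"] + b"\nTESTVIRUS-MARKER-0001",  # infected carrier, known signature
    "lib.dll": b"MZ shared library\x00\x01\x02",               # modified, matches no signature
    "notes.txt": CLEAN["notes.txt"],                            # untouched
    "dropped.txt": EICAR,                                       # new file written by the "virus"
    # config.ini is absent: deleted by the infection
}

if __name__ == "__main__":
    base = baseline(CLEAN)
    print("scan hits:", scan(INFECTED))
    print("integrity:", integrity_check(base, INFECTED))
    print("changed but matched by no signature:", unsignatured_changes(base, INFECTED))
```

Only the integrity check catches lib.dll, which is why checksum baselines complement signature scanning when a virus does not match any known signature.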

Cyber Forensics

Cyber forensics is a process of extracting data as proof for a crime (that involves electronic
devices) while following proper investigation rules to nab the culprit by presenting the
evidence to the court. Cyber forensics is also known as computer forensics. The main aim
of cyber forensics is to maintain the thread of evidence and documentation to find out who
did the crime digitally. Cyber forensics can do the following:
• It can recover deleted files, chat logs, emails, etc.
• It can also recover deleted SMS and phone calls.
• It can get recorded audio of phone conversations.
• It can determine which user used which system and for how much time.
• It can identify which user ran which program.

Why is cyber forensics important?

In today's technology-driven generation, the importance of cyber forensics is immense.
Technology combined with forensic science paves the way for quicker investigations and
accurate results. Below are the points depicting the importance of cyber forensics:
• Cyber forensics helps in collecting important digital evidence to trace the criminal.
• Electronic equipment stores massive amounts of data that a normal person fails to see.
For example, in a smart house, every word we speak and every action performed by smart
devices generates huge amounts of data, which is crucial in cyber forensics.
• It is also helpful for innocent people to prove their innocence via the evidence
collected online.
• It is not only used to solve digital crimes but also used to solve real-world crimes like
theft cases, murder, etc.
• Businesses benefit equally from cyber forensics in tracking system breaches and
finding the attackers.

How do Cyber Forensics Experts work?

Cyber forensics is a field that follows certain procedures to find the evidence to reach
conclusions after proper investigation of matters. The procedures that cyber forensic
experts follow are:
• Identification: The first step for cyber forensics experts is to identify what evidence is
present, where it is stored, and in which format it is stored.
• Preservation: After identifying the data, the next step is to safely preserve the data and
not allow other people to use that device so that no one can tamper with the data.
• Analysis: After getting the data, the next step is to analyze the data or system. Here the
expert recovers the deleted files and verifies the recovered data and finds the evidence
that the criminal tried to erase by deleting secret files. This process might take several
iterations to reach the final conclusion.
• Documentation: After analyzing the data, a record is created. This record contains all
the recovered and available (not deleted) data, which helps in recreating the crime scene
and reviewing it.
• Presentation: This is the final step in which the analyzed data is presented in front of
the court to solve cases.
• Database forensics: This branch of forensics examines and analyzes the data from
databases and their related metadata.
• Disk forensics: This branch of forensics extracts data from storage media by searching
modified, active, or deleted files.

Techniques that cyber forensic investigators use

Cyber forensic investigators use various techniques and tools to examine the data and some
of the commonly used techniques are:
• Reverse steganography: Steganography is a method of hiding important data inside
the digital file, image, etc. So, cyber forensic experts do reverse steganography to
analyze the data and find a relation with the case.
• Stochastic forensics: In Stochastic forensics, the experts analyze and reconstruct
digital activity without using digital artifacts. Here, artifacts mean unintended
alterations of data that occur from digital processes.
• Cross-drive analysis: In this process, the information found on multiple computer
drives is correlated and cross-referenced to analyze and preserve information that is
relevant to the investigation.
• Live analysis: In this technique, the suspect's computer is analyzed from within the
OS while it is running. It aims at the volatile data in RAM to get valuable
information.
• Deleted file recovery: This includes searching memory for fragments of a
partially deleted file in order to recover it for evidence purposes.

Advantages

• Cyber forensics ensures the integrity of the computer.
• Through cyber forensics, many people, companies, etc. get to know about such crimes,
and can thus take proper measures to avoid them.
• Cyber forensics finds evidence on digital devices and then presents it in court,
which can lead to the punishment of the culprit.
• It efficiently tracks down the culprit anywhere in the world.
• It helps people or organizations to protect their money and time.
• The relevant findings can be publicized and used to make the public aware of such crimes.

What are the required set of skills needed to be a cyber forensic expert?

The following skills are required to be a cyber forensic expert:


• As we know, cyber forensics is based on technology. So, knowledge of various
technologies, computers, mobile phones, network hacks, security breaches, etc. is
required.
• The expert should be very attentive while examining a large amount of data to identify
proof/evidence.
• The expert must be aware of criminal laws, a criminal investigation, etc.
• As we know, over time technology always changes, so the experts must be updated
with the latest technology.
• Cyber forensic experts must be able to analyse the data, derive conclusions from it and
make proper interpretations.
• The communication skill of the expert must be good so that while presenting evidence
in front of the court, everyone understands each detail with clarity.
• The expert must have strong knowledge of basic cyber security.

Cyberforensics can be divided into two domains:

• Computer forensics
• Network forensics

Network forensics is the study of network traffic to search for truth in civil, criminal, and
administrative matters to protect users and resources from exploitation, invasion of privacy,
and any other crime.

Digital evidence is different from physical evidence because of the following characteristics:

• Digital evidence is much easier to change/manipulate


• Perfect copies can be made without harming the original
• Different information is available at different levels of abstraction

Computer forensics experts know the techniques to retrieve data from files listed in standard
directory search, hidden files, deleted files, deleted E-Mail and passwords, login ids,
encrypted files, hidden partitions, etc. Computer systems have the following:

• Logical file system that consists of:
o File system
o Random Access Memory (RAM)
o Physical storage media
▪ Slack space: It is a space allocated to the file but is not actually used due to
internal fragmentation
▪ Unallocated space
• User created files
• Computer created files (backups, cookies, config files, history files, log files, swap files,
system files, temp files, etc.)
• Computer networks

Dr. Edmond Locard is known as the father of forensic science. He is also known as the
“Sherlock Holmes of France”. The famous principle given by Locard, “Every contact leaves
a trace”, is known as Locard's exchange principle.

The Rules of Evidence

According to Indian Evidence Act 1872, evidence means:

• All statements which the court permits or requires to be made before it by witnesses, in
relation to matters of fact under inquiry, are called oral evidence.
• All documents that are produced for the inspection of the court are called documentary
evidence.

Newly added provisions in the Indian Evidence Act 1972 through the ITA 2000, constitute
the body of law applicable to electronic evidence. Digital evidence by its very nature is
invisible to the eye. Digital evidence must be developed using tools other than the human
eye. Acquisition of digital evidence is both a legal and technical problem. Difficulties
associated with gathering digital evidence:

• Determining what piece of digital evidence is required
• Where the evidence is physically located

Different contexts involved in actually identifying a piece of digital evidence:

• Physical context
o It is definable by its physical form, that is, it should reside on a specific piece of
media
• Logical context
o It must be identifiable as to its logical position, that is, where does it reside relative to
the file system
• Legal context
o The evidence must be placed in the correct context to read its meaning
o This may require looking at the evidence as machine language

Guidelines for digital evidence collection phase:

• Follow site’s security policy and engage the appropriate incident handling and law
enforcement personnel
• Capture a picture of the system as accurately as possible
• Keep detailed notes with dates and times
• Be prepared to testify outlining all actions you took and at what times
• Minimize changes to the data as you are collecting it
• Remove external avenues for change
• Always choose collection before analysis
• Your procedures should be implementable
• Manage the work among the team members
• Proceed from most volatile to less volatile areas while collecting evidence:
o Registers, cache
o Routing table, ARP cache, process table, kernel statistics, RAM
o Temporary file systems
o Disk
o Remote logging and monitoring data
o Physical configuration and network topology
o Archival media
• Do a bit-level copy of the media (try to avoid conducting forensics on the evidence copy)

Digital Forensics

Digital Forensics is defined as the process of preservation, identification, extraction, and
documentation of computer evidence which can be used by the court of law. It is a science of
finding evidence from digital media like a computer, mobile phone, server, or network. It
provides the forensic team with the best techniques and tools to solve complicated digital-
related cases.

Digital Forensics helps the forensic team to analyze, inspect, identify, and preserve the
digital evidence residing on various types of electronic devices.

History of Digital forensics
Here, are important landmarks from the history of Digital Forensics:

• Hans Gross (1847 -1915): First use of scientific study to head criminal investigations
• FBI (1932): Set up a lab to offer forensics services to all field agents and other law
authorities across the USA.
• In 1978 the first computer crime was recognized in the Florida Computer Crime Act.
• Francis Galton (1982 – 1911): Conducted first recorded study of fingerprints
• In 1992, the term Computer Forensics was used in academic literature.
• 1995 International Organization on Computer Evidence (IOCE) was formed.
• In 2000, the First FBI Regional Computer Forensic Laboratory established.
• In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published the first book
about digital forensics called “Best practices for Computer Forensics”.
• In 2010, Simson Garfinkel identified issues facing digital investigations.

Objectives of computer forensics

Here are the essential objectives of using computer forensics:

• It helps to recover, analyze, and preserve computer and related materials in such a manner
that it helps the investigation agency to present them as evidence in a court of law.
• It helps to postulate the motive behind the crime and identity of the main culprit.
• Designing procedures at a suspected crime scene which helps you to ensure that the digital
evidence obtained is not corrupted.
• Data acquisition and duplication: Recovering deleted files and deleted partitions from digital
media to extract the evidence and validate them.
• Helps you to identify the evidence quickly, and also allows you to estimate the potential
impact of the malicious activity on the victim
• Producing a computer forensic report which offers a complete report on the investigation
process.
• Preserving the evidence by following the chain of custody.

Types of Digital Forensics

Three types of digital forensics are:

Disk Forensics:
It deals with extracting data from storage media by searching active, modified, or deleted
files.

Network Forensics:
It is a sub-branch of digital forensics. It is related to monitoring and analysis of computer
network traffic to collect important information and legal evidence.

Wireless Forensics:
It is a division of network forensics. The main aim of wireless forensics is to offer the tools
needed to collect and analyze data from wireless network traffic.

Database Forensics:
It is a branch of digital forensics relating to the study and examination of databases and their
related metadata.

Malware Forensics:
This branch deals with the identification of malicious code and the study of its payload,
such as viruses, worms, etc.

Email Forensics
Deals with recovery and analysis of emails, including deleted emails, calendars, and contacts.

Memory Forensics:
It deals with collecting data from system memory (system registers, cache, RAM) in raw
form and then carving the data from the raw dump.

Mobile Phone Forensics:
It mainly deals with the examination and analysis of mobile devices. It helps to retrieve
phone and SIM contacts, call logs, incoming and outgoing SMS/MMS, audio, videos, etc.

Challenges faced by Digital Forensics

Here are the major challenges faced by digital forensics:

• The increase in PCs and extensive use of internet access
• Easy availability of hacking tools
• Lack of physical evidence makes prosecution difficult.
• The large amount of storage space, running into terabytes, makes the investigation job difficult.
• Any technological change requires an upgrade or changes to solutions.

Example Uses of Digital Forensics

In recent times, commercial organizations have used digital forensics in the following types of
cases:

• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Inappropriate use of the Internet and email in the workplace
• Forgery-related matters
• Bankruptcy investigations
• Issues concerning regulatory compliance

Advantages of Digital forensics
Here are the pros/benefits of digital forensics:

• To ensure the integrity of the computer system.
• To produce evidence in court, which can lead to the punishment of the culprit.
• It helps companies to capture important information if their computer systems or
networks are compromised.
• Efficiently tracks down cybercriminals from anywhere in the world.
• Helps to protect the organization's money and valuable time.
• Allows investigators to extract, process, and interpret the factual evidence, so that it proves
the cybercriminal's actions in court.

Disadvantages of Digital Forensics

Here are the major cons/drawbacks of using digital forensics:

• Digital evidence is accepted in court; however, it must be proved that there has been no
tampering.
• Producing electronic records and storing them is an extremely costly affair.
• Legal practitioners must have extensive computer knowledge.
• Need to produce authentic and convincing evidence.
• If the tool used for digital forensics is not according to specified standards, then in the court
of law the evidence can be disapproved by the judge.
• Lack of technical knowledge by the investigating officer might not give the desired result.

Digital Forensics Life Cycle

The digital forensics process is shown in the following figure. Forensic life cycle phases are:

1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying

1. Preparing for the Evidence and Identifying the Evidence

In order to be processed and analysed, evidence must first be identified. It is possible
that evidence may be overlooked and not identified at all. A sequence of events in a
computer might include interactions between:

• Different files
• Files and file systems
• Processes and files
• Log files

In case of a network, the interactions can be between devices in the organization or across
the globe (Internet). If the evidence is never identified as relevant, it may never be collected
and processed.

2. Collecting and Recording Digital Evidence

Digital evidence can be collected from many sources. The obvious sources can be:

• Mobile phone
• Digital cameras
• Hard drives
• CDs
• USB memory devices

Non-obvious sources can be:

• Digital thermometer settings
• Black boxes inside automobiles
• RFID tags

Proper care should be taken while handling digital evidence as it can be changed easily.
Once changed, the evidence cannot be analysed further. A cryptographic hash can be
calculated for the evidence file and later checked if there were any changes made to the file or
not. Sometimes important evidence might reside in the volatile memory. Gathering volatile
data requires special technical skills.

3. Storing and Transporting Digital Evidence

Some guidelines for handling of digital evidence:

• Image computer-media using a write-blocking tool to ensure that no data is added to the
suspect device
• Establish and maintain the chain of custody
• Document everything that has been done
• Only use tools and methods that have been tested and evaluated to validate their accuracy
and reliability

Care should be taken that evidence does not go anywhere without properly being traced.
Things that can go wrong in storage include:

• Decay over time (natural or unnatural)
• Environmental changes (direct or indirect)
• Fires
• Floods
• Loss of power to batteries and other media preserving mechanisms

Sometimes evidence must be transported from place to place either physically or through a
network. Care should be taken that the evidence is not changed while in transit. Analysis is
generally done on the copy of real evidence. If there is any dispute over the copy, the real can
be produced in court.

4. Examining/Investigating Digital Evidence

A forensics specialist should ensure that he/she has proper legal authority to seize, copy and
examine the data. As a general rule, one should not examine digital information unless one
has the legal authority to do so. Forensic investigation performed on data at rest (hard disk) is
called dead analysis.

Many current attacks leave no trace on the computer’s hard drive. The attacker only exploits
the information in the computer’s main memory. Performing forensic investigation on main
memory is called live analysis. Sometimes the decryption key might be available only in
RAM. Turning off the system will erase the decryption key. The process of creating an
exact duplicate of the original evidence is called imaging. Some tools which can create entire
hard drive images are:

• DCFLdd
• Iximager
• Guymager

The original drive is moved to secure storage to prevent tampering. The imaging process is
verified by using SHA-1 or another hashing algorithm.

5. Analysis, Interpretation and Attribution

In digital forensics, only a few sequences of events might produce evidence, but the number
of possible sequences is very large. The digital evidence must be analyzed to determine the
type of information stored on it. Examples of forensics tools:

• Forensics Tool Kit (FTK)
• EnCase
• Scalpel (file carving tool)
• The Sleuth Kit (TSK)
• Autopsy

Forensic analysis includes the following activities:

• Manual review of data on the media
• Windows registry inspection
• Discovering and cracking passwords
• Performing keyword searches related to crime
• Extracting emails and images

Types of digital analysis:

• Media analysis
• Media management analysis
• File system analysis
• Application analysis
• Network analysis
• Image analysis
• Video analysis

6. Reporting

After the analysis is done, a report is generated. The report may be in oral form or in written
form or both. The report contains all the details about the evidence in analysis, interpretation,
and attribution steps. As a result of the findings in this phase, it should be possible to confirm
or discard the allegations. Some of the general elements in the report are:

• Identity of the report agency
• Case identifier or submission number
• Case investigator
• Identity of the submitter
• Date of receipt
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Brief description of steps taken during examination
• Results / conclusions

7. Testifying

This phase involves presentation and cross-examination of expert witnesses. An expert
witness may testify provided that:

• The testimony is based on sufficient facts or data
• The testimony is the product of reliable principles and methods
• The witness has applied the principles and methods reliably to the facts of the case

Experts with inadequate knowledge are sometimes chastised by the court. Precautions to be
taken when collecting digital evidence are:

• No action taken by law enforcement agencies or their agents should change the evidence
• When a person needs to access the original data held on a computer, the person must be
competent to do so
• An audit trail or other record of all processes applied to digital evidence should be created
and preserved
• The person in charge of the investigation has overall responsibility for ensuring that the law
and these principles are adhered to

Chain of Custody

A chain of custody is the process of validating how evidence has been gathered, tracked,
and protected on the way to the court of law. Forensic professionals know that if you do not
have a chain of custody, the evidence is worthless.

The chain of custody is a chronological written record of those individuals who have had
custody of the evidence from its initial acquisition to its final disposition. A chain of custody
begins when evidence is collected and the chain is maintained until it is disposed of. The
chain of custody assumes continuous accountability.
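An added example (not from these notes) of a chain-of-custody record that also covers the evidence-hash checks mentioned under the collection and imaging phases: the image is fingerprinted at acquisition, every hand-off recomputes and compares the hash before custody changes, and the written entries are linked by hashes so later edits to the record itself are detectable. SHA-256 is used here in place of the SHA-1 named above; the case id, custodian names, timestamps and image bytes are constructed placeholders.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

ZERO = "0" * 64  # link value for the first entry in the record


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence image (the notes mention SHA-1; SHA-256 is
    used here as the stronger current choice)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # ISO-8601, supplied by the caller (keep dates and times)
    action: str           # acquired / transferred / transfer-rejected
    custodian: str        # who holds the evidence after this entry
    evidence_hash: str    # hash of the image as presented at this step
    note: str
    prev_entry_hash: str  # digest of the previous entry: entries form a tamper-evident chain

    def digest(self) -> str:
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class ChainOfCustody:
    """Chronological written record of custody, from acquisition to disposal."""

    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.entries: List[CustodyEntry] = []
        self.acquisition_hash: Optional[str] = None

    def _append(self, timestamp: str, action: str, custodian: str,
                evidence_hash: str, note: str) -> CustodyEntry:
        prev = self.entries[-1].digest() if self.entries else ZERO
        entry = CustodyEntry(timestamp, action, custodian, evidence_hash, note, prev)
        self.entries.append(entry)
        return entry

    def acquire(self, image: bytes, collector: str, timestamp: str, note: str = "") -> str:
        """Collection step: fingerprint the write-blocked image at acquisition."""
        self.acquisition_hash = sha256_hex(image)
        self._append(timestamp, "acquired", collector, self.acquisition_hash, note)
        return self.acquisition_hash

    def verify_image(self, image: bytes) -> bool:
        """Later check that a working copy still matches the acquisition hash."""
        return self.acquisition_hash is not None and sha256_hex(image) == self.acquisition_hash

    def transfer(self, image: bytes, sender: str, receiver: str, timestamp: str) -> bool:
        """Hand-off: the receiver recomputes the hash before accepting custody."""
        current = sha256_hex(image)
        if current != self.acquisition_hash:
            self._append(timestamp, "transfer-rejected", sender, current,
                         f"hash mismatch, custody refused by {receiver}")
            return False
        self._append(timestamp, "transferred", receiver, current, f"received from {sender}")
        return True

    def head_hash(self) -> str:
        """Digest of the latest entry; keep it off-system (e.g. signed) as a seal."""
        return self.entries[-1].digest() if self.entries else ZERO

    def record_intact(self, expected_head: Optional[str] = None) -> bool:
        """True if no entry was edited, inserted or removed after the fact. Pass the
        sealed head hash to also detect tampering with the most recent entry."""
        prev = ZERO
        for entry in self.entries:
            if entry.prev_entry_hash != prev:
                return False
            prev = entry.digest()
        return expected_head is None or prev == expected_head


# Constructed sample: a tiny stand-in for a disk image and a placeholder case id.
IMAGE = b"\x55\xaa constructed disk image bytes " * 16
CASE_ID = "CASE-PLACEHOLDER-0001"


def build_demo_chain() -> ChainOfCustody:
    """Acquisition by the collector, a valid hand-off, then a rejected hand-off of a
    copy that was altered in transit."""
    chain = ChainOfCustody(CASE_ID)
    chain.acquire(IMAGE, "collector A", "2024-01-05T09:00:00Z", "imaged via write blocker")
    chain.transfer(IMAGE, "collector A", "examiner B", "2024-01-05T11:30:00Z")
    chain.transfer(IMAGE + b"\x00", "examiner B", "examiner C", "2024-01-06T08:15:00Z")
    return chain


if __name__ == "__main__":
    demo = build_demo_chain()
    for e in demo.entries:
        print(e.timestamp, e.action, e.custodian, e.evidence_hash[:12], e.note)
    print("record intact:", demo.record_intact(demo.head_hash()))
```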

Ethical Hacking Concepts and Scopes

What is Ethical hacking?

Ethical hacking is also called penetration testing. It is the act of penetrating networks
or systems to find the threats and vulnerabilities in that system which an attacker could
have exploited, causing loss of data, financial loss or other major damage to a
business.

Purpose of Ethical hacking

The purpose of ethical hacking is to improve the security of the system or network by
fixing the vulnerabilities which are detected while testing. Ethical hackers may use the
same techniques and mechanisms as malicious hackers, but with the permission of
the authorized person; in this way ethical hackers help to develop the security of
systems and defend them from attacks.

Why is Ethical Hacking important?

When the ethical hacker finds a vulnerability, he reports the issue and advises how
to fix the problem. A company employs an ethical hacker to protect and secure its
data. An ethical hacker's tests do not always mean a system has been attacked by malicious
attackers; sometimes it means the ethical hacker is proactively preparing and protecting
the data as a precaution. Some of the advanced attacks caused by hackers include: -

• Piracy
• Vandalism
• Credit card theft
• Theft of service
• Identity theft
• Manipulation of data
• Denial-of-service Attacks

These types of cyberattacks and hacking cases have increased because of the huge usage of
online services and online transactions in the last decade.

Phases of Ethical Hacking:-

The phases of ethical hacking are:

• Scanning
• Footprinting & Reconnaissance
• Enumeration
• System Hacking
• Escalation of Privileges
• Covering Track

Skills of an Ethical Hacker

A skilled ethical hacker should hold a collection of technical and non-technical skills.

Technical Skills
1. Ethical hackers must have strong knowledge of all operating systems, such as
Windows, Linux, and Mac.
2. Ethical hackers should be skilled in networking and have a strong knowledge of
basic and detailed concepts in technologies, software, and hardware applications.
3. Ethical hackers must know all kinds of attacks.
Non-Technical Skills
1. Communication Skills
2. Learning Ability
3. Problem-solving skills
4. Proficient in the security policies
5. Awareness of laws, standards, and regulations.

Scope of Ethical Hacking:-

Ethical hacking is generally used as penetration testing to detect vulnerabilities and risks,
identify the loopholes in a security system, and take corrective measures against those
attacks.

Ethical hacking is a key component of risk evaluation, auditing, and counter-fraud. The
scope for ethical hackers is high and it is one of the most rapidly growing careers at
present, as many malicious attackers pose a threat to businesses and their networks.
Industries like Information Technology and the banking sector hire several ethical hackers
to protect their data and infrastructure. Also, in the coming days, the demand for this
profile is going to be high compared to other profiles due to the increased threat from
vulnerabilities.

Attack Vector Definition

An attack vector is a pathway or method used by a hacker to illegally access a network or
computer in an attempt to exploit system vulnerabilities. Hackers use numerous attack
vectors to launch attacks that take advantage of system weaknesses, cause a data breach, or
steal login credentials. Such methods include sharing malware and viruses, malicious email
attachments and web links, pop-up windows, and instant messages that involve the attacker
duping an employee or individual user.

Many attacks through these vectors are financially motivated, with attackers stealing money
from people and organizations, or stealing data and personally identifiable information (PII)
to then hold the owner to ransom. The types of hackers that infiltrate a network are
wide-ranging. They could be disgruntled former employees, politically motivated organized
groups, hacktivists, professional hacking groups, or state-sponsored groups.

The Difference Between an Attack Vector and an Attack Surface

Cybersecurity attacks are launched using an attack vector. This could be through malware or
a phishing attack, which aims to steal user credentials and gain unauthorized access to
corporate data or resources. Social engineering is another way to launch an attack.

The attack surface is the total network area an attacker can use to launch cyber attack vectors
and extract data or gain access to an organization’s systems. Devices and people are part of
an organization’s attack surface because their vulnerabilities, such as weak passwords or
unpatched software, can be exploited by an attacker.

How Do Hackers Exploit Attack Vectors?

Hackers use multiple threat vectors to exploit vulnerable systems, attack devices and
networks, and steal data from individuals. There are two main types of hacker vector
attacks: passive attacks and active attacks.

Passive Attack

A passive attack occurs when an attacker monitors a system for open ports or vulnerabilities
to gain or gather information about their target. Passive attacks can be difficult to detect
because they do not involve altering data or system resources. Rather than cause damage to
an organization’s systems, the attacker threatens the confidentiality of their data.

Passive attack vectors include passive reconnaissance, which sees the attacker monitor an
organization’s systems for vulnerabilities without interacting with them through tools like
session capture, and active reconnaissance, where the attacker uses methods like port scans to
engage with target systems.

Active Attack

An active attack vector is one that sets out to disrupt or cause damage to an organization’s
system resources or affect their regular operations. This includes attackers launching attacks
against system vulnerabilities, such as denial-of-service (DoS) attacks, targeting users’ weak
passwords, or through malware and phishing attacks.

A common example of an active attack is a masquerade attack, in which an intruder pretends
to be a trusted user and steals login credentials to gain access privileges to system resources.
Active attack methods are often used by cyber criminals to gain the information they need to
launch a wider cyberattack against an organization.

Common Types of Attack Vectors

There are many types of attack vectors, with cyber criminals using many methods to target
large or small organizations from any industry, as well as individuals from nearly every
business level. Some of the most common threat vectors are listed below.

Compromised Credentials

Weak and compromised credentials are the most-used attack vector as people continue to use
weak passwords to protect their online accounts and profiles. Compromised credentials occur
when information like usernames or passwords are exposed to a third party such as mobile
apps and websites. This is frequently caused by victims of a phishing attempt revealing their
login details to an attacker by entering them on a spoofed website. Lost and stolen credentials
enable an intruder to access user accounts and corporate systems without detection, then
escalate their access level within a network.

Employees must use strong passwords and consider using a password manager to limit the
chances of an attacker stealing their credentials. To avoid the risk of compromised
credentials, organizations must move away from relying on passwords alone and deploy
multi-factor authentication (MFA) to verify users’ identities. Employee education is also vital
to ensuring users understand the security risks they face and the signs of a potential
cyberattack.

Malware

Malware is a term that describes various strains of malicious software, which include
ransomware, spyware, Trojans, and viruses. Cyber criminals use malware as a threat vector to
help them gain access to corporate networks and devices, then steal data or damage systems.

Avoiding malware is reliant on understanding the signs of an attack, such as phishing
schemes that urge users to share valuable information. Protecting against malware requires
technology like sandboxing, firewalls, and antivirus and anti-malware software that detect
and block potential attacks.

Phishing

Phishing is an email, Short Message Service (SMS), or telephone-based attack vector that
sees the attacker pose as a trusted sender to dupe the target into giving up sensitive data, such
as login credentials or banking details.

Organizations can protect their employees and customers from phishing attacks by using
spam filters, deploying MFA, ensuring software is patched and updated, and blocking
malicious websites. However, the best way to defend against phishing is to assume that every
email is part of a phishing attack. This also comes down to employee education and relies on
employees' awareness of common security risks, such as never clicking any link within an
email.

Insider Threats

Some security attacks come from inside the organization, through employees exposing
confidential information to attackers. While this can be accidental, malicious insiders expose
corporate data or vulnerabilities to third parties. These are often unhappy or disgruntled
employees with access to sensitive information and networks.

It can be difficult for organizations to spot malicious insiders, largely because they are
authorized users with legitimate access to corporate networks and systems. Therefore,
businesses should monitor network access for unusual activity or users accessing files or
systems they would not normally, which could be an indicator of insider risk.
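An added illustration (not part of these notes) of the monitoring approach just described: it builds a per-user baseline from historical access-log lines and flags accesses to resources outside that baseline or outside the user's usual hours. The log format, user names and resource names are constructed for the example.

```python
"""Flag accesses that fall outside a user's established baseline.

Added illustration of the detection approach described in the notes (users
touching files or systems they would not normally). The log format, users
and resource names below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: historical access log, "timestamp user resource action"
BASELINE_LOG = """\
2024-03-01T09:12:04 alice hr-share/payroll.xlsx READ
2024-03-01T10:30:11 alice hr-share/benefits.docx READ
2024-03-02T09:02:45 alice hr-share/payroll.xlsx READ
2024-03-01T08:55:00 bob eng-git/backend READ
2024-03-01T14:20:19 bob eng-git/backend WRITE
2024-03-02T11:41:07 bob eng-git/frontend READ
2024-03-03T09:15:33 bob eng-git/backend WRITE
"""

# Constructed sample: the day under review
REVIEW_LOG = """\
2024-03-04T09:05:12 alice hr-share/payroll.xlsx READ
2024-03-04T23:48:51 bob hr-share/payroll.xlsx READ
2024-03-04T23:52:03 bob hr-share/salaries.xlsx READ
2024-03-04T10:10:10 bob eng-git/backend WRITE
"""


def parse(log_text):
    """Yield (timestamp, user, resource, action) tuples from log lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, action = line.split()
        yield datetime.fromisoformat(ts), user, resource, action


def build_baseline(log_text):
    """Map each user to the resources they normally touch and the hours
    (0-23) during which they are normally active."""
    resources = defaultdict(set)
    hours = defaultdict(set)
    for ts, user, resource, _ in parse(log_text):
        resources[user].add(resource)
        hours[user].add(ts.hour)
    return resources, hours


def find_anomalies(baseline, review_text, hour_margin=1):
    """Return (user, resource, reasons) for each access that deviates from
    the baseline: a never-before-seen resource (users with no history are
    always flagged), or activity more than `hour_margin` hours away from
    any hour in which the user was previously active."""
    resources, hours = baseline
    findings = []
    for ts, user, resource, _action in parse(review_text):
        reasons = []
        if resource not in resources.get(user, set()):
            reasons.append("resource outside baseline")
        usual = hours.get(user)
        if usual and not any(abs(ts.hour - h) <= hour_margin for h in usual):
            reasons.append("activity outside usual hours")
        if reasons:
            findings.append((user, resource, reasons))
    return findings


if __name__ == "__main__":
    for user, resource, reasons in find_anomalies(build_baseline(BASELINE_LOG), REVIEW_LOG):
        print(f"ALERT {user} -> {resource}: {', '.join(reasons)}")
```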

Missing or Weak Encryption

Encryption is a technique that hides the true meaning of a message and protects digital data
by converting it into a code or ciphertext. This ensures that the data within a message cannot
be read by an unauthorized party, which helps prevent cyber criminals from stealing sensitive
information.

Missing, poor, or weak encryption leads to the transmission of sensitive data in plaintext.
This risks its exposure to unauthorized parties if intercepted or obtained through a brute-force
attack. To avoid this, users should use strong encryption methods, including Advanced
Encryption Standard (AES) or Rivest-Shamir-Adleman (RSA) encryption, and always ensure
sensitive information is encrypted while at rest, in processing, and in transit.

Unpatched Applications or Servers


Cyber criminals are always on the lookout for potential open doors or vulnerabilities in
software and servers. When they find and exploit a vulnerability that no one is aware of until
the breach occurs, this is known as a zero-day attack.

Organizations and users can avoid this type of attack by ensuring their software, operating
systems, and servers are patched. This means applying a software update or fixing code to a
program or server to remove the vulnerability. Regular patching by software developers is the
best strategy for mitigating potential attacks. To assist with this and prevent any gaps that
could present a vulnerability to an attacker, users should ensure automatic software updates
are enabled.

Distributed Denial of Service (DDoS)

A DDoS attack occurs when an attacker overloads a server with internet traffic using multiple
machines, also known as a botnet. This prevents users from accessing services and can force
the organization’s site to crash.

A DDoS attack can be mitigated through the use of firewalls to filter and prevent malicious
traffic. Other defense tools include regular risk assessments, traffic differentiation to scatter
traffic and prevent a targeted attack, and rate-limiting to restrict the number of requests a
server can receive.
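An added example (not from the original notes) of the rate-limiting defence mentioned above, with the caveat a practitioner needs: a per-client limit stops a single-source flood but not a botnet whose members each stay under the cap, so a server-wide limit is needed as well, and that in turn rejects some legitimate requests. All addresses (documentation ranges) and request timings are constructed.

```python
"""Sliding-window rate limiting as a DDoS mitigation, with a caveat.

Added example, not code from the original notes. All addresses and
request timings below are constructed.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_ms` milliseconds per key."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        # key -> timestamps (ms) of events allowed inside the current window.
        # Caveat: this per-key state is itself a resource a large botnet
        # can inflate, so bound the number of tracked keys in production.
        self._events = defaultdict(deque)

    def allow(self, key, now_ms):
        q = self._events[key]
        while q and now_ms - q[0] >= self.window_ms:  # expire old events
            q.popleft()
        if len(q) < self.limit:
            q.append(now_ms)
            return True
        return False


def simulate(requests, per_ip_limit, global_limit, window_ms=1000):
    """Run (timestamp_ms, client_ip) requests through a per-IP limiter and
    then a server-wide limiter; return acceptance/rejection counts."""
    per_ip = SlidingWindowLimiter(per_ip_limit, window_ms)
    server = SlidingWindowLimiter(global_limit, window_ms)
    stats = {"accepted": 0, "rejected_per_ip": 0, "rejected_global": 0,
             "accepted_by_ip": defaultdict(int)}
    for ts, ip in sorted(requests):
        if not per_ip.allow(ip, ts):
            stats["rejected_per_ip"] += 1
        elif not server.allow("server", ts):
            stats["rejected_global"] += 1
        else:
            stats["accepted"] += 1
            stats["accepted_by_ip"][ip] += 1
    return stats


LEGIT_IP = "198.51.100.7"  # constructed legitimate client


def legit_traffic():
    """Constructed: one normal client sending 4 requests over one second."""
    return [(t, LEGIT_IP) for t in (0, 250, 500, 750)]


def botnet_traffic(bots=200, per_bot=5):
    """Constructed: `bots` distinct addresses, each sending `per_bot`
    requests within one second (1000 req/s total, no single IP above 5)."""
    return [(k * 200 + b, f"203.0.113.{b + 1}")
            for b in range(bots) for k in range(per_bot)]


def single_source_flood(n=1000):
    """Constructed: one address sending `n` requests within one second."""
    return [(t, "203.0.113.250") for t in range(n)]


if __name__ == "__main__":
    for name, attack in (("single source", single_source_flood()),
                         ("botnet", botnet_traffic())):
        s = simulate(legit_traffic() + attack, per_ip_limit=10, global_limit=300)
        print(name, {k: v for k, v in s.items() if k != "accepted_by_ip"},
              "legit accepted:", s["accepted_by_ip"][LEGIT_IP])
```

In the botnet run every bot stays under the per-IP cap, so only the server-wide cap holds the load, and two of the legitimate client's four requests are dropped with it.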

The Five Phases of Ethical Hacking


While the phases discussed in the webinar are from the perspective of a hacker, King explains
that these are the same phases used by a white hat hacker to test an organization’s network.
To put it simply, an attacker uses this approach to breach the network, while the ethical
hacker uses it to protect it.

1. Reconnaissance
Reconnaissance, also known as the preparatory phase, is where the hacker gathers
information about a target before launching an attack and is completed in phases prior to
exploiting system vulnerabilities. One of the first phases of Reconnaissance is dumpster
diving. It is during this phase that the hacker finds valuable information such as old
passwords, names of important employees (such as the head of the network department), and
performs an active reconnaissance to know how the organization functions. As a next step,
the hacker completes a process called footprinting to collect data on the security posture,
reduces the focus area such as finding out specific IP addresses, identifies vulnerabilities
within the target system, and finally draws a network map to know exactly how the network
infrastructure works to break into it easily. Footprinting provides important information such
as the domain name, TCP and UDP services, system names, and passwords. There are also
other ways to do footprinting, including impersonating a website by mirroring it, using search
engines to find information about the organization, and even using the information of current
employees for impersonation.

2. Scanning
In this phase, the hacker identifies a quick way to gain access to the network and look for
information. There are three methods of scanning: pre-attack, port scanning/sniffing, and
information extraction. Each of these phases demonstrates a specific set of vulnerabilities that
the hacker can utilize to exploit the system's weaknesses. The pre-attack phase is where the
hacker scans the network for specific information based on the information gathered during
reconnaissance. The port scanner or sniffing phase is where scanning includes the use of
dialers, port scanners, vulnerability scanners, and other data-gathering equipment. The
information extraction phase is where the attackers collect information about ports, live
machines and OS details to launch an attack.

3. Gain Access
The hacker gains access to the system, applications, and network, and escalates their user
privileges to control the systems connected to it.

4. Maintain Access
Here, the hacker secures continued access to the organization’s systems using rootkits and
Trojans and uses it to launch additional attacks on the network.

5. Cover Tracks
Once the hacker gains access, they cover their tracks to evade security personnel. They
do this by clearing the cache and cookies, tampering with the log files, and closing all the open
ports. This step is important to the attacker because it clears the system information, making
the hacking a great deal harder to track.

Footprinting

Footprinting is a part of the reconnaissance process which is used for gathering possible
information about a target computer system or network. Footprinting could be
both passive and active. Reviewing a company’s website is an example of passive
footprinting, whereas attempting to gain access to sensitive information through social
engineering is an example of active information gathering.
Footprinting is basically the first step, where the hacker gathers as much information as possible
to find ways to intrude into a target system or at least decide what type of attacks will be
more suitable for the target.
During this phase, a hacker can collect the following information:

• Domain name
• IP Addresses
• Namespaces
• Employee information
• Phone numbers
• E-mails
• Job Information
In the following section, we will discuss how to extract the basic and easily accessible
information about any computer system or network that is linked to the Internet.

Domain Name Information

You can use the http://www.whois.com/whois website to get detailed information about a
domain name, including its owner, its registrar, date of registration, expiry, name
server, owner's contact information, etc.

CYBER SECURITY: ORGANIZATIONAL IMPLICATIONS
• Introduction

• Cost of Cyber Crimes

• IPR Issues

• Web Threats for Organizations

• Security and Privacy Implications

• Social Media Marketing: Security Risks

• Perils for Organizations

• Social Computing and associated challenges for organizations.


Organizational Implications: Introduction
In the global environment with continuous network connectivity, the
possibilities for cyberattacks can emanate from sources that are local, remote, domestic
or foreign. They could be launched by an individual or a group. They could be casual
probes from hackers using personal computers (PCs) in their homes, hand-held devices
or intense scans from criminal groups.

Fig: A cyber security perspective. EU is the European Union.

Personal information (PI) is information that is, or can be, about or related to an identifiable individual. It
includes any information that can be linked to an individual or used to directly or indirectly
identify an individual.
Most information the organization collects about an individual is likely to come
under the “PI” category if it can be attributed to an individual. For example, PI is an
individual’s first name or first initial and last name in combination with any of the following data:

1. Social security number (SSN)/social insurance number.
2. Driver’s license number or identification card number.
3. Bank account number, credit or debit card number with personal identification
number such as an access code, security codes or password that would permit
access to an individual’s financial account.
4. Home address or E-Mail address.
5. Medical or health information.


An insider threat is defined as “the misuse or destruction of sensitive or
confidential information, as well as IT equipment that houses this data, by employees,
contractors and other ‘trusted’ individuals.”
Insider threats are caused by human actions such as mistakes, negligence,
reckless behavior, theft, fraud and even sabotage. There are three types of “insiders”:
1. A malicious insider is motivated to adversely impact an organization
through a range of actions that compromise information confidentiality,
integrity and/or availability.
2. A careless insider can bring about a data compromise not by any bad
intention but simply by being careless due to an accident, mistake or
plain negligence.

3. A tricked insider is a person who is “tricked” into or led to providing
sensitive or private company data by people who are not truthful about
their identity or purpose via “pretexting” (known as social engineering).

• Insider Attack Example 1: Heartland Payment System Fraud

A case in point is the infamous “Heartland Payment System Fraud” that
was uncovered in January 2010. This incident brings out the glaring point about the
seriousness of “insider attacks.” In this case, the concerned organization suffered a
serious blow through nearly 100 million credit cards compromised from at least
650 financial services companies. When a card is used to make a purchase, the
card information is transmitted through a payment network.

• Insider Attack Example 2: Blue Shield Blue Cross (BCBS)

Yet another incident is the Blue Cross Blue Shield (BCBS) data breach
of October 2009: the theft of 57 hard drives from a BlueCross BlueShield of
Tennessee training facility put the private information of approximately 500,000
customers at risk in at least 32 states.
The two lessons to be learnt from this are:
1. Physical security is very important.
2. Insider threats cannot be ignored.


What makes matters worse is that the groups/agencies/entities connected
with cybercrimes are all linked. There is certainly a paradigm shift in computing
and work practices; with workforce mobility, virtual teams, social computing
media and cloud computing services being offered, a sharp rise is noticed in business
process outsourcing (BPO) services, to name a few.

Fig: Cybercrimes – the flow and connections.

A key message from this discussion is that cybercrimes do not happen on
their own or in isolation. Cybercrimes take place due to weaknesses in
cybersecurity practices, and “privacy” may get impacted when cybercrimes
happen.

Privacy has following four key dimensions:


1. Informational/data privacy: It is about data protection, and the users’
rights to determine how, when and to what extent information about them
is communicated to other parties.
2. Personal privacy: It is about content filtering and other mechanisms to
ensure that the end-users are not exposed to whatever violates their moral
senses.
3. Communication privacy: This is as in networks, where encryption of
data being transmitted is important.
4. Territorial privacy: It is about protecting users’ property, for example
the user devices, from being invaded by undesired content such as SMS or
E-Mail/Spam messages.

The paradigm shift in computing brings many challenges for organizations;
some such key challenges are described here.

Fig: Security threats – paradigm shift.

The key challenges from emerging new information threats to organizations are as
follows:
1. Industrial espionage: There are several tools available for web
administrators to monitor and track the various pages and objects that
are accessed on their website.
2. IP-based blocking: This process is often used for blocking the access
of specific IP addresses and/or domain names.
3. IP-based “cloaking”: Businesses are global in nature and economies are
interconnected.
4. Cyberterrorism: “Cyberterrorism” refers to the direct intervention of a
threat source toward your organization’s website.

Confidential information leakage: “Insider attacks” are the worst ones. Typically, an
organization is protected from external threats by its firewall and antivirus solutions

Cost of Cybercrimes and IPR Issues: Lessons for Organizations

Cybercrimes cost a lot to organizations.

Fig: Cost of cybercrimes.

When a cybercrime incident occurs, there are a number of internal costs
associated with it for organizations, and there are organizational impacts as well. Detection
and recovery constitute a very large percentage of internal costs. This is supported by a
benchmark study conducted by Ponemon Institute USA, carried out with a sample of 45
organizations representing more than 10 sectors and each with a head count of at least 500
employees.


• Organizations have Internal Costs Associated with Cyber security Incidents

The internal costs typically involve people costs, overhead costs and productivity losses. The
internal costs, in order from largest to lowest, as supported by the benchmark study
mentioned above, are:
1. Detection costs (25%)
2. Recovery costs (21%)
3. Post response costs (19%)
4. Investigation costs (14%)
5. Costs of escalation and incident management (12%)
6. Cost of containment (9%)
• The consequences of cybercrimes and their associated costs:
1. Information loss/data theft (42%)
2. Business disruption (22%)
3. Damages to equipment, plant and property (13%)
4. Loss of revenue and brand tarnishing (13%)
5. Other costs (10%)
• The impact on organizations by various cyber crimes:
1. Viruses, worms and Trojans - 100%
2. Malware - 80%
3. Botnets - 73%
4. Web based attacks - 53%
5. Phishing and social engineering - 47%
6. Stolen devices - 36%
7. Malicious insiders - 29%
8. Malicious code - 27%
• Average days taken to resolve cyber attacks:
1. Attacks by malicious insiders - 42 days
2. Malicious code - 39 days
3. Web based attacks - 19 days
4. Data lost due to stolen devices - 10 days
5. Phishing and social engineering attacks - 9 days
6. Viruses, worms and Trojans - 2.5 days
7. Malware - 2 days
8. Botnets - 2 days
• There are many new endpoints in today’s complex networks; they include
hand-held devices.
Again, there are lessons to learn:
1. Endpoint protection: This is an often-ignored area; IP-based printers,
although they are passive devices, are also endpoints.
2. Secure coding: These practices are important because they are a good
mitigation control to protect organizations from “Malicious Code” inside
business applications.
3. HR checks: These are important prior to employment as well as after employment.
4. Access controls: These are always important; for example, shared IDs and
shared laptops are dangerous.
5. Importance of security governance: It cannot be ignored; the importance of policies,
procedures and their effective implementation cannot be over-emphasized.

• Organizational Implications of Software Piracy

Use of pirated software is a major risk area for organizations.
From a legal standpoint, software piracy is an IPR violation crime. Use of
pirated software increases serious threats and risks of cybercrime and computer
security when it comes to legal liability.

The most often quoted reasons by employees for use of pirated software are as
follows:

1. Pirated software is cheaper and more readily available.
2. Many others use pirated software anyway.
3. Latest versions are available faster when pirated software is used.

Web Threats for Organizations: The Evils and Perils

The Internet and the Web are the way of working today in the interconnected digital economy.
More and more business applications are web based, especially with the growing
adoption of cloud computing.


• Overview of Web Threats to Organizations
The Internet has engulfed us! A large number of companies as well as individuals
have a connection to the Internet. Employees expect to have Internet access at work just
like they do at home.
IT managers must also find a balance between allowing reasonable personal
Internet use at work and maintaining office work productivity and work concentration in
the office.

• Employee Time Wasted on Internet Surfing

This is a very sensitive topic indeed, especially in organizations that claim to
have a “liberal culture.” Some managers believe that it is crucial in today’s business
world to have the finger on the pulse of your employees.
People seem to spend approximately 45-60 minutes each working day on
personal web surfing at work.

• Enforcing Policy Usage in the Organization

An organization has various types of policies. A security policy is a statement
produced by the senior management of an organization, or by a selected policy board or
committee, to dictate what type of role security plays within the organization.


Fig: Policy hierarchy chart.

• Monitoring and Controlling Employees’ internet surfing


A powerful deterrent can be created through effective monitoring and
reporting of employees’ Internet surfing.
Even organizations with restrictive policies can justify a degree of
relaxation; for example, allowing employees to access personal sites only during
the lunch hour or during specified hours.
• Keeping Security Patches and Virus Signatures Up to Date
Updating security patches and virus signatures has now become a reality
of life, a necessary activity for safety in the cyberworld! Keeping security systems
up to date with security signatures, software patches, etc. is almost a nightmare for
management.

• Surviving in the Era of Legal Risks

With websites galore, most organizations get worried about
employees visiting inappropriate or offensive websites. We mentioned
Children’s Online Privacy Protection.
Serious legal liabilities arise for businesses from employees’
misuse/inappropriate use of the Internet.
• Bandwidth Wastage Issues
Today’s applications are bandwidth hungry; there is increasing image
content in messages and that too, involving transmission of high-resolution
images.

There are tools to protect an organization’s bandwidth by stopping unwanted
traffic before it even reaches your Internet connection.


• Mobile Workers Pose Security Challenges

Mobile handset devices are also used in cybercrimes. Most mobile
communication devices, for example personal digital assistants, have raised
security concerns with their use. Mobile workers use those devices to connect
to their company networks when they move, so the organization cannot
protect the remote user’s system and, as a result, the workforce remains unprotected. We
need tools to extend web protection and filtering to remote users, including policy
enforcement.

• Challenges in Controlling Access to Web Applications

Today, a large number of organizations’ applications are web based. There
will be more in the future as the Internet offers a wide range of online applications,
from webmail or through social networking to sophisticated business applications.
Employees use personal mail IDs to send business sensitive information (BSI) for
valid or other reasons. This leads to data security breaches. The organizations need to
decide what type of access to provide to employees.
• The Bane of Malware
Many websites contain malware. Such websites are a growing security
threat. Although most organizations are doing a good job of blocking sites
declared dangerous, cyber attackers, too, are learning. Criminals change their
techniques rapidly to avoid detection.
• The Need for Protecting Multiple Offices and Locations
Delivery from multiple locations and teams collaborating from multiple
locations to deliver a single project are a common working scenario today. Most
large organizations have several offices at multiple locations. In such a scenario,
an Internet-based hosted service is the best way to protect many locations.


Social Media Marketing: Security Risks and Perils for Organizations
Social media marketing has become dominant in the industry. According to a fall 2009 survey by
marketing professionals, usage of social media sites by large business-to-business (B2B) organizations shows
the following:

FIG: Social Media Marketing Tools

1. Facebook is used by 37% of the organizations.
2. LinkedIn is used by 36% of the organizations.
3. Twitter is used by 36% of the organizations.
4. YouTube is used by 22% of the organizations.
5. My Space is used by 6% of the organizations.
Although the use of social media marketing sites is rampant, there is a problem related to “social
computing” or “social media marketing” – the problem of privacy threats. Exposure of sensitive PI and
confidential business information is possible if due care is not taken by organizations while using the
mode of “social media marketing.”

• Understanding Social Media Marketing

Most professionals today use social technologies for business purposes. The most common usages
include: marketing, internal collaboration and learning, customer service and support, sales, human
resources, strategic planning and product development.

Following are the most typical reasons why organizations use social media marketing to promote
their products and services:
1. To be able to reach a larger target audience in a more spontaneous and instantaneous
manner without paying large advertising fees.
2. To increase traffic to their website coming from other social media websites by using blogs
and social and business networking. Companies believe that this, in turn, may increase their
“page rank”, resulting in increased traffic from leading search engines.
3. To reap other potential revenue benefits and to minimize advertising costs, because social
media complements other marketing strategies such as a paid advertising campaign.
4. To build credibility by participating in relevant product promotion forums and responding
to potential customers’ questions immediately.
5. To collect potential customer profiles. Social media sites have information such as user
profile data, which can be used to target a specific set of users for advertising.

There are other tools too that organizations use; industry practices indicate the following:

1. Twitter is used with higher priority to reach out to maximum marketers in the technology
space and monitor the space.
2. Professional networking tool LinkedIn is used to connect with and create a community
of top executives from the Fortune 500.
3. Facebook as the social group or social community tool is used to drive more traffic to
the Websense website and increase awareness about Websense.
4. YouTube (the video capability tool to run demonstrations of products/services, etc.) is used
to increase the brand awareness and create a presence for corporate videos.
5. Wikipedia is also used for brand building and driving traffic.
