1. Malware Attacks
• Viruses—a piece of code injects itself into an application. When the application runs,
the malicious code executes.
• Worms—self-replicating malware that spreads across a network on its own, typically by
exploiting software vulnerabilities or backdoors to gain access to an operating system
without any user action. Once established in the network, the worm can carry out further
attacks such as distributed denial of service (DDoS).
• Trojans—malicious code or software that poses as an innocent program, hiding in
apps, games or email attachments. An unsuspecting user downloads the trojan,
allowing it to gain control of their device.
• Ransomware—a user or organization is denied access to their own systems or data
via encryption. The attacker typically demands a ransom be paid in exchange for a
decryption key to restore access, but there is no guarantee that paying the ransom will
actually restore full access or functionality.
• Cryptojacking—attackers deploy software on a victim’s device, and begin using
their computing resources to generate cryptocurrency, without their knowledge.
Affected systems can become slow and cryptojacking kits can affect system stability.
• Spyware—a malicious actor gains access to an unsuspecting user’s data, including
sensitive information such as passwords and payment details. Spyware can affect
desktop browsers, mobile phones and desktop applications.
• Adware—a user’s browsing activity is tracked to determine behavior patterns and
interests, allowing advertisers to send the user targeted advertising. Adware is related
to spyware and is often bundled with otherwise legitimate software. It is not necessarily
used for malicious purposes, but it can be installed and run without the user’s consent
and compromise their privacy.
• Fileless malware—no malicious executable is written to disk. Instead, legitimate tools
already present on the operating system, such as WMI and PowerShell, are abused to carry
out the malicious functions, often entirely in memory. This stealthy form of attack is
difficult to detect with signature-based antivirus, because the tools being run are
recognized as legitimate; detection relies on monitoring their behaviour (for example,
script block logging and command-line auditing).
• Rootkits—software is injected into applications, firmware, operating system kernels
or hypervisors, providing remote administrative access to a computer while hiding its own
presence. The attacker can boot the operating system within a compromised environment,
gain complete control of the computer and deliver additional malware.
2. Social Engineering Attacks
Social engineering involves tricking users into providing an entry point for malware. The
victim provides sensitive information or unwittingly installs malware on their device, because
the attacker poses as a legitimate actor.
• Baiting—the attacker lures a user into a social engineering trap, usually with a promise of
something attractive like a free gift card. The victim provides sensitive information such as
credentials to the attacker.
• Pretexting—the attacker invents a plausible scenario (a pretext) and pressures the target
into giving up information under false pretenses. This typically involves impersonating
someone with authority, for example an IRS agent or police officer, whose position will
compel the victim to comply.
• Phishing—the attacker sends emails pretending to come from a trusted source. Phishing
often involves sending fraudulent emails to as many users as possible, but can also be more
3. Supply Chain Attacks
Supply chain attacks target software developers and vendors rather than the end victim
directly. Their purpose is to infect legitimate applications and distribute malware via source
code, build processes or software update mechanisms.
Attackers look for insecure network protocols, server infrastructure and coding practices,
and use them to compromise build and update processes, modify source code and hide
malicious content.
Supply chain attacks are especially severe because the applications being compromised
by attackers are signed and certified by trusted vendors. In a software supply chain attack, the
software vendor is not aware that its applications or updates are infected with malware.
Malicious code runs with the same trust and privileges as the compromised application.
4. Man-in-the-Middle Attack
5. Denial-of-Service Attack
A Denial-of-Service (DoS) attack overloads the target system with a large volume of traffic,
hindering the ability of the system to function normally. An attack involving multiple devices
is known as a distributed denial-of-service (DDoS) attack.
• HTTP flood DDoS—the attacker uses HTTP requests that appear legitimate to overwhelm
an application or web server. This technique does not require high bandwidth or malformed
packets, and typically tries to force a target system to allocate as many resources as possible
for each request.
• SYN flood DDoS—initiating a Transmission Control Protocol (TCP) connection involves
sending a SYN request that the host must answer with a SYN-ACK, after which the
requester must respond with an ACK. Attackers exploit this sequence by sending SYN
requests, often from spoofed source addresses, and never completing the handshake, so
half-open connections accumulate in the server’s backlog and tie up its resources until
they time out.
• UDP flood DDoS—a remote host is flooded with User Datagram Protocol (UDP) packets
sent to random ports. The host checks for an application listening on each port and, finding
none, replies with ICMP “Destination Unreachable” (port unreachable) packets, which uses
up the host’s resources.
• ICMP flood—a barrage of ICMP Echo Request packets overwhelms the target, consuming
both inbound and outgoing bandwidth. The servers may try to respond to each request with
an ICMP Echo Reply packet, but cannot keep up with the rate of requests, so the system
slows down.
• NTP amplification—Network Time Protocol (NTP) servers are accessible to the public and
can be exploited by an attacker to send large volumes of UDP traffic to a targeted server.
This is considered an amplification attack due to the query-to-response ratio of 1:20 to
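The SYN flood described above leaves a recognisable trace: many SYNs from one source whose handshakes are never completed. The following is an added example, not part of the original page, showing how a defender can spot that from a packet trace. The packet records, the client and server addresses and the thresholds are constructed for the example; a real deployment would feed it from a capture or a flow log.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since start of trace
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flag letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "R" RST


def half_open_by_source(packets: Iterable[Packet], window: float = 10.0,
                        threshold: int = 50) -> Dict[str, int]:
    """Count, per source address, client SYNs that were never followed by the
    client's ACK (or RST) for the same 4-tuple and are older than `window`
    seconds at the end of the trace. Sources at or above `threshold` are returned."""
    pending: Dict[Tuple[str, int, str, int], float] = {}
    last_ts = 0.0
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        last_ts = max(last_ts, p.ts)
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            # First SYN wins; retransmits do not reset the clock.
            pending.setdefault(key, p.ts)
        elif p.flags in ("A", "R") and key in pending:
            # Client completed (or aborted) the handshake: no longer half-open.
            del pending[key]
    counts: Dict[str, int] = defaultdict(int)
    for (src, _, _, _), syn_ts in pending.items():
        if last_ts - syn_ts >= window:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def sample_packets() -> List[Packet]:
    """Constructed trace: one well-behaved client and one flooding source."""
    server = "192.0.2.10"
    pkts: List[Packet] = []
    # Legitimate client: three full three-way handshakes.
    for i, t in enumerate((1.0, 2.0, 3.0)):
        sport = 40000 + i
        pkts.append(Packet(t, "10.0.0.5", sport, server, 443, "S"))
        pkts.append(Packet(t + 0.01, server, 443, "10.0.0.5", sport, "SA"))
        pkts.append(Packet(t + 0.02, "10.0.0.5", sport, server, 443, "A"))
    # Flooding source: 60 SYNs from fresh source ports, SYN-ACKs never answered.
    for i in range(60):
        sport = 50000 + i
        t = 0.1 * i
        pkts.append(Packet(t, "203.0.113.9", sport, server, 443, "S"))
        pkts.append(Packet(t + 0.01, server, 443, "203.0.113.9", sport, "SA"))
    # A late packet so the trace extends well past the window.
    pkts.append(Packet(25.0, "10.0.0.5", 40000, server, 443, "A"))
    return pkts


if __name__ == "__main__":
    print(half_open_by_source(sample_packets()))   # {'203.0.113.9': 60}
```

The window matters: a connection that started a moment before the trace ended is not evidence of anything, which is why only half-open entries older than `window` are counted. With spoofed sources the count is spread across many addresses, so in practice the same logic is also run against the destination port as a whole.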
6. Injection Attacks
Injection attacks exploit a variety of vulnerabilities to pass malicious input to a web
application in a position where an interpreter (a database, a shell, an LDAP server, an XML
parser or the browser) treats it as code or commands. Successful attacks may expose sensitive
information, cause a DoS or compromise the entire system.
• SQL injection—an attacker enters SQL syntax into an end-user input channel, such as a
web form or URL parameter. A vulnerable application concatenates that input into a query
string and sends it to the database, which executes whatever SQL has been injected. Most
web applications are backed by databases that use Structured Query Language (SQL), and
any of them that build queries by string concatenation rather than parameterized (prepared)
statements is exposed. A newer variant is NoSQL injection, targeted against databases that
do not use a relational data structure.
• Code injection—an attacker can inject code into an application if it is vulnerable. The web
server executes the malicious code as if it were part of the application.
• OS command injection—an attacker exploits a command injection vulnerability to supply
commands for the operating system to execute. This allows the attacker to exfiltrate OS data
or take over the system.
• LDAP injection—an attacker inputs characters to alter Lightweight Directory Access
Protocol (LDAP) queries. A system is vulnerable if it uses unsanitized LDAP queries. These
attacks are very severe because LDAP servers may store user accounts and credentials for an
entire organization.
• XML eXternal Entities (XXE) injection—an attack carried out using specially constructed
XML documents. It differs from the other vectors here in that it abuses a parser feature
(resolution of external entities declared in the document’s DTD) that is enabled by default
in many older XML parsers, rather than a failure to validate user input. A malicious document
can make the server read local files, perform server-side request forgery (SSRF), exhaust
resources and, in some configurations, execute code remotely.
• Cross-Site Scripting (XSS)—an attacker supplies a string of text containing malicious
JavaScript that the application later includes in a page. The target’s browser executes the
code in the context of the trusted site, enabling the attacker to redirect users to a malicious
website or steal session cookies to hijack a user’s session. An application is vulnerable to
XSS if it writes untrusted input into HTML without encoding it for the context it lands in;
trying to strip “JavaScript” out of the input is not sufficient.
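The SQL injection item above turns on one detail: whether the input is pasted into the query text or passed to the driver as a parameter. The following is an added example, not code from the original page, that shows both forms against a constructed in-memory SQLite table; the user names, hashes and payloads are sample data invented for the demonstration.

```python
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory user table (sample data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash_of_alice_pw", "admin"),
                      ("bob", "hash_of_bob_pw", "user")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password_hash: str) -> List[Tuple[str, str]]:
    """Builds the query by string formatting: the caller's text becomes SQL syntax."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str,
               password_hash: str) -> List[Tuple[str, str]]:
    """Parameterized statement: values travel separately from the query text,
    so quotes and comment markers in the input are just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    # "alice' --" closes the string and comments out the password check:
    #   ... WHERE username = 'alice' --' AND password_hash = 'anything'
    print(login_vulnerable(conn, "alice' --", "anything"))     # [('alice', 'admin')]
    # A tautology returns every row:
    #   ... WHERE username = '' OR 1=1 --' AND password_hash = 'anything'
    print(login_vulnerable(conn, "' OR 1=1 --", "anything"))   # both users
    # The same payloads are harmless against the parameterized query.
    print(login_safe(conn, "alice' --", "anything"))           # []
    print(login_safe(conn, "alice", "hash_of_alice_pw"))       # [('alice', 'admin')]
```

Note that the safe version does not inspect or "sanitize" the input at all; the fix is structural, and the same rule applies to the other interpreters in this list (argument arrays for OS commands, escaping functions for LDAP filters, contextual output encoding for HTML).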
Ideally, when all three properties have been met, the organization’s security posture is
stronger and better equipped to handle threat incidents.
Confidentiality
Confidentiality involves the efforts of an organization to make sure data is kept secret or
private. To accomplish this, access to information must be controlled to prevent the
unauthorized sharing of data—whether intentional or accidental. A key component of
maintaining confidentiality is making sure that people without proper authorization are
prevented from accessing assets important to your business. Conversely, an effective system
also ensures that those who need to have access have the necessary privileges.
For example, those who work with an organization’s finances should be able to access the
spreadsheets, bank accounts, and other information related to the flow of money. However,
the vast majority of other employees—and perhaps even certain executives—may not be
granted access. To ensure these policies are followed, stringent restrictions have to be in
place to limit who can see what.
There are several ways confidentiality can be compromised. This may involve direct attacks
aimed at gaining access to systems the attacker does not have the rights to see. It can also
involve an attacker making a direct attempt to infiltrate an application or database so they can
take data or alter it.
These direct attacks may use techniques such as man-in-the-middle (MITM) attacks, where
an attacker positions themselves in the stream of information to intercept data and then either
steal or alter it. Some attackers engage in other types of network spying to gain access to
credentials. In some cases, the attacker will try to gain more system privileges to obtain the
next level of clearance.
However, not all violations of confidentiality are intentional. Human error or insufficient
security controls may be to blame as well. For example, someone may fail to protect their
password—either to a workstation or to log in to a restricted area. Users may share their
credentials with someone else, or they may allow someone to see their login while they enter
it. In other situations, a user may not properly encrypt a communication, allowing an attacker
to intercept their information. Also, a thief may steal hardware, whether an entire computer or
a device used in the login process and use it to access confidential information.
To fight against confidentiality breaches, you can classify and label restricted data, enable
access control policies, encrypt data, and use multi-factor authentication (MFA) systems. It is
also advisable to ensure that all in the organization have the training and knowledge they
need to recognize the dangers and avoid them.
Integrity
Integrity involves making sure your data is trustworthy and free from tampering. The
integrity of your data is maintained only if the data is authentic, accurate, and reliable.
For example, if your company provides information about senior managers on your website,
this information needs to have integrity. If it is inaccurate, those visiting the website for
information may feel your organization is not trustworthy. Someone with a vested interest in
damaging the reputation of your organization may try to hack your website and alter the
descriptions, photographs, or titles of the executives to hurt their reputation or that of the
company as a whole.
To protect the integrity of your data, you can use hashing, encryption, digital certificates, or
digital signatures. For websites, you can employ trustworthy certificate authorities (CAs) that
verify the authenticity of your website so visitors know they are getting the site they intended
to visit.
A related property is non-repudiation, which means that an action cannot later be denied.
For example, if employees in your company sign their emails with digital signatures, the fact
that the email came from the holder of that signing key cannot be denied. A signature on the
message does not by itself prove that the recipient received it; that requires a signed
acknowledgement from the recipient.
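Both the supply chain section (malware delivered through update mechanisms) and the integrity discussion above come down to the same check: does the artifact in hand match what the vendor produced? The following is an added example, not code from the original page or any vendor, of a hash manifest check for a software release. The file names and contents are constructed, and the example assumes the manifest reaches the client by a route the attacker cannot also rewrite (in practice, signed with the vendor's key and published separately from the download); a hash check cannot catch tampering that happened before the manifest was generated, such as inside a compromised build.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed release contents (not a real product): path -> bytes.
CLEAN_RELEASE: Dict[str, bytes] = {
    "app/main.py": b"print('hello from the vendor build')\n",
    "app/updater.py": b"def fetch(url):\n    return download(url)\n",
    "app/config.json": b'{"update_url": "https://updates.example.invalid/"}\n',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Produced by the vendor from the clean build: one digest and size per file."""
    return {name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in sorted(files.items())}


def verify_release(files: Dict[str, bytes],
                   manifest: Dict[str, Dict[str, object]]) -> List[str]:
    """Return a list of problems; an empty list means the release matches the manifest."""
    problems: List[str] = []
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            problems.append(f"missing: {name}")
            continue
        if len(data) != expected["size"]:
            problems.append(f"size mismatch: {name}")
        # compare_digest avoids leaking which bytes differ through timing.
        if not hmac.compare_digest(sha256_hex(data), str(expected["sha256"])):
            problems.append(f"digest mismatch: {name}")
    # Files the manifest never listed are as suspicious as modified ones.
    for name in sorted(files):
        if name not in manifest:
            problems.append(f"unexpected file: {name}")
    return problems


def tampered_release() -> Dict[str, bytes]:
    """The same release after an attacker with write access to the update channel
    modified the updater and dropped an extra payload (constructed)."""
    files = dict(CLEAN_RELEASE)
    files["app/updater.py"] = files["app/updater.py"] + b"import app.helper\n"
    files["app/helper.py"] = b"# attacker-added payload\n"
    return files


if __name__ == "__main__":
    manifest = build_manifest(CLEAN_RELEASE)
    print("clean:", verify_release(CLEAN_RELEASE, manifest))        # []
    print("tampered:", verify_release(tampered_release(), manifest))
```

The important design choice is that the client refuses to install on any non-empty problem list, including an extra file it was not told about; an updater that only checks the files it expects will happily install a dropped payload beside them.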
Availability
Even if data is kept confidential and its integrity maintained, it is often useless unless it is
available to those in the organization and the customers they serve. This means that systems,
networks, and applications must be functioning as they should and when they should. Also,
individuals with access to specific information must be able to consume it when they need to,
and getting to the data should not take an inordinate amount of time.
If, for example, there is a power outage and there is no disaster recovery system in place to
help users regain access to critical systems, availability will be compromised. Also, a natural
disaster like a flood or even a severe snowstorm may prevent users from getting to the office,
which can interrupt the availability of their workstations and other devices that provide
business-critical information or applications. Availability can also be compromised through
deliberate acts of sabotage, such as the use of denial-of-service (DoS) attacks or ransomware.
The CIA triad provides a simple yet comprehensive high-level checklist for the evaluation of
your security procedures and tools. An effective system satisfies all three components:
confidentiality, integrity, and availability. An information security system that is lacking in one of
the three aspects of the CIA triad is insufficient.
The CIA security triad is also valuable in assessing what went wrong—and what worked—after
a negative incident. For example, perhaps availability was compromised after a malware attack
such as ransomware, but the systems in place were still able to maintain the confidentiality of
important information. This data can be used to address weak points and replicate successful
policies and implementations.
You should use the CIA triad in the majority of security situations, particularly because each
component is critical. However, it is particularly helpful when developing systems around
data classification and managing permissions and access privileges. You should also
stringently employ the CIA triad when addressing the cyber vulnerabilities of your
organization. It can be a powerful tool in disrupting the Cyber Kill Chain, which refers to the
process of targeting and executing a cyberattack. The CIA security triad can help you home in
on what attackers may be after and then implement policies and tools to adequately protect
those assets.
In addition, the CIA triad can be used when training employees regarding cybersecurity. You
can use hypothetical scenarios or real-life case studies to help employees think in terms of the
maintenance of confidentiality, integrity, and availability of information and systems.
What’s an asset?
An asset is any data, device or other component of an organisation’s systems that is valuable
– often because it contains sensitive data or can be used to access such information.
An organisation’s most common assets are information assets. These are things such as
databases and physical files – i.e. the sensitive data that you store.
A related concept is the ‘information asset container’, which is where that information is
kept. In the case of databases, this would be the application that was used to create the
database. For physical files, it would be the filing cabinet where the information resides.
What’s a vulnerability?
You are most likely to encounter a vulnerability in your software, because of its complexity
and the frequency with which it is updated. These weaknesses, known as bugs, can be used
by criminal hackers to gain access to sensitive information.
Vulnerabilities don’t only refer to technological flaws, though. They can be physical
weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of your
premises, or poorly written (or non-existent) processes that could lead to employees exposing
information.
Understanding risk
Now that we’ve explained the constituent elements of risk, you can see that the concept is a
lot more complex than you might have thought. But, although it sounds counterintuitive,
that’s not necessarily a bad thing.
That’s because the specificity of what counts as a risk means that you may well have fewer of
them than you estimated.
After all, an information security risk must have something that’s in jeopardy (an asset), an
actor that can exploit it (a threat) and a weakness through which they can do so (a vulnerability).
If you’ve identified a vulnerability, but there is no threat to exploit it, you have little to no
risk. Likewise, you might detect a threat but have already secured any weaknesses that it
could exploit.
This can be a labour-intensive task, but our risk assessment tool, vsRisk, does much of the
work for you.
This software package provides a simple and fast way to create your risk assessment
methodology and deliver repeatable, consistent assessments year after year.
Its asset library assigns organisational roles to each asset group, applying relevant potential
threats and risks by default.
Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to
compile a list of risks, and the built-in control sets help you comply with multiple
frameworks.
Cyberspace refers to the virtual computer world, and more specifically, an electronic medium
that is used to facilitate online communication. Cyberspace typically involves a large
computer network made up of many worldwide computer subnetworks that employ the TCP/IP
protocol suite to aid in communication and data exchange activities.
Cyberspace's core feature is an interactive and virtual environment for a broad range of
participants.
In the common IT lexicon, any system that has a significant user base or even a well-
designed interface can be thought to be “cyberspace.”
Cyber Crime
While most of the cybercrime we have seen to date is simply the commission of traditional
crimes by new means, this is not true of all cybercrime. We already have one completely new
cybercrime: a distributed denial of service (DDoS) attack. A DDoS attack overloads
computer servers and effectively shuts down a website. In February of 2000, someone
launched DDoS attacks that effectively shut down Amazon.com and eBay, among other sites.
DDoS attacks are increasingly used for extortion; someone launches an attack on a website,
then stops the attack and explains to the owner of the website that attacks will continue unless
and until the owner pays a sum for “protection” against such attacks. This simply represents
the commission of an old crime (extortion) by new means. It is a tactic the Mafia was using
over half a century ago, though they relied on arson instead of DDoS attacks.
But a “pure” DDoS attack such as the 2000 attacks on Amazon.com and eBay is not a
traditional crime. It is not theft, fraud, extortion, vandalism, burglary or any crime that was
within a pre-twentieth century prosecutor’s repertoire. Brenner, Is There Such a Thing as
Virtual Crime?, supra. It is an example of a new type of crime: a “pure” cybercrime. As
such, it requires that we create new law, which makes it a crime to launch such an attack.
Otherwise, there is no crime, which was the case in the United Kingdom until very recently;
To summarize, one reason why the definition quoted above is unsatisfactory is that it does not
encompass the proposition that cybercrime can consist of committing “new” crimes – crimes
we have not seen before and therefore have not outlawed – as well as “old” crimes. The other
reason I take issue with this definition is that it links the commission of cybercrime with the
use of a “computer network.” This is usually true; in fact, the use of computer networks is
probably the default model of cybercrime. But it is also possible that computer technology,
but not network technology, can be used for illegal purposes. A non-networked computer can,
for example, be used to counterfeit currency or to forge documents. In either instance, a
computer -- but not a computer network -- is being used to commit a crime. Here, the
computer is being used to commit an “old” crime, but it is at least conceptually possible that a
non-networked computer could also be used to commit a “new” crime of some type.
A better definition of cybercrime, then, is that it constitutes the use of computer technology to
commit “crime,” i.e., to engage in activity that, as noted earlier, threatens a society’s ability
to maintain internal order. But while cybercrime involves the commission of “crime” in the
generic sense, particular cybercrimes may not be proscribed by a society’s criminal laws. It is
therefore advisable for every society to conduct a periodic review of its criminal laws to
ensure that they are adequate to deal with evolving threats, such as DDoS attacks.
There is, however, a debate among cyber security experts as to what kind of activity
constitutes cyber warfare. The US Department of Defense (DoD) recognizes the threat to
national security posed by the malicious use of the Internet but doesn’t provide a clearer
definition of cyber warfare. Some consider cyber warfare to be a cyber attack that can result
in death.
Cyber warfare typically involves a nation-state perpetrating cyber attacks on another, but in
some cases, the attacks are carried out by terrorist organizations or non-state actors seeking to
further the goal of a hostile nation. There are several examples of alleged cyber warfare in
recent history, but there is no universal, formal, definition for how a cyber attack may
constitute an act of war.
Espionage
Refers to monitoring other countries to steal secrets. In cyber warfare, this can involve
using botnets or spear phishing attacks to compromise sensitive computer systems before
exfiltrating sensitive information.
Sabotage
DoS attacks prevent legitimate users from accessing a website by flooding it with fake
requests and forcing the website to handle these requests. This type of attack can be used to
disrupt critical operations and systems and block access to sensitive websites by civilians,
military and security personnel, or research bodies.
Attacking the power grid allows attackers to disable critical systems, disrupt infrastructure,
and potentially result in bodily harm. Attacks on the power grid can also disrupt
communications and render services such as text messages and communications unusable.
Propaganda Attacks
Attempts to control the minds and thoughts of people living in or fighting for a target
country. Propaganda can be used to expose embarrassing truths, spread lies to make people
lose trust in their country, or side with their enemies.
Economic Disruption
Most modern economic systems operate using computers. Attackers can target computer
networks of economic establishments such as stock markets, payment systems, and banks to
steal money or block people from accessing the funds they need.
Surprise Attacks
These are the cyber equivalent of attacks like Pearl Harbor and 9/11. The point is to carry out
a massive attack that the enemy isn’t expecting, enabling the attacker to weaken their
defenses. This can be done to prepare the ground for a physical attack in the context of hybrid
warfare.
The best way to assess a nation’s readiness for cyber warfare is to conduct a real-life exercise
or simulation, also known as a cyber wargame.
A wargame can test how governments and private organizations respond to a cyber warfare
scenario, expose gaps in defenses, and improve cooperation between entities. Most
importantly, a wargame can help defenders learn how to act quickly to protect critical
infrastructure and save lives.
Cyber wargames can help cities, states, or countries improve readiness for cyber warfare by:
Under the pressure of cyber warfare, governments of many countries have issued operational
national security policies to protect their information infrastructure. These policies typically
use a layered defense approach, which includes:
Based on the subject of the crime, cybercrimes are classified into three broad groups:
• Email harassment
• Cyber-stalking
• Indecent exposure
• Trafficking
• Financial crimes
• Online Gambling
• Forgery
Apart from the ones listed above, crimes like hacking, denial of service attacks, e-mail bombing,
etc. are also present in cyberspace.
This section applies if any person, without the permission of the owner or the person in charge
of a computer, system, or network –
• Copies, downloads or extracts any data or information from such computer, network or
system (this also includes information or data stored in a removable storage medium).
• Introduces or causes to be introduced any computer contaminant or virus into such
computer, network or system.
• Damages any computer, system or data or any other programs residing in them.
• Denies or causes the denial of access to an authorized person to such computer, system
or network.
• Charges the services availed of by one person to the account of another by tampering
with such computer, system or network.
Penalty – Compensation, not exceeding one crore rupees, to the affected person.
This section applies to a person who intentionally conceals, alters or destroys any computer
source code used for a computer, program, system or network when the law requires the owner
to keep or maintain the source code. It also applies to a person who intentionally causes another
person to do the same.
Penalty – Imprisonment of up to three years, a fine of up to two lakh rupees, or both.
This section applies to a person who commits hacking. Hacking is when the person intentionally
or knowingly causes a wrongful loss or damage to the public or another person or destroys or
deletes any information residing in a computer resource or diminishes its utility or value or
injures it by any means.
Penalty – Imprisonment of up to three years, a fine of up to two lakh rupees, or both.
This section applies to a person who publishes or transmits any obscene material – material
which is lascivious or appeals to the prurient interests or tends to deprave or corrupt persons who
are likely to read, see or hear the matter embodied in it. It also applies to a person who causes the
publishing or transmission of such material.
Penalty – In case of the first conviction, imprisonment of up to five years and a fine of up to one
lakh rupees. For subsequent convictions, imprisonment of up to 10 years and a fine of up to two
lakh rupees.
This section applies to a person who knowingly creates, publishes or makes available a digital
certificate with the intention of fraud.
Penalty – Imprisonment of up to two years, a fine of up to one lakh rupees, or both.
• Fails to furnish any document, return or report to the Controller or the Certifying
Authority
• Fails to file returns or furnish any information as per the regulations or fails to furnish
them in time
• A monetary fine of up to one lakh and fifty thousand rupees for each such failure
• A fine of up to five thousand rupees for every day if the failure continues
• A fine of up to ten thousand rupees for every day if the failure continues
This section applies to a person who contravenes any rules under the IT Act, 2000, especially
those for which there are no special provisions.
This section applies to a person who makes any misrepresentation to or even suppresses any
material fact from the Controller or Certifying Authority to obtain the license or a digital
signature certificate.
Penalty – Imprisonment of up to two years, a fine of up to one lakh rupees, or both.
This section applies to a person who, having secured access to any electronic record,
information or other material, discloses it to another person without consent.
Penalty – Imprisonment of up to two years, a fine of up to one lakh rupees, or both.
This section applies to a person who publishes a digital certificate with the knowledge that –
This section applies to a person who knowingly creates, publishes or makes available a digital
signature for fraudulent purposes.
Penalty – Imprisonment of up to two years, a fine of up to one lakh rupees, or both.
(1) This section applies to a company that commits a contravention of the provisions of the Act.
In such cases, every person who was in charge of, and responsible to the company for, the
conduct of its business, as well as the company itself, is guilty of the contravention and liable
to punishment. However, a person who was not aware of the contravention is not liable.
For the purposes of this section, “company” means any body corporate and includes a firm or
other association of individuals.
Phishing definition
Phishing is a type of cyberattack that uses disguised email as a weapon. These attacks
use social engineering techniques to trick the email recipient into believing that the
message is something they want or need—a request from their bank, for instance, or a
note from someone in their company—and to click a link or download an attachment.
"Phish" is pronounced just like it's spelled, which is to say like the word "fish" —the
analogy is of an angler throwing a baited hook out there (the phishing email) and hoping
you bite.
Phishing emails can be targeted in several different ways, with some not being targeted at
all, some being "soft targeted" at someone playing a particular role in an organization,
and some being targeted at specific, high-value people.
Types of phishing
Another way to categorize these attacks is by who they target and how the messages are
sent. If there's a common denominator among phishing attacks, it's the disguise. The
attackers spoof their email address so it looks like it's coming from someone else, set up
fake websites that look like ones the victim trusts, and use foreign character sets to
disguise URLs.
That said, there are a variety of techniques that fall under the umbrella of phishing. Each
of these types of phishing is a variation on a theme, with the attacker masquerading as a
trusted entity of some kind, often a real or plausibly real person, or a company the victim
might do business with.
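The disguise described above often lives in the domain name itself: Cyrillic or Greek letters that render like Latin ones (shown to the resolver in punycode, `xn--`), or plain Latin tricks such as `rn` for `m`. The same "similar-looking domain name" idea reappears in the password-attack section further down. The following is an added example, not code from the original page, that decodes a hostname to its display form, flags labels that mix scripts, and folds confusable characters to a Latin skeleton to test whether the name collides with a protected brand. The confusables table is a small hand-picked subset assumed for the example (the full Unicode confusables data is far larger), and the brand list is illustrative.

```python
import unicodedata
from typing import Dict, List, Set

# Hand-picked subset of Unicode confusables (assumed for this example only).
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p", "\u0131": "i", "\u0142": "l",
}

# Brands to protect; illustrative, taken from the list earlier on the page.
PROTECTED = ("paypal.com", "microsoft.com", "facebook.com", "ebay.com", "amazon.com")


def to_display_host(host: str) -> str:
    """Decode punycode (xn--) labels to the Unicode form a browser may display."""
    host = host.lower().rstrip(".")
    return host.encode("ascii").decode("idna") if "xn--" in host else host


def label_scripts(label: str) -> Set[str]:
    """Scripts used by the letters of one DNS label, read from Unicode names."""
    scripts: Set[str] = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def skeleton(label: str) -> str:
    """Fold a label to a Latin skeleton so lookalikes collide with the brand."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))   # drop accents
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for pair, single in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        s = s.replace(pair, single)
    return s


def assess_host(host: str) -> Dict[str, object]:
    shown = to_display_host(host)
    labels = shown.split(".")
    sk = ".".join(skeleton(label) for label in labels)
    return {
        "display": shown,
        "mixed_script": any(len(label_scripts(label)) > 1 for label in labels),
        "skeleton": sk,
        "impersonates": [b for b in PROTECTED if sk == b and shown != b],
    }


if __name__ == "__main__":
    for h in ("p\u0430ypal.com",                 # Cyrillic 'a' in the second position
              "p\u0430ypal.com".encode("idna").decode("ascii"),   # same, as punycode
              "rnicrosoft.com", "facebo0k.com", "login.paypal.com"):
        print(h, assess_host(h))
```

Mixed-script detection alone misses all-Latin tricks such as `rnicrosoft`, and the skeleton comparison alone would not distinguish a legitimate subdomain from a lookalike, which is why the two signals are reported separately rather than collapsed into one verdict.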
• Email phishing: With general, mass-market phishing attacks, emails are sent to millions
of potential victims to try to trick them into logging in to fake versions of very popular
websites.
Ironscales has tallied the most popular brands that hackers use in their phishing
attempts. Of the 50,000-plus fake login pages the company monitored, these were the top
brands attackers used:
➢ PayPal: 22%
➢ Microsoft: 19%
➢ Facebook: 15%
➢ eBay: 6%
➢ Amazon: 3%
• Whaling: Whale phishing, or whaling, is a form of spear phishing aimed at the very big
fish—CEOs or other high-value targets like company board members.
Gathering enough information to trick a really high-value target might take time, but it
can have a surprisingly high payoff. In 2008, cybercriminals targeted corporate CEOs
with emails that claimed to have FBI subpoenas attached. In fact, they
downloaded keyloggers onto the executives' computers—and the scammers' success rate
was 10%, snagging almost 2,000 victims.
• Vishing and smishing: Phishing via phone call and text message, respectively.
Other types of phishing include clone phishing, snowshoeing, social media phishing, and
more—and the list grows as attackers are constantly evolving their tactics and techniques.
All the tools needed to launch phishing campaigns (known as phishing kits), as well as
mailing lists are readily available on the dark web, making it easy for cyber criminals,
even those with minimal technical skills, to pull off phishing attacks.
A phishing kit bundles phishing website resources and tools that need only be installed on
a server. Once installed, all the attacker needs to do is send out emails to potential
victims.
Some phishing kits allow attackers to spoof trusted brands, increasing the chances of
someone clicking on a fraudulent link. Akamai’s research, published in its Phishing: Baiting
the Hook report, found 62 kit variants for Microsoft, 14 for PayPal, seven for DHL and 11
for Dropbox.
The Duo Labs report, Phish in a Barrel, includes an analysis of phishing kit reuse. Of the
3,200 phishing kits that Duo discovered, 900 (27%) were found on more than one host.
That number might actually be higher, however. “Why don’t we see a higher percentage
of kit reuse? Perhaps because we were measuring based on the SHA1 hash of the kit
contents. A single change to just one file in the kit would appear as two separate kits even
when they are otherwise identical,” said Jordan Wright, a senior R&D engineer at Duo
and the report’s author.
Password attacks have far-reaching consequences since malicious users only require
unauthorized access to a single privileged account or a few user accounts to compromise the
web application. Depending on the data hosted by the application, compromised passwords
can pave the way for exposure of sensitive information, distributed denial-of-service,
financial fraud, and other sophisticated attacks.
Hackers typically rely on different techniques to obtain and authenticate with a legitimate
user’s password. These include:
Phishing Attacks
By far the most common form of password attack, phishing is a social engineering
technique in which the attacker masquerades as a trusted site and sends the victim a link
to a look-alike login page. Believing they are authenticating to the legitimate server, the
victim follows the link and enters their credentials, handing them straight to the attacker.
Besides identity theft, phishing also feeds Advanced Persistent Threats: once the threat
actor holds an internal user's permissions, they can move into deeper components of the
system while remaining undetected. Adversaries commonly use several methods to get the
user to follow the malicious link, including:
1. DNS cache poisoning – The attacker poisons the cache of the DNS resolver the victim
uses, so that the legitimate domain name resolves to an attacker-controlled server. No
look-alike domain is needed: the address bar shows the real name while the content is the
attacker's, which is what makes this variant hard for the user to notice.
2. Tabnabbing – The attacker rewrites unattended browser tabs with malicious sites that
look like legitimate web pages.
3. UI redressing/iFrame overlay – The attacker places a link to the malicious page over a
legitimate, clickable button using transparent layers.
4. Clone phishing – The attacker sends a copy of a legitimate email in which the original
links are replaced with URLs to malicious sites.
1. Simple brute force attacks – The attacker guesses candidate passwords, often using logic
and data about the user (strictly speaking this is password guessing; exhaustive brute force
tries every combination). It works against relatively simple passwords, such as a pet's
name combined with a birth year.
2. Credential stuffing – Previously exposed username-password pairs, obtained from
breaches of other websites, are replayed against the target. Attackers exploit the fact that
people tend to re-use the same combination across multiple services.
3. Reverse brute force attacks – The attacker starts with a known or common password
and searches for usernames that accept it. As threat actors often have access to multiple
databases of leaked credentials, it is easy to identify the passwords most common within a
particular group of users.
Dictionary attacks
This attack method uses a predefined list of words most likely to be used as passwords on a
specific target. The list is built from the website users' behavioural patterns and from
passwords obtained in previous data breaches, then expanded by varying the case of
common words, adding numeric suffixes and prefixes, and including common phrases. The
list is passed to an automated tool, which attempts to authenticate each candidate against a
list of known usernames.
Password spraying
In this type of attack, the attacker tries the same password against many accounts before
moving on to the next password. Password spraying is effective because many users set
simple passwords, and because one or two attempts per account stays under account-lockout
thresholds, which count failures per account rather than per source. Attackers often target
sites where administrators set a standard default password for new or unregistered
accounts.
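The two patterns above are distinguishable in authentication logs: brute force piles failures onto one account, while spraying spreads a few failures over many accounts from one source, which is exactly why per-account lockout misses it and why the count has to be made per source. The detection logic below is an added example, not part of the original notes; the log format and the sample lines are constructed, and the thresholds are assumptions to be tuned per environment.

```python
"""Classify failed-login bursts as brute force vs. password spraying.

Added example (not from the original notes). The log format is a constructed,
simplified one: "<timestamp> <source_ip> <username> <result>". Real logs
(Windows 4625 events, sshd auth.log, IdP sign-in logs) need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host brute-forcing 'alice', another spraying a
# single guess across many accounts (and hitting one), and a user's typo.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 alice FAIL
2024-03-01T10:00:03 203.0.113.7 alice FAIL
2024-03-01T10:00:04 203.0.113.7 alice FAIL
2024-03-01T10:00:05 203.0.113.7 alice FAIL
2024-03-01T10:00:06 203.0.113.7 alice FAIL
2024-03-01T10:01:00 198.51.100.9 alice FAIL
2024-03-01T10:01:01 198.51.100.9 bob FAIL
2024-03-01T10:01:02 198.51.100.9 carol FAIL
2024-03-01T10:01:03 198.51.100.9 dave FAIL
2024-03-01T10:01:04 198.51.100.9 erin FAIL
2024-03-01T10:01:05 198.51.100.9 frank OK
2024-03-01T10:05:00 192.0.2.44 bob FAIL
2024-03-01T10:05:09 192.0.2.44 bob OK
"""

WINDOW = timedelta(minutes=5)   # assumed detection window
FAIL_THRESHOLD = 5              # failures per source within WINDOW before we care
SPRAY_DISTINCT_USERS = 4        # distinct accounts tried by one source => spraying


def parse(log_text):
    """Turn the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def classify_sources(events, window=WINDOW):
    """Return {source_ip: (verdict, accounts_tried, accounts_succeeded)}.

    brute_force : many failures against few accounts (per-account lockout fires)
    spraying    : few failures per account spread across many accounts; stays
                  under per-account lockout, so it is only visible per source
    Sources below FAIL_THRESHOLD in every window are not reported.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # sliding window over this source's events, earliest start first
        for i in range(len(evs)):
            start = evs[i][0]
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            fails = [e for e in in_window if e[3] == "FAIL"]
            if len(fails) < FAIL_THRESHOLD:
                continue
            users = sorted({e[2] for e in fails})
            # a success after a run of failures is what the attacker was after
            succeeded = [e[2] for e in in_window if e[3] == "OK"]
            kind = "spraying" if len(users) >= SPRAY_DISTINCT_USERS else "brute_force"
            verdicts[ip] = (kind, users, succeeded)
            break
    return verdicts


if __name__ == "__main__":
    for ip, (kind, users, ok) in classify_sources(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {kind}; accounts={users}; successes={ok}")
```

The `succeeded` list is the part worth alerting on: a spray that ends in an `OK` is a compromised account, not just noise, and the response is to reset that account and review its sessions, not merely to block the source address.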
Keylogging
In a keylogging attack, the attacker installs monitoring software on the user's computer to
covertly record the keys the user strikes. The keylogger captures everything typed into
input forms, including credentials, and sends it to the malicious third party. While
keyloggers often have legitimate uses in enterprise settings (UX improvement, employee
One of the most common examples of a phishing password attack involves lying to the victim
that their account will be deactivated if they do not confirm their login details.
Assume the user utilizes services from a website with the URL: http://darwin.com
The attacker crafts phishing emails to the users, informing them that their account has been
compromised and their credit card and login details are needed to retain the account. The
email includes a link similar to: http://darw1n.com/confirm-details, pointing to the hacker’s
malicious website. The victim clicks on this link and is redirected to the fake confirmation
page, where they supply their legitimate login credentials. The hacker then collects these
credentials and uses them to access the victim’s legitimate account.
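A defender can catch the darw1n.com trick mechanically: fold digit-for-letter and homoglyph substitutions, compare the registrable domain against the brands the organisation cares about, and treat near matches (and hosts that merely contain a trusted name) as suspect. The checker below is an added example, not part of the original text; the trusted-domain list, the confusable table and the sample URLs are constructed, and the eTLD+1 extraction is a deliberate simplification.

```python
"""Flag look-alike domains such as darw1n.com impersonating darwin.com.

Added example, not part of the original notes. TRUSTED, CONFUSABLES and the
sample URLs are constructed for illustration.
"""
from urllib.parse import urlparse

# Substitutions attackers use for visually similar characters (digits for
# letters, letter pairs, a few Cyrillic/Turkish homoglyphs). Not exhaustive.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g",
               "vv": "w", "rn": "m", "cl": "d", "\u0131": "i", "\u0430": "a",
               "\u0435": "e", "\u043e": "o"}
TRUSTED = {"darwin.com", "paypal.com", "microsoft.com"}   # assumed brand list


def normalise(label):
    """Map confusable characters to canonical letters (longest keys first)."""
    out = label.lower()
    for k in sorted(CONFUSABLES, key=len, reverse=True):
        out = out.replace(k, CONFUSABLES[k])
    return out


def levenshtein(a, b):
    """Plain edit distance; good enough for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude eTLD+1 (last two labels). Production code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_url(url, trusted=TRUSTED, max_distance=1):
    """Return (verdict, matched_trusted_domain).

    'trusted'   : the registrable domain is exactly a trusted one
    'lookalike' : the host contains a trusted name as a subdomain trick
                  (darwin.com.evil.example), or after confusable folding the
                  registrable domain equals / is within max_distance edits of
                  a trusted one (darw1n.com, rnicrosoft.com)
    'unknown'   : neither; may still be phishing, just not brand impersonation
    """
    host = (urlparse(url).hostname or "").lower()
    domain = registrable(host)
    if domain in trusted:
        return "trusted", domain
    for t in sorted(trusted):
        if t in host:                      # brand used as a leading label
            return "lookalike", t
    folded = normalise(domain)
    for t in sorted(trusted):
        if folded == t or levenshtein(folded, t) <= max_distance:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    for u in ["http://darwin.com/login", "http://darw1n.com/confirm-details",
              "https://darwin.com.evil.example/login", "https://rnicrosoft.com/",
              "https://example.org/"]:
        print(u, "->", check_url(u))
```

This is a mail-gateway or proxy-side check; it complements, rather than replaces, phishing-resistant authentication (FIDO2/WebAuthn), which stops the stolen password from being useful even when the user does not notice the 1 in darw1n.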
Security administrators must enforce policies that ensure users follow set criteria, so that
malicious actors cannot easily crack their passwords. For example, the password should be
a minimum of 8 characters long (longer is better) and must not contain personally
identifying information, which feeds dictionary attacks. Users should also use a unique
password for each service, so that a credential database exposed elsewhere cannot be
replayed against this one, and should change a password as soon as there is any sign of
compromise. Note that current guidance (NIST SP 800-63B) favours length, screening new
passwords against lists of breached passwords, and multi-factor authentication over
mandatory special characters and scheduled rotation, which tend to push users toward
predictable patterns.
It is vital to ensure every user understands the criticality of a strong password policy and
follows the organization-wide awareness on password security. Additionally, every
application user should be aware of social engineering attacks that trick them into submitting
their credentials to malicious third parties.
SQL injection
In this section, we'll explain what SQL injection (SQLi) is, describe some common examples,
explain how to find and exploit various kinds of SQL injection vulnerabilities, and
summarize how to prevent SQL injection.
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with
the queries that an application makes to its database. It generally allows an attacker to view
data that they are not normally able to retrieve. This might include data belonging to other
users, or any other data that the application itself is able to access. In many cases, an attacker
can modify or delete this data, causing persistent changes to the application's content or
behavior.
In some situations, an attacker can escalate an SQL injection attack to compromise the
underlying server or other back-end infrastructure, or perform a denial-of-service attack.
A successful SQL injection attack can result in unauthorized access to sensitive data, such as
passwords, credit card details, or personal user information. Many high-profile data breaches
in recent years have been the result of SQL injection attacks, leading to reputational damage
and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise
in different situations. Some common SQL injection examples include:
• Retrieving hidden data, where you can modify an SQL query to return additional results.
• Subverting application logic, where you can change a query to interfere with the
application's logic.
• UNION attacks, where you can retrieve data from different database tables.
• Examining the database, where you can extract information about the version and structure
of the database.
• Blind SQL injection, where the results of a query you control are not returned in the
application's responses.
Consider a shopping application that displays products in different categories. When the user
clicks on the Gifts category, their browser requests the URL:
https://insecure-website.com/products?category=Gifts
This causes the application to make an SQL query to retrieve details of the relevant products
from the database:
The restriction released = 1 is being used to hide products that are not released. For
unreleased products, presumably released = 0.
The application doesn't implement any defenses against SQL injection attacks, so an attacker
can construct an attack like:
https://insecure-website.com/products?category=Gifts'--
Going further, an attacker can cause the application to display all the products in any
category, including categories that they don't know about:
https://insecure-website.com/products?category=Gifts'+OR+1=1--
The modified query will return all items where either the category is Gifts, or 1 is equal to 1.
Since 1=1 is always true, the query will return all items.
Consider an application that lets users log in with a username and password. If a user submits
the username wiener and the password bluecheese, the application checks the credentials by
performing the following SQL query:
If the query returns the details of a user, then the login is successful. Otherwise, it is rejected.
Here, an attacker can log in as any user without a password simply by using the SQL
comment sequence -- to remove the password check from the WHERE clause of the query.
For example, submitting the username administrator'-- and a blank password results in the
following query:
This query returns the user whose username is administrator and successfully logs the
attacker in as that user.
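Both examples above (the Gifts'-- and OR 1=1 category queries, and the administrator'-- login) come down to user input being pasted into the SQL text. The script below is an added example, not code from the original text: it runs the vulnerable queries against an in-memory SQLite database built from constructed rows, then the same operations with parameterised queries, which is the primary defence. Table and column names are assumptions.

```python
"""SQL injection: the vulnerable string-built query beside the parameterised fix.

Added example, not from the original notes. Uses an in-memory SQLite database
with constructed rows; the table and column names are assumed. Passwords are
stored in clear text only to keep the demo short; real systems store hashes.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Mug', 'Gifts', 1),
                                    ('Secret gadget', 'Gifts', 0),
                                    ('Drill', 'Tools', 1);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('wiener', 'bluecheese'),
                                 ('administrator', 'xK9!long-random');
    """)
    return db


# --- vulnerable: user input concatenated into the SQL text -------------------
def products_vulnerable(db, category):
    # "Gifts'--" comments out "AND released = 1"; "Gifts' OR 1=1--" matches every row
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [r[0] for r in db.execute(sql)]


def login_vulnerable(db, username, password):
    # "administrator'--" as the username comments out the password check entirely
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


# --- fixed: parameterised queries; input is bound as data, never parsed as SQL --
def products_safe(db, category):
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [r[0] for r in db.execute(sql, (category,))]


def login_safe(db, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(products_vulnerable(db, "Gifts"))                # ['Mug']
    print(products_vulnerable(db, "Gifts'--"))             # unreleased gadget leaks
    print(products_vulnerable(db, "Gifts' OR 1=1--"))      # every product
    print(login_vulnerable(db, "administrator'--", ""))    # 'administrator', no password
    print(products_safe(db, "Gifts' OR 1=1--"))            # [] : just a weird category
    print(login_safe(db, "administrator'--", ""))          # None
```

With placeholders the payload is compared as a literal category string, so the same input that dumped the table returns nothing. The remaining caveat is that parameters only bind values: a user-controlled table or column name, or an ORDER BY direction, still has to be checked against an allow-list.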
For example, if an application executes the following query containing the user input "Gifts":
This will cause the application to return all usernames and passwords along with the names
and descriptions of products.
You can query the version details for the database. The way that this is done depends on the
database type, so you can infer the database type from whichever technique works. For
example, on Oracle you can execute:
You can also determine what database tables exist, and which columns they contain. For
example, on most databases you can execute the following query to list the tables:
Hacking:
Hacking may be defined as the technique or planning used to gain access to systems without
authorization; simply put, gaining access to a network or a computer for illegal purposes.
The people who do this are typically very intelligent and skilled with computers.
People skilled in hacking are divided into 2 categories:
1. Hackers:
Hackers are the good people who hack for good purposes and to gain more knowledge. They
find loopholes in a system and help its owners to close them. Hackers are generally
programmers who obtain advance
Hackers | Crackers
The good people who hack for knowledge purposes. | The evil people who break into a system for their own benefit.
They are skilled and have advanced knowledge of computers, operating systems and programming languages. | They may or may not be skilled; some crackers just know a few tricks to steal data.
They share knowledge and never damage data. | If they find a loophole, they delete or damage the data.
They hold legal certifications, e.g. the CEH certificate. | They may or may not have certifications, as their motive is to stay anonymous.
Types of Hackers
Black-hat hackers are also known as unethical hackers or security crackers. These people
hack systems illegally to steal money or to achieve their own illegal goals. They find banks
or other companies with weak security and steal money or credit card information. They can
also modify or destroy data. Black-hat hacking is illegal.
White-hat hackers are also known as ethical hackers or penetration testers. White-hat
hackers are the good guys of the hacker world.
These people use the same techniques as black-hat hackers. They also break into systems,
but only systems they have permission to test, in order to assess their security. They focus
on securing and protecting IT systems. White-hat hacking is legal.
Grey-hat hackers are a hybrid between black-hat and white-hat hackers. They may hack a
system without permission in order to test its security, but they will not steal money or
damage the system.
In most cases they tell the system's administrator what they found. Their activity is still
illegal, because they test the security of systems they have no permission to test. Grey-hat
hacking is sometimes done legally and sometimes not.
Just as some germs and diseases can attack the human body, numerous threats can affect
hardware, software, and the information you store. Some of the major ones include the
following:
• Viruses are designed so that they can be easily transmitted from one computer or system to
another. Often sent as email attachments, viruses corrupt and co-opt data, interfere with your
security settings, generate spam, and may even delete content.
• Computer worms are similar; they spread from one computer to the next by sending
themselves to all of the user’s contacts and subsequently to all contacts’ contacts.
• Trojans. These malicious pieces of software insert themselves into a legitimate program.
Often, people voluntarily let trojans into their systems in email messages from a person or an
advertiser they trust. As soon as the accompanying attachment is open, your system becomes
vulnerable to the malware within.
• Bogus security software (scareware) tricks users into believing that their system has
been infected with a virus. The "security software" the threat actor then offers to fix the
problem is itself the malware.
• Adware tracks your browsing habits and causes particular advertisements to pop up.
Although this is common and often something you may even have agreed to, adware is
sometimes imposed on you without your consent.
Risks: Cybersecurity risks are the calculated potential damage, loss or destruction of an
asset in the event of vulnerabilities being exploited by threats, causing the level of security
to fall. Risks are a function of threats, vulnerabilities, threat probability and potential
impact. This is the key difference between a cyberthreat and a cybersecurity risk: a threat
is the attack, breach or negative event itself, while the risk includes the probability of the
threat and the impact it is capable of causing.
So, it is essential to understand both the nature of the threats facing the organization and
the vulnerabilities that exist in its systems, networks and applications. In order to
minimize cyber risk, you must fix the vulnerabilities while also securing unfixed ones using
A Practical Example
Understanding the difference between cyber threats, vulnerabilities and risks enables you to
communicate clearly with security teams and other stakeholders. It also enables you to
assess risks effectively, understand how threats affect risk, design better security
solutions based on threat intelligence, and maintain a robust security posture.
Malware is spread on different websites on the Internet. Hackers are clever these days; they
don’t just insert malware in non-secure websites but also on legitimate websites. How do they
do this?
1. Social Engineering
Social engineering is a technique that makes a user want to give away personal information.
Think of it this way; a present is ready to be shipped, you just have to provide your address.
Who would refuse a present? If you are unaware of how malware works, you will fall into
this trick. Rather than installing malware intrusively, they’ve developed a strategy for the
user to install malware willingly.
One example of a social engineering email is a fake email from a friend or family. It may
contain a message saying that there’s a funny picture of you, click here to view the image.
This may trigger curiosity. Who doesn’t want to see his own funny photo, right? If you have
no idea that it’s a form of social engineering, you will download the attachment and install
malware without knowing it.
So how to prevent malware from fake emails? Send your contact a separate email to confirm
if the email is legit.
Fake Downloads
Social engineering can also use a scare to convince the victim. You could just be browsing
the Internet when suddenly a message flashes on the screen saying that a threat has been
detected, click here to download an antivirus.
Don't fall for this trick. Install antivirus software only from a trustworthy vendor's own
site, never from a pop-up.
Phishing Link
Do you know that a phishing link can lead to a fake login page that collects information and
installs malware? This is especially common with game cheats and hacks. A hacker can
easily add a link that redirects the user to a fake website hosting dangerous malware.
So how to avoid phishing links? Use the free website scanner on the Internet to verify if the
link is safe. You may use Website Inspector by Comodo or other third party websites.
Cookies are sent by the browser back to the site that set them, and for an HTTPS site they
travel over the encrypted connection. HTTPS does not, however, protect the cookie jar
itself: a cookie's scope has no scheme, so a cookie injected over a plain-HTTP connection to
the same host (or set from a sibling subdomain) is also sent to the HTTPS site.
Attackers have used such injected cookies to fix a victim's session, redirect the user to a
fake website, or steer them into installing malware such as a Trojan. The Secure attribute
and the __Host- cookie-name prefix limit this by making the browser reject cookies set over
HTTP or from other hosts.
Now that we know where malware threats come from, what are malware threats exactly?
Malware is an application that is designed to steal personal information and destroy computer
data without being exposed. Hackers use different types of malware to invade the computer.
Virus
A virus is a self-replicating malware that infects the computer through an executable file. It is
attached to a file that the user must run first for the virus to spread. Note that it cannot
activate itself without a human help.
Worm
A worm is the opposite of a virus: where a virus needs a human action to replicate, a worm
spreads independently. Once installed, a worm replicates quickly and consumes memory,
bandwidth and disk space, degrading the performance of the computer and the network.
Trojan
Is a type of malware that is used to gain control over the computer. Trojan installs other types
of malware used to manipulate the computer without the user’s knowledge. This allows
hackers to use the computer for delivering cybercrimes.
Spyware
Keylogger
Keylogger exposes the passwords by recording each key pressed on the keyboard. It is used
to steal account information.
Rootkit
A rootkit targets the operating system, which makes it hard to detect: it hooks or replaces
OS components so that its processes and files are hidden from Task Manager and any other
tool that relies on the OS to answer truthfully. It is used to conceal other malware's
activity on the computer and is often bundled with malware that steals bank account
information.
Sniffing
Sniffing is the capture of traffic passing over a network segment. Protocols that carry
their data in clear text give a sniffer direct access to sensitive information such as:
• Email traffic
• FTP passwords
• Web traffics
• Telnet passwords
• Router configuration
• Chat sessions
• DNS traffic
How it works
A sniffer normally switches the system's NIC to promiscuous mode so that it receives all the
data transmitted on its segment.
Promiscuous mode is a mode of operation of Ethernet hardware, in particular network
interface cards (NICs), in which the NIC accepts all traffic on the network, even frames not
addressed to it. By default a NIC discards traffic not addressed to it, which it decides by
comparing the destination address of the Ethernet frame with its own hardware (MAC)
address. This makes perfect sense for normal networking, but non-promiscuous mode
leaves network monitoring and analysis software blind to other hosts' traffic when
diagnosing connectivity issues or doing traffic accounting. Note that on a switched network
promiscuous mode alone only shows the traffic the switch forwards to that port; the active
techniques listed below (MAC flooding, ARP poisoning and so on) exist to pull other hosts'
traffic onto the attacker's port.
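To make the MAC-address filter concrete, here is an added example (not from the original notes) that builds three Ethernet/IPv4/TCP frames inline and passes them through a software model of the NIC's acceptance rule, first as a normal NIC and then in promiscuous mode, picking out the clear-text credential protocols from the list above. The MAC and IP addresses and the payloads are constructed; checksums are left at zero because nothing here validates them.

```python
"""What promiscuous mode changes, shown on constructed Ethernet/IPv4/TCP frames.

Added example, not from the original notes. OUR_MAC, the other addresses and
the payloads are made up; only the header fields the demo needs are parsed.
"""
import struct

OUR_MAC = bytes.fromhex("02aabbccdd01")          # the sniffing host's own NIC (assumed)
BROADCAST = b"\xff" * 6
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3"}


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet II + IPv4 + TCP frame (checksums zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def parse_frame(frame):
    """Extract addresses, protocol, TCP ports and payload from an Ethernet II frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": dst, "src_mac": src, "proto": None}
    if ethertype != 0x0800:                       # not IPv4
        return info
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    info["proto"] = frame[14 + 9]
    info["src_ip"] = ".".join(map(str, frame[14 + 12:14 + 16]))
    info["dst_ip"] = ".".join(map(str, frame[14 + 16:14 + 20]))
    if info["proto"] == 6:                        # TCP
        off = 14 + ihl
        info["sport"], info["dport"] = struct.unpack("!HH", frame[off:off + 4])
        data_off = (frame[off + 12] >> 4) * 4     # TCP header length
        info["payload"] = frame[off + data_off:]
    return info


def nic_accepts(frame, our_mac=OUR_MAC, promiscuous=False):
    """The NIC's filter: without promiscuous mode only our unicast, broadcast
    and multicast (low bit of first byte set) destinations are delivered."""
    dst = frame[:6]
    return promiscuous or dst == our_mac or dst == BROADCAST or bool(dst[0] & 1)


def sniff(frames, promiscuous):
    """Return (protocol, src_ip, payload) for clear-text protocols the NIC delivers."""
    found = []
    for fr in frames:
        if not nic_accepts(fr, promiscuous=promiscuous):
            continue
        p = parse_frame(fr)
        if p["proto"] == 6 and p["dport"] in PLAINTEXT_PORTS:
            found.append((PLAINTEXT_PORTS[p["dport"]], p["src_ip"], p["payload"]))
    return found


# Constructed traffic on our segment: a Telnet login and an FTP password between
# other hosts, and one TLS frame actually addressed to us.
SAMPLE_FRAMES = [
    build_frame(bytes.fromhex("02aabbccdd02"), bytes.fromhex("02aabbccdd03"),
                "10.0.0.5", "10.0.0.2", 40000, 23, b"alice\r\nhunter2\r\n"),
    build_frame(bytes.fromhex("02aabbccdd04"), bytes.fromhex("02aabbccdd05"),
                "10.0.0.7", "10.0.0.4", 40001, 21, b"PASS s3cret\r\n"),
    build_frame(OUR_MAC, bytes.fromhex("02aabbccdd06"),
                "10.0.0.9", "10.0.0.1", 40002, 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    print("normal mode:     ", sniff(SAMPLE_FRAMES, promiscuous=False))
    print("promiscuous mode:", sniff(SAMPLE_FRAMES, promiscuous=True))
```

In normal mode nothing sensitive is seen, not because the segment is clean but because the only frame addressed to this host is TLS; in promiscuous mode the Telnet and FTP credentials appear in full. The defence is the same in either case: replace those protocols with SSH, FTPS/SFTP and HTTPS, since a sniffer on a shared or poisoned segment cannot be relied on not to exist.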
Types of Sniffing
• MAC Flooding
• DHCP Attacks
• DNS Poisoning
• Spoofing Attacks
• ARP Poisoning
Protocols which are affected
Before we go into further details of sniffers, it is important that we discuss about hardware
protocol analyzers. These devices plug into the network at the hardware level and can
monitor traffic without manipulating it.
• Hardware protocol analyzers are used to monitor and identify malicious network
traffic generated by hacking software installed in the system.
• They capture a data packet, decode it, and analyze its content according to certain
rules.
• Hardware protocol analyzers allow attackers to see individual data bytes of each
packet passing through the cable.
These hardware devices are not readily available to most ethical hackers due to their
enormous cost in many cases.
Lawful Interception
Privilege escalation
Privilege escalation is a common threat vector for adversaries, which allows them to enter
organizations’ IT infrastructure and seek permissions to steal sensitive data, disrupt
operations and create backdoors for future attacks. Elevated privileges open doors for
attackers to mess with security settings, configurations and data; they often get access to
lower privilege accounts first and then use them to obtain high-level privileges and gain full
access to organization’s IT environment.
Unfortunately, it is often easy for even unsophisticated hackers to obtain and escalate
privileges because many organizations lack adequate security measures and controls, such as
rigorously enforcing the principle of least privilege and knowing what sensitive data they
have and where it is stored so they can harden its security.
Generally, privilege escalation is a type of activity when a hacker is exploiting a bug, taking
advantage of configuration oversight and programming errors, or using any vulnerabilities in
a system or application to gain elevated access to protected resources. Normally, this happens
when an attacker has already done reconnaissance and successfully compromised a system by
gaining access to a low-level account. In this phase, an attacker wants to have a strong grip
on the system and seeks ways to heighten the privileges, either to study the system further or
perform an attack.
• Horizontal privilege escalation — This attack involves a hacker simply taking over
someone else’s account. For example, one internet banking user might gain access to the
account of another user by learning their ID and password. In horizontal privilege escalation,
the attacker does not actively seek to upgrade the privileges associated with the account they
have compromised, but simply to misuse them by assuming the identity of the other user.
• Vertical privilege escalation (aka elevation of privilege or EoP) — Here, a malicious user
gains access to a lower-level account and uses it to obtain higher-level privileges. For
example, a hacker might compromise a user's internet banking account and then try to reach
the site's administrative functions. Vertical privilege escalation requires more sophisticated
attack techniques than horizontal escalation, such as exploits or hacking tools that help the
attacker gain elevated access to systems and data.
1. Find a vulnerability
2. Create the related privilege escalation exploit
3. Use the exploit on a system
4. Check if it successfully exploits the system
5. Gain additional privileges
An attacker’s goal in a privilege escalation attack is to obtain high-level privileges (e.g. root
privileges) and make their way to critical IT systems without being noticed. There are
multiple privilege escalation techniques that attackers use to accomplish this. Let’s explore
three of the most common ones:
Access token manipulation: how it happens
This privilege escalation technique exploits the way Windows manages admin privileges.
Windows uses access tokens to determine the security context of every running process and
thread, e.g. when a thread interacts with a securable object or tries to perform a system
task that requires certain privileges.
In access token manipulation, the attacker's task is to make the system believe that a
running process belongs to someone other than the user who actually started it. When this
happens, the process takes on the security context associated with the new token.
1. Impersonate or steal a token – An adversary can create a new access token that duplicates
an existing one using DuplicateToken(Ex). The token can then be used with the
ImpersonateLoggedOnUser function to enable the calling thread to impersonate a
Access tokens are an integral part of the security system within Windows and cannot be
turned off. However, an attacker must already have administrator level access to make full
use of this technique. Therefore, you need to assign access rights in accordance with the
least-privilege principle and make sure that all the access rights are regularly reviewed. You
also need to keep a close eye on privileged accounts to promptly respond to signs of
suspicious activity performed by these accounts.
UAC bypass: how it happens
Windows has a well-structured mechanism for controlling privileges of all users in the
network. The user account control (UAC) feature serves as a gate between normal users and
users with admin privileges. It limits application software to standard user permissions until
an administrator authorizes an increase of privileges. In this way, only applications trusted by
the user may receive administrative privileges, which prevents malware from compromising
the operating system.
However, this mechanism has security gaps. If the UAC protection level of a computer is set
to anything but the highest level, some Windows programs are allowed to elevate privileges
or execute Component Object Model (COM) objects that are elevated without prompting a
user first. An example of this is use of rundll32.exe to load a specifically crafted Dynamic
Link Library (DLL), which loads a COM object that already has elevated privileges. This
performs file operations even in protected directories and opens the UAC mechanism to
compromise from attackers.
You need to check your IT environment for common UAC bypass weaknesses regularly to be
aware of current risks to your systems and address issues where appropriate. Another good
practice is to regularly review which accounts are in your local administrator groups on
systems and remove regular users from these groups.
Valid accounts and stolen credentials: how it happens
Adversaries can use Credential Access techniques (e.g. Credential Dumping, Account
Manipulation and other) to obtain the credentials of specific user accounts, or steal them
through social engineering. As soon as attackers get access to organization’s network, they
can use compromised credentials to bypass access controls placed on various resources on IT
systems, or any other security restrictions, and may even gain access to remote systems and
services, e.g. VPNs, Outlook Web Access and remote desktop. One of the main concerns
here is the overlap of credentials and permissions across the network, because adversaries
may be able to switch between accounts and systems to reach a higher level of access (i.e.,
domain or enterprise administrator).
One of the simplest, yet most effective ways to mitigate this threat is to ensure that local
administrator accounts have complex passwords that are unique on every system (Microsoft
LAPS automates this), to change administrative passwords regularly, and to enforce a strong
password policy. Uniqueness matters most: a local administrator password shared across
systems is what turns a single compromised host into every host.
Trojans and backdoors are types of malware used to infect and compromise computer
systems. A Trojan is a malicious program disguised as something benign. In many cases the
Trojan appears to perform a desirable function for the user but actually allows a hacker
access to the user's computer system. Trojans are often downloaded along with another
program or software package.
Trojans ride on the backs of other programs and are usually installed on a system without
the user's knowledge. A Trojan can be sent to a victim system in many ways, such as the
following:
Viruses and worms can be used to infect a system and modify it to allow a hacker to gain
access. Many viruses and worms carry Trojans and backdoors. In this way a virus or worm is
a carrier that allows malicious code such as Trojans and backdoors to be transferred from
system to system, much as contact between people allows germs to spread.
A worm is similar to a virus in many ways but does not need a carrier program. A worm can
self-replicate and move from an infected host to another host.
Types of viruses
Viruses are classified according to two factors: what they infect and how they infect.
A virus can infect the following components of a system:
1. System sectors
2. Files
3. Macros (such as Microsoft Word macros)
4. Companion files (supporting system files like DLL and INI files)
5. Disk clusters
6. Batch files (BAT files)
7. Source code
Viruses are categorized according to their infection technique as follows:
1. Polymorphic viruses
These viruses encrypt their code differently with each infection, so every copy looks
different and byte-signature detection fails; only the small decryptor stub, or a
behavioural/heuristic signature, stays constant enough to match.
2. Stealth viruses
These viruses hide the normal signs of infection, for example by restoring the original time
and date stamp of an infected file so that it is not noticed as a changed file on the system.
3. Armored viruses
These viruses use encryption, obfuscation and anti-debugging tricks to make disassembly
and analysis difficult.
4. Multipartite viruses
These advanced viruses infect in more than one way, for example both boot sectors and
executable files, so that cleaning only one of them is not enough.
Cyber Forensics
Cyber forensics is the process of extracting data from electronic devices as evidence of a
crime, while following proper investigation rules so that the evidence can be presented in
court and the culprit identified. Cyber forensics is also known as computer forensics. Its
main aim is to maintain the chain of evidence and documentation needed to establish who
committed the crime digitally. Cyber forensics can do the following:
• It can recover deleted files, chat logs, emails, etc
• It can also get deleted SMS, Phone calls.
• It can get recorded audio of phone conversations.
• It can determine which user used which system and for how much time.
• It can identify which user ran which program.
Cyber forensic investigators use various techniques and tools to examine the data and some
of the commonly used techniques are:
• Reverse steganography: Steganography is a method of hiding data inside a digital file
such as an image. Cyber forensic experts reverse it to recover the hidden data and relate it
to the case.
• Stochastic forensics: The experts analyze and reconstruct digital activity without relying
on digital artifacts, using instead the statistical patterns that activity such as bulk file
copying leaves behind. Here, artifacts mean unintended alterations of data that occur from
digital processes.
• Cross-drive analysis: Information found on multiple computer drives is correlated and
cross-referenced to analyze and preserve information relevant to the investigation.
• Live analysis: The suspect's computer is analyzed from within the running OS. It targets
the volatile data in RAM, which is lost at power-off, to get valuable information.
• Deleted file recovery: This includes searching the storage media for fragments of a
deleted or partially overwritten file in order to recover it for evidence purposes.
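Deleted file recovery in practice is mostly signature carving: the directory entry is gone, but the file's bytes usually still sit on disk between a known header and footer. The carver below is an added example, not from the original text; the "disk image" is a constructed byte string holding a tiny JPEG and PNG, and the PNG chunk-CRC walk shows how to tell an intact recovery from a fragmented or overwritten one, which raw carving alone cannot.

```python
"""Recover deleted JPEG and PNG files by carving on header/footer signatures.

Added example, not from the original notes. DISK_IMAGE is a constructed byte
string (the offsets and filler are made up); a real run reads a dd/E01 image.
"""
import struct
import zlib

# (magic header, footer) for the formats we carve
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, signatures=SIGNATURES, max_size=16 * 1024 * 1024):
    """Scan the whole buffer; return [(type, offset, data)] sorted by offset.

    Pure header-to-footer carving, so a fragmented file comes out broken: that
    is the usual limitation and why a format-aware check should follow.
    """
    hits = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head))
            if end == -1 or end - start > max_size:
                break
            end += len(tail)
            hits.append((kind, start, image[start:end]))
            pos = end
    return sorted(hits, key=lambda h: h[1])


def png_is_intact(data):
    """Walk the PNG chunk list and verify every chunk CRC up to IEND."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    off = 8
    while off + 8 <= len(data):
        length, ctype = struct.unpack("!I4s", data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        crc_bytes = data[off + 8 + length:off + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            return False                          # truncated
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != struct.unpack("!I", crc_bytes)[0]:
            return False                          # overwritten / wrong fragment
        if ctype == b"IEND":
            return True
        off += 12 + length
    return False


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack("!I", len(body)) + ctype + body + struct.pack("!I", crc)


# Constructed 1x1 PNG and a structurally minimal JPEG, buried in filler.
TINY_PNG = (SIGNATURES["png"][0]
            + _chunk(b"IHDR", struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _chunk(b"IEND", b""))
TINY_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"
DISK_IMAGE = b"\x00" * 512 + TINY_JPG + b"\x00" * 300 + TINY_PNG + b"\xffunallocated" * 20

if __name__ == "__main__":
    for kind, offset, data in carve(DISK_IMAGE):
        status = ""
        if kind == "png":
            status = " (intact)" if png_is_intact(data) else " (damaged)"
        print(f"{kind} at offset {offset}, {len(data)} bytes{status}")
```

Every carved object should be hashed and logged with its byte offset before analysis, both for the chain of custody and so that the same artefact found on a second drive can be matched during cross-drive analysis.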
Advantages
What are the required set of skills needed to be a cyber forensic expert?
• Computer forensics
• Network forensics
Network forensics is the study of network traffic to search for truth in civil, criminal, and
administrative matters to protect users and resources from exploitation, invasion of privacy,
and any other crime.
Digital evidence is different from physical evidence because of the following characteristics:
Computer forensics experts know the techniques to retrieve data from files listed in a standard
directory search, hidden files, deleted files, deleted e-mail, passwords, login IDs, encrypted
files, hidden partitions, etc. Computer systems have the following:
Dr. Edmond Locard is known as the father of forensic science. He is also known as the
“Sherlock Holmes of France”. The famous principle given by Locard, “Every contact leaves a
trace”, is known as Locard’s exchange principle.
• All statements which the court permits or requires to be made before it by witnesses, in
relation to matters of fact under inquiry, are called oral evidence.
• All documents that are produced for the inspection of the court are called documentary
evidence.
Newly added provisions in the Indian Evidence Act 1972, introduced through the ITA 2000,
constitute the body of law applicable to electronic evidence. Digital evidence by its very nature
is invisible to the eye; it can only be examined using tools other than the human eye.
Acquisition of digital evidence is both a legal and a technical problem. Difficulties associated
with gathering digital evidence:
• Physical context
o It is definable by its physical form, that is, it should reside on a specific piece of
media
• Logical context
o It must be identifiable as to its logical position, that is, where does it reside relative to
the file system
• Legal context
o The evidence must be placed in the correct context to read its meaning
o This may require looking at the evidence as machine language
• Follow site’s security policy and engage the appropriate incident handling and law
enforcement personnel
• Capture a picture of the system as accurately as possible
• Keep detailed notes with dates and times
• Be prepared to testify outlining all actions you took and at what times
• Minimize changes to the data as you are collecting it
• Remove external avenues for change
• Always choose collection before analysis
• Your procedures should be implementable
• Manage the work among the team members
• Proceed from most volatile to less volatile areas while collecting evidence:
o Registers, cache
o Routing table, ARP cache, process table, kernel statistics, RAM
o Temporary file systems
o Disk
o Remote logging and monitoring data
o Physical configuration and network topology
o Archival media
• Do a bit-level copy of the media (try to avoid conducting forensics on the evidence copy)
Digital Forensics
Digital forensics helps the forensic team analyze, inspect, identify, and preserve the digital
evidence residing on various types of electronic devices.
• Hans Gross (1847–1915): First use of scientific study to head criminal investigations.
• FBI (1932): Set up a lab to offer forensics services to all field agents and other law
authorities across the USA.
• In 1978, the first computer crime was recognized in the Florida Computer Crime Act.
• Francis Galton (1982 – 1911): Conducted the first recorded study of fingerprints.
• In 1992, the term Computer Forensics was used in academic literature.
• In 1995, the International Organization on Computer Evidence (IOCE) was formed.
• In 2000, the first FBI Regional Computer Forensic Laboratory was established.
• In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published the first
book about digital forensics, called “Best Practices for Computer Forensics”.
• In 2010, Simson Garfinkel identified issues facing digital investigations.
• It helps to recover, analyze, and preserve computer and related materials in such a manner
that the investigating agency can present them as evidence in a court of law.
• It helps to postulate the motive behind the crime and the identity of the main culprit.
• Designing procedures at a suspected crime scene that help ensure the digital evidence
obtained is not corrupted.
• Data acquisition and duplication: recovering deleted files and deleted partitions from digital
media to extract the evidence and validate it.
• Helps to identify the evidence quickly, and also allows an estimate of the potential impact
of the malicious activity on the victim.
• Producing a computer forensic report that offers a complete account of the investigation
process.
• Preserving the evidence by following the chain of custody.
Disk Forensics:
It deals with extracting data from storage media by searching active, modified, or deleted
files.
Network Forensics:
It is a sub-branch of digital forensics. It is related to monitoring and analysis of computer
network traffic to collect important information and legal evidence.
Wireless Forensics:
Database Forensics:
It is a branch of digital forensics relating to the study and examination of databases and their
related metadata.
Malware Forensics:
This branch deals with the identification of malicious code such as viruses and worms, and
the study of their payloads.
Email Forensics:
Deals with recovery and analysis of emails, including deleted emails, calendars, and contacts.
Memory Forensics:
It deals with collecting data from system memory (system registers, cache, RAM) in raw
form and then carving the data from the raw dump.
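The carving step that both the deleted-file-recovery technique and memory forensics rely on, as an added example that is not part of the original notes: it scans a raw dump for JPEG and PNG header/footer signatures, recovers complete objects and flags fragments whose footer is missing, which is how files are recovered when no file-system metadata survives. The dump, the 1x1 PNG and the JPEG skeleton are all constructed inside the code; nothing is read from a real disk or RAM image.

```python
"""Signature-based file carving over a raw dump (constructed example)."""
import hashlib
import struct
import zlib

# Header and footer signatures.  The PNG footer is the complete IEND chunk
# (zero length, type, CRC); the JPEG footer is the EOI marker.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_FILE_SIZE = 16 * 1024 * 1024  # stop looking for a footer beyond this distance


def carve(dump: bytes, max_size: int = MAX_FILE_SIZE) -> list[dict]:
    """Return carved objects sorted by offset; footer-less hits are kept but flagged."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = dump.find(header)
        while pos != -1:
            end = dump.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no footer in range: a fragment of a partially
                # overwritten file.  Keep it so an analyst can still inspect it.
                data, complete, resume = dump[pos:pos + max_size], False, pos + len(header)
            else:
                data, complete, resume = dump[pos:end + len(footer)], True, end + len(footer)
            found.append({
                "type": ftype, "offset": pos, "size": len(data), "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(),  # goes into the custody record
                "data": data,
            })
            pos = dump.find(header, resume)
    return sorted(found, key=lambda f: f["offset"])


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Length, type, data, CRC-32 over type+data, as the PNG spec lays out a chunk."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def sample_png() -> bytes:
    """Constructed 1x1 black RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one RGB pixel
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def sample_jpeg() -> bytes:
    """Constructed JPEG skeleton: SOI, one APP0/JFIF segment, EOI (22 bytes)."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + b"\xff\xd9"


def build_sample_dump() -> bytes:
    """Constructed dump: filler bytes around a PNG, a JPEG and a truncated JPEG."""
    filler = b"\x00" * 64 + b"unallocated cluster text " * 4  # contains no 0xFF byte
    truncated = sample_jpeg()[:12]                          # SOI + part of APP0, no EOI
    return filler + sample_png() + filler + sample_jpeg() + filler + truncated


if __name__ == "__main__":
    for obj in carve(build_sample_dump()):
        state = "complete" if obj["complete"] else "FRAGMENT"
        print(f"{obj['type']} @ {obj['offset']:5d} {obj['size']:4d} B {state} "
              f"sha256={obj['sha256'][:16]}")
```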
• Digital evidence is accepted into court; however, it must be proved that there has been no
tampering.
• Producing electronic records and storing them is an extremely costly affair.
• Legal practitioners must have extensive computer knowledge.
• There is a need to produce authentic and convincing evidence.
• If the tool used for digital forensics does not conform to specified standards, the evidence
can be disapproved by the court.
• Lack of technical knowledge on the part of the investigating officer might not give the
desired result.
The digital forensics process is shown in the following figure. Forensic life cycle phases are:
In order to be processed and analysed, evidence must first be identified. It is possible that
evidence is overlooked and never identified at all. A sequence of events in a computer might
include interactions between:
• Different files
• Files and file systems
• Processes and files
• Log files
In case of a network, the interactions can be between devices in the organization or across
the globe (Internet). If the evidence is never identified as relevant, it may never be collected
and processed.
Digital evidence can be collected from many sources. The obvious sources can be:
• Mobile phone
Proper care should be taken while handling digital evidence, as it can be changed easily.
Once changed, the evidence cannot be analysed further. A cryptographic hash can be
calculated for the evidence file and later checked to determine whether any changes were
made to the file. Sometimes important evidence resides in volatile memory, and gathering
volatile data requires special technical skills.
• Image computer media using a write-blocking tool to ensure that no data is added to the
suspect device
• Establish and maintain the chain of custody
• Document everything that has been done
• Only use tools and methods that have been tested and evaluated to validate their accuracy
and reliability
Care should be taken that evidence does not go anywhere without being properly traced.
Things that can go wrong in storage include:
Sometimes evidence must be transported from place to place, either physically or over a
network. Care should be taken that the evidence is not changed while in transit. Analysis is
generally done on a copy of the real evidence; if there is any dispute over the copy, the
original can be produced in court.
A forensics specialist should ensure that he/she has proper legal authority to seize, copy and
examine the data. As a general rule, one should not examine digital information unless one
Many current attacks leave no trace on the computer’s hard drive; the attacker only exploits
the information in the computer’s main memory. Performing a forensic investigation on main
memory is called live analysis. Sometimes the decryption key is available only in RAM, and
turning off the system will erase it. The process of creating an exact duplicate of the original
evidence is called imaging. Some tools which can create entire hard drive images are:
• DCFLdd
• Iximager
• Guymager
The original drive is moved to secure storage to prevent tampering. The imaging process is
verified using SHA-1 or another hashing algorithm.
In digital forensics, only a few sequences of events might produce evidence, but the number of
possible sequences is very large. The digital evidence must be analyzed to determine the type
of information stored on it. Examples of forensics tools:
• Media analysis
• Media management analysis
• File system analysis
• Application analysis
• Network analysis
• Image analysis
• Video analysis
After the analysis is done, a report is generated. The report may be in oral form or in written
form or both. The report contains all the details about the evidence in analysis, interpretation,
and attribution steps. As a result of the findings in this phase, it should be possible to confirm
or discard the allegations. Some of the general elements in the report are:
7. Testifying
Experts with inadequate knowledge are sometimes chastised by the court. Precautions to be
taken when collecting digital evidence are:
• No action taken by law enforcement agencies or their agents should change the evidence.
• When a person needs to access the original data held on a computer, that person must be
competent to do so.
• An audit trail or other record of all processes applied to digital evidence should be created
and preserved.
• The person in charge of the investigation has overall responsibility for ensuring that the law
and these principles are adhered to.
Chain of Custody
The chain of custody is a chronological written record of the individuals who have had
custody of the evidence from its initial acquisition to its final disposition. A chain of custody
begins when evidence is collected and is maintained until the evidence is disposed of. The
chain of custody assumes continuous accountability.
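The hash check described under evidence collection and imaging, combined with the chain-of-custody record above, as an added example that is not from the original notes: it hashes a constructed evidence blob at acquisition, logs each custodian hand-over together with the hash they received, and reports a working copy that no longer matches the last recorded hash. The custodian names, timestamps and evidence bytes are constructed; SHA-256 is recorded alongside the SHA-1 the notes name, since SHA-1 is no longer collision resistant.

```python
"""Imaging verification and chain-of-custody record (constructed example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


def hash_evidence(data: bytes) -> dict[str, str]:
    """Hash with SHA-1, which the notes name, and SHA-256, which should be recorded too."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def image_and_verify(source: bytes) -> tuple[bytes, dict[str, str]]:
    """Bit-for-bit copy of the source, accepted only if source and image hash the same."""
    image = bytes(source)  # stands in for the output of an imaging tool
    expected, actual = hash_evidence(source), hash_evidence(image)
    if expected != actual:
        raise ValueError("image does not match source; re-acquire")
    return image, actual


@dataclass
class CustodyEntry:
    when: str        # ISO-8601 UTC timestamp, so entries sort chronologically
    custodian: str   # who held the evidence
    action: str      # what they did with it
    sha256: str      # hash of the evidence as they received it


def record(chain: list[CustodyEntry], when: datetime, custodian: str,
           action: str, evidence: bytes) -> list[CustodyEntry]:
    """Append an entry; every hand-over re-hashes the evidence it receives."""
    chain.append(CustodyEntry(when.astimezone(timezone.utc).isoformat(),
                              custodian, action, hash_evidence(evidence)["sha256"]))
    return chain


def verify_chain(chain: list[CustodyEntry], evidence: bytes) -> list[str]:
    """Return the problems found; an empty list means the chain is intact."""
    if not chain:
        return ["chain is empty"]
    problems: list[str] = []
    for prev, cur in zip(chain, chain[1:]):
        if cur.when < prev.when:
            problems.append(f"out-of-order timestamp at {cur.when}")
        if cur.sha256 != prev.sha256:
            problems.append(f"hash changed between {prev.custodian} and {cur.custodian}")
    if hash_evidence(evidence)["sha256"] != chain[-1].sha256:
        problems.append("evidence in hand does not match last recorded hash")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed walk-through: an intact chain, then the same chain with a tampered copy."""
    original = b"CONSTRUCTED-EVIDENCE:" + bytes(range(256)) * 4
    image, _ = image_and_verify(original)
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    chain: list[CustodyEntry] = []
    record(chain, t0, "Examiner A", "acquired image with write-blocker", image)
    record(chain, t0.replace(hour=11), "Evidence clerk", "stored in locker 3", image)
    record(chain, t0.replace(day=16), "Examiner B", "analysed working copy", image)
    intact = verify_chain(chain, image)
    # One flipped byte in the working copy: invisible to the eye, caught by the hash.
    tampered = image[:40] + bytes([image[40] ^ 0x01]) + image[41:]
    return intact, verify_chain(chain, tampered)


if __name__ == "__main__":
    ok, bad = demo()
    print("intact chain:", ok or "no problems")
    print("tampered copy:", bad)
```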
• Piracy
• Vandalism
• Credit card theft
• Theft of service
• Identity theft
• Manipulation of data
• Denial-of-service Attacks
• Scanning
• Footprinting & Reconnaissance
• Enumeration
• System Hacking
• Escalation of Privileges
• Covering Track
Technical Skills
1. Ethical hackers must have strong knowledge of all operating systems, such as Windows,
Linux, and Mac.
2. Ethical hackers should be skilled in networking and have a strong knowledge of basic and
detailed concepts in technologies, software, and hardware applications.
3. Ethical hackers must know all kinds of attacks.
Non-Technical Skills
1. Communication Skills
2. Learning Ability
3. Problem-solving skills
4. Proficient in the security policies
5. Awareness of laws, standards, and regulations.
Ethical hacking is a key component of risk evaluation, auditing, and counter-fraud. The
scope for ethical hackers is wide and it is one of the most rapidly growing careers at
present, as many malicious attackers pose a threat to businesses and their networks.
Industries like information technology and banking hire many ethical hackers to protect
their data and infrastructure. Also, in the coming years the demand for this profile is going
to be high compared to other profiles due to the increased threat from vulnerabilities.
Many attacks are financially motivated, with attackers stealing money from people and
organizations, or stealing data and personally identifiable information (PII) to then hold the
owner to ransom. The types of hackers that infiltrate a network are wide-ranging. They could
be disgruntled former employees, politically motivated organized groups, hacktivists,
professional hacking groups, or state-sponsored groups.
Cybersecurity attacks are launched using an attack vector. This could be through malware or
a phishing attack, which aims to steal user credentials and gain unauthorized access to
corporate data or resources. Social engineering is another way to launch an attack.
The attack surface is the total network area an attacker can use to launch cyber attack vectors
and extract data or gain access to an organization’s systems. Devices and people are part of
an organization’s attack surface because their vulnerabilities, such as weak passwords or
unpatched software, can be exploited by an attacker.
Hackers use multiple threat vectors to exploit vulnerable systems, attack devices and
networks, and steal data from individuals. There are two main types of hacker vector
attacks: passive attacks and active attacks.
Passive Attack
A passive attack occurs when an attacker monitors a system for open ports or vulnerabilities
to gain or gather information about their target. Passive attacks can be difficult to detect
because they do not involve altering data or system resources. Rather than cause damage to
an organization’s systems, the attacker threatens the confidentiality of their data.
Passive attack vectors include passive reconnaissance, which sees the attacker monitor an
organization’s systems for vulnerabilities without interacting with them through tools like
session capture, and active reconnaissance, where the attacker uses methods like port scans to
engage with target systems.
Active Attack
An active attack vector is one that sets out to disrupt or cause damage to an organization’s
system resources or affect their regular operations. This includes attackers launching attacks
against system vulnerabilities, such as denial-of-service (DoS) attacks, targeting users’ weak
passwords, or through malware and phishing attacks.
There are many types of attack vectors, with cyber criminals using many methods to target
large or small organizations from any industry, as well as individuals from nearly every
business level. Some of the most common threat vectors are listed below.
Compromised Credentials
Weak and compromised credentials are the most-used attack vector, as people continue to use
weak passwords to protect their online accounts and profiles. Compromised credentials occur
when information like usernames or passwords is exposed to a third party, such as mobile
apps and websites. This is frequently caused by victims of a phishing attempt revealing their
login details to an attacker by entering them on a spoofed website. Lost and stolen credentials
enable an intruder to access user accounts and corporate systems without detection, then
escalate their access level within a network.
Employees must use strong passwords and consider using a password manager to limit the
chances of an attacker stealing their credentials. To avoid the risk of compromised
credentials, organizations must move away from relying on passwords alone and deploy
multi-factor authentication (MFA) to verify users’ identities. Employee education is also vital
to ensuring users understand the security risks they face and the signs of a potential
cyberattack.
Malware
Malware is a term that describes various strands of malicious software, which include
ransomware, spyware, Trojans, and viruses. Cyber criminals use malware as a threat vector to
help them gain access to corporate networks and devices, then steal data or damage systems.
Phishing
Phishing is an email, Short Message Service (SMS), or telephone-based attack vector that
sees the attacker pose as a trusted sender to dupe the target into giving up sensitive data, such
as login credentials or banking details.
Organizations can protect their employees and customers from phishing attacks by using
spam filters, deploying MFA, ensuring software is patched and updated, and blocking
malicious websites. However, the best way to defend against phishing is to assume that every
email is part of a phishing attack. This also comes down to employee education and relies on
employees' awareness of common security risks, such as never clicking any link within an
email.
Insider Threats
Some security attacks come from inside the organization, through employees exposing
confidential information to attackers. While this can be accidental, malicious insiders expose
corporate data or vulnerabilities to third parties. These are often unhappy or disgruntled
employees with access to sensitive information and networks.
It can be difficult for organizations to spot malicious insiders, largely because they are
authorized users with legitimate access to corporate networks and systems. Therefore,
businesses should monitor network access for unusual activity or users accessing files or
systems they would not normally, which could be an indicator of insider risk.
Encryption is a technique that hides the true meaning of a message and protects digital data
by converting it into a code or ciphertext. This ensures that the data within a message cannot
be read by an unauthorized party, which helps prevent cyber criminals from stealing sensitive
information.
Missing, poor, or weak encryption leads to the transmission of sensitive data in plaintext.
This risks its exposure to unauthorized parties if intercepted or obtained through a brute-force
attack. To avoid this, users should use strong encryption methods, including Advanced
Encryption Standard (AES) or Rivest-Shamir-Adleman (RSA) encryption, and always ensure
sensitive information is encrypted while at rest, in processing, and in transit.
Organizations and users can avoid attacks on unpatched vulnerabilities by ensuring their
software, operating systems, and servers are patched. This means applying a software update
or fixing code in a program or server to remove the vulnerability. Regular patching by
software developers is the best strategy for mitigating potential attacks. To assist with this and
prevent any gaps that could present a vulnerability to an attacker, users should ensure
automatic software updates are enabled.
A DDoS attack occurs when an attacker overloads a server with internet traffic using multiple
machines, also known as a botnet. This prevents users from accessing services and can force
the organization’s site to crash.
A DDoS attack can be mitigated through the use of firewalls to filter and prevent malicious
traffic. Other defense tools include regular risk assessments, traffic differentiation to scatter
traffic and prevent a targeted attack, and rate-limiting to restrict the number of requests a
server can receive.
1. Reconnaissance
Reconnaissance, also known as the preparatory phase, is where the hacker gathers
information about a target before launching an attack; it is completed in phases prior to
exploiting system vulnerabilities. One of the first phases of reconnaissance is dumpster
diving. It is during this phase that the hacker finds valuable information such as old
passwords and names of important employees (such as the head of the network department),
and performs active reconnaissance to learn how the organization functions. As a next step,
the hacker completes a process called footprinting to collect data on the security posture,
narrows the focus area, for example by finding specific IP addresses, and identifies vulnerabilities
2. Scanning
In this phase, the hacker identifies a quick way to gain access to the network and looks for
information. There are three methods of scanning: pre-attack, port scanning/sniffing, and
information extraction. Each of these phases exposes a specific set of vulnerabilities that the
hacker can use to exploit the system's weaknesses. The pre-attack phase is where the hacker
scans the network for specific information based on the information gathered during
reconnaissance. The port scanning or sniffing phase is where scanning includes the use of
dialers, port scanners, vulnerability scanners, and other data-gathering equipment. The
information extraction phase is where the attackers collect information about ports, live
machines and OS details to launch an attack.
3. Gain Access
The hacker gains access to the system, applications, and network, and escalates their user
privileges to control the systems connected to it.
4. Maintain Access
Here, the hacker secures continued access to the organization’s systems, for instance through
rootkits and Trojans, and uses it to launch additional attacks on the network.
5. Cover Tracks
Once the hacker gains access, they cover their tracks to escape the security personnel. They
do this by clearing the cache and cookies, tampering with the log files, and closing all the
open ports. This step is important because it clears the system information, making the
hacking a great deal harder to track.
Footprinting
• Domain name
• IP Addresses
• Namespaces
• Employee information
• Phone numbers
• E-mails
• Job Information
In the following section, we will discuss how to extract the basic and easily accessible
information about any computer system or network that is linked to the Internet.
• IPR Issues
Yet another incident is the Blue Cross Blue Shield (BCBS) data breach: in October 2009,
the theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility put the
private information of approximately 500,000 customers at risk in at least 32 states.
The two lessons to be learnt from this are:
1. Physical security is very important.
2. Insider threats cannot be ignored.
The key challenges from emerging new information threats to organizations are as
follows:
1. Industrial espionage: There are several tools available for web administrators to monitor
and track the various pages and objects that are accessed on their website.
Confidential information leakage: “Insider attacks” are the worst ones. Typically, an
organization is protected from external threats by its firewall and antivirus solutions
The internal costs typically involve people costs, overhead costs and productivity losses. The
internal costs, in order from largest to lowest, as supported by the benchmark study mentioned,
are:
1. Detection costs (25%)
2. Recovery costs (21%)
3. Post-response costs (19%)
4. Investigation costs (14%)
5. Costs of escalation and incident management (12%)
6. Cost of containment (9%)
• The consequences of cybercrimes and their associated costs, as mentioned:
1. Information loss/data theft (42%)
2. Business disruption (22%)
3. Damage to equipment, plant and property (13%)
4. Loss of revenue and brand tarnishing (13%)
5. Other costs (10%)
• The impact on organizations of various cyber crimes:
1. Viruses, worms and Trojans: 100%
2. Malware: 80%
3. Botnets: 73%
4. Web-based attacks: 53%
5. Phishing and social engineering: 47%
6. Stolen devices: 36%
7. Malicious insiders: 29%
8. Malicious code: 27%
• Average days taken to resolve cyber attacks:
1. Attacks by malicious insiders: 42 days
2. Malicious code: 39 days
3. Web-based attacks: 19 days
4. Data lost due to stolen devices: 10 days
5. Phishing and social engineering attacks: 9 days
The most often quoted reasons by employees, for use of pirated software, are as
follows:
Following are the most typical reasons why organizations use social media marketing to promote
their products and services:
1. To be able to reach a larger target audience in a more spontaneous and instantaneous
manner without paying large advertising fees.
2. To increase traffic to their website coming from other social media websites by using Blogs
5. To collect potential customer profiles. Social media sites have information such as user
profile data, which can be used to target a specific set of users for advertising.
There are other tools too that organizations use; industry practices indicate the following:
1. Twitter is used with higher priority to reach out to maximum marketers in the technology
space and monitor the space.
2. The professional networking tool LinkedIn is used to connect with and create a community
of top executives from the Fortune 500.
3. Facebook as the social group or social community tool is used to drive more traffic to
Websense website and increase awareness about Websense.
4. YouTube (the video capability tool to run demonstrations of products/services, etc.) is used
to increase the brand awareness and create a presence for corporate videos.
5. Wikipedia is also used for brand building and driving traffic.