
Unit 4

4.1 Concepts of Cyber Security


− Cyber security is the practice of defending internet-connected devices and services
from malicious attacks by hackers, spammers, and cybercriminals.
− Cyber attacks are usually aimed at accessing, changing, or destroying sensitive
information; extorting money from users; or interrupting normal business processes.
Cyber security has been used as a catch-all term in the media to describe the
process of protection against every form of cybercrime, from identity theft to
international digital weapons.

4.1.1 Types of Threats


− Cyber terrorism. This threat is a politically-based attack on computers and
information technology to cause harm and create widespread social disruption.
− Malware. This threat encompasses ransomware, spyware, viruses, and worms. It
can install harmful software, block access to your computer resources, disrupt the
system, or covertly transmit information from your data storage.
− Trojans. Like the legendary Trojan horse of mythology, this attack tricks users into
thinking they're opening a harmless file. Instead, once the trojan is in place, it attacks
the system, typically establishing a backdoor that allows access to cybercriminals.
− Botnets. This especially hideous attack involves large-scale cyber attacks conducted
by remotely controlled malware-infected devices. Think of it as a string of computers
under the control of one coordinating cybercriminal. Worse, each compromised
computer itself becomes part of the botnet.
− Adware. This threat is a form of malware. It's often called advertisement-supported
software. The adware virus is a potentially unwanted program (PUP) installed
without your permission and automatically generates unwanted online
advertisements.
− SQL injection. A Structured Query Language (SQL) injection attack inserts malicious
SQL code into the queries that a server runs against its database.
− Phishing. Hackers use false communications, especially e-mail, to fool the recipient
into opening it and following instructions that typically ask for personal information.
Some phishing attacks also install malware.
− Man-in-the-middle attack. MITM attacks involve hackers inserting themselves into a
two-person online transaction. Once in, the hackers can filter and steal desired data.
MITM attacks often happen on unsecured public Wi-Fi networks.
− Denial of Service. DoS is a cyber attack that floods a network or computer with an
overwhelming amount of “handshake” processes, effectively overloading the system
and making it incapable of responding to user requests.

Asst. Prof. Nayna N Mistry(M.C.A,NET,GSET)


Sutex Bank College of Computer Applications and Science, Page 1

4.1.2 Advantages of Cyber Security


− Without solid cyber security defences, it would be easy to destroy modern-day
essentials like the power grids and water treatment facilities that keep the world
running smoothly.
− Simply put, cyber security is critically important because it helps to preserve the
lifestyles we have come to know and enjoy.
CIA Triad
− The security of any organization starts with three principles: Confidentiality, Integrity,
and Availability. This is called the CIA triad, which has served as the industry standard for
computer security since the time of the first mainframes.
− Confidentiality: The principle of confidentiality asserts that only authorized parties
can access sensitive information and functions. Example: military secrets.
− Integrity: The principle of integrity asserts that only authorized people and means
can alter, add, or remove sensitive information and functions. Example: a user
entering incorrect data into the database violates integrity.
− Availability: The principles of availability assert that systems, functions, and data
must be available on-demand according to agreed-upon parameters based on levels
of service.

4.2 Basic Terminologies:


4.2.1 IP Address, MAC Address
What is a MAC Address?
The term MAC address stands for Media Access Control Address. A MAC address is a
unique identifier assigned to a Network Interface Card/Controller (NIC). It is a 64-bit
or 48-bit address bound to the network adapter concerned. The MAC address is written
in hexadecimal format as six separate sets of two hexadecimal digits, separated from
each other by colons.

What is an IP Address?
The term IP Address stands for Internet Protocol Address. An IP address identifies a
network connection. It is also known as the logical address given to each individual
connection in the network. An IP address lets us understand and control the way in
which various devices communicate on the Internet. It also determines the specific
behaviour of the Internet routers that forward traffic to it.

Difference between MAC Address and IP Address


Parameters | MAC Address | IP Address
Full-Form | The term MAC address is an acronym for Media Access Control Address. | The term IP Address is an acronym for Internet Protocol Address.
Number of Bytes | It is a hexadecimal address of six bytes. | This address is either an eight-byte or a six-byte one.
Protocol Used for Retrieval | You can retrieve the MAC address of a device using the ARP protocol. | You can retrieve the IP address of a device using the RARP protocol.
Provider | The manufacturer of the NIC card provides a device with its MAC address. | An ISP (Internet Service Provider) provides a device's IP address.
Use | The primary use of a MAC address is to ensure the physical address of a given device/computer. | The IP address, on the other hand, defines a computer's logical address.
Operation | The MAC address primarily operates on the data link layer. | The IP address primarily operates on the network layer.
Alteration and Changes | This address does not alter or change with the passing of time and change of environment. | This address gets modified depending on the change in environment and time.
Third-Party Access | Any third party can find out a device's MAC address. | The IP address stays hidden from display in front of any third party.

4.2.2 Domain name Server (DNS)


− DNS stands for "Domain Name System". DNS is a protocol within the set of standards for
how computers exchange data on the internet and on many private networks, known
as the TCP/IP protocol suite.
− Its purpose is vital, as it converts easy-to-understand domain names like
"howstuffworks.com" into an Internet Protocol (IP) address, such as 70.42.251.42, that
computers use to identify each other on the network. It is, in short, a system of
matching names with numbers.
− Domain: There are various kinds of domain:
− Generic domain: .com (commercial), .edu (educational), .mil (military), .org (non-profit
organization), .net (similar to commercial); all of these are generic domains.
− Country domain: .in (India), .us, .uk.
− Inverse domain: used when we want to know the domain name of a website from its IP
address, i.e. IP-to-domain-name mapping. So DNS can provide both mappings; for example,
to find the IP address of geeksforgeeks.org we type nslookup www.geeksforgeeks.org.
− Organization of Domain:

How DNS works


DNS servers convert URLs and domain names into IP addresses that computers can
understand and use. They translate what a user types into a browser into something the
machine can use to find a webpage. This process of translation and lookup is called DNS
resolution.

The basic process of a DNS resolution follows these steps:

1. The user enters a web address or domain name into a browser.
2. The browser sends a message, called a recursive DNS query, to the network to find
out which IP or network address the domain corresponds to.
3. The query goes to a recursive DNS server, which is also called a recursive resolver,
and is usually managed by the internet service provider (ISP). If the recursive
resolver has the address, it will return the address to the user, and the webpage will
load.
4. If the recursive DNS server does not have an answer, it will query a series of other
servers in the following order: DNS root name servers, top-level domain (TLD) name
servers and authoritative name servers.

5. The three server types work together and continue redirecting until they retrieve a
DNS record that contains the queried IP address. It sends this information to the
recursive DNS server, and the webpage the user is looking for loads. DNS root name
servers and TLD servers primarily redirect queries and rarely provide the resolution
themselves.
6. The recursive server stores, or caches, the A record for the domain name, which
contains the IP address. The next time it receives a request for that domain name, it
can respond directly to the user instead of querying other servers.
7. If the query reaches the authoritative server and it cannot find the information, it
returns an error message.
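
The seven resolution steps above, simulated in Python as an added example that is not part of these notes: three tiny in-memory zones stand in for the root, the .org TLD and an authoritative server for a hypothetical example.org, and the resolver walks the referrals, caches the A record, and reports an error for a name the authoritative server does not know.

```python
"""Simulation of the recursive DNS resolution steps in the notes.

Added example, not code from the original notes. The zone data below is
constructed: three in-memory "servers" stand in for the root, the .org TLD
and the authoritative server of a hypothetical example.org zone.
"""
from typing import Optional

# Constructed zone data. Each server maps a name either to an A record (the
# answer) or to an NS referral naming the next server to ask.
ROOT_SERVER = {"org.": ("NS", "tld-org")}
TLD_ORG_SERVER = {"example.org.": ("NS", "auth-example")}
AUTH_EXAMPLE_SERVER = {
    "example.org.": ("A", "192.0.2.10"),        # RFC 5737 documentation range
    "www.example.org.": ("A", "192.0.2.11"),
}
SERVERS = {
    "root": ROOT_SERVER,
    "tld-org": TLD_ORG_SERVER,
    "auth-example": AUTH_EXAMPLE_SERVER,
}


def _suffixes(name: str):
    """Yield the name and its ever-shorter parents: www.example.org. -> example.org. -> org."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def ask(server_name: str, qname: str):
    """One iterative query to a single server.

    Returns ("A", ip) for an answer, ("NS", next_server) for a referral, or
    ("NXDOMAIN", None) when the server knows nothing about the name or its parents.
    """
    zone = SERVERS[server_name]
    if qname in zone:
        return zone[qname]
    for parent in _suffixes(qname):
        rec = zone.get(parent)
        if rec and rec[0] == "NS":
            return rec
    return ("NXDOMAIN", None)


class RecursiveResolver:
    """The ISP-side recursive resolver of steps 3 to 7: answers from cache when it
    can, otherwise walks root -> TLD -> authoritative and caches the A record."""

    def __init__(self):
        self.cache = {}     # name -> ip (the cached A record of step 6)
        self.trace = []     # servers contacted during the last resolve(), for the reader

    def resolve(self, name: str) -> Optional[str]:
        qname = name if name.endswith(".") else name + "."
        self.trace = []
        if qname in self.cache:                  # step 3: resolver already has the address
            self.trace.append("cache")
            return self.cache[qname]
        server = "root"                          # step 4: start at a root name server
        for _ in range(8):                       # bound the referral chain
            self.trace.append(server)
            rtype, value = ask(server, qname)
            if rtype == "A":                     # steps 5 and 6: answer found, cache it
                self.cache[qname] = value
                return value
            if rtype == "NS":                    # referral: continue at the next server
                server = value
                continue
            return None                          # step 7: authoritative server has no record
        return None


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.example.org"), r.trace)   # walks root, tld-org, auth-example
    print(r.resolve("www.example.org"), r.trace)   # second lookup answered from cache
    print(r.resolve("nope.example.org"), r.trace)  # no record: None
```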
4.2.3 DHCP, Router, Bots
DHCP:
− Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that
automatically provides an Internet Protocol (IP) host with its IP address and other
related configuration information such as the subnet mask and default gateway.
− RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF)
standard based on Bootstrap Protocol (BOOTP), a protocol with which DHCP shares
many implementation details. DHCP allows hosts to obtain required TCP/IP
configuration information from a DHCP server.

Why use DHCP?


− Every device on a TCP/IP-based network must have a unique unicast IP address to
access the network and its resources. Without DHCP, IP addresses for new
computers or computers that are moved from one subnet to another must be
configured manually; IP addresses for computers that are removed from the network
must be manually reclaimed.
− With DHCP, this entire process is automated and managed centrally. The DHCP
server maintains a pool of IP addresses and leases an address to any DHCP-enabled
client when it starts up on the network. Because the IP addresses are dynamic
(leased) rather than static (permanently assigned), addresses no longer in use are
automatically returned to the pool for reallocation.
− The network administrator establishes DHCP servers that maintain TCP/IP
configuration information and provide address configuration to DHCP-enabled
clients in the form of a lease offer. The DHCP server stores the configuration
information in a database.

Benefits of DHCP
− Reliable IP address configuration. DHCP minimizes configuration errors caused by
manual IP address configuration, such as typographical errors, or address conflicts
caused by the assignment of an IP address to more than one computer at the same
time.
− Reduced network administration. DHCP includes the following features to reduce
network administration:
  − Centralized and automated TCP/IP configuration.
  − The ability to define TCP/IP configurations from a central location.
  − The ability to assign a full range of additional TCP/IP configuration values by means
  of DHCP options.

  − The efficient handling of IP address changes for clients that must be updated
  frequently, such as those for portable devices that move to different locations on a
  wireless network.
  − The forwarding of initial DHCP messages by using a DHCP relay agent, which
  eliminates the need for a DHCP server on every subnet.

Routers:
− A device that forwards data packets (units of info) from one network to another.
− Based on routing tables (lists of addresses, permissions etc) and routing protocols,
routers read the network address in each transmission and make a decision on how
to send it based on the most expedient route (determined by traffic load, line costs,
speed, bad lines)
− Routers are used to segment networks to balance and filter traffic for security
purposes and policy management.
− They are also used at the edge of the network to connect remote offices.
− A router can only route a message that is transmitted by a routable protocol (e.g.
Internet Protocol).
− Routers have to inspect the network address in the protocol, so they process data and
thus add overhead.
− Most routers are specialized computers that are optimized for communications.
− Router functions can also be implemented by adding routing software to a file server
(e.g. Windows 2000 includes routing software).
− The operating system can then route from one network to another, if each network is
connected to its own network adapter (NIC) in the server.
Bots:
− An autonomous program on the internet or another network that can interact with
systems or users.
− A ‘bot’ – short for robot – is a software program that performs automated,
repetitive, pre-defined tasks. Bots typically imitate or replace human user behavior.
Because they are automated, they operate much faster than human users. They
carry out useful functions, such as customer service or indexing search engines, but
they can also come in the form of malware – used to gain total control over a
computer.
− Internet bots can also be referred to as spiders, crawlers, or web bots.
− Bots can be:
Chatbots
− Bots that simulate human conversation by responding to certain phrases with
programmed responses, for example Google Assistant.
Social bots
− Bots which operate on social media platforms, and are used to automatically
generate messages, advocate ideas, act as a follower of users, and as fake accounts
to gain followers themselves. As social networks become more sophisticated, it is
becoming harder for social bots to create fake accounts. It is difficult to identify
social bots because they can exhibit similar behavior to real users.
Shop bots

− Bots that shop around online to find the best price for products a user is looking for.
Some bots can observe a user’s patterns in navigating a website and then customize
that site for the user.
Spider bots or web crawlers
− Bots that scan content on webpages all over the internet to help Google and other
search engines understand how best to answer users’ search queries. Spiders
download HTML and other resources, such as CSS, JavaScript, and images, and use
them to process site content.
Malicious bots / Web scraping crawlers
− Malicious bots scrape content, spread spam content, or carry out credential stuffing
attacks. Web scraping crawlers are bots that read data from websites with the objective
of saving it offline and enabling its reuse. This may take the form of scraping the entire
content of web pages or scraping web content to obtain specific data points, such as
names and prices of products on e-commerce websites.
− In some cases, scraping is legitimate and may be allowed by website owners. In
other instances, bot operators may be violating website terms of use or stealing
sensitive or copyrighted material.
Knowbots
− Bots that collect knowledge for users by automatically visiting websites to retrieve
information which fulfils certain criteria.
Monitoring bots
− Bots used to monitor the health of a website or system. Downdetector.com is an
example of an independent site that provides real-time status information, including
outages, of websites and other kinds of services.
Transactional bots
− Bots used to complete transactions on behalf of humans. For example, transactional
bots allow customers to make a transaction within the context of a conversation.

Download bots
− Bots that are used to automatically download software or mobile apps. They can be
used to manipulate download statistics – for example, to gain more downloads on
popular app stores and help new apps appear at the top of the charts.
− They can also be used to attack download sites, creating fake downloads as part of a
Denial of Service (DoS) attack.
Ticketing bots
− Bots which automatically purchase tickets to popular events, with the aim of
reselling those tickets for a profit. This activity is illegal in many countries, and even
when not against the law, it can be a nuisance to event organizers, legitimate ticket
sellers, and consumers. Ticketing bots are often sophisticated, emulating the same
behaviors as human ticket buyers.
Why do cybercriminals use bots?
1. To steal financial and personal information
2. To attack legitimate web services
3. To extort money from victims
4. To make money from zombie and botnet systems

4.3 Common Types of Attacks:

A cyber attack is a malicious attempt by an organization or individual to breach a network
containing sensitive data of individuals or organizations. Attackers use a variety of different
methods to exploit their victims' networks. Here are some of the most common types of
cyber attacks:
− Brute force attack
− Advanced persistent threat (APT)
− Ransomware
− Denial-of-service (DoS) and distributed denial-of-service (DDoS)
− Phishing
− Credential stuffing
− Man-in-the-middle attack
− SQL injection
− Cross-site scripting (XSS)

4.3.1 Distributed Denial of Service


− DDoS stands for "Distributed Denial-of-Service". A DDoS attack is a cybercrime in
which the attacker floods a server with internet traffic to prevent users from
accessing connected online services and sites.
− Motivations for carrying out a DDoS vary widely, as do the types of individuals and
organizations eager to perpetrate this form of cyberattack. Some attacks are carried
out by disgruntled individuals and hacktivists wanting to take down a company's
servers simply to make a statement, have fun by exploiting cyber weakness, or
express disapproval.
− Other distributed denial-of-service attacks are financially motivated, such as a
competitor disrupting or shutting down another business's online operations to
steal business away in the meantime.

− Others involve extortion, in which perpetrators attack a company and install
hostageware or ransomware on their servers, then force them to pay a large
financial sum for the damage to be reversed.
− DDoS attacks are on the rise, and even some of the largest global companies are not
immune to being "DDoS'ed". The largest attack in history occurred in February 2020
against none other than Amazon Web Services (AWS), overtaking an earlier attack on
GitHub two years prior.
− DDoS ramifications include a drop in legitimate traffic, lost business, and reputation
damage.

− A DDoS attack aims to overwhelm the devices, services, and network of its intended
target with fake internet traffic, rendering them inaccessible to or useless for
legitimate users.
DoS vs. DDoS
− A distributed denial-of-service attack is a subcategory of the more general
denial-of-service (DoS) attack. In a DoS attack, the attacker uses a single internet
connection to barrage a target with fake requests or to try and exploit a
cybersecurity vulnerability.
− A DDoS attack is larger in scale. It utilizes thousands (even millions) of connected
devices to fulfil its goal.
Botnets
− Botnets are the primary way distributed denial-of-service-attacks are carried out.
The attacker will hack into computers or other devices and install a malicious piece
of code, or malware, called a bot. Together, the infected computers form a network
called a botnet. The attacker then instructs the botnet to overwhelm the victim's
servers and devices with more connection requests than they can handle.

Types of DDoS Attacks


Even though the end goal of a DDoS attack is always to overwhelm the system, the means
to achieve the goal can differ. Three broad types of DDoS attacks are as follows:
Volume-Based or Volumetric Attacks
− This type of attack aims to consume all available bandwidth between the victim and
the larger internet. Domain name system (DNS) amplification is an example of a
volume-based attack. In this scenario, the attacker spoofs the target's address, then
sends a DNS name lookup request to an open DNS server with the spoofed address.
− When the DNS server sends the DNS record response, it is sent instead to the target,
resulting in the target receiving an amplification of the attacker's initially small
query.

Protocol Attacks
− Protocol attacks look to exhaust the resources of a server or those of its networking
systems like firewalls, routing engines, or load balancers. An example of a protocol
attack is the SYN flood attack.

− Before two computers can initiate a secure communication channel, they must
perform a TCP handshake. A TCP handshake is a means for two parties to exchange
preliminary information. A SYN packet is typically the first step of the TCP
handshake, indicating to the server that the client wants to start a new channel.

− In a SYN flood attack, the attacker floods the server with numerous SYN packets,
each containing spoofed IP addresses. The server responds to each packet (via
SYN-ACKs), requesting the client to complete the handshake. However, the client(s)
never respond, and the server keeps waiting. Eventually, it crashes after waiting too
long for too many responses.


Application-Layer Attacks
− The application layer is where the server generates the response to an incoming
client request. For example, if a user enters http://www.xyz.com/learning/ in their
browser, an HTTP request is sent to the server, requesting the learning page. The
server will fetch all the information related to the page, package it in a response, and
send it back to the browser.

− This information fetching and packaging happens on the application layer. An
application layer attack occurs when a hacker uses different bots/machines to
repeatedly request the same resource from the server, eventually overwhelming it.

− The most common type of application layer attack is the HTTP flood attack, in
which malicious actors just keep sending various HTTP requests to a server using
different IP addresses. One example of this is asking a server to generate PDF
documents over and over again. Since the IP address and other identifiers change in
every request, the server can't detect that it's being attacked.
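
Detection logic for two of the DDoS patterns just described (a spoofed-source SYN flood and an HTTP flood whose source address changes every request), as an added example that is not part of these notes: it runs over constructed handshake events and access-log lines, and the record formats, addresses and thresholds are assumptions.

```python
"""Detection logic for two DDoS patterns in the notes: a spoofed-source SYN flood
and an HTTP flood. Added example, not code from the original notes; the record
formats, addresses and thresholds below are assumptions."""
import re
from collections import defaultdict

# Constructed TCP handshake events: (seconds, src_ip, dst_ip, step), where step is
# "SYN" (client asked to open a connection) or "ACK" (client completed the handshake).
TCP_EVENTS = [
    (0, "198.51.100.1", "192.0.2.10", "SYN"), (0, "198.51.100.1", "192.0.2.10", "ACK"),
    (1, "198.51.100.2", "192.0.2.10", "SYN"), (1, "198.51.100.2", "192.0.2.10", "ACK"),
]
# 300 SYNs from 300 different (spoofed) sources that never complete the handshake.
TCP_EVENTS += [(2, f"10.0.{i // 256}.{i % 256}", "192.0.2.10", "SYN") for i in range(300)]

# Constructed web server access log (common log format): a few normal requests, then
# 120 requests for the same expensive resource, each from a different address, as in
# the HTTP flood the notes describe.
ACCESS_LOG = [
    f'198.51.100.{1 + i % 2} - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /index.html HTTP/1.1" 200 1024'
    for i in range(6)
] + [
    f'203.0.113.{i + 1} - - [10/Oct/2023:13:56:{i % 60:02d} +0000] "GET /report.pdf HTTP/1.1" 200 51200'
    for i in range(120)
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def syn_flood_suspects(events, window_end=10, min_half_open=100):
    """Flag destinations with many half-open connections (a SYN with no later ACK from
    the same source) inside the observation window. Spoofed sources never answer the
    SYN-ACK, so the set of waiting sources keeps growing instead of draining."""
    half_open = defaultdict(set)
    for ts, src, dst, step in events:
        if ts > window_end:
            continue
        if step == "SYN":
            half_open[dst].add(src)
        elif step == "ACK":
            half_open[dst].discard(src)
    return {dst: len(srcs) for dst, srcs in half_open.items() if len(srcs) >= min_half_open}


def parse_access_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path,
            "status": int(status), "size": int(size)}


def http_flood_suspects(lines, min_requests=50, min_distinct_ratio=0.8):
    """Per-IP rate limits miss a flood whose source address changes every request, so
    aggregate per resource instead: flag a path requested at least min_requests times
    where nearly every request came from a different address."""
    ips_by_path = defaultdict(list)
    for line in lines:
        rec = parse_access_line(line)
        if rec:
            ips_by_path[rec["path"]].append(rec["ip"])
    suspects = {}
    for path, ips in ips_by_path.items():
        distinct = len(set(ips))
        if len(ips) >= min_requests and distinct / len(ips) >= min_distinct_ratio:
            suspects[path] = {"requests": len(ips), "distinct_ips": distinct}
    return suspects


if __name__ == "__main__":
    print("SYN flood suspects:", syn_flood_suspects(TCP_EVENTS))
    print("HTTP flood suspects:", http_flood_suspects(ACCESS_LOG))
```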


4.3.2 Man in the Middle, Email Attack
Man in the middle:
− Just as the name suggests, the man-in-the-middle is like an eavesdropper between
two sessions, where the communication between two parties is monitored and
intercepted. The goal of such an attack is to steal the financial or login information
of users.

Types of man-in-the-middle attacks:


- IP spoofing
- DNS spoofing
- HTTPS spoofing
- SSL hijacking
- Email hijacking
- Wi-Fi eavesdropping
- Stealing browser cookies
To help prevent man-in-the-middle attacks:
− Enable encryption on your router. If your modem and router can be accessed by
anyone off the street, they can use "sniffer" technology to see the information that
passes through it.
− Use strong credentials and two-factor authentication. Many router credentials are
never changed from the default username and password. If a hacker gets access to
your router administration, they can redirect all your traffic to their hacked servers.
− Log out of a secure application immediately when it is not in use.
− Use a VPN. A secure virtual private network (VPN) will help prevent man-in-the-
middle attacks by ensuring that all the servers you send data to are trusted.

Email attack:
An email attack uses email as the attack vector to steal the user's credentials and other
sensitive or personal data so that it can be leveraged for malicious intent.
Types of Email Attacks
1. Phishing
Phishing is a type of deception. Cybercriminals utilize email, instant messaging, and
other social media to impersonate a trusted individual to obtain information such as
login credentials. When a malicious party sends a false email that appears to be from a
legitimate, trustworthy source, it is known as phishing. The goal of the message is
to deceive the receiver into downloading malware or disclosing personal or financial
information.
Spear phishing is a form of phishing attack that is very specific in its approach. While
phishing and spear-phishing use emails to contact their victims, spear-phishing
delivers personalized emails to a single individual. Before sending the email, the
criminal researches the target's interests.
2. Vishing
It is a type of phishing that employs voice communication technologies. Using voice-
over IP technologies, criminals can fake calls from legitimate sources. Victims may
also get a recorded message that purports to be from an official source. Criminals
attempt to steal the victim's identity by obtaining credit card numbers or other
personal information. Vishing takes advantage of people's faith in the telephone
system.
3. Smishing
It is a sort of phishing that uses mobile phones to send text messages. To earn the
victim's trust, criminals imitate a legitimate source. A smishing attack might, for
example, send the victim a webpage URL. Malware is installed on the victim's phone
when they access the page.
4. Whaling
A phishing assault that targets high-profile targets within a business, such as senior
executives, is known as whaling. Politicians and celebrities are also possible targets.
5. Pharming
Pharming is the impersonation of a reputable website to dupe individuals to submit
their personal information. Pharming leads consumers to a phony website that
appears to be legitimate. Victims then provide their data under the impression that
they have reached a legitimate website.
6. Spyware
It is software that allows a criminal to collect data about a user's computer
activity. Activity trackers, keystroke collecting, and data capture are all standard
features of spyware. A spyware frequently adjusts its security settings in an attempt
to circumvent security measures. Spywares often come along with legitimate
applications or Trojan horses. Many shareware sites are infected with spyware.
7. Scareware
It is software that uses fear to encourage the user to execute a specified action.
Scareware creates pop-up windows that seem like those found in operating systems.
These windows display fake messages claiming that the system is in danger or
requires the execution of a specific program to resume regular operation. In
actuality, there are no issues, and malware infects the user's PC if they agree and
permit the indicated program to run.
8. Adware
Adware generates cash for its makers by displaying unpleasant pop-ups. By tracking
the pages visited, the malware may be able to determine the user's interests. It can
then send relevant pop-up advertisements to those websites. Adware is installed by
default in some software versions.
9. Spam
Unsolicited emails are referred to as spam (also known as junk mail). Spam is almost
always a form of advertising. Spam can contain hazardous links, viruses, or false
content. The ultimate goal is to collect sensitive data like a social security number
or bank account details. The majority of spam originates from numerous computers
connected to a network infected with a virus or worm. These infected computers
send out as many spam emails as they can.
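
The phishing pattern described above (a trusted-looking sender and link text that hide a different real address) can be checked mechanically. The following Python is an added example, not from these notes: it parses a constructed message with the standard library, and the trusted-sender table and the rules are assumptions rather than a complete filter.

```python
"""Heuristic phishing indicators for the pattern in the notes: a message whose
display name and link text impersonate a trusted source while the real sender and
link target point elsewhere. Added example, not code from the original notes; the
sample message, trusted-sender table and rules are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. Note the digit "1" in the sender's domain and the
# anchor text that shows a different site than the href actually opens.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.example>
Reply-To: collect@mail-drop.example
To: user@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body><p>Your account will be suspended unless you verify it at
<a href="http://examp1e-bank-login.example/verify">https://www.example-bank.example/login</a>
today.</p></body></html>
"""

# Assumed mapping of brand names to the domain they legitimately send from.
TRUSTED_SENDERS = {"Example Bank": "example-bank.example"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(address):
    """Lowercased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def html_body(msg):
    """First text/html part of the parsed message, decoded to str ('' if none)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def mismatched_links(html):
    """(href_host, text_host) pairs where the visible link text names a URL on a
    different host than the one the link really goes to."""
    pairs = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        text = re.sub(r"<[^>]+>", "", text).strip()
        if "://" in text or text.startswith("www."):
            text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if text_host and text_host != href_host:
                pairs.append((href_host, text_host))
    return pairs


def phishing_indicators(raw_message, trusted_senders=TRUSTED_SENDERS):
    """Return a list of human-readable indicators found in the message (empty = none)."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        indicators.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")
    for brand, domain in trusted_senders.items():
        if brand.lower() in display_name.lower() and from_domain != domain:
            indicators.append(f"display name claims {brand} but sender domain is {from_domain}")
    for href_host, text_host in mismatched_links(html_body(msg)):
        indicators.append(f"link text shows {text_host} but opens {href_host}")
    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("-", line)
```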
4.3.2 Password Attack, Malware
Password Attacks
− Because passwords are the most commonly used mechanism to authenticate users
to an information system, obtaining passwords is a common and effective attack
approach. Access to a person's password can be obtained by looking around the
person's desk, "sniffing" the connection to the network to acquire unencrypted
passwords, using social engineering, gaining access to a password database, or
outright guessing. The last approach can be done in either a random or systematic
manner:
− Brute-force password guessing means using a random approach by trying different
passwords and hoping that one works; some logic can be applied by trying passwords
related to the person's name, job title, hobbies or similar items.

− In a dictionary attack, a dictionary of common passwords is used to attempt to gain
access to a user's computer and network. One approach is to copy an encrypted file
that contains the passwords, apply the same encryption to a dictionary of
commonly used passwords, and compare the results.
− In order to protect yourself from dictionary or brute-force attacks, you need to
implement an account lockout policy that will lock the account after a few invalid
password attempts. You can follow these account lockout best practices in order to
set it up correctly.

Preventing Password Attacks


The best way to fix a password attack is to avoid one in the first place. Ask your IT
professional about proactively investing in a common security policy that includes:

− Multi-factor authentication. Using a physical token (like a Yubikey) or a personal
device (like a mobile phone) to authenticate users ensures that passwords are not
the sole gate to access.
− Remote access. Using a smart remote access platform like OneLogin means that
individual websites are no longer the source of user trust. Instead, OneLogin ensures
that the user's identity is confirmed, then logs them in.
− Biometrics. A malicious actor will find it very difficult to replicate your fingerprint or
facial shape. Enabling biometric authentication turns your password into only one of
several points of trust that a hacker needs to overcome.
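
As an added example (not from these notes), the following Python shows the defensive side of the dictionary, brute-force and lockout points above: per-user salted PBKDF2 hashing so a dictionary hashed once cannot be compared against the whole password file, constant-time comparison, and an account lockout policy. User names, thresholds and the iteration count are assumptions.

```python
"""Defensive counterpart of the password attacks in the notes: salted, slow password
hashing plus an account lockout policy against online guessing. Added example, not
code from the original notes; user names, policy values and the iteration count
are assumptions."""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000      # PBKDF2 work factor (assumed; raise it as hardware allows)
MAX_FAILURES = 5          # assumed lockout policy: this many consecutive bad attempts ...
LOCKOUT_SECONDS = 900     # ... lock the account for 15 minutes


def unsalted_digest(password):
    """What the naive scheme in the notes stores: the same password always yields the
    same digest, so one hashed dictionary can be compared against every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, salt=None):
    """Stored form: random 16-byte salt plus PBKDF2-HMAC-SHA256 of the password.
    Two users with the same password get different digests, defeating a shared table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(record, password):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


DUMMY_RECORD = make_record("dummy-password-for-unknown-users")


class AccountStore:
    """Minimal user database with the account lockout policy the notes recommend."""

    def __init__(self, clock=time.time):
        self.users = {}        # name -> record
        self.failures = {}     # name -> (consecutive failures, time of last failure)
        self.clock = clock     # injectable so the lockout window can be tested

    def add_user(self, name, password):
        self.users[name] = make_record(password)

    def is_locked(self, name):
        count, last = self.failures.get(name, (0, 0.0))
        return count >= MAX_FAILURES and self.clock() - last < LOCKOUT_SECONDS

    def login(self, name, password):
        """Return 'ok', 'denied' or 'locked'. Unknown users go through a dummy
        verification so response time does not reveal which names exist."""
        if self.is_locked(name):
            return "locked"
        if self.failures.get(name, (0, 0.0))[0] >= MAX_FAILURES:
            self.failures.pop(name, None)            # a previous lockout has expired
        record = self.users.get(name)
        ok = verify_password(record if record else DUMMY_RECORD, password) and record is not None
        if ok:
            self.failures.pop(name, None)
            return "ok"
        count, _ = self.failures.get(name, (0, 0.0))
        self.failures[name] = (count + 1, self.clock())
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("alice", "correct horse battery staple")
    print([store.login("alice", "password123") for _ in range(MAX_FAILURES)])
    print(store.login("alice", "correct horse battery staple"))   # locked despite the right password
```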

Malware:
Malware is intrusive software that is designed to damage and destroy computers and
computer systems. Malware is a contraction for “malicious software.” Examples of common
malware include viruses, worms, Trojan viruses, spyware, adware, and ransomware.

Types of Malware Attacks


Most malware types can be classified into one of the following categories:
− Virus: When a computer virus is executed, it can replicate itself by modifying other
programs and inserting its malicious code. It is the only type of malware that can
“infect” other files and is one of the most difficult types of malware to remove.
− Worm: A worm has the power to self-replicate without end-user involvement and
can infect entire networks quickly by moving from one machine to another.
− Trojan: Trojan malware disguises itself as a legitimate program, making it one of the
most difficult types of malware to detect. This type of malware contains malicious
code and instructions that, once executed by the victim, can operate under the
radar. It is often used to let other types of malware into the system.
− Hybrid malware: Modern malware is often a “hybrid” or combination of malicious
software types. For example, “bots” first appear as Trojans then, once executed, act
as worms. They are frequently used to target individual users as part of a larger
network-wide cyber attack.
− Adware: Adware serves unwanted and aggressive advertising (e.g., pop-up ads) to
the end-user.
− Malvertising: Malvertising uses legitimate ads to deliver malware to end-user
machines.

Asst. Prof. Nayna N Mistry(M.C.A,NET,GSET)


Sutex bank college of computer applications and sciencePage 14
Unit 4

− Spyware: Spyware spies on the unsuspecting end-user, collecting credentials and
passwords, browsing history and more.
− Ransomware: Ransomware infects machines, encrypts files and holds the decryption key
needed to recover them for ransom until the victim pays. Ransomware attacks targeting
enterprises and government entities are on the rise, costing organizations millions as
some pay off the attackers to restore vital systems. CryptoLocker, Petya and Locky are
some of the most common and notorious families of ransomware.
− Over the years, malware has been observed to use a variety of different delivery
mechanisms, or attack vectors. While a few are admittedly academic, many attack
vectors are effective at compromising their targets. These attack vectors generally
arrive over electronic communications such as email, text messages, a vulnerable
network service or a compromised website, but malware delivery can also be achieved
via physical media (e.g. USB thumb drive, CD/DVD, etc.).
Prevention:
Typically, businesses focus on preventative tools to stop breaches. By securing the
perimeter, businesses assume they are safe. Some advanced malware, however, will
eventually make its way into your network. As a result, it is crucial to deploy
technologies that continually monitor for and detect malware that has evaded perimeter
defenses. Adequate advanced malware protection requires multiple layers of safeguards
along with high-level network visibility and intelligence.

How to Prevent Malware Attacks

To strengthen malware protection and detection without negatively impacting business
productivity, organizations often take the following steps:
− Use anti-virus tools to protect against common and known malware.
− Utilize endpoint detection and response technology to continuously monitor and
respond to malware attacks and other cyber threats on end-user machines.
− Follow application and Operating System (OS) patching best practices.
− Implement the principle of least privilege and just-in-time access to elevate account
privileges for specific authorized tasks to keep users productive without providing
unnecessary privileges.
− Remove local administrator rights from standard user accounts to reduce the attack
surface.
− Apply application grey listing on user endpoints to prevent unknown applications,
such as new ransomware instances, from accessing the Internet and gaining the
read, write and modify permissions needed to encrypt files.
− Apply application whitelisting on servers to maximize the security of these assets.
− Frequently and automatically backup data from endpoints and servers to allow for
effective disaster recovery.

4.4 Hackers:
4.4.1 Various Vulnerabilities:
What is Vulnerability in Cyber Security?
Vulnerability in cyber security refers to any weakness in an information system, system
processes, or internal controls of an organization. These vulnerabilities are targets for
cybercriminals and are open to exploitation at the points of weakness. Through them,
attackers are able to gain illegal access to systems and cause severe damage to data
privacy. Therefore, it is extremely important to monitor cyber security vulnerabilities
as part of the overall security posture, since gaps in a network can result in a
full-scale breach of systems across an organization.
Examples of Vulnerabilities
Below are some examples of vulnerability:
− A weakness in a firewall that can lead to malicious hackers getting into a computer
network
− Lack of security cameras
− Unlocked doors at businesses

Types of Vulnerabilities
Below are some of the most common types of cybersecurity vulnerabilities:
− System Misconfigurations
Network assets that have disparate security controls or vulnerable settings can
result in system misconfigurations. Cybercriminals commonly probe networks for
system misconfigurations and gaps that look exploitable. Due to the rapid digital
transformation, network misconfigurations are on the rise. Therefore, it is important
to work with experienced security experts during the implementation of new
technologies.
− Out-of-date or Unpatched Software
Similar to system misconfigurations, hackers tend to probe networks for unpatched
systems that are easy targets. These unpatched vulnerabilities can be exploited by
attackers to steal sensitive information. To minimize these kinds of risks, it is
essential to establish a patch management schedule so that all the latest system
patches are implemented as soon as they are released.
− Missing or Weak Authorization Credentials
A common tactic that attackers use is to gain access to systems and networks
through brute force like guessing employee credentials. That is why it is crucial that
employees be educated on the best practices of cybersecurity so that their login
credentials are not easily exploited.
− Malicious Insider Threats
Whether it’s with malicious intent or unintentionally, employees with access to
critical systems sometimes end up sharing information that helps cyber criminals
breach the network. Insider threats can be really difficult to trace as all actions will
appear legitimate. To help fight against these types of threats, one should invest in
network access control solutions, and segment the network according to employee
seniority and expertise.
− Missing or Poor Data Encryption
It's easier for attackers to intercept communication between systems and breach a
network if it has poor or missing encryption. When information is poorly encrypted
or unencrypted, cyber adversaries can extract critical information and inject false
information onto a server. This can seriously undermine an organization's efforts
toward cyber security compliance and lead to fines from regulatory bodies.
− Zero-day Vulnerabilities
Zero-day vulnerabilities are software vulnerabilities that attackers have caught wind
of but that have not yet been discovered by the organization or user. In these cases
there are no available fixes or solutions, since the vulnerability has not yet been
detected by, or reported to, the system vendor. They are especially dangerous because
there is no defense against such vulnerabilities until after the attack has happened.
Hence, it is important to remain cautious and continuously monitor systems for
vulnerabilities to minimize zero-day attacks.

Vulnerability Remediation
− To always be one step ahead of malicious attacks, security professionals need to
have a process in place for monitoring and managing known vulnerabilities. Once a
time-consuming and tedious manual job, tracking an organization's software inventory
can now be done continuously with automated tools, which match the inventory against
security advisories, issue trackers and vulnerability databases.
− If the tracking results show that the services and products are relying on risky code,
the vulnerable component needs to be located and mitigated effectively and
efficiently.
− The following remediation steps may seem simple, but without them, organizations
may find themselves in a bit of difficulty when fighting against hackers.
− Step 1: Know Your Code – Knowing what you're working with is crucial and the first
step of vulnerability remediation. Continuously monitoring the software inventory,
so that you know which components are in use and which need immediate attention,
goes a long way toward preventing malicious attacks.
− Step 2: Prioritize Your Vulnerabilities – Organizations need to have prioritization
policies in place. The risk of the vulnerabilities needs to be evaluated first by going
through the system configuration, the likelihood of an occurrence, its impact, and
the security measures that are in place.
− Step 3: Fix – Once the security vulnerabilities that require immediate attention are
known, it is time to map out a timeline and work plan for the fix.

4.4.1.1 Injection attacks, Changes in security settings

Injection attack
This type of attack allows an attacker to inject code into a program or query or inject
malware onto a computer in order to execute remote commands that can read or modify a
database, or change data on a web site.

Types of Injection Attacks

− Code injection: The attacker injects application code written in the application
language. This code may be used to execute operating system commands with the
privileges of the user who is running the web application. In advanced cases, the
attacker may use additional privilege escalation vulnerabilities, which may lead to
full web server compromise.
Potential impact: Full system compromise.
− CRLF injection: The attacker injects an unexpected CRLF (Carriage Return and Line
Feed) character sequence. This sequence is used to split an HTTP response header and
write arbitrary contents to the response body. This attack may be combined with
Cross-site Scripting (XSS).
Potential impact: Cross-site Scripting (XSS).
− Cross-site Scripting (XSS): The attacker injects an arbitrary script (usually in
JavaScript) into a legitimate website or web application. This script is then
executed inside the victim's browser.
Potential impact: Account impersonation; Defacement; Run arbitrary JavaScript in the
victim's browser.
− Email Header Injection: This attack is very similar to CRLF injections. The attacker
sends IMAP/SMTP commands to a mail server that is not directly available via a web
application.
Potential impact: Spam relay; Information disclosure.
− Host Header Injection: The attacker abuses the implicit trust of the HTTP Host header
to poison password-reset functionality and web caches.
Potential impact: Password-reset poisoning; Cache poisoning.
− SQL Injection (SQLi): The attacker injects SQL statements that can read or modify
database data. In the case of advanced SQL Injection attacks, the attacker can use
SQL commands to write arbitrary files to the server and even execute OS commands.
This may lead to full system compromise.
Potential impact: Authentication bypass; Information disclosure; Data loss; Sensitive
data theft; Loss of data integrity; Denial of service; Full system compromise.
− OS Command Injection: The attacker injects operating system commands with the
privileges of the user who is running the web application. In advanced cases, the
attacker may exploit additional privilege escalation vulnerabilities, which may lead
to full system compromise.
Potential impact: Full system compromise.

Changes in security settings:
− Security misconfiguration is the lack of proper security in a server or web app,
opening up your business to cyber threats.
− This kind of misconfiguration runs rampant, commonly occurring when some levels of
the application stack are upgraded while others are left untouched, so that default
settings with known weaknesses go unaddressed. Common examples include:
− Running an application with debug enabled in production
− Having directory listing (which leaks valuable information) enabled on the server
− Running outdated software (think WordPress plugins, old phpMyAdmin)
− Running unnecessary services
− Not changing default keys and passwords (which happens more frequently than
you'd believe)
− Revealing error handling information (e.g., stack traces) to potential attackers
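An audit of the settings listed above, as an added example that is not from these notes: a constructed application configuration carrying each weak setting, the checks that flag them, and the corrected counterpart. The configuration keys, the default-credential list and the minimum-version table are assumptions made for the illustration.

```python
import copy

# Constructed configuration of a web application deployed to production,
# deliberately carrying each misconfiguration from the list above.
WEAK_CONFIG = {
    "environment": "production",
    "debug": True,
    "directory_listing": True,
    "verbose_errors": True,         # stack traces sent to the client
    "admin_user": "admin",
    "admin_password": "admin",      # vendor default never changed
    "services": ["https", "ftp", "telnet"],
    "components": {"phpmyadmin": "4.8.0"},
}

REQUIRED_SERVICES = {"https"}
# Assumed placeholders: vendor defaults and the oldest supported versions.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
MINIMUM_VERSIONS = {"phpmyadmin": "5.2.0"}

def version_tuple(version):
    """'4.8.0' -> (4, 8, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def audit(config):
    """Returns (setting, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    if config.get("environment") == "production" and config.get("debug"):
        findings.append(("debug", "debug mode enabled in production"))
    if config.get("directory_listing"):
        findings.append(("directory_listing", "directory listing exposes file layout"))
    if config.get("verbose_errors"):
        findings.append(("verbose_errors", "stack traces revealed to clients"))
    if (config.get("admin_user"), config.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append(("admin_password", "default credentials unchanged"))
    extra = set(config.get("services", [])) - REQUIRED_SERVICES
    if extra:
        findings.append(("services", "unnecessary services: " + ", ".join(sorted(extra))))
    for name, version in config.get("components", {}).items():
        floor = MINIMUM_VERSIONS.get(name)
        if floor and version_tuple(version) < version_tuple(floor):
            findings.append(("components", f"{name} {version} is below supported {floor}"))
    return findings

def harden(config, new_admin_password):
    """Returns a copy with each weak setting replaced by its safe counterpart.
    Outdated components are deliberately left alone: upgrading software is a
    deployment task, not a settings change, so audit() keeps reporting them."""
    fixed = copy.deepcopy(config)
    fixed["debug"] = False
    fixed["directory_listing"] = False
    fixed["verbose_errors"] = False
    fixed["admin_password"] = new_admin_password
    fixed["services"] = sorted(set(fixed.get("services", [])) & REQUIRED_SERVICES)
    return fixed
```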
4.4.1.2 Exposure of Sensitive Data
− Sensitive data is any data that must not be accessible to unauthorized parties.
Sensitive data may include personally identifiable information (PII), such as Social
Security numbers, financial information, or login credentials.
− Sensitive Data Exposure occurs when an organization unknowingly exposes
sensitive data or when a security incident leads to the accidental or unlawful
destruction, loss, alteration, or unauthorized disclosure of, or access to sensitive
data.
− Such Data exposure may occur as a result of inadequate protection of a database,
misconfigurations when bringing up new instances of data stores, inappropriate
usage of data systems, and more.
Sensitive Data Exposure can be of the following three types:
Confidentiality Breach: where there is unauthorized or accidental disclosure of, or
access to, sensitive data.
Integrity Breach: where there is an unauthorized or accidental alteration of sensitive
data.
Availability Breach: where there is an unauthorized or accidental loss of access to, or
destruction of, sensitive data. This will include both the permanent and temporary
loss of sensitive data.
How Sensitive Data is Exposed
− Most cyberattacks initially target vulnerabilities that expose sensitive data to gain a
further foothold of the application stack. Several threats expose this information,
whether it is on the move or at rest.
Sensitive Data at Rest
A web application typically stores data in servers, files, databases, archives,
networks, and other applications. The security of this data depends on the controls
put in place to protect these components. Numerous attacks target unaddressed
vulnerabilities in these components to access sensitive data. For instance, hackers
can use Trojan Horses or Malicious Payloads to access system data via unauthorized
downloads without a robust detection mechanism.
Sensitive Data in Transit
While data is moving between different services and applications, it remains
vulnerable to attack vectors. Man-in-the-Middle (MITM) attacks are typically geared
toward intercepting data moving between servers, channels, and APIs. It is
important to secure channels that transmit data within the organization's network,
as these attackers could impersonate parties to access more sensitive data.
4.4.1.3 Breach in authentication protocol
− A security breach is any incident that results in unauthorized access to computer
data, applications, networks or devices. It results in information being accessed
without authorization. Typically, it occurs when an intruder is able to bypass security
mechanisms.
Types of security breaches
− There are a number of types of security breaches depending on how access has been
gained to the system:
− An exploit attacks a system vulnerability, such as an out-of-date operating system.
Legacy systems that haven't been updated, for instance businesses still running
versions of Microsoft Windows that are no longer supported, are particularly
vulnerable to exploits.
− Weak passwords can be cracked or guessed. Even now, some people are still using
the password 'password', and 'pa$$word' is not much more secure.
− Malware attacks, such as phishing emails, can be used to gain entry. It only takes one
employee to click on a link in a phishing email to allow malicious software to start
spreading throughout the network.
− Drive-by downloads use viruses or malware delivered through a compromised or
spoofed website.
− Social engineering can also be used to gain access. For instance, an intruder phones
an employee claiming to be from the company's IT helpdesk and asks for the
password in order to 'fix' the computer.
− An authentication protocol is a type of computer communications protocol or
cryptographic protocol specifically designed for transfer of authentication data
between two entities.
− It allows the receiving entity to authenticate the connecting entity (e.g. a client
connecting to a server) as well as to authenticate itself to the connecting entity
(server to client) by declaring the type of information needed for authentication as
well as its syntax. It is the most important layer of protection needed for secure
communication within computer networks.

Authentication protocols developed for PPP (Point-to-Point Protocol)

PAP - Password Authentication Protocol
− Password Authentication Protocol is one of the oldest authentication protocols.
Authentication is initialized by the client sending a packet with credentials
(username and password) at the beginning of the connection, with the client
repeating the authentication request until an acknowledgement is received.
− It is highly insecure because credentials are sent "in the clear" and repeatedly,
making it vulnerable even to the most simple attacks like eavesdropping and
man-in-the-middle based attacks.
CHAP - Challenge-Handshake Authentication Protocol
− The authentication process in this protocol is always initialized by the server/host
and can be performed anytime during the session, even repeatedly. The server sends a
random string (usually 128B long). The client uses the password and the string
received as parameters for the MD5 hash function and then sends the result together
with the username in plain text.
− The server uses the username to look up its own copy of the password, applies the
same function and compares the calculated and received hash; authentication succeeds
only if they match.
EAP - Extensible Authentication Protocol
− EAP was originally developed for PPP (Point-to-Point Protocol) but today is widely
used in IEEE 802.3, IEEE 802.11 (WiFi) or IEEE 802.16 as a part of the IEEE 802.1x
authentication framework.
− The latest version is standardized in RFC 5247. The advantage of EAP is that it
is only a general authentication framework for client-server authentication; the
specific way of authentication is defined in its many versions called EAP methods.
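The PAP and CHAP exchanges described above, as an added example that is not part of these notes, with both peers' messages and what a passive eavesdropper on the link learns from each. The CHAP response follows RFC 1994, MD5(identifier || secret || challenge), which adds the 1-byte packet identifier to the hash the notes describe; the shared secret, username and 16-byte challenge length are assumptions for the illustration.

```python
import hashlib
import hmac
import os

# Constructed shared secret; with PPP both peers are provisioned with it out of band.
USERNAME = "alice"
SECRET = b"correct horse battery staple"
SECRETS = {USERNAME: SECRET}   # the server's table of per-user secrets

# --- PAP: the client sends the credentials themselves --------------------
def pap_client_packet(username, password):
    """What a PAP client puts on the link: username and password, unencrypted."""
    return {"username": username, "password": password}

def pap_server_check(packet, expected_password):
    """The server simply compares the received password with the stored one."""
    return packet["password"] == expected_password

def pap_eavesdropper_reads(packet):
    """Every field of a PAP packet is plaintext, so a sniffer reads the password."""
    return packet["password"]

# --- CHAP: the secret never travels over the link -------------------------
def chap_server_challenge(length=16):
    """The server opens the exchange with a fresh random challenge. The notes
    quote 128 bytes; 16 random bytes keep the example short."""
    return os.urandom(length)

def chap_response(ident, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_client_packet(ident, username, secret, challenge):
    """What the CHAP client sends: the hash plus the username in plain text."""
    return {"id": ident, "username": username,
            "response": chap_response(ident, secret, challenge)}

def chap_server_check(packet, challenge, secrets):
    """The server uses the username to find its copy of the secret, recomputes
    the hash for the challenge it issued and compares in constant time."""
    secret = secrets.get(packet["username"])
    if secret is None:
        return False
    expected = chap_response(packet["id"], secret, challenge)
    return hmac.compare_digest(expected, packet["response"])

def chap_replay_succeeds(captured_packet, secrets):
    """Why CHAP resists eavesdropping: a packet captured from one session is
    checked against the next session's new challenge, so it does not verify."""
    return chap_server_check(captured_packet, chap_server_challenge(), secrets)

def run_chap_session(secrets=SECRETS, username=USERNAME, ident=1):
    """One complete CHAP exchange; returns (accepted, challenge, client packet)."""
    challenge = chap_server_challenge()                           # server -> client
    packet = chap_client_packet(ident, username, secrets[username], challenge)
    return chap_server_check(packet, challenge, secrets), challenge, packet
```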

4.4.2 Types of Hackers: White hat and Black hat

− A Hacker is a person who is intensely interested in the mysterious workings of any
computer operating system. Hackers are most often programmers. They gather
advanced knowledge of operating systems and programming languages and discover
loopholes within systems and the reasons for such loopholes.
− Hackers can be classified into three different categories:
Black Hat Hacker
− Black hat hackers are also known as Unethical Hackers or Security Crackers. These
people hack the system illegally to steal money or to achieve their own illegal
goals. They find banks or other companies with weak security and steal money or
credit card information. They can also modify or destroy the data as well. Black
hat hacking is illegal.
White Hat Hacker
− White hat hackers are also known as Ethical Hackers or Penetration Testers. White
hat hackers are the good guys of the hacker world.
− These people use the same techniques used by the black hat hackers. They also hack
the system, but they may only hack systems that they have permission to hack, in
order to test the security of the system. They focus on security and protecting IT
systems. White hat hacking is legal.
Gray Hat Hacker
− Gray hat hackers are a hybrid between black hat hackers and white hat hackers.
They may hack a system even if they don't have permission to test its security,
but they will not steal money or damage the system.
− In most cases, they tell the administrator of that system. But they are also acting
illegally, because they test the security of a system that they do not have
permission to test. Grey hat hacking is therefore sometimes legal and sometimes not.
