
Cyber Security Cohort 6

Week 4 Assignment
Q.1 What are containers in computing? How does Docker work? Explain in detail.
Ans. Container: A container is a unit of software that packages an application together with all
the elements and dependencies it needs to run in any environment. It provides a portable and
consistent environment in which applications and their dependencies run reliably. Developers
use containers to create, test and deploy applications.

Docker working: Docker is a platform used to write, run, execute and debug code. Its working is
explained below:

1. First of all, a Docker image is created by the developers. It is a read-only template that
consists of the code, libraries and all other dependencies of the application. A Docker image
is created from scratch or from a base image. It is a lightweight and portable package that
can be shared across different platforms and environments.
2. A Docker container is created from the image. It provides an isolated environment for the
application to run in. It can be connected to networks and have storage attached to it.
3. The Docker CLI (Command Line Interface) is used to manage Docker containers. It performs
operations such as starting and stopping containers. Depending on requirements, Docker
containers can be scaled up or down.
4. Docker containers can be connected and communicate with each other with the help of
Docker networking. They can exchange data and share resources with each other.
5. A Docker container uses a Docker volume to store data and to share it with multiple
containers.
6. A Docker Registry is used to store and share Docker images. These images can easily be
accessed and downloaded by other developers.

With the help of Docker's methodologies, developers can quickly write, test, deploy and
debug code. Developers can develop code locally and share it globally using Docker
containers.

Q.2 What is a VM Escape attack and how do malware or attackers utilize it?

ANS. VM Escape Attack: In this type of attack, attackers gain access to a virtual machine
and through it try to take control of the host operating system. Virtual machines on a host
operating system are kept isolated from each other, but by using VM escape, attackers can
break this isolation and take control of the host operating system.

Attackers can use a VM Escape attack to access sensitive data and resources of the host system.
Malware can use this technique to hide its presence on a compromised system. The attack is
performed by exploiting vulnerabilities present in the virtual machine or in the host operating
system. Attackers can use other techniques such as buffer overflow attacks or race conditions to
gain access to the virtual machine, and then use VM Escape to carry out further attacks. Viruses
may spread between a VM and the host operating system while sharing data, without being noticed.

To avoid VM Escape attacks, both the virtual machine and the host operating system should use
the latest security patches and updates. Virtual machines should be kept isolated from each other
and from the host operating system to protect sensitive data. Ideally, a VM should be run from a
bootable USB device. Additionally, keep an eye on any suspicious activity that may indicate a
VM escape attack.

Q.3 What is EDR? How does it work? Install any open source EDR in your system
(Virtual Machine), check its behavior and provide a screenshot.
Ans. EDR: EDR stands for Endpoint Detection and Response. It is an endpoint security solution
used to continuously monitor, detect and respond to cyber threats like ransomware or
malware.
An EDR uses machine learning and behavioral analysis to continuously monitor and analyze
the activities being performed in the network and to flag suspicious network connections, file
system activity, registry changes and other endpoint changes. In case of a security incident,
the EDR sends an alert to security personnel, who can investigate and take further action to
mitigate the threat. Some EDRs can automatically respond to threats and take actions such as
removing or isolating infected endpoints to prevent further spread of the threat. It is a very
important technology for detecting and responding to endpoint cyber security threats.

Q.4 What is file-less malware and how does it avoid antivirus detection?
Ans. File-less Malware: It doesn't require the creation of a file to infect the computer; instead
it uses legitimate programs to perform its malicious functions. It carries out its malicious
activities from computer memory instead of the hard disk, so it is often very difficult to detect.
Because this type of malware resides in memory and requires no file, antivirus software often
can't detect it.
File-less malware takes advantage of vulnerabilities present in antivirus, firewall or other
security software to hide itself. It uses code obfuscation, which makes it difficult for antivirus
software to detect. It uses anti-analysis techniques to avoid being analyzed by security
researchers.
It uses scripts such as JavaScript to download and execute malicious code, so it is very
difficult for antivirus software to distinguish between legitimate and malicious activities.
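The behavioral monitoring described in Q.3 and the script-based, memory-only behaviour described in Q.4 can be illustrated with a small EDR-style rule engine. This is an added example written for this page, not code from any EDR product; the telemetry events, process ids, images and addresses are constructed, and the rule weights and alert threshold are arbitrary assumptions.

```python
import base64
import re
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED_ARG = re.compile(r"[A-Za-z0-9+/=]{40,}")   # long base64-looking token
ALERT_THRESHOLD = 50                                  # arbitrary assumption

# Constructed telemetry (hypothetical pids, images and addresses) shaped like EDR sensor events.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 401, "image": "winword.exe", "parent": "explorer.exe",
     "cmdline": "winword.exe report.docx"},
    {"type": "process", "pid": 402, "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe " + base64.b64encode(b"constructed sample script text" * 2).decode()},
    {"type": "registry", "pid": 402, "value": "updater",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "network", "pid": 402, "dest": "203.0.113.9", "port": 8443},
    {"type": "process", "pid": 403, "image": "notepad.exe", "parent": "explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
]

def score_events(events):
    """Return {pid: (score, reasons)} for every process whose behaviour crossed the threshold."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            if ev["image"] in SCRIPT_HOSTS and ev["parent"] in DOC_APPS:
                scores[pid] += 40
                reasons[pid].append("script host spawned by a document application")
            if ENCODED_ARG.search(ev["cmdline"]):
                scores[pid] += 30
                reasons[pid].append("long encoded argument on the command line (no script file on disk)")
        elif ev["type"] == "registry" and ev["key"].lower().endswith("\\run"):
            scores[pid] += 20
            reasons[pid].append("autostart registry key modified")
        elif ev["type"] == "network" and scores.get(pid, 0) > 0:
            scores[pid] += 20          # only escalate connections from an already suspicious process
            reasons[pid].append(f"outbound connection to {ev['dest']}:{ev['port']}")
    return {pid: (s, reasons[pid]) for pid, s in scores.items() if s >= ALERT_THRESHOLD}

if __name__ == "__main__":
    for pid, (score, why) in score_events(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} score={score}: " + "; ".join(why))
```

Each rule alone stays below the threshold, so a plain editor launch or a single registry write does not alert; it is the chain of behaviours from one process that does.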
Q.5 Use the Lynis tool to audit your own Linux system and provide its reports
screenshot.

Ans. LYNIS: Lynis is an open-source auditing tool that checks Unix/Linux based operating systems
for security vulnerabilities, configuration issues and other security risks. It is a command-line
tool that provides suggestions for improving the security of the system. It performs various
types of security checks, such as file permissions, password policies, system logging and more.
Q.6 What is a DLP solution? How does it work? Name some of the well-known DLP
solutions.

Ans. DLP: DLP (Data Loss Prevention) is a combination of traditional software such as firewalls
and antivirus and advanced solutions such as Artificial Intelligence and Machine Learning to
prevent data loss and detect malicious activities. It provides strategies to protect sensitive
data from being stolen or leaked to unauthorized users.
DLP comes in three types: Network, Endpoint and Cloud DLP. DLP solutions analyze data in
motion or at rest and enforce policies that control how data should be accessed, used and
shared. DLP can identify sensitive data types, monitor data access, encrypt data and block
unauthorized access. DLP can analyze, detect and prevent suspicious activities and can
respond to malicious activities.

Some DLPs:
Symantec DLP
McAfee DLP
Forcepoint DLP
Cisco DLP
Fidelis DLP
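As an added example (not taken from any of the products listed), the following classifier shows the "identify sensitive data types, then enforce a policy" step from the answer above: it detects SSN-like numbers, Luhn-valid card numbers and email addresses in outbound text, and the constructed POLICY decides whether to block, redact or allow the message.

```python
import re

# Detectors for the sensitive data types a DLP policy is written against.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),      # digit runs, validated with Luhn below
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
# Constructed policy: the action taken when a data type appears in outbound content.
POLICY = {"ssn": "block", "card": "block", "email": "redact"}
SEVERITY = {"allow": 0, "redact": 1, "block": 2}

def luhn_ok(number):
    """Luhn checksum, so that arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, d in enumerate(reversed([int(c) for c in number if c.isdigit()])):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Identify sensitive data types: returns a list of (data_type, matched_text)."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "card" and not luhn_ok(m.group()):
                continue
            findings.append((kind, m.group()))
    return findings

def enforce(text):
    """Apply POLICY to a message: returns (action, text) with redacted values masked."""
    action = "allow"
    for kind, value in classify(text):
        verdict = POLICY.get(kind, "allow")
        if SEVERITY[verdict] > SEVERITY[action]:
            action = verdict               # the most severe verdict wins
        if verdict == "redact":
            text = text.replace(value, f"[{kind.upper()} REDACTED]")
    return action, text

if __name__ == "__main__":
    # Constructed sample messages, not real data.
    for msg in ["contact alice@example.com about the invoice",
                "card 4111 1111 1111 1111 on file",
                "ref 1234 5678 9012 3456 is a ticket number"]:
        print(enforce(msg))
```

The third sample shows why the Luhn check matters: a 16-digit ticket number matches the card pattern but fails the checksum, so it is allowed through instead of being blocked.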

Q.7 What is attack surface? How to find attack surface of any organization?

Ans. Attack Surface: The total number of entry points in an organization's infrastructure that
attackers can exploit to gain unauthorized access or carry out other malicious activities is
called the attack surface. The attack surface of a modern large organization is complex and huge.

Find Attack Surface: First of all, make a list of all software, hardware and applications being
used in the organization.

The scope of all assets is found by identifying access points and information flows.

Potential vulnerabilities are found, such as outdated software, unpatched software and
weak passwords.

The impact of each vulnerability on the organization in case of exploitation is measured.

At the end, vulnerabilities are mitigated by applying security patches, updating software and
enhancing security controls.
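The five steps above, carried out over a constructed asset inventory as an added example (not from any real assessment tool); the asset names, versions, sensitivity scale and the CURRENT_VERSIONS baseline are hypothetical, and the risk formula is a simple assumption.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    service: str
    version: str
    internet_facing: bool
    data_sensitivity: int            # constructed scale: 1 = public, 3 = confidential
    mfa: bool = True
    password_policy: str = "strong"

# Step 1: the inventory. Names, versions and the patched-version baseline are hypothetical.
CURRENT_VERSIONS = {"web": "2.4", "vpn": "9.1", "mail": "3.2", "db": "14"}
INVENTORY = [
    Asset("www01", "web", "2.4", True, 1),
    Asset("vpn01", "vpn", "8.7", True, 3, mfa=False),
    Asset("mail01", "mail", "3.2", True, 2, password_policy="weak"),
    Asset("db01", "db", "13", False, 3),
]
MITIGATION = {"outdated software": "apply security patches",
              "no MFA": "enable multi-factor authentication",
              "weak password policy": "enforce a strong password policy"}

def entry_points(assets):
    """Step 2: internet-facing services are the access points an outsider can reach."""
    return [a for a in assets if a.internet_facing]

def weaknesses(asset):
    """Step 3: outdated software, missing MFA and weak passwords."""
    found = []
    if asset.version != CURRENT_VERSIONS.get(asset.service):
        found.append("outdated software")
    if not asset.mfa:
        found.append("no MFA")
    if asset.password_policy == "weak":
        found.append("weak password policy")
    return found

def risk_score(asset):
    """Step 4: likelihood (number of weaknesses, doubled if exposed) times data sensitivity."""
    likelihood = len(weaknesses(asset)) * (2 if asset.internet_facing else 1)
    return likelihood * asset.data_sensitivity

def mitigation_plan(assets):
    """Step 5: highest-risk assets first, each with the fixes that remove its weaknesses."""
    ranked = sorted((a for a in assets if weaknesses(a)), key=risk_score, reverse=True)
    return [(a.name, risk_score(a), [MITIGATION[w] for w in weaknesses(a)]) for a in ranked]

if __name__ == "__main__":
    for name, score, fixes in mitigation_plan(INVENTORY):
        print(f"{name}: risk {score}: " + ", ".join(fixes))
```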

Q.8 Explain a summary of the real-world case of a cloud computing attack where
one cloud customer has accessed the data of another cloud customer.

Ans. LinkedIn was attacked by hackers in 2021. They breached the personal data of more than
700 million LinkedIn users, which is more than 93% of all users. Data stolen from LinkedIn
was posted on a dark web forum in June 2021. LinkedIn tried to cover up the severity of the
attack by saying that no sensitive data was breached. The company said that the attacker had
only violated the company's terms of service. But a dark web post indicated that email
addresses, phone numbers, geolocation records and other social media information were breached
during the attack. This data is more than enough for a clever hacker to carry out further social
engineering attacks. This attack has opened the eyes of social media users. They should think
twice before sharing their personal information on social media.

Q.9 Explain a summary of the real-world case of an insider cyber security attack.

Ans. Sometimes a harmless-looking action can be a security risk for the company.

In 2017, an employee of the aerospace company Boeing sent an email to his wife to get help
formatting a spreadsheet file. His wife was not an employee of the company, and the file
contained personal information of more than 36000 of his coworkers in hidden columns.
Although his intent was not to harm the company, and he just wanted help with file formatting,
he bypassed company security protocols and sent the personal information of his coworkers to a
non-employee and an unsecured device. He compromised employee IDs, places of birth and
social security information. The Boeing Company said the data was not breached by hackers for
malicious activities, but it offered two years of free credit monitoring to all affected employees.
This incident teaches us that in organizations every step should be taken very carefully. A
very small mistake can cause a big loss.

Q.10 Explain a summary of the real-world case of an APT Group targeting the
financial sector.

Ans. On June 29, 2021, the central bank of Denmark revealed that it had been compromised in
the 2020 global SolarWinds hacking operation. Hackers had opened a back door into the bank
7 months earlier and the bank was not aware of the attack. The bank said there was no evidence
of compromise beyond the first stage of the attack. The attackers broke into the bank's security
and remained for 7 months before officials could find them in the network.
