
Cyber Security and Ethical Hacking
Unit 1: Introduction and Design Principles
Importance of the Subject
• Cyber security
• How to defend devices and services from electronic attacks by nefarious actors such as hackers, spammers, and cybercriminals.
• Today's professionals focus on determining the best way to defend all assets, from computers and smartphones to networks and databases, against attacks.
• Ethical Hacking
• An authorized practice of detecting vulnerabilities in an application, system, or organization's infrastructure and bypassing system security to identify potential data breaches and threats in a network.
• The aim is to investigate the system or network for weak points that malicious hackers could exploit or destroy.
• Ethical hackers can then improve the security footprint so that it withstands attacks better or diverts them.
Recent Ransomware Attacks
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking (encrypting) the users' files until a ransom is paid.

How to prevent Ransomware
• Keep your operating system patched and up-to-date so that there are fewer vulnerabilities to exploit.
• Don't install software or give it administrative privileges unless you know exactly what it is and what it does.
• Install antivirus software, which detects malicious programs like ransomware as they arrive, and application allow-listing (whitelisting) software, which prevents unauthorized applications from executing in the first place.
• And, of course, back up your files, frequently and automatically! That won't stop a malware attack, but it can make the damage caused by one much less significant. Keep at least one copy offline or otherwise unreachable from the network, because ransomware operators deliberately look for and encrypt any backups they can reach, and test that the backups actually restore.
Ransomware Statistics
• Ransomware is the second leading cause of data breaches in Q1 2022, after phishing.
• There were 623.3 million ransomware attacks worldwide in 2021 and 304.6 million detected attacks in 2020. [Statista]
• In the first half of 2022, there were 236.1 million ransomware attempts. [Statista]
• 76% of organizations suffered one or more ransomware attacks in 2021. Of those 76%:
• 42% were unintentionally caused by user actions
• 43% were due to negligence from managers or administrators (risks concerning software patches, credentials, etc.) [Veeam]
• In 2021, hackers successfully encrypted data in 65% of attacks, up from 54% recorded in 2020. [Sophos]
• In 2021, there was an 82% rise in ransomware incidents, with 2,686 attacks as opposed to 1,474 in 2020. [CrowdStrike]
Phishing Attack
• Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.
• It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message and acting on it (clicking a link, opening an attachment, or entering credentials on a look-alike site).
Outline of the Topics
Introduction:
• Basic Components of Computer security (CIA)
• Characteristics of Information
• Vulnerabilities
• Threats
• Attacks and controls
• Goals of security
• Classification of hackers
Design Principles:
• Various Security attacks
• Method of defense
• Design Principles
• Security policies
• Types of security policies
Basic Components of Computer security (CIA)
• Confidentiality: The principle of confidentiality asserts that only authorized parties can access sensitive information and functions. Example: military secrets.
• Integrity: The principle of integrity asserts that only authorized people and means can alter, add, or remove sensitive information and functions. Example of an integrity failure: a user entering incorrect data into the database, or an attacker altering a record in transit.
• Availability: The principle of availability asserts that systems, functions, and data must be available on demand according to agreed-upon parameters based on levels of service.
An organization needs multiple layers of security in place to protect its operations:
• Physical security, to protect physical items, objects, or areas from unauthorized access and misuse
• Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
• Operations security, to protect the details of a particular operation or series of activities
• Communications security, to protect communications media, technology, and content
• Network security, to protect networking components, connections, and contents
• Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.
Components of Information Security
Key Information Security Concepts
• Access: A subject or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.
• Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.
• Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.
• Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
• Exploit: A technique used to compromise a system. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker.
• Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.
• Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization's information is stolen, it has suffered a loss.
• Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset.
• Risk: The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite, the quantity and nature of risk they are willing to accept.
• Subject and object of an attack: A computer can be either the subject of an attack (an agent used as the active tool to conduct the attack) or the object of an attack (the entity being attacked). A compromised computer is often both: first the object, then the subject used against the next target.
• Threat: A category of objects, persons, or other entities that presents a danger to an asset. For example, hackers purposefully threaten unprotected information systems.
• Threat agent: The specific instance or a component of a threat. For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent.
• Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package or an unprotected system port.
Characteristics of Information
• Availability: enables authorized users, persons or computer systems, to access information without interference or obstruction and to receive it in the required format.
• Authenticity: the quality or state of being genuine or original, rather than a reproduction or fabrication.
• Accuracy: information has accuracy when it is free from mistakes or errors and has the value that the end user expects.
• Confidentiality: information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the rights and privileges to access information are able to do so.
• Integrity: information has integrity when it is whole, complete, and uncorrupted.
• Utility: the quality or state of having value for some purpose or end. Information has value when it can serve a purpose.
• Possession: the quality or state of ownership or control. Information is said to be in one's possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality (for example, a stolen laptop whose disk is strongly encrypted).
Attacks
• Our three goals of security (confidentiality, integrity, and availability) can be threatened by security attacks.
Attacks Threatening Confidentiality
• Snooping: Unauthorized access to or interception of data.
• For example, a file transferred through the Internet may contain confidential information. An unauthorized entity may intercept the transmission and use the contents for her own benefit.
• Traffic Analysis: Although encipherment of data may make it unintelligible to the interceptor, she can still obtain other kinds of information by monitoring online traffic.
• For example, she can find the electronic address (such as the e-mail address) of the sender or the receiver, or collect pairs of requests and responses, with their sizes and timing, to help her guess the nature of the transaction.
Attacks Threatening Integrity
• The integrity of data can be threatened by several kinds of attacks: modification, masquerading, replaying, and repudiation.
1. Modification: After intercepting or accessing information, the attacker modifies the information to make it beneficial to herself.
• For example, a customer sends a message to a bank to do some transaction. The attacker intercepts the message and changes the type of transaction to benefit herself.
2. Masquerading (spoofing): happens when the attacker impersonates somebody else.
• For example, an attacker might steal the bank card and PIN of a bank customer and pretend that she is that customer. Sometimes the attacker pretends instead to be the receiver entity. For example, a user tries to contact a bank, but another site pretends that it is the bank and obtains some information from the user.
3. Replaying: The attacker obtains a copy of a message sent by a user and later tries to replay it.
• For example, a person sends a request to her bank to ask for payment to the attacker, who has done a job for her. The attacker intercepts the message and sends it to the bank again later to receive a second payment. Note that the replayed message is genuine and unmodified, so a signature or MAC alone does not stop it; the receiver must also check a nonce, sequence number, or timestamp.
4. Repudiation: This type of attack is different from the others because it is performed by one of the two parties in the communication: the sender or the receiver. The sender of the message might later deny that she has sent the message; the receiver of the message might later deny that he has received the message.
• An example of denial by the receiver could occur when a person buys a product from a manufacturer and pays for it electronically, but the manufacturer later denies having received the payment and asks to be paid.
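The following Python snippet is an added worked example, not part of the original slides: it shows how a receiver can detect the modification and replay attacks just described, and also reject a masquerader who does not hold the key. It assumes a secret already shared between customer and bank and a per-message nonce; the key, the request format and the messages are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in practice it is provisioned out of band.
SHARED_KEY = b"demo-shared-key-not-for-production"


def sign_request(key: bytes, nonce: str, body: str) -> dict:
    """Build a request whose integrity and freshness the receiver can verify.

    The MAC covers nonce and body together, so neither can be changed on its
    own without invalidating the tag.
    """
    msg = f"{nonce}|{body}".encode()
    return {"nonce": nonce, "body": body,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}


class BankReceiver:
    """Receiver that detects modified and replayed requests."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()   # nonces already accepted (replay detection)
        self.ledger = []           # bodies of accepted requests

    def accept(self, req: dict) -> str:
        msg = f"{req['nonce']}|{req['body']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        # constant-time comparison so the tag cannot be guessed byte by byte
        if not hmac.compare_digest(expected, req["mac"]):
            return "rejected: modification detected"
        if req["nonce"] in self.seen_nonces:
            return "rejected: replay detected"
        self.seen_nonces.add(req["nonce"])
        self.ledger.append(req["body"])
        return "accepted"


def demo() -> list:
    """Genuine request, then the two integrity attacks from the slides."""
    bank = BankReceiver(SHARED_KEY)
    req = sign_request(SHARED_KEY, secrets.token_hex(8), "pay 100 to attacker")
    results = [bank.accept(req)]                        # genuine: accepted
    results.append(bank.accept(req))                    # replay of the same message
    tampered = dict(req, body="pay 10000 to attacker")  # modification in transit
    results.append(bank.accept(tampered))
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce set grows without bound here; a real receiver pairs the nonce with a timestamp and only remembers nonces inside a short window. A plain hash without a key would not do, because an attacker who can modify the body can recompute it; the keyed MAC is what ties the tag to the legitimate sender.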
Attacks Threatening Availability
• Denial of Service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system, for example by flooding it with requests or by exploiting a flaw that crashes it. When the flood comes from many compromised machines at once it is called a distributed denial of service (DDoS).
Passive Versus Active Attacks
• Passive Attacks
• In a passive attack, the attacker's goal is just to obtain information. This means that the attack does not modify data or harm the system. The system continues with its normal operation, which makes the attack hard to detect; the defence is prevention, mainly encryption.
• Active Attacks
• An active attack may change the data or harm the system.
• Attacks that threaten integrity and availability are active attacks.
• Active attacks are normally easier to detect than to prevent, because an attacker can launch them in a variety of ways.
Activity 1
• List different types of attacks and identify which of the security goals is breached in each attack.
Attacks and Security Threats
Activity 2: Define the type of security attack in each of the following cases
a. A student breaks into a professor's office to obtain a copy of the next day's test.
b. A student gives a check for $10 to buy a used book. Later she finds that the check was cashed for $100.
c. A student sends hundreds of e-mails per day to another student using a phony return e-mail address.
More on Attacks
• In a man-in-the-middle attack (also called TCP hijacking), an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. The attack typically uses IP spoofing to let the attacker impersonate another entity on the network, so that each party believes it is talking directly to the other.
Security Principles
These eight design principles were stated by Saltzer and Schroeder (1975) and remain the reference point for secure system design.
• Economy of mechanism: Keep the design as simple and small as possible.
• Fail-safe defaults: Base access decisions on permission rather than exclusion; the default is to deny, so an error or omission leaves access denied rather than granted.
• Complete mediation: Every access to every object must be checked for authority, every time; a cached authorization decision must be invalidated when the policy changes.
• Open design: The design should not be secret, but rather depend on the possession of keys or passwords.
• Separation of privilege: Where feasible, a protection mechanism should require two keys to unlock, rather than one.
• Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
• Least common mechanism: Minimize mechanisms (or shared variables) common to more than one user and depended on by all users.
• Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
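As an added example (not from the slides or the cited textbooks), the Python code below shows what fail-safe defaults and complete mediation look like in code: a permission-based check that denies anything not explicitly granted, a contrasting exclusion-based check that fails open for an unknown user, and a file store that re-checks the live policy on every access so that a revocation takes effect on the very next read. The policy, users and file are constructed.

```python
class Policy:
    """Explicit grants only: (subject, object) -> set of permitted actions."""

    def __init__(self):
        self.grants = {}

    def grant(self, subject: str, obj: str, *actions: str) -> None:
        self.grants.setdefault((subject, obj), set()).update(actions)

    def revoke(self, subject: str, obj: str) -> None:
        self.grants.pop((subject, obj), None)


def is_allowed(policy: Policy, subject: str, obj: str, action: str) -> bool:
    """Fail-safe default: anything not explicitly granted is denied."""
    return action in policy.grants.get((subject, obj), set())


def is_allowed_denylist(denied: set, subject: str, obj: str, action: str) -> bool:
    """The exclusion-based alternative the principle warns against: anything
    not explicitly forbidden is allowed, so a subject nobody thought of
    gets access."""
    return (subject, obj, action) not in denied


class FileStore:
    """Complete mediation: every read and write is checked against the live
    policy at the moment it happens. No 'already authorised' flag is cached,
    so a revocation applies to the next access."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.files = {}
        self.audit = []   # one line per mediated access, allow or deny

    def _mediate(self, subject: str, obj: str, action: str) -> None:
        ok = is_allowed(self.policy, subject, obj, action)
        self.audit.append(f"{subject} {action} {obj}: {'allow' if ok else 'deny'}")
        if not ok:
            raise PermissionError(f"{subject} may not {action} {obj}")

    def write(self, subject: str, obj: str, data: str) -> None:
        self._mediate(subject, obj, "write")
        self.files[obj] = data

    def read(self, subject: str, obj: str) -> str:
        self._mediate(subject, obj, "read")
        return self.files[obj]


def demo() -> dict:
    policy = Policy()
    policy.grant("alice", "salaries.csv", "read", "write")
    policy.grant("bob", "salaries.csv", "read")
    store = FileStore(policy)
    store.write("alice", "salaries.csv", "alice,100\nbob,90")
    out = {"bob_reads": store.read("bob", "salaries.csv")}
    # mallory was never mentioned in the policy: the permission-based check
    # denies her, the exclusion-based check (an empty deny list) lets her in
    out["mallory_permission"] = is_allowed(policy, "mallory", "salaries.csv", "read")
    out["mallory_exclusion"] = is_allowed_denylist(set(), "mallory", "salaries.csv", "read")
    # revoke bob: complete mediation means his next read is re-checked and fails
    policy.revoke("bob", "salaries.csv")
    try:
        store.read("bob", "salaries.csv")
        out["bob_after_revoke"] = "allowed"
    except PermissionError:
        out["bob_after_revoke"] = "denied"
    out["audit"] = list(store.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The audit list is part of the point: because every access passes through one check, there is exactly one place to log, to test, and to change when the policy changes.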
Software development security problems
• A buffer overrun (or buffer overflow) is an application error that occurs when more data is written to a program buffer than it was allocated to hold; the excess overwrites adjacent memory, which an attacker can use to corrupt data or hijack control flow.
• Command injection problems occur when user input is passed directly to a command shell, compiler, or interpreter without validation; shell metacharacters in the input let the attacker run commands of their own.
• Cross-site scripting (XSS) occurs when a Web application places untrusted user input into a page without proper output encoding, so that attacker-supplied script runs in other users' browsers, typically to steal session cookies or act on the victim's behalf.
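An added example in Python, not from the original slides, showing the command injection and cross-site scripting problems side by side with their fixes. Here echo stands in for whatever tool a real feature would call (ping, nslookup); the greeting page and the payloads are constructed. Because the vulnerable form really runs the injected command, the demonstration needs a POSIX shell.

```python
import html
import re
import subprocess

# Allow-list for the one kind of value this feature accepts: a hostname.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def run_vulnerable(value: str) -> str:
    """Vulnerable: untrusted input is spliced into a command line that a shell
    parses, so ';', '|', '$(...)' and friends are obeyed, not echoed."""
    return subprocess.run(f"echo {value}", shell=True,
                          capture_output=True, text=True).stdout


def run_safe(value: str) -> str:
    """No shell: the value travels as one literal argv element. Metacharacters
    reach the program as plain text."""
    return subprocess.run(["echo", value], capture_output=True, text=True).stdout


def lookup_safe(value: str) -> str:
    """Hardened form: validate against the allow-list first, then run without
    a shell. Validation is the primary control; the argv list is defence in
    depth in case a later change passes the value somewhere else."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError("invalid hostname")
    return run_safe(value)


def greeting_vulnerable(name: str) -> str:
    """XSS: raw input lands inside the HTML, so a <script> in the name runs."""
    return f"<p>Hello {name}</p>"


def greeting_safe(name: str) -> str:
    """Output encoding for the HTML text context; the browser shows the tags
    as text instead of executing them."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


INJECTION = "x; echo INJECTED"          # second command smuggled after ';'
XSS = "<script>alert(1)</script>"       # classic proof-of-concept payload

if __name__ == "__main__":
    print(repr(run_vulnerable(INJECTION)))   # two lines: the injected one ran
    print(repr(run_safe(INJECTION)))         # one line, metacharacters literal
    print(greeting_vulnerable(XSS))
    print(greeting_safe(XSS))
```

html.escape covers the HTML text and attribute contexts only; a value placed inside a script block, a URL or a CSS property needs the encoding of that context, which is why template engines that escape automatically per context are preferred to hand-rolled string building.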
Software development security problems
• Failure to handle errors: programmers are expected to anticipate problems and prepare their application code to handle them; an unhandled error can leak internal details to an attacker or leave the system in an unsafe state.
• Failure to protect network traffic: with wireless networking comes a corresponding increase in the risk that wirelessly transmitted data will be intercepted; traffic that is not encrypted end to end should be assumed readable.
• Failure to store and protect data securely (for example, passwords kept in plain text rather than as salted hashes).
• Failure to use cryptographically strong random numbers (for example, generating session or reset tokens from a general-purpose PRNG seeded with the clock).
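An added example (not part of the slides) of the weak-random-numbers problem in Python: a constructed reset-token service seeds the general-purpose random module (a Mersenne Twister) from the clock, and an attacker who holds one token of their own and knows roughly when the service started recovers the seed and predicts the next user's token. The service, the start time and the search window are all assumptions for illustration.

```python
import random
import secrets
from typing import Optional


class WeakTokenService:
    """Constructed vulnerable service: seeds a general-purpose PRNG from the
    clock at start-up and issues password-reset tokens from it."""

    def __init__(self, start_time: int):
        self._rng = random.Random(start_time)

    def issue(self) -> str:
        return "%016x" % self._rng.getrandbits(64)


def predict_next_token(observed: str, approx_start: int,
                       window: int = 600, max_draws: int = 64) -> Optional[str]:
    """Attacker's side: try every start second within +/- window, replay each
    candidate generator until the observed token appears, then emit the next
    value that generator would produce. Returns None if no seed matches."""
    for seed in range(approx_start - window, approx_start + window + 1):
        rng = random.Random(seed)
        for _ in range(max_draws):
            if "%016x" % rng.getrandbits(64) == observed:
                return "%016x" % rng.getrandbits(64)
    return None


def strong_token() -> str:
    """Fixed version: the OS CSPRNG via secrets. There is no seed to recover
    and no internal state that an earlier output reveals."""
    return secrets.token_hex(8)


def demo() -> bool:
    start = 1_700_000_000                # constructed server start time
    svc = WeakTokenService(start)
    for _ in range(5):
        svc.issue()                      # tokens issued to other users
    attacker_token = svc.issue()         # attacker requests a reset for themselves
    victim_token = svc.issue()           # the next reset anyone requests
    # the attacker's estimate of the start time is off by about two minutes
    return predict_next_token(attacker_token, start + 137) == victim_token


if __name__ == "__main__":
    print("victim token predicted:", demo())
    print("strong token:", strong_token())
```

The search space here is 1,201 seeds times 64 draws, not 2^64 tokens; the length of the token was never the problem, the entropy behind it was.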
Software development security problems
• Improper use of SSL/TLS
• Programmers use Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), to transfer sensitive data, such as credit card numbers and other personal information, between a client and server.
• Many programmers assume that using SSL/TLS guarantees security; unfortunately they often mishandle this technology.
• SSL and TLS both need certificate validation to be truly secure: encryption alone keeps eavesdroppers out, but says nothing about whether the other end is who it claims to be.
• Failure to use Hypertext Transfer Protocol Secure (HTTPS), to validate the certificate chain back to a trusted certificate authority, to validate the certificate itself (its name matches the host and it is within its validity period), or to check it against a certificate revocation list (CRL), can compromise the security of SSL/TLS traffic.
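An added Python example, not from the slides, of the certificate-validation point: the insecure client context that programmers write to silence a certificate error, the secure one with chain, hostname and CRL checks enabled, and an audit function that reports which of the validation steps listed above a context is missing. Nothing connects to the network; the CRL file a real deployment would load is an assumption noted in the comments.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The pattern the slide warns about: making a certificate error go away
    by switching verification off. Traffic is still encrypted, but the client
    will happily encrypt it to whoever answers, including a man in the middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """Verification on: chain to a trusted CA, hostname match, CRL check of
    the leaf certificate, and no obsolete protocol versions.

    Assumption: before connecting, the operator loads a current CRL with
    ctx.load_verify_locations(cafile=...); without it the CRL flag makes the
    handshake fail closed rather than silently skipping the check."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname, system CAs
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the validation steps a context is missing; [] means none."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified against a CA")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        findings.append("certificate revocation (CRL) not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("obsolete TLS/SSL versions allowed")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("secure:  ", audit_context(secure_client_context()))
```

The hostname check only happens if the connection is opened with the server name supplied, i.e. ctx.wrap_socket(sock, server_hostname=host); a context with check_hostname set but no server_hostname passed raises rather than guessing. OCSP (including stapling) is the more common revocation mechanism today, but the CRL flag is the one the Python ssl module exposes directly.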
Software development security problems
• SQL injection occurs when developers fail to properly validate user input before using it to query a relational database. For example, a fairly innocuous program fragment expects the user to input a user ID and then performs a SQL query against the USERS table to retrieve the associated name:
  Accept USER-ID from console;
  SELECT USERID, NAME FROM USERS WHERE USERID = USER-ID;
• Because USER-ID is pasted into the query text, an input containing a quote followed by more SQL changes the statement itself instead of being treated as a value to compare.
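An added Python example (not from the slides or the textbook) that runs the fragment above against a constructed USERS table in SQLite, first with the user ID pasted into the query text and then as a parameterised query. The two injection inputs return every row, or a column the query never meant to expose, in the vulnerable version and nothing in the safe one.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed USERS table standing in for the one on the slide."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USERS (USERID TEXT PRIMARY KEY, NAME TEXT, PASSWORD_HASH TEXT)")
    con.executemany("INSERT INTO USERS VALUES (?, ?, ?)", [
        ("alice", "Alice Smith", "hash-a"),
        ("bob", "Bob Jones", "hash-b"),
        ("root", "Administrator", "hash-r"),
    ])
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """The slide's fragment as it is usually first written: the console value
    is pasted into the SQL text, so quotes in the input rewrite the query."""
    query = f"SELECT USERID, NAME FROM USERS WHERE USERID = '{user_id}'"
    return con.execute(query).fetchall()


def lookup_safe(con: sqlite3.Connection, user_id: str) -> list:
    """Parameterised query: the statement and the value travel separately, so
    the value can only ever be compared as data, never parsed as SQL."""
    return con.execute(
        "SELECT USERID, NAME FROM USERS WHERE USERID = ?", (user_id,)
    ).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology;
# the second appends a UNION that reads a column the query never selected
# and comments out the trailing quote.
TAUTOLOGY = "' OR '1'='1"
UNION = "x' UNION SELECT USERID, PASSWORD_HASH FROM USERS --"

if __name__ == "__main__":
    con = setup_db()
    print("vulnerable, tautology:", lookup_vulnerable(con, TAUTOLOGY))
    print("vulnerable, union:    ", lookup_vulnerable(con, UNION))
    print("safe, tautology:      ", lookup_safe(con, TAUTOLOGY))
    print("safe, honest input:   ", lookup_safe(con, "alice"))
```

Input validation (the slide's wording) helps, but parameterisation is the control that removes the bug class: it works for every input, including legitimate names that contain an apostrophe.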
References
• Kahate, A., "Cryptography & Network Security", 3rd Ed., TMH, 2014, Chapter 1.
• Whitman, M., Mattord, H., "Principles of Information Security", 4th Ed., Cengage Learning, 2013, Chapters 1 and 2.
