
Topics

• Chapter 0: Course Introduction
• Chapter 1: The Need for Cybersecurity
  Cyber Security, Online Identity, IoT and Big Data, CIA triad, Checksum, Consequences of a Security
  Breach, Types of Attack, Internal and External Threats, Cyberwarfare
• Chapter 2: Attacks, Concepts and Techniques
  Google’s Project Zero, Rowhammer exploitation, Categorizing Security Vulnerabilities, Malware Types,
  Social Engineering, Network Sniffing, Phishing, Vulnerability Exploitation, APT, DoS, DDoS, SEO
  Poisoning, Impact Reduction
• Chapter 3: Protecting Your Data and Privacy
  Key Reinstallation Attacks (KRACK), Passphrase Generating, NIST Password Requirements, Encrypting
  File System (EFS) of Windows, Data Backup, SDelete of Microsoft, Two-factor Authentication, OAuth,
  Email and Web Browser Privacy, Analysing Risky Online Behavior
• Chapter 4: Protecting the Organization
  Firewall Types, Port Scanning using Nmap, Security Best Practices, Zero-day Attack, Botnet, Kill Chain,
  Behavior-based Security, Honeypots, Cisco AMP, NetFlow, CSIRT, SIEM, DLP, IDS, and IPS
• Chapter 5: Will Your Future Be in Cybersecurity?
  Educational and Career Paths for Cybersecurity, Job Search Engines, Legal and Ethical Issues in
  Cybersecurity

Contents

Chapter 0: Course Introduction


0.1 Packet Trace
0.2 Student Resources
0.3 Welcome
Chapter 1: The Need for Cybersecurity
1.1 What is cybersecurity?
1.2 Your online and offline identity
1.3 Introduction to Organizational Data
1.4 Confidentiality, Integrity and Availability (CIA Triad)
1.5 Internet of Things and Big Data
1.6 LAB-Compare Data with a Hash
1.7 Consequences of a Security Breach
1.8 Types of Attackers
1.9 Internal and External Threats
1.10 What is Cyberwarfare
1.11 Breaking Down Stuxnet
1.12 Stuxnet: Anatomy of a Computer Virus
1.13 The Purpose of Cyberwarfare
1.14 Supply Chain Risk Management
1.15 Supply Chain Risk Defined
1.16 Managing Cyber-Risk and Security in the Global Supply Chain
1.17 Cybercrime or Cyberwarfare?
1.18 Hacktivism
1.19 When Cyber-crime is an act of cyberwar
1.20 Terms and Concepts Practice
1.21 Quiz – Cybersecurity Ethics
1.22 Chapter One Quiz
Chapter 2: Attacks, Concepts and Techniques
2.1 Finding Security Vulnerabilities
2.2 SYNful Knock
2.3 Rowhammer attack
2.4 Categorizing Security Vulnerabilities
2.5 Quick Quiz: Security Vulnerability
2.6 Types of Malware
2.7 Rootkits as Fast as Possible
2.8 The difference between viruses, worms and Trojans
2.9 A brief history of computer virus
2.10 Symptoms of Malware
2.11 Quick Quiz: Types of Virus
2.12 Social Engineering
2.13 Wi-Fi Password Cracking

2.14 Windows hashing basics
2.15 Using Mimikatz to crack Windows password
2.16 Phishing
2.17 Vulnerability Exploitation
2.18 Advanced Persistent Threats
2.19 Whois
2.20 DOS
2.21 DDOS
2.22 SEO Poisoning
2.23 Quick Quiz: Identify the Attack Type
2.24 Blended Attack
2.25 Blended Threats: Get the facts
2.26 CodeRed Windows Worm
2.27 Email-Worm.Win32.Klez.E
2.28 SQL Slammer
2.29 Conficker worm
2.30 What is Impact Reduction?
2.31 A social engineering walkthrough
2.32 Google Hack
2.33 Terms and Concepts Practice
2.34 Chapter Two Quiz
Chapter 3: Protect Your Data and Privacy
3.1 Protecting your computing Device
3.2 Shodan, a web-based IoT device scanner
3.3 Functions and importance of Windows Firewall
3.4 Use Wireless Networks Safely
3.5 Key Reinstallation Attacks (KRACK)
3.6 Protect yourself while using wireless network
3.7 Use Unique Password for each online account
3.8 LAB: Create and store strong password
3.9 Encrypt Your Data
3.10 Backup your data
3.11 Deleting your data permanently
3.12 Lab: Who Owns Your Data?
3.13 How secure is your data when it’s stored in the cloud?
3.14 Two Factor Authentication
3.15 OAuth 2.0
3.16 Do not share too much on social media
3.17 Email and web browser privacy
3.18 Discover your own risky online behavior
3.19 Safety tips
3.20 Terms and Concepts Practice
3.21 Chapter Three Quiz
Chapter 4: Protect the Organization
4.1 Firewall Types

4.2 Firewall Types and Generations Explained
4.3 Quick Quiz: Identify the firewall type
4.4 Port Scanning: Zenmap
4.5 Quick Quiz: Identify the Port Scan Response
4.6 Security Appliances
4.7 Quick Quiz: Identify the Security Appliance
4.8 VPN Routers
4.9 Detecting Attack in real time
4.10 Protecting Against Malware
4.11 Security Best Practices
4.12 SANS, Botnet
4.13 The Kill chain in cyberdefense
4.14 Quick Quiz: Order of the Stages of Kill chain
4.15 Behavior-Based Security
4.16 What are honeypots?
4.17 NetFlow
4.18 CSIRT
4.19 Security Playbook
4.20 Tools for Incident Prevention and detection
4.21 Fundamentals of ISE
4.22 SIEM
4.23 Data Loss Prevention (DLP)
4.24 IDS and IPS
4.25 Quick Quiz: Identify Cybersecurity Approach Terminology
4.26 Terms and Concept Practice
4.27 Chapter Four Quiz

Chapter 5: Will Your Future Be in Cybersecurity


5.1 Legal Issues in Cybersecurity
5.2 Ethical issues in Cybersecurity
5.3 Cybersecurity Jobs
5.4 Quick Quiz: Identify Hat Color
Final Assessment

About

This is a hand note of Sazzad Saju, student at Hajee Mohammad Danesh Science & Technology
University, Dinajpur, Bangladesh, Department of Computer Science and Engineering. This hand
note contains detailed information from different sources related to cybersecurity. The majority of this
note is from Cisco’s Introduction to Cyber Security course and was noted in 2020. As this e-book is
part of study material, there is no copyright. I believe study materials should be free. But
using this book for business purposes is strictly forbidden. Otherwise, share this pdf to spread
knowledge and consciousness about staying secure online. Thank You…

Sazzad Saju
CSE, HSTU
Email: sazzadsaju17@gmail.com

Chapter 0: Course Introduction

0.1 Packet Tracer


Enroll, download and start learning valuable tips and best practices for using our innovative, virtual
simulation tool, Cisco Packet Tracer. You'll also earn a Networking Academy digital badge.
Introduction to Packet Tracer.
Neso Academy tutorial on Packet Tracer: “Basics of Packet Tracer”.
0.2 Student Resources
• Career Advice: Access career resources specifically tailored to help NetAcad students be
  successful in the workplace.
• Talent Bridge: Register now with Talent Bridge. Find great job opportunities with Cisco and Cisco
  partners.
• Certification and Vouchers: Save money on vouchers for Cisco certification exams!
• Course Catalog: Choose a course, practice what you learn, and become an IT professional.
0.3 Welcome
Did you know you can make a career out of that?

• Cybersecurity Guru
• Cybersecurity Forensic Expert
• Information Security Expert
• Ethical Hacker

In this course, you will do the following:

• Learn the basics of being safe online.
• Learn about different types of malware and attacks, and how organizations are protecting
  themselves against these attacks.
• Explore the career options in cybersecurity.

Chapter 1: The Need for Cybersecurity

Cybersecurity professionals must have the same skills as the cyber attackers, but cybersecurity
professionals must work within the bounds of the local, national and international law. Cybersecurity
professionals must also use their skills ethically.
1.1 What is cybersecurity?
The connected electronic information network has become an integral part of our daily lives. Cybersecurity
is the ongoing effort to protect these networked systems and all of their data from unauthorized use or harm.
On a personal level, you need to safeguard your identity, your data, and your computing devices. At the
corporate level, it is everyone’s responsibility to protect the organization’s reputation, data, and customers.
At the state level, national security, and the safety and well-being of the citizens, are at stake.

1.2 Your online and offline identity


As more time is spent online, your identity, both online and offline, can affect your life. Online identity
should only reveal a limited amount of information about you. The username should not include any
personal information. It should be something appropriate and respectful.

Your data
This personal information can uniquely identify you as
an individual. This data includes the pictures and
messages that you exchange with your family and
friends online. Other information, such as name, social
security number, date and place of birth, or mother’s
maiden name, is known by you and used to identify you.
Medical records: Every time you go to the doctor’s
office, more information is added to your electronic
health records (EHRs). Your EHR includes your
physical health, mental health, and other personal
information that may not be medically-related. The
EHR may also include information about your family.
Medical devices, such as fitness bands, use the cloud
platform to enable wireless transfer, storage and display
of clinical data like heart rates, blood pressures and blood sugars.
Education Records: As you progress through your education, information about your grades and test
scores, your attendance, courses taken, awards and degrees awarded, and any disciplinary reports may be
in your education record.
Employment and Financial Records: Your financial record may include information about your income
and expenditures. Tax records could include paycheck stubs, credit card statements, your credit rating and
other banking information. Your employment information can include your past employment and your
performance.


Where is your data?


A part of your medical record for the visit may also be held by the insurance company.
Store loyalty cards may be a convenient way to save money on your purchases. However, the store is
compiling a profile of your purchases and using that information for its own purposes. The profile shows
that a buyer purchases a certain brand and flavor of toothpaste regularly. The store uses this information to
target the buyer with special offers from its marketing partner. By using the loyalty card, the store and the
marketing partner have a profile of the purchasing behavior of a customer.
When you share your pictures online with your friends, do you know who may have a copy of the
pictures? Because the pictures were posted online, they are also saved on servers located in different parts
of the world.

Your computing devices


Your computing devices do not just store your data. Now these devices have become the portal to your data
and generate information about you. If you want to pay your credit card bill online, you access the website
of your bank to transfer the funds using your computing devices.
With all this information about you available online, your personal data has become profitable to hackers.
They want your money
Your online credentials are valuable. These credentials give thieves access to your accounts.
Approximately 10,000 American Airlines and United accounts were hacked, and cybercriminals booked free
flights and upgrades using these stolen credentials. A criminal could also take advantage of your
relationships. They could use your online accounts and your reputation to trick your friends or family into
wiring money. They do not just steal your money; they could also steal your identity and ruin
your life.

They want your identity

Besides stealing your money for a short-term monetary gain, the criminals want long-term profits
by stealing your identity. As medical costs rise, medical identity theft is also on the rise. Identity thieves
can steal your medical insurance and use your medical benefits for themselves. An identity thief can file a
fake tax return and collect the refund. The legitimate filers will notice when their returns are rejected
by the IRS (Internal Revenue Service). With the stolen identity, they can also open credit card accounts and
run up debts in your name. This will cause damage to your credit rating and make it more difficult for you
to obtain loans.
1.3 Introduction to Organizational Data
Corporate data includes personnel information, intellectual property, and financial data.

• The personnel information includes application materials, payroll, offer letters, employee
  agreements, and any information used in making employment decisions.
• Intellectual property, such as patents, trademarks and new product plans, allows a business to gain
  economic advantage over its competitors. This intellectual property can be considered a trade
  secret; losing this information can be disastrous for the future of the company.
• The financial data, such as income statements, balance sheets, and cash flow statements of a
  company, gives insight into the health of the company.


1.4 Internet of Things and Big Data


With the emergence of the Internet of Things (IoT), there is a lot more data to manage and secure. IoT is a
large network of physical objects, such as sensors and equipment, that extends beyond the traditional
computer network. Expanded storage capacity and storage services through the cloud and
virtualization have led to the exponential growth of data (big data). With the velocity, volume, and variety
of data generated by the IoT and the daily operations of business, the confidentiality, integrity and
availability of this data is vital to the survival of the organization.

1.5 Confidentiality, Integrity and Availability (CIA Triad)


Confidentiality, integrity and availability, known as the CIA triad, is a guideline for information security
for an organization.

• Confidentiality ensures the privacy of data by restricting access through authentication and
  encryption. Another term for confidentiality would be privacy. Company policies should restrict
  access to the information to authorized personnel and ensure that only those authorized individuals
  view this data. The data may be compartmentalized [divided into sections or categories] according
  to the security or sensitivity level of the information. Methods to ensure confidentiality include
  data encryption, username ID and password, two-factor authentication, and minimizing exposure of
  sensitive information.
• Integrity assures that the information is accurate and trustworthy. Data must be unaltered during
  transit and not changed by unauthorized entities. File permissions and user access control can
  prevent unauthorized access. Version control can be used to prevent accidental changes by
  authorized users. Backups must be available to restore any corrupted data, and checksum hashing
  can be used to verify the integrity of the data during transfer. A checksum is used to verify the
  integrity of files, or strings of characters, after they have been transferred from one device to
  another across your local network or the Internet. Checksums are calculated with hash functions.
  Some of the common checksums are MD5, SHA-1, SHA-256, and SHA-512. A hash function uses a
  mathematical algorithm to transform the data into a fixed-length value that represents the data. The
  hashed value is simply there for comparison. From the hashed value, the original data cannot be
  retrieved directly. For example, if you forgot your password, the password must be reset.
• Availability ensures that the information is accessible to authorized people. Maintaining
  equipment, performing hardware repairs, keeping operating systems and software up to date, and
  creating backups ensure the availability of the network and data to the authorized users. Plans
  should be in place to recover quickly from natural or man-made disasters. Security equipment or
  software, such as firewalls, guard against downtime due to attacks such as denial of service (DoS).
  Denial of service occurs when an attacker attempts to overwhelm [bury or drown beneath a huge
  mass] resources so the services are not available to the users.
Downtime [time during which a machine, especially a computer, is out of action or unavailable for use.]
1.6 LAB-Compare Data with a Hash

It is important to understand when data has been corrupted or when it has been tampered with.

Create a file: hash.txt. Input: MITx

With the software HashCalc, this gives md5: c1e3765c4a44036c9c394168b4d52a08

Make a minor change to the file [MIT]; now the md5 hash is: 9d831a7fe53d9aa303466f6f2a370b70

Notice:

• Just changing MITx to MIT changes the entire result.
• md5, sha1 and sha256 all have different hash lengths.
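As an added example, not from the course or from this hand note, the following Python script repeats the lab with the standard hashlib module instead of HashCalc: it computes the four checksums named in section 1.5 for the original and the changed input, reports each digest's length, and verifies a byte string or a file against a published checksum using a constant-time comparison. The inputs MITx and MIT are the lab's; whether HashCalc hashed a trailing newline is not recorded, so the script hashes the bare bytes and the values it prints are not guaranteed to match the ones noted above.

```python
import hashlib
import hmac

# Constructed sample inputs for the lab: the original file content and the
# one-character change (assumption: the file has no trailing newline).
ORIGINAL = b"MITx"
MODIFIED = b"MIT"

# The checksum algorithms named in section 1.5.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digests(data: bytes) -> dict:
    """Return the hex digest of `data` under each algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_lengths(data: bytes) -> dict:
    """Hex-digest length per algorithm: MD5 32, SHA-1 40, SHA-256 64, SHA-512 128."""
    return {name: len(value) for name, value in digests(data).items()}


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so that large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare a published checksum with the one computed locally.

    hmac.compare_digest does not stop at the first mismatching character, so
    the time it takes reveals nothing about how many characters matched.
    """
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


if __name__ == "__main__":
    for name in ALGORITHMS:
        print(f"{name:7} {digests(ORIGINAL)[name]}  (MITx)")
        print(f"{'':7} {digests(MODIFIED)[name]}  (MIT)")
    print("unchanged data verifies:", verify_integrity(ORIGINAL, digests(ORIGINAL)["sha256"]))
    print("modified data verifies: ", verify_integrity(MODIFIED, digests(ORIGINAL)["sha256"]))
```

Running the script shows the lab's two observations directly: a one-character edit changes every hex digit of every digest, and the digest length is fixed by the algorithm, not by the input size. The same `verify_integrity` check is what a download page's published SHA-256 is for: compute the digest of the file you received and compare it against the value published over a trusted channel.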

1.7 Consequences of a Security Breach


The expertise necessary to set up and maintain a secure network can be
expensive. Attackers will always continue to find new ways to target networks.
Eventually, an advanced and targeted cyberattack will succeed. The priority
will then be how quickly your security team can respond to the attack to
minimize the loss of data, downtime, and revenue. Anything posted online can
live online forever, even if you were able to erase all the copies in your
possession. If your servers were hacked, the confidential personnel information
could be made public. The hackers can also take down the company website,
causing the company to lose revenue. If the network has been breached, this could
lead to leaked confidential documents, revealed trade secrets, and stolen
intellectual property. The company may need to focus less on growing and more
on repairing its reputation.
Security Breach Example 1
The online password manager, LastPass, detected unusual activity on its network in July 2015. It turned
out that hackers had stolen user email addresses, password reminders, and authentication hashes.
Fortunately for the users, the hackers were unable to obtain anyone’s encrypted password vaults.
Even though there was a security breach, LastPass could still safeguard the users’ account information.
LastPass requires email verification or multi-factor authentication whenever there is a new login from an
unknown device or IP address. The hackers would also need the master password to access the account.
LastPass users also have some responsibility in safeguarding their own accounts. The users should always
use complex master passwords and change the master passwords periodically. The users should always
beware of phishing attacks. An example of a phishing attack would be an attacker sending fake emails
claiming to be from LastPass. The users should never click the embedded links in an email. Most
importantly, the users should enable multi-factor authentication when available for any website that offers
it.
If the users and service providers both utilize the proper tools and procedures to safeguard the users’
information, the users’ data could still be protected, even in the event of security breach.

Security Breach Example 2


The high tech toy maker for children, Vtech, suffered a security breach to its database in November 2015.
This breach could affect millions of customers around the world, including children. The data breach
exposed sensitive information including customer names, email addresses, passwords, pictures, and chat
logs.
A toy tablet had become a new target for hackers. The information was not secured properly, and the
company website did not support secure SSL communication. Even though the breach did not expose any
credit card information and personal identification data, the company was suspended on the stock exchange
because the concern over the hack was so great.


Even though the company informed its customers that their passwords had been hashed, it was still possible
for the hackers to decipher them. The passwords in the database were scrambled using the MD5 hash function,
but the security questions and answers were stored in plaintext. Unfortunately, the MD5 hash function has
known vulnerabilities. The hackers can determine the original passwords by comparing millions of pre-
calculated hash values.
With the information exposed in this data breach, cybercriminals could use it to create email accounts,
apply for credit, and commit crimes before the children were old enough to go to school. For the parents
of these children, the cybercriminals could take over the online accounts because many people reuse their
passwords on different websites and accounts.
The security breach not only impacted the privacy of the customers, it ruined the company’s reputation, as
indicated by the company when its presence on the stock exchange was suspended.
For parents, it is a wake-up call to be more vigilant about their children’s privacy online and demand better
security for children’s products.
Security Breach Example 3
Equifax Inc. is one of the nationwide consumer credit reporting agencies in the United States. This
company collects information on millions of individual customers and businesses worldwide. Based on the
collected information, credit scores and credit reports are created about the customers. This information
could affect the customers when they apply for loans and when they are looking for employment.
In September 2017, Equifax publicly announced a data breach event. The attackers exploited [took
advantage of] a vulnerability in the Apache Struts web application software. The company
believes that millions of U.S. consumers' sensitive personal data were accessed by the cyber criminals
between May and July of 2017. The personal data includes the customers' full names, Social Security
numbers, birth dates, addresses and other personally identifiable information.
Equifax established a dedicated web site that allows the consumers to determine if their information was
compromised, and to sign up for credit monitoring and identity theft protection. Because it used a new
domain name instead of a subdomain of equifax.com, nefarious parties were able to create unauthorized
websites with similar names. These websites can be used as part of a phishing scheme to trick you into
providing personal information. Furthermore, an employee from Equifax provided an incorrect web link in
social media for worried customers. Fortunately, this web site was taken down within 24 hours. It was
created by an individual who used it as an educational opportunity to expose the vulnerabilities that exist
in Equifax's response page.
As a concerned consumer, you may want to quickly verify if your information was compromised, so you
can minimize the impact. In a time of crisis, you may be tricked into using unauthorized websites. You
should be cautious about providing personal information so you do not become a victim again. Furthermore,
companies are responsible for keeping our information safe from unauthorized access. Companies need to
regularly patch and update their software to mitigate exploitation of known vulnerabilities. Their employees
should be educated and informed about the procedures to safeguard the information and what to do in the
event of a breach.
Unfortunately, the real victims of this breach are the individuals whose data may have been compromised.
In these situations, the most you can do is be vigilant when you are providing personally identifiable
information over the Internet. Check your credit reports regularly (once per month or once per
quarter). Immediately report any false information, such as applications for credit that you did not initiate,
or purchases on your credit cards that you did not make.
Consumer credit: Consumer credit is personal debt taken on to purchase goods and services. A credit card
is one form of consumer credit.
A credit reporting agency is a business that maintains historical credit information on individuals and
businesses. They receive reports from lenders and various other sources which are compiled in a credit
report that includes a credit score when issued. They may also be referred to as a credit reporting bureau.
Links:

• How Do Credit Reporting Agencies Get And Keep My Information?
• How did the massive Equifax data breach happen?

LAB: What was taken?

In this lab, you will explore a few security breaches to determine what was taken, what exploits
were used, and what you can do to protect yourself.
February 28, 2017
Article 29 Working Party still not happy with Windows 10 privacy controls

European Union data protection watchdogs, Article 29 Working Party, have said they still have concerns
about the privacy settings of Microsoft’s Windows 10 operating system, despite the US Company
announcing changes to the installation process.
The watchdog, which enforces data protection law, wrote to Microsoft last year expressing concerns about
the default installation settings of Windows 10 and users’ apparent lack of control over the company’s
processing of their data.
Despite a new installation screen presenting users with five options to limit or switch off Microsoft’s
processing of their data, the Working Party was not clear to what extent users would be informed about the
specific data being collected.
In 2015 Microsoft executive vice president Terry Myerson emphasized that the information the company
collects is encrypted and doesn’t include personal identifiers, content or files.
Microsoft views data that it does and doesn’t collect at three levels: “safety and reliability data”,
“personalisation data” and “advertising data we don’t collect”. The “safety and reliability data” has already
been used to fix a bug that caused some PCs to crash and reboot, according to the post. Myerson said
personalisation data is used for recommending apps, text completion suggestions, and other things the user
may like. What is not done, Myerson said, is scan emails or personal messages to deliver targeted
advertising.
The group asked for more explanation of Microsoft’s processing of personal data for various purposes,
including advertising. “Microsoft should clearly explain what kinds of personal data are processed for what
purposes. Without such information, consent cannot be informed, and therefore, not valid,” the Working
Party said in a statement.


Fill out this:

• Incident Date: 2015
• Affected Organization: Microsoft
• How many victims? What was taken?: Millions of Microsoft Windows 10 users across the world.
  Excessive user data was taken.
• What exploits were used? How do you protect yourself?: The default installation process of
  Windows 10 gives away permission to collect data, and users apparently lack control over the
  company’s processing of their data. Use UNIX or Linux instead of Windows 10 until Microsoft
  gives a clear explanation of its data collection.
• Reference Source: European Union data protection watchdogs, Article 29 Working Party.

Missing drives contained PHI on 950K Centene customers


Six hard drives containing personal and health information on clients of health insurance company Centene
Corp. have gone missing. What type of information? Social Security numbers, birthdates, health data,
names, addresses, and insurance identification numbers for 950,000 patients. The six hard drives
remain unaccounted for after the health insurer conducted an inventory of information technology assets.
The company is “notifying all affected individuals and all appropriate regulatory agencies while it continues
its investigation,” the CEO said in a statement. Centene will offer free credit and healthcare monitoring to
those affected. The company is reinforcing and reviewing its procedures related to managing its IT assets.

Fill out this:

• Incident date: 2016
• Affected organization: health insurance company Centene Corp.
• How many victims and what was taken?: 950,000 were victims and their data was taken,
  including Social Security numbers, birthdates, health data, names, addresses, and insurance
  identification numbers.
• What exploits [activities] were used? How do you protect yourself?: Six hard drives went missing
  containing personal and health information of 950,000 clients of Centene Corp. The solution is
  reinforcing and reviewing procedures related to managing the IT assets of the Corp.
• Reference source: Centene Corp.

After reading about the security breaches, what can you do to prevent these types of breaches?
Ans: As a user of Windows 10 or any other software, I need to build a clear idea of whether they are
collecting my data for advertising and business purposes and, if they do, what data they are collecting. If
those are personal data, emails and messages, we must not give away permissions in a process like the
default installation. We need to find alternatives.
And in an organization, if it is a notable Corp., it should have a secure system for managing IT assets within
the organization. But if they have an incident like missing drives, it will be their responsibility to inform us
and protect our information. We need to follow their instructions afterward.


1.8 Types of Attackers


Attackers are individuals or groups who attempt to exploit vulnerabilities for personal or financial gain.
Attackers are interested in everything, from credit cards to product designs and anything with value.

• Amateurs – These people are sometimes called Script Kiddies. They are usually attackers with
  little or no skill, often using existing tools or instructions found on the Internet to launch attacks.
  They may be using basic tools, but the results can still be devastating.
• Hackers – This group of attackers breaks into computers or networks to gain access. Depending on
  the intent of the break-in, these attackers are classified as white, gray, or black hats.
  The white hat attackers break into networks or computer systems to discover weaknesses so that the
  security of these systems can be improved. These break-ins are done with prior permission and any
  results are reported back to the owner. Black hat attackers take advantage of any vulnerability for
  illegal personal, financial or political gain. Gray hat attackers are somewhere between white and
  black hat attackers. Some gray hat hackers publish the facts about the vulnerability on the Internet
  so that other attackers can exploit it.
• Organized Hackers – These hackers include organizations of cyber criminals, hacktivists,
  terrorists, and state-sponsored hackers. Cyber criminals are usually groups of professional
  criminals focused on control, power, and wealth. They may even provide cybercrime as a service
  to other criminals. State-sponsored attackers gather intelligence or commit sabotage on behalf of
  their government. These attackers are usually highly trained and well-funded, and their attacks are
  focused on specific goals that are beneficial to their government.

1.9 Internal and External Threats

• Internal security threats: Attacks can originate from within an organization or from outside
  of the organization. An internal user, such as an employee or contract partner, can accidentally or
  intentionally:
  o Mishandle confidential data
  o Threaten the operations of internal servers or network infrastructure devices
  o Facilitate outside attacks by connecting infected USB media into the corporate computer
    system
  o Accidentally invite malware onto the network through malicious email or websites
  Internal threats also have the potential to cause greater damage than external threats, because internal
  users have direct access to the building and its infrastructure devices. Employees also have knowledge
  of the corporate network, its resources, and its confidential data, as well as different levels of user or
  administrative privileges.
• External security threats: External threats from amateurs or skilled attackers can exploit
  vulnerabilities in network or computing devices, or use social engineering to gain access.


Fig: Type of Attackers

1.10 What is Cyberwarfare


Cyberspace has become another important dimension of warfare, where nations can carry out conflicts
without the clashes of traditional troops and machines. This allows countries with minimal military presence
to be as strong as other nations in cyberspace. These attackers have the resources and expertise to launch
massive Internet-based attacks against other nations to cause damage or disrupt services, such as shutting
down a power grid.
An example of a state-sponsored attack involved the Stuxnet malware that was designed to damage Iran’s
nuclear enrichment plant. Stuxnet malware did not hijack targeted computers to steal information. It was
designed to damage physical equipment that was controlled by computers. It used modular coding that was
programmed to perform a specific task within the malware. It used stolen digital certificates so the attack
appeared legitimate to the system.
1.11 Breaking Down Stuxnet
 Non-trivial distribution. It spread primarily via USB sticks.
 Sophistication. This is an intelligent worm. It initially targets Windows computers, where it even
installs its own drivers signed with a stolen but legitimate certificate. The offending certificate gets
revoked, of course, but another one is added within 24 hours.
 Modular coding. Multiple control servers. When two infected machines run into each other, they
compare versions and make sure that they are both updated.
 Unique targeting. Stuxnet looks for a particular model of PLC (programmable logic controller).
It leverages a vulnerability in the controller software to reach in and change very specific bits of
data: shut things off, don't grease a bearing for 10 minutes, don't sound an alarm. This requires
really unique knowledge.
 Motive. Stuxnet does not threaten; it performs sabotage. It has no criminal focus: it does not spread
indiscriminately or steal credit card information or login credentials. It targets infrastructure, our
most essential necessities such as power, water, safety and much more. These are older systems that
do not get watched over and patched by technical handlers who understand these kinds of things.


1.12 Stuxnet: Anatomy of a Computer Virus


In June 2010, a computer virus called Stuxnet was discovered lurking in the data banks of power plants,
traffic control systems and factories around the world, 20 times more complex than any previous virus
code. It had an array of capabilities, among them the ability to turn up the pressure inside nuclear
reactors or switch off oil pipelines, while telling the system operators that everything was normal.
Unlike most viruses, Stuxnet did not carry the usual forged security clearance that helps viruses burrow
into systems. It had a real clearance, stolen from one of the most reputable computer technology
companies in the world. It exploited security gaps that system creators were unaware of. These holes are
known as zero days, and the most successful viruses exploit them. The details of a zero day can be sold
on the black market for $100,000. Stuxnet took advantage of 20 zero days, but once it got into a system
it didn't always activate. Buried deep in the Stuxnet code was a specific target; without the target, the
virus remained dormant.
What was it looking to shut down?
The centrifuges that spin nuclear material at Iran's enrichment facilities. Stuxnet was a weapon, the
first to be made entirely out of code. The Washington-based Institute for Science and International
Security says the virus may have shut down a thousand centrifuges at Natanz, Iran's main enrichment
facility, in 2010. In November, the International Atomic Energy Agency, the UN's nuclear watchdog,
said Iran had suspended work at its nuclear facilities without explaining why. Many observers credited
Stuxnet. The Iranian government conceded that the virus's infection of the Bushehr nuclear facility,
still under construction, meant that switching the plant on could lead to national electricity blackouts.
Iran responded to the attack with an open call for hackers to join the Iranian Revolutionary Guard and
has reportedly amassed the second largest online army in the world.
There is no conclusive evidence of who was behind it; the code contains references to the Hebrew Bible.
The evolution has been so fast that nine months after its detection, the first virus that could crash
power grids or destroy oil pipelines is available online for anyone to download and tinker with. It's an
open-source weapon. There is no way of knowing who will use it, or what they'll use it for.
Watch:

 Stuxnet Anatomy of a Computer Virus


1.13 The Purpose of Cyberwarfare
The main purpose of cyberwarfare is to gain advantage over adversaries, whether they are nations
or competitors.
A nation can continuously invade another nation's infrastructure, steal defense secrets, and gather information
about technology to narrow the gaps in its industries and military. Besides industrial and military
espionage, cyberwar can sabotage the infrastructure of other nations and cost lives in the targeted
nations. For example, an attack can disrupt the power grid of a major city. Traffic would be disrupted.
The exchange of goods and services is halted. Furthermore, compromised sensitive data can give
the attackers the ability to blackmail personnel within the government. The information may allow an
attacker to pretend to be an authorized user to access sensitive information or equipment.
If the government cannot defend against the cyberattacks, the citizens may lose confidence in the
government’s ability to protect them.
Infrastructure: [the basic physical and organizational structures and facilities]


Summary of Chapter 1:

 Explains why your personal online identity and data are vulnerable to cyber criminals.
 Gives some tips on how you can protect your personal online identity and data.
 Discusses organizational data: what it is, where it is, and why it must be protected.
 Explains who the cyber attackers are and what they want.
o Cybersecurity professionals must use their skills ethically.
 Explains cyberwarfare and why nations and governments need cybersecurity professionals to help
protect their citizens and infrastructure.

Additional Resources
1.14 Supply Chain Risk Management
Software programming is closer to an art than a science and as a result, software quality is not consistent,
often contains hard-to-detect errors, is put on the market before being adequately tested, and can leave your
system with exploitable weaknesses. When someone publicizes one of the errors as a publicly known
vulnerability we all get to apply patches. There are standards and best practices developed by organizations
to provide software developers tools to reduce software errors and improve overall quality. One such
organization, the Software Assurance Forum for Excellence in Code (SAFECode) works to identify and
promote best practices for developing and delivering more secure and reliable software. Other organizations
such as Open Web Application Security Project (OWASP), and the Build Security In (BSI)
consortium also provide useful tools and practices for the software developer.
A common problem is that the integrated circuits or "chips" used in electronic devices are found to be
previously used: obtained from discarded products, cleaned up, and slipped into a bundle of new chips
destined for a product manufacturer. Home appliances, healthcare devices, cars, and military systems are
all exposed to and suffer from this threat. Business and industry groups as well as international standards
bodies and government agencies are aligned to combat these crimes. Some examples are the International
Organization for Standardization (ISO) with its publication of ISO 27036, and SAE International with its
publication of AS 5553. The Open Group Trusted Technology Forum is developing practices focusing
on supply chain trustworthiness.
1.15 Supply Chain Risk Defined
Risks to the ICT supply chain arise from the loss of confidentiality, integrity, or availability of information
or information systems and reflect the potential adverse impacts to organizational operations (including
mission, functions, image, or reputation), organizational assets, individuals, and other organizations.
Supply chain risk management (SCRM) is the process of understanding these risks, their business
impacts, and how to manage them by mitigating supply chain weaknesses and exploits throughout the
system lifecycle. The U.S. National Institute of Standards and Technology (NIST) is producing
a guidebook for organizations seeking to understand and adopt practices that will strengthen lifecycle
processes, both prior to and following an acquisition, to make them more resistant to supply chain
exploitation.

It therefore becomes necessary to distinguish counterfeit parts from authentic parts. There are, for
example, electronic tests that can compare a particular component to a manufacturer's design standards or
a known-good artifact. These tests measure attributes such as logic circuitry, frequency characteristics, and
common electric parameters (e.g., power consumption), all of which combine to help form a digital
"fingerprint."
Patch: a vendor-released fix applied to deployed software to close a known vulnerability (by analogy with
mending a hole or weak point in fabric by putting a piece of material over it).
1. Cybersecurity problems are mostly supply-chain problems.
2. 63% of data breaches are linked directly or indirectly to third-party access.
Walmart, the recent Equifax breach, Apple, CBS, CNN: all of these big breaches happened not because of a
problem with the company's own systems but because of issues and vulnerabilities at their suppliers.

Fig: Attack through Supplier


Attacks can come through a supplier, through a supplier's supplier, from a supplier of a customer that the
local firm may have no visibility into, from a competitor's shared supplier, and so on.
Every supplier has a key to your house, so if you can't trust every single supplier with that key you have a
problem. There are a lot of access points for hackers. Big companies get better and better at defending
themselves, so attackers will try a lot of different ways to get into those companies. Cybersecurity is really
a supply chain problem, and we can't just depend on IT people to fix it. Two-thirds of attacks come through
the supply chain, and purchasing is the interface with that supply chain, so purchasing needs to be part of
solving this problem.
Watch:
1. Cyber Security in Supply Chains
2. Managing Cyber-Risk and Security in the Global Supply Chain
1.16 Managing Cyber-Risk and Security in the Global Supply Chain
Cyber-Attack: “…offensive maneuver that targets computer information system to either steal, alter, or
destroy…” (1991)
Cyber-attacks were defined in the early 90s, particularly by the U.S. military, as "offensive
maneuvers ... destroy". With this definition we could assume that cyber-attacks were the domain of
Information Technology (IT). That was largely true until 2010, when Stuxnet was discovered.
The dawn of Stuxnet (2010)
This was a big event in world history in terms of cyber-attacks, because it came with symptoms that had
not been seen before. For example, there was higher than usual equipment failure at nuclear plants, across
Europe but particularly in Iran, and it came with no error signs from the control systems, so there was
something that did not make sense.
Symptoms:
1. Higher than usual equipment damage due to high rotation speeds
2. Control systems showed nothing was wrong
3. Damage resulted in equipment replacement

After the investigation had been done: in a nuclear plant you normally have a control cycle in which a
centrifuge rotation speed must be maintained, and this is maintained by a control system. This is a control
loop, made up of sensors as well as velocity controls. The sensor reports how fast the rotor is going, the
control system acts on the sensed speed and adjusts the velocity, and that is the normal control loop. The
attacker came into the middle and took over the rotation speed information. He blocked what the sensor
was telling the plant's control system, and the attacker's software told the control system that everything
was fine. So even though the centrifuge was rotating faster and faster, the control system continued to
increase velocity, resulting in the failure of the system. So why is this important?

If we conceptualize the supply chain as a layer of physical activities supported by a layer of information
flows, what happened here is that the hacker got into the middle of the information layer and created an
effect in the physical world. So now we were seeing somebody who could access the information layer and
eventually have an influence on the physical world. That is why it is so relevant.
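The loop described above, as an added example that is not part of the course or of the lecture it summarizes: a constructed simulation (not a model of any real centrifuge or PLC) of an integrating speed controller driving a rotor, run once honestly and once with an attacker replaying an "everything is fine" reading between the sensor and the controller. The setpoint, mechanical limit and gain are assumed values chosen to make the effect visible.

```c
#include <stdio.h>

/* Constructed model (assumed numbers, not from the course): a rotor whose
 * speed follows the drive command with lag, and an integrating controller. */
#define SETPOINT    1000.0   /* rpm the operator wants */
#define MECH_LIMIT  1400.0   /* rpm above which the rotor is damaged */
#define GAIN        0.05     /* controller adjustment per step */

typedef struct {
    double actual_rpm;       /* what the physical rotor is doing */
    double drive;            /* controller output, 0.0 .. 1.0 */
    double max_rpm_seen;     /* worst speed reached during the run */
    int    controller_alarm; /* tripped by the value the controller saw */
    int    physical_alarm;   /* tripped by an independent physical sensor */
} plant_t;

/* Physical response: rotor speed moves 20% of the way toward 2000*drive
 * each step, so it tracks the drive with some lag. */
static double rotor_step(double rpm, double drive) {
    return rpm + 0.2 * (2000.0 * drive - rpm);
}

/* Controller: raise drive while the reported speed is below the setpoint,
 * lower it when above; clamp to the physical range of the drive. */
static double controller_step(double drive, double reported_rpm) {
    drive += GAIN * (SETPOINT - reported_rpm) / SETPOINT;
    if (drive < 0.0) drive = 0.0;
    if (drive > 1.0) drive = 1.0;
    return drive;
}

/* Run the loop for `steps` iterations. When `spoofed` is set, an attacker
 * sits between the sensor and the controller and replays a recorded
 * reading just under the setpoint, so the controller keeps adding drive. */
plant_t simulate(int spoofed, int steps) {
    plant_t p = {0.0, 0.0, 0.0, 0, 0};
    const double replay = SETPOINT * 0.98;   /* the "everything is fine" value */
    for (int t = 0; t < steps; t++) {
        double reported = spoofed ? replay : p.actual_rpm;
        p.drive = controller_step(p.drive, reported);
        p.actual_rpm = rotor_step(p.actual_rpm, p.drive);
        if (p.actual_rpm > p.max_rpm_seen) p.max_rpm_seen = p.actual_rpm;
        /* The controller's own overspeed check only sees the (possibly
         * spoofed) reported value ... */
        if (reported > MECH_LIMIT) p.controller_alarm = 1;
        /* ... whereas a hard-wired protection relay on the rotor itself
         * sees the real speed regardless of what the data path says. */
        if (p.actual_rpm > MECH_LIMIT) p.physical_alarm = 1;
    }
    return p;
}

int main(void) {
    plant_t honest = simulate(0, 1000);
    plant_t attacked = simulate(1, 1000);
    printf("honest:   max %.0f rpm, controller alarm %d, physical alarm %d\n",
           honest.max_rpm_seen, honest.controller_alarm, honest.physical_alarm);
    printf("attacked: max %.0f rpm, controller alarm %d, physical alarm %d\n",
           attacked.max_rpm_seen, attacked.controller_alarm, attacked.physical_alarm);
    return 0;
}
```

In the honest run the speed settles at the setpoint with a small overshoot; in the attacked run the controller never sees anything wrong, yet the rotor passes the mechanical limit and keeps climbing. The practical point is the last check in the loop: a protection layer that reads the physical state through a path the attacker does not control (a separate relay or sensor, not the same network that feeds the controller) still trips, which is why safety instrumentation is kept independent of the control network.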
The cyber-attacks have been increasing over time. Here we
can see in the graph (2014):

Fig: Security Breaches from 2004 to 2013


1.17 Cybercrime or Cyberwarfare?


Cybercrime is the act of committing a crime in a cyber-environment; however, a cybercrime does not
necessarily constitute an act of cyberwarfare. Cyberwarfare can include various forms of sabotage and
espionage with the intent to exploit a nation or government.
1.18 Hacktivism
Hacktivism is the act of misusing a computer system or network for a socially or politically motivated
reason. Individuals who perform hacktivism are known as hacktivists. The aim is not to make money but
to make a political point or to protest.
Watch:
1. John McAfee on cyber espionage
2. Rise of Hacktivists
1.19 When Cyber-crime is an act of cyberwar
Former U.S. cyber-security tsar Richard Clarke describes scenarios in his book Cyber War: The Next Threat to
National Security and What to Do About It of nationwide power blackouts, poison gas clouds and burning oil
refineries, aircraft dropping from the sky and crashing subways. Those are the types of attacks that would seem to
clearly indicate an act of cyberwar, but there are also many nuanced attacks in between that muddy the waters.

The problem is that there are subtle semantic differences in the way different parties apply the terms cybercrime,
cyberwar, cyber espionage, cyber hacktivism, or cyber terrorism. According to Richard Stiennon, it takes a deeper
investigation into the goals and motives of the attack to assign a label to it.

Cyberwar could be characterized as the use of cyber weapons to destroy enemy capabilities and/or populations. Cyber-
crime could be defined as the use of cyber weapons/tools to execute a criminal act driven by any number of reasons.
A cybercriminal is generally motivated purely by profit. That is a different goal than cyber espionage, which seeks to
access intellectual property for military or industrial strategic advantage, or cyberwar, which focuses on actually
sabotaging infrastructure, disrupting critical systems, or inflicting physical damage on an enemy.

You don’t really need to concern yourself with how to label the attack, though. Ultimately, it is hard to imagine any
act of cyberwar that wouldn’t also be a violation of existing laws. In that sense, all cyberwar is cybercrime, but not all
cybercrime is cyberwar.

1.20 Terms and Concepts Practice

1. file permissions, user access control, version control, and checksums
- Methods to ensure integrity
2. organizations of cyber criminals, hacktivists, terrorists, and state-sponsored hackers
- organized attackers
3. confidentiality, integrity and availability
- CIA triad components
4. persons or organizations that break into networks or computer systems to discover weaknesses with
the intention to improve the security of these systems
- white hat attackers


5. ongoing effort to protect networked systems connected to the Internet and to protect all of the data
from unauthorized use or harm
- cybersecurity
6. also called privacy, which means that data access is restricted to authorized personnel only
- confidentiality
7. codes of behavior that are sometimes, but not always, enforced by laws
- ethics
8. a malware program designed to damage the nuclear enrichment plant of Iran, a program which is
an example of a state-sponsored attack
- Stuxnet
9. persons or organizations that take advantage of any vulnerability for illegal personal, financial, or
political gain
- black hat hackers
10. attacks originating from outside of an organization
- External security threats
11. attacks originating from within an organization
- internal security threats
12. Data encryption, username ID and password, two factor authentication, etc.
- Methods to ensure confidentiality
13. the term that indicates accuracy, consistency, and trustworthiness of the data
- integrity
14. an Internet-based conflict that involves the penetration of computer systems and networks of other
nations
- cyberwarfare
15. a large network of physical objects including sensors and equipment
- IoT
16. the term that describes the services and data being well maintained and able to be accessed all the
time
- availability
17. a global partnership of world governments, industries, and academia dedicated to improving global
capabilities when dealing with cyber threats
- International Multilateral Partnership Against Cyber Threats (IMPACT)

1.21 Quiz –Cybersecurity Ethics

1. During a meeting with the Marketing department, a representative from IT discusses features of an
upcoming product that will be released next year.
a. Ethical
b. Unethical
Ans: Ethical. Both departments are part of the same company, so discussing unreleased product features
in an internal meeting is acceptable.


2. An employee points out a design flaw in a new product to the department manager.
a. Ethical
b. Unethical
Ans: Ethical. Both the employee and the manager are within the same department and company so this
behavior would be ethical.
3. An employee is at a restaurant with friends and describes an exciting new video game that is under
development at the company the employee works for. Is the behavior of the employee ethical or
unethical?
a. Ethical
b. Unethical
Ans: Unethical. It is not ethical to share a confidential product idea before it is released. Describing the
game to a group of friends outside the company could leak the idea and jeopardize the new product offering.
4. Alicia, a company employee, has lost her corporate identification badge. She is in a hurry to get to
a meeting and does not have time to visit Human Resources to obtain a temporary badge. You lend
her your identification badge until she can obtain a replacement.
a. Ethical
b. Unethical
Ans: Unethical. Employees should never give their credentials to another employee, regardless of the
situation or the familiarity with the other employee. Once your credentials are out of your sight, you have
no idea what they are being used for
5. An employee is laid off after fifteen years with the same company. The employee is then hired by
another company within a week. In the new company, the employee shares documents and ideas
for products that the employee proposed at the original company.
a. Ethical
b. Unethical
Ans: Unethical. Even though the employee was laid off, the employee probably signed a Non-Disclosure
Agreement (NDA) with the original company. Any work or idea developed at the original company,
regardless of who proposed the idea, is still the property of the original company. Depending on the level
of severity of the breach, this could result in legal action.

1.22 Chapter One Quiz

1. Which method is used to check the integrity of data?


a. Backup
b. Authentication
c. Encryption
d. Checksum
2. Which statement describes cyberwarfare?
a. It is simulation software for Air Force pilots that allows them to practice under a simulated
war scenario.


b. Cyberwarfare is an attack carried out by a group of script kiddies.


c. It is a series of personal protective equipment developed for soldiers involved in nuclear
war.
d. It is Internet-based conflict that involves the penetration of information systems of other
nations.
3. Fill in the blank.
The individual user profile on a social network site is an example of a/an ___ identity.
4. What three items are components of the CIA triad? (Choose three.)
a. Intervention
b. Availability
c. Access
d. Scalability
e. Integrity
f. Confidentiality
5. What is a reason that internal security threats might cause greater damage to an organization than
external security threats?
a. Internal users have better hacking skills.
b. Internal users can access the corporate data without authentication.
c. Internal users have direct access to the infrastructure devices.
d. Internal users can access the infrastructure devices through the Internet.
6. What is an example of "hacktivism"?
a. A teenager breaks into the web server of a local newspaper and posts a picture of a favorite
cartoon character.
b. A country tries to steal defense secrets from another country by infiltrating government
networks.
c. Criminals use the Internet to attempt to steal money from a banking company.
d. A group of environmentalists launch a denial of service attack against an oil company that
is responsible for a large oil spill.
7. What is the motivation of a white hat attacker?
a. studying operating systems of various platforms to develop a new system
b. taking advantage of any vulnerability for illegal personal gain
c. fine tuning network devices to improve their performance and efficiency
d. discovering weaknesses of networks and systems to improve the security level of these
systems

8. What is another name for confidentiality of information?


a. Privacy
b. Trustworthiness
c. Consistency
d. Accuracy
9. Match
a. gather intelligence or commit sabotage on specific goals on behalf of their government- ?
b. make political statements, or create fear, by causing physical or psychological damage to
victims- ?
c. make political statements in order to create an awareness of issues that are important to
them- ?


10. What are three methods that can be used to ensure confidentiality of information? (Choose three.)
a. Data encryption
b. File permission settings
c. Two factor authentication
d. Backup
e. Version control
f. Username ID and password

Chapter One Quiz Answers

1. d
- A checksum value of a block of data is calculated and transmitted with the data. After the data
is received, the checksum hashing is performed again. The calculated value is compared with
the transmitted value to verify the integrity of the data.
2. d
- Cyberwarfare is Internet-based conflict that involves the penetration of the networks and
computer systems of other nations. Organized hackers are typically involved in such an attack.
3. Online
4. b, e, f
- The CIA triad contains three components: confidentiality, integrity, and availability. It is a
guideline for information security for an organization.
5. c
- Internal threats have the potential to cause greater damage than external threats because internal
users have direct access to the building and its infrastructure devices. Internal users may not
have better hacking skills than external attackers. Both internal users and external users can
access the network devices through the Internet. A well designed security implementation
should require authentication before corporate data is accessed, regardless of whether the
access request is from within the corporate campus or from the outside network.
6. d
- Hacktivism is a term used to describe cyberattacks carried out by people who are considered
political or ideological extremists. Hacktivists attack people or organizations that they believe
are enemies to the hacktivist agenda.
7. d
- White hat attackers break into networks or computer systems in order to discover weaknesses
for the purpose of improving the security of these systems. These break-ins are done with
permission from the owner or the organization. Any results are reported back to the owner or
the organization.
8. a
- Privacy is another name for confidentiality. Accuracy, consistency, and trustworthiness
describe integrity of data.
9.
a. State-sponsored attackers
b. Terrorists
c. Hacktivists
10. a, c, f


- Methods including data encryption, username ID and password, and two factor authentication
can be used to help ensure confidentiality of information. File permission control, version
control, and backup are methods that can be used to help ensure integrity of information.

Chapter 2: Attacks, Concepts and Techniques

Most modern cyberattacks are considered to be blended attacks. Blended attacks use multiple techniques
to infiltrate and attack a system. When an attack cannot be prevented, it is the job of a cybersecurity
professional to reduce the impact of that attack.
2.1 Finding Security Vulnerabilities
Security vulnerabilities are any kind of software or hardware defect. After gaining knowledge of a
vulnerability, malicious users attempt to exploit it. An exploit is the term used to describe a program written
to take advantage of a known vulnerability. The act of using an exploit against a vulnerability is referred to
as an attack.
Software vulnerabilities: Software vulnerabilities are usually introduced by errors in the operating system
or application code, despite all the effort companies put into finding and patching software vulnerabilities,
it is common for new vulnerabilities to surface. Microsoft, Apple, and other operating system producers
release patches and updates almost every day. Application updates are also common. Applications such as
web browsers, mobile apps and web servers are often updated by the companies or organizations
responsible for them.
In 2015, a router implant called SYNful Knock was discovered on Cisco IOS devices. Strictly speaking it
was not a software vulnerability: the attackers replaced the router's IOS image with a modified version that
contained a backdoor. The implant allowed attackers to gain control of enterprise-grade routers, such as the
legacy Cisco 1841, 2811, and 3825 routers. The attackers could then monitor all network communication
and had the ability to infect other network devices. The altered IOS image was installed using valid
administrative credentials or physical access, not by exploiting a flaw in IOS. To avoid this, always verify
the integrity of a downloaded IOS image against the vendor-published hash before installing it, and limit
physical access to the equipment to authorized personnel only.
The goal of software updates is to stay current and avoid exploitation of vulnerabilities. While some
companies have penetration testing teams dedicated to searching for, finding and patching software
vulnerabilities before they can be exploited, third-party security researchers also specialize in finding
vulnerabilities in software. Google's Project Zero is a well-known example of this practice.
Hardware vulnerabilities: Hardware vulnerabilities are often introduced by hardware design flaws. RAM,
for example, is essentially a grid of capacitors installed very close to one another. It was discovered that,
because of this proximity, repeatedly accessing one row of capacitors could disturb the charge in
neighboring rows. Based on that design flaw, an exploit called Rowhammer was created. By repeatedly
reading or writing the same memory rows, Rowhammer causes bits to flip in physically adjacent rows that
the attacker is not allowed to write to. Since the flipped bits can land in page tables or other
security-critical data, the effect is that an unprivileged program can corrupt memory it should not be able
to touch and escalate its privileges.
Hardware vulnerabilities are specific to device models and are not generally exploited through random
compromise attempts.

Zero-day vulnerability: a flaw in software that is unknown to the vendor and is exploited by attackers
before the vendor becomes aware of it and hurries to fix it.

2.2 SYNful Knock


SYNful Knock is a router infected with malware. This malware allowed backdoor access by remote
attackers: by sending a specially crafted TCP SYN packet (hence the name) the attackers could connect over
HTTPS or via telnet and gain full control of the router. It also allowed them to load various modules into
the memory of the router to do all kinds of bad things. The good news is that there is no vulnerability in
Cisco routers that allowed the malware to be loaded. Nobody is sure exactly how these routers were
infected, but the malware literally overwrites the Cisco IOS firmware with a malicious image. Most likely
the attackers gained remote access using the normal credentials of the router, perhaps because the router
was left with a default password. In either case you might be wondering what to do about this sort of
attack. If the flaw is actually in your password, it is typically harder to catch, and your network security
controls usually sit behind your router, so the suggestion is to take advantage of checksum or hash values
to confirm the firmware that is running on your devices. Now that we have the Internet of Things, with all
these devices that carry updatable firmware, we need to start checking that the firmware loaded on a device
is indeed the firmware we expect.

2.3 Rowhammer attack


Rowhammer or row hammer is a type of cyber-attack that exploits a bug in dynamic random-access
memory (DRAM) modules manufactured in 2010 and onwards. This vulnerability can even be exploited
via JavaScript, allowing an attacker to escape a Web browser's security sandbox and gain access to the
system.
The problem with rowhammer has to do with the design of the affected DRAM modules. DRAM cells are
stored in rows and are arranged very close to each other to increase density. Security tests showed that
repeatedly activating rows of memory, e.g., successively writing data to them, can cause the electrical
charge of a cell to leak to adjacent cells, resulting in random bit flips, which can affect or alter the memory
contents. This repeated activation of rows, which is akin to “hammering” a row, is how the term got its
name.
Watch:

 SYNful Knock Pwns IOS
 Rowhammer Attack Explained

2.4 Categorizing Security Vulnerabilities


Most software security vulnerabilities fall into one of the following categories:
Buffer overflow: This vulnerability occurs when data is written beyond the limits of a buffer. Buffers are
memory areas allocated to an application. By writing data beyond the boundaries of a buffer, the
application overwrites other memory belonging to the same process, such as neighboring variables, heap
bookkeeping data, or a saved return address. This can lead to a crash, data compromise, or escalation of
privileges (the attacker gaining rights it was never granted).
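The overflow just described, as an added example that is not code from the course: a constructed record with a fixed-size name buffer placed directly in front of a privilege flag, an unchecked copy that spills into the flag, and a bounded replacement that rejects oversized input instead of truncating it. The struct layout and the attacker input are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record (not from the course): a fixed-size name buffer sits
 * directly in front of a privilege flag, the classic thing an overflow
 * overwrites. Field order in a struct is preserved by the compiler. */
typedef struct {
    char name[16];
    int  is_admin;
} account_t;

/* Vulnerable: copies until the terminating NUL with no regard for the
 * 16-byte limit, so a longer name spills into is_admin. */
void set_name_unsafe(account_t *acct, const char *name) {
    size_t i = 0;
    while (name[i] != '\0') {          /* nothing stops i reaching 16 */
        acct->name[i] = name[i];
        i++;
    }
    acct->name[i] = '\0';
}

/* Hardened: refuses input that does not fit, terminator included, instead
 * of silently truncating; the caller must handle the error. memchr is
 * bounded by the buffer size, so it never scans past 16 bytes of input. */
int set_name_safe(account_t *acct, const char *name) {
    const char *nul = memchr(name, '\0', sizeof acct->name);
    if (nul == NULL)                   /* no NUL within 16 bytes: too long */
        return -1;
    size_t n = (size_t)(nul - name);
    memcpy(acct->name, name, n + 1);   /* copies the NUL as well */
    return 0;
}

int main(void) {
    /* 19 'A's plus NUL is exactly sizeof(account_t) bytes: the last four
     * land on is_admin without writing past the struct itself. */
    char attacker_input[20];
    memset(attacker_input, 'A', 19);
    attacker_input[19] = '\0';

    account_t a = { "", 0 };
    set_name_unsafe(&a, attacker_input);
    printf("unsafe: is_admin=0x%x (was 0)\n", (unsigned)a.is_admin);

    account_t b = { "", 0 };
    int rc = set_name_safe(&b, attacker_input);
    printf("safe:   rc=%d is_admin=%d\n", rc, b.is_admin);
    return 0;
}
```

Writing past the array is undefined behaviour in C, so the unsafe branch is a demonstration of what typically happens, not something whose result can be relied on; a real exploit would aim the overflow at a return address or function pointer rather than a flag. The safe version deliberately returns an error rather than truncating, because silent truncation can turn one valid value into a different valid one (for example cutting a long email address into someone else's). Compiler and runtime mitigations such as stack canaries and `_FORTIFY_SOURCE` catch some of these bugs at run time, but they are a backstop, not a substitute for the bounds check.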
Non-validated input – Programs often work with data input. This data coming into the program could have
malicious content, designed to force the program to behave in an unintended way. Consider a program that
receives an image for processing. A malicious user could craft an image file with invalid image dimensions.
The maliciously crafted dimensions could force the program to allocate buffers of incorrect and unexpected
sizes.
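The crafted-dimensions case above, as an added example that is not part of the course: a constructed image header (not any real file format) whose width, height and bytes-per-pixel fields are attacker-controlled, a size calculation that trusts them and wraps, and a validated version that enforces explicit limits before anything is allocated. The per-side and total-pixel limits are assumed policy values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed header layout (not a real image format): the three fields a
 * crafted file would control. */
typedef struct { uint32_t width, height, bpp; } img_hdr_t;

#define MAX_DIM     16384u                  /* assumed policy limit per side */
#define MAX_PIXELS  (64u * 1024u * 1024u)   /* assumed limit on total pixels */

/* Constructed sample headers: one malicious, one benign. */
const img_hdr_t CRAFTED_HDR = {65536u, 65536u, 4u};
const img_hdr_t NORMAL_HDR  = {640u, 480u, 3u};

/* Vulnerable: trusts the header and multiplies in 32 bits. For the crafted
 * 65536 x 65536 x 4 header the product wraps to 0, so a caller would
 * malloc(0) and then write the real pixel data past the end of it. */
uint32_t pixel_bytes_unchecked(const img_hdr_t *h) {
    return h->width * h->height * h->bpp;
}

/* Hardened: range-check every field against an explicit policy, multiply
 * in 64 bits, and reject before any allocation happens. Returns 0 on
 * success with the size in *out, -1 if the header is rejected. */
int pixel_bytes_checked(const img_hdr_t *h, size_t *out) {
    if (h->width == 0 || h->height == 0) return -1;
    if (h->width > MAX_DIM || h->height > MAX_DIM) return -1;
    if (h->bpp != 1 && h->bpp != 3 && h->bpp != 4) return -1;
    uint64_t pixels = (uint64_t)h->width * h->height;
    if (pixels > MAX_PIXELS) return -1;
    /* pixels <= 2^26 and bpp <= 4, so the product is at most 2^28 bytes. */
    *out = (size_t)(pixels * h->bpp);
    return 0;
}

/* Allocate a pixel buffer only for headers that pass validation. */
unsigned char *alloc_pixels(const img_hdr_t *h) {
    size_t n;
    if (pixel_bytes_checked(h, &n) != 0) return NULL;
    return malloc(n);
}

int main(void) {
    size_t n = 0;
    printf("unchecked size for crafted header: %u bytes\n",
           (unsigned)pixel_bytes_unchecked(&CRAFTED_HDR));
    printf("checked result for crafted header: %d\n",
           pixel_bytes_checked(&CRAFTED_HDR, &n));
    printf("checked result for normal header:  %d, %zu bytes\n",
           pixel_bytes_checked(&NORMAL_HDR, &n), n);
    unsigned char *px = alloc_pixels(&NORMAL_HDR);
    printf("allocation for normal header: %s\n", px ? "ok" : "rejected");
    free(px);
    return 0;
}
```

The point of the checked version is that every field is compared against a limit the program chose, rather than against what the file claims, and the arithmetic is done in a type that cannot wrap for those limits. Rejecting with an error is preferable to clamping: a decoder that silently resizes a 65536 x 65536 request is still letting the file drive memory use.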
Race conditions – This vulnerability exists when the outcome of an operation depends on the order or
timing of events. A race condition becomes a source of vulnerability when the required ordered or timed
events do not occur in the expected order or timing, for example when an attacker changes a file in the
window between a program checking it and using it.
Weaknesses in security practices – Systems and sensitive data can be protected through techniques such
as authentication, authorization, and encryption. Developers should not attempt to create their own security
algorithms because doing so will likely introduce vulnerabilities. It is strongly advised that developers use
security libraries that have already been created, tested, and verified.
Access-control problems – Access control is the process of controlling who does what and ranges from
managing physical access to equipment to dictating who has access to a resource, such as a file, and what
they can do with it, such as read or change the file. Many security vulnerabilities are created by the improper
use of access controls.
If the attacker has physical access to target equipment, no matter what you set a file’s permissions to, the
operating system cannot prevent someone from bypassing the operating system and reading the data directly
off the disk. To protect the machine and the data it contains, physical access must be restricted and
encryption techniques must be used to protect data from being stolen or corrupted.

2.5 Quick Quiz: Security Vulnerability

2.6 Types of Malware


Malware is any code that can be used to steal data, bypass access controls, or cause harm to, or compromise
a system. Below are a few common types of malware:
Spyware – This malware is designed to track and spy on the user. Spyware often includes activity trackers,
keystroke collection, and data capture. In an attempt to overcome security measures, spyware often modifies
security settings. Spyware often bundles itself with legitimate software or with Trojan horses.
Adware – Advertising-supported software is designed to automatically deliver advertisements. Adware is
often installed with some versions of software. Some adware is designed to only deliver advertisements, but
it is also common for adware to come with spyware.
Bot – From the word robot, a bot is malware designed to automatically perform actions, usually online.
While most bots are harmless, one increasing use of malicious bots is botnets. Several computers are
infected with bots which are programmed to quietly wait for commands provided by the attacker.
Ransomware – This malware is designed to hold a computer system or the data it contains captive until a
payment is made. Ransomware usually works by encrypting data in the computer with a key unknown to
the user. Some other versions of ransomware can take advantage of specific system vulnerabilities to lock
down the system. Ransomware is spread by a downloaded file or some software vulnerability.

Scareware – This is a type of malware designed to persuade the user to take a specific action based on fear.
Scareware forges pop-up windows that resemble operating system dialogue windows. These windows
convey forged messages stating the system is at risk or needs the execution of a specific program to return
to normal operation. In reality, no problems were assessed or detected and if the user agrees and clears the
mentioned program to execute, his or her system will be infected with malware.
Rootkit – This malware is designed to modify the operating system to create a backdoor. Attackers then
use the backdoor to access the computer remotely. Most rootkits take advantage of software vulnerabilities
to perform privilege escalation and modify system files. It is also common for rootkits to modify system
forensics and monitoring tools, making them very hard to detect. Often, a computer infected by a rootkit
must be wiped and reinstalled.
Virus - A virus is malicious executable code that is attached to other executable files, often legitimate
programs. Most viruses require end-user activation and can activate at a specific time or date. Viruses can
be harmless and simply display a picture, or they can be destructive, such as those that modify or delete
data. Viruses can also be programmed to mutate to avoid detection. Most viruses are now spread by USB
drives, optical disks, network shares, or email.
A virus has the ability to replicate itself and to attach itself to another computer file. A few telltale
signs that your computer may have a virus include slow response time, random hard drive crashes, and
extensive pop-up ads. To protect against viruses, install programs only from reputable websites, install a quality
firewall program, do not open suspicious emails or attachments, and make sure you have a good anti-virus
program.
Trojan horse - A Trojan horse is malware that carries out malicious operations under the guise of a desired
operation. This malicious code exploits the privileges of the user that runs it. Often, Trojans are found in
image files, audio files or games. A Trojan horse differs from a virus because it binds itself to non-
executable files.
Worms – Worms are malicious code that replicate themselves by independently exploiting vulnerabilities
in networks. Worms usually slow down networks. Whereas a virus requires a host program to run, worms
can run by themselves. Other than the initial infection, they no longer require user participation. After a
host is infected, the worm is able to spread very quickly over the network. Worms share similar patterns:
they all have an enabling vulnerability, a way to propagate themselves, and a payload.
Worms are responsible for some of the most devastating attacks on the Internet. In 2001 the Code Red
worm had initially infected 658 servers. Within 19 hours, the worm had infected over 300,000 servers.
Man-In-The-Middle (MitM) – MitM allows the attacker to take control over a device without the user’s
knowledge. With that level of access, the attacker can intercept and capture user information before relaying
it to its intended destination. MitM attacks are widely used to steal financial information. Many malware
and techniques exist to provide attackers with MitM capabilities.
Transport layer security (TLS) is a cryptographic protocol that allows client server applications to
communicate across a network, in a way designed to prevent eavesdropping and tampering. Website authors
should ensure any sensitive information is done over HTTPS, which makes use of the TLS protocol.
Suppose Owl is an attacker. He goes to a coffee shop that offers public Wi-Fi and turns on his own hotspot,
so that people may mistakenly connect to his Wi-Fi instead; he also sets up a network sniffer so that he can
inspect any traffic as it passes through. A victim is safe when visiting sites that implement HTTPS: everything
except the domain of the site is encrypted in the packets. However, any time the victim visits a site that doesn't use
encryption, Owl can see the conversation and record unsecured credentials and other sensitive information.

Man-In-The-Mobile (MitMo) – A variation of man-in-the-middle, MitMo is a type of attack used to take
control over a mobile device. When infected, the mobile device can be instructed to exfiltrate user-sensitive
information and send it to the attackers. ZeuS, an example of an exploit with MitMo capabilities, allows
attackers to quietly capture 2-step verification SMS messages sent to users.
The Zeus virus, often called Zbot, is a form of malware that targets your desktop and mobile devices. It has
become one of the most successful pieces of malware in the world, afflicting millions of devices; moreover,
the virus continues to generate new variants, spawning on new hosts and expanding its reach. The Zeus virus
can infiltrate your device in two ways. Firstly, it can come in the form of a link within an email; there have
also been social media campaigns designed to spread it through messages and posts. Secondly, hackers can
insert the malicious code onto legitimate websites, compromising any user that visits. Whether through a
corrupt link or a compromised website, once the Zeus virus installs itself onto your device it can perform two
serious actions. Firstly, it becomes part of a botnet, which is a network of corrupted machines controlled by
the malware owner. The botnet allows the owner to collect massive amounts of information and execute large-
scale attacks. Secondly, the malware can act as a financial services Trojan that steals banking credentials
through website monitoring and keylogging. The Zeus virus recognizes when a user is on a banking website and
steals the keystrokes used for logging in.

Watch:

 ILOVEYOU worm | Email worm
 What is a Man-in-the-Middle Attack?
 What is ZeuS Virus?
2.7 Rootkits as Fast as Possible
Derived from the concept of root access. Rootkits create more problems than other infections. All rootkits serve the same
general function: to conceal their own presence or the presence of another piece of malware so that it can
carry out its nefarious deeds on your system without you ever knowing. Because of this concealing behavior,
rootkits are often very difficult to remove. Many users in the 2000s found this out when they realized Sony had
shipped a metric ton of music CDs with a rootkit designed for copy protection. These rootkits hid the
DRM software, which limited what users could do with their optical drives, and also caused serious system
slowdowns and introduced a ton of security flaws that other malware creators were able to take advantage
of. And then, when Sony finally released a removal tool after news of the rootkit went viral, all it did was cause
even more issues.
How do rootkits hide themselves? Some rootkits just inject themselves into your programs, but
the most dangerous form runs as part of your operating system's kernel, the core part of your OS that
allows your programs to communicate with your hardware, like device drivers. Drivers usually run in kernel
mode, and many rootkits disguise themselves as drivers, so you must download drivers from trusted sources like
manufacturers' websites. If the rootkit appears to be a part of your OS, you can't really trust your antivirus
program to detect it. Other kinds of rootkits even go beyond infecting your OS kernel by doing things like
contaminating your hard drive's boot sector, often done to break encryption, or getting into your system's
firmware, such as your motherboard or GPU BIOS. If that happens, not even completely reformatting your PC
will help.
If I don't know I have a rootkit, how can I get rid of it? That is a challenge. Large companies
have tried strategies like logging suspicious access requests through a firewall or dumping everything in a
system's memory to look for malicious code, but home users can't easily do so. Modern motherboards with
UEFI BIOS have some features to block rootkits, such as Secure Boot, but this solution has been criticized for
keeping a user from doing legitimate things like installing multiple operating systems. Some rootkits can
be removed by anti-malware programs, and be super careful what you download.
2.8 The difference between viruses, worms and Trojans


A computer virus attaches itself to a program or file, enabling it to spread from one computer to another,
leaving infections as it travels. Some viruses cause only mildly annoying effects while others can damage
your hardware, software or files. Almost all viruses are attached to an executable file, which means the
virus may exist on your computer but it actually cannot infect your computer unless you run or open the
malicious program. Viruses cannot spread without a human action (such as running an infected program).
A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from
computer to computer, but unlike a virus, a worm has the capability to travel without any human action. The
biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer
sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge
devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your
e-mail address book; then the worm replicates and sends itself out to everyone listed in each of the receivers'
address books, and the manifest continues on down the line. Due to the copying nature of a worm and its
capability to travel across networks, the end result in most cases is that the worm consumes too much system
memory (or network bandwidth), causing Web servers, network servers and individual computers to
stop responding.
The Trojan Horse, at first glance, will appear to be useful software but will actually do damage once
installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into
opening them because they appear to be receiving legitimate software or files from a legitimate source.
Some Trojans are designed to be annoying (like changing your desktop or adding silly desktop icons), or they
can cause serious damage by deleting files and destroying information. Trojans are also known to create a
backdoor on your computer that gives malicious users access to your system, possibly allowing confidential
or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by
infecting other files, nor do they self-replicate.
2.9 A brief history of computer virus
Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to
a computer, server, client, or computer network.

 In 1970: The first story written about a computer virus is The Scarred Man by Gregory Benford.
Just like their biological analog, these types of programs will infect a computer before self-replicating by
spreading themselves to other machines. Now whatever prank was intended to be pulled can be run on
hundreds or thousands or possibly even millions of computers, all because the program itself was designed
to travel. The idea of an autonomously self-replicating entity goes all the way back to the 1940s: Theory of
Self-Reproducing Automata (in 1949), John Von Neumann. It wouldn't be until the early 70s that such
a program would actually exist. Created in 1971, the program named Creeper was released onto the
ARPANET, where it bounced around between computers. The only trace it left was a message printed out
on the teletype terminal reading I'M THE CREEPER : CATCH ME IF YOU CAN. Later versions of the
program would drop a copy of itself on the visited machine, making Creeper the first program to
automatically spread copies of itself to other machines; in other words, the first computer worm. Eventually
the worm's creator, Ray Tomlinson, tired of the nuisance the program caused, created the world's second
computer worm, Reaper, designed to clean up the mess that Creeper had created across the network.
Just a few years later (1975), like Creeper, Animal (THE ANIMAL GUESSING PROGRAM, John Walker,
April 1974) was never designed with malicious intent. Written in the era of text-based games, Animal was a
popular program among UNIVAC users, where it would try to guess what animal the user was thinking of
through a series of yes-or-no questions. After improving the game with the ability to learn from users and
expand its database of animals, John Walker described it as a totally new way of distributing software.
Walker added a routine to the program, called PERVADE, which in the background, as the user is playing,
would make a copy of Animal in every folder the user had access to. In the case of a super user, the program
would be able to copy itself to every directory in the system. And as tape sharing was a common practice
between users of the time, Animal found its way onto systems where it had never been requested. Mostly
harmless, the spread of Animal was eventually halted by an unintended side effect of a system update.
One of the main reasons these worms were so effective was the fact that they were set loose on multi-user
systems, meaning that a worm could propagate either by way of a network, as with Creeper, or through
resources shared between users, as in the case of Animal.

 In 1972: The science fiction novel, When HARLIE Was One, by David Gerrold, contains one of
the first fictional representations of a computer virus.
 In 1973: In fiction, the 1973 Michael Crichton movie Westworld made an early mention of the
concept of a computer virus.
 In 1974: The Rabbit (or Wabbit) virus, more a fork bomb than a virus, is written. The Rabbit virus
makes multiple copies of itself on a single computer (and was named "Rabbit" for the speed at
which it did so) until it clogs the system, reducing system performance, before finally reaching a
threshold and crashing the computer.
 In 1981, A program called Elk Cloner, written for Apple II systems, was created by high school
student Richard Skrenta, originally as a prank. The Apple II was particularly vulnerable due to
the storage of its operating system on a floppy disk. Elk Cloner's design combined with public
ignorance about what malware was and how to protect against it led to Elk Cloner being responsible
for the first large-scale computer virus outbreak in history.
 The term "virus" is re-coined by Frederick B. Cohen in describing self-replicating computer
programs. In 1984 Cohen uses the phrase "computer virus" (suggested by his teacher Leonard
Adleman) to describe the operation of such programs in terms of "infection". He defines a "virus"
as "a program that can 'infect' other programs by modifying them to include a possibly evolved
copy of itself."
 In 1986: A boot sector virus appeared on the IBM PC, dubbed the BRAIN virus (created in Pakistan),
after the company that created it. This virus listed the contact information of the two creators within
the program. The original intent of this virus was to track how far it would spread, to help understand
the scope of software piracy. However, the two brothers, who were students, were surprised to find out that their
program had managed to cross the globe all the way over to the United States. The Brain virus was
an experiment, but it very quickly showed the potential widespread chaos a computer virus could
cause with a more destructive payload. In the following years, the number of PC viruses would
explode from a few isolated incidents.
Brain is considered the first IBM PC compatible virus. It was created in Lahore, Pakistan by 19-year-
old Pakistani programmer Basit Farooq Alvi and his brother Amjad Farooq Alvi.

 1988: One of the largest viral disasters at the time was the Morris worm released onto the internet
in 1988, by Cornell grad student, Robert Tappan Morris. 6000 infections, 10% of the internet at
that time. The worm did damages on the order of thousands to millions of dollars giving Morris
one of the first high-profile convictions for the 1984, Computer Fraud and Abuse Act. Morris worm
becomes the first worm to spread extensively "in the wild"
By the late 80s, the first antivirus software had already arrived on the scene. System like flu shot would
embed themselves within the operating system and alert the user any time a program attempted to modify

27
Attacks, Concepts and Techniques

another file. Another tactic was to search files or the boot sector for specific signatures associated with a
virus.

 1990: A virus could avoid detection while modifying a file by using a custom routine that, went
below the operating system and with the introduction of polymorphic viruses like 1260, the Kota
virus added could be encrypted so that no two infections were alike.
 1992: Michelangelo Virus.
 1995: Concept Virus: the very first macro virus. Rather than using shared software to spread
concept would infect word documents. Though this virus was mostly harmless, it did highlight an
entirely new and much more dangerous vector for infection. After all sharing files was far more
common than sharing software, especially within businesses.
 1999: Happy99: starting with happy99, many viruses and worms would spread by email, talking
advantages of human curiosity, to be activated, upon which they would mail themselves to
whatever email contacts the program would find. Probably the most famous of these mischievous
mass mailing malware menaces was that I Love You worm
 2000: ILOVEYOU: The worm was spread by email as an attached love letter from the previously
infected victim. The attachment was named Love-Letter-For-You.txt.vbs relying on the fact that
windows would truncate the rightmost extension, (just show .txt) the file looked like a text file.
And so they would unintentionally activate the worm, Iloveyou and its variants spread across the
globe in mere hours on May 5th of the year 2000, causing an estimated five to nine billion dollars
in damages from clogging internal mail servers to destroying files on host machines.
A common thread among email worm was some form of social engineering from the firework of happy 99
to the intimate Iloveyou massage in order for the program to spread it needed to encourage the user to
activate it that was until the Blaster (2003) and Sasser (2004) came on the scene.

 Blaster and Sasser (2003, 2004): These worm both made use of exploits within Windows XP and
Windows 2000, spread themselves without any human intervention. This made them not only easy
to catch but also very hard to isolate since they would continue to automatically spread until
manually removed.
 Welchia (2003): Welchia was released making use of the same exploit, rather than cause mayhem
though, the worm was designed to patch the system, as well as blaster worm disinfection. It’s not
always that often you actually find a helpful worm. But Welchia didn’t always manage to patch the
system correctly, it generated traffic that brought many networks down. And at the end of the day,
whether its intension is good or bad, Welchia was still making modifications to other people’s
system without permission, kind of no-no however you slice it.
 Santy (2004): A particularly unique method for propagation for malware online was through the
search engine Google. The 2004 Santy worm which infected websites powered by PHP BB selected
its targets by performing a Google search with term specifically designed to return a list of
vulnerable pages. Of course this meant that the spread of the worm was pretty quickly halted when
Google blocked the specific search query.
Overall viruses have mostly trended away from being mindlessly destructive to being destructive in
financially effective ways, case in point WannaCry (2017)

 WannaCry (2017): an example of ransomware. Back in 2017, the worm once again proved that
malware was certainly capable of causing significant financial damage to a target, but it went one
step further by also causing significant financial gains for its creator. Ransomware like WannaCry
encrypts the user's data, demanding a Bitcoin payment in order for the data to be safely decrypted
and returned. Whether or not that end of the deal is held up is not necessarily guaranteed.
Allegedly the creators of WannaCry made around $140,000 from ransom payments made through
their worm and inspired similar ransomware programs like Petya (2017) and Thanatos (2018) in
the following years.
First ransomware: AIDS Trojan (1989): It was simple though. The first known attack was initiated in 1989
by Joseph Popp, PhD, an AIDS researcher, who carried out the attack by distributing 20,000 floppy disks
to AIDS researchers spanning more than 90 countries, claiming that the disks contained a program that
analyzed an individual’s risk of acquiring AIDS through the use of a questionnaire. However, the disk also
contained a malware program that initially remained dormant in computers, only activating after a computer
was powered on 90 times. After the 90-start threshold was reached, the malware displayed a message
demanding a payment of $189 and another $378 for a software lease. This ransomware attack became
known as the AIDS Trojan, or the PC Cyborg.
In 2011, a ransomware worm emerged that imitated the Windows Product Activation notice, making it more
difficult for users to tell the difference between genuine notifications and threats. CryptoLocker was one of
the most profitable ransomware strains of its time. By December 2013, CryptoLocker had infected more than
250,000 systems. It earned more than $3 million for its creators. A tool is now available online to recover
encrypted files compromised by CryptoLocker.
Fig: Percentage distribution of ransomware variants observed by Kaspersky Labs, 2015-2016.
Watch:

 A brief history of computer virus
 The difference between viruses, worms and Trojans
 Rootkits as Fast as Possible
Read:

 Timelines of computer Viruses
 History of Ransomware
2.10 Symptoms of Malware
Regardless of the type of malware a system has been infected with, these are common malware symptoms:

 There is an increase in CPU usage.
 There is a decrease in computer speed.
 The computer freezes or crashes often.
 There is a decrease in Web browsing speed.
 There are problems with network connections.
 Files are modified.
 Files are deleted.
 There is a presence of unknown files, programs, or desktop icons.
 There are unknown processes running.
 Programs are turning off or reconfiguring themselves.
 Email is being sent without the user's knowledge or consent.
2.11 Quick Quiz: Types of Virus

2.12 Social Engineering


Social engineering is an access attack that attempts to manipulate individuals into performing actions or
divulging confidential information, for example by appealing to an employee's greed. These are some types of social
engineering attacks:

 Pretexting - This is when an attacker calls an individual and lies to them in an attempt to gain
access to privileged data.
 Tailgating - This is when an attacker quickly follows an authorized person into a secure location.
 Something for Something (Quid pro quo) - This is when an attacker requests personal information
from a party in exchange for something, like a free gift.
Divulging [make known (private or sensitive information).]
2.13 Wi-Fi Password Cracking
Wi-Fi password cracking is the process of discovering the password used to protect a wireless network.
These are some techniques used in password cracking:

 Social engineering – The attacker manipulates a person who knows the password into providing
it.
 Brute-force attacks – The attacker tries several possible passwords in an attempt to guess the
password. Brute-force attacks take time, and complex passwords take much longer to guess. A few
password brute-force tools include Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and
Medusa.
Ophcrack can be used to crack, for example, Windows passwords. Ophcrack uses rainbow tables, where a
rainbow table is a huge pre-computed list of hash values for every possible combination of characters.
 Network sniffing – By listening and capturing packets sent on the network, an attacker may be
able to discover the password if the password is being sent unencrypted (in plain text). If the
password is encrypted, the attacker may still be able to reveal it by using a password cracking tool.
Watch:

 Getting password hashes with PwDump on Windows
Read:

 Introduction to hashing and how to retrieve Windows 10 password hashes

2.14 Windows hashing basics


LM hash: LAN Manager (LM) hash is an old and weak Windows technique for creating hashed
passwords, which has been disabled by default in current Windows environments. But this can still be
enabled manually on current systems.
The LAN Manager hash is relatively weak and prone to attack compared to the cryptographically stronger
NTLM hash. Because the LM hash is stored on the local device in the security database, the passwords can
be compromised if the security database, Security Accounts Manager (SAM), is attacked. By attacking
the SAM file, attackers can potentially gain access to user names and password hashes. Attackers can use
a password-cracking tool to determine what the password is.
Location: Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Search: secpol.msc > from there, navigate from Security Settings.

Changes to this policy become effective without a device restart. The above screenshot shows that
this version of Windows is using the NTLM hashing technique.

2.15 Using Mimikatz to crack Windows passwords


 First step: Export SAM and SECURITY files
Windows 10 Anniversary Update now utilizes AES encryption on the SAM table. Here we need to use
Mimikatz on a Windows forensic system to pull out the hashes. Pwdump and other tools no longer work.
Where is this SAM?
Windows> System32> config> SAM

SAM and SYSTEM will be needed for the Mimikatz software; here all of these are AES-encrypted files.
To export, run> regedit …> export SAM and SECURITY as registry hive files

 Second step: Using Mimikatz to reveal NTLM hash value


An AES 128-bit key can be expressed as a hexadecimal string with 32 characters. It will require 24
characters in base64. An AES 256-bit key can be expressed as a hexadecimal string with 64 characters. It
will require 44 characters in base64. Here, as we can see, SAM is 128 KB, because it had 32 hexadecimal
characters fed into AES-128.
The reason why the LM hash is easier to break is because passwords are not case sensitive, password length is
a maximum of 14 characters and, more importantly, because it breaks the text into two halves of seven characters
before hashing them separately and concatenating the results. So if your password is less than seven characters, it
should be a breeze for a hacker to guess the password.
New Technology (NT) LAN Manager (NTLM) hash is the new and more secure way of hashing
passwords used by current Windows operating systems. It first encodes the password using UTF-16LE
and then hashes it with the MD4 hashing algorithm.

SAM database file: Security Account Manager (SAM) is the database file that stores the user's passwords
in hashed format. You would need access to this file in order to retrieve hashes from your local or
remote Windows machine. Extract hashed passwords from your Windows desktops using a very popular
and powerful tool — mimikatz. Binaries are available on GitHub.
Move SAM and SYSTEM to the mimikatz directory:

> Run mimikatz.exe and type the lsadump::sam command followed by the file paths of the SAM and SYSTEM files.
> If you get an error as below, you will need to elevate the permissions of mimikatz. Type token::elevate to
elevate the permissions.
Once you have the hash, you can use an online NTLM generator utility to generate hashes by yourself and
confirm if it matches.
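The NT hash computation described above (UTF-16LE encoding, then MD4) and the "confirm if it matches" step, as an added example that is not part of the course notes or of mimikatz. MD4 is implemented in pure Python because hashlib's md4 is often unavailable on OpenSSL 3 builds, and the stored hash used for the check is the widely published NT hash of the word "password", not the hash from the walkthrough.

```python
"""NT hash (NTLM password hash) = MD4(UTF-16LE(password)), plus a matching check.

MD4 is implemented here in pure Python (RFC 1320) because hashlib.new("md4")
is frequently unavailable on OpenSSL 3 builds.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, s):
    """32-bit left rotation."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """Return the 16-byte MD4 digest of data."""
    # Round functions from RFC 1320.
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Per round: (function, additive constant, shift schedule, block-word order).
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    # Padding: 0x80, zeros up to 56 bytes mod 64, then the bit length as a little-endian 64-bit int.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: the next step updates the old d
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash as lower-case hex: encode the password as UTF-16LE, then MD4 it.

    There is no salt, so equal passwords always produce equal hashes; that is
    why rainbow tables and online lookup services work against NT hashes.
    """
    return md4(password.encode("utf-16-le")).hex()


def nt_hash_matches(candidate: str, stored_hex: str) -> bool:
    """The 'confirm if it matches' step: recompute and compare in constant time."""
    return hmac.compare_digest(nt_hash(candidate), stored_hex.strip().lower())


if __name__ == "__main__":
    # Constructed sample: the NT hash of "password" is a widely published test vector.
    stored = "8846f7eaee8fb117ad06bdd830b7586c"
    print("NT hash of 'password':", nt_hash("password"))
    print("'password' matches stored hash:", nt_hash_matches("password", stored))
    print("'Password' matches stored hash:", nt_hash_matches("Password", stored))
```

Unlike the LM hash, the NT hash is case sensitive, so "Password" does not match the stored hash of "password".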
Tools:

 NTLM generator utility
 UTF-16 encoder

Fig: Here the usage of mimikatz is illustrated to reveal the NTLM hash value.

SAM and SYSTEM files can't be copied from within Windows, so release them from regedit as registry hive files. The
application is downloaded from GitHub. There, the .zip file contains the source code, which can be built from Visual
Studio, and the .7z file contains the .exe file; from the 64-bit folder, run the program. Here we first check the
version command. That works, so then we run the command lsadump::sam /system. This means we're giving the SAM and SYSTEM
files; as both are on the desktop, from Properties we get the directory: /system:directory\SYSTEM is the
system file and /SAM:directory\SAM is the SAM file.
Here, /system is in lower case and \SYSTEM in upper case. Then SAM is upper case in both /SAM and \SAM;
these are important, otherwise an error happens. So finally our NTLM hash is:
705f011864c68c0755b18d0122bcae12

 Third step: Using CrackStation to apply a dictionary attack to reveal the password


Providing the hash value to CrackStation reveals the original password by performing a dictionary attack against a
huge table of pre-calculated hash values.

This way a Windows password can still be cracked, and that would leave a Google Chrome Password
Manager user vulnerable.
Watch:

 Retrieve, Crack Win10 Anniversary local password from SAM/SYSTEM
 Ophcrack Password Cracker
 L0phtCrack 7 Wizard Demo, cracking Windows 10 password
Read:

 How to install and use Mimikatz
 Cracking WPA2 encryption password file
2.16 Phishing
Phishing is when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted
source. The message intent is to trick the recipient into installing malware on their device, or into sharing
personal or financial information.
Spear phishing is a highly targeted phishing attack. While phishing and spear phishing both use emails to
reach the victims, spear phishing emails are customized to a specific person. The attacker researches the
target’s interests before sending the email. For example, an attacker learns the target is interested in cars,
and has been looking to buy a specific model of car. The attacker joins the same car discussion forum where
the target is a member, forges [fabricates] a car sale offering and sends an email to the target. The email contains
a link for pictures of the car. When the target clicks on the link, malware is installed on the target's
computer.


2.17 Vulnerability Exploitation


Exploiting vulnerabilities is another common method of infiltration. Attackers scan computers to gain information about them. Below is a common method for exploiting vulnerabilities:

 Step 1. Gather information about the target system. This can be done in many different ways, such as with a port scanner or through social engineering. The goal is to learn as much as possible about the target computer.
 Step 2. One of the pieces of relevant information learned in step 1 might be the operating system, its version, and a list of services running on it.
 Step 3. When the target's operating system and version are known, the attacker looks for any known vulnerabilities specific to that version of the OS or its services.
 Step 4. When a vulnerability is found, the attacker looks for a previously written exploit to use. If no exploit has been written, the attacker may consider writing one.
Example: an attacker uses whois, a public Internet database containing information about domain names and their registrants, and then nmap, a popular port scanner. With a port scanner, an attacker can probe the ports of a target computer to learn which services are running on it.
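As an added example (not course material), here are steps 1 and 2 done by hand instead of with nmap: a TCP connect scan, then a banner grab on each open port, with the product and version parsed out of whatever the listener announces. So that it runs offline, the block starts its own throwaway listener on 127.0.0.1 standing in for the target; the OpenSSH-style banner it sends and the banner regex are constructed simplifications of what real services and nmap's service probes look like, and all function names are the example's own.

```python
import re
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

# Simplified stand-in for nmap's service probes: "<product>[/_ ]<dotted version>".
BANNER_RE = re.compile(r"(?P<product>[A-Za-z][A-Za-z0-9-]*?)[/_ ](?P<version>\d+(?:\.\d+)+)")


def start_fake_service(banner: bytes) -> int:
    """Constructed target: a throwaway listener on 127.0.0.1 that sends `banner`
    to every client and hangs up. Returns the ephemeral port it was given."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect and read whatever the service volunteers; '' if it stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """TCP connect scan (what `nmap -sT` does): a completed handshake means open.
    Closed or filtered ports raise (refused / timed out) and are simply skipped."""
    found: Dict[int, str] = {}
    for port in ports:
        try:
            found[port] = grab_banner(host, port, timeout)
        except OSError:
            continue
    return found


def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Extract (product, version), e.g. 'SSH-2.0-OpenSSH_7.4' -> ('OpenSSH', '7.4')."""
    m = BANNER_RE.search(banner)
    return (m.group("product"), m.group("version")) if m else None


def fingerprint(host: str, ports: Iterable[int]) -> Dict[int, Optional[Tuple[str, str]]]:
    """Steps 1 and 2 of the procedure above: which ports answer, and what runs on them."""
    return {port: parse_banner(b) for port, b in connect_scan(host, ports).items()}


if __name__ == "__main__":
    target_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")   # constructed banner
    print(fingerprint("127.0.0.1", [target_port, target_port + 1]))
```

The defender's lesson is the mirror image of the attacker's procedure: every version string a service volunteers in its banner is a free step 2, so trimming banners and closing ports that need not listen raises the cost of step 3.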

2.18 Advanced Persistent Threats


One way in which infiltration is achieved is through advanced persistent threats (APTs). They consist of a multi-phase, long-term, stealthy and advanced operation against a specific target. Due to its complexity and the skill level required, an APT is usually well funded. An APT targets organizations or nations for business or political reasons. An APT's purpose is to deploy customized malware on one or more of the target's systems and remain undetected. With multiple phases of operation and several customized types of malware that affect different devices and perform specific functions, an individual attacker often lacks the skill set, resources or persistence to carry out an APT.
Watch:

 What is APTs? Types of APTs. How APTs work


2.19 Whois
It can look up any domain and shows all of the information that is publicly available.
WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but it is also used for a wide range of other information. Whois is used to check ownership information about a domain name: owner name, email, phone, address, domain creation date, expiry date, modification date, hosting server details and domain IP.
Visit:

 Whois


2.20 DOS
Denial-of-Service (DoS) attacks are a type of network attack. A DoS attack results in some sort of interruption of network service to users, devices, or applications. There are two major types of DoS attacks:
1. Overwhelming Quantity of Traffic - This is when a network, host, or application is sent an enormous quantity of data at a rate which it cannot handle. This causes a slowdown in transmission or response, or a crash of a device or service.
2. Maliciously Formatted Packets - This is when a maliciously formatted packet is sent to a host or application and the receiver is unable to handle it. For example, an attacker forwards packets containing errors that cannot be identified by the application, or forwards improperly formatted packets. This causes the receiving device to run very slowly or crash.
DoS attacks are considered a major risk because they can easily interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled attacker.
2.21 DDOS (Distributed Denial of Service)
A Distributed DoS Attack (DDoS) is similar to a DoS attack but originates from multiple, coordinated sources. An attacker builds a network of infected hosts, called a botnet. The infected hosts are called zombies. The zombies are controlled by handler systems. The zombie computers constantly scan and infect more hosts, creating more zombies. When ready, the hacker instructs the handler systems to make the botnet of zombies carry out a DDoS attack.
A DDoS is a cyber-attack on a specific server or network whose intended purpose is to disrupt normal operation. A DoS attack comes from a single source, so it is easier to pinpoint: the server can simply close the connection the attack is coming from. A DDoS comes from multiple sources simultaneously, and when that happens it overwhelms the server, so the legitimate clients connected to it face a denial of service. The attacker recruits the other computers by infecting them with malicious software.
Botnet – an army of infected computers used to carry out a DDoS attack.
2.22 SEO Poisoning
Search engines such as Google work by ranking pages and presenting relevant results based on users’ search
queries. Depending on the relevancy of web site content, it may appear higher or lower in the search result
list. SEO, short for Search Engine Optimization, is a set of techniques used to improve a website’s ranking
by a search engine. While many legitimate companies specialize in optimizing websites to better position
them, a malicious user could use SEO to make a malicious website appear higher in search results. This
technique is called SEO poisoning. To force a malicious site to rank higher in search results, attackers take
advantage of popular search terms. The most common goal of SEO poisoning is to increase traffic to
malicious sites that may host malware or perform social engineering.


2.23 Quick Quiz: Identify the Attack Type

2.24 Blended Attack


Blended attacks are attacks that use multiple techniques to compromise a target. By using several different attack techniques at once, attackers have malware that is a hybrid of worms, Trojan horses, spyware, keyloggers, spam and phishing schemes. This trend of blended attacks is producing more complex malware and placing user data at great risk.
The most common type of blended attack uses spam email messages, instant messages or legitimate websites to distribute links through which malware or spyware is secretly downloaded to the computer. Another common blended attack combines DDoS with phishing emails. First, a DDoS is used to take down a popular bank website; then emails are sent to the bank's customers apologizing for the inconvenience. The email also directs the users to a forged emergency site where their real login information can be stolen.
Many of the most damaging computer worms, such as Nimda, CodeRed, BugBear, Klez and Slammer, are better categorized as blended attacks. As shown below:

 Some Nimda variants used email attachments; file downloads from a compromised web server; and Microsoft file sharing (e.g., anonymous shares) as propagation methods.
 Other Nimda variants were able to modify the system's guest accounts to provide the attacker or malicious code with administrative privileges.
The more recent Conficker and ZeuS/LICAT worms were also blended attacks. Conficker used all the traditional distribution methods.

2.25 Blended Threats: Get the facts


Blended threats are attacks that arrive via the email vector and are deployed through the web. In the past, malware writers essentially set up dedicated websites that would deliver malicious code, and as a web filtering vendor you could easily identify these sites, put them into your URL library and provide an effective barrier to stop these attacks. Today hackers compromise a legitimate website and inject malware into that site. Then they generate emails that bypass the traditional spam and antivirus filter at the email gateway, because the email itself contains no malware or malicious code; instead it contains a link to a site that delivers the malicious payload. The email reaches the user, and if the user clicks the link, the malware is downloaded. Because it is a legitimate site, a traditional web filter won't catch the exploit coming through, and the user becomes infected. Once infected, the machine either becomes part of a botnet, or it downloads some kind of spyware, Trojan or keylogger that collects valuable information and sends it outside the network environment.
Let's discuss the worms that carried out blended attacks. Here we'll talk about 1. the CodeRed Windows worm, 2. Klez.E, 3. the SQL Slammer worm and 4. the Conficker worm.
2.26 CodeRed Windows Worm
CodeRed Worm (2001): it started spreading, then stopped spreading and instead directed its focus on DDoSing whitehouse.gov. The worm didn't cause any severe downtime; however, most people remember it for the page it would display: "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!"
2.27 Email-Worm.Win32.Klez.E
Klez.E: This worm surfaced in October 2001 and quickly spread to many PCs thanks to its enticing email messages.
Its fake error message gives it away as not being a legitimate program: it tells us that QTMF181.EXE does not have enough memory to start. While displaying this error message, it drops its main file into the Windows system directory and begins its mass-mailing routine. This routine selects different phrases from a list of dozens it carries, such as "this is a very humor game, I thought you would like it...", and attaches itself plus one random file from the system to the email, so your personal documents might get leaked onto the Internet. It activates its payload whenever the month is odd and the day is the sixth, and its super payload on the sixth of January or July; it checks the date all the time.
The payload corrupts files while leaving their names in place, so on restart the system takes forever because the files can't be loaded.
2.28 SQL Slammer
SQL Slammer worm of 2003
On a Saturday morning came a flurry of texts, calls and notices that the Internet was going nuts: 75 thousand hosts infected within 10 minutes.
On Saturday 25 January 2003, the Internet was hit by a rapacious computer worm now known as SQL Slammer. Spreading like wildfire across the Internet via a bug in a version of Microsoft SQL Server, it is believed to have infected over 75,000 machines within a matter of minutes. Globally, over 250,000 computers were thought to have been affected.
At its height, SQL Slammer, the most widespread worm since 2001's Code Red, doubled in size every 8.5 seconds. Although the worm's impact was short-lived, the immediacy of the damage was critical. SQL Slammer was only 376 bytes of code. The fix for Slammer was relatively simple: systems could be rebooted and, if the patch had been installed, the problem was immediately fixed.
2.29 Conflicker worm
Conficker targets the Microsoft Windows operating system and was first detected in November 2008. It is also known as Downup, Downadup and Kido. It infected over 15 million computers around the globe, including government, business and home machines, the largest known infection since the 2003 Welchia worm. Conficker targets a flaw in the SMB network service in Windows 2000, XP, Vista and the 7 Beta. Conficker is a really interesting worm to study because it utilizes many different malware techniques, making it harder to stop. Once its shellcode ran, the host would join a larger botnet and be ready to receive its payload from a daily list of 250 domain names; later variants increased that to 50,000 daily domain names, making it harder for network operators to get rid of the problem. These payloads would update the worm to a new variant and could install additional malware such as keyloggers, rootkits and other nefarious software. The worm itself used encryption to armor itself from detection, and it even reset system restore points and disabled Windows automatic updates, antivirus updates and more to prevent detection and removal.
Check out the book Worm by Mark Bowden. It’s a fascinating read for those of us in or entering into the
cyber security industry.
Watch:

 Blended Threats: Get the facts


 CodeRed Windows Worm
 Email-Worm.Win32.Klez.E
Read:

 Flashback Friday: SQL Slammer


2.30 What is Impact Reduction?
While the majority of successful companies today are aware of common security issues and put considerable effort towards preventing them, no set of security practices is 100% effective. Because a breach is likely to happen if the prize is big enough, companies and organizations must also be prepared to contain the damage.
It is important to understand that the impact of a breach is not only related to the technical aspect of it,
stolen data, damaged databases, or damage to intellectual property, the damage also extends to the
company’s reputation. Responding to a data breach is a very dynamic process.
Below are some important measures a company should take when a security breach is identified, according
to many security experts:

 Communicate the issue. Internally employees should be informed of the problem and called to
action. Externally, clients should be informed through direct communication and official
announcements. Communication creates transparency, which is crucial in this type of situation.
 Be sincere and accountable in case the company is at fault.
 Provide details. Explain why the situation took place and what was compromised. It is also expected
that the company take care of the costs of identity theft protection services for affected customers.
 Understand what caused and facilitated the breach. If necessary, hire forensics experts to research
and learn the details.
 Apply what was learned from the forensics investigation to ensure similar breaches do not happen
in the future.
 Ensure all systems are clean, no backdoors were installed, and nothing else has been compromised.
Attackers will often attempt to leave a backdoor to facilitate future breaches. Make sure this does
not happen.
 Educate employees, partners, and customers on how to prevent future breaches.
Summary

 analyze what has happened after a cyberattack


 explains security software and hardware vulnerabilities
 different categories of security vulnerabilities
 different types of malicious software (known as malware) and the symptoms of malware
 discussed viruses, worms, Trojan horses, spyware, adware, and others.

39
Attacks, Concepts and Techniques

 social engineering, Wi-Fi Password Cracking, Phishing, and vulnerability exploitation.


 different types of denial of service attacks
 worms like Nimda, CodeRed, BugBear, Klez and Slammer are better categorized as blended attacks.
Additional Resources
2.31 A social engineering walkthrough
Professional social engineer Jim Stickley walks through the steps he typically takes to fool clients into
thinking he's there for fire safety, while he's really proving they are an easy target for a data breach.
There was a time when robbers went on a heist and carted away bags of money, but these days thieves are after something much more valuable: your identity. They steal your social security number, your passwords, even your name from databases that should be secure, and it costs billions. One company is hired to act like the bad guys in order to keep the worst from happening to you. In 2005, CardSystems Solutions had 40 million credit card numbers exposed to hackers during a security breach, and Bank of America lost 1.2 million federal employee records, exposing a new trend in crime: one that doesn't go after the money in your bank account, but the account itself. Jim Stickley is the new-age bank robber, except he is hired to do it. His company, TraceSecurity, works with more than 200 global institutions to test for vulnerabilities in their security systems.
Posing as fire-safety inspectors, Jim and his colleague Dale are let into the building. Backup tapes contain social security numbers, account information, even passwords. Within five minutes the employee walks away and Jim and Dale are left alone to do their work, which they do, moving quickly from room to room, gaining access to offices, computers and finally the jackpot: the main server. They walk out with everything they needed and no one on their trail.
Q: How easy is it for these people to get in there and steal your identity? Jim: "Getting high-tech information in a low-tech way." Q: Once your identity is stolen, how hard is it to get it back? Jim: "You virtually never get it back. It's out there, it's stolen, you have to work really hard to get it back."

2.32 Google Hack


Johnny Long pioneered the concept of Google hacking. A renowned security expert, he has authored and contributed to many books on computer security. His book Google Hacking for Penetration Testers is a must-read for anyone serious about the field. He also maintains a website devoted to providing assistance to non-profits and training for the world's poorest citizens: http://www.hackersforcharity.org
A Google search such as intitle:"webcamxp 5" returns Internet-exposed webcamXP camera interfaces, a classic example of a Google hacking query: the search engine finds the targets, no scanning required.
Watch:

 Google Hacking: Use Google search to hack!


 How to rob a bank: A social engineering walkthrough
Read:

 Google tricks that will change the way you search


2.33 Terms and Concepts Practice

1. Improper use of practices that manage physical control of equipment, data, or applications
- access-control problems
2. The use of network data structures that have been created to disrupt the operation of network devices
- maliciously formatted packets
3. Created by Google, this is an example of a third-party permanent team of researchers that is dedicated to
finding software vulnerabilities.
- Project Zero
4. The use of multiple distributed systems to send data that disrupts services provided by networks and
network devices
- Distributed denial-of-services (DDoS)
5. Malware designed to track the actions of users and capture data
- Spyware
6. Usually caused by errors in operating system or application code
- Software vulnerability
7. A way of gaining access to resources that manipulates individuals into performing actions or divulging confidential information. Attackers attempt to exploit our willingness to help or exploit our weaknesses.
- Social engineering
8. A multi-phase, long term, stealthy, and advanced attack against a specific target
- Advanced persistent threat (APT)
9. A highly targeted attack in which emails that appear to be sent from a legitimate source are customized
for specific persons. An attacker researches the interests of the target in order to create an email that tricks
that specific person.
- Spear phishing
10. Released by operating system and application producers to avoid exploitation of vulnerabilities
- Security patches and updates
11. Malware designed to automatically perform actions over the Internet
- Bot
12. The use of a software program to challenge a password repeatedly with all the possible values that could
be used for a password, or with a list of words that are commonly used in passwords. Complex passwords
are much more difficult to guess.


- Brute-force attack
13. The use of techniques to limit the damage caused by a successful attack. These techniques include ways
of communicating about the attack to employees and clients, investigation of the attack, and measures to
prevent future attacks.
- Impact reduction
14. A public Internet database that contains information about Internet domain names and the people or
organizations that registered the domains. It is a source of information that can be used to exploit system
vulnerabilities.
- whois
15. An attack that interrupts network services to users, devices, or applications
- denial-of-service (DoS)
16. A type of social engineering attack in which an attacker follows an authorized person into a secure
location
- tailgating
17. Malware that carries out malicious operations while appearing to have a desired function. Trojan horses are often carried in non-executable files such as images, audio files or games, whereas viruses attach to executable code
- Trojan horse
18. A vulnerability in which data supplied to a program by a user or exploit causes the application to behave
in an unintended way
- Non-validated input
19. Malware designed to modify operating systems to allow unauthorized remote access through a backdoor
- Rootkit
20. A program written to take advantage of a known security vulnerability
- An exploit
21. Software that automatically delivers advertisements. Some types contain spyware
- Adware
22. The use of software to capture packets on a wireless network. Unencrypted passwords can be captured
and used in an attack, and encrypted passwords could be cracked with a software tool.
- Network sniffing
23. A technique in which an attacker can take control of a device without the owner's knowledge. The
attacker can intercept and capture information that passes through the device on its way to another
destination
- Man-in-the Middle (MitM)


24. A DoS attack in which an enormous number of packets are sent to a network at a rate that the network
systems cannot handle. This results in a slowdown of network transmission or response, or the crash of a
device or service
- Overwhelming quantity of traffic
25. Security weaknesses caused by design flaws in computer devices and components. They are usually
limited to specific device models and are commonly exploited through targeted attacks.
- Hardware vulnerability
26. A type of social engineering attack in which an attacker requests personal information in exchange for
something such as a free gift
- Something for something
27. A type of social engineering attack in which an individual lies in order to gain access to privileged
information
- Pretexting
28. Use of a generic fraudulent email that appears to be sent by a legitimate source. The email tricks people
into installing malware or sharing confidential information
- Phishing
29. The manipulation of the ranking of a malicious website in order to attract users to the site so that
malicious code will be distributed or social engineering can be used to gather confidential information
- Search engine optimization (SEO) poisoning
30. A software vulnerability that occurs when data is written beyond the limits of memory areas that are
allocated to an application. This vulnerability can cause an application to access memory that is allocated
to other processes
- Buffer overflow
31. The act of discovering a password that is used to protect a wireless network
- Wi-Fi password cracking
32. Any computer code that can be used to steal data, bypass access controls, or harm or compromise a
system
- Malware
33. The use of multiple techniques to compromise a target
- Blended attack
34. The use of various methods, including software tools or social engineering, to gain information about a
system. This attacker uses this information to find weaknesses that exist in that specific system.
- vulnerability exploitation


35. A vulnerability that occurs when an ordered or timed set of processes is disrupted or altered by an
exploit
- Race condition
36. Malicious executable code that can be attached to legitimate programs.
- Virus
37. A network of distributed infected hosts that is used to launch a DDoS attack
- Botnet
38. A popular port scanning tool that can be used to discover vulnerabilities in networked systems
- Nmap
39. The act of using an exploit against a vulnerability with the goal of breaking into the target system
- a cyberattack
40. A type of malware that holds a computer system captive, frequently by encrypting essential data, until
a payment is made to the attacker
- Ransomware
41. An attack that is a variation of (MitM). A mobile device is infected with malware that takes control of
the device and causes it to forward sensitive information to attackers.
- Man in the mobile (MitMO)
42. Malware in the form of malicious code that replicates itself independently by exploiting vulnerabilities
in networks. They spread very rapidly over a network because they run by themselves. All share similar
patterns including an enabling vulnerability, a way to propagate themselves, and a payload
- Worms

2.34 Chapter Two Quiz

1. Which type of attack allows an attacker to use a brute force approach?


a. Social engineering
b. Packet sniffing
c. Denial of service
d. Password cracking
2. What is the purpose of a rootkit?
a. To deliver advertisements without user consent
b. To replicate itself independently of any other programs
c. To gain privileged access to a device while concealing itself
d. To masquerade a legitimate program
Masquerade - a false show or pretense.


3. Which example illustrates how malware might be concealed?


a. An attack is launched against the public website of an online retailer with the objective of
blocking its response to visitors
b. A hacker uses techniques to improve the ranking of a website so that users are redirected to a
malicious site
c. A botnet of zombies carries personal information back to the hacker.
d. An email is sent to the employee of an organization with an attachment that looks like an
antivirus update, but the attachment actually consists of spyware.
4. Which tool is used to provide a list of open ports on network devices?
a. Whois
b. Tracert
c. Ping
d. Nmap
5. What is the most common goal of search engine optimization (SEO) poisoning?
a. To trick someone into installing or divulging personal information
b. To increase web traffic to malicious sites
c. To overwhelm a network device with maliciously formed packets
d. To build a botnet of zombies
6. What is the primary goal of a DoS attack?
a. To facilitate access to external networks
b. To prevent the target server from being able to handle additional requests
c. To scan the data on the target server
d. To obtain all addresses in the address book within the server
7. Which two characteristics describe a worm? (Choose two.)
a. Infects computers by attaching to software code
b. Travels to new computers without any intervention or knowledge of the user
c. Is self-replicating
d. Executes when software is run on a computer
e. Hides in a dormant state until needed by an attacker
8. In what way are zombies used in security attacks?
a. They target specific individuals to gain corporate or personal information
b. They are maliciously formed code segments used to replace legitimate applications
c. They probe a group of machines for open ports to learn which services are running
d. They are infected machines that carry out a DDoS attack

Answers

1. Password cracking –
Common ways used to crack Wi-Fi passwords include social engineering, brute-force attacks, and network
sniffing.
2. to gain privileged access to a device while concealing itself –
Malware can be classified as follows:
- Virus (self replicates by attaching to another program or file)
- Worm (replicates independently of another program)


- Trojan Horse (masquerades as a legitimate file or program)


- Rootkit (gains privileged access to a machine while concealing itself)
- Spyware (collects information from a target system)
- Adware (delivers advertisements with or without consent)
- Bot (waits for commands from the hacker)
- Ransomware (holds a computer system or data captive until payment is received)
3. An email is sent to the employees of an organization with an attachment that looks like an antivirus
update, but the attachment actually consists of spyware –
An email attachment that appears as valid software but actually contains spyware shows how malware
might be concealed. An attack to block access to a website is a DoS attack. A hacker uses search engine
optimization (SEO) poisoning to improve the ranking of a website so that users are directed to a malicious
site that hosts malware or uses social engineering methods to obtain information. A botnet of zombie
computers is used to launch a DDoS attack.
4. Nmap –
The Nmap tool is a port scanner that is used to determine which ports are open on a particular network
device. A port scanner is used before launching an attack.
5. to increase web traffic to malicious sites –
A malicious user could use SEO so that a malicious website appears higher in search results. The malicious website commonly contains malware or is used to obtain information via social engineering techniques.
6. to prevent the target server from being able to handle additional requests –
A denial of service (DoS) attack attempts to overwhelm a system or process by sending large amounts of
data or requests to the target. The goal is to keep the system so overwhelmed handling false requests that it
is unable to respond to legitimate ones.
7. i) travels to new computers without any intervention or knowledge of the user ii) is self-
replicating –
Worms are self-replicating pieces of software that consume bandwidth on a network as they propagate from
system to system. They do not require a host application, unlike a virus. Viruses, on the other hand, carry
executable malicious code which harms the target machine on which they reside.
8. They are infected machines that carry out a DDoS attack –
Zombies are infected computers that make up a botnet. The zombies are used to deploy a distributed denial
of service (DDoS) attack.

Chapter 3: Protect Your Data and Privacy

About

 tips for protecting your devices


 creating strong passwords
 safely using wireless networks
 Maintaining your data securely.
 briefly covers authentication techniques
3.1 Protecting your computing Device
Keep the Firewall On – Whether it is a software firewall or a hardware firewall on a router, the firewall should be turned on and kept updated to prevent hackers from accessing your personal or company data. (The course links to instructions for turning on the firewall in Windows 7, 8.1 and 10.)
Use Antivirus and Antispyware – Malicious software, such as viruses, Trojan horses, worms, ransomware and spyware, is installed on your computing devices without your permission in order to gain access to your computer and your data. Viruses can destroy your data, slow down your computer, or take over your computer, for example by letting spammers broadcast emails using your account. Spyware can monitor your online activities, collect your personal information, or produce unwanted pop-up ads in your web browser while you are online. A good rule is to download software only from trusted websites, to avoid getting spyware in the first place. Antivirus software is designed to scan your computer and incoming email for viruses and delete them. Antivirus software often includes antispyware as well.
Manage Your Operating System and Browser – Hackers are always trying to take advantage of
vulnerabilities in your operating systems and your web browsers. Update your computer’s operating system
including your web browsers and regularly download and install the latest software patches and security
updates from the vendors.
Protect All Your Devices – Your computing devices, whether they are PCs, laptops, tablets, or
smartphones, should be password protected to prevent unauthorized access. The stored information should
be encrypted, especially for sensitive or confidential data. For mobile devices, only store necessary
information, in case these devices are stolen or lost when you are away from your home.
IoT devices pose an even greater risk than your other computing devices. While desktop, laptop and mobile
platforms receive frequent software updates, most of the IoT devices still have their original firmware. If
vulnerabilities are found in the firmware, the IoT device is likely to stay vulnerable. To make the problem
worse, IoT devices are often designed to call home and require Internet access. To reach the Internet, most
IoT devices manufacturers rely on the customer’s local network. The result is that IoT devices are very

47
Protect Your Data and Privacy

likely to be compromised. The best way to protect yourself from this scenario is to put IoT devices on an
isolated network (for example a separate VLAN or the router's guest Wi-Fi), shared only with other IoT
devices, so that a compromised device cannot reach your computers and phones.

3.2 Shodan, a web-based IoT device scanner

Shodan is the world's first search engine for Internet-connected devices. From its own description:

 Explore the Internet of Things: Use Shodan to discover which of your devices are connected to
the Internet, where they are located and who is using them.
 See the Big Picture: Websites are just one part of the Internet. There are power plants, Smart TVs,
refrigerators and much more that can be found with Shodan!
 Monitor Network Security: Keep track of all the computers on your network that are directly
accessible from the Internet. Shodan lets you understand your digital footprint.
 Get a Competitive Advantage: Who is using your product? Where are they located? Use Shodan
to perform empirical market intelligence.
Anything Shodan can see, an attacker can see too: search for your own public IP address or range and
firewall or remove whatever you did not intend to expose.
3.3 Functions and importance of Windows Firewall
Windows Firewall (Windows Defender Firewall in current versions) is a host-based, stateful packet filter
built into Windows. It inspects network traffic reaching your system and blocks unsolicited inbound
connections by default, which denies a remote attacker the chance to reach a listening but vulnerable
service on your machine. Users and administrators can add rules that block a program from receiving
(or, with outbound rules, sending) traffic, and rules that allow a program or port through. You can picture
the firewall as a large concrete wall with numerous doors: a port is like a door, and most doors stay closed
unless you tell the firewall to open them. So if you want to host a web service on your machine, you must
add an inbound rule allowing the service's listening port (for example TCP 80 or 443) before outside
clients can connect to it. The firewall is a vital layer that prevents unauthorized access to some extent, but
it does not patch the service behind an opened port, so keep Windows Firewall enabled on every network
profile (domain, private and public) and open only the ports you actually need.
Visits:
 Shodan, a web-based IoT device scanner

Watch:
 Getting started and having fun with Shodan Search Engine
 What is Windows Firewall. Functions and importance
3.4 Use Wireless Networks Safely
Wireless networks allow Wi-Fi enabled devices, such as laptops and tablets, to connect to the network by
way of the network identifier, known as the Service Set Identifier (SSID). To prevent intruders from
entering your home wireless network, the pre-set SSID and default password for the browser-based
administrative interface should be changed. Hackers will be aware of this kind of default access
information. Optionally, the wireless router can also be configured to not broadcast the SSID, which adds
an additional barrier to discovering the network. However, this should not be considered adequate security
for a wireless network. Furthermore, you should encrypt wireless communication by enabling wireless
security and the WPA2 encryption feature on the wireless router. Even with WPA2 encryption enabled,
the wireless network can still be vulnerable.
In October 2017, a security flaw in the WPA2 protocol was discovered. This flaw allows an intruder to
break the encryption between the wireless router and the wireless client, and allow the intruder to access

and manipulate the network traffic. This vulnerability can be exploited using Key Reinstallation Attacks
(KRACK). It affects all modern, protected Wi-Fi networks. For laptops or other devices with wired NIC,
a wired connection could mitigate this vulnerability. Furthermore, you can also use a trusted VPN service
to prevent the unauthorized access to your data while you are using the wireless network.
When you are away from home, a public Wi-Fi hot spot allows you to access your online information and
surf the Internet. However, it is best to not access or send any sensitive personal information over a public
wireless network. To prevent someone from intercepting your information (known as “eavesdropping”)
while using a public wireless network, use encrypted VPN tunnels and services. The VPN service provides
you secure access to the Internet, with an encrypted connection between your computer and the VPN service
provider’s VPN server. With an encrypted VPN tunnel, even if a data transmission is intercepted, it is not
decipherable.
Many mobile devices, such as smartphones and tablets, come with the Bluetooth wireless protocol. This
capability allows Bluetooth-enabled devices to connect to each other and share information. Unfortunately,
Bluetooth can be exploited by hackers to eavesdrop on some devices, establish remote access controls,
distribute malware, and drain batteries. To avoid these issues, keep Bluetooth turned off when you are not
using it.
3.5 Key Reinstallation Attacks (KRACK)
Breaking WPA2 by forcing nonce reuse. Discovered by Mathy Vanhoef, 2017. (The summary below is quoted
from the researchers' KRACK site, linked under Visits at the end of this section.)
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks.
An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks
(KRACKs). Concretely, attackers can use this novel attack technique to read information that was
previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit
card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern
protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and
manipulate data. For example, an attacker might be able to inject ransomware or other malware into
websites.
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations.
Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update
affected products as soon as security updates become available. During our initial research, we discovered
ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected
by some variant of the attacks.
Our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is
because Android and Linux can be tricked into (re)installing an all-zero encryption key. When
attacking other devices, it is harder to decrypt all packets, although a large number of packets can
nevertheless be decrypted.
Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general,
any data or information that the victim transmits can be decrypted. Additionally, depending on the device
being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content
of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that
this extra protection can (still) be bypassed in a worrying number of situations.
Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when
a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point

possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way
handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic.
Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks
are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise
Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only
use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK).
In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This
is achieved by manipulating and replaying cryptographic handshake messages. When the victim
reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and
receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security,
a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2
protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.
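The mechanism described above, as an added simulation written for these notes (it is not code from the KRACK researchers or from the course). WPA2-CCMP encrypts every frame with a keystream derived from the pairwise key and the packet number, which serves as the nonce; a nonce must never repeat under the same key. The AES-CCM keystream is replaced here by an HMAC-SHA256 stand-in (an assumption of this simulation) that has the one property that matters: same key plus same nonce gives the same keystream. Frames are limited to 32 bytes so one HMAC output suffices. The frame contents are constructed test values.

```python
"""Why a key reinstallation breaks WPA2: a vulnerable client resets its packet
number when message 3 of the 4-way handshake is (re)installed, so the next
frame reuses a nonce and therefore reuses keystream."""
import hashlib
import hmac
import os


def frame_keystream(ptk: bytes, packet_number: int) -> bytes:
    """Stand-in for the CCMP keystream of one frame (32 bytes, one HMAC call)."""
    return hmac.new(ptk, packet_number.to_bytes(6, "big"), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Minimal Wi-Fi client state: the installed pairwise key and its transmit nonce."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.tx_pn = 0          # packet number; must never repeat under one key

    def receive_msg3(self, ptk: bytes) -> None:
        """Message 3 of the 4-way handshake tells the client to install `ptk`."""
        if self.patched and self.ptk is not None:
            return              # fix: key already installed, ignore the retransmit
        self.ptk = ptk          # vulnerable path (and the legitimate first install):
        self.tx_pn = 0          # installing the key resets the nonce to its initial value

    def send(self, plaintext: bytes):
        assert self.ptk is not None and len(plaintext) <= 32
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, frame_keystream(self.ptk, self.tx_pn))


def krack_scenario(patched: bool) -> dict:
    """The attacker withholds message 4 so the AP retransmits message 3 (shown
    here as a replay) after the client has already sent one frame."""
    ptk = os.urandom(16)
    client = Station(patched)
    client.receive_msg3(ptk)                         # genuine handshake completes
    known = b"GET /login HTTP/1.1"                   # frame 1: predictable content
    pn1, c1 = client.send(known)
    client.receive_msg3(ptk)                         # replayed message 3
    pn2, c2 = client.send(b"password=hunter2!!!")    # frame 2: the secret (constructed)
    reused = pn1 == pn2
    # Same key and nonce => same keystream, so c1 XOR c2 == p1 XOR p2, and a
    # known p1 hands the attacker p2 without the key ever being recovered.
    recovered = xor(xor(c1, c2), known) if reused else None
    return {"nonce_reused": reused, "recovered": recovered}
```

Run `krack_scenario(False)` to see the second frame decrypted from the first; `krack_scenario(True)` models the patched behaviour of ignoring a retransmitted message 3 once a key is installed, so the packet numbers keep increasing and nothing is recovered. The all-zero-key variant on older Android and Linux is not modelled.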
3.6 Protect yourself while using wireless network
Encryption is the best way to keep your personal data safe. It works by scrambling the data in a message so
that only the intended recipients can read it. When the address of a website you're visiting starts with
"https" instead of "http," that indicates encryption is taking place between your browser and the site.
The two most common Wi-Fi encryption standards are Wired Equivalent Privacy (WEP) and Wi-Fi Protected
Access (WPA). WEP is broken and can be cracked in minutes, and the original WPA (TKIP) is deprecated as
well. The strongest option commonly available is WPA2 with AES (CCMP), or WPA3 on routers and clients
that support it, so use that if you have the option. Home Wi-Fi systems and public Wi-Fi access points, or
"hotspots," usually will inform you of the encryption they use.
Learn:
 WPA and WPA2 protocol
 HTTPS protocol
 KRACK research paper
 Demonstrate an attack using Kali Linux
Visits:
 KRACK- Breaking WPA-2 by forcing nonce reuse
 Wireless connection and Bluetooth security tips
Watch:
 KRACK- Bypassing WPA-2 against Android and Linux


3.7 Use Unique Password for each online account
You probably have more than one online account, and each account should have a unique password. That
is a lot of passwords to remember. However, the consequence of not using strong and unique passwords
leaves you and your data vulnerable to cyber criminals. Using the same password for all your online
accounts is like using the same key for all your locked doors, if an attacker was to get your key, he would
have the ability to access everything you own. If criminals get your password through phishing for example,
they will try to get into your other online accounts.
One solution to avoid reusing passwords or using weak passwords is to use a password manager. A
password manager stores and encrypts all of your different and complex passwords. The manager can then

help you to log into your online accounts automatically. You only need to remember your master password
to access the password manager and manage all of your accounts and passwords.

Tips for choosing a good password

 Do not use dictionary words or names in any languages
 Do not use common misspellings of dictionary words
 Do not use computer names or account names
 If possible use special characters, such as ! @ # $ % ^ & * ( )
 Use a password with ten or more characters
Use Passphrase Rather Than a Password

To prevent unauthorized access to your computing devices, use passphrases rather than passwords. It is
easier to create a long passphrase than a long password, because a passphrase is generally in the form of a
sentence rather than a word. The greater length makes passphrases much less vulnerable to dictionary or
brute force attacks. Furthermore, a passphrase may be easier to remember, especially if you are required to
change your password frequently. Here are some tips for choosing good passwords or passphrases:

 Choose a statement that is meaningful to you
 Add special characters, such as ! @ # $ % ^ & * ( )
 The longer the better
 Avoid common or famous statements, for example, lyrics from a popular song
Recently, the United States National Institute of Standards and Technology (NIST) published improved
password requirements in Special Publication 800-63B (Digital Identity Guidelines). Summary of the new
guidelines:
 8 characters minimum in length, but no more than 64 characters
 No common, easily guessed passwords, such as password or abc123; new passwords should be checked
against lists of known breached and commonly used passwords
 No composition rules, such as having to include lowercase and uppercase letters and numbers
 No forced periodic changes; require a change only when there is evidence of compromise
 Improve typing accuracy by allowing the user to see the password while typing
 All printing characters and spaces are allowed
 No password hints
Visit:
 Digital Identity guideline- NIST
3.8 LAB: Create and store strong password
Passwords are widely used to enforce access to resources. Attackers will use many techniques to learn
users’ passwords and gain unauthorized access to a resource or data. To better protect yourself, it is
important to understand what makes a strong password and how to store it securely.
Strong passwords have four main requirements listed in order of importance:
1. The user can easily remember the password.
2. It is not trivial for any other person to guess a password.
3. It is not trivial for a program to guess or discover a password.
4. Must be complex, containing numbers, symbols and a mix of upper case and lower case letters.
Based on the list above, the first requirement is probably the most important because you need to be able
to remember your password. For example, the password: #4ssFrX^-aartPOknx25_70!xAdk<d! is
considered a strong password because it satisfies the last three requirements, but it is very difficult to
remember.
Below is a sample password policy set for a typical organization:
1. The password must be at least 8 characters long
2. The password must contain upper- and lower-case letters
3. The password must contain a number
4. The password must contain a non-alphanumeric character
Analyze the characteristics of a strong password and the common password policy set shown above. Why
does the policy set neglect the first two items? Explain.
 Answer: There is a difference between a requirement and a policy. A policy gives technical, checkable
rules for how to meet the requirements; the rest is left to the user. A company cannot determine what
will be easy for a particular user to remember, and it is likewise up to the individual to make sure the
password is not a common one that somebody could guess, such as their own name or mobile number.
What a company can check mechanically is whether the password contains a letter, a digit, a
non-alphanumeric character and so on, so those are the rules it puts in the policy. The first two
requirements are therefore left to the individual to fulfil, while the policy is set for everyone to apply.
A good way to create strong passwords is to choose four or more random words and string them together.
The password televisionfrogbootschurch is stronger than J0n@than#81. Notice that while the second
password is in compliance with the policies described above, password cracker programs are very efficient
at guessing that type of password. While many password policy sets will not accept the first password,
televisionfrogbootschurch, it is much stronger than the second. It is easier for the user to remember
(especially if associated with an image), it is very long, and its randomness makes it hard for password
crackers to guess. Note that the strength comes from the words being chosen at random from a large list;
four words you pick yourself, or a well-known phrase, are far weaker.
a) Open a web browser and go to passwordsgenerator.net
b) Select the options to conform to password policy set
c) Generate the password.
Here we’ve generated:
Password: qL26AAPxxkRsWtBe
Remember your password: queen LAPTOP 2 6 APPLE APPLE PARK xbox xbox korean ROPE skype
WALMART tokyo BESTBUY egg

Is the password generated easy to remember?


 Answer: Yeah, they generate a passphrase that becomes easier to remember.
Notice that although the words are concatenated, a cracker that knows the scheme still has to try every
combination of words from the list; the strength comes from the number of words and the size of the list,
not from hiding the word boundaries.

Next,
a) Open a web browser and go to http://preshing.com/20110811/xkcd-password-generator/
b) Generate a random word password by clicking Generate Another! At the top portion of the
webpage.

Here, we’ve generated:


Password: noon shorter porch rose
Is the password generated easy to remember?
 Yeah, it’s easier to remember four random words, than some random characters.
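As an added example for the NIST guidelines above and for this lab (it is not code from the course or from the generator websites), the block below is a local stand-in for the passphrase generators, the two policies the lab contrasts (the legacy composition rules and a NIST SP 800-63B style check), and a tiny rule-based cracker that shows why a mangled name such as J0n@than#81 falls quickly even though it passes the legacy policy. The word list, name list and blocklist are short constructed samples; real tools use the EFF word list, large name dictionaries and breached-password corpora.

```python
"""Passphrase generation, password policies, and a rule-based cracker."""
import hashlib
import itertools
import math
import secrets
import string

WORDS = ["noon", "shorter", "porch", "rose", "television", "frog", "boots",
         "church", "queen", "laptop", "apple", "park", "river", "candle"]
NAMES = ["michael", "jonathan", "jessica"]          # constructed cracker dictionary
BLOCKLIST = {"password", "abc123", "123456", "qwerty", "letmein"}
LEET = {"o": "0", "a": "@", "e": "3", "i": "1", "s": "$"}


def generate_passphrase(n_words: int = 4, sep: str = " ") -> str:
    """Draw words with the CSPRNG in `secrets`; `random.choice` is not suitable."""
    return sep.join(secrets.choice(WORDS) for _ in range(n_words))


def keyspace_bits(n_words: int, wordlist_size: int) -> float:
    """Work factor when the attacker knows the list and the scheme (log2 of candidates)."""
    return n_words * math.log2(wordlist_size)


def legacy_policy(pw: str) -> bool:
    """The lab's policy: at least 8 chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def nist_policy(pw: str) -> bool:
    """SP 800-63B: 8..64 printable characters, spaces allowed, no composition
    rules, reject anything on a blocklist of common or breached passwords."""
    return 8 <= len(pw) <= 64 and pw.isprintable() and pw.lower() not in BLOCKLIST


def mangle(name: str):
    """Yield what a cracker's rules produce from one dictionary word: optional
    capitalisation x every subset of leet substitutions x one symbol and two
    digits appended (the pattern behind J0n@than#81)."""
    positions = [i for i, c in enumerate(name) if c in LEET]
    for cap in (False, True):
        base = name.capitalize() if cap else name
        for r in range(len(positions) + 1):
            for subset in itertools.combinations(positions, r):
                chars = list(base)
                for i in subset:
                    chars[i] = LEET[base[i].lower()]
                stem = "".join(chars)
                for sym in "!@#$%^&*":
                    for digits in range(100):
                        yield f"{stem}{sym}{digits:02d}"


def sha256_hex(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def crack(target_hex: str, names=NAMES):
    """Offline attack on a SHA-256 password hash. Returns (password, attempts)
    or (None, attempts)."""
    attempts = 0
    for name in names:
        for candidate in mangle(name):
            attempts += 1
            if sha256_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts
```

`crack(sha256_hex("J0n@than#81"))` finds the password in a few tens of thousands of guesses, which takes a fraction of a second; a four-word passphrase from a 7,776-word list has about 2^52 candidates (`keyspace_bits(4, 7776)`), which is out of reach for the same attacker even with a fast hash.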

Securely storing password


Notice that some users only trust their passwords to their own memory. Password managers, whether local or
cloud-based, must keep a password store, and that store can be compromised. The store must therefore be
strongly encrypted with a key derived from the master password, and access to it must be tightly controlled.
With mobile phone apps and web interfaces, cloud-based password managers provide anytime, uninterrupted
access to their users. A popular password manager is LastPass.
What is a strong password then?
Choose a password that is easy to remember but hard to be guessed. Complex passwords are OK as long as
it does not impact more important requirements such as the ability to easily remember it. If a password
manager is used, the need to be easily remembered can be relaxed.
My opinion
I'm using LastPass. It has both an Android application and a web application, so I never need to memorise
any of my passwords except the last one, the master password. I'm creating longer and longer, more complex
passwords using LastPass, and I can classify saved passwords by creating folders so it is easier to find one.
I use a passphrase as the master password, so nobody can get it. It is better than the Google Chrome
password manager, which has no master password, just the Windows password. We normally have an easier
Windows password, or log in many times where anybody can see it. A Windows password is easily broken, so
it's better to have a password manager like LastPass. If you use Google Chrome, you can export the Chrome
passwords (this can be done in plaintext) and then import them into LastPass.
Or, encrypt passwords locally with my C++ program, Bornomala Cipher. That would provide more security, as
the passwords are kept offline and encrypted.

3.9 Encrypt Your Data


You may think you have no secrets and
nothing to hide so why use encryption?
Maybe you think that nobody wants your
data. Most likely, this is probably not true.
Are you ready to show all of your photos and
documents to strangers? Are you ready to
share financial information stored on your
computer to your friends? Do you want to
give out your emails and account passwords
to the general public? This can be even more
troublesome if a malicious application infects
your computer or mobile device and steals
potentially valuable information, such as account numbers and passwords, and other official documents.
That kind of information can lead to identity theft, fraud, or ransom. Criminals may decide to simply encrypt
your data and make it unusable until you pay the ransom.
1. USE EFS: Software programs are used to encrypt files, folders, and even entire drives. Encrypting File
System (EFS) is a Windows feature that can encrypt data on NTFS volumes. EFS is directly linked to a specific
user account: only the user that encrypted the data (or a designated recovery agent) will be able to access it
after it has been encrypted. EFS is included in the Professional, Enterprise and Education editions of
Windows, not in the Home editions. To encrypt data using EFS, follow these steps:
Step 1. Select one or more files or folders.
Step 2. Right-click the selected data > Properties.
Step 3. Click Advanced…
Step 4. Select the Encrypt contents to secure data check box.
Step 5. Files and folders that have been encrypted with EFS are displayed in green, as shown in the figure.
Because the EFS key is protected by your Windows account, back up the EFS certificate and private key when
Windows prompts you to, and keep the backup off the machine; if the account or its profile is lost, the
encrypted files are unrecoverable.
2. Use VeraCrypt: Use VeraCrypt to encrypt files. Keeping an encrypted volume is good practice, and
VeraCrypt is simple to use on Windows: first create a volume (a container file) of the required size, mount it
as a drive letter, place files on it, then dismount it. A video tutorial and the software download link are
provided below.
Problem with VeraCrypt: Here we need to decide the volume size before we encrypt a file, which could be
small or large. I would prefer to have an encrypted file or folder of exactly the same size that is portable, so
I could share it with anyone, and anyone could decrypt it with the proper key and software. That was my
goal.
3.10 Backup your data
Your hard drive may fail. Your laptop could be lost. Your smart phone stolen. Maybe you erased the original
version of an important document. Having a backup may prevent the loss of irreplaceable data, such as
family photos. To back up data properly, you will need an additional storage location for the data and you
must copy the data to that location regularly and automatically.
The additional location for your backed up files can be on your home network, at a secondary location, or in
the cloud. By storing the backup of the data locally, you have total control of the data. You can decide to
copy all of your data to a network attached storage device (NAS) or to a simple external hard drive. If you

subscribe to a cloud storage service, the cost depends on the amount of storage space needed. With a cloud
storage service like Amazon Web Services (AWS), you have access to your backup data as long as you
have access to your account. When you subscribe to online storage services, you may need to be more
selective about the data being backed up due to the cost of the storage and the constant online data transfers.
One of the benefits of storing a backup at an alternate location is that it is safe in the event of fire, theft or
other catastrophes, not just storage device failure.
What happens if you don't pay your AWS bill?
 You'll get multiple emails from AWS to pay the outstanding amount. If you fail to pay they will
first suspend your account and terminate it (delete all data) after two months.
[MY LAB] I could have multiple Google accounts and share from all of them to one single master account in
Google Drive. Each account offers 15 GB of free storage. With a lot of accounts shared with a master
account, I could have a lot of data in a single account for free. Not sure. Again, there could be potential
threats that I would need to handle; for example, after not using or logging in for a long period of time, like
2-3 years, an account could be suspended and everything deleted. Discover when that will occur.
[MY LAB-2] Format a hard drive and recover data using GetDataBack (GDB)
Watch:
 VeraCrypt: How to encrypt files
Visit:
 Download: VeraCrypt
Backup Data to External Storage
Part One: BackUp to a Local External Disk. Getting started with Backup Tools in Windows:
To access the Backup and Restore utility in Windows 7, follow the steps below:
a) Connect an external drive.
b) Execute the Backup and Restore by using the following path: Start > Control Panel > Backup
and Restore

Backup Documents:
Now that the external disk is connected and we know where to find the backup tool, two things can happen.
After choosing a backup location, we can let Windows back up with its default selection, which includes
everything: the files of every user on the PC and a system image of the operating system. Or we can choose
exactly what to back up. Here we select only the documents and write the backup to the pen drive. Note
that I don't need this tool very much, as I have OneDrive connected and everything is copied to OneDrive
automatically; even deleted files stay there for some time and can be restored from OneDrive. If Internet
access is a problem, then we need to do it manually like this.
Advantages:
The backup is not a simple copy. It is a portable backup set that has to be restored through the tool, and
this compressed set can be uploaded to a cloud drive or shared, and restored anywhere.
List a few of cloud-based backup services. Best cloud backup services at a glance:

1. IDrive
2. OneDrive
3. Backblaze Business
4. Carbonite Safe
5. CrashPlan
6. SOS Online Backup
7. SugarSync Business
8. Dropbox Business
Research the services you listed above. Are these services free?
 IDrive 5GB
 Google drive- 15GB
Are the services listed by you platform dependent?
 No, cloud based services are not platform dependent.
Can you access your data from all devices you own (desktop, laptop, tablet and phone)?
 Yeah, anything with internet connection.
Notice that Dropbox and OneDrive allow you to create a folder on your computer that acts as a link to the
cloud drive. Once created, files copied to that folder are automatically uploaded to the cloud by the
cloud-service client that is always running.
Schedule Backup: you can use any backup tools of your choice to schedule cloud backups. Use Windows
Backup and Restore to back up your files to Dropbox. Open Windows Backup and Restore and configure
it to use the new Dropbox folder as a backup destination.
3.11 Deleting your data permanently
When you move a file to the recycle bin or trash and delete it permanently, the file is only inaccessible from
the operating system. The file system merely marks the file's blocks as free; the data stays on the drive until
something else overwrites it, so anyone with the right forensic tools (or an ordinary data-recovery tool such
as the one used in MY LAB-2 above) can still recover the file. In order to erase data so that it is no longer
recoverable, the data must be overwritten, traditionally with ones and zeroes or random data in one or more
passes. To do that you may need tools specifically designed for the purpose. The program SDelete from
Microsoft Sysinternals (for Vista and higher) claims to have the ability to remove sensitive files completely;
shred for Linux and Secure Empty Trash for Mac OS are tools that claim to provide a similar service. On
SSDs and flash media, overwriting a file does not reliably destroy the old copy, because the controller's wear
levelling writes the new data to different physical cells; for those, rely on full-disk encryption from the start
(so that discarding the key makes everything unreadable) or on the drive's built-in secure-erase command.
The only way to be certain that data or files are not recoverable is to physically destroy the hard drive or
storage device. Many criminals have been caught after assuming their deleted files were impenetrable or
irrecoverable.
Besides storing data on your local hard drives, your data may also be stored online in the cloud. Those
copies will also need to be deleted. Take a moment to ask yourself, "Where do I save my data? Is it backed
up somewhere? Is it encrypted?" When you need to delete your data or get rid of a hard drive or computer,
ask yourself, "Have I safeguarded the data to keep it from falling into the wrong hands?"
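The overwrite-then-delete idea behind SDelete and shred, as an added example written for these notes (not code from Microsoft, GNU coreutils or the course): the file's bytes are overwritten in several passes with a sync after each, the directory entry is renamed to a random name so the old filename does not linger, and only then is the file unlinked. A demo function reads the raw bytes back after the overwrite to show the secret is gone. It assumes a regular file on a drive that writes in place; on SSDs and on copy-on-write or journaling file systems the old blocks may survive, as explained above.

```python
"""Minimal secure-delete routine in the spirit of SDelete / shred."""
import os
import tempfile

PATTERNS = (None, b"\xff", b"\x00")   # None = random bytes; the last pass leaves zeros


def overwrite(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file `passes` times, syncing each pass to
    the device. Returns the number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b", buffering=0) as fh:
        for i in range(passes):
            pattern = PATTERNS[i % len(PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 1 << 16)
                data = os.urandom(chunk) if pattern is None else pattern * chunk
                written += fh.write(data)
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())       # push the overwrite through the OS cache
    return written


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, rename to a random name (so the old filename is not left in
    the directory), then unlink. Returns bytes overwritten."""
    written = overwrite(path, passes)
    anonymous = os.path.join(os.path.dirname(path) or ".", os.urandom(8).hex())
    os.replace(path, anonymous)
    os.unlink(anonymous)
    return written


def demo(secret: bytes = b"account=1234567890 password=hunter2\n") -> dict:
    """Write a constructed secret to a temp file, overwrite it, read the raw
    bytes back to show the secret is gone, then securely delete the file."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    written = overwrite(path)                    # 3 passes, final pass zeros
    with open(path, "rb") as fh:
        on_disk = fh.read()
    secure_delete(path)
    return {"secret_gone": secret not in on_disk and on_disk == b"\x00" * len(secret),
            "bytes_overwritten": written,
            "file_exists": os.path.exists(path)}
```

Copies of the file that the application or the OS made elsewhere (editor backups, thumbnails, swap, cloud sync folders) are not touched by this, which is why the questions at the end of this section matter.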
Watch:

 SDelete: Secure Delete Data and Clear Free Spaces on Drives

3.12 [Lab] Who Owns Your Data?


Objectives: Explore the ownership of your data when that data is not stored in a local system.
Part 1: Explore the Terms of Service Policy
Part 2: Do You Know What You Signed Up For?
If you are using online services to store data or communicate with your friends or family, you probably
entered into an agreement with the provider. The Terms of Service, also known as Terms of Use or Terms
and Conditions, is a legally binding contract that governs the rules of the relationship between you, your
provider, and others who use the service.
Social Media
 Facebook: https://www.facebook.com/policies
 Instagram: http://instagram.com/legal/terms/
 Twitter: https://twitter.com/tos
 Pinterest: https://about.pinterest.com/en/terms-service
Online Storage
 iCloud: https://www.apple.com/legal/internet-services/icloud/en/terms.html
 Dropbox: https://www.dropbox.com/terms2014
 OneDrive: http://windows.microsoft.com/en-us/windows/microsoft-services-agreement
Facebook T&C: We use your personal data to help determine which ads to show you. We don't sell your
personal data to advertisers, and we don't share information that directly identifies you (such as your name,
email address or other contact information) with advertisers unless you give us specific permission.

 Do you have an account with an online service provider? If so, have you read the Terms of Service
agreement?
 Not really
 What is the data use policy?
 The Data Use Policy is a compulsory legal disclosure of how a website operator collects,
retains and shares personally identifiable information.
 What are the privacy settings?
 Privacy settings are controls available on many social networking and other websites that
allow users to limit who can access your profile and what information visitors can see.
 What does security policy mean?
 A security policy is a written document in an organization outlining how to protect the
organization from threats, including computer security threats, and how to handle situations
when they do occur.
 What happens to your data when you close your account?
 All your information is permanently deleted from Facebook after about one month. If you
only deactivate your account, Facebook will not delete any information and you may
reactivate. While deactivated your friends will still see you in their lists. Some
information may remain in backup copies and logs for up to 90 days.
 What can you do to protect yourself?

3.13 How secure is your data when it’s stored in the cloud?
As cloud storage becomes more common, data security is an increasing concern. Companies and schools
have been increasing their use of services like Google Drive for some time, and lots of individual users
also store files on Dropbox, Box, Amazon Drive, Microsoft OneDrive and the like. They’re no doubt
concerned about keeping their information private – and millions more users might store data online if they
were more certain of its security.
Data stored in the cloud is nearly always stored in an encrypted form that would need to be cracked before
an intruder could read the information.
Commercial cloud storage systems encode each user’s data with a specific encryption key. Without it, the
files look like gibberish – rather than meaningful data. But who has the key? It can be stored either by the
service itself, or by individual users. Most services keep the key themselves, letting their systems see and
process user data, such as indexing data for future searches. These services also access the key when a user
logs in with a password, unlocking the data so the person can use it. This is much more convenient than
having users keep the keys themselves. But it is also less secure: Just like regular keys, if someone else has
them, they might be stolen or misused without the data owner knowing.
Letting users keep control: A few less popular cloud services, including Mega and SpiderOak, require
users to upload and download files through service-specific client applications that include encryption
functions. That extra step lets users keep the encryption keys themselves. For that additional security, users
forgo some functions, such as being able to search among their cloud-stored files.
These services aren’t perfect – there’s still a possibility that their own apps might be compromised or
hacked, allowing an intruder to read your files either before they’re encrypted for uploading or after being
downloaded and decrypted. And, of course, if a user loses the password, the data is irretrievable.
Protecting yourself: To maximize cloud storage security, it’s best to combine the features of these various
approaches. Before uploading data to the cloud, first encrypt it using your own encryption software. Then
upload the encoded file to the cloud. To get access to the file again, log in to the service, download it and
decrypt it yourself.
This, of course, prevents users from taking advantage of many cloud services, like live editing of shared
documents and searching cloud-stored files. And the company providing the cloud services could still
modify the data, by altering the encrypted file before you download it.
The best way to protect against that is to use authenticated encryption. This method stores not only an
encrypted file, but additional metadata that lets a user detect whether the file has been modified since it was
created.
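The "encrypt it yourself before uploading, with authenticated encryption" advice above, as an added example written for these notes (it is not code from the article or from any cloud provider). The same container also meets the portable-encrypted-file goal stated in 3.9 and the encrypted-store requirement of a password manager in 3.8. The key is derived from a passphrase with PBKDF2-HMAC-SHA256; encryption is encrypt-then-MAC, with the tag checked in constant time before anything is decrypted, so a file altered on the provider's side is rejected rather than silently decrypted to garbage. Because the standard library has no AES, the stream cipher is a stand-in built from HMAC-SHA256 in counter mode (an assumption of this example), and the container layout is this example's own; a real deployment should use AES-GCM or ChaCha20-Poly1305 from a vetted library, which provide the same authenticated-encryption guarantee.

```python
"""Passphrase-based authenticated encryption of a file for cloud upload."""
import hashlib
import hmac
import os

MAGIC = b"AEv1"
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
KDF_ITERATIONS = 200_000            # PBKDF2-HMAC-SHA256 work factor


def derive_keys(passphrase: str, salt: bytes):
    """One KDF call, split into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR: PRF(enc_key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Container: MAGIC || salt || nonce || ciphertext || tag, where the tag is
    HMAC-SHA256 over everything before it (encrypt-then-MAC)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    body = MAGIC + salt + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag in constant time first; only then decrypt."""
    header = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < header + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an AEv1 container")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = body[len(MAGIC) + SALT_LEN:header]
    ct = body[header:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong passphrase or file modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_detected(passphrase: str, blob: bytes, offset: int) -> bool:
    """Flip one bit at `offset` (as a provider could) and report whether
    open_sealed rejects the result."""
    mutated = bytearray(blob)
    mutated[offset] ^= 0x01
    try:
        open_sealed(passphrase, bytes(mutated))
        return False
    except ValueError:
        return True
```

Write the output of `seal` to disk and upload that file; the provider sees only random-looking bytes and the tag, and searching or live editing of the content is, as the article says, no longer possible on their side. A bit flipped anywhere in the container, including in the salt or nonce, fails verification.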
Watch:

 What you agree to in facebook’s terms of services, NBC news


Read:

 How secure is your data when it’s stored in the cloud?


3.14 Two Factor Authentication
Popular online services, such as Google, Facebook, Twitter, LinkedIn, Apple and Microsoft, use two factor
authentication to add an extra layer of security for account logins. Besides the username and password, or

personal identification number (PIN) or pattern (something you know), two factor authentication requires a
second factor, such as:

 Something you have: a physical object such as a credit card, ATM card, phone (a one-time code from an
authenticator app or SMS), or hardware fob
 Something you are: a biometric scan, for example a fingerprint, palm print, or facial or voice recognition
Even with two factor authentication, hackers can still gain access to your online accounts through attacks
such as phishing (a fake login page that relays the one-time code in real time), malware on the device, SIM
swapping against SMS codes, and social engineering of the provider's support staff.
3.15 OAuth 2.0
Open Authorization (OAuth) is an open standard protocol that allows an end user’s account information to
be used to access third party applications without exposing the user’s password. OAuth acts as the middle
man that decides whether to allow end users access to third party applications. For example, say you want
to access web application XYZ, and you do not have a user account for accessing this web application.
However, XYZ has the option to allow you to log in using the credentials from a social media website ABC.
So you access the website using the social media login.

For this to work, the application ‘XYZ’ is registered with ‘ABC’ and is an approved application. When you
access XYZ, you use your user credentials for ABC. Then XYZ requests an access token from ABC on
your behalf. Now you have access to XYZ. XYZ knows nothing about you and your user credentials, and
this interaction is totally seamless for the user. Using secret tokens prevents a malicious application from
getting your information and your data.
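The XYZ/ABC exchange just described, as an added example that is not from the course or from any OAuth library: a minimal authorization code flow in which ABC registers XYZ (client id, client secret and a redirect URI), authenticates the user itself, issues a one-time code, and exchanges that code plus XYZ's secret for an access token that XYZ presents to read the user's profile. The client secret, the redirect URI check and the single-use code are standard parts of OAuth 2.0 that the text does not spell out; everything runs in one process, and the user, application and profile values are constructed.

```python
"""OAuth 2.0 authorization code flow in miniature (added example, not course code).

ABC is the authorization server that holds the password; XYZ is the registered
third-party app. XYZ only ever handles a one-time code and an access token.
"""
import hashlib
import hmac
import secrets


class AuthorizationServer:
    """ABC: authenticates users, registers clients, issues codes and tokens."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 hash)
        self._profiles = {}  # username -> profile shared with approved apps
        self._clients = {}   # client_id -> (client_secret, redirect_uri)
        self._codes = {}     # one-time code -> (username, client_id)
        self._tokens = {}    # access token -> username

    def register_user(self, username, password, profile):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        self._users[username] = (salt, digest)
        self._profiles[username] = profile

    def register_client(self, name, redirect_uri):
        """Approve an application; it receives an id and a secret it must keep private."""
        client_id, client_secret = f"{name}-{secrets.token_hex(4)}", secrets.token_urlsafe(32)
        self._clients[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def _password_ok(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return hmac.compare_digest(digest, candidate)

    def authorize(self, client_id, redirect_uri, username, password):
        """The user signs in at ABC itself; ABC returns a one-time code bound to the client."""
        client = self._clients.get(client_id)
        if client is None or client[1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not self._password_ok(username, password):
            raise PermissionError("bad username or password")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (username, client_id)
        return code  # in practice delivered to the app through the registered redirect_uri

    def token(self, client_id, client_secret, code):
        """The app redeems the code, proving its own identity with its client secret."""
        client = self._clients.get(client_id)
        if client is None or not hmac.compare_digest(client[0], client_secret):
            raise PermissionError("client authentication failed")
        entry = self._codes.pop(code, None)  # pop: a code can be used exactly once
        if entry is None or entry[1] != client_id:
            raise PermissionError("invalid, used or foreign authorization code")
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = entry[0]
        return access_token

    def userinfo(self, access_token):
        """Resource endpoint: profile data for a valid token, never the password."""
        username = self._tokens.get(access_token)
        if username is None:
            raise PermissionError("invalid access token")
        return dict(self._profiles[username])


class ThirdPartyApp:
    """XYZ: logs the user in on the strength of the profile ABC vouches for."""

    def __init__(self, abc, client_id, client_secret, redirect_uri):
        self.abc, self.client_id, self.client_secret = abc, client_id, client_secret
        self.redirect_uri = redirect_uri
        self.sessions = {}

    def login_with_abc(self, code):
        access_token = self.abc.token(self.client_id, self.client_secret, code)
        profile = self.abc.userinfo(access_token)
        self.sessions[profile["email"]] = access_token
        return profile


def demo():
    """Walk through the exchange and return what XYZ ends up knowing about the user."""
    abc = AuthorizationServer()
    abc.register_user("alice", "correct horse battery staple",           # constructed user
                      {"name": "Alice", "email": "alice@example.com"})
    client_id, client_secret = abc.register_client("xyz", "https://xyz.example/callback")
    xyz = ThirdPartyApp(abc, client_id, client_secret, "https://xyz.example/callback")
    # Step 1: the user authenticates at ABC; XYZ never sees the password.
    code = abc.authorize(client_id, xyz.redirect_uri, "alice", "correct horse battery staple")
    # Step 2: XYZ exchanges the code for a token and fetches the profile.
    return xyz.login_with_abc(code)
```

Note what XYZ holds at the end: a token it can use only against ABC, and a profile. It has no way to learn the ABC password, and a code that leaks in transit is useless to anyone who does not also hold XYZ's client secret and cannot be replayed once redeemed.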

3.16 Do not share too much on social media


If you want to keep your privacy on social media, share as little information as possible. You should not
share information like your birth date, email address, or your phone number on your profile. The people
who need to know your personal information probably already know it. Do not fill out your social media
profile completely, only provide the minimum required information. Furthermore, check your social media
settings to allow only people you know to see your activities or engage in your conversations.
The more personal information you share online, the easier it is for someone to create a profile about you
and take advantage of you offline.
Have you ever forgotten the username and password for an online account? Security questions like “What
is your mother’s maiden name?” or “In what city were you born?” are supposed to help keep your account
safe from intruders. However, anyone who wants to access your accounts can search for the answers on the
Internet. You can answer these questions with false information, as long as you can remember the false
answers. If you have a problem remembering them, you can use a password manager to manage them for
you.
3.17 Email and web browser privacy
Anyone with physical access to your computer, or your router, can view which websites you have visited
using web browser history, cache, and possibly log files. This problem can be minimized by enabling the
in-private browsing mode on the web browser. Most of the popular web browsers have their own name for
private browsing mode:
• Microsoft Internet Explorer: InPrivate
• Google Chrome: Incognito
• Mozilla Firefox: Private tab / private window
• Safari: Private browsing
With private mode enabled, cookies are disabled, and temporary Internet files and browsing history are
removed after closing the window or program.
Keeping your Internet browsing history private may prevent others from gathering information about your
online activities and enticing you to buy something with targeted ads. Even with private browsing enabled
and cookies disabled, companies are developing different ways of fingerprinting users in order to gather
information and track user behavior. For example, the intermediary devices, such as routers, can have
information about a user’s web surfing history.
Ultimately, it is your responsibility to safeguard your data, your identity, and your computing devices.
When you send an email, should you include your medical records? The next time you browse the Internet,
is your transmission secure? Just a few simple precautions may save you problems later.
[Enticing: attractive or tempting]

3.18 Discover your own risky online behavior


Objectives: Explore actions performed online that may compromise your safety or privacy.
A. Explore the terms of service policy:
a. What kind of information do you share with social media sites?
1) Everything; I rely on social media to keep in touch with friends and family. (3 points)
2) Articles and news I find or read (2 points)
3) It depends; I filter out what I share and with whom I share. (1 point)
4) Nothing; I do not use social media. (0 points)
b. When you create a new account in an online service, you:
1) Re-use the same password used in other services to make it easier to remember. (3 points)
2) Create a password that is as easy as possible so you can remember it. (3 points)
3) Create a very complex password and store it in a password manager service. (1 point)
4) Create a new password that is similar to, but different from, a password used in another service. (1 point)
5) Create an entirely new strong password. (0 points)
c. When you receive an email with links to other sites:
1) You do not click the link because you never follow links sent to you via email. (0 points)
2) You click the links because the email server has already scanned the email. (3 points)
3) You click all links if the email came from a person you know. (2 points)
4) You hover the mouse on links to verify the destination URL before clicking. (1 point)
d. A pop-up window is displayed as you visit a website. It states your computer is at risk and you should
download and install a diagnostics program to make it safe:
1) You click, download, and install the program to keep your computer safe. (3 points)
2) You inspect the pop-up windows and hover over the link to verify its validity. (3 points)
3) Ignore the message, making sure you don’t click it or download the program, and close the website. (0 points)
e. When you need to log into your financial institution’s website to perform a task, you:
1) Enter your login information immediately. (3 points)
2) You verify the URL to ensure it is the institution you were looking for before entering any information. (0 points)
3) You don’t use online banking or any online financial services. (0 points)
f. You read about a program and decide to give it a try. You look around the Internet and find a trial version
on an unknown site. You:
1) Promptly download and install the program. (3 points)
2) Search for more information about the program creator before downloading it. (1 point)
3) Do not download or install the program. (0 points)
g. You find a USB drive while walking to work. You:
1) Pick it up and plug it into your computer to look at its contents. (3 points)
2) Pick it up and plug it into your computer to completely erase its contents before re-using it. (3 points)
3) Pick it up and plug it into your computer to run an anti-virus scan before re-using it for your own files. (3 points)
4) Don’t pick it up. (0 points)
h. You need to connect to the Internet and you find an open Wi-Fi hotspot. You:
1) Connect to it and use the Internet. (3 points)
2) Don’t connect to it and wait until you have a trusted connection. (0 points)
3) Connect to it and establish a VPN to a trusted server before sending any information. (0 points)
B. Analyze your online behavior:
The higher your score, the less safe your online behaviors are. The goal is to be 100% safe by paying
attention to all your online interactions. This is very important as it only takes one mistake to compromise
your computer and data.
Add up the points from Part 1. Record your score.
• 0: You are very safe online.
• 0 – 3: You are somewhat safe online but should still change your behavior to be completely safe.
• 3 – 17: You have unsafe behavior online and have a high risk of becoming compromised.
• 18 or more: You are very unsafe online and will be compromised.
Survey:
• Google Form: Analyzing Risky Online Behavior Survey

3.19 Safety tips


a. The more information you share on social media, the more you allow an attacker to know you.
With more knowledge, an attacker can craft a much more targeted attack. For example, by sharing
with the world you went to a car race, an attacker can craft a malicious email coming from the
ticketing company responsible for the race event. Because you have just been to the event, the email
seems more credible.
b. Reusing passwords is a bad practice. If you reuse a password in a service under attackers’ control,
they may be successful when attempting to log in as you in other services.
c. Emails can be easily forged to look legitimate. Forged emails often contain links to malicious sites
or malware. As a general rule, do not click embedded links received via email.
d. Do not accept any unsolicited software, especially if it comes from a web page. It is extremely
unlikely that a web page will have a legitimate software update for you. It is strongly recommended
to close the browser and use the operating system tools to check for the updates.
e. Malicious web pages can be easily made to look like a bank or financial institution website. Before
clicking the links or providing any information, double-check the URL to make sure it is the correct
web page.
f. When you allow a program to run on your computer, you give it a lot of power. Choose wisely
before allowing a program to run. Research to make sure the company or individual behind the
program is a serious and legitimate author. Also, only download the program from the official
website of the company or individual.
g. USB drives and thumb drives include a tiny controller to allow computers to communicate with them.
It is possible to infect that controller and instruct it to install malicious software on the host
computer. Because the malware is hosted in the USB controller itself and not in the data area, no
amount of erasing or anti-virus scanning will detect the malware.
h. Attackers will often deploy fake Wi-Fi hotspots to lure users. Because the attacker has access to all
the information exchanged via the compromised hotspot, users connected to that hotspot are at risk.
Never use unknown Wi-Fi hot spots without encrypting your traffic through a VPN. Never provide
sensitive data such as credit card numbers while using an unknown network (wired or wireless).
Summary
• tips for protecting your devices
• creating strong passwords
• safely using wireless networks
• data backups, data storage and deleting your data permanently
• authentication techniques

3.20 Terms and Concepts Practice

1. hardware or software that prevents hackers from accessing your personal or company data
• firewall
2. a program that scans a computer for malicious software and deletes it
• antivirus
3. monitors online activities and collects personal information without permission
• spyware
4. destroys data and can slow down a computer
• virus
5. to use the latest software and security patches/updates
• secure the browser and operating system
6. a web based device scanner
• Shodan
7. The process of converting information into a form where an unauthorized party cannot read it
• Encryption
8. An encrypted connection between a computer and a VPN server to prevent data interception
• Encrypted VPN
9. Adds an additional barrier in discovering the network and provides minimal security
• Disable an SSID broadcast
10. An open standard protocol that allows an end user to access third party applications without
exposing the password of the user
• Open Authorization (OAuth)
11. Physically destroy the hard drive or storage device
• How can you make a file unrecoverable?
12. A software or service that stores and encrypts different and complex passwords for use with online
accounts
• Password manager
13. Connect to a specific wireless network by way of a network identifier
• Service Set Identifier (SSID)
14. A public location to surf the Internet but where it is best not to access or send any sensitive personal
information
• Public Wi-Fi hot spot
15. In addition to a username and password, the requirement of a second token, such as a credit card
or phone number, to verify the credentials of a user
• Two Factor authentication
16. Do not use dictionary words or names in any language. Do not use common misspellings of
dictionary words. Do not use computer names or account names. If possible use special characters,
such as ! @ # % ^ & * ( ). Use at least a ten character password.
• How can you make a secure password?
17. Prevents the loss of irreplaceable data through a local or cloud storage solution
• Data backup
18. Enable wireless security and use the WPA2 encryption feature
• Encrypt wireless communication
19. Methods of keeping Internet browsing history private by automatically disabling cookies, deleting
temporary Internet files, and having browsing history removed after closing the window or program
• Microsoft Internet Explorer: InPrivate, Google Chrome: Incognito, Mozilla Firefox:
Private tab / private window, Safari: Private browsing

3.21 Chapter Three Quiz

1. A consumer would like to print photographs stored on a cloud storage account using a third party online
printing service. After successfully logging into the cloud account, the customer is automatically given
access to the third party online printing service. What allowed this automatic authentication to occur?
a. The cloud storage service is an approved application for the online printing service.
b. The password entered by the user for the online printing service is the same as the password used
on the cloud storage service.
c. The user is on an unencrypted network and the password for the cloud storage service is viewable
by the online printing service.

d. The account information for the cloud storage service was intercepted by a malicious application.
Ans: Open Authorization is an open standard protocol that allows end users to access third party
applications without exposing the user password. The correct answer is: The cloud storage service is an
approved application for the online printing service.
2. How can users working on a shared computer keep their personal browsing history hidden from other
workers that may use this computer?
a. Operate the web browser in private browser mode.
b. Reboot the computer after closing the web browser.
c. Move any downloaded files to the recycle bin.
d. Use only an encrypted connection to access websites.
Ans: When a computer user browses the web in private mode, the following occurs:
• Cookies are disabled.
• Temporary Internet files are removed after closing the window.
• Browsing history is removed after closing the window.
The correct answer is: Operate the web browser in private browser mode.
3. A user is having difficulty remembering passwords for multiple online accounts. What is the best solution
for the user to try?
a. Write the passwords down and place them out of sight.
b. Save the passwords in a centralized password manager program.
c. Create a single strong password to be used across all online accounts.
d. Share the passwords with the network administrator or computer technician.
Ans: A password manager can be used to store and encrypt multiple passwords. A master password can be
implemented to protect the password manager software.
The correct answer is: Save the passwords in a centralized password manager program.
4. A network administrator is conducting a training session to office staff on how to create a strong and
effective password. Which password would most likely take the longest for a malicious user to guess or
break?
a. mk$$cittykat104#
b. super3secret2password1
c. 10characters
d. drninjaphd
Ans: When choosing a good password:
• Do not use dictionary words or names in any languages.
• Do not use common misspellings of dictionary words.
• Do not use computer names or account names.
• If possible use special characters, such as ! @ # $ % ^ & * ( ).
• Use a ten character password or more.
The correct answer is: mk$$cittykat104#

5. Which configuration on a wireless router is not considered to be adequate security for a wireless network?
a. modify the default SSID and password of a wireless router
b. enabling wireless security
c. implement WPA2 encryption
d. prevent the broadcast of an SSID
Ans: A wireless router can be configured to not allow the SSID to be broadcast, but that configuration is
not considered to be adequate security for a wireless network.
The correct answer is: prevent the broadcast of an SSID
6. What is the best method to prevent Bluetooth from being exploited?
a. Always use a VPN when connecting with Bluetooth.
b. Always disable Bluetooth when it is not actively used.
c. Only use Bluetooth to connect to another smartphone or tablet.
d. Only use Bluetooth when connecting to a known SSID.
Ans: Bluetooth is a wireless technology that can be exploited by hackers to eavesdrop, establish remote
access controls, and distribute malware. A user should keep Bluetooth turned off when not in use.
The correct answer is: Always disable Bluetooth when it is not actively used.
7. Why do IoT devices pose a greater risk than other computing devices on a network?
a. Most IoT devices do not require an Internet connection and are unable to receive new updates.
b. IoT devices cannot function on an isolated network with only an Internet connection.
c. Most IoT devices do not receive frequent firmware updates.
d. IoT devices require unencrypted wireless connections.
Ans: IoT devices commonly operate using their original firmware and do not receive updates as frequently
as laptops, desktops, and mobile platforms.
The correct answer is: Most IoT devices do not receive frequent firmware updates.
8. A user is surfing the Internet using a laptop at a public WiFi cafe. What should be checked first when the
user connects to the public network?
a. if the laptop web browser is operating in private mode
b. if the laptop requires user authentication for file and media sharing
c. if the laptop Bluetooth adapter is disabled
d. if the laptop has a master password set to secure the passwords stored in the password manager
Ans: When a user connects to a public network, it is important to know if the computer is configured with
file and media sharing and that it requires user authentication with encryption.
The correct answer is: if the laptop requires user authentication for file and media sharing
9. Which technology removes direct equipment and maintenance costs from the user for data backups?
a. network attached storage
b. a cloud service
c. an external hard drive

d. a tape
Ans: The cost of cloud storage commonly depends on the amount of storage space needed. The cloud
provider will maintain the equipment and the cloud user will have access to the backup data.
The correct answer is: a cloud service
10. As data is being stored on a local hard disk, which method would secure the data from unauthorized
access?
a. data encryption
b. deletion of sensitive files
c. two factor authentication
d. a duplicate hard drive copy
Ans: Data encryption is the process of converting data into a form where only a trusted, authorized person
with a secret key or password can decrypt the data and access the original form.
The correct answer is: data encryption
11. Which type of technology can prevent malicious software from monitoring user activities, collecting
personal information, and producing unwanted pop-up ads on a user computer?
a. two factor authentication
b. password manager
c. firewall
d. antispyware
Ans: Antispyware software is commonly installed on a user machine to scan and remove malicious spyware
software installed on a device.
The correct answer is: antispyware
12. How can a user prevent others from eavesdropping on network traffic when operating a PC on a public
Wi-Fi hot spot?
a. Use WPA2 encryption.
b. Create strong and unique passwords.
c. Disable Bluetooth.
d. Connect with a VPN service.
Ans: When a user connects through an encrypted VPN tunnel on a public Wi-Fi network, any data being
sent or received from the user will be undecipherable.
The correct answer is: Connect with a VPN service.

Some questions

When connecting to a public hotspot, check whether it asks for any credential information, such as a
username/password for logging in to Facebook. If it does, that must not be given, because in that case
there is a chance it ends up with a hacker, directly in plain text.

And even if no credential information is required, a hacker can still see which websites I am visiting and
so on. If a VPN is used, that information is also passed in encrypted form, so even if I fall victim to
eavesdropping, no information leaks.

Often, when a WPA2 key reinstallation attack happens, HTTPS no longer works, so the data is not passed in
encrypted form. In that case too, a hacker can monitor from the background. And when HTTPS suddenly
stops working, one does not even notice it; they take advantage of this opportunity. Now the million-dollar
question: if HTTPS encrypts properly and the VPN also does encryption, is encryption happening twice
when we browse the web over HTTPS with the VPN running?

Chapter 4: Protecting the Organization
This chapter:
• briefly covers the many types of firewalls, security appliances, and software that are currently used
• explains botnets, the kill chain, and behavior-based security
• explains using NetFlow to monitor a network.

4.1 Firewall Types


A firewall is a wall or partition that is designed to prevent fire from spreading from one part of a building
to another. In computer networking, a firewall is designed to control, or filter, which communications are
allowed in and which are allowed out of a device or network.
A firewall can be installed on a single computer with the purpose of protecting that one computer (host-
based firewall), or it can be a stand-alone network device that protects an entire network of computers and
all of the host devices on that network (network-based firewall).
Over the years, as computer and network attacks have become more sophisticated, new types of firewalls
have been developed which serve different purposes in protecting a network. Here is a list of common
firewall types:

• Network Layer Firewall – filtering based on source and destination IP addresses
• Transport Layer Firewall – filtering based on source and destination data ports, and filtering based
on connection states
• Application Layer Firewall – filtering based on application, program or service
• Context Aware Application Firewall – filtering based on the user, device, role, application type,
and threat profile
• Proxy Server – filtering of web content requests like URL, domain, media, etc.
• Reverse Proxy Server – placed in front of web servers, reverse proxy servers protect, hide, offload,
and distribute access to web servers
• Network Address Translation (NAT) Firewall – hides or masquerades the private addresses of
network hosts
• Host-based Firewall – filtering of ports and system service calls on a single computer operating
system

4.2 Firewall Types and Generations Explained

We can break firewalls down into a few different types:
• Packet Filters
• Stateful Firewalls
• Circuit-Level Gateways/Firewalls
• Application Level Gateways/Firewalls
Firewall technologies have evolved a lot over the past 30 years. It is common these days for firewalls to be
able to do many different things. Nobody cares which generation a firewall belongs to unless you’re talking
about the history of firewalls, which is where I’d start, because how firewalls evolved matters.
Packet Filters: The simplest of the firewalls, a packet filtering router is nothing more than a router with an
access control list. The access control list is quite limited in what it can do. It looks at source and/or
destination IP address; it can look at the network-layer protocol in use, whether IP, IPX or IPv6; and it
can look at the next-layer protocol in use, for instance TCP, UDP, GRE, ICMP, etc. So it has the capacity
to identify protocols and permit or deny them based on the protocol in use. You can identify where the
traffic is coming from or going to, based on the IP address. It can also look at things like DHCP for
quality-of-service related attributes.
Benefits: comparatively inexpensive, fast, fairly easy to implement, and ubiquitous in routers and switches.
We see this kind of functionality in huge numbers of devices, from wireless access points to layer 3 switches
and old-fashioned routers.
Disadvantages: Savvy attackers will get around them; they are not insurmountable. They will keep the
average person from doing things you don’t want them to do, but somebody with sufficient motive,
opportunity and means will bypass them very easily. The other big issue with packet filtering routers or
packet filtering firewalls is that they look at each packet as if it were a unique entity; no other information
is relevant or pertinent. When a packet comes in, the packet filtering firewall looks at it, makes a decision
based on its rule set, and either permits or denies it. Then it moves on to the next packet with no memory
of the packet that came before, so packets are decided on one by one, with absolutely no consideration for
anything that came before. When we talk about the other firewall types, that is actually a problem. For that
reason you could call them stateless firewalls (though nobody actually does). They don’t handle
fragmentation very well, and looking at the payload, which is often very high on people’s list of priorities,
is something a regular packet filtering router can’t do. Because it is so comparatively easy to circumvent,
maintains no concept of state, and has no capacity to inspect the application-layer payload, the packet
filtering router is considered to be the least secure form of firewall. But they do have a place in the world;
I don’t take that to mean they don’t work at all, because they do.
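To make the "no memory of the packet that came before" point concrete, here is an added example (not from the course or from the video) that runs the same three packets through a stateless access list and through a stateful connection table. The ACL admits inbound TCP packets with the classic "established" match (ACK or RST flag set), which is exactly what lets an inbound packet nobody asked for through; the stateful device admits only replies to a connection it watched the inside host open. Addresses, ports and rules are constructed for the demo.

```python
"""Stateless ACL versus stateful connection tracking (added example, not course code).

A stateless filter judges each packet by its own header fields; a stateful firewall
remembers connections the inside opened and admits only matching replies.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional
import ipaddress

INSIDE = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: FrozenSet[str]   # TCP flags such as {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: Optional[str] = None   # CIDR, or None for any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False   # classic 'established' keyword: ACK or RST set

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


class StatelessFilter:
    """Access control list: first matching rule wins, implicit deny at the end."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFirewall:
    """Allows anything outbound; inbound only when it answers a connection it saw opened."""

    def __init__(self, inside):
        self.inside = inside
        self.table = set()  # (inside ip, inside port, outside ip, outside port)

    def decide(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in self.inside:
            if pkt.proto == "tcp" and pkt.flags == frozenset({"SYN"}):
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        return "permit" if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table else "deny"


def run_scenario():
    """Same three packets through both devices; returns (acl decision, stateful decision) each."""
    acl = StatelessFilter([
        Rule("permit", src="192.168.1.0/24"),                                  # anything outbound
        Rule("permit", dst="192.168.1.0/24", proto="tcp", established=True),  # 'replies' inbound
    ])
    fw = StatefulFirewall(INSIDE)
    request = Packet("192.168.1.10", "203.0.113.5", "tcp", 51000, 443, frozenset({"SYN"}))
    reply = Packet("203.0.113.5", "192.168.1.10", "tcp", 443, 51000, frozenset({"SYN", "ACK"}))
    # Inbound packet with only ACK set, aimed at a port nobody inside opened a connection from.
    unsolicited = Packet("198.51.100.7", "192.168.1.10", "tcp", 40000, 3389, frozenset({"ACK"}))
    results = {}
    for name, pkt in [("request", request), ("reply", reply), ("unsolicited", unsolicited)]:
        results[name] = (acl.decide(pkt), fw.decide(pkt))
    return results
```

The ACL has no way to tell the genuine reply from the unsolicited packet: both carry ACK and both are addressed to the inside network, so both match rule 2. The stateful device keys its decision on the four-tuple it recorded when the inside host sent its SYN, so only the real reply gets through.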
[There is an experiment in the next part of the video (below) which illustrates that “you cannot defend
yourself from the internet using just packet filtering routers”. There were two types of attack. A VM is
needed to do that.]
To be continued…
Watch:
• Firewall Types & Generations Explained - Part 1 of 2
• Firewall Types & Generations Explained - Part 2 of 2
4.3 Quick Quiz: Identify the firewall type

[Masquerade = disguise]

4.4 Port Scanning


Port-scanning is a process of probing a computer, server or other network host for open ports.

In networking, each application running on a device is assigned an identifier called a port number. This
port number is used on both ends of the transmission so that the right data is passed to the correct
application. Port-scanning can be used maliciously as a reconnaissance tool to identify the operating
system and services running on a computer or host, or it can be used harmlessly by a network
administrator to verify network security policies on the network.
For the purposes of evaluating your own computer network’s firewall and port security, you can use a port-
scanning tool like Nmap to find all the open ports on your network. Port-scanning can be seen as a
precursor to a network attack and therefore should not be done on public servers on the Internet, or on a
company network without permission.
To execute an Nmap port-scan of a computer on your local home network, download and launch a program
such as Zenmap, provide the target IP address of the computer you would like to scan, choose a default
scanning profile, and press scan. The Nmap scan will report any services that are running (e.g., web
services, mail services, etc.) and port numbers. The scanning of a port generally results in one of three
responses:

 Open or Accepted – The host replied indicating a service is listening on the port.
 Closed, Denied, or Not Listening – The host replied indicating that connections will be denied to
the port.
 Filtered, Dropped, or Blocked – There was no reply from the host.
To execute a port-scan of your network from outside of the network, you will need to initiate the scan from
outside of the network. This will involve running an Nmap port-scan against your firewall or router’s public
IP address. To discover your public IP address, use a search engine such as Google with the query “what is
my ip address”. The search engine will return your public IP address.
To run a port-scan for six common ports against your home router or firewall, go to the Nmap Online Port
Scanner at https://hackertarget.com/nmap-online-port-scanner/ and enter your public IP address in the input
box: IP address to scan… and press Quick Nmap Scan. If the response is open for any of the ports: 21, 22,
25, 80, 443, or 3389 then most likely, port forwarding has been enabled on your router or firewall, and you
are running servers on your private network , as shown in the figure.

Fig: Using Zenmap to find open ports

Zenmap is a cool, free tool that you can use to discover network devices, either on your home network or
your work network. It’s a really awesome tool if you want to figure out whether you have any unauthorized
or rogue devices on your network. Before you can figure out what devices are unauthorized, you first have
to establish a baseline. [Run a scan later on and compare it against that baseline.]
One caveat with Zenmap is that for it to be accurate for network discovery, we need to run the tool from
the same subnet that we’re scanning. This is because Zenmap uses arping to discover the devices. If we
relied on ping, or on looking for open TCP ports, we would miss a lot of devices, because a lot of devices
typically have inbound traffic blocked, including ICMP echo requests. If a device is on a different subnet
from the one we’re running Zenmap from, we won’t be able to discover it.

• What is Zenmap? How is it used to scan a subnet? How to add notes and save a scan as a baseline?
How to add a new scan and compare it against the baseline?
Zenmap is a graphical user interface for Nmap. All it really does is run nmap in the background.
Cmd> ipconfig> I got my IP address (IPv4)
• What will be my subnet mask in CIDR notation (/24)?
Like 192.168.0.1/24
/24 => Subnet Mask: 255.255.255.0
When the subnet mask is 255.255.255.0, the CIDR prefix is /24.
Again, 255.255.248.0 gives CIDR /21.

Here 192.168.43 is going to be part of the network ID, because the mask is all 1s there
(255.255.255 = 11111111.11111111.11111111 => 24 one bits).
IP address, 4th octet: 192; subnet mask, 4th octet: 0
IP:  11000000 (192)
SNM: 00000000 (0)
So none of the 4th octet’s bits belong to the network ID: 0.
Network ID: 192.168.43.0/24
If the 4th octet of the subnet mask were 11000000 (192), we could use the first two bits of the IP
address’s 4th octet, so it would be 192.168.43.192/26, as 192 (11000000) is part of the network ID.
If the 4th octet of the subnet mask were 10000000 (128), we could use only the first bit of the IP
address’s 4th octet, so 10000000 = 128 and it would be 192.168.43.128/25.
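The hand calculation above, done with Python's standard `ipaddress` module as an added example that is not course code: it converts between dotted masks and prefix lengths, applies each of the three masks discussed to the host address 192.168.43.192, shows the last-octet bits the notes work through, and rejects a non-contiguous mask, which a naive "count the ones" shortcut would silently accept.

```python
"""Subnet masks, CIDR prefixes and network IDs with the stdlib (added example, not course code)."""
import ipaddress


def prefix_from_mask(mask: str) -> int:
    """'255.255.248.0' -> 21. Raises ValueError for a non-contiguous mask such as 255.0.255.0."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def mask_from_prefix(prefix: int) -> str:
    """21 -> '255.255.248.0'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def network_id(ip: str, mask_or_prefix) -> str:
    """AND the host address with the mask: ('192.168.43.192', '255.255.255.192') -> '192.168.43.192/26'.

    strict=False lets us pass a host address rather than an already-zeroed network address.
    """
    net = ipaddress.IPv4Network(f"{ip}/{mask_or_prefix}", strict=False)
    return f"{net.network_address}/{net.prefixlen}"


def last_octet_binary(ip: str, mask_or_prefix) -> dict:
    """The 4th octet of IP, mask and their AND in binary, plus usable host count (for /30 and wider)."""
    net = ipaddress.IPv4Network(f"{ip}/{mask_or_prefix}", strict=False)
    ip_oct = int(ipaddress.IPv4Address(ip)) & 0xFF
    mask_oct = int(net.netmask) & 0xFF
    return {"ip": format(ip_oct, "08b"), "mask": format(mask_oct, "08b"),
            "network": format(ip_oct & mask_oct, "08b"), "hosts": net.num_addresses - 2}


def walk_through(ip: str = "192.168.43.192") -> dict:
    """Reproduce the three cases from the notes for one host address."""
    return {mask: network_id(ip, mask) for mask in ("255.255.255.0", "255.255.255.192", "255.255.255.128")}
```

The string `network_id` returns is what goes into Zenmap's target box when you want the whole subnet a host sits on, and `prefix_from_mask` is the quick way to turn the mask `ipconfig` prints into the `/N` suffix.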
 Zenmap- Lab:
Use the subnet mask 192.168.43.0/24 as target
-Pn means-> don’t ping the host, just assume it’s online,
-n -> we don’t really need to go into a reverse lookup of the IP address to the hostname

72
Protecting the Organization

-F -> which would do a fast scan


Go to profile> Profile name
Scan…

For more into/help -> go to cmd -> type ‘nmap’


A list of options opens, including:
-F: Fast mode - Scan fewer ports than the default scan (top 100 ports)
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
-Pn: Treat all hosts as online -- skip host discovery
On the left we can see all the devices; for example, an OPPO mobile phone connected to the home network.
We're able to figure out which devices are on our subnet without needing any open port on the device, and
without having to ping that device.

You can click on Services here. This will show you all the services discovered on this particular subnet.
This might be your baseline; if you know these devices, you can add a comment (click on a host, then
Host Details > then a comment like 'domain controller').
You may want to save this result; this will be our baseline. Go to Scan > Save Scan > give a name (discovery 1)
and save it to a location.


Next, run another scan and save the result (you can view it as a web page). Go to Tools > Compare Results > open
the two XML files; this compares them. Also, from 'Scan Output' under A scan and B scan, we can see the files
individually.
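The baseline comparison that Tools > Compare Results performs, reproduced as an added Python example (not Zenmap's own code) over two constructed, minimal nmap XML documents: it lists hosts that appeared or disappeared and, per host, services that opened or closed since the saved baseline. A real nmap XML file has many more elements; only those the comparison reads are included.

```python
import xml.etree.ElementTree as ET

# Two constructed nmap-XML documents standing in for the saved "discovery 1"
# baseline and a later scan. Added illustration, not output of any real scan.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.43.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.43.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>"""

NEW_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.43.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.43.57" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>"""

def parse_scan(xml_text):
    """Return {ipv4: {(proto, port, service), ...}} for every host that is up; open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no services worth diffing
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_ports.add((port.get("protocol"), int(port.get("portid")),
                                svc.get("name") if svc is not None else "?"))
        hosts[addr.get("addr")] = open_ports
    return hosts

def compare_scans(baseline, current):
    """Diff two parse_scan() results: new/missing hosts and per-host new/closed services."""
    report = {
        "new_hosts": sorted(set(current) - set(baseline)),
        "missing_hosts": sorted(set(baseline) - set(current)),
        "new_services": {},
        "closed_services": {},
    }
    for ip in set(baseline) & set(current):
        added = current[ip] - baseline[ip]
        removed = baseline[ip] - current[ip]
        if added:
            report["new_services"][ip] = sorted(added)
        if removed:
            report["closed_services"][ip] = sorted(removed)
    return report

if __name__ == "__main__":
    for key, value in compare_scans(parse_scan(BASELINE_XML), parse_scan(NEW_SCAN_XML)).items():
        print(f"{key}: {value}")
```

A new host and a newly opened service (here telnet on the gateway and RDP on an unknown device) are exactly the changes a defender wants flagged against the baseline.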
Watch:
 How to use Zenmap to discover your network devices
 IPv4 Addressing: Network IDs and Subnet Masks
4.5 Quick Quiz: Identify the Port Scan Response
Host did not reply -> Dropped
Host replied indicating the connection will be denied to the port -> Not listening
Host replied indicating the connection will be denied to the port -> Closed
Host replied indicating a service is listening on the port -> Open
Host did not reply -> Filtered
Host replied indicating the connection will be denied to the port -> Denied
Host replied indicating a service is listening on the port -> Accepted

4.6 Security Appliances


Today there is no single security appliance or piece of technology that will solve all network security needs.
Because there is a variety of security appliances and tools that need to be implemented, it is important that
they all work together. Security appliances are most effective when they are part of a system.
Security appliances can be stand-alone devices, like a router or firewall, a card that can be installed into a
network device, or a module with its own processor and cached memory. Security appliances can also be
software tools that are run on a network device. Security appliances fall into these general categories:

 Routers - Cisco Integrated Services Router (ISR) routers have many firewall capabilities
besides just routing functions, including traffic filtering, the ability to run an Intrusion Prevention
System (IPS), encryption, and VPN capabilities for secure encrypted tunneling.
 Firewalls - Cisco Next Generation Firewalls have all the capabilities of an ISR router, as well as
advanced network management and analytics.
 IPS - Cisco Next Generation IPS devices are dedicated to intrusion prevention.
 VPN - Cisco security appliances are equipped with Virtual Private Network (VPN) server and
client technologies. It is designed for secure encrypted tunneling.
 Malware/Antivirus - Cisco Advanced Malware Protection (AMP) comes in next generation
Cisco routers, firewalls, IPS devices, Web and Email Security Appliances and can also be installed
as software in host computers.
 Other Security Devices – This category includes web and email security appliances, decryption
devices, client access control servers, and security management systems.


4.7 Quick Quiz: Identify the Security Appliance

Remember:

 Intrusion Prevention System (IPS)
 Advanced Malware Protection (AMP)
 Virtual Private Network (VPN)
 Integrated Services Router (ISR)
4.8 VPN Routers
If you use a VPN service, you’ve likely already encountered the annoyance of having to install the VPN
software onto all of your devices. The advantages of going with a VPN router are obvious: you get to encrypt
your data, remain anonymous online, and even access region-restricted websites. While it’s possible to
install a VPN on a normal Wi-Fi router, it’s simpler to get a VPN router. Some of the best VPN routers on the market are:
1. ZyXEL USG60W: Best small business VPN router. The business-focused ZyXEL USG60W
VPN router is a great solution for small offices. In addition to VPN connectivity it features multi-
threat mechanisms such as a firewall and Kaspersky anti-virus to protect your network from
threats and spam. This VPN router can even help with productivity: it supports content
filtering that allows you to deny access to non-business-related websites like YouTube, Facebook,
Netflix, and others. It also has an integrated WLAN controller, making it easy to spread the internet
connection throughout the office. The ZyXEL USG60W is an all-in-one solution: it lets you
manage VPN, wireless, and security from one device, priced at $399.99.
2. Linksys WRT AC3200: Best VPN router for home usage. The Linksys WRT AC3200 is open
source ready, so you can customize it with OpenWrt and DD-WRT. You can set up a secure VPN,
turn the router into a web server, detect network intrusions and more. The router also features MU-
MIMO technology for delivering a fast Wi-Fi connection to multiple devices simultaneously, and
it has a companion app for creating separate guest networks, prioritizing your devices, and setting
parental controls. The Linksys WRT AC3200 offers loads of features, which means it isn’t the cheapest
router out there.


4.9 Detecting Attacks in Real Time

Software is not perfect. When a hacker exploits a flaw in a piece of software before the creator can fix it,
it is known as a zero-day attack. Due to the sophistication and enormity of zero-day attacks found today, it
is becoming common that network attacks will succeed and that a successful defense is now measured in
how quickly a network can respond to an attack. The ability to detect attacks as they happen in real time,
as well as stopping the attacks immediately, or within minutes of occurring, is the ideal goal. Unfortunately,
many companies and organizations today are unable to detect attacks until days or even months after they
have occurred.
Real Time Scanning from Edge to Endpoint - Detecting attacks in real time requires actively scanning
for attacks using firewall and IDS/IPS network devices. Next generation client/server malware detection
with connections to online global threat centers must also be used. Today, active scanning devices and
software must detect network anomalies using context-based analysis and behavior detection.

DDoS Attacks and Real Time Response - DDoS is one of the biggest attack threats requiring real-time
response and detection. DDoS attacks are extremely difficult to defend against because the attacks originate
from hundreds, or thousands of zombie hosts, and the attacks appear as legitimate traffic, as shown in the
figure above. For many companies and organizations, regularly occurring DDoS attacks cripple Internet
servers and network availability. The ability to detect and respond to DDoS attacks in real-time is crucial.

Moral of the story

Any system can be hacked. Defense is measured by how quickly you can respond after an attack happens. Many
companies go on like this day after day, even month after month, without being able to identify that their
system has been hacked, because hackers don't do anything that would make everyone realize it the moment the
system is hacked, or that would trigger some notification! To detect an attack, you have to keep scanning
continuously through the firewall and IDS/IPS devices for anything suspicious that looks like an attack. One
of the biggest attacks is the DDoS attack. It is prepared in advance by creating a botnet, by distributing a
virus. When a thousand or so PCs, or many more, come under the botnet's control, the hacker effectively has a
supercomputer in hand, because if all the PCs in the botnet attack together, a lot of CPU power can be used,
and there is no way to stop that attack. Again, when a zero-day attack happens there is no defense prepared in
advance, since it comes from a bug in the system. So a company may get attacked, but it must take measures as
soon as the attack happens, as quickly as possible.


4.10 Protecting Against Malware


How do you provide defense against the constant presence of zero-day attacks, as well as advanced
persistent threats (APT) that steal data over long periods of time? One solution is to use an enterprise-
level advanced malware detection solution that offers real-time malware detection.
Network administrators must constantly monitor the network for signs of malware or behaviors that reveal
the presence of an APT. Cisco has an Advanced Malware Protection (AMP) Threat Grid that analyzes
millions of files and correlates them against hundreds of millions of other analyzed malware
artifacts. This provides a global view of malware attacks, campaigns, and their distribution. AMP
is client/server software deployed on host endpoints, as a standalone server, or on other network security
devices.
AMP Threat Grid Benefits: Cisco AMP Threat Grid benefits security functions across the organization:
1. Security Operations Center Team: Get more accurate, actionable data.
2. Incident Response Team: Use forensically sound information to understand suspicious
behavior faster.
3. Threat Intelligence Team: Proactively improve security infrastructure.
4. Security Infrastructure Engineering Team: Consume and act on threat information faster and
in an automated manner.
Back in the day, organizations depended on antivirus or an IPS to defend against attacks. These evaluate traffic
at a single point in time: with no further intelligence, they let the good stuff in and keep the bad stuff out.
Now nation-states and crime syndicates create advanced malware that bypasses this one-time, single-point
protection, disrupting functions and stealing confidential information, while no tool gives visibility into
the scope of a malware breach or the capability to stop it. Furthermore, with so many attacks and alerts, it’s
hard to distinguish real threats from the noise. Hiring a third party, or investigating on our own, would cost
a huge amount of time and money, which makes our work fail. Cisco’s AMP solution provides protection before,
during and after an attack. If a file that looked good now behaves badly, AMP is there to catch it and send a
prioritized alert. The user can quickly get a picture of what’s going on in his system, which helps to find
where it was affected and how to stop it.
Watch:
 Cisco Advanced Malware Protection (AMP)
 Advanced Malware Protection (AMP) & Threat Grid on Cisco Email Security
4.11 Security Best Practices
Many national and professional organizations have published lists of security best practices. The following
is a list of some security best practices:

 Perform Risk Assessment – Knowing the value of what you are protecting will help in justifying
security expenditures.
 Create a Security Policy – Create a policy that clearly outlines company rules, job duties,
and expectations.
 Physical Security Measures – Restrict access to networking closets and server locations, as well
as fire suppression.
 Human Resource Security Measures – Employees should be properly researched with
background checks.


 Perform and Test Backups – Perform regular backups and test data recovery from backups.
 Maintain Security Patches and Updates – Regularly update server, client, and network device
operating systems and programs.
 Employ Access Controls – Configure user roles and privilege levels as well as strong user
authentication.
 Regularly Test Incident Response – Employ an incident response team and test emergency
response scenarios.
 Implement a Network Monitoring, Analytics and Management Tool - Choose a security
monitoring solution that integrates with other technologies.
 Implement Network Security Devices – Use next generation routers, firewalls, and other security
appliances.
 Implement a Comprehensive Endpoint Security Solution – Use enterprise level antimalware
and antivirus software.
 Educate Users – Educate users and employees in secure procedures.
 Encrypt data – Encrypt all sensitive company data including email.
Some of the most helpful guidelines are found in organizational repositories such as the National Institute
of Standards and Technology (NIST) Computer Security Resource Center. One of the most widely known
and respected organizations for cybersecurity training is the SANS Institute. Go here to learn more about
SANS and the types of training and certifications they offer.
4.12 SANS
Training is very good but that’s too expensive. SANS is the most trusted and by far the largest source
for information security training and security certification in the world. SANS provides intensive,
immersion training designed to help you and your staff master the practical steps necessary for defending
systems and networks against the most dangerous threats - the ones being actively exploited. The courses
are full of important and immediately useful techniques that you can put to work as soon as you return to
your offices. To find the best teachers in each topic in the world, SANS runs a continuous competition for
instructors. Last year more than 90 people tried out for the SANS faculty, but only five new people were
selected. Many of the valuable SANS resources are free to all who ask. They include the very
popular Internet Storm Center (the Internet's early warning system), the weekly news digest (NewsBites),
the weekly vulnerability digest (@RISK), and more than 1,200 award-winning, original information
security research papers.

 SANS Information Security Reading Room - More than 3070 original research papers in 111
important categories of security
 SANS Weekly Bulletins and Alerts - Definitive updates on security news and vulnerabilities
 SANS Security Policy Project - Free Security Policy Templates - Proven in the real world

Visit:
 GIAC Certification
 SANS


4.12 Botnet
A botnet is a group of bots, connected through the Internet, with the ability to be controlled by a malicious
individual or group. A bot computer is typically infected by visiting a website, opening an email attachment,
or opening an infected media file.
A botnet can have tens of thousands, or even hundreds of thousands of bots. These bots can be activated to
distribute malware, launch DDoS attacks, distribute spam email, or execute brute force password
attacks. Botnets are typically controlled through a command and control server.
Cyber criminals will often rent out Botnets, for a fee, to third parties for nefarious purposes.

4.13 The Kill chain in cyberdefense


In cybersecurity, the Kill Chain is the stages of an information systems attack. Developed by Lockheed
Martin as a security framework for incident detection and response, the Cyber Kill Chain comprises
the following stages:

 Stage 1. Reconnaissance - The attacker gathers information about the target.
 Stage 2. Weaponization - The attacker creates an exploit and malicious payload to send to the
target.
 Stage 3. Delivery - The attacker sends the exploit and malicious payload to the target by email or
other method.
 Stage 4. Exploitation - The exploit is executed.
 Stage 5. Installation - Malware and backdoors are installed on the target.
 Stage 6. Command and Control - Remote control of the target is gained through a command and
control channel or server.
 Stage 7. Action - The attacker performs malicious actions like information theft, or executes
additional attacks on other devices from within the network by working through the Kill Chain
stages again.
[exploit: make full use of and derive benefit from (a resource)]
To defend against the Kill Chain, network security defenses are designed around the stages of the Kill
Chain. These are some questions about a company’s security defenses, based on the Cyber Kill Chain:


 What are the attack indicators at each stage of the Kill Chain?
 Which security tools are needed to detect the attack indicators at each of the stages?
 Are there gaps in the company’s ability to detect an attack?
According to Lockheed Martin, understanding the stages of Kill Chain allowed them to put up defensive
obstacles, slow down the attack, and ultimately prevent the loss of data. The figure shows how each stage
of the Kill Chain equates to an increase in the amount of effort and cost to inhibit and remediate attacks.

4.14 Quick Quiz: Order of the Stages of Kill chain

[Reconnaissance: military observation of a region to locate an enemy or ascertain strategic features.]


4.15 Behavior-Based Security


Behavior-based security is a form of threat detection that does not rely on known malicious signatures,
but instead uses informational context to detect anomalies in the network. Behavior-based
detection involves capturing and analyzing the flow of communication between a user on the local network
and a local, or remote destination. These communications, when captured and analyzed, reveal context and
patterns of behavior which can be used to detect anomalies. Behavior-based detection can discover the
presence of an attack by a change from normal behavior.

 Honeypots - A Honeypot is a behavior-based detection tool that first lures the attacker in by
appealing to the attacker’s predicted pattern of malicious behavior, and then, when inside the
honeypot, the network administrator can capture, log, and analyze the attacker’s behavior. This
allows an administrator to gain more knowledge and build a better defense.
 Cisco’s Cyber Threat Defense Solution Architecture - This is a security architecture that uses
behavior-based detection and indicators, to provide greater visibility, context, and control. The goal
is to know who, what, where, when, and how an attack is taking place. This security architecture
uses many security technologies to achieve this goal.

4.16 What are honeypots?


Honeypots are a recent innovation in intrusion detection technology: they are traps designed to attract
potential intruders and track their activities. The main aim of such systems is to collect information about
the intruder’s activities, divert them from accessing the critical systems, and keep them occupied on the
decoy for some time so that the network administrator can take action accordingly. Honeypots are fabricated
to look like real systems by putting realistic-looking information into them so that they appear valuable to
potential intruders; legitimate users, however, are not told about or allowed to access these systems. If
anyone actually accesses a honeypot, he or she is a potential attacker. Honeypots are equipped with various
sensors and loggers to detect access and track the intruder’s activities. How does it work? In the IT network
a system is set up where, for example, the RDP port 3389 is allowed and the username and password are very
generic ones that can be cracked very easily. For example, there is a public IP with port 3389 allowed and
the username and password are ‘system admin’ and ‘system admin’. This is a honeypot system, actually separated
from the rest of the corporate network; any intruder or attacker who comes into the system and breaks the
password will see what looks like a real system, with all the network connections and so on, but that system
is nothing but a honeypot. The attacker is fooled in this way, and this is one of the latest intrusion
detection technologies. One more really good thing about honeypots is that they come with sensors and loggers
that detect the access and block certain privileges from the attacker. So by deploying a honeypot, a company
can get a lot of insight into what an attacker is looking to access, as well as his main motive for getting
access to the corporate systems inside the network.
Cisco’s cyber security solution: within Cyber Threat Defense there are a few components that make it
work. One: we partnered with a company called Lancope that brings it all together under a single pane of
glass. The Cisco piece is NetFlow, produced by our routers and switches, which acts like a phone bill for
your network: it sees every piece of information that goes across your network and feeds it into Lancope
for them to correlate. Besides just bringing in and looking at the data, we need to know who is actually
accessing this information, or who the bad guy is in the network. That is the piece of Cisco context
information from our Identity Services Engine, which feeds the who, what, where, when, why and how of a
cyber-threat defense.
Watch:
 What are honeypots? Network Security

4.17 NetFlow
NetFlow technology is used to gather information about data flowing through a network. NetFlow
information can be likened to a phone bill for your network traffic. It shows you who and what devices are
in your network, as well as when and how users and devices accessed your network. NetFlow is an
important component in behavior-based detection and analysis. Switches, routers, and firewalls equipped
with NetFlow can report information about data entering, leaving, and travelling through the network.
Information is sent to NetFlow Collectors that collect, store, and analyze NetFlow records.
NetFlow is able to collect information on usage through many different characteristics of how data is moved
through the network, as shown in the figure. By collecting information about network data flows, NetFlow
is able to establish baseline behaviors on more than 90 different attributes.


When a packet enters an interface and the router hasn’t seen that flow before, it decides whether or not to
route the datagram. If it forwards the datagram, it makes an entry in the flow cache on the router based on
matching criteria in the packet. The flow cache entry contains things like the destination and source IP
addresses, the destination and source ports, the source interface, the protocol, the byte count and some other
details; the packet is then routed out the destination interface. As following packets that match an existing
flow entry come into the router, the byte and packet counters keep incrementing for each additional datagram,
until the connection between the hosts involved in the flow is torn down. So packets that enter the router
without a matching flow entry are first determined to be routable and, if they are accepted, are forwarded
after a flow cache entry is made. A flow cache can contain hundreds of thousands of entries and in some cases
millions.

When flows expire they are exported to the NetFlow collector, which constantly analyzes and archives the
flows for future reference. The NetFlow collector can then provide details on things like the threats
detected, the network topology, top interfaces and of course graphical trends.
NetFlow is used for finding bandwidth hogs, hunting down network threats, isolating application slowness
issues, and even for usage-based billing by some service providers. Many hardware vendors are now
adopting IPFIX, which is the official standard for all flow technologies; both NetFlow and IPFIX can be
performed in hardware or software. They can be used to export information in real time, right down to the
second, and they can be used for both flow and packet sampling, much like sFlow.
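The flow cache and collector behaviour described above, as an added Python example (not Cisco's code): packets sharing the same key are merged into one cache entry whose counters grow, idle entries are exported, and the collector uses exported volumes as a per-host baseline, in the spirit of the behavior-based detection in 4.15. All packet data below is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added illustration of the NetFlow flow cache and collector; the packet
# streams, addresses, interface names and timeouts are constructed values.

@dataclass
class FlowEntry:
    """Counters kept for one flow while it sits in the router's flow cache."""
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0

class FlowCache:
    """Toy model of the router-side cache: one entry per
    (src, dst, sport, dport, proto, input interface) key."""

    def __init__(self, inactive_timeout=15.0):
        self.inactive_timeout = inactive_timeout   # seconds of silence before export
        self.cache = {}                            # key -> FlowEntry
        self.exported = []                         # (key, FlowEntry) records sent to the collector

    def observe(self, ts, src, dst, sport, dport, proto, nbytes, in_iface):
        """Account one forwarded packet: create the flow entry or bump its counters."""
        key = (src, dst, sport, dport, proto, in_iface)
        entry = self.cache.get(key)
        if entry is None:                 # first packet of a flow: new cache entry
            entry = FlowEntry(first_seen=ts)
            self.cache[key] = entry
        entry.packets += 1                # later packets only increment the counters
        entry.bytes += nbytes
        entry.last_seen = ts
        self.expire(ts)

    def expire(self, now, force=False):
        """Export entries idle longer than the timeout (all of them when forced)."""
        idle = [k for k, e in self.cache.items()
                if force or now - e.last_seen > self.inactive_timeout]
        for key in idle:
            self.exported.append((key, self.cache.pop(key)))

# (timestamp, src, dst, sport, dport, proto, bytes, input interface): constructed packets
BASELINE_PACKETS = [
    (0.0,  "10.0.0.5", "203.0.113.9",  51000, 443, "tcp", 1200, "Gi0/1"),
    (0.5,  "10.0.0.5", "203.0.113.9",  51000, 443, "tcp",  800, "Gi0/1"),
    (1.0,  "10.0.0.7", "203.0.113.20", 51234,  80, "tcp",  600, "Gi0/1"),
    (40.0, "10.0.0.7", "203.0.113.20", 51235,  80, "tcp",  700, "Gi0/1"),
]
TODAY_PACKETS = [
    (0.0, "10.0.0.5", "203.0.113.9",   51300, 443, "tcp",      1500, "Gi0/1"),
    (2.0, "10.0.0.7", "198.51.100.77", 52000, 443, "tcp", 1_000_000, "Gi0/1"),  # first-time bulk upload
    (3.0, "10.0.0.7", "198.51.100.77", 52000, 443, "tcp", 1_000_000, "Gi0/1"),
]

def run_collector(packets):
    """Feed a packet stream through the cache and return every exported flow record."""
    cache = FlowCache()
    for pkt in packets:
        cache.observe(*pkt)
    cache.expire(now=0.0, force=True)     # end of capture: flush what is still cached
    return cache.exported

def bytes_per_source(exported):
    """Collector-side aggregation: total bytes sent by each source address."""
    totals = defaultdict(int)
    for (src, *_rest), entry in exported:
        totals[src] += entry.bytes
    return dict(totals)

def flag_outliers(baseline, current, factor=10):
    """Hosts sending more than `factor` x their baseline volume, or with no baseline at all."""
    return sorted(src for src, total in current.items()
                  if src not in baseline or total > factor * baseline[src])

if __name__ == "__main__":
    base = bytes_per_source(run_collector(BASELINE_PACKETS))
    today = bytes_per_source(run_collector(TODAY_PACKETS))
    print("baseline:", base)
    print("today:   ", today)
    print("outliers:", flag_outliers(base, today))
```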
Watch:

 What is NetFlow
4.18 CSIRT
Many large organizations have a Computer Security Incident Response Team (CSIRT) to receive, review, and
respond to computer security incident reports, as shown in the figure at right. The primary mission of a
CSIRT is to help ensure company, system, and data preservation by performing comprehensive investigations
into computer security incidents. To prevent security incidents, Cisco CSIRT provides proactive threat
assessment, mitigation planning, incident trend analysis, and security architecture review, as shown below.
[Proactive- (of a person, policy, or action) creating or controlling a situation by causing something to happen
rather than responding to it after it has happened.]


Cisco’s CSIRT collaborates with Forum of Incident Response and Security Teams (FIRST), the
National Safety Information Exchange (NSIE), the Defense Security Information Exchange (DSIE),
and the DNS Operations Analysis and Research Center (DNS-OARC).
There are national and public CSIRT organizations like the CERT Division of the Software Engineering
Institute at Carnegie Mellon University, that are available to help organizations, and national CSIRTs,
develop, operate, and improve their incident management capabilities.
Watch:
 Security Incident Response Team

4.19 Security Playbook
Technology is constantly changing. That means cyberattacks are evolving too. New vulnerabilities and
attack methods are discovered continuously. Security is becoming a significant business concern because
of the resulting reputation and financial impact from security breaches. Attacks are targeting critical
networks and sensitive data. Organizations should have plans to prepare for, deal with, and recover from a
breach.
One of the best ways to prepare for a security breach is to prevent one. There should be guidance on
identifying the cybersecurity risk to systems, assets, data, and capabilities, protecting the system by the
implementation of safeguards and personnel training, and detecting cybersecurity events as soon as possible.
When a security breach is detected, appropriate actions should be taken to minimize its impact and damage.
The response plan should be flexible with multiple action options during the breach. After the breach is
contained and the compromised systems and services are restored, security measures and processes should
be updated to include the lessons learned during the breach.
All this information should be compiled into a security playbook. A security playbook is a collection of
repeatable queries (reports) against security event data sources that lead to incident detection and response.
Ideally the security playbook must accomplish the following actions:

 Detect malware infected machines.
 Detect suspicious network activity.
 Detect irregular authentication attempts.
 Describe and understand inbound and outbound traffic.
 Provide summary information including trends, statistics, and counts.
 Provide usable and quick access to statistics and metrics.
 Correlate events across all relevant data sources.
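One of the playbook queries above ("detect irregular authentication attempts"), as an added Python example that is not from the course: it runs over constructed sshd-style log lines and reports any source that piles up failed logins inside a short window, plus any successful login from that source afterwards. The thresholds and the year used to complete the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style log lines (not from any real system), standing in for
# the "security event data source" a playbook query is run against.
LOG_LINES = """\
Mar 10 02:14:01 srv1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Mar 10 02:14:03 srv1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 40123 ssh2
Mar 10 02:14:04 srv1 sshd[2211]: Failed password for root from 198.51.100.23 port 40124 ssh2
Mar 10 02:14:06 srv1 sshd[2211]: Failed password for root from 198.51.100.23 port 40125 ssh2
Mar 10 02:14:09 srv1 sshd[2211]: Failed password for root from 198.51.100.23 port 40126 ssh2
Mar 10 02:14:12 srv1 sshd[2230]: Accepted password for root from 198.51.100.23 port 40127 ssh2
Mar 10 09:01:40 srv1 sshd[3102]: Accepted publickey for alice from 10.0.0.12 port 50210 ssh2
Mar 10 09:05:13 srv1 sshd[3150]: Failed password for alice from 10.0.0.12 port 50211 ssh2
Mar 10 09:05:20 srv1 sshd[3151]: Accepted password for alice from 10.0.0.12 port 50212 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_events(lines, year=2024):
    """Turn matching log lines into events; `year` is assumed because syslog omits it."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # lines the query does not understand are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": m["src"], "user": m["user"],
                       "ok": m["result"] == "Accepted"})
    return events

def irregular_auth(events, max_failures=4, window_s=60):
    """Playbook query: per source, `max_failures` or more failed logins within `window_s`
    seconds (a brute-force burst), and any success from that source after the burst."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        recent = []            # timestamps of failures still inside the sliding window
        burst_seen = False
        for e in evs:
            if not e["ok"]:
                recent.append(e["ts"])
                recent = [t for t in recent if (e["ts"] - t).total_seconds() <= window_s]
                if len(recent) >= max_failures and not burst_seen:
                    burst_seen = True
                    findings.append(("brute_force", src, e["user"], e["ts"]))
            elif burst_seen:   # a successful login following the burst is the real alarm
                findings.append(("success_after_burst", src, e["user"], e["ts"]))
    return findings

if __name__ == "__main__":
    for kind, src, user, ts in irregular_auth(parse_events(LOG_LINES)):
        print(f"{ts} {kind}: {user} from {src}")
```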
4.20 Tools for Incident Prevention and detection
These are some of the tools used to detect and prevent security incidents:

 SIEM – A Security Information and Event Management (SIEM) system is software that
collects and analyzes security alerts, logs and other real time and historical data from security
devices on the network.
 DLP – Data Loss Prevention Software (DLP) is a software or hardware system designed to stop
sensitive data from being stolen from or escaping a network. A DLP system may focus on file
access authorization, data exchange, data copying, user activity monitoring, and more. DLP
systems are designed to monitor and protect data in three different states: data in-use, data in-motion
and data at-rest. Data in-use is focused on the client, data in-motion refers to data as it travels
through the network, and data at-rest refers to data storage.
 Cisco ISE and TrustSec – Cisco Identity Services Engine (Cisco ISE) and Cisco TrustSec
enforce access to network resources by creating role-based access control policies that segment
access to the network (guests, mobile users, employees) without added complexity. Traffic
classification is based on user or device identity.
4.21 Fundamentals of ISE
I remember my first security policy. So simple. Good stuff on, bad stuff off. Over the years, however,
defining good and bad has gotten really difficult. So one policy quickly became two, then 10, then more and
forget about just defining these policies, I need to enforce them as well. Now there's compliance and the
need to prove I'm secure. On top of all that, everyone's bringing in his or her favorite Wi-Fi device and
expecting full network access. Keeping up with this stuff takes time, people, and money, not to mention
how I translate policy terms like location, users, devices, and applications into geek speak like IPs, MACs,
ACLs, ports, and 802.1x. Enough! An answer for us.
The Cisco Identity Services Engine or ISE is an identity-based policy platform that enables compliance,
enhances security, and streamlines operations. Its unique architecture lets you gather real-time contextual
information about users and devices to proactively enforce governance policy across the entire network
infrastructure. As the central policy component for Cisco's TrustSec Solution, ISE is the single source for
policy definition, control, and reporting.
Let me show you the tool set. Triple A. Authentication, authorization, and accounting. Hey, what's your
username and your password? Cool. Now let me give you access to just what you need and by the way, I'm
logging this whole session just in case. Posture. Is this device clean? Carrying any suspicious applications
or viruses? No? Profiler. You say you're a printer, but now you act like a web camera? I'm going to show
you the door. Out! And now, guest management. Just need temporary access? No problem. You get just
enough access, but when your time is up, it's up. And automatically. Nice thing for me, I don't even have
to set you up as a guest. All that's handled by the person who wanted you to visit.
Now many of you are saying to yourself right now, self, this sounds just like Cisco NAC and ACS. And
you're right. That's where it starts. ISE combines the functionality of both, but with simpler deployment and
common management. Moving forward, ISE will extend more deeply into the network, into the data center,


and the application stack. The Cisco Identity Services Engine is the single source of truth for end points all
across the network.
Now, there are really just two packages to understand here. The base package is all about authentication,
ID, and guest services like what you find in Cisco ACS and NAC Guest Server. The advanced package
adds profiling and posture services into the mix. A deeper more intelligent analysis of anything requesting
access. NAC Appliance and Profiler, they'd be your reference points here. And anticipating your next
logical question, no, this does not mean end of life for NAC or ACS. Every network is different. ISE is for
those of us who want to consolidate policies in an 802.1x framework. If that's not you because say you want
a choke point that's in line, or maybe you're just looking to authenticate network device admins or
something. Well, existing NAC or ACS products? They're going to be a better fit.
Now unlike other solutions, Cisco ISE has the ability to run specific functions at critical points in the
network. For example, a pair of ISE appliances for administration, maintenance, and troubleshooting, and
logging, and a high availability configuration. This could be located centrally, but with distributed
appliances for making policy decisions as close to the user or device as possible communicating to your
Cisco network infrastructure for enforcement. This is a really important design point to call out here. Cisco
ISE works with your existing network devices, switches, wireless controllers, VPN concentrators, to
balance the workload and keep enforcement as close to the end point as possible. If you have legacy gear
in your network, no worries. ISE can make enforcement work with these as well. Now this example was a
large network design simply to illustrate the flexibility available.
Our assault on complexity continues now with a simple interface including things like a centralized
dashboard with hotlinks to more details, flexible filtering of your active session, drag and drop re-ordering
of rules, reusable objects. You're just going to love the clarity ISE provides here. Visibility into what just
happened, when it happened, who or what was involved and how it was taken care of. We all know that
complexity is the enemy of good security. This is why the ISE dashboard and the reporting tools, the live
logs, are so robust and valuable.

4.22 SIEM
What is a SIEM? SIEM stands for security information and event management. It is a system that
collects log files, security alerts, and events into one place, so that security teams can more easily analyze the data.
You can think of a SIEM as a log management system specialized for security. SIEMs collect all this
information from other security systems, like endpoint security, firewalls, intrusion detection systems,
and the like. They became necessary as the number of security systems grew: the logs and
alerts from these systems needed to be stored centrally, so that analysts did not have to go to each individual
security product to conduct an investigation. SIEMs offer powerful log search features, the ability to
trigger alerts using rules, and reports that organizations can provide to auditors to demonstrate compliance
with various regulations. That is the old definition of SIEM. In 2017, the analyst firm Gartner updated
its definition of a SIEM, adding two new and important technologies, UEBA and SOAR. Two more
acronyms for you to remember. UEBA stands for user and entity behavior analytics. It is an analytics
layer that tracks normal and abnormal behavior for users and entities, like databases, servers and devices.
It helps analysts spot abnormal behaviors, like a login from an unusual location, or a machine uploading large
amounts of information for the first time. Both are potential signs of a security issue. SOAR stands for
security orchestration, automation and response. SOAR automates what security analysts need to do to
respond to security incidents. Remember how the original SIEM meant analysts did not need to go to each
individual security system to check logs? Well, they would still need to if they wanted to respond to an
incident. SOAR eliminates that. Let's say there is malware found on a laptop. An analyst would normally
go to the endpoint security system, quarantine the computer, and then maybe search for the source of the
malware in an IDS or an IPS to make sure no one else is affected. With SOAR, the analyst can automate
the quarantine action from the SIEM. They do not need to log into the endpoint security system, and with a
modern SIEM that has UEBA, the system automatically discovers that the malware came from a phishing
link in an email. So now the analyst wants to block that link in other emails, so no one else gets affected.
This is where orchestration comes in.
SIEMs can be used for a number of purposes; in fact, that is why they are often the foundational platform
for the security operations center, the SOC. You can still use your SIEM to demonstrate compliance with
regulations like SOX, HIPAA, and GDPR. But a more advanced use would be zero-day detection, where
unusual behavior helps detect something you have never seen before. Some companies use a SIEM for
insider threat detection, or for threat hunting, which is a proactive search for unusual activity inside an
organization. Lastly, with SOAR, a SIEM can help to automate the SOC from detection through
investigation and response.
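As an added illustration (not from the course or from any vendor), the following Python sketches the SIEM pipeline described above: it normalizes constructed log lines from a VPN gateway, an endpoint agent and an IDS into one event store, applies UEBA-style baselines (a login from a country never seen for that user, a first-time large upload from a host) and maps each finding to a SOAR-style playbook action. The log format, user and host names, IDS signature name and thresholds are all invented for this example.

```python
"""SIEM-style pipeline (added example; formats, names and thresholds are invented)."""
import re
from collections import defaultdict

MIN_HISTORY = 2      # events to learn from before a baseline is trusted (UEBA warm-up)
UPLOAD_RATIO = 10.0  # flag an upload more than 10x the largest seen before from that host

# Constructed sample logs from three sources, already delivered to the SIEM.
# Format (invented): "<source> <timestamp> key=value ..."
SAMPLE_LOGS = [
    "vpn 2024-03-01T08:00:00 user=alice action=login geo=US",
    "vpn 2024-03-02T08:05:00 user=alice action=login geo=US",
    "endpoint 2024-03-02T09:10:00 host=lt-alice action=upload bytes=120000",
    "endpoint 2024-03-03T09:10:00 host=lt-alice action=upload bytes=150000",
    "vpn 2024-03-04T03:12:00 user=alice action=login geo=RO",
    "endpoint 2024-03-04T03:20:00 host=lt-alice action=upload bytes=2500000000",
    "ids 2024-03-04T03:21:00 src=10.0.0.5 sig=ET_MALWARE_BEACON severity=high",
]

# SOAR-style playbook: finding type -> automated action the SIEM would dispatch.
PLAYBOOK = {
    "ids_signature": "quarantine_host",
    "unusual_upload_volume": "quarantine_host",
    "unusual_login_location": "revoke_session_require_mfa",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Normalize one raw line into a flat dict so every source can be searched the same way."""
    source, ts, rest = line.split(" ", 2)
    event = {"source": source, "ts": ts}
    event.update(KV_RE.findall(rest))
    return event


def analyze(lines):
    """Replay events in order, learn per-entity baselines, return findings in event order."""
    login_geos = defaultdict(set)    # user -> countries already seen for that user
    login_seen = defaultdict(int)    # user -> number of prior logins
    upload_max = defaultdict(int)    # host -> largest upload seen so far
    upload_seen = defaultdict(int)   # host -> number of prior uploads
    findings = []

    def add(kind, ev, entity, detail):
        findings.append({"type": kind, "ts": ev["ts"], "entity": entity,
                         "detail": detail, "action": PLAYBOOK[kind]})

    for line in lines:
        ev = parse_event(line)
        if ev["source"] == "ids":
            # Signature hit from the IDS: no baseline needed, correlate it as-is.
            if ev.get("severity") == "high":
                add("ids_signature", ev, ev["src"], ev["sig"])
        elif ev.get("action") == "login":
            user, geo = ev["user"], ev["geo"]
            # UEBA: only flag once enough history exists and the location is new for this user.
            if login_seen[user] >= MIN_HISTORY and geo not in login_geos[user]:
                add("unusual_login_location", ev, user, f"first login from {geo}")
            login_geos[user].add(geo)
            login_seen[user] += 1
        elif ev.get("action") == "upload":
            host, size = ev["host"], int(ev["bytes"])
            # UEBA: a transfer far larger than anything seen before from this host.
            if upload_seen[host] >= MIN_HISTORY and size > UPLOAD_RATIO * upload_max[host]:
                add("unusual_upload_volume", ev, host,
                    f"{size} bytes vs previous max {upload_max[host]}")
            upload_max[host] = max(upload_max[host], size)
            upload_seen[host] += 1
    return findings


def automated_actions(findings):
    """Deduplicated (entity, action) pairs a SOAR playbook would execute from the SIEM."""
    return sorted({(f["entity"], f["action"]) for f in findings})


if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS)
    for f in found:
        print(f)
    print(automated_actions(found))
```

The first four sample lines produce no findings at all; they are the baseline the later anomalies are judged against.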

4.23 Data Loss Prevention (DLP)


The two major camps are network-based and endpoint-based DLP.
Endpoint DLP or eDLP: With eDLP an agent lives on the endpoint and gives you visibility into the data
as it is created, as in when that Excel file with social security numbers is created or updated. This file can
then be tagged to alert you that it contains sensitive data. The agent also sees processes such as copy/paste,
print, etc., and can protect sensitive data from being burned to a CD or DVD, or being copied to a
USB device. Finally, because the agent is on the endpoint itself, it is always protecting the data, even if the laptop
is off the corporate network and in a local coffee shop using a public wireless network. "Endpoint Data
Loss Prevention requires the deployment and ongoing maintenance of agent software on every protected
system." The core downside of an agent is the management that is required. Each machine requires that the agent
be deployed, or added to the core load, and then updated or patched like any other piece of software. The
complexity comes from the volume and geographic spread of the laptops, desktops and servers in your
network.
Network DLP or nDLP: This lives on the network, typically as a box or virtual machine that traffic passes
through. Network DLP is also referred to as data-in-motion protection. nDLP can be inserted into a network
with little to no overhead. nDLP sees data as it moves throughout the network and enforces the policies at
that time, meaning that when a user attempts to email a sensitive file, the nDLP device inspects the traffic and
can, through pre-defined policies, block, quarantine, audit, forward, notify, or encrypt, all automatically.
nDLP also has visibility into web traffic such as social media sites. "Network Data Loss Prevention requires
that devices be on your network in order to protect them." The core downside of nDLP is that if the device
is off the network and not on a corporate VPN, you do not have visibility into what is happening with that
data. So now you have two options. How do you decide which is right for you? The answer depends. Here are
the key questions to consider: How much control over the endpoint do you have? If you are allowing access
to the corporate network and corporate data to machines you are unable to modify, then nDLP is the only
choice for the short term. Changes to the endpoint policy are typically long-term plans in most
organizations.
Watch:

 What Type of Data Loss Prevention (DLP) is right for your Organization? Endpoint DLP vs.
Network DLP
 What is SIEM? Explained
 Overview of Trustsec and Terminology

4.24 IDS and IPS


An Intrusion Detection System (IDS), shown in the figure, is either a dedicated network device, or one of
several tools in a server or firewall, that scans data against a database of rules or attack signatures, looking
for malicious traffic. If a match is detected, the IDS logs the detection and creates an alert for a network
administrator. The IDS does not take action when a match is detected, so it does not
prevent attacks from happening. The job of the IDS is merely to detect, log and report.

The scanning performed by an IDS adds delay to the network (latency). To avoid that
delay, an IDS is usually placed out of band, separate from regular network traffic: data is copied or
mirrored by a switch and then forwarded to the IDS for offline detection. There are also IDS tools that can
be installed on top of a host computer operating system, like Linux or Windows.
An Intrusion Prevention System (IPS) has the ability to block or deny traffic based on a positive rule or
signature match. One of the most well-known IPS/IDS systems is Snort. The commercial version of Snort
is Cisco's Sourcefire. Sourcefire has the ability to perform real-time traffic and port analysis, logging,
content searching and matching, and can detect probes, attacks, and port scans. It also integrates with other
third-party tools for reporting, performance and log analysis.
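The following Python is an added example (not from the course, Snort or Sourcefire) of the IDS-versus-IPS distinction above: a tiny signature sensor parses two Snort-style rules, matches them against three constructed packets, and is run once in passive IDS mode (it sees a mirrored copy, so it can only log and alert) and once in inline IPS mode (a matching "drop" rule stops the packet). The rules, signature IDs and packet payloads are constructed for this example, and only the rule header, msg, content and sid options are implemented.

```python
"""Signature sensor in IDS (passive) and IPS (inline) mode (added example; rules and packets are constructed)."""
import re
from dataclasses import dataclass

# Snort-style rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(alert|drop)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

# Constructed rules; sid values are local (>= 1000000), not from any public ruleset.
RULE_TEXTS = [
    'drop tcp any any -> any 80 (msg:"Directory traversal attempt"; content:"../../"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 21 (msg:"FTP anonymous login attempt"; content:"USER anonymous"; sid:1000002; rev:1;)',
]

# Constructed traffic: one benign request, then one packet matching each rule.
PACKETS = [
    {"proto": "tcp", "dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "dst_port": 80, "payload": b"GET /../../secret.txt HTTP/1.1\r\n"},
    {"proto": "tcp", "dst_port": 21, "payload": b"USER anonymous\r\n"},
]


@dataclass
class Rule:
    action: str      # "alert" or "drop"
    proto: str
    dst_port: str    # "any" or a port number as text
    msg: str
    content: bytes   # byte pattern that must appear in the payload
    sid: int


def parse_rule(text):
    """Parse the rule header and the msg/content/sid options into a Rule."""
    m = RULE_RE.match(text)
    if m is None:
        raise ValueError(f"unparsable rule: {text}")
    action, proto, _src, _sport, _dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        key, _, value = opt.strip().partition(":")
        if key:
            options[key] = value.strip().strip('"')
    return Rule(action, proto, dport, options["msg"], options["content"].encode(), int(options["sid"]))


def matches(rule, pkt):
    """Positive signature match: protocol, destination port and payload content all agree."""
    return (rule.proto == pkt["proto"]
            and rule.dst_port in ("any", str(pkt["dst_port"]))
            and rule.content in pkt["payload"])


def run_sensor(packets, rules, mode):
    """Return (alerts, forwarded).

    'ids'  inspects a mirrored copy from a switch span port: it logs and alerts,
           but every original packet has already been forwarded.
    'ips'  sits inline: a packet that hits a 'drop' rule is discarded; 'alert' rules
           still only alert.
    """
    if mode not in ("ids", "ips"):
        raise ValueError(f"unknown mode: {mode}")
    alerts, forwarded = [], []
    for pkt in packets:
        hit = next((r for r in rules if matches(r, pkt)), None)
        if hit is not None:
            alerts.append({"sid": hit.sid, "msg": hit.msg, "mode": mode})  # log + alert
        if mode == "ips" and hit is not None and hit.action == "drop":
            continue  # inline enforcement: the packet never reaches its destination
        forwarded.append(pkt)
    return alerts, forwarded


if __name__ == "__main__":
    rules = [parse_rule(t) for t in RULE_TEXTS]
    for mode in ("ids", "ips"):
        alerts, forwarded = run_sensor(PACKETS, rules, mode)
        print(mode, "alerts:", [a["sid"] for a in alerts], "forwarded:", len(forwarded))
```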
4.25 Quick Quiz: Identify Cybersecurity Approach Terminology
Here,
 DLP: Data Loss Prevention
 ISE: Identity Services Engine
 CSIRT: Computer Security Incident Response Team
 IDS: Intrusion Detection System
 SIEM: Security Information and Event Management
 IPS: Intrusion Prevention System
Watch:

 Snort: installation and sniffing packets

4.26 Terms and Concept Practice

1. the process of probing a computer, server, or other network host for open ports
 port scanning
2. protects the network by controlling what traffic is allowed in, as well as allowed out
 firewall
3. a security appliance that has the ability to block or deny traffic based on a positive rule or a signature
match
 IPS/IDS
4. True or False. Today there are single security appliances that will solve all the network security
needs of an organization.
 False
5. This attack disrupts services by simply overwhelming servers and network devices with bogus
traffic.
 DDoS
6. True or False. A botnet can have tens of thousands of bots, or even hundreds of thousands.
 True
7. the process of probing a computer, server, or other network host for open ports
 port scanning
8. a type of security measure that restricts access to networking closets, server locations, as well as
fire suppression
 physical security
9. a conceptual outline of the stages of an information systems attack
 Kill Chain
10. a tool used to gather information about data flowing through a network
 NetFlow

4.27 Chapter Four Quiz

1. What type of attack disrupts services by overwhelming network devices with bogus traffic?
a. DDoS
b. zero-day
c. port scans
d. brute force
Ans: DDoS, or distributed denial of service, attacks are used to disrupt service by overwhelming network
devices with bogus traffic. The correct answer is: DDoS.

2. A ___ is a group of compromised or hacked computers (bots) controlled by an individual with malicious
intent.
Ans: A compromised or hacked computer that is controlled by a malicious individual or group is known as
a bot. A group of these hacked computers under the control of a malicious individual or group is known as
a botnet. The correct answer is: botnet
3. Which tool can identify malicious traffic by comparing packet contents to known attack signatures?
a. Zenmap
b. IDS
c. Nmap
d. Netflow
Ans: An IDS, or intrusion detection system, is a device that can scan packets and compare them to a set of
rules or attack signatures. If the packets match attack signatures, then the IDS can create an alert and log
the detection. The correct answer is: IDS
4. Which protocol is used by the Cisco Cyberthreat Defense Solution to collect information about the traffic
that is traversing the network?
a. NAT
b. NetFlow
c. Telnet
d. HTTPS
Ans: NetFlow is used both to gather details about the traffic that is flowing through the network, and to
report it to a central collector. The correct answer is: NetFlow
5.

Ans: The correct answer is: anomalies


6. Which tool can perform real-time traffic and port analysis, and can also detect port scans, fingerprinting
and buffer overflow attacks?
a. Snort
b. Netflow
c. SIEM
d. Nmap
Ans: Snort is an open source intrusion prevention system (IPS) that is capable of performing real-time traffic
and port analysis, packet logging, content searching and matching, as well as detecting probes, attacks, port
scans, fingerprinting, and buffer overflow attacks. The correct answer is: Snort
7. Fill in the blank.
Any device that controls or filters traffic going in or out of the network is known as a ____.
Ans: A firewall is a network device used to filter inbound or outbound traffic or both. The correct answer
is: firewall

8. What is the last stage of the Cyber Kill Chain framework?


a. remote control of the target device
b. gathering target information
c. creation of malicious payload
d. malicious action
Ans: The Cyber Kill Chain describes the phases of a progressive cyberattack operation. The phases
include the following:
 Reconnaissance
 Weaponization
 Delivery
 Exploitation
 Installation
 Command and control
 Actions on objectives

In general, these phases are carried out in sequence. However, during an attack, several phases can be
carried out simultaneously, especially if multiple attackers or groups are involved. The correct answer
is: malicious action

Chapter 5: Will Your Future Be in Cybersecurity?
This chapter:

 Covers the legal and ethical issues that arise when working in cybersecurity.
 Describes educational paths towards certifications that you may wish to pursue with the Cisco
Networking Academy. Some of these certifications are prerequisites to Specialization Certificates
in many areas of networking, including cybersecurity.
 Points to the Networking Academy Talent Bridge page (netacad.com under Resources), which provides good
information to help you write a great résumé and prepare for a job interview. It also contains listings
for Cisco and Cisco Partner jobs.
5.1 Legal Issues in Cybersecurity
Cybersecurity professionals must have the same skills as hackers, especially black hat hackers, in order to
protect against attacks. One difference between a hacker and a cybersecurity professional is that the
cybersecurity professional must work within legal boundaries.

 Personal Legal Issues


You do not even have to be an employee to be subject to cybersecurity laws. In your private life, you may
have the opportunity and skills to hack another person’s computer or network. There is an old saying, “Just
because you can does not mean you should.” Keep this in mind. Most hackers leave tracks, whether they
know it or not, and these tracks can be followed back to the hacker.
Cybersecurity professionals develop many skills which can be used for good or evil. Those who use their
skills within the legal system, to protect infrastructure, networks, and privacy are always in high demand.

 Corporate Legal Issues


Most countries have some cybersecurity laws in place. They may have to do with critical infrastructure,
networks, and corporate and individual privacy. Businesses are required to abide by these laws.
In some cases, if you break cybersecurity laws while doing your job, it is the company that may be punished
and you could lose your job. In other cases, you could be prosecuted, fined, and possibly sentenced.
In general, if you are confused about whether an action or behavior might be illegal, assume that it is illegal
and do not do it. Your company may have a legal department or someone in the human resources department
who can answer your questions before you do something illegal.

 International Law and Cybersecurity


The area of cybersecurity law is much newer than cybersecurity itself. As mentioned before, most countries
have some laws in place, and there will be more laws to come.

5.2 Ethical issues in Cybersecurity


Ethical issues in cybersecurity can be depicted as follows:
In addition to working within the confines of the law, cybersecurity professionals must also demonstrate
ethical behavior.

 Personal Ethical Issues


A person may act unethically and not be subject to prosecution, fines or imprisonment. This is because the
action may not have been technically illegal. But that does not mean that the behavior is acceptable. Ethical
behavior is fairly easy to ascertain. It is impossible to list all of the various unethical behaviors
that can be exhibited by someone with cybersecurity skills. Below are just two. Ask yourself:
o Would I want to discover that someone has hacked into my computer and altered images in my
social network sites?
o Would I want to discover that an IT technician whom I trusted to fix my network, told colleagues
personal information about me that was gained while working on my network?
If your answer to any of these questions was ‘no’, then do not do such things to others.

 Corporate Ethical Issues


Ethics are codes of behavior that are sometimes enforced by laws. There are many areas in cybersecurity
that are not covered by laws. This means that doing something that is technically legal still may not be the
ethical thing to do. Because so many areas of cybersecurity are not (or not yet) covered by laws, many IT
professional organizations have created codes of ethics for persons in the industry. Below is a list of
organizations with Codes of Ethics:
The Association of Information Technology Professionals (AITP) has both a code of ethics and a
standard of conduct found here.
o CompTIA Professional and Student Membership (formerly AITP) is your pathway to a rewarding
technology career. Whether you're a student or a practicing technology professional, CompTIA is
where you belong!
o CompTIA members are trusted, skilled, and knowledgeable tech professionals. If you're
CompTIA certified, you're already a member! Not CompTIA certified? Find your path to
membership. Student membership: $29/year. Basic student membership: free.
Cisco has a team devoted exclusively to ethical business conduct. Go here to read more about it.
This site contains an eBook about Cisco’s Code of Business Conduct, and a pdf file. In both files is an
“Ethics Decision Tree”, as shown in the figure above. Even if you do not work for Cisco, the questions and
answers found in this decision tree can easily be applied to your place of work. As with legal questions, in
general, if you are confused about whether an action or behavior might be unethical, assume that it is
unethical and do not do it. There may be someone in your company’s human resources or legal department
who can clarify your situation before you do something that would be considered unethical.
Search online to find other IT-related organizations with codes of ethics. Try to find what they all have in
common.
o Cisco/CCNA will benefit you more than CompTIA A+.
o The natural progression to network engineer or system engineer is from a helpdesk role; without
this sort of experience, it's very difficult.
o Do CompTIA certificates expire? Yes.
o The A+ certificate suits a beginner trying to get into a help desk. But to get above that, skip A+.
o A person was promoted to junior network admin just because he was working on CCNA.
o Network+ and Server+ are also great certs (like A+). They cover the basics, but Cisco
certs and Microsoft certs already do that for you. Skip Network+ or Server+.
Watch:

 CompTIA or Cisco? Should I get the CompTIA A+/Network+ OR the Cisco CCNA/CCENT –
Microsoft MCSA?
Visits:

 CompTIA official for earning certification on A+, Network+, Security+

5.3 Cybersecurity Jobs


Many other businesses and industries are hiring cybersecurity professionals. There are several online search
engines to help you find the right job in cybersecurity:
 ITJobMatch – The ITJobMatch search engine specializes in IT jobs of every kind, all over the
globe.
 Monster – Monster is a search engine for all types of jobs. The link provided goes directly to
cybersecurity jobs.
 CareerBuilder – CareerBuilder is also a search engine for all types of jobs. The link provided goes
directly to cybersecurity jobs.
These are just three of many different online job search sites. Even if you are just starting your education
in IT and cybersecurity, looking at job search engines is a good way to see what kinds of jobs are available,
all over the world.
Depending on your interest in cybersecurity, different types of jobs can be available to you, and they can
require specialized skills certifications. For example, a penetration tester, also known as an ethical
hacker, searches and exploits security vulnerabilities in applications, networks and systems. To become a
penetration tester, you will need to gain experience in other IT jobs, such as security administrator, network
administrator, and system administrator. Each one of these jobs requires its own set of skills that will help
you become a valuable asset to an organization.
The Cisco Networking Academy provides many courses for you to continue your education in
Cybersecurity. We encourage you to enroll in the next course, Cybersecurity Essentials, to continue to
build strong foundational knowledge in Cybersecurity. Check out the Cisco Networking Academy and see
a list of courses that are available. Furthermore, you can also access career resources available in Cisco
Networking Academy.
Just for fun, click here to read a graphic novel about a cybersecurity superhero!

5.4 Quick Quiz: Identify Hat Color

NetAcad can support your education and your career. Cisco Cert Exams and Discount Vouchers:
You have worked hard to complete this course. Now it is time to think about how your new skills and
knowledge can help when taking industry-recognized certification exams. Not only that, netacad.com
might also be able to help save you money on the cost of the exam.
Summary
 Discussed the legal and ethical issues that professionals in cybersecurity commonly face.
 Presented educational and career paths for those who wish to become cybersecurity professionals.
 Presented three external Internet job search engines for you to explore.

Final Assessment

You will have 3 attempts to complete the exam. This exam contains content learned in this course. Essay
questions are designed for reflection and will not be scored. Other items are scored using the Weighted
Model where each MCSA (Multiple-Choice Single-Answer) is worth two points and each MCMA
(Multiple-Choice Multiple-Answer) is worth one point for each correct option. If more options are selected
than required, the student will receive a score of zero.
1. What are two objectives of ensuring data integrity? (Choose two.)
a. Access to the data is authenticated
b. Data is encrypted while in transit and when stored on disk
c. Data is available all the time
d. Data is not changed by unauthorized entities
e. Data is unaltered during transit
Ans: d,e
2. A medical office employee sends emails to patients about recent patient visits to the facility. What
information would put the privacy of the patients at risk if it was included in the email?
a. First and last name
b. Contact information
c. Next appointment
d. Patient records
Ans: d
3. The IT department is reporting that a company web server is receiving an abnormally high number
of web page requests from different locations simultaneously. Which type of security attack is
occurring?
a. Adware
b. DDoS
c. Social engineering
d. Spyware
e. Phishing
Ans: b
4. What action will an IDS take upon detection of malicious traffic?
a. Reroute malicious traffic to a honeypot
b. Drop only packets identified as malicious
c. Block or deny all traffic
d. Create a network alert and log the detection
Ans: d
5. When describing malware, what is a difference between a virus and a worm?
a. A virus can be used to launch a DoS attack (but not a DDoS), but a worm can be used to launch
both DoS and DDoS attacks.
b. A virus can be used to deliver advertisements without user consent, whereas a worm cannot.
c. A virus focuses on gaining privileged access to a device, whereas a worm does not.
d. A virus replicates itself by attaching to another file, whereas a worm can replicate itself
independently.
Ans: d
6. What is the best approach to prevent a compromised IoT device from maliciously accessing data
and devices on a local network?
a. Place all IoT devices that have access to the Internet on an isolated network
b. Disconnect all IoT devices from the Internet
c. Install a software firewall on every network device
d. Set the security settings of workstation web browsers to a higher level
Ans: a
7. What tool is used to lure an attacker so that an administrator can capture, log, and analyze the
behavior of the attack?
a. Nmap
b. Honeypot
c. Netflow
d. IDS
Ans: b
8. A web server administrator is configuring access settings to require users to authenticate first before
accessing certain web pages. Which requirement of information security is addressed through the
configuration?
a. Confidentiality
b. Scalability
c. Availability
d. Integrity
Ans: a
9. What is the best method to avoid getting spyware on a machine?
a. Install software only from trusted websites
b. Install the latest operating system updates
c. Install the latest antivirus updates
d. Install the latest web browser updates
Ans: a
10. True or False? An employee does something as a company representative with the knowledge of
that company and this action is deemed illegal. The company would be legally responsible for this
action.
a. True
b. False
Ans: a
11. For what purpose would a network administrator use the Nmap tool?
a. identification of specific network anomalies
b. detection and identification of open ports
c. collection and analysis of security alerts and logs
d. protection of the private IP addresses of internal hosts
Ans: b
12. What is the main purpose of cyberwarfare?
a. to protect cloud-based data centers
b. to develop advanced network devices
c. to simulate possible war scenarios among nations
d. to gain advantage over adversaries
Ans: d
13. What is one main function of the Cisco Security Incident Response Team?
a. to ensure company, system, and data preservation
b. to design polymorphic malware
c. to provide standards for new encryption techniques
d. to design next generation routers and switches that are less prone to cyberattacks
Ans: a
14. Which stage of the kill chain used by attackers focuses on the identification and selection of targets?
a. Weaponization
b. Exploitation
c. Delivery
d. Reconnaissance
Ans: d
15. What type of attack uses zombies?
a. Spear phishing
b. Trojan horse
c. DDoS
d. SEO poisoning
Ans: c
16. Which statement describes cybersecurity?
a. It is a standard-based model for developing firewall technologies to fight against
cybercriminals.
b. It is an ongoing effort to protect Internet-connected systems and the data associated with those
systems from unauthorized use or harm.
c. It is a framework for security policy development.
d. It is the name of a comprehensive security application for end users to protect workstations
from being attacked.
Ans: b
17. What are two security implementations that use biometrics? (Choose two.)
a. Credit card
b. Fob
c. Phone
d. Fingerprint
e. Voice recognition
Ans: d,e
18. A company is experiencing overwhelming visits to a main web server. The IT department is
developing a plan to add a couple more web servers for load balancing and redundancy. Which
requirement of information security is addressed by implementing the plan?
a. Scalability
b. Availability
c. Confidentiality
d. Integrity
Ans: b
19. What is an example of a Cyber Kill Chain?
a. A group of botnets
b. A combination of virus, worm, and Trojan Horse
c. A series of worms based on the same core code
d. A planned process of cyberattack
Ans: d
20. Which two tools used for incident detection can be used to detect anomalous behavior, to detect
command and control traffic, and to detect infected hosts? (Choose two.)
a. NetFlow
b. Honeypot
c. Intrusion detection system
d. A reverse proxy server
e. Nmap
Ans: a,c
21. Which technology creates a security token that allows a user to log in to a desired web application
using credentials from a social media website?
a. In-private browsing mode
b. Open Authorization
c. VPN service
d. Password manager
Ans: b
