1.

1 - Overview of Security:

Computer data is vulnerable when it travels between computers.

Cryptography safeguards data during transmission, using secret codes and modern mathematics.
Computer Security protects data and thwarts hackers.
Network Security secures data during transmission, and Internet Security does so over interconnected
networks.

1.2 - Protection vs. Security:

Protection manages threats within the system.

Security manages threats outside the system.
Protection focuses on internal threats, while Security focuses on external threats.
Protection controls resource access, Security safeguards resources from external users.
Protection involves setting protection information, while Security involves user verification and anti-
malware.

1.3 - Goals and Aspects of Security:

Confidentiality conceals message meanings through encryption.

Data Integrity ensures messages remain unchanged, using hashing and digital signatures.
Authentication proves user/system identity, often through digital certificates.
Risk Management balances resources with the level of risk.

1.4 - Data Integrity:

Data integrity ensures data accuracy, completeness, and security.

It involves keeping data complete, accurate, consistent, and safe.
Risk management balances security investments with asset value.

1.5 - Data Availability and Privacy:

Availability ensures system and data access when needed.

Attacks like denial-of-service disrupt access.
Privacy protects sensitive information with consent from the owner.

1.6 - Security Problems:

Worms and viruses infect systems, requiring anti-malware solutions.

Abuse of account privileges can be mitigated with least privileged access.
Insufficient defense in depth can be addressed with network segmentation.
Insufficient IT security management can be resolved with skilled workforce or outsourcing.
Ransomware threats require antivirus software, patch updates, and user education.

1.7 - User Authentication:

Authentication identifies users requesting system access.

Password-based authentication uses strong passwords.
Multi-factor authentication combines multiple identity methods.
Certificate-based authentication uses digital certificates.
Biometric authentication relies on unique biological characteristics like facial recognition, fingerprints,
speaker recognition, and eye scanners.

Data Integrity (1.4):

Data integrity ensures accuracy, completeness, and consistency of data.

It also involves data safety for regulatory compliance and security.
Maintained through processes, rules, and standards during design.
 Assurance that digital data is uncorrupted and only accessible to authorized users.
Key aspects of data integrity:
Complete: Data retains all elements, no filtering or truncation.
Accurate: Data remains unaltered, consistent with test conditions.
Consistent: Data remains unchanged over time and with access frequency.
Safe: Securely stored and only accessible by authorized parties.
Involves authentication, authorization, encryption, backup, and access logging.

Risk Management (1.4):

Balancing security expenses with asset value is crucial.

Spending more on security than asset worth is wasteful.
Security involves managing known threats and minimizing losses from vulnerabilities.
Central themes: risk analysis and risk management.
Three possible outcomes when risks are understood:
Mitigating risks (countermeasures).
Acquiring insurance against potential losses.
Accepting risks and managing consequences.

Risk assessment considers: - Consequence of a loss. - Likelihood of loss occurrence.

2.1 - Program Threats:

Security Attacks:

Four general categories of attacks:

Interruption: Attack on availability (e.g., hardware destruction, cutting communication lines).

Interception: Attack on confidentiality (e.g., unauthorized access, wiretapping).

Modification: Attack on integrity (e.g., unauthorized tampering with data).

Fabrication: Attack on authenticity (e.g., inserting counterfeit objects).

Rapidly Evolving Threat Landscape:

Challenge of network security due to evolving cyber threats.

Attackers find new ways to exploit networks, requiring constant defense updates.

Bigger Attack Surface:

Expanding security strategy's scope is challenging.

All users are responsible for security, necessitating regular updates.

Bring Your Own Device (BYOD) and Remote Work:

BYOD policy increases network complexity and attack surface.

Personal devices require security measures.
Remote work via unsecured public networks increases risks.

Cloud Security:

Cloud vendors and service providers handle some security.

Organizations are responsible for securing their data and applications.
Unified security strategy needed for hybrid environments.

Types of Network Security Technologies and Solutions:

Firewall/NGFW (Next-Generation Firewall):

Controls inbound and outbound network traffic using predefined security rules.
Prevents malicious traffic from entering the network.
NGFWs can block malware and application-layer attacks.

WAF (Web Application Firewall):

Filters, monitors, and blocks HTTP traffic for web services.

Prevents exploitation of known vulnerabilities (e.g., XSS, SQL injection).

Intrusion Prevention Systems (IPS):

Detects and prevents network security attacks (e.g., DoS, exploitation of vulnerabilities).
Quickly blocks known vulnerability exploits.

Network Segmentation:

Defines boundaries between network segments based on function, role, or risk.

Enhances access control and security, segregating sensitive data.

Microsegmentation:

Divides networks into separate security segments with specific controls.

Uses network virtualization to apply security policies to virtual machines (VMs).
Enhances network resistance to attacks.

Secure Remote Access:

Controls user and device access to internal or cloud resources.

Includes authentication, endpoint security, privilege elevation, and secure remote connections.
Part of modern access control and zero trust network access (ZTNA).

Virtual Private Networks (VPNs):

Masks users' IP addresses, location, and encrypts data.

Provides a secure server to connect to the Internet on behalf of the user.
Protects users on unsafe networks (e.g., public WiFi) from data theft.

Zero Trust Network Access (ZTNA):

Shifts to suspecting all entities, including internal users.

Enforces granular access controls based on the principle of least privilege.
Protects against internal and external threats.

2.2 - Worms, Viruses, Trojan Horses, and Trap Doors:

Worms:

Rapidly replicating malware that spreads across network devices.

Consumes bandwidth, overloads systems, and disrupts reliability.
Can be controlled remotely.
Example: WannaCry ransomware worm.

Viruses:

Code fragments embedded in legitimate programs.

Self-replicating and designed to infect other programs.
Can modify or destroy files, causing system crashes.
 Four phases: dormant, propagation, triggering, execution.

Trojan Horse:

Malicious code that deceives users into loading and executing it.
Cannot replicate like viruses or worms.
Allows cybercriminals to perform harmful actions on a computer.

Trap Door:

A secret entry point into a program for bypassing security.

Difficult to detect, used for debugging and testing.
Can become a threat when exploited by dishonest individuals.

Common Attacks and Countermeasures:

IP Address Spoofing: Transmitting packets with a false source IP address.

Countermeasure: Discard packets with inside source addresses arriving on external interfaces.
**Source Routing Attacks:** Allowing the source station to specify the packet's route.

Countermeasure: Discard packets using this option.

**Tiny Fragment Attacks:** Creating extremely small fragments to evade inspection.

Countermeasure: Discard packets with TCP protocol and IP Fragment offset equal to 1.

2.3 - Stack and Buffer Overflow:

Attackers exploit buffer overflow issues by overwriting an application's memory, changing its execution
path, and causing damage or data exposure.

Types of Buffer Overflow Attacks:

Stack-based Buffer Overflow: More common, targets stack memory during function execution.
Heap-based Buffer Overflow: Harder to execute, floods memory allocated for a program beyond
current runtime operations.

Attackers can intentionally feed input that overflows the buffer and overwrites memory areas containing
executable code, effectively replacing it with their own instructions.

2.4 - System Threats - Intruders:

Intruders are individuals who attempt to breach security, ranging from benign exploration to serious data
theft or system disruption.

Three Classes of Intruders:

Benign Intruders: Explore the internet out of curiosity, consume resources, and may slow system
performance, but not necessarily malicious.
Misfeasors: Authorized users who misuse their granted access and privileges for unauthorized
purposes.
Clandestine Users: Individuals with administrative control who misuse their power, often for
financial gains.

Intruders pose significant security threats by stealing confidential information, selling it to third parties, and
exploiting system vulnerabilities.

2.5 - Communication Threats - Tapping and Piracy:

Communication threats involve various types of threats, including threats to physically harm others.

Threats to Kill or Physically Injure: Threats to harm individuals, their spouses, children, parents, or
siblings.
Network Taps: Devices used to monitor and access data transmitted over a network, typically for
security and monitoring purposes.
Piracy: The illegal use, copying, modification, distribution, sharing, or selling of copyrighted
computer software. Software piracy is a violation of copyright laws.

2.6 - Firewalls:

A firewall is a network security device, either hardware or software-based, that monitors incoming and
outgoing traffic based on a defined set of security rules. It accepts, rejects, or drops traffic according to these
rules. Key points about firewalls include:

Accept: Allows the traffic to pass.

Reject: Blocks the traffic and replies with an "unreachable error."
Drop: Blocks the traffic without any reply.

Firewalls create a barrier between secured internal networks and untrusted external networks, such as the
Internet. They serve to protect the internal network from external threats and provide a controlled link.

Firewall Design Principles:

Firewalls are used to establish an outer security perimeter between the local network and the internet.
They act as a single choke point for security and audit purposes.
Firewalls can be a single system or a set of cooperating systems.
They must be immune to penetration, typically using a trusted system with a secure operating system.

Four Techniques Firewalls Use to Control Access:

Service Control: Determines the types of internet services that can be accessed, inbound or outbound.
It may filter traffic based on IP address and TCP port number, provide proxy software, or host server
software.
Direction Control: Specifies the direction in which service requests can be initiated and allowed to
flow through the firewall.
User Control: Controls access to services based on the user attempting to access them.
Behavior Control: Regulates how specific services are used.

Capabilities of Firewalls:

Establish a single choke point to keep unauthorized users out, block vulnerable services, and protect
against IP spoofing and routing attacks.
Provide a location for monitoring security-related events, enabling audits and alarms.
Serve as a platform for various non-security-related internet functions.
Be used for IPsec implementations.

Limitations of Firewalls:

Cannot protect against attacks that bypass the firewall via internal systems with dial-out capabilities or
modem pools for dial-in.
Do not protect against internal threats, such as insider attacks.
Cannot prevent the transfer of virus-infected programs or files.

Need for Firewalls:

Before firewalls, network security relied on Access Control Lists (ACLs) on routers. ACLs lacked the ability
to determine the nature of blocked packets and couldn't effectively keep threats out of the network. Firewalls
became necessary to secure internal networks from unauthorized traffic.

Working of Firewalls:

Firewalls match network traffic against defined rules.

Rules specify actions for traffic based on criteria like source/destination addresses and port numbers.
Outgoing traffic is usually allowed unless specifically restricted.
Incoming traffic is scrutinized, especially for protocols like TCP, UDP, and ICMP.

2.7 - Security Methodology - The Three D's of Security:

The Three D's of Security refer to the strategies used to enhance security:

Deter: The goal is to discourage attacks or threats from happening in the first place. This can be
achieved through visible security measures, policies, and practices that make it less attractive or more
difficult for attackers to target a system or organization.
Detect: This involves identifying and verifying threats as they occur or shortly after. Detection
mechanisms, such as intrusion detection systems (IDS) and security monitoring tools, help in spotting
suspicious or malicious activities.
Delay: Delaying a threat means postponing its impact or the time it takes to reach critical assets. This
provides additional time for response and mitigation. Delay mechanisms can include physical barriers,
access controls, and network segmentation.

By incorporating these three principles into security strategies, organizations aim to reduce vulnerabilities
and enhance their overall security posture.

2.8 - Strategy and Attacks:

In the realm of cybersecurity, it's crucial to understand various aspects of attacks, including their tactics,
techniques, and procedures (TTPs). Here's a breakdown:

Tactics: Tactics are the highest-level descriptions of a threat actor's behavior. They represent the
overall goals behind an attack and the general strategies followed to execute that attack. For example,
a tactic might involve infiltrating a website to steal customer credit card information.
Techniques: Techniques provide a more detailed description of the threat actor's actions within the
context of a tactic. These methods outline how the threat actor plans to achieve their goals. Examples
of techniques include e-skimming, magecart attacks, JavaScript injection attacks, or cross-site
scripting (XSS).
Procedures: Procedures are the most detailed level of an attack description. They provide a step-by-
step account of the attack, including the specific tools and methods used to orchestrate it.
Cybersecurity analysts often use an attack's procedures to create profiles or fingerprints for threat
actors or groups.

Understanding these aspects of attacks helps cybersecurity professionals and organizations better prepare for
and defend against various threats.

2.9 - Website Attacks - SQL Injection, XSS, LDAP, Injection Attacks:

Website attacks are malicious activities aimed at exploiting vulnerabilities in websites. These attacks can lead
to unauthorized access, data theft, introduction of malicious content, or alteration of a website's content. Here
are some common website attacks:

SQL Injection (SQLi):

SQL Injection is an attack that targets a web application's database by manipulating the SQL queries it
sends to the database.
Attackers input malicious SQL statements into web forms or other input fields to exploit
vulnerabilities in the application.
 Successful SQLi attacks can result in unauthorized access to data, data theft, and even the
manipulation or deletion of data.

Cross-Site Scripting (XSS):

Cross-Site Scripting (XSS) attacks involve injecting malicious scripts into trusted websites.
Attackers insert scripts, often written in JavaScript, into web pages that are then executed by
unsuspecting users.
XSS attacks can steal cookies, change user settings, hijack user sessions, and deface websites,
potentially leading to impersonation and data breaches.

LDAP Injection:

LDAP Injection attacks occur when web applications don't adequately validate user input, creating a
vulnerability that allows unauthorized modifications to LDAP statements.
Attackers can manipulate queries and control their meaning using metacharacters, leading to
unauthorized queries or content modification within the LDAP tree.
LDAP Injection can expose sensitive data, including credentials, roles, permissions, and more.

Injection Attacks (Code Injection, Command Injection, CCS Injection):

Injection attacks involve injecting malicious code or commands into web applications.
In Code Injection, attackers exploit vulnerabilities to inject and execute code within the application's
web server.
Command Injection occurs when attackers insert operating system commands that execute on the
host system.
CCS Injection exploits vulnerabilities in the ChangeCipherSpec processing in some versions of
OpenSSL to seize encryption key materials and access communications.

These injection attacks are common and dangerous web threats. They can lead to data breaches, data
manipulation, denial of service (DoS) attacks, and server compromises. Protecting web applications against
these attacks is crucial for maintaining security.