Module-V: Artificial Intelligence in Cybersecurity

 Auditing IT Infrastructures for Compliance

 Big Data & IoT Security Penetration testing

 Artificial Intelligence in Cybersecurity

 Cyberspace and the Law

 Database Security

 Server Security

 Web Application Security

 IT Security Compliance

 Computer Forensics
What Is AI for Cybersecurity?

Artificial Intelligence (AI) for cybersecurity is where a network security provision enlists artificial intelligence and machine
learning to enhance protection.

The attack surface for cyber threats has been expanding rapidly, spurred on by the explosion in remote working and its
associated increase in the use of Internet-connected services. Traditional signature-based methods of combating these threats
have proven increasingly ineffective. Recognizing a threat, or waiting for notification from users, followed by developing a
signature to recognize and counteract it, is too slow, leaving organizations vulnerable to attack.

This is where AI comes in. The only way to fight against the ever-changing range of emerging threats is for protection
systems to proactively detect them as they appear and adapt accordingly. This system could even operate at the edge on the
endpoint itself.
•Current Technologies put the organization's cyber security at risk. Even with the new advancements in defense strategies,
security professional fails at some point. Combining the strength of Artificial Intelligence in cyber security with the skills of
security professionals from vulnerability checks to defense becomes very effective. Organizations get instant insights, in
turn, get reduced response time. The type of attacks we are prone to currently are -Advanced Malware
•Insider threats
•Transaction frauds
•Encrypted attacks
•Data exfiltration
•The exploitation of run-time application
•Acquisition of accounts
•Network Lateral Movement
Why do we need AI Cybersecurity Detection systems?

 The Rule-based detection systems for the handling of false positive results while handling attacks.

 Hunting of threats efficiently.

 Complete analysis of threat incidents and investigation.

 Threat forecasting

 Retrieve the affected systems, examine the root causes of the attack, and improving the security system.

 Monitoring of security.
What are the core capabilities of the AI-based Cybersecurity System?

System Security
•Network Security
•Cloud Security
•IoT Security
•Malware
•Autonomous Security

Data Security
•Security Analytics
•Threat Prediction
•ML for Cyber
•Social Network Security
•Insider Attack Detection

Application Security
•FinTech and Blockchain
•Risk and Decision making
•Trustworthiness
•Data Privacy
•Spam Detection
AI in Cyber Security: Benefits

1. Artificial Intelligence becomes more intelligent over Time 

The technology of Artificial Intelligence is more efficient and intelligent, as the name suggests, because of its ability by
which it improves network security over a period of time. To learn more about an organization’s network behavior over
a period of time, artificial intelligence takes the help of machine learning and deep learning. The patterns which are
present on the network are recognized by them and after recognizing, the AI technology clusters them together and then
it further proceeds to find out if there were any deviations or if any security incident occurred in the normal traffic. After
analyzing the traffic it finally responds to them. 

2. Artificial Intelligence helps us in identifying unknown Threats 

It becomes necessary to switch to modern solutions in order to prevent new attacks from damaging the system owing to
the increase in malware attacks in sophisticated social engineering, the attackers try new methods to cause harm to the
system. In order to detect and stop unknown threats from ruining an organization’s network infrastructure, artificial
intelligence imbibed in cyber security proves to be one of the best combinations for security technologies. 

3. Artificial Intelligence Can Handle a Lot of Data 

Artificial intelligence comes into the picture to detect any possible threats that are being masked as a normal activity and
it proves to be the best solution as it is very helpful. It basically reads through the large volumes of data and analyzes the
traffic in order to detect any possible threats because of its automated nature which allows it to do so. A residential
proxy is a technology that uses the technology of Artificial Intelligence and helps us in the transferring of data.
Moreover, it can also perform detection and identify any threat which may be present in the traffic. 
4. Artificial Intelligence can manage vulnerability better 

Artificial Intelligence is faster and can help us assess our systems more quickly than cybersecurity personnel, thereby
decreasing our workload and increasing our problem-solving ability by multiple times as it identifies the weak points in
computer systems and business networks and helps businesses to focus on more important security-related tasks. This
makes it possible to manage vulnerability and secure business systems in time. 
The Future of Cybersecurity
Despite all the glowing dialogue around the future of this form of security, there are still limitations to be noted.

ML needs datasets but may conflict with data privacy laws. Training software systems requires plenty of data points to
build accurate models, which doesn’t meld well with “the right to be forgotten.” The human identifiers of some data may
cause violations, so potential solutions will need to be considered. Possible fixes include getting systems to either make
original data virtually impossible to access once software has been trained. Anonymizing data points is also in
consideration, but this will need to be examined further to avoid skewing the program logic.

The industry needs more AI and ML cybersecurity experts capable of working with programming in this scope.
Machine learning network security would benefit greatly from staff that can maintain and adjust it as needed. However, the
global pool of qualified, trained individuals is smaller than the immense global demand for staff that can provide these
solutions.

Human teams will still be essential. Finally, critical thinking and creativity are going to be vital to decision-making. As
mentioned much earlier, ML is not prepared or capable of doing either, and neither is AI. To continue this thread, you’ll
have to use these solutions to augment your existing teams.
AI Cyber Security Analytics Solutions:

1.Perspective Analytics: Determination of the actions required for analysis or response.

2.Diagnostic Analytics: Evaluation of root cause analysis and modus operand of the incidents and attacks.

3.Predictive Analytics: Determination of higher risk users and assets in the future and the likelihood of upcoming

threats.

4.Detective Analytics: Recognition of hidden, unknown threats, bypassed threats, advanced malware, and lateral

movement.

5.Descriptive Analytics: For obtaining the current status and performance of the metrics and trends.
 
Applications of AI in Cybersecurity 

Now that we have a good idea of what AI cybersecurity entails, let’s explore a half-dozen practical applications of it:

1. Enhancing Your Network Security

Network security deals with the protection against destruction, unauthorized access, and misuse of files and data in a
system. It also protects the confidentiality of a network within an organization. AI can be utilized to automatically
analyze the network traffic for any potential breaches or unauthorized access.

In network security, your network architecture and security policies are essential. The network architecture is
responsible for taking care of the ways a business connects to the internet. The architecture is also important for keeping
the business reliably and safely connected to the internet. For managing security on a network, a network policy is
typically used to formalize the guidelines and procedures utilized to keep a network secure. According to Toolbox, AI
can employ security policies and map the network traffic patterns to these policies. 
Some common AI-powered cybersecurity platforms include:
•IBM QRadar
•Cynet
•Darktrace
•FireEye
2. Detecting Advanced Malware

Malware has been a serious threat to the security of organizations, and they evolve very rapidly. According to TechTarget
SearchSecurity, one of the most triumphant accomplishments of AI in cybersecurity is the accurate detection of malware
due to the availability of large amounts of data for training the deep learning models. 

AI cybersecurity threat detection systems are particularly useful for finding malware applications that can keep changing
themselves to avoid getting detected (e.g., polymorphic and metamorphic malware). 
Polymorphic malware is a category of malicious programs that continuously change a portion of their codes and use
encryption (for hiding its code) to evade anti-malware software. These cyber weapons use mutation engines to modify
themselves and continuously evolve so as to make them difficult to detect. Unfortunately, these malicious programs have
become quite common. According to research by Webroot among the malicious software they analyze, 94% of them are
polymorphic in nature. 

Likewise, metamorphic malware is a category of similar malicious programs that change themselves to avoid getting
detected, but they are even harder to detect than their polymorphic counterparts. The prime difference between
metamorphic and polymorphic malware is that the former change its source codes entirely; polymorphic keeps some parts
of its code, only modifying others. 
The reason for rewriting the entire source code is to evade the anti-malware tools more effectively. These malware are
extremely difficult to detect using traditional cybersecurity tools. Thus, the learning and adaptive capabilities of AI
cybersecurity are needed to detect and handle these continuously evolving threats. 
3. Increasing Your Organization’s Data Privacy 
AI cybersecurity systems can help prevent breaches of sensitive organization and customer data. Google has used Tensorflow
to block 100 million spam emails. Tensorflow is a deep learning frame library for preventing image-based emails that are
hard to detect and can also be used to steal organizational data. 

4)    Incident Diagnosis and Response 

While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what
happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions,
software applications and platforms powered by AI can examine past data sets to find the root causes of the incident by
looking back at change and anomaly indicators in the network activities. If the incident analysis discovers a system
vulnerability (instead of malicious exploitation), the predictive analysis could provide insights into the consequences of such
exposure. Once the causes of an incident are identified, prescriptive analytics can be leveraged to respond to the incident
based on recommendations to contain and eradicate the causes of the incident permanently. These recommendations can
cover a wide range of applications varying from taking specific actions, change in strategy, and adoption of new procedures
or processes. These recommendations could also include the need to gather better cyber threat intelligence coming full circle
– from intelligence to surveillance and detection, to diagnosis/response, and back to intelligence
5)    Cyber  Threat Intelligence Reports

Every day, already understaffed cybersecurity professionals regularly face thousands of attacks on their systems and the
malware continues to grow in pace, numbers, and complexity. This cyber-reality has generated an overload of
information that is challenging to collect, organize, and analyze. AI solutions have been deployed to support cyber threat
analysts and address the problem of information overload and current data. These solutions include open-source AI
powered collection tools that gather data on specific cyber threats or vulnerabilities on the Internet.

The information can be compiled and summarized or even be the subject of a report fully written by an AI program
through natural language processing. In today’s world, a variety of commercial industries have adopted similar AI tools
to write news articles, social media posts, legal briefs, and banking reports. The cybersecurity industry also exploits
similar tools to generate automated cyber threat intelligence reports (CTI). Cyber threat intelligence reports provide the
indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly
cyber threats. 
The Cybersecurity Risks of Artificial Intelligence
AI has very promising applications for improving the security of organizations. Simultaneously, it also comes with
problems such as misuse by cybercriminals and nation-state actors. The vast amount of publicly available data that helps
make advanced AI cybersecurity systems more resilient and effective at attack prevention can also be used by
cybercriminals to train their AI systems to bypass them. 
It would not be wrong to say that under unfortunate circumstances, AI can be a double-edged sword in the world of
cybersecurity. Some of the cases in which bad guys can use AI to their advantage are as follows:

1. Developing Evolving Tools That Can Enhance Cyber Attacks 

As we touched on earlier, malware developers can use AI to develop advanced polymorphic and metamorphic malware.
These systems are difficult to detect by traditional anti-malware systems and cause serious problems if they infiltrate your
network and other critical systems. AI can be used to make malware adaptable to detection by training the system on
detection by powerful anti-malware software thus incrementally making the malware better and better. The more time is
spent in training the system for adaptability, the harder it would be to detect such malware.
2. Creating “Deep Fakes” That Make More Convincing Phishing Attacks

Deep fake data can be generated using a vast amount of training data making it possible to bypass the security
systems because such systems are dependent on data. Deep fakes also include facial videos and voices which
match the original one so closely that it is extremely hard to distinguish. 
With sufficient data for training, cybercriminals can use AI to make super realistic deep fakes that can bypass
automated systems and humans as well. One such case is when the 
hackers used deep fake technology to impersonate an energy company CEO’s voice. The attackers used it to
contact one of the CEO’s subordinates to instruct them to transfer $243,000 to a fraudulent account they
controlled.

3. Creating Physical Threats and New Ransomware Opportunities

Self-driving cars use AI for their functioning and security. There is a possibility of attacking these self-driving
cars with AI. This is discussed by Macquarie University, which states that self-driving cars can be vulnerable to
malware attacks. Similarly, AI-based adversarial attacks can be used to fool self-driving cars into
misinterpreting signs.
Auditing IT Infrastructures for Compliance

IT infrastructure assessment help Optimize IT resources through proper gauging of their strengths and weaknesses and
helps in the right sizing, protection, effective utilization, scalability, stability, security, resilience, utilization of the right
technology, and achieve improved efficiency, performance, and uptime.

Infrastructure audit involves proactively reviewing and reducing your risks around the use of IT, demonstrating
compliance with standards with a significant reduction of risk, and damaging IT security/data privacy and protection
breaches.

It will also risk interruptions to your business operations through the implementation of appropriate IT disaster recovery
and business continuity plans.
Importance of an IT security audit

•Protects the critical data resources of an organization.

•Keeps the organization compliant to various security certifications.

•Identifies security loopholes before the hackers.

•Keeps the organization updated with security measures.

•Identifies physical security vulnerabilities.

•Helps in formulating new security policies for the organization.

•Prepares the organization for emergency response in case of a cybersecurity breach.

IoT Penetration testing
IoT penetration testing represents a process of evaluating the different system components of an IoT-based device by
exploiting the present vulnerabilities. This evaluation helps find misconfigurations and remediate them to make the IoT
security framework more secure.

Business entities that apparently just utilize IoT-based equipment need to realize that they act as a conducive ground for
many threat actors to wreak havoc on your security. Since IoT devices are connected via the internet, vigilance and
precaution are necessary. One needs to assess the security shield of IoT devices before putting them in for actual use.

Organizations involved in the manufacture of IoT devices and tools for various purposes need to maintain their security
agility to the highest level possible. They cannot support their customer confidence and growth without ensuring that their
IoT devices offer the required data protection.

With IoT pen-testing, entities can scrutinize the physical security, application-level safety, default installation
configuration, and the overall cybersecurity lifecycle of their device.

Penetration testers usually cover multiple aspects of the IoT framework to ensure complete security readiness. The popular
forms of IoT security testing are:
•IoT device security testing
•IoT network security testing
•IoT cloud API security testing
•IoT device application security testing
•IoT device firmware security testing
What is an IOT Pen Testing Service?

The term Internet of Things (IoT) refers to the use of standard Internet protocols for human-
to-thing or thing-to-thing communication in embedded networks. The IOT penetration
testing goes beyond basic analysis to consider the whole ecosystem of the IoT technology,
covering every segment and how each impacts the security of the whole. This service
 includes the IoT mobile application, cloud APIs, communication and protocols, and
embedded hardware and firmware. An IoT network is one where devices, vehicles, buildings
and other items integrate with electronics, software, sensors, and network connectivity which
enables these objects to collect, exchange data and generally, communicate.

The IoT concept applies  to many sectors:

•Smart Home
•Smart Cities
•Medical & Healthcare
•Industrial Control Systems & Industry 4.0
•Energy
•Automotive
The IoT pen testing phases
Phase-1 Defining the scope
The pen testing team first pen-testing the scope of the test arrangement as per the client’s need. It ultimately depicts the cost,
efforts, goals, and technical procedures involved with the IoT penetration test.

Phase- 2 Attack surface mapping

This phase of attack surface mapping involves defining the entry and exit zones that adversaries can misuse. The pentesting
team developed testing's per their understanding of the IoT device solution and its security architecture. Usually, the IoT
device architecture covers three categories:
•Firmware, software, and applications
•Embedded device
•Radio communications

Phase-3 Vulnerability assessment and exploitation

Once the testers have their detailed security architecture diagram, they evaluate the vulnerabilities of different IoT device
components. Each of the IoT architecture categories of embedded devices, radio communications, and software applications
has its own forms of vulnerabilities. After the testing team has identified the exposures, they utilize the tactics and tools akin
to actual adversaries to sabotage IoT security. IoT devices consist of various interfaces. Hence, command injection, code
injection, and input validation are usually some of the focal points of the attack. Testers also conduct post-exploitation
measures to leave no stone unturned in finding the misconfigurations in the IoT device solution.

Phase-4 Documentation and reporting

At this final stage, the pen testing experts list out all discovered vulnerabilities and share them with the client’s management.
They communicate at length all possible remediation measures in the report to upgrade the IoT security posture.
Approach & Methodology in IOT Pentesting:

1. Scoping
During this phase, an operational environment is discussed and established with the help of written/verbal
communication & scoping questionnaires, defining:

•Legislation/compliance obligations related to pen-testing activities

•Organizational cybersecurity-needs
•Which assets of the organization are to be tested and which are excluded
•Allowed types of attacks
•Testing period and time zones
•Means of communication

2. Attack Surface Mapping

A detailed architecture diagram of the IoT infrastructure is constructed, highlighting all the possible entry points an
adversary can use to penetrate. Active & passive OSINT (Open-Source Intelligence) techniques are used in combination
with neutral observation actions in order to collect as much information as possible regarding the targets to be tested.
The more the information, the most attack vectors can be crafted.
3. Binary & Firmware Analysis

The firmware residing inside the IoT devices, as well as any companion/utility software, is reverse-engineered to discover
potentially sensitive information. You need to hand over the devices to our analysts for a specified period of time, in order
to perform:
•Application binaries de-compilation
•Firmware binaries reverse engineering
•Encryption & obfuscation techniques analysis
•Used 3rd party libraries analysis

4. Hardware & Software Exploitation

The main exploitation activities aim to take control of the IoT device(s) and perform a manipulation of the services the IoT
network provides. These actions include:
•Assessing hardware communication/interconnection protocols
•Tampering protection mechanisms
•Fuzzing & side-Channel attacks
•Assessment & exploitation of wireless protocols
•Attacking protocol-specific vulnerabilities
•Web application & API (hosted or cloud) vulnerability exploitation (incl. OWASP Top10)
•Desktop & Mobile application vulnerability exploitation

5. Reporting
Reports are a crucial step in a penetration testing engagement as the cornerstone deliverable which provide meaningful
insights regarding the security posture of your organization, along with remediation recommendation for each detected risk.
Cyberspace:

Cyberspace mainly refers to the computer which is a virtual network and is a medium electronically designed to help
online communications to occur. This facilitates easy and accessible communications to occur across the world. The
whole Cyberspace is composed of large computer networks which have many sub-networks. These follow the TCP or IP
protocol. 

The TCP (Transmission Control Protocol) is a standard for communications that allows the application programs and
other computing devices to exchange data and messages over a Cyber network. These are designed to send data across the
internet which then makes sure that the sent data are successfully delivered over the networks. It is the standards that are
mostly used to define the rules of the internet and are defined by the Internet Engineering Task Force or IETF. It is a very
commonly used protocol and it ensures that there is an end-to-end delivery of data. 

On the other hand, Internet Protocol or IP is the protocol or method that involves sending data from one device to another
using the internet. Each and every device has an IP address that is unique to it and this gives it its identity. The IP address
enables communication and exchange of data to other devices across the internet. It defines how devices and their
applications will exchange packages of data with each other and connected networks.  All the transfer occurs through
either of the Internet Protocol Suite or protocols i.e. either TCP or IP. 

Cyberspace is that space in which users share information, interact with each other; engage in discussions or social media
platforms, and many other activities
Evolving Technologies in Cyber Space:

1. Artificial Intelligence (AI)

The concept of AI is to imitate the problem-solving and decision-making abilities of the human brain. It involves creating
intelligent computers using advanced programs. AI works on two basic ideas: thinking rationally and acting rationally.
The former deals with thought processes and reasoning, while the latter deals with behavior.

For example, if we provide a thousand photos of trees to the computer, it scans

and stores the data, which can be used to identify the trees. There are two types
of Artificial Intelligence.

•Artificial Narrow Intelligence (ANI): The computer is trained to pivot on a

specific task. It can perform a particular task with a great speed and accuracy
that no human can do. It is used in various applications such as Apple’s Siri,
Amazon’s Alexa, autonomous machines, etc.

•Artificial General Intelligence (AGI): Here, the computer will have general
intelligence like humans. It works based on self-awareness which is used to
solve problems, learn from the past, and plan. This type of AI is purely
theoretical and does not have any practical application.
2.Machine Learning:

It is one of the sub-fields of Artificial Intelligence that works on the concept of self-learning. Instead of programming the
computer to do its task, the computer is allowed to learn from the available data in machine learning. This is also known as
the bottom-up approach.

Machine learning involves programming computers to access the data and use
it for self-learning. The computers look for data patterns to make decisions by
themselves. There is the various real-time application of machine learning, such
as
•Traffic alert- Google maps
•Transportation and communication- Ola, Uber.
•Product recommendations- Amazon, e-bay.
•online video streaming- Netflix, Prime.
3. Internet of Things
As the name suggests, the Internet of Things refers to a fabricated network of physical devices worldwide connected
through the internet. Any device implanted with appropriate sensors, software, and technologies can relate to other devices
over the internet to send and receive data without human intervention. The use of IoT is endless, from household devices
to industrial machines. It means that any device connected over the internet becomes a part of IoT

Once the devices are connected to an IoT network,

they can be operated from any part of the world
without physical contact. It uses sensors, Internet,
Cloud platforms, Machine Learning, and Artificial
Intelligence (AI). The size of the IoT network is
getting bigger each day, like a giant robot. A few
examples of IoT devices are
•Smart home security systems
•Portable health monitors
•Smart factory equipment
•Shipping containers and logistics tracking
•Smart home appliances etc.
4. Block Chain Technology

The blockchain is a decentralized database that differs from a regular database where the data is stored using a hash
function. It stores data in the form of blocks, and the blocks are connected to form a data chain. When the data is stored in a
blockchain, it becomes nearly impossible to tamper, hack or trick the system. Even though various kinds of information can
be stored in blockchain, it is mainly used as a transaction ledger. It is an emerging technology in cyberspace, as its full
potential is not realized. Possible applications of blockchain technology will be fund transfers, sharing of medical data,
personal identity security, voting mechanism, etc. It also forms the base for bitcoin, which could be the future of digital
currency.
5. Encryption Technology

Encryption technology is gaining more importance in cyberspace. It is a process of converting the normal text into
non-readable ciphertext. This prevents unauthorized persons from interpreting or tampering with the data. It is based
on Public Key Infrastructure (PKI), where the encryption and decryption of data are done by Public-Private key
distribution. There are numerous methods in data encryption that are Advanced Encryption Standard (AES), Rivest-
Shamir-Adleman (RSA), Quantum Key Distribution (QKD), Triple DES (Data Encryption Standard, etc. Among these
methods, QKD is highly secured as the QKD uses quantum mechanics for data encryption which cannot be cracked by
normal computing
Database Security:

Database security includes a variety of measures used to secure database management systems from malicious 
cyber-attacks and illegitimate use. Database security programs are designed to protect not only the data within the
database, but also the data management system itself, and every application that accesses it, from misuse, damage,
and intrusion.
Database security encompasses tools, processes, and methodologies which establish security inside a database
environment.
Database Security Threats

Many software vulnerabilities, misconfigurations, or patterns of misuse or carelessness could result in breaches. Here
are a number of the most known causes and types of database security cyber threats.
1.Insider Threats
An insider threat is a security risk from one of the following three sources, each of which has privileged means of entry
to the database:
•A malicious insider with ill-intent
•A negligent person within the organization who exposes the database to attack through careless actions
•An outsider who obtains credentials through social engineering or other methods, or gains access to the database’s
credentials
An insider threat is one of the most typical causes of database security breaches and it often occurs because a lot of
employees have been granted privileged user access.
2.Human Error
Weak passwords, password sharing, accidental erasure or corruption of data, and other undesirable user behaviors are
still the cause of almost half of data breaches reported.
3.The exploitation of Database Software Vulnerabilities
Attackers constantly attempt to isolate and target vulnerabilities in software, and database management software is a
highly valuable target. New vulnerabilities are discovered daily, and all open source database management platforms
and commercial database software vendors issue security patches regularly. However, if you don’t use these patches
quickly, your database might be exposed to attack.
Even if you do apply patches on time, there is always the risk of zero-day attacks, when attackers discover a
vulnerability, but it has not yet been discovered and patched by the database vendor.
4. SQL/NoSQL Injection Attacks
A database-specific threat involves the use of arbitrary non-SQL and SQL attack strings in database queries. Typically,
these are queries created as an extension of web application forms or received via HTTP requests. Any database system
is vulnerable to these attacks, if developers do not adhere to secure coding practices, and if the organization does not
carry out regular vulnerability testing.

5. Buffer Overflow Attacks

Buffer overflow takes place when a process tries to write a large amount of data to a fixed-length block of memory,
more than it is permitted to hold. Attackers might use the excess data, kept in adjacent memory addresses, as the starting
point from which to launch attacks.

5. Denial of Service (DoS/DDoS) Attacks

In a denial of service (DoS) attack, the cybercriminal overwhelms the target service—in this instance the database
server—using a large amount of fake requests. The result is that the server cannot carry out genuine requests from actual
users, and often crashes or becomes unstable.
In a distributed denial of service attack (DDoS), fake traffic is generated by a large number of computers, participating
in a botnet controlled by the attacker. This generates very arge traffic volumes, which are difficult to stop without a
highly scalable defensive architecture. Cloud-based DDoS protection services can scale up dynamically to address very
large DDoS attacks.
server security?
Server security refers to all the processes and tools used to protect the sensitive data, resources, and assets held on a
server.
Servers are frequently targeted by cybercriminals because they tend to hold sensitive and valuable information.
Cybercriminals are always on the lookout to exploit vulnerabilities in server security for financial gain and other
reasons.

In most IT infrastructures, servers are the core of the whole infrastructure. The server is what allows all users to
access the same resources, functionality, and information remotely. When the server is compromised during an
attack, there’s a high likelihood that the whole network and/or system is also compromised.

So, maintaining server security is obviously important. However, even a very small flaw like a weak password,
missed/failed software update, and other relatively simple human errors can lead to a compromised server and
substantial loss for the organization.

This is why to ensure the effectiveness of the server security, we have to consider different layers — from
identifying and managing potential issues in your network, to securing the server’s OS, protecting any software and
applications hosted on your server, and at the most granular level, securing sensitive and regulated data hosted on
the server.
Common server security vulnerabilities
How are cybercriminals attacking your servers? Here are some common mistakes and vulnerabilities that are often exploited
by hackers and cybercriminals:
•Weak passwords

To guess weak passwords, hackers can use malicious bots to perform brute force attacks or credential stuffing attacks. If the
attackers gain possession of admin credentials, they can then access your servers and cause a data breach. The attackers may
also sell your credential information on the dark web.
Make sure you are using a sufficiently strong password that is at least 10 characters long, use a combination of lowercase and
uppercase, symbols, numbers, and spaces, and unique only for this account. Consider using a password manager service to
ensure you are always using strong passwords you won’t forget.

•Patch management
It’s important to use a patch management service to ensure any changes in code are properly tested before installation and
comes from a trusted source.

•Failed or missed updates on software and OS

No software or OS is 100% perfect, and responsible manufacturers will address security vulnerabilities in their software with
security fixes and patches. So, these updates are there for a reason.
However, when a software manufacturer releases a patch note, they are also announcing this vulnerability to the public
(including cybercriminals). This is why you should always update your OS and software as soon as patches are made
available.
Cybercriminals are constantly exploiting vulnerabilities in software, so running an outdated software version will
significantly increase your risks of data breaches.
•Misconfigured network ports
An improper server configuration, especially regarding network ports, can easily be exploited by cybercriminals. It’s
very important to configure and optimize the server according to the server security best practices.

•Unused accounts
Old and forgotten accounts are often used by hackers (after a successful brute force attack, for example) to gain
access to the server. Make sure to perform periodic cleanups of old and obsolete accounts.

•Poor physical security

Not all outside threats to your server’s security are digital in nature. When, for example, thieves gain physical access
to your server, it is also compromised. Poorly secured dongle keys can also be very dangerous for your server’s
security.
Basic server security guidelines
As mentioned in the introduction, we should treat server security in layers. Here are the basic steps of securing a web
server that we can use as a foundation for the next layers:
1.Make sure to regularly update the server’s OS (operating system) and all applications/software hosted on the server
2.Configure the server’s OS to meet server security best practices: enable only necessary applications and services, and
disable all unnecessary ones.
3.Set all the account passwords (change all the default passwords) and use sufficiently strong passwords. Remove
default accounts properly.
4.Regularly monitor security-related announcements related to your server (i.e. follow your server manufacturer’s blog)
5.Employ SSL (Secure Socket Layer) and TLS (Transport Layer Security) according to the data hosted on the server to
implement encryption and authentication.
6.Configure the server according to the manufacturer/vendor’s best practices. This may include installing the server
software on a designated host provider, putting required access controls to sensitive/confidential files, and so on.
7.Creating log files for future investigations and recovery purposes. Assign specific log file names accordingly, and
make sure your log files won’t fill up the hard drive. Configure the log files to capture all the potentially risky activities
(failed logins, sudden spikes in requests, unauthorized user access, etc. )
8.Document all changes you’ve made to the system and application hosted in the server, and test all proposed changes
before launching them.
Server security checklist
Now that we’ve discussed the basics of what good server security should look like, let’s share our server security checklist to
ensure you have it all covered:
Step 1: Identify and record your server details
The first and arguably the most crucial step is to identify and make a note of all the important details of your server, like its
MAC address, identification number, model name, etc. This is important so that you can get the right manual, check for
compatibility with third-party software, and so on.
Step 2: Ensure physical protection
As mentioned, physical vulnerabilities can also cause serious data breaches and other threats to your server. Make sure your
server is properly secured physically to prevent unauthorized access. For example, restrict access to the room where the server
is physically located and only allow as few people as possible in this area. Ensure the keys to this room are always stored
securely.
Step 3: Set up event logs
Enable traceability and accountability for everyone accessing the server by configuring event logs. Monitor these logs regularly
and attend to any suspicious activity including, but not limited to, suspicious account login, changes in system configurations,
and changes in permissions. Ideally, your event logs should be backed up on a separate server.
Step 4: Regularly update OS and software
Set a weekly (if possible, daily) schedule to update OS and any software or application hosted on the server. You should
implement updates as soon as they are available.
Step 5: Remove unnecessary software
Regularly remove old and unused software, applications and OS components. Disable
any unnecessary services. Forgotten unused applications can be just another gateway
for hackers to invade your server.
Step 6: Monitor hardware performance
Vulnerabilities in hardware can also be fatal. Make sure to regularly maintain your
hardware and perform routine inspections to identify damaged components that might
need replacing.
Step 7: Maintain authenticity and integrity
Enforce authentication protocols as needed, for example enforcing the use of
password managers and two-factor authentication (2FA) for all system administrators.
Remove older administrator accounts that are no longer used.
Step 8: Regular backup
Automate regular server backups with the 3-2-1 backup rule (3 backups, 2 on the
same site with the server but on different devices/mediums, and 1 backup copy off-
site). Regularly check whether your backups are operating as expected. Test the
backup recovery images as needed.
Web Application Security:

Web application security (also known as Web AppSec) is the idea of building websites to function as expected,
even when they are under attack. The concept involves a collection of security controls engineered into a Web
application to protect its assets from potentially malicious agents. Web applications, like all software, inevitably
contain defects. Some of these defects constitute actual vulnerabilities that can be exploited, introducing risks to
organizations. Web application security defends against such defects. It involves leveraging secure development
practices and implementing security measures throughout the software development life cycle (SDLC), ensuring that
design-level flaws and implementation-level bugs are addressed.Appli

Web security testing aims to find security vulnerabilities in Web applications and their configuration. The primary
target is the application layer (i.e., what is running on the HTTP protocol). Testing the security of a Web application
often involves sending different types of input to provoke errors and make the system behave in unexpected ways.
These so called “negative tests” examine whether the system is doing something it isn’t designed to do.
It is also important to understand that Web security testing is not only about testing the security features (e.g.,
authentication and authorization) that may be implemented in the application. It is equally important to test that other
features are implemented in a secure way (e.g., business logic and the use of proper input validation and output
encoding). The goal is to ensure that the functions exposed in the Web application are secure.
cation Security
What are common web app security vulnerabilities?
Attacks against web apps range from targeted database manipulation to large-scale network disruption. Let’s explore some of
the common methods of attack or “vectors” commonly exploited.
•Cross site scripting (XSS) - XSS is a vulnerability that allows an attacker to inject client-side scripts into a webpage in order to access
important information directly, impersonate the user, or trick the user into revealing important information.
•SQL injection (SQi) - SQi is a method by which an attacker exploits vulnerabilities in the way a database executes search queries. Attackers
use SQi to gain access to unauthorized information, modify or create new user permissions, or otherwise manipulate or destroy sensitive data.
•Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks - Through a variety of vectors, attackers are able to overload a
targeted server or its surrounding infrastructure with different types of attack traffic. When a server is no longer able to effectively process
incoming requests, it begins to behave sluggishly and eventually deny service to incoming requests from legitimate users.
•Memory corruption - Memory corruption occurs when a location in memory is unintentionally modified, resulting in the potential for
unexpected behavior in the software. Bad actors will attempt to sniff out and exploit memory corruption through exploits such as code
injections or buffer overflow attacks.
•Buffer overflow - Buffer overflow is an anomaly that occurs when software writing data to a defined space in memory known as a buffer.
Overflowing the buffer’s capacity results in adjacent memory locations being overwritten with data. This behavior can be exploited to inject
malicious code into memory, potentially creating a vulnerability in the targeted machine.
•Cross-site request forgery (CSRF) - Cross site request forgery involves tricking a victim into making a request that utilizes their
authentication or authorization. By leveraging the account privileges of a user, an attacker is able to send a request masquerading as the user.
Once a user’s account has been compromised, the attacker can exfiltrate, destroy or modify important information. Highly privileged
accounts such as administrators or executives are commonly targeted.
•Data breach - Different than specific attack vectors, a data breach is a general term referring to the release of sensitive or confidential
information, and can occur through malicious actions or by mistake. The scope of what is considered a data breach is fairly wide, and may
consist of a few highly valuable records all the way up to millions of exposed user accounts.
What is computer forensics?

Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a
particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics
is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what
happened on a computing device and who was responsible for it.

Computer forensics -- which is sometimes referred to as computer forensic science -- essentially is data recovery with
legal compliance guidelines to make the information admissible in legal proceedings. The terms digital forensics
 and cyber forensics are often used as synonyms for computer forensics.

Digital forensics starts with the collection of information in a way that maintains its integrity. Investigators then
analyze the data or system to determine if it was changed, how it was changed and who made the changes. The use of
computer forensics isn't always tied to a crime.

The forensic process is also used as part of data recovery processes to gather data from a crashed server, failed drive,
reformatted operating system (OS) or other situation where a system has unexpectedly stopped working.
Why is computer forensics important?

In the civil and criminal justice system, computer forensics helps ensure the integrity of digital evidence
presented in court cases. As computers and other data-collecting devices are used more frequently in every
aspect of life, digital evidence -- and the forensic process used to collect, preserve and investigate it -- has
become more important in solving crimes and other legal issues.

The average person never sees much of the information modern devices collect. For instance, the computers in
cars continually collect information on when a driver brakes, shifts and changes speed without the driver being
aware. However, this information can prove critical in solving a legal matter or a crime, and computer
forensics often plays a role in identifying and preserving that information.
Digital evidence isn't just useful in solving digital-world crimes, such as data theft, network breaches and illicit
online transactions. It's also used to solve physical-world crimes, such as burglary, assault, hit-and-run
accidents and murder.

Businesses often use a multilayered data management, data governance and network security strategy to keep
proprietary information secure. Having data that's well managed and safe can help streamline the forensic
process should that data ever come under investigation.
Types of computer forensics

There are various types of computer forensic examinations. Each deals with a specific aspect of information
technology. Some of the main types include the following:
•Database forensics. The examination of information contained in databases, both data and related metadata.

•Email forensics. The recovery and analysis of emails and other information contained in email platforms, such as
schedules and contacts.

•Malware forensics. Sifting through code to identify possible malicious programs and analyzing their payload.
Such programs may include Trojan horses, ransomware or various viruses.
How does computer forensics work?
Forensic investigators typically follow standard procedures, which vary depending on the context of the forensic
investigation, the device being investigated or the information investigators are looking for. In general, these procedures
include the following three steps:
1.Data collection. Electronically stored information must be collected in a way that maintains its integrity. This often
involves physically isolating the device under investigation to ensure it cannot be accidentally contaminated or tampered
with. Examiners make a digital copy, also called a forensic image, of the device's storage media, and then they lock the
original device in a safe or other secure facility to maintain its pristine condition. The investigation is conducted on the
digital copy. In other cases, publicly available information may be used for forensic purposes, such as Facebook posts or
public Venmo charges for purchasing illegal products or services displayed on the Vicemo website.
2.Analysis. Investigators analyze digital copies of storage media in a sterile environment to gather the information for a
case. Various tools are used to assist in this process, including Basis Technology's Autopsy for hard drive investigations and
the Wireshark network protocol analyzer. A mouse jiggler is useful when examining a computer to keep it from falling
asleep and losing volatile memory data that is lost when the computer goes to sleep or loses power.
3.Presentation. The forensic investigators present their findings in a legal proceeding, where a judge or jury uses them to
help determine the result of a lawsuit. In a data recovery situation, forensic investigators present what they were able to
recover from a compromised system.
Often, multiple tools are used in computer forensic investigations to validate the results they produce. Learn how a
researcher at Kaspersky Lab in Asia created an open source forensics tool for remotely collecting malware evidence
without compromising system integrity.
What Is IT Compliance?

IT compliance and security both contribute to the protection of a company’s digital assets, but they operate differently.
While effective IT security involves establishing and implementing technical controls to safeguard a company’s assets,
IT compliance—sometimes called IT security compliance or technology compliance—involves meeting the regulatory
or contractual requirements defined by a third party.

Third-party IT compliance regulations your company is required to comply with might come in the form of
government policies, industry regulations, security frameworks, or contractual terms associated with the service or
product you are providing.

Because third parties often determine IT compliance standards, certain regulations might sometimes seem like they go
beyond what your company considers to be strictly necessary. However, failure to comply with information security
compliance standards can have a severe impact on your business.
Lack of IT compliance can result in:
•Diminished customer trust
•Damaged reputation
•Financial ramifications that could result in your company incurring hefty fines
•Legal ramifications that could prevent your company from working in certain markets or locations
Given the seriousness of IT and technology compliance, you must be aware of any information security compliance
standards applicable to your business.
Who Needs IT Compliance?
Whether your company is subject to compliance requirements will depend on several factors, including the country or state
it operates in. Areas with privacy or data laws, like the California Consumer Privacy Act and GDPR, are likely to have
compliance standards you must follow.
Your market is another factor. Heavily regulated markets, like finance and healthcare, typically require businesses to meet
certain standards. You may also have to adhere to specific regulations if you are working with clients who require high
levels of confidentiality. In this case, your client contract or non-disclosure agreement (NDA) may define the compliance
standards you’re expected to meet.
The importance of IT compliance often extends beyond IT security. Your company’s ability to comply with the terms of
your client contract, for example, might be less about security and more about safeguarding service availability and
reliability.
There are many regulations only some types of businesses are legally required to meet. Some of the most well-known of
these regulations are:
•The Health Insurance Portability and Accountability Act (HIPAA): This law in the U.S. dictates how companies
working in the healthcare sector share and handle their patients’ health information (read more here).
•The Sarbanes-Oxley Act (SOX): This financial regulation applies to all publicly traded U.S. companies, foreign
companies doing business in the U.S., and wholly-owned subsidiaries.
•The Payment Card Industry Data Security Standards (PCI-DSS): These standards consist of a group of security
requirements to protect the privacy of consumers when personal credit card details are being transmitted, processed, or
stored by businesses.
•ISO 27001: This is not legally binding, but companies may opt into complying with these information security standards if
they wish to. Doing so demonstrates a commitment to a high standard of IT security.
•DISA STIG: DISA STIG refers to an organization, the Defense Information Systems Agency (DISA), that issues technical
guides called Security Technical Implementation Guides (STIGs). These guides detail how a company should manage its
Benefits of IT Security Compliance
Companies required to comply with certain standards will incur costs associated with creating the necessary systems and
policies to achieve full IT compliance—but there are some notable benefits to meeting information security compliance
standards.
Here are a few of the most significant advantages of IT and technology compliance.
1. Safeguard Your Reputation
Not only are data breaches costly, but they can also have a dramatic impact on a business’ reputation with its customers. In
many cases, bad actors steal personal customer information clients have entrusted the business with. For example, the breach
of MySpace in 2016 resulted in 360 million customer accounts being compromised.
In the aftermath of a data breach, a company must face the difficult task of earning back its customers’ trust. Sometimes, the
damage done is irreparable.
A great benefit of complying with IT and technology compliance regulations is the safety it affords your company’s
reputation.

2. Avoid Penalties and Fines

Companies must be aware of any existing compliance regulations that apply to them to avoid penalties and fines. In some
cases, these penalties can be severe and unsustainable. Detailed below are the fines associated with some of the most well-
known IT compliance acts and regulations.

3. Open the Door to Valuable Partnerships

Organizations that fail to invest in their IT compliance and regularly fall short of the required standards are significantly less
likely to be considered for valuable business partnerships.
If failure to comply with the necessary standards resulted in hefty fines, or damaged reputation, this could have a knock-on
effect on any associated partners. As a result, most businesses are understandably hesitant to establish partnerships with