UNIT-I

Introduction to Cyber Security

Cyber Security Introduction - Cyber Security Basics:

Cyber security is the most concerned matter as cyber threats and attacks are overgrowing. Attackers are now
using more sophisticated techniques to target the systems. Individuals, small-scale businesses or large
organization, are all being impacted. So, all these firms whether IT or non-IT firms have understood the
importance of Cyber Security and focusing on adopting all possible measures to deal with cyber threats.

What is cyber security?

"Cyber security is primarily about people, processes, and technologies working together to encompass the full
range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response,
resiliency, and recovery policies and activities, including computer network operations, information assurance,
law enforcement, etc."
OR
Cyber security is the body of technologies, processes, and practices designed to protect networks, computers,
programs and data from attack, damage or unauthorized access.

• The term cyber security refers to techniques and practices designed to protect digital data.
• The data that is stored, transmitted or used on an information system.
OR
Cyber security is the protection of Internet-connected systems, including hardware, software, and data from
cyber-attacks.
It is made up of two words one is cyber and other is security.
• Cyber is related to the technology which contains systems, network and programs or data.
• Whereas security related to the protection which includes systems security, network security and
application and information security.

Why is cyber security important?

Listed below are the reasons why cyber security is so important in what’s become a predominant digital world:

• Cyber-attacks can be extremely expensive for businesses to endure.

• In addition to financial damage suffered by the business, a data breach can also inflict untold
reputational damage.
• Cyber-attacks these days are becoming progressively destructive. Cybercriminals are using more
sophisticated ways to initiate cyber-attacks.

• Regulations such as GDPR are forcing organizations into taking better care of the personal data they
hold. Because of the above reasons, cyber security has become an important part of the business and the focus
now is on developing appropriate response plans that minimize the damage in the event of a cyber-attack.

But, an organization or an individual can develop a proper response plan only when he has a good grip on cyber
security fundamentals.

Cyber security Fundamentals – Confidentiality:

Confidentiality is about preventing the disclosure of data to unauthorized parties.

It also means trying to keep the identity of authorized parties involved in sharing and holding data private and
anonymous.

Often confidentiality is compromised by cracking poorly encrypted data, Man-in-the-middle (MITM) attacks,
disclosing sensitive data.

Standard measures to establish confidentiality include:

• Data encryption
• Two-factor authentication
• Biometric verification
• Security tokens

Integrity

Integrity refers to protecting information from being modified by unauthorized parties. Standard measures to
guarantee integrity include:
• Cryptographic checksums
• Using file permissions
• Uninterrupted power supplies
• Data backups

Availability

Availability is making sure that authorized parties are able to access the information when needed.

Standard measures to guarantee availability include:

• Backing up data to external drives

• Implementing firewalls
• Having backup power supplies
• Data redundancy

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter computer
code, logic or data and lead to cybercrimes, such as information and identity theft.

Cyber-attacks can be classified into the following categories:

1) Web-based attacks
2) System-based attacks Web-based attacks
These are the attacks which occur on a website or web applications. Some of the important web-based attacks
are as follows-

1. Injection attacks

It is the attack in which some data will be injected into a web application to manipulate the application and fetch
the required information.

Example- SQL Injection, code Injection, log Injection, XML Injection etc.
2. DNS Spoofing

DNS spoofing is a type of computer security hacking. Whereby a data is introduced into a DNS resolver's cache
causing the name server to return an incorrect IP address, diverting traffic to the attacker’s computer or any
other computer. The DNS spoofing attacks can go on for a long period of time without being detected and can
cause serious security issues.

3. Session Hijacking

It is a security attack on a user session over a protected network. Web applications create cookies to store the
state and user sessions. By stealing the cookies, an attacker can have access to all of the user data.

4. Phishing

Phishing is a type of attack which attempts to steal sensitive information like user login credentials and credit
card number. It occurs when an attacker is masquerading as a trustworthy entity in electronic communication.

5. Brute force

It is a type of attack which uses a trial and error method. This attack generates a large number of guesses and
validates them to obtain actual data like user password and personal identification number. This attack may be
used by criminals to crack encrypted data, or by security, analysts to test an organization's network security.

6. Denial of Service

It is an attack which meant to make a server or network resource unavailable to the users. It accomplishes this
by flooding the target with traffic or sending it information that triggers a crash. It uses the single system and
single internet connection to attack a server. It can be classified into the following-

Volume-based attacks- Its goal is to saturate the bandwidth of the attacked site, and is measured in bit per
second.

Protocol attacks- It consumes actual server resources, and is measured in a packet.

Application layer attacks- Its goal is to crash the web server and is measured in request per second.

7. Dictionary attacks

This type of attack stored the list of a commonly used password and validated them to get original password.

8. URL Interpretation

It is a type of attack where we can change the certain parts of a URL, and one can make a web server to deliver
web pages for which he is not authorized to browse.

9. File Inclusion attacks

It is a type of attack that allows an attacker to access unauthorized or essential files which is available on the
web server or to execute malicious files on the web server by making use of the include functionality.

10. Man in the middle attacks

It is a type of attack that allows an attacker to intercepts the connection between client and server and acts as a
bridge between them. Due to this, an attacker will be able to read, insert and modify the data in the intercepted
connection.

System-based attacks

These are the attacks which are intended to compromise a computer or a computer network. Some of the
important system-based attacks are as follows-

1. Virus

It is a type of malicious software program that spread throughout the computer files without the knowledge of a
user. It is a self-replicating malicious computer program that replicates by inserting copies of itself into other
computer programs when executed. It can also execute instructions that cause harm to the system.

2. Worm

It is a type of malware whose primary function is to replicate itself to spread to uninfected computers. It works
same as the computer virus. Worms often originate from email attachments that appear to be from trusted
senders.

3. Trojan horse

It is a malicious program that occurs unexpected changes to computer setting and unusual activity, even when
the computer should be idle. It misleads the user of its true intent. It appears to be a normal application but
when opened/executed some malicious code will run in the background.

4. Backdoors

It is a method that bypasses the normal authentication process. A developer may create a backdoor so that an
application or operating system can be accessed for troubleshooting or other purposes.

5. Bots

A bot (short for "robot") is an automated process that interacts with other network services. Some bots program
run automatically, while others only execute commands when they receive specific input. Common examples of
bots program are the crawler, chatroom bots, and malicious bots.

The 7 layers of cyber security should center on the mission critical assets you are seeking to protect.

1: Mission Critical Assets – This is the data you need to protect

2: Data Security – Data security controls protect the storage and transfer of data.
3: Application Security – Applications security controls protect access to an application, an application’s access
to your mission critical assets, and the internal security of the application. 4: Endpoint Security – Endpoint
security controls protect the connection between devices and the network.
5: Network Security – Network security controls protect an organization’s network and prevent unauthorized
access of the network.
6: Perimeter Security – Perimeter security controls include both the physical and digital security methodologies
that protect the business overall.
7: The Human Layer – Humans are the weakest link in any cyber security posture. Human security controls
include phishing simulations and access management controls that protect mission critical assets from a wide
variety of human threats, including cyber criminals, malicious insiders, and negligent users.

Vulnerability, threat, Harmful acts

As the recent epidemic of data breaches illustrates, no system is immune to attacks. Any company that manages,
transmits, stores, or otherwise handles data has to institute and enforce mechanisms to monitor their cyber
environment, identify vulnerabilities, and close up security holes as quickly as possible.
Before identifying specific dangers to modern data systems, it is crucial to understand the distinction between
cyber threats and vulnerabilities.

Cyber threats are security incidents or circumstances with the potential to have a negative outcome for your
network or other data management systems.
Examples of common types of security threats include phishing attacks that result in the installation of malware
that infects your data, failure of a staff member to follow data protection protocols that cause a data breach, or
even a tornado that takes down your company’s data headquarters, disrupting access.

Vulnerabilities are the gaps or weaknesses in a system that make threats possible and tempt threat actors to
exploit them.

Types of vulnerabilities in network security include but are not limited to SQL injections, server
misconfigurations, cross-site scripting, and transmitting sensitive data in a non- encrypted plain text format.
When threat probability is multiplied by the potential loss that may result, cyber security experts, refer to this as
a risk.

SECURITY VULNERABILITIES, THREATS AND ATTACKS –

Categories of vulnerabilities
• Corrupted (Loss of integrity)
• Leaky (Loss of confidentiality)
• Unavailable or very slow (Loss of availability)
– Threats represent potential security harm to an asset when vulnerabilities are exploited
- Attacks are threats that have been carried out
• Passive – Make use of information from the system without affecting system resources
• Active – Alter system resources or affect operation
• Insider – Initiated by an entity inside the organization
• Outsider – Initiated from outside the perimeter
Computer criminals
Computer criminals have access to enormous amounts of hardware, software, and data; they have the potential
to cripple much of effective business and government throughout the world. In a sense, the purpose of computer
security is to prevent these criminals from doing damage.
We say computer crime is any crime involving a computer or aided by the use of one. Although this definition
is admittedly broad, it allows us to consider ways to protect ourselves, our businesses, and our communities
against those who use computers maliciously.
One approach to prevention or moderation is to understand who commits these crimes and why. Many studies
have attempted to determine the characteristics of computer criminals. By studying those who have already used
computers to commit crimes, we may be able in the future to spot likely criminals and prevent the crimes from
occurring.

CIA Triad
The CIA Triad is actually a security model that has been developed to help people think about various parts of
IT security.

CIA triad broken down:

Confidentiality

It's crucial in today's world for people to protect their sensitive, private information from unauthorized access.

Protecting confidentiality is dependent on being able to define and enforce certain access levels for information.

In some cases, doing this involves separating information into various collections that are organized by who
needs access to the information and how sensitive that information actually is - i.e. the amount of damage
suffered if the confidentiality was breached.

Some of the most common means used to manage confidentiality include access control lists, volume and file
encryption, and Unix file permissions.

Integrity

Data integrity is what the "I" in CIA Triad stands for.

This is an essential component of the CIA Triad and designed to protect data from deletion or modification from
any unauthorized party, and it ensures that when an authorized person makes a change that should not have
been made the damage can be reversed.

Availability

This is the final component of the CIA Triad and refers to the actual availability of your data. Authentication
mechanisms, access channels and systems all have to work properly for the information they protect and ensure
it's available when it is needed.

Understanding the CIA triad

The CIA Triad is all about information. While this is considered the core factor of the majority of IT security, it
promotes a limited view of the security that ignores other important factors.

For example, even though availability may serve to make sure you don't lose access to resources needed to
provide information when it is needed, thinking about information security in itself doesn't guarantee that
someone else hasn't used your hardware resources without authorization.

It's important to understand what the CIA Triad is, how it is used to plan and also to implement a quality
security policy while understanding the various principles behind it. It's also important to understand the
limitations it presents. When you are informed, you can utilize the CIA Triad for what it has to offer and avoid
the consequences that may come along by not understanding it.

Assets and Threat

What is an Asset: An asset is any data, device or other component of an organization’s systems that is valuable
– often because it contains sensitive data or can be used to access such information.
For example: An employee’s desktop computer, laptop or company phone would be considered an asset, as
would applications on those devices. Likewise, critical infrastructure, such as servers and support systems, are
assets. An organization’s most common assets are information assets. These are things such as databases and
physical files – i.e. the sensitive data that you store

What is a threat: A threat is any incident that could negatively affect an asset – for example, if it’s lost, knocked
offline or accessed by an unauthorized party.

Threats can be categorized as circumstances that compromise the confidentiality, integrity or availability of an
asset, and can either be intentional or accidental.

Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas
accidental threats generally involve employee error, a technical malfunction or an event that causes physical
damage, such as a fire or natural disaster.

Motive of Attackers

The categories of cyber-attackers enable us to better understand the attackers' motivations and the actions they
take. As shown in Figure, operational cyber security risks arise from three types of actions: i) inadvertent
actions (generally by insiders) that are taken without malicious or harmful intent; ii) deliberate actions (by
insiders or outsiders) that are taken intentionally and are meant to do harm; and iii) inaction (generally by
insiders), such as a failure to act in a given situation, either because of a lack of appropriate skills, knowledge,
guidance, or availability of the correct person to take action Of primary concern here are deliberate actions, of
which there are three categories of motivation.

1. Political motivations: examples include destroying, disrupting, or taking control of targets; espionage;
and making political statements, protests, or retaliatory actions.
2. Economic motivations: examples include theft of intellectual property or other economically valuable
assets (e.g., funds, credit card information); fraud; industrial espionage and sabotage; and blackmail.
3. Socio-cultural motivations: examples include attacks with philosophical, theological, political, and even
humanitarian goals. Socio-cultural motivations also include fun, curiosity, and a desire for publicity or ego
gratification.

Types of cyber-attacker actions and their motivations when deliberate

Active attacks: An active attack is a network exploit in which a hacker attempts to make changes to data on the
target or data en route to the target.

Types of Active attacks:

Masquerade: in this attack, the intruder pretends to be a particular user of a system to gain access or to gain
greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen login
IDs and passwords, through finding security gaps in programs or through bypassing the authentication
mechanism.

Session replay: In this type of attack, a hacker steals an authorized user’s log in information by stealing the
session ID. The intruder gains access and the ability to do anything the authorized user can do on the website.

Message modification: In this attack, an intruder alters packet header addresses to direct a message to a different
destination or modify the data on a target machine.
In a denial of service (DoS) attack, users are deprived of access to a network or web resource. This is generally
accomplished by overwhelming the target with more traffic than it can handle.

In a distributed denial-of-service (DDoS) exploit, large numbers of compromised systems (sometimes called a
botnet or zombie army) attack a single target.

Passive Attacks: Passive attacks are relatively scarce from a classification perspective, but can be carried out
with relative ease, particularly if the traffic is not encrypted.

Types of Active attacks:

Eavesdropping (tapping): the attacker simply listens to messages exchanged by two entities. For the attack to be
useful, the traffic must not be encrypted. Any unencrypted information, such as a password sent in response to
an HTTP request, may be retrieved by the attacker.

Traffic analysis: the attacker looks at the metadata transmitted in traffic in order to deduce information relating
to the exchange and the participating entities, e.g. the form of the exchanged traffic (rate, duration, etc.). In the
cases where encrypted data are used, traffic analysis can also lead to attacks by cryptanalysis, whereby the
attacker may obtain information or succeed in unencrypting the traffic.

Software Attacks: Malicious code (sometimes called malware) is a type of software designed to take over or
damage a computer user's operating system, without the user's knowledge or approval. It can be very difficult to
remove and very damaging. Common malware examples are listed in the following table:

Attack Characteristics
Virus A virus is a program that attempts to damage a computer system and replicate itself to other computer
systems. A virus:

• Requires a host to replicate and usually attaches itself to a host file or a hard drive sector.
• Replicates each time the host is used.
• Often focuses on destruction or corruption of data.
• Usually attaches to files with execution capabilities such as .doc, .exe, and .bat extensions.
• Often distributes via e-mail. Many viruses can e-mail themselves to everyone in your address book.
• Examples: Stoned, Michelangelo, Melissa, I Love You.
Worm A worm is a self-replicating program that can be designed to do any number of things, such as delete
files or send documents via e-mail. A worm can negatively impact network traffic just in the process of
replicating itself. A worm:

• Can install a backdoor in the infected computer.

• Is usually introduced into the system through a vulnerability.
• Infects one system and spreads to other systems on the network.
• Example: Code Red.
Trojan horse A Trojan horse is a malicious program that is disguised as legitimate software. Discretionary
environments are often more vulnerable and susceptible to Trojan horse attacks because security is user focused
and user directed. Thus the compromise of a user account could lead to the compromise of the entire
environment. A Trojan horse:

• Cannot replicate itself.

• Often contains spying functions (such as a packet sniffer) or backdoor functions that allow a computer to
be remotely controlled from the network.
• Often is hidden in useful software such as screen savers or games.
• Example: Back Orifice, Net Bus, Whack-a-Mole.
Logic Bomb A Logic Bomb is malware that lies dormant until triggered. A logic bomb is a specific
example of an asynchronous attack.

• A trigger activity may be a specific date and time, the launching of a specific program, or the processing
of a specific type of activity.
• Logic bombs do not self-replicate.

Hardware Attacks:
Common hardware attacks include:

• Manufacturing backdoors, for malware or other penetrative purposes; backdoors aren’t limited to
software and hardware, but they also affect embedded radio- frequency identification (RFID) chips and
memory
• Eavesdropping by gaining access to protected memory without opening other hardware
• Inducing faults, causing the interruption of normal behavior

• Hardware modification tampering with invasive operations

• Backdoor creation; the presence of hidden methods for bypassing normal computer authentication
systems
• Counterfeiting product assets that can produce extraordinary operations and those made to gain
malicious access to systems.

Cyber Threats-Cyber Warfare: Cyber warfare refers to the use of digital attacks -- like computer viruses and
hacking -- by one country to disrupt the vital computer systems of another, with the aim of creating damage,
death and destruction. Future wars will see hackers using computer code to attack an enemy's infrastructure,
fighting alongside troops using conventional weapons like guns and missiles.
Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to
damage another nation's computers or information networks through, for example, computer viruses or denial-
of-service attacks.

Cyber Crime:

Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked
device. Cybercrime is committed by cybercriminals or hackers who want to make money. Cybercrime is carried
out by individuals or organizations.
Some cybercriminals are organized, use advanced techniques and are highly technically skilled. Others are
novice hackers.

Cyber Terrorism:

Cyber terrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of
attacks against computers, networks and the information stored therein when done to intimidate or coerce a
government or its people in furtherance of political or social objectives.
Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing,
Denial-of-service attacks, or terroristic threats made via electronic communication.

Cyber Espionage:

Cyber spying, or cyber espionage, is the act or practice of obtaining secrets and information without the
permission and knowledge of the holder of the information from
individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military
advantage using methods on the Internet.

Security Policies:

Security policies are a formal set of rules which is issued by an organization to ensure that the user who are
authorized to access company technology and information assets comply with rules and guidelines related to the
security of information.

A security policy also considered to be a "living document" which means that the document is never finished,
but it is continuously updated as requirements of the technology and employee changes.

We use security policies to manage our network security. Most types of security policies are automatically
created during the installation. We can also customize policies to suit our specific environment.

Need of Security policies-

1) It increases efficiency.

2) It upholds discipline and accountability

3) It can make or break a business deal

4) It helps to educate employees on security literacy

There are some important cyber security policies recommendations describe below-

Virus and Spyware Protection policy:

• It helps to detect threads in files, to detect applications that exhibits suspicious behavior.
• Removes, and repairs the side effects of viruses and security risks by using signatures.
Firewall Policy:

• It blocks the unauthorized users from accessing the systems and networks that connect to the Internet.
• It detects the attacks by cybercriminals and removes the unwanted sources of network traffic.
Intrusion Prevention policy:

• This policy automatically detects and blocks the network attacks and browser attacks.
• It also protects applications from vulnerabilities and checks the contents of one or more data packages
and detects malware which is coming through legal ways.

Application and Device Control:

• This policy protects a system's resources from applications and manages the peripheral devices that can
attach to a system.
• The device control policy applies to both Windows and Mac computers whereas application control
policy can be applied only to Windows clients.