MODULE-1: Introduction to Cyber Security

Syllabus: Introduction to Cyber Security, Basic Cyber Security Concepts, layers of

security, Vulnerability, Assets and Threat, motive of attackers, active attacks, passive
attacks, Software attacks, hardware attacks, Cyber Threats-Cyber Warfare, Cyber
terrorism, Cyber Espionage, etc., Comprehensive Cyber Security Policy.

T0 : Introduction:
• Cyber Security is referred to the security offered through online services to protect the
online information.
• With an increasing amount of people getting connected to the Internet, the security
threats are alsomassively increasing.
• It may be impossible to prevent hacking, but effective security controls
including strong passwords and the use of firewalls can prevent damage to a
certain extent.

Hacker:
A hacker is a person who uses computers to gain unauthorized access to data.

Types of Hackers:
Black Hat Hackers: (Unethical Hacker or Security Cracker)
These people hack the system illegally to steal money or to achieve their own illegal
goals. They find the banks or organization with weak security and steal money or
credit card information, they can also modify or destroy confidential data.

White Hat Hackers: (Ethical Hacker or Penetration Tester)

These people use the same technique used by the black hat hackers, but they can only
hack the system that they have permission to hack in order to test the security of the
system. They focus on securing and protecting IT System. White Hat Hacker is legal.

Grey Hat Hackers:

Grey Hat Hackers are hybrid of Black hat hackers & White hat hackers
They can hack any system even if they don’t have permission to test the security of the
system but they will never steal money or damage the system.

T1: Basic Cyber Security Concepts

Def1: It is the body of technologies, processes and practices designed to protect networks,
devices, programs and data from attack, theft, damage, modification or unauthorized access.
It is also called as Information Technology Security.

Def2: Cyber Security is the setoff principles and practices designed to protect the computing
resources and online information against threats.
 (A) Basic Principles of Security
CIA Triad
The CIA Triad is actually a security model that has been developed to help people think about
various parts of IT security.

CIA triad broken down into three parts further:

(i)Confidentiality:
Protecting confidentiality is dependent on being able to define and enforce certain access
levels for information. This process involves separating information into various collections
that are organized by authorized user, who needs to access the information and how sensitive
that information actually is - i.e. the amount of damage suffered if the confidentiality was
breached.
Standard measures to establish confidentiality include: Data Encryption, Two-factor
authentication, Biometric Verification, Security Tokens.

(ii)Integrity:
This is an essential component of the CIA Triad and designed to protect data from deletion or
modification from any unauthorized party, and it ensures that when an authorized person
makes a change that should not have been made the data damage.
Standard measures to guarantee Integrity include: Cryptography checksums, Using file
permissions, Uninterrupted power supplies, Data backups.

(iii)Availability:
This is the final component of the CIA Triad and refers to the actual availability of your data.
Authentication mechanisms, access channels and systems all have to work properly for the
information they protect and ensure it's available when it is needed.
Standard measures to guarantee Availability include: Backing up data to external drives,
Implementing firewalls, Having backup power supplies, Data redundancy.

The CIA triad goal of availability is the situation where information is available when and
where it is rightly needed.

( B )Key terms in Security –

Authorization, Authentication, and Non-repudiation processes and methods, which are
some of the main controls aimed at protecting the C-I-A triad.

To make information available or accessible/modifiable to those who need it and who can be
trusted with it (for accessing and modification), organizations use authentication and
authorization.

Authentication is proving that a user is the person he or she claims to be. That proof may
involve something the user knows (such as a password), something the user has (such as a
“smartcard”), or something about the user that proves the person’s identity (such as a
fingerprint).

Authorization is the act of determining whether a particular user (or computer system) has the
right to carry out a certain activity, such as reading a file or running a program.

Non-repudiation: Users must be authenticated before carrying out the activity they are
authorized to perform. Security is strong when the means of authentication —the user cannot
later deny that he or she performed the activity that is not available. This is non-repudiation.

( C ) Security Problems in Cyber field:

1. Viruses & Worms:

A virus is a program that is loaded into the computer without user’s knowledge and runs
against the user’s wish.
Remedy: Install a security suite that protects the computer against threats such as viruses and
worms. (e.g., Antivirus)

2. Malware: (MALicious softWARE)

Malware is any software that infects and damages a computer system without the owner’s
knowledge or permission.
Remedy: Download an anti-malware program that also helps prevent infection. Activate
network protection firewall, antivirus.

3. Trojan Horse:
Trojan horse are email viruses that can duplicate themselves, steal information or harm the
computer system. These viruses are the most serious threats to computers.
Remedy: Security suits such as Avast Internet Security, which will prevent from
downloading Trojan Horses.

4. Password Cracking:
Password attacks are attacks by hackers that are able to determine passwords or find
passwords to different protected electronic areas and social network sites.
Remedy: Use always strong password. Never use same password for two different sites.

5. Phishing:
In Phishing process, the attacker crafts the harmful site in such a way that the victim feels it
to be an authentic site, thus falling prey to it. The most common mode of phishing is by
sending spam emails that appear to be authentic and thus, taking away all credentials from the
victim. The main motive of the attacker behind phishing is to gain confidential information
like Password, Credit card details, Social security numbers, Date of birth, etc.
T2: Layers of Security

The 7 layers of cyber security mainly center on the mission critical assets.

1. Mission Critical Assets: This is the data which need to be protected.

2. Data Security: It protects the storage and transfer of data.
3. Application Security: It protects access to an application which handles the mission
critical assets and internal security of the application.
4. Endpoint Security: It protects the connection between devices and the network.
5. Network Security: It protects an organization’s network to prevent unauthorized
access of the network.
6. Perimeter Security: It includes both the physical and digital security methodologies
that protect the overall business.
7. The Human Layer: Humans are the weakest link in any cyber security posture.
Human security control includes phishing simulations and access management control that
protect mission critical assets from a wide variety of human threats, including cyber
criminals, malicious insiders and negligent users.

T3: Vulnerability
• A vulnerability is a weakness that can be exploited by cybercriminals to gain
unauthorized access to a computer system.
• A vulnerability is a weakness that can be exploited by a malicious actor. For example,
unpatched software or overly permissive accounts can provide a gateway for
cybercriminals to access the network and gain a foothold within the IT environment.
• A threat is a malicious act that can exploit a security vulnerability.
• A risk is what happens when a cyber threat exploits a vulnerability. It represents the
damage that could be caused to the organization in the event of a cyberattack.

Common types of vulnerabilities in cybersecurity include:

(i)Server Misconfigurations
(ii)Unsecured APIs
(iii)Outdated or unpatched software
(iv)Zero-day vulnerabilities
(v)Weak or stolen user credentials
(vi)RunTime Threats

(i)Server Misconfigurations:
Server Misconfigurations are the largest threat to both cloud and application security.
Because many application security tools require manual configuration, this process can be
rife with errors and take considerable time to manage and update.

(ii)Unsecured APIs:
• Another common security vulnerability is unsecured application programming
interfaces (APIs). APIs provide a digital interface that enables applications or
components of applications to communicate with each other over the internet or via a
private network.
• APIs are one of the few organizational assets with a public IP address. If not properly
and adequately secured, they can become an easy target for attackers to breach.

(iii)Outdated or unpatched software:

• Software vendors periodically release application updates to either add new features
and functionalities or patch known cybersecurity vulnerabilities. Unpatched or
outdated software often make for an easy target for advanced cybercriminals. As with
system misconfigurations, adversaries are on the prowl for such weaknesses that can
be exploited.
• While software updates may contain valuable and important security measures, it is
the responsibility of the organization to update their network and all endpoints.

(iv)Zero-day vulnerabilities:
• A zero-day vulnerability refers to a security flaw that has been discovered by a threat
actor but is unknown to the enterprise and software vendor. The term “zero-day” is
used because the software vendor was unaware of their software vulnerability, and
they had “0” days to work on a security patch or an update to fix the issue;
meanwhile it is a known vulnerability to the attacker.
• Zero-day attacks are extremely dangerous for companies because they can be very
difficult to detect. To effectively detect and mitigate zero-day attacks, a coordinated
defence is needed.
• Some of the security measures that can be taken to avoid this attack are: deploying
a complete endpoint security solution that combines technologies including next-gen
antivirus (NGAV), endpoint detection and response (EDR) and threat intelligence.

(v)Weak or stolen user credentials:

 • Many users fail to create unique and strong passwords for each of their accounts.
Reusing or recycling passwords and user IDs creates another potential avenue of
exploitation for cybercriminals.
• Weak user credentials are most often exploited in brute force attacks when a threat
actor tries to gain unauthorized access to sensitive data and systems by systematically
trying as many combinations of usernames and guessed passwords as possible. If
successful, the actor can enter the system and masquerade as the legitimate user.

(vi) RunTime Threats:

• Misunderstanding the “Shared Responsibility Model” (i.e., Runtime Threats), In
this context, Cloud networks adhere to what is known as the “shared responsibility
model”. This means that much of the underlying infrastructure is secured by the cloud
service provider. However, the organization is responsible for everything else,
including the operating system, applications and data.
• Unfortunately, this point can be misunderstood, leading to the assumption that cloud
workloads are fully protected by the cloud provider. This results in users unknowingly
running workloads in a public cloud that are not fully protected, meaning adversaries
can target the operating system and the applications to obtain access.

T4: Assets and Threat

Asset:
An asset is any data, device or other component of an organization’s systems that is valuable
– often because it contains sensitive data or can be used to access such information.
For example: An employee’s desktop computer, laptop or company phone would be
considered an asset, as would applications on those devices. Likewise, critical infrastructure,
such as servers and support systems, are assets.
An organization’s most common assets are information assets. These are things such as
databases and physical files – i.e. the sensitive data that you store.

Threat:
A threat is any incident that could negatively affect an asset – for example, if it’s lost,
knocked offline or accessed by an unauthorized party.
• Threats can be categorized as circumstances that compromise the confidentiality,
integrity or availability of an asset, and can either be intentional or accidental.
• Intentional threats include things such as criminal hacking or a malicious insider
stealing information, whereas accidental threats generally involve employee error, a
technical malfunction or an event that causes physical damage, such as a fire or
natural disaster.

Different sources of Cyber Threats:

Here are several common sources of cyber threats against organizations:
 A. Nation states—hostile countries can launch cyber-attacks against local companies
and institutions, aiming to interfere with communications, cause disorder, and inflict
damage.
B. Terrorist organizations—terrorists conduct cyber-attacks aimed at destroying or
abusing critical infrastructure, threaten national security, disrupt economies, and cause
bodily harm to citizens.
C. Criminal groups—organized groups of hackers aim to break into computing systems
for economic benefit. These groups use phishing, spam, spyware and malware for
extortion, theft of private information, and online scams.
D. Hackers—individual hackers target organizations using a variety of attack
techniques. They are usually motivated by personal gain, revenge, financial gain, or
political activity. Hackers often develop new threats, to advance their criminal ability
and improve their personal standing in the hacker community.
E. Malicious insiders—an employee who has legitimate access to company assets, and
abuses their privileges to steal information or damage computing systems for
economic or personal gain. Insiders may be employees, contractors, suppliers, or
partners of the target organization. They can also be outsiders who have compromised
a privileged account and are impersonating its owner.

T5: Motive of Attackers

The categories of cyber-attackers enable us to better understand the attacker’s motivations

and the actions they take.
As shown in Figure, operational cyber security risks arise from three types of actions:
i) inadvertent actions (generally by insiders) that are taken without malicious or
harmful intent;
ii) deliberate actions (by insiders or outsiders) that are taken intentionally and are meant
to do harm; and
iii) inaction (generally by insiders) such as a failure to act in a given situation, either
because of a lack of appropriate skills, knowledge, guidance, or availability of the Correct
person to take action of primary concern.
The main motivation behind attacker, planning a attack lies mainly with deliberate actions:
1. Political motivations: examples include destroying, disrupting, or taking control of
targets; espionage; and making political statements, protests, or retaliatory actions.
2. Economic motivations: examples include theft of intellectual property or other
economically valuable assets (e.g., funds, credit card information); fraud; industrial espionage
and sabotage; and blackmail.
3. Socio-cultural motivations: examples include attacks with philosophical, theological,
political, and even humanitarian goals. Socio-cultural motivations also include fun, curiosity,
and a desire for publicity or ego gratification.

T6: Active Attacks

Active attacks:
• Active attacks are a type of cybersecurity attack in which an attacker attempts to alter,
destroy, or disrupt the normal operation of a system or network. Active attacks
involve the attacker taking direct action against the target system or network.
• An active attack is a network exploit in which a hacker attempts to make changes to
data on the target or data enroute to the target.

Types of Active attacks:

A. Masquerade
B. Modification of messages
C. Repudiation
D. Replay
E. Denial of Service

A. Masquerade: in this attack, the intruder pretends to be a particular user of a system to

gain access or to gain greater privileges than they are authorized for. A masquerade may be
attempted through the use of stolen login IDs and passwords, through finding security gaps in
programs or through bypassing the authentication mechanism.

B. Message modification: In this attack, an intruder alters packet header addresses to direct a
message to a different destination or modify the data on a target machine.

C. Repudiation:
Repudiation attacks are a type of cybersecurity attack in which an attacker attempts to
deny or repudiate actions that they have taken, such as making a transaction or sending a
message. These attacks can be a serious problem because they can make it difficult to track
down the source of the attack or determine who is responsible for a particular action.
There are several types of repudiation attacks, including:
• Message repudiation attacks: Here in message repudiation attack, an attacker sends a
message and then later denies having sent it. This can be done by using spoofed or
falsified headers or by exploiting vulnerabilities in the messaging system.
 • Transaction repudiation attacks: In a transaction repudiation attack, an attacker
makes a transaction, such as a financial transaction, and then later denies having made
it. This can be done by exploiting vulnerabilities in the transaction processing system
or by using stolen or falsified credentials.
• Data repudiation attacks: In a data repudiation attack, an attacker modifies or deletes
data and then later denies having done so. This can be done by exploiting
vulnerabilities in the data storage system or by using stolen or falsified credentials.

D. Session replay: In this type of attack, a hacker steals an authorized user’s log in
information by stealing the session ID. The intruder gains access and the ability to do
anything the authorized user can do on the website.

E. In a denial of service (DoS) attack, users are deprived of access to a network or web
resource. This is generally accomplished by overwhelming the target with more traffic than it
can handle. In a distributed denial-of-service (DDoS) exploit, large numbers of
compromised systems (sometimes called a botnet or zombie army) attack a single target.

T7: Passive Attacks

Passive Attacks are relatively scarce from a classification perspective, but can be carried out
with relative ease, particularly if the traffic is not encrypted.
Passive attacks involve an attacker passively monitoring or collecting data without altering
or destroying it. Examples of passive attacks include eavesdropping, where an attacker
listens in on network traffic to collect sensitive information, and sniffing, where an attacker
captures and analyses data packets to steal sensitive information.

Types of Passive attacks:

A. Eavesdropping (tapping)
B. Traffic Analysis
C. The release of message content

A. Eavesdropping (tapping): the attacker simply listens to messages exchanged by two

entities. For the attack to be useful, the traffic must not be encrypted. Any unencrypted
information, such as a password sent in response to an HTTP request, may be retrieved by the
attacker.

B. Traffic analysis: Here the attacker looks at the metadata transmitted in traffic in order to
deduce information relating to the exchange and the participating entities, e.g. the form of the
exchanged traffic (rate, duration, etc.). In the cases where encrypted data are used, traffic
analysis can also lead to attacks by cryptanalysis, whereby the attacker may obtain
information or succeed in unencrypting the traffic.
Illustration:
• Suppose that we had a way of masking (encryption) information, so that the attacker
even if captured the message could not extract any information from the message.
 • The opponent could determine the location and identity of communicating host and
could observe the frequency and length of messages being exchanged. This
information might be useful in guessing the nature of the communication that was
taking place.

C. The release of message content:

Telephonic conversation, an electronic mail message, or a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent from learning the
contents of these transmissions.

T8: Software attacks

Malicious code (sometimes called malware) is a type of software designed to take over or
damage a computer user's operating system, without the user's knowledge or approval.
It can be very difficult to remove and can cause very damaging.

Common malware examples are listed in the following table:

Virus It is a type of malicious software program that spread throughout the
computer files without the knowledge of a user. It is a self-replicating
malicious computer program that replicates by inserting copies of itself
into other computer programs when executed. It can also execute
instructions that cause harm to the system.
A virus:
• Requires a host to replicate and usually attaches itself to a host file
or a hard drive sector.
• Replicates each time the host is used.
• Often focuses on destruction or corruption of data.
• Usually attaches to files with execution capabilities such as .doc,
.exe, and .bat extensions.
• Often distributes via e-mail. Many viruses can e-mail themselves to
everyone in your address book.
• Examples: Stoned, Michelangelo, Melissa, etc..
Worm It is a type of malware whose primary function is to replicate itself to
spread to uninfected computers. It works same as the computer virus.
Worms often originate from email attachments that appear to be from
trusted senders.
A worm:
• Can install a backdoor in the infected computer.
• Is usually introduced into the system through a vulnerability.
• Infects one system and spreads to other systems on the network.
• Example: Code Red.
Trojan Horse It is a malicious program that occurs unexpected changes to computer
setting and unusual activity, even when the computer should be idle. It
misleads the user of its true intent. It appears to be a normal application
but when opened/executed some malicious code will run in the
background.
A Trojan horse:
• Cannot replicate itself.
 • Often contains spying functions (such as a packet sniffer) or
backdoor functions that allow a computer to be remotely controlled
from the network.
• Often is hidden in useful software such as screen savers or games.
• Example: Back Orifice, Net Bus, Whack-a-Mole.
Logic Bomb A Logic Bomb is malware that lies dormant until triggered. A logic bomb
is a specific example of an asynchronous attack.
• A trigger activity may be a specific date and time, the launching of
a specific program, or the processing of a specific type of activity.
• Logic bombs do not self-replicate.

T9: Hardware attacks

Hardware attacks are malicious attacks that exploit vulnerabilities in hardware devices to
breach system security.

There are several types of hardware attacks, including:

• Side-channel attacks: These attacks allow cybercriminals to gain indirect access to
sensitive information.
• Modification attacks: These attacks interfere with the normal functionality of a
device, injecting harmful software that exposes vulnerabilities.
• Evil maid attacks: These attacks occur when an attacker gains physical access to a
device and installs malicious software.

Common hardware attacks include:

• Manufacturing backdoors, for malware or other penetrative purposes; backdoors
aren’t limited only to software, they also affect embedded radio- frequency
identification (RFID) chips and memory.
• Eavesdropping by gaining access to protected memory without opening other
hardware
• Inducing faults, causing the interruption of normal behaviour
• Hardware modification tampering with invasive operations
• Backdoor creation; the presence of hidden methods for bypassing normal computer
authentication systems
• Counterfeiting product assets that can produce extraordinary operations and those
made to gain malicious access to systems.

T10: Cyber Threats

Cyber Threats:
A cyber threat or cybersecurity threat is a malicious act intended to steal or damage data or
disrupt the digital wellbeing and stability of an enterprise. Cyber threats include a wide range
of attacks ranging from data breaches, computer viruses, denial of service, and numerous
other attack vectors.

Cyber Warfare
Cyber warfare refers to the use of digital attacks -- like computer viruses and hacking -- by
one country to disrupt the vital computer systems of another, with the aim of creating
damage, death and destruction. Future wars will see hackers using computer code to attack an
enemy's infrastructure, fighting alongside troops using conventional weapons like guns and
missiles.
Cyber warfare involves the actions by a nation-state or international organization to attack
and attempt to damage another nation's computers or information networks through, for
example, computer viruses or denial-of-service attacks.

Cyber Crime:
Cybercrime is criminal activity that either targets or uses a computer, a computer network or
a networked device. Cybercrime is committed by cybercriminals or hackers who want to
make money. Cybercrime is carried out by individuals or organizations.
Some cybercriminals are organized, use advanced techniques and are highly technically
skilled. Others are novice hackers.

Cyber Terrorism:
Cyber terrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks
and threats of attacks against computers, networks and the information stored therein when
done to intimidate or coerce a government or its people in furtherance of political or social
objectives.
Examples are hacking into computer systems, introducing viruses to vulnerable networks,
web site defacing, Denial-of-service attacks, or terroristic threats made via electronic
communication.

Cyber Espionage:
Cyber spying, or cyber espionage, is the act or practice of obtaining secrets and information
without the permission and knowledge of the holder of the information from individuals,
competitors, rivals, groups, governments and enemies for personal, economic, political or
military advantage using methods on the Internet.

T11: Comprehensive Cyber Security Policy.

• Security policies are a formal set of rules which is issued by an organization to ensure
that the user who are authorized to access company technology and information assets
comply with rules and guidelines related to the security of information.
• A security policy also considered to be a "living document" which means that the
document is never finished, but it is continuously updated as requirements of the
technology and employee changes.
• We use security policies to manage our network security. Most types of security
policies are automatically created during the installation. We can also customize
policies to suit our specific environment.

Need of Security policies-

1) It increases efficiency.
2) It upholds discipline and accountability
3) It can make or break a business deal
4) It helps to educate employees on security literacy

There are some important cyber security policies (also called comprehensive cyber
security policy) recommendations described below-

A. Virus and Spyware Protection policy:

It helps to detect threads in files, to detect applications that exhibits suspicious behaviour.
Removes, and repairs the side effects of viruses and security risks by using signatures.

B. Firewall Policy:
It blocks the unauthorized users from accessing the systems and networks that connect to the
Internet.
It detects the attacks by cyber criminals and removes the unwanted sources of network traffic.

C. Intrusion Prevention policy:

This policy automatically detects and blocks the network attacks and browser attacks. It also
protects applications from vulnerabilities and checks the contents of one or more data
packages and detects malware which is coming through legal ways.

D. Application and Device Control policy:

This policy protects a system's resources from applications and manages the peripheral
devices that can attach to a system.
The device control policy applies to both Windows and Mac computers whereas application
control policy can be applied only to Windows clients.

Question Bank:
1. Write a note on:
A. Hacker and different types of hackers 5M (Answer Hint: Topic# T0)
B. Basic Principles of Security (CIA Triad) 5M (Answer Hint: Topic# T1)

2. Summarize the following terms: (10M)

A. Cyber Security B. Authentication C. Authorization D. Non-Repudiation E. Vulnerability
(Answer Hint: Topic# T0, T1)

3. Write a note on various security problems in cyber field. 10M (Answer Hint: Topic# T1)

4. With neat diagram, demonstrate different layers of security. 10M

(Answer Hint: Topic# T2)

5. Explain different types of vulnerabilities, that arise in cyber security field. 10M
(Answer Hint: Topic# T3)
6. Write a note on:
A. Assets and Threats 5M (Answer Hint: Topic# T4)
B. Hardware Attacks 5M (Answer Hint: Topic# T9)

7. Explain different sources of Cyber Threats in detail. 10M (Answer Hint: Topic# T4)

8. Explain software attacks and its various types in detail. 10M (Answer Hint: Topic# T8)

9. Explain passive attacks and its various types in detail. 10M (Answer Hint: Topic# T7)

10. Explain active attacks and its various types in detail. 10M (Answer Hint: Topic# T6)

11. Write a note on Cyber Threats concept in detail. 10M (Answer Hint: Topic# T10)

12. Explain Comprehensive Cyber Security Policy recommendations in detail 10M

(Answer Hint: Topic# T11)

13. With neat diagram, show the different reasons due to which hacker is motivated to
launch an Attack 10M (Answer Hint: Topic# T5)