MOD 4 5 HONORS CYBERSECURITY ETHICAL HACKING

Firewall
A firewall is a network security device that monitors and controls incoming and outgoing
network traffic based on predetermined security rules. It acts as a barrier between your
trusted internal network and the untrusted external network (like the Internet). Firewalls
can be hardware, software, or a combination of both, and they help prevent unauthorized
access to or from a private network.
Importance of Firewalls
Firewalls are essential because:
1. They protect internal networks that might not be secure on their own.
2. The Internet has many potential threats, like hackers, cybercriminals, and malicious
software.
3. They help prevent denial of service attacks and unauthorized access to internal data.
4. They centralize network security, acting like a lock on the front door of a house.
Types of Firewalls
Firewalls are generally classified into three types:
1. Packet-Filtering Firewalls (Stateless and Stateful)
o How it works: This type of firewall filters traffic based on criteria like source
and destination IP addresses, ports, and protocols. It examines each data
packet individually to decide whether to allow or block it.
o Stateless Firewalls: They inspect packets without keeping track of the
connection state. They make decisions based solely on the packet's data,
which makes them faster but less secure.
o Stateful Firewalls: These firewalls track the state of active connections,
allowing only packets that are part of a known connection. They are more
secure than stateless firewalls because they understand the context of the
traffic.
2. Application-Level Firewalls (Proxies)
o How it works: An application-level firewall, also known as a proxy firewall,
filters traffic based on the specific application it is associated with (like HTTP,
FTP, or Telnet). It acts as an intermediary, preventing direct communication
between a trusted network and an untrusted network.
o Features:
 It examines packets at the application layer, verifying the data being
sent and received.
  It can filter specific actions, like blocking certain commands that could
be harmful (e.g., blocking the 'FTP put' command to prevent file
uploads).
o Network Address Translation (NAT): It can replace the internal IP address
with its own when sending data to the outside world, hiding internal network
details.
3. Circuit-Level Firewalls
o How it works: Circuit-level firewalls operate at the transport layer (TCP). They
create a virtual connection between the internal and external hosts and
monitor the TCP handshake process to establish that the communication is
legitimate.
o SOCKS Protocol: This is a popular protocol used in circuit-level firewalls. It
creates a secure relay between the client and the server without directly
exposing the internal network.
o Key Feature: Unlike application-level firewalls, circuit-level firewalls don't
inspect the data inside the packets; they just monitor the session state to
ensure that a connection is legitimate.

What is a VPN?
A Virtual Private Network (VPN) is a technology that creates a secure and encrypted
connection over a less secure network, such as the Internet. It allows a user to connect to a
private network (like a company's internal network) from a remote location. VPNs use
tunneling protocols to protect data as it travels between your device and the VPN server,
making it look like you're part of a local network even when you're far away.
How VPNs Work (Example)
Imagine a bank with its head office in Washington, USA, and branches in Mumbai, India, and
Tokyo, Japan. Traditionally, they would need to set up expensive leased lines to connect the
branches securely. However, with a VPN:
 The Washington office has a VPN server that all 100 computers in its local network
connect to.
 An employee in the Mumbai office can use a VPN client to connect to this server.
 The VPN server assigns them an IP address from the Washington office network,
making it appear as if they are working locally from there.
 This secure connection allows data to be shared as if all offices are on the same local
network, even though they are in different countries.
This setup is like extending a private network across different geographical locations using
the public Internet, making it secure and cost-effective.
Uses of VPNs (Example: Spotify)
VPNs can also be used to access content that is restricted by location. For example:
 Spotify, a popular music app, might not be available in India.
 When you connect to a VPN server located in the US, your IP address changes to one
that looks like it's from the US.
 This tricks Spotify into thinking you're in the US, allowing you to access the app from
India.
Key Benefits of VPNs
1. Security: VPNs create an encrypted tunnel between your device and the VPN server,
protecting your data from hackers.
2. Bypassing Restrictions: They help you access websites and content that may be
blocked in your region.
3. Anonymous Browsing: VPNs hide your real IP address, making it difficult for websites
to track your online activities.
Legal Aspects of VPNs
 Legality: VPNs are generally legal in most countries as long as they aren't used for
illegal activities like fraud, cyber theft, or downloading copyrighted content.
 Restrictions: Some countries, like China, restrict the use of VPNs to control access to
information and maintain data security.

Intrusion Detection System (IDS)

Definition:
An Intrusion Detection System (IDS) is security software that monitors a system or network
for suspicious activities, malicious attacks, or security policy violations. It alerts
administrators whenever potential threats or unauthorized interventions are detected,
acting like a burglar alarm for a computer network.

How IDS Works:

1. Monitoring and Detection:
IDS uses sensors to monitor user activities, system vulnerabilities, and file integrity. It
analyzes patterns based on known attack signatures or behavioral anomalies.
 2. Stages of Detection:
o If a signature matches (known attack), IDS cuts the connection, drops the
packet, and alerts the administrator.
o If no match is found, it performs anomaly detection to identify unusual
behaviors.
o For valid packets, IDS conducts stateful protocol analysis to verify consistency
in communication.
3. Automated Threat Updates:
IDS constantly monitors the internet for the latest threats to protect against future
attacks.

Features of IDS:
 Monitors and analyzes user and system activities.
 Conducts audits of system files, configurations, and operating systems.
 Detects errors in system configuration and potential threats.
 Assesses the integrity of system and data files.
 Alerts administrators if a system or network is in danger.

Advantages of IDS:
1. Continuous monitoring of networks and systems for threats.
2. Detects both external attacks and insider threats.
3. Prevents potential damage by early detection of issues.
4. Provides a user-friendly interface for security management.
5. Easily detects and reports any changes to files or directories.

Disadvantage:
While IDS effectively detects threats and locks the network in case of an attack, it cannot
always identify the exact source of the attack.
Types of Intrusion Detection Systems (IDS)
1. Network-Based IDS:
o Monitors traffic on networks or subnets.
o Compares traffic with a database of known attack signatures.
o Deployed at key network points like boundaries or between servers and
networks.
o Advantage: Easy to deploy and cost-effective.
2. Host-Based IDS:
o Installed on individual systems to monitor incoming/outgoing packets and file
integrity.
o Compares snapshots of system files for discrepancies.
o Advantage: Accurately monitors the system without requiring extra
hardware.
3. Signature-Based IDS:
o Matches data with known attack signatures.
o Advantages: High accuracy and quick detection of known attacks.
o Limitation: Cannot detect unknown or new attacks.
4. Anomaly-Based IDS:
o Builds a statistical model of normal traffic (e.g., bandwidth, protocols, ports).
o Alerts the administrator if traffic deviates from the model.
o Advantage: Can detect new and unknown attacks.
5. Passive IDS:
o Detects malicious activities and issues alerts.
o Requires manual action by the administrator.
6. Active/Reactive IDS:
o Detects threats and takes proactive actions like blocking traffic or resetting
connections.
o Also referred to as Intrusion Prevention System (IPS).
Web Server Security (OWASP Top 10)
The Open Web Application Security Project (OWASP) is a non-profit organization that
provides information on how to secure web applications. They focus on making software
security visible and accessible to everyone by providing tools, resources, and best practices
for application security. Here are the OWASP Top 10 Web Application Security Risks and
some ways to prevent them:
1. Injection Attacks:
o These happen when attackers send harmful data to the application, tricking it
into executing unwanted commands (e.g., SQL injection).
o Prevention: Use parameterized queries and always validate user inputs.
2. Broken Authentication and Session Management:
o Weak login methods can let attackers steal passwords or session tokens and
take over user accounts.
o Prevention: Use multi-factor authentication to make accounts more secure.
3. Sensitive Data Exposure:
o When sensitive information (like passwords or credit card details) isn’t
properly protected, attackers can steal it.
o Prevention: Encrypt data when it's stored and while it's being transferred.
4. XML External Entity (XXE) Attacks:
o Poor XML setup can allow attackers to see internal files or run malicious code.
o Prevention: Properly configure XML processors and avoid processing XML
from untrusted sources.
5. Broken Access Control:
o Users might gain access to data or functionality they shouldn’t have.
o Prevention: Regularly test your application for access control issues and
ensure that proper restrictions are in place.
6. Security Misconfiguration:
o This involves settings that aren’t set up properly, such as default passwords or
not keeping software updated.
o Prevention: Regularly update software, review security settings, and avoid
exposing error messages that leak sensitive details.
 7. Cross-Site Scripting (XSS):
o Attackers can inject harmful scripts into your web pages, which might trick
users into clicking on dangerous links.
o Prevention: Always validate and sanitize user inputs, and encode data before
displaying it on the web.
8. Insecure Deserialization:
o This happens when data from external sources is handled without proper
checks, allowing attackers to change or control the application’s behavior.
o Prevention: Validate all serialized data and avoid using untrusted data in
deserialization.
9. Using Components with Known Vulnerabilities:
o If your app uses outdated software components, attackers can exploit their
weaknesses.
o Prevention: Regularly update and replace third-party software with their
latest secure versions.
10. Insufficient Logging and Monitoring:
 Without proper tracking of events and activities, it can take months to detect a
security breach.
 Prevention: Ensure that all security events are logged properly and set up alerts to
detect suspicious activities.

Open Authentication (OAuth)

OAuth is an emerging authentication standard that allows consumers to share their private
resources (e.g., photos, videos, contact lists, bank accounts) stored on one CSP with another
CSP without having to disclose the authentication information (e.g., username and
password). OAuth is an open protocol and it was created with the goal of enabling
authorization via a secure application programming interface (API)—a simple and standard
method for desktop, mobile, and web applications.
1. Request Token: A web application (like a fitness app) asks Google for a request token
to access a user’s data (like their Google Calendar).
2. Verification: Google checks if the web app is registered with them. If everything is
fine, it sends back a request token.
3. Redirect to Authorization Page: The app directs the user to a Google page, where
the user is asked to log in and verify their identity.
4. User Grants or Denies Access: On the Google page, the user can choose to give the
app permission to access their data or deny it.
5. Action Based on User Decision: If the user denies access, they stay on Google’s page.
6. If they grant access, they are sent back to the app’s page.
7. Request Access Token: The app then asks Google to exchange the request token for
an access token.
8. Access Token Issued: Google verifies the request and issues an access token to the
app.
9. Accessing Data: The app sends a request to Google to get the user’s data, using the
access token.
10. Data Transfer: If the token is valid, Google allows the app to access the data.
Phishing and Pharming Techniques

Phishing: Phishing is a form of social engineering attack where attackers impersonate a

trustworthy entity to trick individuals into providing sensitive information like usernames,
passwords, or credit card details. This attack is usually carried out through deceptive emails,
messages, or websites that look legitimate. There are several types of phishing attacks:

 Mass Phishing: The attacker sends fraudulent emails to a large number of recipients,
hoping that some will click on malicious links or download malware.
 Spear Phishing: This is a targeted attack where the attacker customizes the message
for a specific individual or organization, using information that makes the email
appear more legitimate.
 Whaling: A specific type of phishing attack targeting high-profile individuals like
executives or important decision-makers in an organization.

Phishing attacks can lead to severe data breaches, unauthorized access to accounts, and
financial loss. Modern phishing attacks may also involve tricking the user into downloading
malware that could infect their system.

Pharming: Pharming is a more technical attack that aims to redirect a user's website request
to a fraudulent site without their knowledge, even if they type the correct web address.
Unlike phishing, which relies on tricking the user into visiting a fake site, pharming
manipulates the system's DNS settings or takes advantage of vulnerabilities in internet
infrastructure to lead users to malicious sites.

 DNS Spoofing: This is a common pharming technique where the attacker corrupts
the DNS server's data to redirect users to fake websites, despite them entering the
correct URL.
 Hosts File Modification: Attackers modify the local hosts file on a user's computer to
direct web requests to malicious sites without their knowledge.

Countermeasures:
For Phishing:

 Implement two-factor authentication (2FA) to add an extra layer of security to user

accounts.
 Use email filtering tools that can detect and block suspicious emails.

For Pharming:

 Use secure DNS servers and employ DNS security extensions like DNSSEC to prevent
DNS spoofing.
 Regularly update and patch software to protect against vulnerabilities that could be
exploited in pharming attacks.
Clickjacking
Clickjacking (UI Redress Attack): Clickjacking is a technique where attackers trick users into
clicking on a button or link that appears to perform a harmless action but actually triggers a
malicious event. The attack involves layering a transparent frame or element over the
legitimate content on a webpage, so when the user clicks, they are unknowingly interacting
with the hidden element.
How it works:
1. User visits a webpage that looks normal but contains a hidden layer controlled by
the attacker.
2. When the user clicks on a button or link on the visible layer, the action actually
interacts with the hidden layer.
3. This can lead to actions such as revealing sensitive information, executing unwanted
commands, or allowing the attacker to gain control over the user's computer or
account.
Clickjacking can affect any application or web service that doesn't adequately protect its
interface. The technique can also be used to trick users into enabling device permissions,
making unauthorized transactions, or even taking control of social media accounts.

For Clickjacking:
 Use security headers like X-Frame-Options to prevent a website from being
embedded in an iframe, which is a common method of carrying out clickjacking
attacks.
 Implement Content Security Policy (CSP) to block unauthorized content from being
displayed on your web pages.
 Educate users about the risks of clicking on unfamiliar links or buttons without
verifying their source.

Account Harvesting
Account Harvesting is the illegal process of gathering user accounts or email addresses using
methods like malware, phishing, or software to search for emails stored on computers.
Hackers use this data for spamming or credential theft. Tools like "The Harvester" can collect
email accounts from domains.
Protection Against Harvesting Attacks:
1. Multi-factor Authentication (MFA): Even if hackers get your password, they can't
access accounts without a second verification step.
 2. Credential Vaulting: Stores login details in an encrypted vault, so users never see the
actual credentials, making it harder for hackers to steal them.
3. Third-party Management Systems: These systems control and protect access for
vendors and third parties, reducing the risk of credential theft.

SSL/TLS Overview
 SSL (Secure Socket Layer): Developed by Netscape, SSL ensures secure
communication over networks. It operates at the transport layer, creating a secure
channel between a client and server.
 Key Concepts:
o Connection: A transient, peer-to-peer connection established for data
transmission.
o Session: A longer-term association that defines cryptographic parameters and
can manage multiple connections to avoid the cost of renegotiation.

•TLS (Transport Layer Security): An improved version of SSL (RFC 2246) with enhancements
in security features, including better MAC handling and support for additional alert codes.

 HTTP: The standard protocol for transmitting web pages, which becomes HTTPS
when secured with SSL.
 SSL Handshake Protocol: Establishes a secure connection by negotiating SSL versions
and cryptographic algorithms while authenticating the communicating parties.
 SSL Change Cipher Spec Protocol: Informs the recipient to begin using the newly
agreed-upon cryptographic parameters.
 SSL Alert Protocol: Sends notifications about SSL-related issues, indicating whether
the problem is a warning or fatal.
  SSL Record Protocol: Ensures confidentiality through encryption and maintains data
integrity with Message Authentication Codes (MACs), effectively managing secure
data transmission.
 TCP: Ensures reliable delivery of data, upon which SSL operates.
 IP: Routes packets, allowing SSL to function over different networks.

Cross-Site Request Forgery (CSRF)

Definition:
Cross-Site Request Forgery (CSRF) is a security vulnerability that allows an attacker to trick an
authenticated user into unknowingly performing actions on a web application without their
consent. This typically targets actions that change the state of the application, such as
transferring funds or changing account details.
How CSRF Works:
1. User Authentication: When a user is logged into a web application (e.g., online
banking), their session is authenticated.
2. Malicious Link: The attacker sends a link (often via email or social media) that
includes a request to the web application, such as transferring money.
3. User Interaction: If the user clicks the malicious link while still logged into the
application, their browser automatically sends the request with the user’s session
credentials (like cookies).
4. Action Executed: The web application executes the action because it trusts the
request came from the authenticated user.
Example Scenario:
Imagine you’re logged into your bank account and also have Facebook open. An attacker
sends you a link like:
yourbanksite.com/transfer.do?fromaccnt=youraccnt&toaccnt=attackersAccount&amt=2500
If you click this link while logged into your bank, your browser sends the transfer request
using your active session. The transfer happens without your intent, as the bank trusts the
request came from you.
Protection Against CSRF:
The most effective way to prevent CSRF attacks is to implement CSRF tokens:
 Unique Tokens: The server generates a unique token for each user session and
appends it to every state-changing request.
 Validation: When the server receives a request, it checks if the token is valid. If the
token is missing or incorrect, the request is denied.