Course: Information and Cyber Security
Introduction to Cybersecurity
Dr. Susmita Mandal
Assistant Professor
Email : msusmita@idrbt.ac.in
Institute for Development and Research in Banking Technology (IDRBT)
Programme : PMPBT2025
Disclaimer: Academic Orientation Only– We do not recommend any tools / products / orgs
Types of Cybersecurity Threats Part-2
Recap:
1. Introduction to cybersecurity
2. Sources of Attack
3. Malware, Social engineering, MIM Attacks
Topics to be covered:
1. Cyber Threats and Prevention
2. Types of Cybersecurity Solutions and Tools
Man-in-the-Middle Attack
A cybercriminal eavesdrops on a network connection to intercept and relay messages between two parties and
steal data.
• Example: A MITM attack is the equivalent of a mailman opening your bank statement, writing down
your account details and then resealing the envelope and delivering it to your door.
Workflow:
Step 1: Interception: The first step intercepts user traffic
through the attacker’s network before it reaches its intended
destination.
• Ex: an attacker makes free, malicious WiFi hotspots
available to the public. Typically named in a way that
corresponds to their location, they aren’t password
protected.
Step 2: Decryption: After interception, any two-way SSL traffic
needs to be decrypted without alerting the user or application.
Interception Attacks
IP spoofing:
• IP spoofing is similar to DNS spoofing in that the attacker
diverts internet traffic headed to a legitimate website to a
fraudulent website.
• Instead of spoofing the website’s DNS record, the attacker
modifies the malicious site's IP address to make it appear as if it
is the IP address of the legitimate website users intended to
visit.
ARP spoofing:
It is the process of linking an attacker’s MAC address with
the IP address of a legitimate user on a local area network
using fake ARP messages.
As a result, data sent by the user to the host IP address is
instead transmitted to the attacker.
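An added detection example (not from the original slides): ARP spoofing leaves two traces a passive monitor on the LAN can see, an IP address whose MAC binding suddenly changes and one MAC address answering for several IP addresses (the victim's and the gateway's). The observations below are constructed sample data, and the function and field names are this example's own.

```python
"""Added example (not from the original slides): flag ARP-cache changes that
look like ARP spoofing. The ARP observations below are constructed sample data."""
from collections import defaultdict

# Constructed sample of observed ARP replies: (time, ip, mac). In a real
# deployment these would come from a passive ARP monitor on the LAN segment.
ARP_OBSERVATIONS = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate MAC
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),  # a workstation
    (2, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (3, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (4, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation IP
]

def detect_arp_spoofing(observations, trusted=None):
    """Return a list of alert strings.

    Two indicators are checked:
    1. an IP address whose MAC differs from the first binding seen (or from a
       trusted static binding supplied in `trusted`, e.g. for the gateway), and
    2. a single MAC address that answers for more than one IP address, which is
       how both ends of a conversation get poisoned at once.
    """
    first_seen = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            alerts.append(f"t={ts}: {ip} changed from {first_seen[ip]} to {mac}")
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append(f"t={ts}: {mac} answers for multiple IPs {sorted(ips_per_mac[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_OBSERVATIONS, trusted={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

A binding change is also what a legitimate DHCP reassignment or a replaced network card looks like, so the alert is a prompt to investigate, not proof of an attack; pinning the gateway's binding in `trusted` removes the most important false negative (the attacker being the first binding the monitor ever sees).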
Interception Attacks
DNS spoofing:
DNS spoofing, also known as DNS cache poisoning, involves infiltrating a DNS server and altering a website’s address record. As a result, users attempting to access the site are sent by the altered DNS record to the attacker’s site.
Wi-Fi eavesdropping—an attacker sets up a Wi-Fi
connection, posing as a legitimate actor, such as a
business, that users may connect to.
• The fraudulent Wi-Fi allows the attacker to
monitor the activity of connected users and
intercept data such as payment card details and
login credentials.
Decryption Attacks
SSL Hijacking
• Attacker fakes security keys during the connection setup.
• Tricks both the user and the website into thinking they're securely connected.
SSL Stripping
• Downgrades a secure HTTPS site to an insecure HTTP version.
• The user sees an insecure page, while the attacker still connects securely behind the scenes.
Email Hijacking
• Attacker spoofs a trusted email address (like a bank).
• Tricks users into sharing private info or sending money.
Prevention
• Blocking MITM attacks requires several practical steps on the part of users, as well as a combination of
encryption and verification methods for applications.
• For users, this means:
• Avoiding WiFi connections that aren’t password protected.
• Paying attention to browser notifications reporting a website as being unsecured.
• Immediately logging out of a secure application when it’s not in use.
• Watch for Certificate Warnings: If your browser says a site’s certificate is invalid, don’t proceed.
• Not using public networks (e.g., coffee shops, hotels) when conducting sensitive transactions.
Denial-of-Service attack
• A Denial of Service attack is often achieved using TCP
and UDP packets.
• In a DoS attack, the perpetrators flood the user’s system
with illegal traffic or service requests and stop it from
executing intended tasks.
Signs of attack:
• The incapability to load certain websites
• The extreme volume of spam emails
• Uncharacteristically slow network performance,
including extended load times for files or websites
• Prolonged failure to access specific websites
• A sudden loss of connectivity across devices on the
same network
Denial-of-Service attack Techniques
HTTP Flood DDoS
• Sends many legitimate-looking HTTP requests
• Overwhelms web applications or servers
• Doesn’t need high bandwidth or malformed packets
• Forces the target to use resources for each request
SYN Flood DDoS
• Abuses the TCP handshake (SYN → SYN-ACK → ACK)
• Sends SYN requests but never completes the handshake
• Ties up server resources waiting for ACKs
Denial-of-Service attack Techniques(2)
UDP Flood DDoS
• Sends UDP packets to random ports on a target
• Forces the target to reply with “Destination Unreachable”
• Wastes system resources
ICMP Flood
• Sends many ICMP Echo Requests (pings)
• Target tries to reply to each one (Echo Reply)
• Consumes bandwidth and processing power
NTP Amplification
• Exploits open NTP servers to send large replies to the victim
• Amplifies traffic volume (1 request can trigger up to 200 responses)
• High-bandwidth attack using small initial input
Prevention
• Monitor Your Traffic: keep an eye on your traffic for signs of abnormalities, such as a mysterious
spike in traffic and suspicious IP address and geolocation visits. Most DDoS attacks begin with
sharp traffic spikes.
• Make more Bandwidth Available: It is often advisable to provision more bandwidth for your server than you would normally exhaust.
• Blackhole routing: Also known as blackholing, it discards unwanted traffic destined for a specific IP address or network; as a defense, all of the site’s traffic is sent into a blackhole.
• Rate limiting: Limiting the number of requests a server will accept over a certain time window is
also a way of mitigating denial-of-service attacks.
• While rate limiting is useful in slowing web scrapers from stealing content and for
mitigating brute force login attempts, it alone will likely be insufficient to handle a complex
DDoS attack effectively.
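The rate-limiting step described above, as an added example that is not part of the original slides: a per-client sliding-window limiter that accepts at most `limit` requests from one client within any `window_seconds`-long span. The traffic it replays is constructed, timestamps are passed in explicitly (in milliseconds) so the result is deterministic, and the class and function names are this example's own.

```python
"""Added example (not from the original slides): a per-client sliding-window
rate limiter of the kind described under 'Rate limiting'. Sample traffic is
constructed; the clock is passed in explicitly so the behaviour is deterministic."""
from collections import defaultdict, deque

class SlidingWindowRateLimiter:
    """Allow at most `limit` requests per client within any `window_ms` span."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window = window_ms
        self._hits = defaultdict(deque)   # client id -> timestamps of accepted requests

    def allow(self, client, now_ms):
        """Return True if the request at time `now_ms` is accepted, else False.
        Only accepted requests are recorded, so a rejected client recovers as
        soon as its old requests fall out of the window."""
        q = self._hits[client]
        while q and now_ms - q[0] >= self.window:
            q.popleft()                    # drop requests older than the window
        if len(q) >= self.limit:
            return False
        q.append(now_ms)
        return True

# Constructed sample traffic: (timestamp_ms, client_ip). One quiet client and
# one client sending 30 requests at 20 requests/second.
SAMPLE_REQUESTS = (
    [(0, "10.0.0.5")]
    + [(50 * i, "198.51.100.7") for i in range(1, 31)]
    + [(4000, "10.0.0.5")]
)

def run_sample(requests, limit=10, window_ms=1000):
    """Replay requests through the limiter; return {client: (accepted, rejected)}."""
    limiter = SlidingWindowRateLimiter(limit, window_ms)
    stats = defaultdict(lambda: [0, 0])
    for ts, client in requests:
        stats[client][0 if limiter.allow(client, ts) else 1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}

if __name__ == "__main__":
    print(run_sample(SAMPLE_REQUESTS))
```

With a limit of 10 per second, the bursting client gets its first 10 requests through, is refused for the next 10, and is admitted again once its earliest requests age out of the window, while the quiet client is never affected. Keying on the source IP is the usual choice, and it is also the reason the slide calls rate limiting insufficient on its own: a distributed attack spreads its requests across many sources, each of which stays under the per-client limit.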
Prevention
Activate a WAF:
• A Web Application Firewall (WAF) is a layer of protection that sits between a website and the traffic it receives.
• It filters requests based on a series of rules used to identify DDoS tools.
• One key value of an effective WAF is the ability to quickly implement custom rules in response to an attack.
Anycast Network Diffusion
• This mitigation approach uses an Anycast network to scatter the attack traffic across
a network of distributed servers to the point where the traffic is absorbed by the
network
• Like channeling a rushing river down separate smaller channels
28-31 July 2020 Financial Cryptography: Future of Secure Banking 12
Injection Attacks
• Injection attacks exploit a variety of vulnerabilities to directly insert malicious input into the code
of a web application. Successful attacks may expose sensitive information, execute a DoS attack or
compromise the entire system.
• Though injection attacks come in various forms, key types include:
• SQL injection: Exploits database vulnerabilities through malicious SQL statements, affecting
data integrity and availability.
• Command injection: Executes unauthorized commands on the host operating system,
potentially taking control of the system.
• XML injection: Compromises XML applications by manipulating the processing of XML data
or documents.
Sample SQL Injection
• Consider a web application login form that queries a database to validate user credentials.
• The web form has two input fields: username and password.
• In general, the server-side script validates the credentials with a SQL query that looks like this:
    SELECT *
    FROM users
    WHERE username='${request.body.username}'
    AND password='${request.body.password}'
• The script would replace the value for request.body.username with johndoe and the value for request.body.password with the supplied password:
    SELECT *
    FROM users
    WHERE username='johndoe'
    AND password='Fubs8pfD25^b3^*Xq$FM5@76'
• If the username and password combination does not match an existing record in the users table, then the query will not return any rows.
Sample SQL Injection (2)
• If there is no sanitization of the web form inputs, consider what would happen if the end user submits a form with these values instead: the username ' OR '1'='1 (the value for password, though obscured on the form, is the same as that of username).
• Without sanitized inputs, the resulting SQL query would look like this:
    SELECT *
    FROM users
    WHERE username='' OR '1'='1'
    AND password='' OR '1'='1'
• This query would return all rows from the users table, potentially allowing the malicious attacker to log in successfully as the first user returned.
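The login query from the slides, run end to end as an added example (not code from the original slides): the same query is built once by pasting the form values into the SQL text, as on the slide, and once with bound parameters, and both are given the normal credentials and the ' OR '1'='1 input. The users table and its rows are constructed; SQLite is used only because it needs no server.

```python
"""Added example (not from the original slides): the slide's login query run
against an in-memory SQLite database, first built by string interpolation
(vulnerable) and then with bound parameters (safe). Table contents are constructed."""
import sqlite3

def make_db():
    """Create a constructed users table with two accounts.
    (Passwords are stored in clear text here only to mirror the slide's query;
    a real application stores password hashes, not passwords.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("johndoe", "Fubs8pfD25^b3^*Xq$FM5@76"), ("alice", "correct-horse-battery")],
    )
    return conn

def login_vulnerable(conn, username, password):
    """Mirrors the slide: user input is pasted into the SQL text, so a quote in
    the input becomes part of the query's structure. Returns the matched rows."""
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchall()

def login_parameterized(conn, username, password):
    """Same query with placeholders: the driver passes the values separately
    from the SQL text, so they can only ever be compared as data."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()

def demo():
    """Return the number of rows each variant returns for normal and injected input."""
    conn = make_db()
    normal = ("johndoe", "Fubs8pfD25^b3^*Xq$FM5@76")
    injected = ("' OR '1'='1", "' OR '1'='1")   # the input discussed on the slide
    return {
        "vulnerable_normal": len(login_vulnerable(conn, *normal)),
        "vulnerable_injected": len(login_vulnerable(conn, *injected)),
        "param_normal": len(login_parameterized(conn, *normal)),
        "param_injected": len(login_parameterized(conn, *injected)),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The interpolated query returns every row for the injected input, exactly as the slide describes, because `AND` binds tighter than `OR` and the trailing `OR '1'='1'` is true for each row; the parameterized query returns no rows, because the whole string ' OR '1'='1 is compared against the username column as a value. Input filtering (the prevention slide's first point) is still worth doing, but it is parameterization that removes the vulnerability.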
Injection attacks
LDAP injection—
• an attacker inputs characters to alter Lightweight
Directory Access Protocol (LDAP) queries.
• These attacks are very severe because LDAP servers
may store user accounts and credentials for an
entire organization.
• Issues: Authentication bypass, Elevation of access
privileges, Resource disclosure
Cross-Site Scripting (XSS)—
• an attacker inputs a string of text containing
malicious JavaScript.
• The target’s browser executes the code, enabling
the attacker to redirect users to a malicious website
or steal session cookies to hijack a user’s session.
• Issues: Account impersonation, Defacement, Run arbitrary JavaScript in the victim’s browser
Prevention
• Filter input on arrival. At the point where user input is received, filter as strictly as possible based
on what is expected or valid input.
• Encode data on output.
• Before showing user input in a webpage, encode it
• Use the right encoding based on context: HTML, URL, JavaScript, CSS, etc.
• Use appropriate response headers. Set headers like:
• Content-Type (e.g., text/plain, application/json)
• X-Content-Type-Options: nosniff
• Helps browsers handle content safely and as intended
• Content Security Policy. As a last line of defense, you can use Content Security Policy (CSP) to
reduce the severity of any XSS vulnerabilities that still occur.
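The "encode data on output" and "use appropriate response headers" steps above, carried through as an added example that is not part of the original slides. The same untrusted string is placed into three different contexts of one page, each with the encoding that context needs, and the response carries the headers the slide lists. The untrusted value is constructed, the CSP shown is a hypothetical policy, and the function names are this example's own.

```python
"""Added example (not from the original slides): context-aware output encoding
and the response headers listed under 'Prevention'. The untrusted input is a
constructed sample; the Content-Security-Policy value is a hypothetical policy."""
import html
import json
from urllib.parse import quote

# Constructed sample of attacker-controlled input (e.g. a display name from a form).
UNTRUSTED = '<script>alert(document.cookie)</script>'

def encode_for_html(value):
    """HTML body or quoted-attribute context: escape & < > " and '."""
    return html.escape(value, quote=True)

def encode_for_url_param(value):
    """URL query-parameter context: percent-encode everything except unreserved characters."""
    return quote(value, safe="")

def encode_for_js_string(value):
    """JavaScript string-literal context inside an inline <script> block.
    json.dumps produces a valid JS string literal; < > & are additionally
    escaped so the browser's HTML parser can never see a closing </script>."""
    encoded = json.dumps(value)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

def safe_response_headers(content_type="text/html; charset=utf-8"):
    """Headers the slide recommends: explicit Content-Type, nosniff, and a CSP."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        # Hypothetical policy: same-origin scripts only, no inline scripts, no plugins.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }

def render_profile_page(display_name):
    """Embed untrusted input in three contexts, each encoded for that context.
    Returns (headers, body)."""
    body = (
        f"<h1>Hello, {encode_for_html(display_name)}</h1>\n"
        f'<a href="/search?q={encode_for_url_param(display_name)}">Search for me</a>\n'
        f"<script>var who = {encode_for_js_string(display_name)};</script>"
    )
    return safe_response_headers(), body

if __name__ == "__main__":
    headers, body = render_profile_page(UNTRUSTED)
    print("\n".join(f"{k}: {v}" for k, v in headers.items()))
    print()
    print(body)
```

The point of three encoders rather than one is the slide's "use the right encoding based on context": HTML-escaping a value and then dropping it into a `<script>` block or a URL does not protect those contexts, and the wrong encoder is the usual reason a site that "already escapes everything" still has XSS. The CSP remains the last line of defense if an encoding step is missed, and `nosniff` keeps the browser from reinterpreting a response under a different content type than the one declared.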
State of Malware in India: Report by DSCI & Seqrite
• Data from October 2023 to September 2024 shows 369.01 million detections across an 8.44 million-strong installation base.
(Chart: Analyzing malware subcategory detections)
Ways for cyber security:
• Network security
• Information security
• Application Security
• Cloud Security
Network Security
• Network security is the practice of securing a computer
network from unauthorized access or attacks.
• The primary goal of network security is to protect a
network’s infrastructure, including servers, routers,
switches, and other network devices.
• Key features of network security:
• Network monitoring and management tools
• Access control and authentication systems
• Data encryption and decryption methods
• Firewall technology
• Regular security audits
How does network security work?
• Network security combines multiple layers of defenses at the edge and in the network.
• Each network security layer implements policies and controls.
• Authorized users gain access to network resources, but malicious actors are blocked from carrying out exploits and threats.
Network Security Technologies and Solutions
Intrusion detection system (IDS)
• It is an application that monitors network traffic and
searches for known threats and suspicious or malicious
activity.
• The IDS sends alerts to IT and security teams when it detects
any security risks and threats.
• Detection methods: signature-based detection and anomaly-based detection; others are reputation-based detection and stateful protocol analysis.
Network Security Technologies and Solutions(2)
Intrusion Prevention Systems (IPS)
• IPS technology detects or prevents network
security attacks such as brute force and DoS
attacks and exploitation of known vulnerabilities.
Data Loss Prevention (DLP)
• DLP solutions help prevent employees from
sharing company information and sensitive data
outside the network
• Solves: Data Extrusion, Insider threats, Data
exposure
Virtual Private Networks (VPNs)
• A virtual private network (VPN) protects users’
identities by masking their IP address and location
and encrypting their data.
Network Security Technologies and Solutions(3)
Network Segmentation
• Network segmentation is a technique that enables
organizations to define boundaries between
network segments. A network segment can be a
location housing assets with a common function,
role, or risk within the organization.
• For example, a perimeter gateway segments a corporate network from the public Internet. It blocks potential external threats to keep sensitive data safe inside the network.
Log Management
Log management involves collecting, storing, and analyzing log data from various sources within a network.
Aggregating log data from servers, applications, and network devices into a centralized repository provides a
comprehensive view of network activity, making it easier to identify patterns and detect anomalies.
Network Security Technologies and Solutions(4)
Firewall/NGFW
• A firewall controls inbound and outbound traffic on
networks using predetermined security rules to
prevent malicious traffic from entering the
network.
• A firewall can be hardware, software, or both.
• Today, most organizations use next-generation
firewalls (NGFW) that can block malware and
application-layer attacks.
WAF
A web application firewall (WAF) is a program that can filter, monitor, and block HTTP traffic flowing to and from
a web service.
Inspecting HTTP traffic enables a WAF to protect against cross-site scripting (XSS), SQL injection (SQLi), improper system configuration, and file inclusion.
Network Security Technologies and Solutions(5)
Network Access Control (NAC)
NAC uses network administrator tools and policies to prevent unauthorized access to protected networks. It enables organizations to:
1. Assign specific accounts to internal users
protected with unique credentials.
2. Categorize users according to their job
functions to establish role-based permissions
defining what these users are permitted to
access and do on the network.
3. Grant limited access privileges to various
guest users on a separate network to prevent
them from reaching sensitive information.
4. Register company-approved devices into the
system to ensure the network recognizes
devices allowed to access it.
5. Restrict access according to a device’s
operating system or the installed security
software to prevent high-risk devices from
exposing the network to attacks.
Network Security Technologies and Solutions(6)
Incident Response Services:
These services are responsible for managing and mitigating the impact of security incidents, such as data breaches, malware infections, and cyber-attacks.
• Key steps include detection, analysis, containment, eradication, recovery, and post-incident review:
• Early detection of security incidents involves the monitoring of network traffic, system logs, and security alerts to identify suspicious activities. Once an incident is detected, a thorough analysis helps understand its scope and impact.
• Containment strategies aim to limit the spread of the incident and prevent further damage, while eradication focuses on removing the root cause, such as deleting malware or closing vulnerabilities.
• Recovery efforts restore normal operations as quickly and securely as possible, ensuring that affected systems are clean and data is intact. A post-incident review identifies lessons learned and improves future response strategies.
Network Security Technologies and Solutions(7)
Security Information and Event Management
(SIEM)
• SIEM solutions provide comprehensive visibility
into activities within the protected network.
1. It collects and aggregates log data
generated by the organization’s unified
security framework, including firewalls,
advanced threat protection systems,
IPS, and NAC.
2. Next, it creates a security report
including analyses that flag anomalous
network activities and security
incidents.
Administrators use SIEM analysis to quickly
address threats using various means, like isolating
network environments, blocking malicious
payloads, and restricting user access.
Network Security Technologies and Solutions(8)
Zero Trust Network Access (ZTNA)
Zero trust security is a model that requires
suspecting all entities, including internal users,
within the networks.
Zero trust network access (ZTNA), or software-
defined perimeter (SDP), solutions enable
organizations to specify and enforce granular access
to applications and grant access according to the
least privileges principle.
This principle allows users to have only the access and permissions required to fulfill their role.
Network Security Technologies and Solutions(9)
Endpoint detection and response(EDR)
• Endpoint security is software that uses real-time analytics and AI-driven automation to protect against threats originating at end-user endpoints, such as laptops, smartphones, and tablets, connected to the network.
• The goal is to keep data, devices, and networks safe by applying various mechanisms like antivirus software,
encryption, and DLP.
Cloud Network Security Solutions
• Cloud network security solutions are important for protecting applications, data, and resources in the cloud. They
also secure traffic between an organization’s cloud deployments and its on-premises data center and intranet.
• Common types of cloud network security technologies include virtual private clouds (VPCs), which create a private,
secure network within a cloud provider’s data center, security groups, and cloud access security brokers (CASB).
Email security
• Email gateways are the primary way security breaches happen. Attackers use personal details and clever tricks to
create advanced phishing campaigns, which fool people into visiting harmful sites. An email security application
stops these incoming attacks and monitors outgoing messages to protect sensitive data from getting out.
Network Security Technologies and Solutions(10)
Extended detection and response (XDR)
• XDR integrates data from multiple sources,
including endpoints, networks, cloud
environments, identity and access management,
and applications across an organization's
technology stack to enable faster and more
efficient threat investigation, hunting, and
response.
• Key benefits of XDR include:
• Automated threat detection capabilities
• Streamlined security operations
• Reduced response times
• Improved security posture
Network Security Technologies and Solutions(11)
Identity and access management (IAM)
• IAM is a framework of policies, processes, and technologies that enables organizations to manage digital identities and control user access to critical corporate information.
• The core responsibilities of an IAM system are to:
• Verify and authenticate individuals based on their
roles and contextual information such as geography,
time of day, or (trusted) networks
• Capture and record user login events
• Manage and grant visibility of the business’s user
identity database
• Manage the assignment and removal of users’
access privileges
• Enable system administrators to manage and
restrict user access while monitoring changes in
user privileges
Network Security Best Practices
Audit the Network and Security Controls
Auditing the network is essential to obtaining the information needed to assess the organization’s security posture accurately:
• Identifying potential vulnerabilities that require remediation.
• Locating unused and unnecessary applications that run in the background.
• Determining the firewall’s strength to correct its settings accurately.
• Measuring the state of networked servers, software, applications, and gear.
• Confirming the efficacy of the overall security infrastructure.
• Assessing the status of current server backups.
Create a Backup and Recovery Plan
• Enterprises operate in a threat environment where the question is when they will be breached rather than if.
The goal of a backup and recovery strategy is to minimize downtime and limit the overall costs of breaches
and other incidents.
Network Security Best Practices
Use Network Address Translation
• Network address translation (NAT) helps compensate for the address deficiency of IPv4 networking.
• It translates private addresses within the organization into routable addresses on a public network like the
Internet.
• Organizations use NAT to connect multiple computers to the public Internet using one IP address.
• NAT works alongside firewalls, providing additional protection for internal networks.
Use Centralized Logging and Immediate Log Analysis
• Organizations must record suspicious logins and various computer events to look for anomalies.
• The goal is to reconstruct what has happened during an existing or past attack to identify the necessary
steps to improve the organization’s threat detection process and facilitate a quicker response during future
events.
• For example, defenders can let an attacker target a sacrificial computer while they monitor its activity to learn how the attacker operates against their systems.
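An added example, not from the original slides, serving both the Log Management slide earlier and the centralized-logging practice above: authentication log lines aggregated from several hosts are parsed and correlated per source address, which is what a central repository makes possible and a single host's log cannot show. Two conditions are flagged, a burst of failed logins from one source, and a successful login from a source that was failing moments before. The log lines, hostnames and addresses are constructed sample data; the line format, thresholds and function names are this example's own.

```python
"""Added example (not from the original slides): parse constructed auth log
lines aggregated from several hosts, then flag (a) sources with many failed
logins in a short window and (b) a success from a source that was just failing."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, as they might arrive at a central log repository
# from two hosts (web01, db01). Format is this example's own, not a real syslog format.
SAMPLE_LOGS = """\
2025-07-28T09:00:01 web01 sshd: Failed password for admin from 203.0.113.9
2025-07-28T09:00:03 web01 sshd: Failed password for admin from 203.0.113.9
2025-07-28T09:00:05 db01 sshd: Failed password for root from 203.0.113.9
2025-07-28T09:00:08 web01 sshd: Failed password for admin from 203.0.113.9
2025-07-28T09:00:10 web01 sshd: Failed password for backup from 203.0.113.9
2025-07-28T09:00:15 db01 sshd: Accepted password for root from 203.0.113.9
2025-07-28T09:05:00 web01 sshd: Failed password for alice from 198.51.100.4
2025-07-28T09:30:00 web01 sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

def parse(lines):
    """Yield one dict per line matching the expected format; unparseable lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event

def analyze(lines, threshold=5, window_seconds=60):
    """Return a list of alert strings. Events are correlated per source IP across
    all hosts, so an attacker spreading attempts over several servers is still seen."""
    failures = defaultdict(list)   # src -> timestamps of failures inside the window
    flagged = set()                # sources already reported for brute force
    alerts = []
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        src, ts = ev["src"], ev["ts"]
        # keep only failures that are still inside the sliding window
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"brute force: {src} had {len(recent)} failures within {window_seconds}s")
        elif recent:
            alerts.append(
                f"possible compromise: {ev['user']}@{ev['host']} accepted from {src} "
                f"after {len(recent)} recent failures"
            )
        failures[src] = recent
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

The second rule is the more valuable one for the "reconstruct what happened" goal: a burst of failures alone is noise on any Internet-facing host, but a success from the same source immediately afterwards is the event an analyst needs to find first, and it is only visible when the failures on web01 and the success on db01 are read together.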
Information Security
• Information security is an umbrella term that covers an organization's efforts to protect information: protecting sensitive information from unauthorized activities, including inspection, modification, recording, and any disruption or destruction.
• The goal is to ensure the safety and privacy of critical data such as customer account details, financial data
or intellectual property.
Principles of InfoSec
• The CIA triad: Confidentiality, Integrity and Availability of information
• Information assurance: The ongoing process of achieving confidentiality, integrity and availability of data
within an information system is known as “information assurance.”
• Nonrepudiation: a user cannot deny (that is, repudiate) having made a transaction—such as altering data or
sending a message—because the user needed to pass authentication to perform the transaction in the first
place.
Information Security Threats
• Unsecure or Poorly Secured Systems
• Social Media Attacks
• Social Engineering
• Malware on Endpoints
• Lack of Encryption
• Security Misconfiguration
• Active Attacks: intercepting a communication or message and altering it for malicious effect.
• Passive Attacks: an attacker monitors a system and illicitly copies information without altering it.
Information Security Programs
• Risk assessment: It audits every aspect of a company’s information system. The assessment helps information security professionals understand the exact risks that they face and identifies ways to overcome them.
• Identifying vulnerabilities: any weakness in the information technology (IT) infrastructure that adversaries might exploit to gain unauthorized access to data. Ex: bugs, malware or malicious code.
• Identifying threats: identify the threats that exploit a digital vulnerability, with respect to the key principles.
• Incident response planning: strategies like
• Assemble the security team, virtually or in person.
• Verify the source of the threat.
• Act to contain the threat and halt it as soon as possible.
• Determine what, if any, damage has occurred.
• Notify interested parties within the organization, stakeholders and strategic partners.
InfoSec tools and techniques
• Cryptography
• Data loss prevention (DLP)
• Endpoint detection and response (EDR)
• Firewalls
• Intrusion detection (IDS) and intrusion prevention (IPS) systems
• Security information and event management (SIEM)
• Security operations centers (SOC)
• Information security management systems (ISMS)
• Strong authentication measures
• Threat intelligence
Information security management systems (ISMS):
• An ISMS includes a set of policies and procedures for systematically managing an organization's sensitive data. It addresses employee behavior and processes as well as data and technology.
• The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.
• ISO/IEC 27001 is a widely used ISMS standard.
Security operations centers (SOC):
• This is a command center for monitoring the information systems that an enterprise uses for its IT infrastructure.
• This may include everything from preparation, planning and prevention of the business’s websites, databases, servers, applications, networks, desktops, data centers, and a variety of endpoints.
InfoSec tools and techniques
Cryptography
• It is the practice and study of techniques for secure communication in the presence of adversarial behavior.
Threat intelligence
• Threat intelligence provides detailed information about threats, including the threat actors behind them, the tactics, techniques, and procedures (TTP) involved, and known methods to prevent, protect against, and remediate the threats.
User and entity behavior analytics (UEBA)
• UEBA is a type of security software that uses behavioral analytics, machine learning algorithms and automation to identify abnormal and potentially dangerous user and device behavior.
• UEBA is effective at identifying insider threats (malicious insiders or hackers who use compromised insider credentials) and is used within a SOC.
• UEBA functionality is often included in SIEM, EDR, XDR, IAM.
Strong authentication measures
Application Security
Application security aims to protect software
application code and data against cyber threats.
Several ways to promote application security
throughout the software development lifecycle (SDLC):
• Introduce security standards and tools during
design and application development phases.
For example, include vulnerability scanning
during early development.
• Implement security procedures and systems to
protect applications in production
environments. For example, perform
continuous security testing.
• Implement strong authentication for
applications that contain sensitive data or are
mission critical.
• Use security systems such as firewalls, web
application firewalls (WAF), and intrusion
prevention systems (IPS).
Summary
• Brief introduction of cybersecurity
• Discussion on cyber threats with few case studies
• Threat mitigation
• Discussion on popular cybersecurity solutions and tools
Next Step
✓Take the quiz?
✓Q & A?
Mail at: msusmita@idrbt.ac.in
THANK YOU