Cybersecurity Basics: Protecting Data

The document provides a comprehensive overview of cybersecurity, emphasizing the importance of protecting personal and organizational data from cyber threats. It discusses various types of personal data, the implications of identity theft, and the consequences of data breaches, along with the different types of cyber attackers and malware. Additionally, it introduces the McCumber Cube framework for evaluating information security initiatives and highlights the significance of cybersecurity in both personal and organizational contexts.

Uploaded by alwk2787

MODULE 1: Introduction to Cyber Security

1.1.1 What Is Cybersecurity?


Cybersecurity is the ongoing effort to protect individuals, organizations and governments from digital
attacks by protecting networked systems and data from unauthorized use or harm.

I. Personal
On a personal level, you need to safeguard your identity, your data, and your computing devices.
II. Organizational
At an organizational level, it is everyone’s responsibility to protect the organization’s reputation,
data and customers.

1.1.2 Protecting Your Personal Data


Personal data is any information that can be used to identify you, and it can exist both offline and online.

Offline identity
 Your offline identity is the real-life persona that you present on a daily basis at home, at school
or at work. As a result, family and friends know details about your personal life, including your
full name, age and address.
 It’s important not to overlook the importance of securing your offline identity. Identity thieves
can easily steal your data from right under your nose when you’re not looking!
Online identity
 Your online identity is not just a name. It’s who you are and how you present yourself to
others online. It includes the username or alias you use for your online accounts, as well
as the social identity you establish and portray on online communities and websites.
 You should take care to limit the amount of personal information you reveal through
your online identity.
1.1.4 Your Data
 Personal data describes any information about you, including your name, social security
number, driver license number, date and place of birth, your mother’s maiden name,
and even pictures or messages that you exchange with family and friends.
 Cybercriminals can use this sensitive information to identify and impersonate you,
infringing on your privacy and potentially causing serious damage to your reputation.
1. Medical records
 Every time you visit the doctor, personal information regarding your physical and mental
health and wellbeing is added to your electronic health records (EHRs). Since the
majority of these records are saved online, you need to be aware of the medical
information that you share.
 And these records go beyond the bounds of the doctor’s office. For example, many
fitness trackers collect large amounts of clinical data such as your heart rate, blood
pressure and blood sugar levels, which is transferred, stored and displayed via the cloud.
Therefore, you should consider this data to be part of your medical records.
2. Education records
Educational records contain information about your academic qualifications and achievements.
However, these records may also include your contact information, attendance records,
disciplinary reports, health and immunization records as well as any special education records
including individualized education programs (IEPs).
3. Employment and financial records
Employment data can be valuable to hackers if they can gather information on your past
employment, or even your current performance reviews.

Your financial records may include information about your income and expenditure. Your tax
records may include paychecks, credit card statements, your credit rating and your bank
account details. All of this data, if not safeguarded properly, can compromise your privacy and
enable cybercriminals to use your information for their own gain.
 Cybercriminals are certainly very imaginative when it comes to gaining access to your money. But
that’s not all they are after — they could also steal your identity and ruin your life.

1.1.9 Identity Theft

Not content with stealing your money for short-term financial gain, cybercriminals are invested in the
long-term gain of identity theft.

Two examples of how they might do this:
Medical theft
Rising medical costs have led to an increase in medical identity theft, with cybercriminals stealing
medical insurance to use the benefits for themselves. Where this happens, any medical procedures
carried out in your name will then be saved in your medical records.
Banking
Stealing private data can help cybercriminals access bank accounts, credit cards, social profiles and other
online accounts. Armed with this information, an identity thief could file a fake tax return and collect the
refund. They could even take out loans in your name and ruin your credit rating (and your life as well).
1.2 Organizational Data
1.2.1 The Cube
The McCumber Cube is a model framework created by John McCumber in 1991 to help organizations
establish and evaluate information security initiatives by considering all of the related factors that impact
them. This security model has three dimensions:
1. The foundational principles for protecting information systems.
 Confidentiality is a set of rules that prevents sensitive information from being disclosed to
unauthorized people, resources and processes. Methods to ensure confidentiality
include data encryption, identity proofing and two factor authentication.
 Integrity ensures that system information or processes are protected from intentional or
accidental modification. One way to ensure integrity is to use a hash function or checksum.
 Availability means that authorized users are able to access systems and data when and
where needed and those that do not meet established conditions, are not. This can be
achieved by maintaining equipment, performing hardware repairs, keeping operating
systems and software up to date, and creating backups.
2. The protection of information in each of its possible states.
 Processing refers to data that is being used to perform an operation such as updating a
database record (data in process).
 Storage refers to data stored in memory or on a permanent storage device such as a hard
drive, solid-state drive or USB drive (data at rest).
 Transmission refers to data traveling between information systems (data in transit).
3. The security measures used to protect data.
 Awareness, training and education are the measures put in place by an organization to
ensure that users are knowledgeable about potential security threats and the actions they
can take to protect information systems.
 Technology refers to the software- and hardware-based solutions designed to protect
information systems such as firewalls, which continuously monitor your network in search of
possible malicious incidents.
 Policy and procedure refers to the administrative controls that provide a foundation for how
an organization implements information assurance, such as incident response plans and best
practice guidelines.
1.2.5 Data Security Breaches
The implications of a data security breach are severe, but they are becoming all too common.
1.2.6 Consequences of a Security Breach
1. Reputational damage
A security breach can have a negative long-term impact on an organization’s reputation that has taken
years to build. Customers, particularly those who have been adversely affected by the breach, will need
to be notified and may seek compensation and/or turn to a reliable and secure competitor. Employees
may also choose to leave in light of a scandal.
Depending on the severity of a breach, it can take a long time to repair an organization’s reputation.
2. Vandalism
A hacker or hacking group may vandalize an organization’s website by posting untrue information. They
might even just make a few minor edits to your organization’s phone number or address, which can be
trickier to detect.
In either case, online vandalism can portray unprofessionalism and have a negative impact on your
organization’s reputation and credibility.
3. Theft
A data breach often involves an incident where sensitive personal data has been stolen. Cybercriminals
can make this information public or exploit it to steal an individual’s money and/or identity.
4. Loss of revenue
The financial impact of a security breach can be devastating. For example, hackers can take down an
organization’s website, preventing it from doing business online. A loss of customer information may
impede company growth and expansion. It may demand further investment in an organization’s security
infrastructure. And let’s not forget that organizations may face large fines or penalties if they do not
protect online data.
5. Damaged intellectual property
A security breach could also have a devastating impact on the competitiveness of an organization,
particularly if hackers are able to get their hands on confidential documents, trade secrets and
intellectual property.
Search for a few additional examples of recent security breaches. In each case, can you identify:
 what was taken?
 what exploits the attackers used?
 what actions could be taken to prevent the breach from occurring again in the future?
1.3 Cyber Attackers
Attackers are individuals or groups who attempt to exploit vulnerabilities for personal or financial gain. As
we’ve already seen, they are interested in everything, from credit cards to product designs!
1.4.1 Types of Attackers
Let’s look at some of the main types of cyber attackers who’ll try anything to get their hands on our
information. They are often categorized as white hat, gray hat or black hat attackers.
1. Amateurs
The term 'script kiddies' emerged in the 1990s and refers to amateur or inexperienced hackers who use
existing tools or instructions found on the Internet to launch attacks. Some script kiddies are just curious,
others are trying to demonstrate their skills and cause harm. While script kiddies may use basic tools,
their attacks can still have devastating consequences.
2. Hackers
This group of attackers breaks into computer systems or networks to gain access. Depending on the intent
of their break-in, they can be classified as white, gray or black hat hackers.
 White hat attackers break into networks or computer systems to identify any weaknesses so
that the security of a system or network can be improved. These break-ins are done with prior
permission and any results are reported back to the owner.
 Gray hat attackers may set out to find vulnerabilities in a system but they will only report their
findings to the owners of a system if doing so coincides with their agenda. Or they might even
publish details about the vulnerability on the internet so that other attackers can exploit it.
 Black hat attackers take advantage of any vulnerability for illegal personal, financial or political
gain.
3. Organized hackers
 These attackers include organizations of cyber criminals, hacktivists, terrorists and state-sponsored
hackers. They are usually highly sophisticated and organized, and may even provide cybercrime as a
service to other criminals.
 Hacktivists make political statements to create awareness about issues that are important to them.
 State-sponsored attackers gather intelligence or commit sabotage on behalf of their government.
They are usually highly trained and well-funded and their attacks are focused on specific goals that
are beneficial to their government.
1.4.3 Internal and External Threats
Cyber attacks can originate from within an organization as well as from outside of it.
Internal
Employees, contract staff or trusted partners can accidentally or intentionally:
 mishandle confidential data
 facilitate outside attacks by connecting infected USB media into the organization’s computer
system
 invite malware onto the organization’s network by clicking on malicious emails or websites
 threaten the operations of internal servers or network infrastructure devices.
External
Amateurs or skilled attackers outside of the organization can:
 exploit vulnerabilities in the network
 gain unauthorized access to computing devices
 use social engineering to gain unauthorized access to organizational data.
1.5 Cyberwarfare
Cyberwarfare, as its name suggests, is the use of technology to penetrate and attack another nation’s
computer systems and networks in an effort to cause damage or disrupt services, such as shutting down
a power grid.
1.5.1 Sign of the Times (Stuxnet)
One example of a state-sponsored attack involved the Stuxnet malware that was designed not just to
hijack targeted computers but to actually cause physical damage to equipment controlled by computers!
1.5.2 The Purpose of Cyberwarfare
The main reason for resorting to cyberwarfare is to gain advantage over adversaries, whether they are
nations or competitors.
1. To gather compromised information and/or defense secrets
A nation or international organization can engage in cyberwarfare in order to steal defense secrets and
gather information about technology that will help narrow the gaps in its industries and military
capabilities.
Furthermore, compromised sensitive data can give attackers leverage to blackmail personnel within a
foreign government.
2. To impact another nation’s infrastructure
Besides industrial and military espionage, a nation can continuously invade another nation’s
infrastructure in order to cause disruption and chaos.

For example, a cyber attack could shut down the power grid of a major city. Consider the consequences
if this were to happen; roads would be congested, the exchange of goods and services would be halted,
patients would not be able to get the care they would need if an emergency occurred, access to the
internet would be interrupted. By shutting down a power grid, a cyber attack could have a huge impact
on the everyday life of ordinary citizens.

 Cyberwarfare can destabilize a nation, disrupt its commerce, and cause its citizens to lose faith and
confidence in their government without the attacker ever physically setting foot in the targeted
country.

MODULE 2: Attacks, Concepts & Techniques


2.1 Analyzing a Cyber Attack
2.1.1 Types of Malware
Cybercriminals use many different types of malicious software, or malware, to carry out their activities.
Malware is any code that can be used to steal data, bypass access controls, or cause harm to or
compromise a system. Knowing what the different types are and how they spread is key to containing
and removing them.
1. Spyware
Designed to track and spy on you, spyware monitors your online activity and can log every key you press
on your keyboard, as well as capture almost any of your data, including sensitive personal information
such as your online banking details. Spyware does this by modifying the security settings on your
devices.
It often bundles itself with legitimate software or Trojan horses.
2. Adware
Adware is often installed with some versions of software and is designed to automatically deliver
advertisements to a user, most often on a web browser. You know it when you see it! It’s hard to ignore
when you’re faced with constant pop-up ads on your screen.
It is common for adware to come with spyware.
3. Backdoor
This type of malware is used to gain unauthorized access by bypassing the normal authentication
procedures to access a system. As a result, hackers can gain remote access to resources within an
application and issue remote system commands.
A backdoor works in the background and is difficult to detect.
4. Ransomware
This malware is designed to hold a computer system or the data it contains captive until a payment is
made. Ransomware usually works by encrypting your data so that you can’t access it.
Some versions of ransomware can take advantage of specific system vulnerabilities to lock it down.
Ransomware is often spread through phishing emails that encourage you to download a malicious
attachment or through a software vulnerability.
5. Scareware
This is a type of malware that uses ‘scare’ tactics to trick you into taking a specific action. Scareware
mainly consists of operating system style windows that pop up to warn you that your system is at risk
and needs to run a specific program for it to return to normal operation.
If you agree to execute the specific program, your system will become infected with malware.
6. Rootkit
This malware is designed to modify the operating system to create a backdoor, which attackers can then
use to access your computer remotely. Most rootkits take advantage of software vulnerabilities to gain
access to resources that normally shouldn’t be accessible (privilege escalation) and modify system files.
Rootkits can also modify system forensics and monitoring tools, making them very hard to detect. In
most cases, a computer infected by a rootkit has to be wiped and any required software reinstalled.
7. Virus
A virus is a type of computer program that, when executed, replicates and attaches itself to other
executable files, such as a document, by inserting its own code. Most viruses require end-user
interaction to initiate activation and can be written to act on a specific date or time.
Viruses can be relatively harmless, such as those that display a funny image. Or they can be destructive,
such as those that modify or delete data.
Viruses can also be programmed to mutate in order to avoid detection. Most viruses are spread by USB
drives, optical disks, network shares or email.
8. Trojan horse
This malware carries out malicious operations by masking its true intent. It might appear legitimate but
is, in fact, very dangerous. Trojans exploit your user privileges and are most often found in image files,
audio files or games.
Unlike viruses, Trojans do not self-replicate but act as a decoy to sneak malicious software past
unsuspecting users.
9. Worms
This is a type of malware that replicates itself in order to spread from one computer to another. Unlike a
virus, which requires a host program to run, worms can run by themselves. Other than the initial
infection of the host, they do not require user participation and can spread very quickly over the
network.
Worms share similar patterns: They exploit system vulnerabilities, they have a way to propagate
themselves, and they all contain malicious code (payload) to cause damage to computer systems or
networks.
Worms are responsible for some of the most devastating attacks on the Internet. In 2001, the Code Red
worm had infected over 300,000 servers in just 19 hours.
2.1.2 Symptoms of Malware
Regardless of the type of malware a system has been infected with, there are some common symptoms
to look out for. These include:
 an increase in central processing unit (CPU) usage, which slows down your device
 your computer freezing or crashing often
 a decrease in your web browsing speed
 unexplainable problems with your network connections
 modified or deleted files
 the presence of unknown files, programs or desktop icons
 unknown processes running
 programs turning off or reconfiguring themselves
 emails being sent without your knowledge or consent.

2.2 Methods of Infiltration


a. Social Engineering
b. Denial-of-Service
c. Distributed DoS
d. Botnet
e. On-Path Attacks
f. SEO Poisoning
g. Wi-fi Password Cracking
h. Password Attacks
i. Cracking Times
1. Social Engineering
Social engineering is the manipulation of people into performing actions or divulging confidential
information. Social engineers often rely on people’s willingness to be helpful, but they also prey on their
weaknesses. For example, an attacker will call an authorized employee with an urgent problem that
requires immediate network access and appeal to the employee’s vanity or greed or invoke authority by
using name-dropping techniques in order to gain this access.
Some common types of social engineering attacks:
a. Pretexting
This is when an attacker calls an individual and lies to them in an attempt to gain access to privileged
data.
For example, pretending to need a person’s personal or financial data in order to confirm their identity.
b. Tailgating
This is when an attacker quickly follows an authorized person into a secure, physical location.
c. Something for something (quid pro quo)
This is when an attacker requests personal information from a person in exchange for something, like a
free gift.
2. Denial-of-Service
Denial-of-Service (DoS) attacks are a type of network attack that is relatively simple to carry out, even by
an unskilled attacker. A DoS attack results in some sort of interruption of network service to users,
devices or applications.
The two main types of DoS attacks:
A. Overwhelming quantity of traffic
This is when a network, host or application is sent an enormous amount of data at a rate which it cannot
handle. This causes a slowdown in transmission or response, or the device or service to crash.
B. Maliciously formatted packets
A packet is a collection of data that flows between a source and a receiver computer or application over
a network, such as the Internet. When a maliciously formatted packet is sent, the receiver will be unable
to handle it.

For example, if an attacker forwards packets containing errors or improperly formatted packets that
cannot be identified by an application, this will cause the receiving device to run very slowly or crash.

DoS attacks are considered a major risk because they can easily interrupt communication and cause
significant loss of time and money.
3. Distributed DoS
A Distributed DoS (DDoS) attack is similar to a DoS attack but originates from multiple, coordinated
sources. For example:
 An attacker builds a network (botnet) of infected hosts called zombies, which are controlled by
handler systems.
 The zombie computers will constantly scan and infect more hosts, creating more and more
zombies.
 When ready, the hacker will instruct the handler systems to make the botnet of zombies carry
out a DDoS attack.

4. Botnet
A bot computer is typically infected by visiting an unsafe website or opening an infected email
attachment or infected media file. A botnet is a group of bots, connected through the Internet, that can
be controlled by a malicious individual or group. It can have tens of thousands, or even hundreds of
thousands, of bots that are typically controlled through a command-and-control server.
These bots can be activated to distribute malware, launch DDoS attacks, distribute spam email, or
execute brute-force password attacks. Cybercriminals will often rent out botnets to third parties for
nefarious purposes.
Many organizations, like Cisco, force network activities through botnet traffic filters to identify any
botnet locations.

1. Infected bots try to communicate with a command-and-control host on the Internet.
2. The Cisco Firewall botnet filter is a feature that detects traffic coming from devices infected with
the malicious botnet code.
3. The cloud-based Cisco Security Intelligence Operations (SIO) service pushes down updated filters
to the firewall that match traffic from new known botnets.
4. Alerts go out to Cisco’s internal security team to notify them about the infected devices that are
generating malicious traffic so that they can prevent, mitigate and remedy these.
5. On-Path Attacks
On-path attackers intercept or modify communications between two devices, such as a web browser and
a web server, either to collect information from or to impersonate one of the devices.
This type of attack is also referred to as a man-in-the-middle or man-in-the-mobile attack.
A. man-in-the-middle

A MitM attack happens when a cybercriminal takes control of a device without the user’s knowledge.
With this level of access, an attacker can intercept and capture user information before it is sent to its
intended destination. These types of attacks are often used to steal financial information.

There are many types of malware that possess MitM attack capabilities.
B. man-in-the-mobile
A variation of man-in-the-middle, MitMo is a type of attack used to take control over a user’s mobile device.
When infected, the mobile device is instructed to exfiltrate user-sensitive information and send it to the
attackers. ZeuS is one example of a malware package with MitMo capabilities. It allows attackers to
quietly capture two-step verification SMS messages that are sent to users.
6. SEO Poisoning
You’ve probably heard of search engine optimization or SEO which, in simple terms, is about improving
an organization’s website so that it gains greater visibility in search engine results.
So what do you think SEO poisoning might be?
Search engines such as Google work by presenting a list of web pages to users based on their search
query. These web pages are ranked according to the relevancy of their content.

While many legitimate companies specialize in optimizing websites to better position them, attackers
take advantage of popular search terms and use SEO to push malicious sites higher up the ranks of
search results. This technique is called SEO poisoning.

The most common goal of SEO poisoning is to increase traffic to malicious sites that may host malware
or attempt social engineering.
7. Wi-Fi Password Cracking
Hackers have other techniques up their sleeves. Some use brute-force attacks, testing possible password
combinations to try and guess a password. Others are able to identify unencrypted passwords by
listening in and capturing packets sent on the network. This is called network sniffing. If the password is
encrypted, they may still be able to reveal it using a password cracking tool.
8. Password Attacks
Entering a username and password is one of the most popular forms of authenticating to a web site.
Therefore, uncovering your password is an easy way for cybercriminals to gain access to your most
valuable information.
Some of the common password security attacks:
A. Password spraying
This technique attempts to gain access to a system by ‘spraying’ a few commonly used passwords across
a large number of accounts. For example, a cybercriminal uses ‘Password123’ with many usernames
before trying again with a second commonly-used password, such as ‘qwerty’.
This technique allows the perpetrator to remain undetected as they avoid frequent account lockouts.
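Because each account sees only one or two failures, per-account lockout counters never fire; a spray is visible only when failures are grouped by source and counted across accounts. The following Python example, added here and not part of the course material, runs that check over a constructed authentication log and tells a spray apart from a brute-force attack on a single account (the log format, the thresholds and the addresses are all assumptions):

```python
"""Tell password spraying apart from single-account brute force in auth logs.

Added example, not from the course notes. The log format
"<ISO timestamp> <source IP> <username> <FAIL|OK>", the thresholds and the
addresses are all constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries a single guess against ten accounts,
# one hammers a single account, and one is a user who mistyped twice.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:02 203.0.113.7 bob FAIL
2024-03-01T09:00:03 203.0.113.7 carol FAIL
2024-03-01T09:00:04 203.0.113.7 dave FAIL
2024-03-01T09:00:05 203.0.113.7 erin FAIL
2024-03-01T09:00:06 203.0.113.7 frank FAIL
2024-03-01T09:00:07 203.0.113.7 grace FAIL
2024-03-01T09:00:08 203.0.113.7 heidi FAIL
2024-03-01T09:00:09 203.0.113.7 ivan FAIL
2024-03-01T09:00:10 203.0.113.7 judy FAIL
2024-03-01T09:05:00 198.51.100.9 carol FAIL
2024-03-01T09:05:01 198.51.100.9 carol FAIL
2024-03-01T09:05:02 198.51.100.9 carol FAIL
2024-03-01T09:05:03 198.51.100.9 carol FAIL
2024-03-01T09:05:04 198.51.100.9 carol FAIL
2024-03-01T09:05:05 198.51.100.9 carol FAIL
2024-03-01T09:05:06 198.51.100.9 carol FAIL
2024-03-01T09:05:07 198.51.100.9 carol FAIL
2024-03-01T09:10:00 192.0.2.5 alice FAIL
2024-03-01T09:10:05 192.0.2.5 alice FAIL
2024-03-01T09:10:09 192.0.2.5 alice OK
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_failures=8,
                     lockout_threshold=5, min_spray_users=5):
    """Map source IP -> 'brute_force' or 'password_spray' for suspicious sources.

    Per-account lockout (lockout_threshold failures) catches brute force but
    not spraying, which stays below it on every account; spraying shows up
    only when failures from one source are counted across many accounts.
    """
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))

    verdicts = {}
    for ip, fails in failures.items():
        fails.sort()
        end = 0
        for start in range(len(fails)):
            # Slide the window end forward; fails is sorted so it never moves back.
            while end < len(fails) and fails[end][0] - fails[start][0] <= window:
                end += 1
            burst = fails[start:end]
            if len(burst) < min_failures:
                continue
            per_user = Counter(user for _, user in burst)
            if max(per_user.values()) >= lockout_threshold:
                verdicts[ip] = "brute_force"      # one account hammered
            elif len(per_user) >= min_spray_users:
                verdicts[ip] = "password_spray"   # many accounts, few tries each
            else:
                continue
            break
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:14s} {verdict}")
```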
B. Dictionary Attacks
A hacker systematically tries every word in a dictionary or a list of commonly used words as a password
in an attempt to break into a password-protected account
C. Brute-force attacks
The simplest and most commonly used way of gaining access to a password-protected site, brute-force
attacks see an attacker using all possible combinations of letters, numbers and symbols in the password
space until they get it right.

A program such as Ophcrack, L0phtCrack, THC Hydra, RainbowCrack or Medusa will then try each word
and common combinations until it finds a match.
Because brute-force attacks take time, complex passwords take much longer to guess.
D. Rainbow attacks
Passwords in a computer system are not stored as plain text, but as hashed values (numerical values that
uniquely identify data). A rainbow table is a large dictionary of precomputed hashes and the passwords
from which they were calculated.

Unlike a brute-force attack that has to calculate each hash, a rainbow attack compares the hash of a
password with those stored in the rainbow table. When an attacker finds a match, they identify the
password used to create the hash.
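The defence against a precomputed table is to make each stored hash depend on a per-user random salt, so a table built from a plain wordlist no longer matches anything in the password database. The Python example below, added here and not from the course notes, builds a tiny stand-in for a rainbow table from a constructed wordlist, shows it recovering an unsalted SHA-256 hash, and shows the same password stored with PBKDF2 and a random salt escaping the lookup (the wordlist and the iteration count are assumptions):

```python
"""Why salting defeats precomputed (rainbow) tables.

Added example, not from the course notes. The wordlist is a constructed
stand-in for the large dictionaries a real table is built from, and the
PBKDF2 iteration count is an assumption, kept low so the demo runs fast.
"""
import hashlib
import hmac
import os

# Constructed wordlist standing in for a table built from millions of entries.
COMMON_PASSWORDS = ["Password123", "qwerty", "letmein", "123456", "welcome1"]


def unsalted_sha256(password):
    """How NOT to store a password: the same input always hashes the same."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(wordlist):
    """hash -> password, computed once and reused against any leaked hash.

    A real rainbow table stores chains rather than every pair, but the
    property it relies on is the same: no per-user input, so one table
    serves every system that hashes the same way.
    """
    return {unsalted_sha256(pw): pw for pw in wordlist}


def lookup(table, hex_digest):
    """Recover the password behind a leaked hash, if the table has it."""
    return table.get(hex_digest)


def hash_password(password, salt=None, iterations=50_000):
    """Salted, slow hash: a fresh random salt per user; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(candidate, salt, stored_digest, iterations=50_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


def main():
    table = build_precomputed_table(COMMON_PASSWORDS)
    leaked = unsalted_sha256("qwerty")
    print("unsalted leak recovers:", lookup(table, leaked))            # qwerty
    salt_a, digest_a = hash_password("qwerty")
    salt_b, digest_b = hash_password("qwerty")
    print("same password, same stored value?", digest_a == digest_b)  # False
    print("table lookup on salted hash:", lookup(table, digest_a.hex()))  # None
    print("login with right password:", verify_password("qwerty", salt_a, digest_a))


if __name__ == "__main__":
    main()
```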
E. Traffic Interception
Plain text or unencrypted passwords can be easily read by other humans and machines by intercepting
communications.
If you store a password in clear, readable text, anyone who has access to your account or device,
whether authorized or unauthorized, can read it.
2.3 Security Vulnerability and Exploits
Security vulnerabilities are any kind of software or hardware defect.
A program written to take advantage of a known vulnerability is referred to as an exploit.
A cybercriminal can use an exploit against a vulnerability to carry out an attack, the goal of which is to
gain access to a system, the data it hosts or a specific resource.
1. Hardware Vulnerabilities
Hardware vulnerabilities are most often the result of hardware design flaws. For example, the type of
memory called RAM basically consists of lots of capacitors (a component which can hold an electrical
charge) installed very close to one another. However, it was soon discovered that, due to their close
proximity, changes applied to one of these capacitors could influence neighbor capacitors. Based on this
design flaw, an exploit called Rowhammer was created. By repeatedly accessing (hammering) a row of
memory, the Rowhammer exploit triggers electrical interferences that eventually corrupt the data stored
inside the RAM.

Meltdown and Spectre


Google security researchers discovered Meltdown and Spectre, two hardware vulnerabilities that affect
almost all central processing units (CPUs) released since 1995 within desktops, laptops, servers,
smartphones, smart devices and cloud services.

Attackers exploiting these vulnerabilities can read all memory from a given system (Meltdown), as well as
data handled by other applications (Spectre). The Meltdown and Spectre vulnerability exploitations are
referred to as side-channel attacks (information is gained from the implementation of a computer
system). They have the ability to compromise large amounts of memory data because the attacks can be
run multiple times on a system with very little possibility of a crash or other error.
Hardware vulnerabilities are specific to device models and are not generally exploited through random
compromising attempts. While hardware exploits are more common in highly targeted attacks,
traditional malware protection and good physical security are sufficient protection for the everyday user.
2. Software Vulnerabilities
Software vulnerabilities are usually introduced by errors in the operating system or application code.
One example is the SYNful Knock vulnerability, discovered in Cisco Internetwork Operating System (IOS) in
2015.

The SYNful Knock vulnerability allowed attackers to gain control of enterprise-grade routers, such as the
legacy Cisco ISR routers, from which they could monitor all network communication and infect other
network devices.
This vulnerability was introduced into the system when an altered IOS version was installed on the
routers. To avoid this, you should always verify the integrity of the downloaded IOS image and limit the
physical access of such equipment to authorized personnel only.
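Verifying an image's integrity, as the notes advise here and under the integrity principle of the McCumber Cube, means recomputing its hash and comparing the result with a digest published through a trusted channel. The Python example below is added here (it is not Cisco's tooling) and uses constructed image bytes and a constructed checksum listing in the usual `sha256sum` layout; it shows a genuine copy verifying and a copy with a single flipped byte being rejected:

```python
"""Verify a downloaded software image against a published digest.

Added example, not from the course notes or from Cisco. The image bytes
and the checksum listing below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed stand-in for a downloaded image file.
GENUINE_IMAGE = b"IMAGE-HEADER\x00\x01" + bytes(range(256)) * 4

# Constructed checksum listing in the layout produced by `sha256sum`:
# "<hex digest>  <file name>", one file per line. In practice this comes
# from the vendor's download page or signed release notes, obtained
# separately from the image itself; a digest shipped next to a tampered
# image proves nothing.
PUBLISHED_CHECKSUMS = (
    hashlib.sha256(GENUINE_IMAGE).hexdigest() + "  router-image.bin\n"
    + "0" * 64 + "  other-image.bin\n"
)


def parse_checksum_listing(text):
    """Map file name -> expected hex digest from sha256sum-style lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def sha256_hex(data, chunk_size=1 << 20):
    """Hash in chunks, as you would a multi-hundred-megabyte image on disk."""
    h = hashlib.sha256()
    view = memoryview(data)
    for start in range(0, len(view), chunk_size):
        h.update(view[start:start + chunk_size])
    return h.hexdigest()


def verify_image(data, name, checksums):
    """True only if the image hashes to the digest published for `name`.

    hmac.compare_digest avoids leaking how many leading characters
    matched through timing, which matters when this runs server-side.
    """
    expected = checksums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def flip_byte(data, index):
    """Return a copy of `data` with one bit of one byte changed: a minimal tamper."""
    tampered = bytearray(data)
    tampered[index] ^= 0x01
    return bytes(tampered)


def main():
    checksums = parse_checksum_listing(PUBLISHED_CHECKSUMS)
    print("genuine :", verify_image(GENUINE_IMAGE, "router-image.bin", checksums))
    tampered = flip_byte(GENUINE_IMAGE, 100)
    print("tampered:", verify_image(tampered, "router-image.bin", checksums))


if __name__ == "__main__":
    main()
```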
2.3.3 Categorizing Software Vulnerabilities
Most software security vulnerabilities fall into several main categories.
A. Buffer overflow
Buffers are memory areas allocated to an application. A vulnerability occurs when data is written beyond
the limits of a buffer. By changing data beyond the boundaries of a buffer, the application can access
memory allocated to other processes. This can lead to a system crash or data compromise, or provide
escalation of privileges.
B. Non-validated input
Programs often require data input, but this incoming data could have malicious content, designed to
force the program to behave in an unintended way.

For example, consider a program that receives an image for processing. A malicious user could craft an
image file with invalid image dimensions. The maliciously crafted dimensions could force the program to
allocate buffers of incorrect and unexpected sizes.
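The image-dimension case above, worked through as an added example (not course code): a parser for a constructed 16-byte image header shows what happens when the dimensions size a buffer unchecked, beside the validated version. The header format, the limits and the function names are assumptions made for this example.

```python
"""Validating untrusted input before it sizes a buffer.

Added example, not course code. The 16-byte header format (magic 'IMG1',
then width, height and bits-per-pixel as big-endian unsigned 32-bit
integers), the limits and the names are all assumptions for this example.
"""
import struct

HEADER = struct.Struct(">4sIII")      # magic, width, height, bpp: 16 bytes
MAGIC = b"IMG1"
ALLOWED_BPP = (8, 24, 32)
MAX_DIMENSION = 16_384                # assumed per-axis bound
MAX_PIXEL_BUFFER = 256 * 1024 * 1024  # assumed 256 MiB allocation cap
UINT32_MASK = 0xFFFFFFFF              # models a 32-bit size_t


class InvalidImage(ValueError):
    """Header rejected; the caller must not allocate or copy anything."""


def make_header(width: int, height: int, bpp: int, magic: bytes = MAGIC) -> bytes:
    """Build a header; used to construct the sample inputs."""
    return HEADER.pack(magic, width & UINT32_MASK, height & UINT32_MASK, bpp)


def naive_buffer_size(header: bytes) -> int:
    """The unsafe computation: trusts the dimensions as received.

    The mask models a C implementation computing width * height *
    bytes-per-pixel in 32-bit arithmetic. Attacker-chosen dimensions can
    wrap the product to a small value, so a tiny buffer is allocated and
    later overflowed when the real pixel data is written into it.
    """
    _, width, height, bpp = HEADER.unpack(header)
    return (width * height * (bpp // 8)) & UINT32_MASK


def validated_buffer_size(header: bytes) -> int:
    """Check every field, then bound the product explicitly."""
    if len(header) != HEADER.size:
        raise InvalidImage("truncated header")
    magic, width, height, bpp = HEADER.unpack(header)
    if magic != MAGIC:
        raise InvalidImage("bad magic")
    if bpp not in ALLOWED_BPP:
        raise InvalidImage(f"unsupported bpp {bpp}")
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise InvalidImage(f"dimensions {width}x{height} out of range")
    # Both factors are bounded, so even a 32-bit product could not wrap.
    size = width * height * (bpp // 8)
    if size > MAX_PIXEL_BUFFER:
        raise InvalidImage(f"pixel buffer of {size} bytes exceeds cap")
    return size


def is_safe(header: bytes) -> bool:
    """True only if the header passes every validation step."""
    try:
        validated_buffer_size(header)
        return True
    except InvalidImage:
        return False


if __name__ == "__main__":
    good = make_header(640, 480, 24)
    wrapped = make_header(65_536, 65_536, 8)   # constructed malicious header
    print("good:", naive_buffer_size(good), validated_buffer_size(good))
    print("malicious naive size:", naive_buffer_size(wrapped), "safe?", is_safe(wrapped))
```

The constructed 65536 x 65536 header makes the naive 32-bit product wrap to zero, which is exactly the "buffer of incorrect and unexpected size" the text describes.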
C. Race conditions
This vulnerability describes a situation where the output of an event depends on ordered or timed
outputs. A race condition becomes a source of vulnerability when the required ordered or timed events
do not occur in the correct order or at the proper time.
D. Weaknesses in security practices
Systems and sensitive data can be protected through techniques such as authentication, authorization
and encryption. Developers should stick to using security techniques and libraries that have already been
created, tested and verified and should not attempt to create their own security algorithms. These will
only likely introduce new vulnerabilities.
E. Access control problems
Access control is the process of controlling who does what and ranges from managing physical access to
equipment to dictating who has access to a resource, such as a file, and what they can do with it, such as
read or change the file. Many security vulnerabilities are created by the improper use of access controls.
Nearly all access controls and security practices can be overcome if an attacker has physical access to
target equipment. For example, no matter the permission settings on a file, a hacker can bypass the
operating system and read the data directly off the disk. Therefore, to protect the machine and the data
it contains, physical access must be restricted, and encryption techniques must be used to protect data
from being stolen or corrupted.
2.3.4 Software Updates
The goal of software updates is to stay current and avoid exploitation of vulnerabilities. Microsoft,
Apple and other operating system producers release patches and updates almost every day and
applications such as web browsers, mobile apps and web servers are often updated by the companies or
organizations responsible for them.

Despite the fact that organizations put a lot of effort into finding and patching software vulnerabilities,
new vulnerabilities are discovered regularly. That’s why some organizations use third party security
researchers who specialize in finding vulnerabilities in software, or actually invest in their own
penetration testing teams dedicated to search, find and patch software vulnerabilities before they can
get exploited.

Google’s Project Zero is a great example of this practice. After discovering a number of vulnerabilities in
various software used by end users, Google formed a permanent team dedicated to finding software
vulnerabilities.

MODULE 3: Protecting your Devices and Network


3.1.7 Using a Passphrase
In order to prevent unauthorized access to your devices, you should consider using passphrases instead
of passwords. A passphrase generally takes the form of a sentence, e.g. ‘when your dream comes alive’,
making it easier for you to remember. And because it’s longer than a typical password, it’s less
vulnerable to dictionary or brute-force attacks.
3.2 Data Maintenance
3.2.1 What Is Encryption?
• Encryption is the process of converting information into a form in which unauthorized parties cannot
read it. Only a trusted, authorized person with the secret key or password can decrypt the data and
access it in its original form.
• Note that the encryption itself does not prevent someone from intercepting the data. It can only
prevent an unauthorized person from viewing or accessing the content. In fact, some criminals may
decide to simply encrypt your data and make it unusable until you pay a ransom.
3.2.2 How Do You Encrypt Your Data?
• Software programs are used to encrypt files, folders and even entire drives.
• Encrypting File System (EFS) is a Windows feature that can encrypt data. It is directly linked to a
specific user account and only the user that encrypts the data will be able to access it after it has
been encrypted using EFS.
• The steps to encrypt data using EFS are the same in all Windows versions:
Step 1
Select one or more files or folders.

Step 2
Right click the selected data and go to ‘Properties.’

Step 3
Find and click ‘Advanced.’

Step 4
Select the ‘Encrypt contents to secure data’ check box.

Step 5
Files and folders that have been encrypted with EFS are displayed in green.

3.2.3 Back Up Your Data


• Having a backup may prevent the loss of irreplaceable data. To back up data properly, you will need
an additional storage location for the data and you must copy the data to that location regularly.

• When you move a file to the recycle bin and delete it permanently, the file is only inaccessible from
the operating system. Anyone with the right forensic tools could still recover the file due to a
magnetic trace left on the hard drive.
• So how do you ensure that erased data is no longer recoverable?
3.2.5 How Do You Delete Your Data Permanently?
1. To erase data so that it is no longer recoverable, it must be overwritten with ones and zeroes multiple times,
using tools specifically designed to do just that. SDelete from Microsoft claims to have the ability to remove
sensitive files completely. Shred for Linux and Secure Empty Trash for Mac OS X claim to provide a similar
service.
2. The only way to be certain that data or files are not recoverable is to physically destroy the hard drive or
storage device. Many criminals have taken advantage of files thought to be impenetrable or irrecoverable!
3.4 Safeguarding Your Online Privacy
Use two-factor authentication to add an extra layer of security for account logins.
3.4.5 Email and Web Browser Privacy
Browser tracking problems can be minimized by enabling the in-private browsing mode on your web browser. Many of
the most commonly used web browsers have their own name for private browser mode:
• Microsoft Internet Explorer: InPrivate
• Google Chrome: Incognito
• Mozilla Firefox: Private tab or private window
• Safari: Private browsing
When private mode is enabled, cookies — files saved to your device to indicate what websites you’ve visited —
are disabled. Therefore, any temporary internet files are removed and your browsing history is deleted when
you close the window or program. This may help to prevent others from gathering information about your
online activities and trying to entice you to buy something with targeted ads.
Even with private browsing enabled and cookies disabled, companies are constantly developing new ways
of fingerprinting users in order to track their online behavior. For example, some intermediary devices, like
routers, can gather information about a user’s web surfing history.

MODULE 4: Protecting the organization


Firewalls
In computer networking, a firewall is designed to control or filter which communications are allowed in
and which are allowed out of a device or network. A firewall can be installed on a single computer with
the purpose of protecting that one computer (host-based firewall) or it can be a standalone network
device that protects an entire network of computers and all of the host devices on that network
(network-based firewall).
• A NAT firewall filters communications based on source and destination IP addresses.
• A proxy server filters web content requests like URLs, domain names and media types.
• A host-based firewall filters ports and system service calls on a single computer operating
system.
4.1.5 Port Scanning
• In networking, each application running on a device is assigned an identifier called a port number.
This port number is used on both ends of the transmission so that the right data is passed to the
correct application. Port scanning is a process of probing a computer, server or other network host
for open ports. It can be used maliciously as a reconnaissance tool to identify the operating system
and services running on a computer or host, or it can be used harmlessly by a network administrator
to verify network security policies on the network.
The following steps describe how to carry out a port scan on a computer on your local home network.
1. Download and launch a port scanning tool like Zenmap. Enter the IP address of your computer,
choose a default scanning profile and press ‘scan.’
   o The scan will report any services that are running, such as web or email services, and their
port numbers.
   o The scan will also report one of the following responses:
      I. ‘Open’ or ‘Accepted’ means that the port or service running on the computer can be
accessed by other network devices.
      II. ‘Closed,’ ‘Denied’ or ‘Not Listening’ means that the port or service is not running on the
computer and therefore cannot be exploited.
      III. ‘Filtered,’ ‘Dropped’ or ‘Blocked’ means that access to the port or service is blocked by a
firewall and therefore it cannot be exploited.

• To execute a port scan from outside of your network, you will need to run it against your firewall or
router’s public IP address.
• Enter the query ‘what is my IP address?’ into a search engine such as Google to find out this
information.
• Go to the Nmap Online Port Scanner, enter your public IP address in the input box and press ‘Quick
Nmap Scan.’ If the response is open for ports 21, 22, 25, 80, 443 or 3389 then most likely, port
forwarding has been enabled on your router or firewall and you are running servers on your private
network.
• If the port scan reports an ‘open’ state response, the service running on the network can be
accessed by other network devices. Therefore, if the service contains a vulnerability, it can be
exploited by an attacker.
4.1.7 Intrusion Detection and Prevention Systems
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are security measures
deployed on a network to detect and prevent malicious activities.
IDS
• An IDS can either be a dedicated network device or one of several tools in a server, firewall or even a
host computer operating system, such as Windows or Linux, that scans data against a database of
rules or attack signatures, looking for malicious traffic.
• If a match is detected, the IDS will log the detection and create an alert for a network administrator.
It will not take action and therefore it will not prevent attacks from happening. The job of the IDS is
to detect, log and report.
• The scanning performed by the IDS slows down the network (known as latency). To prevent network
delay, an IDS is usually placed offline, separate from regular network traffic. Data is copied or
mirrored by a switch and then forwarded to the IDS for offline detection.
IPS

• An IPS can block or deny traffic based on a positive rule or signature match. One of the most
well-known IPS/IDS systems is Snort. The commercial version of Snort is Cisco’s Sourcefire. Sourcefire can
perform real-time traffic and port analysis, logging, content searching and matching, as well as
detect probes, attacks and execute port scans. It also integrates with other third-party tools for
reporting, performance and log analysis.
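The IDS/IPS distinction above, as an added example that is not course code and not Snort: a minimal signature matcher that logs and alerts in IDS mode and additionally drops in IPS mode. The rule format, the signature patterns, the addresses and the packets are all constructed for this example.

```python
"""Signature matching in IDS mode versus IPS mode.

Added example, not course code and not Snort: the rule format (protocol,
destination port or any, byte pattern, message) and the signatures, hosts
and packets below are all constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int              # signature id (made up for the example)
    proto: str
    dport: Optional[int]  # None matches any destination port
    content: bytes        # byte pattern that must appear in the payload
    msg: str


@dataclass
class Sensor:
    rules: List[Rule]
    mode: str = "ids"     # "ids": detect, log, alert only; "ips": also block
    alerts: List[str] = field(default_factory=list)

    def match(self, pkt: Packet) -> Optional[Rule]:
        """First rule whose protocol, port and content all match."""
        for rule in self.rules:
            if (rule.proto == pkt.proto
                    and (rule.dport is None or rule.dport == pkt.dport)
                    and rule.content in pkt.payload):
                return rule
        return None

    def inspect(self, pkt: Packet) -> str:
        """Verdict for one packet: 'pass', 'alert' (IDS) or 'drop' (IPS).

        An IDS sees a mirrored copy, so on a match the original packet has
        already been forwarded; only an inline IPS can return 'drop'.
        """
        rule = self.match(pkt)
        if rule is None:
            return "pass"
        self.alerts.append(f"[sid {rule.sid}] {rule.msg}: "
                           f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
        return "drop" if self.mode == "ips" else "alert"


# Constructed signatures: the patterns are placeholders, not real indicators.
RULES = [
    Rule(1000001, "tcp", 80, b"User-Agent: EvilBot/1.0", "constructed C2 beacon user agent"),
    Rule(1000002, "tcp", None, b"MALWARE-TEST-SIGNATURE", "constructed test pattern on any port"),
]

# Constructed sample traffic (documentation address ranges).
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"),
    Packet("10.0.0.31", "203.0.113.9", "tcp", 80, b"GET /c HTTP/1.1\r\nUser-Agent: EvilBot/1.0\r\n"),
    Packet("198.51.100.7", "10.0.0.44", "tcp", 4444, b"hello MALWARE-TEST-SIGNATURE bye"),
    Packet("10.0.0.5", "10.0.0.80", "udp", 53, b"MALWARE-TEST-SIGNATURE"),  # wrong proto: no match
]


def run(mode: str):
    """Run the sample traffic through a sensor; returns (verdicts, alerts)."""
    sensor = Sensor(RULES, mode)
    verdicts = [sensor.inspect(p) for p in TRAFFIC]
    return verdicts, sensor.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts = run(mode)
        print(mode.upper(), verdicts)
        for line in alerts:
            print("  ", line)
```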
4.1.8 Real-Time Detection
• Many organizations today are unable to detect attacks until days or even months after they occur.
• Detecting attacks in real time requires actively scanning for attacks using firewall and IDS/IPS
network devices. Next generation client and server malware detection with connections to online
global threat centers must also be used. Today, active scanning devices and software must detect
network anomalies using context-based analysis and behavior detection.
• DDoS is one of the biggest attack threats requiring real-time detection and response. For many
organizations, regularly occurring DDoS attacks cripple Internet servers and network availability.
These attacks are extremely difficult to defend against because the attacks originate from hundreds,
even thousands, of zombie hosts, and the attacks appear as legitimate traffic.
4.1.9 Protecting Against Malware
• One way of defending against zero-day attacks and advanced persistent threats (APTs) is to use an
enterprise-level advanced malware detection solution, like Cisco’s Advanced Malware Protection
(AMP) Threat Grid.
• This is client/server software that can be deployed on host endpoints, as a standalone server or on
other network security devices. It analyzes millions of files and correlates them against hundreds of
millions of other analyzed malware artifacts for behaviors that reveal an APT. This approach provides
a global view of malware attacks, campaigns and their distribution.
4.1.10 Security Best Practices
Many national and professional organizations have published lists of security best practices. Some of
the most helpful guidelines are found in organizational repositories such as the National Institute of
Standards and Technology (NIST) Computer Security Resource Center. Some of these best practices are
listed below.
1. Perform a risk assessment
Knowing and understanding the value of what you are protecting will help to justify security
expenditures.
2. Create a security policy
Create a policy that clearly outlines the organization’s rules, job roles, and responsibilities and
expectations for employees.
3. Physical security measures
Restrict access to networking closets and server locations, as well as fire suppression.
4. Human resources security measures
Background checks should be completed for all employees.
5. Perform and test backups
Back up information regularly and test data recovery from backups.
6. Maintain security patches and updates
Regularly update server, client and network device operating systems and programs.
7. Employ access controls
Configure user roles and privilege levels as well as strong user authentication.
8. Regularly test incident response
Employ an incident response team and test emergency response scenarios.
9. Implement a network monitoring, analytics and management tool
Choose a security monitoring solution that integrates with other technologies.
10. Implement network security devices
Use next generation routers, firewalls and other security appliances.
11. Implement a comprehensive endpoint security solution
Use enterprise level antimalware and antivirus software.
12. Educate users
Provide training to employees in security procedures.
One of the most widely known and respected organizations for cybersecurity training is the SANS
Institute, which offers a range of security training and certifications.
13. Encrypt data
Encrypt all sensitive organizational data, including email.
4.2 Behavior Approach to Cybersecurity
4.2.1 Behavior-Based Security
Behavior-based security is a form of threat detection that involves capturing and analyzing the flow
of communication between a user on the local network and a local or remote destination. Any
changes in normal patterns of behavior are regarded as anomalies, and may indicate an attack.
Two behavior-based detection tools are described below.
1. Honeypots
A honeypot is a behavior-based detection tool that lures the attacker in by appealing to their
predicted pattern of malicious behavior. Once the attacker is inside the honeypot, the network
administrator can capture, log and analyze their behavior so that they can build a better defense.
2. Cisco’s Cyber Threat Defense Solution Architecture
This security architecture uses behavior-based detection and indicators to provide greater
visibility, context and control. The aim is to know who is carrying out the attack, what type of
attack they are performing and where, when and how the attack is taking place. This security
architecture uses many security technologies to achieve this goal.
4.2.2 NetFlow
• NetFlow technology is used to gather information about data flowing through a network, including
who and what devices are in the network, and when and how users and devices access the network.
• NetFlow is an important component in behavior-based detection and analysis. Switches, routers and
firewalls equipped with NetFlow can report information about data entering, leaving and traveling
through the network.
• This information is sent to NetFlow collectors that collect, store and analyze NetFlow data, which can
be used to establish baseline behaviors on more than 90 attributes, such as source and destination
IP address.
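Behavior-based detection (4.2.1) on NetFlow-style data (4.2.2), as an added example that is not course code: a baseline is learned per source from a set of constructed flow records, and later flows are flagged when they deviate from it. The records, the four attributes used and the thresholds are constructed for this example; a real collector works over many more attributes.

```python
"""Baseline behavior from NetFlow-style records, then flag deviations.

Added example, not course code. The flow records, the attributes used
(source, destination, destination port, bytes) and the thresholds are
constructed for this example; real NetFlow exports carry many more fields.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, FrozenSet, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    nbytes: int


class Profile(NamedTuple):
    mean_bytes: float
    std_bytes: float
    peers: FrozenSet[str]
    ports: FrozenSet[int]


# Constructed learning-period flows: two workstations talking to an
# internal web server and a mail server.
BASELINE = [
    Flow("10.0.0.21", "10.0.0.80", 443, 12_000),
    Flow("10.0.0.21", "10.0.0.80", 443, 15_000),
    Flow("10.0.0.21", "10.0.0.25", 25, 8_000),
    Flow("10.0.0.21", "10.0.0.80", 443, 13_000),
    Flow("10.0.0.22", "10.0.0.80", 443, 9_000),
    Flow("10.0.0.22", "10.0.0.80", 443, 11_000),
]

# Constructed flows from a later collection interval.
OBSERVED = [
    Flow("10.0.0.21", "10.0.0.80", 443, 14_000),       # within baseline
    Flow("10.0.0.21", "203.0.113.9", 443, 950_000),    # large transfer to an unseen peer
    Flow("10.0.0.22", "10.0.0.1", 22, 300),            # fan-out on an unseen port
    Flow("10.0.0.22", "10.0.0.2", 22, 300),
    Flow("10.0.0.22", "10.0.0.3", 22, 300),
    Flow("10.0.0.22", "10.0.0.4", 22, 300),
]

Anomaly = Tuple[str, str, str]   # (source, kind, detail)


def build_baseline(flows: List[Flow]) -> Dict[str, Profile]:
    """Per-source profile: byte-size statistics plus the sets of peers and ports."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    return {
        src: Profile(mean([f.nbytes for f in fl]),
                     pstdev([f.nbytes for f in fl]),
                     frozenset(f.dst for f in fl),
                     frozenset(f.dport for f in fl))
        for src, fl in by_src.items()
    }


def detect(flows: List[Flow], profiles: Dict[str, Profile],
           sigma: float = 3.0, new_peer_limit: int = 2) -> List[Anomaly]:
    """Flag flows that deviate from the learned profile of their source."""
    anomalies: List[Anomaly] = []
    new_peers: Dict[str, set] = defaultdict(set)
    new_ports: Dict[str, set] = defaultdict(set)
    for f in flows:
        p = profiles.get(f.src)
        if p is None:
            anomalies.append((f.src, "unknown_source", f"first flow seen, to {f.dst}"))
            continue
        # Volume: more than `sigma` standard deviations above this source's mean.
        if f.nbytes > p.mean_bytes + sigma * max(p.std_bytes, 1.0):
            anomalies.append((f.src, "volume", f"{f.nbytes} bytes to {f.dst}"))
        if f.dst not in p.peers:
            new_peers[f.src].add(f.dst)
        if f.dport not in p.ports:
            new_ports[f.src].add(f.dport)
    # Report each unseen port once per source, and a peer fan-out once it
    # exceeds the allowed number of new destinations.
    for src, ports in new_ports.items():
        for port in sorted(ports):
            anomalies.append((src, "unseen_port", f"port {port} never used in baseline"))
    for src, peers in new_peers.items():
        if len(peers) > new_peer_limit:
            anomalies.append((src, "new_peers", f"{len(peers)} previously unseen destinations"))
    return anomalies


if __name__ == "__main__":
    for a in detect(OBSERVED, build_baseline(BASELINE)):
        print(a)
```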

4.2.3 Penetration Testing


• Penetration testing, commonly known as pen testing, is the act of assessing a computer system,
network or organization for security vulnerabilities. A pen test seeks to breach systems, people,
processes and code to uncover vulnerabilities which could be exploited. This information is then
used to improve the system’s defenses to ensure that it is better able to withstand cyber attacks in
the future.
The pen test process has five steps. In brief:
1. Planning allows you to gather as much information as possible about a target system or network
and may involve passive or active reconnaissance (footprinting).
2. Scanning a target allows you to identify potential exploitable weaknesses.
3. Gaining access means exploiting any vulnerabilities identified in the network by simulating an attack.
4. Maintaining access, without being detected, means that you can gather further information on a
target’s vulnerabilities.
5. Analysis and reporting: you report any feedback to the organization so that security improvements
can be made.
Step 1: Planning
The pen tester gathers as much information as possible about a target system or network, its potential
vulnerabilities and exploits to use against it. This involves conducting passive or active reconnaissance
(footprinting) and vulnerability research.
Step 2: Scanning
The pen tester carries out active reconnaissance to probe a target system or network and identify potential
weaknesses which, if exploited, could give an attacker access. Active reconnaissance may include:
• port scanning to identify potential access points into a target system
• vulnerability scanning to identify potential exploitable vulnerabilities of a particular target
• establishing an active connection to a target (enumeration) to identify the user account, system
account and admin account.
Step 3: Gaining access
The pen tester will attempt to gain access to a target system and sniff network traffic, using various methods
to exploit the system including:
• launching an exploit with a payload onto the system
• breaching physical barriers to assets
• social engineering
• exploiting website vulnerabilities
• exploiting software and hardware vulnerabilities or misconfigurations
• breaching access controls security
• cracking weak encrypted Wi-Fi.
Step 4: Maintaining access
The pen tester will maintain access to the target to find out what data and systems are vulnerable to
exploitation. It is important that they remain undetected, typically using backdoors, Trojan horses, rootkits
and other covert channels to hide their presence.
When this infrastructure is in place, the pen tester will then proceed to gather the data that they consider
valuable.
Step 5: Analysis and reporting
The pen tester will provide feedback via a report that recommends updates to products, policies and training
to improve an organization’s security.
4.2.5 Impact Reduction
While most organizations today are aware of common security threats and put considerable effort into
preventing them, no set of security practices is foolproof. Therefore, organizations must be prepared to
contain the damage if a security breach occurs. And they must act fast!
Organizations should take the following actions when a security breach is identified.
1. Communicate the issue
Communication creates transparency, which is critical in this type of situation.
Internally, all employees should be informed and a clear call to action communicated.
Externally, all clients should be informed through direct communication and official announcements.
2. Be sincere and accountable
Respond to the breach in an honest and genuine way, taking responsibility where the organization is at fault.
3. Provide the details
Be open and explain why the breach took place and what information was compromised. Organizations are
generally expected to take care of any client costs associated with identity theft services required as a result
of a security breach.
4. Find the cause
Take steps to understand what caused and facilitated the breach. This may involve hiring forensics experts to
research and find out the details.
5. Apply lessons learned
Make sure that any lessons learned from forensic investigations are applied to prevent similar breaches from
happening in the future.
6. Check, and check again
Attackers will often attempt to leave a backdoor to facilitate future breaches. To prevent this from
happening, make sure that all systems are clean, no backdoors are installed and nothing else has been
compromised.
7. Educate!
Raise awareness, train and educate employees, partners and clients on how to prevent future breaches.
4.2.6 What Is Risk Management?
Risk management is the formal process of continuously identifying and assessing risk in an effort to reduce
the impact of threats and vulnerabilities. You cannot eliminate risk completely but you can determine
acceptable levels by weighing up the impact of a threat with the cost of implementing controls to mitigate it.
The cost of a control should never be more than the value of the asset you are protecting.
The risk management process involves the following steps.
1. Identify the threats that increase risk. Threats may include processes, products, attacks, potential
failure or disruption of services, negative perception of an organization’s reputation, potential legal
liability or loss of intellectual property.
2. Determine the severity that each threat poses. For example, some threats may have the potential to
bring an entire organization to a standstill, while other threats may be only minor inconveniences. Risk
can be prioritized by assessing financial impact (a quantitative analysis) or scaled impact on an
organization's operation (a qualitative analysis).
3. Develop an action plan to reduce overall organization risk exposure, detailing where risk can be
eliminated, mitigated, transferred or accepted.
4. Continuously review any risk reduced through elimination, mitigation or transfer actions. Remember, not
all risks can be eliminated, so you will need to closely monitor any threats that have been accepted.
4.3.2 Security Playbook
One of the best ways to prepare for a security breach is to prevent it. Organizations should provide guidance on:
• how to identify the cybersecurity risk to systems, assets, data and capabilities
• the implementation of safeguards and personnel training
• a flexible response plan that minimizes the impact and damage in the event of a security breach
• security measures and processes that need to be put in place in the aftermath of a security
breach.
All this information should be compiled into a security playbook.

A security playbook is a collection of repeatable queries or reports that outline a standardized process for
incident detection and response. Ideally, a security playbook should:
• highlight how to identify and automate the response to common threats such as the detection
of malware-infected machines, suspicious network activity or irregular authentication attempts.
• describe and clearly define inbound and outbound traffic.
• provide summary information including trends, statistics and counts.
• provide usable and quick access to key statistics and metrics.
• correlate events across all relevant data sources.
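One playbook entry in code, as an added example that is not course code: a repeatable query over authentication logs that detects irregular authentication attempts (a burst of failures followed by a success), produces the summary counts a report needs, and maps each finding to standardized response steps. The sshd-style log lines are constructed, and the window, threshold and recommended actions are assumptions.

```python
"""A security playbook entry as a repeatable query over authentication logs.

Added example, not course code. The sshd-style log lines are constructed,
the burst window and threshold are assumptions, and the response actions
are illustrative recommendations, not an automated response.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (ISO timestamp, host, sshd message).
LOG = """\
2024-05-01T09:00:01 host1 sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 5100 ssh2
2024-05-01T09:00:03 host1 sshd[2002]: Failed password for root from 198.51.100.7 port 5101 ssh2
2024-05-01T09:00:04 host1 sshd[2003]: Failed password for root from 198.51.100.7 port 5102 ssh2
2024-05-01T09:00:06 host1 sshd[2004]: Failed password for root from 198.51.100.7 port 5103 ssh2
2024-05-01T09:00:07 host1 sshd[2005]: Failed password for root from 198.51.100.7 port 5104 ssh2
2024-05-01T09:00:09 host1 sshd[2006]: Accepted password for root from 198.51.100.7 port 5105 ssh2
2024-05-01T09:12:00 host1 sshd[2010]: Failed password for alice from 10.0.0.21 port 6000 ssh2
2024-05-01T09:12:10 host1 sshd[2011]: Accepted publickey for alice from 10.0.0.21 port 6001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse(log: str) -> List[Dict]:
    """Turn matching lines into events; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def brute_force_query(events: List[Dict], window: timedelta = timedelta(minutes=5),
                      threshold: int = 5) -> List[Dict]:
    """Sources with at least `threshold` failures inside `window`, and whether
    the same source then succeeded (the case that needs the urgent response)."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1]["ts"]
                success = any(e["result"] == "Accepted" and e["ts"] > last_fail for e in evs)
                findings.append({"src": src, "failures": len(burst),
                                 "users": sorted({e["user"] for e in burst}),
                                 "success_after": success})
                break   # one finding per source is enough for the report
    return findings


def summary(events: List[Dict]) -> Dict:
    """The counts and top-N statistics a playbook report should carry."""
    results = Counter(e["result"] for e in events)
    return {"total": len(events),
            "failed": results["Failed"],
            "accepted": results["Accepted"],
            "top_failed_sources": Counter(e["src"] for e in events
                                          if e["result"] == "Failed").most_common(3)}


def recommended_actions(finding: Dict) -> List[str]:
    """Standardized response steps for a finding (assumed, illustrative)."""
    actions = [f"block {finding['src']} at the perimeter firewall"]
    if finding["success_after"]:
        actions += [f"treat accounts {finding['users']} as compromised: reset credentials",
                    "review sessions and commands run after the successful login"]
    return actions


if __name__ == "__main__":
    evs = parse(LOG)
    print(summary(evs))
    for f in brute_force_query(evs):
        print(f, recommended_actions(f))
```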
4.3.3 Tools for Incident Detection and Prevention
There is a range of tools used to detect and prevent security incidents:
• An IPS can block or deny traffic based on a positive rule or signature match.
• An IDS scans data against a database of rules or attack signatures, looking for malicious traffic.
• A DLP system is designed to stop sensitive data from being stolen from or escaping a network.
• A SIEM system collects and analyzes security alerts, logs and other real-time and historical data
from security devices on the network.
MODULE 5: Protecting the organization
5.1.1 Legal Issues in Cybersecurity
• In order to protect against attacks, cybersecurity professionals must have the same skills as the
attackers. However, cybersecurity professionals use their skills within the bounds of the law.
• At work or home, you may have the opportunity and skills to hack another person’s computer or
network. But there is an old saying, 'Just because you can does not mean you should.' Most hacks
leave tracks, which can be traced back to you.
5.2.2 Professional Certifications
Cybersecurity certifications are a great way for you to verify your skills and knowledge and can also boost
your career.
Some of the most common certifications are described below.
1. EC Council Certified Ethical Hacker (CEH)
This certification tests your understanding and knowledge of how to look for weaknesses and
vulnerabilities in target systems using the same knowledge and tools as a malicious hacker but in a lawful
and legitimate manner.

2. ISC2 Certified Information Systems Security Professional (CISSP)


This is the most recognizable and popular security certification. In order to take the exam, you need
to have at least five years of relevant industry experience.
3. Cisco Certified CyberOps Associate
This certification validates the skills required of associate-level cybersecurity analysts within security
operations centers.
