Cybersecurity Essentials for Businesses


UNIT-IV

 Introduction to Key Security Tools


With remote working becoming the new normal, every organization, no matter how big
or small, requires cyber security experts proficient in cyber security tools and techniques. At
present, no organization can escape cyber threats and security issues without a good cyber
security team. Hackers are always on the move to find loopholes in security systems to put
companies in distress and profit from it.
The different aspects of cyber security, including application security, information security,
network security, disaster recovery, operational security, and more, are necessary to provide
protection from multiple cyber threats that take the form of ransomware, malware, phishing, and
more. Thus, cyber security tools play an important role in the protection of the
sensitive and private data of businesses as well as individuals.
WHAT IS NETWORK SECURITY?
Network security and security tools encompass several devices, technologies, and
processes. In its simplest form, network security is a set of techniques used to protect the system,
accessibility, applications, confidentiality, data, and network from cyber threats. Knowledge of
network security is a need of the hour for avoiding unauthorized data access and identity theft
and for staying safe from cyber-attacks. Information Security, App Security, Cybersecurity,
Operational Security, Disaster Recovery, etc., are just a few types of network security.
WHAT ARE THE BENEFITS OF NETWORK SECURITY?
It is imperative to have an authorization and authentication system in place to protect the
data and system from cyber threats, identify new users, monitor traffic, and approve or block
unauthorized access. Network security offers many other benefits as well, such as increasing
productivity, managing network traffic, enhancing network performance, protecting customers'
confidentiality, gaining customer trust, reducing the likelihood of websites going down, and
ensuring safe data sharing between data sources and employees.
Network security covers a wide range of functions. Some of its common capabilities include:
· Firewalls
· Sandboxing
· Traffic analysis
· Malware detection
· Endpoint security
· Network Access Control
· Network mapping and visibility
Therefore, every organization and industry needs to keep a degree of network security
solutions in place to protect its vulnerable points from ever-growing cyber threats.
 Introduction to firewall
Nowadays, it is a big challenge to protect our sensitive data from unwanted and
unauthorized sources. There are various tools and devices that can provide different security
levels and help keep our private data secure. One such tool is a 'firewall' that prevents
unauthorized access and keeps our computers and data safe and secure.
What is a Firewall
A firewall can be defined as a special type of network security device or a software
program that monitors and filters incoming and outgoing network traffic based on a defined set
of security rules. It acts as a barrier between internal private networks and external sources (such
as the public Internet).

VIJAYAM BUSINESS SCHOOL Page 1


Cybersecurity
The primary purpose of a firewall is to allow non-threatening traffic and prevent
malicious or unwanted data traffic, protecting the computer from viruses and attacks. A
firewall is a cybersecurity tool that filters network traffic and helps users block malicious
software on infected computers from accessing the Internet.


Firewall: Hardware or Software
One of the most common questions is whether a firewall is hardware or
software. As stated above, a firewall can be a network security device or a software program on a
computer. This means that firewalls exist at both levels, i.e., hardware and software, though
it's best to have both.
Each format (a firewall implemented as hardware or software) has different functionality
but the same purpose. A hardware firewall is a physical device that attaches between a computer
network and a gateway. For example, a broadband router. On the other hand, a software firewall
is a simple program installed on a computer that works through port numbers and other installed
software.
Apart from that, there are cloud-based firewalls. They are commonly referred to as FaaS
(firewall as a service). A primary advantage of using cloud-based firewalls is that they can be
managed centrally. Like hardware firewalls, cloud-based firewalls are best known for providing
perimeter security.
Why Firewall
Firewalls are primarily used to prevent malware and network-based attacks. Additionally,
they can help in blocking application-layer attacks. These firewalls act as a gatekeeper or a
barrier. They monitor every attempt at communication between our computer and another network.
They do not allow data packets to be transferred through them unless the data is coming from or
going to a user-specified trusted source.
Firewalls are designed in such a way that they can react quickly to detect and counter
attacks throughout the network. They can work with rules configured to protect the network and
perform quick assessments to find any suspicious activity. In short, we can think of the firewall
as a traffic controller.
Some of the important risks of not having a firewall are:
Open Access
If a computer is running without a firewall, it is giving open access to other networks.
This means that it is accepting every kind of connection from anyone. In this
case, it is not possible to detect threats or attacks coming through our network. Without a
firewall, we make our devices vulnerable to malicious users and other unwanted sources.

Lost or Compromised Data
Without a firewall, we are leaving our devices accessible to everyone. This means that
anyone can access our device and have complete control over it, including the network. In this
case, cybercriminals can easily delete our data or use our personal information for their benefit.
Network Crashes
In the absence of a firewall, anyone could access our network and shut it down. It may
lead us to invest our valuable time and money to get our network working again.
Therefore, it is essential to use firewalls and keep our network, computer, and data safe and
secure from unwanted sources.
How does a firewall work?
A firewall system analyzes network traffic based on pre-defined rules. It then filters the
traffic and blocks any traffic coming from unreliable or suspicious sources. It only allows
the incoming traffic that it is configured to accept.
Typically, firewalls intercept network traffic at a computer's entry point, known as a port.
Firewalls perform this task by allowing or blocking specific data packets (units of
communication transferred over a digital network) based on pre-defined security rules. Incoming
traffic is allowed only from trusted IP addresses or sources.
Functions of Firewall
As stated above, the firewall works as a gatekeeper. It analyzes every attempt to gain
access to our operating system and prevents traffic from unwanted or non-recognized sources.
Since the firewall acts as a barrier or filter between the computer system and other networks
(i.e., the public Internet), we can consider it a traffic controller. Therefore, a firewall's primary
function is to secure our network and information by controlling network traffic,
preventing unwanted incoming network traffic, and validating access by assessing
network traffic for malicious things such as hackers and malware.
Generally, most operating systems (for example, Windows) and security software come with
built-in firewall support. Therefore, it is a good idea to ensure that those options are turned on.
Additionally, we can configure the security settings of the system to be updated automatically
whenever updates are available.
Firewalls have become very powerful and include a variety of functions and capabilities as
built-in features:
o Network Threat Prevention
o Application and Identity-Based Control
o Hybrid Cloud Support
o Scalable Performance
o Network Traffic Management and Control
o Access Validation
o Record and Report on Events

 Types of Firewall
Depending on their structure, there are mainly three types of firewalls: software firewalls,
hardware firewalls, or a combination of both. Each type of firewall has different functionality but
the same purpose.
A hardware firewall is a physical device that attaches between a computer network and a
gateway. For example- a broadband router. A hardware firewall is sometimes referred to as
an Appliance Firewall. On the other hand, a software firewall is a simple program installed on a
computer that works through port numbers and other installed software. This type of firewall is
also called a Host Firewall.
Besides, there are many other types of firewalls depending on their features and the level of
security they provide. The following are types of firewall techniques that can be implemented as
software or hardware:
o Packet-filtering Firewalls
o Circuit-level Gateways
o Application-level Gateways (Proxy Firewalls)
o Stateful Multi-layer Inspection (SMLI) Firewalls
o Next-generation Firewalls (NGFW)
o Threat-focused NGFW
o Network Address Translation (NAT) Firewalls
o Cloud Firewalls
o Unified Threat Management (UTM) Firewalls

 Packet-filtering Firewalls
A packet-filtering firewall is the most basic type of firewall. It acts like a management
program that monitors network traffic and filters incoming packets based on configured security
rules. These firewalls are designed to block network traffic based on IP protocol, IP address, and
port number when a data packet does not match the established rule set.
While packet-filtering firewalls can be considered a fast solution without many resource
requirements, they also have some limitations. Because these types of firewalls do not prevent
web-based attacks, they are not the safest.
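To make the rule matching described above concrete, here is an added example (not code from the original notes) of a minimal stateless packet filter in Python. The addresses, the rule set and the packets are constructed for illustration, and the Packet and Rule types are assumptions of this example rather than any real firewall's syntax. The rule set ends with an explicit deny-all, and decide() never looks at a packet's payload, which is exactly why such a filter cannot stop web-based attacks carried inside otherwise permitted traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at (constructed, simplified)."""
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source IP address
    dst: str                        # destination IP address
    dport: Optional[int] = None     # destination port, None for ICMP
    payload: bytes = b""            # never consulted by the filter below


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    proto: str              # protocol name or "any"
    src: str                # source prefix in CIDR form, or "any"
    dst: str                # destination prefix in CIDR form, or "any"
    dport: Optional[int]    # destination port, or None for any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class PacketFilter:
    """Stateless packet filter: rules are evaluated top to bottom, the first
    match decides, and a packet matching no rule is denied (implicit deny)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching rule); index None means the
        implicit deny at the end of the list was hit."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, index
        return "deny", None


# Constructed rule set for a DMZ web server at 203.0.113.10 (documentation
# address): HTTPS and HTTP from anywhere, SSH only from the internal 10/8
# range, and an explicit deny-all as the last rule.
RULES = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),
    Rule("allow", "tcp", "any", "203.0.113.10/32", 80),
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", 22),
    Rule("deny", "any", "any", "any", None),
]

if __name__ == "__main__":
    fw = PacketFilter(RULES)
    for pkt in (
        Packet("tcp", "198.51.100.7", "203.0.113.10", 443),
        Packet("tcp", "198.51.100.7", "203.0.113.10", 22),
        Packet("tcp", "10.1.2.3", "203.0.113.10", 22),
        Packet("udp", "198.51.100.7", "203.0.113.10", 53),
    ):
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, fw.decide(pkt))
```

The filter reports which rule fired, which is the information an administrator needs when reviewing why a packet was passed or dropped; a packet whose only difference is a malicious payload on port 443 gets the same "allow" verdict as a legitimate one.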
Circuit-level Gateways
Circuit-level gateways are another simplified type of firewall that can be easily
configured to allow or block traffic without consuming significant computing resources. These
types of firewalls typically operate at the session level of the OSI model by verifying TCP
(Transmission Control Protocol) connections and sessions. Circuit-level gateways are designed
to ensure that the established sessions are protected.
Typically, circuit-level firewalls are implemented as security software or as part of pre-existing
firewalls. Like packet-filtering firewalls, these firewalls do not check the actual data, although
they inspect information about the transactions. Therefore, if data contains malware but follows
the correct TCP connection, it will pass through the gateway. That is why circuit-level gateways
are not considered safe enough to protect our systems on their own.
 Application-level Gateways (Proxy Firewalls)
Proxy firewalls operate at the application layer as an intermediate device that filters
incoming traffic between two end systems (e.g., an internal network and an external traffic
source). That is why these firewalls are called 'Application-level Gateways'.
Unlike basic firewalls, these firewalls forward requests on behalf of clients, appearing to the
web server as the original client. This protects the client's identity and other sensitive
information, keeping the network safe from potential attacks. Once the connection is established,
the proxy firewall inspects data packets coming from the source. If the contents of the incoming
data packet pass inspection, the proxy firewall forwards it to the client.
Stateful Multi-layer Inspection (SMLI) Firewalls
Stateful multi-layer inspection firewalls include both packet inspection technology and TCP
handshake verification, making SMLI firewalls superior to packet-filtering firewalls or circuit-level
gateways. Additionally, these types of firewalls keep track of the status of established connections.
In simple words, when a user establishes a connection and requests data, the SMLI
firewall creates a database (state table). The database is used to store session information such as
source IP address, port number, destination IP address, destination port number, etc. Connection
information is stored for each session in the state table. Using stateful inspection technology,
these firewalls create security rules to allow anticipated traffic.
In most cases, SMLI firewalls are implemented as additional security levels. These types
of firewalls implement more checks and are considered more secure than stateless firewalls.
Next-generation Firewalls (NGFW)
Many recently released firewalls are described as 'next-generation firewalls'.
However, there is no precise definition of a next-generation firewall. This type of firewall is
usually described as a security device combining the features and functionalities of other firewalls.
These firewalls include deep packet inspection (DPI), surface-level packet inspection, TCP
handshake testing, etc.
NGFWs provide higher levels of security than packet-filtering and stateful inspection
firewalls. Unlike traditional firewalls, an NGFW monitors the entire data transaction, including
packet headers, packet contents, and sources.
Threat-focused NGFW
Threat-focused NGFWs include all the features of a traditional NGFW. Additionally,
they provide advanced threat detection and remediation. These types of firewalls are capable
of reacting against attacks quickly. With intelligent security automation, threat-focused NGFWs
strengthen the security of the overall defense system.
In addition, these firewalls use retrospective security to monitor suspicious
activities continuously. They keep analyzing the behavior of every activity even after the initial
inspection. Due to this functionality, threat-focused NGFWs dramatically reduce the overall time
taken from threat detection to cleanup.

Network Address Translation (NAT) Firewalls
Network address translation (NAT) firewalls are primarily designed to allow access to Internet
traffic while blocking all unwanted connections. These types of firewalls usually hide the IP addresses
of our devices, making them safer from attackers.
When multiple devices are used to connect to the Internet, NAT firewalls present a single public
IP address and hide the individual devices' IP addresses. As a result, a single IP address is used for
all devices. By doing this, NAT firewalls shield the individual network addresses from attackers
scanning a network for reachable IP addresses. This results in enhanced protection against
suspicious activities and attacks.
In general, NAT firewalls work similarly to proxy firewalls. Like proxy firewalls, NAT
firewalls also work as an intermediate device between a group of computers and external traffic.
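As an added illustration of how a NAT firewall hides internal addresses (this is not code from the original notes), the following Python sketch keeps a translation table: outbound flows are rewritten to one public address with a freshly allocated port, and an inbound packet is admitted only when it matches a mapping that an internal host created and comes from the peer that host talked to. The addresses, the Flow type and the NatFirewall class are constructed assumptions of this example; real NAT devices also age mappings out and handle protocol-specific cases that are left out here.

```python
import itertools
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Addressing fields of one packet (constructed, simplified)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Internal side of a mapping: (proto, internal ip, internal port, peer ip, peer port)
Internal = Tuple[str, str, int, str, int]


class NatFirewall:
    """Source NAT behind a single public address.

    Outbound packets are rewritten so that every internal host appears as
    public_ip with its own translated port. Inbound packets are rewritten back
    only if a matching translation exists; anything else is dropped, which is
    what hides the internal hosts from address scans."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # simple port allocator
        self.by_public: Dict[Tuple[str, int], Internal] = {}   # (proto, public port) -> internal side
        self.by_internal: Dict[Internal, int] = {}              # internal side -> public port

    def outbound(self, pkt: Flow) -> Flow:
        """Translate a packet leaving the internal network, creating a mapping
        for a new flow or reusing the existing one."""
        key: Internal = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_internal.get(key)
        if port is None:
            port = next(self._ports)
            self.by_internal[key] = port
            self.by_public[(pkt.proto, port)] = key
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Flow) -> Optional[Flow]:
        """Translate a packet arriving from outside; None means it is dropped."""
        entry = self.by_public.get((pkt.proto, pkt.dport))
        if entry is None:
            return None             # no internal host asked for this: drop
        _, int_ip, int_port, peer_ip, peer_port = entry
        if (pkt.src, pkt.sport) != (peer_ip, peer_port):
            return None             # mapping exists, but not for this sender
        return replace(pkt, dst=int_ip, dport=int_port)


if __name__ == "__main__":
    nat = NatFirewall("203.0.113.1")
    out_a = nat.outbound(Flow("tcp", "192.168.1.10", 51000, "198.51.100.5", 443))
    out_b = nat.outbound(Flow("tcp", "192.168.1.11", 51000, "198.51.100.5", 443))
    print("both hosts leave as", out_a.src, out_a.sport, "and", out_b.src, out_b.sport)
    reply = nat.inbound(Flow("tcp", "198.51.100.5", 443, "203.0.113.1", out_b.sport))
    print("reply delivered to", reply.dst, reply.dport)
    print("unsolicited scan:", nat.inbound(Flow("tcp", "198.51.100.9", 40001, "203.0.113.1", 22)))
```

Two internal hosts using the same local port do not collide because the translated port, not the original one, identifies the flow on the public side; a scanner probing the public address finds only ports that some internal host has actively opened, and even then only replies from the original peer are let through.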
Cloud Firewalls
Whenever a firewall is designed using a cloud solution, it is known as a cloud firewall
or FaaS (firewall-as-a-service). Cloud firewalls are typically maintained and run on the Internet
by third-party vendors. This type of firewall is considered similar to a proxy firewall, because
cloud firewalls are used as proxy servers. However, they are configured based on
requirements.
The most significant advantage of cloud firewalls is scalability. Because cloud firewalls
have no physical resources, they are easy to scale according to the organization's demand or
traffic load. If demand increases, additional capacity can be added to the cloud server to filter
the additional traffic load. Most organizations use cloud firewalls to secure their internal
networks or entire cloud infrastructure.
Unified Threat Management (UTM) Firewalls
UTM firewalls are a special type of device that includes features of a stateful inspection
firewall with anti-virus and intrusion prevention support. Such firewalls are designed to provide
simplicity and ease of use. These firewalls can also add many other services, such as cloud
management, etc.
Which firewall architecture is best?
When it comes to selecting the best firewall architecture, there is no single answer. It
is always better to use a combination of different firewalls to add multiple layers of protection.
For example, one can implement a hardware or cloud firewall at the perimeter of the network,
and then further add an individual software firewall to every network asset.
Size of the organization
If an organization is large and maintains a large internal network, it is better to implement
a firewall architecture that can monitor the entire internal network.
Availability of resources
If an organization has the resources and can afford a separate firewall for each piece of
hardware, this is a good option. Besides, a cloud firewall may be another consideration.
Requirement of multi-level protection
The number and type of firewalls typically depend on the security measures that an
internal network requires. This means that if an organization maintains sensitive data, it is better to
implement multi-level protection with firewalls. This will ensure data security from hackers.
 XML Gateway-Firewalls:
An XML Gateway is an externally-facing DMZ tier of a web services platform. Generally, this
DMZ tier will face the Internet, but it may simply sit between business units or face a
leased line connecting one entity to another. It can be implemented using a software solution
(such as web services support in a JEE container like WAS or JBoss) or a hardware solution
(using SOA appliances).
The XML Gateway fills some or all of the following functions (depending on the environment and
architecture):
 Efficient XML parsing and transformations.
 Advertising a consistent web service API to external clients.
 Serves as an entry point for web service traffic into an organization's systems.
 Serves as the termination point for inbound connections for web service calls.
    o Especially SSL connections.
 Serves as an outbound proxy for all internal web service consumers.
 Transforming between internally-facing and externally-facing security models.
    o Identity tokens.
    o Encryption/digital signature requirements.
    o Etc.
 Authentication and authorization point for both incoming and outgoing web service calls.
 Termination point of message-level security (WS-Security, XML Encryption, XML Digital
Signature).
 Schema validation of XML-based message payloads.
    o Could also be validation of other types of payloads.
 Routes messages appropriately to backend systems, i.e., Service Provider tiers.
 Data transformations, potentially.
 Protocol transformations, potentially.
 Service mediation, potentially.
 Support for multiple Message Exchange Patterns (MEPs):
    o Synchronous request-response.
    o Asynchronous request-response.
    o Fire-and-forget (asynchronous one-way).

 Stateless and Stateful :


Stateful and stateless firewalls appear similar, but they are very different from each other
in terms of capability, functions, principles, etc. There are different types of firewalls, and the
incoming and outgoing traffic follows the set of rules organizations have defined in these
firewalls. The main concern of users is to safeguard their important data and information and
prevent them from falling into the wrong hands. To achieve that, they can choose
among the firewalls that fulfill their requirements. The firewall provides
critical protection to the business and its information.
1. Stateful firewall
This firewall monitors the full state of active network connections. A stateful firewall tracks the
state of network connections while filtering data packets. These firewalls can watch
traffic streams end to end. Stateful firewalls are aware of the communication path and can
implement various IP security functions such as tunnels or encryption. These firewalls are faster,
perform better under heavier traffic, and are better at identifying unauthorized or forged
communication.
2. How a stateful firewall works
A stateful firewall inspects packets, and if a packet matches a rule in the firewall, it is
allowed through. Packets approved by this firewall can travel freely in the
network.
3. Stateful firewall example
An example is the Transmission Control Protocol (TCP). The firewall keeps a record of each TCP
connection by saving its port numbers, source and destination IP addresses, etc.
4. Stateless firewall
This firewall watches the network traffic and decides based on the source, the destination, or other
header values. It has no data on traffic patterns and restricts traffic based only on the destination
or the source. It is also termed an access control list (ACL). This firewall does not inspect
the traffic; it just filters according to its set of rules.
5. How a stateless firewall works
Stateless firewalls monitor the incoming traffic packets. They allow or deny packets into their
network based on the source and destination address, or on other information such as the traffic
type. They look only at basic packet information, and the decision to permit or restrict
depends on that.
6. Stateless firewall example
An example of a stateless firewall is File Transfer Protocol (FTP). This is the most common
way of sending and receiving files between two computers.
7. Difference between stateful and stateless firewalls
Stateful firewalls are smarter and are responsible for monitoring and detecting the end-to-end traffic
stream, and for defending according to the traffic pattern and flow. They filter packets based on the
full context of the network connection. These firewalls are faster and work excellently under
heavy traffic flow. They are also better at identifying forged or unauthorized communication.
On the other hand, a stateless firewall is basically an access control list (ACL) that contains
the set of rules allowing or restricting the flow of traffic depending upon the source IP
address, destination, port number, network protocol, and some other related fields. This firewall
does not interfere with the traffic flow; it just goes through the basic information about the packets,
and allowing or discarding depends on that. But there is a chance that forged packets or attack
techniques may fool these firewalls and bypass them.
8. Advantages and disadvantages of a stateful firewall and a stateless firewall
Stateful firewall advantages:
 This firewall is smarter and faster in detecting forged or unauthorized communication. It can
also make future filtering decisions based on the cumulative past and present findings.
 Not many ports need to be opened for effective communication with this firewall.
 The balance between proxy security and packet-filter performance is good.
 Powerful memory.
 Extensive logging capabilities.
 Robust attack prevention.
Stateful firewall disadvantages:
 The data transfer rate is slow.
 The firewall must be updated with the latest available technologies; otherwise it may allow
hackers to compromise or take control of the firewall.
 This firewall demands high memory and processing power, as state tables have to be
maintained and logic is applied to pass the access list.
 Some of these firewalls may be tricked into allowing or attracting outside connections.
Stateless firewall advantages:
 These firewalls are less complex.
 Stateless firewalls are very simple to implement.
 Performance delivery is very fast.
 They perform excellently under pressure and heavy traffic.
 Compared to a stateful firewall, stateless firewalls are much cheaper. But these days, you
might see significant drops in the cost of a stateful firewall too.
Stateless firewall disadvantages:
 The main disadvantage of this firewall is trust. This firewall assumes that the packet information
can be trusted. It does not examine the entire packet but just checks whether the packets satisfy the
existing set of security rules.
 This firewall does not monitor or inspect the traffic.
 To provide and maximize the desired level of protection, these firewalls require some
configuration.
 If an attacker sends a SYN/ACK as the initial packet, it will pass the firewall, even though the
host will ignore it.
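The stateful-versus-stateless contrast discussed under Stateful Multi-layer Inspection (SMLI) Firewalls and in points 1 to 8 above, and the SYN/ACK weakness listed under stateless disadvantages, can be shown in code. The following is an added Python example, not code from the original notes: a stateless decision function that approximates "established" traffic from the ACK flag and a high destination port, beside a stateful firewall that keeps a state table keyed on the connection's addresses and ports and follows the TCP handshake. The addresses, the TcpPacket type, the direction labels and the simplified teardown (the first FIN or RST closes the entry) are constructed assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class TcpPacket:
    """TCP header fields used by the two firewalls below (constructed, simplified)."""
    direction: str          # "out" = sent by an internal host, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def stateless_decide(pkt: TcpPacket) -> str:
    """Stateless ACL: outbound traffic is allowed; inbound traffic is allowed if it
    looks like a reply (ACK flag set, high destination port). The function has
    no memory, so it cannot tell a real reply from a packet forged to look like one."""
    if pkt.direction == "out":
        return "allow"
    if "ACK" in pkt.flags and pkt.dport >= 1024:
        return "allow"
    return "deny"


# State-table key: (internal ip, internal port, external ip, external port)
Key = Tuple[str, int, str, int]


class StatefulFirewall:
    """Tracks each TCP session through the three-way handshake. A packet that is
    not the expected next step of a known session is dropped."""

    def __init__(self) -> None:
        self.state: Dict[Key, str] = {}     # the state table

    @staticmethod
    def _key(pkt: TcpPacket) -> Key:
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt: TcpPacket) -> str:
        key = self._key(pkt)
        st = self.state.get(key)
        if st is None:
            # Only an internal host may open a session, and only with a bare SYN.
            if pkt.direction == "out" and pkt.flags == frozenset({"SYN"}):
                self.state[key] = "SYN_SENT"
                return "allow"
            return "deny"           # includes an unsolicited inbound SYN/ACK
        if st == "SYN_SENT":
            if pkt.direction == "in" and pkt.flags == frozenset({"SYN", "ACK"}):
                self.state[key] = "SYN_RECEIVED"
                return "allow"
            return "deny"
        if st == "SYN_RECEIVED":
            if pkt.direction == "out" and "ACK" in pkt.flags:
                self.state[key] = "ESTABLISHED"
                return "allow"
            return "deny"
        # ESTABLISHED: data flows both ways; simplified teardown on the first FIN or RST.
        if pkt.flags & {"FIN", "RST"}:
            del self.state[key]
        return "allow"


if __name__ == "__main__":
    # Constructed packet: a SYN/ACK arriving from outside with no prior SYN.
    rogue = TcpPacket("in", "198.51.100.9", 443, "192.168.1.10", 52000, frozenset({"SYN", "ACK"}))
    print("stateless:", stateless_decide(rogue), " stateful:", StatefulFirewall().decide(rogue))
```

The stateless function passes the unsolicited SYN/ACK because its header satisfies the rule, while the stateful firewall drops it because no session in its table is waiting for that reply; the same table is what later lets legitimate reply traffic through without opening a standing hole for every high port.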
9. Choosing between a stateful firewall and a stateless firewall
There are various firewalls on the market nowadays, and the choice depends
on your business's needs and nature. Firewalls provide security for all kinds of businesses. It
is up to you to decide what type of firewall suits you the most, considering:
 What kind of traffic flow you intend to monitor.
 What operating system best suits your requirements.
 How will this firewall fit into your network?
 What suits best to your organization, an appliance, or a network solution.
 And above all, you must know the reason why you want to implement a firewall.
10. Firewall for small business
Stateless firewalls are cheaper than stateful firewalls. A small business may not be able to afford
the cost of a stateful firewall. Small businesses can opt for a stateless firewall and keep their
business running safely. Traffic volumes are lower in small businesses, and so is the threat. The
fast performance of this firewall, with its ability to cope with heavier traffic,
attracts small businesses. A few trusted people in a small office with normal and routine
needs can easily get along with a stateless firewall.
11. Firewall for large establishments
Mainly, stateful firewalls provide security to large establishments, as these are powerful and
sophisticated. Because of their dynamic packet filtering, these firewalls are preferred by large
establishments as they offer better security features. Stateful firewalls are powerful: they
monitor and detect threats and eliminate them. Large corporations opt for a stateful firewall
because it provides multiple layers of security along with continuous monitoring of traffic.
 Firewall Configuration
A basic guide to configure a firewall in 5 steps: create zones, configure settings, and review
firewall rules.
As the first line of defense against online attackers, your firewall is a critical part of your
network security. Configuring a firewall can be an intimidating project, but breaking down the
work into simpler tasks can make the work much more manageable. The following guidance will
help you understand the major steps involved in firewall configuration.

There are many suitable firewall models that can be used to protect your network. You can
consult a HIPAA security expert or PCI security expert to learn more about your options. The
following steps are critical, regardless of the firewall model you choose. This guide assumes that
you are using a business grade firewall that supports multiple internal networks (or zones) and
performs stateful packet inspection.
As a heads up, due to the technical nature of firewalls, a detailed step-by-step guide is
beyond the scope of this blog post. However, I will provide some direction to help illustrate the
process so you can understand how to configure a firewall in 5 steps.
Step 1: Secure your firewall
If an attacker is able to gain administrative access to your firewall it is “game over” for your
network security. Therefore, securing your firewall is the first and most important step of this
process. Never put a firewall into production that is not properly secured by at least the following
configuration actions:
 Update your firewall to the latest firmware.
 Delete, disable, or rename any default user accounts and change all default passwords.
Make sure to use only complex and secure passwords.
 If multiple administrators will manage the firewall, create additional administrator
accounts with limited privileges based on responsibilities. Never use shared user
accounts.
 Disable simple network management protocol (SNMP) or configure it to use a secure
community string.
Step 2: Architect your firewall zones and IP addresses
In order to protect the valuable assets on your network, you should first identify what the assets
(for example, payment card data or patient data) are. Then plan out your network structure so
that these assets can be grouped together and placed into networks (or zones) based on similar
sensitivity level and function.
For example, all of your servers that provide services over the internet (web servers, email
servers, virtual private network (VPN) servers, etc.) should be placed into a dedicated zone that
will allow limited inbound traffic from the internet (this zone is often called a demilitarized zone
or DMZ). Servers that should not be accessed directly from the internet, such as database servers,
must be placed in internal server zones instead. Likewise, workstations, point of sale devices,
and voice over Internet protocol (VOIP) systems can usually be placed in internal network
zones.
Generally speaking, the more zones you create, the more secure your network. But keep in mind
that managing more zones requires additional time and resources, so you need to be careful when
deciding how many network zones you want to use.
If you are using IP version 4, private (internal) IP addresses should be used for all of your internal
networks. Network address translation (NAT) must be configured to allow internal devices to
communicate on the Internet when necessary.
Once you have designed your network zone structure and established the corresponding IP
address scheme, you are ready to create your firewall zones and assign them to your firewall
interfaces or subinterfaces. As you build out your network infrastructure, switches that support
virtual LANs (VLANs) should be used to maintain layer-2 separation between the networks.
Step 3: Configure access control lists

Now that you have established your network zones and assigned them to interfaces, you should
determine exactly which traffic needs to be able to flow into and out of each zone.
This traffic will be permitted using firewall rules called access control lists (ACLs), which are
applied to each interface or subinterface on the firewall. Make your ACLs specific to the exact
source and/or destination IP addresses and port numbers whenever possible. At the end of every
access control list, make sure there is a “deny all” rule to filter out all unapproved traffic. Apply
both inbound and outbound ACLs to each interface and subinterface on your firewall so that only
approved traffic is allowed into and out of each zone.
Whenever possible, it is generally advised to disable your firewall administration interfaces
(including both secure shell (SSH) and web interfaces) from public access. This will help to
protect your firewall configuration from outside threats. Make sure to disable all unencrypted
protocols for firewall management, including Telnet and HTTP connections.
Step 4: Configure your other firewall services and logging
If your firewall is also capable of acting as a dynamic host configuration protocol (DHCP)
server, network time protocol (NTP) server, intrusion prevention system (IPS), etc., then go
ahead and configure the services you wish to use. Disable all the extra services that you don’t
intend to use.
Step 5: Test your firewall configuration
Don’t forget to verify that your firewall is blocking traffic that should be blocked
according to your ACL configurations. Testing your firewall should include both vulnerability
scanning and penetration testing. Always remember to keep a backup of your firewall
configuration saved in a secure place so that all of your hard work is not lost in the event of a
hardware failure.
Firewall management
With your firewall in production, you have finished your firewall configuration, but firewall
management has just begun. Logs must be monitored, firmware must be updated, vulnerability
scans must be performed, and firewall rules must be reviewed at least every six months. Last of
all, be sure to document your process and be diligent about performing these ongoing tasks to
ensure that your firewall continues to protect your network.

 Antivirus/Antimalware
Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer
program used to prevent, detect, and remove malware.
Antivirus software was originally developed to detect and remove computer
viruses, hence the name. However, with the proliferation of other malware, antivirus
software started to protect from other computer threats. In particular, modern antivirus
software can protect users from malicious browser helper objects (BHOs), browser
hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms,
malicious LSPs, dialers, fraud tools, adware, and spyware.
Some products also include protection from other computer threats, such as
infected and malicious URLs, spam, scam and phishing attacks, online
identity (privacy), online banking attacks, social engineering techniques, advanced
persistent threat (APT), and botnet DDoS attacks.
Identification methods
There are several methods which antivirus engines can use to identify malware:
 Sandbox detection: a particular behaviour-based detection technique that, instead of
detecting the behavioural fingerprint at run time, executes the program in a virtual
environment, logging what actions the program performs. Depending on the actions logged,
the antivirus engine can determine whether the program is malicious. If not, the
program is executed in the real environment.
 Data mining techniques: one of the latest approaches applied in malware detection. Data
mining and machine learning algorithms are used to try to classify the behaviour of a file (as
either malicious or benign) given a series of file features that are extracted from the file
itself.
Signature-based detection
When a malware sample arrives in the hands of an antivirus firm, it is analysed by malware
researchers or by dynamic analysis systems. Then, once it is determined to be malware, a
proper signature of the file is extracted and added to the signatures database of the antivirus
software. Although the signature-based approach can effectively contain malware outbreaks,
malware authors have tried to stay a step ahead of such software by writing "oligomorphic",
"polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of
themselves or otherwise modify themselves as a method of disguise, so as to not match virus
signatures in the dictionary.
Heuristics
Many viruses start as a single infection and through either mutation or refinements by
other attackers, can grow into dozens of slightly different strains, called variants. Generic
detection refers to the detection and removal of multiple threats using a single virus definition.
While it may be advantageous to identify a specific virus, it can be quicker to detect a
virus family through a generic signature or through an inexact match to an existing signature.
Virus researchers find common areas that all viruses in a family share uniquely and can thus
create a single generic signature. These signatures often contain non-contiguous code,
using wildcard characters where differences lie.
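As an added example, not from the notes, here is what a generic family signature with wildcard bytes looks like beside exact per-sample hashes: the two "variants", the benign file and the signature are constructed byte strings, not a real malware family.

```python
# Exact (hash) signatures versus one generic family signature with wildcard bytes,
# as the Heuristics section describes. Added example, not from the notes: the two
# "variants", the benign file and the signature are constructed x86-style byte
# strings, not a real malware family.
import hashlib
import re
from typing import Dict, List


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn a hex signature into a bytes regex.
    '??' matches any single byte; '*' matches a gap of up to 64 arbitrary bytes,
    which is how one signature can span non-contiguous code."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".{0,64}?")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan_generic(data: bytes, signatures: Dict[str, str]) -> List[str]:
    """Names of all generic signatures that match anywhere in the file."""
    return [name for name, sig in signatures.items() if compile_signature(sig).search(data)]


def scan_exact(data: bytes, known_hashes: Dict[str, str]) -> List[str]:
    """Names whose exact SHA-256 matches the file (one database entry per sample)."""
    digest = hashlib.sha256(data).hexdigest()
    return [known_hashes[digest]] if digest in known_hashes else []


# Constructed samples. Both variants share the same decryptor skeleton
# (call $+5 / pop ebp / sub ebp, imm32 ... xor byte [eax], key / inc eax / loop)
# but differ in the immediate, the XOR key and the filler between the two parts.
VARIANT_A = (b"\x90\x90"
             b"\xE8\x00\x00\x00\x00\x5D\x81\xED\x05\x10\x40\x00"
             b"\xB9\x10\x00\x00\x00"
             b"\x80\x30\x5A\x40\xE2\xF9")
VARIANT_B = (b"\xE8\x00\x00\x00\x00\x5D\x81\xED\x0B\x10\x40\x00"
             b"\x90\x90\xB9\x20\x00\x00\x00"
             b"\x80\x30\x7F\x40\xE2\xF9")
BENIGN = b"\x55\x89\xE5\x83\xEC\x10\x31\xC0\xC9\xC3"   # ordinary prologue/epilogue

# Exact database built from the first sample only, as a vendor would have on day one.
EXACT_DB = {hashlib.sha256(VARIANT_A).hexdigest(): "Constructed.Family.A"}

# One generic signature: fixed bytes where the family agrees, wildcards where it differs.
GENERIC_DB = {"Constructed.Family.gen": "E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? * 80 30 ?? 40 E2"}


def compare(samples: Dict[str, bytes]) -> Dict[str, Dict[str, List[str]]]:
    """For each sample, what the exact and the generic approach each detect."""
    return {name: {"exact": scan_exact(data, EXACT_DB),
                   "generic": scan_generic(data, GENERIC_DB)}
            for name, data in samples.items()}
```

The exact database catches only the sample it was built from, while the single generic signature catches both variants and leaves the benign file alone.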
Rootkit detection
Anti-virus software can attempt to scan for rootkits. A rootkit is a type
of malware designed to gain administrative-level control over a computer system without being
detected. Rootkits can change how the operating system functions and in some cases can tamper
with the anti-virus program and render it ineffective. Rootkits are also difficult to remove, in
some cases requiring a complete re-installation of the operating system.
Real-time protection
Real-time protection, on-access scanning, background guard, resident shield, auto protect, and
other synonyms refer to the automatic protection provided by most antivirus, anti-spyware, and
other anti-malware programs. This monitors computer systems for suspicious activity such as
computer viruses, spyware, adware, and other malicious objects. Real-time protection detects
threats in opened files and scans apps in real time as they are installed on the device: it scans
when a CD is inserted, an email is opened, the web is browsed, or a file already on the computer is
opened or executed.
Performance and drawbacks
Antivirus software has some drawbacks, the first of which is that it can impact a computer's
performance.
Antivirus software itself usually runs at the highly trusted kernel level of the operating
system to allow it access to all potentially malicious processes and files, creating a potential
avenue of attack. Anti-virus software has highly privileged and trusted access to the underlying
operating system, which makes it a much more appealing target for remote attacks. Additionally,
anti-virus software is "years behind security-conscious client-side applications like browsers or
document readers. It means that Acrobat Reader, Microsoft Word or Google Chrome are harder
to exploit than 90 percent of the anti-virus products out there", said a researcher with Coseinc, a
Singapore-based information security consultancy.
Alternative solutions
Antivirus software running on individual computers is the most common method
employed of guarding against malware, but it is not the only solution. Other solutions can also be
employed by users, including Unified Threat Management (UTM), hardware and network
firewalls, Cloud-based antivirus and online scanners.
Hardware and network firewall
Network firewalls prevent unknown programs and processes from accessing the system.
However, they are not antivirus systems and make no attempt to identify or remove anything.
They may protect against infection from outside the protected computer or network, and limit the
activity of any malicious software which is present by blocking incoming or outgoing requests
on certain TCP/IP ports. A firewall is designed to deal with broader system threats that come
from network connections into the system and is not an alternative to a virus protection system.
Cloud antivirus
Cloud antivirus is a technology that uses lightweight agent software on the protected
computer, while offloading the majority of data analysis to the provider's infrastructure. Cloud
antivirus involves scanning suspicious files using multiple antivirus engines. This approach was
proposed by an early implementation of the cloud antivirus concept called CloudAV. CloudAV
was designed to send programs or documents to a network cloud where multiple antivirus and
behavioral detection programs are used simultaneously in order to improve detection rates.
Parallel scanning of files using potentially incompatible antivirus scanners is achieved by
spawning a virtual machine per detection engine and therefore eliminating any possible issues.
CloudAV can also perform "retrospective detection," whereby the cloud detection engine rescans
all files in its file access history when a new threat is identified thus improving new threat
detection speed. Finally, CloudAV is a solution for effective virus scanning on devices that lack
the computing power to perform the scans themselves.
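The retrospective detection idea in Python, as an added example that is not from the notes or from CloudAV itself: engines are stood in for by sets of known-bad hashes rather than real scanners, and the clients, paths and file contents are constructed.

```python
# Cloud scanning with several engines and CloudAV-style retrospective detection:
# every file hash the agents submit is remembered, and when an engine gains a new
# signature the access history is re-checked instead of waiting for the next file access.
# Added example, not from the notes or the CloudAV paper; engines, clients, paths and
# file contents are constructed, and an "engine" is just a set of known-bad hashes.
import hashlib
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Observation = Tuple[str, str]          # (client, path)


class CloudScanner:
    def __init__(self, engines: Dict[str, Set[str]]):
        self.engines = engines                                      # engine -> known-bad sha256
        self.seen: Dict[str, Set[Observation]] = defaultdict(set)   # sha256 -> who opened it
        self.alerts: List[dict] = []

    def verdicts(self, digest: str) -> Dict[str, bool]:
        """Run every engine on the same hash; a real deployment runs each in its own VM."""
        return {name: digest in bad for name, bad in self.engines.items()}

    def submit(self, client: str, path: str, data: bytes) -> Dict[str, bool]:
        """Lightweight agent sends the file's hash; the cloud scans it and records the access."""
        digest = hashlib.sha256(data).hexdigest()
        self.seen[digest].add((client, path))         # recorded even when every engine says clean
        result = self.verdicts(digest)
        if any(result.values()):
            self.alerts.append({"client": client, "path": path, "kind": "on-access",
                                "engines": sorted(n for n, hit in result.items() if hit)})
        return result

    def add_signature(self, engine: str, digest: str) -> List[Observation]:
        """New intelligence arrives: re-check the access history for that hash
        (retrospective detection) and alert every client that already touched it."""
        self.engines.setdefault(engine, set()).add(digest)
        hits = sorted(self.seen.get(digest, ()))
        for client, path in hits:
            self.alerts.append({"client": client, "path": path, "kind": "retrospective",
                                "engines": [engine]})
        return hits


# Constructed demo: a file no engine knows is opened on two clients, then one engine
# publishes a signature for it and the earlier accesses are flagged after the fact.
UNKNOWN_FILE = b"constructed sample that was clean on day one"
KNOWN_BAD = b"constructed sample that engine A already detects"


def demo() -> Tuple[Dict[str, bool], List[Observation], int]:
    scanner = CloudScanner({"engineA": {hashlib.sha256(KNOWN_BAD).hexdigest()},
                            "engineB": set()})
    first = scanner.submit("laptop-1", "C:/Users/a/invoice.exe", UNKNOWN_FILE)
    scanner.submit("laptop-2", "C:/Users/b/invoice.exe", UNKNOWN_FILE)
    scanner.submit("laptop-2", "C:/Users/b/old.exe", KNOWN_BAD)      # caught on access
    retro = scanner.add_signature("engineB", hashlib.sha256(UNKNOWN_FILE).hexdigest())
    return first, retro, len(scanner.alerts)
```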
Online scanning
Some antivirus vendors maintain websites with free online scanning capability of the
entire computer, critical areas only, local disks, folders or files. Periodic online scanning is a
good idea for those that run antivirus applications on their computers because those applications
are frequently slow to catch threats. One of the first things that malicious software does in an
attack is to disable any existing antivirus software, and sometimes the only way to know of an
attack is by turning to an online resource that is not installed on the infected computer.
Specialized tools
Virus removal tools are available to help remove stubborn infections or certain types of
infection. Examples include Avast Free Anti-Malware, AVG Free Malware Removal
Tools, and Avira AntiVir Removal Tool. It is also worth noting that sometimes antivirus
software can produce a false positive result, indicating an infection where there is none.
A rescue disk that is bootable, such as a CD or USB storage device, can be used to run
antivirus software outside of the installed operating system, in order to remove infections while
they are dormant. A bootable antivirus disk can be useful when, for example, the installed
operating system is no longer bootable or has malware that is resisting all attempts to be removed
by the installed antivirus software.
 Penetration test Methodologies
Penetration testing encompasses various manual and automated techniques to simulate an
attack on an organization's information systems. It is generally conducted by an ethical hacker
or pen tester, who tries to break into the corporate information systems and identify and
exploit known and unknown vulnerabilities before an actual attacker or a malicious actor does.
The security tester primarily carries out an active analysis of the target system to identify
any potential threats or vulnerabilities that could result from improper system configuration,
system infrastructure flaws or operational incompetency.
Why should an organisation carry out pen testing?
 To determine threats and weaknesses in the overall infrastructure, both hardware and
software, in order to develop a sound security control system.
 To uncover gaps within the organisation's existing security posture and address them
specifically and effectively.
 To ensure that the security system or controls in place are effective and mitigate the risks of
an attack.
 To prioritise attack vectors and secure attack avenues that are more prone to an attack.
 To discover existing bugs in the security control system and fix them.
 To determine and detect the possible magnitude of a breach and to improve the overall
security response time to an attack.

Penetration Testing Stages
A security test or penetration test involves simulated breaching of any number of applications
or systems, such as application programming interfaces (APIs), front-end or back-end servers,
security infrastructure, and unsanitised inputs, to detect vulnerabilities and threats.
The pen testing process usually includes five stages and helps the organisation to fine-tune their
environment for fixing security loopholes.
The stages are as follows:
1. Planning and Reconnaissance
This stage includes defining the scope, priorities, and goals to be achieved. It also states
the primary critical systems to be tested or addressed and types of test to be performed.
The reconnaissance stage includes gathering intelligence like passive and active information on
network and domain names or mail servers et al. of the target system to better understand how a
target works and its potential entry points.
2. Scanning
This stage involves understanding how the target system responds to various automated
intrusion attempts and attacks. This is typically done using the following:
Static Analysis – Inspects the application source code before a program is run by comparing it to
a set of coding rules, followed by debugging.
Dynamic Analysis – is the testing and evaluation of the security system by executing data in real-
time. The objective here is to find errors or vulnerabilities in real-time by scanning the
application or systems using automated security scanning tools. Static or dynamic analysis is
followed by manual verification of vulnerabilities or errors to eliminate false positives.
3. Gaining Access or Exploitation
In this stage, the vulnerabilities identified are actively exploited to gain access to the
system or valuable information. The vulnerabilities can be exploited by escalating privileges,
stealing data, intercepting traffic and injecting malicious code to understand or observe the
magnitude of the damage caused.
4. Maintaining Access
The objective of this stage is to check if persistent access can be maintained after
gaining access to the application or its underlying system. The longer the attacker maintains
access to the system, the more in-depth access he/she gains. The goal is to imitate and detect
advanced persistent threats that often remain in a system without being detected.
5. Analysis and Reporting
The results of the test are then compiled into a detailed report. The report primarily
contains vulnerabilities that were exploited, sensitive data that was breached and accessed, and
the amount of time the security tester could remain in the system before getting detected.
Penetration Testing Methods
There are many penetration testing methods, depending upon the security system and the level
of motivation of the organisation. A security expert or a cyber security firm should help you
choose or determine a perfect match as per the organisation's requirements.
The different types of pen testing methods are as follows. Depending upon the type of
information a security expert or a pen tester has, the methods can be divided into:
Black Box
A black box assessment is carried out with little information provided to the pen tester.
The security consultant or the tester will have very limited knowledge about the security control
system or the infrastructure. Typically, the consultant will undertake the reconnaissance
methodology to gain information about the system and security infrastructure.
White Box
In the white box assessment, the tester or the consultant is provided with information and
detailed documentation regarding the infrastructure, applications, equipment and security
control system such as system architecture documents, source code and more. It is a
comprehensive assessment method to identify and detect external as well internal vulnerabilities.
Grey Box
In this assessment method, the tester is provided with user-level knowledge and
information needed to assess the security control system. The testers are also granted limited
access and partial knowledge to the web applications and the internal network infrastructure.
Physical Penetration Tests
The organisation should be wary of hackers adopting a physical approach to gain facility
access either as a standalone attack or to complement their technical attacks. The following are
physical penetration tests:
Scoping Unsecured Areas: In this method, attackers scope out areas or systems that
are vulnerable and more prone to a breach or an attack. This may include smoking areas,
maintenance docks, and unguarded entrances with the least resistance and visibility to gain
facility access.
Piggybacking: Piggybacking, tailgating or eavesdropping are some methods wherein a
hacker closely follows the employees or maintenance workers that have access to the facility
area.
Social Engineering Test
These tests verify the human network of an organisation. This test helps detect and
defend against an attack from within an organization by an employee who is either initiating an
attack or has had their credentials or privileged access compromised. The types of attacks are:
Phishing: A deceptive method wherein personal information is gained by sending across
malicious or infected codes via mail or messages.
Pretexting: Pretexting is a form of identity theft wherein the hackers present themselves as
someone else who is a part of an organisation and gain access to the security infrastructure or
sensitive data.
Types of Penetration Testing
The most common types of pen testing / security testing are:
Network Penetration Testing
A network penetration test is the most common and in-demand pen test method, which helps
detect and exploit vulnerabilities in the network system or infrastructure. There are three types of
Network pen testing, external, internal, and wireless.
External Network Penetration Testing:
This test generally targets network areas like firewall configuration, firewall bypass, IPS
deception and DNS level attacks. Vulnerability scanning is a type of test or an automated process
that utilises off-the-shelf tools to scan and detect known vulnerabilities in your system.
A combination of automated and manual exploitation techniques is a process wherein the
vulnerabilities after detection are targeted, and a variety of attacks are simulated against these
weaknesses with an aim to completely take over the internet-facing systems.
Internal Network Pen Testing: This test includes identifying or detecting security network
weaknesses within your internal systems or infrastructure. This test too includes vulnerability
scanning and exploitation techniques to detect the vulnerabilities and then exploit them to see
how the internal systems respond.
The internal network pen test fundamentally evaluates the potential of an exploit by an internal
user or an unauthorised attack by an employee of the organisation, such as potential unauthorised
access and leak of personal credentials or information.
Wireless Penetration Testing: Wireless systems allow hackers or attackers an opportunity to
hack into or infiltrate the organisation’s network security system.
Wireless pen testing gives the consultant access to the system; the consultant then tries to detect
vulnerabilities and exploit them to obtain privileged access to sensitive information. This
allows the consultants to demonstrate the potential impact of a breach in the wireless network.
Web Application Penetration Testing
Web application penetration testing is a testing method wherein applications on the network are
checked for any vulnerabilities or security issues caused by faulty or insecure development, weak
design, or improper coding.
Mobile Application Penetration Testing
Similar to web applications, mobile applications too are an important arena for an
organisation. Mobile application penetration testing or security testing is an authorised,
simulated hacking attempt against a native mobile application running on devices such as
Android, Windows, and iOS.
Penetration testing tools:
There is a full suite of automated testing tools available now, which allows you to carry
out penetration testing efficiently. The following are some of the well-known tools used for Pen
testing:
Kali Linux
Kali Linux is a Linux-based operating system containing vast arrays of tools and can be used for
end-to-end penetration testing from information gathering to reporting.
Kali has over 600 ethical hacking tools and contains special tools used for brute force password
cracking. Tools include vulnerability analysis, web applications, information gathering, wireless
attacks, reverse engineering, password cracking, spoofing, sniffing and other advanced
exploitation tools.
Metasploit
Metasploit helps in managing security assessments and detects threats, flaws, and probable weak
points. This tool helps set up a watertight and robust security control system that is difficult to
breach. Metasploit is open-source software and its GUI is easy to use.
Wireshark
Wireshark is a network analyzer tool that captures and interprets network traffic. It
provides both offline analysis and real-time network capture options. It is generally used to
understand data packet flow and TCP/IP issues, and provides details of packet movements and
network activities.
Zed Attack Proxy (ZAP)
This tool is similar to one of the most popular proxy and scanning tools, Burp Suite, and is
almost as effective, except that it is completely free.
Aircrack
Aircrack-ng is a set of tools and a software suite that helps you attack and defend
wireless networks. The tools package includes a detector, packet sniffer, WEP/WPA cracker, and
so on. Aircrack primarily intercepts the packets, captures them, and then reads the packet
patterns to crack the wireless system. Aircrack is open-source software and mainly used to check
Wi-Fi connections.
John the Ripper
Passwords are the most vulnerable and easiest part of an information system to attack. JTR is
a password-cracking tool that recovers passwords from captured password hashes.
Costing And Budgeting Of Penetration Testing
The costing and budgeting depend on several factors and are not constant. The following
factors affect the cost of a penetration testing service.
Objective: The pricing largely depends on the objectives or aims you wish to accomplish.
Whether it is to test the physical access of a small organisation or the transmission station of a
utility, the pricing differs. Size is also a factor: the pricing differs when an entire network,
including external and internal networks, is in scope. The information you make available
to the security tester also affects the pricing. The greater in number and more complex the
objectives, the higher the pricing.
Scope: Scope helps to determine the organisation's objectives and the amount of time a tester or a
essential to check whether the Pen test has the desired effect or not. The pricing policy differs
when Retesting is taken into consideration.

 Vulnerability Tests
Vulnerability Testing, also called Vulnerability Assessment, is a process of evaluating
security risks in software systems to reduce the probability of threats. The purpose of
vulnerability testing is to reduce the possibility of intruders/hackers gaining unauthorized access
to systems. It is commonly performed as part of Vulnerability Assessment and Penetration
Testing (VAPT), also called VAPT testing.
A vulnerability is any mistake or weakness in the system’s security procedures, design,
implementation or any internal control that may result in the violation of the system’s security
policy.
Vulnerability Assessment Process
Here is the step by step Vulnerability Assessment Process to identify the system vulnerabilities.
Step 1) Goals & Objectives: – Define goals and objectives of Vulnerability Analysis.
Step 2) Scope: – While performing the Assessment and Test, the Scope of the Assignment needs
to be clearly defined.
The following are the three possible scopes that exist:
 Black Box Testing : – Testing from an external network with no prior knowledge of the
internal network and systems.
 Grey Box Testing : – Testing from either external or internal networks with the
knowledge of the internal network and system. It’s the combination of both Black Box
Testing and White Box Testing.
 White Box Testing : – Testing within the internal network with the knowledge of the
internal network and system. Also known as Internal Testing.
Step 3) Information Gathering: – Obtaining as much information as possible about the IT
environment, such as Networks, IP Address, Operating System Version, etc. It is applicable to all
three types of Scope: Black Box Testing, Grey Box Testing and White Box Testing.
Step 4) Vulnerability Detection: – In this process, vulnerability scanners are used to scan the IT
environment and identify the vulnerabilities.
Step 5) Information Analysis and Planning: – It will analyze the identified vulnerabilities to
devise a plan for penetrating into the network and systems.
How to do Vulnerability Assessment
Following is the step by step process on How to do Vulnerability Assessment:
Step 1) Setup:
 Begin Documentation
 Secure Permissions
 Update Tools
 Configure Tools
Step 2) Test Execution:
 Run the Tools
 Run the captured data packet while running the assessment tools. (A packet is the unit of data
that is routed between an origin and the destination. When any file, for example an e-mail
message, HTML file or Uniform Resource Locator (URL) request, is sent from one place to
another on the internet, the TCP layer of TCP/IP divides the file into a number of “chunks” for
efficient routing, and each of these chunks is uniquely numbered and includes the Internet
address of the destination. These chunks are called packets. When all the packets have arrived,
they are reassembled into the original file by the TCP layer at the receiving end.)
Step 3) Vulnerability Analysis:
 Defining and classifying network or System resources.
 Assigning priority to the resources( Ex: – High, Medium, Low)
 Identifying potential threats to each resource.
 Developing a strategy to deal with the most prioritized problems first.
 Defining and implementing ways to minimize the consequences if an attack occurs.
Step 4) Reporting
Step 5) Remediation:
 The process of fixing the vulnerabilities.
 Performed for every vulnerability
Types of a vulnerability scanner
1. Host Based
 Identifies the issues in the host or the system.
 The process is carried out by using host-based scanners to diagnose the vulnerabilities.
 The host-based tools will load a mediator software onto the target system; it will trace the
event and report it to the security analyst.
2. Network-Based
 It will detect the open port, and identify the unknown services running on these ports.
Then it will disclose possible vulnerabilities associated with these services.
 This process is done by using Network-based Scanners.
3. Database-Based
 It will identify the security exposure in the database systems using tools and techniques to
prevent SQL Injections. (SQL Injection: – Injecting SQL statements into the
database by malicious users, which can read sensitive data from a database and
can update the data in the Database.)
Tools for Vulnerability Scanning
1) Acunetix
Intuitive and easy to use, Acunetix by Invicti helps small to medium-sized organizations ensure
their web applications are secure from costly data breaches. It does so by detecting a wide range
of web security issues and helping security and development professionals act fast to resolve them.
Features:
 Advanced scanning for 7,000+ web vulnerabilities, including OWASP Top 10 such as
SQLi and XSS
 Automated web asset discovery for identifying abandoned or forgotten websites
 Advanced crawler for the most complex web applications, incl. multi-form and
password-protected areas
 Combined interactive and dynamic application security testing to discover vulnerabilities
other tools miss
 Proof of exploit provided for many types of vulnerabilities
 DevOps automation through integrations with popular issue tracking and CI/CD tools
 Compliance reporting for regulatory standards, such as PCI DSS, NIST, HIPAA, ISO
27001, and more.
2) Intruder
Intruder is a powerful online vulnerability scanner that discovers security weaknesses across
your IT environment. Offering industry-leading security checks, continuous monitoring and an
easy-to-use platform, Intruder keeps businesses of all sizes safe from hackers.
Features:
 Best-in-class threat coverage with over 10,000 security checks
 Checks for configuration weaknesses, missing patches, application weaknesses (such as
SQL injection & cross-site scripting) and more
 Automatic analysis and prioritisation of scan results
 Intuitive interface, quick to set-up and run your first scans
 Proactive security monitoring for the latest vulnerabilities
 AWS, Azure and Google Cloud connectors
 API integration with your CI/CD pipeline
Advantages of Vulnerability Assessment
 Open Source tools are available.
 Identifies almost all vulnerabilities
 Automated for Scanning.
 Easy to run on a regular basis.
Disadvantages of Vulnerability Assessment
 High false positive rate
 Scans are easily detected by intrusion detection systems and firewalls.
 Often fail to notice the latest vulnerabilities.
Vulnerability Testing Methods
Active Testing
 In active testing, a tester introduces new test data and analyzes the results.
 During the testing process, the testers create a mental model of the process, which
grows further during the interaction with the software under test.
 While doing the test, the tester is actively involved in the process of finding new
test cases and new ideas. That is why it is called Active Testing.
Passive Testing
 In passive testing, the tester monitors the result of running the software under test without
introducing new test cases or data.
Network Testing
 Network Testing is the process of measuring and recording the current state of network
operation over a period of time.
 Testing is mainly done to predict how the network operates under load or to find out the
problems created by new services.
 The following network characteristics need to be tested:
 Utilization levels
 Number of Users
 Application Utilization
Distributed Testing
 Distributed Tests are applied for testing distributed applications, which means, the
applications that are working with multiple clients simultaneously. Basically, testing a
distributed application means testing its client and server parts separately, but by using a
distributed testing method, we can test them all together.
 The test parts will interact with each other during the Test Run. This makes them
synchronized in an appropriate manner. Synchronization is one of the most crucial points
in distributed testing.
