Cybersecurity CE -1 ANS

The document provides an overview of various cybersecurity concepts including SSL, Kerberos, types of attacks, DMZ, PKI, IDS/IPS systems, ACL, SET, and audit trails. It explains the functions and protocols of SSL, the authentication process in Kerberos, common cyber attacks like phishing and DDoS, and the purpose of DMZ and PKI in securing communications. Additionally, it discusses the importance of audit trails in maintaining system integrity and accountability.

Uploaded by: neettricks695

Cybersecurity

1. SSL

Secure Socket Layer (SSL) provides security for the data transferred between a web
browser and a server. SSL encrypts the link between the web server and the browser, which ensures
that all data passed between them remains private and free from attack.

Secure Socket Layer Protocols
● SSL Record Protocol
● Handshake Protocol
● Change-Cipher Spec Protocol
● Alert Protocol

SSL Record Protocol

The SSL Record Protocol provides two services to an SSL connection:

● Confidentiality
● Message Integrity

In the SSL Record Protocol, application data is divided into fragments. Each fragment is
compressed, then a MAC (Message Authentication Code) generated with a hash algorithm such as
SHA (Secure Hash Algorithm) or MD5 (Message Digest) is appended. After that the data is
encrypted, and finally the SSL record header is added in front of the data.
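The record pipeline described above, as an added example that is not part of the original notes: a simplified model in which HMAC-SHA256 and a SHA-256 counter keystream stand in for the real SSL MAC and cipher, and the keys are constructed. The reader side shows how the MAC check is what delivers the integrity service.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed keys; HMAC-SHA256 and a SHA-256 counter keystream stand in for
# the real SSL MAC and cipher suite. The pipeline shape is the point.
MAC_KEY = b"constructed-mac-key"
ENC_KEY = b"constructed-enc-key"
FRAGMENT = 2 ** 14         # SSL limits a fragment to 2^14 bytes
CT_APPLICATION_DATA = 23   # content-type byte in the record header
VERSION = b"\x03\x00"      # SSLv3 version field

def keystream(n: int, seq: int) -> bytes:
    return b"".join(hashlib.sha256(ENC_KEY + struct.pack(">QI", seq, i)).digest()
                    for i in range((n + 31) // 32))[:n]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def mac(seq: int, frag: bytes) -> bytes:
    # the sequence number is covered so a record cannot be replayed or reordered
    return hmac.new(MAC_KEY, struct.pack(">Q", seq) + frag, hashlib.sha256).digest()

def make_records(app_data: bytes, seq: int = 0) -> list:
    """fragment -> compress -> append MAC -> encrypt -> prepend header"""
    records = []
    for i in range(0, len(app_data), FRAGMENT):
        frag = zlib.compress(app_data[i:i + FRAGMENT])
        body = xor(frag + mac(seq, frag), keystream(len(frag) + 32, seq))
        header = struct.pack(">B2sH", CT_APPLICATION_DATA, VERSION, len(body))
        records.append(header + body)
        seq += 1
    return records

def read_records(records: list, seq: int = 0) -> bytes:
    """Reverse the pipeline; raise ValueError on a bad header or failed MAC."""
    out = b""
    for rec in records:
        ctype, version, length = struct.unpack(">B2sH", rec[:5])
        if ctype != CT_APPLICATION_DATA or version != VERSION:
            raise ValueError("unexpected record header")
        plain = xor(rec[5:5 + length], keystream(length, seq))
        frag, tag = plain[:-32], plain[-32:]
        if not hmac.compare_digest(tag, mac(seq, frag)):
            raise ValueError("record %d failed MAC check" % seq)   # integrity service
        out += zlib.decompress(frag)                                # confidentiality undone
        seq += 1
    return out
```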

Handshake Protocol

The Handshake Protocol is used to establish sessions. It allows the client and server to
authenticate each other by exchanging a series of messages. The handshake uses
four phases to complete its cycle.

● Phase-1: Both the client and the server send hello packets to each other. In this phase the
session identifier, cipher suite and protocol version are exchanged for security purposes.

● Phase-2: The server sends its certificate and the Server-key-exchange message. The server ends
phase-2 by sending the Server-hello-end packet.

● Phase-3: In this phase, the client replies to the server by sending its certificate and the
Client-key-exchange message.

● Phase-4: In Phase-4 the Change-cipher-spec exchange occurs, and after this the Handshake Protocol
ends.

SSL Certificate

An SSL (Secure Sockets Layer) certificate is a digital certificate used to secure and verify the identity
of a website or an online service. The certificate is issued by a trusted third party called a
Certificate Authority (CA), which verifies the identity of the website or service before issuing the
certificate.
2. KERBEROS

Kerberos provides a centralized authentication server whose function is to authenticate users to
servers and servers to users. In Kerberos, an Authentication Server and a database are used for client
authentication. Kerberos runs as a trusted third-party server known as the Key Distribution
Center (KDC). Each user and service on the network is a principal.

The main components of Kerberos are:

● Authentication Server (AS):
The Authentication Server performs the initial authentication and issues the ticket for the Ticket
Granting Service.

● Database:
The Authentication Server verifies the access rights of users against the database.

● Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server.

Kerberos Overview:

● Step-1:
The user logs in and requests services on the host; thus the user requests a ticket-granting
service.

● Step-2:
The Authentication Server verifies the user's access rights using the database and then issues a
ticket-granting ticket and a session key. The result is encrypted using the password of the
user.

● Step-3:
The message is decrypted using the password, and the ticket is then sent to the
Ticket Granting Server. The ticket contains authenticators such as the user name and network
address.

● Step-4:
The Ticket Granting Server decrypts the ticket sent by the user, verifies the request using the
authenticator, and then creates the ticket for requesting services from the Server.

● Step-5:
The user sends the ticket and authenticator to the Server.

● Step-6:
The Server verifies the ticket and authenticator and then grants access to the service.
After this the user can access the services.
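The six steps above as an added toy model, not code from the original notes: one KDC holding the AS database and the TGS key, and one service. All principal names, keys and the XOR-plus-HMAC "seal" are constructed stand-ins for the real Kerberos ciphers and ticket format; what it shows is which key protects which message and what the TGS and the service actually check.

```python
import hashlib
import hmac
import json

# All keys, names and the XOR+HMAC "seal" are constructed for illustration.
def key_from_password(pw: str) -> bytes:
    return hashlib.sha256(pw.encode()).digest()

def _ks(key: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a small dict and append an HMAC tag (toy authenticated encryption)."""
    data = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(data, _ks(key, len(data))))
    return ct + hmac.new(key, data, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> dict:
    ct, tag = blob[:-32], blob[-32:]
    data = bytes(a ^ b for a, b in zip(ct, _ks(key, len(ct))))
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(data)

KDC_DB = {"alice": key_from_password("constructed-user-pw")}    # AS database of principals
TGS_KEY = key_from_password("constructed-tgs-secret")
SERVICE_KEYS = {"fileserver": key_from_password("constructed-svc-secret")}
LIFETIME = 8 * 3600

def issue_ticket(server_key: bytes, user_key: bytes, user: str, addr: str, now: int):
    """AS (step 2) and TGS (step 4): ticket sealed with the target's key, session key sealed for the user."""
    sk = hashlib.sha256(server_key + user.encode() + str(now).encode()).digest()  # stand-in for a random key
    ticket = seal(server_key, {"user": user, "addr": addr, "sk": sk.hex(), "exp": now + LIFETIME})
    return ticket, seal(user_key, {"sk": sk.hex()})

def verify(server_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bytes:
    """TGS (step 4) and service (step 6): decrypt the ticket, then check the authenticator against it."""
    t = open_(server_key, ticket)
    a = open_(bytes.fromhex(t["sk"]), authenticator)     # only the session-key holder could build it
    if now > t["exp"] or a["user"] != t["user"] or a["addr"] != t["addr"] or abs(now - a["ts"]) > 300:
        raise PermissionError("ticket/authenticator mismatch")
    return bytes.fromhex(t["sk"])

def access_service(user: str, password: str, addr: str, service: str, now: int) -> bool:
    tgt, sealed_sk = issue_ticket(TGS_KEY, KDC_DB[user], user, addr, now)          # steps 1-2
    sk = bytes.fromhex(open_(key_from_password(password), sealed_sk)["sk"])         # step 3
    tgs_sk = verify(TGS_KEY, tgt, seal(sk, {"user": user, "addr": addr, "ts": now}), now)   # step 4
    svc_ticket, sealed_ssk = issue_ticket(SERVICE_KEYS[service], tgs_sk, user, addr, now)
    ssk = bytes.fromhex(open_(sk, sealed_ssk)["sk"])
    verify(SERVICE_KEYS[service], svc_ticket, seal(ssk, {"user": user, "addr": addr, "ts": now}), now)  # steps 5-6
    return True
```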

3. Types of attack

Phishing: Scammers trick you into giving away your personal information, such as passwords or credit card numbers, by
pretending to be someone you trust (such as a bank or a website).
DDoS Attack: Attackers send so much traffic to a website or server that it crashes, making it unavailable to real users.
SQL Injection: Attackers use a website's search or input boxes to insert harmful commands into its database, letting
them steal or tamper with data.

Malware Attacks

Malware refers to malicious software designed to damage or disrupt systems. Common types of malware include:

● Viruses: Malicious programs that attach themselves to legitimate software and spread to other systems.
● Worms: Self-replicating programs that spread across networks without human intervention.
● Trojans: Malware that masquerades as legitimate software to trick users into installing it.
● Ransomware: A type of malware that locks or encrypts files and demands a ransom for their release.
● Spyware: Software that secretly monitors a user's activities and sends the information to a third party.
● Adware: Software that displays unwanted ads, often bundled with other software.

Masquerade Attack:

In a masquerade attack, an attacker pretends to be someone else, using that person's identity to gain unauthorized
access to systems or steal information. For example:

● An attacker could send an email pretending to be a trusted person (such as your boss) and ask you to do something
harmful, such as transferring money or sharing sensitive data.

Modification of Message:

In a modification of message attack, an attacker intercepts a message being sent between two parties and changes it
before it reaches the recipient.
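The SQL injection item above, shown as an added example that is not part of the original notes: a search function that pastes the input box value into the query text, beside the parameterised version that treats the same value purely as data. The table, rows and probe string are constructed.

```python
import sqlite3

# Constructed table: the row with public = 0 should never be reachable through search.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, public INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [("laptop", 1), ("phone", 1), ("unreleased-model", 0)])
    return con

def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    # The search-box value is pasted into the SQL text, so a quote inside it
    # ends the string literal and whatever follows is executed as SQL.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return sorted(r[0] for r in con.execute(sql))

def search_safe(con: sqlite3.Connection, term: str) -> list:
    # Parameter binding sends the value separately from the SQL text; quotes,
    # OR and comment markers inside it are only characters to match.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return sorted(r[0] for r in con.execute(sql, ("%" + term + "%",)))

PROBE = "' OR 1=1 --"   # constructed input that turns the WHERE clause into "always true"
```

Run both functions with a normal term and with PROBE: the vulnerable query returns the non-public row, the parameterised one returns nothing because no product name contains that literal text.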

4. Short note on DMZ

A Demilitarized Zone (DMZ) is a network segment used in cybersecurity to separate an internal network
from the internet; DMZs are commonly found on corporate networks. A DMZ is typically created at
the edge of a company's internal network to isolate the company from external threats. It sits as a
network barrier between the trusted (private) and untrusted (public) networks, and acts as a
protection layer through which outside users cannot reach the company's internal data.

The DMZ receives requests from outside users or public networks to access the company's public
information and website. For such requests, the DMZ sets up sessions on the public network; it
cannot initiate a session into the private network. If anyone carries out malicious activity against
the DMZ, the web pages hosted there may be corrupted, but other information remains safe.
The goal of a DMZ is to provide access from the untrusted network while ensuring the security of the
private network. A DMZ is not mandatory, but a better approach is to use it together with a firewall.

5. PKI and its working

Public key infrastructure, or PKI, is the governing body behind issuing digital certificates. It helps
to protect confidential data and gives unique identities to users and systems. Thus it ensures
security in communications.

PKI uses a pair of keys, the public key and the private key, to achieve security.

Working of PKI, in steps:

Encryption:
● If someone wants to send you a secure message, they use your public key to "lock"
(encrypt) the message. Since your private key is the only key that can "unlock"
(decrypt) the message, only you can read it.

Digital Signatures:
● When you send a message, you use your private key to "sign" it. This proves that the
message came from you and hasn't been tampered with.
● Anyone who receives the message can use your public key to verify your signature,
ensuring that it is really from you and hasn't been altered.
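The two key roles described above, encrypt-with-public/decrypt-with-private and sign-with-private/verify-with-public, worked as an added example that is not part of the original notes. It uses textbook RSA on two constructed Mersenne primes and a truncated SHA-256 so the values fit the toy modulus; real PKI uses padded RSA or elliptic curves and a CA certificate that binds the public key to an identity.

```python
import hashlib

# Constructed toy key: P and Q are Mersenne primes, so N is about 2^216 bits wide.
P = 2 ** 127 - 1
Q = 2 ** 89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

def encrypt(public_key: tuple, message: bytes) -> int:
    """Anyone can 'lock' a message with the public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(private_key: tuple, ciphertext: int) -> bytes:
    """Only the private-key holder can 'unlock' it."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest_int(message: bytes) -> int:
    # truncated SHA-256 (24 bytes) so the hash value stays below N: toy simplification
    return int.from_bytes(hashlib.sha256(message).digest()[:24], "big")

def sign(private_key: tuple, message: bytes) -> int:
    """Sign the hash of the message with the private key."""
    n, d = private_key
    return pow(_digest_int(message), d, n)

def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Anyone can check the signature with the public key; any change to the message breaks it."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)
```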

6. Signature-Based IDS/IPS:

1. Signature-Based IDS (Intrusion Detection System):
○ How it works: This system monitors network or system activity and compares it against a database of
known attack signatures (unique patterns of data associated with known attacks).
○ Example: If an attack pattern (such as a specific sequence of data packets or a known virus signature) is
detected in network traffic, the IDS alerts the system administrator or triggers an alarm.
○ Limitations: It can only detect attacks that have been previously identified and included in its signature
database. It cannot detect new or unknown attacks (zero-day attacks).

2. Signature-Based IPS (Intrusion Prevention System):
○ How it works: Similar to an IDS, but in addition to detecting attacks, an IPS can take action to stop them.
If an attack is detected, the IPS can block the malicious traffic in real time, preventing further damage.
○ Example: If a signature matches known malware trying to enter the system, the IPS blocks the
connection immediately and logs the event.
○ Limitations: Like an IDS, it can only detect attacks that have already been documented and may miss
newer threats.
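Both behaviours above in one added example, not code from the original notes: a minimal signature engine run over constructed request lines. In IDS mode a match only produces an alert; in IPS mode the same match also blocks the source, so its later requests are dropped. The signature database and traffic are constructed, and the last request shows the zero-day limitation: no signature, no alert in either mode.

```python
import re

# Constructed signature database: (id, description, pattern over the request line).
SIGNATURES = [
    ("SIG-1001", "SQL injection probe", re.compile(r"(?i)\bor\b\s+1\s*=\s*1|union\s+select")),
    ("SIG-1002", "directory traversal", re.compile(r"\.\./\.\./")),
]

def inspect(requests: list, mode: str = "ids") -> dict:
    """IDS mode only alerts; IPS mode also blocks the source after a match."""
    alerts, blocked = [], set()
    for src, line in requests:
        if src in blocked:
            alerts.append((src, "DROPPED", "source already blocked"))
            continue
        for sig_id, desc, pattern in SIGNATURES:
            if pattern.search(line):
                alerts.append((src, sig_id, desc))
                if mode == "ips":
                    blocked.add(src)
                break  # first matching signature wins
    return {"alerts": alerts, "blocked": blocked}

TRAFFIC = [  # constructed (source, request line) pairs
    ("10.0.0.8", "GET /index.html HTTP/1.1"),
    ("198.51.100.7", "GET /search?q=' OR 1=1 -- HTTP/1.1"),
    ("198.51.100.7", "GET /products HTTP/1.1"),
    ("203.0.113.9", "GET /../../etc/passwd HTTP/1.1"),
    # a request using a technique with no signature yet passes both modes
    ("192.0.2.4", "GET /api/v2/export?fmt=xml HTTP/1.1"),
]
```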

7. Anomaly-Based Method:

Anomaly-based IDS was introduced to detect unknown malware attacks, as new malware is
developed rapidly. An anomaly-based IDS uses machine learning to build a model of trusted
activity; everything that arrives is compared with that model and is declared suspicious if it is
not found in the model. The machine learning-based method generalizes better than a
signature-based IDS, because these models can be trained according to the specific
applications and hardware configurations.
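The "trusted activity model" idea above as an added example, not code from the original notes: a baseline of requests per minute per host is learned from a constructed known-good period (mean and standard deviation, the simplest learned profile), and a live window is scored against it. Hosts absent from the model are flagged too, since they are "not found in the model".

```python
import statistics

# Constructed baseline: requests per minute per host during a known-good period.
TRAINING = {
    "web-01": [40, 42, 38, 45, 41, 39, 44, 40, 43, 42],
    "db-01": [5, 6, 4, 5, 7, 5, 6, 5, 4, 6],
}

def train(samples: dict) -> dict:
    """Build the trusted activity model: (mean, population stdev) per host."""
    return {host: (statistics.mean(v), statistics.pstdev(v)) for host, v in samples.items()}

def score(model: dict, host: str, count: int, threshold: float = 3.0) -> tuple:
    """Return (is_anomalous, z-score). A host absent from the model is itself an anomaly."""
    if host not in model:
        return True, float("inf")
    mean, sd = model[host]
    if sd == 0:                                 # constant baseline: any change is anomalous
        return count != mean, 0.0 if count == mean else float("inf")
    z = abs(count - mean) / sd
    return z > threshold, z

def detect(model: dict, observations: list) -> list:
    """Observations are (host, requests per minute); return the flagged ones with their z-score."""
    flagged = []
    for host, count in observations:
        anomalous, z = score(model, host, count)
        if anomalous:
            flagged.append((host, count, round(z, 2)))
    return flagged

OBSERVED = [  # constructed live window; web-01 at 400/min and db-01 at 60/min are the outliers
    ("web-01", 44), ("web-01", 400), ("db-01", 5), ("db-01", 60), ("rogue-99", 1),
]
```

Unlike the signature engine, this flags the surge on web-01 without ever having seen it before; the trade-off is that any legitimate change in behaviour (a traffic spike from a marketing campaign) is flagged the same way until the model is retrained.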

8. ACL with its purpose

ACL stands for "Access Control List". Its primary purpose is to filter network traffic by defining
rules that allow or deny access to specific devices or IP addresses based on factors such as
source IP, destination IP, protocol and port number. It effectively acts as a security gatekeeper
for a network, deciding which traffic may enter or leave depending on predefined criteria.

Key points about ACLs:

Filtering mechanism:
ACLs examine incoming and outgoing network packets and compare them against a set of
rules to determine whether to allow or block the traffic.

Types of ACLs:
● Standard ACL: Only considers the source IP address for filtering.
● Extended ACL: Offers more granular control by considering additional parameters such as
destination IP, protocol and port number.

Implementation:
ACLs are typically configured on network devices such as routers and firewalls to manage
network access.
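The two ACL types above as an added example, not code from the original notes: a packet filter that evaluates a standard ACL (source only) and an extended ACL (source, destination, protocol, port) top-down, with the implicit deny that ends every ACL. The rule syntax is this example's own, not any vendor's, and the networks and packets are constructed.

```python
import ipaddress

# Constructed rule sets; rules are evaluated top-down and the first match wins.
STANDARD_ACL = [  # (action, source network)
    ("deny", "192.0.2.0/24"),
    ("permit", "10.0.0.0/8"),
]
EXTENDED_ACL = [  # (action, source, destination, protocol, destination port; None = any port)
    ("permit", "0.0.0.0/0", "10.1.1.10/32", "tcp", 443),   # public web server
    ("permit", "10.0.0.0/8", "10.1.1.20/32", "tcp", 22),   # SSH only from inside
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "udp", None),
]

def match_standard(acl: list, src: str) -> str:
    """Standard ACL: the decision depends on the source address alone."""
    ip = ipaddress.ip_address(src)
    for action, net in acl:
        if ip in ipaddress.ip_network(net):
            return action
    return "deny"   # implicit deny at the end of every ACL

def match_extended(acl: list, src: str, dst: str, proto: str, dport: int) -> str:
    """Extended ACL: source, destination, protocol and destination port all have to match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet, p, port in acl:
        if (s in ipaddress.ip_network(snet) and d in ipaddress.ip_network(dnet)
                and p == proto and (port is None or port == dport)):
            return action
    return "deny"
```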

9. Honeypot-based IDS

10. SET

Secure Electronic Transaction, or SET, is a security protocol designed to ensure the security and
integrity of electronic transactions conducted using credit cards. Unlike a payment system, SET
operates as a security protocol applied to those payments. It uses different encryption and
hashing techniques to secure credit card payments made over the internet. The SET
protocol restricts the disclosure of credit card details to merchants, thus keeping hackers and
thieves at bay.

Steps in a SET Transaction:

Step 1: Cardholder Starts the Purchase
● The cardholder picks products and goes to the checkout on the merchant's website.
● The cardholder's browser securely connects with the merchant using a public key.

Step 2: Encrypting Credit Card Info
● The cardholder enters their credit card details and encrypts them using a secret key.
● They also sign the payment request with their private key to prove it is really them.

Step 3: Payment Gateway Checks the Info
● The merchant sends the encrypted payment info to the payment gateway.
● The payment gateway checks the signature to verify the cardholder's identity using their digital certificate.

Step 4: Bank Validates the Payment
● The bank (issuer) checks the cardholder's details, such as card balance and validity.
● If everything is in order, the bank sends an approval message to the payment gateway.

Step 5: Confirmation and Finalization
● The payment gateway sends the approval to the merchant.
● The merchant ships the product to the cardholder, completing the transaction.

11. Alerts and Audit trails

An audit trail is a detailed record that tracks all changes and activities within a system, helping
to ensure transparency and accountability. It logs who did what and when, making it easier to
detect and resolve issues. This is crucial for security, compliance and troubleshooting.
As per the definition of the National Institute of Standards and Technology (NIST), an audit trail
is: "A set of records that collectively provide documentary evidence of processing used to aid
in tracing from original transactions forward to related records and reports, and/or backward
from records and reports to their component source transactions."

Therefore, the audit trail records:

● Who: the user or application program, and a transaction number.
● When: date and time.
● Where: location of the user or terminal.
● What: the data that is being worked upon or modified.

Example: When we check out at a supermarket counter after shopping, the receipt (bill) we
receive is a type of audit trail: we (Who/customer) can find all the necessary information on it, such as
the date and time of checkout (When), the location of the mall and the counter number (Where), and
the items purchased (What/data).
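The Who/When/Where/What record and the NIST forward/backward tracing described above, as an added example that is not part of the original notes. The entries and transaction numbers are constructed; the prev_hash chain goes beyond the text and is there so that a later edit to any entry is detectable, which is what makes the trail usable as evidence.

```python
import hashlib
import json

# Entries and transaction numbers are constructed; the prev_hash chain is this
# example's addition and makes any later edit to an entry detectable.
class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, who, when, where, what, txn, prev_txn=None) -> str:
        """Append one Who/When/Where/What entry linked to the entry before it."""
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"who": who, "when": when, "where": where, "what": what,
                 "txn": txn, "prev_txn": prev_txn, "prev_hash": prev_hash}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(body: dict) -> str:
        body = {k: v for k, v in body.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def forward(self, txn: str) -> list:
        """Trace a source transaction forward to every record derived from it."""
        out, frontier = [], [txn]
        while frontier:
            current = frontier.pop(0)
            for e in self.entries:
                if e["prev_txn"] == current:
                    out.append(e["txn"])
                    frontier.append(e["txn"])
        return out

    def backward(self, txn: str) -> list:
        """Trace a record backward to its component source transactions."""
        by_txn = {e["txn"]: e for e in self.entries}
        chain = []
        while txn in by_txn and by_txn[txn]["prev_txn"] is not None:
            txn = by_txn[txn]["prev_txn"]
            chain.append(txn)
        return chain

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```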
