
Introduction to Cyber Security:

Cyber Security is a process that’s designed to protect networks and devices from external threats.
Businesses typically employ Cyber Security professionals to protect their confidential information,
maintain employee productivity, and enhance customer confidence in products and services.

The world of Cyber Security revolves around the industry standard of confidentiality, integrity, and
availability, or CIA. Confidentiality means data can be accessed only by authorized parties; integrity means
information can be added, altered, or removed only by authorized users; and availability means systems,
functions, and data must be available on demand according to agreed-upon parameters.

The main element of Cyber Security is the use of authentication mechanisms. For example, a user name
identifies an account that a user wants to access, while a password is a mechanism that proves the user is
who he claims to be.

With the rapid proliferation of digital technologies in every facet of modern life, the importance of Cyber
Security has never been more pronounced. From safeguarding sensitive personal information to protecting
critical infrastructure, the stakes are higher than ever before. Our exploration begins with a comprehensive
examination of why Cyber Security matters, delving into real-world examples of cyber attacks and their
far-reaching consequences.

As we venture deeper into the intricacies of Cyber Security, we unravel the basic concepts that underpin
this multifaceted discipline. Students will gain a nuanced understanding of the scope of Cyber Security,
encompassing not only technological aspects but also legal, ethical, and societal considerations. Through
engaging lectures, interactive discussions, and hands-on activities, we aim to demystify the complex
terminology and acronyms that populate the Cyber Security landscape.

Moreover, this week serves as an invitation to cultivate a cybersecurity mindset—a vigilant, proactive
approach to identifying and mitigating digital risks. By fostering a culture of awareness and responsibility,
we empower individuals to become the first line of defense against cyber threats, both in their personal
and professional lives.

In essence, this week lays the groundwork for a transformative journey into the ever-evolving world of Cyber Security.
Armed with a newfound appreciation for the challenges and opportunities that lie ahead, students are
poised to embark on a path of discovery, innovation, and empowerment in the pursuit of digital resilience.

Cybersecurity streams:

Information Security

Information technology (IT) security analysts and security engineers are common entry-level roles for
those looking to get started in the cybersecurity world. Most information security specialists require a
computer science or software engineering background, and it’s also highly recommended that they
become certified (CompTIA Security+, GCIA, GCIH).

Their main responsibilities are:

• Network security/application security

• Investigating and documenting data breaches or data leaks

• Carrying out security plans and procedures

• Protecting systems from security risks and malware

• Configuring security protocols such as firewalls, intrusion detection systems (IDS),
and intrusion prevention systems (IPS)

• Troubleshooting computer network and security infrastructure

Most cybersecurity analysts and engineers work within a larger team, led by an IT security manager,
security administrator, or security architect. While analysts focus more on identifying and responding to
cyber threats and executing security procedures, engineers are responsible for creating the individual
security systems of a company. Cybersecurity engineers can become certified with Certified Information
Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP).

Security architects are one of the highest levels in information security as they are responsible for
designing the entire security infrastructure of a company. As the main cybersecurity managers, they are
generally less hands-on than engineers and require a broader knowledge of information security to make
executive decisions. They typically report directly to the Chief Information Security Officer (CISO) and
often get promoted to the CISO position later in their careers.

IT Auditing & Consulting

An IT auditor performs audits on an organization’s security standards, compliance, and overall
infrastructure to ensure that they can effectively secure their data. Two main cybersecurity certifications
are necessary to become an IT auditor: CISA (Certified Information Systems Auditor) and CISM
(Certified Information Security Manager).

Auditors must have a broad understanding of multiple fields, including:

• Network security infrastructure (firewalls, VPNs, web proxy, IDS/IPS)

• Telecommunications

• Information security and processing

• Computer systems and applications

• Data analysis tools

• Third-Party Risk Management

• Security testing procedures

• Industry security standards

IT auditors are typically a mid-level role, requiring a few years of working in information security (CISA
- 5 years, CISM - 3 years). They can perform standard audits or become security consultants at the highest
level to help identify areas of security needs within an organization.

Ethical Hacking/Penetration Testing

An ethical hacker holds a unique role: finding all of the system vulnerabilities within an
organization to expose flaws or exploits in each system. A Certified Ethical Hacker (CEH) has a unique skill
set because they must think like a potential threat actor and stay updated with the latest hacking techniques
and tools in the entire threat landscape. Sometimes companies may put out “bug bounties” to invite ethical
hackers to find vulnerabilities in their systems in exchange for a financial reward.

One important area of ethical hacking is penetration testing. A penetration tester conducts simulated tests
on specific areas of a security system to find new vulnerabilities. This allows organizations to focus on
higher-risk areas rather than testing the entire system every time. Penetration testers may be given specific
pieces of sensitive information and attempt to penetrate a system to test its security.

Threat Intelligence

Threat intelligence analysts collect existing evidence and data on common attack behaviors, techniques,
and indicators (IOCs and IOAs) and help develop new security plans to address them. Many organizations
make important security decisions based on the threat intelligence data to not only respond to security
incidents but also prevent them.

One particular role of threat intelligence is proactive cyber threat hunting, which aims to anticipate any
potential threats before an actual attack. Threat hunters' main goal is to review common attack behaviors
and techniques, or TTPs (tactics, techniques, and procedures), and apply them to current systems to protect
their attack surface and improve security posture. Experienced threat hunters have a much deeper
understanding of the threat landscape than most other fields and are required to think from a threat actor’s
perspective.

OSINT (open-source intelligence) analysts and investigators are also crucial in threat intelligence. OSINT
investigators use specialized methods to gather sensitive information that may be publicly available
online. By identifying which information has been leaked, companies can use that data to improve their
security and prevent future breaches.

Software Development

Software development is a product and client-focused field that helps integrate programs and applications
into an organization’s security structure. Developers are fully involved in the design, testing, and
implementation of systems to make sure they fully meet the needs of a company or individual. By
identifying user pain points, they can use the data to create new features to protect against potential
vulnerabilities.

Cybersecurity software developers must have a wide range of knowledge of all information security fields
to accurately assess what front-end software designs are needed. Developers differ from security engineers
in that they are not responsible for building the security systems directly but instead provide client-facing
solutions for the product. Typically, developers have more substantial knowledge of forward-facing
coding languages, such as HTML, CSS, or JavaScript.

Digital Forensics

Digital forensics is a critical function in cybersecurity that focuses on investigating cyberattacks and
figuring out how hackers were able to penetrate a system. Forensic analysts must look for clues to determine
which techniques were used by the cybercriminals to access the networks illegally. There are many branches
of digital forensics, including computer forensics, network forensics, and database forensics.

The main responsibilities of digital forensics and incident response (DFIR) analysts or computer security
and incident response teams (CSIRT) are to:

• Identify common attack behaviors

• Investigate suspicious network activity

• Collect and review digital evidence to create stronger security measures

• Create remediation and recovery procedures

• Assist law enforcement during a cybercrime investigation

Although digital forensics typically waits for an attack to occur before responding, recent advancements
in artificial intelligence (AI) and machine learning (ML) have helped establish preventative measures. As
such, the field of digital forensics is closely tied with cyber threat hunting. Working in digital forensics
requires a strong understanding of the attack landscape to quickly respond to and eliminate threat actors.

Cryptography

Cryptographers have one main responsibility: to write encryption code strong enough to secure important
or sensitive data. Cryptography engineers often come from computer programming, computer
engineering, and mathematics backgrounds because they are expected to write and refine complex
algorithms or ciphers that outside parties can’t break.

Most cryptographers have at least a master’s degree, if not a doctorate, in their field of study. The most
common certification to obtain for cryptography is the EC-Council Certified Encryption Specialist
(ECES).

Because the technology landscape is constantly evolving, cryptographers are expected to stay informed
of the latest cryptology theories, security solutions, and infrastructure designs. Government agencies often
hire the top cryptographers worldwide to protect their classified information, particularly if there is
communication involved, to prevent potential hackers from decoding or intercepting encrypted
information.

Common threats against passwords:

Password attacks are one of the most common forms of corporate and personal data breach. A password
attack is simply when a hacker tries to steal your password. In 2020, 81% of data breaches were due to
compromised credentials. Because passwords can only contain so many letters and numbers, passwords
are becoming less safe. Hackers know that many passwords are poorly designed, so password attacks will
remain a method of attack as long as passwords are being used.

1. Phishing

Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will
reveal your personal information voluntarily. Sometimes they lead you to fake "reset your password"
screens; other times, the links install malicious code on your device. We highlight several examples on
the OneLogin blog.

Here are a few examples of phishing:

• Regular phishing. You get an email from what looks like goodwebsite.com asking you to
reset your password, but you didn't read closely and it's actually goodwobsite.com. You
"reset your password" and the hacker steals your credentials.

• Spear phishing. A hacker targets you specifically with an email that appears to be from a
friend, colleague, or associate. It has a brief, generic blurb ("Check out the invoice I attached
and let me know if it makes sense.") and hopes you click on the malicious attachment.

To avoid phishing attacks, follow these steps:

• Check who sent the email: look at the from: line in every email to ensure that the person
they claim to be matches the email address you're expecting.

• Double check with the source: when in doubt, contact the person who the email is from
and ensure that they were the sender.

2. Man-in-the-Middle Attack
Man-in-the-middle (MitM) attacks occur when a hacker or compromised system sits between two
uncompromised people or systems and deciphers the information they're passing to each other, including
passwords. If Alice and Bob are passing notes in class, but Jeremy has to relay those notes, Jeremy has
the opportunity to be the man in the middle. Similarly, in 2017, Equifax removed its apps from the App
Store and Google Play store because they were passing sensitive data over insecure channels where
hackers could have stolen customer information.

To help prevent man-in-the-middle attacks:

• Enable encryption on your router. If your modem and router can be accessed by anyone
off the street, they can use "sniffer" technology to see the information that is passed through
it.
• Use strong credentials and two-factor authentication. Many router credentials are never
changed from the default username and password. If a hacker gets access to your router
administration, they can redirect all your traffic to their hacked servers.
• Use a VPN. A secure virtual private network (VPN) will help prevent man-in-the-middle
attacks by ensuring that all the servers you send data to are trusted.

3. Brute Force Attack

If a password is equivalent to using a key to open a door, a brute force attack is using a battering ram. A
hacker can try 2.18 trillion password/username combinations in 22 seconds, and if your password is
simple, your account could be in the crosshairs.

To help prevent brute force attacks:
• Use a complex password. The difference between an all-lowercase, all-alphabetic, six-digit
password and a mixed case, mixed-character, ten-digit password is enormous. As your
password's complexity increases, the chance of a successful brute force attack decreases.
• Enable and configure remote access. Ask your IT department if your company uses remote
access management. An access management tool like OneLogin will mitigate the risk of a
brute-force attack.
• Require multi-factor authentication. If multi-factor authentication (MFA) is enabled on your
account, a potential hacker can only send a request to your second factor for access to your
account. Hackers likely won't have access to your mobile device or thumbprint, which means
they'll be locked out of your account.

4. Dictionary Attack

A type of brute force attack, dictionary attacks rely on our habit of picking "basic" words as our password,
the most common of which hackers have collated into "cracking dictionaries." More sophisticated
dictionary attacks incorporate words that are personally important to you, like a birthplace, child's name,
or pet's name.

To help prevent a dictionary attack:

• Never use a dictionary word as a password. If you've read it in a book, it should never be
part of your password. If you must use a password instead of an access management tool,
consider using a password management system.

• Lock accounts after too many password failures. It can be frustrating to be locked out of
your account when you briefly forget a password, but the alternative is often account
insecurity. Give yourself five or fewer tries before your application tells you to cool down.

• Consider investing in a password manager. Password managers automatically generate
complex passwords that help prevent dictionary attacks.

5. Credential Stuffing
If you've suffered a hack in the past, you know that your old passwords were likely leaked onto a
disreputable website. Credential stuffing takes advantage of accounts that never had their passwords
changed after an account break-in. Hackers will try various combinations of former usernames and
passwords, hoping the victim never changed them.

To help prevent credential stuffing:

• Monitor your accounts. There are paid services that will monitor your online identities, but
you can also use free services like haveIbeenpwned.com to check whether your email
address is connected to any recent leaks.
• Regularly change your passwords. The longer one password goes unchanged, the more likely
it is that a hacker will find a way to crack it.
• Use a password manager. Like a dictionary attack, many credential stuffing attacks can be
avoided by having a strong and secure password. A password manager helps maintain those.

6. Keyloggers
Keyloggers are a type of malicious software designed to track every keystroke and report it back to a
hacker. Typically, a user will download the software believing it to be legitimate, only for it to install a
keylogger without notice.

To protect yourself from keyloggers:

• Check your physical hardware. If someone has access to your workstation, they can install
a hardware keylogger to collect information about your keystrokes. Regularly inspect your
computer and the surrounding area to make sure you know each piece of hardware.
• Run a virus scan. Use a reputable antivirus software to scan your computer on a regular
basis. Antivirus companies keep their records of the most common malware keyloggers and
will flag them as dangerous.

7. Preventing Password Attacks

The best way to fix a password attack is to avoid one in the first place. Ask your IT professional about
proactively investing in a common security policy that includes:

• Multi-factor authentication. Using a physical token (like a Yubikey) or a personal device
(like a mobile phone) to authenticate users ensures that passwords are not the sole gate to
access.

• Remote access. Using a smart remote access platform like OneLogin means that individual
websites are no longer the source of user trust. Instead, OneLogin ensures that the user's
identity is confirmed, then logs them in.

• Biometrics. A malicious actor will find it very difficult to replicate your fingerprint or facial
shape. Enabling biometric authentication turns your password into only one of several points
of trust that a hacker needs to overcome.

Measures to Protect Passwords

Having identified the most likely threats to passwords, organisations and their users should implement
appropriate behaviours and technical measures to protect against those risks. Measures are likely to
involve both preventing passwords being lost and minimising the damage when they are. Different
systems and information may be subject to different risks, so may require different measures. For
example, two-factor authentication may be appropriate for researchers and administrators dealing with
sensitive information and operators managing key networks and systems even if it is considered too
costly for general use.

Prevention

Two-factor Authentication:

Most of the attacks described above can be made much harder if the password is not the only thing
required to login. A variety of two-factor systems are available which require in addition either a
biometric measurement (e.g. a fingerprint) or possession of a particular device (which may range from
a dedicated token to a smartphone). Two-factor systems may be somewhat less convenient to use than
simple passwords or be limited to particular hardware, so are most appropriate for accounts that have
access to high-value services or information. For this level of security they may well be easier to use
than a very long and complex static password.

Protecting password files:

To check that the user has typed in the correct password, systems must have a reference to check against.
An attacker who can obtain a copy of this reference file can run cracking programs against it and will
almost inevitably succeed in discovering the passwords for several user accounts. Password files should
therefore be among the best protected information the organisation holds, held on well-secured machines
with limited access and, unless this is impossible, holding only salted hashes rather than the actual
passwords. The choice of hashing algorithm can significantly affect the time to crack a password file -
try to use the strongest (i.e. slowest) one available.
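The salted, slow hashing the paragraph recommends, as an added example that is not part of the original document: each stored record carries its own random salt and iteration count, verification recomputes the digest and compares it in constant time, and records made under an older, weaker work factor can be detected and upgraded at the next login. It uses Python's standard-library PBKDF2-HMAC; the record format and the iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (an assumed policy value). Raising it slows each
# legitimate verification slightly and slows an attacker holding a stolen password
# file by the same factor for every guess they make.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.

    A fresh random salt per account means two users with the same password get
    different records, so one cracking run cannot cover both and tables
    precomputed for unsalted hashes are useless against the file.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare.

    hmac.compare_digest takes the same time wherever the first mismatch falls, so
    the comparison leaks nothing about partial matches. Malformed records fail closed.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than the current policy.

    Check this right after a successful login, the only moment the plaintext is
    available, and re-hash then; the work factor can be raised over time without
    forcing every user through a password reset.
    """
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < iterations
    except ValueError:
        return True


def unsalted_sha256(password: str) -> str:
    """The weak scheme the text warns against, shown for contrast: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two accounts whose owners happened to choose the same passphrase.
    pw = "correct horse battery staple"
    print("unsalted records equal: ", unsalted_sha256(pw) == unsalted_sha256(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted records equal:   ", a == b)
    print("verify correct:         ", verify_password(pw, a))
    print("verify wrong case:      ", verify_password(pw.title(), a))
    print("old record needs rehash:", needs_rehash(hash_password(pw, iterations=10_000)))
```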

Federated authentication:

Implementing federated or single sign-on, using a central authentication server, has several security
benefits. It reduces the number of systems on which passwords need to be stored, and should also ensure
that secure protocols are used to transfer them over networks. Reducing the number of passwords users
need to remember should help them use more complex and secure passphrases. However, because the
same password or phrase can now give access to multiple systems, it is even more important to secure the
central authentication server, and for users to be on guard against phishing or key-logging attacks.

Password Complexity:

Making passwords more complex increases the difficulty of attacks that rely on brute force or educated
guessing. However, it has no effect on attacks that reset the password or record it as the user types it in.
The invention of rainbow tables as an alternative to brute-force attacks has made even complex
passwords vulnerable in a few minutes if they are too short: most authorities now recommend the use of
passphrases or sequences of random words to ensure sufficient length.

Password Lock-out:

A common approach to reduce the risk of brute-force attempts to log in to an account is to either lock
the account or increase the delay between login attempts when there have been repeated failures. This
can be effective in slowing down attacks and giving responders time to react to an alarm. However, it
can cause problems when a user forgets to update a password stored in a browser or device, because the
automatic retries can trigger the lock-out alarm.
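The increasing-delay form of lock-out described above, as an added example that is not part of the original document: instead of a hard lock, each failure beyond a free allowance doubles the wait before the next attempt is even evaluated, failures age out of a time window so a device retrying a stale password cannot lock the account indefinitely, and a failure threshold raises the alarm responders need. All thresholds, account names and the stand-in password check are constructed for the example.

```python
import time
from typing import Callable, Dict, List

# Tunables for the progressive-delay variant of lock-out (constructed values).
FAILURE_WINDOW = 15 * 60  # seconds; failures older than this are forgotten
FREE_ATTEMPTS = 5         # failures tolerated before any delay is imposed
BASE_DELAY = 2.0          # seconds of delay at the first throttled attempt
MAX_DELAY = 15 * 60       # cap: a device retrying a stale password cannot lock the account for good
ALERT_AFTER = 10          # failures within the window that raise an alarm for responders


class LoginThrottle:
    """Per-account failure tracking with an exponentially growing delay instead of a hard lock."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._failures: Dict[str, List[float]] = {}
        self.alerts: List[str] = []

    def _recent(self, user: str, now: float) -> List[float]:
        # Drop failures that fell out of the window, so a browser that retried a
        # forgotten password this morning does not count against the user this afternoon.
        kept = [t for t in self._failures.get(user, []) if now - t <= FAILURE_WINDOW]
        self._failures[user] = kept
        return kept

    def seconds_until_allowed(self, user: str) -> float:
        now = self._clock()
        failures = self._recent(user, now)
        if len(failures) < FREE_ATTEMPTS:
            return 0.0
        extra = len(failures) - FREE_ATTEMPTS          # 0 at the first throttled attempt
        delay = min(BASE_DELAY * (2 ** extra), MAX_DELAY)
        return max(0.0, failures[-1] + delay - now)

    def record_failure(self, user: str) -> None:
        now = self._clock()
        failures = self._recent(user, now)
        failures.append(now)
        if len(failures) == ALERT_AFTER:
            # Fires once per window: the early warning that gives responders time to react.
            self.alerts.append(f"{user}: {ALERT_AFTER} failed logins within {FAILURE_WINDOW // 60} min")

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(throttle: LoginThrottle, user: str, password: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Apply the throttle before checking the credential; returns a short status string."""
    wait = throttle.seconds_until_allowed(user)
    if wait > 0:
        return f"throttled:{wait:.0f}s"   # the password is not evaluated while the delay runs
    if verify(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "failed"


class FakeClock:
    """Deterministic clock so the demonstration does not depend on wall time."""

    def __init__(self, start: float = 1_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    verify = lambda user, pw: pw == "s3cret-example"   # stand-in for real credential verification

    for i in range(7):                                 # a device retrying a stale stored password
        print(f"attempt {i + 1}: {attempt_login(throttle, 'alice', 'old-password', verify)}")
    clock.advance(2)
    print("after 2s:", attempt_login(throttle, "alice", "old-password", verify))
    print("delay now:", throttle.seconds_until_allowed("alice"), "s")
    clock.advance(4)
    print("correct password:", attempt_login(throttle, "alice", "s3cret-example", verify))
    print("delay after success:", throttle.seconds_until_allowed("alice"), "s")
```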

Self-test for Problems:

A number of password cracking programs are available, so it makes sense for authorised staff to run
them against the organisation’s own password files. This must be carefully planned to minimise the
security and legal risks to the organisation, its staff and information: testers should only need to know
that a particular account was cracked, not what its password was. The exercise must be designed to help
users select and remember better passwords, otherwise it risks reducing security rather than enhancing
it.

Detection/Containment

When a password has been compromised, the unauthorised user will normally behave differently from
the authorised one. Logs of when accounts are used, and where from, may reveal early indications when
this happens. It may also be possible to directly identify unauthorised use of the account.

Patterns of Use:

Many accounts will show fairly obvious patterns both in when they are used (what times and what days
of the week), and where users log in from. Indeed, these may sometimes be a matter of policy: access to
sensitive information may only be permitted at designated locations and times. Changes to these patterns
may indicate that there is a problem with the account.
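The pattern-of-use check described above, as an added example that is not part of the original document: it learns each account's usual hours, day type and source network from a training week of successful logins, then flags later logins that break a location policy or depart from that learned pattern. The log format, addresses, account names, training cutoff and one-hour slack are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed log format (hypothetical, not from any real product):
#   <ISO-8601 UTC timestamp> user=<name> src=<IPv4> result=<success|failure>
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
# Assumed internal address space; anything else is classed "external".
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Policy rule from the text: some accounts may only be used from designated
# locations. dbadmin (a constructed name) is limited to the corporate network.
RESTRICTED_TO = {"dbadmin": "corp"}
# Logins before this instant train the per-account baseline; later ones are checked.
TRAINING_CUTOFF = datetime(2024, 3, 11, tzinfo=timezone.utc)

# Constructed sample: one week of normal use, then the week under review.
SAMPLE_LOG = """\
2024-03-04T08:55:10Z user=alice src=10.20.0.14 result=success
2024-03-05T09:02:41Z user=alice src=10.20.0.14 result=success
2024-03-05T10:30:00Z user=dbadmin src=10.20.5.9 result=success
2024-03-06T08:47:05Z user=alice src=10.20.0.22 result=success
2024-03-07T09:15:30Z user=alice src=10.20.0.14 result=success
2024-03-07T11:05:00Z user=dbadmin src=10.20.5.9 result=success
2024-03-08T08:58:12Z user=alice src=10.20.0.14 result=success
2024-03-11T09:01:15Z user=alice src=10.20.0.14 result=success
2024-03-12T03:14:52Z user=alice src=203.0.113.45 result=success
2024-03-12T09:30:00Z user=carol src=10.20.1.3 result=success
2024-03-12T09:31:00Z user=alice src=10.20.0.14 result=failure
2024-03-13T09:20:00Z user=dbadmin src=198.51.100.7 result=success
"""

Event = Tuple[datetime, str, str, str]   # (timestamp, user, source address, result)
Baseline = Dict[str, Dict[str, set]]


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # a malformed line is skipped rather than crashing the monitor
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["src"], m["result"]


def source_class(src: str) -> str:
    addr = ip_address(src)
    return "corp" if any(addr in net for net in CORP_NETS) else "external"


def day_class(ts: datetime) -> str:
    return "weekend" if ts.weekday() >= 5 else "weekday"


def build_baseline(events: List[Event]) -> Baseline:
    """Per account, the hours, day types and source classes seen in successful logins."""
    base: Baseline = defaultdict(lambda: {"hours": set(), "days": set(), "sources": set()})
    for ts, user, src, result in events:
        if result == "success":
            base[user]["hours"].add(ts.hour)
            base[user]["days"].add(day_class(ts))
            base[user]["sources"].add(source_class(src))
    return base


def check_event(event: Event, baseline: Baseline) -> List[str]:
    """Reasons a successful login departs from policy or from the account's usual pattern."""
    ts, user, src, _ = event
    reasons: List[str] = []
    src_class = source_class(src)
    if user in RESTRICTED_TO and src_class != RESTRICTED_TO[user]:  # policy applies regardless of history
        reasons.append(f"policy: {user} permitted only from {RESTRICTED_TO[user]}")
    b = baseline.get(user)
    if b is None:
        reasons.append("no baseline for user")
        return reasons
    if not any(abs(ts.hour - h) <= 1 for h in b["hours"]):  # one hour of slack around usual times
        reasons.append(f"unusual hour {ts.hour:02d}")
    if day_class(ts) not in b["days"]:
        reasons.append(f"unusual day type {day_class(ts)}")
    if src_class not in b["sources"]:
        reasons.append(f"new source class {src_class}")
    return reasons


def detect(lines: List[str], cutoff: datetime = TRAINING_CUTOFF) -> List[Tuple[str, str, List[str]]]:
    events = [e for e in map(parse_line, lines) if e]
    baseline = build_baseline([e for e in events if e[0] < cutoff])
    alerts = []
    for e in events:
        # Failures are the lock-out mechanism's concern; here we watch successful use.
        if e[0] >= cutoff and e[3] == "success":
            reasons = check_event(e, baseline)
            if reasons:
                alerts.append((e[1], e[0].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, when, reasons in detect(SAMPLE_LOG.splitlines()):
        print(f"{when} {user}: {'; '.join(reasons)}")
```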

Suspicious Activity:

Most attacks on university accounts seem to be aimed at using the university’s e-mail facilities to
phish more accounts. Monitoring for spam or phishing mails being sent from university accounts can
often provide an early indication of problems; limiting the rate at which accounts can send mail may
limit the damage caused, though dealing with the problem is still urgent.

Some types of attacker publish passwords, or more commonly password files, that they have been able
to obtain. The aim seems either to be to embarrass the organisation whose security has been breached,
or to seek help in cracking hashed passwords. Monitoring the sites used for publication can therefore be
an effective way to discover problems. Unfortunately most of the use of these sites is legitimate and
harmless, but Janet CSIRT and other incident response teams have developed monitoring tools that
increase the likelihood that an alert will actually indicate a problem.

Password Timeouts:

A method sometimes proposed to limit the impact of password compromises is to require users to change
them regularly. Time limits for password age used to be set based on the time taken to discover them
using brute-force methods; however, since the invention of rainbow tables this would imply lifetimes of
minutes or hours. Protecting hashed passwords against discovery is now a better measure against this
threat. Limited lifetimes may still help by disabling unused accounts in case account management
procedures fail to do so, and by ensuring that changes to password policy or technology can be completed
once all old passwords have expired, but these may well imply different expiry time limits from those
used previously.

CRYPTOGRAPHY:

Cryptography is the practice of developing and using coded algorithms to protect and obscure
transmitted information so that it may only be read by those with the permission and ability to decrypt
it. Put differently, cryptography obscures communications so that unauthorized parties are unable to
access them.

In our modern digital age, cryptography has become an essential cybersecurity tool for protecting
sensitive information from hackers and other cybercriminals.

Cryptology, which encompasses both cryptography and cryptanalysis, is deeply rooted in computer
science and advanced mathematics. The history of cryptography dates back to ancient times when Julius
Caesar created the Caesar cipher to obscure the content of his messages from the messengers who carried
them in the first century B.C. Today, organizations like the National Institute of Standards and
Technology (NIST) continue to develop cryptographic standards for data security.

Core tenets:

Modern cryptography has grown significantly more advanced over time. However, the general idea
remains the same and has coalesced around four main principles.

1. Confidentiality: Encrypted information can only be accessed by the person for whom it is intended
and no one else.

2. Integrity: Encrypted information cannot be modified in storage or in transit between the sender and
the intended receiver without any alterations being detected.

3. Non-repudiation: The creator or sender of encrypted information cannot deny their intention to
send the information.

4. Authentication: The identities of the sender and receiver, as well as the origin and destination of
the information are confirmed.

Common uses for cryptography

1. Passwords:
Cryptography is frequently used to validate password authenticity while also obscuring stored
passwords. In this way, services can authenticate passwords without the need to keep a plain text
database of all passwords which might be vulnerable to hackers.
2. Cryptocurrency:
Cryptocurrencies like Bitcoin and Ethereum are built on complex data encryptions that require
significant amounts of computational power to decrypt. Through these decryption processes, new
coins are “minted” and enter circulation. Cryptocurrencies also rely on advanced cryptography to
safeguard crypto wallets, verify transactions and prevent fraud.

3. Secure web browsing:

When browsing secure websites, cryptography protects users from eavesdropping and
man-in-the-middle (MitM) attacks. The Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
protocols rely on public key cryptography to protect data sent between the web server and client
and establish secure communications channels.

Cryptography practical:

Cryptography is a practical and essential tool for cybersecurity:

• Confidentiality
Cryptography uses encryption to keep data safe from unauthorized access and eavesdroppers. For
example, when you browse a secure website, cryptography protects you from man-in-the-middle
(MitM) attacks.
• Integrity
Cryptographic hash functions ensure that data is not changed from its source to its destination. If
the data is changed, it will be immediately apparent.
• Authentication
Cryptography uses digital signatures and certificates to verify the identity of individuals or systems
involved in communication. This prevents impersonation or spoofing attacks.
• Secure communications
Cryptography protects two-way communications like email, instant messages, and video
conversations. For example, HTTPS uses SSL (Secure Sockets Layer) to ensure a secure channel of
communication between the server and client.
• Secure storage
Encryption can be used to store data securely on devices like USBs, external hard drives, and
memory cards.
• Secure online transactions
Cryptography uses encryption, digital signatures, and authentication protocols to secure online
transactions.
• Secure wireless networks
Cryptography can be used to secure wireless networks from attacks.

Sniffing:
In cybersecurity, sniffing is a malicious activity where an attacker intercepts and analyzes data packets
traveling through a network to gain unauthorized access to sensitive information. This is also known
as a packet sniffing attack or network sniffing.

Sniffing can be used to steal personal data like names, addresses, and phone numbers, as well as
financial information like banking details and login credentials. Attackers can use the captured data to
sell or use in other attacks.

Security Audit:
A security audit is an extensive examination and assessment of an organization’s IT systems. It
highlights weak points and high-risk behaviors to identify vulnerabilities and threats. IT security
audits have the following notable advantages: evaluation of risks and identification of
vulnerabilities.

In addition to evaluating the organization’s capacity to comply with applicable data privacy
requirements, the auditor will examine every aspect of the security posture to identify any
weaknesses.

Internal IT and security teams, as well as external, third-party businesses, undertake these audits. A
comprehensive evaluation provides the business with a clear picture of its systems and valuable
information on how to effectively address risks.

Vulnerability Scanning:
Vulnerability scanning identifies and builds an inventory of all systems and IT assets on a corporate
network. This includes everything from servers, storage, containers, and operating systems down
to basic devices such as printers. All devices will be identified, and the software will reach out and
identify the operating system for each device. It also seeks out and reports on open ports within the
network.

Patch management is a common practice within an IT department, and almost all IT teams have a
defined operation for it. The bigger the business, the more necessary it becomes to identify controls and
provide the proper protection against malicious threats. A familiar example is Microsoft pushing
updates out to your home PC; enterprise patch management does the same, just on a much larger scale.
When a team effectively maintains these controls, they can deliver an IT infrastructure that is secure.

This is especially relevant to software companies, which must make sure the entire network is
secure. When a software company sells an application, it becomes its duty to ensure that the
technology is secure and that security expectations are properly communicated to subscribers. This
is why such companies run vulnerability scans regularly to complement the patching process: the
scan shows, in full transparency, everything that still needs to be secured, and it verifies that
patches already deployed actually closed the gap.
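The check described above, as an added example that is not part of this document: a short Python script that takes a constructed software inventory (the output of asset discovery) and compares each installed version against a constructed advisory list, which is what a vulnerability scanner does after it fingerprints a host. The host names, package versions and advisory identifiers (ADV-0001 and so on) are made up for illustration and are not real CVEs.

```python
"""Added example (not from the original document): matching a discovered
software inventory against an advisory list, the core check a vulnerability
scanner performs after asset discovery. Hosts, packages, versions and the
ADV-* advisory identifiers below are constructed for illustration."""

from dataclasses import dataclass


def parse_version(text):
    """Turn '2.4.51' into (2, 4, 51) so versions compare numerically.

    Plain string comparison would wrongly rank '2.4.9' above '2.4.51'.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # hypothetical identifier, not a real CVE
    package: str
    affected_below: str   # versions strictly older than this are affected
    fixed_in: str
    severity: str


# Constructed advisory feed (a stand-in for NVD or vendor data).
ADVISORIES = [
    Advisory("ADV-0001", "openssh-server", "9.3", "9.3", "high"),
    Advisory("ADV-0002", "apache2", "2.4.58", "2.4.58", "critical"),
    Advisory("ADV-0003", "cups", "2.4.7", "2.4.7", "medium"),
]

# Constructed discovery results: host -> {package: installed version}.
INVENTORY = {
    "web-01": {"apache2": "2.4.57", "openssh-server": "9.6"},
    "print-01": {"cups": "2.4.2", "openssh-server": "8.9"},
    "db-01": {"openssh-server": "9.6"},
}


def scan(inventory, advisories):
    """Return findings as (host, package, installed, advisory_id, severity).

    A finding is raised when the installed version is older than the first
    fixed version; patched or unaffected packages produce nothing.
    """
    findings = []
    for host, packages in sorted(inventory.items()):
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None:
                continue  # package not present on this host
            if parse_version(installed) < parse_version(adv.affected_below):
                findings.append((host, adv.package, installed, adv.advisory_id, adv.severity))
    return findings


def patch_plan(findings):
    """Group findings per host, worst severity first, to drive patch management."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    plan = {}
    for host, pkg, installed, adv_id, severity in sorted(findings, key=lambda f: order[f[4]]):
        plan.setdefault(host, []).append(f"{pkg} {installed} -> fix {adv_id} ({severity})")
    return plan


if __name__ == "__main__":
    for host, actions in patch_plan(scan(INVENTORY, ADVISORIES)).items():
        print(host)
        for action in actions:
            print("  ", action)
```

A plain version comparison like this produces false positives on distributions that backport fixes without changing the upstream version number, which is why production scanners consult distribution-specific advisory data and why a patch-management team should confirm a finding against the package's actual changelog before acting on it.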

DOS:
Denial of Service (DoS) is a cyber-attack on an individual computer or website with the intent of
denying its services to intended users. The purpose is to disrupt an organization's network
operations by denying access to legitimate users. Denial of service is typically accomplished by
flooding the targeted machine or resource with surplus requests in an attempt to overload it so
that some or all legitimate requests cannot be fulfilled; when the flood is sent from many sources
at once it is called a distributed denial of service (DDoS).

Vendor Risk Management:
Vendor risk management (VRM) is a process that helps businesses identify, assess, and reduce risks
associated with working with third-party vendors. VRM is an important part of enterprise risk
management, especially in the context of cyber security, as it helps businesses ensure that third-
party vendors are managing cyber security well.

Vendor Risk Management: Addressing Vendor Risks


Third-Party Legal Risk:
There are many legal risks associated with sharing sensitive information with third parties. For
instance, if your vendor is breached and your customers' personally identifiable information (PII),
such as social security numbers or health-care records, is exposed, data-protection regimes such as
GDPR generally hold you, the organization that collected the data, responsible, not your vendor.
And if you fail to spell out security expectations in your vendor contract, you may have no legal
recourse whatsoever if your vendor compromises your data.

Third-Party Reputational Risk:
So much of third-party vendor risk management is based on reputation. Be sure to ask a lot of
questions at the beginning of the vendor procurement process so that you can weed out the
businesses you'd rather not work with. In addition, monitor news feeds during the procurement
process: you would want to know if a business associate has been hit with a lawsuit while you were
engaged with them, and how that could affect the performance of their contract with you. And don't
forget about the reputational harm that could affect your own company if your customers' sensitive
information is stolen through an insecure vendor.

Third-Party Financial Risk:
Before entering into a business agreement, it is important to be fully aware of a vendor's financial
history and past performance. Companies often conduct credit monitoring to determine this
information, as well as asking for references from other organizations that have done business with
the vendor. This ensures that a company is fully informed about the vendor's standing and proposed
plan before signing a contract.

Third-Party Cyber Risk:
Not every vendor risk needs the same cadence of review. Some, such as financial standing, are
relevant mainly at particular points in the relationship: if you established a vendor's
creditworthiness at the beginning of the process, you will likely feel comfortable about it for the
rest of the engagement, and this is a good example of an element of vendor risk management that
does not require continuous monitoring. Cyber risk is different. A vendor's security posture can
change overnight with a newly published vulnerability, a misconfiguration or a breach, so it must be
monitored continuously for the life of the relationship rather than assessed once at onboarding.

Vendor Risk Management Strategy:

1. Clear Guidelines in Vendor Contracts:
Your vendor risk management strategy should include a contract that outlines the relationship that
will exist between your business and the vendor. Because of the increasingly interconnected nature
of global supply chains and data flows, the guidelines should be explicit: your organization should
know what data is being processed, where it is stored, who has access to it, and who controls
sensitive information.

2. Assessment of Your Vendor's Security Posture:
A key, yet often overlooked, feature of vendor risk management is understanding your vendor's
cybersecurity program. This allows you to understand how well they are going to be able to secure
your data, from both a physical and a cybersecurity perspective. Using a utility company as an
example, a vendor processing HR data through an unsecured port can be just as dangerous as another
vendor leaving a door unlocked at a power substation.

3. Regulation Compliance:
The vendor must also agree to and comply with any regulations that pertain to your industry or
government. Finally, to ensure that all these contract requirements are met, vendor performance must
be monitored on a continuous basis and proactively addressed.

Vendor Risk Management Importance:
Even if your own internal security measures are strong, integrating third-party vendors who don't
follow best practices into your IT infrastructure can pose a big risk to your organization. This is
especially true when those vendors handle confidential, sensitive, proprietary or classified
information. A documented vendor risk management program helps your organization to:

• Mitigate third-party risk. A process for accurately assessing the risk of any new vendor,
reducing your organization’s risk exposure over time.
• Minimize operational disruptions. A clear process for vendor risk management ensures that
each component of your organization knows its role in evaluating third-party risk so that no
processes are overlooked or skipped. This ongoing, proactive approach to vendor risk helps your
organization stay ahead of any breach, attack or security incident, ensuring business continuity.
• Provide better ability to meet regulatory compliance. A streamlined process for onboarding
vendors that includes due diligence makes it easier to evaluate vendor compliance and decide
whether or not to enter into a new business relationship, or to employ measures to remediate the
risk.
• Ensure greater transparency. Since information on vendor risk is open and available across
the organization, executive leadership can work together with your security and business teams
to evaluate the potential impact of risk across the entire vendor ecosystem.

Vendor Risk Management Lifecycle:
Since the level of security risk also varies widely depending on additional factors such as the type of
organization, industry, third-party relationship, technologies, and relevant regulations, organizations
need to continue to employ third-party vendor risk management throughout the lifecycle of the
business relationship.

The lifecycle can be divided into three stages:

1. Onboarding: Due diligence is conducted at the beginning of the vendor relationship to
evaluate whether or not the business should enter into a relationship with the third party
in question.

2. Ongoing monitoring: Security risks are regularly evaluated during the vendor
relationship to ensure the third party is applying the appropriate security controls to
meet the relevant regulations and standards.

3. Offboarding: Vendors who terminate their relationship with your organization must
have a process for disengaging, deleting and transferring sensitive data and information
formerly shared with your organization so that it cannot pose a future threat.

Risk identification:
One of the biggest challenges is in the very first step: identification of the risks. Cybersecurity is a
constantly evolving field, making risk identification a moving target. Nevertheless, a basic approach
has evolved over time that all risk identification methodologies tend to follow:

• Identify your assets.
• Identify the threats to those assets.
• Identify your vulnerabilities to those threats.

Identifying assets:
In order to determine your cyber risk exposure, you need to first decide what your assets are. This
is not as easy as it may seem: you can’t protect everything, so you need to identify the assets that
must be protected, and their priorities.
A series of questions can help to clarify the situation:
• What kind of data do you store in your organization?
• Whose data is it? Yours? Somebody else’s?
• What would be the consequences if something happened to this data?

That last question leads us to the CIA – no, not the Central Intelligence Agency (although they
happen to care about such things, too), but rather the fundamental triad of
cybersecurity: Confidentiality, Integrity and Availability.

Identifying Threats:
Threat analysis involves the identification of potential sources of harm to the assets (information,
data) that you need to protect.

The world is full of threats, and the boundaries between what constitute relevant “cyber threats”
and other kinds of threats will always be unclear. For example, although hacking is clearly a cyber
threat, environmental factors such as flooding and fire could also threaten your data. You will
have to decide how relevant they are to your situation.

Business-related threats constitute an even grayer area regarding their relevance to cybersecurity.
Equipment failure like broken disks could threaten your data. An emerging source of much
preoccupation is supply-chain security: can you be sure that your suppliers are not delivering
malware to you, intentionally or otherwise? Insider threats, e.g. from disgruntled or idealistic
employees (or former employees) who decide to steal or publish your data constitute another
growing cause for concern.

Some of these types of threats may not always seem related to cybersecurity, but the connection
can be subtle. As always, experience is the key to recognizing threats and correctly prioritizing
them.

Identifying Vulnerabilities:
Once threats have been identified, your next task is to identify weaknesses in your overall
cybersecurity environment that could make you vulnerable to those threats.

It may not always be simple to identify weaknesses, their sources and their remedies. For example,
how might you be vulnerable to insider threats? Certainly by failing to revoke the access of an
employee who was in charge of sensitive data when they are dismissed or leave. But you might also
be vulnerable because of insufficient employee cybersecurity awareness: perhaps your employees
innocently choose weak passwords (recall that predictable operator choices, such as repeated or
guessable message settings, were part of how the Enigma cipher was broken in World War II), or are
not sufficiently aware of the dangers of opening attachments to electronic mail messages.

Here are some steps to identify cybersecurity risks:
• Understand threats:
Threats can include hostile attacks, human error, configuration failures, and natural disasters.

• Identify vulnerabilities:
Vulnerabilities are weaknesses in an organization's security procedures, internal controls, or
information systems.

• Consider consequences
Consequences are the negative results that occur when threats exploit vulnerabilities.

• Involve employees:
Employees who are involved in day-to-day operations are often best able to identify risks.

• Consider an external perspective:
An external perspective can be beneficial because employees may not always have a clear
understanding of risks.

Some common sources of cybersecurity risk, both exposures and threat actors, include:

• Insider threats
• Improperly secured intellectual property and sensitive information
• Cyber criminals
• Nation states
• Hacktivists
• Competitors involved in corporate espionage

Once risks have been identified, organizations can use the results to determine how to respond.

Key Steps in Cyber Risk Identification:
• Asset Inventory: Understanding what you need to protect is the starting point. This involves
documenting all hardware, software, and data.

• Threat Modeling: This process involves identifying potential threat sources and scenarios. The
World Economic Forum highlights that "understanding the landscape of threats helps
businesses prioritize defense measures" (World Economic Forum, 2019).

• Vulnerability Assessment: Regularly assess systems for weak spots. This can be through
automated tools or manual testing.

Risk assessment:

Risk assessments are nothing new, and whether you like it or not, if you work in information
security, you are in the risk management business. As organizations rely more on information
technology and information systems to do business, the digital risk threat landscape expands,
exposing ecosystems to new critical vulnerabilities.

The National Institute of Standards and Technology (NIST) has developed a Cybersecurity
Framework, and its Special Publication 800-30 (Guide for Conducting Risk Assessments) describes the
assessment process itself; together they provide a base for risk assessment practices.

Cyber Risk:
Cyber risk is the likelihood of suffering negative disruption to sensitive data, finances or business
operations through online systems, weighted by the damage such a disruption would cause. Cyber
risks are commonly associated with events that could result in a data breach.

Cyber risks are often loosely referred to as security threats, although strictly a threat is the
potential source of harm and the risk is the chance and cost of that harm. Examples of cyber risks
include:
• Ransomware
• Data leaks
• Phishing
• Malware
• Insider threats
• Cyberattacks

There are practical strategies that you can take to reduce your cybersecurity risk.
Though commonly used interchangeably, cyber risks and vulnerabilities are not the same. A
vulnerability is a weakness that can be exploited to gain unauthorized access or cause harm; a cyber
risk combines the probability that a vulnerability will be exploited with the impact if it is.

Perform a Cyber Risk Assessment:
There are several reasons you want to perform a cyber risk assessment and a few reasons you need
to. Let's walk through them:

• Reduction of Long-Term Costs - Identifying potential threats and vulnerabilities and then
mitigating them can prevent or reduce security incidents, saving your organization money and
reputational damage in the long term.

• Provides a Cybersecurity Risk Assessment Template for Future Assessments - Cyber risk
assessments aren't one-off processes; you need to update them continually, and doing a good
first one gives you a repeatable process that survives staff turnover.

• Better Organizational Knowledge - Knowing organizational vulnerabilities gives you a clear idea
of where your organization needs to improve.

• Avoid Data Breaches - Data breaches can have a huge financial and reputational impact on any
organization.

• Avoid Regulatory Issues - Customer data stolen because you failed to comply with HIPAA, PCI
DSS or APRA CPS 234 brings fines and enforcement action on top of the breach itself.

• Avoid Application Downtime - Internal or customer-facing systems must be available and
functioning for staff and customers to do their jobs.

Ideally, organizations should have dedicated in-house teams processing risk assessments. This
means having IT staff with an understanding of how your digital and network infrastructure works,
executives who understand how information flows, and any proprietary organizational knowledge
that may be useful during the assessment.
Small businesses may not have the right people in-house to do a thorough job and must outsource
the assessment to a third party. Organizations are also turning to cybersecurity software to monitor
their security rating, prevent breaches, send security questionnaires and reduce third-party risk.

We'll start with a high-level overview and then drill down into each step in the following sections.

Before you start assessing and mitigating risks, you must understand your data, infrastructure, and
the value of the data you are trying to protect.

Step 1: Determine Informational Value:
Most organizations don't have an unlimited budget for information risk management, so limiting
your scope to the most business-critical assets is best.

To save time and money later, spend some time defining a standard for determining the importance
of an asset. Most organizations include asset value, legal standing, and business importance. Once
the standard is formally incorporated into the organization's information risk management policy,
use it to classify each asset as critical, major, or minor.

Step 2: Identify and Prioritize Assets:
With the classification standard in place, identify the assets to evaluate and determine the scope of
the assessment. This lets you prioritize which assets to assess: you may only want to assess some
buildings, employees, electronic data, trade secrets, vehicles and office equipment. Remember, not
all assets have the same value.

Fig: Vendor Risk Overview

Step 3: Identify Cyber Threats:
A cyber threat is any actor, event or circumstance with the potential to exploit a vulnerability and
breach security, cause harm or steal data from your organization. While hackers, malware and other
IT security risks leap to mind, there are many other threats:

• Natural disasters: Floods, hurricanes, earthquakes, lightning and fire can destroy as much as
any cyber attacker. You can lose not only your data but your servers too. When deciding
between on-premise and cloud-based servers, consider the potential impacts of natural
disasters.

• System failure: Are your most critical systems running on high-quality equipment? Do they
have good support?

• Human error: Are your S3 buckets holding sensitive information properly configured? Does
your organization have proper education policies covering common cybercriminal tactics like
malware, phishing and social engineering?

• Adversarial threats: third-party vendors and suppliers, insiders (including trusted and
privileged insiders), established hacker collectives, ad hoc groups, corporate espionage and
nation-states.

Step 4: Identify Vulnerabilities:
Now it's time to move from what "could" happen to what has a real chance of happening. A
vulnerability is a weakness that a threat can exploit to breach security, harm your organization or
steal sensitive data. Vulnerabilities are found through vulnerability analysis, audit reports, the
National Vulnerability Database (NVD) maintained by NIST, vendor advisories, incident response
teams and software security analysis.

You can reduce software-based vulnerabilities with proper patch management, including automatic
forced updates. But don't forget physical vulnerabilities: the chance of someone gaining access to
an organization's computing systems is reduced by controls such as keycard access.

Identifying vulnerabilities in your ecosystem is significantly simplified with an Attack Surface
Monitoring solution. Attack Surface Management is an effective strategy for minimizing the
number of attack vectors in your digital footprint to reduce your risk of suffering data breaches.

Step 5: Analyze Controls and Implement New Controls:
Analyze controls that are in place to minimize or eliminate the probability of a threat or
vulnerability. Controls can be implemented through technical means, such as hardware or
software, encryption, intrusion detection mechanisms, two-factor authentication, automatic
updates, continuous data leak detection, or through nontechnical means like security policies and
physical mechanisms like locks or keycard access.

Controls should be classified as preventive or detective. Preventive controls attempt to stop attacks
before they succeed, through encryption, firewalls, antivirus, hardening and access control;
detective controls try to discover that an attack has occurred or is under way, through continuous
security monitoring, intrusion detection and continuous data-exposure detection. Many programmes
add a third class, corrective controls such as backups and incident response, which limit the damage
once something has been detected.

Step 6: Calculate the Likelihood and Impact of Various Scenarios on a Per-Year Basis:
Imagine you have a database that stores all your company's most sensitive information, and that
information is valued at $100 million based on your estimates. You estimate that in the event of a
breach at least half of your data would be exposed before it could be contained, resulting in an
estimated loss of $50 million. This per-incident figure is the single loss expectancy (SLE).

But you expect this to be unlikely, say a one-in-fifty-year occurrence, so the annual rate of
occurrence (ARO) is 0.02. The annualized loss expectancy (ALE) is SLE multiplied by ARO: $50
million every 50 years, or $1 million per year. For this scenario it would make sense to treat $1
million per year as the ceiling for what a data breach prevention programme is worth; a control that
costs more than the loss it avoids should not be funded on financial grounds alone.

Step 7: Prioritize Risks Based on the Cost of Prevention Vs. Information Value:
Use risk level as a basis and determine actions for senior management or other responsible
individuals to mitigate the risk. Here are some general guidelines:

• High - corrective measures to be developed as soon as possible.
• Medium - corrective measures to be developed within a reasonable period.
• Low - decide whether to accept the risk or mitigate it.

Remember, you have now determined the asset's value and how much you could spend to protect
it. The next step is easy: if it costs more to protect the asset than it's worth, it may not make sense
to use preventative control to protect it. That said, remember there could be a reputational impact,
not just a financial impact, so it’s essential to factor that in too.

Also, consider the following:


• Organizational policies
• Reputational damage
• Feasibility
• Regulations
• Effectiveness of controls

Step 8: Document Results from Risk Assessment Reports:


The final step is to develop a risk assessment report to support management in deciding on budgets,
policies, and procedures. The report should describe the risk, vulnerabilities, and value of each
threat, along with the impact and likelihood of occurrence and control recommendations.

As you work through this process, you'll understand what infrastructure your company operates,
what your most valuable data is, and how you can better operate and secure your business. You can
then create a risk assessment policy that defines what your organization must do periodically
to monitor its security posture, how risks are addressed and mitigated, and how you will conduct
subsequent risk assessment processes.

Whether you are a small business or a multinational enterprise, information risk management is at
the heart of cybersecurity. These processes help establish rules and guidelines that answer what
threats and vulnerabilities can cause financial and reputational damage to your business and how
they are mitigated.
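Steps 6 to 8 carried out in code, as an added example that is not part of the original document: each scenario gets a single loss expectancy, an annualized loss expectancy, a priority band and a cost-versus-benefit verdict for its proposed control, and the resulting rows are the report of step 8. The first scenario reproduces the document's $100 million database figures; the other scenarios, the control costs, the reduction percentages and the High/Medium/Low thresholds are assumptions.

```python
"""Added example (not from the original document): the quantitative part of
the risk assessment, steps 6 to 8. Asset values, probabilities, control
costs and priority thresholds below are constructed for illustration."""

from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    asset_value: float        # value of the asset at risk, in currency units
    exposure_factor: float    # fraction of the value lost in one incident (0..1)
    annual_rate: float        # expected incidents per year (1/50 = once in 50 years)
    control_name: str
    control_cost: float       # yearly cost of the proposed control
    control_reduction: float  # fraction by which the control cuts the annual rate


def single_loss_expectancy(s):
    """SLE = asset value x exposure factor: the loss from one incident."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s, rate=None):
    """ALE = SLE x ARO: the expected loss per year (optionally at another rate)."""
    aro = s.annual_rate if rate is None else rate
    return single_loss_expectancy(s) * aro


def control_benefit(s):
    """Yearly loss avoided by the control minus its cost (step 7's cost-vs-value test)."""
    residual_rate = s.annual_rate * (1.0 - s.control_reduction)
    avoided = annualized_loss_expectancy(s) - annualized_loss_expectancy(s, residual_rate)
    return avoided - s.control_cost


def priority(s, high=1_000_000, medium=100_000):
    """Map ALE onto the document's High/Medium/Low bands (thresholds are assumptions)."""
    ale = annualized_loss_expectancy(s)
    if ale >= high:
        return "High"
    if ale >= medium:
        return "Medium"
    return "Low"


def assess(scenarios):
    """Step 8: one report row per scenario, highest ALE first."""
    rows = []
    for s in scenarios:
        net = control_benefit(s)
        rows.append({
            "scenario": s.name,
            "sle": single_loss_expectancy(s),
            "ale": annualized_loss_expectancy(s),
            "priority": priority(s),
            "control": s.control_name,
            "net_benefit": net,
            "recommendation": "implement" if net > 0 else "reconsider or accept",
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


# Constructed scenarios; the first reproduces the document's worked figures.
SCENARIOS = [
    Scenario("Breach of sensitive database", 100_000_000, 0.5, 1 / 50,
             "breach prevention programme", 400_000, 0.6),
    Scenario("Ransomware on file servers", 5_000_000, 0.8, 1 / 5,
             "offline backups + EDR", 150_000, 0.75),
    Scenario("Defacement of marketing site", 50_000, 1.0, 1 / 2,
             "WAF subscription", 30_000, 0.9),
]

if __name__ == "__main__":
    for row in assess(SCENARIOS):
        print(f"{row['priority']:6} ALE={row['ale']:>12,.0f} "
              f"{row['scenario']}: {row['control']} -> {row['recommendation']} "
              f"(net {row['net_benefit']:,.0f}/yr)")
```

The third scenario shows the point of step 7: the control is cheap in absolute terms but still costs more than the yearly loss it avoids, so the report recommends accepting the risk or finding a cheaper control rather than funding it. Reputational impact, which the text rightly says must also be weighed, is not captured by these numbers and has to be added by judgement.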

Cybersecurity Exception Handling:
The phrase is used in two related senses. In software, exception handling is the mechanism by which
a program detects and responds to errors or exceptional conditions while it is running. Its purpose is
to keep the program stable and its data consistent when something unexpected happens, instead of
letting the program crash.

Exception handling is security-relevant because an unhandled or badly handled error can take a
service down (a self-inflicted denial of service), leak internal details such as stack traces, file paths
or SQL text to an attacker, or abandon a security check half-way so that the system "fails open". The
secure pattern is to fail closed: catch the error, record the details in an internal log, return a generic
message to the caller, and deny the operation.
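The fail-open versus fail-closed difference, as an added Python example that is not part of the original document. The permission store, the BackendError exception and the user names are constructed; in a real service the store would be a database or an authorization service, which is exactly where unexpected errors come from.

```python
"""Added example (not from the original document): two ways application code
can handle an unexpected error inside a security check, and why one of them is
a vulnerability. The permission store, users and error type are constructed."""

import logging
import uuid

log = logging.getLogger("authz")

# Constructed permission store standing in for a database or authorization service.
PERMISSIONS = {"alice": {"report:read"}, "bob": set()}


class BackendError(Exception):
    """Stands in for a database timeout, broken connection, corrupt record, etc."""


def lookup_permissions(user, backend_up=True):
    if not backend_up:
        raise BackendError("permission store unreachable: db-01:5432 timeout")
    return PERMISSIONS[user]  # KeyError for an unknown user, by design


def authorize_fail_open(user, action, backend_up=True):
    """INSECURE: assumes success and only looks for a reason to deny.

    Any exception (backend down, unknown user) leaves `allowed` at its
    initial True and hands the raw error text to the caller.
    """
    allowed = True
    try:
        if action not in lookup_permissions(user, backend_up):
            allowed = False
    except Exception as exc:
        # Error swallowed; `allowed` is still True and internals leak out.
        return {"allowed": allowed, "warning": str(exc)}
    return {"allowed": allowed}


def authorize_fail_closed(user, action, backend_up=True):
    """SECURE: deny on any error, log the detail internally, answer generically.

    The short reference lets an operator find the full log record without the
    client ever seeing host names, ports or exception text.
    """
    try:
        return {"allowed": action in lookup_permissions(user, backend_up)}
    except (BackendError, KeyError) as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("authz failure ref=%s user=%r action=%r err=%r", ref, user, action, exc)
        return {"allowed": False, "error": "authorization unavailable", "ref": ref}


if __name__ == "__main__":
    for fn in (authorize_fail_open, authorize_fail_closed):
        print(fn.__name__, "backend down:", fn("bob", "report:read", backend_up=False))
        print(fn.__name__, "unknown user:", fn("mallory", "report:read"))
```

The secure version also catches only the exception types it expects; a truly unforeseen error still propagates to a top-level handler that returns a generic 500, which is the correct fail-closed outcome for an authorization path.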
In security operations, cybersecurity exception handling refers to the processes and practices that
organizations implement to manage and respond to unexpected situations or anomalies that arise in
their security systems. Effective exception handling is critical for maintaining the integrity,
confidentiality and availability of information systems. Here is an overview of the key components
and best practices:

Key Components of Cybersecurity Exception Handling:

1. Incident Detection:
o Use of automated monitoring tools to identify unusual activity or breaches.
o Implementation of intrusion detection systems (IDS) and security information and event
management (SIEM) solutions.

2. Logging and Reporting:
o Maintaining detailed logs of security events and anomalies.
o Establishing a clear reporting mechanism for security incidents to ensure timely
communication.

3. Incident Response Plan:
o Developing a comprehensive incident response plan that outlines steps to take when an
exception occurs.
o Defining roles and responsibilities for the incident response team.

4. Risk Assessment:
o Evaluating the impact and likelihood of various types of exceptions.
o Prioritizing responses based on potential risk to the organization.

5. Root Cause Analysis:
o Investigating the underlying causes of exceptions to prevent recurrence.
o Utilizing techniques like the "5 Whys" or fishbone diagrams to identify root causes.

6. Remediation and Recovery:
o Implementing corrective actions to mitigate the impact of exceptions.
o Establishing recovery procedures to restore systems and data to normal operations.

7. Documentation and Review:
o Keeping thorough records of all exceptions and responses for future reference.
o Conducting post-incident reviews to evaluate response effectiveness and identify areas for
improvement.

8. Training and Awareness:
o Providing regular training for staff on recognizing and responding to cybersecurity incidents.
o Fostering a culture of security awareness within the organization.
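An added example (not part of the original document) of component 1, incident detection, in working code: a sliding-window correlation rule of the kind a SIEM runs, applied to a constructed excerpt of OpenSSH-style authentication log lines. The host name, user names and addresses are made up and the rule thresholds are assumptions; the second rule shows why a successful login after a flagged burst must be treated as an incident rather than as the end of the alert.

```python
"""Added example (not from the original document): a SIEM-style correlation
rule for brute-force detection over constructed sshd-style log lines."""

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log excerpt in OpenSSH's syslog wording. Timestamps carry a
# year so they parse unambiguously; real syslog lines usually omit it.
LOG_LINES = """\
2024-03-01T10:00:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03 bastion sshd[4102]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-01T10:00:05 bastion sshd[4103]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:09 bastion sshd[4104]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
2024-03-01T10:00:11 bastion sshd[4105]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
2024-03-01T10:00:14 bastion sshd[4106]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-01T10:00:20 bastion sshd[4107]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2024-03-01T10:05:00 bastion sshd[4108]: Failed password for alice from 198.51.100.20 port 40002 ssh2
2024-03-01T10:05:30 bastion sshd[4109]: Accepted password for alice from 198.51.100.20 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines, threshold=5, window_s=60):
    """Return alerts as (kind, ip, detail).

    Rule 1: `threshold` or more failed logins from one IP inside `window_s`.
    Rule 2: a successful login from an IP already flagged by rule 1, the
    sign that the brute force worked and an incident, not just an alert.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["outcome"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()   # drop failures that fell out of the sliding window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, f"{len(q)} failures in {window_s}s"))
        elif ip in flagged:
            alerts.append(("compromise_suspected", ip,
                           f"login succeeded as {ev['user']} after brute force"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(LOG_LINES):
        print(f"{kind:22} {ip:15} {detail}")
```

The single failed login from 198.51.100.20 never reaches the threshold, so it stays a logged event and not an alert; tuning threshold and window against the organization's normal failure rate is the difference between a usable rule and alert fatigue.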

Best Practices:
• Establish Clear Policies: Define and communicate security policies that include
exception handling procedures.

• Automation: Use automation tools to assist in detection and initial response to incidents.

• Continuous Monitoring: Implement continuous monitoring practices to quickly detect
anomalies.

• Regular Testing: Conduct drills and simulations to test the effectiveness of the incident
response plan.

• Collaboration: Foster collaboration between IT, security, and business units to ensure a
holistic approach to cybersecurity.

Cybersecurity and Privacy:
Cybersecurity involves securing data from unauthorized use or access. Privacy, in terms of data,
refers to how companies collect, manage, store and control the use of the data that you provide, and
to the control you keep over it.

1. Cybersecurity:
o The protection of computer systems, networks, and data from digital attacks,
unauthorized access, and damage. It encompasses various strategies and
technologies to safeguard the integrity, availability, and confidentiality of
information.
2. Privacy:
o The right of individuals to control their personal information and to know how
it is collected, used, and shared. Privacy ensures that personal data is handled
responsibly and that individuals have a say in its use.

Importance:
• Trust: Effective cybersecurity measures foster user trust, essential for businesses that
handle sensitive information.

• Regulatory Compliance: Many regions have stringent data protection regulations (e.g.,
GDPR, CCPA) that mandate both cybersecurity and privacy protections.

• Reputation: Data breaches can severely damage an organization's reputation, affecting
customer loyalty and business operations.

Key Components:

Cybersecurity Components

1. Network Security:
o Firewalls, intrusion detection systems, and virtual private networks (VPNs) help
protect the network from unauthorized access and attacks.

2. Endpoint Security:
o Protects devices (e.g., computers, mobile devices) from threats through
antivirus software, malware detection, and regular updates.

3. Application Security:
o Involves securing applications during development and deployment to prevent
vulnerabilities that could be exploited.

4. Data Security:
o Measures like encryption, tokenization, and access controls protect sensitive
data from unauthorized access and breaches.

5. Incident Response:
o A well-defined plan for detecting, responding to, and recovering from security
incidents, minimizing damage and restoring normal operations.

Privacy Components:

1. Data Collection Practices:
o Organizations must define what data they collect, ensuring it is necessary and relevant to
their operations.

2. User Consent:
o Obtain explicit consent from users before collecting or processing their personal data,
adhering to principles of transparency.

3. Data Minimization:
o Limit data collection to what is necessary, reducing the risk of exposure and enhancing user
privacy.

4. User Rights:
o Implement processes for users to access, correct, or delete their personal data, empowering
them to control their information.

5. Compliance and Governance:
o Establish policies and procedures that comply with relevant data protection laws, ensuring
regular audits and assessments.

Best Practices:

1. Encryption:
o Use strong encryption protocols for data in transit (e.g., HTTPS, TLS) and at rest (e.g., AES
encryption) to protect sensitive information.

2. Access Controls:
o Implement role-based access controls (RBAC) so that only authorized personnel can access
sensitive data and systems, and grant each role no more access than it needs.

3. Regular Training:
o Conduct ongoing training for employees on cybersecurity awareness and data privacy
practices to mitigate human errors.

4. Data Breach Response Plan:
o Develop and test a comprehensive incident response plan that includes procedures for
managing data breaches and communicating with affected individuals.

5. Regular Audits and Assessments:
o Conduct routine audits of both cybersecurity and privacy measures to identify vulnerabilities
and ensure compliance with regulations.
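Best practice 2 in code, as an added example that is not part of the original document: a small role-based access control check that denies by default, scopes each permission to a resource pattern, and writes an audit record for every decision so the audits of practice 5 have something to read. The roles, users and resource names are constructed.

```python
"""Added example (not from the original document): a deny-by-default RBAC
check with resource scoping and an audit trail. Roles, users and resource
names below are constructed."""

from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Permission:
    action: str     # e.g. "read", "update", "delete"
    resource: str   # glob over resource names, e.g. "customer/*"


# Roles map to permissions and users map to roles. Nothing is allowed unless
# some role grants it explicitly, so an empty or unknown user gets nothing.
ROLES = {
    "analyst": {Permission("read", "customer/*")},
    "support": {Permission("read", "customer/*"),
                Permission("update", "customer/*/contact")},
    "dpo": {Permission("read", "customer/*"),
            Permission("delete", "customer/*")},
}
USERS = {"ana": {"analyst"}, "sam": {"support"}, "dana": {"dpo"}, "guest": set()}


@dataclass
class Rbac:
    roles: dict
    users: dict
    audit: list = field(default_factory=list)

    def is_allowed(self, user, action, resource):
        """True only if one of the user's roles grants `action` on `resource`."""
        granted = any(
            perm.action == action and fnmatchcase(resource, perm.resource)
            for role in self.users.get(user, ())
            for perm in self.roles.get(role, ())
        )
        # Every decision, allowed or not, is recorded for later review.
        self.audit.append({"user": user, "action": action, "resource": resource,
                           "decision": "allow" if granted else "deny"})
        return granted

    def denials_for(self, user):
        """Denied attempts by one user: repeated denials are a signal worth alerting on."""
        return [rec for rec in self.audit
                if rec["user"] == user and rec["decision"] == "deny"]


if __name__ == "__main__":
    rbac = Rbac(ROLES, USERS)
    for who, what, where in [("ana", "read", "customer/42"),
                             ("ana", "delete", "customer/42"),
                             ("sam", "update", "customer/42/contact"),
                             ("sam", "update", "customer/42/ssn"),
                             ("guest", "read", "customer/42")]:
        print(who, what, where, "->", "allow" if rbac.is_allowed(who, what, where) else "deny")
```

Because the decision function answers only the exact (user, action, resource) question and never consults anything the caller supplied about their own role, a client cannot escalate by claiming a role; role membership lives server-side in USERS, which is the part a real deployment backs with a directory or identity provider.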

Challenges:
1. Evolving Threat Landscape:
o Cyber threats are constantly changing, requiring organizations to stay updated
on the latest security technologies and practices.

2. Balancing Security and Privacy:
o Organizations must find a balance between implementing security measures and
respecting user privacy, which can sometimes conflict.

3. Compliance Complexity:
o Navigating various regulations and standards across jurisdictions can be
challenging, especially for global organizations.

4. User Awareness:
o Many users are unaware of their rights regarding privacy and data protection,
which can lead to a lack of engagement and cooperation.

The interplay between cybersecurity and privacy is critical for organizations to protect sensitive
information and maintain user trust. By implementing robust cybersecurity measures alongside
comprehensive privacy practices, organizations can create a safer digital environment for everyone
involved.

Security Architecture Practice:

Security architecture is the strategic design of systems, policies and technologies to protect IT and
business assets from cyberthreats. A well-designed security architecture aligns cybersecurity with
the unique business goals and risk-management profile of the organization.

Security teams and attackers are locked in an arms race, each trying to outmaneuver the other. For
organizations to come out ahead, they must shift their risk-management approach from reactive to
proactive. That means building in security from the beginning instead of fixing weaknesses only
after a breach has occurred.

Key Objectives of Security Architecture:
The main objective of cybersecurity architecture is to reduce the risk of security breaches and
protect organizations from threat actors. Embedding security into business operations is a core
element of that goal.

Today's CISOs and their teams grapple with distributed and borderless security environments due
to multicloud, hybrid work, digital transformation, the internet of things (IoT) and other key
business trends. Attack surfaces are growing rapidly alongside these shifts, and adversaries keep
finding new ways to exploit weaknesses:

• Organizations are under constant threat of attack, including denial of service, data theft,
ransomware and extortion.
• Attackers are more sophisticated through the use of automation, machine learning and
artificial intelligence (AI).
• Attackers have access to larger sources of funding, sometimes through government
sponsors or organized crime.
• A distributed workforce increases the risk of internal breaches caused by malicious
insiders and/or negligence or ignorance by employees.

Security architects closely examine existing processes, technologies and models to understand
where there are gaps. They then build a framework to mitigate the potential damage cyberthreats
can inflict.

As today's threat landscape grows in complexity, having a well-designed security architecture is
table stakes for every organization. It's not only a safeguard against modern cyberattacks, but a key
enabler of digital transformation, innovation, customer trust and business growth.

Benefits of Security Architecture:

1. Reduce Security Breaches:
Organizations with a robust cybersecurity architecture don't simply react to breaches when they
occur; they substantially reduce the number and severity of incidents, and prevent many outright.
At the same time, security embedded into an organization's DNA (for example through a Zero Trust
model) makes security a standard part of every development cycle. This closes gaps early and gives
DevOps a lower-risk environment in which to build and innovate, though no architecture makes an
environment risk-free.

2. Speed Up Response Times:
Skilled hackers can easily identify and exploit disconnects in infrastructure. That’s why many of
today’s breaches are the result of breakdowns in security processes.

A strong security architecture closes those gaps and provides protocols in the event of a breach.
Security teams are equipped to respond immediately and eliminate threats — oftentimes with
cybersecurity automation — before they become a larger problem.

3. Improve Operational Efficiency:

Enterprises employ 31.5 cybersecurity tools on average, bolting on more products as needed. But
the increasing complexity of IT infrastructure can often cause gaps in risk posture — on top of
costing time, money and talent to manage the architecture.

An efficient security architecture — such as those built on cybersecurity consolidation — is
designed with fewer products and vendors. Tools are integrated so that critical updates, threat
response and user experiences are all closely managed. This creates a highly scalable cyber
infrastructure that maximizes operational efficiency.

4. Comply with Industry Regulations:

Organizations everywhere around the world adhere to the regulations set by their region and
industry. For example, healthcare providers in the US must comply with HIPAA regulations, while
businesses in the EU must meet GDPR requirements.

Creating a strong security architecture and incorporating security into every part of the organization
not only helps prevent cyberattacks but also ensures compliance with relevant authorities and
regulations.

Practices for Security Architecture:

1. Develop a Strategy:
Map the current environment, establish objectives, determine the approach and develop the
framework. Solicit input from key stakeholders, including the executive suite, lines of business,
DevOps, IT and more. Have the CISO and cyber team spearhead the effort.

2. Establish Key Objectives and Milestones:
Assess the plan for meeting key objectives. This may include cybersecurity consolidation; increased
use of automation, AI and machine learning; Zero Trust; compliance; endpoint protection; and
preventing known and unknown zero-day threats in real time.

3. Train the Organization:

Communicate the plan across the organization, establish education and training programs and use
the architecture as a tool for building a cybersecurity culture within the enterprise. Continue
collaboration and information sharing on an ongoing basis.

4. Run Tests and Audits:

Conduct regular security assessments and audits and combine them with regular incident response
planning and testing.

5. Stay on Top of the Latest Threats:

Keep up with evolving cyberthreats and technologies and be particularly reactive to new types of
threats in real time as your threat intelligence platform detects them.

Cyber Threats and Response:

Cyber threats are acts that can harm a business or organization by disrupting systems, stealing data,
or causing other damage. Cyber threats can come from a variety of sources, including hackers,
terrorist groups, and even trusted employees.

Malware:
Malware is malicious software and refers to any software that is designed to cause harm to computer
systems, networks, or users. Malware can take many forms. Individuals and organizations need to
be aware of the different types of malware and take steps to protect their systems, such as using
antivirus software, keeping software and systems up-to-date, and being cautious when opening
email attachments or downloading software from the internet.

Malware is designed to harm and exploit your computer or network. It can steal sensitive
information like passwords and credit card numbers, disrupt your system’s operations, and even
allow attackers to gain unauthorized access to your device.

Some types of malware, such as ransomware, encrypt your files and demand payment to unlock
them, while spyware monitors your activities and sends the information back to the attacker.
Additionally, malware can spread to other devices on the same network, making it a significant
threat. Protecting your devices with up-to-date antivirus software and being cautious about the
links and attachments you open can help mitigate these risks.

Cybercriminals use malware, including all forms of malicious software such as viruses, for various
purposes:
• Using deception to induce a victim to provide personal information for identity theft
• Theft of customer credit card information or other financial information
• Taking over several computers and using them to launch denial-of-service attacks
against other networks
• Using infected computers to mine for cryptocurrencies like bitcoin.

Types of Malware:

1. Trojan horse:
A Trojan horse is malware that carries out malicious operations under the appearance of a
desired operation such as playing an online game. A Trojan horse differs from a virus because
the Trojan binds itself to non-executable files, such as image files and audio files.

2. Worms:
Worms replicate themselves on the system, attaching themselves to different files and looking
for pathways between computers, such as a computer network that shares common file storage
areas. Worms usually slow down networks. A virus needs a host program to run, but worms can
run by themselves. After a worm infects a host, it is able to spread very quickly over the
network.

3. Viruses:
A Virus is a malicious executable code attached to another executable file. The virus spreads
when an infected file is passed from system to system. Viruses can be harmless or they can
modify or delete data. Opening a file can trigger a virus. Once a program virus is active, it will
infect other programs on the computer.

4. Spyware:
Its purpose is to steal private information from a computer system for a third party. Spyware
collects information and sends it to the hacker.

5. Ransomware:
Ransomware holds a computer system or the data it contains hostage until the victim makes a
payment. Ransomware encrypts data in the computer with a key that is unknown to the user.
The user has to pay a ransom (price) to the criminals to retrieve the data. Once the amount is paid
the victim can resume using his/her system.

6. Logic Bombs:
A logic bomb is a malicious program that uses a trigger to activate the malicious code. The logic
bomb remains non-functioning until that trigger event happens. Once triggered, a logic bomb
executes malicious code that causes harm to a computer. Cybersecurity specialists recently
discovered logic bombs that attack and destroy the hardware components in a workstation or
server, including the cooling fans, hard drives, and power supplies. The logic bomb overdrives
these devices until they overheat or fail.

Malware poses significant risks to both individuals and organizations, requiring proactive measures
for protection and removal. Utilizing a combination of antivirus and anti-malware tools with software
updates can effectively protect systems. While detecting and removing malware can be time-
consuming and costly, the benefits of enhanced security, data protection, and increased productivity
outweigh the cost.

Cyber security governance:

Cyber security governance describes the way a company manages its information security needs.
Ideally, it protects the integrity, confidentiality, and availability of information. IT managers begin by
identifying all possible risks. They then design proactive policies and frameworks to tackle these
issues at the source.

Information security governance transcends systems and databases. A more holistic approach also
ensures employees understand the importance of confidentiality and their role in maintaining it.

Building a governance system requires an in-depth analysis of an organization's information, storage
needs, and security status. These are the five main areas managers need to cover when evaluating
their organizations' information security governance needs.
1. Information Security Strategy:
Managers must create a well-defined plan that aligns well with organizational goals. This strategy
should outline the overall approach for managing and protecting information assets.

2. Policies and Procedures:

Employees need comprehensive and up-to-date policies to help organizations safeguard data. For
example, the effectiveness of multi-factor authentication has dropped from 99% to as little as 30%.
Companies must update policies to match these and other changes.

3. Risk Management:
You can’t manage risk without first identifying the threats present. IT managers should follow a basic
process to address this:

• Identify the potential risks.
• Assess the organization’s exposure to these risks.
• Implement solutions that mitigate these risks.
• Monitor and review how well these solutions protect the organization.

4. Compliance and Audit:

Failure to comply is expensive. In 2022, Morgan Stanley Smith Barney paid a $35 million
settlement to resolve SEC charges of failing to protect personal information. Effective managers
conduct regular audits and assessments to ensure compliance.

Social Engineering:

Social engineering represents a paradigm shift in cyber attacks, shifting the focus from technological
vulnerabilities to exploiting the inherent trust and fallibility of human nature. Through captivating
lectures and real-world case studies, students unravel the myriad forms of social engineering attacks,
from phishing and pretexting to baiting and tailgating. By dissecting the anatomy of these attacks,
students gain invaluable insights into the subtle art of persuasion and manipulation that underpins social
engineering tactics.

Organizations should also establish a clear set of security policies to help employees make the best
decisions when it comes to social engineering attempts. Examples of useful procedures to include are:

• Password management: Guidelines such as the number and type of characters that each
password must include, how often a password must be changed, and even a simple rule that
employees should not disclose passwords to anyone, regardless of their position, will help
secure information assets.
• Multi-factor authentication: Authentication for high-risk network services such as modem
pools and VPNs should use multi-factor authentication rather than fixed passwords.
• Email security with anti-phishing defenses: Multiple layers of email defenses can minimize
the threat of phishing and other social-engineering attacks. Some email security tools have
anti-phishing measures built in.

Types of social engineering attacks:

1. Phishing:

Phishing scams are the most common type of social engineering attack. They typically take the form of
an email that looks as if it is from a legitimate source. Sometimes attackers will attempt to coerce the
victim into giving away credit card information or other personal data. At other times, phishing emails
are sent to obtain employee login information or other details for use in an advanced attack against their
company. Cybercrime attacks such as advanced persistent threats (APTs) and ransomware often start
with phishing attempts.

Other examples of phishing you might come across are spear phishing, which targets specific individuals
instead of a wide group of people, and whaling, which targets high-profile executives or the C-suite.

2. Watering hole attacks:

Watering hole attacks are a very targeted type of social engineering. An attacker will set a trap by
compromising a website that is likely to be visited by a particular group of people, rather than
targeting that group directly. An example is industry websites that are frequently visited by
employees of a certain sector, such as energy or a public service. The perpetrators behind a watering
hole attack will compromise the website and aim to catch out an individual from that target group.
They are likely to carry out further attacks once that individual's data or device has been
compromised.

3. Business email compromise attacks:

Business email compromise (BEC) attacks are a form of email fraud where the attacker masquerades
as a C-level executive and attempts to trick the recipient into performing their business function, for
an illegitimate purpose, such as wiring them money. Sometimes they go as far as calling the
individual and impersonating the executive.

4. USB baiting:

USB baiting sounds a bit unrealistic, but it happens more often than you might think. Essentially
what happens is that cybercriminals install malware onto USB sticks and leave them in strategic
places, hoping that someone will pick the USB up and plug it into a corporate environment, thereby
unwittingly unleashing malicious code into their organization.

Cyber security forensics:

Cyber forensics is an end-to-end investigative process that includes data acquisition; analysis and
knowledge extraction; documentation; and reporting and presentation in an acceptable
format — all according to the court of law or organizational policies.

Cyber forensics is important for legal compliance and to enforce auditing policies to maintain
the integrity of information. Additionally, it plays a major role in correlating a sequence of actions,
which may contribute to criminal behavior.

In cyber forensics, you’ll typically uncover the following crucial pieces of information:

• Which users contributed to specific actions
• Details on action sequences performed, authorized, or related to the user
• Information logs and metadata details such as time, file type, size, and volume of data
• The information content such as audio, video, and text files
• The technologies involved.

Cyber forensics requires measures that go far beyond a standard data collection process. That’s
because required information in a legal setting may not be immediately available. How is it different?
Well, it needs recovering and reproduction, authentication and verification, and analysis to connect
the available data insights with the appropriate user and their actions.

While the underlying data records may be present, InfoSec experts may require additional access
authorization such as instructions from senior executives, external auditors, and court subpoenas to
extract insights into a structured investigative report.

Phases in a cyber forensics procedure:

Cyber forensics typically follows predefined procedures for extracting information and generating a
structured evidence report:
1. Identification. Determining which evidence is required for the purpose.
2. Preservation. Deciding how to maintain the integrity and security of extracted
evidence.
3. Analysis. Understanding the insights the information does (and does not) provide.
4. Documentation. Creating and recovering data to describe the sequence of actions.
5. Presentation. Offering a structured overview of the extracted insights that lead to a
conclusion.

At all stages of the cyber forensics process, investigators have to follow procedures that satisfy the
comprehensiveness, objectivity, authenticity, and integrity of information uncovered during the
investigation.
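The Preservation and Analysis phases above, as an added example that is not part of the original document: the block hashes a constructed evidence file at acquisition, records chain-of-custody entries, and re-verifies the hash before analysis so that any change to the evidence is detected. The function names, the log fields and SHA-256 as the integrity hash are assumptions.

```python
"""Evidence preservation helper (added example, not part of the original document).

Assumptions: evidence is a local file, SHA-256 is the integrity hash, and the
chain-of-custody log is an in-memory list of dicts. All names are hypothetical.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path: str) -> str:
    """Hash in 1 MiB chunks so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(path: str, custodian: str, custody_log: list) -> dict:
    """Identification/preservation: record what was collected, by whom, and its hash."""
    entry = {
        "action": "acquire",
        "path": path,
        "size": os.path.getsize(path),
        "sha256": sha256_of_file(path),
        "custodian": custodian,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    custody_log.append(entry)
    return entry


def verify(path: str, custodian: str, custody_log: list) -> bool:
    """Re-hash the evidence before analysis and compare with the acquisition hash.
    A 'verify' entry is appended either way, so every hand-off is on the record."""
    original = next(e for e in custody_log
                    if e["action"] == "acquire" and e["path"] == path)
    current = sha256_of_file(path)
    matches = current == original["sha256"]
    custody_log.append({
        "action": "verify",
        "path": path,
        "sha256": current,
        "matches_acquisition": matches,
        "custodian": custodian,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    })
    return matches


def demo() -> tuple:
    """Constructed scenario: acquire a file, verify it intact, then alter one byte
    and verify again.  Returns (first_check, second_check, custody_entries)."""
    custody_log = []
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "mailbox_export.bin")  # constructed sample
        with open(evidence, "wb") as fh:
            fh.write(b"constructed evidence bytes\n" * 100)
        acquire(evidence, "analyst-A", custody_log)
        intact = verify(evidence, "analyst-B", custody_log)
        with open(evidence, "ab") as fh:  # simulate tampering after acquisition
            fh.write(b"x")
        still_intact = verify(evidence, "analyst-B", custody_log)
    return intact, still_intact, len(custody_log)


if __name__ == "__main__":
    print(demo())  # (True, False, 3)
```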

Challenges with cyber forensics:

Cyber forensics experts extract data from a variety of sources: any technology that may be used by
an end user. These include mobile devices, cloud computing services, IT networks, and software
applications.

Distinct vendors develop and operate these technologies. The technology limitations and privacy
measures tend to restrict the investigative capacity of an individual InfoSec expert as they face the
following challenges:
• Data recovery. If the data is encrypted, the investigator will not be able to decrypt the
information without access to encryption keys. New storage tools such as SSD devices may
not offer immediate factory access to recover lost data, unlike traditional magnetic tape and
hard disk drive systems.
• Visibility into cloud system. Investigators may only have access to metadata but not the
information content of the files. The underlying resources may be shared and allocated
dynamically. That lack of access to physical storage systems means that third-party
investigators might not recover lost data.
• Network log big data. Network log data grows exponentially and requires advanced analytics
and AI tools to connect the dots and find insightful relationships between networking activities.
• Multi-jurisdiction data storage. If the data is stored in a different geographic location, cyber
forensics investigators may not have the legal authority to access the required information.

Phishing Email Simulator:

A phishing simulator is a tool that helps organizations test and strengthen their defenses against
phishing attacks. It simulates different types of phishing attacks, such as emails, links or attachments,
in a controlled and safe environment.

Features:
Mirrors real-world cyber threats:
From fraudulent shipping confirmation messages to suspicious gift card and refund offers, Terranova
Security phishing templates replicate real-life attacks that can occur at any time.

Easy-to-use interface:
The Terranova Security Awareness Platform makes creating, deploying, and monitoring simulated
threat scenarios simple from start to finish.
Customizable phishing scenarios:
Administrators can customize any aspect of selected Terranova Security phishing scenarios, from the
phishing email message to the CSS styling of the fake landing page.

Data-driven performance measurement:
Make informed, data-driven decisions regarding your phishing awareness strategy with in-depth
analytics and reporting capabilities.

Types of phishing:
1. Email:
In an email phishing attack, a sense of urgency is predominant. Scammers send out legitimate-
looking emails to multiple recipients, encouraging them to modify their passwords or update
personal information and account details.

2. Smishing:
This phishing tactic closely resembles phishing emails. Hackers try to steal confidential
information from individuals by sending text messages insisting they respond or take further
action. If the individual refuses to do so, the criminals sometimes go as far as threatening them.

3. Spear Phishing:
This tactic requires the use of emails to conduct an attack against a particular individual or
business. The criminal acquires personal information about their target and uses it to send them a
personalized and trustworthy email.

4. CEO Fraud:
Cyber criminals send emails pretending to be a C-level executive or simply a colleague, usually
requesting a fund transfer or tax information.

Investigation:
Digital forensics plays a crucial role in cyber crime investigations, collecting, preserving, and
analyzing digital evidence. Methods used to identify malicious software involve malware detection
tools such as anti-virus software, intrusion detection systems, and sandbox environments for
dynamic malware analysis.

Key Takeaways:
• Cyber crime investigations are critical in modern digital security, involving multiple
entities like the FBI and Secret Service, who apply traditional techniques and digital
forensics to tackle crimes like hacking, phishing, and data breaches.
• Effective cyber crime investigation requires public-private collaboration and
international cooperation to overcome challenges like jurisdictional issues and the
continuous evolution of technology used by cyber criminals.
• Prevention and response strategies are essential to mitigate cyber crime risks, including
implementing security measures, developing incident response plans, educating
stakeholders, and maintaining robust cyber crime reporting platforms like the IC3.

The Investigation Process:

Let’s examine the investigation process in detail. The preliminary procedures involve:
• Evaluating the situation
• Carrying out an initial inquiry
• Identifying potential evidence
• Securing devices
• Obtaining requisite court orders
• Thoroughly analyzing the gathered information

It’s akin to piecing together a complex puzzle, requiring meticulous attention to detail
and analytical prowess.

The process also involves the use of specific tools and techniques.

Tools and Techniques:

1. Digital Forensics:
Digital forensics is like the DNA analysis of the cyber world, playing a pivotal role in investigating
cyber crimes, preventing data breaches, and aiding law enforcement in locating perpetrators. It
involves the identification, preservation, analysis, and documentation of digital evidence for use in
court.

2. Tracking Malicious Software:

Tracking malicious software, or malware, is a key technique in cyber crime investigations. It helps
identify the source and distribution of malware, aiding in the identification and prosecution of cyber
criminals.

3. Analyzing Financial Transactions:

Financial transaction analysis in cyber crime investigations is another vital tool. It encompasses the
identification of fraudulent cyber activities, estimation of financial losses, and the use of various
tools and methods to analyze suspicious financial transactions.

Attestation:
Identity and access attestation is a process that involves verifying and validating the identity of
individuals and managing their access to systems, applications or resources within an organization.
It ensures that only authorized individuals have appropriate access privileges based on their roles
and responsibilities.

Access attestation:
1. Identity Provisioning: The process begins with identity provisioning, where an individual's
identity is created within the organization's identity management system. This involves capturing
and storing relevant information, such as name, contact details, job title and department. The
identity is assigned a unique identifier, often in the form of a username or employee ID.
2. Role-Based Access Control (RBAC) Design: RBAC is a common approach used to manage
access privileges based on job roles. The organization defines different roles and associated
permissions that individuals can be assigned. This step involves analyzing job functions,
responsibilities and access requirements to establish appropriate role definitions.
3. Access Request and Approval: When an individual joins the organization or changes roles,
they may need access to specific systems or resources. In this step, the individual submits an
access request specifying the required access rights. The request is typically routed to the
appropriate manager or supervisor for review and approval. The manager evaluates the access
request against the individual's job responsibilities and approves or denies access accordingly.
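The three attestation steps above (identity provisioning, RBAC design, access request and approval), as an added example that is not part of the original document: it compares each identity's current entitlements with what its roles justify, reports excess and missing permissions for the reviewer, and routes an access request to the manager of record. The role names, permission strings, users and the `Identity` record are constructed assumptions.

```python
"""Access attestation review (added example, not from the original document).

Assumptions: role definitions map to permission strings, each user's current
entitlements were exported from the identity system, and the user's recorded
manager is the approver.  All roles, users and permission names are constructed.
"""
from dataclasses import dataclass

# Step 2, RBAC design: the organization's role definitions (constructed sample).
ROLE_PERMISSIONS = {
    "accounts-payable": {"erp:invoice:read", "erp:invoice:approve"},
    "helpdesk": {"ad:password:reset", "ticketing:read"},
    "developer": {"git:push", "ci:run"},
}


@dataclass
class Identity:
    """Step 1, identity provisioning: the record the identity system holds."""
    user_id: str
    manager: str
    roles: set
    entitlements: set  # what the account actually holds today


def expected_permissions(identity: Identity) -> set:
    """Permissions the user's roles justify; unknown roles justify nothing."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in identity.roles))


def attest(identity: Identity) -> tuple:
    """Return (excess, missing).  Excess entitlements are the attestation finding:
    the reviewer must revoke them or document a justification."""
    expected = expected_permissions(identity)
    return identity.entitlements - expected, expected - identity.entitlements


def review_access_request(identity: Identity, requested: set, approver: str) -> tuple:
    """Step 3, access request and approval: only the recorded manager may approve,
    and only permissions covered by the user's roles are granted."""
    if approver != identity.manager:
        return "denied", "approver is not the user's manager of record"
    unjustified = set(requested) - expected_permissions(identity)
    if unjustified:
        return "denied", "not covered by roles: " + ", ".join(sorted(unjustified))
    return "approved", "consistent with roles: " + ", ".join(sorted(identity.roles))


def attestation_campaign(users: list) -> dict:
    """Run attest() over every identity and produce a per-user findings report."""
    report = {}
    for user in users:
        excess, missing = attest(user)
        report[user.user_id] = {"excess": sorted(excess), "missing": sorted(missing)}
    return report


# Constructed sample: u1001 kept a developer permission after moving to finance.
SAMPLE_USERS = [
    Identity("u1001", "m200", {"accounts-payable"},
             {"erp:invoice:read", "erp:invoice:approve", "git:push"}),
    Identity("u1002", "m200", {"helpdesk"}, {"ad:password:reset"}),
]

if __name__ == "__main__":
    for uid, finding in attestation_campaign(SAMPLE_USERS).items():
        print(uid, finding)
    print(review_access_request(SAMPLE_USERS[1], {"ticketing:read"}, "m200"))
```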

Linux:
Linux is an operating system that was developed as an alternative to other existing but
expensive operating systems, especially Unix, Windows, Mac OS, MS-DOS, Solaris and others. When
Linus Torvalds was studying at the University of Helsinki, he decided to create his own operating
system and keep it open source so that users from around the world could contribute their
suggestions for improvements.

Features:
Open Source:
• Transparency: The source code is freely available for anyone to view, modify, and
distribute.
• Community Driven: Contributions from developers worldwide lead to continuous
improvement and innovation.

Multiuser and Multitasking:
• Multiple Users: Supports multiple users accessing the system simultaneously with
different permissions.
• Multitasking: Can run multiple processes at once, allowing for efficient resource
management.

Security:
• User Permissions: Utilizes a permission-based model to restrict access to files and
processes.
• Built-in Tools: Tools like SELinux and AppArmor enhance security by enforcing
access controls.

File System Hierarchy:
• Standardized Structure: Uses a hierarchical file system structure, making file
organization intuitive.
• Mounting File Systems: Allows dynamic mounting and unmounting of file systems.

Software Management:
• Package Managers: Tools like APT, YUM, and Pacman facilitate easy installation,
update, and management of software.
• Repositories: Access to extensive repositories of software, both free and commercial.

Kali Linux:
Kali Linux, known initially as BackTrack Linux, is a free and open-source Linux-based operating
system geared toward advanced penetration testing and security auditing. Kali Linux has hundreds of
tools that perform different information security activities, including penetration testing, security
research, computer forensics, and reverse engineering.
It is a cross-platform solution that is easily accessible and offered for free to information security
experts and enthusiasts. Debian has been a very reliable and stable distribution for many years,
offering a solid base for the Kali Linux desktop.

Features of Kali Linux:

• Pre-installed Tools: The latest version of Kali Linux has over 600 penetration tools pre-
installed. After thoroughly examining each tool offered in BackTrack, developers deleted
many scripts that did not work or copied other services that provided the same or comparable
functionality.
• Safe Development Team: The Kali Linux team comprises a small number of people who are
the only ones trusted to contribute packages and communicate with the repository, all while
utilizing various security protocols. Restricting access of essential codebases to external
assets substantially minimizes the danger of source contamination.
• Multilingual OS: Although penetration tools are often designed in English, Kali's developers
have ensured that it contains genuine multilingual support, allowing more users to work in
their local language and locate the tools they require for their penetration testing journey.
• ARM Support: Kali Linux is accessible on a broad range of ARM devices, and ARM
repositories are integrated with the mainline version, so the tools mentioned above are
updated in tandem with the rest of the distribution.

TCP/IP Concepts:

TCP/IP allows computers on the same network to identify and communicate with each other. TCP/IP
is a two-layer protocol, with the transport layer (TCP) responsible for reliable end-to-end
communication and the Internet layer (IP) accountable for routing packets from host to host.

1. Overview of TCP/IP

• Layered Architecture: TCP/IP is structured in layers (Application, Transport, Internet,
and Link) that facilitate modularity and interoperability.

• Protocols: Key protocols include TCP, UDP (User Datagram Protocol), IP, HTTP(S),
FTP, SMTP, and others.

2. Vulnerabilities in TCP/IP

• Packet Sniffing: Unencrypted traffic can be intercepted and analyzed using packet-
sniffing tools.

• IP Spoofing: Attackers can forge source IP addresses to impersonate another device.

• Man-in-the-Middle Attacks: Attackers can intercept and alter communication
between two parties.

• Denial of Service (DoS): Overloading a target with excessive requests can disrupt
services.

3. Security Measures

• Firewalls: Control incoming and outgoing network traffic based on predetermined
security rules. They can filter traffic at various layers.

• Intrusion Detection and Prevention Systems (IDPS): Monitor network traffic for
suspicious activity and respond to potential threats.

• Encryption: Protocols like SSL/TLS secure data transmitted over TCP/IP by
encrypting it, protecting against eavesdropping and tampering.

4. TCP/IP Protocol Security

• IPsec (Internet Protocol Security): Provides end-to-end encryption and authentication
at the IP layer, securing IP packets.

• TLS (Transport Layer Security): Secures data transmission over applications like
HTTP (HTTPS) and ensures data integrity and confidentiality.

• SSH (Secure Shell): Secures remote login and command execution, providing
encrypted communications over an unsecured network.

5. Network Segmentation

• Subnets: Dividing a network into smaller subnets can help contain breaches and limit
the lateral movement of attackers.

• Virtual LANs (VLANs): Segregate traffic within a network, enhancing security by
isolating sensitive data.

6. Monitoring and Logging

• Traffic Analysis: Continuous monitoring of TCP/IP traffic can help detect anomalies
that might indicate a security incident.

• Log Management: Collecting and analyzing logs from network devices and servers
can provide insights into security events and help with forensic investigations.

7. Incident Response

• Network Forensics: Involves analyzing TCP/IP traffic during an incident to determine
the cause and impact of a breach.

• Response Plans: Establishing protocols for responding to incidents involving TCP/IP
vulnerabilities is essential for minimizing damage.

Reconnaissance and information gathering:

Cyber reconnaissance is a process that threat actors use to find vulnerabilities and attack paths.
During reconnaissance, attackers collect data about their victims and try to avoid being detected by
their target's security team or software.

To perform reconnaissance before carrying out an attack, hackers must determine how far the target
network extends and collect data like open network ports, services running on the ports, and an
overall map of the network. At the same time, the hackers also try to stay unnoticed during the entire
reconnaissance process.

Active vs Passive Reconnaissance:

The two major approaches to reconnaissance — active and passive — have different strategies and
can both be useful for threat actors. Also, pentesters often combine these two approaches to
assess vulnerabilities and prevent harmful exploitation.
Active Reconnaissance:
In active reconnaissance strategies, the attackers directly interact with the targeted machines to
enumerate exploitable data. Ping probes, port scanning, or traceroute are a few examples of actively
hunting for routes to access sensitive resources and systems. Because active reconnaissance involves
touching a system directly, it is easier for the target to notice the activity. Active reconnaissance
is riskier than passive.

Passive Reconnaissance:
Passive reconnaissance is the opposite: attackers don’t engage but instead collect data indirectly. This
involves techniques including, but not limited to, Google dorks, open source intelligence (OSINT),
advanced Shodan searches, WHOIS data, and packet sniffing. Passive reconnaissance can also
include non-digital forms of snooping, such as monitoring buildings for weaknesses, eavesdropping
on conversations, and stealing written credentials.
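The Monitoring and Logging measures above (traffic analysis that detects anomalies) and the port scanning described under active reconnaissance, as one added defensive example that is not part of the original document: it parses a hypothetical firewall log format (constructed lines using documentation-range addresses) and flags a source that touches many distinct ports on one host within a short window, which is how a security team notices active reconnaissance rather than waiting for the follow-on attack. The log format, field names and thresholds are assumptions.

```python
"""Port-scan detection over firewall log lines (added example, not from the original document).

Assumptions: a hypothetical log format "<ISO-8601 UTC> ALLOW|DENY src=.. dst=.. dport=.. proto=..";
a source touching many distinct ports on one host inside a short window is flagged.
All log lines are constructed; the IP addresses are documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so one bad line cannot stop the run."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10) -> dict:
    """Flag (src, dst) pairs where one source touches >= min_ports distinct
    destination ports on one host within `window`.  Returns {pair: max_ports_seen}."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:  # slide the window start
                left += 1
            ports = {port for _, port in evs[left:right + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


def constructed_sample_log() -> list:
    """Three constructed sources: a fast scan, a normal HTTPS client, and a slow probe."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def stamp(delta):
        return (base + delta).strftime(TS_FMT)

    lines = []
    for i in range(15):  # 15 ports in 15 seconds: should be flagged
        lines.append(f"{stamp(timedelta(seconds=i))} DENY src=198.51.100.7 "
                     f"dst=10.0.0.5 dport={20 + i} proto=tcp")
    for i in range(20):  # one port, many connections: normal traffic
        lines.append(f"{stamp(timedelta(seconds=i))} ALLOW src=192.0.2.10 "
                     f"dst=10.0.0.5 dport=443 proto=tcp")
    for i in range(12):  # 12 ports spread over 36 minutes: below the window threshold
        lines.append(f"{stamp(timedelta(minutes=3 * i))} DENY src=203.0.113.9 "
                     f"dst=10.0.0.5 dport={100 + i} proto=tcp")
    lines.append("malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    print(detect_port_scans(constructed_sample_log()))  # {('198.51.100.7', '10.0.0.5'): 15}
```

A slow scan that stays under the threshold inside any single window (the third source) is invisible to this rule; catching it needs a longer window or a lower per-window threshold, which is the usual tuning trade-off against false positives.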

Penetration Testing:

Penetration testing, often referred to as pen testing or ethical hacking, involves simulated cyber
attacks against computer systems, networks, or applications to identify and exploit vulnerabilities
before malicious actors do. Through immersive lectures, hands-on labs, and simulated scenarios,
students gain invaluable insights into the art and science of penetration testing.

The module commences with an exploration of penetration testing methodologies, encompassing a
systematic approach to identifying, prioritizing, and exploiting vulnerabilities in target systems.
From reconnaissance and information gathering to vulnerability assessment, exploitation, and post
exploitation, students learn how to conduct thorough and methodical penetration tests that mimic real
world attack scenarios.

Types of pen testing:

All penetration tests involve a simulated attack against a company's computer systems. However,
different types of pen tests target different types of enterprise assets.

1. Application pen tests:


Application pen tests look for vulnerabilities in apps and related systems, including web applications
and websites, mobile and IoT apps, cloud apps, and application programming interfaces (APIs).

2. Network pen tests:
Network pen tests attack the company's entire computer network. There are two broad types of
network pen tests: external tests and internal tests.

In external tests, pen testers mimic the behavior of external hackers to find security issues in internet-
facing assets like servers, routers, websites, and employee computers. These are called “external
tests” because pen testers try to break into the network from the outside.

3. Hardware pen tests:


These security tests look for vulnerabilities in devices connected to the network, such as laptops,
mobile and IoT devices, and operational technology (OT).

Pen testers may look for software flaws, like an operating system exploit that allows hackers to gain
remote access to an endpoint. They may look for physical vulnerabilities, like an improperly secured
data center that malicious actors might slip into. The testing team may also assess how hackers might
move from a compromised device to other parts of the network.

4. Personnel pen tests:


Personnel pen testing looks for weaknesses in employees' cybersecurity hygiene. Put another way,
these security tests assess how vulnerable a company is to social engineering attacks.

Personnel pen testers use phishing, vishing (voice phishing), and smishing (SMS phishing) to trick
employees into divulging sensitive information. Personnel pen tests may also evaluate physical office
security. For example, pen testers might try to sneak into a building by disguising themselves as
delivery people. This method, called "tailgating," is commonly used by real-world criminals.

The penetration testing process:


Before a pen test begins, the testing team and the company set a scope for the test. The scope outlines
which systems will be tested, when the testing will happen, and the methods pen testers can use. The
scope also determines how much information the pen testers will have ahead of time:

• In a black-box test, pen testers have no information about the target system. They
must rely on their own research to develop an attack plan, as a real-world hacker
would.

• In a white-box test, pen testers have total transparency into the target system. The
company shares details like network diagrams, source codes, credentials, and more.

• In a gray-box test, pen testers get some information but not much. For example, the
company might share IP ranges for network devices, but the pen testers have to probe
those IP ranges for vulnerabilities on their own.

Email spoofing:
Email spoofing is a threat that involves sending email messages with a fake sender address. Email
protocols cannot, on their own, authenticate the source of an email. Therefore, it is relatively easy
for a spammer or other malicious actors to change the metadata of an email.

Email spoofing takes advantage of the fact that email, in many ways, is not very different from regular
mail. Each email has three elements: an envelope, a message header, and a message body. An email
spoofer puts whatever they want into each of those fields, not just the body and “To:” fields. This
means they can customize the information in the following fields:
• Mail from:
• Reply to:
• From:
• Subject:
• Date:
• To:

When the email hits the target inbox, the email program reads what is in these fields and generates
what the end-reader sees. If certain information is entered in the right fields, what they see will be
different from what is real, such as from where the email originated. In some attacks, the target is
thoroughly researched, enabling the attacker to add specific details and use the right wording to make
the attack more successful. This is known as “spear phishing.”

Email Spoofing Protections:
Technical precautions:
There are a few technical precautions you can take to prevent email spoofing tools from accessing
your system. For example, if you send emails using a subdomain, it can be harder to spoof your
email. You would want to use @help.yourcompany.com instead of @yourcompany.com.

1. Use anti-malware software:


Anti-malware software can prevent email spoofing by identifying then blocking suspicious websites
and detecting spoofing attacks. Once the software has identified a suspicious sender or email, it can
stop the email from ever reaching your inbox. Even though spoofed emails cannot be stopped at the
source, anti-malware software can work like a force field to protect your system from them.

2. Use email signing certificates to protect outgoing emails:


An email signing certificate gives you the ability to encrypt emails so that only the intended recipient
can access the content within the message. You can also apply a digital signature so that the person
receiving the message can make sure the email was sent by you, as opposed to someone spoofing
your email address.

3. Conduct reverse IP lookups to verify the real sender:


With a reverse IP lookup, you can tell if the apparent sender is the real one, as well as where the
email actually came from. You can use an online reverse lookup tool to identify the domain name
associated with the IP address. This is, in effect, an email spoofing test. If the IP address is different
from where the email supposedly came from, you have just identified an email spoofing attack.
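The field-level mismatch described in the spoofing section above, and the "does the apparent sender match the real one" question of the reverse lookup item, can be checked mechanically on a received message. The following is an added example and not code from the original document: it uses Python's standard email library to compare the envelope sender (which a receiving server records in the Return-Path header) against the header From: and Reply-To: domains of two constructed sample messages. All addresses, domains and message text are invented for the example, and it performs no DNS or IP lookup.

```python
import email
from email.utils import parseaddr

# Constructed sample: the envelope sender recorded in Return-Path, the
# header From: and the Reply-To: all point at different domains.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: <support@example.org>
To: <alice@example.com>
Subject: Password expiry notice
Date: Mon, 1 Jan 2024 10:00:00 +0000

Please log in to reset your password.
"""

# Constructed sample in which the sender fields agree with each other.
CLEAN_MESSAGE = """\
Return-Path: <helpdesk@example.com>
From: "IT Helpdesk" <helpdesk@example.com>
To: <alice@example.com>
Subject: Password expiry notice
Date: Mon, 1 Jan 2024 10:00:00 +0000

Reminder: your password expires next week.
"""


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_fields(raw_message):
    """Domains of the three sender-related fields listed in the text above."""
    msg = email.message_from_string(raw_message)
    return {
        "return_path": domain_of(msg.get("Return-Path")),  # envelope "Mail from"
        "from": domain_of(msg.get("From")),
        "reply_to": domain_of(msg.get("Reply-To")),
    }


def spoofing_indicators(raw_message):
    """Return a list of findings; an empty list means the sender fields are
    mutually consistent, which lowers suspicion but does not prove the mail
    is genuine."""
    f = sender_fields(raw_message)
    findings = []
    if f["return_path"] and f["return_path"] != f["from"]:
        findings.append(f"envelope sender domain {f['return_path']!r} "
                        f"differs from From: domain {f['from']!r}")
    if f["reply_to"] and f["reply_to"] != f["from"]:
        findings.append(f"Reply-To: domain {f['reply_to']!r} "
                        f"differs from From: domain {f['from']!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label + ":", spoofing_indicators(raw) or ["no mismatches"])
```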

Password management:
A password is a string provided by a user at the authentication prompt of a web account.
Although passwords still remain one of the most secure methods of authentication available to
date, they are subject to a number of security threats when mishandled. This is where password
management comes in. Password management is a set of principles and best practices that users
follow to store and manage passwords efficiently and keep them as secure as possible, in order
to prevent unauthorized access.

There are many challenges in securing passwords in this digital era. While the number of web
services used by individuals is increasing year over year, the number of cyber crimes is also
skyrocketing. Here are a few common threats to protecting our passwords:
• Login spoofing - Passwords are illegally collected through a fake login page by
cybercriminals.
• Sniffing attack - Passwords are stolen using illegal network access and with tools like
key loggers.
• Shoulder surfing attack - Stealing passwords when someone types them, at
times using a micro-camera and gaining access to user data.
• Brute force attack - Stealing passwords with the help of automated tools and gaining
access to user data.
• Data breach - Stealing login credentials and other confidential data directly from the
website database.
All of these threats create an opportunity for attackers to steal user passwords and enjoy unlimited
access benefits. Let's take a look at how individuals and businesses typically manage their passwords.

Traditional methods of password management:


• Writing down passwords on sticky notes, post-its, etc.
• Sharing them via spreadsheets, email, telephone, etc.
• Using simple and easy to guess passwords
• Reusing them for all web applications
• Often forgetting passwords and falling back on the 'Forgot Password' option

While hackers are equipped with advanced tools and attacks, individuals and businesses still rely
on traditional methods of password management. This clearly raises the need for the best password
management practices to curb security threats.

How to manage passwords:


• Use strong and unique passwords for all websites and applications
• Reset passwords at regular intervals
• Configure two-factor authentication for all accounts
• Securely share passwords with friends, family, and colleagues
• Store all enterprise passwords in one place and enforce secure password policies within
the business environment.

Issues Related to Managing Passwords:
The main problem with password management is that it is not safe to use the same password for
multiple sites; having a different password for every site and, on top of that, remembering them
all is quite difficult. As per the statistics, more than 65% of people reuse passwords across
accounts and the majority do not change them, even after a known breach. Meanwhile, 25% reset their
passwords once a month or more because they forgot them.

To escape from this situation, people often tend to use password managers (a password manager is a
computer program that allows users to store, generate, and manage their passwords for local
applications and online services). Password managers reduce the problem to a certain extent: the
user has to remember only one "master password" instead of multiple passwords. The one problem
with a master password is that once it is leaked or known to an attacker, all the other passwords
become available.
The main issues related to managing passwords are as follows:
• Login spoofing
• Sniffing attack
• Brute force attack
• Shoulder surfing attack
• Data breach

Python for cybersecurity:


In cybersecurity, Python is used to write code to identify potential vulnerabilities in networks and
applications, automate security tasks, and develop ML models for threat detection. The key
advantages of using Python for security include:

• Ease of use: it has a clean and readable syntax, allowing security specialists to write
code efficiently and quickly. This enables them to focus on solving problems instead
of getting bogged down in syntax.
• Platform-independent: it can run on various operating systems like Windows, Linux,
and macOS without requiring code modifications. This flexibility is invaluable in
cybersecurity, where operations often span different environments.
• Extensive libraries: it offers a wide range of libraries designed for cybersecurity tasks.
These libraries provide pre-built functionality that simplifies security tasks and speeds
up the development process.

• Effortless memory management: it handles memory automatically with its garbage
collector, reducing the risk of memory errors. This allows cybersecurity specialists to
focus on threat analysis and defense rather than managing memory manually.

The main ways to use Python for cybersecurity:

Penetration testing
Penetration testing is an essential practice within cybersecurity designed to assess the security of
systems, applications, and networks by simulating real-world attacks. Python is a powerful ally in
this process because it can automate and simplify complex tasks, analyze results, and look for new
vulnerabilities. In penetration testing, Python helps in several ways:

• Automating reconnaissance and data gathering


Python can automate reconnaissance in penetration testing by collecting data like IP addresses,
open ports, or emails using libraries such as requests, BeautifulSoup, or Shodan. It speeds up
identifying potential attack vectors.
• Vulnerability scanning

Python allows you to write custom scripts to detect vulnerabilities and exploit them. For this,
you can conduct network-based testing using libraries like Socket and Scapy, and automation
tools like Nmap, OpenVAS, and Metasploit.
• Developing custom exploits

With Python, you can write custom scripts to target specific vulnerabilities. This allows you to
test how well systems stand up to unique threats.

INTRUSION DETECTION SYSTEM:


An intrusion detection system (IDS) is an application that monitors network traffic and searches for
known threats and suspicious or malicious activity. The IDS sends alerts to IT and security teams
when it detects any security risks and threats.

Most IDS solutions simply monitor and report suspicious activity and traffic when they detect an
anomaly. However, some can go a step further by taking action when they detect anomalous activity,
such as blocking malicious or suspicious traffic.

IDS tools typically are software applications that run on organizations’ hardware or as a network
security solution. There are also cloud-based IDS solutions that protect organizations’ data,
resources, and systems in their cloud deployments and environments.

IDS solutions come in a range of different types and varying capabilities. Common types of intrusion
detection systems (IDS) include:
1. Network intrusion detection system (NIDS): A NIDS solution is deployed at
strategic points within an organization’s network to monitor incoming and outgoing
traffic. This IDS approach monitors and detects malicious and suspicious traffic coming
to and going from all devices connected to the network.
2. Host intrusion detection system (HIDS): A HIDS system is installed on individual
devices that are connected to the internet and an organization’s internal network. This
solution can detect packets that come from inside the business and additional malicious
traffic that a NIDS solution cannot. It can also discover malicious threats coming from
the host, such as a host being infected with malware attempting to spread it across the
organization’s system.
3. Signature-based intrusion detection system (SIDS): A SIDS solution monitors all
packets on an organization’s network and compares them with attack signatures on a
database of known threats.
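As an added example (not from the original document), the following Python sketch implements the comparison a signature-based IDS performs: every packet is matched against a database of attack signatures and each match produces an alert, the monitor-and-report behaviour described above. The packets, signatures and signature IDs are all constructed for this example; it also shows why a SIDS must normalize URL-encoded payloads before matching, since an encoded request would otherwise slip past a plain-text signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    """One captured packet (constructed for this example)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    """One attack signature from the database of known threats."""
    sid: int               # local id, invented for this example
    name: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    pattern: bytes         # regular expression applied to the payload


# Constructed signature database (patterns are deliberately simple).
SIGNATURES = [
    Signature(1001, "HTTP directory traversal", "tcp", 80, rb"(\.\./){2,}"),
    Signature(1002, "SQL injection: UNION SELECT in request", "tcp", 80,
              rb"(?i)union\s+select"),
    Signature(1003, "Cleartext FTP password", "tcp", 21, rb"^PASS "),
]

# Constructed sample traffic: one benign request, three packets that match a
# signature (one of them URL-encoded), and an unrelated DNS query.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
           b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.9", "192.0.2.10", "tcp", 80,
           b"GET /item?id=1%20UNION%20SELECT%20name,pass%20FROM%20users HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.9", "192.0.2.11", "tcp", 21, b"PASS hunter2\r\n"),
    Packet("198.51.100.9", "192.0.2.11", "udp", 53, b"\x12\x34\x01\x00"),
]


def normalize(payload: bytes) -> bytes:
    """Undo URL percent-encoding so that encoded variants of a known pattern
    are compared in the same form as the signature."""
    return unquote_to_bytes(payload)


def matches(sig: Signature, pkt: Packet, normalize_payload: bool) -> bool:
    """True when the packet's protocol, port and payload fit the signature."""
    if sig.proto != pkt.proto:
        return False
    if sig.dport is not None and sig.dport != pkt.dport:
        return False
    data = normalize(pkt.payload) if normalize_payload else pkt.payload
    return re.search(sig.pattern, data) is not None


def inspect(packets: List[Packet], signatures=SIGNATURES,
            normalize_payload: bool = True) -> List[dict]:
    """Compare every packet against every signature and return one alert
    record per match; a packet can therefore raise several alerts."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if matches(sig, pkt, normalize_payload):
                alerts.append({"sid": sig.sid, "name": sig.name, "src": pkt.src,
                               "dst": pkt.dst, "dport": pkt.dport})
    return alerts


if __name__ == "__main__":
    for alert in inspect(SAMPLE_PACKETS):
        print(f"ALERT sid={alert['sid']} {alert['name']}: "
              f"{alert['src']} -> {alert['dst']}:{alert['dport']}")
```

Running it with normalize_payload=False drops the URL-encoded injection alert, which is the evasion a signature database has to account for.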

Benefits of intrusion detection systems:


IDS solutions offer major benefits to organizations, primarily around identifying potential security
threats being posed to their networks and users. A few common benefits of deploying an IDS include:
1. Understanding risk: An IDS tool helps businesses understand the number of attacks
being targeted at them and the type and level of sophistication of risks they face.
2. Shaping security strategy: Understanding risk is crucial to establishing and evolving
a comprehensive cybersecurity strategy that can stand up to the modern threat
landscape. An IDS can also be used to identify bugs and potential flaws in
organizations’ devices and networks, then assess and adapt their defenses to address the
risks they may face in the future.
3. Regulatory compliance: Organizations now face an ever-evolving list of increasingly
stringent regulations that they must comply with. An IDS tool provides them with
visibility on what is happening across their networks, which eases the process of
meeting these regulations.

RED TEAMS:
Red team exercises (or “red teaming”) are simulations or assessments designed to evaluate an
organization's IT security structure by placing it under stress or attack. The major goal is identifying
and resolving potential vulnerabilities malicious actors can exploit.

Goals of a Red Team:


A Red Team can be made up of as few as two people and can scale to over 20, depending on the
task. What matters most is making sure that your team is built for the task at hand. Find
experienced, critical thinkers to form the core of your team and continue building it with a diverse
mix of skills. A Red Team should be used alongside your vulnerability assessment and penetration
testing in order to realize its full value.

Physical red teaming focuses on sending a team to gain entry to restricted areas. This is done to test
and optimize physical security such as fences, cameras, alarms, locks, and employee behaviour. As
with technical red teaming, rules of engagement are used to ensure that red teams do not cause
excessive damage during their exercises. Physical red teaming will often involve a reconnaissance
phase where information is gathered and weaknesses in security are identified, and then that
information will be used to conduct an operation (typically at night) to gain physical entry to the
premises. Security devices will be identified and defeated using tools and techniques. Physical red
teamers will be given specific objectives such as gaining access to a server room and taking a portable
hard drive, or gaining access to an executive's office and taking confidential documents.

Managing a red team:


The use of rules of engagement can help to delineate which systems are off-limits, prevent security
incidents, and ensure that employee privacy is respected. The use of a standard operating
procedure (SOP) can ensure that the proper people are notified and involved in planning, and improve
the red team process, making it mature and repeatable. Red team activities typically have a regular
rhythm.

[Figure: A security operations center (SOC) at the University of Maryland]

Tracking certain metrics or key performance indicators (KPIs) can help to make sure a red team is
achieving the desired output. Examples of red team KPIs include performing a certain number of
penetration tests per year, or growing the team by a certain number of pen testers within a certain
time period. It can also be useful to track the number of compromised machines.
CASE STUDY

PASSWORD MANAGER FOR LINUX AND WINDOWS:


Password Management for Windows, Active Directory, Linux, and Network Devices:

To change these resource passwords, PAM uses tasks. A task contains the script that must be executed
for the password change and the scheduling option required to execute the script. Tasks are
associated with a vault. For more information about vaults, see Contextual Help. By default, every
vault has a password change task associated with it. This task is executed for the credentials in
the vault which have the Password Change option set to Yes.

In addition, if you want to perform any automated task after password change, it can be added as a
service task. For example, if you want to perform backup after changing the account password, it can
be defined as a service task. These service tasks are custom tasks for which you need to create a
custom script and add it in the task. For more information about the template for creating a custom
script, contact Customer Support.

For Windows and Active Directory:


PAM provides out-of-the-box scripts to change the password of Windows local machine and Active
Directory accounts. In addition to Windows account password change, PAM also provides the capability
to change the password of service accounts. PAM provides out-of-the-box scripts to change the
password of service accounts such as Windows Services, COM+, Task Scheduler, and IIS Pool. For
other service accounts, you can define a custom script for password change and associate it with a
service task.

These service account tasks are executed only for those credentials which have the appropriate
service account associated with them. This association can be defined when adding a credential. When
you are adding a credential for Active Directory, PAM lets you define the machines where the
credential is used for service accounts. This helps in end-to-end password change of the Active
Directory accounts.

Configuring Password Management:


To configure PAM to change (rotate) the password of any resource, you must set the Password Change
option value in the resource configuration to Yes and ensure that all the password change tasks are
enabled. If the Password Change option is set to Yes in a resource, this configuration is inherited
by all credentials in that resource. However, you can override it in the credential configuration.
To modify the password management option of a resource, go to Credential Vault > Vault Type > Vault
Name and click the edit icon next to the required resource.

Configuring Password Management in an Upgraded Setup:

After upgrading PAM, if you want to enable password management, perform the following tasks (the
"Go To" line under each task gives the navigation path for it):

1. Review the prerequisites and ensure all the required configurations are complete.
   Go To: Prerequisites
2. Review all password change and service tasks associated with the vault and update when the task
   must be scheduled for execution.
   Go To: Credential Vault > Vault Type > Vault Name > Associated Task > click edit icon next to the
   task
3. (Conditional) By default, the out-of-the-box password policy provided by PAM is associated with
   every vault. You can choose to use the default policy or create a new policy and associate it
   with the vault.
   Go To: Credential Vault > Password Policies > Help icon
4. Perform the following on all the resources: edit the resource and set the Password Change option
   to Yes. Also, review and modify all password management options, such as reconcile account and
   so on.
   Go To: Credential Vault > Vault Type > Vault Name > click edit icon of the required resource;
   Credential Vault > Vault Type > Vault Name > Resource

Test Password Strength:

Source: bitwarden

The password strength project aims to develop a password-strength testing tool. It will provide
users with an easy and efficient way to evaluate the strength of their passwords. The tool will
analyze various factors such as length, complexity, and inclusion of special characters to determine
the strength level. Additionally, it will provide suggestions and tips for creating stronger
passwords.

The project will focus on creating a user-friendly interface as a web / Desktop application and
incorporating robust algorithms to assess password strength accurately. Ultimately, the goal is to
enhance cybersecurity awareness and empower users to protect their accounts with strong
passwords.

Code Implementation:

import re


def check_password_strength(password):
    # Initialize score and reasons for feedback
    score = 0
    feedback = []

    # Check for minimum length
    if len(password) >= 8:
        score += 1
    else:
        feedback.append("Password should be at least 8 characters long.")

    # Check for uppercase letters
    if re.search(r'[A-Z]', password):
        score += 1
    else:
        feedback.append("Password should include at least one uppercase letter.")

    # Check for lowercase letters
    if re.search(r'[a-z]', password):
        score += 1
    else:
        feedback.append("Password should include at least one lowercase letter.")

    # Check for numbers
    if re.search(r'[0-9]', password):
        score += 1
    else:
        feedback.append("Password should include at least one number.")

    # Check for special characters
    if re.search(r'[@$!%*?&#]', password):
        score += 1
    else:
        feedback.append("Password should include at least one special character.")

    # Provide feedback based on score
    if score == 5:
        strength = "Strong"
    elif score >= 3:
        strength = "Moderate"
    else:
        strength = "Weak"
    return strength, feedback


# Test the function
password = input("Enter a password to test: ")
strength, feedback = check_password_strength(password)
print(f"Password Strength: {strength}")
if feedback:
    print("Feedback:")
    for note in feedback:
        print(f"- {note}")

CONCLUSION

Cybersecurity is a complex subject whose understanding requires knowledge and expertise from
multiple disciplines, including but not limited to computer science and information technology,
psychology, economics, organizational behavior, political science, engineering, sociology,
decision sciences, international relations, and law. In practice, although technical measures are an
important element, cybersecurity is not primarily a technical matter, although it is easy for policy
analysts and others to get lost in the technical details.

Furthermore, what is known about cybersecurity is often compartmented along disciplinary lines,
reducing the insights available from cross-fertilization. This primer seeks to illuminate some of
these connections. Most of all, it attempts to leave the reader with two central ideas. The
cybersecurity problem will never be solved once and for all. Solutions to the problem, limited in
scope and longevity though they may be, are at least as much nontechnical as technical in nature.

National Academies of Sciences, Engineering, and Medicine. 2014. At the Nexus of Cybersecurity
and Public Policy: Some Basic Concepts and Issues. Washington, DC: The National Academies
Press.
