CYBER SECURITY ESSENTIALS

UNIT 1: Security roles and security controls : information security roles, security
control and framework
types, threat actor types and attack Vectors, Threat Intelligence Sources.
Performing security assessments : assess organizational security with network
reconnaissance
tools, security concerns with general vulnerability types, vulnerability scanning
techniques,
penetration testing concepts
Social engineering and malware : social engineering techniques, indicators of
malware-based
attacks
• Security roles and security
controls : information security
roles, security control and
framework types, threat actor
types and attack Vectors, Threat
Intelligence Sources.
Principles of Information Security
• The fundamental principles (tenets) of
information security are confidentiality,
integrity, and availability.
• Every element of an information security
program (and every security control put in
place by an entity) should be designed to
achieve one or more of these principles.
• Together, they are called the CIA Triad.
• Confidentiality measures are designed to
protect against unauthorized disclosure of
information.
• The objective of the confidentiality principle is
to ensure that private information remains
private and that it can only be viewed or
accessed by individuals who need that
information in order to complete their job
duties.
• Integrity involves protection from
unauthorized modifications (e.g., add, delete,
or change) of data.
• The principle of integrity is designed to ensure
that data can be trusted to be accurate and
that it has not been inappropriately modified.
• Availability is protecting the functionality of
support systems and ensuring data is fully
available at the point in time (or period
requirements) when it is needed by its users.
• The objective of availability is to ensure that
data is available to be used when it is needed
to make decisions.
• Effectively executing all three tenets of the Security
Triad creates an ideal outcome from an information
security perspective.

• WHICH OF THE FOLLOWING IS NOT A PRINCIPLE OF

INFORMATION SECURITY?
• a) INTEGRITY
• b) AUTHENTICATION
• c) CONFIDENTIALITY
• d) AVAILABILITY
• Consider this example: An organization obtains
or creates a piece of sensitive data that will be
used in the course of its business operations.
Because the data is sensitive, that data should
only be able to be seen by the people in the
organization that need to see it in order to do
their jobs. It should be protected from access
by unauthorized individuals. This is an
example of the principle of confidentiality.
• When the individual that needs that piece of
data to perform a job duty is ready to utilize it,
it must be readily accessible (i.e. online) in a
timely and reliable manner so the job task can
be completed on time and the company can
continue its processing. This describes the
principle of availability.
• And finally, the data will be used in calculations
that affect business decisions and investments
that will be made by the organization. Therefore,
the accuracy of the data is critical to ensure the
proper calculations and results upon which
decisions will be made. The assurance that the
data has not been improperly tampered with and
therefore can be trusted when making the
calculations and resulting decisions is the
principle of integrity.
• Information Security Roles and Responsibilities
• Overall responsibility
• Chief Security Officer (CSO)
• Chief Information Security Officer (CISO)
• Managerial
• Technical
• Information Systems Security Officer (ISSO)
• Non-technical
• Due care/liability
• Information Security Business Units
• Security Operations Center (SOC)
• DevSecOps
• Development, security, and operations
• Incident response
• Cyber incident response team (CIRT)
• Computer security incident response team (CSIRT)
• Computer emergency response team (CERT)
• security control and framework types
• Security Control Categories
• Technical
• Controls implemented in operating systems,
software, and security appliances
• Operational
• Controls that depend on a person for
implementation
• Managerial
• Controls that give oversight of the system
• Security Control Functional Types
• Preventive
• Physically or logically restricts unauthorized access
• Operates before an attack
• Detective
• May not prevent or deter access, but it will identify and record
any attempted or successful intrusion
• Operates during an attack
• Corrective
• Responds to and fixes an incident and may also prevent its
reoccurrence
• Operates after an attack
• Physical
• Controls such as alarms, gateways, and locks that
deter access to premises and hardware
• Deterrent
• May not physically or logically prevent access, but
psychologically discourages an attacker from
attempting an intrusion
• Compensating
• Substitutes for a principal control
What is cyber security framework?
• A cybersecurity framework provides a common language and
set of standards for security leaders across countries and
industries to understand their security postures and those of
their vendors.
• With a framework in place that follows common cybersecurity
standards, it becomes much easier to define the processes and
procedures that your organization must take to assess, monitor,
and mitigate cybersecurity risk.
CYBER SECURITY FRAMEWORK
Information security and cybersecurity tasks can be classified as five
functions, following the framework developed by the National Institute
of Standards and Technology (NIST) (nist.gov/cyberframework/online-
learning/five-functions):
• Identify—develop security policies and capabilities. Evaluate risks, threats, and
vulnerabilities and recommend security controls to mitigate them.
• Protect—procure/develop, install, operate, and decommission IT hardware and
software assets with security as an embedded requirement of every stage of this
operations life cycle.
• Detect—perform ongoing, proactive monitoring to ensure that controls are
effective
and capable of protecting against new types of threats.
• Respond—identify, analyze, contain, and eradicate threats to systems and data
security.
• Recover—implement cybersecurity resilience to restore systems and data if other
controls are unable to prevent attacks.
 Have a look on these 7 cyber security
frameworks.
1.NIST Cybersecurity Framework
2.ISO 27001 and ISO 27002
3.SOC2 (Service Organization Control 2)
4.NERC-CIP (North American Electric Reliability
Corporation- Critical Infrastructure Protection)
5.HIPAA (Health Insurance Potability And
Accountability Act)
6.GDPR( The General Data Protection Regulation)
7.FISMA( The Federal Information Security
Management Act)
 Question time????
You have implemented a secure
web gateway that blocks access to
a social networking site. How
would you categorize this type of
security control?
A company has installed motion-
activated floodlighting on the
grounds around its premises.
What class and function is this
security control?
A firewall appliance intercepts a
packet that violates policy. It
automatically updates its Access
Control List to block all further
packets from the source IP. What
TWO functions is the security
control performing?
If a company wants to ensure it is
following best practice in choosing
security controls, what type of
resource would provide guidance?
A business is expanding rapidly
and the owner is worried about
tensions between its established
IT and programming divisions.
What type of security business
unit or function could help to
resolve these issues?
• Information Security Standards, Regulations,
and Compliance, Authentication,
Authorization, and Accounting (AAA)
 Information Security Standards
• a level of quality
OR
• a level of quality that you compare something
else with
 Information Security Regulations
• an official rule that controls how something is
done
OR
• the control of something by using rules
• Regulations are in place to help companies
improve their information security strategy by
providing guidelines and best practices based
on the company’s industry and type of data
they maintain.
• Non-compliance with these regulations can
result in severe fines, or worse, a data breach.
• Most companies are subject to at least one
security regulation.
• The difficulty comes in determining which
ones apply and interpreting what policies and
controls are required to reach compliance.
• Part of that difficulty is because regulations are not
written in a way that can be easily understood by
the average person.
• Often, partnering with a security professional is
necessary to decode relevant requirements and
devise an implementation plan.
• These professionals have experience implementing
systems, policies, and procedures to satisfy the
requirements of various regulations and enhance
the security of an organization.
• Many(security professional) have obtained
credentials, such as the HISP (Holistic
Information Security Practitioner), that
signifies they have a deeper understanding of
the system controls required to reach
compliance.
 Information Security Compliance
• the act of obeying an order, rule, or request
OR
• the act or process of doing what you have
been asked or ordered to do

• Information Security Compliance: Which

regulations relate to me?
• Assessing which rules and regulations apply to
an organization is no easy feat.
• Often, organizations need to comply with
multiple frameworks and regulations, many of
which have overlapping qualities.
• This entry is part of a series of information
security compliance articles. In subsequent
articles we will discuss the specific regulations
and cybersecurity frameworks, describing
their precise applications. These include, but
are not limited to:
• EXAMPLE:
• Think of a local hospital. It does deal with
patients and other healthcare-related data.

• With the regulation identified, the hospital

must look carefully at what sort of protection
it must offer patients and place safeguards in
effect to prevent a breach of security. On the
ground level, it cannot give away information
without the express consent of the patient.
• While the example of the local hospital only had
to comply with one regulation, companies often
find they must meet the requirements of many
regulations.
• In such cases, the best method to approach the
situation is to outline all of the regulations that
will impact the company first, and then determine
which security controls need to be implemented
to satisfy all of the requirements effectively.
• There are often overlapping requirements
built into different regulations, so by breaking
it down into two phases, companies can
reduce the amount of time and money they
would otherwise spend by reducing the
duplicate effort of implementing competing
systems.
•AAA
• Authentication –
The process by which it can be identified that the user,
which wants to access the network resources, VALID OR
NOT by asking some credentials such as username and
password.
• As network administrators, we can control how a user is
authenticated if someone wants to access the network.
• Some of these methods include using the local database
of that device (router) or sending authentication
requests to an external server.
• Authorization –
It provides capabilities to enforce policies on
network resources after the user has gained
access to the network resources through
authentication.
• After the authentication is successful,
authorization can be used to determine what
resources is the user allowed to access and
the operations that can be performed.
• For example, if a junior network engineer (who
should not access all the resources) wants to access
the device then the administrator can create a view
that will allow particular commands only to be
executed by the user (the commands that are
allowed in the method list).
• The administrator can use the authorization
method list to specify how the user is authorized to
network resources i.e through a local database or
ACS server.
• Accounting –
It provides means of monitoring and capturing
the events done by the user while accessing
the network resources. It even monitors how
long the user has access to the network. The
administrator can create an accounting
method list to specify what should be
accounted for and to whom the accounting
records should be sent.
 Vulnerability, Threat, and Risk

• As part of security assessment and monitoring, security teams

must identify ways in which their systems could be attacked.
These assessments involves vulnerabilities, threats, and risk:
– Vulnerability is a weakness that could be triggered
accidentally or exploited intentionally to cause a security
breach.
– Threat is the potential for someone or something to exploit
a vulnerability and breach security. A threat may be
intentional or unintentional. The person or thing that
poses the threat is called a threat actor or threat agent.
– Risk is the likelihood and impact (or consequence) of a
threat actor exploiting a vulnerability. To assess risk, you
identify a vulnerability and then evaluate the likelihood of it
being exploited by a threat and the impact that a successful
exploit would have.
• Threat actor types and attack Vectors
• Hackers, Script Kiddies, and Hacktivists
– The “Lone Hacker”
• White hats versus black hats versus gray hats
• Authorized versus non-authorized versus semi-
authorized
– Script kiddies
– Hacker teams and hacktivists
 What is threat actor???
• A cyber threat actor is any individual or group that poses a
threat to cybersecurity. Threat actors are the perpetrators
behind cyberattacks, and are often categorized by a variety of
factors, including motive, type of attack, and targeted sector.
OR
• “Threat actor” is a broad term that encompasses a wide
variety of individuals and groups categorized based on their
skill set, resources, or motivation for attack.
 What is attack vector?
• The path and tool used by malicious threat
actor to intrude a computer system is referred
as attack vector.
 Attributes of threat actors
• It includes
– Internal vs external threat actors
– Level of sophistication/capability
– Resources/funding
Cont.…
• Black hat hackers are criminals who break
into computer networks with malicious intent. They
may also release malware that destroys files, holds
computers hostage, or steals passwords, credit card
numbers, and other personal information.

• Black hats are motivated by self-serving reasons, such as

financial gain, revenge, or simply to spread havoc.
Sometimes their motivation might be ideological, by
targeting people they strongly disagree with.
• Some black hat organizations even have call centers,
which they use to make outbound calls, pretending to
work for a well-known technology organization such as
Microsoft.
• In this scam, the hacker tries to convince potential victims
to allow remote access to their computers or download
software. By granting access or downloading the
recommended software, the victim inadvertently enables
criminals to harvest passwords and banking information or
take over the computer and use it to launch attacks on
others.
• One of the most famous black hat hackers is
Kevin Mitnick, who, at one point, was the most
wanted cybercriminal in the world. As a black hat
hacker, he hacked into over 40 major corporations,
including IBM and Motorola, and even the US
National Defense warning system. He was
subsequently arrested and served time in jail.
Following his release, he became a cybersecurity
consultant who uses his hacking knowledge for
white hat hacking purposes.
• White hat hackers – sometimes also
called “ethical hackers” or “good hackers” –
are the antithesis of black hats. They exploit
computer systems or networks to identify
their security flaws so they can make
recommendations for improvement.
• White hat hackers use their capabilities to
uncover security failings to help safeguard
organizations from dangerous hackers.
• White hat hacker tactics and skills include:
• 1. Social engineering
• White hat hackers commonly use social engineering (“people
hacking”) to discover weaknesses in an organization’s
“human” defenses. Social engineering is about tricking and
manipulating victims into doing something they should not
(making wire transfers, sharing login credentials, and so on).
• 2. Penetration testing
• Penetration testing aims to uncover vulnerabilities and
weaknesses in an organization’s defenses and endpoints so
they can be rectified.
• 3. Reconnaissance and research
• This involves researching the organization to discover
vulnerabilities within the physical and IT infrastructure.
The objective is to gain enough information to identify
ways to legally bypass security controls and mechanisms
without damaging or breaking anything.
• 4. Programming
• White hat hackers create honeypots that serve as decoys
to lure cybercriminals to distract them or help the white
hats gain valuable information about the attackers.
• honeypots : It mimics a target for hackers,
and uses their intrusion attempts to gain
information about cybercriminals and the way
they are operating or to distract them from
other targets.
• 5. Using a variety of digital and physical tools
• This includes hardware and devices that allow
the penetration testers to install bots and
other malware and gain access to the network
or servers.
• Somewhere between white and black are
gray hat hackers. Gray hat hackers
enact a blend of both black hat and
white hat activities. Gray hat hackers often
look for vulnerabilities in a system without the
owner's permission or knowledge. If issues are
found, they report them to the owner,
sometimes requesting a small fee to fix the
problem.
• Some gray hat hackers like to believe they are
doing something good for companies by hacking
their websites and invading their networks
without permission. Still, company owners rarely
appreciate unauthorized forays into their business
information infrastructure.
• Often, a gray hat's real intention is to show off
their skills and gain publicity — maybe even
appreciation — for what they consider a
contribution to cybersecurity.
• Script Kiddies: a hacker or cracker who uses
pre-written scripts or existing programmes to
uncover vulnerabilities in target systems.
These users frequently are unaware of the
complexity of the scripts they are running and
the harm they cause as a result.
• Hacktivists: Groups of criminals known as
hacktivists collaborate to launch
cyberattacks in favour of political causes.
• Attack Surface and Vectors

– Attack surface
• Points where an attacker can discover/exploit vulnerabilities in a
network or application
– Vectors
• Direct access
• Removable media
• Email
• Remote and wireless
• Supply chain
• Web and social media
• Cloud
 Threat Intelligence Sources
• Threat Intelligence: Digital technologies lie at the heart of
nearly every industry today.
• The automation and greater connectedness they afford have
revolutionized the world’s economic and cultural institutions —
but they’ve also brought risk in the form of cyberattacks.
• Threat intelligence is knowledge that allows you to
prevent or mitigate those attacks.
• Rooted in data, threat intelligence provides context — like who
is attacking you, what their motivation and capabilities are, and
what indicators of compromise in your systems to look for —
that helps you make informed decisions about your security.
• Threat intelligence is evidence-based
knowledge, including context, mechanisms,
indicators, implications and action-oriented
advice about an existing or emerging menace
or hazard to assets.
• Threat Intelligence Sources:
– Threat Intelligence Feeds
– subscription-based threat intelligence platforms
• Performing security assessments :
assess organizational security with
network reconnaissance tools,
security concerns with general
vulnerability types, vulnerability
scanning techniques, penetration
testing concepts
• assess organizational security with network
reconnaissance tools:
• ipconfig/ifconfig/ip, ping,
• and arp: The arp command displays and
modifies the Internet-to-adapter address
translation tables.
• route and tracert/traceroute
• pathping/mtr
• Pathping: provides statistics for latency and
packet loss along a route over a longer
measuring period. pathping is a Windows tool;
the equivalent on Linux is mtr.
• IP Scanners: An IP scanner performs host
discovery and identifies how the hosts are
connected together in an internetwork.
• and Nmap: The Nmap Security Scanner (nmap.org) is
one of the most popular open-source IP scanners.
Nmap can use diverse methods of host discovery, some
of which can operate stealthily and serve to defeat
security mechanisms such as firewalls and intrusion
detection. The tool is open-source software with
packages for most versions of Windows, Linux, and
macOS. It can be operated with a command line or via a
GUI (Zenmap).
• If a host is detected, Nmap performs a port scan against
that host to determine which services it is running.
• Service Discovery: Having identified active IP hosts
on the network and gained an idea of the network
topology, the next step in network reconnaissance
is to work out which operating systems are in use,
which network services each host is running, and,
if possible, which application software is
underpinning those services. This process is
described as service discovery.
• and Nmap
• Netstat: show the state of TCP/UDP ports on
the local machine.

• and nslookup: The nslookup command

queries internet domain name servers.
• Other Reconnaissance and
Discovery Tools:
• theHarvester: theHarvester is a tool for gathering
open-source intelligence (OSINT) for a particular
domain or company name
(github.com/laramies/theHarvester). It works by
scanning multiple public data sources to gather
emails, names, subdomains, IPs, URLs and other
relevant data.
• Dnsenum: dnsenum packages a number of tests into a single query.
• scanless
• curl
• Nessus
• Packet Capture and tcpdump
• Packet Analysis and Wireshark
• Packet Injection and Replay
• hping
• Tcpreplay
• Metasploit
• Sn1Per
• Netcat
• security concerns with general
vulnerability types:
• Software Vulnerabilities and Patch
Management
• Zero-day and Legacy Platform Vulnerabilities
• Weak Host Configurations
• Weak Network Configurations
• vulnerability scanning techniques:
• Intrusive versus Non-intrusive Scanning
• Credentialed versus Non-credentialed
Scanning
• False Positives, False Negatives, and Log
Review
• Threat Hunting
• Non-intrusive scans
simply identify a vulnerability and
report on it so you can fix it.

• Intrusive scans attempt to

exploit a vulnerability when it is
found.
• Credentialed scanning, using
privileged credentials, provides in-
depth vulnerability analysis and
accurate results, assessing systems
and apps not usually accessible
without authentication.
• Uncredentialed scanning,
without privileged credentials, is less
accurate but can still reveal
exploitable basic vulnerabilities.
• False positives are security alerts
incorrectly categorized as suggesting a threat
when there is none.

• A false negative is an attack missed by

security tools because it is inactive, very
sophisticated or the security architecture in
place lacks the technological ability to identify it.
• Log review is the process of
reviewing computer-generated event
logs to proactively identify bugs,
security threats or other risks.
• Threat hunting is the
practice of proactively searching for
cyber threats that are lurking
undetected in a network.
• Cyber threat hunting digs deep to
find malicious actors in your
environment that have slipped past
your initial endpoint security
defenses.
penetration testing concepts
• This service gives you knowledge about
current security defects, assesses the
efficiency of security measures already in
place, and gives you the ability to take
further activities to address identified
issues and boost security.
• Pen Test Attack Life Cycle

• The penetration testing process typically goes

through five phases:
– Planning and reconnaissance,
– scanning,
– gaining system access,
– persistent access,
– and the final analysis/report.
• In a red team/blue team exercise,
the red team is made up of
offensive security experts who try to
attack an organization’s
cybersecurity defenses.

• The blue team defends against

and responds to the red team attack.
• Social engineering and
malware : social
engineering techniques,
indicators of malware-
based attacks
 social engineering techniques

• What is social engineering?

• Social engineering involves both face-to-face and
written interaction.

• Instead of using technical hacking, social engineering

uses human nature to trick people into risking
their own or their company's security.
• Social engineering tricks people into paying
money to criminals, sending information they
shouldn't transmit, installing software they
shouldn't download, visiting websites they
shouldn't visit, and other blunders that
compromise their security or that of their
organisations.
• Social engineering is frequently referred to as

"human hacking"
since it targets human weaknesses
rather than flaws in technical or digital
systems.

Any student have been subjected to social engineering

attempt and what the experience was like.
• Social Engineering Principles:
– Reciprocity - An attacker's act of friendliness compels the victim
to reciprocate by providing sensitive information demands.
– Commitment and Consistency - Even if they know it
shouldn't be done, an employee still complies with an attacker's request
for login credentials because they first consented to provide it.
– Social Proof - Individuals frequently replicate what other people do.
– Authority - An intruder assumes the identity of an authoritative figure,
either from the target organisation or from society at large, such as a police
officer, attorney, etc.
– Liking - People are easily influenced by those they like.
– and Scarcity - An attacker claims to urgently want a set of
credentials in order to access company software and finish a sales call
that is about to expire.
• indicators of malware-based attacks

• Analyze probable indicators to identify

the kind of attack given a scenario.
 There are four main kinds of network
threats:
• External threats: Threats made by outside
organizations or individuals, attempting to get
into your network.
• Internal threats: These are threats from
malicious insiders, such as disgruntled or
improperly vetted employees who are working
for someone else.
• Structured threats: Organized attacks by
attackers who know what they’re doing and
have a clear aim or goal in mind.
• Unstructured attacks: Disorganized attacks,
often by amateurs with no concrete goal in
mind.
 Some common types of cyber security attacks

1. Malware
2. Phishing
3. Man-in-the-Middle (MitM) Attacks
4. Denial-of-Service (DOS) Attack
5. SQL Injections
6. Zero-day Exploit
7. Password Attack
8. Cross-site Scripting
9. Rootkits
10. Internet of Things (IoT) Attacks
1. Malware
• A botnet is a network of infected computers
that can be controlled remotely and forced to
send spam, spread malware, or stage DDoS
attacks — without the consent of the device
owners.
• A botnet is a group of computers linked
together with malware and controlled by the
botnet creator, known as a bot herder. Bot
herders infect computers to form botnets,
which they control as a group to initiate wide-
scale cyberattacks, send spam, and conduct
phishing campaigns.
2. Phishing
3. Man-in-the-Middle (MitM) Attacks
4. Denial-of-Service (DOS) Attack
5. SQL Injections
6. Zero-day Exploit
 7. Password Attack
• Dictionary attack
• Brute force
• Man In The Middle
8. Cross-site Scripting
 9. Rootkits
• Rootkits are installed inside legitimate
software, where they can gain remote control
and administration-level access over a system.
The attacker then uses the rootkit to steal
passwords, keys, credentials, and retrieve
critical data.
10. Internet of Things (IoT) Attacks
• IoT attacks are becoming more popular due to
the rapid growth of IoT devices and (in
general) low priority given to embedded
security in these devices and their operating
systems.
• ADDITIONAL READING
IS STRONGLY
RECOMMENDED
 References
• https://www.ibm.com/topics/social-engineeri
ng
• https://www.kaspersky.co.in/resource-center/
threats/how-to-avoid-social-engineering-attac
ks
• https://us.norton.com/internetsecurity-emerg
ing-threats-what-is-social-engineering.html
• https://www.upguard.com/blog/social-engine
ering
• https://www.barracuda.com/glossary/social-e
ngineering