Cyber Security


1

RESTD

Table of Contents

Ser  Lesson                      Pds (Lec Prac)   Page No
1    Intro to Cyber Security     2                2
2    Intro to Ethical Hacking    2                7
3    Scanning NW                 2                25
4    Vulnerability Analysis      - 2              31
5    System Hacking              2 -              38
6    Malware Threats             - 2              45
7    Social Engineering          1 2              55
8    Hardening & Whitelisting    1                63
9    Hacking web Application     2                66


Cyber Security
1. Definition. Cyber Security is a process that’s designed to protect networks and
devices from external threats. Businesses typically employ Cyber Security
professionals to protect their confidential information, maintain employee productivity,
and enhance customer confidence in products and services. The world of Cyber
Security revolves around the industry standard of privacy/confidentiality, integrity, and
availability. Privacy means data can be accessed only by authorized parties; integrity
means information can be added, altered, or removed only by authorized users; and
availability means systems, functions, and data must be available on-demand according
to agreed-upon parameters. The main element of Cyber Security is the use of
authentication mechanisms. For example, a user name identifies an account that a user
wants to access, while a password is a mechanism that proves the user is who he
claims to be.
2. Cyber Criminals’ Motives. The main motive behind cybercrime is to disrupt
regular business activity and critical infrastructure. Cybercriminals also commonly
manipulate stolen data to benefit financially, cause financial loss, damage a reputation,
achieve military objectives, and propagate religious or political beliefs. Some don’t even
need a motive and might hack for fun or simply to showcase their skills. Here’s a
breakdown of the most common types:
a. Black-Hat Hackers. Black-hat hackers use fake identities to conduct malicious
activities for a profit
b. Gray-Hat Hackers. They work both with malicious intent and as legitimate
security analysts
c. White-Hat Hackers. White-hat hackers work as security analysts to detect and
fix flaws and protect against malicious hackers
d. Suicide Hackers. They aim to openly bring down the critical infrastructure for a
social cause
e. Script Kiddies. They are unskilled hackers who run scripts and software
created by more experienced hackers
f. Cyber Terrorists. They create fear by disrupting large-scale computer networks;
motivated by religious or political beliefs
g. State-Sponsored Hackers. They penetrate government networks, gain top-secret
information, and damage information systems; paid by a hostile government
h. Hacktivists. Promote political agendas by secretly defacing and disabling
websites
3. As data breaches, hacking, and cybercrime reach new heights, companies are
increasingly relying on Cyber Security specialists to identify potential threats and protect
valuable data. So what do Cyber Security experts actually do? On any given day, they:
a. Find, test, and repair weaknesses within a company’s infrastructure
b. Monitor systems for malicious content
c. Identify network breaches
d. Install regular software updates, firewalls, and antivirus protection
e. Strengthen areas where attacks may have occurred
4. They work in one or more of these common Cyber Security domains to keep data
safe:
a. Asset security: Analyze networks, computers, routers, and wireless access
points
b. Security architecture and engineering: Standardize security policies and
procedures
c. Communication and network security: Regulate cloud storage and data transfer
d. Identity and access management: Track user authentication and accountability
e. Security operations: Monitor security to identify attacks
f. Security assessment and testing: Test security policies to ensure compliance
with industry standards
g. Software development security: Create and repeatedly test code
h. Security and risk management: Identify potential risks and implement
appropriate security controls
5. Cyber Security experts employ different tactics to secure computer systems and
networks. Some of the best practices include:
a. Using two-way authentication
b. Securing passwords
c. Installing regular updates
d. Running antivirus software
e. Using firewalls to disable unwanted services
f. Avoiding phishing scams
g. Employing cryptography, or encryption
h. Securing domain name servers, or DNS
6. The Different Types of Cybersecurity. Cyber security is a wide field covering
several disciplines. It can be divided into seven main pillars:
a. Network Security. Most attacks occur over the network, and network security
solutions are designed to identify and block these attacks. These solutions
include data and access controls such as Data Loss Prevention (DLP), IAM
(Identity Access Management), NAC (Network Access Control), and NGFW
(Next-Generation Firewall) application controls to enforce safe web use policies.
Advanced and multi-layered network threat prevention technologies include IPS
(Intrusion Prevention System), NGAV (Next-Gen Antivirus), Sandboxing, and
CDR (Content Disarm and Reconstruction). Also important are network
analytics, threat hunting, and automated SOAR (Security Orchestration and
Response) technologies.
b. Cloud Security. As organizations increasingly adopt cloud computing, securing
the cloud becomes a major priority. A cloud security strategy includes cyber
security solutions, controls, policies, and services that help to protect an
organization’s entire cloud deployment (applications, data, infrastructure, etc.)
against attack. While many cloud providers offer security solutions, these are
often inadequate to the task of achieving enterprise-grade security in the cloud.
Supplementary third-party solutions are necessary to protect against data
breaches and targeted attacks in cloud environments.
c. Endpoint Security. The zero-trust security model prescribes creating micro-
segments around data wherever it may be. One way to do that with a mobile
workforce is using endpoint security. With endpoint security, companies can
secure end-user devices such as desktops and laptops with data and network
security controls, advanced threat prevention such as anti-phishing and anti-
ransomware, and technologies that provide forensics such as endpoint
detection and response (EDR) solutions.

d. Mobile Security. Often overlooked, mobile devices such as tablets and
smartphones have access to corporate data, exposing businesses to threats
from malicious apps, zero-day, phishing, and IM (Instant Messaging) attacks.
Mobile security prevents these attacks and secures the operating systems and
devices from rooting and jailbreaking. When included with an MDM (Mobile
Device Management) solution, this enables enterprises to ensure only
compliant mobile devices have access to corporate assets.
e. IoT Security. While using Internet of Things (IoT) devices certainly delivers
productivity benefits, it also exposes organizations to new cyber threats. Threat
actors seek out vulnerable devices inadvertently connected to the Internet for
nefarious uses such as a pathway into a corporate network or for another bot in
a global bot network. IoT security protects these devices with discovery and
classification of the connected devices, auto-segmentation to control network
activities, and using IPS as a virtual patch to prevent exploits against vulnerable
IoT devices. In some cases, the firmware of the device can also be augmented
with small agents to prevent exploits and runtime attacks.
f. Application Security. Web applications, like anything else directly connected
to the Internet, are targets for threat actors. Since 2007, OWASP (Open
Worldwide Application Security Project) has tracked the top 10 threats to critical
web application security flaws such as injection, broken authentication,
misconfiguration, and cross-site scripting to name a few. With application
security, the OWASP Top 10 attacks can be stopped. Application security also
prevents bot attacks and stops any malicious interaction with applications and
APIs. With continuous learning, apps will remain protected even as DevOps
releases new content.
g. Zero Trust. The traditional security model is perimeter-focused, building walls
around an organization’s valuable assets like a castle. However, this approach
has several issues, such as the potential for insider threats and the rapid
dissolution of the network perimeter. As corporate assets move off-premises as
part of cloud adoption and remote work, a new approach to security is needed.
Zero trust takes a more granular approach to security, protecting individual
resources through a combination of micro-segmentation, monitoring, and
enforcement of role-based access controls.


Introduction to Ethical Hacking


1. Ethical Hacker. Also known as “white hats,” ethical hackers are security experts
who perform authorized security assessments. The proactive work they do helps to
improve an organization’s security posture. Because they act with prior approval from
the organization or owner of the IT asset, the mission of ethical hacking is the opposite
of malicious hacking.
2. Key concepts of Ethical Hacking. Hacking experts follow four key protocol
concepts:
a. Stay legal. Obtain proper approval before accessing and performing a security
assessment.
b. Define the scope. Determine the scope of the assessment so that the ethical
hacker’s work remains legal and within the organization’s approved boundaries.
c. Report vulnerabilities. Notify the organization of all vulnerabilities discovered
during the assessment. Provide remediation advice for resolving these
vulnerabilities.
d. Respect data sensitivity. Depending on the data sensitivity, ethical hackers
may have to agree to a non-disclosure agreement, in addition to other terms
and conditions required by the assessed organization.
3. Difference between Ethical Hackers & Malicious Hackers. Ethical hackers use
their knowledge to secure and improve the technology of organizations. They provide
an essential service to these organizations by looking for vulnerabilities that can lead to
a security breach. An ethical hacker reports the identified vulnerabilities to the
organization. Additionally, they provide remediation advice. In many cases, with the
organization’s consent, the ethical hacker performs a re-test to ensure the vulnerabilities
are fully resolved. Malicious hackers intend to gain unauthorized access to a resource
(the more sensitive the better) for financial gain or personal recognition. Some malicious
hackers deface websites or crash backend servers for fun, reputation damage, or to
cause financial loss. The methods used and vulnerabilities found remain unreported.
They aren’t concerned with improving the organization’s security posture. An ethical
hacker should have a wide range of computer skills. They often specialize, becoming
subject matter experts (SME) on a particular area within the ethical hacking domain.
All ethical hackers should have:
a. Expertise in scripting languages.
b. Proficiency in operating systems.
c. A thorough knowledge of networking.
d. A solid foundation in the principles of information security.
4. Problems that ethical hacking identifies. While assessing the security of an
organization’s IT asset(s), ethical hackers aim to mimic an attacker. In doing so, they
look for attack vectors against the target. The initial goal is to perform reconnaissance,
gaining as much information as possible. Once the ethical hacker gathers enough
information, they use it to look for vulnerabilities in the asset. They perform this
assessment with a combination of automated and manual testing. Even sophisticated
systems with complex countermeasure technologies may still be vulnerable.
They don’t stop at uncovering vulnerabilities. Ethical hackers use exploits against the
vulnerabilities to prove how a malicious attacker could exploit them. Some of the most
common vulnerabilities discovered by ethical hackers include:
a. Injection attacks
b. Broken authentication
c. Security misconfigurations
d. Use of components with known vulnerabilities
e. Sensitive data exposure
After the testing period, ethical hackers prepare a detailed report. This documentation
includes steps to compromise the discovered vulnerabilities and steps to patch or
mitigate them.
5. Information Security Threats. The main types of information security threats
are:
a. Malware attack
b. Social engineering attacks
c. Software supply chain attacks
d. Advanced persistent threats (APT)
e. Distributed denial of service (DDoS)
f. Man-in-the-middle attack (MitM)
g. Password attacks


a. Malware attack. Attackers use many methods to get malware onto a user’s device,
most often social engineering. Users may be asked to take an action, such as
clicking a link or opening an attachment. In other cases, malware uses
vulnerabilities in browsers or operating systems to install themselves without the
user’s knowledge or consent. Once malware is installed, it can monitor user
activities, send confidential data to the attacker, assist the attacker in penetrating
other targets within the network, and even cause the user’s device to participate
in a botnet leveraged by the attacker for malicious intent. Malware attacks
include:
(1). Trojan virus: tricks a user into thinking it is a harmless file. A Trojan can
launch an attack on a system and can establish a backdoor, which attackers
can use.
(2). Ransomware: prevents access to the data of the victim and threatens to
delete or publish it unless a ransom is paid.
(3). Wiper malware: intends to destroy data or systems by overwriting targeted
files or destroying an entire file system. Wipers are usually intended to send
a political message, or hide hacker activities after data exfiltration.
(4). Worms: this malware is designed to exploit backdoors and vulnerabilities to
gain unauthorized access to operating systems. After installation, the worm
can perform various attacks, including Distributed Denial of Service (DDoS).
(5). Spyware: this malware enables malicious actors to gain unauthorized access
to data, including sensitive information like payment details and credentials.
Spyware can affect mobile phones, desktop applications, and desktop
browsers.
(6). Fileless malware: this type of malware does not require installing software on
the operating system. It abuses native tools such as PowerShell and WMI to
carry out malicious functions, so its activity looks legitimate and is difficult to
detect.
(7). Application or website manipulation: OWASP outlines the top 10 application
security risks, ranging from broken access controls and security
misconfiguration through injection attacks and cryptographic failures. Once
the vector is established through service account acquisition, more malware,
credential, or APT attacks are launched.
b. Social engineering attacks. Social engineering attacks work by psychologically
manipulating users into performing actions desirable to an attacker, or divulging
sensitive information. Social engineering attacks include:
(1). Phishing: Attackers send fraudulent correspondence that seems to come
from legitimate sources, usually via email. The email may urge the user to
perform an important action or click on a link to a malicious website, leading
them to hand over sensitive information to the attacker, or expose
themselves to malicious downloads. Phishing emails may include an email
attachment infected with malware.
(2). Spear phishing: A variant of phishing in which attackers specifically target
individuals with security privileges or influence, such as system
administrators or senior executives.
(3). Malvertising: Online advertising controlled by hackers, which contains
malicious code that infects a user’s computer when they click, or even just
view the ad. Malvertising has been found on many leading online
publications.
(4). Drive-by downloads: Attackers can hack websites and insert malicious
scripts into PHP or HTTP code on a page. When users visit the page,
malware is directly installed on their computer; or, the attacker’s script
redirects users to a malicious site, which performs the download. Drive-by
downloads rely on vulnerabilities in browsers or operating systems.
(5). Scareware security software: Pretends to scan for malware and then
regularly shows the user fake warnings and detections. Attackers may ask
the user to pay to remove the fake threats from their computer or to register
the software. Users who comply transfer their financial details to an attacker.
(6). Baiting: Occurs when a threat actor tricks a target into using a malicious
device, placing a malware-infected physical device, like a USB, where the
target can find it. Once the target inserts the device into their computer, they
unintentionally install the malware.
(7). Vishing: Voice phishing (vishing) attacks use social engineering techniques
to get targets to divulge financial or personal information over the phone.
(8). Whaling: This phishing attack targets high-profile employees (whales),
such as the chief executive officer (CEO) or chief financial officer (CFO).
The threat actor attempts to trick the target into disclosing confidential
information.
(9). Pretexting: Occurs when a threat actor lies to the target to gain access to
privileged data. A pretexting scam may involve a threat actor pretending to
confirm the target’s identity by asking for financial or personal data.
(10). Scareware: A threat actor tricks the victim into thinking they inadvertently
downloaded illegal content or that their computer is infected with malware.
Next, the threat actor offers the victim a solution to fix the fake problem,
tricking the victim into downloading and installing malware.
(11). Diversion theft: Threat actors use social engineers to trick a courier or
delivery company into going to a wrong drop-off or pickup location,
intercepting the transaction.
(12). Honey trap: A social engineer assumes a fake identity as an attractive
person to interact with a target online. The social engineer fakes an online
relationship and gathers sensitive information through this relationship.
(13). Tailgating or piggybacking: Occurs when a threat actor enters a secured
building by following authorized personnel. Typically, the staff with
legitimate access assumes the person behind is allowed entrance, holding
the door open for them.
(14). Pharming: An online fraud scheme during which a cybercriminal installs
malicious code on a server or computer. The code automatically directs
users to a fake website, where users are tricked into providing personal
data.

c. Software supply chain attacks. A software supply chain attack is a cyber-attack
against an organization that targets weak links in its trusted software update and
supply chain. A supply chain is the network of all individuals, organizations,
resources, activities, and technologies involved in the creation and sale of a
product. A software supply chain attack exploits the trust that organizations have
in their third-party vendors, particularly in updates and patching. This is
especially true for network monitoring tools, industrial control systems, “smart”
machines, and other network-enabled systems with service accounts. An attack
can be made in many places against the vendor continuous integration and
continuous delivery (CI/CD) software lifecycle, or even against third-party
libraries and components as seen via Apache and Spring. Types of software
supply chain attacks:
(1). Compromise of software build tools or dev/test infrastructure
(2). Compromise of devices or accounts owned by privileged third-party vendors
(3). Malicious apps signed with stolen code signing certificates or developer IDs
(4). Malicious code deployed on hardware or firmware components
(5). Malware pre-installed on devices such as cameras, USBs, and mobile
phones
d. Advanced persistent threats (APT). When an individual or group gains
unauthorized access to a network and remains undiscovered for an extended
period of time, attackers may exfiltrate sensitive data, deliberately avoiding
detection by the organization’s security staff. APTs require sophisticated
attackers and involve major efforts, so they are typically launched against nation
states, large corporations, or other highly valuable targets. Common indicators of
an APT presence include:
(1). New account creation: The P in Persistent comes from an attacker
creating an identity or credential on the network with elevated privileges.
(2). Abnormal activity: Legitimate user accounts typically perform in patterns.
Abnormal activity on these accounts can indicate an APT is occurring,
including noting a stale account which was created then left unused for a
time suddenly being active.
(3). Backdoor/Trojan horse malware: Extensive use of this method enables
APTs to maintain long-term access.
(4). Odd database activity: A sudden increase in database operations with
massive amounts of data.
(5). Unusual data files: The presence of these files can indicate data has been
bundled into files to assist in an exfiltration process.
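The indicators above can be turned into simple detection rules. The following Python script is an added example, not part of the original notes: it runs over a constructed account-activity log (the log format, user names and thresholds are assumptions) and flags a new privileged account, a stale account that suddenly logs in, and a single query pulling an unusually large number of rows.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed sample log for this example (not from any real system).
# Each line: ISO timestamp, event type, then key=value fields.
SAMPLE_LOG = """\
2024-01-02T09:00:00 account_created user=svc_reporting priv=admin by=helpdesk1
2024-01-02T09:15:00 login user=alice src=10.0.1.5
2024-01-03T09:05:00 login user=alice src=10.0.1.5
2024-03-20T02:13:00 login user=svc_reporting src=10.0.9.77
2024-03-20T02:20:00 db_query user=svc_reporting rows=850000
2024-03-20T08:30:00 db_query user=alice rows=120
"""

STALE_DAYS = 30              # assumed: idle at least this long, then active = suspicious
DB_ROWS_THRESHOLD = 100_000  # assumed: a single query above this is "odd database activity"


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict[str, str]


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append(Event(datetime.fromisoformat(ts_str), kind, fields))
    return events


def detect_apt_indicators(events: Iterable[Event]) -> list[str]:
    """Apply the indicator rules and return one alert string per hit, in time order."""
    alerts: list[str] = []
    last_seen: dict[str, datetime] = {}  # user -> time of last creation or login
    for ev in sorted(events, key=lambda e: e.ts):
        user = ev.fields.get("user", "?")
        if ev.kind == "account_created":
            # Indicator (1): a new identity with elevated privileges.
            if ev.fields.get("priv") == "admin":
                alerts.append(f"new privileged account {user} created by "
                              f"{ev.fields.get('by', '?')} at {ev.ts}")
            last_seen[user] = ev.ts
        elif ev.kind == "login":
            # Indicator (2): an account created or last used long ago suddenly becomes active.
            prev = last_seen.get(user)
            if prev is not None and ev.ts - prev >= timedelta(days=STALE_DAYS):
                alerts.append(f"stale account {user} active after {(ev.ts - prev).days} days idle")
            last_seen[user] = ev.ts
        elif ev.kind == "db_query":
            # Indicator (4): a sudden bulk pull of data from the database.
            rows = int(ev.fields.get("rows", "0"))
            if rows > DB_ROWS_THRESHOLD:
                alerts.append(f"odd database activity: {user} pulled {rows} rows at {ev.ts}")
    return alerts


def run_demo() -> list[str]:
    """Run the rules over the constructed log."""
    return detect_apt_indicators(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```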
e. Distributed denial of service (DDoS). The objective of a denial of service (DoS)
attack is to overwhelm the resources of a target system and cause it to stop
functioning, denying access to its users. Distributed denial of service (DDoS) is a
variant of DoS in which attackers compromise a large number of computers or
other devices, and use them in a coordinated attack against the target system.
DDoS attacks are often used in combination with other cyberthreats. These
attacks may launch a denial of service to capture the attention of security staff
and create confusion, while they carry out subtler attacks aimed at stealing data
or causing other damage. Methods of DDoS attacks include:
(1). Botnets: Systems under hacker control that have been infected with
malware. Attackers use these bots to carry out DDoS attacks. Large botnets
can include millions of devices and can launch attacks at devastating scale.
(2). Smurf attack: sends Internet Control Message Protocol (ICMP) echo
requests to the victim’s IP address. The ICMP requests are generated from
‘spoofed’ IP addresses. Attackers automate this process and perform it at
scale to overwhelm a target system.
(3). TCP SYN flood attack: Attacks flood the target system with connection
requests. When the target system attempts to complete the connection, the
attacker’s device does not respond, forcing the target system to time out.
This quickly fills the connection queue, preventing legitimate users from
connecting.
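To make the half-open queue behaviour concrete, here is an added Python model (not from the original notes) of a listening socket's SYN backlog: spoofed SYNs that never complete the handshake pile up until the queue is full and a legitimate client is refused, and the same run with a shorter half-open timeout shows why bounding that timeout (or enlarging the backlog) is the usual mitigation. Capacity, rates and timeouts are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class HalfOpen:
    """One SYN_RECV entry: SYN received, SYN-ACK sent, final ACK still missing."""
    src: str
    started_at: float


@dataclass
class ListenQueue:
    """Simplified model of a listening socket's half-open connection backlog."""
    capacity: int
    timeout: float                 # seconds a half-open entry is kept before it is dropped
    entries: list = field(default_factory=list)
    rejected: int = 0

    def _expire(self, now: float) -> None:
        self.entries = [e for e in self.entries if now - e.started_at < self.timeout]

    def on_syn(self, src: str, now: float) -> bool:
        """Return True if the SYN got a backlog slot, False if the queue was full."""
        self._expire(now)
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries.append(HalfOpen(src, now))
        return True

    def on_ack(self, src: str, now: float) -> bool:
        """Final ACK of the handshake: the connection is established and its slot is freed."""
        self._expire(now)
        for e in self.entries:
            if e.src == src:
                self.entries.remove(e)
                return True
        return False


def simulate(capacity: int = 128, timeout: float = 60.0,
             attack_rate: int = 50, duration: int = 10) -> dict:
    """Each second the attacker sends `attack_rate` SYNs from spoofed sources and never
    completes the handshake; one legitimate client then tries to connect and ACKs at once."""
    q = ListenQueue(capacity, timeout)
    legit_ok = legit_failed = 0
    for sec in range(duration):
        now = float(sec)
        for i in range(attack_rate):
            q.on_syn(f"spoofed-{sec}-{i}", now)   # constructed spoofed source labels
        client = f"client-{sec}"
        if q.on_syn(client, now + 0.5) and q.on_ack(client, now + 0.6):
            legit_ok += 1
        else:
            legit_failed += 1
    return {"legit_ok": legit_ok, "legit_failed": legit_failed,
            "half_open": len(q.entries), "rejected": q.rejected}


if __name__ == "__main__":
    print("60 s half-open timeout:", simulate())
    print("1.5 s half-open timeout:", simulate(timeout=1.5))
```

With the 60-second timeout the backlog is full after the third second and every later client is refused; with a 1.5-second timeout the stale entries are dropped before the queue fills and all ten clients connect.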

f. Man-in-the-middle attack (MitM). When users or devices access a remote
system over the internet, they assume they are communicating directly with the
server of the target system. In a MitM attack, attackers break this assumption,
placing themselves in between the user and the target server. Once the attacker
has intercepted communications, they may be able to compromise a user’s
credentials, steal sensitive data, and return different responses to the user. MitM
attacks include:
(1). Session hijacking: An attacker hijacks a session between a network
server and a client. The attacking computer substitutes its IP address for
the IP address of the client. The server believes it is corresponding with the
client and continues the session.
(2). Replay attack: A cybercriminal eavesdrops on network communication and
replays messages at a later time, pretending to be the user. Replay attacks
have been largely mitigated by adding timestamps to network
communications.
(3). IP spoofing: An attacker convinces a system that it is corresponding with a
trusted, known entity. The system thus provides the attacker with access.
The attacker forges its packet with the IP source address of a trusted host,
rather than its own IP address.
(4). Eavesdropping attack: Attackers leverage insecure network
communication to access information transmitted between the client and
server. These attacks are difficult to detect because network transmissions
appear to act normally.
(5). Bluetooth attacks: Because Bluetooth is often open in promiscuous mode,
there are many attacks, particularly against phones, that drop contact cards
and other malware through open and receiving Bluetooth connections.
Usually this compromise of an endpoint is a means to an end, from
harvesting credentials to personal information.
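Item (2) above says replay attacks are mitigated by adding timestamps; checking the timestamp alone still leaves a window in which an intercepted message can be replayed. The following Python example is added here and is not from the original notes: a receiver authenticates each message with an HMAC, rejects timestamps outside a freshness window, and also remembers nonces so an eavesdropper cannot replay a still-fresh message. The shared key, nonce, payload and window are constructed values.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed shared key for this example only; a real deployment takes it from a key store.
SECRET_KEY = b"example-shared-key-for-illustration"

# Assumed freshness window in seconds: a message older (or newer) than this is rejected.
FRESHNESS_WINDOW = 30


def sign_message(payload: str, nonce: str, timestamp: int, key: bytes = SECRET_KEY) -> str:
    """Client side: HMAC-SHA256 over timestamp, nonce and payload, as a hex tag."""
    data = f"{timestamp}|{nonce}|{payload}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ReplayGuardedReceiver:
    """Server side: accepts a message only if its tag verifies, its timestamp is fresh,
    and its nonce has not already been accepted inside the freshness window."""

    def __init__(self, key: bytes = SECRET_KEY, window: int = FRESHNESS_WINDOW) -> None:
        self.key = key
        self.window = window
        self.seen_nonces: dict[str, int] = {}  # nonce -> timestamp it was accepted with

    def _purge_expired(self, now: int) -> None:
        # A nonce older than the window can no longer pass the timestamp check,
        # so it can be forgotten; this keeps the cache bounded.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= self.window}

    def accept(self, payload: str, nonce: str, timestamp: int, tag: str, now: int) -> tuple[bool, str]:
        """Verify one message; returns (accepted, reason)."""
        expected = sign_message(payload, nonce, timestamp, self.key)
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        if abs(now - timestamp) > self.window:
            return False, "stale timestamp"
        self._purge_expired(now)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = timestamp
        return True, "ok"


def demo_replay() -> list[str]:
    """A client sends one signed message; an eavesdropper then replays it within the
    window, replays it after the window, and finally tries to alter it."""
    receiver = ReplayGuardedReceiver()
    now = 1_700_000_000                       # constructed epoch time
    payload = "transfer 100 to account 42"    # constructed payload
    nonce = "n-7f3a"                          # constructed; real clients use a random 128-bit value
    tag = sign_message(payload, nonce, now)
    return [
        receiver.accept(payload, nonce, now, tag, now)[1],         # genuine message
        receiver.accept(payload, nonce, now, tag, now + 5)[1],     # replay within the window
        receiver.accept(payload, nonce, now, tag, now + 120)[1],   # replay after the window
        receiver.accept(payload.replace("100", "900"), "n-0001", now, tag, now)[1],  # tampered
    ]


if __name__ == "__main__":
    for outcome in demo_replay():
        print(outcome)
```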

g. Password attacks. A hacker can gain access to the password information of an
individual by ‘sniffing’ the connection to the network, using social engineering,
guessing, or gaining access to a password database. An attacker can ‘guess’ a
password in a random or systematic way. Password attacks include:
(1). Brute-force password guessing: An attacker uses software to try many
different passwords, in hopes of guessing the correct one. The software can
use some logic to try passwords related to the name of the individual, their
job, their family, etc.
(2). Dictionary attack: A dictionary of common passwords is used to gain
access to the computer and network of the victim. One method is to copy an
encrypted file that has the passwords, apply the same encryption to a
dictionary of regularly used passwords, and contrast the findings.
(3). Pass-the-hash attack: An attacker exploits the authentication protocol in a
session and captures a password hash (as opposed to the password
characters directly) and then passes it through for authentication and lateral
access to other networked systems. In these attack types, the threat actor
doesn’t need to decrypt the hash to obtain a plain text password.
(4). Golden ticket attack: A golden ticket attack starts in the same way as a
pass-the-hash attack, where on a Kerberos (Windows AD) system the
attacker uses the stolen password hash to access the key distribution center
to forge a ticket-granting-ticket (TGT) hash. Mimikatz attacks frequently use
this attack vector.
6. Cyber Attack Vector. An attack vector is the method or way by which an adversary
can breach or infiltrate an entire network/system. Attack vectors (or threat vectors)
enable hackers to exploit system vulnerabilities, including the human element. A
security breach is any security incident in which sensitive, protected, or confidential
data is accessed or stolen by an unauthorized party, jeopardizing an organization’s
brand, customers, and assets. Incidents such as DDoS, Bitcoin mining etc. are also
security breaches. Data breaches are the most common, but not all security incidents
concern data theft. Common types of cyber-attack vectors are:
a. Compromised Credentials. The username and password continue to be the most
common type of access credential. Compromised credentials describe a case

RESTD
16
RESTD

where user credentials, such as usernames and passwords, are exposed to


unauthorized entities. This typically happens when unsuspecting users fall prey to
phishing attempts and enter their login credentials on fake websites. When lost,
stolen or exposed, compromised credentials can give the intruder an insider’s
access. Although monitoring and analysis within the enterprise can identify
suspicious activity, these credentials effectively bypass perimeter security and
complicate detection. The risk posed by a compromised credential varies with the
level of access it provides. Privileged access credentials, which give administrative
access to devices and systems, typically pose a higher risk to the enterprise than
consumer credentials. And it is not only humans who hold credentials. Servers,
network devices and security tools often have passwords that enable integration
and communication between devices. In the hands of an intruder, these machine-
to-machine credentials can allow movement throughout the enterprise, both
vertically and horizontally, giving almost unfettered access. Do the following to avoid
this type of cyber-attack:
(1). Common usernames and weak passwords can lead to compromised
credentials, so it’s important that the enterprise has effective password policies
that ensure suitable password strength.
(2). Password sharing across services makes all applications that share
credentials vulnerable as a consequence of the breach of one service or
application in the cohort. Do not reuse the same password to access multiple
apps and systems.
(3). Using two-factor authentication via a trusted second factor can reduce the
number of breaches that occur due to compromised credentials within an
organization.
b. Weak and Stolen Credentials. Weak passwords and password reuse make
credential exposure a gateway for initial attacker access and propagation. Recent
malware attacks such as Mirai highlight this threat not only for managed devices
but also IoT connected devices.
Apps and protocols sending login credentials over your network pose a significant
security threat. An attacker connected to your network can easily locate and utilize
these credentials for lateral movement. For example, in the Target attack,
adversaries were able to steal Active Directory credentials and propagate their
attack into the enterprise payment network. Do the following to avoid it:
(1). Track password hygiene and use across your entire enterprise to identify high
risk users and their devices.
c. Malicious Insiders. A malicious insider is an employee who exposes private
company information and/or exploits company vulnerabilities. Malicious insiders
are often unhappy employees. Users with access to sensitive data and networks
can inflict extensive damage through privileged misuse and malicious intent. Do
the following to avoid it:
(1). Keep an eye out for disgruntled employees and monitor data and network
access for every device and user to expose insider risk.
d. Missing or Poor Encryption. Data encryption translates data into another form
that only people with access to a secret key or password can read. Encrypted data
is commonly referred to as cipher text, while unencrypted data is called plaintext.
The purpose of data encryption is to protect digital data confidentiality as it is
stored on computer systems and transmitted using the internet or other computer
networks. Strong encryption must be applied to data at rest, in-motion, and where
suitable, in-processing.
Missing / poor encryption leads to sensitive information including credentials being
transmitted either in plaintext, or using weak cryptographic ciphers or protocols.
This implies that an adversary intercepting data storage, communication, or
processing could get access to sensitive data using brute-force approaches to
break weak encryption. Do the following to avoid this type of attack vector:
(1). Don’t rely solely on low-level encryption or assume that following compliance
means that the data is securely encrypted.
(2). Ensure that sensitive data is encrypted at rest, in-transit, and in processing.

e. Misconfiguration. Misconfiguration is when there is an error in system
configuration. For example, if setup pages are enabled or a user uses default
usernames and passwords, this can lead to breaches. With setup/app server
configuration not disabled, the hacker can determine hidden flaws, and this
provides them with extra information. Misconfigured devices and apps present an
easy entry point for an attacker to exploit. Do the following to avoid this type of
cyber-attack:
(1). Put procedures and systems in place that tighten your configuration process
and use automation wherever possible. Monitoring application and device
settings and comparing these to recommended best practices reveals the
threat for misconfigured devices located across your network.
e. Ransomware. Ransomware is a form of cyber-extortion in which users are unable
to access their data until a ransom is paid. Users are shown instructions for how to
pay a fee to get the decryption key. The costs can range from a few hundred
dollars to thousands, payable to the cybercriminals in Bitcoin. Do the following to avoid
ransomware attacks:
(1). Make sure you have systems in place that protect all your devices from
ransomware, including keeping your operating system patched and up to date
so that there are fewer vulnerabilities to exploit, and not installing software
or giving it administrative privileges unless you know exactly what it is and
what it does.
f. Phishing. Phishing is a cybercrime tactic in which the targets are contacted by
email, telephone or text message by someone posing as a legitimate institution to
lure individuals into providing sensitive data such as personally identifiable
information, banking and credit card details, and passwords. It continues to be one
of the most effective social engineering attack vectors. Some phishing schemes
are incredibly intricate and can sometimes look completely innocent. The Office of
Personnel Management (OPM) hack demonstrates how phishing can defeat
almost all layers of traditional security such as email gateways and endpoint
controls. Do the following to avoid phishing attacks:
(1). Measuring web browsing and email click-through behavior for users and
devices provides valuable risk insight for your enterprise.
(2). When in doubt, it’s best to call the organization you received the email from to
determine whether it is a phishing scam or not.
g. Trust Relationships. Trust relationships refer to a certain level of trust that exists
between users and systems. For example, trust relationships can connect two
domains, so a user only has to log in once in order to access resources. The two
domains in a trust relationship are the trusted domain (the domain that
authenticates the user the first time), and the trusting domain (the domain that
relies on the trusted domain to authenticate users and gives access to its
resources without re-authenticating the user). One common breach scenario is
when credentials are cached on a trusted client which is then breached, letting
the attacker reuse those cached credentials against the trusting domain.
7. Information Security Controls. Information security controls are the building blocks
of cybersecurity and risk management. Designed to block threats and minimize risk,
information security controls may be any policies, techniques, solutions,
technologies, or actions that can protect an organization’s information from the threat
of breach or compromise. Information security controls are measures taken to
reduce information security risks such as information systems breaches, data theft,
and unauthorized changes to digital information or systems. These security
controls are intended to help protect the availability, confidentiality, and integrity of
data and networks, and are typically implemented after an information security risk
assessment. The challenge when deploying information security controls is
determining which controls will be most effective at protecting the organization and its
data. Security teams must have clear visibility of the assets to be protected, the
threats and risks facing the organization, and how well existing cybersecurity
controls have performed. Yet, with a constantly expanding attack surface that now
encompasses cloud and remote environments, it’s increasingly difficult for security
teams to achieve this visibility. Bitsight for Security Performance Management
delivers the clarity that security and risk leaders need to identify risk throughout the
digital ecosystem and select the information security controls that will best serve to
mitigate it. Bitsight also enables security leaders to continuously monitor the
performance of information security controls set in place, and to identify the
investments and actions that will yield the highest measurable impact over time.
8. Types of Information Security Controls
Types of information security controls include security policies, procedures, plans,
devices and software intended to strengthen cybersecurity. There are three
categories of information security controls:
a. Preventive controls are intended to help prevent cybersecurity incidents.
b. Detective controls are designed to recognize attacks while they are in progress
and provide alerts to security teams.
c. Corrective controls come into play after a security incident and are intended to
help minimize damage from an attack or to restore business systems.
There are a variety of information security controls within each category. Some controls
are technical - for example, deploying antivirus software, configuring firewalls,
patching vulnerabilities, or requiring multi-factor authentication. Administrative
controls include establishing cybersecurity policy, conducting security awareness
education, or developing incident response plans. Physical controls may include
things like video surveillance, locks on server cabinets, and ID cards required to gain
physical access to a property. In a successful security program, information security
controls must be aligned with the type and severity of risk present in the organization’s
attack surface. To implement the most effective controls, security teams need insight
into the areas of highest risk and how well existing controls have performed to
mitigate that risk. That’s where Bitsight can help. Security controls come in the form
of:
a. Access controls including restrictions on physical access such as security
guards at building entrances, locks, and perimeter fences
b. Procedural controls such as security awareness education, security framework
compliance training, and incident response plans and procedures
c. Technical controls such as multi-factor user authentication at login, logical
access controls, antivirus software, and firewalls
d. Compliance controls such as privacy laws and cyber security frameworks and
standards.
9. Penetration Testing Concept. A penetration test (pen test) is an authorized
simulated attack performed on a computer system to evaluate its security.
Penetration testers use the same tools, techniques, and processes as attackers to
find and demonstrate the business impacts of weaknesses in a system. Penetration
tests usually simulate a variety of attacks that could threaten a business. They can
examine whether a system is robust enough to withstand attacks from authenticated
and unauthenticated positions, as well as a range of system roles. With the right
scope, a pen test can dive into any aspect of a system. Ideally, software and systems
were designed from the start with the aim of eliminating dangerous security flaws. A
pen test provides insight into how well that aim was achieved. Pen testing can help
an organization
a. Find weaknesses in systems
b. Determine the robustness of controls
c. Support compliance with data privacy and security regulations (e.g. PCI
DSS, HIPAA, GDPR)
d. Provide qualitative and quantitative examples of current security posture and
budget priorities for management
10. Phases of pen testing. Pen testers simulate attacks by motivated adversaries. To
do this, they typically follow a plan that includes the following steps:
a. Reconnaissance. Gather as much information about the target as possible from
public and private sources to inform the attack strategy. Sources include internet
searches, domain registration information retrieval, social engineering,
nonintrusive network scanning, and sometimes even dumpster diving. This
information helps pen testers map out the target’s attack surface and possible
vulnerabilities. Reconnaissance can vary with the scope and objectives of the pen
test; it can be as simple as making a phone call to walk through the functionality of
a system.
b. Scanning. Pen testers use tools to examine the target website or system for
weaknesses, including open services, application security issues, and open source
vulnerabilities. Pen testers use a variety of tools based on what they find during
reconnaissance and during the test.
c. Gaining access. Attacker motivations can include stealing, changing, or deleting
data; moving funds; or simply damaging a company’s reputation. To perform each
test case, pen testers determine the best tools and techniques to gain access to
the system, whether through a weakness such as SQL injection or through
malware, social engineering, or something else.
d. Maintaining access. Once pen testers gain access to the target, their simulated
attack must stay connected long enough to accomplish their goals of exfiltrating
data, modifying it, or abusing functionality. It’s about demonstrating the potential
impact.
11. Types of pen testing. A comprehensive approach to pen testing is essential for
optimal risk management. This entails testing all the areas in your environment.
a. Web apps. Testers examine the effectiveness of security controls and look for
hidden vulnerabilities, attack patterns, and any other potential security gaps that
can lead to a compromise of a web app.
b. Mobile apps. Using both automated and extended manual testing, testers look
for vulnerabilities in application binaries running on the mobile device and the
corresponding server-side functionality. Server-side vulnerabilities include
session management, cryptographic issues, authentication and authorization
issues, and other common web service vulnerabilities.
c. Networks. This testing identifies common to critical security vulnerabilities in an
external network and systems. Experts employ a checklist that includes test
cases for encrypted transport protocols, SSL certificate scoping issues, use of
administrative services, and more.
d. Cloud. A cloud environment is significantly different from traditional on-
premises environments. Typically, security responsibilities are shared between
the organization using the environment and the cloud services provider.
Because of this, cloud pen testing requires a set of specialized skills and
experience to scrutinize the various aspects of the cloud, such as
configurations, APIs, various databases, encryption, storage, and security
controls.
e. Containers. Containers obtained from Docker often have vulnerabilities that
can be exploited at scale. Misconfiguration is also a common risk associated
with containers and their environment. Both of these risks can be uncovered
with expert pen testing.
f. Embedded devices (IoT). Embedded / Internet of Things (IoT) devices such as
medical devices, automobiles, in-home appliances, oil rig equipment, and
watches have unique software testing requirements due to their longer life
cycles, remote locations, power constraints, regulatory requirements, and more.
Experts perform a thorough communication analysis along with a client/server
analysis to identify defects that matter most to the relevant use case.
g. Mobile devices. Pen testers use both automated and manual analysis to find
vulnerabilities in application binaries running on the mobile device and the
corresponding server-side functionality. Vulnerabilities in application binaries
can include authentication and authorization issues, client-side trust issues,
misconfigured security controls, and cross-platform development framework
issues. Server-side vulnerabilities can include session management,
cryptographic issues, authentication and authorization issues, and other
common web service vulnerabilities.
h. APIs. Both automated and manual testing techniques are used to cover the
OWASP API Security Top 10 list. Some of the security risks and vulnerabilities
testers look for include broken object level authorization, user authentication,
excessive data exposure, lack of resources / rate limiting, and more.
i. CI/CD pipeline. Modern DevSecOps practices integrate automated and
intelligent code scanning tools into the CI/CD pipeline. In addition to static tools
that find known vulnerabilities, automated pen testing tools can be integrated
into the CI/CD pipeline to mimic what a hacker can do to compromise the
security of an application. Automated CI/CD pen testing can discover hidden
vulnerabilities and attack patterns that go undetected with static code scanning.
Scanning Networks.
Network scanning is a procedure for identifying active devices on a network by
employing a feature or features in the network protocol to signal devices and await
a response. Most network scanning today is used in monitoring and management,
but scanning can also be used to identify network elements or users for attacks.
The specific protocol features used in scanning depend on the network, but
for IP networks scanning normally sends a simple message (a ping, for example) to
each possible IP address in a specified range, and then uses another protocol to
obtain data on the devices if a response to the ping is received. When used by
monitoring and management systems, scanning is used to identify current network
users, determine the state of systems and devices, and take an inventory of
network elements. Often an inventory of devices is compared against a list of
expected devices as a measure of health. All these are legitimate management
functions and are used routinely by network administrators.
The network is the backbone of any information technology infrastructure, over which
data and resources are shared. In today’s world, when the network is used for
almost everything, “Network Security” is of critical importance. If the network is
not secure, no other control is worth applying! Network scanning is the
process or technique by which we scan the network to gain details such as
active hosts, open ports including running TCP and UDP services, open
vulnerabilities, details about the host like its operating system, and much more. For
IP (Internet Protocol) networks, generally “ping” is used for reaching a host and
checking its status. Ping is an ICMP (Internet Control Message Protocol) utility; it
sends ICMP echo request packets to the target and waits for an ICMP echo reply.
Within an organization, network scanning is used by monitoring and management
systems. These are legitimate uses of scanning and are very regularly used by
network management tools and network administrators. On the other side,
scanning used by an attacker relies on the same tools and protocols as used by
network administrators for monitoring and management. The attacker would first
obtain the IP address range of the target network, generally using DNS or the
WHOIS protocol. Once the attacker has the IP range, he would scan the network
for active hosts, their operating systems and related details as discussed above.
Finally, with all this information, the attacker may attempt to breach the target
systems. Scanning used by attackers relies on the same tools and protocols as
monitoring/management scanning. An attacker would normally first obtain the IP
address range assigned to a company using the domain name system (DNS) or
the WHOIS protocol. Addresses within that address range would then be scanned
looking for servers, their operating systems, the system architecture, and the
services running on each. The attacker can then attempt to breach the target
systems and applications. Network scanning assists in assessing an organization’s
entire IT infrastructure to identify existing flaws and vulnerabilities. A thorough
network scanner assists in quantifying risks and planning the remediation process
to address the issue. In other words, network scanning is critical for network
health. All devices, connecting points, filtering systems, active hosts, operating
systems, and traffic are covered. Port scanning, sensing TCP sequence numbers
on active hosts, and discovering UDP and TCP services on networks are also
included. For the best results, always use advanced and intelligent network tools.
1. Network Scanning Tools. Network or IP Scanning Tools are programs that
detect network flaws and protect the system from unusual behavior. It is a simple way to
secure your computer network. Network tools have evolved into a vital role in network
security today. The following is a handpicked list of popular network scanners:
a. Auvik
b. SolarWinds Network Scanner
c. Advanced IP Scanner
d. Intruder
e. Acunetix
f. Paessler
g. OpenVAS
h. Angry IP Scanner
i. Wireshark
j. Perimeter 81
k. BeyondTrust
l. ThousandEyes
m. Qualys
n. Nessus
o. Nmap IP Scanner
p. Spiceworks IP Scanner
q. Nagios
r. Snort
s. Splunk
t. Fiddler
2. Types of Network scanning. Scanning is the second step in ethical hacking. It
helps the attacker get detailed information about the target. Scanning could be
basically of three types:
a. Port Scanning: Detecting open ports and running services on the target host
b. Network Scanning: Discovering IP addresses, operating systems, topology,
etc.
c. Vulnerability Scanning: Scanning to gather information about known
vulnerabilities in a target
Port scanning could be further divided into 5 types:
a. Ping Scan: This is the simplest scan. A ping scan sends ICMP echo request packets
and waits for a response from the target. If there is a response, the target is considered
to be active and listening.
b. TCP Half Open: Also referred to as a SYN scan, this is another very common
scanning method; the scanner sends a SYN but never completes the three-way handshake.
c. TCP Connect: TCP connect is similar to TCP half open, except for the fact that
a complete TCP connection is established in TCP connect port scanning.
d. UDP: UDP is used by very common services like DNS, SNMP, DHCP. So,
sending a UDP packet and waiting for a response helps gather information
about UDP ports.
e. Stealth Scanning: As the word says, stealth means a quieter activity. When an
attacker wants to be undetected while scanning, a stealth scan is used.
3. Banner Grabbing. Banner Grabbing is the term used to refer to the technique of
gathering information about a system available on a certain network and all the services
running on its open ports. An administrator can use this technique to take an
inventory of the systems and services on their network. Banner grabbing is
often applicable to white hat hacking endeavors as well as to grey hat hacking.
This technique gains information from banners and configurable text-based welcome
screens presented by network hosts. These banners generally contain
information about the system. One of the important points of banner grabbing is that this
technique is intended to be used by the administrator only. A few examples of service
ports that are used for the banner grabbing technique are HyperText Transfer Protocol
(HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).
a. Techniques for Banner Grabbing. There are two types of techniques available
to perform Banner Grabbing. This section of the article will cover different
techniques used for Banner Grabbing.
b. Active Banner Grabbing: This is the most popular and widely used
technique for Banner Grabbing. In this type of Banner Grabbing, packets
are sent to the remote host, and the sender then waits for the response and analyzes
the data. The sender can craft or modify the packets as needed. It involves
opening a TCP (Transmission Control Protocol) connection or similar
connection between the originating host and the remote host. This Banner
Grabbing type is active because the sender’s connection is logged by the
remote host. Active Banner Grabbing may not always prove safe for the tester, as
an IDS (Intrusion Detection System) can detect the probing of the
target computer or system.
c. Passive Banner Grabbing: On the other hand, this technique is less risky than
Active Banner Grabbing, as high-level exposure to the
connection is avoided. Because a direct connection to the host is avoided, other
intermediary software and systems are used as a gateway to connect. Passive
Banner Grabbing can also tally all the information available on the system, and
this technique is much less risky than Active Banner Grabbing.
d. Tools for Banner Grabbing: There are various kinds of tools available to
perform the technique of Banner Grabbing. In this section of the article, Banner
Grabbing tools are described, and below are some of the most popular and top
tools available for using the Banner Grabbing technique.
(1). Telnet: It is the most popular and best-known tool for banner grabbing.
Telnet is a cross-platform tool that is widely available and
helps to interact with remote servers for banner grabbing. Telnet
allows querying any service simply by typing telnet IP PORT, where IP
represents the IP address of the host and PORT represents the port on
which the remote service is listening.
(2). Wget: This tool is popularly used for Active Banner Grabbing, as it
can connect to a remote host or the local host. The syntax used for
Wget is wget -q -S IP_address, where IP_address is the network address, -q
suppresses the normal output, and -S prints the headers sent by the
HTTP server or the responses sent by the FTP server.
(3). cURL: This works much the same as Wget. It also connects to the
remote host or the local host, but the difference is in the syntax.
The syntax used for cURL is curl -s -I IP_address | grep -e "Server:",
where -s is the silent option that mutes progress and error
messages, -I is the parameter that fetches only the headers of the
requested page, and grep filters the Server header out of the response.
(4). Nmap: It is an excellent tool for performing Banner Grabbing. It helps to
get information from the targeted system very easily. The syntax used is
nmap -sV --version-intensity 5 site_name -p 80, where -sV
probes for the software version, and --version-intensity 5
sets how many version probes Nmap sends so that the sender gets the
information needed from the targeted system.
(5). NC: Netcat or nc is another tool used for fetching information using the
banner-grabbing technique. It is known to be the oldest and the most
popular tool of its kind on UNIX and Linux. This tool’s syntax is written as nc -v
IP PORT. This helps in getting the service banner and the software
version it advertises.
(6). ASR: ASR stands for Attack Surface Reduction and is one of the best
tools available to reduce the attack area. The ASR tool is considered ideal for
IT managers and security leaders. This web tool will help in discovering
unseen areas of your online assets.
4. The technique of banner grabbing can be used by the authorities to get
credential information from some systems, and can also be used by non-ethical hackers
who would try to invade and steal information from the targeted system.
The former is known as white hat hacking, while the latter is called grey hat hacking.
Banner Grabbing helps tally the information available on a system by connecting to its
host server. The banner grabbing technique is of two types; one is Active Banner
Grabbing, while the other is Passive Banner Grabbing. There are several tools available
for attempting Banner Grabbing. A few examples of these tools are telnet, cURL, Wget,
etc.
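The TCP connect scan of paragraph 2 and the active banner grab of paragraph 3, as an added example that is not part of the course notes: the script below starts a constructed local listener with a made-up SMTP-style greeting, connect-scans it, reads the banner, and compares the result to an expected-service baseline the way an administrator's inventory check would. The listener, the banner text and the port baseline are constructed for the example; only Python's standard-library socket module is used.

```python
from __future__ import annotations

import re
import socket
import threading
from typing import Dict, Iterable, List, Optional

# Constructed sample banner (not from any real host): an SMTP-style greeting
# that advertises a product name and version, the kind of detail an
# administrator would rather not expose on an open port.
SAMPLE_BANNER = b"220 mail.example.test ESMTP ExampleMTA 1.2.3\r\n"

# Matches version strings such as 1.2 or 1.2.3 inside a banner.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")


def start_banner_server(banner: bytes, host: str = "127.0.0.1"):
    """Start a throwaway listener on an ephemeral port that greets every
    client with `banner`. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed; stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port that is currently closed, for the 'closed port' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def grab_banner(s: socket.socket) -> Optional[str]:
    """Read the service's greeting if it sends one unprompted (SMTP, FTP and
    SSH do; HTTP waits for a request, so it yields None here)."""
    try:
        data = s.recv(1024)
    except socket.timeout:
        return None
    text = data.decode("ascii", errors="replace").strip()
    return text or None


def connect_scan(host: str, ports: Iterable[int],
                 timeout: float = 0.5) -> Dict[int, Optional[str]]:
    """TCP connect scan: a full three-way handshake on each port, which is
    why the remote host can log it. Returns {open_port: banner_or_None}."""
    found: Dict[int, Optional[str]] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue                     # closed or filtered
            found[port] = grab_banner(s)
    return found


def audit(found: Dict[int, Optional[str]],
          expected: Dict[int, str]) -> Dict[str, List[int]]:
    """Compare a scan against the inventory of services that should be
    listening, the way a monitoring system checks network health: flag
    listeners nobody expected, expected services that are down, and banners
    that leak a version string."""
    return {
        "unexpected": sorted(p for p in found if p not in expected),
        "missing": sorted(p for p in expected if p not in found),
        "version_leak": sorted(p for p, b in found.items()
                               if b and VERSION_RE.search(b)),
    }


if __name__ == "__main__":
    srv, open_port = start_banner_server(SAMPLE_BANNER)
    closed_port = free_port()
    found = connect_scan("127.0.0.1", [open_port, closed_port])
    print("open ports:", found)
    print(audit(found, {open_port: "smtp", closed_port: "ssh"}))
    srv.close()
```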
5. Penetration test. A penetration test simulates a hacker attempting to get into a
business system through hands-on research and the exploitation of vulnerabilities.
Actual analysts, often called ethical hackers, search for vulnerabilities and then try to
prove that they can be exploited. Using methods like password cracking, buffer
overflow, and SQL injection, they attempt to compromise and extract data from a
network in a non-damaging way. Penetration tests are an extremely detailed and
effective approach to finding and remediating vulnerabilities in software applications and
networks. A good way to illustrate the benefits of a penetration test would be to use an
analogy from the medical world. When something is wrong inside your body you can go
get an X-ray to help diagnose your problem. The image produced by a simple X-ray
machine can detect an obvious break in bone structure but is fuzzy and not good for
seeing soft tissue damage. If you really want to find out in detail what might be going on
inside a body, you need to have an MRI done that results in a detailed 3D model of
bone and soft tissues together. That is similar to the difference between a simple
vulnerability scan (fuzzy X-ray) and a penetration test (detailed MRI). If you really want
to find deep issues in your application or network, you need a penetration test. And if
you modify your systems and software over time, a regular penetration test is a great
way to ensure continued security.
Vulnerability Analysis
A vulnerability assessment is the testing process used to identify and assign severity
levels to as many security defects as possible in a given timeframe. This process may
involve automated and manual techniques with varying degrees of rigor and an
emphasis on comprehensive coverage. Using a risk-based approach, vulnerability
assessments may target different layers of technology, the most common being host-,
network-, and application-layer assessments.
Vulnerability testing helps organizations identify vulnerabilities in their software and
supporting infrastructure before a compromise can take place. But, what exactly is
a software vulnerability?
1. Definition of Vulnerability. A vulnerability can be defined in two
ways:
a. A bug in code or a flaw in software design that can be exploited to cause harm.
Exploitation may occur via an authenticated or unauthenticated attacker.
b. A gap in security procedures or a weakness in internal controls that when
exploited results in a security breach.
2. Vulnerability Assessment objectives. There are three primary objectives of a
vulnerability assessment.
a. Identify vulnerabilities ranging from critical design flaws to simple
misconfigurations.
b. Document the vulnerabilities so that developers can easily identify and
reproduce the findings.
c. Create guidance to assist developers with remediating the identified
vulnerabilities.
Vulnerability testing can take various forms. One method is Dynamic Application
Security Testing (DAST). A dynamic analysis testing technique that involves executing
an application (most commonly a Web application), DAST is performed specifically to
identify security defects by providing inputs or other failure conditions to find defects in
real time. Conversely, Static Application Security Testing (SAST) is the analysis of an
application’s source code or object code in order to identify
vulnerabilities without running the program.
The two methodologies approach applications very differently. They are most effective
at different phases of the software development life cycle (SDLC) and find different
types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-
site scripting (XSS) and SQL injection earlier in the SDLC. DAST, on the other hand,
uses an outside-in penetration testing approach to identify security vulnerabilities while
Web applications are running.
Penetration testing, a method of vulnerability assessment in its own right, entails
goal-oriented security testing. Emphasizing an adversarial approach (simulating an
attacker’s methods), penetration testing pursues one or more specific objectives
(e.g., capture the flag).
3. Types of Vulnerability Assessment. There are several types of vulnerability
assessments. These include:
a. Host assessment: The assessment of critical servers, which may be
vulnerable to attacks if not adequately tested or not generated from a tested
machine image.
b. Network and wireless assessment: The assessment of policies and practices
to prevent unauthorized access to private or public networks and network-
accessible resources.
c. Database assessment: The assessment of databases or big data systems for
vulnerabilities and misconfigurations, identifying rogue databases or insecure
dev/test environments, and classifying sensitive data across an organization’s
infrastructure.
d. Application scans: The identification of security vulnerabilities in web
applications and their source code by automated scans of the front-end or
static/dynamic analysis of the source code.
4. Vulnerability Management. Vulnerability management can be defined as “the
cyclical practice of identifying, classifying, remediating, and mitigating
vulnerabilities.” [1] Organizations use vulnerability management to preemptively defend
against the exploitation of vulnerabilities in company applications, software and
networks. Organizations that can effectively implement vulnerability management will be
significantly safer from data breaches and theft. This process can be viewed as five key
steps:
a. Outline vulnerability management policy.
b. Discover existing vulnerabilities.
c. Analyze current level of security and rank vulnerabilities by threat
level/remediation actions required.
d. Mitigate the causes of vulnerabilities.
e. Maintain security through ongoing testing and discovery.
5. Vulnerability Management Policy. Defining policy is the crucial first step of
vulnerability management. An effective vulnerability management policy should do the
following:
a. Define the level of security that an organization wants to maintain.
b. Set guidelines for vulnerability management practices (from testing to
remediation and maintenance).
c. Classify vulnerabilities by risk/threat and remediation effort.
d. Determine how often scans will be performed and allotted remediation times.
e. Define access-control policy for all devices connected to company networks.
f. Outline the consequences of noncompliance with vulnerability management
policy.
6. Vulnerability Management Solutions. There are many commercially available
vulnerability management solutions. These offerings range from automated vulnerability
management systems to vulnerability scanning tools that require implementation by the
organization. Vulnerability management solutions often include features such as policy
management, application scanning/testing, vulnerability remediation, network and
vulnerability monitoring, and reporting (vulnerabilities, compliance issues, etc). Effective
solutions should offer scalability and ease of implementation/integration. It is also
important that vulnerability management solutions provide tracking and metrics for
measuring success.
7. Combining Threat and Vulnerability Management. The effectiveness of
vulnerability management depends on the organization’s ability to keep up with current
security threats and trends. Today’s application security threat landscape is constantly
evolving and, as a result, organizations need to be proactive in their threat and
vulnerability management efforts. Most vulnerability management tools or systems will
provide updates as new threats emerge, but organizations should still engage in threat
research and analysis on a regular basis.
8. Network Vulnerability Management. A comprehensive organizational
cybersecurity program requires that enterprises engage in both application and network
vulnerability management. While application vulnerability management protects the
“front door” to a company’s data, network vulnerability management protects the “back
door.” Both must be secured for an enterprise to adequately protect its critical data.
Organizational security teams must integrate their network security vulnerability
management efforts with their application security efforts to ensure that new threats are
addressed across both layers. Network vulnerability management typically involves the
use of tools such as antivirus programs, firewalls and/or intrusion detection systems. In
addition to using these tools, security teams should regularly run security tests against
the network from the outside in. This tests the network from the attacker’s perspective,
allowing testers to discover vulnerabilities before attackers have the chance.
9. Vulnerability Scoring Systems. The Common Vulnerability Scoring System
(CVSS) is an open framework used by organizations across the world to determine the
severity of cybersecurity vulnerabilities. These scores provide a valuable common
benchmark for cybersecurity teams, who use CVSS scoring as part of their vulnerability
management programs. However, CVSS base scoring is not without significant
limitations. Cybersecurity teams benefit from universal frameworks or benchmarks they
can use to evaluate and compare threats and risks. One of the most popular such
frameworks is CVSS scoring, a vulnerability rating method used to determine the
severity of cyber vulnerabilities and help guide the order in which they should be
addressed.
The CVSS framework was launched in 2005, based on research done by the National
Infrastructure Advisory Council (NIAC). Shortly after creating the first version of
the vulnerability rating framework, NIAC selected the Forum of Incident Response and
Security Teams (FIRST) to be the custodian of the CVSS framework. In subsequent
years, CVSS has been updated multiple times to improve the utility of the framework.
10. How to Calculate CVSS Score. CVSS scores are calculated using a variety of
metrics. The CVSS score range is between 0 and 10, with 10 representing the most
severe; 7 to 8.9 represents “high” severity and 9 to 10 represents “severe.” In
addition to the widely used base scores, CVSS defines temporal and environmental
metrics that account for a variety of more complex factors.
a. Base metrics are used to measure qualities intrinsic to a vulnerability (meaning
they do not change over time). Base metrics also have three subscore
elements: exploitability, impact and scope.
b. Temporal metrics are used to measure characteristics that evolve over the
lifetime of a vulnerability. These measure the current state of exploitability and
the availability of remediation tools (such as patches).
c. Environmental metrics are used to measure vulnerabilities that are dependent
on a specific implementation or environment. Organizations can modify the
measurements of base CVSS metrics depending on the mitigations they
currently have or the value of assets.
Since its creation, CVSS scoring has become deeply entrenched within the realm of
cybersecurity, and is considered the primary or default manner in which to gauge the
severity of a vulnerability by many organizations, including the National Vulnerability
Database, the Open Source Vulnerability Database and the CERT Coordination Center.
Yet CVSS scoring also has some significant limitations.
11. The Limitations of the CVSS Framework. CVSS base scores only represent
the severity of a vulnerability. They do not consider the risk that severity poses to your
specific environment or provide a true cyber risk score. Without that key risk context, it
is not possible to prioritize vulnerability remediation effectively. While some vulnerabilities
may be severely critical in a broad sense, they may not pose any risk at all to your
specific security environment. Base CVSS scores are publicly available and easy to
access through a number of major databases. As a result, they are often the first place
some security teams look when it is time to prioritize and patch. However, relying on
these base scores in a vacuum is often a serious mistake, as they do not provide key
risk context, account for real world exploits or consider the availability of mitigations.
Proceeding without this information may cause a VM team to waste precious time
focusing on vulnerabilities that pose no threat, instead of devoting their resources
toward addressing the much smaller number of exposures that pose the greatest risk to
business-critical assets.
12. Vulnerability assessment: Security scanning process. The security scanning
process consists of four steps: testing, analysis, assessment and remediation.
a. Vulnerability identification (testing). The objective of this step is to draft a
comprehensive list of an application’s vulnerabilities. Security analysts test the
security health of applications, servers or other systems by scanning them with
automated tools, or testing and evaluating them manually. Analysts also rely on
vulnerability databases, vendor vulnerability announcements, asset
management systems and threat intelligence feeds to identify security
weaknesses.
b. Vulnerability analysis. The objective of this step is to identify the source and
root cause of the vulnerabilities identified in step one. It involves the
identification of system components responsible for each vulnerability, and the
root cause of the vulnerability. For example, the root cause of a vulnerability
could be an old version of an open source library. This provides a clear path for
remediation – upgrading the library.
c. Risk assessment. The objective of this step is the prioritizing of vulnerabilities.
It involves security analysts assigning a rank or severity score to each
vulnerability, based on such factors as:
(1). Which systems are affected.
(2). What data is at risk.
(3). Which business functions are at risk.
(4). Ease of attack or compromise.
(5). Severity of an attack.
(6). Potential damage as a result of the vulnerability.
d. Remediation. The objective of this step is the closing of security gaps. It’s
typically a joint effort by security staff, development and operations teams, who
determine the most effective path for remediation or mitigation of each
vulnerability. Specific remediation steps might include:
(1). Introduction of new security procedures, measures or tools.
(2). Operational or configuration changes.
(3). Development and implementation of a vulnerability patch.
Vulnerability assessment cannot be a one-off activity. To be effective,
organizations must operationalize this process and repeat it at regular intervals. It
is also critical to foster cooperation between security, operation and development
teams – a process known as DevSecOps.
13. Vulnerability assessment tools. Vulnerability assessment tools are designed to
automatically scan for new and existing threats that can target your application. Types
of tools include:
a. Web application scanners that test for and simulate known attack patterns.
b. Protocol scanners that search for vulnerable protocols, ports and network
services.
c. Network scanners that help visualize networks and discover warning signals like
stray IP addresses, spoofed packets and suspicious packet generation from a
single IP address.
It is a best practice to schedule regular, automated scans of all critical IT systems. The
results of these scans should feed into the organization’s ongoing vulnerability
assessment process.

System Hacking
System hacking is the compromise of computer systems and software to gain access to
the target computer and steal or misuse its sensitive information. Malware and
attackers identify and exploit vulnerabilities in the computer system to gain
unauthorized access.
1. Hacking Linux systems. Linux is an operating system based on Unix, created
by Linus Torvalds. It is developed and distributed under the open-source software
model. Hackers use varied techniques to hack into Linux systems:
a. Hacking Linux using the SHADOW file.
b. Another technique is bypassing the user password option in Linux.
c. Another technique is finding a bug in a Linux distribution and taking
advantage of it.
2. Hacking Mac OS. For hackers, hacking a Mac OS is as normal as hacking any
other operating system. Various ways that hackers adopt to hack into Mac OS are:
a. One Python command to bypass anti-virus
b. One Ruby command to bypass anti-virus
c. One Tclsh command to bypass
d. Use recovery mode to extract and brute-force the hash
e. Use single-user mode to configure a backdoor
f. Connect to backdoors from anywhere.
3. Hacking Android phones. Android system hacking is done in the following ways:
a. Install malware or a Trojan on the victim’s phone and control it remotely via your
own device.
b. Creating a shell terminal with admin access on the victim’s phone.
c. Using Spynote is another mode of Android hacking.
d. METASPLOIT and MSFVENOM
e. Using ADB (Android Debug Bridge)
f. Spy apps
g. Stagefright exploit
h. Keyloggers- Kikde iOWL and Shadow- Kids keylogger
4. Hacking Windows. Out of the several tried techniques of hacking Windows
systems, the one that is usually preferred by hackers is Social Engineering. Once the
hacker finds a Windows computer left open, he can easily change the existing password
to a new one, thereby taking control of the machine without the owner being aware.
5. Phases of System Hacking. There are five phases in penetration testing:
a. Reconnaissance – Mainly used to gather data
b. Scanning – Used to gather further intelligence on the data
c. Gaining access – Takes control of one or more network devices to extract
data.
d. Maintaining access – Gains more data from the targeted environment
e. Covering tracks – Remove traces that could reveal the attack.
There are various concepts of hacking such as the phase of pen-testing, footprinting,
scanning, enumeration, system hacking, sniffing traffic, and so on.
a. Footprinting. Footprinting, also known as reconnaissance, is used for
gathering all possible data about the target system. It can be active or passive.
The collected data is used to intrude into the system and to decide which attack
types to use, based on the target's security. A lot of information such as domain
name, IP address, namespace, email id, location, history of the website can be
found by this method.
Several tools are used to gather information, such as:
(1). Crawling: Surf the internet to gain information
(2). Whois: Lookup of the website to get information like email, registration, etc.
(3). Search engines: Google, Bing, and other search sites to get data
(4). Traceroute: Used to trace a path between the user and the target system
on the networks.
(5). Netcraft: Tool to gather information about web servers on both server and
client sides.
(6). Nslookup: Querying DNS server to extract information
(7). The Harvester: Used to catalog email and subdomains.
(8). Nmap: Used for scanning and used to find open ports of the target.
(9). Nessus: To find vulnerabilities in the ports.
(10). Nexpose: Similar to Nessus
(11). MEDUSA: Used to attack authentication services on the target machine.
(12). Hydra: To break authentication systems.
(13). Metasploit: Used to exploit the system.
b. Network scanning. Scanning is the second stage of information gathering, where
the hacker does a deep search of the system to look for valuable
information. Ethical hackers use network scanning effectively to help prevent attacks
on the organization. The tools and techniques used for scanning are –
(1). Crafted packets
(2). TCP flags
(3). UDP scans
(4). Ping sweeps
The hackers try to identify live systems using a protocol, map the same
network, and perform vulnerability scans to find weaknesses in the system. There
are three types of scanning –
(1). Port scanning – Used to find open ports
(2). Network scanning – Used to find IP addresses
(3). Vulnerability scanning – Used to find weaknesses or vulnerabilities
c. Gaining Access. Here the hacker uses different techniques and tools to gain
maximum data from the system. They are:
(1). Password cracking: Methods like Bruteforce, dictionary attack, rule-based
attack, rainbow table are used. Bruteforce is trying all combinations of the
password. A dictionary attack is trying a list of meaningful words until the
password matches. The rainbow table takes the hash value of the password
and compares it with pre-computed hash values until a match is discovered.
(2). Password attacks: Passive attacks such as wire sniffing, replay attack.
Active online attacks such as Trojans, keyloggers, hash injection,
and phishing. Offline attacks such as pre-computed hash, distributed
network, and rainbow. Non-electronic attacks such as shoulder surfing,
social engineering, and dumpster diving.
d. Maintaining Access. Once access to the system has been gained using the various
password cracking methods, the next step is to maintain that access.
To remain undetected, the attacker has to secure their presence; to do so they
can install hidden infrastructure that keeps the backdoor open. Trojan
horses, covert channels, and rootkits are used. A trojan horse provides access at
the application level and is used to gain remote access. A covert channel is one where
data can be sent through secret communication tunnels. A rootkit is a type of malware
that hides itself within the system in order to bypass its security measures.
e. Covering Tracks. All traces of the attack, such as log files and intrusion detection
system alarms, are removed to cover the tracks. The attacker removes all files and
folders created and modifies logs and the registry before leaving the system. Using
reverse HTTP shells and ICMP tunnels also helps to cover tracks.
6. Password Cracking. Password cracking is one of the most enjoyable hacks for bad
guys: it feeds the sense of exploration and is useful for figuring out passwords. A
password cracker may not have a burning desire to crack everyone's password.
A well-designed password-based authentication system does not store the actual
password of the user; if it did, a hacker who obtained it could easily access the user's
account on the system. Instead of the password, a password hash is stored by the
authentication system. The hash function is a one-way design, meaning it is difficult
for a hacker to find the input that produces a given output. Comparing two password
hashes is almost as good as comparing the real passwords: the authentication
system compares the stored hash with the hash of the password provided by the user.
In the password cracking process, the password is recovered from its associated
password hash. This can be accomplished in the following ways:
a. Dictionary attack: Most users use common and weak passwords. By taking a list
of words and adding a few substitutions, such as $ for S, a hacker can quickly
recover a lot of passwords.
b. Brute-force guessing attack: There are only so many potential passwords of a given
length, so a brute-force attack guarantees that a hacker will eventually crack
the password.
c. Hybrid Attack: It is a combination of the dictionary attack and brute-force attack
techniques. This attack first tries to crack the password using the dictionary
attack. If that is unsuccessful, it falls back to the brute-force attack.
7. How to create a strong password. There are 12 tools for password cracking.
These tools use different password cracking algorithms to crack the password. Most
password cracking tools are free, so you should maintain a strong password. The
following tips are important while creating a password:
a. The most important factor is password length. The length of the password increases
the work a brute-force password guessing attack has to do. A password made of 7
random characters can be cracked in a minute. If the password is 10
characters, it takes far more time than 7 characters.
b. Brute-force password guessing becomes more difficult if the user uses a
variety of characters, because the hacker has to try more options for each
character of the password. Incorporating numbers and special characters also
increases the difficulty for the hacker.
c. In a credential stuffing attack, the hacker uses a password stolen from one
online account against other accounts. So it is best to use a unique, random
and long password for every one of your online accounts.
8. What to avoid for a strong password. Cybercriminals and hackers know all the clever
tricks that users use while creating their passwords. Some common avoidable
password mistakes are as follows:
a. Dictionary words: Using a dictionary attack, every word in the dictionary is
tested in seconds.
b. Personal information: Birthplace, a relative's name, birthdate, a favourite name,
a pet's name, your own name and so on may be dictionary words. If they are not, there
are various tools on the market that grab users' information from social
media and build a wordlist for hackers.
c. Patterns: The most commonly used passwords are asdfgh, qwerty, 123457678,
1111111, and so on. Every password cracker has these passwords on its list.
d. Character substitution: The well-known character substitutions are $ for S and 4
for A. These substitutions are automatically tested by dictionary attacks.
e. Numbers and special characters: Most people put a special character and number
at the end of the password. Password cracker developers build these patterns into
their tools.
f. Common passwords: Some companies like Splashdata publish a list every year
which contains the most commonly used passwords. Just like attackers, they
crack breached passwords to create these lists. While creating a password,
you should never use anything on these lists.
g. Random passwords: You should keep your online account passwords
unique, random and long. To store the passwords for your online accounts, you should
use a password manager.
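As an added example (not part of these notes), the following Python turns the guidance of sections 7 and 8 into a password policy check a defender could run at enrolment: it undoes the common substitutions a dictionary attack tests automatically, strips the trailing digits and symbols people append, and flags dictionary words, keyboard patterns, short length, low character variety and personal information. The wordlist, the pattern list and the 12-character minimum are assumptions made for the example.

```python
import re

# Constructed mini wordlist standing in for a real dictionary (assumption: a real
# check would load a large list, e.g. a published most-common-passwords file).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "football",
                "letmein", "admin", "princess", "sunshine"}
# Keyboard walks and number runs every cracker has on its list.
PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "54321", "0987", "abcdef")
# The well-known substitutions a dictionary attack tests automatically.
LEET = str.maketrans({"$": "s", "4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "7": "t", "5": "s"})
MIN_LENGTH = 12  # assumption for this example; the notes say length matters most


def dictionary_forms(password):
    """Candidate 'core words' of a password: lower-cased, with the trailing
    digits/symbols most people append stripped, and with substitutions undone."""
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered.translate(LEET), stripped.translate(LEET), stripped}


def character_classes(password):
    """Count of lower, upper, digit and special classes present."""
    return sum(1 for cls in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
               if re.search(cls, password))


def check_password(password, personal_info=()):
    """Return the reasons a password violates the guidance in sections 7 and 8
    (an empty list means none of the listed mistakes were found)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    hits = dictionary_forms(password) & COMMON_WORDS
    if hits:
        problems.append("dictionary word '%s' (after undoing substitutions)" % sorted(hits)[0])
    for pattern in PATTERNS:
        if pattern in lowered:
            problems.append("keyboard or number pattern '%s'" % pattern)
            break
    if len(set(password)) == 1:
        problems.append("a single repeated character")
    # Letters followed only by digits/symbols: the "number at the end" habit.
    if re.fullmatch(r"[A-Za-z]+[\d\W_]+", password):
        problems.append("digits/special characters only as a suffix")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append("contains personal information '%s'" % item)
    return problems


if __name__ == "__main__":
    for candidate in ("P4$$w0rd1!", "Qwerty123456", "Rover!Rover!2019",
                      "correct-Horse7battery-Staple"):
        print(candidate, "->", check_password(candidate, personal_info=("Rover",))
              or "no listed mistakes found")
```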
9. Escalating Privileges. As organizations rely more on remote work capabilities
and larger cloud systems, their vulnerability to cyberattacks increases. Privilege
escalation attacks are a prevalent and complex threat, and any network can become a
target. Organizations need multiple defense strategies when any asset can become an
entry point for intruders. Understanding the privilege escalation process is an important
first step toward prevention and defense against extensive network attacks.
A privilege escalation attack is a cyberattack designed to gain unauthorized privileged
access into a system. Attackers exploit human behaviors, design flaws or oversights in
operating systems or web applications. This is closely related to lateral movement -
tactics by which a cyber-attacker moves deeper into a network in search of high-
value assets. The result is an internal or external user with unauthorized system
privileges. Depending on the extent of the breach, bad actors can do minor or major
damage. This might be a simple unauthorized email or a ransomware attack on vast
amounts of data. Left undetected, attacks can result in advanced persistent
threats (APTs) to operating systems. A privilege escalation technique can be
executed locally or remotely. Local privilege escalation begins onsite, often by
someone inside the organization. Remote escalation can begin from almost
anywhere. For a determined attacker, either approach can be effective.
10. Types of Privilege Escalation. Attacks are grouped into two primary types:
a. In horizontal privilege escalation (or account takeover), an attacker gains
access to a standard user account with lower-level privileges.
The intruder might steal an employee’s username and password, gaining
access to email, files and any web applications or subnetworks to which
they belong. Having obtained this foothold, the attacker can move
horizontally through the network, expanding their sphere of privileged
access among similarly privileged accounts.
b. Vertical privilege escalation (or privilege elevation) begins similarly, with
an attacker using a foothold to try to escalate vertically, gaining access to
accounts with higher privilege. For example, they might target accounts
with administrator privileges or root access permissions, such as those of an IT
helpdesk worker or a system administrator. A privileged account can be
used to invade other accounts.

Malware Threats
1. Malware Definition. Software designed to interfere with a computer's normal
functioning, malware is a blanket term for viruses, trojans, and other destructive
computer programs threat actors use to infect systems and networks in order to gain
access to sensitive information. Malware (short for “malicious software”) is a file or
code, typically delivered over a network, that infects, explores, steals or conducts
virtually any behavior an attacker wants. And because malware comes in so many
variants, there are numerous methods to infect computer systems. Though varied in
type and capabilities, malware usually has one of the following objectives:
a. Provide remote control for an attacker to use an infected machine.
b. Send spam from the infected machine to unsuspecting targets.
c. Investigate the infected user’s local network.
d. Steal sensitive data.
2. Types of Malware. Malware is an inclusive term for all types of malicious
software. Malware examples, malware attack definitions and methods for spreading
malware include:
a. Adware: While some forms of adware may be considered legitimate, others
gain unauthorized access to computer systems and greatly disrupt users.
b. Botnets: Short for “robot network,” these are networks of infected computers
under the control of single attacking parties using command-and-control
servers. Botnets are highly versatile and adaptable, able to maintain
resilience through redundant servers and by using infected computers to relay
traffic. Botnets are often the armies behind today's distributed denial-of-
service (DDoS) attacks.
c. Crypto-jacking: is malicious cryptomining (the process of using computing
power to verify transactions on a blockchain network and earning
cryptocurrency for providing that service) that happens when cybercriminals
hack into both business and personal computers, laptops, and mobile devices
to install software.
d. Malvertising: Malvertising is a portmanteau of “malware + advertising”
describing the practice of using online advertising to spread malware. It typically
involves injecting malicious code or malware-laden advertisements into
legitimate online advertising networks and webpages.
e. Polymorphic malware: Any of the above types of malware with the capacity
to “morph” regularly, altering the appearance of the code while retaining the
algorithm within. The alteration of the surface appearance of the software
subverts detection via traditional virus signatures.
f. Ransomware: Is a criminal business model that uses malicious software to
hold valuable files, data or information for ransom. Victims of a ransomware
attack may have their operations severely degraded or shut down entirely.
g. Remote Administration Tools (RATs): Software that allows a remote
operator to control a system. These tools were originally built for legitimate
use, but are now used by threat actors. RATs enable administrative control,
allowing an attacker to do almost anything on an infected computer. They are
difficult to detect, as they don’t typically show up in lists of running programs
or tasks, and their actions are often mistaken for the actions of legitimate
programs.
h. Rootkit: Programs that provide privileged (root-level) access to a computer.
Rootkits vary and hide themselves in the operating system.
i. Spyware: Malware that collects information about the usage of the infected
computer and communicates it back to the attacker. The term includes
botnets, adware, backdoor behavior, keyloggers, data theft and net-worms.
j. Trojan Malware: Malware disguised in what appears to be legitimate
software. Once activated, malware Trojans will conduct whatever action they
have been programmed to carry out. Unlike viruses and worms, Trojans do
not replicate or reproduce through infection. “Trojan” alludes to the
mythological story of Greek soldiers hidden inside a wooden horse that was
given to the enemy city of Troy.
k. Virus Malware: Programs that copy themselves throughout a computer or
network. Malware viruses piggyback on existing programs and can only be
activated when a user opens the program. At their worst, viruses can corrupt
or delete data, use the user’s email to spread, or erase everything on a hard
disk.
l. Worm Malware: Self-replicating viruses that exploit security vulnerabilities to
automatically spread themselves across computers and networks. Unlike
many viruses, malware worms do not attach to existing programs or alter
files. They typically go unnoticed until replication reaches a scale that
consumes significant system resources or network bandwidth.
3. Trojan Concepts. A Trojan, or Trojan horse, is a type of malware that conceals
its true content to fool a user into thinking it's a harmless file. Like the wooden horse
used to sack Troy, the "payload" carried by a Trojan is unknown to the user, but it can
act as a delivery vehicle for a variety of threats.
a. Types of Trojan viruses
Some of the most common types of Trojan virus include:
(1). Backdoor Trojans: This type of Trojan allows hackers to remotely
access and control a computer, often for the purpose of uploading,
downloading, or executing files at will.
(2). Exploit Trojans: These Trojans inject a machine with code
deliberately designed to take advantage of a weakness inherent to a
specific piece of software.
(3). Rootkit Trojans: These Trojans are intended to prevent the discovery
of malware already infecting a system so that it can do maximum
damage.
(4). Banker Trojans: This type of Trojan specifically targets personal
information used for banking and other online transactions.
(5). Distributed Denial of Service (DDoS) Trojans: These are
programmed to execute DDoS attacks, where a network or machine is
disabled by a flood of requests originating from many different sources.
(6). Downloader Trojans: These are files written to download additional
malware, often including more Trojans, onto a device.
b. Recognizing and detecting a Trojan virus
Because Trojans are used as a delivery device for a number of different
types of malware, if you suspect your device may have been breached by a
Trojan, you should look for many of the same telltale signs of malicious
software. These may include:
(1). Poor device performance- Is your computer or mobile device running
slowly or crashing more frequently than normal?
(2). Strange device behavior- Are programs running you didn’t initiate or
are other unexplained processes being executed on your device?
(3). Pop-up and spam interruptions- Are you noticing an uptick in the
number of interruptions from browser pop-ups or email spam?
If your device is exhibiting these symptoms, it’s possible a Trojan virus has
managed to sneak its payload onto your computer. Try searching your computer
for any programs or applications you don’t remember installing yourself. Enter
any unrecognized file names or programs into a search engine to determine if
they are recognized Trojans.
Finally, if you haven’t already, scan your computer with antivirus software to see
if it has uncovered a malicious file.
c. Examples of Trojans
(1). Zeus: Also known as Zbot, Zeus is a successful Trojan malware
package with many variants used to carry out a number of different
types of attack. It’s perhaps most well-known for its successful hack of
the U.S. Department of Transportation.
(2). Wirenet: Wirenet is a password-stealing Trojan notable for being
among the first to target Linux and OSX users, many of whom were
migrating from Windows operating systems based on perceived
security flaws.
(3). Mobile banking Trojans: Webroot has documented a number of
Trojans written to target mobile banking apps for the purpose of
stealing login credentials or replacing legitimate apps with malicious
ones.
d. Protecting your computer from Trojan horse threats. As with protecting against most
common cybersecurity threats, effective cybersecurity software should be your
front line of protection. An effective internet security solution should run fast,
frequent scans and alert you as soon as a Trojan virus is detected.
4. Viruses & Worms. The table given below shows a comparative analysis of the
points of difference between a virus and a worm. One must go through it carefully to
analyse how each of them can harm a computer device.

Difference Between Virus and Worm

(1). Definition
Computer Virus: A computer virus is a program in which a code copies itself and
replicates to other programs/files on a device, and may result in corrupting or
damaging the device.
Computer Worm: A computer worm is an independent malicious program which, when it
enters a system, can start causing harm/damage to the device.
(2). Initiation
Computer Virus: An initiation is required by the host, i.e., a virus spreads only when
an infected program is executed on a device.
Computer Worm: A worm only needs to enter the device; then it can automatically
affect the other files and programs. No execution is needed.
(3). Types
Computer Virus: Boot sector virus, direct action virus, polymorphic virus, macro
virus, spacefiller virus, overwrite virus, file infector virus.
Computer Worm: Internet worms, instant messaging worms, email worms, file sharing
worms, internet relay chat (IRC) worms.
(4). Spreading
Computer Virus: A virus may spread when a file is opened; the same malicious code is
then copied and spread whenever other files are opened on the host computer.
Computer Worm: A worm only requires a medium to enter the device. This may be
through the internet, email, online messaging applications, etc.
(5). Speed
Computer Virus: The time taken by a virus to spread in the system is less than that
of a worm.
Computer Worm: A worm can quickly spread through a device.
(6). Damage
Computer Virus: A virus corrupts the files or deletes them automatically.
Computer Worm: A worm, on the other hand, also affects the bandwidth and network
connections of the device.
(7). Examples
Computer Virus: Creeper, Blaster, Slammer, etc.
Computer Worm: Morris worm, Storm worm, etc.

5. Malware Analysis. Malware analysis is the process of understanding the
behavior and purpose of a suspicious file or URL. The output of the analysis aids in
the detection and mitigation of the potential threat.
The key benefit of malware analysis is that it helps incident responders and security
analysts:
a. Pragmatically triage incidents by level of severity
b. Uncover hidden indicators of compromise (IOCs) that should be blocked
c. Improve the efficacy of IOC alerts and notifications
d. Enrich context when threat hunting
6. Types of Malware Analysis. The analysis may be conducted in a manner that is
static, dynamic or a hybrid of the two.
a. Static Analysis. Basic static analysis does not require that the code is
actually run. Instead, static analysis examines the file for signs of malicious
intent. It can be useful to identify malicious infrastructure, libraries or packed
files. Technical indicators such as file names, hashes, strings (for example IP
addresses and domains) and file header data are identified and can be used to
determine whether the file is malicious. In addition, tools like disassemblers
and network analyzers can be used to observe the malware without actually
running it, in order to collect information on how the malware works.
However, since static analysis does not actually run the code, sophisticated
malware can include malicious runtime behavior that goes undetected. For
example, if a file generates a string at runtime and then downloads a malicious file
based upon that dynamic string, it could go undetected by basic static
analysis. Enterprises have turned to dynamic analysis for a more complete
understanding of the behavior of the file.
b. Dynamic Analysis. Dynamic malware analysis executes suspected
malicious code in a safe environment called a sandbox. This closed system
enables security professionals to watch the malware in action without the risk
of letting it infect their system or escape into the enterprise network. Dynamic
analysis provides threat hunters and incident responders with deeper
visibility, allowing them to uncover the true nature of a threat. As a secondary
benefit, automated sandboxing eliminates the time it would take to reverse
engineer a file to discover the malicious code. The challenge with dynamic
analysis is that adversaries are smart, and they know sandboxes are out
there, so they have become very good at detecting them. To deceive a
sandbox, adversaries hide code inside them that may remain dormant until
certain conditions are met. Only then does the code run.
c. Hybrid Analysis (includes both of the techniques above) . Basic static
analysis isn’t a reliable way to detect sophisticated malicious code, and
sophisticated malware can sometimes hide from the presence of sandbox
technology. By combining basic and dynamic analysis techniques, hybrid
analysis provides security team the best of both approaches - primarily
because it can detect malicious code that is trying to hide, and then can
extract many more indicators of compromise (IOCs) by statically and
previously unseen code. Hybrid analysis helps detect unknown threats, even
those from the most sophisticated malware.
For example, one of the things hybrid analysis does is apply static analysis to
data generated by behavioral analysis – like when a piece of malicious code
runs and generates some changes in memory. Dynamic analysis would
detect that, and analysts would be alerted to circle back and perform basic
static analysis on that memory dump. As a result, more IOCs would be
generated and zero-day exploits would be exposed.
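To make the static-analysis steps above concrete, here is an added Python example (written for this edit; it is not code from the page or from any vendor's product). It records file hashes, checks the PE header by following the DOS header's e_lfanew field, extracts printable strings and pulls IP addresses, URLs and domains out of them, and finally brute-forces single-byte XOR keys to recover a URL that the sample only assembles at runtime, which is exactly the case the text says a plain strings pass misses. The sample bytes, the XOR key, the imported function names and the addresses (RFC 5737 documentation ranges) are all constructed for the example and are not real indicators.

```python
import hashlib
import re
import struct

# Constructed stand-in for a suspicious file (not real malware): a minimal DOS/PE
# header, two plain-text indicators and one indicator that is only assembled at
# runtime (stored XOR-encoded). Addresses come from the RFC 5737 documentation
# ranges; nothing here is a real IoC.
XOR_KEY = 0x5A
PLAIN_URL = b"http://203.0.113.7/update.bin"
PLAIN_DOMAIN = b"cdn.example.net"
HIDDEN_URL = b"http://198.51.100.42/beacon"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_sample() -> bytes:
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature placed at 0x40.
    header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
    body = (
        b"kernel32.dll\x00WinExec\x00\x01\x02\x03"
        + PLAIN_URL + b"\x00" + PLAIN_DOMAIN + b"\x00"
        + b"\x07\x08" + xor_bytes(HIDDEN_URL + b"\x00", XOR_KEY)
    )
    return header + body


SAMPLE = build_sample()


def file_hashes(data: bytes) -> dict:
    # Hashes are the first indicators to record: they let you look the file up in
    # threat-intel feeds and share it without shipping the sample itself.
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def looks_like_pe(data: bytes) -> bool:
    # Follow the DOS header's e_lfanew field to the PE signature instead of
    # merely searching for "PE" somewhere in the file.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def printable_strings(data: bytes, min_len: int = 4) -> list:
    # Equivalent of the classic `strings` pass: runs of printable ASCII.
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[\x21-\x7e]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
FILE_EXTENSIONS = {"dll", "exe", "sys", "bin", "dat", "tmp"}


def extract_indicators(strings: list) -> dict:
    found = {"ipv4": set(), "urls": set(), "domains": set()}
    for s in strings:
        found["ipv4"].update(IPV4_RE.findall(s))
        found["urls"].update(URL_RE.findall(s))
        for candidate in DOMAIN_RE.findall(s):
            # "kernel32.dll" and "update.bin" satisfy the domain regex; drop
            # anything whose last label is a common file extension.
            if candidate.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
                found["domains"].add(candidate)
    return found


def find_xor_encoded_urls(data: bytes) -> dict:
    # Try every single-byte XOR key over the whole file and keep each key that
    # yields a URL. Key 0 reproduces the plain text; any other key that produces
    # a URL reveals a string the sample only assembles at runtime.
    hits = {}
    for key in range(256):
        urls = URL_RE.findall(xor_bytes(data, key).decode("latin-1"))
        if urls:
            hits[key] = set(urls)
    return hits


def triage(data: bytes) -> dict:
    strings = printable_strings(data)
    return {
        "hashes": file_hashes(data),
        "is_pe": looks_like_pe(data),
        "indicators": extract_indicators(strings),
        "xor_encoded_urls": find_xor_encoded_urls(data),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("sha256:", report["hashes"]["sha256"])
    print("PE file:", report["is_pe"])
    print("plain indicators:", report["indicators"])
    print("XOR-encoded URLs by key:", report["xor_encoded_urls"])
```

The plain strings pass finds the update URL and the CDN domain but not the beacon URL, because that string exists in the file only in encoded form; the XOR sweep recovers it under key 0x5A. Real samples use many other encodings, which is why the text recommends confirming static findings with a sandbox run.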

7. Cyber Security Measures. Businesses should use different cyber security
measures to keep their business data, their cashflow and their customers safe
online. These measures should aim to prevent risks from various sources, including:
a. internet-borne attacks, eg spyware or malware
b. user-generated weaknesses, eg easily guessed passwords or misplaced
information
c. inherent system or software flaws and vulnerabilities
d. subversion of system or software features
8. Essential cyber security measures. The following processes and tools are
fairly easy to introduce and, combined, they will give you a basic level of security
against the most common IT risks.
a. Use strong passwords. Strong passwords are vital to good online security.
Make your password difficult to guess by:
(1). Using a combination of capital and lower-case letters, numbers and
symbols
(2). Making it between eight and 12 characters long
(3). Avoiding the use of personal data
(4). Changing it regularly
(5). Never using it for multiple accounts
(6). Using two-factor authentication
Create a password policy for your business to help staff follow security best
practices. Look into different technology solutions to enforce your password policy,
eg scheduled password reset. For detailed guidance on passwords, read the
National Cyber Security Centre's (NCSC) guide on using passwords to protect
your data and consider different password strategies that could boost your
business security.
b. Control access to data and systems. Make sure that individuals can only
access data and services for which they are authorised. For example, you
can:
(1). Control physical access to premises and the computer network
(2). Restrict access to unauthorised users
(3). Limit access to data or services through application controls
(4). Restrict what can be copied from the system and saved to storage
devices
(5). Limit sending and receiving of certain types of email attachments
Modern operating systems and network software will help you to achieve
most of this, but you will need to manage the registration of users and user
authentication systems - e.g. passwords. For more information, read NCSC's
introduction to identity and access management controls.
c. Put up a firewall. Firewalls are effectively gatekeepers between your computer
and the internet. They act as a barrier to prevent the spread of cyber threats such as
viruses and malware. It's important to set up firewall devices properly and check them
regularly to ensure their software/firmware is up to date, or they may not be fully
effective. Read more about firewalls in server security.
d. Use security software. You should use security software, such as anti-spyware,
anti-malware and anti-virus programs, to help detect and remove malicious code if it
slips into your network. See our detailed guidance to help you detect spam, malware
and virus attacks.
e. Update programs and systems regularly. Updates contain vital security
upgrades that help protect against known bugs and vulnerabilities. Make sure that you
keep your software and devices up-to-date to avoid falling prey to criminals.
f. Monitor for intrusion. You can use intrusion detectors to monitor systems and
unusual network activity. If a detection system suspects a potential security breach, it
can generate an alarm, such as an email alert, based on the type of activity it has
identified. See more on cyber security breach detection.
g. Raise awareness. Your employees have a responsibility to help keep your
business secure. Make sure that they understand their role and any relevant policies
and procedures, and provide them with regular cyber security awareness and training.
Read about insider threats in cyber security.
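As an added illustration of the intrusion-monitoring step (example code written for this edit, not an NCSC tool or anything from the page), the Python script below runs a simple detection rule over constructed sshd log lines: it counts failed logins per source address inside a sliding window, raises one alert when the count crosses a threshold, and raises a second, more urgent one if a login then succeeds from the same source while the burst is still inside the window. The log lines, host name, addresses (RFC 5737 ranges), the assumed year (syslog timestamps carry none), the five-minute window and the threshold of five are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from any real host). Syslog timestamps
# carry no year, so the parser assumes one. Addresses are from the RFC 5737
# documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51000 ssh2
Mar  3 10:00:03 gw sshd[2102]: Failed password for root from 198.51.100.23 port 51001 ssh2
Mar  3 10:00:04 gw sshd[2103]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2
Mar  3 10:00:05 gw sshd[2104]: Failed password for root from 198.51.100.23 port 51002 ssh2
Mar  3 10:00:07 gw sshd[2105]: Failed password for invalid user test from 198.51.100.23 port 51003 ssh2
Mar  3 10:00:09 gw sshd[2106]: Failed password for root from 198.51.100.23 port 51004 ssh2
Mar  3 10:00:11 gw sshd[2107]: Accepted password for root from 198.51.100.23 port 51005 ssh2
Mar  3 10:20:00 gw sshd[2108]: Failed password for bob from 203.0.113.5 port 40001 ssh2
Mar  3 10:20:30 gw sshd[2109]: Accepted password for bob from 203.0.113.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Detection thresholds are assumptions for this example, not NCSC figures.
WINDOW = timedelta(minutes=5)
THRESHOLD = 5


def parse_line(line: str, year: int = 2024):
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts: a burst of failed logins from one source, and any login
    that succeeds from that source while the burst is still inside the window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> user names tried
    already = set()               # ips for which a burst alert has been raised
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            users[ev["ip"]].add(ev["user"])
            if len(q) >= threshold and ev["ip"] not in already:
                already.add(ev["ip"])
                alerts.append({"type": "ssh_bruteforce", "ip": ev["ip"], "count": len(q),
                               "users": set(users[ev["ip"]]), "first": q[0], "last": q[-1]})
        elif len(q) >= threshold:
            # A success right after a burst is the case that needs immediate attention.
            alerts.append({"type": "ssh_bruteforce_success", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(q), "at": ev["ts"]})
    return alerts


def format_alert(alert: dict) -> str:
    # The text that would go into the e-mail or ticket the page mentions.
    if alert["type"] == "ssh_bruteforce":
        return (f"[ALERT] {alert['count']} failed SSH logins from {alert['ip']} between "
                f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S} "
                f"(users tried: {', '.join(sorted(alert['users']))})")
    return (f"[ALERT] SSH login for {alert['user']} from {alert['ip']} at "
            f"{alert['at']:%H:%M:%S} after {alert['failures']} recent failures")


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(format_alert(a))
```

On the constructed lines the first address triggers both alerts (five failures in eight seconds, then a successful root login), while the second address, with a single failure before a successful login, stays below the threshold. Tuning the window and threshold to the traffic you actually see is what keeps such a rule from drowning the analyst in noise.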

9. Anti-Malware Software. Anti-malware is any resource that protects computers
and systems against malware, including viruses, spyware and other harmful programs.
Anti-malware resources are comprehensive solutions that maintain computer security
and protect sensitive data that is transmitted over a network or stored on local devices.
Anti-malware tools often include multiple components, including anti-spyware and
anti-phishing tools, as well as antivirus solutions for prominent viruses, which are isolated
and identified by security resources. Anti-malware tools may employ scanning
strategies and freeware or licensed tools to detect rootkits, worms, Trojans and other types
of potentially damaging software. Each type of malware resource carries its own
interface and system requirements, which impact user solutions for a given device or
system.

Social Engineering
Social engineering refers to all techniques aimed at talking a target into revealing
specific information or performing a specific action for illegitimate reasons.
1. Social engineering in IT. Though this form of trickery has always existed, it
has evolved significantly with ICT technologies. In this new context, social engineering
techniques in IT can be looked at from two different angles:
a. Either by using psychological manipulation to get further access to an IT
system where the actual objective of the scammer resides, e.g.
impersonating an important client via a phone call to lure the target into
browsing a malicious website to infect the target's workstation;
b. Using IT technologies as support to psychological manipulation techniques
to achieve an objective outside the IT realm, e.g. obtaining banking
credentials via a phishing attack to then steal the target's money. The
increasing use of IT technologies has naturally led to an increase in the use of such
techniques, as well as to their combination, to such a point that most cyber-attacks
nowadays include some form of social engineering.
2. Social engineering Techniques. This entry will cover some of the most
common techniques: pretexting, baiting, quid pro quo and tailgating. Phishing attacks
also rely upon social engineering; this topic has been covered in a previous
entry: Phishing/Spear phishing.
a. Pretexting. This technique involves the use of a pretext - a false justification for a
specific course of action - to gain trust and trick the victim. Example: the
attacker claims to work for IT support and requests the target's password for
maintenance purposes. Proper identification and authentication processes,
policies and training should be in place to circumvent such attacks.
b. Baiting. Baiting involves luring the victim into performing a specific task by
providing easy access to something the victim wants.
Security policies such as an air gap and the blocking of non-authorised
software and hardware will thwart most attempts, though staff should also
be reminded not to trust unknown sources.

c. Quid pro quo. Quid Pro Quo, "something for something" in Latin, involves a
request for information in exchange for a compensation. Quid pro quo
attacks are relatively easy to detect given the asymmetrical value of the
information compared to the compensation, which is opposite for the
attacker and the victim. In these cases the best countermeasure remains
the victim's integrity and ability to identify, ignore and report.
d. Tailgating. Tailgating is the act of following an authorised person into a
restricted area or system. Access to nonpublic areas should be controlled
by access policies and/or the use of access control technologies, the more
sensitive the area the stricter the combination. The obligation to wear a
badge, the presence of a guard and actual anti-tailgating doors such as
mantraps with RFID access control should be sufficient to deter most
attackers.
3. Insider Threats. Insider threats present a complex and dynamic risk affecting
the public and private domains of all critical infrastructure sectors. Defining these threats
is a critical step in understanding and establishing an insider threat mitigation program.
The Cybersecurity and Infrastructure Security Agency (CISA) defines insider threat as
the threat that an insider will use their authorized access, intentionally or unintentionally,
to do harm to the department’s mission, resources, personnel, facilities, information,
equipment, networks, or systems. Insider threats manifest in various ways: violence,
espionage, sabotage, theft, and cyber acts. An insider is any person who has or had
authorized access to or knowledge of an organization’s resources, including personnel,
facilities, information, equipment, networks, and systems.
Examples of an insider may include:
a. A person the organization trusts, including employees, organization
members, and those to whom the organization has given sensitive
information and access.
b. A person given a badge or access device identifying them as someone with
regular or continuous access (e.g., an employee or member of an
organization, a contractor, a vendor, a custodian, or a repair person).
c. A person to whom the organization has supplied a computer and/or network
access.

d. A person who develops the organization’s products and services; this group
includes those who know the secrets of the products that provide value to
the organization.
e. A person who is knowledgeable about the organization’s fundamentals,
including pricing, costs, and organizational strengths and weaknesses.
f. A person who is knowledgeable about the organization’s business strategy
and goals, entrusted with future plans, or the means to sustain the
organization and provide for the welfare of its people.
g. In the context of government functions, the insider can be a person with
access to protected information, which, if compromised, could cause
damage to national security and public safety.
4. Insider Threat. Insider threat is the potential for an insider to use their authorized
access or understanding of an organization to harm that organization. This harm can
include malicious, complacent, or unintentional acts that negatively affect the
integrity, confidentiality, and availability of the organization, its data, personnel, or
facilities. External stakeholders and customers of the Cybersecurity and
Infrastructure Security Agency (CISA) may find this generic definition better suited
and adaptable for their organization’s use. CISA defines insider threat as the threat
that an insider will use their authorized access, wittingly or unwittingly, to do harm to
the department’s mission, resources, personnel, facilities, information, equipment,
networks, or systems. This threat can manifest as damage to the department through
the following insider behaviors:
a. Espionage
b. Terrorism
c. Unauthorized disclosure of information
d. Corruption, including participation in transnational organized crime
e. Sabotage
f. Workplace violence
g. Intentional or unintentional loss or degradation of departmental resources or
capabilities
5. Types of Insider Threats
a. Unintentional Threat
(1). Negligence: An insider of this type exposes an organization to a threat
through carelessness. Negligent insiders are generally familiar with
security and/or IT policies but choose to ignore them, creating risk for
the organization. Examples include allowing someone to “piggyback”
through a secure entrance point, misplacing or losing a portable
storage device containing sensitive information, and ignoring
messages to install new updates and security patches.
(2). Accidental: An insider of this type mistakenly causes an unintended
risk to an organization. Examples include mistyping an email address
and accidentally sending a sensitive business document to a
competitor, unknowingly or inadvertently clicking on a hyperlink,
opening an attachment in a phishing email that contains a virus, or
improperly disposing of sensitive documents.
b. Intentional Threats: The intentional insider is often synonymously
referenced as a “malicious insider.” Intentional threats are actions
taken to harm an organization for personal benefit or to act on a
personal grievance. For example, many insiders are motivated to “get
even” due to a perceived lack of recognition (e.g., promotion, bonuses,
desirable travel) or termination. Their actions can include leaking
sensitive information, harassing associates, sabotaging equipment,
perpetrating violence, or stealing proprietary data or intellectual
property in the false hope of advancing their careers.
c. Other Threats
(1). Collusive Threats: A subset of malicious insider threats is referred
to as collusive threats, where one or more insiders collaborate with an
external threat actor to compromise an organization. These incidents
frequently involve cybercriminals recruiting an insider or several
insiders to enable fraud, intellectual property theft, espionage, or a
combination of the three.
(2). Third-Party Threats: Additionally, third-party threats are typically
contractors or vendors who are not formal members of an
organization, but who have been granted some level of access to
facilities, systems, networks, or people to complete their work.
These threats may be direct or indirect threats.
6. Social Media Impersonation. Impersonation in social networks refers to
accounts that use the name, image, or other identifying elements of a person, company,
or organization for fraudulent purposes. Generally speaking, it is the act when a person
pretends to be someone else on social media platforms. Social media impersonation
differs from other legitimate uses of a brand or person, such as fan accounts, parodies
or criticism, and information pages. Identity theft and impersonation are not exactly the
same thing. Impersonation by itself is not a criminal offense (unless the person being
impersonated is a police officer, a doctor, or a solicitor). When it comes to the
impersonation of a brand, however, the actions taken in order to carry out such an act
involve illegal actions, such as trademark infringements, breaches of privacy, and
financial fraud. Identity theft involves the theft of your personal information or your
business’s private data in order to gain access to your financial details. Impersonation is
more simply the act of someone pretending to be an individual or a business.
a. Types of impersonation. There are many different types of impersonation,
from phishing scams that ask for personal information to be sent to an
outside account to full-blown online fraud that has you buying products from
illegitimate sellers. Here are some of the most common ways scammers
have been impersonating brands:
(1). Phishing: By impersonating a brand (or its employees), scammers
seek to obtain sensitive customer information or data, such as social
security numbers, passwords or bank details. The financial sector
(particularly many FinTech companies, which tend to have more
interaction with their users through social networks) is one of the most
impacted by these practices.
(2). Counterfeiting: These are fake pages of a brand that try to deceive
its consumers by selling them inauthentic products. They often
operate through aggressive advertising campaigns that target brand
consumers and redirect them to a website outside the social network
where the transaction takes place. This practice affects a multitude of
industries, but is particularly relevant in the luxury and fashion
industries.
(3). Fake news: These are accounts that impersonate politicians,
celebrities, public institutions or advertising agencies, among others,
with the aim of disclosing false information and news.
(4). Scams: Although not always carried out by impersonating a third
party, many of the main frauds on the Internet (coupons, romance
fraud, 419 scam, account takeover, etc.) have their origin in identity
theft through social networks.
b. Impersonators Operation. The way impersonators operate is very diverse
and depends on the social network, the objectives pursued by the
impersonator and his level of sophistication. However, there are some
common behaviors that have been observed in different impersonation
attacks:
(1). There is usually a correlation between the number of impersonations
a brand suffers from and its social media presence. At one end,
brands that do not have an official account are often an easy target for
fraudsters, who will try to take advantage of this gap to deceive the
brand’s followers. At the other end, we tend to observe that brands
with more presence (number of followers, posts, campaigns, etc.) are
also a prime target for impersonators, as they know there is a large
base of brand customers to defraud.
(2). Impersonators often use the same photos, names, descriptions,
posts, hashtags, etc. as the official accounts. It is also common for
them to impersonate “support” or “customer service” pages or run
raffles and promotions. The fact that a given account has few posts
does not imply that it is risk-free: it may be sending private messages
or running aggressive ad campaigns on the social network and
redirecting those affected to external web pages on which to defraud
them.
(3). On many social networks, newly created accounts can take up to
several days to appear in search results. The most sophisticated
impersonators take advantage of these periods when they are less
visible to launch very aggressive attacks, often through ad campaigns
targeted directly at the brand’s consumers.
(4). The type of social network strongly determines the forms of
impersonation. On networks such as LinkedIn, for example,
impersonations of brand executives or employees are more likely to
be encountered. In networks such as Facebook, impersonations are
most commonly done through “Pages”, although sometimes they are
also carried out through “Profiles”, “Groups” or “Events”. It is important
to understand the way each platform works and its audience in order
to correctly identify the different types of impersonation.
7. Social Identity Threat.
a. According to social identity theory, group members
may experience different kinds of identity threats. Group-status threat
occurs when the perceived competence of the group is devalued. Group
members may also experience various forms of social identity threats, one
of which takes place when the moral behaviour of their group is called into
question. The latter form of threat is sometimes experienced even by group
members who can in no way be held personally accountable for
their group’s behaviour, as when citizens of a certain country may feel guilt
or shame for crimes committed by their country long before they were born.
b. Group members can also experience social identity threat when they think
that their group is not sufficiently acknowledged as a separate entity with
unique characteristics. Such group-distinctiveness threat is experienced
when different groups of people are included in larger,
more inclusive groups, nations, or organizations, such as members of
linguistic minorities who strive for political autonomy or workers in a small
company that is taken over in an organizational merger. In addition,
categorization threat occurs when individuals are treated as group
members at times when they would prefer not to be, as when a woman
who is a lawyer is addressed in court on the basis of her gender instead of
her profession. Acceptance threat occurs when individuals fail to gain
acceptance and inclusion in the groups of which they consider themselves
members, such as when a manager of Asian descent is not invited to join a
local Asian business club.
c. To cope with identity threat, group members will respond differently
depending on the degree to which they identify with the group. In addition
to the perceived characteristics of the social structure (and the
opportunities and restrictions implied), the psychological significance of
group membership and the loyalty and commitment to the group and its
members also determine how people cope with identity threat. See
also conformity; deindividuation.

Hardening & Whitelisting

1. Systems Hardening. Systems hardening is a collection of tools, techniques, and
best practices to reduce vulnerability in technology applications, systems, infrastructure,
firmware, and other areas. The goal of systems hardening is to reduce security risk by
eliminating potential attack vectors and condensing the system’s attack surface. By
removing superfluous programs, accounts, functions, applications, ports, permissions,
access, etc., attackers and malware have fewer opportunities to gain a foothold within
your IT ecosystem.
Systems hardening demands a methodical approach to audit, identify, close, and
control potential security vulnerabilities throughout your organization. There are several
types of system hardening activities, including:
a. Application hardening
b. Operating system hardening
c. Server hardening
d. Endpoint hardening
e. Database hardening
f. Network hardening
Although the principles of system hardening are universal, specific tools and techniques
do vary depending on the type of hardening you are carrying out. System hardening is
needed throughout the lifecycle of technology, from initial installation, through
configuration, maintenance, and support, to end-of-life decommissioning. Systems
hardening is also a requirement of mandates such as PCI DSS and HIPAA, and is
increasingly demanded by cyber insurers.
2. Hardening a System. You harden a system by reducing the “attack surface,” the
combination of all the potential flaws and backdoors in technology that can be exploited by
threat actors. These vulnerabilities can occur in many ways. Common attack surface
vulnerabilities include:
a. Default passwords: Attackers can leverage automated password crackers
to guess the defaults. The attack surface this presents could be large if the
same defaults are used across many different endpoints--from desktops to
IoT--or accounts.

b. Hardcoded passwords and other credentials stored in plain text files can
increase the attack surface in a couple important ways. If they are forgotten
in deployed code or otherwise publicly exposed, the hardcoded credentials
can provide a backdoor into the organization.
c. Unpatched software and firmware vulnerabilities are historically one of the
biggest contributors to attack surfaces. While patching will mitigate a
vulnerability, patches are not always available as in the case of zero day
threats. Moreover, some patches may be too disruptive to implement or not
economically feasible.
d. Lack, or deficiency, of privileged access controls. With the expansion of the
cloud and all things digital transformation privileged accounts and access
has exploded. The privileged account attack surface is not just humans and
employees, but also increasingly involves machines and vendors. In cloud
environments, privileged access and accounts may be dynamic and
ephemeral, further complicating efforts to gain visibility and control over this
massive risk.
e. Poorly configured BIOS, firewalls, ports, servers, switches, routers, or other
parts of the infrastructure. With the strong growth in cloud and hybrid
infrastructure, IT environments are becoming increasingly complex. This
complexity is fertile ground for misconfigurations, which not only can cause systems
to crash or misfire, but also can create dangerous security holes.
Misconfigurations like open ports have resulted in some of the worst cloud
breaches in recent years, such as by inadvertently exposing data buckets or
providing publicly accessible backdoors to critical infrastructure.
f. Unencrypted, or inadequately encrypted, network traffic or data at rest can
make it easy for attackers to access data or eavesdrop on conversations and
access and potentially gain important information (such as passwords)
needed to advance an attack.
g. Additionally, the Center for Internet Security (CIS) maintains updated
guidelines on their site around best practice system configurations for
specific use cases. The CIS Benchmarks include over 100 guidelines across
25 vendor product families (Amazon Linux, Amazon AWS, Apple iOS, Apple
Mac OS, Checkpoint Firewall, Cisco, Docker, Google Cloud, Microsoft
Azure, etc.).
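The audit-identify-close-control cycle described above, applied to one of the "poorly configured servers" cases, as an added Python example (written for this edit; it is not code from the page, from CIS, or from OpenSSH). It parses a constructed sshd_config excerpt the way sshd does (first occurrence of a keyword wins, comments ignored), reports every setting that differs from a target value or is left at the compiled-in default, and rewrites the file so the targets hold. The weak sample file and the target values are assumptions chosen for illustration; the authoritative list for a given platform is the CIS Benchmark the text refers to.

```python
import re

# Constructed sshd_config excerpt with weak settings; illustrative only, not
# taken from any real host.
WEAK_CONFIG = """\
# Constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
#MaxAuthTries 6
"""

# Target values are common hardening choices assumed for this example; consult
# the CIS Benchmark for your platform for the authoritative list.
RULES = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lowercase: value}. sshd keywords are case-insensitive and
    the first occurrence of a keyword is the one that takes effect."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text: str, rules: dict = RULES) -> list:
    """Return (keyword, actual, expected) for every rule that does not hold.
    actual is None when the keyword is absent, i.e. the server default applies."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in rules.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((key, actual, expected))
    return findings


def harden(text: str, rules: dict = RULES) -> str:
    """Rewrite the config so every rule holds: replace the first occurrence of a
    governed keyword, drop later duplicates of it, append whatever is missing."""
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key = re.split(r"[\s=]+", line, maxsplit=1)[0]
            canon = next((r for r in rules if r.lower() == key.lower()), None)
            if canon is not None:
                if canon in seen:
                    continue          # a duplicate later in the file would be ignored by sshd anyway
                seen.add(canon)
                out.append(f"{canon} {rules[canon]}")
                continue
        out.append(raw)               # comments, blank lines and ungoverned keywords pass through
    for canon, value in rules.items():
        if canon not in seen:
            out.append(f"{canon} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, actual, expected in audit(WEAK_CONFIG):
        print(f"{key}: {'not set' if actual is None else actual!r} -> expected {expected!r}")
    print("--- hardened ---")
    print(harden(WEAK_CONFIG), end="")
```

Running the audit on the hardened output returns no findings, which is the "control" step of the cycle: the same check can run on a schedule so that drift back to the weak values is caught rather than discovered during an incident.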

Hacking Web Application

1. Web Application. In this tutorial, we will learn the basic concepts of a web
application, how it works, and its advantages and disadvantages.
a. Definition of Web-application. A web application is an application program that
is usually stored on a remote server, and users access it through software known as
a web browser. It is a type of computer program that usually runs with the help of a
web browser and uses many web technologies to perform various tasks on the
internet. A web application can be developed for several uses and can be used by
anyone, whether an individual or a whole organization, for several reasons.
In general, web applications include online shops (also called e-commerce shops),
webmail, calculators, social media platforms, etc. Some web applications require a
special kind of web browser to access them and cannot be accessed using regular
web browsers. However, most of the web applications available on the internet can be
accessed using a standard web browser.
In general, a web application uses a combination of server-side scripts, such as PHP
or ASP, for handling information and for the storage and retrieval of data.
Some also use client-side scripts, such as JavaScript and HTML, to present the
data/information to the users, and some web applications use both server-side and
client-side scripts at the same time.
It allows users to communicate with the organization or company by using online
forms, online forums, shopping carts, content management systems, and much more.
Apart from that, web applications also allow users to create documents and share
them, or share data/information. By using a web application, users can collaborate on
the same projects even when they are not in the same geographical location.
After knowing what a web application is, the next question is how it works.
b. Working of a Web Application.

In general, a web application does not require downloading because, as we already
discussed, it is a computer program that usually resides on a remote server. Any user
can access it by using one of the standard web browsers such as Google Chrome,
Safari, Microsoft Edge, etc., and most of them are available free for everyone.
Web applications are generally coded using languages supported by almost every web
browser, such as HTML and JavaScript, because these languages rely on the web
browser to render the program executable.
Some web applications are entirely static, so they do not require any processing on
the server at all, while others are dynamic and require server-side processing.
To operate a web application, we usually require a web server (or some space on a
web server for our application's code) to manage incoming client requests, and an
application server.
The application server performs the tasks requested by the clients, and it may also
need a database to store information. Application server technologies range from
ASP.NET, ASP, and ColdFusion to PHP and JSP.
A standard web application usually has short development cycles and can be easily
developed by a small team of developers. Most of the web applications currently
available on the internet are written using languages such as HTML (Hypertext Markup
Language), CSS (Cascading Style Sheets) and JavaScript, which are used to create
the front-end interface (client-side programming).
To create the web application's server-side scripts, server-side programming is done
using programming languages such as Java, Python, PHP and Ruby. Python and Java
are the languages usually used for server-side programming.
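The request path just described (browser sends a request, the web server hands it to the application server, which consults a database and returns HTML for the browser to render) as an added Python example; it is written for this edit and is not code from the page or from any framework. It uses only the standard library: a WSGI application plays the application-server tier, an in-memory SQLite table stands in for the database, and a small driver feeds requests to the application without opening a socket so it can be run as a test. The product rows, route names and price values are constructed for the example. Because this is the layer that turns browser input into database queries, the search handler binds the user's term as a query parameter and escapes product names on output, so a term containing quote characters is treated as data rather than as SQL or HTML.

```python
import html
import sqlite3
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults


# Constructed in-memory catalogue standing in for the database tier; no real
# shop or product data is involved.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)")
    db.executemany("INSERT INTO products (name, price_cents) VALUES (?, ?)",
                   [("keyboard", 4999), ("mouse", 1999), ("monitor", 19999)])
    db.commit()
    return db


DB = make_db()


def search_products(db, term: str) -> list:
    # Server-side processing: the browser only ever sends a query string; the
    # database is reachable from this tier alone. The term is bound as a
    # parameter, never pasted into the SQL text, so quotes in it are just data.
    rows = db.execute(
        "SELECT name, price_cents FROM products WHERE name LIKE ? ORDER BY name",
        ("%" + term + "%",),
    ).fetchall()
    return [{"name": name, "price_cents": price} for name, price in rows]


def application(environ, start_response):
    # WSGI entry point: the web server (or the driver below) passes each request
    # here as an environ dict and receives status, headers and body back.
    path = environ.get("PATH_INFO", "/")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    if path == "/":
        status = "200 OK"
        body = (b"<html><body><form action='/search'>"
                b"<input name='q'><button>Search</button></form></body></html>")
    elif path == "/search":
        status = "200 OK"
        term = params.get("q", [""])[0]
        items = "".join(
            f"<li>{html.escape(p['name'])}: {p['price_cents'] / 100:.2f}</li>"
            for p in search_products(DB, term)
        )
        # The HTML is assembled here; the browser's only job is to render it.
        body = f"<html><body><ul>{items}</ul></body></html>".encode("utf-8")
    else:
        status = "404 Not Found"
        body = b"not found"
    start_response(status, [("Content-Type", "text/html; charset=utf-8"),
                            ("Content-Length", str(len(body)))])
    return [body]


def simulate_request(path: str, query: str = ""):
    # Drive the application without a network socket, as a test client would.
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = query
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(application(environ, start_response))
    return captured["status"], body.decode("utf-8")


if __name__ == "__main__":
    # Serve it for real on localhost: the browser talks to this server, which
    # calls application() for every request.
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, application) as httpd:
        print("serving on http://127.0.0.1:8000/")
        httpd.serve_forever()
```

The split between `application` (server side) and the HTML it returns (client side) is the division the text draws: nothing in the browser can reach `DB`, so every trust decision about user input has to be made in the server-side code, which is why the search term is passed to SQLite as a parameter.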
