2. History
• In the 1970s, Robert Thomas, a researcher for BBN Technologies in Cambridge,
Massachusetts, created the first computer “worm”. It was called The
Creeper.
• It infected computers by hopping from system to system with the message “I’M
THE CREEPER: CATCH ME IF YOU CAN.”
• Ray Tomlinson, the inventor of email, created a replicating program
called The Reaper, the first antivirus software, which would chase
Creeper and delete it.
• In 1988, Robert Morris wrote a program, the Morris worm, that went through
networks, invaded Unix terminals, and copied itself.
• The Morris worm was so aggressive that it slowed down computers to the point
of being unusable. He subsequently became the first person to be convicted
under the Computer Fraud and Abuse Act.
3. What is Cyber Security
Cybersecurity is the body of technologies, processes, and practices
designed to protect networks, computers, programs and data from
attack, damage or unauthorized access.
4. Why is cybersecurity important?
• With each passing year, the sheer volume of threats is increasing
rapidly.
• According to the report by McAfee, cybercrime now stands at over $400 billion,
while it was $250 billion two years ago.
• Cyber attacks can be extremely expensive for businesses to endure.
• In addition to financial damage suffered by the business, a data breach can also
inflict untold reputational damage.
• Cyber-attacks these days are becoming progressively destructive.
• Cybercriminals are using more sophisticated ways to initiate cyber attacks.
• Regulations such as General Data Protection Regulation (GDPR)
are forcing organizations into taking better care of the personal data
they hold.
5. The CIA Triad
• Confidentiality, integrity, and availability, also known as the CIA
triad, is a model designed to guide companies and organizations to
form their security policies.
6. Confidentiality
• Confidentiality is about preventing the disclosure of data to
unauthorized parties.
• It also means trying to keep the identity of authorized parties
involved in sharing and holding data private and anonymous.
• Often confidentiality is compromised by cracking poorly encrypted
data, Man-in-the-middle (MITM) attacks, or disclosing sensitive data.
• Standard measures to establish confidentiality include:
• Data encryption
• Two-factor authentication
• Biometric verification
• Security tokens
7. Integrity
• Integrity refers to protecting information from being modified by
unauthorized parties.
• It is a requirement that information and programs are changed only in
a specified and authorized manner.
• Challenges that could endanger integrity include turning a machine
into a “zombie computer” and embedding malware into web pages.
• Standard measures to guarantee integrity include:
• Cryptographic checksums
• Using file permissions
• Uninterrupted power supplies
• Data backups
8. Availability
• Availability is making sure that authorized parties are able to access
the information when needed.
• Data only has value if the right people can access it at the right time.
• Information unavailability can occur due to security incidents such as
DDoS attacks, hardware failures, programming errors, and human errors.
• Standard measures to guarantee availability include:
• Backing up data to external drives
• Implementing firewalls
• Having backup power supplies
• Data redundancy
13. Classification of Security Hackers
Black Hat Hackers’ objective:
• To steal valuable information from another user
• To steal money through transactions and accounts
• To get access to free music and videos
• Downloading free hacking software which is considered an
illegal activity
• To steal valuable information from military/navy organizations
• To access restricted networking spaces
White Hat Hackers’ objective:
• To improve the security framework in a system
• Developing high security programming language like Linux
• Developing most of the security software for organizations
• Checking and updating security software
• Developing programs like pop up blocker, firewall and ad
blocker
14. Vulnerability Scanner
A vulnerability scanner can assess a variety of vulnerabilities across
information systems like computers, network systems, operating systems,
and software applications, that may be:
1. Vendor-originated: this includes software bugs, missing operating system patches,
vulnerable services, insecure default configurations, and web application
vulnerabilities.
2. System administration-originated: this includes incorrect or unauthorised system
configuration changes, lack of password protection policies, and so on.
3. User-originated: this includes sharing directories with unauthorised parties, failure
to run virus scanning software, and malicious activities, such as deliberately
introducing system backdoors.
15. Benefits of Vulnerability Scanners
• Early detection and handling of known security problems
• Identify security vulnerabilities that may be present in the network, from both
the internal and external perspective.
• Identification of new devices or even new systems that may be
connected to the network without authorisation.
• The scanner can help identify rogue machines, which might endanger overall
system and network security.
• Verify the inventory of all devices on the network.
• Inventory includes the device type, operating system version and patch level,
hardware configurations and other relevant system information. This
information is useful in security management and tracking.
16. Limitations of Vulnerability Scanners
• Snapshot only: a vulnerability scanner can only assess a "snapshot of
time" in terms of a system or network's security status.
• Scanning needs to be conducted regularly, as new vulnerabilities can emerge, or
system configuration changes can introduce new security holes.
• Human judgement is needed: Vulnerability scanners can only report
vulnerabilities according to the plug-ins installed in the scan database.
• They cannot determine whether the response is a false negative or a false
positive. Human judgement is always needed in analysing the data after the
scanning process.
• Others: a vulnerability scanner is designed to discover known
vulnerabilities only.
• It cannot identify other security threats, such as those related to physical,
operational or procedural issues.
17. Architecture of Vulnerability Scanners
• Scan Engine executes security checks
according to its installed plug-ins,
identifying system information and
vulnerabilities.
• It can scan more than one host at a time and
compares the results against known
vulnerabilities.
• Scan Database stores vulnerability
information, scan results, and other data
used by the scanner.
• The number of available plug-ins and their update
frequency vary depending on the
vendor. Scanners with an "auto-update" feature
• Each plug-in might contain not only the test
case itself, but also a vulnerability description, a
Common Vulnerabilities and Exposures (CVE)
identifier; and even fixing instructions for a
detected vulnerability.
18. Architecture of Vulnerability Scanners
(Contd..)
• Report Module provides different levels of reports on the scan results, such as:
• Detailed technical reports with suggested remedies for system
administrators,
• Summary reports for security managers,
• High-level graph and trend reports for executives.
• User Interface allows the administrator to operate the scanner.
• It may be either a Graphical User Interface (GUI), or just a command line interface.
For enterprise networks: use Distributed Network Scanners, which have a more
complex architecture and are capable of assessing vulnerabilities across multiple or
geographically dispersed networks. They are composed of:
• Remote scanning agents,
• A plug-in update mechanism for those agents,
• A centralised management point.
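As an added example (not code from the slides or from any scanner vendor), the architecture described above can be sketched in Python: a scan database that holds the installed plug-ins and the stored results, a scan engine that runs every plug-in against every host, and a report module that produces the technical view for administrators and the summary view for managers. Each plug-in carries its test, a description, an identifier and a suggested fix, as the slides describe. The host inventory, the policy baselines (MIN_OPENSSH, REQUIRED_PATCH_LEVEL) and the CVE-PLACEHOLDER identifiers are all constructed for this example and are not real data.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    plugin: str
    severity: str      # "high" | "medium" | "low"
    description: str
    cve: str           # placeholder identifier in this example, not a real CVE entry
    remedy: str


@dataclass
class ScanDatabase:
    """Scan database: installed plug-ins plus the results of the last scan."""
    plugins: dict = field(default_factory=dict)
    results: list = field(default_factory=list)

    def plugin(self, name):
        """Decorator that installs a check function under the given plug-in name."""
        def register(fn):
            self.plugins[name] = fn
            return fn
        return register


db = ScanDatabase()

# Constructed policy baselines the plug-ins compare against (assumptions, not vendor data).
MIN_OPENSSH = (8, 0)
REQUIRED_PATCH_LEVEL = 5


@db.plugin("cleartext-telnet")
def check_telnet(host, info):
    """Test case: a telnet listener means credentials cross the wire unencrypted."""
    if 23 in info.get("open_ports", []):
        return Finding(host, "cleartext-telnet", "high",
                       "Telnet (TCP/23) is listening; logins are sent in cleartext",
                       "CVE-PLACEHOLDER-0001", "Disable the telnet service and use SSH instead")
    return None


@db.plugin("outdated-openssh")
def check_openssh(host, info):
    """Test case: parse the SSH banner and compare the version against the baseline."""
    banner = info.get("banners", {}).get(22, "")
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if m and (int(m.group(1)), int(m.group(2))) < MIN_OPENSSH:
        return Finding(host, "outdated-openssh", "medium",
                       f"OpenSSH {m.group(1)}.{m.group(2)} is below baseline "
                       f"{MIN_OPENSSH[0]}.{MIN_OPENSSH[1]}",
                       "CVE-PLACEHOLDER-0002", "Upgrade the OpenSSH package")
    return None


@db.plugin("missing-patches")
def check_patch_level(host, info):
    """Test case: the host's recorded patch level is behind the required level."""
    level = info.get("patch_level", 0)
    if level < REQUIRED_PATCH_LEVEL:
        return Finding(host, "missing-patches", "medium",
                       f"patch level {level} is below required level {REQUIRED_PATCH_LEVEL}",
                       "CVE-PLACEHOLDER-0003", "Apply the pending operating-system patches")
    return None


def scan_engine(hosts):
    """Scan engine: run every installed plug-in against every host; store findings in the database."""
    db.results.clear()
    for host, info in hosts.items():
        for check in db.plugins.values():
            finding = check(host, info)
            if finding:
                db.results.append(finding)
    return list(db.results)


def technical_report(findings):
    """Report module, detailed level: one line per finding with the suggested remedy."""
    return [f"{f.host} [{f.severity}] {f.plugin}: {f.description} ({f.cve}). Fix: {f.remedy}"
            for f in findings]


def summary_report(findings):
    """Report module, summary level: number of findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed inventory standing in for data the scan engine gathered from two hosts.
SAMPLE_HOSTS = {
    "10.0.0.5": {"open_ports": [22, 23, 80], "banners": {22: "SSH-2.0-OpenSSH_7.4"}, "patch_level": 3},
    "10.0.0.9": {"open_ports": [22, 443], "banners": {22: "SSH-2.0-OpenSSH_9.3"}, "patch_level": 7},
}

if __name__ == "__main__":
    found = scan_engine(SAMPLE_HOSTS)
    print("\n".join(technical_report(found)))
    print(summary_report(found))
```

Adding a vendor plug-in update would mean registering more check functions in the database; a real product ships them as versioned plug-in files, but the engine/database/report separation is the same.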
19. Types of Vulnerability Scanner
• NETWORK-BASED SCANNERS
• Usually installed on a single machine that scans a number of other hosts on
the network.
• It helps detect critical vulnerabilities such as mis-configured firewalls,
vulnerable web servers, risks associated with vendor-supplied software, and
risks associated with network and systems administration.
• Different types of network-based scanners include:
1. Port Scanners that determine the list of open network ports in remote systems;
2. Web Server Scanners that assess the possible vulnerabilities (e.g. potentially dangerous
files) in remote web servers;
3. Web Application Scanners that assess the security aspects of web applications (such as
cross site scripting and SQL injection) running on web servers.
Cross-site Scripting (XSS) is a client-side code injection attack. The actual attack occurs when the victim visits the
web page or web application that executes the malicious code.
SQL injection is a code injection technique that might destroy your database and is one of the most common web
hacking techniques.
20. Types of Vulnerability Scanner (Contd..)
• HOST-BASED SCANNERS
• Scanner is installed on the host to be scanned,
• Has direct access to low-level data, such as specific services and configuration
details of the host's operating system.
• Provide insight into risky user activities such as using easily guessed passwords or
even no password.
• Detect signs that an attacker has already compromised a system, including
looking for suspicious file names, unexpected new system files or device files, and
unexpected privileged programs.
• Perform baseline (or file system) checks not done by Network-based scanners as
they do not have direct access to the file system on the target host.
• Database scanner is an example of a host-based vulnerability scanner.
• It performs detailed security analysis of the authorisation, authentication, and integrity of
database systems, and can identify any potential security exposures in database systems,
ranging from weak passwords and security mis-configurations to Trojan horses.
21. Open Port Service Identification: Introduction
• A port scanner is an application designed to probe a server or host for
open ports.
• Such an application may be used by administrators to verify security policies
of their networks and by attackers to identify network services running on a
host and exploit vulnerabilities.
• A port scan is a process that sends client requests to a range of server
port addresses on a host, with the goal of finding an active port.
• Basically, port scans are not attacks, but rather simple probes to determine
the services available on a remote machine.
• Portsweep is to scan multiple hosts for a specific listening port.
• For example, an SQL-based computer worm may portsweep looking for hosts
listening on TCP port 1433.
22. Categories
Result of a scan on a port is usually generalized into one of three categories:
• Open or Accepted: The host sent a reply indicating that a service is listening
on the port.
• Closed or Denied or Not Listening: The host sent a reply indicating that
connections will be denied to the port.
• Filtered, Dropped or Blocked: There was no reply from the host.
• Two vulnerabilities of which administrators must be cautioned:
• Security and stability concerns associated with the program responsible for
delivering the service (open ports).
• Security and stability concerns associated with the operating system that is running
on the host (open or closed ports).
• Filtered ports do not present any vulnerabilities.
23. Types
• TCP scanning
• Uses the operating system's network functions and is generally the next option
when a SYN scan is not feasible.
• If a port is open,
• the operating system completes the TCP three-way handshake,
• and the scanner immediately closes the connection to avoid performing a Denial-of-Service attack.
• Otherwise an error code is returned.
• Advantage of the mode
• No special privileges are required for the user.
• Disadvantage of the mode
• Since this mode prevents low-level control, this scan type is less common.
• The method is "noisy", particularly if it is a "portsweep".
• The services can log the sender IP address, and intrusion detection systems can raise an alarm.
24. Types (Contd..)
• SYN scanning
• Another form of TCP scanning.
• Port scanner generates raw IP packets itself, and monitors for responses instead of
running OS based network functions.
• Also known as "half-open scanning", because it never actually opens a full TCP
connection.
• The port scanner generates a SYN packet.
• If the target port is open, it will respond with a SYN-ACK packet.
• The scanner host responds with an RST packet, closing the connection before the
handshake is completed.
• If the port is closed but unfiltered, the target will instantly respond with an RST
packet.
• Advantages:
• The scanner has full control of the packets sent and the timeout for responses,
allowing detailed reporting of the responses.
25. Types (Contd..)
• UDP scanning
• There are technical challenges as UDP is a connectionless protocol, hence there is no
equivalent to a TCP SYN packet.
• If a UDP packet is sent to a port that is not open,
• System will respond with an ICMP port unreachable message.
• Hence, use the absence of a response to infer that a port is open.
• However, if a port is blocked by a firewall, this method will falsely report that the port is
open.
• If the port unreachable message is blocked, all ports will appear open.
• Method is also affected by ICMP rate limiting.
• Other, rarely used, scanning methods are:
• ACK scanning
• Window scanning
• FIN scanning
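The three result categories (open, closed, filtered) and the TCP connect and UDP probes described in the slides above can be shown in a few lines of Python, as an added example that is not code from the slides or from nmap. The TCP probe lets the operating system complete the three-way handshake and closes the connection straight away; the UDP probe relies on Linux reporting an ICMP port unreachable on a connected UDP socket as ConnectionRefusedError, and reports silence as "open|filtered" because, exactly as the slides warn, a dropped probe and an open-but-quiet port look the same. SYN scanning needs raw sockets and privileges and is not shown. The listener helpers at the bottom are constructed test fixtures on the loopback interface.

```python
import socket


def tcp_connect_probe(host, port, timeout=1.0):
    """TCP connect() scan of one port: the kernel performs the full SYN / SYN-ACK / ACK
    handshake; the probe closes the connection immediately afterwards.
    Returns "open", "closed" or "filtered"."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                  # a service accepted the connection
    except ConnectionRefusedError:
        return "closed"                # host answered with RST: nothing listening
    except OSError:                    # timeout or ICMP unreachable: no usable reply
        return "filtered"
    finally:
        s.close()                      # close right away; only the state was wanted


def udp_probe(host, port, timeout=1.0):
    """UDP probe of one port. A closed port normally triggers an ICMP port unreachable,
    which Linux surfaces on a connected UDP socket as ConnectionRefusedError. No reply
    at all means open or filtered; the probe alone cannot tell them apart."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")                # one-byte datagram; most services ignore it
        s.recv(1024)
        return "open"                  # a service actually replied
    except ConnectionRefusedError:
        return "closed"                # ICMP port unreachable came back
    except socket.timeout:
        return "open|filtered"         # silence: ambiguous, as the slides describe
    except OSError:
        return "filtered"              # e.g. network unreachable
    finally:
        s.close()


def portsweep(hosts, port, timeout=1.0):
    """Portsweep: the same port across many hosts (the slides' TCP/1433 example)."""
    return {h: tcp_connect_probe(h, port, timeout) for h in hosts}


# --- constructed fixtures so the probes can be exercised offline on 127.0.0.1 ---

def start_local_listener(kind="tcp"):
    """Open a TCP or UDP listener on an ephemeral loopback port. Returns (socket, port)."""
    if kind == "tcp":
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(5)
    else:
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))
    return srv, srv.getsockname()[1]


def free_port():
    """A loopback TCP port that is (almost certainly) not listening right now."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = start_local_listener("tcp")
    print("listening port:", tcp_connect_probe("127.0.0.1", port))
    srv.close()
    print("unused port:", tcp_connect_probe("127.0.0.1", free_port()))
    usrv, uport = start_local_listener("udp")
    print("silent UDP port:", udp_probe("127.0.0.1", uport, 0.5))
    usrv.close()
```

The "open" result for TCP does not depend on the listener ever calling accept(): the kernel completes the handshake from the backlog, which is why a connect scan shows up in the service's logs even when the scanner sends no data.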
26. Examples
• For example, a scanner using the nmap application could connect to:
• port 1 - to see if tcpmux is running.
• Specification describes a multiplexing service that may be accessed with a network
protocol to contact any one of a number of available TCP services of a host on a single,
well-known port number
• port 7 - to see if echo is running.
• Display of data
• port 22 - to see if openssh is available.
• OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for
remotely controlling, or transferring files between, computers.
• port 25 - to see if smtp is available.
• Set of communication guidelines that allow software to transmit an electronic mail over
the internet i
27. Version Check
• Footprinting is the technique of collecting as much information as possible
about the targeted network/victim/system.
• It helps hackers in various ways to intrude on an organization's system.
• Use nmap to discover the web server version and operating system version,
check that the servers' ports are operating properly, and ping
network segments.
• Some nmap options for version check include:
• -sV (Version detection)
• --allports (Don't exclude any ports from version detection)
• --version-intensity <intensity> (Set version scan intensity)
• --version-all (Try every single probe)
• --version-trace (Trace version scan activity)
28. TRAFFIC PROBE
• High-Speed Traffic Processing
• LAN and MAN have evolved to support speeds from 1 Mb/s to 100 Gb/s.
• The total amount of data created or replicated on the planet in 2010 was over
1 zettabyte (143 GB for each of the 7 billion people on the planet).
• This volume of information requires high-speed links between server farms,
cloud storage, and end users to make sure that it can be processed in a timely
and reliable fashion.
• It will not be possible to analyse such huge traffic volumes in the coming 100
GbE network installations with the current generation of network
measurement tools
• FPGA cards (Intel 82599, Myri-10G Lanai Z8ES) are still used in applications
which perform in-depth analysis, pattern matching, and low-latency operations
in 40/100 Gb/s networks.
29. TRAFFIC PROBE (Contd..)
• Network Traffic Measurement
• Full packet traces.
• Flow statistics provide information from Internet Protocol (IP).
• Volume statistics are provided by most network appliances for network
management.
• Network Intrusion Detection
• Signature-based approach inspects the evaluated content.
• Anomaly-based detection.
• Stateful protocol analysis.
30. Vulnerability Probe: HTML injection check
• Some security bugs can’t be identified without sending a payload that
exploits a suspected vulnerability.
• Vulnerability probe for a web application: imagine a web app that has
a search box for users to find text within its pages.
HTML EXAMPLE :-
• <div id="search"><span class="results">Results for '<xss>'...</span></div>
Example of a Cross Site Scripting (XSS) probe payload, to be used with caution:
<script>alert(1)</script>
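The probe step for the search box above, as an added example that is not code from the slides: a harmless marker (the slides' own '<xss>' placeholder, plus a variant with a quote, since the reflection sits inside single quotes) is sent as the search term and the response is checked for the marker coming back as live markup. Both render functions are constructed stand-ins for the web application: the vulnerable one pastes the query into the page verbatim, the fixed one HTML-escapes it first, which is the remediation a scanner report would suggest.

```python
import html

# Page fragment from the slide, with the search term substituted at '{}'.
TEMPLATE = '<div id="search"><span class="results">Results for \'{}\'...</span></div>'

# Harmless markers: neither executes anything, but both reveal whether input is escaped.
PROBES = ("<xss>", "'<xss>")


def render_vulnerable(query):
    """Constructed vulnerable handler: untrusted input goes into the HTML unchanged."""
    return TEMPLATE.format(query)


def render_fixed(query):
    """Hardened handler: escape <, >, &, " and ' before the input reaches the page."""
    return TEMPLATE.format(html.escape(query, quote=True))


def reflects_unescaped(render):
    """The vulnerability probe: send each marker, return those reflected as raw markup.
    A non-empty list means an HTML injection (XSS) exposure in that handler."""
    return [probe for probe in PROBES if probe in render(probe)]


def verdict(render):
    hits = reflects_unescaped(render)
    return f"VULNERABLE: reflected unescaped {hits}" if hits else "input is escaped"


if __name__ == "__main__":
    print("vulnerable handler ->", verdict(render_vulnerable))
    print("fixed handler      ->", verdict(render_fixed))
```

Escaping the quote characters matters as much as the angle brackets here: the value is reflected inside single quotes, so without quote=True a term containing ' could still break out of the attribute context even though < and > are neutralised.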
31. Vulnerability Probe: Buffer Overflow
• A buffer overflow occurs when a program or process attempts to
write more data to a fixed length block of memory (a buffer), than
the buffer is allocated to hold.
• By sending carefully crafted input to an application, an
attacker can cause the application to execute arbitrary code, possibly
taking over the machine
32. Vulnerability Probe: Buffer Overflow
• Minimalist vulnerable program (the missing length check is the point of the example):
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[512];               /* fixed-size buffer on the stack */
    if (argc > 1)
        strcpy(buffer, argv[1]);    /* no bounds check: an argument longer than 511 bytes overflows the buffer */
    return 0;
}
• Compile the program with the following command :
• $ gcc -o vulnerable main.c