Introduction
Information Security Overview
Essential Terminology:
• Hack Value: Hack value is the notion among hackers used to evaluate whether something is worth doing or is interesting. Hackers derive great satisfaction from breaking down the toughest network security and consider it their accomplishment, as it is something that not everyone can do.
• Vulnerability: A vulnerability is the existence of a weakness, design flaw, or implementation error that, when exploited, leads to an unexpected and undesirable event compromising the security of the system. Simply put, a vulnerability is a security loophole that allows an attacker to enter the system by bypassing various user authentications.
• Exploit: An exploit is a breach of IT system security through vulnerabilities in the context of an attack on a system or network. It also refers to malicious software or commands that can cause unanticipated behavior of legitimate software or hardware through attackers taking advantage of the vulnerabilities.
• Payload: The payload is the part of malware or exploit code that performs the intended malicious actions, which can include creating backdoor access to a victim's machine, damaging or deleting files, committing data theft, and hijacking the computer. Hackers use various methods to execute the payload. For example, they can activate a logic bomb, execute an infected program, or use an unprotected computer connected to a network.
• Zero-Day Attack: In a Zero-Day attack the attacker exploits vulnerabilities in a computer application before the software developer can release a patch for them.
• Daisy Chaining: It involves gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information.
• Doxing: Doxing refers to gathering and publishing personally identifiable information such as an individual's name and email address or other sensitive information pertaining to an entire organization. People with malicious intent collect this information from publicly accessible channels such as the databases, social media and the Internet.
• Bot: A "bot" (a contraction of "robot") is a software application or program that can be controlled remotely to execute or automate predefined tasks. Hackers use bots as agents that carry out malicious activity over the Internet. Attackers use infected machines to launch distributed denial-of-service (DDoS) attacks, keylogging, spying, etc.
Elements of Information Security:
Information security is "the state of the well-being of information and infrastructure in which the possibility of theft, tampering, or disruption of information and services is kept low or tolerable."
It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.
• Confidentiality: Confidentiality is the assurance that the information is accessible only to authorized users. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs).
• Integrity: Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes, i.e. the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data has not changed) and access control (which ensures that only authorized people can update, add, or delete data).
• Availability: Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial-of-service (DDoS) prevention systems.
• Authenticity: Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents.
• Non-Repudiation: Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.
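The integrity bullet above mentions a checksum as an integrity measure. The following added example (not part of the original notes) shows the limit of an unkeyed checksum and the difference a keyed tag makes: a plain SHA-256 checksum catches accidental corruption, but a tamperer who can edit the data can also recompute the checksum, whereas an HMAC computed with a secret key cannot be recomputed without that key. The record, the key and the function names are constructed for the demonstration and are assumptions, not values from the notes.

```python
import hashlib
import hmac

# Constructed sample record (not from the notes); think of it as a stored row
# whose integrity we want to protect.
RECORD = b"account=1234;balance=500.00"


def checksum(data: bytes) -> str:
    """Unkeyed checksum: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    # compare_digest avoids timing differences between matching and non-matching values
    return hmac.compare_digest(checksum(data), expected)


def verify_keyed_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), expected)


def demo() -> dict:
    """Run the four checks that make the point and return their outcomes."""
    key = b"shared-secret-assumed-for-demo"   # assumed key, known only to the verifier
    stored_sum = checksum(RECORD)
    stored_tag = keyed_tag(key, RECORD)

    # Accidental corruption: a single flipped bit in the first byte.
    corrupted = bytearray(RECORD)
    corrupted[0] ^= 0x01
    corrupted = bytes(corrupted)

    # Deliberate modification where the tamperer also recomputes the checksum.
    tampered = RECORD.replace(b"500.00", b"999.99")
    recomputed_sum = checksum(tampered)

    return {
        # The stored checksum no longer matches the corrupted bytes.
        "checksum_detects_corruption": not verify_checksum(corrupted, stored_sum),
        # The recomputed checksum matches the tampered data, so the check passes: no detection.
        "checksum_detects_tamper_with_recomputed_sum": not verify_checksum(tampered, recomputed_sum),
        # The stored HMAC was computed over the original data; the tamperer has no key to redo it.
        "hmac_detects_tamper": not verify_keyed_tag(key, tampered, stored_tag),
        # The unmodified record still verifies against the stored tag.
        "hmac_accepts_original": verify_keyed_tag(key, RECORD, stored_tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical takeaway is that a checksum stored next to the data it protects only defends against accidents; to defend against an adversary, the tag must depend on something the adversary lacks (a key, as here, or a signing key for non-repudiation as in the last bullet).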
Information Security Threats & Attack Vectors
Motives, Goals, and Objectives of Information Security Attacks
Attackers generally have motives (goals) and objectives behind their information security attacks. A motive originates out of the notion that a target system stores or processes something valuable, which leads to the threat of an attack on the system. The purpose of the attack may be to disrupt the target organization's business operations, to steal valuable information for the sake of curiosity, or even to exact revenge. Therefore, these motives or goals depend on the attacker's state of mind, their reason for carrying out such an activity, and their resources and capabilities. Once the attacker determines their goal, they can employ various tools, attack techniques, and methods to exploit vulnerabilities in a computer system or in security policy and controls.
Information Warfare
The term information warfare or Info War refers to the use of information and communication technologies (ICT) for competitive advantages over an opponent.
Examples of information warfare weapons include viruses, worms, Trojan horses, logic bombs, trap doors, nanomachines and microbes, electronic jamming, and penetration exploits...
Each form of information warfare consists of both defensive and offensive strategies.
• Defensive Information Warfare: Involves all strategies and actions to defend against attacks on ICT assets.
• Offensive Information Warfare: Involves attacks against the ICT assets of an opponent.
Hacking Concepts
What is Hacking?
Hacking in the field of computer security refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources.
It involves modifying system or application features to achieve a goal outside the creator's original purpose.
Hacking can be done to steal, pilfer, or redistribute intellectual property, thus leading to business loss.
Hacking on computer networks is generally done using scripts or other network programming. Network hacking techniques include creating viruses and worms, performing denial-of-service (DoS) attacks, establishing unauthorized remote access connections to a device using trojans or backdoors, creating botnets, packet sniffing, phishing, and password cracking.
Who is a Hacker?
Anyone can be a hacker, either an expert or a newbie doing it just for fun. That's why we have hacker classes.
Hacker Classes
Hackers usually fall into one of the following categories, according to their activities:
• Black Hats: Black hats are individuals who use their extraordinary computing skills for illegal or malicious purposes. This category of hacker is often involved in criminal activities. They are also known as crackers.
• White Hats: White hats or penetration testers are individuals who use their hacking skills for defensive purposes. These days, almost every organization has security analysts who are knowledgeable about hacking countermeasures, which can secure its network and information systems against malicious attacks. They have permission from the system owner.
• Gray Hats: Gray hats are the individuals who work both offensively and defensively at various times. Gray hats might help hackers to find various vulnerabilities in a system or network and, at the same time, help vendors to improve products (software or hardware) by checking limitations and making them more secure.
• Suicide Hackers: Suicide hackers are individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment. Suicide hackers are similar to suicide bombers who sacrifice their life for an attack and are thus not concerned with the consequences of their actions.
• Script Kiddies: Script kiddies are unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers. They usually focus on the quantity rather than the quality of the attacks that they initiate.
• Cyber Terrorists: Cyber terrorists are individuals with a wide range of skills, motivated by religious or political beliefs, who aim to create fear through large-scale disruption of computer networks.
• State-Sponsored Hackers: State-sponsored hackers are individuals employed by the government to penetrate, gain top-secret information from, and damage the information systems of other governments.
• Hacktivist: Hacktivism is when hackers break into government or corporate computer systems as an act of protest. Hacktivists use hacking to increase awareness of their social or political agendas, as well as to boost their own reputations in both the online and offline arenas. They are individuals who use hacking to promote a political agenda, especially by defacing or disabling websites.
Hacking Phases
In general, there are five phases of hacking:
• Reconnaissance
• Scanning
• Gaining Access
• Maintaining Access
• Clearing Tracks
Reconnaissance
Reconnaissance refers to the preparatory phase in which an attacker gathers as much information as possible about the target prior to launching the attack.
Information noted here can serve as a future point of return, since the more that is known about the target on a broad scale, the easier the entry will be when the attack is launched.
The reconnaissance target range may include the target organization's clients, employees, operations, network, and systems.
Reconnaissance can be passive or active. Passive reconnaissance means gathering information about the target without directly interacting with it. Active reconnaissance means directly interacting with the target (for example, calling the helpdesk of the target firm).
Scanning
Scanning is the pre-attack phase in which the attacker scans the network for specific information on the basis of the information gathered during reconnaissance.
Scanning can include the use of dialers, port scanners, network mappers, ping tools, etc.
Attackers extract information such as live machines, port status, OS details, device type, and system uptime to launch the attack.
Gaining Access
This is the phase in which real hacking occurs. Attackers use vulnerabilities identified during the reconnaissance and scanning phases to gain access to the target system and network.
The attacker can now try to escalate privileges to obtain complete control over the system.
Maintaining Access
Attackers may prevent the system from being owned by other attackers by securing their access with backdoors, rootkits, or trojans.
Clearing Tracks
Attackers use tools such as PsTools, Netcat, or trojans to erase their footprints from the system's log files.
Ethical Hacking Concepts
What is Ethical Hacking?
Ethical hacking is the practice of employing computer and network skills to assist organizations in testing their network security for possible loopholes and vulnerabilities.
Scope and Limitations
An ethical hacker should know the penalties of unauthorized hacking into a system. No ethical hacking activities associated with a network-penetration test or security audit should begin before receiving a signed legal document giving the ethical hacker express permission to perform the hacking activities from the target organization. Ethical hackers must be judicious with their hacking skills and recognize the consequences of misusing those skills.
The ethical hacker must follow certain rules to fulfill their ethical and moral obligations. They must do the following:
• Gain authorization from the client and have a signed contract giving the tester permission to perform the test.
• Maintain confidentiality when performing the test and follow a Nondisclosure Agreement (NDA) with the client for the confidential information disclosed during the test. The information gathered might contain sensitive information, and the ethical hacker must not disclose any information about the test or the confidential company data to a third party.
• Perform the test up to but not beyond the agreed-upon limits. For example, ethical hackers should perform DoS attacks only if they have previously agreed upon this with the client. Loss of revenue, goodwill, and worse consequences could befall an organization whose servers or applications are unavailable to customers because of the testing.
Information Security Control
Information Assurance (IA)
IA refers to the assurance of the integrity, availability, confidentiality, and authenticity of information and information systems during the usage, processing, storage, and transmission of information.
Defense-in-Depth
Defense-in-depth is a security strategy in which security professionals use several protection layers throughout an information system. This strategy uses the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense-in-depth helps to prevent direct attacks against an information system and its data because a break in one layer only leads the attacker to the next layer. If a hacker gains access to a system, defense-in-depth minimizes any adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent a recurrence of the intrusion.
Information Security Policies
• Security policies are the foundation of security infrastructure
• Information security policy defines the basic security requirements and rules to be implemented in order to protect and secure an organization's information systems
Goals of Security Policies
Maintain an outline for the management and administration of network security
Protect an organization's computing resources
Eliminate legal liabilities arising from employees or third parties
Prevent waste of the company's computing resources
Prevent unauthorized modifications of data
Reduce risks caused by illegal use of system resources
Differentiate the users' access rights
Protect confidential, proprietary information from theft, misuse, and unauthorized disclosure
Physical Security
• Physical security is the first layer of protection in any organization
• It involves the protection of organizational assets from environmental and man-made threats
What is Risk?
Risk refers to the degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or its resources, under specified conditions.
Alternatively, risk can also be:
• The probability of the occurrence of a threat or an event that will damage, cause loss to, or have other negative impacts on the organization, either from internal or external liabilities.
• The possibility of a threat acting upon an internal or external vulnerability and causing harm to a resource.
• The product of the likelihood that an event will occur and the impact that the event might have on an information technology asset.
Risk Level
Risk level is an assessment of the resulting impact on the network. Various methods exist to differentiate risk levels depending on the risk frequency and severity. One common method used to classify risks is to develop a two-dimensional matrix.
Risk Matrix
The risk matrix scales the risk occurrence or likelihood probability, along with its consequences or impact. It is the graphical representation of risk severity and the extent to which the controls can or will mitigate it.
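The definition of risk as likelihood × impact and the two-dimensional risk matrix described above can be made concrete. The following added example (not from the original notes) scores a list of risks on a 5×5 scale, maps each score to a level, and renders the matrix; the likelihood and impact scales, the level thresholds, the `assess_risks` function name and the sample risks are all assumptions chosen for the demonstration, not values the notes prescribe.

```python
# Ordinal scales, assumed for this example (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Score thresholds for the level bands, also assumed; organizations tune these.
LEVEL_BANDS = [(15, "critical"), (8, "high"), (4, "medium"), (1, "low")]


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = likelihood x impact, as in the notes' third definition."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Map a numeric score onto a qualitative level using the bands above."""
    for floor, level in LEVEL_BANDS:
        if score >= floor:
            return level
    raise ValueError(f"score {score} is outside the 1..25 range")


def build_matrix() -> dict:
    """The full two-dimensional matrix: matrix[likelihood][impact] -> level."""
    return {
        lk: {im: risk_level(risk_score(lk, im)) for im in IMPACT}
        for lk in LIKELIHOOD
    }


def assess_risks(risks: list) -> list:
    """Score each (name, likelihood, impact) triple and order by score, highest first."""
    assessed = [
        {"name": name, "score": risk_score(lk, im), "level": risk_level(risk_score(lk, im))}
        for name, lk, im in risks
    ]
    return sorted(assessed, key=lambda r: r["score"], reverse=True)


def render_matrix() -> str:
    """Plain-text rendering of the matrix, rows = likelihood, columns = impact."""
    matrix = build_matrix()
    header = "likelihood \\ impact".ljust(20) + "".join(im.ljust(12) for im in IMPACT)
    rows = [header]
    for lk in LIKELIHOOD:
        rows.append(lk.ljust(20) + "".join(matrix[lk][im].ljust(12) for im in IMPACT))
    return "\n".join(rows)


# Constructed sample register, not a real organization's risks.
SAMPLE_RISKS = [
    ("unpatched internet-facing web server", "likely", "major"),
    ("lost unencrypted USB drive", "possible", "moderate"),
    ("datacenter flood", "rare", "severe"),
    ("printer out of toner", "almost certain", "negligible"),
]

if __name__ == "__main__":
    print(render_matrix())
    for r in assess_risks(SAMPLE_RISKS):
        print(f"{r['score']:>2} {r['level']:<8} {r['name']}")
```

Ordering the register by score is what turns the matrix into a prioritization tool: the treatment and review phases of risk management (described below in the notes) then start from the top of that list.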
Risk Management
Risk management is the process of identifying, assessing, responding to, and implementing the activities that control how the organization manages the potential effects of risk.
The four key steps, commonly termed the risk management phases, are:
• Risk Identification
• Risk Assessment
• Risk Treatment
• Risk Tracking and Review
Incident Management
Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore the system to normal service operations as soon as possible, and prevent recurrence of the incident.
SIEM & SOAR
Security Information and Event Management (SIEM) is software that aggregates and analyzes information from several different sources across the entire infrastructure. So, instead of going through every security appliance's console, you get one centralized solution to find the alerts and react accordingly. This solution not only centralizes the information but also performs a deep analysis of the information to find hidden patterns and see if your company is under attack.
Security Orchestration, Automation, and Response (SOAR) will help you with threat and vulnerability management, security incident response, and security operations automation by bringing order to the alerts your SIEM creates. It will give you more insight into what steps come next and what actions need immediate attention.
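The SIEM paragraph above describes aggregating events from several sources and analysing them together to find patterns that no single console shows. The following added example (not part of the original notes) does a minimal version of that: it parses two constructed log sources (an SSH authentication log and a firewall log), normalizes them into one event stream, and raises an alert when an address that generated repeated failed logins then succeeds within a time window, attaching the firewall denies from the same address as supporting context. The log lines, addresses (from the documentation ranges), regexes, rule name and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
AUTH_LOGS = [
    "2024-01-10T09:00:01 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-10T09:00:03 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-10T09:00:05 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-10T09:00:09 sshd: Accepted password for admin from 203.0.113.7",
    "2024-01-10T09:05:00 sshd: Accepted password for alice from 198.51.100.2",
]
FW_LOGS = [
    "2024-01-10T08:59:50 fw: DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-01-10T08:59:55 fw: DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
]

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw: DENY src=(\S+) dst=\S+ dport=(\d+)$")


def parse_auth(line: str):
    """Authentication source -> normalized event, or None if the line does not match."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, outcome, user, ip = m.groups()
    return {"ts": datetime.fromisoformat(ts), "source": "auth", "ip": ip, "user": user,
            "event": "login_failed" if outcome == "Failed" else "login_ok"}


def parse_fw(line: str):
    """Firewall source -> normalized event, or None if the line does not match."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, ip, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "source": "firewall", "ip": ip,
            "event": "deny", "dport": int(dport)}


def normalize(auth_lines, fw_lines):
    """Aggregation step: one time-ordered stream with a common schema across sources."""
    events = [e for e in map(parse_auth, auth_lines) if e]
    events += [e for e in map(parse_fw, fw_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), min_failures=3):
    """Analysis step: for each successful login, look back `window` for the same address.

    Alert when at least `min_failures` failed logins preceded the success; count firewall
    denies in the same window as supporting evidence rather than as a trigger.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)          # events stay time-ordered within each address

    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e["event"] != "login_ok":
                continue
            start = e["ts"] - window
            prior = [p for p in evs[:i] if p["ts"] >= start]
            failures = sum(1 for p in prior if p["event"] == "login_failed")
            denies = sum(1 for p in prior if p["event"] == "deny")
            if failures >= min_failures:
                alerts.append({"rule": "brute-force-then-success", "ip": ip, "user": e["user"],
                               "at": e["ts"].isoformat(), "failed_logins": failures,
                               "firewall_denies": denies})
    return alerts


def run() -> list:
    return correlate(normalize(AUTH_LOGS, FW_LOGS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Neither source alone tells the story: the firewall only saw a couple of denies and the auth log alone shows a login that eventually succeeded. The correlation across sources is what a SIEM adds, and the resulting alert is the kind of item a SOAR playbook would then enrich and route.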
Data leakage
Data leakage refers to unauthorized access or disclosure of sensitive or confidential data. Data leakage may happen electronically through an email or malicious link or via some physical method such as device theft or hacker break-ins.
What is Data Loss Prevention (DLP)?
DLP is the identification and monitoring of sensitive data to ensure that end users do not send sensitive information outside the corporate network.
Penetration Testing
• Penetration testing is a method of evaluating the security of an information system or network by simulating an attack to find out vulnerabilities that an attacker could exploit
• Security measures are actively analyzed for design weaknesses, technical flaws, and vulnerabilities
• It not only points out vulnerabilities but also documents how the weaknesses can be exploited
• The results are delivered to executive management and technical audiences in a comprehensive report
Blue and Red Teaming
Blue Teaming
• An approach where a set of security responders performs an analysis of an information system to assess the adequacy and efficiency of its security controls
• The blue team has access to all organizational resources and information
• Their primary role is to detect and mitigate the red team's (attackers') activities, and to anticipate how surprise attacks might occur
Red Teaming
• An approach where a team of ethical hackers performs a penetration test on an information system with no or very limited access to the organization's internal resources
• The penetration test may be conducted with or without warning
• The goal is to detect network and system vulnerabilities and check security from an attacker's perspective of network, system, or information accessibility