Unit-1 CyberSecurity

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 22

Cybersecurity Risk

 Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and
reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other
organizations, and the Nation.

What is Risk? An organization’s risk profile fluctuates depending on internal and external environmental factors. It incorporates not just
the potential or probability of a negative event, but the impact that event may have on your infrastructure. And though risk can never be
100% eliminated—cybersecurity is a persistently moving target, after all—it can be managed to a level that satisfies your organization’s
tolerance for risk. No matter how you deal with it, the end goal remains the same—to keep your overall risk low, manageable and known. 

What is cybersecurity risk?


Cybersecurity risk is the probability of exposure, loss of critical assets and sensitive information, or reputational harm as a result of a cyber
attack or breach within an organization’s network. Across industries, cybersecurity must remain top of mind and organizations should work to
implement a cybersecurity risk management strategy to protect against constantly advancing and evolving cyber threats.

Who is responsible for cybersecurity risk in an organization?


Many organizations believe that the responsibility of cybersecurity risk management falls solely on the IT and security teams. In reality, an
effective cybersecurity strategy is reliant upon organization-wide awareness. It’s also important that businesses have an established incident
response plan that clearly outlines individual responsibilities, when these responsibilities should be carried out, and the specific steps that
each user or department should take in the event of an attack. This plan should act as a roadmap for the entire organization on how to
respond to threats. Having a thorough incident response plan in place is one of the most crucial steps to securing your network.

What are common cybersecurity risks?


Cybersecurity risks come in many forms, vary from one industry to the next, and are constantly evolving. However, there are a few key
considerations to keep in mind when putting together your organization’s cybersecurity risk management program.

Below, we outline the common security risks organizations face:

Third-party vendor risk


Third and fourth-party vendors allow organizations to outsource particular business operations, helping to cut down on cost and enhance
operational efficiency. These vendors often have insider access to an organization’s most sensitive data, including customers’ personal
identifying information (PII).

It’s important for organizations to maintain complete and continuous visibility of all entities within their entire network. Third-party risk
management enables organizations to take advantage of the benefits that vendors can provide without compromising on security.

Employees and contractors (insider threats)


As previously mentioned, insiders with access to the network, such as employees and contractors, play a big role in maintaining an
organization’s cybersecurity posture. For this reason, cybersecurity awareness and social engineering training is a necessity. Insiders should
be able to identify various risks and understand what should be done once they are discovered. When insiders have a complete
understanding of the various risks they should be aware of, then proactive steps can be taken to mitigate risk.

Organizations should implement a Zero Trust Security model, which is a security method that operates around the belief that access should
be administered based on each user or device’s specific job function. This helps to limit the number of opportunities for insiders to
negligently or maliciously take advantage of their access controls.
Lacking compliance measures
As data privacy increasingly becomes a concern for customers, more regulatory compliance standards such as PCI, HIPAA, and GDPR are
being put into place. While these regulations are an important point of consideration that should be followed, it’s important to understand
that maintaining compliance with these standards does not guarantee an organization is secured from attackers.

Traditional point-in-time assessments are no longer sufficient as organizations can drift in and out of compliance between audits. Instead,
an effective cybersecurity strategy should include the ability to continuously monitor your entire network ecosystem for non-compliance so
that your organization can shift to meet evolving industry requirements.

Improperly secured intellectual property and sensitive information


In today’s digital world, companies are gathering more customer information than ever. This sensitive data allows organizations to optimize
customer experiences and guide future decisions, but it also opens them up to a great deal of risk, especially if critical information or
intellectual property is not properly secured. Organizations should examine their industry’s regulations regarding data protection to ensure
that the proper security measures are accounted for.

Data Breach

A data breach is an incident where information is stolen or taken from a system without the knowledge or authorization of
the system’s owner. A small company or large organization may suffer a data breach. Stolen data may involve sensitive,
proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national
security.

The effects brought on by a data breach can come in the form of damage to the target company’s reputation due to a
perceived ‘betrayal of trust.’ Victims and their customers may also suffer financial losses should related records be part of
the information stolen.

Most data breaches are attributed to hacking or malware attacks. Other frequently observed breach methods include the
following:

 Insider leak: A trusted individual or person of authority with access privileges steals data.

 Payment card fraud: Payment card data is stolen using physical skimming devices.

 Loss or theft: Portable drives, laptops, office computers, files, and other physical properties are lost or stolen.

 Unintended disclosure: Through mistakes or negligence, sensitive data is exposed.

 Unknown: In a small of number of cases, the actual breach method is unknown or undisclosed

Phases of a Data Breach

 Research
The attacker, having picked a target, looks for weaknesses to exploit: employees, systems, or the network. This entails long
hours of research on the attacker’s part and may involve stalking employees’ social media profiles to find what sort of
infrastructure the company has.

 Attack

Having scoped a target’s weaknesses, the attacker makes initial contact either through a network-based or social attack.

In a network-based attack, the attacker exploits weaknesses in the target’s infrastructure to instigate a breach. These
weaknesses may include, but are not limited to SQL injection, vulnerability exploitation, and/or session hijacking.

In a social attack, the attacker uses social engineering tactics to infiltrate the target network. This may involve a maliciously
crafted email sent to an employee, tailor-made to catch that specific employee’s attention. The email can phish for
information, fooling the reader into supplying personal data to the sender, or come with a malware attachment set to execute
when downloaded.

 Exfiltrate

Once inside the network, the attacker is free to extract data from the company’s network. This data may be used for either
blackmail or cyberpropaganda. The information an attacker collects can also be used to execute more damaging attacks on
the target’s infrastructure.

How do Data Breaches happen?


The assumption is that a data breach is caused by an outside hacker, but that's not always true.

Reasons for how data breaches happen might sometimes be traced back to intentional attacks. However, it can just as easily result from a
simple oversight by individuals or flaws in a company’s infrastructure.

Here’s how a data breach can occur:

 An Accidental Insider. An example would be an employee using a co-worker's computer and reading files without having the proper
authorization permissions. The access is unintentional, and no information is shared. However, because it was viewed by an unauthorized
person, the data is considered breached.
 A Malicious Insider. This person purposely accesses and/or shares data with the intent of causing harm to an individual or company.
The malicious insider may have legitimate authorization to use the data, but the intent is to use the information in nefarious ways.
 Lost or Stolen Devices. An unencrypted and unlocked laptop or external hard drive — anything that contains sensitive information —
goes missing.
 Malicious Outside Criminals. These are hackers who use various attack vectors to gather information from a network or an individual.

Malicious Methods used to Breach Data


Since malicious data breaches result from cyberattacks, you should know what to watch for.

Here are some popular methods used by hackers

 Phishing

 Brute Force Attacks

 Malware

Phishing. These social engineering attacks are designed to fool you into causing a data breach. Phishing attackers pose as people or
organizations you trust to easily deceive you. Criminals of this nature try to coax you into handing over access to sensitive data or provide
the data itself.
Brute force attacks. In a more brash approach, hackers might enlist software tools to guess your passwords.
Brute force attacks
work through all the possibilities for your password until they guess correctly. These attacks take some time but have become rapid as
computer speeds continue to improve. Hackers even hijack other devices like yours via malware infections to speed up the process. If your
password is weak, it might only take a few seconds to crack it.

Malware. Your device’s operating system, software, hardware, or the network and servers you’re connected to can have security flaws.
These gaps in protection are sought out by criminals as the perfect place to shove malware into. Spyware specifically is ideal for stealing
private data while being completely undetected. You might not find this infection until it’s too late.

What is a Threat in Cybersecurity?


A cybersecurity threat is a malicious and deliberate attack by an individual or organization to gain unauthorized
access to another individual’s or organization’s network to damage, disrupt, or steal IT assets, computer networks,
intellectual property, or any other form of sensitive data.

Types of Cybersecurity Threats


While the types of cyber threats continue to grow, there are some of the most common and prevalent cyberthreats
that present-day organizations need to know about. The top 10 cyber security threats are as follows:

1) Malware

Malware attacks are the most common cyber security threats. Malware is defined as malicious software, including
spyware, ransomware, viruses, and worms, which gets installed into the system when the user clicks a dangerous
link or email. Once inside the system, malware can block access to critical components of the network, damage the
system, and gather confidential information, among others.

2) Phishing

Cybercriminals send malicious emails that seem to come from legitimate resources. The user is then tricked into
clicking the malicious link in the email, leading to malware installation or disclosure of sensitive information like
credit card details and login credentials

3) Spear Phishing

Spear phishing is a more sophisticated form of a phishing attack in which cybercriminals target only privileged users
such as system administrators and C-suite executives.

4) Man in the Middle Attack

Man in the Middle (MitM) attack occurs when cybercriminals place themselves between a two-party communication.
Once the attacker interprets the communication, they may filter and steal sensitive data and return different
responses to the user.

5) Denial of Service Attack

Denial of Service attacks aims at flooding systems, networks, or servers with massive traffic, thereby making the
system unable to fulfill legitimate requests. Attacks can also use several infected devices to launch an attack on the
target system. This is known as a Distributed Denial of Service (DDoS) attack.
The year 2019 saw a staggering 8.4 million DDS attacks.

6) SQL Injection

A Structured Query Language (SQL) injection attack occurs when cybercriminals attempt to access the database by
uploading malicious SQL scripts. Once successful, the malicious actor can view, change, or delete data stored in the
SQL database.
SQL injection accounts for nearly 65.1% of all web application attacks.

7) Zero-day Exploit

A zero-day attack occurs when software or hardware vulnerability is announced, and the cybercriminals exploit the
vulnerability before a patch or solution is implemented.
It is predicted that zero-day attacks will rise to one per day by 2021.

8) Advanced Persistent Threats (APT)

An advanced persistent threat occurs when a malicious actor gains unauthorized access to a system or network and
remains undetected for an extended time.
45% of organizations feel that they are likely to be the target of an APT.

9) Ransomware

Ransomware is a type of malware attack in which the attacker locks or encrypts the victim’s data and threatens to
publish or block access to data unless a ransom is paid. Learning more about ransomware threats  can help
companies prevent and cope with them better.
2021.

10) DNS Attack

A DNS attack is a cyber attack in which cybercriminals exploit vulnerabilities in the Domain Name System (DNS).
The attackers leverage the DNS vulnerabilities to divert site visitors to malicious pages (DNS Hijacking) and remove
data from compromised systems (DNS Tunneling).

Here are some of the common sources of cyber threats:

1) Nation States

Cyber attacks by a nation can inflict detrimental impact by disrupting communications, military activities, and
everyday life.

2) Criminal Groups

Criminal groups aim to infiltrate systems or networks for financial gain. These groups use phishing, spam, spyware,
and malware to conduct identity theft, online fraud, and system extortion.

3) Hackers

Hackers explore various cyber techniques to breach defenses and exploit vulnerabilities in a computer system or
network. They are motivated by personal gain, revenge, stalking, financial gain, and political activism. Hackers
develop new types of threats for the thrill of challenge or bragging rights in the hacker community.

4) Terrorist Groups

Terrorists conduct cyber attacks to destroy, infiltrate, or exploit critical infrastructure to threaten national security,
compromise military equipment, disrupt the economy, and cause mass casualties.

5) Hacktivists

Hacktivists carry out cyberattacks in support of political causes rather than for financial gain. They target industries,
organizations, or individuals who don’t align with their political ideas and agenda.
6) Malicious Insiders

97% of surveyed IT leaders expressed concerns about insider threats in cyber security . Insiders can include
employees, third-party vendors, contractors, or other business associates who have legitimate access to enterprise
assets but misuse that accesses to steal or destroy information for financial or personal gain.

7) Corporate Spies

Corporate spies conduct industrial or business espionage to either make a profit or disrupt a competitor’s business
by attacking critical infrastructure, stealing trade secrets, and gaining access

What is a Cyber Attack?

A cyber attack is an attempt to disable computers, steal data, or use a breached computer system to
launch additional attacks. Cybercriminals use different methods to launch a cyber attack that includes
malware, phishing, ransomware, man-in-the-middle attack, or other methods.

Types of Cyber Attacks

1. Malware

Malware is a term that describes malicious software, including spyware, ransomware, viruses, and
worms. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous
link or email attachment that then installs risky software.

2. Phishing

Phishing is the method of sending fraudulent communications that seems to come from a reputable
source, usually through email. The goal is to steal or get sensitive data like credit card and login
information or to install malware on the victim’s machine. Phishing is an increasingly common
cyberthreat.

3. Man-in-the-middle attack

Man-in-the-middle (MitM) attacks, also called eavesdropping attacks, occur when attackers insert
themselves into a two-party transaction. Once the attackers interrupt the traffic, they can filter and steal
data.

Two common points of entry for MitM attacks:

On unsecure public Wi-Fi, attackers can insert themselves between a visitor’s device and the network.
Without knowing, the visitor passes all information through the attacker.

Once malware has breached a device; an attacker can install software to process all of the victim’s
information. 

4. Denial-of-service attack
A denial-of-service attack fills systems, servers, or networks with traffic that exhaust resources and
bandwidth. That makes the system incapable to fulfill legitimate requests. Attackers also use multiple
compromised devices to launch this attack. This is known as a distributed-denial-of-service (DDoS)
attack.

5. SQL injection

A Structured Query Language (SQL) injection happens when an attacker inserts malicious code into a
server that uses SQL and forces the server to reveal information it normally would not. An attacker could
carry out a SQL injection simply by submitting malicious code into a vulnerable website search box.

6. Zero-day exploit

A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is
implemented. Attackers target the disclosed vulnerability during this window of time. Zero-day
vulnerability threat detection requires constant awareness.

7. DNS Tunneling

DNS tunneling utilizes the DNS protocol to communicate non-DNS traffic over port 53. It sends HTTP and
other protocol traffic over DNS. There are various, legitimate reasons to utilize DNS tunneling. However,
there are also malicious reasons to use DNS Tunneling VPN services. They can be used to disguise
outbound traffic as DNS, concealing data that is typically shared through an internet connection. For
malicious use, DNS requests are manipulated to exfiltrate data from a compromised system to the
attacker’s infrastructure. It can also be used for command and control callbacks from the attacker’s
infrastructure to a compromised system.

What are examples of a Cyber Attack?

Here are some examples of common cyber attacks and types of data breaches:

 Identity theft, fraud, extortion


 Malware, phishing, spamming, spoofing, spyware, trojans and viruses
 Stolen hardware, such as laptops or mobile devices
 Denial-of-service and distributed denial-of-service attacks
 Breach of access
 Password sniffing
 System infiltration
 Website defacement
 Private and public Web browser exploitsv
 Instant messaging abuse
 Intellectual property (IP) theft or unauthorized access

What happens during a Cyber Attack?


A cyber attack happens when cybercriminals try to gain illegal access to electronic data stored on a
computer or a network. The intent might be to inflict reputational damage or harm to a business or
person, or theft of valuable data. Cyber attacks can target individuals, groups, organizations, or
governments.

Ways to prevent Cyber Attacks

There are 7 key strategies we recommend to use to protect a Small and Medium Business or
organization from cyber attacks.

 USE Multi-Factor Authentication

One of the most effective ways to prevent cyber attacks is to ensure that multi-factor authentication has
been enabled for all applications that access the internet in an organization.

Having only a password login for employees is not enough. If employee passwords are compromised
through a hack or through a phishing scam, cybercriminals may be able to easily access to the systems.

Enabling a multi-factor authentication process for logins instead will require employees to provide
several pieces of information instead of just one. As a result, security will be heightened. It will be much
more difficult for any unauthorized person to access the systems.

 CREATE Robust Internal Controls

To prevent cyber attacks in an organization it’s also crucial that there are robust internal controls in
place. Access controls will help ensure that system access is updated immediately once employees,
contractors, and vendors leave the organization.

Controlling access for the system is essential for cyber attack prevention. When someone leaves the
organization, then access must be revoked due to security reasons. If the access is not revoked for the
former employees, contractors, and other relevant parties, they may be able to access the
organizational system later on.

By monitoring who has access to the organizational systems, one can ensure greater security and can
prevent security threats and potential problems in the future.

 MANAGE Third-Party Security

In order to prevent cyber attacks and security threats, it’s also critical that one takes measures to
manage third-party cyber risk.

It’s important to understand the responsibilities when it comes to third-party security. If there are any
vendors or third parties who need to access organizational system, it’s crucial to be aware of the risks
and to ensure heightened security.
Creating tight security controls, identifying potential cyber threats, and monitoring the network are all
crucial to ensure that the system is secure.

 EDUCATE Organizational Employees

Employee education is also one of the biggest keys to improving business security.

Organization should conduct cyber security awareness training when onboarding new employees.
Employees should be provided with extra training at regular intervals. Holding annual training sessions
can help ensure that the entire staff is aware of how to guard against security threats.

It’s also important to educate all the employees in the organization about phishing. Employees should
be aware of as to what are and what aren’t considered normal requests via email and other
correspondence methods.

This will create a business mode that is much more secure overall.

 CREATE Data Backups

Organization should make regular backups of important business data. Backing up the data is an
essential way to keep the business going strong. It’s an important measure to avoid a worst-case
scenario whereby any crucial business data is lost.

Ensuring regular data backups makes sure that whatever happens the business won’t be at a total loss.

 KEEP Entire Systems Updated

Keeping the systems and business software up to date is also a critical part of protecting any business.
Running the latest software makes the data more secure and also makes business remain strong against
all odds in the long run.

While some business owners find it frustrating for any need for constant updates, they’re necessary.
New problems and vulnerabilities will come up in business software from time to time. Updates exist to
patch software vulnerabilities and to guard against potential security threats.

There are sometimes significant expenses associated with updates to software and hardware. Yet, the
result is usually well worth it.

 INSTALL Antivirus Software and a Firewall

Finally, one must prevent security breaches and cyber attacks by installing antivirus software. Every
computer in the organization should have an antivirus installed and then it must be updated regularly.
One should ensure that a firewall is always in place.
What Is an Exploit?
An exploit is a program, or piece of code, designed to find and take advantage of a security flaw or vulnerability in an
application or computer system, typically for malicious purposes such as installing malware. An exploit is not malware itself,
but rather it is a method used by cybercriminals to deliver malware.

The Different Types of Exploits


 Hardware
Hardware, to various degrees, must run on an OS, whether it be a complex OS for a PC or a simpler OS for an edge device. Vulnerabilities in the OS
become entry points for an exploit, which can corrupt the memory or cause the device to “freeze.”

 Software
Software bugs, a normal consequence of software development, can become vulnerabilities open to exploits if not patched or fixed. Some of the common
exploit methods include memory safety violations, input validation errors, side-channel attacks, and privilege confusion bugs.

 Network
Each of the components of a network offers the possibility of vulnerability, whether hardware, software, or firewall configurations. Some attacks that
may be part of an exploit can be domain hijacking, DoS and distributed denial-of-service (DDoS) attacks, and malware. 

 Personnel
Even personnel can be exploited. Cyber criminals may target their devices and credentials by means of social engineering attacks, spear phishing,
and honey trapping. Training and access control are crucial to mitigating this vulnerability.

 Physical Site
Exploits can be conducted on-site and if deficient physical security or inadequate access control exists. Just as a thief can break in and steal, a cyber
criminal can break in (physically or remotely) and conduct an exploit that compromises an entire network.

Groups in Which Exploits Can Be Categorized


 Zero-day Exploits
This is a previously unknown exploit or an unknown opportunity for an exploit due to vulnerabilities. Anticipating zero-day exploits is crucial to developing patches
or other strategies for mitigating the vulnerability or threat.

 Known Vulnerabilities
Known vulnerabilities have been identified and documented. Patches and other “fixes” can be issued, but cyber criminals can also get hold of the documentation and
design an exploit. The main risk factor is that organizations often do not apply the patch or repair an issue quickly enough to eliminate a vulnerability.

How Do Exploits Occur?


 Remote Exploits
Remote exploits are run on an external computer, via an intranet or other network, exploiting a security vulnerability without prior access to the system. Its purpose is
to either access or steal data or install malware to either a single computer or a complete system or network.

 Local Exploits
Local exploits can only be run if the malicious party has access to a machine on the network using a compromised account.

 Client Exploits
Client exploits influence or attack a user, misleading the user to click and download malware that can then compromise the network or system.

What Is an Exploit Kit?


Exploit kits silently and automatically seek to exploit any vulnerabilities identified on a user’s machine when they are web browsing. They are largely automated in
nature and have become the preferred method for the distribution of remote access tools (RATs) or mass malware by cyber criminals, especially those seeking to
profit from an exploit. 

Often, the goal is to gain control of devices in a simplified and automated manner. A sequence of events takes place within an exploit kit for the attack to be
successful. It starts with a redirect to a landing page, followed by the execution of the exploit, and finally, the delivery of the payload, gaining control of the host. 
Exploit kits can also be used in penetration testing to evaluate the security of the system. For example, the Fortinet exploit kit is used to run a simulation exercise
on a system to detect vulnerabilities.

How To Recognize an Exploit Attack


 Slow Performance
There are multiple issues that can cause a machine or system to run slowly, and infection as the result of an exploit is one of them. So if you are used to seeing fast
performance, and your device slows suddenly as if bogged down, it may be due to a malware infection.

 Frequent Crashes or Freezes


Freezing, crashing, and the dreaded blue screen of death can all be caused by technical issues due to incompatibility between hardware and software, but malware
infections can also be the cause.

 Unexplained Changed Settings


Unusual behavior and changes you do not recall making, such as a changed default homepage in your browser, can be annoying, but they can be much more than
annoying if caused by malicious software or unauthorized access.

 Tons of Pop-ups or Ads Where they Should Not Be


Numerous pop-ups can disguise concealed malware threats, and annoying ads may actually be monitoring your browsing activity, hoping to collect data and
passwords. Unsolicited emails and special offers may also be concealing similar intent.

 Loss of Storage Space


Rapid, sudden loss of storage space can be the result of several underlying issues, but infection with malware is a primary reason and must be investigated before
being eliminated as a possible cause.

Information Gathering

Gathering information is the first step where a hacker tries to get information about the target. Hackers use different sources and tools to get
more information, and some of them are briefly explained here. This informations will be useful for you to become an ethical hacker.

Information Gathering is the act of gathering different kinds of information against the targeted victim or system. It is the first step or the
beginning stage of Ethical Hacking, where the penetration testers or hackers (both black hat or white hat) performed this stage; this is a
necessary and crucial step to be performed. The more the information gathered about the target, the more the probability to obtain relevant
results. Information gathering is not just a phase of security testing; it is an art that every penetration-tester (pen-tester) and hacker should
master for a better experience in penetration testing. There are various tools, techniques, and websites, including public sources such as
Whois, nslookup that can help hackers gather information. This step is necessary because you may need any information (such as his pet
name, best friend's name, age, or phone number to perform password guessing attack or other kinds of attacks) while performing attacks on
any target.

Information gathering can be classified into three major categories:

1. Footprinting
2. Scanning
3. Social engineering

1. Footprinting
Footprinting is the technique to collect as much information as possible about the targeted
network/victim/system. It helps hackers in various ways to intrude on an organization's
system. This technique also determines the security postures of the target. Footprinting can
be active as well as passive. Passive footprinting/pseudonymous footprinting involves collecting
data without the owner, knowing that hackers gather his/her data. In contrast, active footprints
are created when personal data gets released consciously and intentionally or by the owner's
direct contact.
Sub branches Footprinting
Other than types of footprinting, some branches of footprinting a learner should know before gathering information.

 Open-Source Footprinting.
 Network-based Footprinting.
 DNS Interrogation.
Open-Source Footprinting
This type of footprinting is the safest, holding all legal limitations, and hackers can do it without fear because it is illegal and, hence, coined
the term Open-source. Examples of this type include: finding someone's email address, phone number, scanning IP through automated tools,
search for his age, DOB, house address, etc. Most companies provide information about their companies on their official website without
realizing that hackers can benefit from that information provided by them.

Network-based Footprinting
Using this footprinting category, hacktivists can retrieve information such as user name, information within a group, shared data among
individuals, network services, etc.

DNS Interrogation
After gathering the information needed from the different areas using various techniques, the hacker usually queries the DNS using pre-
existing tools. Many freeware tools are available online to perform DNS interrogation.

2. Scanning
Scanning is another essential step, which is necessary, and it refers to the package of techniques and procedures used to identify hosts, ports,
and various services within a network. Network scanning is one of the components of intelligence gathering and information retrieving
mechanism an attacker used to create an overview scenario of the target organization (target organization: means the group of people or
organization which falls in the prey of the Hacker). Vulnerability scanning is performed by pen-testers to detect the possibility of network
security attacks. This technique led hackers to identify vulnerabilities such as missing patches, unnecessary services, weak authentication, or
weak encryption algorithms. So a pen-tester and ethical hacker list down all such vulnerabilities found in an organization's network.

Scanning is of three types:

 Network Scanning
 Port Scanning
 Vulnerability Scanning

Objectives of Network Scanning


1. To discover live hosts/computer, IP address, and open ports of the victim.
2. To discover services that are running on a host computer.
3. To discover the Operating System and system architecture of the target.
4. To discover and deal with vulnerabilities in Live hosts.

Port Scanning
It is a conventional technique used by penetration testers and hackers to search for open doors from which hackers can access any
organization's system. During this scan, hackers need to find out those live hosts, firewalls installed, operating systems used, different devices
attached to the system, and the targeted organization's topology. Once the Hacker fetches the victim organization's IP address by scanning
TCP and UDP ports, the Hacker maps this organization's network under his/her grab. Amap is a tool to perform port scanning.

Vulnerability Scanning
It is the proactive identification of the system's vulnerabilities within a network in an automated manner to determine whether the system can
be exploited or threatened. I this case, the computer should have to be connected to the internet.

Tools and Steps Used


If a hacker wants to perform ICMP (Internet Control Message Protocol) scanning, it can be done manually. The steps are:

 Open Windows OS
 Press Win+R (Run) buttons in combination
 In the Run, type- cmd
 Type the command: ping IP Address or type:  ping DomainName

3. Social Engineering
Hackers and malicious attackers always try to gain information by other means if they couldn't access otherwise. They continuously keep
searching for information they can obtain from their victim and wreak havoc on the network's resources. Social Engineering is something
different from physical security exploits (like shoulder surfing and dumpster driving). Shoulder Surfing is the direct observation technique,
such as looking over victims' shoulder to get information - what he/she's typing or what password, PIN, security pattern locks the victim is
entering. Dumpster diving is a form of modern salvaging of wastes such as papers, hard copy, documentation, paper-based records
discarded in large commercial, residential, industrial, and construction containers. Hackers do this famous dumpster driving to search for
particular information from that discarded waste.

What is Social Engineering?


It is an attack vector that relies mostly on human interaction and often involves tricking people. In other words, social engineering refers to
the psychological manipulation of a human being into performing actions by interacting with them and then breaking into normal security
postures. It's like a trick of confidence to gather information and gain unauthorized access by tricking or doing fraud.

Social engineering is the term used for a broad range of malicious activities accomplished through human
interactions. It uses psychological manipulation to trick users into making security mistakes or giving away
sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim
to gather necessary background information, such as potential points of entry and weak security protocols,
needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli
for subsequent actions that break security practices, such as revealing sensitive information or granting
access to critical resources.

Social engineering attack techniques


Social engineering attacks come in many different forms and can be performed anywhere where human
interaction is involved. The following are the five most common forms of digital social engineering assaults.

1. Baiting
As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure
users into a trap that steals their personal information or inflicts their systems with malware.

The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the
bait—typically malware-infected flash drives—in conspicuous areas where potential victims are certain to see
them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to
it, such as a label presenting it as the company’s payroll list.

Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic
malware installation on the system.
Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist
of enticing ads that lead to malicious sites or that encourage users to download a malware-infected
application.

2. Scareware
Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived to
think their system is infected with malware, prompting them to install software that has no real benefit
(other than for the perpetrator) or is malware itself. Scareware is also referred to as deception software,
rogue scanner software and fraudware.

A common scareware example is the legitimate-looking popup banners appearing in your browser while
surfing the web, displaying such text such as, “Your computer may be infected with harmful spyware
programs.” It either offers to install the tool (often malware-infected) for you, or will direct you to a
malicious site where your computer becomes infected.

Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to buy
worthless/harmful services.

3. Pretexting
Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by
a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.

The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank
and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are
ostensibly required to confirm the victim’s identity, through which they gather important personal data.

All sorts of pertinent information and records is gathered using this scam, such as social security numbers,
personal addresses and phone numbers, phone records, staff vacation dates, bank records and even
security information related to a physical plant.

4. Phishing
As one of the most popular social engineering attack types, phishing scams are email and text message
campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then prods them into
revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain
malware.

An example is an email sent to users of an online service that alerts them of a policy violation requiring
immediate action on their part, such as a required password change. It includes a link to an illegitimate
website—nearly identical in appearance to its legitimate version—prompting the unsuspecting user to enter
their current credentials and new password. Upon form submittal the information is sent to the attacker.

Given that identical, or near-identical, messages are sent to all users in phishing campaigns, detecting and
blocking them are much easier for mail servers having access to threat sharing platforms.

5. Spear phishing
This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or
enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging
to their victims to make their attack less conspicuous. Spear phishing requires much more effort on behalf of
the perpetrator and may take weeks and months to pull off. They’re much harder to detect and have better
success rates if done skillfully.

A spear phishing scenario might involve an attacker who, in impersonating an organization’s IT consultant,
sends an email to one or more employees. It’s worded and signed exactly as the consultant normally does,
thereby deceiving recipients into thinking it’s an authentic message. The message prompts recipients to
change their password and provides them with a link that redirects them to a malicious page where the
attacker now captures their credentials.
Nmap: Discover your network
What is Nmap?
Nmap is an open-source utility for network discovery. Network Mapper is a security auditing and network scanning independent tool
developed by Gordon Lyon. It is used by network administrators to detect the devices currently running on the system and the port number
by which the devices are connected.

Many systems and network administrators are used for managing network inventory, service upgrade schedules, monitoring
hosts and service uptime.

Nmap Definition

At the top-level, Nmap is defined as a tool that can detect or diagnose services that are running on an Internet-connected system by a
network administrator in their networked system used to identify potential security flaws. It is used to automate redundant tasks, such as
monitoring the service.

Working of Nmap

Nmap is convenient during penetration testing of networked systems. Nmap provides the network details, and also helps to determine the
security flaws present in the system. Nmap is platform-independent and runs on popular operating systems such
as Linux, Windows and Mac.

Nmap is a useful tool for network scanning and auditing purposes.

o It can search for hosts connected to the Network.


o It can search for free ports on the target host.
o It detects all services running on the host with the help of operating system.
o It also detects any flaws or potential vulnerabilities in networked systems.

It is effortless to work with the Nmap. With the release of a new graphical user interface called GenMap User, it performs many tasks such as
saving and comparing scan results, scanning the results in a database, and visualize the network system topology graphically, etc.

Advantages of Nmap

Nmap has a lot of advantages that make it different from other network scanning tools. Nmap is open-source and free to use.

Some other advantages are listed below.

o It is used for auditing network systems as it can detect new servers.


o It will search for subdomain and Domain Name System
o With the help of Nmap Scripting Engine (NSE), interaction can be made with the target host.
o It determines the nature of the service in the host and performs whether the host is a mail service or a web server.

Essential skills

Nmap offers various technologies to scan the networks, such as TCP Connect scanning, FTP bounce scanning, TCP reverse identification
scanning, etc. to scan the Network. One should start with Nmap to learn all of the techniques.

Why should we use Nmap?


If you are a network administrator, it is required to check target hosts, determine free and occupied ports, and perform security vulnerability
scans. It offers all utilities, whether we need to monitor a single host or multiple hosts.

Nmap is used for regular network audits. Nevertheless, it can perform redundant tasks such as managing network inventory, scheduling
service upgrades, and monitoring various uptime and downtime services.

It also lists the status of services such as open, filtered, unfiltered or closed.

The output is extended to reverse operating system type, MAC address, device type, and also DNS names.

Types of Nmap scan

Different types of scans can be done using Nmap.

TCP Scan

It completes a three-way handshake between you and a closet target system. The TCP scan is very noisy and cannot be detected with
almost any effort because services can log onto the sender IP address and trigger an intrusion detection system.

UDP Scan

The UDP scan is used to check if there is a UDP port and listening for incoming requests to the target the machine. Unlike the TCP,  UDP has
no mechanism to react with positive acceptability, so there is a chance for false-positive scan results.  UDP scans are used to reveal Trojan
horses, which run on a UDP port or to reveal the hidden RPC services. These scans are slow because the machines slow down their
responses to such traffic as a precaution.

SYN Scan

It is another form of TCP scan. Nmap crafts a sync packet, the first packet sent to establish is a TCP connection.

ACK Scan

ACK scans are used to determine a particular port that has been filtered. It proves to be extremely helpful when trying to check for firewalls
and their current regulations.

Bang Scan

The bang scan is like SYN scans. It sends the TCP fin packet instead of RST packet (reset packet) if it receives the input so that false scans and
negativity are seen in the scan. But it may be under the radar of some IDS programs and many countermeasures.

Full Scan

The null scan is very secretive, and as the name suggests what they do - they set all header fields to zero. It is not a valid packet, and targets
will not know how to deal with packet.

Xmas Scan

Computers running windows will not respond to X MAS scans due to the way they implement their TCP stack. A set of flags triggered within
a scanning packet derives its Name that is sent for scanning. XMAS scans are used to manipulate PSH, URG and FIN flags in TCP headers.

RPC Scan
RPC scans are used to search for machines that respond to Remote Procedure Call services ( RPC). It allows remote to run on a particular
machine under a particular set of connections. The RPC service can run on various ports. Therefore, regular scans are challenging to detect if
RPC services are running.

IDE Scan

IDE scan is the most secure scan as packets are bounced from external hosts. Control is not required on the host, but the host must fulfil a
specific set of conditions.

Nmap Functions

Most of Nmap's standard functions are executed by using a single command.

There are the following Nmap functions, as follows:

1. Ping Scanning

The ping scanning gives information about every active IP on your Network. We can perform a ping scan by using the below command:

1. #nmap-sn<target>  
2. -PS/PA/PU/PY[portlist]: TCP SYN/ ACK, UDP or SCTP discovery to given ports.  

2. Port Scanning

Port scanning is one of the most popular forms of reconnaissance ahead of a hack, helping attackers determine which ports are most
susceptible.

There are many ways to execute port scanning using Nmap.

1. # sS TCP SYN scan  
2. # sT TCP connect scan  
3. # sU UDP scans  
4. # sY SCTP INIT scan  
5. # sN TCP NULL  

3. Host scanning

Host scanning provides a detailed description of a particular host or IP address. As mentioned above, you can scan a host using the following
command:

1. # Nmap -sp <target IP range>  
4. OS Scanning

OS scanning is the most powerful feature of Nmap. It sends TCP and UDP packets to a port and analyzes the response when using this type
of scan. It compares the response to a database of operating systems and returns information on a host's  OS. To run the OS scan, use the
command, given below:

1. Nmap -O <target IP>  

5. Scan the Most Popular Ports

If you are running Nmap on a home server, this command is easy. It scans ' popular' ports for a host. You can use the command given below
to scan the popular ports:

1. Nmap - Top-ports 20 192.168.1.106  

Replace "20" with the number of ports you want to scan. It gives a brief output that details the most common ports status and allows you to
see if you have any unnecessarily open ports.

6. Output to a file

If we want the output of results of Nmap scan of any file, you can add an extension to the command.

1. Add:-oN output.txt  

The command is the output of results to a text file.

1. -oX output.xml  

7. Disable DNS Name Resolution

Finally, we can speed up your Nmap scan by using the -n parameter to disable inverted DNS resolution. It is useful to perform a wide network
scan.

For example, add-en to turn off the DNS resolution for the required ping scans.

Zenmap
Nmap(Network Mapper) is the second program that we're going to look. It is a huge tool and has many uses. Nmap is used to gather
information about any device. Using the Nmap, we can gather information about any client that is within our network or outside our network,
and we can gather information about clients just by knowing their IP. Nmap can be used to bypass firewalls, as well as all kinds of protection
and security measures. In this section, we're going to learn some of the basic Nmap commands that can be used to discover clients that are
connected to our network, and also discover the open ports on these clients.

We're going to use Zenmap, which is the graphical user interface for Nmap. If we type zenmap on the Terminal, we'll bring up the application
like this:
In the Target field, we're going to put our IP address. In the Profile drop-down menu, we can have various profiles:

In the Target filed, if you want to gather information of only one IP address, we can just enter that address. We can also enter a range like we
did with netdiscover. We're going to enter 198.168.1.1/24. Then we are going to select the Ping scan from the Profile drop-down menu and
hit the Scan button:

The preceding scan is kind of a quick scan, but it doesn't show too much information, as we can see in the preceding screenshot. It only
shows the connected devices. This scan is very quick. We are able to see the connected devices on the left-hand panel, and we can see their
IP addresses, their MAC addresses, and their vendors.

The next scan we're going to learn is the Quick Scan. Now, the Quick scan is going to be slightly slower than the Ping scan. But in Quick
scan, we will get more information than the Ping scan. We're going to be able to identify the open ports on each device:

In the above screenshot, we can see that it shows the open ports on each one of the discovering devices. The main router has an open port
called 53/tcp. 80/tcp is the port used at the router setting page because it runs on a web server.
Port scanning
 Port scanning is a method of detecting vulnerable nodes in a network by accessing different ports on a host (a device connected to the
network) or the same port on different hosts. It can be used by cybercriminals in the preparatory phase of an attack to harvest information
about the target host, as well as by information security experts as a tool for locating vulnerable nodes in IT infrastructure.

Types of port scanning

There are several types of port scanning:

 Horizontal scanning or network scanning sends requests to the same port on different hosts. Attackers use horizontal scanning
to prepare for a mass attack.
 Vertical scanning sends requests to different ports on the same host. Attackers typically use vertical scanning to look for
vulnerabilities in a preselected target.

Port scanning methods

There are various methods of checking which ports are open and accessible externally. The most common are:

 SYN scanning. The attacker sends a SYN (synchronization) request to the target port over TCP. If the port is open, it returns a
SYN-ACK (synchronization acknowledgment) packet. The scanner then terminates the session without establishing a connection.
If the port is closed, it responds with an RST (reset) packet, indicating that it cannot be accessed. If the port is located behind
a firewall, the request does not generate a response at all. This is the most common scanning method because it does not require
an established connection and is not logged by most simple event-tracking tools. On the other hand, SYN scanning requires
superuser privileges on the device that sends the requests and which might not belong to the attacker.
 TCP scanning. This is the simplest scanning method that does not require special rights. It uses the network functions of the
operating system to establish a full TCP connection. However, this type of scan is easy to detect and block.
 UDP scanning. Determines the status of ports used by UDP services. Unlike TCP, UDP is a connectionless protocol. That means
if the port is open and the sent data is delivered successfully, the scanner does not receive a response, whereas a closed port
returns an ICMP error message. This method can give a false indication of the available network services: if the target port is
protected by a firewall or the system blocks ICMP messages, the scanner does not receive a response and deems the port open.
 FIN scanning. Used to reveal open ports hidden behind a firewall, the method is similar to SYN scanning but involves sending
FIN (finish) packets (requests to end the connection). Unlike SYN requests, many firewalls do not block such packets. Closed
ports generally answer with an RST packet. Open ones do not respond. In some operating systems, however, all ports respond to
FIN requests in the same way, so the method is not very precise.
 ACK scanning. Used to collect information about firewalls, their rules, and ports filtered by them. ACK packets are normally used
in established connections, so simple traffic filtering rules let them through. If a packet fails to get through, that means the port is
protected by a firewall with more advanced rules.

Port-scanning objectives

Port scanning determines:

 Port status (open, closed, firewall-protected);


 Services running on ports;
 Device type, OS family.

Cybercriminals use this information in preparing attacks. For example, they can exploit vulnerabilities in externally accessible network
services, the device operating system, and elsewhere.

Information security experts use this information to better protect company resources. The scan identifies vulnerable services that should be
placed behind a firewall and unused ports that can be closed.
Network Scanning

INTRODUCTION
Network scanning refers to the use of a computer network to gather information regarding computing systems. Network
scanning is mainly used for security assessment, system maintenance, and also for performing attacks by hackers.

The purpose of network scanning is as follows:

 Recognize available UDP and TCP network services running on the targeted hosts
 Recognize filtering systems between the user and the targeted hosts
 Determine the operating systems (OSs) in use by assessing IP responses
 Evaluate the target host's TCP sequence number predictability to determine sequence prediction attack and TCP
spoofing.

TYPES
Scanning is primarily of three types. These are network scanning, port scanning, and vulnerability scanning.

A) Network scanning
Network scanning helps to discover any live computer or hosts, open ports, and the IP address of a victim. It helps to
discover the services that are running on any host computer. It allows the decoding of the system architecture of any target
and the operating system. The method helps to deal with and discover if there are any vulnerabilities in a live host.

B) Port scanning
Post scanning is a conventional method that is used to penetrate into the hackers and the testers to search if there are any
open doors from where the hacker will be capable of accessing the system of the organization. It tries to figure out the route
of the hacker, to find out the live hosts, the operating system that is used, and the installed firewalls as well as the topology
of the targeted organization.

Once the hacker gets the IP address of the organization of the victim using the UDP and the TCP ports the hacker will map
the network of the organization and put it in his grab. A map is a tool that is used to carry out port scanning techniques.

C) Vulnerability scanning
The vulnerability scanning method proactively identifies the vulnerability of the network in an automated method that helps to
find out whether the system may be threatened or exploited. To carry out this type of scanning the computer needs to be
connected to the internet.

USES
Using the tools for network scanning is important if you are running several devices on the network. It is also useful if you
have a large network to include various subnets. It is impossible to manage such a vast network and this can expose the
business to various security threats. This is why you need scanning networks to scan the system.

Here are the uses of network scanning

 Automates the IP network scanning


 It helps to manage the subnets with the subnetwork scanning
 It scans the network device correctly from end to end
 It streamlines the scanning of the network and helps to detect if there are any rogue devices which helps to enhance the security network
 It helps to set role-based access management
The scanning tools may make use of passive scanning to reveal many kinds of critical information related to your network. It
works like a network discover and a management tool for performance management to determine the networks and devices
on your system and to create a network topology. It is also possible to scan the network information to determine to see
whether or not the device is working correctly or if there are faults in your network.
 The network scanning tools help to monitor and examine the vendors that run on multi networks. 
 It also gives a very visual appealing insight like comparative graphs and heat maps.
 It helps to understand the network from the perspective of a node by node. 
 It also pinpoints and troubleshoots the problems and to discover the weak parts that could be vulnerable to an attack.
 The IP address scanning network is focused on managing and discovering the devices that are based on information of IP across various
subnets.

You might also like