Ethical Hacking Essentials PDF

Summary

This document is a guide to ethical hacking essentials. Topics covered include information security fundamentals, threats, and countermeasures. It provides a comprehensive overview of various aspects of ethical hacking, including network attacks, web application attacks, and social engineering.

Full Transcript

Ethical Hacking Essentials (EHE)

Table of Contents

Module 01: Information Security Fundamentals

- Information Security Fundamentals

- Information Security Laws and Regulations

Module 02: Ethical Hacking Fundamentals

- Cyber Kill Chain Methodology

- Hacking Concepts and Hacker Classes

- Different Phases of Hacking Cycle

- Ethical Hacking Concepts, Scope, and Limitations

- Ethical Hacking Tools

Module 03: Information Security Threats and Vulnerability Assessment

- Threat and Threat Sources

- Malware and its Types

- Vulnerabilities

- Vulnerability Assessment

Module 04: Password Cracking Techniques and Countermeasures

- Password Cracking Techniques

- Password Cracking Tools

- Password Cracking Countermeasures

Module 05: Social Engineering Techniques and Countermeasures

- Social Engineering Concepts and its Phases

- Social Engineering Techniques

- Insider Threats and Identity Theft

- Social Engineering Countermeasures

Module 06: Network Level Attacks and Countermeasures

- Sniffing

- Packet Sniffing Concepts

- Sniffing Techniques

- Sniffing Countermeasures

- Denial-of-Service

- DoS and DDoS Attacks

- DoS and DDoS Attack Countermeasures

- Session Hijacking

- Session Hijacking Attacks

- Session Hijacking Attack Countermeasures

Module 07: Web Application Attacks and Countermeasures

- Web Server Attacks

- Web Server Attacks

- Web Server Attack Countermeasures

- Web Application Attacks

- Web Application Architecture and Vulnerability Stack

- Web Application Threats and Attacks

- Web Application Attack Countermeasures

- SQL Injection Attacks

- SQL Injection Attacks

- SQL Injection Attack Countermeasures

Module 08: Wireless Attacks and Countermeasures

- Wireless Terminology

- Wireless Encryption

- Wireless Network-Specific Attack Techniques

- Bluetooth Attacks

- Wireless Attack Countermeasures

Module 09: Mobile Attacks and Countermeasures

- Mobile Attack Anatomy

- Mobile Platform Attack Vectors and Vulnerabilities

- Mobile Device Management (MDM) Concept

- Mobile Attack Countermeasures

Module 10: IoT and OT Attacks and Countermeasures

- IoT Attacks

- IoT Concepts

- IoT Threats and Attacks

- IoT Attack Countermeasures

- OT Attacks

- OT Concepts

- OT Threats and Attacks

- OT Attack Countermeasures

Module 11: Cloud Computing Threats and Countermeasures

- Cloud Computing Concepts

- Container Technology

- Cloud Computing Threats

- Cloud Attack Countermeasures

Module 12: Penetration Testing Fundamentals

- Fundamentals of Penetration Testing and its Benefits

- Strategies and Phases of Penetration Testing

- Guidelines and Recommendations for Penetration Testing

**Module 01: Information Security Fundamentals**

- Information Security Fundamentals

- Information security is a state of well-being of information and
infrastructure in which the possibility of theft, tampering, and
disruption of information and services is low or tolerable

- Need for Security

- Evolution of technology, focused on ease of use

- Rely on the use of computers for accessing, providing, or
just storing information

- Increased network environment and network-based applications

- Direct impact of security breach on the corporate asset base
and goodwill

- Increasing complexity of computer infrastructure
administration and management

- Elements of Information Security

- Confidentiality

- Integrity

- Availability

- Authenticity

- Non-repudiation

- The Security, Functionality, and Usability Triangle

- Security: Restrictions

- Functionality: Features

- Usability: GUI

- Security Challenges

- Compliance to government laws and regulations

- Lack of qualified and skilled cybersecurity professionals

- Difficulty in centralizing security in a distributed
computing environment

- Difficulty in overseeing end-to-end processes due to complex
IT infrastructure

- Fragmented and complex privacy and data protection
regulations

- Use of a serverless architecture and applications that rely
on third-party cloud providers

- Compliance issues and issues with data removal and retrieval
due to the implementation of Bring Your Own Device (BYOD)
policies in companies

- Relocation of sensitive data from legacy data centers to the
cloud without proper configuration

- Weak links in supply-chain management

- Increase in cybersecurity risks such as data loss and
unpatched vulnerabilities and errors due to the usage of
shadow IT

- Shortage of research visibility and training for IT
employees

- Motives, Goals, and Objectives of Information Security Attacks

- Attacks = Motive (Goal) + Method + Vulnerability

- A motive originates out of the notion that the target system
stores or processes something valuable, and this leads to
the threat of an attack on the system

- Attackers try various tools and attack techniques to exploit
vulnerabilities in a computer system or its security policy
and controls in order to fulfil their motives

- Motives behind information security attacks

- Disrupting business continuity

- Stealing information and manipulating data

- Creating fear and chaos by disrupting critical
infrastructures

- Causing financial loss to the target

- Damaging the reputation of the target

- Classification of Attacks

- Passive Attacks

- Do not tamper with the data and involve intercepting and
monitoring network traffic and data flow on the target
network

- Examples include sniffing and eavesdropping,
Footprinting, Network traffic analysis and Decryption of
weakly encrypted traffic

- Active Attacks

- Tamper with the data in transit or disrupt the
communication or services between the systems to bypass
or break into secured systems

- Examples include DoS, Man-in-the-Middle, session
hijacking, and SQL injection

- Close-in Attacks

- Are performed when the attacker is in close physical
proximity with the target system or network in order to
gather, modify, or disrupt access to information

- Examples include social engineering such as
eavesdropping, shoulder surfing, and dumpster diving

- Insider Attacks

- Involve using privileged access to violate rules or
intentionally cause a threat to the organization's
information or information systems

- Examples include theft of physical devices and planting
keyloggers, backdoors, and malware

- Distribution Attacks

- Occur when attackers tamper with hardware or software
prior to installation

- Attackers tamper with the hardware or software at its
source or in transit

- Information Security Attack Vectors

- Cloud Computing Threats:

- Cloud computing is an on-demand delivery of IT
capabilities where sensitive data of organizations, and
their clients is stored. Flaw in one client's
application cloud allow attackers to access other
client's data

- Advanced Persistent Threats (APT):

- An attack that is focused on stealing information from
the victim machine without the user being aware of it

- Viruses and Worms:

- The most prevalent networking threat that are capable of
infecting a network within seconds

- Ransomware:

- Restricts access to the computer system's files and
folders and demands an online ransom payment to the
malware creator(s) in order to remove the restrictions

- Mobile Threats:

- Focus of attackers has shifted to mobile devices due to
increased adoption of mobile devices for business and
personal purposes and comparatively lesser security
controls

- Botnet

- A huge network of the compromised systems used by an
intruder to perform various network attacks

- Insider Attack

- An attack performed on a corporate network or on a
single computer by an entrusted person (insider) who has
authorized access to the network

- Phishing

- The practice of sending an illegitimate email falsely
claiming to be from a legitimate site in an attempt to
acquire a user's personal or account information

- Web Application Threats

- Attackers target web applications to steal credentials,
set up phishing site, or acquire private information to
threaten the performance of the website and hamper its
security

- IoT Threats

- IoT devices include many software applications that are
used to access the device remotely

- Flaws in the IoT devices allows attackers access into
the device remotely and perform various attacks

- Information Security Laws and Regulations

- Payment Card Industry Data Security Standard (PCI
DSS) [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org/)

- A proprietary information security standard for
organizations that handle cardholder information for major
debit, credit, prepaid, e-purse, ATM, and POS cards

- PCI DSS applies to all entities involved in payment card
processing --- including merchants, processors, acquirers,
issuers, and service providers, as well as all other
entities that store, process, or transmit cardholder data

- PCI Data Security Standard, High Level Overview:

- Build and Maintain a Secure Network

- Install and maintain a firewall configuration to
protect cardholder data

- Do not use vendor-supplied defaults for system
passwords and other security parameters

- Protect Cardholder Data

- Protect stored cardholder data

- Encrypt transmission of cardholder data across open,
public networks

- Maintain a Vulnerability Management Program

- Use and regularly update anti-virus software or
programs

- Develop and maintain secure systems and applications

- Implement Strong Access Control Measures

- Restrict access to cardholder data by business need
to know

- Assign a unique ID to each person with computer
access

- Restrict physical access to cardholder data

- Regularly Monitor and Test Networks

- Track and monitor all access to network resources
and cardholder data

- Regularly test security systems and processes

- Maintain an Information Security Policy

- Maintain a policy that addresses information
security for all personnel

- ISO/IEC 27001:2013 [https://www.iso.org](https://www.iso.org/)

- Specifies the requirements for establishing, implementing,
maintaining, and continually improving an information
security management system within the context of the
organization

- It is intended to be suitable for several different types of
use, including:

- Use within organizations to formulate security
requirements and objectives

- Use within organizations as a way to ensure that
security risks are cost-effectively managed

- Use within organizations to ensure compliance with laws
and regulations

- Defining new information security management processes

- Identifying and clarifying existing information security
management processes

- Use by the management of organizations to determine the
status of information security management activities

- Implementing business-enabling information security

- Use by organizations to provide relevant information
about information security to customers

- Health Insurance Portability and Accountability Act
(HIPAA) [https://www.hhs.gov](https://www.hhs.gov/)

- Electronic Transaction and Code Set Standards

- Requires every provider who does business electronically
to use the same health care transactions, code sets, and
identifiers

- Privacy Rule

- Provides federal protections for the personal health
information held by covered entities and gives patients
an array of rights with respect to that information

- Security Rule

- Specifies a series of administrative, physical, and
technical safeguards for covered entities to use to
ensure the confidentiality, integrity, and availability
of electronically protected health information

- National Identifier Requirements

- Requires that health care providers, health plans, and
employers have standard national numbers that identify
them attached to standard transactions

- Enforcement Rule

- Provides the standards for enforcing all the
Administration Simplification Rules

- Sarbanes Oxley Act
(SOX) [https://www.sec.gov](https://www.sec.gov/)

- Enacted in 2002, the Sarbanes-Oxley Act is designed to
protect investors and the public by increasing the accuracy
and reliability of corporate disclosures

- The key requirements and provisions of SOX are organized
into 11 titles:

- Title I:

- Public Company Accounting Oversight Board (PCAOB)
provides independent oversight of public accounting
firms providing audit services ("auditors")

- Title II

- Auditor Independence establishes the standards for
external auditor independence, intended to limit
conflicts of interest and address new auditor
approval requirements, audit partner rotation, and
auditor reporting requirements

- Title III

- Corporate Responsibility mandates that senior
executives take individual responsibility for the
accuracy and completeness of corporate financial
reports

- Title IV

- Enhanced Financial Disclosures describe enhanced
reporting requirements for financial transactions,
including off-balance-sheet transactions, pro-forma
figures, and the stock transactions of corporate
officers

- Title V

- Analyst Conflicts of Interest consist of measures
designed to help restore investor confidence in the
reporting of securities analysts

- Title VI

- Commission Resources and Authority defines practices
to restore investor confidence in securities
analysts

- Title VII

- Studies and Reports includes the effects of the
consolidation of public accounting firms, the role
of credit rating agencies in the operation of
securities markets, securities violations and
enforcement actions, and whether investment banks
assisted Enron, Global Crossing, or others to
manipulate earnings and obfuscate true financial
conditions

- Title VIII

- Corporate and Criminal Fraud Accountability
describes specific criminal penalties for fraud by
the manipulation, destruction, or alteration of
financial records, or other interference with
investigations while providing certain protections
for whistle-blowers

- Title X

- White Collar Crime Penalty Enhancement increases the
criminal penalties associated with white-collar
crimes and conspiracies. It recommends stronger
sentencing guidelines and specifically adds the
failure to certify corporate financial reports as a
criminal offense

- Title IX

- Corporate Tax Returns states that the Chief
Executive Officer should sign the company tax return

- Title XI

- Corporate Fraud Accountability identifies corporate
fraud and record tampering as criminal offenses and
assigns them specific penalties. It also revises
sentencing guidelines and strengthens their
penalties. This enables the SEC to temporarily
freeze large or unusual payments

- The Digital Millennium Copyright Act
(DMCA) [https://www.copyright.gov](https://www.copyright.gov/)

- The DMCA is a United States copyright law that implements
two 1996 treaties of the World Intellectual Property
Organization (WIPO)

- It defines the legal prohibitions against the circumvention
of technological protection measures employed by copyright
owners to protect their works, and against the removal or
alteration of copyright management information

- The Federal Information Security Management Act
(FISMA) [https://csrc.nist.gov](https://csrc.nist.gov/)

- The FISMA provides a comprehensive framework for ensuring
the effectiveness of information security controls over
information resources that support Federal operations and
assets. It includes:

- Standards for categorizing information and information
systems by mission impact

- Standards for minimum security requirements for
information and information systems

- Guidance for selecting appropriate security controls for
information systems

- Guidance for assessing security controls in information
systems and determining security control effectiveness

- Guidance for security authorization of information
systems

- General Data Protection Regulation
(GDPR) [https://gdpr.eu](https://gdpr.eu/)

- GDPR regulation was put into effect on May 25, 2018 and one
of the most stringent privacy and security laws globally

- The GDPR will levy harsh fines against those who violate its
privacy and security standards, with penalties reaching tens
of millions of euros

- GDPR Data Protection Principles:

- Lawfulness, fairness, and transparency

- Purpose limitation

- Data minimization

- Accuracy

- Storage limitation

- Integrity and confidentiality

- Accountability

- Data Protection Act 2018
(DPA) [https://www.legislation.gov.uk](https://www.legislation.gov.uk/)

- The DPA is an act to make provision for the regulation of
the processing of information relating to individuals; to
make provision in connection with the Information
Commissioner's functions under specific regulations relating
to information; to make provision for a direct marketing
code of practice, and connected purposes

- The DPA protects individuals concerning the processing of
personal data, in particular by:

- Requiring personal data to be processed lawfully and
fairly, based on the data subject's consent or another
specified basis,

- Conferring rights on the data subject to obtain
information about the processing of personal data and to
require inaccurate personal data to be rectified, and

- Conferring functions on the Commissioner, giving the
holder of that office responsibility to monitor and
enforce their provisions

- Cyber Law in Different Countries

- United States

- Section 107 of the Copyright Law mentions the doctrine
of "fair
use" [https://www.copyright.gov](https://www.copyright.gov/)

- Online Copyright Infringement Liability Limitation
Act [https://www.uspto.gov](https://www.uspto.gov/)

- The Lanham (Trademark) Act (15 USC §§ 1051 -
1127) [https://www.uspto.gov](https://www.uspto.gov/)

- The Electronic Communications Privacy
Act [https://fas.org](https://fas.org/)

- Foreign Intelligence Surveillance
Act [https://fas.org](https://fas.org/)

- Protect America Act of
2007 [https://www.justice.gov](https://www.justice.gov/)

- Privacy Act of
1974 [https://www.justice.gov](https://www.justice.gov/)

- National Information Infrastructure Protection Act of
1996 [https://www.nrotc.navy.mil](https://www.nrotc.navy.mil/)

- Computer Security Act of
1987 [https://csrc.nist.gov](https://csrc.nist.gov/)

- Freedom of Information Act
(FOIA) [https://www.foia.gov](https://www.foia.gov/)

- Computer Fraud and Abuse
Act [https://energy.gov](https://energy.gov/)

- Federal Identity Theft and Assumption Deterrence
Act [https://www.ftc.gov](https://www.ftc.gov/)

- Australia [https://www.legislation.gov.au](https://www.legislation.gov.au/)

- The Trade Marks Act 1995

- The Patents Act 1990

- The Copyright Act 1968

- Cybercrime Act 2001

- United
Kingdom [https://www.legislation.gov.uk](https://www.legislation.gov.uk/)

- The Copyright, Etc. and Trademarks (Offenses And
Enforcement) Act 2002

- Trademarks Act 1994 (TMA)

- Computer Misuse Act 1990

- The Network and Information Systems Regulations 2018

- Communications Act 2003

- The Privacy and Electronic Communications (EC Directive)
Regulations 2003

- Investigatory Powers Act 2016

- Regulation of Investigatory Powers Act 2000

- China

- Copyright Law of the People's Republic of China
(Amendments on October 27,
2001) [http://www.npc.gov.cn](http://www.npc.gov.cn/)

- Trademark Law of the People\'s Republic of China
(Amendments on October 27,
2001) [http://www.npc.gov.cn](http://www.npc.gov.cn/)

- India

- The Patents (Amendment) Act, 1999, Trade Marks Act,
1999, The Copyright Act,
1957 [http://www.ipindia.nic.in](http://www.ipindia.nic.in/)

- Information Technology
Act [https://www.meity.gov.in](https://www.meity.gov.in/)

- Germany

- Section 202a. Data Espionage, Section 303a. Alteration
of Data, Section 303b. Computer
Sabotage [https://www.cybercrimelaw.net](https://www.cybercrimelaw.net/)

- Italy

- Penal Code Article 615
ter [https://www.cybercrimelaw.net](https://www.cybercrimelaw.net/)

- Japan

- The Trademark Law (Law No. 127 of 1957), Copyright
Management Business Law (4.2.2.3 of
2000) [https://www.iip.or.jp](https://www.iip.or.jp/)

- Canada

- Copyright Act (R.S.C., 1985, c. C-42), Trademark Law,
Canadian Criminal Code Section
342.1 [https://laws-lois.justice.gc.ca](https://laws-lois.justice.gc.ca/)

- Singapore

- Computer Misuse
Act [https://sso.agc.gov.sg](https://sso.agc.gov.sg/)

- South Africa

- Trademarks Act 194 of
1993 [http://www.cipc.co.za](http://www.cipc.co.za/)

- Copyright Act of
1978 [https://www.nlsa.ac.za](https://www.nlsa.ac.za/)

- South Korea

- Copyright Law Act No.
3916 [https://www.copyright.or.kr](https://www.copyright.or.kr/)

- Industrial Design Protection
Act [https://www.kipo.go.kr](https://www.kipo.go.kr/)

- Belgium

- Copyright Law,
30/06/1994 [https://www.wipo.int](https://www.wipo.int/)

- Computer
Hacking [https://www.cybercrimelaw.net](https://www.cybercrimelaw.net/)

- Brazil

- Unauthorized modification or alteration of the
information
system [https://www.domstol.no](https://www.domstol.no/)

- Hong Kong

- Article 139 of the Basic
Law [https://www.basiclaw.gov.hk](https://www.basiclaw.gov.hk/)

**Module 02: Ethical Hacking Fundamentals**

- Cyber Kill Chain Methodology

- The cyber kill chain methodology is a component of
intelligence-driven defense for the identification and
prevention of malicious intrusion activities

- It helps security professionals to understand the adversary's
tactics, techniques, and procedures beforehand

- Reconnaissance

- Gather data on the target to probe for weak points

- Activities of the adversary include the following:

- Gathering information about the target organization
by searching the Internet or through social
engineering

- Performing analysis of various online activities and
publicly available information

- Gathering information from social networking sites
and web services

- Obtaining information about websites visited

- Monitoring and analyzing the target organization's
website

- Performing Whois, DNS, and network footprinting

- Performing scanning to identify open ports and
services

- Weaponization

- Create a deliverable malicious payload using an exploit
and a backdoor

- The following are the activities of the adversary:

- Identifying appropriate malware payload based on the
analysis

- Creating a new malware payload or selecting,
reusing, modifying the available malware payloads
based on the identified vulnerability

- Creating a phishing email campaign

- Leveraging exploit kits and botnets

- Delivery

- Send weaponized bundle to the victim using email, USB,
etc.

- The following are the activities of the adversary:

- Sending phishing emails to employees of the target
organization

- Distributing USB drives containing malicious payload
to employees of the target organization

- Performing attacks such as watering hole on the
compromised website

- Implementing various hacking tools against the
operating systems, applications, and servers of the
target organization

- Exploitation

- Exploit a vulnerability by executing code on the
victim's system

- Exploiting software or hardware vulnerabilities to gain
remote access to the target system

- Installation

- Install malware on the target system

- The following are the activities of the adversary:

- Downloading and installing malicious software such
as backdoors

- Gaining remote access to the target system

- Leveraging various methods to keep backdoor hidden
and running

- Maintaining access to the target system

- Command and Control

- Create a command and control channel to communicate and
pass data back and forth

- The following are the activities of the adversary:

- Establishing a two-way communication channel between
the victim's system and the adversary-controlled
server

- Leveraging channels such as web traffic, email
communication, and DNS messages

- Applying privilege escalation techniques

- Hiding any evidence of compromise using techniques
such as encryption

- Actions on Objectives

- Perform actions to achieve intended objectives/goals

- Tactics, Techniques, and Procedures (TTPs)

- The term Tactics, Techniques, and Procedures (TTPs) refers
to the patterns of activities and methods associated with
specific threat actors or groups of threat actors

- Tactics are the guidelines that describe the way an attacker
performs the attack from beginning to the end

- Techniques are the technical methods used by an attacker to
achieve intermediate results during the attack

- Procedures are organizational approaches that threat actors
follow to launch an attack

- Adversary Behavioral Identification

- Adversary behavioral identification involves the
identification of the common methods or techniques followed
by an adversary to launch attacks on or to penetrate an
organization's network

- It gives the security professionals insight into upcoming
threats and exploits

- Adversary Behaviors

- Internal Reconnaissance

- Use of PowerShell

- Unspecified Proxy Activities

- Use of Command-Line Interface

- HTTP User Agent

- Command and Control Server

- Use of DNS Tunneling

- Use of Web Shell

- Data Staging

- Indicators of Compromise (IoCs)

- Indicators of Compromise (IoCs) are the clues, artifacts,
and pieces of forensic data found on the network or
operating system of an organization that indicate a
potential intrusion or malicious activity in the
organization's infrastructure

- IoCs act as a good source of information regarding the
threats that serve as data points in the intelligence
process

- Security professionals need to perform continuous monitoring
of IoCs to effectively and efficiently detect and respond to
evolving cyber threats

- Categories of Indicators of Compromise

- Understanding IoCs helps security professionals to quickly
detect the threats against the organization and protect the
organization from evolving threats

- For this purpose, IoCs are divided into four categories:

- Email Indicators

- Used to send malicious data to the target
organization or individual

- Examples include the sender's email address, email
subject, and attachments or links

- Network Indicators

- Useful for command and control, malware delivery,
identifying the operating system, and other tasks

- Examples include URLs, domain names, and IP
addresses

- Host-Based Indicators

- Found by performing an analysis of the infected
system within the organizational network

- Examples include filenames, file hashes, registry
keys, DLLs, and mutex

- Behavioral Indicators

- Used to identify specific behavior related to
malicious activities

- Examples include document executing PowerShell
script, and remote command execution

- Listed below are some of the key Indicators of Compromise
(IoCs):

- Unusual outbound network traffic

- Unusual activity through a privileged user account

- Illegitimate files and software

- Geographical anomalies

- Multiple login failures

- Increased database read volume

- Large HTML response size

- Multiple requests for the same file

- Mismatched port-application traffic

- Unusual usage of ports and protocols

- Suspicious registry or system file changes

- Unusual DNS requests

- Malicious emails

- Unexpected patching of systems

- Signs of Distributed Denial-of-Service (DDoS) activity

- Service interruption and the defacement

- Bundles of data in the wrong places

- Web traffic with superhuman behavior

- A drastic increase in bandwidth usage

- Malicious hardware

- Hacking Concepts and Hacker Classes

- What is Hacking?

- Hacking refers to exploiting system vulnerabilities and
compromising security controls to gain unauthorized or
inappropriate access to a system's resources

- It involves modifying system or application features to
achieve a goal outside of the creator's original purpose

- Hacking can be used to steal and redistribute intellectual
property, leading to business loss

- Who is a Hacker?

- An intelligent individual with excellent computer skills who
can create and explore computer software and hardware

- For some hackers, hacking is a hobby to see how many
computers or networks they can compromise

- Some hackers' intentions can either be to gain knowledge or
to probe and do illegal things

- Some hack with malicious intent such as to steal business
data, credit card information, social security numbers,
email passwords, and other sensitive data

- Hacker Classes/Threat Actors

- Black Hats

- Individuals with extraordinary computing skills; they
resort to malicious or destructive activities and are
also known as crackers

- White Hats

- Individuals who use their professed hacking skills for
defensive purposes and are also known as security
analysts

- Gray Hats

- Individuals who work both offensively and defensively at
various times

- Suicide Hackers

- Individuals who aim to bring down the critical
infrastructure for a \"cause\" and are not worried about
facing jail terms or any other kind of punishment

- Script Kiddies

- An unskilled hacker who compromises a system by running
scripts, tools, and software that were developed by real
hackers

- Cyber Terrorists

- Individuals with a wide range of skills who are
motivated by religious or political beliefs to create
the fear through the large-scale disruption of computer
networks

- State-Sponsored Hackers

- Individuals employed by the government to penetrate and
gain top-secret information from, and damage the
information systems of other governments

- Hacktivist

- Individuals who promote a political agenda by hacking,
especially by using hacking to deface or disable website

- Hacker Teams

- A consortium of skilled hackers having their own
resources and funding. They work together in synergy for
researching the state-ofthe- art technologies

- Industrial Spies

- Individuals who perform corporate espionage by illegally
spying on competitor organizations and focus on stealing
information such as blueprints and formulas

- Insider

- Any employee (trusted person) who has access to critical
assets of an organization. They use privileged access to
violate rules or intentionally cause harm to the
organization's information system

- Criminal Syndicates

- Groups of individuals that are involved in organized,
planned, and prolonged criminal activities. They
illegally embezzle money by performing sophisticated
cyberattacks

- Organized Hackers

- Miscreants or hardened criminals who use rented devices
or botnets to perform various cyber-attacks to pilfer
money from victims

- Different Phases of Hacking Cycle

- Hacking Phases

- Reconnaissance

- Scanning

- Gaining Access

- Maintaining Access

- Clearing Tracks

- Hacking Phase: Reconnaissance

- Reconnaissance refers to the preparatory phase where an
attacker seeks to gather information about a target prior to
launching an attack

- Reconnaissance Types

- Passive Reconnaissance

- Involves acquiring information without directly
interacting with the target

- For example, searching public records or news
releases

- Active Reconnaissance

- Involves directly interacting with the target by any
means

- For example, telephone calls to the target's help
desk or technical department

- Hacking Phase: Scanning

- Scanning refers to the pre-attack phase when the attacker
scans the network for specific information based on
information gathered during reconnaissance

- Scanning can include the use of dialers, port scanners,
network mappers, ping tools, and vulnerability scanners

- Attackers extract information such as live machines, port,
port status, OS details, device type, and system uptime to
launch attack

- Hacking Phase: Gaining Access

- Gaining access refers to the point where the attacker
obtains access to the operating system or applications on
the target computer or network

- The attacker can gain access at the operating system,
application, or network levels

- The attacker can escalate privileges to obtain complete
control of the system

- Examples include password cracking, buffer overflows, denial
of service, and session hijacking

- Hacking Phase: Maintaining Access

- Maintaining access refers to the phase when the attacker
tries to retain their ownership of the system

- Attackers may prevent the system from being owned by other
attackers by securing their exclusive access with backdoors,
rootkits, or Trojans

- Attackers can upload, download, or manipulate data,
applications, and configurations on the owned system

- Attackers use the compromised system to launch further
attacks

- Hacking Phase: Clearing Tracks

- Clearing tracks refers to the activities carried out by an
attacker to hide malicious acts

- The attacker's intentions include obtaining continuing
access to the victim's system, remaining unnoticed and
uncaught, and deleting evidence that might lead to their
prosecution

- The attacker overwrites the server, system, and application
logs to avoid suspicion

- Ethical Hacking Concepts, Scope, and Limitations

- What is Ethical Hacking?

- Ethical hacking involves the use of hacking tools, tricks,
and techniques to identify vulnerabilities and ensure system
security

- It focuses on simulating the techniques used by attackers to
verify the existence of exploitable vulnerabilities in a
system's security

- Ethical hackers perform security assessments for an
organization with the permission of concerned authorities

- Consider the following definitions:

- The noun "hacker" refers to a person who enjoys learning
the details of computer systems and stretching their
capabilities.

- The verb "to hack" describes the rapid development of
new programs or the reverse engineering of existing
software to make it better or more efficient in new and
innovative ways.

- The terms "cracker" and "attacker" refer to persons who
employ their hacking skills for offensive purposes.

- The term "ethical hacker" refers to security
professionals who employ their hacking skills for
defensive purposes.

- Why Ethical Hacking is Necessary

- To beat a hacker, you need to think like one!

- Ethical hacking is necessary as it allows for counter
attacks against malicious hackers through anticipating the
methods used to break into the system

- Reasons why organizations recruit ethical hackers

- To prevent hackers from gaining access to the
organization's information systems

- To uncover vulnerabilities in systems and explore their
potential as a security risk

- To analyze and strengthen an organization's security
posture

- To provide adequate preventive measures in order to
avoid security breaches

- To help safeguard customer data

- To enhance security awareness at all levels in a
business

- Ethical Hackers Try to Answer the Following Questions

- What can an intruder see on the target system?
(Reconnaissance and Scanning phases)

- What can an intruder do with that information? (Gaining
Access and Maintaining Access phases)

- Does anyone at the target organization notice the
intruders' attempts or successes? (Reconnaissance and
Covering Tracks phases)

- Are all components of the information system adequately
protected, updated, and patched?

- How much time, effort, and money are required to obtain
adequate protection?

- Are the information security measures in compliance with
legal and industry standards?

- Scope and Limitations of Ethical Hacking

- Scope

- Ethical hacking is a crucial component of risk
assessment, auditing, counter fraud, and information
systems security best practices

- It is used to identify risks and highlight remedial
actions. It also reduces ICT costs by resolving
vulnerabilities

- Limitations

- Unless the businesses already know what they are looking
for and why they are hiring an outside vendor to hack
systems in the first place, chances are there would not
be much to gain from the experience

- An ethical hacker can only help the organization to
better understand its security system; it is up to the
organization to place the right safeguards on the
network

- Skills of an Ethical Hacker

- Technical Skills

- In-depth knowledge of major operating environments, such
as Windows, Unix, Linux, and Macintosh

- In-depth knowledge of networking concepts, technologies,
and related hardware and software

- A computer expert adept at technical domains

- The knowledge of security areas and related issues

- High technical knowledge of how to launch sophisticated
attacks

- Non-Technical Skills

- The ability to quickly learn and adapt new technologies

- A strong work ethic and good problem solving and
communication skills

- Commitment to an organization's security policies

- An awareness of local standards and laws

- Ethical Hacking Tools

- Reconnaissance Using Advanced Google Hacking Techniques

- Google hacking refers to the use of advanced Google search
operators for creating complex search queries to extract
sensitive or hidden information that helps attackers find
vulnerable targets

- Popular Google advanced search
operators [http://www.googleguide.com](http://www.googleguide.com/)

- \[cache:\] Displays the web pages stored in the Google
cache

- \[link:\] Lists web pages that have links to the
specified web page

- \[related:\] Lists web pages that are similar to the
specified web page

- \[info:\] Presents some information that Google has
about a particular web page

- \[site:\] Restricts the results to those websites in the
given domain

- \[allintitle:\] Restricts the results to those websites
containing all the search keywords in the title

- \[intitle:\] Restricts the results to documents
containing the search keyword in the title

- \[allinurl:\] Restricts the results to those containing
all the search keywords in the URL

- \[inurl:\] Restricts the results to documents containing
the search keyword in the URL

- \[location:\] Finds information for a specific location

- Reconnaissance Tools

- Web Data
Extractor [http://www.webextractor.com](http://www.webextractor.com/)

- It extracts targeted contact data (email, phone, and
fax) from the website, extracts the URL and meta tags
(title, description, keyword) for website promotion, and
so on

- Whois Lookup

- [https://whois.domaintools.com](https://whois.domaintools.com/)

- [https://www.tamos.com](https://www.tamos.com/)

- IMCP Traceroute

- TCP Traceroute

- UDP Traceroute

- Scanning Tools

- Nmap [https://nmap.org](https://nmap.org/)

- Use Nmap to extract information such as live hosts on
the network, open ports, services (application name and
version), types of packet filters/ firewalls, as well as
operating systems and versions used

- MegaPing [http://www.magnetosoft.com](http://www.magnetosoft.com/)

- Includes scanners such as Comprehensive Security
Scanner, Port scanner (TCP and UDP ports), IP scanner,
NetBIOS scanner, and Share Scanner

- Unicornscan

- In Unicornscan, the OS of the target machine can be
identified by observing the TTL values in the acquired
scan result

- Hping2/Hping3 [http://www.hping.org](http://www.hping.org/)

- NetScanTools
Pro [https://www.netscantools.com](https://www.netscantools.com/)

- SolarWinds Port
Scanner [https://www.solarwinds.com](https://www.solarwinds.com/)

- PRTG Network
Monitor [https://www.paessler.com](https://www.paessler.com/)

- OmniPeek Network Protocol
Analyzer [https://www.liveaction.com](https://www.liveaction.com/)

- Enumeration Tools

- Nbtstat
Utility [https://docs.microsoft.com](https://docs.microsoft.com/)

- The nbtstat utility in Windows displays NetBIOS over
TCP/IP (NetBT) protocol statistics, NetBIOS name tables
for both the local and remote computers, and the NetBIOS
name cache

- nbtstat \[-a RemoteName\] \[-A IP Address\] \[-c\]
\[-n\] \[-r\] \[-R\] \[-RR\] \[-s\] \[-S\] \[Interval\]

- NetBIOS
Enumerator [http://nbtenum.sourceforge.net](http://nbtenum.sourceforge.net/)

- NetBIOS Enumerator helps to enumerate details, such as
NetBIOS names, Usernames, Domain names, and MAC
addresses, for a given range of IP addresses

- Other NetBIOS Enumeration Tools:

- Global Network
Inventory [http://www.magnetosoft.com](http://www.magnetosoft.com/)

- Advanced IP
Scanner [https://www.advancedip-scanner.com](https://www.advancedip-scanner.com/)

- Hyena [https://www.systemtools.com](https://www.systemtools.com/)

- Nsauditor Network Security
Auditor [https://www.nsauditor.com](https://www.nsauditor.com/)

**Module 03: Information Security Threats and Vulnerability Assessment**

- Threat and Threat Sources

- What is a Threat?

- A threat is the potential occurrence of an undesirable event
that can eventually damage and disrupt the operational and
functional activities of an organization

- Attackers use cyber threats to infiltrate and steal data
such as individual's personal information, financial
information, and login credentials

- Examples of Threats

- An attacker stealing sensitive data of an organization

- An attacker causing a server to shut down

- An attacker tricking an employee into revealing
sensitive information

- An attacker infecting a system with malware

- An attacker spoofing the identity of an authorized
person to gain access

- An attacker modifying or tampering with the data
transferred over a network

- An attacker remotely altering the data in a database
server

- An attacker performing URL redirection or URL forwarding

- An attacker performing privilege escalation for
unauthorized access

- An attacker executing denial-of-service (DoS) attacks
for making resources unavailable

- An attacker eavesdropping on a communication channel
without authorized access

- Threat Sources

- Natural

- Fires

- Floods

- Power failures

- Unintentional

- Unskilled administrators

- Accidents

- Lazy or untrained employees

- Intentional

- Internal

- Fired employee

- Disgruntled employee

- Service providers

- Contractors

- External

- Hackers

- Criminals

- Terrorists

- Foreign intelligence agents

- Corporate raiders

- Malware and its Types

- Malware is malicious software that damages or disables computer
systems and gives limited or full control of the systems to the
malware creator for the purpose of theft or fraud

- Malware programmers develop and use malware to:

- Attack browsers and track websites visited

- Slow down systems and degrade system performance

- Cause hardware failure, rendering computers inoperable

- Steal personal information, including contacts

- Erase valuable information, resulting in substantial data
loss

- Attack additional computer systems directly from a
compromised system

- Spam inboxes with advertising emails

- Different Ways for Malware to Enter a System

- Instant Messenger applications

- Portable hardware media/removable devices

- Browser and email software bugs

- Untrusted sites and freeware web applications/ software

- Downloading files from the Internet

- Email attachments

- Installation by other malware

- Bluetooth and wireless networks

- Common Techniques Attackers Use to Distribute Malware on the
Web. Security Threat Report
([https://www.sophos.com](https://www.sophos.com/))

- Black hat Search Engine Optimization (SEO)

- Ranking malware pages highly in search results

- Social Engineered Click-jacking

- Tricking users into clicking on innocent-looking
webpages

- Spear-phishing Sites

- Mimicking legitimate institutions in an attempt to steal
login credentials

- Malvertising

- Embedding malware in ad-networks that display across
hundreds of legitimate, high-traffic sites

- Compromised Legitimate Websites

- Hosting embedded malware that spreads to unsuspecting
visitors

- Drive-by Downloads

- Exploiting flaws in browser software to install malware
just by visiting a web page

- Spam Emails

- Attaching the malware to emails and tricking victims to
click the attachment

- Components of Malware

- The components of a malware software depend on the
requirements of the malware author who designs it for a
specific target to perform intended tasks

- Crypter: Software that protects malware from undergoing
reverse engineering or analysis

- Downloader: A type of Trojan that downloads other
malware from the Internet on to the PC

- Dropper: A type of Trojan that covertly installs other
malware files on to the system

- Exploit: A malicious code that breaches the system
security via software vulnerabilities to access
information or install malware

- Injector: A program that injects its code into other
vulnerable running processes and changes how they
execute to hide or prevent its removal

- Obfuscator: A program that conceals its code and
intended purpose via various techniques, and thus, makes
it hard for security mechanisms to detect or remove it

- Packer: A program that allows all files to bundle
together into a single executable file via compression
to bypass security software detection

- Payload: A piece of software that allows control over a
computer system after it has been exploited

- Malicious Code: A command that defines malware's basic
functionalities such as stealing data and creating
backdoors

- Types of Malware

- Trojans

- Viruses

- Ransomware

- Computer Worms

- Rootkits

- PUAs or Grayware

- Spyware

- Keylogger

- Botnets

- Fileless Malware

- What is a Trojan?

- It is a program in which the malicious or harmful code is
contained inside an apparently harmless program or data,
which can later gain control and cause damage

- Trojans get activated when a user performs certain
predefined actions

- Trojans create a covert communication channel between the
victim computer and the attacker for transferring sensitive
data

- Indications of Trojan Attack

- The computer screen blinks, flips upside-down, or is
inverted so that everything is displayed backward

- The default background or wallpaper settings change
automatically

- Web pages suddenly open without input from the user

- The color settings of the operating system (OS) change
automatically

- Antivirus programs are automatically disabled

- Pop-ups with bizarre messages suddenly appear

- How Hackers Use Trojans

- Delete or replace critical operating system files

- Record screenshots, audio, and video of victim's PC

- Use victim's PC for spamming and blasting email messages

- Download spyware, adware, and malicious files

- Disable firewalls and antivirus

- Create backdoors to gain remote access

- Steal personal information such as passwords, security
codes, and credit card information

- Encrypt the data and lock out the victim from accessing the
machine

- Common Ports used by Trojans

- Types of Trojans

- Remote Access Trojans

- Backdoor Trojans

- Botnet Trojans

- Rootkit Trojans

- E-Banking Trojans

- Point-of-Sale Trojans

- Defacement Trojans

- Service Protocol Trojans

- Mobile Trojans

- IoT Trojans

- Security Software Disabler Trojans

- Destructive Trojans

- DDoS Attack Trojans

- Command Shell Trojans

- Creating a Trojan

- Trojan Horse construction kits help attackers to construct
Trojan horses of their choice

- The tools in these kits can be dangerous and can backfire if
not properly executed

- Trojan Horse Construction Kits

- DarkHorse Trojan Virus Maker

- Trojan Horse Construction Kit

- Senna Spy Trojan Generator

- Batch Trojan Generator

- Umbra Loader - Botnet Trojan Maker

- Theef RAT Trojan

- Theef is a Remote Access Trojan written in Delphi.
It allows remote attackers access to the system via
port 9871

- What is a Virus?

- A virus is a self-replicating program that produces its own
copy by attaching itself to another program, computer boot
sector or document

- Viruses are generally transmitted through file downloads,
infected disk/flash drives, and as email attachments

- Characteristics of Viruses

- Infect other programs

- Transform themselves

- Encrypt themselves

- Alter data

- Corrupt files and programs

- Self-replicate

- Purpose of Creating Viruses

- Inflict damage on competitors

- Realize financial benefits

- Vandalize intellectual property

- Play pranks

- Conduct research

- Engage in cyber-terrorism

- Distribute political messages

- Damage networks or computers

- Gain remote access to a victim\'s computer

- Indications of Virus Attack

- Processes require more resources and time, resulting in
degraded performance

- Computer beeps with no display

- Drive label changes and OS does not load

- Constant antivirus alerts

- Computer freezes frequently or encounters an error such as
BSOD

- Files and folders are missing

- Suspicious hard drive activity

- Browser window "freezes"

- Stages of Virus Lifecycle

- Design: Development of virus code using programming
languages or construction kits.

- Replication: The virus replicates for a period within the
target system and then spreads itself.

- Launch: The virus is activated when the user performs
specific actions such as running an infected program.

- Detection: The virus is identified as a threat infecting
target system.

- Incorporation: Antivirus software developers assimilate
defenses against the virus.

- Execution of the damage routine: Users install antivirus
updates and eliminate the virus threats.

- How does a Computer Get Infected by Viruses?

- When a user accepts files and downloads without properly
checking the source

- Opening infected e-mail attachments

- Installing pirated software

- Not updating and not installing new versions of plug-ins

- Not running the latest antivirus application

- Clicking malicious online ads

- Using portable media

- Connecting to untrusted networks

- Types of Viruses

- System or Boot Sector Virus

- File and Multipartite Virus

- Macro and Cluster Virus

- Stealth/Tunneling Virus

- Encryption Virus

- Sparse Infector Virus

- Polymorphic Virus

- Metamorphic Virus

- Overwriting File or Cavity Virus

- Companion/Camouflage Virus

- Shell and File Extension Virus

- FAT and Logic Bomb Virus

- Web Scripting Virus

- Email and Armored Virus

- Add-on and Intrusive Virus

- Direct Action or Transient Virus

- Terminate & Stay Resident Virus

- Creating a Virus

- A virus can be created in two different ways:

- Writing a Virus Program

- Using Virus Maker Tools

- DELmE's Batch Virus Maker

- Bhavesh Virus Maker SKW

- Deadly Virus Maker

- SonicBat Batch Virus Maker

- TeraBIT Virus Maker

- Andreinick05\'s Batch Virus Maker

- Ransomware

- A type of malware that restricts access to the computer
system's files and folders

- Demands an online ransom payment to the malware creator(s)
to remove the restrictions

- Dharma

- Dharma is a dreadful ransomware that attacks victims
through email campaigns; the ransom notes ask the
victims to contact the threat actors via a provided
email address and pay in bitcoins for the decryption
service

- eCh0raix

- SamSam

- WannaCry

- Petya and NotPetya

- GandCrab

- MegaCortex

- LockerGoga

- NamPoHyu

- Ryuk

- Cryptgh0st

- Ransomware Families

- Cerber

- CTB-Locker

- Sodinokibi

- BitPaymer

- CryptXXX

- Cryptorbit ransomware

- Crypto Locker Ransomware

- Crypto Defense Ransomware

- Crypto Wall Ransomware

- Computer Worms

- Malicious programs that independently replicate, execute,
and spread across the network connections

- Consume available computing resources without human
interaction

- Attackers use worm payloads to install backdoors in infected
computers

- Monero

- Bondat

- Beapy

- How is a Worm Different from a Virus?

- A Worm Replicates on its own

- A worm is a special type of malware that can replicate
itself and use memory but cannot attach itself to other
programs

- A Worm Spreads through the Infected Network

- A worm takes advantage of file or information transport
features on computer systems and automatically spreads
through the infected network, but a virus does not

- Worm Makers

- Internet Worm Maker Thing

- Internet Worm Maker Thing is an open-source tool used to
create worms that can infect victim\'s drives, files,
show messages, and disable antivirus software

- Some additional worm makers are as follows:

- Batch Worm Generator

- C++ Worm Generator

- Rootkits

- Rootkits are programs that hide their presence as well as
attacker's malicious activities, granting them full access
to the server or host at that time, and in the future

- Rootkits replace certain operating system calls and
utilities with their own modified versions of those routines
that, in turn, undermine the security of the target system
causing malicious functions to be executed

- A typical rootkit comprises of backdoor programs, DDoS
programs, packet sniffers, log-wiping utilities, IRC bots,
etc.

- The attacker places a rootkit by:

- Scanning for vulnerable computers and servers on the web

- Wrapping it in a special package like a game

- Installing it on public computers or corporate computers
through social engineering

- Launching a zero-day attack (privilege escalation,
buffer overflow, Windows kernel exploitation, etc.)

- Objectives of a rootkit:

- To root the host system and gain remote backdoor access

- To mask attacker tracks and presence of malicious
applications or processes

- To gather sensitive data, network traffic, etc. from the
system to which attackers might be restricted or possess
no access

- To store other malicious programs on the system and act
as a server resource for bot updates

- Potentially Unwanted Application or Applications (PUAs)

- Also known as grayware or junkware, are potentially harmful
applications that may pose severe risks to the security and
privacy of data stored in the system where they are
installed

- Installed when downloading and installing freeware using a
third-party installer or when accepting a misleading license
agreement

- Covertly monitor and alter the data or settings in the
system, similarly to other malware

- Types of PUAs

- Adware

- Torrent

- Marketing

- Cryptomining

- Dialers

- Adware

- A software or a program that supports advertisements and
generates unsolicited ads and pop-ups

- Tracks the cookies and user browsing patterns for marketing
purposes and collects user data

- Consumes additional bandwidth, and exhausts CPU resources
and memory

- Indications of Adware

- Frequent system lag

- Inundated advertisements

- Incessant system crash

- Disparity in the default browser homepage

- Presence of new toolbar or browser add-ons

- Slow Internet

- Spyware

- A stealthy program that records the user\'s interaction with
the computer and the Internet without the user\'s knowledge
and sends the information to the remote attackers

- Hides its process, files, and other objects in order to
avoid detection and removal

- Spyware Propagation

- Drive-by download

- Masquerading as anti-spyware

- Web browser vulnerability exploits

- Piggybacked software installation

- Browser add-ons

- Cookies

- What Does the Spyware Do?

- Steals users' personal information and sends it to a
remote server or hijacker

- Monitors users' online activity

- Displays annoying pop-ups

- Redirects a web browser to advertising sites

- Changes the browser's default settings

- Changes firewall settings

- Keylogger

- Keystroke loggers are programs or hardware devices that
monitor each keystroke as the user types on a keyboard, logs
onto a file, or transmits them to a remote location

- It allows the attacker to gather confidential information
about the victim such as email ID, passwords, banking
details, chat room activity, IRC, and instant messages

- What a Keylogger can Do?

- Record every keystroke typed on the user's keyboard

- Capture screenshots at regular intervals, showing user
activity such as typed characters or clicked mouse
buttons

- Track the activities of users by logging Window titles,
names of launched applications, and other information

- Monitor the online activity of users by recording
addresses of the websites visited and with keywords
entered

- Record all login names, bank and credit card numbers,
and passwords, including hidden passwords or data
displayed in asterisks or blank spaces

- Record online chat conversations

- Make unauthorized copies of both outgoing and incoming
email messages

- Botnets

- A Botnet is a collection of compromised computers connected
to the Internet to perform a distributed task

- Attackers distribute malicious software that turns a user's
computer into a bot

- Bot refers to a program or an infected system that performs
repetitive work or acts as an agent or as a user interface
to control other programs

- Why Attackers use Botnets?

- Perform DDoS attacks, which consume the bandwidth of the
victim's computers

- Use sniffer to steal information from one botnet and use
it against another botnet

- Perform keylogging to harvest account login information
for services

- Use to spread new bots

- Perpetrate a "click fraud" by automating clicks

- Perform mass identity theft

- Fileless Malware

- Fileless malware, also known as non-malware, infects
legitimate software, applications, and other protocols
existing in the system to perform various malicious
activities

- Leverages any existing vulnerabilities to infect the system

- Resides in the system's RAM

- Injects malicious code into the running processes such as
Microsoft Word, Flash, Adobe PDF Reader, Javascript, and
PowerShell

- Reasons for Using Fileless Malware in Cyber Attacks

- Stealthy in nature

- Exploits legitimate system tools

- Living-off-the-land

- Exploits default system tools

- Trustworthy

- Uses tools that are frequently used and trusted

- Fileless Propagation Techniques

- Phishing emails

- Legitimate applications

- Native applications

- Infection through lateral movement

- Malicious websites

- Registry manipulation

- Memory code injection

- Script-based injection

- Malware Countermeasures

- Trojan Countermeasures

- Avoid opening email attachments received from unknown
senders

- Block all unnecessary ports at the host and use a
firewall

- Avoid accepting programs transferred by instant
messaging

- Harden weak default configuration settings and disable
unused functionality, including protocols and services

- Monitor the internal network traffic for odd ports or
encrypted traffic

- Avoid downloading and executing applications from
untrusted sources

- Install patches and security updates for the OS and
applications

- Scan external USB drives and DVDs with antivirus
software before using them

- Restrict permissions within the desktop environment to
prevent installation of malicious applications

- Avoid typing commands blindly and implementing
pre-fabricated programs or scripts

- Manage local workstation file integrity through
checksums, auditing, and port scanning

- Run host-based antivirus, firewall, and intrusion
detection software

- Virus and Worm Countermeasures

- Install antivirus software that detects and removes
infections as they appear

- Pay attention to the instructions while downloading
files or programs from the Internet

- Regularly update antivirus software

- Avoid opening attachments received from unknown senders,
as viruses spread via email attachments

- Since virus infections can corrupt data, ensure that you
perform regular data backups

- Schedule regular scans for all drives after the
installation of antivirus software

- Do not accept disks or programs without checking them
first using a current version of an antivirus program

- Do not boot the machine with an infected bootable system
disk

- Stay informed about the latest virus threats

- Check DVDs for virus infection

- Ensure that pop-up blockers are turned on and use an
Internet firewall

- Perform disk clean-up and run a registry scanner once a
week

- Run anti-spyware or anti-adware once a week

- Do not open files with more than one file-type extension

- Be cautious with files sent through instant messenger
applications

- Rootkit Countermeasures

- Reinstall OS/applications from a trusted source after
backing up critical data

- Maintain well-documented automated installation
procedures

- Perform kernel memory dump analysis to determine the
presence of rootkits

- Harden the workstation or server against the attack

- Do not download any files/programs from untrusted
sources

- Install network and host-based firewalls and frequently
check for updates

- Ensure the availability of trusted restoration media

- Update and patch OSs, applications, and firmware

- Regularly verify the integrity of system files using
cryptographically strong digital fingerprint
technologies

- Regularly update antivirus and anti-spyware software

- Keep anti-malware signatures up to date

- Avoid logging into an account with administrative
privileges

- Adhere to the least privilege principle

- Ensure that the chosen antivirus software possesses
rootkit protection

- Do not install unnecessary applications, and disable the
features and services not in use

- Refrain from engaging in dangerous activities on the
Internet

- Close any unused ports

- Periodically scan the local system using host-based
security scanners

- Increase the security of the system using two-step or
multi-step authentication, so that an attacker will not
gain root access to the system to install rootkits

- Never read emails, browse websites, or open documents
while handling an active session with a remote server

- Spyware Countermeasures

- Try to avoid using any computer system that you do not
have a complete control over.

- Never adjust your Internet security setting level too
low because it provides many chances for spyware to be
installed on your computer. Therefore, always set your
Internet browser security settings to either high or
medium to protect your computer from spyware.

- Do not open suspicious emails and file attachments
received from unknown senders. There is a high
likelihood that you will allow a virus, freeware, or
spyware onto the computer. Do not open unknown websites
linked in spam mail messages, retrieved by search
engines, or displayed in pop-up windows because they may
mislead you into downloading spyware.

- Enable a firewall to enhance the security level of your
computer.

- Regularly update the software and use a firewall with
outbound protection.

- Regularly check Task Manager and MS Configuration
Manager reports.

- Regularly update virus definition files and scan the
system for spyware.

- Install anti-spyware software. Anti-spyware is the first
line of defense against spyware. This software prevents
spyware from installing on your system. It periodically
scans and protects your system from spyware.

- Keep your OS up to date.

- Windows users should periodically perform a Windows
or Microsoft update.

- For users of other OSs or software products, refer
to the information given by the OS vendors, and take
essential steps against any vulnerability
identified.

- Perform web surfing safely and download cautiously.

- Before downloading any software, ensure that it is
from a trusted website. Read the license agreement,
security warning, and privacy statements associated
with the software thoroughly to gain a clear
understanding before downloading it.

- Before downloading freeware or shareware from a
website, ensure that the site is safe. Likewise, be
cautious with software programs obtained through P2P
fileswapping software. Before installing such
programs, perform a scan using antispyware software.

- Do not use administrative mode unless it is necessary,
because it may execute malicious programs such as
spyware in administrator mode. Consequently, attackers
may take complete control of your system.

- Do not download free music files, screensavers, or
emoticons from the Internet because when you do, there
is a possibility that are downloading spyware along with
them.

- Beware of pop-up windows or web pages. Never click
anywhere on the windows that display messages such as
"your computer may be infected," or claim that they can
help your computer to run faster. If you click on such
windows, your system may become infected with spyware.

- Carefully read all disclosures, including the license
agreement and privacy statement, before installing any
application.

- Do not store personal or financial information on any
computer system that is not totally under your control,
such as in an Internet café.

- PUAs/Adware Countermeasures

- Always use whitelisted, trusted, and authorized software
vendors and websites for downloading software.

- Always read the end-user license agreement (EULA) and
any other terms and conditions before installing any
program.

- Always turn on the option to detect PUAs in the OS or
antivirus software.

- Regularly update the OS and antivirus software to detect
and patch the latest PUAs.

- Uncheck unnecessary options while performing software
setup to prevent the automatic installation of PUAs.

- Avoid installing programs through the "express method"
or "recommended method" and instead choose custom
installation.

- Be vigilant towards social engineering techniques and
phishing attacks to avert the download of PUAs.

- Install trusted antivirus, anti-adware, or ad-blocker
software to detect and block adware and other malicious
programs.

- Use paid software versions and avoid downloading
freeware and other shareware programs provided by
third-party vendors.

- Employ a firewall to filter data transmission and to
send only authorized and trusted content.

- Carefully examine URLs and email addresses, and avoid
clicking on suspicious links.

- Take time to research and read online reviews before
downloading any software or plug-in.

- Attempt to search for the software in a search engine,
instead of clicking on ads redirecting to software
download.

- Keylogger Countermeasures

- Use pop-up blockers and avoid opening junk emails.

- Install anti-spyware/antivirus programs and keep the
signatures up to date.

- Install professional firewall software and
anti-keylogging software.

- Recognize phishing emails and delete them.

- Regularly update and patch system software.

- Do not click on links in unsolicited or dubious emails
that may direct you to malicious sites.

- Use keystroke interference software that insert
randomized characters into every keystroke.

- Antivirus and anti-spyware software can detect any
installed software, but it is better to detect these
programs before installation. Scan the files thoroughly
before installing them onto the computer and use a
registry editor or process explorer to check for
keystroke loggers.

- Use the Windows on-screen keyboard accessibility utility
to enter a password or any other confidential
information. Use your mouse to enter any information
such as passwords and credit card numbers into the
fields, by using your mouse instead of typing the
passwords with the keyboard. This will ensure that your
information is confidential.

- Use an automatic form-filling password manager or a
virtual keyboard to enter usernames and passwords, as
this will avoid exposure through keyloggers. This
automatic form-filling password manager will remove the
need to type your personal, financial, or confidential
details such as credit card numbers and passwords via
the keyboard.

- Keep your hardware systems secure in a locked
environment and frequently check the keyboard cables for
attached connectors, USB port, and computer games such
as the PS2 that may have been used to install keylogger
software.

- Use software that frequently scan and monitor changes in
your system or network.

- Install a host-based IDS, which can monitor your system
and disable the installation of keyloggers.

- Use one-time password (OTP) or other authentication
mechanisms such as two-step or multi-step verification
to authenticate users.

- Enable application whitelisting to block downloading or
installing of unwanted software such as keyloggers.

- Use VPN to enable an additional layer of protection
through encryption.

- Use process-monitoring tools to detect suspicious
processes and system activities.

- Regularly patch and update software and the OS.

- Fileless Malware Countermeasures

- Remove all the administrative tools and restrict access
through Windows Group Policy or Windows AppLocker

- Disable PowerShell and WMI when not in use

- Disable macros and use only digitally signed trusted
macros

- Install whitelisting solutions such as McAfee
Application Control to block unauthorized applications
and code running on your systems

- Never enable macros in MS Office documents

- Disable PDF readers to run JavaScript automatically

- Disable Flash in the browser settings

- Implement two-factor authentication to access critical
systems or resources connected to the network

- Implement multi-layer security to detect and defend
against memory-resident malware

- Use User Behavior Analytics (UBA) solutions to detect
threats hidden within your data

- Ensure the ability to detect system tools such as
PowerShell and WMIC, and whitelisted application scripts
against malicious attacks

- Run periodic antivirus scans to detect infections and
keep the antivirus program updated

- Install browser protection tools and disable automatic
plugin downloads

- Schedule regular security checks for applications and
regularly patch the applications

- Regularly update the OS with the latest security patches

- Examine all the running programs for any malicious or
new signatures and heuristics

- Enable endpoint security with active monitoring to
protect networks when accessed remotely

- Examine the indicators of compromise on the system and
the network

- Regularly check the security logs especially when
excessive amounts of data leave the network

- Restrict admin rights and provide the least privileges
to the user level to prevent privilege escalation
attacks

- Use application control to prevent Internet browsers
from spawning script interpreters such as PowerShell and
WMIC.

- Carefully examine the changes in the system's usual
behavior patterns compared with the baselines

- Use next-generation antivirus (NGAV) software that
employs advanced technology such as ML (machine
learning) and AI (artificial intelligence) to avoid new
polymorphic malware

- Use baseline and search for known tactics, techniques,
and procedures (TTPs) used by many adversarial groups

- Ensure that you use Managed Detection and Response (MDR)
services that can perform threat hunting

- Ensure that you use tools such as Blackberry Cylance and
Microsoft Enhanced Mitigation Experience Toolkit to
combat fileless attacks

- Disable unused or unnecessary applications and service
features

- Uninstall applications that are not important

- Block all the incoming network traffic or files with the.exe format

- Vulnerabilities

- Refers to the existence of weakness in an asset that can be
exploited by threat agents

- Common Reasons behind the Existence of Vulnerability

- Hardware or software misconfiguration

- Insecure or poor design of the network and application

- Inherent technology weaknesses

- Careless approach of end users

- Vulnerability Classification

- Misconfiguration

- An application running with debug enabled

- Unnecessary administrative ports that are open for an
application

- Running outdated software on the system

- Running unnecessary services on a machine

- Outbound connections to various Internet services

- Using misconfigured SSL certificates or default
certificates

- Improperly authenticated external systems

- Incorrect folder permissions

- Default accounts or passwords

- Set up or configuration pages enabled

- Disabling security settings and features

- Default Installations

- Buffer Overflows

- Unpatched Servers

- Design Flaws

- Operating System Flaws

- Application Flaws

- Open Services

- Default Passwords

- Zero-day/Legacy Platform vulnerabilities

- Examples of Network Security Vulnerabilities

- TCP/IP protocol vulnerabilities

- HTTP, FTP, ICMP, SNMP, SMTP are inherently insecure

- Operating System vulnerabilities

- An OS can be vulnerable because:

- It is inherently insecure

- It is not patched with the latest updates

- Network Device Vulnerabilities

- Various network devices such as routers, firewall, and
switches can be vulnerable due to:

- Lack of password protection

- Lack of authentication

- Insecure routing protocols

- Firewall vulnerabilities

- User account vulnerabilities

- Originating from the insecure transmission of user
account details such as usernames and passwords,
over the network

- System account vulnerabilities

- Originating from setting of weak passwords for
system accounts

- Internet service misconfiguration

- Misconfiguring internet services can pose serious
security risks. For example, enabling JavaScript and
misconfiguring IIS, Apache, FTP, and Terminal
services, can create security vulnerabilities in the
network

- Default password and settings

- Leaving the network devices/products with their
default passwords and settings

- Network device misconfiguration

- Misconfiguring the network device

- Unwritten Policy

- Unwritten security policies are difficult to
implement and enforce

- Lack of Continuity

- Lack of continuity in implementing and enforcing the
security policy

- Politics

- Politics may cause challenges for implementation of
a consistent security policy

- Lack of awareness

- Lack of awareness of the security policy

- Impact of Vulnerabilities

- Information disclosure: A website or application may expose
system-specific information.

- Denial of service: Vulnerabilities may prevent users from
accessing website services or other resources.

- Privilege escalation: Attackers may gain elevated access to
a protected system or resources.

- Unauthorized access: Attackers may gain unauthorized access
to a system, a network, data, or an application.

- Identity theft: Attackers may be able to steal the personal
or financial information of users to commit fraud with their
identity.

- Data exfiltration: Vulnerabilities may lead to the
unauthorized retrieval and transmission of sensitive data.

- Reputational damage: Vulnerabilities may cause reputational
damage to a company's products and security. Reputational
damage has a direct impact on customers, sales, and profit.

- Financial loss: Reputational damage may lead to business
loss. Further, vulnerability exploitation may lead to
expenses for recovering damaged IT infrastructure.

- Legal consequences: If customers' personal data are
compromised, the organization may need to face legal
consequences in the form of fines and regulatory sanctions.

- Hold footprints: Vulnerabilities may allow attackers to stay
undetected even after executing an attack.

- Remote code execution: Vulnerabilities may allow the
execution of arbitrary code from remote servers.

- Malware installation: Vulnerabilities can make it easy to
infect with and spread viruses in a network.

- Data modification: Vulnerabilities may allow attackers to
intercept and alter data in transit.

- Vulnerability Research

- The process of analyzing protocols, services, and
configurations to discover vulnerabilities and design flaws
that will expose an operating system and its applications to
exploit, attack, or misuse

- Vulnerabilities are classified based on severity level (low,
medium, or high) and exploit range (local or remote)

- An administrator needs vulnerability research:

- To gather information about security trends, newly
discovered threats, attack surfaces, attack vectors and
techniques

- To find weaknesses in the OS and applications and alert
the network administrator before a network attack

- To understand information that helps prevent security
problems

- To know how to recover from a network attack

- Resources for Vulnerability Research

- Microsoft Vulnerability Research (MSVR)
([https://www.microsoft