Day 1

Cybersecurity Fundamentals
Preparation for the Security+ certification

Hemaya.org.sa

@HemayaGroup
1. Security 101

The Basics of Information Security

Nothing is ever completely or
truly secure. There is always a
way around or through any
security precaution that we
construct.

The Basics of Cyber Security
◎ Information security (also called cyber security or digital security):
The practice of protecting data and information systems from
unauthorized access, use, disclosure, disruption, modification,
corruption, and destruction.

◎ Unauthorized access:
Access to computer resources and data without the consent of
the owner. It includes approaching the system, communicating
with it, and storing or retrieving data from it.

◎ Malicious software:
Known as malware; it includes computer viruses, worms,
Trojan horses, spyware, rootkits, adware, and ransomware.

◎ Anti-malware software:
Protects a computer from the various forms of malware and,
where necessary, detects and removes them.

The CIA of Computer Security

Confidentiality: preventing the disclosure of information to
unauthorized persons.

Integrity: ensuring that data has not been tampered with.

Availability: ensuring that authorized parties are able to access
the information when needed.

The AAA of Computer Security

Authentication: the process of identifying an individual, usually
based on a username and password.

Authorization: the process of granting or denying a user access to
network resources once the user has been authenticated.

Accounting: the process of keeping track of a user's activity while
accessing the network resources.

Part 1. Threats and Attacks: Malware types

MALWARE:
Malware is software that has been designed for some nefarious purpose.

◎ Malware can do many things:

• Gather information
• Join a botnet and take orders from an attacker
• Show you advertising
• Encrypt your data
• Destroy your data or machine!
• And many other possibilities...

Malware types

◎ Viruses
◎ Ransomware
◎ Worms
◎ Trojan Horse
◎ Rootkit
◎ Keylogger
◎ Adware/Spyware
◎ Botnet
◎ Logic Bomb
◎ Crypto Miner

Viruses

A virus is a program or piece of code that runs on your computer
without your knowledge.

◎ Designed to attach itself to other code and replicate

◎ Replicates when an infected file executes or launches

Types of Viruses

• Polymorphic:
• Encrypts its body with a different key in each copy and mutates
the small decryption routine that unpacks it
• Each copy looks different, so a fixed byte signature no longer matches
• The changes are designed not to affect the functionality

• Armored:
• Uses obfuscation and anti-analysis tricks, for example fooling the
antivirus into thinking that the virus is located in a different
place from where it actually resides

• Boot sector:
• Loads into the first sector of the hard drive (the boot sector or
master boot record); when the computer boots, the virus loads into
memory before the operating system does

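To see why a fixed byte signature fails against a polymorphic body, here is an added example in Python (not code from the Hemaya slides). A harmless constructed text stands in for the virus body; each "copy" XOR-encodes it with a different one-byte key and prepends that key as a stand-in for the mutated decryptor, and the "signature" is simply a slice of the first copy's bytes. Every copy hashes differently and escapes the raw signature, but decoding the body first, which is what an emulating scanner does, finds the same content in every copy.

```python
"""Polymorphic encoding versus a fixed byte signature (added example)."""
import hashlib

# Constructed, harmless stand-in for a virus body; nothing here executes anything.
PAYLOAD = b"HARMLESS DEMO BODY: this text stands in for the real virus code"


def encode_copy(payload: bytes, key: int) -> bytes:
    """Make one polymorphic 'copy': a 1-byte key (the stand-in for the
    mutated decryptor) followed by the body XOR-encoded with that key.
    A real virus re-encodes itself with a fresh key on every infection."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in clear)")
    return bytes([key]) + bytes(b ^ key for b in payload)


def decode_copy(copy: bytes) -> bytes:
    """What the decryptor stub does at run time: recover the body."""
    key = copy[0]
    return bytes(b ^ key for b in copy[1:])


def generate_copies(payload: bytes, keys) -> list:
    return [encode_copy(payload, k) for k in keys]


def static_signature_hits(copies, signature: bytes) -> int:
    """Classic signature scan: count copies whose raw bytes contain the pattern."""
    return sum(1 for c in copies if signature in c)


def decoded_signature_hits(copies, signature: bytes) -> int:
    """Emulation-style scan: decode first, then look for the pattern."""
    return sum(1 for c in copies if signature in decode_copy(c))


def distinct_hashes(copies) -> int:
    """How many different file hashes the same body produced."""
    return len({hashlib.sha256(c).hexdigest() for c in copies})


if __name__ == "__main__":
    copies = generate_copies(PAYLOAD, [0x11, 0x22, 0x33])
    sig = copies[0][1:9]                    # a pattern extracted from the first copy
    print("distinct hashes:", distinct_hashes(copies))
    print("raw signature hits:", static_signature_hits(copies, sig))
    print("decoded hits for body text:", decoded_signature_hits(copies, b"DEMO BODY"))
```

The raw signature matches only the copy it was taken from, while the decoded scan matches all three, which is why modern scanners emulate or unpack before matching rather than relying on static patterns alone.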
Ransomware:
Malware that restricts access to a computer or its data and demands
that a ransom be paid.

• Screen-locker ransomware (often a fake ransom)
• Locks your computer "by the police"
• The ransom may be avoided
• A security professional may be able to remove it

• Crypto-malware (most new ransomware is of this kind):
Encrypts the files on a system and leaves them unusable, either
permanently (acting as a denial of service) or temporarily, until a
ransom is paid for the decryption key.

Protecting against ransomware

• Always have a backup, and keep at least one copy offline so the
malware cannot encrypt it as well
• Keep your operating system up to date
• Keep your applications up to date
• Keep your anti-virus up to date

ExamAlert
Ransomware is unique in that the attacker directly demands payment,
often through cryptocurrencies. The amount requested is often relatively
low, to ensure a higher likelihood of payment.

Worm

A worm is a piece of code that attempts to penetrate networks and
computer systems and creates a new copy of itself on each
penetrated system.

• Doesn't need you to do anything
• Self-propagates and spreads quickly
• Stuxnet is a good example

ExamAlert
Viruses are executed by some type of action, such as running a program.
Worms act like a virus but also have the ability to travel without human action.

Trojan Horse

A piece of software that appears to do one thing but hides some
other functionality.

• Must be copied and installed by the user
• Doesn't really care much about replicating
• May open the gates for other programs
• A Remote Access Trojan (RAT) is a Trojan that gives the attacker
unauthorized remote access to the target system

ExamAlert
Trojans trick users by disguising their true intent to deliver a malicious
payload. When executed, a remote access Trojan provides a remotely
accessible backdoor for an attacker to covertly monitor the system or easily
gain entry.

Rootkit

A piece of software that can be installed and hidden on a computer,
mainly to compromise the system and keep escalated privileges while
hiding from the user and from security tools.

• Modifies core system files (or the kernel itself)
• You won't see it in Task Manager
• Also invisible to traditional anti-virus running on the infected system

Finding and Removing rootkits

• Look for the unusual
• Anti-malware scans, ideally from a clean boot medium so the rootkit
is not running while you scan
• Use a remover specific to the rootkit

ExamAlert
Rootkits can be included as part of software packages, can be
installed through an unpatched vulnerability, or can be
downloaded and installed by users.

Keylogger

A keylogger is a piece of software that logs all of the keystrokes
that a user enters.

* There are also hardware keyloggers, but they need physical access to install.

• Captures web site login URLs, passwords, messages, search engine queries
• Sends them to the bad guys

Adware

Programs designed to display advertisements on your computer,
redirect your search requests to advertising websites, and collect
marketing-type data about you.

• Pop-ups
• May be bundled with other software
• May cause performance issues
• Many spy on personal information
• Can be harmful sometimes

Spyware

Software that "spies" on users, recording and reporting on their
activities. It can record keystrokes, files, passwords, etc.

• Used for advertising, identity theft, affiliate fraud
• Browser monitoring: captures surfing habits

Trojan Horse vs Spyware?

Bots and Botnet

A bot is a piece of software that performs some task under the control
of another program (the attacker's command-and-control).

• Once your machine is infected, it becomes a bot
• Sits around and waits for instructions
• A botnet is a group of bots working together
• Used for Distributed Denial of Service (DDoS)
• Botnets can be for sale or provided as a service

Logic Bomb

A piece of code that sits dormant for a period of time until some
event or date triggers its malicious payload.

• Often left by someone with a grudge (an insider)
• Difficult to identify
• Difficult to recover from if it goes off

Crypto Miner

Cryptocurrency mining malware (cryptojacking) uses the computing
resources of businesses and home users to mine cryptocurrency for
the attacker, or steals cryptocurrency wallets outright.

Backdoor

Backdoors were originally nothing more than methods used by software
developers to ensure that they could gain access to an application even
if something were to happen in the future to prevent normal access
methods.

• Today backdoors are commonly planted by a Trojan or spyware
• Some malware can take advantage of backdoors created by other malware

Time for some questions and break


Part 1. Threats and Attacks: Attack Types

Social Engineering

Social engineering is the process by which an attacker seeks to
extract useful information from users, often by simply tricking
them into helping the attacker.

• Social engineering is extremely successful because it relies on
human emotions rather than technical flaws.

ExamAlert
The best defense against social engineering is ongoing user awareness
and education.

Principles of Social Engineering
(Reasons for Effectiveness)

• Authority:
I’m calling from the help desk/office of the CEO/police.
• Intimidation
There will be bad things if you don’t help
• Consensus / social proof
Your co-worker Jill did this for me last week
• Scarcity/ Urgency
Act quickly, don’t think
• Familiarity / liking
Someone you know, we have common friends
• Trust
I’m from IT, and I’m here to help

Phishing Attacks

Phishing is an attempt to acquire sensitive information by masquerading
as a trustworthy entity via electronic communication, usually email.

Exam Alert
Phishing combines technical deceit with the elements of traditional
social engineering. Be sure to know the variants of phishing attacks.

Phishing types
Spear phishing:
A targeted version of phishing. Whereas phishing often involves mass
emailing, spear phishing goes after a specific individual or group.
Whaling:
Whaling is identical to spear phishing, except for the size of the fish.
Whaling employs spear phishing tactics but goes after high-profile
targets such as an executive within a company.
Vishing:
Also known as voice phishing. The attacker uses fake caller ID to appear
as a trusted organization and attempts to get the individual to give up
account details over the phone.
Smishing:
Also known as SMS phishing, this attack uses phishing methods through
text messaging.

The big phish

• March 19, 2016
• John Podesta, chairman of Hillary Clinton's 2016 presidential campaign
• Personal Gmail account with messages from 2007 through 2016
• Podesta used the bit.ly link in the email to "reset" his password
• It wasn't actually a Google reset link
• Every email was made available on WikiLeaks
• Don't underestimate the effects of phishing

Tailgating (Piggybacking)

Following closely behind someone who has authorized physical access
within an environment, to get through the door without credentials.

Watch for tailgating:

• Policy for visitors
• You should be able to identify anyone
• Mantrap (access control vestibule)
• Who are you and why are you here?

Impersonation

Impersonation is simply a method in which someone assumes the character
or appearance of someone else.

Protect against impersonation:

○ Always verify before revealing info
○ Call back on a known number, verify through 3rd parties

Dumpster Diving

Digging through a company's trash bins or dumpsters to gain information.

• Gather details that can be used for a different attack
• Often just after end of month or end of quarter, when more paperwork
is thrown away
• Always shred your documents
• Wipe devices before getting rid of them

Shoulder Surfing

Looking over someone's shoulder to obtain information.

• Motives range from curiosity to industrial espionage and competitive advantage
• Be careful with your password and ATM PIN
• Use privacy filters

Hoaxes

A message warning the recipients of a non-existent computer virus threat.
The message is usually a chain e-mail that tells the recipients to forward
it to everyone they know.

• Consumes lots of resources and time
• If it sounds too good (or too alarming) to be true, it probably is

Watering Hole Attacks

The attacker compromises a site that the target frequently visits.
The goal is often to compromise the larger environment.

• Suppose your network is really secure
• You didn't plug in that USB key from the parking lot
• You don't open any email attachments
• Then the attacker may use a watering hole, a trusted third-party site
you do visit, to get to you

APPLICATION/SERVICE ATTACKS

• Denial-of-service (DoS):
In a DoS attack, the attacker attempts to deny authorized users access
to the computer system or network itself. This can be accomplished by
crashing the system (taking it offline) or by sending so many requests
that the machine is overwhelmed.

DoS Attacks:

• SYN flood:
This attack takes advantage of the TCP three-way handshake. The source
system sends a flood of SYN requests, usually from spoofed addresses,
but never sends the final ACK, leaving half-open TCP sessions that fill
the server's connection table until it can accept no new clients.

DoS Attacks:
• Smurf/smurfing:
The attacker sends ICMP echo request (ping) packets to the broadcast
address of a network, replacing the original source address in the
packets with the address of the victim, so every host on that network
replies to the victim.

• Fraggle attack:
The same as Smurf but uses User Datagram Protocol (UDP) packets.

DoS Attacks:

• Ping flood:
A ping flood attempts to block service or reduce activity on a host by
sending a high volume of ping (ICMP echo) requests directly to the victim.
A variation of this type of attack is the ping of death, in which the
reassembled packet is larger than the 65,535-byte maximum allowed for an
IP packet, and a system that does not check for this crashes when it
tries to handle it.

DoS Attacks:
• Teardrop:
IP fragments are sent with overlapping or bogus offsets, so the receiving
device cannot reassemble them correctly. Older operating systems simply
crash when this occurs.

• Land attack:
A packet is sent to the victim system with the same source and destination
IP address (and port), so the victim ends up replying to itself.

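The SYN flood and Land attack slides above describe patterns that are visible in captured traffic. The following is an added example in Python (not from the Hemaya slides) that parses a few constructed packet-log lines in a hypothetical one-line-per-packet format and flags both: connections that reached SYN but never saw the client's ACK, counted per destination service because a real flood spoofs its source addresses, and packets addressed from the victim to itself.

```python
"""Spotting SYN-flood and Land-attack traffic in a packet log (added example)."""
from collections import defaultdict

# Constructed sample in a hypothetical one-line-per-packet format:
#   <time> <proto> <src_ip>:<src_port> > <dst_ip>:<dst_port> [<flags>] len=<bytes>
# Six SYNs from one host that are never followed by an ACK, one legitimate
# client that completes its handshake, and one packet whose source and
# destination are both the server itself.
SAMPLE_LOG = """\
1.000 TCP 203.0.113.7:40000 > 192.0.2.10:80 [S] len=60
1.001 TCP 203.0.113.7:40001 > 192.0.2.10:80 [S] len=60
1.002 TCP 203.0.113.7:40002 > 192.0.2.10:80 [S] len=60
1.003 TCP 203.0.113.7:40003 > 192.0.2.10:80 [S] len=60
1.004 TCP 203.0.113.7:40004 > 192.0.2.10:80 [S] len=60
1.005 TCP 203.0.113.7:40005 > 192.0.2.10:80 [S] len=60
1.100 TCP 198.51.100.5:51000 > 192.0.2.10:80 [S] len=60
1.101 TCP 198.51.100.5:51000 > 192.0.2.10:80 [A] len=52
1.200 TCP 192.0.2.10:139 > 192.0.2.10:139 [S] len=60
"""


def parse_line(line: str) -> dict:
    time, proto, src, _arrow, dst, flags, length = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "time": float(time), "proto": proto,
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "flags": set(flags.strip("[]")),
        "len": int(length.split("=", 1)[1]),
    }


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def half_open_by_destination(records, threshold: int = 5) -> dict:
    """Count handshakes that reached SYN but never saw the client's ACK,
    grouped by the service being hit. Grouping by destination matters
    because a real SYN flood spoofs its source addresses, so counting per
    source would see only a trickle from each forged address."""
    pending = {}  # 4-tuple -> destination "ip:port"
    for r in records:
        if r["proto"] != "TCP":
            continue
        key = (r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"])
        if "S" in r["flags"] and "A" not in r["flags"]:
            pending[key] = f'{r["dst_ip"]}:{r["dst_port"]}'
        elif "A" in r["flags"]:
            pending.pop(key, None)          # handshake completed (or torn down)
    counts = defaultdict(int)
    for dst in pending.values():
        counts[dst] += 1
    return {dst: n for dst, n in counts.items() if n >= threshold}


def land_packets(records) -> list:
    """Land attack: a packet addressed from the victim to itself."""
    return [r for r in records
            if r["src_ip"] == r["dst_ip"] and r["src_port"] == r["dst_port"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("half-open floods:", half_open_by_destination(recs))
    print("land packets:", len(land_packets(recs)))
```

On the sample, port 80 shows six half-open connections from the flooding host while the legitimate client, whose ACK closes its pending entry, is not counted; the self-addressed packet to port 139 is reported separately as a Land packet.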
Distributed Denial-of-Service (DDoS)
A DoS attack is conducted from a single attacking system. A DoS attack
employing multiple attacking systems is known as a distributed
denial-of-service (DDoS) attack.

• Launch an army of computers to bring down a service
• This is why the bad guys build botnets
• Thousands or millions of computers at your command

Man-in-the-Middle
An attacker intercepts traffic and then tricks the parties at both ends
into believing that they are communicating directly with each other.

• Redirects your traffic, reads or modifies it, then passes it on to
the destination
• You never know your traffic was redirected
• Limited if the communication is encrypted and authenticated: the attacker
can still see and drop traffic, but cannot read or alter it undetected

ExamAlert
A man-in-the-middle attack takes place when a computer intercepts traffic
and either eavesdrops on the traffic or alters it.

Man-in-the-Browser
A Trojan horse or similar malware that runs inside the victim's browser
to steal important information from users of websites, especially
banking and credit card information.

• Extra input fields are added to the legitimate website as it is displayed
• Transactions can be altered to transfer money without you knowing, because
the malware sees the page after TLS has already been decrypted

ARP Poisoning
Every network interface has a MAC address that must be associated with
an IP address on the local network. The Address Resolution Protocol
(ARP), which operates at Layer 2 (data link layer) of the OSI model,
maps IP addresses to MAC addresses. ARP is a simple lower-layer
protocol that consists of requests and replies without any
authentication, so a host accepts a forged reply ("the gateway's IP
is at my MAC") and sends its traffic to the attacker instead.

• ARP request: "Who has this IP address?"
• ARP reply: "I have that IP address; my MAC address is..."
• Reverse ARP (RARP) request: "Who has this MAC address?"
• RARP reply: "I have that MAC address; my IP address is..."

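Because ARP replies are accepted without authentication, the practical control is to watch for bindings that change. Below is an added example in Python (not from the Hemaya slides) that runs a small constructed sequence of ARP replies through a detector: it raises an alert when an IP's MAC changes (refusing to overwrite pinned entries, which is what a static ARP entry does) and when one MAC claims several IPs, the shape of a two-sided poisoning between a workstation and its gateway.

```python
"""Detecting ARP poisoning from observed ARP replies (added example)."""
from collections import defaultdict

# Constructed sequence of (time, claimed IP, claimed MAC) taken from ARP replies
# seen on a segment. The gateway and a workstation answer normally, then a
# third machine claims both of their addresses: the classic two-sided poison
# that lets it sit between them.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),    # gateway, legitimate
    (0.5, "192.168.1.20", "00:11:22:33:44:20"),   # workstation, legitimate
    (1.0, "192.168.1.1", "de:ad:be:ef:00:01"),    # same IP, new MAC
    (1.0, "192.168.1.20", "de:ad:be:ef:00:01"),   # same MAC now claims the workstation too
]

# Pinned entries for hosts that must never move (what a static ARP entry does).
STATIC_TABLE = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_spoofing(replies, static_table) -> list:
    """Return alerts for (a) an IP whose MAC changes and (b) one MAC that
    claims several IPs. ARP itself offers no way to verify a reply, so
    monitoring like this is the detection control; static entries and
    switch-side dynamic ARP inspection are the prevention controls."""
    table = dict(static_table)
    alerts = []
    claims = defaultdict(set)
    for t, ip, mac in replies:
        claims[mac].add(ip)
        known = table.get(ip)
        if known is None:
            table[ip] = mac                       # first sighting: learn it
        elif known != mac:
            alerts.append({"time": t, "type": "mac-changed", "ip": ip,
                           "old": known, "new": mac,
                           "pinned": ip in static_table})
            # deliberately do not update: keep trusting the first/pinned binding
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append({"type": "one-mac-many-ips", "mac": mac,
                           "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, STATIC_TABLE):
        print(alert)
```

The first two replies produce nothing; the attacker's two replies produce two mac-changed alerts (one against a pinned entry) plus one alert for a single MAC claiming both the gateway and the workstation.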
Buffer Overflow
In a buffer overflow, the input buffer that is used to hold program input
is overwritten with more data than the buffer can hold, because the
program does not check the length of the input.

• A field meant for a 7- to 10-character phone number instead receives a
string of 150 characters
• The extra bytes spill into adjacent memory, overwriting other variables,
saved return addresses, or other portions of the program
• The program can then be made to execute a command supplied by the attacker
• That code inherits the level of privilege enjoyed by the program being exploited
• Caused by poor programming and by programming languages (C, C++) that do
not check array bounds automatically

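To make the "phone number field receives 150 characters" case concrete, here is an added example (not from the Hemaya slides). Python is memory safe, so a C-style stack frame is modelled as a fixed bytearray whose layout is an assumption for the example: a 10-byte phone-number buffer immediately followed by a 1-byte is_admin flag. An unchecked copy of an 11-byte input flips the flag; a 150-byte input runs off the end of the frame, the crash the slide mentions; the bounds-checked copy rejects both.

```python
"""A model of a buffer overflow overwriting the variable next to the buffer (added example)."""

# Python is memory safe, so the C stack frame is modelled as a fixed bytearray.
# Assumed layout (for the example only): a 10-byte phone-number buffer,
# immediately followed by a 1-byte is_admin flag, then a little padding.
PHONE_LEN = 10
FLAG_OFFSET = PHONE_LEN
FRAME_SIZE = PHONE_LEN + 1 + 5


def new_frame() -> bytearray:
    """Fresh frame: empty phone buffer, is_admin = 0."""
    return bytearray(FRAME_SIZE)


def is_admin(frame: bytearray) -> bool:
    return frame[FLAG_OFFSET] != 0


def phone(frame: bytearray) -> bytes:
    return bytes(frame[:PHONE_LEN]).rstrip(b"\x00")


def unsafe_copy(frame: bytearray, data: bytes) -> None:
    """Like C's strcpy: copies every byte of the input with no length check.
    Byte 10 and beyond land on whatever follows the buffer; writing past
    the mapped frame is the crash the slide mentions."""
    for i, b in enumerate(data):
        if i >= len(frame):
            raise MemoryError("wrote past the end of the frame (segmentation fault)")
        frame[i] = b


def safe_copy(frame: bytearray, data: bytes) -> None:
    """Bounds-checked copy: rejects input longer than the buffer."""
    if len(data) > PHONE_LEN:
        raise ValueError(f"phone number must be at most {PHONE_LEN} bytes")
    frame[:len(data)] = data   # same length on both sides, so the frame does not grow


if __name__ == "__main__":
    f = new_frame()
    unsafe_copy(f, b"5551234567" + b"\x01")     # 11 bytes: one spills onto the flag
    print("phone:", phone(f), "is_admin:", is_admin(f))
```

In a real C program the byte after the buffer is often a saved return address rather than a flag, which is how the overflow turns into attacker-controlled execution; the fix is the same in both cases, a length check before the copy.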
Injection
When user input is used without validation, injection flaws allow an
attacker to relay malicious code through an application to another
system (a database, an LDAP directory, the operating system shell).

• Enabled by bad programming: user data is concatenated into a command
• The application should properly handle (validate and encode) input and
output, and keep data separate from code, for example with
parameterized queries
• So many different data types and interpreters
• HTML, SQL, XML, LDAP, OS commands, etc.

Cross-Site Scripting (XSS)
The cause of XSS is weak validation and encoding of user input. If input
is not validated and escaped properly, an attacker can include a script
in their input that causes unwanted actions in other users' browsers.

• The attacker plants malicious code in a vulnerable website (e.g. in a
URL parameter or via comments)
• When the victim opens that trusted website, the attacker's code is
executed in the victim's browser, with the victim's session
• Takes advantage of the trust a user has for a site
• Websites should validate inputs and escape all output for the context
(HTML body, attribute, JavaScript, URL) in which it is rendered

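The stored-comment case described above, as an added example in Python (not from the Hemaya slides): one function interpolates a constructed hostile comment and author name straight into HTML, the other escapes them for the body and attribute contexts with the standard library's `html.escape`. A small string check stands in for the browser's parser, since no browser runs here.

```python
"""Reflecting a comment with and without output escaping (added example)."""
import html

# Constructed inputs: what a hostile user might type into a comment form.
HOSTILE_COMMENT = "<script>alert(document.cookie)</script>"
HOSTILE_AUTHOR = '" onmouseover="alert(1)'     # breaks out of a quoted attribute


def render_vulnerable(author: str, comment: str) -> str:
    """Interpolates raw input into HTML: the browser treats it as markup."""
    return f'<div class="comment" data-author="{author}"><p>{comment}</p></div>'


def render_safe(author: str, comment: str) -> str:
    """Escapes for the HTML body and, with quote=True, for attribute values.
    <, >, & and quotes become entities, so the text is displayed, not run."""
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(comment)}</p></div>')


def looks_executable(rendered: str) -> bool:
    """Stand-in for the browser's parser: a script element or a new event
    handler attribute means injected content would execute."""
    lowered = rendered.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    print(render_vulnerable(HOSTILE_AUTHOR, HOSTILE_COMMENT))
    print(render_safe(HOSTILE_AUTHOR, HOSTILE_COMMENT))
```

Note that the author field needs attribute escaping (quotes included) even though the comment body only needs `<`, `>` and `&` escaped; escaping for the wrong context is the usual way an "escaped" page stays vulnerable.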
Cross-site request forgery (CSRF)
This attack causes end users to execute an unwanted action on a site they
are already logged into, because the browser automatically attaches the
session cookie to any request to that site, even one triggered from the
attacker's page.

• CSRF happens in authenticated sessions, when the server trusts the
user/browser on the basis of the cookie alone
• Cross-site scripting doesn't need an authenticated session and can be
exploited when the vulnerable website doesn't do the basics of
validating or escaping input
• The same-origin policy stops the attacker's page from reading the
response, but not from sending the request; the defenses are a per-session
anti-CSRF token checked on every state-changing request and the SameSite
cookie attribute

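The anti-CSRF token defense named above, as an added example in Python (not from the Hemaya slides). The token is an HMAC of the session identifier under a server secret, so it is tied to one session and cannot be guessed; the endpoint is modelled as a function taking a constructed request dict in which `cookie_session` is what the browser attaches automatically and `form` is the POST body. The forged request carries the cookie but cannot carry the token, because the attacker's page never got to read the site's form.

```python
"""Anti-CSRF token tied to the session with an HMAC (added example)."""
import hashlib
import hmac
import secrets

# A per-server secret; generated once at start-up in a real deployment.
SERVER_SECRET = secrets.token_bytes(32)


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token = HMAC(secret, session id). It is embedded in the site's own
    forms; an attacker's page cannot read it because of the same-origin
    policy, and a token from another session does not verify."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    expected = make_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, token)   # constant-time comparison


def handle_transfer(request: dict, secret: bytes = SERVER_SECRET) -> str:
    """Model of a state-changing endpoint. `request` is a constructed dict:
    'cookie_session' is what the browser sends automatically (also on a
    forged cross-site request); 'form' is the POST body."""
    session_id = request.get("cookie_session")
    if not session_id:
        return "401 not logged in"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, token, secret):
        return "403 missing or invalid CSRF token"
    form = request["form"]
    return f"200 transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = "sess-7f3a"
    genuine = {"cookie_session": sid,
               "form": {"csrf_token": make_csrf_token(sid), "amount": "100", "to": "bob"}}
    forged = {"cookie_session": sid,                        # cookie rides along automatically
              "form": {"amount": "100", "to": "mallory"}}   # attacker cannot supply the token
    print(handle_transfer(genuine))
    print(handle_transfer(forged))
```

Setting the session cookie with `SameSite=Lax` or `Strict` is the complementary control: the browser then withholds the cookie on cross-site POSTs, so the forged request fails at the first check instead of the second.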
Privilege Escalation
Privilege escalation is the result of actions that allow an adversary to
obtain a higher level of permissions on a system or network.

• Exploit a vulnerability (or a misconfiguration)
• Gain higher-level access to a system, from normal user to admin
• Higher-level access means more capabilities

DNS Poisoning (Spoofing)
An attack that exploits weaknesses in the Domain Name System (DNS) to
divert Internet traffic away from legitimate servers and towards fake
ones, by getting forged records into a resolver's cache.

• Your ISP runs its own DNS servers
• Your home router functions as a DNS server (forwarder) too
• An attacker points google.com to his own site

Zero Day
An attack that exploits a vulnerability that is unknown to others, or
even to the software developer, and is not patched yet.

• Someone is always working to find the next big vulnerability
• The good guys share these with the developer (responsible disclosure)

Exam Alert
Effective security policies, training, and mitigating controls are
more effective, even compared to the most aggressive patch-management
strategies, when it comes to zero-day exploits.

Hijacking Attacks
Hijacking is a form of attack where the attacker takes over a user's
session, typically after the exchange of credentials.

• Session Hijacking:
An attacker takes over an established session, for example by capturing
or predicting the session ID (cookie) of a logged-in user, or by
injecting packets into an active TCP connection.

Preventing Session Hijacking:

• Encrypt end-to-end
• They can't capture your session ID if they can't see it
• Browser extensions that force HTTPS (HTTPS Everywhere, Force-TLS), or
the browser's built-in HTTPS-only mode
• Personal VPN (OpenVPN, WireGuard, etc.)

Hijacking and Related Attacks
• Clickjacking:
You think you're clicking on a button, but you're actually clicking on
something else (a hidden button or object layered over the page).

• URL Hijacking (Typosquatting):
URL hijacking is a generic name for a wide range of attacks that target
the URL. If the correct URL is used, you get the desired content; if the
URL is tampered with or mistyped, you land on the attacker's site.

● Takes advantage of poor spelling
● Looks like the real site: "please log in"

Driver Manipulation

Drivers are code that is not part of the OS and is developed by firms
other than the OS developer.

- Not protected as well as other parts of the core system, yet they run
with high privilege.

• Shimming:
Shimming is the process of putting a layer of code between the device
driver and the operating system. An attacker's shim in that layer can
intercept or alter what the driver does.

• Windows has its own shim mechanism for backwards compatibility, which
is what makes this approach work without modifying the driver itself

WIRELESS ATTACKS

Wireless connects users to networks via a radio signal, freeing
machines from wires.

Wired vs. wireless attacks

• Similar to wired attacks
• Wireless is harder to protect: the medium is shared and reaches
beyond your walls
• Much easier to capture the data
• This is a big concern for the security professional

Replay Attack

An attack where the attacker simply re-sends a data element (e.g. a
captured packet or authentication exchange) that was previously sent
by some other user, in the hope of reproducing its effect.

EXAM TIP
The best method for defending against replay attacks is good encryption
combined with session tokens, timestamps, or sequence numbers, so a
re-sent message is recognised as stale and rejected; encryption on its
own does not stop someone replaying the ciphertext unchanged.

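The nonce-and-timestamp defense from the exam tip, as an added example in Python (not from the Hemaya slides). The sender binds payload, nonce and timestamp together under one HMAC; the receiver checks the MAC first, then freshness against its window, then that the nonce is new. Replaying the captured message verbatim, or editing the amount, is rejected. The key and messages are constructed for the example.

```python
"""Rejecting replayed messages with a nonce, a timestamp and a MAC (added example)."""
import hashlib
import hmac
import json


def sign_message(key: bytes, payload: dict, nonce: str, timestamp: int) -> dict:
    """Sender: bind payload, nonce and time together under one MAC, so none
    of them can be changed without the MAC failing."""
    body = {"payload": payload, "nonce": nonce, "ts": timestamp}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {**body, "mac": hmac.new(key, encoded, hashlib.sha256).hexdigest()}


class Receiver:
    """Receiver: checks the MAC, then freshness, then that the nonce is new.
    The seen-nonce set only needs to cover the freshness window, since
    anything older is already rejected by the timestamp check."""

    def __init__(self, key: bytes, window_seconds: int = 30):
        self.key = key
        self.window = window_seconds
        self.seen_nonces = set()

    def accept(self, msg: dict, now: int) -> str:
        body = {k: msg[k] for k in ("payload", "nonce", "ts")}
        encoded = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, encoded, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "reject: bad mac"
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale timestamp"
        if msg["nonce"] in self.seen_nonces:
            return "reject: replayed nonce"
        self.seen_nonces.add(msg["nonce"])
        return "accept"


if __name__ == "__main__":
    key = b"shared-key"                       # constructed; a real key is random and secret
    receiver = Receiver(key)
    msg = sign_message(key, {"action": "transfer", "amount": 100}, "n-001", 1000)
    print(receiver.accept(msg, 1005))         # accept
    print(receiver.accept(msg, 1010))         # reject: replayed nonce
```

Kerberos timestamps and TLS record sequence numbers are the same idea carried inside real protocols: the receiver can tell a fresh message from a recorded one, which no amount of encryption does on its own.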
Rogue access points
An access point that has been added to one's network without one's
knowledge.

Evil Twins
An access point that looks and acts just like a legitimate AP and
entices the end user to connect to the attacker's access point instead.

• Configure it exactly the same way as an existing network
• Same SSID and security settings
• Overpower the existing access points
• Send a disassociation frame with the spoofed MAC of the victim to the
legitimate access point, so the victim reconnects to the stronger twin

Jamming
Jamming is a form of denial of service that specifically targets the
radio spectrum aspect of wireless.

WPS
Wi-Fi Protected Setup (WPS) is a network security standard created to
provide users with an easy method of configuring wireless networks.

• Allows "easy" setup of a mobile device
• A passphrase can be complicated for a novice
• An 8-digit PIN configured on the access point must be entered on the
mobile device, or you push a button on the access point
• The PIN is verified in two halves (and its last digit is a checksum),
so an attacker needs at most about 11,000 guesses instead of 100 million;
disable WPS PIN mode

Bluejacking
Sending unauthorized messages to another Bluetooth device.

• Typical functional distance is about 10 meters, and Bluetooth must be
enabled (and discoverable) on the target

Bluesnarfing
Instead of sending an unsolicited message to the victim's phone, the
attacker copies the victim's information off the device.

• If you knew the file's name, you could download it without authentication
• This weakness in old Bluetooth implementations has been patched

RFID
Radio frequency identification (RFID) tags are used in a wide range of
use cases, from tracking inventory to door keys.

◉ Active tags have their own power source
◉ Passive tags use the RF energy transmitted to them for power
◉ Access badges
◉ Pet/animal identification
◉ Anything that needs to be tracked

RFID Attacks:
◉ Data capture
◉ Eavesdrop on the communication between tag and reader
◉ Spoof the reader
◉ Write your own data to the tag

Cryptographic Attacks
The basic intention of an attacker is to break a cryptosystem and
recover the plaintext (or the key) from the ciphertext.

• You've encrypted data and sent it to another person
• Is it really secure?
• How do you know?

Brute Force
The password-cracking program attempts all possible password
combinations. Length and character set decide how long that takes.

Dictionary
A password-cracking program that uses a list of d words to try
to guess the password.

• People use common words as passwords
• You can find them in the dictionary (password, ninja, football, admin)
• Many common wordlists are available on the internet
• Some are customized by language or line of work

Hybrid Attack
Combines the dictionary method with brute force: each word is also
tried with common mutations such as capitalisation, appended digits,
or substituted characters.

Rainbow Tables

Used for cracking passwords that have been hashed. A rainbow table can
most easily be thought of as a very large set of precomputed hash values
for a huge range of candidate passwords, organised so that the table
does not have to store every hash.

• An optimized, pre-built set of hashes (a time-memory trade-off)
• Doesn't need to contain every hash
• The calculations have already been done
• Remarkable speed increase
• Defeated by salting: a unique random salt per password means the
attacker would need a separate table for every salt

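The Dictionary, Hybrid Attack and Rainbow Tables slides describe three ways of reusing guessing work; the following added example in Python (not from the Hemaya slides) shows all three against a constructed wordlist. A plain hash-to-password dictionary stands in for the rainbow table (a real table stores chains rather than every pair, but the effect, hashing once ahead of time and reusing the result, is the same). The same precomputed table then fails against a salted PBKDF2 hash, and every guess has to be recomputed for that salt at the slow iteration count. The iteration count is kept small for the example.

```python
"""Dictionary, hybrid and precomputed-table cracking against unsalted and salted hashes (added example)."""
import hashlib

# Constructed wordlist; real ones hold millions of entries.
WORDLIST = ["password", "ninja", "football", "admin", "letmein", "qwerty"]
ITERATIONS = 1_000          # kept small for the example; real deployments use far more


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hybrid_candidates(words):
    """Dictionary words plus the brute-force style mutations people actually use."""
    for w in words:
        yield w
        yield w.capitalize()
        for suffix in ("1", "123", "2016", "!"):
            yield w + suffix
            yield w.capitalize() + suffix


def build_lookup_table(candidates) -> dict:
    """Precomputed hash -> password. A rainbow table stores chains instead of
    every pair, but the effect is the same: the hashing work is done once,
    ahead of time, and reused against every stolen unsalted hash."""
    return {sha256_hex(c.encode()): c for c in candidates}


def crack_with_table(stored_hex: str, table: dict):
    return table.get(stored_hex)


def hash_salted(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def dictionary_attack_salted(stored_hex: str, salt: bytes, candidates,
                             iterations: int = ITERATIONS):
    """With a salt the precomputed table is useless; every guess must be
    recomputed for this salt, and the iteration count makes each one slow."""
    for c in candidates:
        if hash_salted(c, salt, iterations) == stored_hex:
            return c
    return None


if __name__ == "__main__":
    table = build_lookup_table(hybrid_candidates(WORDLIST))
    print("unsalted Football123 ->", crack_with_table(sha256_hex(b"Football123"), table))
    salt = bytes(range(16))       # constructed; use os.urandom(16) for real
    stored = hash_salted("Football123", salt)
    print("salted, table lookup ->", crack_with_table(stored, table))
    print("salted, recompute per guess ->",
          dictionary_attack_salted(stored, salt, hybrid_candidates(WORDLIST)))
```

Salting does not make a weak password strong; the final call still finds "Football123". What it removes is the ability to do the work once for everyone, and the iteration count is what makes each remaining guess expensive.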
Known Plaintext/Ciphertext

If an attacker knows some of the plaintext that has been encrypted and
has the resulting ciphertext, then, with a flawed encryption algorithm,
that pair can be used to recover the key or keystream and break the
rest of the encryption.

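A known-plaintext attack carried out against a deliberately flawed cipher, as an added example in Python (not from the Hemaya slides). The cipher is repeating-key XOR, and the known plaintext is a fixed file header, the way real formats begin with a magic string. The key, header and message are constructed for the example. From the header and the ciphertext alone the attacker recovers the key length, then the key, then the whole message; a modern cipher such as AES is designed so that a known pair yields nothing of the kind.

```python
"""Known-plaintext attack on a flawed cipher: repeating-key XOR (added example)."""


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """The weak cipher: each byte is XORed with the key byte at the same
    position modulo the key length. Encryption and decryption are the
    same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """ciphertext[i] = plaintext[i] XOR key[i mod len], so with the first
    key_len bytes of plaintext known the key falls straight out."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def guess_key_length(known_plaintext: bytes, ciphertext: bytes, max_len: int):
    """Try each length shorter than the known prefix: a candidate key must
    decrypt the whole known prefix correctly, which only the true length
    (or a multiple of it) does. A length equal to the prefix cannot be
    checked, since it would match by construction."""
    for n in range(1, min(max_len, len(known_plaintext) - 1) + 1):
        key = recover_key(known_plaintext, ciphertext, n)
        if xor_repeating_key(ciphertext[:len(known_plaintext)], key) == known_plaintext:
            return n
    return None


# Constructed message: the first 15 bytes are a fixed file header that the
# attacker knows, as with any file format that begins with a magic string.
KNOWN_HEADER = b"DEMOFILE v1.0\r\n"
SECRET_KEY = b"S3cr3tK3y"          # assumption for the example; unknown to the attacker
PLAINTEXT = KNOWN_HEADER + b"account=4412 transfer=9000 to=mallory"
CIPHERTEXT = xor_repeating_key(PLAINTEXT, SECRET_KEY)


def break_message(known_header: bytes, ciphertext: bytes, max_key_len: int = 32):
    """Attacker side: only the header and the ciphertext are used."""
    n = guess_key_length(known_header, ciphertext, max_key_len)
    if n is None:
        return None, None
    key = recover_key(known_header, ciphertext, n)
    return key, xor_repeating_key(ciphertext, key)


if __name__ == "__main__":
    key, plaintext = break_message(KNOWN_HEADER, CIPHERTEXT)
    print("recovered key:", key)
    print("recovered message:", plaintext)
```

The attack needs a known prefix at least one byte longer than the key; with a shorter known prefix the length search fails (returns None) rather than reporting a wrong key.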
Downgrade

The attacker takes advantage of a commonly employed principle, support
for backward compatibility, to downgrade the security of a connection
to a lower or nonexistent state.

• Example:
Intercepting web traffic and redirecting the user from the secure HTTPS
version of a website to an unencrypted HTTP version (known as SSL
stripping). HTTP Strict Transport Security (HSTS) tells the browser to
refuse the HTTP version.

Time for some questions and break

OSI Model