EC-Council


MODULE 01 network security fundamentals

elements of network security

1. network security controls
2. network security protocols
3. network security devices

network security controls:-

giving access to an authorized user; the thing that stands between the user and the device to give authorization based on
identity management is called network security controls

network security protocols

network security protocols implement security related operations to ensure the security and integrity of data in transit.
The network security protocols ensure the security of the data passing through the network.

network security devices

security devices like firewall, IDS (intrusion detection system), IPS (intrusion prevention system)
network security devices that are deployed to protect computer networks from unwanted traffic and threats.

GOAL OF NETWORK DEFENSE involves predicting, protecting, monitoring, analyzing, detecting, and responding.

defend an organization and its information

information assurance (IA) principles

1. Confidentiality
2. Availability
3. Integrity

Confidentiality:-
information is not disclosed to unauthorized parties; other than the authorized user no one can access it (eg. man-in-the-middle)

integrity:-
information transferred from sender to receiver cannot be modified or changed by a third party (eg. man-in-the-middle)

availability:-
the information is available only to authorized users without disturbance

non-repudiation:- a request received by the server cannot be denied by the sender.
authentication:- authorizing (verifying the identity of) a user

types of network defence approaches

1.preventive :-
techniques that are used to avoid threats or attacks. It consists of access control mechanisms such as a firewall, admission control mechanisms such as NAC and NAP, cryptographic applications such as IPSec and SSL, and biometric techniques such as speech and facial recognition.

2.reactive :-
techniques that are used to detect attacks or threats. It includes security monitoring methods such as IDS, SIMS, TRS, IPS.

3.retrospective:-
it examines the cause of attacks or any other info which helps the organization to plan a route to recover the data.
it includes fault finding mechanisms such as protocol analyzers and traffic monitors, security forensics techniques such as CSIRT and CERT, and post-mortem analysis mechanisms including risk and legal management.

4.proactive:-
basically it is a future plan that helps an organization to prevent attacks or threats in future

network security protocols

radius , tacacs+ , kerberos , pgp , s/mime , secure HTTP , HTTPS , tls , ssl , Ipsec

radius:- remote authentication dial in user service; it works on the OSI model by using UDP and TCP as transport protocol. Also it uses the password authentication protocol (PAP), the challenge handshake authentication protocol (CHAP), or the extensible authentication protocol (EAP).
it works in 3 different stages such as:-
access request toward the server (id and pass)
access accepted or rejected
access challenge (accounting request)

TACACS+

network security protocols are divided into different layers such as
*transport
*network
*application

Transport:-
it includes the TLS and SSL protocols.

TLS:- the TLS protocol provides security and dependability of data between two communicating parties.

SSL:- SSL provides security to the communication between clients and servers

Network layer:-

IPsec:- this protocol authenticates the packets during the transmission of data.

Application layer:-

PGP (Pretty Good Privacy):- it provides cryptographic privacy and authentication for network communication and enhances the security of emails

S/MIME:- known as Secure/Multipurpose Internet Mail Extensions. It provides security to mails.

secure HTTP:- it provides security to the data traversing through the www

HTTPS:- it is widely used across the internet to secure network communication.

Kerberos:- it is a client-server model that is implemented for authenticating requests in computer networks

RADIUS:- it provides centralized authentication, authorization, and accounting (AAA) for remote access servers to communicate with central servers.

TACACS+ :- it provides authentication, authorization, and accounting (AAA) for network communication

packet filtering:- useful for implementing the controls that are defined by multiple policies, standards, and guidelines

MODULE 02

IDENTIFICATION, AUTHENTICATION AND AUTHORIZATION

ACCESS control
it works as follows: the user sends a request toward the server, then authentication works on the access control function
and it authorizes the request against the authorization database, which is managed by the administrator (who adds, deletes or
modifies account details in the database); then if the given request is correct the access is given, otherwise it is declined.

Access control terminologies:-

it includes Subject, Object, Reference Monitor, Operation checks.

reference monitor:- it checks access control rules for a specific task

access control principles:-

it is distributed into 3 different types such as

1.Separation of Duties(SoD)
2.need-to-know
3.principle of least privilege

1.Separation of Duties(SoD):-
basically it's a breakdown of a task which ensures that no one has the access to perform all functions individually.
2.need-to-know:-
in this, access is provided only to the information that is required for performing a specific task

3.principle of least privilege:-

it extends the need-to-know principle in providing access to systems
it provides employees access which is neither less nor more than required

Access Control Models:- it's a standard which provides a predefined framework for implementing the necessary lvl of access control
MAC(mandatory access control)
DAC(discretionary access control)
RBAC(role-based access control)
RB-RBAC(rule-based access control)

DAC(discretionary access control):-

end user has complete access to the information they own

MAC(mandatory access control):-

only the administrator or system owner has rights to assign privileges

RBAC(role-based access control):-

permissions are assigned based on user roles.

RB-RBAC(rule-based access control):-

permissions are assigned to a user role dynamically based on a set of rules defined by the administrator.
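An added example (not from these notes or from EC-Council) that ties the terms above together in Python: a Subject requests an Operation on an Object, the reference monitor checks which permissions the RBAC roles grant, then applies rule-based (RB-RBAC) rules set by the administrator (business hours, separation of duties), and denies anything not explicitly granted (least privilege). The users, roles, object and rules are constructed samples.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    subject: str      # the user making the request
    operation: str    # read / write / approve / delete
    obj: str          # the resource being requested
    at: time          # time of day the request is made


# Constructed authorization database, the part the administrator manages.
# RBAC: each role grants a set of operations on each object.
ROLE_PERMISSIONS = {
    "analyst": {"payroll.csv": {"read"}},
    "hr":      {"payroll.csv": {"read", "write"}},
    "manager": {"payroll.csv": {"read", "approve"}},
    "admin":   {"payroll.csv": {"read", "write", "delete", "approve"}},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"hr"}, "carol": {"manager"}, "dave": {"admin"}}


def ops_granted(subject: str, obj: str) -> set:
    """Union of the operations every role of the subject grants on obj."""
    return set().union(*(ROLE_PERMISSIONS.get(r, {}).get(obj, set())
                         for r in USER_ROLES.get(subject, set())))


def outside_business_hours(at: time) -> bool:
    return not time(9, 0) <= at < time(18, 0)


# RB-RBAC layer: rules the administrator adds on top of the roles.
# Each rule returns True when it forbids the request.
RULES = {
    "changes only during business hours":
        lambda r: r.operation in {"write", "delete"} and outside_business_hours(r.at),
    # separation of duties: whoever can prepare (write) payroll may not approve it
    "preparer cannot approve":
        lambda r: r.operation == "approve" and "write" in ops_granted(r.subject, r.obj),
}


def reference_monitor(req: Request) -> tuple:
    """Decide one access request. Deny by default (least privilege): allow
    only if some role grants the operation AND no rule forbids it."""
    if req.subject not in USER_ROLES:
        return False, "unknown subject"
    if req.operation not in ops_granted(req.subject, req.obj):
        return False, "no role grants this operation"
    for name, rule in RULES.items():
        if rule(req):
            return False, f"denied by rule: {name}"
    return True, "allowed by role"


def decide(subject: str, operation: str, obj: str, hour: int) -> tuple:
    """Convenience wrapper: evaluate a request made at hour:00."""
    return reference_monitor(Request(subject, operation, obj, time(hour, 0)))


if __name__ == "__main__":
    for who, op in [("alice", "read"), ("alice", "write"), ("bob", "write"),
                    ("carol", "approve"), ("dave", "approve"), ("mallory", "read")]:
        print(who, op, decide(who, op, "payroll.csv", 10))
```

Note that dave, although his admin role grants every operation, is still refused "approve" by the separation-of-duties rule, which is the point of layering rules over roles.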

Identity and access management(IAM):- it is responsible for providing the right individual with the right access at the right time.

User Identity Management(IDM):-

it ensures that an individual holds a valid identity.

identity Repository:-
in it the attributes related to the users' identities are stored.

User Access Management (AM): Authorization:-

it involves controlling the access of information for an individual
eg.(A user can only read a file, but not write in it or delete it.)
it is divided into several different types such as

1.centralized authorization
2.decentralized authorization
3.implicit authorization
4.explicit authorization
1.centralized authorization:-

it is done using a single centralized authorization unit
it only maintains a single database for authorization to all the network resources or applications
it's an easy and inexpensive authorization approach

2.decentralized authorization:-

each network resource maintains its own authorization unit and performs authorization locally
it maintains its own database

3.implicit authorization:-

users can access the requested resources on behalf of others
the access request goes through a primary resource to access the requested resources

4.explicit authorization:-

it requires separate authorization for each requested resource
it explicitly maintains authorization for each requested object

User Access Management(AM): Accounting:-

it helps to keep track of users' actions on the network
it helps in identifying authorized and unauthorized actions
this data can be used for trend analysis, data breach detection, forensics investigation, etc.

MODULE 03 ADMINISTRATIVE CONTROLS

REGULATORY FRAMEWORK it contains a set of guidelines and best practices for security
use of regulatory framework according to field of use

HIPAA (health insurance portability and accountability act):- any field that deals with health related issues

SOX (sarbanes oxley act):- public company boards, management and public accounting firms

FISMA (federal information security management act of 2002):- a method used to protect information systems

GLBA (gramm leach bliley act):- companies that offer financial products and services

PCI-DSS (payment card industry data security standard):- companies handling credit card information

regulatory framework compliance:-

regulatory framework compliance is a set of guidelines and best practices established in order for an organization to follow
and thus meet its regulatory needs, enhance processes, improve protection and accomplish any other objective.

regulatory framework :-
under this framework, an organization must document its policies, standards as well as procedures, practices, and guidelines.
each of them has a different purpose, thus they cannot be combined in one document

Policies:-
policies are high level statements dealing with the administrative network security of an organization.
eg. Policy includes email and encryption policies.

standards:-
it comprises specific low lvl mandatory controls related to the implementation of a specific
technology useful for enforcing and supporting policies.
it includes password standards such as password complexity, password length etc. or
encryption standards including data encryption standard(DES), advanced encryption standard(AES), and the rivest-shamir-adleman algorithm

procedures, practices and guidelines:-

procedures or standard operating procedures(SOP) comprise step-wise instructions
useful for implementing the controls that are defined by multiple policies, standards, and guidelines
eg. Process for window installation and data encryption

need of compliance to it:-

to improve security
minimize losses
maintain trust
increased control

regulatory framework, laws and acts

PCI-DSS(payment card industry data security standard):-

it is an information security standard for organizations

PCI-DSS high lvl overview requirements

build and maintain a secure network
protect cardholder data
maintain a vulnerability management program
implement strong access control measures
regularly monitor and test networks
maintain an information security policy

HIPAA (health insurance portability and accountability act)

Electronic Transaction and Code Set Standards
Privacy Rule
Security Rule
National Identifier Requirements
Enforcement Rule

Key Elements of Security Policy

Clear Communication
Brief and Clear Information
Defined Scope and Applicability
Enforceable by Law
Recognizes Areas of Responsibility
Sufficient Guidance

Contents of a Security Policy:-

There are four aspects in security policy implementation:-

High-level Security Requirements:

Security requirements include all requirements for a system to implement security policies. These are further divided into four types:
Discipline Security Requirements:
Safeguard Security Requirements:
Procedural Security Requirements:
Assurance Security Requirements:

Discipline Security Requirements:

Actions to be taken for various components that need to be secured such as computer security, operations security, network security, personnel security, and physical security

Safeguard Security Requirements:

Protective measures required such as protective measures for access control, malware protection, audit, availability, confidentiality, integrity, cryptography, identification, and authentication

Procedural Security Requirements:

Access policies, accountability, continuity of operations, and documentation

Assurance Security Requirements:

Policies used with the compliance of various standards, certifications, and accreditations

Policy Description Based on Requirement:

Policy description mainly focuses on the security disciplines, safeguards, procedures, continuity of operations, and documentation. Each subset of this policy describes how the system's architecture elements will enforce security.

Security Concept of Operation:

This concept defines the roles, responsibilities, and functions of a security policy. It focuses on the mission, communications, encryption, user and maintenance rules, idle time management, privately owned versus public domain, shareware software rules, and virus protection policy.

Allocation of Security Enforcement to Architecture Elements:

This policy allocates computer system architecture to each system in the program.

Information Security Policies

Enterprise Information Security Policy (EISP)

EISP drives an organization's scope and provides direction to their security policies. These policies support organizations by offering ideology, purpose, and methods to create a secure environment for enterprises.

Issue Specific Security Policy (ISSP)

ISSP directs the audience on the usage of technology-based systems with the help of guidelines. These policies address specific security issues in an organization.

System Specific Security Policy (SSSP)

SSSP directs users while configuring or maintaining a system. The implementation of these policies focuses on the overall security of a particular system in an organization.

Internet Access Policies:-

Promiscuous Policy
Permissive Policy
Paranoid Policy
Prudent Policy

Promiscuous Policy:- No restrictions on Internet/remote access
Nothing is blocked

Permissive Policy:- Known dangerous services/attacks blocked
Policy begins with no restrictions
Known holes plugged; known dangers stopped

Paranoid Policy:- Everything is forbidden
No Internet connection, or severely limited Internet usage
Users find ways around overly severe restrictions

Prudent Policy:- Provides maximum security while allowing known, but necessary, dangers
All services are blocked
Safe/necessary services are enabled individually

MODULE 04 Physical Controls

OSI MODEL (Open Systems Interconnection): how data transfers through a network

this model is divided into 7 different layers (mnemonic "All People Seem To Need Data Processing", read from the application layer down):

physical layer - Processing
data link layer - Data
network layer - Need
transport layer - To
session layer - Seem
presentation layer - People
application layer - All

1. Physical Layer: transmits the raw bit stream over the physical medium
The physical layer is responsible for the physical cable or wireless connection between
network nodes. It defines the connector, the electrical cable or wireless technology connecting the
devices, and is responsible for transmission of the raw data, which is simply a series of 0s and 1s, while taking care of bit rate control.

2. Data Link Layer
defines the format of data on the network

3. Network Layer
decides which physical path the data will take

4. Transport Layer
transmits data using transmission protocols including TCP and UDP

5. Session Layer
maintains connections and is responsible for controlling ports and sessions

6. Presentation Layer
ensures the data is in a usable format and is where data encryption occurs

7. Application Layer
human-computer interaction layer, where applications can access the network services.

types of physical security controls

preventive controls:- security types like door locks and security guards

detective controls:- includes security controls like motion detectors, alarm systems and sensors, etc

deterrent controls:- different types of warning signs

recovery controls:- used to recover from security violations and restore information and systems

compensating controls:-
used as an alternative control when the intended controls have failed
eg. Hot sites, backup power systems.

module 05 TECHNICAL CONTROLS VIMP TOPIC

different types of network segmentation

network segmentation:-
is splitting up the network into smaller network segments

benefits of network segmentation

improved security
better access control
improved monitoring
improved performance
better containment

types of network segmentation:-

physical segmentation
logical segmentation
network virtualization

firewall:- a firewall only protects from network threats which come from outside
a firewall allows or denies 4 things
1.protocols
2.ports
3.programs
4.ip addresses
this all goes under the BASTION HOST

Bastion Host:-
it is a computer system designed and configured to protect network resources from attacks.
it is the only host that can be addressed directly from the public network
it provides a limited range of services such as website hosting and mail to ensure security
need for bastion host:-
minimize chances of penetration by intruders
create all logs which are used to identify attacks or attempts to attack
it provides an additional lvl of security
DMZ(demilitarized zone):-

IDS/IPS:- it is an additional layer of security under the defense-in-depth principle
IDS does several things that a basic firewall cannot do
it helps to minimize the chances of missing security threats that could get past the firewall
it works inside the network, while the firewall works on the outside of the network to prevent intrusion

limitations of IDS (it is not a substitute for):-
network logging systems
antivirus products
vulnerability assessment tools
cryptographic systems

IDS has two different types based on how it reacts

1.Active IDS detects and responds to detected intrusions

2.Passive IDS only detects intrusions

it is also classified into 3 diff types such as

network based:- protects the network
host based:- protects the host
hybrid:- protects both

components of IDS
network sensors
alert system
command console
response system
attack signature database
network sensors:- they are hardware and software components that monitor network traffic and
trigger an alarm if any abnormal activity is detected

placing an IDS:- internet gateway
in between LAN connections
remote access servers used to receive dial-up connections
VPN devices
either side of firewall

IDS doesn't have the capability to make its own decisions; instead it maintains a database of attack signatures and patterns

network topology:- IS A physical and logical arrangement of nodes and connections in a network.
nodes usually include devices such as switches, routers and software with switch and router features

some tools for intrusion detection:-

1. Snort:- it is an open source intrusion detection system, capable of performing
real-time traffic analysis and packet logging on IP networks.

it can perform protocol analysis and content searching/matching and
is used to detect a variety of attacks and probes, such as overflows, stealth port
scans and OS fingerprinting attempts

it uses a flexible rules language to describe traffic that it should collect or pass
as well as a detection engine that utilizes a modular plug-in architecture

Suricata:-

HoneyPot:- it is used to attract and trap hackers who try to attack the organization
honeypot tools:- honeybot
KFSensor
mongoDB-honeyproxy
modern honey network
Espot
honeypy

Proxy servers:- it is a dedicated computer and software system virtually located between
a client and the actual server

it shields the actual server from the real world

VPN(virtual private network):-

used for secured communication and connection
it uses encryption methods to encrypt packets

components of vpn:-
vpn client
network access server(NAS)
tunnel terminating device(vpn server)
vpn protocol

VPN Concentrators:-
used to create secure connections
it acts as a vpn router used to create remote access or site-to-site vpn
it uses a tunnel protocol to negotiate security

VPN Types and Categories:-

Client-to-Site (Remote-access) VPNs

eg. Mobile vpn apps

Site-to-Site VPNs

it is also known as lan to lan or L2L vpns

There are two types of site-to-site VPNs.

Intranet-based: the connection is between sites of a single organization

Extranet-based: VPN connectivity is between different organizations such as business partners, businesses, and clients

Hardware VPNs: A hardware VPN provides load balancing, especially for large client loads.

Software VPNs: A software VPN minimizes the cost of additional hardware purchases.
It has high scalability.

VPN Core Functionality: Encapsulation

VPN encapsulation protocols:

Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
Secure Shell (SSH)
Socket Secure (SOCKS)

Module 06:- VIRTUALIZATION AND CLOUD COMPUTING

TYPES of container
os container
application container

container:-
basically it is a storage place where different os systems are stored
it is faster than virtual machines
it has more security problems

cloud computing:- it is a virtual storage place without any hardware

AWS(amazon web services):-

cloud security tools:-

like CloudPassage Halo
etc

Module 07:- wireless network security

wireless terminologies:-

GSM universal system used for mobile communication in wireless networks worldwide
BANDWIDTH amount of info that is broadcast over a connection

ACCESS POINT(AP) used to connect wireless devices to a wireless/wired network

BSSID it's the MAC address of an AP that sets up a Basic Service Set(BSS)

ISM BAND it is a set of frequencies

HOTSPOT mode of wireless network for public use

classification of wireless network:-

WLAN connects users in a local area with a network. Used in a single room or an entire campus

WPAN it interconnects devices positioned around an individual
the connection in it is wireless and it has a very short range
WWAN it covers a larger area than WLAN, eg. a region or a nation or even the entire globe
WMAN it accesses a broadband area network by using an exterior antenna.
it's a good alternative for fixed-line networks

components of wireless networks:-

access point (AP):- it's a hardware device that allows wireless communication devices to connect
to a wireless network via standards like wifi, bluetooth, etc
wireless card(NIC):- it is a network interface card built into the system for network connection

wireless modem:- it's a device that receives and transmits network signals wirelessly

wireless bridge:- it is used for increasing the coverage area of the wireless network

wireless repeater:- retransmits an existing signal captured from a wireless router or AP to create
a new network
wireless router:- provides internet access to various devices

wireless gateway:- a device that makes it possible for computers and internet capable devices
to access a shared wireless internet connection
wireless usb adapter:-
it's an external wireless connector for devices which don't have a built-in
wireless connecting option

wireless encryption:-

it is a method of encrypting data transmitted through a wireless connection

it is divided into several types such as:-

802.11i :- an IEEE amendment that specifies security mechanisms for 802.11 wireless networks

wep:- an encryption algorithm for IEEE 802.11 wireless networks

eap:- supports multiple authentication methods such as token cards, kerberos and certificates
leap:- a proprietary version of EAP developed by cisco

wpa:- it is an advanced wireless encryption protocol using TKIP and MIC to provide stronger encryption

tkip:- security protocol used in WPA as a replacement for WEP


MODULE 08:- mobile device security

MODULE 09:- IOT DEVICES

IOT:- it's a network of devices having IP addresses and the capability to sense, collect,
and send data using embedded sensors, communication hardware and processors

IOT TOOLS :-
Azure
IBM Watson IoT platform
cloud iot core
Predix
AT&T iot connectivity management

MODULE 10:- CRYPTOGRAPHY AND PUBLIC KEY INFRASTRUCTURE(PKI)

cryptography:-
in this, data is converted into a scrambled code that is encrypted and
sent across a private or public network
it is used to protect email messages, chat sessions, web transactions,
personal data, etc

symmetric encryption:-
it uses a single key for encrypting and decrypting data
it is used to encrypt large amounts of data

Asymmetric encryption:-
it uses two keys
one key is called the public key and the other one is called the private key
it is also called public key encryption
it is used to encrypt small amounts of data
MODULE 11:- DATA SECURITY

IMP STEPS FOR DATA SECURITY

data encryption
data backup
password protection
mirror drive

RAID (redundant array of independent disks) technology:-

it's a method of combining multiple hard drives into one single unit and
writing data across several disk drives, offering fault tolerance:
if one drive fails, the system can continue operating

advantages of RAID:-
it enables a balanced overlap of i/o operations
improves system performance
simplifies storage management
protects against data loss
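An added example (not from these notes or from EC-Council) of the fault tolerance described above, in Python: data is striped across the drives with one XOR parity block per stripe (RAID 5 style, an assumption, since the notes do not name a RAID level), so after any single drive fails every missing block can be recomputed from the survivors, while a second failure loses data. The sample data is constructed.

```python
from functools import reduce


def xor_blocks(blocks) -> bytes:
    """XOR equal-length blocks byte by byte; this is the parity operation."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def write_stripes(data: bytes, drives: int, block: int) -> list:
    """Stripe data across `drives` drives: each stripe holds drives-1 data
    blocks plus one parity block, and the parity position rotates per stripe
    (RAID 5 style). Returns one list of blocks per drive."""
    per_stripe = (drives - 1) * block
    array = [[] for _ in range(drives)]
    for n, start in enumerate(range(0, len(data), per_stripe)):
        stripe = data[start:start + per_stripe].ljust(per_stripe, b"\0")
        chunks = [stripe[i:i + block] for i in range(0, per_stripe, block)]
        chunks.insert(n % drives, xor_blocks(chunks))  # parity slot for this stripe
        for d in range(drives):
            array[d].append(chunks[d])
    return array


def fail_drive(array: list, d: int) -> None:
    """Simulate a drive failure: every block on drive d becomes unreadable."""
    array[d] = [None] * len(array[d])


def read_data(array: list, length: int) -> bytes:
    """Read the original data back, rebuilding any missing block from the
    other blocks of its stripe. Raises if two drives of a stripe are gone."""
    drives = len(array)
    out = bytearray()
    for n in range(len(array[0])):
        chunks = [array[d][n] for d in range(drives)]
        missing = [d for d, c in enumerate(chunks) if c is None]
        if len(missing) > 1:
            raise RuntimeError("more than one drive failed: data lost")
        if missing:  # XOR of the surviving blocks equals the missing one
            chunks[missing[0]] = xor_blocks([c for c in chunks if c is not None])
        parity = n % drives
        out += b"".join(c for d, c in enumerate(chunks) if d != parity)
    return bytes(out[:length])


def survives_failures(data: bytes, drives: int, block: int, failed) -> bool:
    """Write data, fail the given drives, and report whether it reads back intact."""
    array = write_stripes(data, drives, block)
    for d in failed:
        fail_drive(array, d)
    try:
        return read_data(array, len(data)) == data
    except RuntimeError:
        return False


if __name__ == "__main__":
    sample = b"network defense essentials"  # constructed sample data
    for failed in ([], [1], [0, 2]):
        print(f"failed drives {failed}: data intact = {survives_failures(sample, 3, 4, failed)}")
```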

SAN:- high speed network connector like ethernet cable, fibre cable etc

NAS:- nas is a file based data storage service
it is a high performance file server

BACKUP METHODS:-

HOT BACKUP:- IMMEDIATE DATA BACKUP
SWITCH OVER IS POSSIBLE
VERY EXPENSIVE

this backup is done when the system is running

COLD BACKUP:-

this backup is done when the system is not running (shutdown)
LEAST EXPENSIVE
SWITCHING OVER DATA BACKUP REQUIRES ADDITIONAL TIME

WARM BACKUP:- IT IS A HYBRID BACKUP
COMBINATION OF HOT AND COLD BACKUP

LESS EXPENSIVE THAN HOT BACKUP
SWITCHING OVER TAKES LESS TIME THAN COLD BACKUP
BUT MORE TIME THAN HOT BACKUP
LESS ACCESSIBLE THAN HOT BACKUP

BACKUP LOCATIONS:-

ONSITE :- EASILY ACCESSED AND RESTORED
LESS EXPENSIVE
BUT DATA LOSS RISK IS GREATER

OFFSITE :- STORING BACKUP AT REMOTE LOCATIONS

DATA SECURED FROM PHYSICAL SECURITY THREATS LIKE FIRE AND FLOOD

PROBLEM WITH REGULAR DATA BACKUP SCHEDULE

CLOUD:- BACKUP STORED ONLINE

DATA IS ENCRYPTED AND FREE FROM PHYSICAL SECURITY THREATS
DATA CAN BE ACCESSED FROM ANYWHERE

NO DIRECT CONTROL OF BACKUP DATA
TAKES MORE TIME TO BACKUP

BACKUP RETENTION:-
it is storing and maintaining important information

MODULE 12:- NETWORK TRAFFIC MONITORING

network monitoring is required for effective threat detection

advantages of network monitoring:-

understanding how data flows in a network
optimizing network performance
avoiding bandwidth bottlenecks
detecting signs of malicious activity
finding unnecessary and vulnerable apps
investigating security breaches

NETWORK TRAFFIC SIGNATURES:-

it's a set of traffic characteristics such as source/destination
IP addresses, ports, transmission control protocol (TCP) flags, packet length,
time to live (TTL), etc.

signatures are used to define the types of activity on a network

TYPES OF SIGNATURE:-

normal traffic signature:- accepted traffic patterns allowed to enter the network

attack signature:- suspicious traffic patterns not allowed to enter the network
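An added example (not from these notes or from EC-Council) in Python that serves both the IDS attack signature database described in module 05 and the normal/attack signatures described here: each signature is a set of constraints on the characteristics the notes list (source/destination IP, ports, TCP flags, packet length, TTL), attack signatures raise an alert, normal signatures accept, and everything else is reported as unknown. The packets and the signature database are constructed samples, not a real capture or ruleset.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IP
    dst: str            # destination IP
    sport: int
    dport: int
    flags: frozenset    # TCP flags present, e.g. frozenset({"SYN"}); empty for non-TCP
    length: int         # packet length in bytes
    ttl: int            # time to live


def field_matches(wanted, actual) -> bool:
    """One constraint of a signature: a (low, high) range, a CIDR network
    for an address field, or an exact value (ints, strings, flag sets)."""
    if isinstance(wanted, tuple):
        low, high = wanted
        return low <= actual <= high
    if isinstance(wanted, str) and "/" in wanted:
        return ip_address(actual) in ip_network(wanted)
    return wanted == actual


def matches(signature: dict, pkt: Packet) -> bool:
    """A packet matches when every field constraint in the signature holds."""
    return all(field_matches(v, getattr(pkt, k)) for k, v in signature.items())


# Constructed signature database (not a real IDS ruleset).
NORMAL_SIGNATURES = {
    "https-to-dmz": {"proto": "tcp", "dst": "10.0.1.0/24", "dport": 443,
                     "flags": frozenset({"SYN"}), "length": (40, 1500)},
    "dns-from-lan": {"proto": "udp", "src": "10.0.2.0/24", "dst": "10.0.1.53", "dport": 53},
}
ATTACK_SIGNATURES = {
    # a TCP segment with no flags set is never produced by a normal stack
    "null-flags": {"proto": "tcp", "flags": frozenset()},
    # SYN and FIN together is an invalid combination
    "syn-fin": {"proto": "tcp", "flags": frozenset({"SYN", "FIN"})},
    # larger than any legitimate frame on this network
    "oversized-packet": {"length": (1501, 65535)},
    # TTL about to expire at an internal host: a probing pattern
    "ttl-expiring": {"dst": "10.0.0.0/8", "ttl": (0, 1)},
}


def classify(pkt: Packet) -> tuple:
    """Return ("alert", name) for an attack signature, ("accept", name) for a
    normal one, ("unknown", None) otherwise. Attack signatures are checked
    first so a suspicious packet is never accepted by a broad normal rule."""
    for name, sig in ATTACK_SIGNATURES.items():
        if matches(sig, pkt):
            return "alert", name
    for name, sig in NORMAL_SIGNATURES.items():
        if matches(sig, pkt):
            return "accept", name
    return "unknown", None


def classify_all(packets) -> list:
    """Classify a sequence of packets into (src, dst, verdict, signature) rows."""
    return [(p.src, p.dst, *classify(p)) for p in packets]


SAMPLE_PACKETS = [  # constructed, not a real capture
    Packet("tcp", "192.0.2.10", "10.0.1.5", 51000, 443, frozenset({"SYN"}), 60, 64),
    Packet("udp", "10.0.2.7", "10.0.1.53", 49152, 53, frozenset(), 72, 64),
    Packet("tcp", "192.0.2.10", "10.0.1.5", 51001, 443, frozenset({"SYN", "FIN"}), 60, 64),
    Packet("tcp", "192.0.2.10", "10.0.1.5", 51002, 443, frozenset({"SYN"}), 9000, 64),
    Packet("tcp", "203.0.113.4", "10.0.1.5", 40000, 443, frozenset({"SYN"}), 60, 1),
    Packet("tcp", "192.0.2.10", "10.0.2.5", 51003, 22, frozenset({"SYN"}), 60, 64),
]

if __name__ == "__main__":
    for row in classify_all(SAMPLE_PACKETS):
        print(row)
```

The fifth packet would pass the "https-to-dmz" normal signature, yet it is alerted on because attack signatures take precedence; that ordering is what keeps a permissive normal signature from masking a suspicious packet.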

some tools:-

WIRESHARK:- widely used network sniffer for network monitoring and analysis

END

7. Application Layer

top most layer of osi model


provide user interface
enables the user to access network
eg.e-mail, web browser, www, instagram
control data integrity( checks the same
protocols does all work on application la

protocols:- a set of rules that helps in co

applicaton layer protocol:-

r wireless connection between


wireless technology connecting the
ich is simply a series of 0s and 1s, while taking care of bit rate control.
6. Presentation Layer

also known as syntax layer


it present the data to user
ensures that the data transfer is the sam
also do data encryption and code conve
also do compression and decompressio

5. Session Layer

it responsible for opening and closing co


two devices
open and closing time is known as sessi
it ensures that the sessions stays open u
it aslo synchronizes data transfer with c
eg.if 100mb data is transferred this laye
in case of disconnection or crash after 5
s the network services. last checkpoint
that’s why there is no need to transfer a

d sensors, etc
in a networks.
uters and software with switch and router features
de stronger encryption
legal management.

shake authentication(CHAP), or extensible authentication(EAP)


protocol:- HTTP, SMTP 4. Transport Layer

layer of osi model this layer is responssible for e


ser interface it includes taking data from s
he user to access network before sending it to 3d layer
web browser, www, instagram, etc on receivers side transport la
ata integrity( checks the same data transfer without any change before sending to session lay
does all work on application layer it also done flow control and
flow control:-
:- a set of rules that helps in communication between two hosts

n layer protocol:-
FTP error control:-
TELNET
HTTP, etc

3. Network Layer

n as syntax layer this layer responssible for for


the data to user if two devices communicatin
hat the data transfer is the same as the sender sends network layer breaks up segm
ata encryption and code conversion(ASCII, EBCDIC) it also responsible for reassem
ompression and decompression of file or data it also finds the best physical
rounting

2. Data Link Layer


ible for opening and closing communication between
it similar to the network laye
closing time is known as session except data link layer faciliat
that the sessions stays open until all data is transferred it takes packets from networ
chronizes data transfer with checkpoints it also do flow control and er
mb data is transferred this layer sets checkpoint at every 5mb
disconnection or crash after 52mb the session could be start from

y there is no need to transfer all data from start in case of disconnection or crash
a
protocols:- transmission control protocol(TCP), user datagram protocol(UDP)

this layer is responssible for end to end communication between two devices
it includes taking data from session layer and breaking into segments
before sending it to 3d layer
on receivers side transport layer is respossible for re-assembling the segments
before sending to session layer
it also done flow control and error control
flow control:-
it determines an optimal speed of transmission to ensure that the
sender with fast speed does nit overwhelm a receiver with slow connection.

error control:-
it performs on the receiver's end by ensuring that the data received is complete,
if isn't then request retransmission

3. Network Layer

protocols:- IP, ICMP(internet control message protocol), IGMP(internet group message protocol)
this layer is responsible for facilitating data transfer between two different networks.
if two devices are communicating on the same network then this layer is unnecessary
the network layer breaks up segments into smaller units called packets.
it is also responsible for reassembling them on the receiving side
it also finds the best physical path for data to reach its destination, this is known as routing

2. Data Link Layer

it is similar to the network layer
except the data link layer facilitates data transfer between two devices on the same network
it takes packets from the network layer and breaks them into smaller units called frames.
it also does flow control and error control, only on intra-network communication.
1. Physical Layer

it includes physical devices like cables and switches.
it also converts data into bit/binary form eg. 0 and 1
both devices must agree on the signal conversion so that the 1 can be distinguished
from the 0 on both devices.
ETHICAL HACKING ESSENTIAL E|HE

MODULE 01:- INFORMATION SECURITY FUNDAMENTALS

ATTACK = MOTIVE (GOAL) + METHOD + VULNERABILITY

elements of network security:-

Confidentiality:-
information is accessible to only authorized user

integrity:-
prevention of improper changes in data

availability:-
the systems responsible for delivering, storing, and processing information are
accessible when required by authorized users

Authenticity:-
ensures the quality of being genuine or uncorrupted.

Non-Repudiation:-
guarantees that the sender of a message cannot later deny having sent the message
and that the recipient cannot deny having received the message.

security works in a triangle called The Security, Functionality, and Usability Triangle

Functionality: The set of features provided by the system.
Usability: The GUI components used to design the system for ease of use.
Security: Restrictions imposed on accessing the components of the system.

Classification of Attacks

Passive Attacks:- only monitoring data without interfering, eg. sniffing and eavesdropping
Active Attacks:- disrupt the communication, eg. DoS, Man-in-the-Middle, session hijacking, and SQL injection
Close-in Attacks:- being physically close to the system, eg. eavesdropping, shoulder surfing, and dumpster diving
Insider Attacks:- tools:- keyloggers, backdoors, and malware

Passive Attacks:-
o Footprinting
o Sniffing and eavesdropping
o Network traffic analysis
o Decryption of weakly encrypted traffic

Active Attacks:-
o Denial-of-service (DoS) attack
o Bypassing protection mechanisms
o Malware attacks (such as viruses, worms, ransomware)
o Modification of information
o Spoofing attacks
o Replay attacks
o Password-based attacks
o Session hijacking
o Man-in-the-Middle attack
o DNS and ARP poisoning
o Compromised-key attack
o Firewall and IDS attack
o Profiling
o Arbitrary code execution
o Privilege escalation
o Backdoor access
o Cryptography attacks
o SQL injection
o XSS attacks
o Directory traversal attacks
o Exploitation of application and OS software

Close-in Attacks:-
o Social engineering (Eavesdropping, shoulder surfing, dumpster diving, and other methods)

Insider Attacks:-
o Eavesdropping and wiretapping
o Theft of physical devices
o Social engineering
o Data theft and spoliation
o Pod slurping
o Planting keyloggers, backdoors, or malware

Distribution Attacks:-
o Modification of software or hardware during production
o Modification of software or hardware during distribution

Information Security Attack Vectors:-

Cloud computing threats
Advanced persistent threats (APTs)
Viruses and worms
Ransomware
Mobile threats
Botnet
Insider attack
Phishing
Web application threats
IoT threats

Various Information Security Laws and Regulations

Payment Card Industry Data Security Standard (PCI DSS)

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes Oxley Act (SOX)

The Digital Millennium Copyright Act (DMCA)

The Federal Information Security Management Act (FISMA)

General Data Protection Regulation (GDPR)

Data Protection Act 2018 (DPA)

MODULE 02 ETHICAL HACKING FUNDAMENTALS

Cyber Kill Chain Methodology

It helps security professionals to understand the adversary’s tactics, techniques, and procedures beforehand

Reconnaissance:- collecting information about targets

Activities of the adversary include
o Gathering information about the target organization by searching the Internet or through social engineering
o Performing analysis of various online activities and publicly available information
o Gathering information from social networking sites and web services
o Obtaining information about websites visited
o Monitoring and analyzing the target organization’s website
o Performing Whois, DNS, and network footprinting
o Performing scanning to identify open ports and services

Weaponization:- identifying the vulnerabilities and techniques that can be exploited to gain
unauthorized access to the target organization

o Identifying an appropriate malware payload based on the analysis
o Creating a new malware payload or selecting, reusing, or modifying the available
malware payloads based on the identified vulnerability
o Creating a phishing email campaign
o Leveraging exploit kits and botnets

Delivery:- transferring the attack method via email, link, usb, etc.

o Sending phishing emails to employees of the target organization
o Distributing USB drives containing malicious payload to employees of the target organization
o Performing attacks such as watering hole on the compromised website
o Implementing various hacking tools against the operating systems, applications, and
servers of the target organization

Exploitation:- exploitation triggers the adversary’s malicious code to exploit a vulnerability
in the operating system

o Exploiting software or hardware vulnerabilities to gain remote access to the target system

Installation:- the adversary downloads and installs more malicious software on the target system to
maintain access to the target network for an extended period

o Downloading and installing malicious software such as backdoors
o Gaining remote access to the target system
o Leveraging various methods to keep the backdoor hidden and running
o Maintaining access to the target system

Command and Control:- creates a command and control channel, which establishes two-way
communication between the victim’s system and the adversary-controlled server to
communicate and pass data back and forth.

o Establishing a two-way communication channel between the victim’s system and the
adversary-controlled server
o Leveraging channels such as web traffic, email communication, and DNS messages
o Applying privilege escalation techniques
o Hiding any evidence of compromise using techniques such as encryption

Actions on Objectives:- controls the victim’s system from a remote location

Tactics, Techniques, and Procedures (TTPs):-

Tactics:- the different steps taken under the different stages of an attack

Techniques:- methods used for an attack and methods used after the attack
to stay hidden

Procedures:- a sequence of actions performed by the threat actors

Adversary Behavior:-
Adversary behavioral identification involves the identification of the common methods or techniques
followed by an adversary to launch attacks on or to penetrate an organization’s network

Internal Reconnaissance:-
Once the adversary is inside the target network, they follow various techniques and
methods to carry out internal reconnaissance. This includes the enumeration of
systems, hosts, processes, the execution of various commands to find out information
such as the local user context and system configuration, hostname, IP addresses, active
remote systems, and programs running on the target systems

Use of PowerShell:-
PowerShell can be used by an adversary as a tool for automating data exfiltration and
launching further attacks.

Unspecified Proxy Activities:-
the adversary creates and configures multiple domains pointing to the same host

Use of Command-Line Interface:-
an adversary can make use of the command-line interface to interact with the
target system, browse the files, read file content, modify file content, create
new accounts, connect to the remote system, and download and install malicious code

HTTP User Agent:-
An adversary modifies the content of the HTTP user agent field to
communicate with the compromised system and to carry out further attacks

Command and Control Server:-
Adversaries use command and control servers to communicate remotely with
compromised systems through an encrypted session.

Use of DNS Tunneling:-
Using DNS tunneling, an adversary can also communicate with the command and
control server, bypass security controls, and perform data exfiltration.

Use of Web Shell:-
Using a web shell, an adversary performs various tasks such as data exfiltration,
file transfers, and file uploads.

Data Staging:-
the adversary uses data staging techniques to collect and combine as much data as possible

Indicators of Compromise (IoCs):-
Indicators of Compromise (IoCs) are the clues, artifacts, and pieces of forensic data
found on the network or operating system of an organization that indicate a
potential intrusion or malicious activity in the organization’s infrastructure

Categories of Indicators of Compromise:-

Email Indicators:- used to send malicious data to the target organization or individual
Network Indicators:- useful for command and control, malware delivery, identifying the
operating system, and other tasks
Host-Based Indicators:- found by performing an analysis of the infected system within the
organizational network
Behavioral Indicators:- used to identify specific behavior related to malicious activities

key Indicators of Compromise (IoCs):

o Unusual outbound network traffic
o Unusual activity through a privileged user account
o Illegitimate files and software
o Geographical anomalies
o Multiple login failures
o Increased database read volume
o Large HTML response size
o Multiple requests for the same file
o Mismatched port-application traffic
o Unusual usage of ports and protocols
o Suspicious registry or system file changes
o Unusual DNS requests
o Malicious emails
o Unexpected patching of systems
o Signs of Distributed Denial-of-Service (DDoS) activity
o Service interruption and defacement
o Bundles of data in the wrong places
o Web traffic with superhuman behavior
o A drastic increase in bandwidth usage
o Malicious hardware
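Detection logic for three of the key IoCs in the list above, added here as an example (it is not code from the original notes): "Multiple login failures", "Unusual DNS requests" (long or random-looking labels, the usual trace of the DNS tunneling described under adversary behavior) and "Unusual outbound network traffic". The log lines, the field names (user, src, result, qname, bytes_out), the example.com / .test domain names and every threshold are constructed for the example; in practice the thresholds come from a baseline of the organization's normal activity.

```python
"""Simple IoC checks run over constructed sample log lines.

Added example, not part of the original notes. The log format, field names,
domain names and thresholds below are all assumptions made for this example.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample records in a simple "kind key=value ..." format.
AUTH_LOG: List[str] = [
    "auth user=alice src=10.0.0.5 result=FAIL",
    "auth user=alice src=10.0.0.5 result=FAIL",
    "auth user=alice src=10.0.0.5 result=FAIL",
    "auth user=alice src=10.0.0.5 result=FAIL",
    "auth user=alice src=10.0.0.5 result=FAIL",
    "auth user=bob src=10.0.0.6 result=FAIL",
    "auth user=bob src=10.0.0.6 result=OK",
]
DNS_LOG: List[str] = [
    "dns src=10.0.0.7 qname=www.example.com",
    "dns src=10.0.0.7 qname=updates.example.org",
    "dns src=10.0.0.7 qname=mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.exfil-example.test",
    "dns src=10.0.0.7 qname=x7k2p9q4m1z8.exfil-example.test",
]
FLOW_LOG: List[str] = [
    "flow src=10.0.0.5 dst=198.51.100.20 bytes_out=1200000",
    "flow src=10.0.0.7 dst=203.0.113.9 bytes_out=30000000",
    "flow src=10.0.0.7 dst=203.0.113.9 bytes_out=22000000",
]


def parse(line: str) -> Dict[str, str]:
    """Turn 'kind k1=v1 k2=v2' into a dict of fields (the kind word is dropped)."""
    return dict(field.split("=", 1) for field in line.split()[1:])


def login_failures(lines: List[str], threshold: int = 5) -> Dict[str, int]:
    """IoC: multiple login failures for the same account from the same source."""
    counts: Counter = Counter()
    for rec in map(parse, lines):
        if rec.get("result") == "FAIL":
            counts[(rec["user"], rec["src"])] += 1
    return {"%s@%s" % key: n for key, n in counts.items() if n >= threshold}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    freq = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in freq.values())


def suspicious_dns(lines: List[str], max_label_len: int = 30, min_entropy: float = 3.5) -> List[str]:
    """IoC: unusual DNS requests whose leftmost label is very long or random-looking,
    which is where tunneled data normally ends up in a DNS query."""
    hits = []
    for rec in map(parse, lines):
        label = rec["qname"].split(".")[0]
        if len(label) > max_label_len or shannon_entropy(label) > min_entropy:
            hits.append(rec["qname"])
    return hits


def unusual_outbound(lines: List[str], baseline_bytes: int = 10_000_000) -> Dict[str, int]:
    """IoC: a host sending far more data out than the assumed per-host baseline."""
    totals: Dict[str, int] = defaultdict(int)
    for rec in map(parse, lines):
        totals[rec["src"]] += int(rec["bytes_out"])
    return {src: n for src, n in totals.items() if n > baseline_bytes}


if __name__ == "__main__":
    print("login failures:", login_failures(AUTH_LOG))
    print("suspicious dns:", suspicious_dns(DNS_LOG))
    print("unusual outbound:", unusual_outbound(FLOW_LOG))
```

Each check is deliberately a single pass over one log source, because that is how such indicators are usually wired into a SIEM rule: the interesting part is correlating the hits (here, host 10.0.0.7 shows up in both the DNS and the outbound-volume results), which is the step an analyst does next.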
