Few InfoSec Concepts

Table of Contents

very imp skill: google/searching

Management

Services Management
Change Management
Incident Management
Problem Management
Build/Release

Regulatory

SEBI
RBI
IRDA
HIPAA
SOC Type 1/2/3
CERT-IN
GDPR
DPAI
IDRBT
RBI Circulars
SOX
PCI DSS
AI Act Read

VA/PT

Response codes
Types of Network Attacks + Web attacks
Tools - Burp, Acunetix, gobuster, nmap, nc
Enumeration + PortScan
Blind shell, Reverse Shell
Reporting (+Doc)
Recon - Active/Passive
Kill chain process
Social Engineering
Code Review
Cryptography
OWASP top 10
Testing - Black/White/Grey
APT
MFA
SSDLC
CRM

Cloud

IAAS/PAAS/SAAS/CAAS
mybox / types
Network Virtualization (SDN)
Challenges / Edge Computing
XSS/SSRF/Injections
MITM/DDOS
M365/O365

Network Components

Firewall (DMZ)
TCP/IP - 4 layers
OSI - 7 layers
Ports
Protocol
NAT + VLAN + DNS Records + Subnet
VPN (Tunnels)
Routing Protocol
Tools - wireshark, nmap, Nessus, tcpdump
Packet Analysis
Encryption / Encoding /IDS / IPS
AD /IAM / A.V.
Sandboxing
Honeypot/ Honeynet
ICMP
Endpoint
Botnet
IPS/HSM
Virtualization
checksum
TLS/SSL
Rootkit
SSH
NIPS / HIPS
NIDS /HIDS
XDR
VoIP
CIA
H/W components
AAA , Availability
IC

Compliance

NIST
CIA
ECC
IEC
Mitigation
New 11 controls of 27001:2022
Differences

ISO 27001

clauses
controls (Annex A)
27001:2022

Red/Blue/Purple

Linux cmds
Powershell
Automation

Blue

SOC
SIEM (IDS/IPS, SOAR)
Path mgmt.
Threat Detection/Management
Logic bomb + Wireless Network Attacks
IRP/BCP/DRP
Signature & Anomaly based detection
Incident Response
Cyber threat intelligence
First Responder
Docker/Containment/K8

Extra

DRM
Zero Trust
OEM

SOC

SIEM (IDS/IPS, SOAR)
Path mgmt.
Threat Detection/Management
Logic bombs (worms) within Net. Attacks
IRP/BCP/DR
Sigma rule & Anomaly detection

Notes

Management

Services Management
- Definition: Services Management encompasses the strategic approach to designing, delivering, managing, and improving the way IT services are provided. It aims to ensure that IT services align with the needs of the business and provide value to both the organization and its customers.
- Focus Area: This typically involves processes and practices derived from frameworks like ITIL (Information Technology Infrastructure Library), focusing on service strategy, design, transition, operation, and continuous improvement.
Change Management
- Definition: Change Management in cybersecurity refers to the systematic approach to dealing with alterations in IT infrastructure, software, and procedures to minimize risks and ensure continuity of operations. It involves steps for requesting, reviewing, approving, and implementing changes in a controlled manner.
- Focus Area: Ensuring changes do not compromise security or introduce vulnerabilities, including risk assessment, stakeholder communication, and post-implementation review.
Incident Management
- Definition: Incident Management is the process of identifying, analyzing, and responding to cybersecurity incidents or breaches. The goal is to manage the incident effectively to minimize impact, recover services, and mitigate any vulnerabilities exploited.
- Focus Area: Rapid detection and response, containment strategies, eradication of threats, recovery of systems, and lessons learned for improving future security posture.
Problem Management
- Definition: Problem Management is the process aimed at identifying and managing the underlying causes of recurring incidents to prevent future occurrences. It involves root cause analysis, workaround identification, and permanent solutions to eliminate the problem.
- Focus Area: Distinguishing between incident management (immediate, tactical response) and problem management (strategic, long-term resolution), focusing on reducing recurring incidents and improving overall system reliability.
Build/Release Management
- Definition: Build/Release Management in the context of cybersecurity involves the processes, tools, and practices for managing development stages from build through deployment in a secure and controlled manner. It ensures that code changes are securely integrated, tested, and released into production environments without introducing vulnerabilities.
- Focus Area: Secure development lifecycle practices, automated security testing in CI/CD pipelines, version control, and managing deployment schedules to minimize disruptions and ensure integrity of production systems.

SEBI (Securities and Exchange Board of India)

Purpose: Regulates the securities market in India to protect investors and promote the development of, and to regulate, the securities market.
Cybersecurity Relevance: SEBI mandates cybersecurity frameworks for market infrastructure institutions to protect against breaches and unauthorized trading activities.

RBI (Reserve Bank of India)

India’s central banking institution, which controls the issuance and supply of the Indian rupee and manages the country’s main payment systems.
Issues guidelines for cybersecurity frameworks within banks to secure online banking, payment systems, and financial services.

IRDA (Insurance Regulatory and Development Authority)

Regulates and promotes the insurance and re-insurance industries in India.
Mandates insurance companies to adopt information security measures to protect sensitive policyholder data.

HIPAA (Health Insurance Portability and Accountability Act)

U.S. legislation that provides data privacy and security provisions for safeguarding medical information.
Requires healthcare entities to implement physical, network, and process security measures.

SOC (System and Organization Controls) Type 1/2/3

Auditing procedures that ensure the secure management of data by service providers.
- Type 1: Tests and reports on the design of a service organization’s controls at a specific point in time.
- Type 2: Tests and reports on the operational effectiveness of these controls over a defined period.
- Type 3: Similar to Type 2 but intended for a broader audience, with a focus on controls related to security, availability, processing integrity, confidentiality, or privacy.

CERT-IN (Indian Computer Emergency Response Team)

The national agency for responding to computer security incidents as they occur in India.
Issues guidelines and advisories on cybersecurity threats and measures.

GDPR (General Data Protection Regulation)

Sets guidelines for the collection and processing of personal information from individuals who live in the European Union and the European Economic Area.
GDPR: General Data Protection Regulation, EU law on data privacy and protection.
Effective Date: May 25, 2018.
Principles: Lawfulness, transparency, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
Rights: Access, rectification, erasure, restrict processing, data portability, object, and protection from automated decision-making.
Compliance: Requires technical and organizational measures; violations can lead to fines up to €20M or 4% of annual global turnover, whichever is higher.
DPO Requirement: Mandatory for organizations processing large volumes of special category data, monitoring individuals on a large scale, or public authorities.

DPDP (Digital Personal Data Protection) Act, 2023

Enhances personal digital data privacy and establishes a data protection framework.
Key Provisions:
- Data Principals/Fiduciaries: Defines roles and outlines their rights and duties.
- Consent: Requires clear consent for data processing.
- Data Protection Authority: Sets up a regulatory body for oversight.
- Individual Rights: Grants rights for data access, correction, and deletion.
- Data Localization: May require storing specific data within India.
- Breach Notification: Obligates prompt breach reporting.
- Penalties: Includes fines for non-compliance.
Cybersecurity Implications:
- Enforces data security measures.
- Promotes privacy by design.
- Potentially requires impact assessments for certain data processing activities.

IDRBT (Institute for Development and Research in Banking Technology)

Established by the Reserve Bank of India for research and development in banking technology.
Focuses on making the banking and financial services sectors more secure against cyber threats.

RBI Circulars

Official communications issued by the RBI to banks and financial institutions, detailing new regulations or amendments to existing ones.
Often include guidelines and directives on cybersecurity practices, digital payments security, and data protection.

SOX (Sarbanes-Oxley Act)

U.S. law that sets standards for all U.S. public company boards, management, and public accounting firms.
Includes requirements for internal controls and reporting on the effectiveness of those controls, including those over financial reporting and data integrity.

PCI DSS (Payment Card Industry Data Security Standard)

Information security standard for organizations that handle branded credit cards from the major card schemes.
Provides a baseline of technical and operational requirements designed to protect account data.

AI Act (Artificial Intelligence Act)

Note: Refers to proposed legislation in the European Union aimed at regulating artificial intelligence to ensure safety and rights protection.
Though primarily focused on AI, it will have implications for cybersecurity, particularly in ensuring AI systems are developed and used in a secure manner.

VA/PT

Request Codes

200 OK: The request has succeeded. The meaning of the success depends on the HTTP method:
- GET: The resource has been fetched and transmitted in the message body.
- POST: The resource describing the result of the action is transmitted in the message body.
- TRACE: The message body contains the request message as received by the server.
301 Moved Permanently: This response code means that the URI of the requested resource has been changed permanently. The new URI is usually provided in the response.
400 Bad Request: The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
401 Unauthorized: The request has not been applied because it lacks valid authentication credentials for the target resource.
403 Forbidden: The server understood the request but refuses to authorize it. Unlike 401, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.
404 Not Found: The server can’t find the requested resource. This is often used when the server does not wish to reveal exactly why the request has been refused or when no other response is applicable.
500 Internal Server Error: The server encountered an unexpected condition that prevented it from fulfilling the request.
502 Bad Gateway: The server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed in attempting to fulfill the request.
503 Service Unavailable: The server is not ready to handle the request. Common causes are a server that is down for maintenance or that is overloaded. This response should be used for temporary conditions and the Retry-After HTTP header should, if possible, contain the estimated time before the recovery of the service.

Attacks

Network Attacks:

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
Man-in-the-Middle (MitM) attacks
Packet sniffing
Spoofing attacks (IP, ARP, DNS)
Session hijacking
Port scanning

Web Attacks:

SQL Injection (SQLi)
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
File Inclusion Vulnerabilities (Local File Inclusion - LFI and Remote File Inclusion - RFI)
Command Injection
Directory Traversal
Security Misconfiguration
Broken Authentication
Sensitive Data Exposure

Spoofing Attacks:

These involve impersonating another device or user on a network to gain unauthorized access to systems, steal data, or spread malware. Common types include IP address spoofing, email spoofing, and DNS spoofing.

Man-in-the-Middle (MitM) Attacks:

An attacker intercepts communication between two parties to secretly eavesdrop, modify, or redirect the communication. This can occur in unsecured Wi-Fi networks or through software vulnerabilities.

Local File Inclusion (LFI):

A type of attack where an attacker tricks a web application into executing or exposing files on the web server. LFI exploits vulnerabilities that allow an attacker to include files on a server through the web browser.

Remote File Inclusion (RFI):

Similar to LFI, but the attacker aims to include remote files or scripts over the network to be executed on the web server. This can lead to data theft, site defacement, or server compromise.

Broken Access Control:

Occurs when a user can access data or perform actions they are not authorized for. This could be due to misconfigurations or flawed design in an application’s permission settings, leading to unauthorized access or data exposure.

Tools

Burp Suite:

Type: Web vulnerability scanner and penetration testing tool.
Function: Assists in testing the security of web applications by identifying potential vulnerabilities.
Features: Includes an intercepting proxy, scanner, intruder, repeater, decoder, and comparer.
Use Case: Ideal for performing manual and automated tests on web applications to identify security flaws.

Acunetix:

Type: Automated web application security testing tool.
Function: Scans websites and web applications to find and report security vulnerabilities.
Features: Supports a wide range of web technologies, including HTML5, JavaScript, and single-page applications.
Use Case: Suited for businesses looking to assess web application vulnerabilities quickly and efficiently.

Gobuster:

Type: Open-source tool for web content discovery.
Function: Uses brute-force methodology to discover directories and files within web applications.
Features: Capable of discovering hidden resources that are not directly linked in the application.
Use Case: Useful for penetration testers and security researchers for initial reconnaissance of web applications.

Nmap (Network Mapper):

Type: Network discovery and security auditing tool.
Function: Used to discover hosts and services on a computer network by sending packets and analyzing the responses.
Features: Includes features like host discovery, port scanning, version detection, and OS detection.
Use Case: Widely used for network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Netcat (nc):

Type: Networking utility for reading from and writing to network connections using TCP or UDP.
Function: Often referred to as the “Swiss army knife” of networking because of its versatility.
Features: Can create any kind of connection where it can send and receive data, including port scanning, transferring files, and port listening.
Use Case: Used by administrators, developers, and testers for debugging and investigating the network.

Enumeration:

Involves active connections to systems and using protocols like SNMP, LDAP, or SMB to query and extract system information.
Techniques may include extracting user lists via NetBIOS, querying DNS for records about the target, or leveraging directory services.
Tools such as LDAPenum, NBTscan, and enum4linux are often used for targeted enumeration efforts.

Port Scanning:

Involves probing a target system’s TCP and UDP ports to identify active services and infer the operating system and software versions.
Techniques can vary from SYN scans (half-open), which don’t complete TCP handshakes, to more stealthy scans like FIN, NULL, or Xmas, designed to evade detection.
Tools like Nmap offer advanced features, such as version detection (-sV), operating system detection (-O), and scriptable interaction with target services through the Nmap Scripting Engine (NSE).

Technical Distinction:

Port scanning is a precursor to enumeration in the penetration testing methodology, used to map out a target’s network interface for open ports and service types.
Enumeration takes the information gathered from port scans to perform a deeper analysis of the discovered services, identifying potential vectors for exploitation based on the software and configurations discovered.
While port scanning can be seen as identifying “what doors and windows are open” on a target, enumeration is about “finding out what’s behind those doors and windows.”

Blind/Rev Shell

Blind Shell:

In cybersecurity, a Blind Shell refers to a scenario where an attacker gains command execution on a target system but lacks a direct standard output (stdout) to see the results of the executed commands.
This limitation often results from restrictions in the environment or the execution context, requiring the attacker to infer success or gather output through alternative means, such as by manipulating the file system or initiating outbound connections to exfiltrate data.
Techniques for operation in a Blind Shell environment might include executing commands that change the state of the system or data, which can then be verified through side-channel observations.

Reverse Shell:

A Reverse Shell is a shell session established on a remote host, initiated from the target machine back to the attacker’s machine. This is achieved by exploiting vulnerabilities in the target system to execute a payload that connects to a listening port on the attacker’s machine.
This technique effectively circumvents network perimeter defenses, like firewalls, that may block incoming connections but allow outgoing connections from the target.
Reverse Shells are highly favored in penetration testing and malicious activities for gaining interactive control over the target. The connection is typically established via common networking protocols (TCP/UDP) or web-based protocols (HTTP/HTTPS) to blend with regular traffic and evade detection.

Key Technical Difference:

Connection Initiation and Control: A Blind Shell operates under the constraint of non-interactive command execution without real-time output visibility. A Reverse Shell circumvents this by establishing an interactive session where the target system initiates the connection to the attacker’s listening service, providing a bidirectional communication channel.
Use Cases: Blind Shells might be employed in highly restricted environments where establishing a full reverse shell is not feasible. Reverse Shells are used when more comprehensive control and interaction with the target system are required, allowing for a wide range of operations including file transfer, system reconnaissance, and lateral movement within the network.

Reporting in Cybersecurity

Incident Reports: Detail the specifics of cybersecurity incidents, including the nature of the breach, impacted systems, the data compromised, and the timeline of the event. These reports are essential for forensic analysis and for developing strategies to prevent future incidents.
Threat Intelligence Reports: Compile information on current cyber threats, including threat actors, their tactics, techniques, and procedures (TTPs), and advised defensive measures. These reports help organizations stay ahead of potential security threats.
Compliance Reports: Verify and document adherence to relevant cybersecurity standards and regulations (e.g., GDPR, HIPAA, SOC 2). They are crucial for legal and regulatory compliance and often required by stakeholders to ensure the organization meets industry security standards.
Vulnerability and Risk Assessment Reports: Identify, categorize, and prioritize vulnerabilities within an organization’s digital infrastructure. These reports are essential for understanding the risk landscape and guiding remediation efforts.
Audit Reports: Conducted by internal or external parties, audit reports evaluate the effectiveness of an organization’s information security policies, controls, and management processes. They are pivotal for identifying gaps and recommending improvements.

Documentation in cyber

Policies and Procedures: Document the rules, responsibilities, and processes that govern how an organization protects its information assets. This includes access control policies, incident response plans, and data protection policies.
Configuration Baselines and Standards: Establish and record baseline configurations for systems and networks. This documentation is vital for maintaining security configurations, hardening systems, and ensuring consistent security posture across the organization.
Training and Awareness Materials: Documentation aimed at educating employees about cybersecurity best practices, recognizing phishing attempts, and understanding the importance of security policies.
Architecture Diagrams and Network Maps: Visual representations of network and system architectures, including firewalls, routers, and other security devices. These documents are essential for planning security measures and responding to incidents.
Change Management Logs: Record changes to the IT environment, including system updates, configuration changes, and the addition or removal of hardware and software. These logs are crucial for tracking modifications that might affect the organization’s security posture.

Active / Passive

Active Attack:

An active attack involves an attacker attempting to alter system resources or affect their operation.
It’s characterized by unauthorized data modification, data fabrication, and denial of service.
Examples include virus spreading, message modification, and denial of service (DoS) attacks.

Passive Attack:

A passive attack involves an attacker making copies of transmitted information without alteration.
The goal is to obtain data without detection, not to alter it.
Examples include eavesdropping on, or monitoring of, transmissions to gain information that can be used for malicious purposes.

Cyber Kill Chain

The Cyber Kill Chain process is a framework developed by Lockheed Martin to identify and prevent cyber intrusions. Here’s a concise overview:

Reconnaissance: The attacker gathers information about the target to find vulnerabilities.
Weaponization: Creation of malware designed to exploit the identified vulnerabilities.
Delivery: Transmitting the weaponized bundle to the target through email, web, USB, etc.
Exploitation: The malware exploits a vulnerability to execute on the target’s system.
Installation: The malware establishes a presence on the target system, allowing persistent access.
Command and Control (C2): The compromised system establishes a channel to a remote server for control by the attacker.
Actions on Objectives: The attacker takes actions to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

This framework helps organizations understand and combat cyber attacks by breaking down the attack process.

Social Engineering:

Social engineering is a manipulation technique that tricks humans to gain reveal private information, access, or valuables.
It relies on human interaction and often involves tricking people into breaking normal security procedures.
Example: Phishing emails that mimic legitimate companies, asking users to provide sensitive information or click on malicious links, exploiting trust to steal data.

what is Code Review?

Code review is a systematic examination of computer source code intended to find and fix mistakes overlooked in the initial development phase, improving both the overall quality of software and the developers’ skills.
It involves checking a fellow programmer’s code for errors, adherence to coding standards, and other best practices before merging it into the main codebase.

components:

Objective Analysis: Evaluating code for functionality, efficiency, and compliance with coding standards and guidelines.
Automated Tools: Utilizing software tools to scan code for common errors and adherence to style guides.
Peer Feedback: Engaging peers to review code, providing insights, and suggesting improvements based on their experience.
Documentation Review: Ensuring comments and documentation are accurate and sufficient for understanding the code’s purpose and operation.
Security Checks: Identifying potential security vulnerabilities or breaches of best practices in handling data and operations.
Performance Analysis: Assessing the code’s impact on system performance, including resource utilization and speed.
Compliance Verification: Confirming the code meets legal and regulatory requirements, especially for projects in regulated industries.

Cryptography:

Cryptography is the practice and study of techniques for secure communication between two parties in the presence of third parties called adversaries.
It involves creating and analyzing protocols that prevent third parties or the public from reading private messages.
Key components include encryption (converting plain text to scrambled text), decryption (converting back to readable form), and cryptographic keys (secret codes).

Uses:

Protecting sensitive information transmitted over the internet or stored on digital devices.
Ensuring the confidentiality and integrity of data.
Authenticating user identities and safeguarding against tampering and fraud in digital transactions.
Employed in various applications, including secure communications, e-commerce transactions, password protection, and confidential data storage.

OWASP Top 10

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Organizations, companies, and developers use it to prioritize security vulnerabilities to guard against. The latest version, is from 2021:

Broken Access Control: Allows attackers to bypass authorization to view or edit sensitive data and perform unauthorized functions.
Cryptographic Failures (formerly known as Sensitive Data Exposure): Weaknesses in cryptography that expose sensitive data to attackers, such as passwords, financial information, or personal data.
Injection: Attackers can send malicious data to an application, leading to the execution of unintended commands or access to data without proper authorization. Common examples include SQL, NoSQL, OS, and LDAP injection.
Insecure Design: A broad category focusing on risks associated with design flaws and missing controls rather than implementation bugs. This emphasizes the importance of secure design principles from the ground up.
Security Misconfiguration: Poor security configurations, default configurations, incomplete or ad hoc configurations, open cloud storage, verbose error messages containing sensitive information, etc.
Vulnerable and Outdated Components: Using components with known vulnerabilities or failing to update components promptly can expose web applications to security risks.
Identification and Authentication Failures: Weaknesses in authentication and session management, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities temporarily or permanently.
Software and Data Integrity Failures: Insecure software updates, critical data without integrity checks, and unsafe third-party components can lead to unauthorized access or malicious code execution.
Security Logging and Monitoring Failures: Insufficient logging, monitoring, and alerting, which delays or prevents detection of breaches or policy violations.
Server-Side Request Forgery (SSRF): By exploiting vulnerable components, attackers can force the server to execute unintended requests to access or manipulate internal resources.

Testing - Black/White/Grey

Black Box Testing:
- Tester has no prior knowledge of the network infrastructure or system to be tested.
- Similar to a real-life scenario where a thief attempts to break into a house without knowing the interior layout, relying solely on the vulnerabilities visible from the outside.
White Box Testing:
- Tester has complete knowledge of the infrastructure and software being tested, including access to source code, network diagrams, and credentials.
- Comparable to giving a security expert full blueprints of a building, including hidden passages and security measures, to assess vulnerabilities.
Grey Box Testing:
- A hybrid approach where the tester has some knowledge about the internal workings of the system, but not as much as in white box testing.
- Similar to a security assessment where a consultant is given partial information about a company’s network, like network diagrams or application details, but not the full source code or credentials, to find vulnerabilities.

APT

APT stands for Advanced Persistent Threat. It describes a sophisticated, systematic cyberattack process where an attacker gains unauthorized access to a network and remains undetected for a long period of time. The purpose is often to steal data rather than to cause immediate damage.
Characteristics:
- Highly sophisticated and well-funded attackers, often state-sponsored.
- The use of advanced techniques and malware to exploit vulnerabilities.
- Long-term presence in the targeted network to extract sensitive information.
Example:
- SolarWinds Hack (APT29, also known as Cozy Bear): Discovered in December 2020, this sophisticated cyber espionage campaign compromised the SolarWinds Orion software supply chain. The attackers inserted a malicious code into the software updates, which, when installed by the customers, opened backdoors into the targeted networks. This APT campaign is attributed to a Russian cyber espionage group and affected thousands of SolarWinds’ customers worldwide, including government agencies and large corporations. The goal was to spy on and extract sensitive information over a prolonged period, demonstrating the stealth and persistence characteristic of APTs.

MFA

It is a security mechanism that requires users to provide two or more verification factors to gain access to a resource, such as an application, online account, or a VPN.
MFA increases security by combining something the user knows (password), something the user has (a security token or a smartphone app that generates a one-time code), and/or something the user is (biometric verification like fingerprints or facial recognition).
By requiring multiple methods of authentication, MFA makes it more difficult for unauthorized persons to access a device or network because even if one factor (like a password) is compromised, the attacker still needs to bypass the additional factor(s).

SSDLC

SSDLC stands for Secure Software Development Life Cycle.
It is an approach to software development that integrates security practices and considerations into each phase of the software development life cycle (SDLC).
The goal is to ensure that security is a priority from the initial design through development, deployment, and maintenance, rather than being added as an afterthought.
Key phases typically include requirements analysis, design, implementation, testing, deployment, and maintenance.
By embedding security measures such as threat modeling, code reviews, and security testing throughout these phases, the SSDLC aims to minimize vulnerabilities and reduce the risk of security incidents.

CRM

CRM stands for Customer Relationship Management.
It’s a technology for managing all your company’s relationships and interactions with current and potential customers.
The goal is to improve business relationships to grow the business.
A CRM system helps companies stay connected to customers, streamline processes, and improve profitability.
It integrates and analyzes data from various touchpoints, including websites, emails, phone calls, and social media interactions, providing a comprehensive view of each customer journey.
This enables personalized customer engagement, sales management, productivity enhancement, and facilitates the aggregation of customer data into actionable insights.

IaaS/PaaS/SaaS

IaaS (Infrastructure as a Service):
- Provides virtualized computing resources over the internet.
- Users manage operating systems, applications, and middleware.
- Examples: Amazon Web Services (AWS) EC2, Google Compute Engine.
PaaS (Platform as a Service):
- Offers hardware and software tools over the internet, typically for application development.
- Users manage applications and data.
- Examples: Google App Engine, Microsoft Azure App Services.
SaaS (Software as a Service):
- Delivers software applications over the internet, on a subscription basis.
- Users manage their data and user interactions with the software.
- Examples: Google Workspace, Salesforce, Microsoft Office 365.
XaaS (Anything as a Service):
- Refers to the growing diversity of services available over the internet via cloud computing that goes beyond the traditional models.
- Encompasses anything that can be delivered through the cloud.
- Examples: Storage as a Service (STaaS), Security as a Service (SECaaS), Database as a Service (DBaaS).

Hybrid Cloud

Hybrid Cloud: Typically involves the integration of on-premises infrastructure (or private clouds) with public cloud services. This setup allows organizations to keep sensitive or critical workloads on their private infrastructure while leveraging the scalability and cost-effectiveness of public cloud services for less sensitive tasks.

Types of cloud:

Public Cloud:
- Operated by third parties, services and infrastructure are hosted off-site and shared across multiple tenants.
- Examples: AWS, Microsoft Azure, Google Cloud Platform.
Private Cloud:
- Exclusive use by a single organization, hosted internally or by a third party.
- Characteristics: Offers greater control and privacy.
Community Cloud:
- Shared by several organizations with common concerns (e.g., security, compliance).
- Purpose: Supports a community that shares similar needs.
Hybrid Cloud:
- Combines public and private clouds, allowing data and applications to be shared between them.
- Advantage: Flexibility to move processes or data between cloud solutions as needs and costs fluctuate.

Network & Storage Virt.

Network Virtualization:

Network virtualization combines hardware and software network resources and network functionality into a single, software-based administrative entity.
This technique allows multiple virtual networks to run on the same physical network, with each virtual network operating independently.
Increases flexibility, scalability, and ease of management, while reducing physical hardware costs and improving network efficiency.

Storage Virtualization:

Storage virtualization involves pooling physical storage from multiple network storage devices into what appears to be a single storage device that is managed from a central console.
This approach improves scalability and offers more efficient storage management and resource utilization.
Enhances fault tolerance, provides seamless storage expansion, and improves performance by balancing loads across multiple physical resources.

Challenges associated with CC

Security and Privacy: Ensuring the security and privacy of data stored in the cloud is crucial. There’s a need for robust encryption, access controls, and regular security audits.
Compliance: Adhering to regulatory requirements can be complex, especially in industries like finance and healthcare, where data handling standards are stringent.
Cost Management: While cloud computing can be cost-effective, managing expenses and avoiding cost overruns from scalable resources requires careful planning and monitoring.
Performance and Downtime: Dependence on the internet means that any connectivity issues can lead to performance bottlenecks or service downtime.
Data Mobility: Transferring data between different cloud services or from cloud to on-premises systems can be challenging due to large volumes or compatibility issues.

Edge Computing:

Edge computing refers to the processing of data near the source of data generation, rather than relying on a central data center.
This approach reduces latency, enhances response times, and conserves bandwidth.
Commonly used in IoT networks, real-time data processing, and applications requiring instant decision-making.

Injections

Injection attacks exploit insecure handling of user data in applications, where malicious data sent by an attacker is executed as part of commands or queries.

SQL Injection (SQLi):
- Description: Attacker manipulates SQL queries by injecting malicious SQL code through application inputs.
- Example Payload: ' OR '1'='1
- Sample Vulnerable Code:
```
String query = "SELECT * FROM users WHERE username = '" + userInput + "'";
```
Cross-site Scripting (XSS):
- Description: Malicious scripts are injected into web pages viewed by other users.
- Example Payload: <script>alert('XSS')</script>
- Sample Vulnerable Code:
```
<div>Username: <%= userInput %></div>
```
Command Injection:
- Description: Attacker executes arbitrary system commands on a host operating system through a vulnerable application.
- Example Payload: ; rm -rf /
- Sample Vulnerable Code:
```
Runtime.getRuntime().exec("ping " + userInput);
```
LDAP Injection:
- Description: Attacker alters LDAP statements using malicious input to execute arbitrary LDAP commands.
- Example Payload: *)(uid=*))(|(uid=*
- Sample Vulnerable Code:
```
String query = "(cn=" + userInput + ")";
```
XML External Entity (XXE):
- Description: Attacker exploits vulnerable XML parsers to extract data, execute remote requests, or cause denial of service.
- Example Payload: <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
- Sample Vulnerable Code:
```
DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document doc = db.parse(userInput);
```
Template Injection:
- Description: Attacker manipulates template engines (e.g., server-side template injection) by embedding malicious content in templates, leading to arbitrary code execution.
- Example Payload: ${{7*7}}
- Sample Vulnerable Code:
```
templateEngine.render(inputTemplate, data);
```
Email Header Injection:
- Description: Attacker manipulates email headers through vulnerable input fields to inject additional headers or control email flow.
- Example Payload: \nBCC: attacker@example.com\n
- Sample Vulnerable Code:
```
$headers = "From: " . $userInput;
```

TLS bypass

TLS fingerprinting is a sophisticated method used to analyze and identify unique characteristics in the TLS (Transport Layer Security) handshake process, which is essential for secure communications on the internet. It is typically used for security purposes but can also be exploited for malicious intents like tracking or profiling users.

Here’s a detailed breakdown of what TLS fingerprinting entails and how it can be bypassed:

What is TLS Fingerprinting? TLS fingerprinting leverages the specifics of the TLS handshake—a protocol for securing communications between a client and a server—to distinguish between different clients based on their unique configurations and properties. This includes details like the TLS version, cipher suites, and supported extensions provided in the “Client Hello” message during the TLS handshake.

Techniques Used in TLS Fingerprinting

Handshake Analysis: By analyzing handshake messages, especially the “Client Hello,” fingerprinting can identify the client’s TLS version, the cipher suites, and extensions it supports.
Encrypted Traffic Analysis: Analyzing encrypted TLS traffic, including packet lengths and timing, can provide insights into the TLS implementation without needing to decrypt the traffic.

How TLS Fingerprinting is Employed*

Threat Detection: Helps in detecting potentially malicious traffic.
Client Identification: Differentiates between client software and devices based on their TLS configurations.
Network Monitoring: Assists in network capacity planning and performance optimization.
Intrusion Detection: Identifies unusual TLS fingerprints that may indicate unauthorized access attempts.

Privacy Concerns Despite its benefits, TLS fingerprinting poses significant privacy issues. It can uniquely identify users and track their online activities, potentially infringing on privacy without their consent.

Methods to Bypass TLS Fingerprinting Due to the privacy concerns associated with TLS fingerprinting, various techniques have been developed to evade detection:

Obfuscation: Altering the order or content of fields within the TLS messages to disrupt fingerprinting algorithms.
Spoofing Cipher Suites and TLS Versions: Mimicking the characteristics of popular web browsers to blend in with regular traffic.
Impersonating JA3 Fingerprints: Using alternative methods to generate TLS client signatures that match common profiles.
HTTP Fingerprint Impersonation: Simulating browser characteristics in HTTP requests to bypass fingerprint-based blocking mechanisms.
Encrypting Client Hello Messages: Using VPNs or proxies to hide the true characteristics of TLS traffic from fingerprinting tools.

Conclusion Understanding and countering TLS fingerprinting is crucial for maintaining privacy and securing online communications. Employing obfuscation, spoofing, and using security tools like VPNs can help protect against unwanted tracking and profiling based on TLS fingerprinting techniques.

Threat modeling

Threat modeling is a structured approach used in cybersecurity to identify, assess, and address potential security threats to a system. It typically involves the following technical steps:

Identify Assets: Determine what sensitive data, resources, and system components need protection.
Define Security Requirements: Outline what security measures are necessary to protect these assets, based on legal, regulatory, and business needs.
Create an Architecture Overview: Develop diagrams or descriptions that detail the system architecture, including data flows, users, and external entities.
Identify Threats: Use methodologies like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to categorize potential threats specific to the system.
Identify Vulnerabilities: Analyze the architecture to find weaknesses that could be exploited by the identified threats.
Assess Risk: Evaluate the potential impact and likelihood of each threat, often using tools like DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability).
Define Mitigations: Plan how to reduce, transfer, or eliminate risks, developing security controls to address significant threats.
Document and Update: Record the threat model and keep it updated as the system or its context changes.

STRIDE and DREAD

STRIDE and DREAD are methodologies used within the field of cybersecurity to assess and manage risks. Let me break down each one for you:

STRIDE STRIDE is a model used to identify security threats and categorize them into specific types. It was developed by Microsoft and is often used during the threat modeling phase of system design. Each letter in STRIDE stands for a different type of threat:

Spoofing Identity: Impersonating something or someone else.
Tampering with Data: Unauthorized changes to data.
Repudiation: The ability of users (malicious or otherwise) to deny their actions.
Information Disclosure: Unauthorized access to data.
Denial of Service: Interrupt service availability.
Elevation of Privilege: Gaining higher access levels than authorized.

DREAD DREAD is a risk assessment model used to quantify, compare, and prioritize the security risks of different threats. It scores each aspect from 1 (least severe) to 10 (most severe) and typically focuses on:

Damage Potential: How much damage will the threat cause?
Reproducibility: How easily can the attack be reproduced?
Exploitability: How much work is required to launch the attack?
Affected Users: How many users will be affected?
Discoverability: How easy is it to discover the threat?

Application of STRIDE and DREAD

Threat Modeling Process: Organizations typically use STRIDE to identify potential threats by modeling different attack vectors against their system architecture. Each identified threat can then be evaluated using the DREAD model to assess its risk level, helping to prioritize mitigation efforts based on the potential impact and likelihood.
Example: Consider a web application that handles sensitive financial data. STRIDE could help identify a potential SQL Injection attack as a threat to ‘Information Disclosure’ and ‘Tampering’. Using DREAD, the team could assess that the damage potential and exploitability are high (due to potential access to financial data and the prevalence of SQL Injection tools), leading to prioritizing defenses against this vector.

These models are valuable tools in the cybersecurity field, helping teams to systematically analyze and mitigate risks in their systems.

MITM/DDOS

MITM and DDoS are two different types of cyber attacks:

MITM (Man-In-The-Middle) Attack: A Man-In-The-Middle attack occurs when a malicious actor intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other. The attacker can intercept, send, and receive data meant for someone else, without either of the intended parties knowing that the link between them has been compromised. Common methods of MITM attacks include eavesdropping on unsecured Wi-Fi networks, DNS spoofing, and SSL hijacking.
DDoS (Distributed Denial of Service) Attack: A DDoS attack involves overwhelming a target, such as a server, website, or network, with a flood of Internet traffic. This traffic can come from a multitude of compromised devices, collectively known as a botnet. The overload of requests to the target system makes it slow down significantly or crash, rendering the service inaccessible to legitimate users. DDoS attacks are often used to take websites offline or distract from other malicious activities.

Both attacks are disruptive in nature, but they target systems in different ways. MITM attacks focus on intercepting and manipulating communications, while DDoS attacks aim to make services unavailable.

M365/O365

M365 (Microsoft 365) and O365 (Office 365) refer to Microsoft’s suite of productivity and collaboration tools, but they have distinct offerings and use cases.

Office 365 (O365) was the original branding for Microsoft’s cloud-based office software suite that included applications like Word, Excel, PowerPoint, Outlook, and others. It primarily focused on providing online access to these applications along with various services such as Exchange for email, SharePoint for document storage and collaboration, and Teams for communication.

Microsoft 365 (M365), introduced later, is a more comprehensive offering that includes everything in Office 365 and extends further to include additional features such as Windows 10 or Windows 11 Pro upgrades, Enterprise Mobility + Security (EMS) for enhanced security features, and various compliance tools. It’s designed to provide a complete productivity and security solution for businesses.

From a cybersecurity perspective, M365 offers significant advantages due to its integrated security features. These include advanced threat protection, data loss prevention, and device management capabilities, which are essential for protecting an organization’s data and IT infrastructure from cyber threats.

Firewall / DMZ

A firewall is a security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted network (like an internal corporate network) and an untrusted network (like the internet). Firewalls can be hardware, software, or a combination of both. Their main purpose is to prevent unauthorized access to or from private networks and to control what traffic is allowed to enter or leave the network.

A DMZ (Demilitarized Zone) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted network, typically the internet. The DMZ adds an additional layer of security to an organization’s local area network (LAN); external-facing servers, resources, and services are placed in the DMZ so that if they are compromised, the attacker does not have direct access to the internal LAN. It’s like a buffer zone that protects the inner network from direct exposure to external threats.

TCP/IP model - 4 layers

TCP/IP, or Transmission Control Protocol/Internet Protocol, is a suite of communication protocols used to interconnect network devices on the internet. It can also be used for a network communication in a private network (an intranet or an extranet). The TCP/IP model is a concise version of the OSI model, consisting of four layers, each with a specific function:

Link Layer (Network Interface Layer):
- Function: Handles the physical and logical connections to the hardware. This layer is responsible for how data is physically transmitted over the network, including defining the protocols to use and interfacing with network hardware like Ethernet cables and network adapters.
- Protocols Included: Ethernet, Wi-Fi, ARP (Address Resolution Protocol), and others depending on the physical network technology.
Internet Layer (Network Layer):
- Function: Responsible for sending data packets across network boundaries. It defines the network addressing scheme and routes data from the source to the destination across one or more networks.
- Protocols Included: IP (Internet Protocol), ICMP (Internet Control Message Protocol), IGMP (Internet Group Management Protocol).
Transport Layer:
- Function: Provides host-to-host communication services for applications. It establishes, maintains, and terminates connections between hosts. It also handles error recovery and flow control, ensuring complete data transfer.
- Protocols Included: TCP (Transmission Control Protocol), UDP (User Datagram Protocol).
Application Layer:
- Function: Provides process-to-process communication services for applications. It enables software applications to interact over the network. This layer deals with application-specific protocols that support a wide range of activities, including web browsing, email, and file transfer.
- Protocols Included: HTTP, HTTPS, FTP, SMTP, DNS, SSH, and more.

OSI Model

The OSI (Open Systems Interconnection) model is a conceptual framework used to understand network interactions in seven layers. Each layer serves a specific function and communicates with the layers directly above and below it. Here’s a breakdown of all seven layers:

Physical Layer: This is the lowest layer of the OSI model. It concerns the physical equipment involved in the data transfer, such as cables, switches, and routers. It defines the electrical and physical specifications for devices.
Data Link Layer: This layer provides node-to-node data transfer—a link between two directly connected nodes. It also handles error correction from the physical layer.
Network Layer: This layer handles the routing of data packets across the network. It determines the best physical path for data to travel from the source to the destination.
Transport Layer: This layer provides transparent transfer of data between end systems. It is responsible for end-to-end error recovery and flow control. It ensures complete data transfer.
Session Layer: This layer establishes, manages, and terminates connections between applications. It sets up, coordinates, and terminates conversations, exchanges, and dialogs between the applications at each end.
Presentation Layer: This layer translates data from a format the application layer can accept to one that the network layer can understand, and vice versa. It handles data encryption, decryption, compression, and decompression.
Application Layer: This is the topmost layer. It provides services for an application software such as email, file transfer, and network data sharing. This layer interacts directly with the end user.

Port numbers (0 to 65535)

Port 20/21 - FTP (File Transfer Protocol)
Port 22 - SSH (Secure Shell)
Port 23 - Telnet
Port 25 - SMTP (Simple Mail Transfer Protocol)
Port 53 - DNS (Domain Name System)
Port 67/68 - DHCP (Dynamic Host Configuration Protocol)
Port 80 - HTTP (HyperText Transfer Protocol)
Port 110 - POP3 (Post Office Protocol version 3)
Port 123 - NTP (Network Time Protocol)
Port 143 - IMAP (Internet Message Access Protocol)
Port 443 - HTTPS (HTTP Secure)
Port 445 - SMB (Server Message Block)
Port 995 - POP3S (POP3 Secure)
Port 1433 - Microsoft SQL Server
Port 1521 - Oracle database
Port 3306 - MySQL
Port 3389 - RDP (Remote Desktop Protocol)
Port 5432 - PostgreSQL
Port 5900 - VNC (Virtual Network Computing)

NAT + VLAN + DNS Records + Subnet

NAT (Network Address Translation) NAT is a method used in networks to translate one set of IP addresses to another, allowing for the conservation of IP addresses and providing an added layer of security. It’s most commonly implemented in routers. NAT enables multiple devices on a private network to access the internet using a single public IP address. This setup not only saves IP addresses but also hides individual IP addresses of devices from the external network, providing privacy and security.
VLAN (Virtual Local Area Network) A VLAN is a subgroup within a network, which is used to divide a larger network into smaller, isolated segments without requiring separate hardware. Each VLAN creates a distinct broadcast domain which enhances the management of traffic within a large network by reducing congestion and improving security. Devices on the same VLAN can communicate as if they were on a single LAN, regardless of their physical location, which allows for more flexible network management and improved security measures.
DNS Records DNS (Domain Name System) records are used to translate human-friendly domain names (like www.example.com) into IP addresses that computers use to identify each other on the network. Common types of DNS records include:
- A Record (Address Record): Maps a domain name to an IPv4 address.
- AAAA Record: Maps a domain name to an IPv6 address.
- CNAME Record (Canonical Name Record): Used to alias one domain name to another domain name, allowing for easier management of subdomains.
- MX Record (Mail Exchange Record): Specifies mail servers responsible for receiving email messages on behalf of a domain.
- TXT Record: Allows the domain administrator to insert any text into the DNS record, often used for verifying domain ownership or implementing email security measures like SPF and DKIM.
Subnet (Subnetwork) Subnetting is the process of dividing a single physical network into several smaller, logical subnetworks (subnets). This is useful for organizing networked resources and reducing network traffic, which improves performance. Each subnet is represented by a range of IP addresses and is identified by a subnet mask, which determines how the IP address is split between the network and host portions. Subnetting enhances network security and management by isolating network segments, limiting the spread of broadcast traffic, and grouping resources logically based on their roles or functions.

VPN

A VPN, or Virtual Private Network, is a technology that creates a secure, encrypted connection between your device and a server operated by the VPN service. This secure connection, often referred to as a VPN tunnel, helps protect your online privacy and security by encrypting your internet traffic. This makes it more difficult for third parties to track your activities online or steal data.

Here’s a breakdown of the key concepts:

Privacy: When you use a VPN, your real IP address is hidden, making it harder for websites and snoopers to track your location or identify your internet service provider.
Security: VPNs encrypt your internet traffic, which protects your data from eavesdroppers on unsecure networks like public Wi-Fi.
Access: VPNs can allow you to access websites and services that are blocked or restricted in your geographical area by making it appear as if you are accessing the internet from a different location.

VPN Tunnels

Encryption: The tunnel is essentially a secure, encrypted link between your device and the VPN server. This encryption is done using protocols such as OpenVPN, IKEv2, or WireGuard, which help protect the data as it travels over the internet.
Data Integrity: The tunnel ensures that the data remains intact and unchanged during transmission. This is crucial for maintaining data security and privacy.
Routing: Inside the VPN tunnel, all of your traffic is routed through the VPN server. To any outside observer, it looks like all your internet activity is coming from the VPN server, not your device.

Routing Protocol

Routing Protocol: It is a protocol that specifies how routers communicate with each other, sharing information that enables them to select routes between any two nodes on a computer network.
Purpose: The main purpose is to dynamically learn network destinations and find the best paths to those destinations.
Types: Common types include RIP (Routing Information Protocol), OSPF (Open Shortest Path First), and BGP (Border Gateway Protocol), each serving different network scales and requirements.

few tools

Wireshark:
- Type: Network Protocol Analyzer
- Function: Wireshark is a widely used network packet analyzer that helps capture and interactively browse the traffic running on a computer network. It is used for network troubleshooting, analysis, software and protocol development, and education.
Nmap:
- Type: Network Scanner
- Function: Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network, thus building a “map” of the network. It can be used to discover devices running on a network, identify open ports and the services they are associated with, and detect security risks.
Nessus:
- Type: Vulnerability Scanner
- Function: Nessus is one of the most popular vulnerability scanners on the market. It is designed to automate the process of identifying and resolving vulnerabilities within networks, computers, and software. It can scan for vulnerabilities that hackers could use to access the system.
Tcpdump:
- Type: Command-line Packet Analyzer
- Function: Tcpdump is a powerful command-line packet analyzer, similar to Wireshark but primarily used via the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

Packet analysis

Packet analysis, also known as packet sniffing or network traffic analysis, is a technique used to monitor and intercept data packets as they travel across a network. This process allows cybersecurity professionals or network administrators to capture and inspect individual packets to understand the data and management traffic flowing through a network.

In technical terms, packet analysis involves using software tools like Wireshark or tcpdump to capture network packets. Each packet contains various layers of information including:

Physical Layer Data: Information about the hardware sending or receiving the packet.
Network Layer Data (IP): Source and destination IP addresses that help in routing the packet.
Transport Layer Data (TCP/UDP): Ports and sequencing information necessary for reassembling the data streams and ensuring correct delivery.
Application Layer Data: Payload data that can include actual user or application data being transmitted.

The analysis can help detect network anomalies, troubleshoot network issues, monitor network performance, ensure compliance with security policies, and potentially detect and mitigate malicious activities within the network.

Encryption / Encoding / IDS / IPS

Encryption:

Encryption is the process of converting plaintext data into a coded form, often called ciphertext, to prevent unauthorized access.
It uses algorithms to transform readable data, known as plaintext, into an unreadable format known as ciphertext. Only those with the appropriate decryption key can convert the ciphertext back into plaintext, making it a powerful tool for securing data at rest, in transit, or in use.

Encoding:

Encoding is the process of transforming data into a different format using a method that is publicly available. It’s used to ensure data can be properly consumed by different types of systems and is not focused on security.
Common encoding types include Base64 and URL encoding. Encoding can be easily reversed by following the same process in reverse, as it does not require a key or secret.

IDS (Intrusion Detection System):

An IDS is a security technology that monitors network traffic for suspicious activity and potential threats.
IDS systems generate alerts when they detect anomalies, providing security teams with critical insights into potentially malicious activities.

IPS (Intrusion Prevention System):

An IPS is similar to an IDS but with the capability to actively block or prevent intrusions that are detected.
It sits directly in the network path, analyzing all traffic that passes through it and automatically blocking any traffic that it identifies as malicious, based on predefined security rules.

Table Of Contents