VIGNESH K NOTES

CP4391 SECURITY PRACTICES

UNIT I SYSTEM SECURITY

Model of network security – Security attacks, services and mechanisms
– OSI security architecture - A Cryptography primer- Intrusion detection
system- Intrusion Prevention system - Security web applications- Case
study: OWASP - Top 10 Web Application Security Risks.

S
Network Security Model

TE
The network security involves all tools, devices, strategies and activities which
enterprises and organizations undertake to protect their networks, data and operations.
An effective network security strategy must include the most effective set of tools for

O
identification and reflection various threats and attacks. Creation of well thought-
out network security model will effectively help you in realization your network's security.

N
The network security model (NSM) is a scheme that reflects the general plan and the
policy of ensuring the network security, and usually includes all or some of the following
seven layers in different modifications according to the specific company's needs:
K
 Physical layer — involves organization of physical security against the access
to the data on computer devices, this can be access control devices, cameras,
H

alarm.
 VLAN layer — involves creation of Virtual Local Area Networks (VLANs) which
S

join together common hosts for security purposes.

 ACL layer — supposes creation and maintenance of Access Control Lists (ACLs)
E

which allow or deny the access between hosts on different networks.

N

Software layer — helps to protect the user layer and ensures the software's
actuality.
IG

 User layer — involves the user’s training of security on the network.

 Administrative layer — supposes the training of administrative users.
 IT department layer — this layer is the most important for network security, it
V

contains all network security professionals and support specialists, network

technicians and architects, which organize and maintain the work of the
network and hosts.

Pay please your attention for the powerful ConceptDraw DIAGRAM diagramming and
vector drawing software extended with Network Security Diagrams Solution from the
Computer and Networks Area of ConceptDraw Solution Park which lets fast and easy

1|Page
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
design all variety of network security models: Open network security model, Closed
network security model, Restrictive network access model.

S
TE
O
N
K
Example 1. Network Security Model
H

To design the Network Security Model, we recommend to use already ready-to-use 460
predesigned colorful vector objects offered by 4 libraries of the Network Security
S

Diagrams Solution:
E

 Cybersecurity Clipart
 Cybersecurity Shapes
N

 Cybersecurity Connectors
 Cybersecurity Round Icons
IG

Simply drag desired objects from the libraries to your document, arrange them, depict
relationships between devices with help of connectors from the Cybersecurity Connectors
library, type the text and make your diagram more attractive with help of bright colors
V

applied for objects, connectors and background.

2|Page
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
Example 2. Network Security Diagrams Solution in ConceptDraw STORE

N
One more useful way for inspiration and excellent start for drawing Network Security
Diagrams and Network Security Model is collection of predesigned network security
K
samples and examples offered by Network Security Diagrams Solution in ConceptDraw
STORE.
H
S
E
N
IG
V

Example 3. Network Security Diagram — Access Control and Encryption

3|Page
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
The samples you see on this page were created in ConceptDraw DIAGRAM using the tools
of Network Security Diagrams Solution for ConceptDraw DIAGRAM software. An
experienced user spent 10 minutes creating each of these samples.

Use the Network Security Diagrams Solution for ConceptDraw DIAGRAM to create your
own Network Security Model and Network Security Diagrams quick, easy and effective.

All source documents are vector graphic documents. They are available for reviewing,
modifying, or converting to a variety of formats (PDF file, MS PowerPoint, MS Visio, and

S
many other graphic formats) from the ConceptDraw STORE. The Network Security
Diagrams Solution is available for all ConceptDraw DIAGRAM users.

TE
TEN RELATED HOW TO's:

O
Network diagrams with ConceptDraw DIAGRAM →

N
Of course it is possible to keep network records in text documents, but it is very difficult
to use them later. A more sound way to keep such documentation is to create a network
K
diagram that might represent either logical network structure or physical. These
diagrams are easy to understand and you will thank yourself later. There is a physical
network diagram. It is a tool to represent, maintain and analysis of network equipment
H

and interconnections. Network diagram depicts the actual network information in the
attractive clear graphic form. One can learn here the LAN cable length,
S

telecommunication type and carrying capacity. The diagram depicts servers, IP address
and domain name as well. Also it shows location of hubs, switches, modems, routers, and
E

other network equipment. The sets of special symbols and images delivered with
ConceptDraw Network Diagrams solution are used to show network components.
N

Symbols have a standard view. Therefore, various specialists can read the network
IG
V

4|Page
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
diagram without any discrepancies.

S
TE
O
Picture: Network diagrams with ConceptDraw DIAGRAM
N
K
Related Solution:

Computer Network Diagrams

H
S

Modern Garden Design →

E

The modern garden design is a full complex of works for design, decorating and
gardening. Landscape design offers a large number of styles for the modern garden
N

design, their origins go back centuries. But do not forget that the modern garden design
is first of all an individual project for a specific landscape and specific owner of the land,
IG

and sometimes it is appropriate to apply the combination of styles. ConceptDraw

DIAGRAM diagramming and vector drawing software offers the unique Landscape &
V

5|Page
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Garden Solution from the Building Plans area for effective development the modern

S
TE
O
N
K
H
S
E
N
IG

garden design.

Picture: Modern Garden Design

V

Related Solution:

Landscape & Garden

CCTV Network Example →

6|Page
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
The following examples cctv network were created in ConceptDraw DIAGRAM
diagramming and vector drawing software using the Audio, Video, Media Solution. Using
this easily customizable cctv network template you can represent any existing cctv
network.

S
TE
O
N
K
H
S
E
N
IG

Picture: CCTV Network Example

V

Related Solutions:

Audio and Video Connectors Audio, Video, Media

Network Icon →

7|Page
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
ConceptDraw DIAGRAM diagramming and vector drawing software extended with
Computer Network Diagrams Solution from the Computer and Networks Area offers a set
of useful tools, collection of templates, samples, and libraries of various computer
symbols, computer devices icons, computer network icon for fast and easy drawing
network computer diagrams and illustrations.

S
TE
O
N
K
H
S
E
N
IG

Picture: Network Icon

V

Related Solution:

Computer Network Diagrams

UML Notation →

8|Page
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
There are many ways to track the system in a critical situation. To model a system
behavior, uml notation is widely used. Usually, an UML diagram consists of elements such
as actor and a case. This diagram represents the structure of UML notations. Unified
Modeling Language (UML) is used in software engineering to depict graphically the
software modeling process. UM Language uses graphic notations for developing models
of object-oriented systems. These notations displays requirements, sub-systems, logical
and physical elements, etc. We created this diagram using ConceptDraw DIAGRAM
reinforced with Rapid UML solution. It can be helpful for students on software

S
engineering, when learning UML.

TE
O
N
K
H
S
E
N
IG
V

Picture: UML Notation

Related Solution:

9|Page
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

Rapid UML

UML Use Case Diagram Example. Social Networking Sites Project →

UML Diagrams Social Networking Sites Project. This sample was created in ConceptDraw
DIAGRAM diagramming and vector drawing software using the UML Use Case Diagram
library of the Rapid UML Solution from the Software Development area of ConceptDraw

S
Solution Park. This sample shows the Facebook Socio-health system and is used at the
projection and creating of the social networking sites.

TE
O
N
K
H
S
E
N
IG
V

Picture: UML Use Case Diagram Example. Social Networking Sites Project

Related Solution:

10 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

Rapid UML

What Is a Concept Map →

What is a Concept Map and what software is effective for its design? A concept map or
conceptual diagram is a diagram that depicts suggested relationships between concepts.
As for effective software - we suggest you to pay attention for the ConceptDraw

S
DIAGRAM diagramming and vector drawing software. Extended with Concept Maps
Solution from the "Diagrams" Area it is a real godsend for you.

TE
O
N
K
H
S
E
N
IG

Picture: What Is a Concept Map

V

A Model for Network Security

When we send our data from the source side to the destination side we have to use some
transfer method like the internet or any other communication channel by which we are
able to send our message. The two parties, who are the principals in this transaction,

11 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
must cooperate for the exchange to take place. When the transfer of data happened
from one source to another source some logical information channel is established
between them by defining a route through the internet from source to destination and by
the cooperative use of communication protocols (e.g., TCP/IP) by the two principals.
When we use the protocol for this logical information channel the main aspect of security
has come. who may present a threat to confidentiality, authenticity, and so on. All the
techniques for providing security have two components:

1. A security-related transformation on the information to be sent.

S
2. Some secret information is shared by the two principals and, it is hoped,

TE
unknown to the opponent.
A trusted third party may be needed to achieve secure transmission. For example, a third
party may be responsible for distributing the secret information to the two principals
while keeping it from any opponent. Or a third party may be needed to arbitrate disputes

O
between the two principals concerning the authenticity of a message transmission. This
model shows that there are four basic tasks in designing a particular security service:

N
1. Design an algorithm for performing the security-related transformation.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of secret information.
K
4. Specify a protocol to be used by the two principals that make use of the
security algorithm and the secret information to achieve a particular security
service.
H
S

Security Attacks, Services and

E

Mechanisms
N

 To assess the security needs of an organization effectively, the manager

IG

responsible for security needs some systematic way of defining the requirements
for security and characterization of approaches to satisfy those requirements.
 One approach is to consider three aspects of information security:
V

1. Security attack –Any action that compromises the security of information owned
by an organization.
2. Security mechanism –A mechanism that is designed to detect, prevent or recover
from a security attack.
3. Security service –A service that enhances the security of the data processing
systems and the information transfers of an organization. The services are

12 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
intended to counter security attacks and they make use of one or more security
mechanisms to provide the service.

Security Services

The classification of security services are as follows:

1. Confidentiality: Ensures that the information in a computer system and

S
transmitted information are accessible only for reading by authorized parties. E.g.
printing, displaying and other forms of disclosure.

TE
2. Authentication: Ensures that the origin of a message or electronic document is
correctly identified, with an assurance that the identity is not false.
3. Integrity: Ensures that only authorized parties are able to modify computer
system assets and transmitted information. Modification includes writing,

O
changing status, deleting, creating and delaying or replaying of transmitted
messages.

be able to deny the transmission.

N
4. Non repudiation: Requires that neither the sender nor the receiver of a message

5. Access control: Requires that access to information resources may be controlled

K
by or the target system.
6. Availability: Requires that computer system assets be available to authorized
parties when needed.
H

Security Services (X.800)

S

Authentication: The assurance that the communicating entity is the one that it claims
to be.
E

 Peer Entity Authentication: Used in association with a logical connection to

N

provide confidence in the identity of the entities connected.

 Data Origin Authentication: In a connectionless transfer, provides assurance
IG

that the source of received data is as claimed.

Access Control:-The prevention of unauthorized use of a resource (i.e., this service

V

controls that can have access to a resource, under what conditions access can occur, and
what those accessing the resource are allowed to do).

Data Confidentiality: The protection of data from unauthorized disclosure.

 Connection Confidentiality: The protection of all user data on a connection.

13 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Connectionless Confidentiality: The protection of all user data in a single data
block.
 Selective-Field Confidentiality: The confidentiality of selected fields within the
user data on a connection or in a single data block.
 Traffic Flow Confidentiality: The protection of the information that might be
derived from observation of traffic flows.

Data Integrity:

S
 Connection Integrity with Recovery: Provides for the integrity of all user data

TE
on a connection and detects any modification, insertion, deletion, or replay of any
data within an entire data sequence, with recovery attempted.
 Connection Integrity without Recovery: As above, but provides only detection
without recovery.

O
 Selective-Field Connection Integrity: Provides for the integrity of selected
fields within the user data of a data block transferred over a connection and takes


inserted, deleted, or replayed N
the form of determination of whether the selected fields have been modified,

Connectionless Integrity: Provides for the integrity of a single connectionless

K
data block and may take the form of detection of data modification. Additionally,
a limited form of replay detection may be provided.
 Selective-Field Connectionless Integrity: Provides for the integrity of selected
H

fields within a single connectionless data block; takes the form of determination of
whether the selected fields have been modified.
S

Non-Repudiation: Provides protection against denial by one of the entities involved in a

E

communication of having participated in all or part of the communication

Nonrepudiation, Origin: Proof that the message was sent by the specified party.
N


 Nonrepudiation, Destination: Proof that the message was received by the
specified party.
IG

Security Attacks
V

Security attacks can be classified in terms of Passive attacks and Active attacks as per
X.800 and RFC 2828.
There are four general categories of attack which are listed below.

 Interruption: An asset of the system is destroyed or becomes unavailable or

unusable. This is an attack on availability. Examples: destruction of piece of

14 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
hardware, Cutting of a communication line or disabling of file management
system.

S
Figure 1.2: interruption attack

TE
 Interception: An unauthorized party gains access to an asset. This is an attack
on confidentiality. Unauthorized party could be a person, a program or a
computer.

O
Examples: wiretapping to capture data in the network, illicit copying of files

N
K
H

Figure 1.3: interception attack

 Modification: An unauthorized party not only gains access to but tampers with
S

an asset. This is an attack on integrity.

E

Examples: changing values in data file, altering a program, modifying the contents of
messages being transmitted in a network.
N
IG
V

Figure 1.4: modification attack

 Fabrication: An unauthorized party inserts counterfeit objects into the system.

This is an attack on authenticity.

Examples: insertion of spurious message in a network or addition of records to a file.

15 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

Figure 1.5: fabrication attack

A useful categorization of these attacks is in terms of

S
 Passive attacks: do not affect system resources.
 Active attacks: try to alter system resources or affect their operation.

TE
1. Passive attack

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.

O
The goal of the opponent is to obtain information that is being transmitted. Passive
attacks are of two types:


N
Release of message contents: A telephone conversation, an e-mail message and a
transferred file may contain sensitive or confidential information. We would like to
prevent the opponent from learning the contents of these transmissions.
K
H
S
E
N
IG

Figure 1.6: Release of message contents

 Traffic analysis: If we had encryption protection in place, an opponent might

V

stillbe able to observe the pattern of the message. The opponent could determine
the location and identity of communication hosts and could observe the frequency
and length of messages being exchanged. This information might be useful in
guessing the nature of communication that was taking place. Passive attacks are
very difficult to detect because they do not involve any alteration of data.
However, it is feasible to prevent the success of these attacks.

16 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
Figure 1.7: Traffic
analysis

Passive attacks are very difficult to detect because they do not involve any alteration of
data. However, it is feasible to prevent the success of these attacks.

O
2. Active attacks

N
These attacks involve some modification of the data stream or the creation of a false
stream. These attacks can be classified in to four categories:
K
 Masquerade –One entity pretends to be a different entity.
H
S
E
N
IG
V

Figure 1.8: Masquerade

 Replay –involves passive capture of a data unit and its subsequent transmission
to produce an unauthorized effect.

17 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
Fi

O
gure 1.9: Replay

 Modification of messages –Some portion of message is altered or the

N
messages are delayed or recorded, to produce an unauthorized effect.
K
H
S
E

Fi
N

gure 1.10: Modification of messages

IG

 Denial of service –Prevents or inhibits the normal use or management of

communication facilities. Another form of service denial is the disruption of an
entire network, either by disabling the network or overloading it with messages so
V

as to degrade performance.

18 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
F
igure 1.11: Denial of service

N
It is quite difficult to prevent active attacks absolutely, because to do so would require
physical protection of all communication facilities and paths at all times. Instead, the goal
K
is to detect them and to recover from any disruption or delays caused by them

Security Mechanisms:
H

According to X.800, the security mechanisms are divided into those implemented in a
S

specific protocol layer and those that are not specific to any particular protocol layer or
security service. X.800 also differentiates reversible & irreversible encipherment
E

mechanisms. A reversible encipherment mechanism is simply an encryption algorithm

that allows data to be encrypted and subsequently decrypted, whereas irreversible
N

encipherment include hash algorithms and message authentication codes used in digital
signature and message authentication applications.
IG

Specific Security Mechanisms:

Incorporated into the appropriate protocol layer in order to provide some of the OSI
V

security services:

 Encipherment: It refers to the process of applying mathematical algorithms for

converting data into a form that is not intelligible. This depends on algorithm used
and encryption keys.

19 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Digital Signature: The appended data or a cryptographic transformation applied to
any data unit allowing to prove the source and integrity of the data unit and
protect against forgery.
 Access Control: A variety of techniques used for enforcing access permissions to
the system resources.
 Data Integrity: A variety of mechanisms used to assure the integrity of a data unit
or stream of data units.
 Authentication Exchange: A mechanism intended to ensure the identity of an

S
entity by means of information exchange.
 Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic

TE
analysis attempts.
 Routing Control: Enables selection of particular physically secure routes for
certain data and allows routing changes once a breach of security is suspected.
 Notarization: The use of a trusted third party to assure certain properties of a data

O
exchange

Pervasive Security Mechanisms:

N
These are not specific to any particular OSI security service or protocol layer.
K
 Trusted Functionality: That which is perceived to be correct with respect to
some criteria
H

 Security Level: The marking bound to a resource (which may be a data unit)
that names or designates the security attributes of that resource.
S

 Event Detection: It is the process of detecting all the events related to network
security.
E

 Security Audit Trail: Data collected and potentially used to facilitate a security
audit, which is an independent review and examination of system records and
N

activities.
 Security Recovery: It deals with requests from mechanisms, such as event
IG

handling and management functions, and takes recovery actions.

V

OSI Security Architecture

The security of an organization is the greatest concern of the people working at the
organization. Safety and security are the pillars of cyber technology. It is hard to imagine
the cyber world without thinking about security. The architecture of security is thus a

20 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
very important aspect of the organization. The OSI (Open Systems Interconnection)
Security Architecture defines a systematic approach to providing security at each layer.
It defines security services and security mechanisms that can be used at each of the
seven layers of the OSI model to provide security for data transmitted over a network.
These security services and mechanisms help to ensure the confidentiality, integrity, and
availability of the data. OSI architecture is internationally acceptable as it lays the flow
of providing safety in an organization.
OSI Security Architecture focuses on these concepts:

S
 Security Attack:

TE
 Security mechanism: A security mechanism is a means of protecting a system,
network, or device against unauthorized access, tampering, or other security
threats.
 Security Service:

O
Classification of OSI Security Architecture

N
K
H
S
E
N

Classification of OSI Security Architecture

OSI Security Architecture is categorized into three broad categories namely Security
IG

Attacks, Security mechanisms, and Security Services. We will discuss each in

detail:
1. Security Attacks:
V

A security attack is an attempt by a person or entity to gain unauthorized access to

disrupt or compromise the security of a system, network, or device. These are defined as
the actions that put at risk an organization’s safety. They are further classified into 2 sub-
categories:

21 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
A. Passive Attack:

Attacks in which a third-party intruder tries to access the message/ content/ data being
shared by the sender and receiver by keeping a close watch on the transmission or eave-
dropping the transmission is called Passive Attacks. These types of attacks involve the
attacker observing or monitoring system, network, or device activity without actively
disrupting or altering it. Passive attacks are typically focused on gathering information or
intelligence, rather than causing damage or disruption.

S
Here, both the sender and receiver have no clue that their message/ data is accessible to
some third-party intruder. The message/ data transmitted remains in its usual form

TE
without any deviation from its usual behavior. This makes passive attacks very risky as
there is no information provided about the attack happening in the communication
process. One way to prevent passive attacks is to encrypt the message/data that needs
to be transmitted, this will prevent third-party intruders to use the information though it

O
would be accessible to them.

Passive attacks are further divided into two parts based on their behavior:

 N
Eavesdropping: This involves the attacker intercepting and listening to
communications between two or more parties without their knowledge or
K
consent. Eavesdropping can be performed using a variety of techniques, such
as packet sniffing, or man-in-the-middle attacks.
 Traffic analysis: This involves the attacker analyzing network traffic patterns
H

and metadata to gather information about the system, network, or device.

Here the intruder can’t read the message but only understand the pattern and
S

length of encryption. Traffic analysis can be performed using a variety of

techniques, such as network flow analysis, or protocol analysis.
E

B. Active Attacks:

Active attacks refer to types of attacks that involve the attacker actively disrupting or
N

altering system, network, or device activity. Active attacks are typically focused on
causing damage or disruption, rather than gathering information or intelligence. Here,
IG

both the sender and receiver have no clue that their message/ data is modified by some
third-party intruder. The message/ data transmitted doesn’t remain in its usual form and
shows deviation from its usual behavior. This makes active attacks dangerous as there is
V

no information provided of the attack happening in the communication process and the
receiver is not aware that the data/ message received is not from the sender.

Active attacks are further divided into four parts based on their behavior:

 Masquerade is a type of attack in which the attacker pretends to be an

authentic sender in order to gain unauthorized access to a system. This type

22 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
of attack can involve the attacker using stolen or forged credentials, or
manipulating authentication or authorization controls in some other way.
 Replay is a type of active attack in which the attacker intercepts a
transmitted message through a passive channel and then maliciously or
fraudulently replays or delays it at a later time.
 Modification of Message involves the attacker modifying the transmitted
message and making the final message received by the receiver look like it’s
not safe or non-meaningful. This type of attack can be used to manipulate the

S
content of the message or to disrupt the communication process.
 Denial of service (DoS) attacks involve the attacker sending a large volume

TE
of traffic to a system, network, or device in an attempt to overwhelm it and
make it unavailable to legitimate users.
2. Security Mechanism
The mechanism that is built to identify any breach of security or attack on the

O
organization, is called a security mechanism. Security Mechanisms are also responsible
for protecting a system, network, or device against unauthorized access, tampering, or

N
other security threats. Security mechanisms can be implemented at various levels within
a system or network and can be used to provide different types of security, such as
confidentiality, integrity, or availability.
K
Some examples of security mechanisms include:

 Encipherment (Encryption) involves the use of algorithms to transform data

H

into a form that can only be read by someone with the appropriate decryption
key. Encryption can be used to protect data it is transmitted over a network,
S

or to protect data when it is stored on a device.

 Digital signature is a security mechanism that involves the use of
E

cryptographic techniques to create a unique, verifiable identifier for a digital

document or message, which can be used to ensure the authenticity and
N

integrity of the document or message.

 Traffic padding is a technique used to add extra data to a network traffic
IG

stream in an attempt to obscure the true content of the traffic and make it
more difficult to analyze.
 Routing control allows the selection of specific physically secure routes for
V

specific data transmission and enables routing changes, particularly when a

gap in security is suspected.
3. Security Services:
Security services refer to the different services available for maintaining the security and
safety of an organization. They help in preventing any potential risks to security. Security
services are divided into 5 types:

23 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Authentication is the process of verifying the identity of a user or device in
order to grant or deny access to a system or device.
 Access control involves the use of policies and procedures to determine who
is allowed to access specific resources within a system.
 Data Confidentiality is responsible for the protection of information from
being accessed or disclosed to unauthorized parties.
 Data integrity is a security mechanism that involves the use of techniques to
ensure that data has not been tampered with or altered in any way during

S
transmission or storage.
 Non- repudiation involves the use of techniques to create a verifiable record

TE
of the origin and transmission of a message, which can be used to prevent the
sender from denying that they sent the message.

Benefits of OSI Architecture:

O
Below listed are the benefits of OSI Architecture in an organization:

1. Providing Security:


N
OSI Architecture in an organization provides the needed security and safety,
K
preventing potential threats and risks.
 Managers can easily take care of the security and there is hassle-free security
maintenance done through OSI Architecture.
H

2. Organising Task:
S

 The OSI architecture makes it easy for managers to build a security model for
the organization based on strong security principles.
E

 Managers get the opportunity to organize tasks in an organization effectively.

3. Meets International Standards:
N

 Security services are defined and recognized internationally meeting

international standards.
IG

 The standard definition of requirements defined using OSI Architecture is

globally accepted.
V

24 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

Crypto-Primer: Encryption Basics Every Security Pro Should

Know
Encryption has become a routine part of everyday life. Your iPhone uses it to defeat
cybercriminals and snoopers. Security cameras may use it to keep footage private. And
your VPN definitely uses it, to fence off online traffic and make it invisible to prying eyes.

Recently, however, there has been a legislative push in the US to limit ways in which
encryption can be used. First came the EARN IT Act, which would set up a government

S
commission to dictate best practices to tech companies, and now there is an even more
direct affront to encryption in the form of the Lawful Access to Encrypted Data Act.

TE
In light of these realities, it's helpful to have a better understanding of what encryption
is, what are the various types of encryption and encryption algorithms, and which types
offer the strongest protection. This article will explain why encryption is important but

O
also help to make an informed decision when protecting your data.

What's an Encryption Type?

N
When we talk about encryption types, we are dealing with the way that encryption
processes operate. There are three major forms — asymmetric, symmetric, and hash
functions — and they work in different ways.
K
Asymmetric: A common form of encryption in use on today's Internet, asymmetric
cryptography is also known as public key cryptography. In this type of encryption, data
H

is encrypted using a pair of keys.

One of these keys is the public key, while the other is the private key. The public key is
S

known by the provider of encryption services and is used to apply initial encryption. It
will usually be changed on a regular basis to ensure that it is protected from hackers.
E

The private key is used to decrypt data when it reaches its destination and is known
only to the user or recipient.
N

Asymmetric encryption is ubiquitous on the Web. For instance, it's used in Bitcoin;
IG

payments via APIs also generally use asymmetric encryption to ensure to secure credit
card details.

This is a slower type of encryption than symmetric encryption, so it's often used to
V

encrypt small pieces of data. For example, it is often used in conjunction with symmetric
cryptography to facilitate key exchange.

Symmetric: In symmetric encryption, only a single key is required. When information is

encrypted symmetrically, the two nodes use the same key, which is applied to data to
encrypt and decrypt it. Generally, this key will be created via random-number

25 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
generators, which themselves have grades of sophistication. Even so, the best
symmetric encryption will be weaker than asymmetric alternatives.

The advantage of symmetric encryption is speed. Because one key is involved, data can
be encrypted and read much faster.

Hash functions: Slightly different than asymmetric and symmetric encryption, hash
functions still turn plaintext into impenetrable code for the purposes of data protection.

A hash function converts an input into a predetermined output. It doesn't matter how

S
large the input is; it will always create a hash of the same fixed length. The created hash
cannot be turned back into the input, so there's no decryption involved in the

TE
conventional sense.

This may seem less useful than standard encryption, but it is actually a very powerful
tool. Hash functions have become the primary way to prove that data or software is

O
authentic and that outsiders haven't tampered with it.

Hashes are also used routinely in password storage systems, storing passwords in

N
hashed format instead of plaintext. They can also detect whether documents or data
have been changed via monitoring changes to the hash output.
K
Introducing Encryption Algorithms
Algorithms are essentially the tools used to turn plaintext into indecipherable chunks of
data. We refer to it here as an algorithm, but in traditional cryptography, the word
H

"cipher" is much more common. For the purposes of this article, we'll treat the terms as
interchangeable.
S

Algorithms are graded according to their strength. This in turn usually refers to the
length of the key size used by specific forms of encryption. For example, in the popular
E

AES-128 algorithm, the key length is 128 characters.

N

Length matters because the longer a key is, the more computations an attacker must
process in order to decrypt an encoded message. Hence, we've seen key lengths
IG

steadily growing over the years to 256- and even 512-bit versions.

However, key length is not everything; ciphers are stronger or weaker for other reasons
as well. The five most common algorithms include:
V

DES: The granddaddy of today's encryption algorithms, Data Encryption Standard (DES)
was invented by IBM in the 1970s with a key length of 56 characters. In 1977, it became
the first digital algorithm approved as a Federal Information Processing Standard, and
became the go-to option for protecting classified documents.

These days, DES is an antique, providing virtually no protection against hackers.

However, without it we'd be unprotected against digital intruders.

26 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Triple DES: Triple DES (or 3DES) uses a 168-bit cipher and essentially works by applying
old-style DES to data chunks three times. Data is encrypted with one DES key, then
decrypted with another, before being encrypted with a third key. At the other end, the
process is simply reversed. This tends to provide enhanced protection against brute
forcing, although NIST downgraded the algorithm in 2017. Therefore, it's not the gold
standard.

AES: The Advanced Encryption Standard (AES) was introduced as a replacement for
DES, and was created by the Belgian cryptographers Joan Daemen and Vincent Rijmen.

S
In 2001, it was adopted by NIST as the leading encryption standard and remains

TE
relevant to modern cryptography.

Key sizes vary from 128 to 256 bits, which can apply between 10 and 14 rounds of
encryption on targeted data. That delivers a high level of security and speed, which has
made AES the option of choice for tools like VPNs. As of 2020, AES has still not been

O
effectively cracked, and according to Edward Snowden, not even the NSA has been able
to brute-force the algorithm.

N
RSA: RSA (Rivest–Shamir–Adleman) is a public key algorithm, which has been around
since 1977. It uses two shared prime numbers, which are as large as possible. While the
K
primes remain private, an auxiliary number also forms part of the public key.

Cracking the primes is extremely tough, especially if padding is used to strengthen the
private keys. But the algorithm suffers in terms of speed, making it useful for some
H

actions (such as encrypting documents), but less useful for encrypting traffic on the
Web.
S

SHA-256: The gold standard hashing algorithm, SHA-256 replaced older ciphers such as
SHA-1 and MD5. SHA-256 is often a good partner function of AES-256 and is yet to be
E

cracked. Notably, SHA-256 is used quite extensively in Bitcoin.

N

Knowledge Is Protection Power

As you can see, there's a huge difference between a type of encryption and the cipher.
IG

In short, a type of encryption refers to the way the process is organized. An algorithm is
applied as part of that process to actually convert data into an unreadable format.

With digital threats growing all the time and governments hungry for data on citizens,
V

encryption isn't a minor issue. So, get to know how it works, and choose a system that
provides the protection you need.

27 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

Intrusion Detection System (IDS)

A system called an intrusion detection system (IDS) observes network traffic for
malicious transactions and sends immediate alerts when it is observed. It is software that
checks a network or system for malicious activities or policy violations. Each illegal
activity or violation is often recorded either centrally using a SIEM system or notified to
an administration. IDS monitors a network or system for malicious activity and protects a
computer network from unauthorized access from users, including perhaps insiders. The

S
intrusion detector learning task is to build a predictive model (i.e. a classifier) capable of
distinguishing between ‘bad connections’ (intrusion/attacks) and ‘good (normal)

TE
connections’.

O
N
K
H

How does an IDS work?

S

 An IDS (Intrusion Detection System) monitors the traffic on a computer

network to detect any suspicious activity.
E

 It analyzes the data flowing through the network to look for patterns and signs
of abnormal behavior.
N

 The IDS compares the network activity to a set of predefined rules and
patterns to identify any activity that might indicate an attack or intrusion.
IG

 If the IDS detects something that matches one of these rules or patterns, it
sends an alert to the system administrator.
 The system administrator can then investigate the alert and take action to
V

prevent any damage or further intrusion.

Classification of Intrusion Detection System
IDS are classified into 5 types:

 Network Intrusion Detection System (NIDS): Network intrusion detection

systems (NIDS) are set up at a planned point within the network to examine
traffic from all devices on the network. It performs an observation of passing
traffic on the entire subnet and matches the traffic that is passed on the

28 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
subnets to the collection of known attacks. Once an attack is identified or
abnormal behavior is observed, the alert can be sent to the administrator. An
example of a NIDS is installing it on the subnet where firewalls are located in
order to see if someone is trying to crack the firewall.

S
TE
O
N
K
H

 Host Intrusion Detection System (HIDS): Host intrusion detection systems

(HIDS) run on independent hosts or devices on the network. A HIDS monitors
S

the incoming and outgoing packets from the device only and will alert the
administrator if suspicious or malicious activity is detected. It takes a snapshot
E

of existing system files and compares it with the previous snapshot. If the
N

analytical system files were edited or deleted, an alert is sent to the

administrator to investigate. An example of HIDS usage can be seen on
mission-critical machines, which are not expected to change their layout.
IG
V

29 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E

 Protocol-based Intrusion Detection System (PIDS): Protocol-based

N

intrusion detection system (PIDS) comprises a system or agent that would

consistently reside at the front end of a server, controlling and interpreting the
IG

protocol between a user/device and the server. It is trying to secure the web
server by regularly monitoring the HTTPS protocol stream and accepting the
related HTTP protocol. As HTTPS is unencrypted and before instantly entering
V

its web presentation layer then this system would need to reside in this
interface, between to use the HTTPS.
 Application Protocol-based Intrusion Detection System (APIDS): An
application Protocol-based Intrusion Detection System (APIDS) is a system or
agent that generally resides within a group of servers. It identifies the
intrusions by monitoring and interpreting the communication on application-

30 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
specific protocols. For example, this would monitor the SQL protocol explicitly
to the middleware as it transacts with the database in the web server.
 Hybrid Intrusion Detection System: Hybrid intrusion detection system is
made by the combination of two or more approaches to the intrusion
detection system. In the hybrid intrusion detection system, the host agent or
system data is combined with network information to develop a complete view
of the network system. The hybrid intrusion detection system is more effective
in comparison to the other intrusion detection system. Prelude is an example

S
of Hybrid IDS.

TE
Benefits of IDS

 Detects malicious activity: IDS can detect any suspicious activities and
alert the system administrator before any significant damage is done.

O
 Improves network performance: IDS can identify any performance issues
on the network, which can be addressed to improve network performance.



Compliance requirements: IDS
Ncan help in meeting
requirements by monitoring network activity and generating reports.
compliance

Provides insights: IDS generates valuable insights into network traffic, which
K
can be used to identify any weaknesses and improve network security.
Detection Method of IDS
1. Signature-based Method: Signature-based IDS detects the attacks on the
H

basis of the specific patterns such as the number of bytes or a number of 1s or

the number of 0s in the network traffic. It also detects on the basis of the
S

already known malicious instruction sequence that is used by the malware.

The detected patterns in the IDS are known as signatures. Signature-based
E

IDS can easily detect the attacks whose pattern (signature) already exists in
the system but it is quite difficult to detect new malware attacks as their
N

pattern (signature) is not known.

2. Anomaly-based Method: Anomaly-based IDS was introduced to detect
IG

unknown malware attacks as new malware is developed rapidly. In anomaly-

based IDS there is the use of machine learning to create a trustful activity
model and anything coming is compared with that model and it is declared
V

suspicious if it is not found in the model. The machine learning-based method

has a better-generalized property in comparison to signature-based IDS as
these models can be trained according to the applications and hardware
configurations.
Comparison of IDS with Firewalls
IDS and firewall both are related to network security but an IDS differs from a firewall as
a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls

31 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
restrict access between networks to prevent intrusion and if an attack is from inside the
network it doesn’t signal. An IDS describes a suspected intrusion once it has happened
and then signals an alarm.

Conclusion:
Intrusion Detection System (IDS) is a powerful tool that can help businesses in detecting
and prevent unauthorized access to their network. By analyzing network traffic patterns,
IDS can identify any suspicious activities and alert the system administrator. IDS can be
a valuable addition to any organization’s security infrastructure, providing insights and

S
improving network performance.

TE
Intrusion Prevention System (IPS)

O
Intrusion Prevention System is also known as Intrusion Detection and Prevention System.

N
It is a network security application that monitors network or system activities for
malicious activity. Major functions of intrusion prevention systems are to identify
malicious activity, collect information about this activity, report it and attempt to block or
K
stop it.

Intrusion prevention systems are contemplated as augmentation of Intrusion Detection

Systems (IDS) because both IPS and IDS operate network traffic and system activities for
H

malicious activity.
IPS typically record information related to observed events, notify security administrators
S

of important observed events and produce reports. Many IPS can also respond to a
detected threat by attempting to prevent it from succeeding. They use various response
E

techniques, which involve the IPS stopping the attack itself, changing the security
environment or changing the attack’s content.
N

How Does an IPS Work?

IG

An IPS works by analyzing network traffic in real-time and comparing it against known
attack patterns and signatures. When the system detects suspicious traffic, it blocks it
from entering the network.
V

Types of IPS
There are two main types of IPS:

1. Network-Based IPS: A Network-Based IPS is installed at the network

perimeter and monitors all traffic that enters and exits the network.
2. Host-Based IPS: A Host-Based IPS is installed on individual hosts and
monitors the traffic that goes in and out of that host.
Why Do You Need an IPS?

32 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
An IPS is an essential tool for network security. Here are some reasons why:

 Protection Against Known and Unknown Threats: An IPS can block known
threats and also detect and block unknown threats that haven’t been seen
before.
 Real-Time Protection: An IPS can detect and block malicious traffic in real-
time, preventing attacks from doing any damage.
 Compliance Requirements: Many industries have regulations that require the
use of an IPS to protect sensitive information and prevent data breaches.

S
 Cost-Effective: An IPS is a cost-effective way to protect your network

TE
compared to the cost of dealing with the aftermath of a security breach.
 Increased Network Visibility: An IPS provides increased network visibility,
allowing you to see what’s happening on your network and identify potential
security risks.

O
Classification of Intrusion Prevention System (IPS):
Intrusion Prevention System (IPS) is classified into 4 types:

N
1. Network-based intrusion prevention system (NIPS):
It monitors the entire network for suspicious traffic by analyzing protocol
K
activity.

2. Wireless intrusion prevention system (WIPS):

H

It monitors a wireless network for suspicious traffic by analyzing wireless

networking protocols.
S

3. Network behavior analysis (NBA):

E

It examines network traffic to identify threats that generate unusual traffic

flows, such as distributed denial of service attacks, specific forms of malware
N

and policy violations.

IG

4. Host-based intrusion prevention system (HIPS):

It is an inbuilt software package which operates a single host for doubtful
activity by scanning events that occur within that host.
V

Comparison of Intrusion Prevention System (IPS) Technologies:

The Table below indicates various kinds of IPS Technologies:

IPS Types of
Scope per
Technolog Malicious Activity Strengths
Sensor
y Type Detected

33 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

Multiple

Network, transport, and network Only IDPS which can analyze

Network-
application TCP/IP layer subnets the widest range of application
Based
activity and groups protocols;

of hosts

Multiple

S
Wireless protocol
WLANs
activity; unauthorized
and

TE
Only IDPS able to predict
Wireless wireless
groups of wireless protocol activity
local area networks
wireless
(WLAN) in use
clients

O
Typically more effective than

Network, transport, and

application TCP/IP layer
N
Multiple
network
the others at

identifying reconnaissance
K
NBA activity subnets scanning and

that causes anomalous and groups DoS attacks, and at

network flows of hosts reconstructing major
H

malware infections
S

Host application and

E

operating system (OS) Can analyze activity that

Host- activity; network, Individual
N

was transferred in end-to-end

Based transport, host
encrypted communications
and application TCP/IP
IG

layer activity

Detection Method of Intrusion Prevention System (IPS):

V

1. Signature-based detection:
Signature-based IDS operates packets in the network and compares with pre-
built and preordained attack patterns known as signatures.

2. Statistical anomaly-based detection:

Anomaly based IDS monitors network traffic and compares it against an
established baseline. The baseline will identify what is normal for that network

34 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
and what protocols are used. However, It may raise a false alarm if the
baselines are not intelligently configured.

3. Stateful protocol analysis detection:

This IDS method recognizes divergence of protocols stated by comparing
observed events with pre-built profiles of generally accepted definitions of not
harmful activity.

S
Comparison of IPS with IDS:
The main difference between Intrusion Prevention System (IPS) with Intrusion Detection

TE
Systems (IDS) are:
1. Intrusion prevention systems are placed in-line and are able to actively
prevent or block intrusions that are detected.
2. IPS can take such actions as sending an alarm, dropping detected malicious

O
packets, resetting a connection or blocking traffic from the offending IP
address.

N
3. IPS also can correct cyclic redundancy check (CRC) errors, defragment packet
streams, mitigate TCP sequencing issues and clean up unwanted transport
and network layer options.
K
Conclusion:
An Intrusion Prevention System (IPS) is a crucial component of any network security
strategy. It monitors network traffic in real-time, compares it against known attack
H

patterns and signatures, and blocks any malicious activity or traffic that violates network
policies. An IPS is an essential tool for protecting against known and unknown threats,
S

complying with industry regulations, and increasing network visibility. Consider

implementing an IPS to protect your network and prevent security breaches.
E
N
IG

Securing Web Applications

Websites and Web applications has became a necessity in this world, From business,
companies, education, collaboration, personal blogs, foods and groceries, health and
V

medicine, social media platforms, accessing Government Services and Digital payments
and even voting everything is available in the Internet. These days its has become
common to get our daily works done via some button clicks on the screen and the
common question “are website secure?”. The answer is mostly but not completely. Every
legitNeimate website tries to provide at most security but no form of internet is
completely, a 100% secure.

35 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Website vs WebApp :
Websites are static HTML, CSS, with some JS files displayed according styling provided in
CSS. Websites aren’t dynamic, they can’t submit forms, can’t generate pages
dynamically and might be limited in other accepts too. Web Applications are the
programs which can accept form submissions, generate pages dynamically,
communicate with database to do CURD processes and more.
Some of the security tips for website owners generally are:

S
 Getting an SSL certificate

TE
 Creating secure passwords

 Keeping backups

O
 Updating websites to latest releases

N
These are some of the general security principles followed be website owners with
limited technical knowledge. These principles are good for those who just brought a
K
domain and hosting, added wordpress with a nice theme. These people have no need to
worry about server updates and security, no need to worry about how wordpress works
all they care about is the content and sometimes speed. For these type of people the
H

above steps are mostly enough, but for web applications we need some more things than
for a website?
S

Let us look into something we need to care for while deploying their webapp’s.
E

 Never put Debug mode ON in production –

N

Many web frameworks like WordPress, Django, Larvel provide a development

server which should be never used in production. Debug mode ON provides
IG

better error logs, with the availability of information such as variable names
and line numbers from the source code for developers.
V

 Restrict Access to server and close unused ports –

Running our web app in cloud is very good option. Some of the good options
are Digitalocean, google cloud, azure and AWS. When you rent for the virtual
server limit the people who can access to the server. its better to use SSH to
access the server. Always close unnecessary ports while running the server.

36 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Always update frameworks and application –
Updates are the best way to reduce bugs in our application. in the same
manner updating the framework we used to build the application might be
helpful but sometimes we have to rewrite the code for our application but if
the update is long term it would be best to do it even we have to rewrite the
code.

Keep the Database secure –

S

Many times we miss that database is also the part of our application and its

TE
also necessary for us to keep our database secure. Always keep strong
passwords, limit users who can have access to run native commands with the
database. Its also very good to choose the database according to application
need.

O
 DNS hosting –

N
DNS is the backbone of internet, its the phonebook for the internet. In simple
word DNS is the protocol which converts human readable hostnames like
geeksforgeeks.org to computer understanding numbers like 34.218.62.116. Its
K
necessary for our web app to have better and widespread DNS like Cloudflare,
cloud based DnS which reduces the lookup time to find our server IP and to
connect to it.
H

Limiting API usage –

S


Many of the webapp use external services which will be included using
specially configured API’s for specific functions. Most of API providers limit the
E

usage according to their plan and its also better for web app developers also
N

to implement rate limiting of API’s according to need so that we don’t pay any
extra.
IG

 Bot and Spam –

Many web application also contain forms for allowing to subscribe email, or
V

some other query form, Many bots these days have the ability to submit the
plain forms. To protect its better to keep recaptcha with every form which will
keep most of the bots out. Google provides recaptcha for free for basic usage.

 HTTP headers –
Most of the web application frameworks allow to send HTTP headers like HSTS,
CSP, Referrer and Permission Policy, which helps the browser determine the

37 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
sources and protocols it should allow to load styles, sources and media in turn
hardening the security of webapps like upgrading to HTTPS, XSS protection
and more.

These are some of the basic things to look out you look into more security features and
policies by going into the documentation of the framework you were using to create the
web app.

S
What is OWASP?

TE
The Open Web Application Security Project, or OWASP, is an international non-profit
organization dedicated to web application security. One of OWASP’s core principles is

O
that all of their materials be freely available and easily accessible on their website,
making it possible for anyone to improve their own web application security. The

N
materials they offer include documentation, tools, videos, and forums. Perhaps their
best-known project is the OWASP Top 10.
K
What is the OWASP Top 10?
H

The OWASP Top 10 is a regularly-updated report outlining security concerns for web
application security, focusing on the 10 most critical risks. The report is put together by a
S

team of security experts from all over the world. OWASP refers to the Top 10 as an
‘awareness document’ and they recommend that all companies incorporate the report
E

into their processes in order to minimize and/or mitigate security risks.

N

Below are the security risks reported in the OWASP Top 10 2017 report:
IG

1. Injection
V

 Injection attacks happen when untrusted data is sent to a code interpreter

through a form input or some other data submission to a web application. For
example, an attacker could enter SQL database code into a form that expects a
plaintext username. If that form input is not properly secured, this would result in
that SQL code being executed. This is known as an SQL injection attack.

38 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Injection attacks can be prevented by validating and/or sanitizing user-submitted
data. (Validation means rejecting suspicious-looking data, while sanitization refers
to cleaning up the suspicious-looking parts of the data.) In addition, a database
admin can set controls to minimize the amount of information an injection attack
can expose.

2. Broken Authentication

S
TE
 Vulnerabilities in authentication (login) systems can give attackers access to user
accounts and even the ability to compromise an entire system using an admin
account. For example, an attacker can take a list containing thousands of known

O
username/password combinations obtained during a data breach and use a script
to try all those combinations on a login system to see if there are any that work.


N
Some strategies to mitigate authentication vulnerabilities are requiring two-factor
authentication (2FA) as well as limiting or delaying repeated login attempts
using rate limiting.
K
3. Sensitive Data Exposure
H
S

 If web applications don’t protect sensitive data such as financial information and
passwords, attackers can gain access to that data and sellor utilize it for nefarious
E

purposes. One popular method for stealing sensitive information is using an on-
path attack.
N

 Data exposure risk can be minimized by encrypting all sensitive data as well as
IG

disabling the caching* of any sensitive information. Additionally, web application

developers should take care to ensure that they are not unnecessarily storing any
sensitive data.
V

 *Caching is the practice of temporarily storing data for re-use. For example, web
browsers will often cache webpages so that if a user revisits thosepages within a
fixed time span, the browser does not have to fetch the pages from the web.

39 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
4. XML External Entities (XEE)

 This is an attack against a web application that parses XML* input. This input can
reference an external entity, attempting to exploit a vulnerability in the parser. An
‘external entity’ in this context refers to a storage unit, such as a hard drive. An
XML parser can be duped into sending data to an unauthorized external entity,
which can pass sensitive data directly to an attacker.

S
 The best ways to prevent XEE attacks are to have web applications accept a less

TE
complex type of data, such as JSON**, or at the very least to patch XML parsers
and disable the use of external entities in an XML application.

 *XML or Extensible Markup Language is a markup language intended to be both

O
human-readable and machine-readable. Due to its complexity and security
vulnerabilities, it is now being phased out of use in many web applications.

 N
**JavaScript Object Notation (JSON) is a type of simple, human-readable notation
often used to transmit data over the internet. Although it was originally created
K
for JavaScript, JSON is language-agnostic and can be interpreted by many
different programming languages.
H

5. Broken Access Control

S
E

 Access control refers a system that controls access to information or

functionality. Broken access controls allow attackers to bypass authorization and
N

perform tasks as though they were privileged users such as administrators. For
example a web application could allow a user to change which account they are
IG

logged in as simply by changing part of a url, without any other verification.

V

 Access controls can be secured by ensuring that a web application uses

authorization tokens* and sets tight controls on them.

 *Many services issue authorization tokens when users log in. Every privileged
request that a user makes will require that the authorization token be present.
This is a secure way to ensure that the user is who they say they are, without
having to constantly enter their login credentials.

40 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
6. Security Misconfiguration

Security misconfiguration is the most common vulnerability on the list, and is often the
result of using default configurations or displaying excessively verbose errors. For
instance, an application could show a user overly-descriptive errors which may reveal
vulnerabilities in the application. This can be mitigated by removing any unused features
in the code and ensuring that error messages are more general.

S
TE
7. Cross-Site Scripting

O
 Cross-site scripting vulnerabilities occur when web applications allow users to add
custom code into a url path or onto a website that will be seen by other users.
This vulnerability can be exploited to run malicious JavaScript code on a victim’s

N
browser. For example, an attacker could send an email to a victim that appears to
be from a trusted bank, with a link to that bank’s website. This link could have
some malicious JavaScript code tagged onto the end of the url. If the bank’s site is
K
not properly protected against cross-site scripting, then that malicious code will
be run in the victim’s web browser when they click on the link.
H

 Mitigation strategies for cross-site scripting include escaping

untrusted HTTP requests as well as validating and/or sanitizing user-generated
S

content. Using modern web development frameworks like ReactJS and Ruby on
Rails also provides some built-in cross-site scripting protection.
E
N

8. Insecure Deserialization
IG

 This threat targets the many web applications which frequently serialize and
deserialize data. Serialization means taking objects from the application code and
V

converting them into a format that can be used for another purpose, such as
storing the data to disk or streaming it. Deserialization is just the opposite:
converting serialized data back into objects the application can use. Serialization
is sort of like packing furniture away into boxes before a move, and deserialization
is like unpacking the boxes and assembling the furniture after the move. An
insecure deserialization attack is like having the movers tamper with the contents
of the boxes before they are unpacked.

41 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 An insecure deserialization exploit is the result of deserializing data from
untrusted sources, and can result in serious consequences like DDoS attacks and
remote code execution attacks. While steps can be taken to try and catch
attackers, such as monitoring deserialization and implementing type checks, the
only sure way to protect against insecure deserialization attacks is to prohibit the
deserialization of data from untrusted sources.

S
9. Using Components With Known Vulnerabilities

TE
 Many modern web developers use components such as libraries and frameworks
in their web applications. These components are pieces of software that help

O
developers avoid redundant work and provide needed functionality; common
example include front-end frameworks like React and smaller libraries that used
to add share icons or a/b testing. Some attackers look for vulnerabilities in these

N
components which they can then use to orchestrate attacks. Some of the more
popular components are used on hundreds of thousands of websites; an attacker
finding a security hole in one of these components could leave hundreds of
K
thousands of sites vulnerable to exploit.

 Component developers often offer security patches and updates to plug up known
H

vulnerabilities, but web application developers don’t always have the patched or
most-recent versions of components running on their applications. To minimize
S

the risk of running components with known vulnerabilities, developers should

remove unused components from their projects, as well as ensuring that they are
E

receiving components from a trusted source and ensuring they are up to date.
N

10. Insufficient Logging And Monitoring

IG

 Many web applications are not taking enough steps to detect data breaches. The
V

average discovery time for a breach is around 200 days after it has happened.
This gives attackers a lot of time to cause damage before there is any response.
OWASP recommends that web developers should implement logging and
monitoring as well as incident response plans to ensure that they are made aware
of attacks on their applications.

42 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

Top 10 Web Application Security Risks

There are three new categories, four categories with naming and scoping changes, and
some consolidation in the Top 10 for 2021.

S
TE
O

N
A01:2021-Broken Access Control moves up from the fifth position; 94% of
applications were tested for some form of broken access control. The 34 Common
Weakness Enumerations (CWEs) mapped to Broken Access Control had more
K
occurrences in applications than any other category.
 A02:2021-Cryptographic Failures shifts up one position to #2, previously
known as Sensitive Data Exposure, which was broad symptom rather than a root
H

cause. The renewed focus here is on failures related to cryptography which often
leads to sensitive data exposure or system compromise.
S

 A03:2021-Injection slides down to the third position. 94% of the applications

were tested for some form of injection, and the 33 CWEs mapped into this
E

category have the second most occurrences in applications. Cross-site Scripting is

now part of this category in this edition.
N

 A04:2021-Insecure Design is a new category for 2021, with a focus on risks

related to design flaws. If we genuinely want to “move left” as an industry, it calls
IG

for more use of threat modeling, secure design patterns and principles, and
reference architectures.
 A05:2021-Security Misconfiguration moves up from #6 in the previous
V

edition; 90% of applications were tested for some form of misconfiguration. With
more shifts into highly configurable software, it’s not surprising to see this
category move up. The former category for XML External Entities (XXE) is now
part of this category.
 A06:2021-Vulnerable and Outdated Components was previously titled Using
Components with Known Vulnerabilities and is #2 in the Top 10 community
survey, but also had enough data to make the Top 10 via data analysis. This

43 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
category moves up from #9 in 2017 and is a known issue that we struggle to test
and assess risk. It is the only category not to have any Common Vulnerability and
Exposures (CVEs) mapped to the included CWEs, so a default exploit and impact
weights of 5.0 are factored into their scores.
 A07:2021-Identification and Authentication Failures was previously Broken
Authentication and is sliding down from the second position, and now includes
CWEs that are more related to identification failures. This category is still an
integral part of the Top 10, but the increased availability of standardized

S
frameworks seems to be helping.
 A08:2021-Software and Data Integrity Failures is a new category for 2021,

TE
focusing on making assumptions related to software updates, critical data, and CI/
CD pipelines without verifying integrity. One of the highest weighted impacts from
Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/
CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from

O
2017 is now a part of this larger category.
 A09:2021-Security Logging and Monitoring Failures was previously

N
Insufficient Logging & Monitoring and is added from the industry survey (#3),
moving up from #10 previously. This category is expanded to include more types
of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS
K
data. However, failures in this category can directly impact visibility, incident
alerting, and forensics.
 A10:2021-Server-Side Request Forgery is added from the Top 10 community
H

survey (#1). The data shows a relatively low incidence rate with above average
testing coverage, along with above-average ratings for Exploit and Impact
S

potential. This category represents the scenario where the security community
members are telling us this is important, even though it’s not illustrated in the
E

data at this time.

N
IG
V

UNIT II NETWORK SECURITY

44 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Internet Security - Intranet security- Local Area Network Security -
Wireless Network Security - Wireless Sensor Network Security- Cellular
Network Security - Mobile security - IOT security - Case Study - Kali
Linux.

What Is Internet Security?

S
Internet security is a broad term that refers to a wide range of tactics that aim to

TE
protect activities conducted over the internet. Implementing internet security
measures helps protect users from different online threats like types of
malware, phishing attacks, scams, and even unauthorized access by hackers. .

O
Why is internet security so important today?

N
As the internet expands and becomes an even bigger part of our
lives, cyberthreats continue to grow both in scope and sophistication. According to
Forbes, data breaches and cyberattacks saw an increase of 15.1% in 2021 compared
K
to the previous year. These security threats come in different forms and vary in terms
of complexity and detectability.
H

Some common online threats people face today include:

Malware: Malicious software is an umbrella term that refers to any

S


program that exploits system vulnerabilities to damage a computer
system or network and steal sensitive information from users. Examples
E

of malware include viruses, Trojans, ransomware, spyware, and worms.

N

 Phishing: Phishing is cyberattacks that involve stealing a user’s sensitive

data by duping them into opening an email or an instant message
and clicking a malicious link . The data that cybercriminals target can range
IG

from login credentials to credit card numbers. Phishing attacks are often
used for identity theft purposes.
 Spam: Spam is a term that describes unwanted email messages sent in
V

bulk to your email inbox. This tactic is generally used to promote goods and
services users aren’t interested in. Spam mail can also contain links
to malicious websites that automatically install harmful programs that
help hackers gain access to your data.
 Botnets: This contraction of “robot network ” refers to a network of
computers that have been infected with malware. The computers are then
prompted to perform several automated tasks without permission.

45 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Examples of these tasks include sending spam and carrying out denial-of-
service (DDoS) attacks.
 Wi-Fi threats: Wi-Fi networks can be subject to a wide range of attacks
that involve hackers exploiting unprotected connections and breaching data
security to obtain sensitive information. .

Antivirus protection

S
 The first step in making sure you have internet security is installing antivirus
software. These programs are designed to prevent, search for, detect, and get

TE
rid of viruses and other types of malicious software.

 Antivirus software can run automatic scans to make sure no network or data
breach has occurred and scan specific files or directories for any malicious

O
activity or patterns.

 There are plenty of options to choose from when it comes to antivirus

N
software, however, few programs offer the comprehensive level of protection
the antivirus software included in McAfee® Total Protection provides to its
users.
K
 McAfee’s antivirus software comes with a wide selection of features,
including malware detection, quarantine, and removal, different options for
H

scanning files and applications, and an advanced firewall for home network
security.
S

Create strong passwords

E

While this may sound obvious, it’s important to create strong and unique passwords
N

for all your online accounts and devices. A significant percentage of data
breaches occur as a result of simple password guessing.
IG

Some tips to follow when creating a password include:

 Never use personal information, such as date of birth.

V

 Don’t reuse passwords.

 Avoid sequential numbers or letters.
 Combine letters, numbers, and symbols.
 Don’t use common words.

46 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
It can also be a good idea to use a password manager , as this will help reduce the risk
of your passwords getting leaked or lost. McAfee’s password manager, is particularly
convenient thanks to its advanced encryption and multi-factor authentication.

Check that your computer firewall is enabled

A firewall is a network security system built into your operating system. It monitors
incoming and outgoing network traffic to prevent unauthorized access to your

S
network. For it to be able to identify and block these threats, you’ll want to make sure
your firewall is enabled on your device. If you’re unsure if your device comes with

TE
a firewall, you can benefit from one included in McAfee Total Protection.

Use multi-factor authentication when possible

O
Multi-factor authentication (MFA) is an authentication method that requires at least
two pieces of evidence before granting access to an app or website. Using this
method as much as possible can add another layer of security to your applications
and reduce the likelihood of a data breach.

Choose a safe web browser

N
K
Your choice of browser is an important part of implementing internet security
measures. In fact, web browsers vary widely in terms of the security features that
H

they offer, with some offering just the basics and others providing a more complete
range of features. Ideally, you should opt for a web browser that offers the following
S

security features:
E

 Private session browsing

 Pop-up blocking
N

 Privacy features
 Anti-phishing filter
IG

 Automatic blocking of reported malicious sites

 Cross-site script filtering
V

How can you keep children safe online?

As children grow older, their internet use becomes more extensive. This can also
increase their exposure to various security threats. To keep them safe online, educate
them about the risks associated with web browsing and introduce them to some of
the best practices for avoiding online threats like not sharing passwords .

47 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Explain which information should be shared and which information should be kept
private and instruct them to never click on links from unknown sources.

You should also take a more active approach to protect your children by
setting parental controls on certain websites. For instance, you can use YouTube’s
parental controls to filter any inappropriate content and keep a child-friendly
interface.

S
Internet security tips to know

The following tips can help you stay on the safe side in regard to internet security.

TE
 Install antivirus software on all your devices. This is the first step you
should take when securing your mobile and computer systems. Internet

O
security software identifies vulnerabilities and can neutralize threats before
they become a bigger problem.
 Keep your operating system and programs up to date. Neglecting to

N
update your applications and operating systems can leave you exposed to
threats as hackers seek to exploit unpatched vulnerabilities.
Use strong passwords. Using strong passwords reduces the risk of
K

a hacker cracking it and gaining access to your system.
 Use an ad blocker. Adware pop-ups often trick users into clicking on links
that lead to malicious websites. Using an ad-blocker to help prevent this
H

from happening.
 Use parental controls. Setting parental controls makes web browsing
S

safer for children and reduces the chances of virus infection.

Only shop on secure websites with “ https://” URLs. The “S” at the
E


end of the HTTP extension stands for “secure” and indicates that the
website has a security certificate and is safe for transactions.
N

 Never submit financial information when using public Wi-

Fi. Public Wi-Fi hot spots lack security measures and encryption, making
IG

them vulnerable to prying eyes. Sharing sensitive information like bank card
numbers when connected to one isn’t recommended.
 Use multifactor authentication. As we mentioned, MFA adds a layer of
V

protection to the sign-in process and makes unauthorized access to your

data extremely difficult.
 Check your bank statements regularly to catch any suspicious
activity. Keep an eye for any transaction that you don’t recall initiating, as
this could be a sign of a malware infection.

48 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

Intranet Security Best Practices

A common misconception about intranet security is that just because a company's data
resides on their own network, they're safe from cyberattacks. This could not be further
from the truth. The reality is that most of today's intrusions come through trusted
employees, networks, and devices. In order to protect your enterprise, it's essential to

S
understand the different types of threats an organization faces when using an intranet
and how best to guard against them.

TE
In the last few years, we have seen several high-profile security breaches involving
companies such as Target and Sony. As a result, many CTOs are now looking at their
intranets as potential risks. This article covers some of the most common threats to an

O
intranet and the best practices for securing your company's intranet from cyberattacks.

What Is An Intranet?
N
Intranet software forms a hub for internal communication and collaboration. This
K
collaboration tool makes it easy for employees to access both internal and external
resources. Gartner defines an intranet as "a network internal to an enterprise that uses
the same methodology and techniques as the internet but is accessible only to
H

employees."

Why Does an Intranet Need Security?

S

Modern intranets are cloud-based, centralized hubs filled with information and assets
E

that rightfully belong to your company. While this is great for your business and its
operations, it also represents a golden opportunity for cyberattackers to gain all the
N

information they need in one heist.

IG

Internal websites that keep sensitive employee and client information require enhanced
intranet security, especially for highly regulated industries like banking and healthcare,
where data loss can be catastrophic. However, the truth is that cyberattacks aren't the
V

only major threat to your intranet security— your own employees are.

Common Threats to An Intranet

According to data from Infosec, 70% of data breaches can be attributed to employee
error, whether malicious or not. In fact, the top three vulnerabilities to intranet security

49 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
come from internal negligence. To understand why, let's take a look at the common
threats to your corporate intranet, both internal and external.

Internal Threats

Employee Error or Negligence: This is the most common threat to the security
of your intranet and happens when your data security policies aren't
adequately enforced or are weak. Ultimately, workers may end up

S
unintentionally leaving breaches for cyberattackers to exploit.
Accidental Intranet Exposure: Sensitive data is accidentally placed in a

TE
location accessible from the Web. The news stories about improper usage of
Amazon S3 permissions (and other cloud storage) fall into this category.
Insider Theft: This is similar —and sometimes mistakenly seen as— employee
negligence, but in this case, the employee breaches the system and accesses

O
insider data knowingly with malicious purposes.

N
K
External Threats

Physical Theft: Cyberattackers can coordinate seemingly harmless attacks and

H

steal office equipment like pen drives or hard drives to gain access to
employee data or passwords. Plus, hackers can also gain access to your
S

network by gaining access to your routers or physical servers.

Interception of Data During Transit: Another security challenge for intranets
E

is that data is particularly vulnerable during transit. Many companies use

insecure protocols like HTTP and don't encrypt their data, which results in lost
N

data packages that malicious hackers can intercept.

Hacking: Direct hacking involving a third party is always possible, especially if
IG

your company deals with sensitive data or financial records. Potential hacking
can come in denial-of-service attacks, phishing, malware or virus, and
ransomware.
V

7 Intranet Security Best Practices

In order to have a safe and secure intranet, you need to protect the stored data. Now
that you know the potential threats to your company, let's talk about some best practices
you need to follow to protect your organization's intranet from cyberattacks.

50 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
1. Establish a Comprehensive Security Policy
While it's possible that your company has some data security measures in place,
it's likely that you overlooked your intranet data security, especially if you're
using a legacy intranet. Take some time to review your security policies and
measures and make sure they also protect your remote workers' digital
workplace, and that the protection extends to your mobile intranet. Once you've
reviewed your actions, delineate a plan with steps for a rapid response if a data
breach occurs.

S
2. Strengthen Your Log-in Protocols
While we're all aware of the potential dangers of weak passwords, the truth is that

TE
many people still rely on them. Modern intranets, however, protect you from
picking weak passwords and enable more secure log-in protocols such as Single
Sign-on (SSO), Active Directory (AD), or Lightweight Directory Access Protocols
(LDAP). Protocols like this enable a seamless, centralized authentication

O
management process that also enables secure mobile access to your corporate
intranet.
3. Enact Access Control
N
It's necessary to limit the amount of information your employees have access to
unless it relates to their job.. An intranet platform with granular roles and
K
permissions capabilities can help control access and reduce potential internal
data breaches. For instance, by creating permissions for different intranet users
based on their roles, you make sure that employees have access to only the
H

information they need, increasing their productivity and reducing time lost looking
for information.
S

4. Meet Global Security Standards

Security standards exist for a reason, and it's always a good idea to follow them
E

as closely as possible to prevent a security breach or cyberattacks. Also, for

regulated industries such as healthcare, government, and financial institutions,
N

security standards aren't an option, and your intranet needs to meet compliance
regulations to operate. A modern intranet like dotCMS offers users a GDPR, SOC2,
IG

HIPAA, and ISO 9001-compliant platform that protects your data and simplifies
compliance efforts.
5. Secure Third-party Integrations
V

Modern intranets can be extended using third-party software. Third-party software

enables greater flexibility and functionality but also introduces security risks to
your corporate intranet. For your intranet to be safe and secure, you need to
make sure that every piece of software you integrate is protected from end to
end. API-based integrations, for example, need to offer secure endpoints and
shouldn't expose your private API data, details about the intranet, or your
employees.

51 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
6. Never Forget to Update
Updates always introduce new complexities and risks to your company intranet.
However, not updating is not an option either, as new threats and security
vulnerabilities emerge every day. Legacy intranets, for example, require manual
updates that can break your system and damage functionality, which results in
potential data loss or the exposure of sensitive information. With a modern
intranet, these concerns largely disappear as SaaS-based products carry out
automatic updates.

S
7. Choose a Modern Intranet Platform
Lastly, make sure you choose the right tool for your business. Assess your

TE
company needs and decide whether you need an open-source intranet or
proprietary software. Decide between a monolithic solution or a best-of-breed
platform and determine the architecture and the functionalities your intranet
needs to have to support your employees. The intranet platform you choose will

O
play a vital role in how you will be able to approach security and how safe your
information is against malicious attacks.

Local Area Network Security

N
K
How can a local area network (LAN) be secured?
H

There are many different ways to provide security for local area networks (LANs). Many
of these apply to the common types of hardware that are used for these small, local
S

network setups.

One common strategy is to install a firewall resource behind a single access point, such
E

as an initial wireless router. It’s also appropriate to use specific security protocols
like WPA or WPA2 for password encryption on traffic coming in from the internet.
N

Designers may also want to secure other routers and switches that serve different parts
IG

of the network.

Administrators can also filter traffic using a detailed knowledge of trusted network areas.
Many of these strategies rely on specialized authentication policies where network traffic
V

is scrutinized to prevent different kinds of unauthorized access. Some can use "tunnel"
technologies like VPN or otherwise lock down various access points for more precision
control. Users can also control security, i.e. control packets, through different layers of
the OSI model, where experts talk about security "at the network layer" for effective
control.

52 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
In addition, LANs typically need internal security strategies. These involve adding
elements like anti-virus or anti-malware security, in case some of these types
of hacking functions are introduced to networks through user activity. For example, many
intrusive viruses and malicious programs operate off of a user opening an email,
downloading a file from an illegitimate source or otherwise opening up the internal LAN
to exterior threats.

Those who are trying to promote better security for a LAN need to look carefully at each
aspect of security design, in order to close as many loopholes and prevent as

S
many vulnerabilities as possible.

TE
Securing Your Office Network

For the average SaaS company you can operate on the following minimum network

O
security recommendations:

1. Get a support router with an activated firewall

N
Change the default admin login credentials so that if your network is compromised the
hacker can’t make changes to the network. Every time a vulnerability is discovered,
K
there will be a firmware update issued. It’s critical that you install these updates. An easy
way to make sure an update isn’t missed would be to turn on the auto-update feature.
H

2. Use WPA2 encryption

This is a type of encryption that secures the vast majority of Wi-Fi networks. The WPA2
S

should have a strong password.

E

3. Create a “Guest Network”

N

You want this for individuals who visit the office but are not a part of your company. Most
modern routers have a feature to enable a guest network. This is an easy way to boost
IG

your network security.

4. Physically secure your network hardware

V

Physical security is a very important consideration. The hardware shouldn’t be out in the
open where anybody can access it. You want hardware stored in a controlled room or
locked office where a member of the organization can keep an eye on it. An extra
precaution would be to monitor the hardware with a security camera.

53 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
5. Acquire higher-quality routers

You likely have basic routers like the kind that the service provider sets up or the cheap
ones from the electronics store come with a low-level firewall. However, a business-grade
router comes with stronger firewalls. Some even have intrusion detection or intrusion
protection systems built into them that make them worth the extra cost. The stronger
routers are likely to have better performance on the network because these models have
the ability to handle more devices.

S
6. Deactivate the “use ports” on the router

TE
There are often USB or Ethernet ports on a router that are not in use. Deactivating these
ports will limit the chances that somebody could plug a rouge device into the network.
Since these ports are one more entry point to worry about when it comes to LAN security,

O
turn them off if you can.

7. Add MAC address filtering

N
MAC address filtering is a security measure that only allows devices that the organization
is aware of to connect to the network. The filtering can be done by collecting the MAC
K
address of every device and then uploading those credentials into a database in the
router. It may seem like an extra precaution but it just ensures that if a hacker was able
to get the password to the network, they wouldn’t be able to gain access without having
H

one of the identified MAC addresses.

Wireless Network Security

S

Like the system's security and data security, keeping a sound knowledge about different
E

wireless security measures is also essential for security professionals. It is because

different wireless security mechanisms have a different level of strength and capabilities.
N

There are automated wireless hacking tools available that have made cybercriminals
IG

more powerful. List of some of these tools are:

 AirCrack.
 AirSnort.
V

 Cain & Able.

 Wireshark.
 NetStumbler etc.

Different hacking techniques include remote accessing, shoulder surfing, wireless

router's dashboard accessing, and brute-forcing attack that are used to penetrate

54 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
wireless security. In this chapter, you will learn about the different security postures that
exist in the wireless domain.

What is Wireless Security?

Wireless security revolves around the concept of securing the wireless network from
malicious attempts and unauthorized access.

The wireless security can be delivered through different ways such as:

S
1. Hardware-based: where routers and switches are fabricated with encryption
measures protects all wireless communication. So, in this case, even if the data

TE
gets compromised by the cybercriminal, they will not be able to decrypt the data
or view the traffic's content.
2. Wireless setup of IDS and IPS: helps in detecting, alerting, and preventing
wireless networks and sends an alarm to the network administrator in case of any

O
security breach.
3. Wireless security algorithms: such as WEP, WPA, WPA2, and WPA3. These are
discussed in the subsequent paragraphs.

Wired Equivalent Privacy (WEP)

N
K
Wired Equivalent Privacy (WEP) is the oldest security algorithm of 1999. It uses the
initialization vector (IV) method. The first versions of the WEP algorithm were not
H

predominantly strong enough, even when it got released. But the reason for this weak
release was because of U.S. limits on exporting different cryptographic technologies,
which led the manufacturing companies to restrict their devices to 64-bit encryption only.
S

As the limitation was withdrawn, the 128 bit and 256 bit WEP encryption were developed
E

and came into the wireless security market, though 128 became standard.

Wi-Fi Protected Access (WPA)

N

Wi-Fi Protected Access (WPA) was the next Wi-Fi Alliance's project that replaced the WEP
IG

standard's increasingly noticeable vulnerabilities. WPA was officially adopted in the year
2003, one year before the retirement of WEP. WPA's most common configuration is with
WPA-PSK, which is abbreviated as Pre-Shared Key. WPA uses 256-bit, which was a
V

considerable enhancement above the 64-bit as well as 128-bit keys.

Wi-Fi Protected Access II (WPA2)

Wi-Fi Protected Access II (WPA2) became official in the year 2006 after WPA got
outdated. It uses the AES algorithms as a necessary encryption component as well as

55 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
uses CCMP (Counter Cipher Mode - Block Chaining Message Authentication Protocol) by
replacing TKIP.

ADVERTISING

Wi-Fi Protected Access 3 (WPA3)

Wi-Fi Protected Access 3 (WPA3) is the latest and the third iteration of this family
developed under Wi-Fi Alliance. It has personal and enterprise security-support features

S
and uses 384-bit Hashed Message Authentication Mode, 256-bit Galois / Counter Mode
Protocol (GCMP-256) well as Broadcast/Multicast Integrity Protocol of 256-bit. WPA3 also

TE
provides perfect forward secrecy mechanism support.

O
Wireless Sensor Network Security

N
K
H
S
E
N
IG
V

56 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

57 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

58 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

59 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

60 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

61 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

Cellular Network Security

Despite their seemingly endless coverage (your mileage will definitely vary), cellular
network security has proven to be surprisingly robust over the years. There have been
security issues over the years to be sure, but the lion’s share of problems have come
from the way that people use the network rather than the network itself being
compromised.

S
These threats can come from all of the usual sources that you would try to protect from
online, but there are some that are also uniquely tied to mobile devices. Today we’re

TE
going to be briefly covering some of the security functions that had been implemented
over the years for cellular networks and some of the threats we still face on a day to day
basis when it comes to mobile security.

O
Cellular networks

N
There are a number of different communication technologies that most users are at least
K
somewhat familiar with but are tied to particular ‘Generations’ of devices and their
associated networks- GSM (Global System for Mobiles) and CDMA (Code Division Multiple
Access) were commonplace during the 2G and 3G era, LTE (Long Term Evolution) for 4G,
H

and 5G-NR for 5G networks that are still being rolled out. Starting with 4G, most major
vendors globally converted over to the LTE standard, allowing for far less fragmentation
S

of device compatibility. We’re going to be referring to a presentation from the National

Institute for Standards and Technology on “LTE Security- How Good Is It?” for a
E

considerable amount of the breakdown of functionality.

Access to LTE Networks as a rule is provided through a series of mesh-style base stations
N

which send and receive signals from user devices which then forward requests onto a
backend core network. The core network itself processes authentication and subscriber
IG

services along with connecting users to the rest of the Internet.

V

62 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
Much like the OSI model, the cellular stack provides connectivity from the physical layer

O
all the way up through application, with TCP/IP doing its own thing and not really lining
up properly with the standards. TCP/IP however does sit on top of the packet data

N
convergence protocol (PDCP), which provides header compression and radio encryption.
K
H
S
E
N
IG
V

The IMSI (International Mobile Subscriber Identity) is a unique id for every subscriber.
While you might think at first glance that it would just be the user’s phone number, it

63 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
actually has nothing to do with it. This is usually a 15 digit numeric value stored on the
UICC (Universal Integrated Circuit Card), which can be considered a next-gen SIM
(Subscriber Identification Module) card. The IMSI contains three separate values- 3 digits
comprising the MCC (Mobile Country Code), 2 to 3 digits for the MNC (Mobile Network
Code), and then the MSIN (Mobile Subscription Identification Number) from the provider
itself.

The UICC operates the same conceptually as a smart card- providing a basis for
encrypting communications and authentication. This is far from the only encryption

S
method used for protecting data transfers and calls, as the Authentication and Key

TE
Agreement (AKA) protocol is first used to authenticate devices to the network, and only
after this has been completed are the crypto keys for encrypting calls generated. As we
go up the Cellular Stack, multiple 128-bit and 256-bit keys are used to help protect both
internal communications and user traffic.

O
Once traffic has been received by the base stations from the user, IPsec protects
communications on the backend from the base stations to the core network, both of

N
which use PKI certificates to authenticate to each other. Problems come into play
however when data has to abide by legacy rules such as the GSM downgrading noted
above. This also means that services that exploit elements that cannot be updated or the
K
human factor could still gain access to user data despite strong protections. Let’s quickly
go over a few of these Potential Security Issues.
H

2FA via SMS

S

Multiple methods have been revealed over the years that allow unauthorized users to
gain access to text messages. Sometimes this has been by obtaining access via
E

employees at the cellular provider, 3rd party services that can operate without
verification, or malicious apps with elevated permissions.
N

Because of this, 2FA (2 Factor Authentication) via SMS is considered potentially insecure
IG

and exploitable to the point where it is recommended to use any alternative to this
system.
V

Compromised Wi-Fi networks

If a user connects to a compromised Wi-Fi network, most of the protections on the

Cellular Network will not apply because it’s not being used. Making sure that Wi-Fi is
turned off whenever leaving a safe area is critical for users to avoid accidentally
connecting to a network that they don’t want to.

64 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Out of support devices

The supported lifetime for most mobile devices is significantly less than that of their
desktop or laptop counterparts. This means that security updates may possibly stop
being received by user devices just a few years after the initial release of the device. If
users continue to use these devices long after this date, they run the risk of having their
devices exploited through any number of means.

S
While purchasing new devices and moving over to them can be difficult, the benefits
outweigh the potential costs.

TE
App leaks

App developers do not have unlimited resources. They put together a product, ship it out

O
and try to get it approved and on their respective stores as quickly as possible. This
means that some legitimate apps may have higher than intended permissions, which

N
would give them access to a significant amount of non-essential data, but without
adequate protections for that data because they didn’t need it in the first place. Because
of this, other apps that have been installed may be able to sniff around for this
K
information and send it off to third parties.

Being careful about what apps we permit on our devices and regularly updating the ones
we do have are both excellent ideas. What we can also do though is audit App
H

Permissions on a regular basis and see what apps have been granted which permissions.
Removing permissions from apps may cause unexpected errors, but least privilege is
S

worth investigating when it comes to sensitive information.

E

Social engineering
N

Social Engineering in the modern age can involve sending SMS messages, emails, phone
calls, browser popups, full screen ads and more to users with prompts ranging to polite
IG

requests to threatening legal action if they don’t do some specific action. This could
potentially convince users to give whatever information they are being asked for to a 3rd
party that definitely should not have access to it, and cost them dearly as a result.
V

Some protections have been built into Mobile OS’s already, along with spam protection
and caller id’s flagging potentially suspicious numbers. These bad callers can then be
sent to voicemail directly without the user having to deal with it.

65 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Conclusion

Cellular Networks are vastly improved compared to where they were years ago, and are
continuing to become better as we move into 5G and beyond. These protections though
only go so far however, and we still need to remain vigilant for threats that can that use
this network to spread, or bypass it entirely.
Posted: March 23,

S
What is mobile security?

TE
 Mobile device security refers to being free from danger or risk of an asset loss or
data loss using mobile computers and communication hardware

O
 The future of computers and communication lies with mobile devices, such as
laptops, tablets and smartphones with desktop-computer capabilities. Their size,

N
operating systems, applications and processing power make them ideal to use
from any place with an internet connection. And with the expansion of ruggedized
devices, the Internet of Things (IoT) and operating systems, such as Chrome OS,
K
macOS and Windows 10, every piece of hardware that's enhanced with this
software and capabilities becomes a mobile computing device.
H

 Because mobile devices have become more affordable and portable,

organizations and users have preferred to buy and use them over desktop
S

computers. And with ubiquitous wireless internet access, all varieties of mobile
devices are becoming more vulnerable to attacks and data breaches.
E

 Authentication and authorization across mobile devices offer convenience, but

N

increase risk by removing a secured enterprise perimeter’s constraints. For

example, a smartphone’s capabilities are enhanced by multi-touch screens,
IG

gyroscopes, accelerometers, GPS, microphones, multi-megapixel cameras and

ports, allowing the attachment of more devices. These new capabilities change
the way users are authenticated and how authorization is provided locally to the
V

device and the applications and services on a network. As a result, the new
capabilities are also increasing the number of endpoints that need protection from
cybersecurity threats.

 Today cybercriminals can hack into cars, security cameras, baby monitors and
implanted healthcare devices. And by 2025, there could be more than 75 billion

66 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
“things” connected to the internet — including cameras, thermostats, door locks,
smart TVs, health monitors, lighting fixtures and many other devices.

Mobile security threats

 While it's certainly critical to establish and enforce an enterprise-wide security

policy, a policy alone isn't sufficient to counter the volume and variety of today's
mobile threats. In 2019, Verizon conducted a study (PDF, 77 KB, link resides

S
outside of ibm.com) with leading mobile security companies, including IBM,
Lookout and Wandera, surveying 670 security professionals. The study found that

TE
1 out of 3 of those surveyed reported a compromise involving a mobile device.
47% say remediation was "difficult and expensive," and 64% say they suffered
downtime.
 And companies embracing bring-your-own-device (BYOD) policies also open

O
themselves to higher security risks. They give possibly unsecured devices access
to corporate servers and sensitive databases, opening them to attack.

N
Cybercriminals and fraudsters can exploit these vulnerabilities and cause harm or
damage to the user and the organization. They seek trade secrets, insider
information and unauthorized access to a secure network to find anything that
K
could be profitable.

Phishing
H

Phishing — the number-one mobile security threat — is a scamming attempt to steal

users’ credentials or sensitive data, such as credit card numbers. Fraudsters send users
S

emails or short message service (SMS) messages (commonly known as text messages)
designed to look as though they’re coming from a legitimate source, using fake
E

hyperlinks.
N

Malware and ransomware

IG

Mobile malware is undetected software, such as a malicious app or spyware, created to

damage, disrupt or gain illegitimate access to a client, computer, server or computer
network. Ransomware, a form of malware, threatens to destroy or withhold a victim’s
V

data or files unless a ransom is paid to decrypt files and restore access.
What is ransomware?

Cryptojacking

Cryptojacking, a form of malware, uses an organization’s computing power or individual’s

computer power without their knowledge to mine cryptocurrencies such as Bitcoin or
Ethereum, decreasing a device’s processing abilities and effectiveness.

67 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Cryptojacking Attacks: Who's Mining on Your Coin? - This link opens in a new tab

Unsecured wifi

Unsecured wifi hotspots without a virtual private network (VPN) make mobile devices
more vulnerable to cyberattack. Cybercriminals can intercept traffic and steal private
information using methods such as man-in-the-middle (MitM) attacks. Cybercriminals can
also deceive users into connecting to rogue hotspots, making it easier to extract

S
corporate or personal data.
How to Secure Wi-Fi From Home - This link opens in a new tab

TE
Outdated operating systems

Older operating systems (OS) usually contain vulnerabilities that have been exploited by

O
cybercriminals, and devices with outdated Oss remain vulnerable to attack. Manufacturer
updates often include critical security patches to address vulnerabilities that may be
actively exploited.

Excessive app permissions N

K
Mobile apps have the power to compromise data privacy through excessive app
permissions. App permissions determine an app’s functionality and access to a user’s
device and features, such as its microphone and camera. Some apps are riskier than
H

others. Some can be compromised, and sensitive data can be funneled through to
untrustworthy third parties.
S

How to secure mobile devices

E

The core security requirements remain the same for mobile devices as they do for non-
N

mobile computers. In general, the requirements are to maintain and protect

confidentiality, integrity, identity and non-repudiation.
IG

However, today's mobile security trends create new challenges and opportunities, which
require a redefinition of security for personal computing devices. For example,
V

capabilities and expectations vary by device form factor (its shape and size), advances in
security technologies, rapidly evolving threat tactics, and device interaction, such as
touch, audio and video.

IT organizations and Security teams need to reconsider how to achieve security

requirements in light of device capabilities, the mobile threat landscape and changing
user expectations. In other words, these professionals need to secure multiple

68 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
vulnerabilities within the dynamic and massively growing mobile device environment. A
secure mobile environment will offer protection in six primary areas: enterprise mobility
management, email security, endpoint protection, VPN, secure gateways and cloud
access broker.

Enterprise mobility management

EMM is a collective set of tools and technologies that maintain and manage how mobile
and handheld devices are used within an organization for routine business operations.

S
TE
Email security

To protect data from email-based cyber threats such as malware, identity theft and
phishing scams, organizations need to monitor email traffic proactively. Adequate email
protection includes antivirus, antispam, image control and content control services.

O
Endpoint protection

N
With technologies such as mobile, IoT and cloud, organizations connect new and different
endpoints to their response environment. Endpoint security includes antivirus protection,
K
data loss prevention, endpoint encryption and endpoint security management.

VPN
H

A virtual private network (VPN) allows a company to securely extend its private intranet
S

over a public network's existing framework, such as the Internet. With a VPN, a company
can control network traffic while providing essential security features such as
E

authentication and data privacy.

N

Secure gateways

A secure gateway is a protected network connection, connecting anything to anything. It

IG

enforces consistent internet security and compliance policies for all users regardless of
location or device type used, and it keeps unauthorized traffic out of an organization's
network.
V

Cloud access broker

A CASB is a policy enforcement point between users and cloud service providers (CSPs).
It monitors cloud-related activity and applies security, compliance and governance rules
around cloud-based resources use

69 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

What Is IoT Security

IoT security is a subsect of cybersecurity that focuses on protecting, monitoring

and remediating threats related to the Internet of Things (IoT) — the network of
connected devices equipped with sensors, software or other technologies to gather,

S
store and share data via the internet.

TE
Devices include traditional endpoints, such as computers, laptops, mobile phones,
tablets and servers, as well as non-traditional items, such as printers, cameras,
appliances, smart watches, health trackers, navigation systems, smart locks or smart
thermostats.

O
Why is IoT Security Important?

N
Over the past decade, IoT technology has experienced phenomenal growth. IoT
Analytics , an insights firm specializing in IoT research, reported that IoT connections,
such as smart home devices, connected cars and network industrial equipment
K
exceeded traditional connected devices such as computers and laptops, for the first
time in 2020, representing 54% of the 21.7 billion active connected devices. The firm
H

estimates that by 2025, there will be more than 30 billion IoT connections, which
equates to about four IoT devices per person on average.
S

Often overlooked or minimized within the cybersecurity strategy, IoT security has
become a more pressing concern for organizations given the recent shift to remote
E

work due to COVID-19 . With people now relying on both their home network and
personal devices to conduct business activities, many digital adversaries are taking
N

advantage of lax security measures at the endpoint level to carry out attacks.
Insufficient IoT protocols, policies and procedures can pose a grave risk for
IG

organizations since any device can serve as a gateway to the wider network.

IoT Security Challenges

V

IoT security is extremely important because any smart device can serve as an entry
point for cybercriminals to access the network. Once adversaries gain access through
a device, they can move laterally throughout the organization, accessing high-value
assets or conducting malicious activity, such as stealing data, IP or sensitive
information.

70 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
One of the main challenges is that users and developers don’t think of IoT devices as
targets for cyberattackers. Developers typically have smartphone and computer
devices tested by paying an ethical hacker to uncover bugs and other issues. Testing
these devices ensures they are fully protected from adversaries, but, if IoT devices
are not equipped with the same level of protection, the organization as a whole is at
risk of a cyberattack.

 Check out our new product, Falcon Discover, which allows your organization to

S
quickly identify and eliminate malicious or noncompliant activity by providing
unmatched real-time visibility into IoT devices, users, and

TE
applications.Explore: CrowdStrike's Falcon Discover

 Even if developers adopt a hyperfocus on cybersecurity for IoT devices, a

huge challenge involves user interaction and education. Many IoT devices

O
come with a default username and password, which you can typically change.
Nevertheless, many users prefer using default credentials for matters of

N
convenience, wrongly thinking that their device is not susceptible to
cyberattacks.
K
 Additionally, consumers are unaware of the importance of staying up to date
with the latest software or firmware update in your device. Updates are not
exclusive to smartphones and computers, and should not be indefinitely
H

postponed. Developers craft these updates to stay on top of software

vulnerabilities and manage bugs, so having the latest version of the firmware
S

on all devices will help your organization stay secure.

 It is necessary for organizations to develop a comprehensive cybersecurity

E

strategy that protects against a wide range of cyberattacks across all devices
at both the endpoint and network level.
N

Common Attacks on IoT Devices

IG

DoS and DDoS Attacks

V

In a Denial of Service (DoS) attack , cybercriminals will assume control of the device
and use it to overwhelm servers with web traffic, preventing legitimate users from
conducting normal activity. A Distributed Denial of Service (DDoS) attack is similar,
but cybercriminals use a distributed network of infected devices, Botnet , to flood the
website with fake traffic and overwhelm the servers.

Firmware Exploits

71 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Firmware is the software that operates the hardware on every device. Operating
systems in smartphones and computers typically run independent of the firmware,
but on most IoD devices, the firmware is the operating system and doesn’t have a
security protection system in place.

Credential Exploits

Many IoD devices tend to have easy or generic usernames and passwords that might

S
be easy to decipher by a cyberattacker. Attackers are experts on what they do, and
are aware of common credential vulnerabilities across popular devices.

TE
On-Path Attacks

IoD devices do not typically encrypt their data by default. This makes them

O
particularly vulnerable to on-path attacks, attacks where an attacker “sits” in the
middle of two stations or parties that trust each other. The attacker then intercepts
and manipulates the data being exchanged.

IoT Security Best Practices N

K
IoT security is part of the organization’s overall cybersecurity strategy. It is
important to treat connected devices with the same level of security as they would a
traditional endpoint, such as a computer or smartphone.
H

Consumer Best Practices

S

 Staying up to date with all patching and OS updates required by the

E

connected device.
 Using strong password practices for all connected devices.
N

 Enabling multi-factor authentication whenever possible.

 Routinely take inventory of your connected devices and disable any items
IG

that are not used regularly.

Business Best Practices

V

 Developing and implementing an IoT device policy that outlines how

employees can register and use a personal device, as well as how the
organization will monitor, inspect and manage those devices to maintain the
organization’s digital security.
 Compiling and maintaining a master list of all IoT devices — both those
owned by the organization and those owned by employees — to better

72 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
understand the attack surface and the security measures needed to maintain a
safe environment.
 Consider implementing a cloud access security broker (CASB) to serve as a
security check point between cloud network users and cloud-based applications to
manage and enforce all data security policies and practices including
authentication, authorization, alerts and encryption.
 Monitoring all network devices and taking immediate action if and when any
devices show signs of compromise.

S
 Encrypting all data being transmitted to and from connected devices from its
original format to an alternative.

TE
 Implementing cybersecurity best practices from the development stage of
IoD devices

CrowdStrike’s Approach to IoT Security Tools

O
 Since there is no single security tool that can provide uniform and complete

N
protection across all connected devices, IoT security requires a blend of
elements from both the endpoint security strategy and cloud security
strategy.
K
 On top of our Falcon Discover for IoT, CrowdStrike has a number of strategic
partners that offer protection for specific processes and devices. Check out
H

the CrowdStrike Store and explore our extensive toolkit for IoT security.

Kali Linux
S

Operating System is the main system software which is responsible for the flawless
E

working of the machine. Some Operating Systems are designed for some specific
purposes. Though we could use them for anything we want to, but they have some
N

special tools or services available feasibly to its users which makes it a good OS for the
specific purpose. Like we generally prefer Windows in case of gaming as most of the
IG

games are available for windows itself. Likewise, we prefer mac OS for designing related
purposes as most of the designing software is easily available for mac and can be used
flawlessly. In the same way when we have an OS for Network Security, Digital Forensics,
V

Penetration testing, or Ethical Hacking named Kali Linux.

Kali Linux is a Debian-derived Linux distribution that is maintained by Offensive

Security. It was developed by Mati Aharoni and Devon Kearns. Kali Linux is a specially
designed OS for network analysts, Penetration testers, or in simple words, it is for those
who work under the umbrella of cybersecurity and analysis. The official website of Kali
Linux is Kali.org. It gained its popularity when it was practically used in Mr. Robot Series.
It was not designed for general purposes, it is supposed to be used by professionals or by

73 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
those who know how to operate Linux/Kali. To know how to install Kali Linux check
its official documentation.
Advantages:
 It has 600+ Penetration testing and network security tools pre-installed.
 It is completely free and open source. So you can use it for free and even
contribute for its development.
 It supports many languages.
 Great for those who are intermediate in linux and have their hands on Linux

S
commands.
 Could be easily used with Raspberry Pi.

TE
Disadvantages:
 It is not recommended for those who are new to linux and want to learn linux.
(As it is Penetration Oriented)
 It is a bit slower.

O
 Some software may malfunction.
Kali Linux is to be used by those who are professional penetration testers, cybersecurity

N
experts, ethical hackers, or those who know how to operate it. In simple words, if you
know how to use Linux and its terminal commands, architecture, system, and file
management then you are good to go with Kali Linux. And if you are not, then we will
K
recommend you first start with ubuntu distribution and get your hands on Linux and after
sufficient practice, you could give Kali Linux a try. This will not only save your time of
searching on the internet but also will make you use it with ease. However, if you’re a
H

professional penetration tester or studying penetration testing, there’s no better toolkit

than Kali Linux.
S

Why Kali Linux?

If you are interested in penetration testing or cybersecurity stuff you need some specific
E

tools to perform some tasks which come pre-installed and settled up in Kali Linux so you
may directly use them without doing any configuration. Or in case if one wants to check
N

the vulnerabilities on a website or want to know security-related bugs in any application

then it is great to go with Kali Linux.
IG

Many people think that Kali is a tool for hacking or cracking social accounts or web
servers. This is one of the biggest myths about Kali Linux. Kali Linux is just another
Debian distribution with a bunch of networking and security tools. It is a weapon to train
V

or defend yourself not to attack anyone. Kali Linux was designed mainly for
professionals. It is for those who want to get their hands in Penetration Testing, Cyber
Security, or Ethical Hacking. It is a powerful tool and in case, not used properly, it may
lead to losses even.

74 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E

UNIT III SECURITY MANAGEMENT 9

N

Information security essentials for IT Managers- Security Management

System - Policy Driven System Management- IT Security - Online
IG

Identity and User Management System. Case study: Metasploi

Information security essentials for

V

IT Managers
What is an Information Security Manager?

Every company, organization, and agency uses computer systems to access, send, and
store data. This information has value and security managers are in charge of protecting

75 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
it. This job focuses on proactively setting up defenses against threats and responding to
security breaches if they occur.

Information security professionals acquire specific technical skills during an

undergraduate program. Learning about analyzing network activity, monitoring users,
understanding vulnerabilities, performing scans, and preventing network intrusion are
essential for anyone following this career path.

However, those with plans to ascend to a security manager position can learn additional

S
skills in a graduate-level program or during professional certification courses.

TE
Learn about Degree Options

What Does an Information Security Manager Do?

O
An information security manager's duties focus on building, maintaining, and updating
cybersecurity systems and practices, and responding to breaches should they occur.

N
In a larger organization or company, a manager heads a cybersecurity team. In a smaller
company, they may handle all the tasks themselves or work with non-specialist IT
personnel.
K
Here are some of the key duties that information security managers perform regardless
of the setting in which they work:
H

 Monitoring all network operations and infrastructure. Information security

S

managers are responsible for regularly going through logs to look for suspicious
activity and maintaining an organization's data systems and networks.
E

 Monitoring internal and external policy compliance. In this career, you

monitor employee operations and client interactions to ensure compliance with
N

the organization's cybersecurity policies.

 Maintaining all security tools and technology. Information security
IG

managers are responsible for ensuring that all security programs, tools, and
technologies are working correctly, as well as providing the necessary protections
to the company's networks, digital communications, and databases.
V

 Implementing new technology. Information security managers monitor the

implementation of any new technology, hardware, or software. They ensure that
these systems are secure and do not create any new vulnerabilities for the
existing network.
 Monitoring regulation compliance. This is a critical duty for information
security managers who work in heavily regulated industries, such as finance or
healthcare, that handle, transmit, and store personal information.

76 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Information security managers also advise management-level personnel and decision-
makers on cybersecurity matters.

Where Do Information Security Managers Work?

Organizations and companies in nearly all industries rely on computer systems, and they
need to ensure that their data and networks are secure. Because of such widespread
demand for information security, qualified professionals can work almost anywhere.

S
Here are some examples of companies and industries that often hire information security
managers.

TE
 Financial services companies
 Computer and information systems companies
 Internet service providers

O
 Healthcare and pharmaceutical companies
 Brick-and-mortar and online retailers
Manufacturing



Telecommunications companies
Government agencies
Cybersecurity service providers
N
K


The educational requirements for information security managers are similar regardless of
where they choose to work.
H
S

What Education Does an Information Security Manager Need?

E

Given the considerable technical ability required for a career as an information security
manager, applicants for an entry-level position typically need at least a bachelor's
N

degree in cybersecurity or an IT degree with a significant amount of coursework related

to cybersecurity.
IG

Following up the bachelor's degree with a master's degree in information security can
help you prepare for a management position. During such a program, you will increase
your level of technical skill and also learn the strategic thinking and leadership skills
V

necessary for a senior position. Master's degree holders can often enter the workforce at
a higher level than those with a bachelor's degree.

77 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

Security Management System

Security Management System (ISMS) is defined as an efficient method for managing

sensitive company information so that it remains secure. The security management

system is a very broad area that generally includes everything from the supervision of

security guards at malls and museums to the installation of high-tech security

management systems that are generally made to protect an organization’s data. Read on

S
to learn more about this field and get examples of the types of security management in

TE
place today.

Feature of Security Management System:

 Security management relates to the physical safety of buildings, people, and

O
products.

 Security management is the identification of the organization’s assets.


N
Generally, Security Management System is provided to any enterprise for

security management and procedures as information classification, risk

K
assessment, and risk analysis to identify threats, categorize assets, and rate.

Importance of security management: There are some important aspects of security

H

management which is generally provided to any organization and which are given

below:
S

1. Intellectual Property: There are principal reasons, that organizations formalize an

E

innovation management program, is to gain a competitive edge over the competition.

Although if the initial ideation phases are open to everyone, a lot of work goes into
N

developing and refining those ideas and that refinement is often the difference between
IG

an incremental idea and a transformative one and the companies don’t protect those

later stage refinement activities, then they could lose the competitive edge they gain by

instituting an innovation management program in the first place.

V

2. Data Integrity: Security Management systems confidence in lots of data to help

prioritize and validate initiatives and generally we could be talking about votes and

comments on ideas, ROI data, and beyond. If security management systems aren’t

secure, this data could be stripped or tampered with. It will be simple to make an idea or

project appear more popular or more valuable if the system can be gamed.

78 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
3. Personally Identifiable Information: All who participate in a security management

program share at least their personal information in order to log on to the system and

where privacy is everything – security management systems are provided to protect all

their users as a matter of course.

4. System Interconnectivity: Generally, security management software interacts with

a variety of other systems like project management, social software, and beyond, etc.

S
Frailness in one system can lead to frailness in others, which is why any security

management system has to be equal to the systems with which it interacts

TE
- Policy Driven System Management-

O
Policy-driven system management or policy-based management (PBM) is a research
domain that aims to automate the management of large-scale computing systems. The

N
long-term vision of PBM is that humans no longer need to care for low-level aspects of
system management, but may focus on the specification of high-level management goals
K
that will be autonomously enforced by computer agents. Ultimately, computing systems
will be comparable to, for instance, biological systems that regulate basic body functions
such as the heart rate without conscious intervention by humans. The promise of PBM
H

lies, on the one hand, in reducing system management costs that grew significantly over
the past decades and, on the other hand, in the improvement in service quality. Although
S

PBM has several application domains, this chapter focuses particularly on its use for
securing computing systems according to high-level security goals.
E

What is a policy management system?

N

 Without a modern policy management system, it’s all too easy for policy and
process to slip through the cracks of your organization.
IG

 A policy management system is an organized method for, you guessed it,

managing policies. There are many pieces to successful policy management, but
V

a system connects those pieces together to create a unified whole.

Maybe you can relate to some of these challenges:

 Scattered policies: making it difficult to access and update them

 Multiple versions: resulting in employees referencing old policies
 Poor communication: making it difficult to send and track policy updates
 Limited collaboration: leading to frustration with ineffective tools like email

79 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Unsecure system: increasing risk of misplaced docs and privacy breaches
 Lack of accountability: resulting in employee noncompliance risks

A policy and procedure management system lets you control document security, easily
collaborate on policy updates, publish content to the community, distribute policies to
employees, and track E-signatures on said documents.

There are many types of policy management systems, and some are way more efficient

S
than others. What system, if any, does your organization currently use for managing
policies?

TE
1. Paper-based policy management

Paper. It seems rather quaint and traditional in this digital age, doesn’t it? Many

O
organizations still rely on paper for managing their policies though, and it’s
understandable why. For decades, it was the only option businesses had.

N
Paper-based policy management wouldn’t be possible without filing cabinets and
binders. While these filing systems provide some order and structure, their
shortcomings could be costing your organization.
K
Filing cabinets
H

Filing cabinets aren’t a scalable solution. The filing of paper documents involves creating,
printing, categorizing, labeling, and sorting thousands of documents over time. It can
S

take hours, not to mention finding files once they’re logged away. Even with a highly
structured filing system, tracking down old documents can be time intensive.
E

And it only gets worse over time. The longer an organization exists and the more it
N

grows, the more filing cabinets it will require, taking up valuable office space.

According to some studies, it costs an average of $20 in labor to file a paper document.
IG

Searching for a misfiled document could cost up to $120, and recreating a lost document
could cost $220.
V

The problem is these gaps and errors are rarely tracked, so organizations never get a
sense of how much money they’re actually losing on an annual basis from ineffective
policy management systems.

Binders

80 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Employees need to be aware of policies in order for policies to do their job. What is a
policy’s job? To keep your employees and organization aligned with best practices,
industry standards, and regulations.

If this doesn’t happen, you know better than anyone what the consequences are: fines,
lawsuits, brand disrepute, and more. Basically a PR nightmare.

What it comes down to is communication and access, both of which are limited with a

S
paper-based system like binders.

Many organizations distribute policies to staff as paper binders. Yes, this puts necessary

TE
information in the hands of employees. But too often, these binders end up ignored on a
shelf or in a drawer.

O
With binders, it’s difficult to distribute and track new/updated policies. When it comes to
new policies, administrators have to print and hand out a copy to every staff member.
When a policy binder is updated, old binders need to be thrown away. But what happens

N
if it’s not? Various versions of documents get circulated and referenced, opening your
organization up to liability.
K
What is paper costing you?

Now that we’ve looked at filing cabinets and binders and their pitfalls, let’s look at four
H

additional ways that paper is costing you time, money, and effort.
S

Paper is easy to lose, damage, or misplace

E

In a survey by Ponemon Institute, 71% of respondents said they were aware of a time
when important paper documents got lost or misplaced. When important documents slip
N

through the cracks, it can disrupt day-to-day operations, confuse employees, and create
security issues.
IG

With a paper system, it’s difficult keeping track of due dates for important documents,
which hurts your organization’s chances for accreditation. In industries that require
certifications and licenses, especially, outdated documents pose serious liability risks.
V

Paper comes with security risks

Paper policies also pose security risks. Apart from locking filing cabinets, administrators
have little control over who can view sensitive documents.

81 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
In the same Ponemon survey, 61% of respondents said there weren’t enough controls to
secure paper documents. In industries such as healthcare, a lack of document security
can result in HIPAA violations.

Paper documents are also susceptible to damage. If a company doesn’t digitally back up
its documents, it runs the risk of losing all its policies and essential paperwork to a fire,
flood, or other disasters.

S
Paper policies are time-consuming to maintain and update

In many industries, the volume of paperwork required for operations is too much for one

TE
person to manage. As organizations grow, they may need to hire more administrators
just to manage documents. But this can create budget strains and take up valuable
administrative hours that would be better used on other projects.

O
Most experts suggest that organizations update policies and procedures at least
annually. But if policies only exist on paper, it can be challenging to do so. Administrators

N
must distribute printed copies of policies to collaborators, collect and interpret the
suggestions, and input all the edits. Then they have to pass out the revised version and
the process starts all over again.
K
Keeping physical backups of policies can be helpful, but using a completely paper-based
system can be a drain on resources and time and expose your organization to risk.
H

Paper is expensive
S

The average office employee prints 10,000 pages every year, costing
E

companies thousands of dollars in paper and printing costs.

N

2. Mixed media policy management

Mixed media systems are a mix of digital and paper solutions. Chosen to reduce paper
IG

costs and inefficiencies, it’s the middle ground between paper and digital systems.

While mixed media solutions allow for file sharing and limited collaboration, they may fall
V

short of your policy management needs. In this section, we’ll explore three
common tools that organizations use in conjunction with paper.

Shared (Intranet) drives

Uploading documents

82 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
An internal shared drive saves office space and allows for easier document access while
in the office. The problem is employees can’t access shared drives remotely, which is
exacerbated if your employees need to reference policies in the field to do their jobs.

Not to mention, documents on shared drives can easily get duplicated, lost, or deleted.
And since shared drives have limited tagging and linking capabilities, they can be
confusing for employees to navigate.

S
Signing and tracking documents

Quality policy management tools let you collect signatures on important documents.

TE
If you’re using a shared drive, the sign-off process usually involves printing a PDF
document, signing it, and scanning it back onto the drive. Not only is this process time

O
consuming, but it leaves room for error.

 Signed documents can easily get misplaced




You have to manually remind staff to sign N
It’s hard tracking who has signed a document

Lack of data security while documents lay on desks

K
Email
H

While email is still an important tool for communication, it doesn’t have workflow, smart
editing, or tracking functionality. Some organization is possible via folders, but how many
S

of your coworkers have organized email accounts? It’s far too easy for emails to get
deleted, lost, or stored improperly for it to be a reliable policy management tool.
E

Microsoft Teams
N

Microsoft Teams helps small to medium sized teams communicate and collaborate. The
larger your organization, or the more teams you have, the more disorganized the app
IG

becomes. Why? Teams is highly compartmentalized. You can create teams, channels
within those teams, and tabs within channels, but as you create more, the number of
places housing information increases exponentially, making it difficult to access
V

important content.

Designed to be a central hub for all communication, Teams lets you co-author
documents, track revision history, and integrate with various apps to expand its
capabilities. Unfortunately, workflow functionality is limited, you can’t map policies to
standards, and there’s no training component.

83 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Learn more about Microsoft Teams here.

What is mixed media costing you?

Inefficiency

Using a shared drive may cut down on some of the costs associated with paper filing, but
it has some of the same pitfalls. You’ll still have to spend a lot of time maintaining and
distributing documents.

S
Collaboration is overly complicated as well, with administrators having to keep track of

TE
conflicting digital files.

Limited security

O
Mixed media policy management systems don’t allow for customizable security options.
On most shared drives, everyone has access to everything. Research by Forrester has

N
shown that 25% of data breaches were insider jobs, and 36% were the result of
employee mistakes.
K
Mixed media systems can pose even more security risks than paper systems, because
it’s easier for employees to alter, delete, or share files.
H

Plus, on-site shared drives still leave organizations at risk of losing all their files. Hard
drives crash. Computers break. Files get damaged. In-office backup systems aren’t
S

always guaranteed to work.

Outdated policies
E

When files are stored on a computer or shared drive, accidents happen. It’s easy to
N

unintentionally create duplicates of documents.

IG

Let’s say you distribute paper or email copies of a new policy but forget to update the
version on the drive. This can leave employees referencing the wrong policy, which can
throw a wrench in operations, lead to fines, and create liability risks.
V

Manual processes

Many organizations keep spreadsheets of important due dates. But without automated
reminders, administrators will have to manually manage updates, due dates, employee
sign-offs, and more.

84 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
When leaders make policy changes, there’s no easy way to track who made a change
and when.

In the digital age, there’s no need to keep relying on these cumbersome, manual
processes.

Discover more benefits of using electronic records instead of paper.

3. Digital policy management

S
There are many digital policy management systems on the market. These cloud-based

TE
systems do what paper-based and mixed media systems can’t. Though more expensive
upfront, they save you money in the long run.

Microsoft SharePoint

O
Many organizations use or consider using SharePoint as their digital policy management

N
system. But its ubiquity alone shouldn’t compel you to get it. Here are some of the pros
and cons.
K
Pros

SharePoint is a system for document storage and management. As a platform,

H

SharePoint is super customizable, meaning if you have the expertise and time, it can be
tailored to meet your organization’s needs. As part of Microsoft Office, it integrates with
S

the entire Microsoft Office suite, so you can easily use Word, Excel, and PowerPoint.
Finally, SharePoint lets you manage document security, track changes in a limited
E

capacity, and go paperless.

Cons
N

SharePoint has limited out-of-the-box functionality. Most organizations can’t simply buy
IG

the platform and start using it. SharePoint takes significant setup and will require help
from a developer to customize the platform for your needs. While you may have an in-
house developer, getting the most out of SharePoint and maintaining it often takes a
V

developer experienced with SharePoint specifically.

For many organizations, SharePoint requires employee training. And from a cost and time
perspective, it’s not cheap if you have more than a few employees. Lastly, SharePoint
has poor search functionality, making it difficult to access the many policies stored in the
system.

85 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

PowerDMS

PowerDMS is a policy management software that creates a living connection between

your policies, accreditation, and training. Forged in the public safety sector, PowerDMS
now serves 3,500+ public and private sector organizations worldwide with secure, cloud-
based solutions.

S
Pros

TE
PowerDMS allows for policy creation, workflows, version control, distribution, attestation
tracking, and much more. Key data, like who revised or signed a document and when, is
grouped with each respective policy to create a library of living documents. Built with

O
policy managers in mind, it lets you customize admin rights, map policies to standards,
and upload a variety of content (images, videos, audio, documents). Here are some
additional features:



Centralized storage
Automated workflows
N
K
 Acknowledgement tracking
 Real-time notifications
 Version control
H

 Access control
 Powerful search
S

 Side-by-side comparison
 Integrations (Microsoft Office, Adobe)
E

 Mobile functionality
N

Cons
IG

PowerDMS is not a content provider, but they do have content partners they can connect
you with, as well as a tool for subscribing to relevant policy content from publishers. With
policy, accreditation, and training features, PowerDMS is a fairly comprehensive solution.
V

So while it can save you time and money long term, it will take an investment of time
upfront to learn the platform.

What is a digital system costing you?

Although digital policy management systems are more expensive upfront, the good ones
will ultimately save you time and money. The trick is doing the research to find the right
solution for your organization.

86 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
The right solution is one that checks every box on your list of non-negotiables.
Conversely, the wrong solution can create gaps in your compliance, leading to
inefficiencies, wasted time, fines, lawsuits, and brand disrepute.

What is IT Security?

S
IT security is the protection of information and especially the processing of information.

TE
IT security is intended to prevent the manipulation of data and systems by unauthorized
third parties. The meaning behind this is that socio-technical systems, i.e. people and
technology, within companies / organizations and their data are protected against
damage and threats. This does not only mean information and data, but also physical

O
data centers or cloud services.
What is the objective of IT Security?

What is the objective of IT

Security?
N
K
Information has become more and more valuable over the last few years. Therefore it is
all the more important to protect it. Information security is defined by the three IT
H

protection goals of availability, integrity and confidentiality. These must be maintained.

In addition, there are other parts to be added: Authenticity, accountability, non-
S

repudiation and reliability.

Confidentiality of Information
E

Confidentiality of Information
The confidentiality of IT Securitymeans that data is only accessible to certain authorized
N

persons. For example, only a certain group of people can access the data it contains. In
other words, access protection must be defined. This means that access rights must also
IG

be assigned.
Another central point in the confidentiality of information is the transport of data. This
should always be encrypted, symmetrically or asymmetrically. This means that
V

unauthorized persons cannot access the contents.

Information Integrity

Information Integrity
The integrity of the information should be seen, that the contents and data are always
complete and correct. So the systems must also work together for their own benefit. In
order to be able to use data, they must not be changed by means of a sales or
processing operation. For this reason, it is also important to note that there is no

87 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
possibility for the authoritative Dritte to have (part of) the data available. As it is only
possible to make a mistake, it has to be proven that this art of manipulation can be
prevented, that the safety can be improved and that it can be used.

S
TE
O
N
K
Availability of Information
H

Availability of Information
Ensuring the availability of the respective information means that data processing within
S

the systems runs smoothly. The data must be able to be retrieved correctly at the
E

desired time. This means that the computer systems must be protected against failures.
This is why there are also load tests to check the limits, so that business operations are
N

maintained in any case.

Which areas include IT Security?
IG

Endpoint Security
All necessary end devices, i.e. PCs, notebooks, tablets and cell phones must be
V

protected. This includes the associated applications and operating systems. Endpoint
security is about protecting everything that is switched within the company network up
to the Internet.
Internet & Cloud Security

Internet & Cloud Security

88 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
From the moment that information is scattered over the Internet or sent by e-mail, IT
security takes on a new significance. The risk of systems, information and data becoming
the target of cyber attacks is increasing. From then on, it is also true that users or the
data of users and users are protected. Because as soon as users are on the move in the
World Wide Web, they leave footprints via their digital identity.
User Security

User Security
Because they don’t know what they’re doing, even the users in your company can be a

S
major risk. The IT department, where there is awareness, should be very careful to
counteract this. Whether through an application on the private smartphone or through

TE
updates on the laptop, the risk is there. If an email attachment is too large, it should not
be directed immediately to your private email address. The IT department must create
user awareness so that every employee in the company pays the greatest attention to

O
the issue of IT security.
What impact does a cyber attack have on my data?

What impact does a cyber attack

have on my data?
N
K
If one of these three areas of IT security is breached, this can have serious consequences
for the companies and businesses affected. Cyber-attacks allow hackers to access
confidential information, such as internal information or personal data. Industrial
H

espionage, misuse of credit card data or theft of personal identities can be the
consequence. Manipulated data can lead to the disruption of production because
S

automated machines no longer function properly.

Cyber Attack Methods: What attacks exist?
E

Cyber Attack Methods: What

N

attacks exist?
IG

Cyber-crime is constantly changing and new methods are being developed to identify
and exploit security holes. In general, IT Security is asymmetric: in order to significantly
damage a company’s operating procedures, a cyber-criminal must successfully exploit a
V

single weakness. Companies, on the other hand, have to ensure comprehensive

protection to safeguard their IT security.
Advanced Persistent Threats (APTs)

Advanced Persistent Threats (APTs)

Advanced Persistent Threats (APT) means “advanced and persistent threat”. Hackers use
a lot of time, effort and resources to penetrate a system. First they infiltrate a computer

89 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
to spy on internal processes and from there they sabotage the entire network. This gives
cyber-criminals permanent access to a network and from there they can spread more
malware to attack the entire system.
M

Malware
alware
Malware can be any type of malicious program that can cause damage to infected
systems. These include worms, viruses, Trojans and ransomware programs. WannaCry,

S
Petya and Ryuk in particular have demonstrated in recent years that malware is quite
capable of bringing companies to the brink of closure or even insolvency if IT Security is

TE
inadequate. More about malware you can read here.
Phishing

Phishing

O
Phishing is an attempt at fraud carried out electronically, in which a fake email is sent to
the recipient, who often does not recognize it as such at first. This method of cyber-

N
attack, in the form of a professional looking email, is often designed to trick the recipient
into revealing confidential data. Learn more about phishing here.
K
H
S
E
N
IG

DDoS Attacks
S Attacks
V

DDoS stands for Distributed Denial Of Service. In a DDoS attack, bots cause a large
number of requests to the victim’s server. As a result, certain services are paralyzed
because the affected servers are overloaded.

90 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
What is Critical Infrastructure?

What is Critical Infrastructure?

Critical infrastructures are the companies, organizations and facilities that are essential
for the maintenance of essential social functions, health, security and economic and
social well-being of the population. They include, for example, energy and water
companies, logistics companies, hospitals and the financial sector. The interruption or
destruction of the operations of these companies would have a significant impact. Learn

S
about the consequences and possible measures in case of cyber-attacks on the energy

TE
and logistics sector, among others:
 Energy providers at the center of hacker attacks
 Cyber-crime threatens the logistics sector
 Cyber-attacks on the automotive sector are on the rise

O
What is Critical Infrastructure?
rity Con

N
Cybercrime has an increasing impact on a country’s economic and political processes.
The consequences of cyber-attacks show through numerous incidents that IT Securityis
K
indispensable in today’s world. If the three objectives of protecting confidentiality,
integrity or availability are not met, this can have devastating effects on the profitability
of a company.
H

Hornetsecurity is a first-class provider of managed security services. The products

include everything needed for seamless and above all secure communication via email
S

and the Internet. No additional hardware or software is required.

E

What is identity and access management

N

(IAM)?
IG

Identity and access management (IAM) is a cybersecurity discipline focused on

managing user identities and access permissions on a computer network. While IAM
policies, processes, and technologies can differ between companies, the goal of any
V

IAM initiative is to ensure that the right users and devices can access the right
resources for the right reasons at the right time.
IAM can help streamline access control in complex, multi-cloud environments. Today,
corporate networks connect to on-premises, remote, and cloud-based (SaaS) apps
and data sources. A wide range of users need access to these resources for various
purposes, including human users (employees, customers, contractors) and non-
human users (bots, IoT devices, automated workloads, APIs).

91 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
IAM systems allow companies to assign a single digital identity and set access
privileges for each user. That way, only authorized users can handle company
resources, and they can only use those resources in ways the company permits.
How IAM works

 At its core, IAM aims to keep hackers out while making sure authorized users
can easily do everything they need to do, but not more than they’re allowed to
do.

S
 Company networks are unique, and so are the policies, processes, and tools
each company uses to build an identity and access management system. That

TE
said, most, if not all, IAM implementations cover four key functions:

Identity lifecycle management

O
 Identity lifecycle management is the process of creating and maintaining a
digital identity for every human or non-human entity on a network.

N
 A digital identity tells the network who or what each entity is and what it’s
allowed to do on the network. Typically, the identity includes standard user
account information—name, ID number, login credentials, etc.—as well as
K
information about the entity’s organizational role, responsibilities, and access
permissions.
 Identity lifecycle management includes processes for onboarding new entities,
H

updating their accounts and permissions over time, and offboarding or

deprovisioning users who no longer need access.
S

Access control
E

 As mentioned above, each digital identity has a certain level of access to

N

network resources, depending on the company's access policies. On a cloud

platform, a customer may only have access to their personal account and
IG

data. An employee may have access to customer databases and internal tools
like HR portals. A system administrator may be able to access and alter
everything on the network: customer and employee accounts, internal and
V

customer-facing services, and network infrastructure like switches and

routers.
 Many IAM systems use role-based access control (RBAC) to set and enforce
access policies. In RBAC, each user's privileges are based on their job function
or job title. Say a company were setting access permissions for a network
firewall. A sales rep likely wouldn't have access at all, as their job doesn't
require it. A junior-level security analyst might be able to view firewall

92 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
configurations but not change them. The CISO would have full administrative
access. An API that integrates the company's SIEM with the firewall might be
able to read the firewall's activity logs but see nothing else.

 Some IAM systems have distinct methods and policies for privileged access
management (PAM). PAM is the process of managing permissions for highly
privileged accounts, like admins who oversee databases, systems, or servers.
These are different from other IAM roles because theft of these credentials

S
would allow hackers to do whatever they want in a system. PAM tools isolate
these digital identities from the rest, using credential vaults and just-in-time

TE
access protocols for extra security.

With the move toward zero trust network architectures, many companies apply the
principle of least privilege when setting user access permissions. Instead of receiving

O
blanket access to resources, users are only granted the lowest level of privilege
necessary to complete their task, and privileges are revoked as soon as the task is

N
over. Least privilege helps companies avoid the problems that can arise from
overprovisioning, in which users have more permissions than they need for their
roles.
K
Authentication and authorization

IAM systems don't just create identities and assign permissions—they also help
H

enforce those permissions through authentication and authorization.

Authentication is how users prove they are who they claim to be. When a user
S

requests access to a resource, the IAM system checks their user credentials against
the credentials stored in the directory. If they match, access is granted.
E

While a username/password combination provides a basic level of authentication,

N

most identity and access management frameworks today use extra layers of
authentication for added protection against cyberthreats.
IG

Multi-factor authentication (MFA)

V

Multi-factor authentication (MFA) requires users to provide two or more

authentication factors to prove their identities. Common factors include a security
code sent to the user's phone, a physical security key, or biometrics like fingerprint
scans.

93 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Single sign-on (SSO)

Single sign-on (SSO) allows users to access multiple apps and services with one set of
login credentials. The SSO portal authenticates the user and generates a certificate or
token that acts as a security key for other resources. Many SSO systems use open
protocols like Security Assertion Markup Language (SAML) to share keys freely
between service providers.

Adaptive authentication

S
Adaptive authentication, or "risk-based authentication," changes authentication

TE
requirements in real time when risk changes. A user logging in from their usual
device may only need to enter a username and password. That same user logging in
from an untrusted device or trying to view sensitive information may need to supply
additional authentication factors.

O
Once a user is authenticated, the IAM system checks the directory for their access
privileges. The IAM system then authorizes the user to only access the resources and
perform the tasks their permissions allow.

Identity governance
N
K
Identity governance is the process of tracking what users do with their resource
access. IAM systems monitor users to ensure they don't abuse their privileges—and
H

to catch hackers who may have snuck into the network.

Identity governance is also important for regulatory compliance. Companies can use
S

activity data to make sure their access policies comply with data security regulations
E

like the General Data Protection Regulation (GDPR) or the Payment Card Industry
Data Security Standard (PCI-DSS).
N

IAM solutions

Companies rely on IAM solutions to streamline and automate IAM tasks and workflows
IG

that can be hard—or impossible—to handle manually. While companies once used
point solutions to manage different IAM functions, today's IAM tools are
comprehensive platforms. Common features of these identity and access
V

management solutions include:

Centralized directories or integrations with external directory services like Microsoft

Active Directory and Google Workspace

Automated workflows for creating, updating, and removing digital identities

94 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Built-in authentication options like MFA and SSO

Access control functions for users at all levels, including privileged accounts

Tracking capabilities to monitor users, flag suspicious activity, and ensure compliance
Some IAM solutions now incorporate artificial intelligence and machine learning to
enable a more dynamic approach to authentication and authorization. AI can look for
indicators of suspicious activity—like many failed login attempts in a short period or a

S
remote user who isn't using the company's VPN—and automatically take action, like
asking for more authentication factors or terminating access.

TE
Identity-as-a-service (IDaaS) solutions, in which a third party delivers cloud-based
identity and access management services and tools, are also gaining popularity.
Companies can outsource important but time-consuming tasks like creating new user

O
accounts, authenticating access requests, and identity governance.
Why IAM matters

N
Identity and access management has become fundamental to many companies'
K
cybersecurity strategies. IAM tools and frameworks can help with:

 Regulatory compliance: Standards like GDPR and PCI-DSS require strict

H

policies around who can access data and for what purposes. IAM systems
allow companies to set and enforce formal access control policies that meet
S

those standards. Companies can also track user activity to prove compliance
during an audit.
E

 Data security: According to IBM's Cost of a Data Breach report, credential

theft is the leading cause of data breaches. IAM systems can add extra
N

authentication layers, so hackers need more than just a password to reach

sensitive data. RBAC policies can limit the lateral movement of malicious
IG

actors, including insider threats.

 Digital transformation: With the rise of multi-cloud environments, IoT
devices, remote work, and BYOD, companies need to facilitate secure access
V

for more types of users to more types of resources. IAM systems can
centralize access management for all users and resources in a network,
maintaining network security without disrupting the user experience.

and the Internet. No additional hardware or software is required.

95 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

96 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

97 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

98 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

99 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

100 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
UNIT IV CYBER SECURITY AND CLOUD SECURITY

Cyber Forensics- Disk Forensics – Network Forensics – Wireless

Forensics – Database Forensics – Malware Forensics – Mobile Forensics –
Email Forensics- Best security practices for automate Cloud
infrastructure management – Establishing trust in IaaS, PaaS, and SaaS
Cloud types. Case study: DVWA

S
Cyber Forensics

TE
Cyber forensics is a process of extracting data as proof for a crime (that involves
electronic devices) while following proper investigation rules to nab the culprit by
presenting the evidence to the court. Cyber forensics is also known as computer

O
forensics. The main aim of cyber forensics is to maintain the thread of evidence and
documentation to find out who did the crime digitally. Cyber forensics can do the
following:



N
It can recover deleted files, chat logs, emails, etc
It can also get deleted SMS, Phone calls.
K
 It can get recorded audio of phone conversations.
 It can determine which user used which system and for how much time.
 It can identify which user ran which program.
H

Why is cyber forensics important?

S

in todays technology driven generation, the importance of cyber forensics is immense.

E

Technology combined with forensic forensics paves the way for quicker investigations
and accurate results. Below are the points depicting the importance of cyber forensics:
N

 Cyber forensics helps in collecting important digital evidence to trace the

IG

criminal.
 Electronic equipment stores massive amounts of data that a normal person
fails to see. For example: in a smart house, for every word we speak, actions
V

performed by smart devices, collect huge data which is crucial in cyber

forensics.
 It is also helpful for innocent people to prove their innocence via the evidence
collected online.
 It is not only used to solve digital crimes but also used to solve real-world
crimes like theft cases, murder, etc.

101 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Businesses are equally benefitted from cyber forensics in tracking system
breaches and finding the attackers.
The Process Involved in Cyber Forensics
1. Obtaining a digital copy of the system that is being or is required to be
inspected.
2. Authenticating and verifying the reproduction.
3. Recovering deleted files (using Autopsy Tool).
4. Using keywords to find the information you need.

S
5. Establishing a technical report.

TE
How did Cyber Forensics Experts work?

Cyber forensics is a field that follows certain procedures to find the evidence to reach
conclusions after proper investigation of matters. The procedures that cyber forensic

O
experts follow are:


N
Identification: The first step of cyber forensics experts are to identify what
evidence is present, where it is stored, and in which format it is stored.
Preservation: After identifying the data the next step is to safely preserve
K
the data and not allow other people to use that device so that no one can
tamper data.
 Analysis: After getting the data, the next step is to analyze the data or
H

system. Here the expert recovers the deleted files and verifies the recovered
data and finds the evidence that the criminal tried to erase by deleting secret
S

files. This process might take several iterations to reach the final conclusion.
 Documentation: Now after analyzing data a record is created. This record
E

contains all the recovered and available(not deleted) data which helps in
recreating the crime scene and reviewing it.
N

 Presentation: This is the final step in which the analyzed data is presented in
front of the court to solve cases.
IG

Types of computer forensics

V

There are multiple types of computer forensics depending on the field in which digital
investigation is needed. The fields are:

 Network forensics: This involves monitoring and analyzing the network

traffic to and from the criminal’s network. The tools used here are network
intrusion detection systems and other automated tools.

102 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Email forensics: In this type of forensics, the experts check the email of the
criminal and recover deleted email threads to extract out crucial information
related to the case.
 Malware forensics: This branch of forensics involves hacking related crimes.
Here, the forensics expert examines the malware, trojans to identify the
hacker involved behind this.
 Memory forensics: This branch of forensics deals with collecting data from
the memory(like cache, RAM, etc.) in raw and then retrieve information from

S
that data.
 Mobile Phone forensics: This branch of forensics generally deals with

TE
mobile phones. They examine and analyze data from the mobile phone.
 Database forensics: This branch of forensics examines and analyzes the
data from databases and their related metadata.
 Disk forensics: This branch of forensics extracts data from storage media by

O
searching modified, active, or deleted files.

Techniques that cyber forensic investigators use

N
Cyber forensic investigators use various techniques and tools to examine the data and
K
some of the commonly used techniques are:

 Reverse steganography: Steganography is a method of hiding important

H

data inside the digital file, image, etc. So, cyber forensic experts do reverse
steganography to analyze the data and find a relation with the case.
S

 Stochastic forensics: In Stochastic forensics, the experts analyze and

reconstruct digital activity without using digital artifacts. Here, artifacts mean
E

unintended alterations of data that occur from digital processes.

 Cross-drive analysis: In this process, the information found on multiple
N

computer drives is correlated and cross-references to analyze and preserve

information that is relevant to the investigation.
IG

 Live analysis: In this technique, the computer of criminals is analyzed from

within the OS in running mode. It aims at the volatile data of RAM to get some
valuable information.
V

 Deleted file recovery: This includes searching for memory to find fragments
of a partially deleted file in order to recover it for evidence purposes.

Advantages

 Cyber forensics ensures the integrity of the computer.

103 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Through cyber forensics, many people, companies, etc get to know about such
crimes, thus taking proper measures to avoid them.
 Cyber forensics find evidence from digital devices and then present them in
court, which can lead to the punishment of the culprit.
 They efficiently track down the culprit anywhere in the world.
 They help people or organizations to protect their money and time.
 The relevant data can be made trending and be used in making the public
aware of it.

S
What are the required set of skills needed to be a cyber forensic expert?

TE
The following skills are required to be a cyber forensic expert:

 As we know, cyber forensic based on technology. So, knowledge of various

O
technologies, computers, mobile phones, network hacks, security breaches,
etc. is required.



identify proof/evidence. N
The expert should be very attentive while examining a large amount of data to

The expert must be aware of criminal laws, a criminal investigation, etc.

K
 As we know, over time technology always changes, so the experts must be
updated with the latest technology.
 Cyber forensic experts must be able to analyse the data, derive conclusions
H

from it and make proper interpretations.

 The communication skill of the expert must be good so that while presenting
S

evidence in front of the court, everyone understands each detail with clarity.
 The expert must have strong knowledge of basic cyber security.
E
N

Disk forensics
IG

A digital forensic investigation generally consists of five major steps [Figure-1]:

 Identification
V

 Data Acquisition

 Data Recovery

 Analysis

 Reporting

104 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
[Figure-1: Forensics steps]

O
Learn Digital Forensics
N
Build your skills with hands-on forensics training for computers, mobile devices, networks
K
and more.

A brief about various Linux tools available

H

There are multiple Linux tools used for imaging and analysis of disks and drives. They
S

also come as several distributions containing all necessary tools to carry out Forensics,
e.g. BackTrack, FIRE, Knoppix-STD, Linux LEO, Penguin Sleuth. All of them have an
E

excellent collection of tools required for forensics. Some useful tools we require:

Image-acquiring tools: Dd, DdRescue, dc3dd, Aimage

N

Data Recovery tools: Foremost, Magic Rescue,SafeCopy

IG

Forensics Analysis tools: bulk_extractor, Miss Identify, RegLookup, readpst

Forensics suites: Autopsy, Sleuth Kit, PTK

V

As published elsewhere, the complete description of tools and their uses are out of scope
of this article, we’ll be just using them for our forensics, as you may get a fair idea about
them during our process. We shall be using BackTrack(BT) for our analysis. You could
pretty much use any distribution available as all have mostly common necessary tools.
You could use any normal Linux flavors such as Fedora, RedHat, and Ubuntu as well, but
the advantage of using distributions like BT is that they already have a fair collection of
these tools. Otherwise you may need to install them.

105 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
To keep our work neat, clean, and easily understandable, we will create a few directories
in order to organize the data. We may need one directory for collecting our proofs, and
another directory to browse the suspected image of the disk. We shall redirect all of the
results from our analysis to the proof directory. The location of the directories is
completely arbitrary but I prefer them on the root’s home:

# mkdir /evidence

Now make a directory where we’ll be doing our most of the analysis:

S
# mkdir /mnt/investigation

TE
Here we are creating the folder ‘investigation’ under ‘mnt’ directory, where we will
mount all the external data for our investigation. You are completely free to create your
own folder at any place; this is just for sake of better organization.

O
Acquire the image

N
Identify the machine which needs to be investigated, and take an image of the hard disk.
You can capture the disk and connect to your forensics machine in order to take its
image. The disk may be anything from a hard disk to a floppy. That way, you’ll have two
K
copies of the suspected disk-one image as well as the physical disk itself. We’ll be
examining both images one by one. The tool ‘dd’ can be used to take an image of the
disk by using this command:
H

dd if=<media/partition on a media> of=<image_file>,

S

Example:

dd if=/dev/sdc of=image.dd
E

Here, we are taking image of the disk sdc and saving it as image.dd. You can give the
N

image any name, and .dd is an extension just to denote that it’s an image taken through
‘dd’ tool.
IG

Now for this article, we’ll use sample test images already available on few open source
sites such as http://dftt.sourceforge.net/ , http://pyflag.sourceforge.net or http://
linuxleo.com/ etc. They list excellent test images in every format to carry out test
V

forensics. Download any disk images and unzip it in the ‘evidence’ directory already
created.

I shall be using one of the images already downloaded from similar sites at my PC. This
was created using the same command dd if=/dev/sdc of=
pyflag_stdimage_0.1, where we have taken image of disk sdc [Figure-2]:

106 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

[Figure-2: List of sample images]

Once you download the above image copy it in blank floppy disk, we may require it later
on:

S
# dd if=
pyflag_stdimage_0.1 of=/dev/fd0

TE
So, the image is copied into your floppy device(/dev/fd0). Now we have two copies, one
in the /evidence directory and one in physical floppy device.

O
Image analysis

N
Now that an image has been captured, let’s mount the contents to see how we can use
tools. We’ll mount it in our /investigation directory:
K
# mount -o ro,noexec,loop pyflag_stdimage_0.1 /mnt/investigation

Here ‘ro’ and ‘noexec’ denotes that the file should be mounted as read-only and non-
H

executable.

Now switch over to /mnt/investigation directory, where you can browse through the file
S

system of the disk image [Figure-3]:

E
N
IG
V

[Figure-3: File system in the disk image]

Now you can redirect the above output to a simple file and place it into your evidence
directory. This file can be used for analyzing the files and their various attributes [Figure-
4].

107 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
#ls -Ralit > /evidence/ListOfFiles

S
TE
O
N
[Figure-4: Detailed listing of files]

Using this list you can search for any specific file such as ‘.txt’ [Figure-5]:
K
# grep txt ListOfFiles:
H
S

[Figure-5: Using grep to search specific files]

E

Another useful command might be for checking the file types. This would be useful in the
N

scenarios where file extensions are modified. So if any .txt file is modified as a .jpg, the
grep command won’t be able to find it. Go to your investigation folder and provide the
IG

following command and again redirect the results in your ‘evidence’ directory:

# find. -type f -exec file {} ; > /evidence/TypeOfFile

Go to evidence directory and see the contents of TypeOfFile, you get the nice view of file
V

types [Figure-6]:

108 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

[Figure-6: Type of files]

S
Now we may want to view the contents of the files:

TE
# less hello.txt

# strings hello.txt

Or, if you want to see HexDump:

O
# xdd hello.txt

Searching strings can be also useful in the cases where you might want to look for

N
notoriously used terms that may give you some idea about the incident and purpose:
such as, ransom, virus, secrets etc. They may provide vital clue to in the investigation.
K
So, we shall extract all the zipped files in order to search them for any particular string.

The following commands now can be used for searching a term [Figure-7]:

# grep -r -i secret ./ , It will look for term ‘secret’ in all the files of current directory
H
S
E

[Figure-7: Looking for suspicious keywords through the image]

# grep –r –i rootkit ./ [Figure-8]:

N
IG
V

109 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
[Figure-8: Looking for suspicious keywords]

It seems that a rootkit has also been injected to the system. But where is the file? If we
search through the file, at the bottom we find path of rootkit binary file. Finding of
K
NTROOT.sys suggest that the system was infected from process hiding Trojans. So here’s
another search [Figure-9]:
H
S
E
N

[Figure-9: We confirmed the path of rootkit file]

Now, let’s move to few more interesting folders. Let’s see what lies inside them. Keep
IG

digging into them. The file DonVittos_private_key.txt contains a private DSA key, which
might have been used to get access the machine [Figure-10]:

# less DonVittos_private_key.txt
V

110 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
[Figure-10: View of a private key file]

Let’s drill into other folders such as ‘Document and Settings’. One file ‘index.dat’ under

TE
‘Document and Settings/ Administrator/ Local Settings’ gives tracking information about
sites visited. Keep looking other folders. We found something more interesting, one
outlook.pst file under ‘Document and Settings/ Administrator/’. This may give us more
information. We will use a tool called ‘readpst’ available in BackTrack. ‘readpst’ is a

O
command line tool which converts pst files into mbox format which in turn can be viewed
and manipulated using any mail reading software.

# readpst -D outlook.pst

Option ‘D’ includes deleted items in the output.

N
K
This creates several folders Inbox, Sent Items, MailBox, Deleted Items etc [Figure-11].
H
S
E
N
IG
V

[Figure-11: Output of pst file]

Now all of these folders which are in mbox format can be easily viewed using any mail
client. For this purpose, I shall use ‘KMail’ to open the items. You just need to show the
path of the folders and it will open them in your client interface. So if there are any
attachments in the mail, you can easily open it and download for further evidence. So,
while examining Inbox we can see the mails, one of the mails says [Figure-12]:

111 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
[Figure-12: View of one received mail]

O
We can view any attachment now easily. Similarly let’s examine Sent Items folder now
[Figure-13].

N
K
H
S
E
N

[Figure-13: View of a mail in Sent Items]

IG

The above mail appears to be threatening. We can see the contents of the files as well.
Let’s open ‘document.doc’ above attached above to see its contents [Figure-14].
V

112 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
[Figure-14: View of an attachment in the mail]

Further, we would like to redirect all the mail items to our ‘Evidence’ directory in order to
K
collect them for producing proof:

# readpst -D outlook.pst -o /evidence/MailsEvidence

H

Data recovery
S

Now, I shall introduce one more tool which has a nice GUI—Autopsy. Autopsy analyzes
E

the disk image and helps you browse the file contents and recover the data. It even has
capabilities for retrieving deleted files as well. So, once you are done with the image
N

acquisition, we can use Autopsy to analyze the image [Figure-15.

IG
V

113 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
[Figure-15: Autopsy tool]

We’ll open a new case, provide the case name, description and investigator names at the
second step, then add a host in the third step. In fourth step, you need to give path of
the image stored at your machine. In few next steps, it will ask you to select the file
system and partition, etc. Once done, click on ‘Analyze’ button, the following screen will
appear [Figure-16].

S
TE
O
N
K
[Figure-16: Autopsy functions]
H

‘File Analysis’ lets you browse through the entire file system, ‘Keyword Search’ can be
S

used for searching specific terms in the file system, ‘File Type’ lets you see the allocated
and unallocated files, ‘Image Details’ gives information about File System architecture,
E

size and other metadata information, ‘Meta Data’ gives information about inodes, ‘Data
Unit’ shows contents of any fragment. We’re interested in File Analysis and Keyword
N

Search. Let’s click File Analysis tab [Figure-17]:

IG
V

114 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
[Figure-17: Browsing the file system]

We can browse and view contents of the entire file system. The files in blue are existing
files and if in red, they are deleted. We can see the contents of the files by clicking on
them. Autopsy also gives you much information about dates of access, change, size,
name etc of the files. Let’s click on of the red files, which were deleted. It shows the
contents of the deleted file, file type, and various options for displaying it in ASCII, HEX or
exporting the file [Figure-18].

S
TE
O
N
K
[Figure-18: View of deleted files]
H

Now we’ll go to Keyword Search tab and try to search some important terms such as
SSN, ransom, virus, Trojan, secret etc. Actually, it’s suggested to create a list of terms or
S

regular expressions, which can give vital clues about the file. We searched for the term
‘warn’ here; it shows all of the hits it found in the entire file system. We can show the
E

contents of the file after clicking on them [Figure-19].

N
IG
V

115 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
[Figure-19: Keyword searches in Autopsy]

Apart from these, there are a few more options which we can try and get more useful
evidence as far as possible. It’s not possible to cover all of the tools and their
functionalities in single article; hence we may look at them in future articles.

What is Network Forensics?

 The word “forensics” means the use of science and technology to investigate and
establish facts in criminal or civil courts of law. Forensics is the procedure of

S
applying scientific knowledge for the purpose of analyzing the evidence and

TE
presenting them in court.
 Network forensics is a subcategory of digital forensics that essentially deals with
the examination of the network and its traffic going across a network that is
suspected to be involved in malicious activities, and its investigation for example

O
a network that is spreading malware for stealing credentials or for the purpose
analyzing the cyber-attacks. As the internet grew cybercrimes also grew along

N
with it and so did the significance of network forensics, with the development and
acceptance of network-based services such as the World Wide Web, e-mails, and
others.
K
 With the help of network forensics, the entire data can be retrieved including
messages, file transfers, e-mails, and, web browsing history, and reconstructed to
expose the original transaction. It is also possible that the payload in the
H

uppermost layer packet might wind up on the disc, but the envelopes used for
delivering it are only captured in network traffic. Hence, the network protocol data
S

that enclose each dialog is often very valuable.

 For identifying the attacks investigators must understand the network protocols
E

and applications such as web protocols, Email protocols, Network protocols, file
transfer protocols, etc.
N

 Investigators use network forensics to examine network traffic data gathered from
the networks that are involved or suspected of being involved in cyber-crime or
IG

any type of cyber-attack. After that, the experts will look for data that points in
the direction of any file manipulation, human communication, etc. With the help
of network forensics, generally, investigators and cybercrime experts can track
V

down all the communications and establish timelines based on network events
logs logged by the NCS.

Processes Involved in Network Forensics:

Some processes involved in network forensics are given below:

 Identification: In this process, investigators identify and evaluate the

incident based on the network pointers.

116 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Safeguarding: In this process, the investigators preserve and secure the
data so that the tempering can be prevented.
 Accumulation: In this step, a detailed report of the crime scene is
documented and all the collected digital shreds of evidence are duplicated.
 Observation: In this process, all the visible data is tracked along with the
metadata.
 Investigation: In this process, a final conclusion is drawn from the collected
shreds of evidence.

S
 Documentation: In this process, all the shreds of evidence, reports,
conclusions are documented and presented in court.

TE
Challenges in Network Forensics:
 The biggest challenge is to manage the data generated during the process.
 Intrinsic anonymity of the IP.

O
 Address Spoofing.

N
K
H
S
E
N
IG
V

Advantages:
 Network forensics helps in identifying security threats and vulnerabilities.

117 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 It analyzes and monitors network performance demands.
 Network forensics helps in reducing downtime.
 Network resources can be used in a better way by reporting and better
planning.
 It helps in a detailed network search for any trace of evidence left on the
network.
Disadvantage:
 The only disadvantage of network forensics is that It is difficult to implement.

S
TE
Wireless Forensics

O
Wireless Forensics’ main goal is to provide a methodology upon which computer forensic
scientists can collect and analyze wireless communications that could potentially be used
in a court of law as digital evidence.
N
K
Overview of the Medium

 Wireless technologies are broadly classified as Wireless Local Area networks

(WLANs), Wireless Personal-Area-Networks (WPANs), and Wireless Wide-Area-
H

Networks (WWANs) with each technology being determined by the distance of its
operation. WLANs typically operate within a few hundred feet which suits
S

applications for home use, as opposed to WPANs, which have an operational

range of a few feet. WWANs operate on a larger footprint which typically spans
E

metropolitan cities and/or through intercity links using microwave technology.

 Wi-Fi network operate primarily in two distinct frequency spectrums 2.4 GHz and
N

5 GHz. As seen below in figure 1, the 2.4 GHz Wi-Fi frequency spectrum has 14
distinct channels each at 22 MHz wide.
IG
V

Figure 1

118 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Wi-Fi Technology Overview

802.11

Wi-Fi technologies allow the wireless interconnection of mobile devices through the use
of radio waves eliminating the need for hardwires. Of all the wireless technologies today,
Wi-Fi is the most prominent and continues to grow at a staggering rate. Several variants
of the IEEE 802.11 specification exist and are outlined in figure 2 below.

S
TE
O
N
K
Figure 2
H

Wireless Access Points

S

A wireless access point, or WAP, is essentially a unit that acts as a central transmitting
unit for all remotely connected wireless devices.
E

· SSID
N

WAPs identify themselves with the use of a Service Set ID or SSID, which is a unique 32
IG

alphanumeric character ID specific to that WAP. SSIDs, which is a name given to the
network, usually acts as a password when remote devices attempt a connection to the
WAP. SSIDs are also what differentiates one Wireless network from another making
V

wireless network management easier.

· BSSID

Basic Service Set Identifier is typically the hardware MAC address assigned to the
wireless network interface. The BSSID cannot be changed as it burned into the chipset

119 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
during the manufacturing process but with the advent of modern software, it can be
spoofed and/or altered locally and remotely.

RFID

Radio Frequency Identification technology is prevalent in the retail industry and has
recently seen an explosion in warehousing and merchandising. RFID technology can also
be found in FasTrak and E-ZPass used in cars for toll bridge crossings. RFID is an

S
automatic identification technology AIT, which uses radio waves to initiate automatic
data acquisition. There are three basic types of RFID:

TE
1. Active RFID: Battery powered that provides a partial or complete source
of power to the RFID tag’s circuitry and antenna.
2. Passive RFID: Does not contain a battery. Receives power from the

O
reader itself. When the reader gets close enough to the tag, radio waves
from the reader pass to the RFID tag and generates an electromagnetic

tag. N
current from which the RFID tag draws its power, thus, energizing the RFID

3. Battery Assisted Passive (BAP): Hybrid of both active ad passive types

K
that contains its own integrated power source, which can retrieve energy
from reader to awaken up the chip.
RFID attacks do occur but typically require high end equipment to acquire data from a
H

long range since RFID is a low power short range technology. RFID technology is
susceptible to some of the most well known types such as:
S

1. Reverse Engineering: Required the physical acquisition of the chip to

E

later be dismantled by the attacker.

2. Power Analyses: This attack occurs through the use of energy harvesting
N

tactics performed by monitoring power consumption levels of RFID power

emissions.
IG

3. Eavesdropping & Replay: Requires the use of an unauthorized RFID

reader, which is used to sniff communications between two linked RFID
devices. This technique requires the hacker to have knowledge of RFID
V

protocols and specific tag & reader information.

4. Denial of Service: Attacks performed by sending jamming signals with
noise interference, removing and/or disabling tags, or blocking RFID radio
signals entirely.

Bluetooth

120 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Bluetooth is a low energy, wireless radio, close range technology that can be found in
everything from Computer keyboards, Mice, speakers, clocks, and wearable’s such as,
watches, Fit Bits, headphones, etc… There exists two prevalent implementations of the
Bluetooth specification as flows:

1. Bluetooth with low energy functionality (LE): Initiates long range

radio communications through short range bursts. Used most frequently in
IoT applications that rely on extended battery life and do not require a

S
continuous connection. Operates at a max distance of 330ft, over the air
data rates 125kbit/s, 1Mbits/s, 2Mbits/s, uses 128-bit AES with Counter

TE
Mode CBC-MAC security, adaptive frequency hopping, 24-bit CRC, 32-bit
Message Integrity Check, Peak current consumption <15mA.
2. Bluetooth BR/EDR: Continuous connection at short ranges. Used mainly

O
for audio streaming. Operates at a max distance of 330ft, data rates 1-
3Mbits/s, Adaptive fast frequency hopping, FEC, fast ACK, Peak current
consumption <30mA.

N
3. Dual-Mode: Hybrid chipset, typically found in mobile devices that allow
connections to both BR/EDR devices like headsets and LE devices like
wearables.
K
There three most prominent Bluetooth attacks that can occur are:
H

1. Bluejacking: A relatively harmless attack that can create confusion for

the user during an attack. A criminal hacker would send unsolicited
messages to Bluetooth devices within range, which are most commonly
S

sent as text but can also be sent as sounds or images.

E

2. Bluebugging: Attackers take over the mobile device then snoop in on the
conversation allowing the ability to perform the same commands as the
N

user i.e., send messages, activate call forwarding, etc..

3. Bluesnarfing: Any unauthorized access to or information theft of an
established Bluetooth connection providing attackers access to information
IG

such as: calendars, email, text messages, and contact lists.

Bluetooth keyboards are a popular target for attacks where a criminal hacker could quite
easily steal user login credentials such as medical and banking usernames and
V

passwords. There are primarily two methods upon which this can be done.

1. Hardware Keylogger: Require the attacker to have physical access to

the cable connection between the keyboard and the computer. Records all
keystrokes then sends to a text file which can be parsed at a later time at
a remote location. Stealthier of the two methods because hardware

121 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Keyloggers utilizes their own computing resources thus circumventing any
IDS alert messages.
2. Software Keylogger: Usually malware that’s installed by an attacker
which lies resident on the local machines hard drive or in memory. Less
stealthy as it utilizes local machine resources and may trigger an IDs alert.

Wireless Forensics Checklist

Radio Frequency Interfaces

S
· Direct-sequence spread spectrum

TE
2.4 GHz band up to seven channels of 1or 2 Mbps. Each bit of the original signal is
subdivided into multiple bits in the transmitted signal, referred to as “Chipping Code”.
Chipping Code algorithms spread the original signal across a wide frequency band in

O
direct proportion to the amount of received bits, in essence, a 10-bit chipping code would
spread a signal across a frequency 10 times larger then a 1-bit chipping code.

· Frequency Hopping spread spectrum N

2.4 GHz band at data rates 1 Mbps and 2Mbps, typically operates with the ISM bands
K
(industrial, scientific, and medical), therefore, forgoing FCC license requirements in the
United States. Signals are broadcast over a randomized series of radio frequencies, in
essence, hopping across various frequencies within a fixed interval. The receiver, which
H

is synchronized with the transmitter, receives intelligible information while potential

attackers hear gibberish. Jamming attempts disrupts only a few bits at a time.
S

Attributes of Wi-Fi services

E

 Association: Initial process of association between an AP and station

N

within a specific BSS.

 Re-association: The process of transferring access from one AP to
IG

another that allows any particular mobile station to move freely between
any BSS.
 Disassociation: The process of terminating a station’s association with an
V

AP.
 Authentication: Process of stations establishing identities with one
another.
 Privacy: Used to maintain confidentiality of transmitted messages.
Encryption may or may not be used.

Global Position System

122 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
GPS metadata artifacts can be found in almost everything digital such as: photos, music
download files, automobile satellite navigation units, etc… GPS also provides outdoor
locations, accurate timestamps, and valuable GPS log information.

Packet capture

Data packets contain the raw data referred to as the payload within a communications
stream. Data packet headers contain routing headers, which also contain critical routing

S
information such as source and destination IPs. Packet captures are used to identify
security flaws and/or breaches by determining the origin of intrusion, identification of

TE
data leakages, troubleshooting undesired events, Identifying packet/data loss, and
forensically by allowing network defenders to understand the extent of the issue.

Radio Signal Strength

O
Wi-Fi radio signals are measured in dBm or Decibel per milliwatt. Signal strength play s a

N
role most particular in the type of application being used, for instance, -70dBm is
adequate enough for sending emails, scanning barcodes, or surfing the Internet. -67dBm
is sufficient for higher-throughput applications such as voice over IP, voice over WiFi, and
K
streaming video. Mobile devices typically operate within -65dBm.

Wireless Forensics Toolkits

H

Pcap format capture

S

PCAP, or Packet Capture, is the predominant traffic capture format available today.
Wireshark is the most popular tool designed for packet capture analyses. Wireshark is a
E

highly efficient protocol analyzer that is the equivalent of a microscope allowing users to
dive deep within the packets and uncover critical details required during a forensic
N

investigation. PCAP files are flexible and can be found on both Linux systems as libpcap
and Windows systems as WinPcap files. Wireshark also work on both systems as well and
IG

freely downloadable from the Internet as an open source tool supported by a massive
community of experts located around the world.
V

Wi-Fi Pineapple

WiFi Pineapple is a wireless auditing tool designed scan, target, intercept, report, record,
and analyze logs. The WiFi Pineapple is highly portable and can be used as a man-in-the-
middle device, rogue AP, device tracking and alerting, and performs flawlessly during
WAR driving.

123 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Aircrack-ng & KISMET

Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking tool designed to uncover keys
after enough data has been captured. Aircrack-ng is a multi function tool that performs
many duties including: configuring fake APs, cracking wireless passwords, decrypting
WEP/WPA/WPA2 pcap files, discovers wireless driver information, and much more.

KISMET is a wireless sniffer, network detector, and intrusion detection system. Works

S
predominantly with 802.11 Wi-Fi with the capability to expand, via plug-ins, to
accommodate other network types. Work with standard pcap files and is compatible with

TE
Wireshark.

fl0p – passive Layer 7 flow fingerprinting

O
fl0p is a simple passive layer 7 fingerprinting TCP/UDP/ICMP packet sequence flow
analyzer. It’s designed to analyze the exchange between clients and servers relative to

N
their layer seven payload sizes and transmission intervals irrespective of content
inspection. Subsequent matches are made against a pre-existing database of traffic
pattern signatures to ascertain any facts of interest about the captured traffic. fl0p has
K
the ability to peek into cryptographic tunnels and differentiate between human and
robotic communications.
H

Conclusion

Digital forensics is the process of collecting data that has the potential to serve as
S

evidence in a court of law; therefore, maintaining integrity of that data is vital before,
during, and after an investigation and should be the mindset of a digital forensic team.
E

Digital forensic teams also need to pay particular attention to all legal considerations
N

during an investigation, such as, unauthorized eavesdropping, which has the potential of
rendering all digital forensic evidence inadmissible in court.
IG

Wireless forensics requires attack data that is either captured during an attack, through
continuous monitoring, or from an unexpected attack using previously captured log data.
Organization’s most typically view encryption as a burden, which in the end may be
V

viewed as an inconvenience to the organization but serves as an added layer of

protection. Forensic investigators to be mindful of the organization’s culture which could
serve to jeopardize an investigation as well.

Wireless airspace is open to any and all users who so happen to be close enough to pick
up a wireless access point’s radio signals, and as result, have the ability to steal, snoop,

124 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
or spoof sensitive private information. The Wi-Fi Pineapple discussed in this report is one
such device available to the public at a low cost, which happens to be one of the most
popular WAR driving devices available today.

Unfortunately, the same tools and technologies used for wireless forensics discussed in
this report are the same tools used by the bad guys and they know how to use them well
in many cases. As is the case with WAR driving, various other means of rogue
communications will most certainly continue to serve to both protect and harm users as

S
the perpetual growth of wireless infrastructure continues into the future.

TE
Database Forensics

O
Database forensics is a subfield of digital forensic science concerned with the forensic
examination of databases and their metadata. It is the use of electronic data stored in
the database to reconstruct the clues, detect crime, and accomplish case cracking.


N
The discipline is comparable to computer forensics, which follows the standard
forensic method and employs investigative techniques on database contents and
K
metadata. Additionally, cached data may exist in a server’s RAM, necessitating
live analytic tools.
 Forensic analysis of a database may involve inspecting and validating the
H

timestamps associated with the update time of a row in a relational table to

validate a database user’s actions.
S
E

History of Database Forensic

If we look back upon the history of database forensics, it has got rid of the stale and
N

brought forth the fresh during decades when more and more crime activities have been
detected along with database development.
IG

The 1970s

Financial fraud was a major target of cybercrime during this time period, which was
common in this era for trained people with specific talents, such as those in banking,
V

engineering, and academia to use mainframe computers for their work. When workers in
these fields realized they could make money by altering computer data, they began
engaging in white-collar crime. The one-half-cent crime was one of the most well-known
crimes of the mainframe era.
It was difficult for law enforcement officers to ask the correct questions or preserve
evidence for trial during this period since they were unfamiliar with computers at the
time. Many began to attend the Federal Law Enforcement Training Center (FLETC)

125 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
programs designed to train law enforcement in recovering and analyzing digital data,
especially databases.
The mid-1990s

The rise of the database sector was sped up by the Internet’s arrival. The majority of
desktop users used client-server database systems to access data on computer systems,
which stored numerous information as time went by.
The late 1990s

S
FrontPage, Java Servelets, Dream Weaver, ColdFusion, Enterprise Beans, and Oracle
Developer 2000 are some of the Internet database connectors that have seen an

TE
increase in demand due to the rising investment in online enterprises. Open-source
platforms like Apache, MySQL, and CGI became popular among web developers as a
result of their widespread use. When POS technology became more prevalent, online
transaction processing and online analytics processing became more advanced.

O
Meanwhile, corruption, money laundering, online financial fraud, and more related cases
emerged, which forced law enforcement to learn and look deeply into relevant databases

N
and utilize database forensics techniques accordingly to detect.
The 2000s
K
Database applications have grown despite the Internet’s collapse in the early 2000s. For
PDAs, POS transactions, and the consolidation of vendors, new interactive programs were
developed. Microsoft, IBM, and Oracle are currently the top three database vendors in
H

the Western world.

It ended up with MySQL, SQLServer, and Oracle being the mainstream types of database
S

systems.
At Present(2021 – )
E

Databases have become an integral part of our daily lives. Many of the services we take
for granted now are only available because of databases, from personal cloud storage to
N

weather forecasting. There is a slew of new non-relational database vendors popping up

all the time. Oracle, MySQL, and DB2 are just a few of the contemporary relational
IG

database titans.
More importantly, more advanced technology has also been applied to the digital
forensic field based on databases, which makes it utilized more widely in current society.
V

The application of Database Forensics

The Database Forensics technique has begun to apply widely among law-enforcements in
recent years, which has also rapidly expanded its application scenarios.
A database forensic investigation may be focused on discovering transactions within a
database system or application that suggest proof of illegal activity, such as FRAUD. (For

126 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
some real application scenario use cases, you could check out this post for a better
understanding.)

 To facilitate processing and data querying, the most prevalent types of databases
in use today are often modeled in rows and columns in a sequence of tables.
Thus, data may be accessed, managed, amended, updated, controlled, and
organized with ease. The majority of databases write and query data using a
structured query language (SQL).

S
 Database forensics examines who gets Database access and what actions are
taken. Large-scale data security breaches are a significant issue, and criminal

TE
investigators look for pertinent information. Forensic analysis of a database may
include an investigation of the timestamps indicating when a record in a relational
table was updated.

O
However, In order to better implement the above techniques to effectively assist crime
investigation, working with Database Forensic Experts / Database Forensic Investigators
is always essential to most law enforcement.

Who is a Database Forensic Expert?

N
K
Database forensic experts are like detectives that investigate digital crimes. They hunt
down cyberstalkers, cyberbullies, and sexual predators by identifying malevolent
hackers, identity thieves, and online fraudsters.
H

The evidence they unearth may also be used to solve crimes in the “analog” world, such
as murder, theft, white-collar robbery, etc.
S

Generally, Database Forensic Experts / Database Forensic Investigators responsibilities

include:
E

1. Investigating computer systems and other digital storage devices for evidence.
N

2. Investigating with the use of forensic tools for disks and databases as well as file
readers and network forensic software
IG

3. Using software to examine email, computer registries, and files as well as mobile
devices
4. Recovering vital documents and images that have been destroyed or encrypted.
5. Writing and speaking about discoveries.
V

6. Providing digital evidence to corporate authorities, law enforcement, and the

courts.
7. Detecting and remediating security breaches.

However, though Database Forensic Expert / Database Forensic Investigators has always
been skillful and talented in dealing with digital forensic investigation especially when it
comes to database forensics, supporting tools would never be a lack throughout all their

127 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
career.
Working with scientific and trustworthy digital forensic tools in database forensics, not
only make their workload burden decrease but makes the whole law-enforcement
agencies possess advanced modern investigative techniques.

What is the Database Forensic Tool?

Investigations based on database forensics may be used for many purposes. One of the
most usual ways to do this is in a court of law, whether in a criminal or civil context.

S
Attributing evidence, verifying alibi or statement authenticity, ascertaining purpose,
pinpointing origins, and verifying documents are all possible using database forensics.

TE
In order to be fully qualified under the standard of being a piece of evidence according to
the judicial principle, the digital evidence being as database files has to be retrieved and
recovered completely and integrally.

O
In a way, working with Database Forensic Tools is crucial to whatever investigation
entities, no matter it’s digital forensic investigators, police officers, or special

N
intelligence agencies when dealing with database evidence.
Luckily, there are several resources available to assist you in making this procedure
quick and straightforward. These programs provide comprehensive reports that may be
K
utilized in judicial proceedings.

The following is a hand-picked list of Digital Forensic Toolkits, which are both open-
H

source (free) and commercial (paid) software on the list.

S
E

 DBR for MySQL

N

DBR for MySQL is capable of restoring broken, damaged, or unavailable MySQL

databases, including database tables, views, functions, stored procedures, and triggers.
IG

It can scan and retrieve deleted data from the Database in addition to restoring it.
V

128 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
 DBR for SQLServer

N
DBR for SQLServer is a robust and efficient SQLServer database repair tool that can fix
corrupted, damaged, or unavailable SQLServer databases, including database tables,
K
views, functions, stored procedures, and triggers. Along with database restoration, it can
also examine and retrieve lost data from the Database.
H
S
E
N
IG
V

 DBR for Oracle

DBR for Oracle is a very effective and powerful Oracle database repair tool that may be
used to restore corrupted, damaged, or unavailable Oracle databases, including

129 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
database tables, views, functions, stored procedures, and triggers. Along with database
restoration, it can also examine and retrieve lost data from the Database.

S
TE
O
 ProDiscover Forensics
N
K
A tool for computer security, ProDiscover Forensic enables you to find all the data on a
hard drive. For legal proceedings, it can protect evidence and provide high-quality
reports. You can use this program to get JPEG’s EXIF data out of the image file format.
H

 Sleuth Kit (+ autopsy)

S

Sleuth Kit (+Autopsy) is a Windows-based utility package that simplifies forensic

E

investigation on computer systems. This application enables you to inspect the contents
of your hard disk and smartphone.
N

 FTK Imager
IG

Developed by AccessData, FTK Imager is a forensics tool that may be used to obtain
evidence. Without tampering with the original evidence, it can make copies of data. To
limit the quantity of irrelevant data, this program enables you to choose file size and
V

pixel size criteria.

 EnCase

Encase is a program that aids in the retrieval of data from hard drives via encryption. An
in-depth investigation of files may be conducted to gather evidence such as documents
and photos.

130 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 System for Interfacing with Financial Transactions (SIFT)

SIFT Workstation is built on Ubuntu. In terms of digital forensics and incident response,
it’s one of the most excellent computer forensic tools available.

 The FTK Imager software

To gather evidence, AccessData created the forensic tool known as FTK Imager. It is able
to make copies of data without tampering with it. It is possible to reduce the quantity of

S
data by specifying criteria such as file size, pixel size, and information type.

TE
However, most of the above digital forensic tools are incapable of the overall procedure
due to the below standard workflow of Database Forensic Investigation.

O
In such a case, we’re supposed to figure out what it specifically is to implement a
rigorous and eligible database forensic investigation.
Database Forensic Investigation Process

 Acquisition & Recovery

N
K
To recover the deleted files and inaccessible files has always been the first step no
matter it’s a database or other digital evidence in digital forensics. Without a scientific
H

recovery process, no database files could be applied to any further steps, and let
acquisition alone.
S

However, there are always deleted and damaged database files, especially when it
comes to financial crime activities like online transaction fraud, money laundering, etc.
E

 Inspection
N

Access the targeted database files during the inspection step, so that it’s realizable to
gather all needed files to proceed with analysis in the next step. However, obstacles
IG

often happen during the process since database files with passwords & accounts and
related confidential requirements would prevent unauthorized users from accessing,
which has been occurred in numerous cases we know so far.
V

 Analysis

Overall analysis for all available/normal database files retrieved from the database is the
vital process in which potential case cracking direction could be as a result, only if it’s
trustworthy enough along with potential clues.
Thus, the analysis method takes up the major factors in generating a reliable result.

131 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Reporting

After giving all reliable analyses on the available database files, it’s time for formulating
a referential Digital Forensic Report. At this point, a visual and hierarchical map to point
out suggestions and tactics would be the best reference and methodology for deeper
investigations.

In fact, as we already know simple supporting tools sometimes do not work effectively

S
and scientifically, the database evidence could be ended up not being admissible in
court, even after tons of workload on dealing with the problematic files in certain cases.

TE
Thus, learning about DBF(Database Forensic Analysis System) from SalvationDATA today
could be an advisable option to scientifically conduct database forensics and avoid not
admissible evidence from being occurred.
Database Forensic Analysis System

O
So far, there is no integrated Database Forensic Analysis System all over the world to
cover all processes in Database Forensics including Acquisition & Recovery, Inspection,
Analysis, Reporting, except DBF from SalvationDATA.
N
DBF series covers forensic database systems for both relational and non-relational
databases, as the world’s premier database forensic supporting system.
K
In order to resolve the above-mentioned obstacles during each step, it has been put into
well-researched and development for corresponding capacities just to fulfill both the case
H

cracking demand and being admissible in court.

Meanwhile, without the need for a pricey expert or a complex set-up environment is
S

going to help law enforcement or demand entities implement such effective and most
available supporting tools with less hesitation.
E
N

 Acquisition & Recovery

IG

Designed to overcome the obstacles in database files acquisition & recovery,

deleted/corrupted/fragmented databases, false file systems, and application system
access restrictions, most of the potential problems have been addressed by DBF, even
data inside inaccessible tablespaces or tables, views, stored procedures, triggers,
V

functions, etc.

132 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
 Inspection

N
When encountering required confidential information, it’s now been resolved by the
patented technology from SalvationDATA to bypass. Consequently, it makes most of the
K
database files have been able to be accessed without restriction and initial configuration
of the database environment possible.
H
S
E
N
IG
V

133 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Analysis

o File Carving Technology from DBF is capable of extracting, analyzing, and

rearranging fragmented database files directly from storage mediums or
image files
o Multiple Analysis Functions such as keyword search, filtering, statistics,
SQL statement query, and visual connection analysis have been
implemented completely in DBF. Besides, it supports the analysis of the

S
database log files based on both relational databases MySQL, SQL Server,
Oracle, and non-relational databases.

TE
O
N
K
H
S

 Reporting

With its Hierarchical Relationship Analytical Tool to create and interpret the hierarchical
E

relationship maps, the investigators are capable of receiving the most visualized and
analyzed analysis report. So that, other departments, especially courts could consider
N

them more admissible!

IG
V

134 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
Summary
Database Forensics is never a common investigation work when compared to other

N
digital forensic works like video forensics, mobile forensics, etc, even if it’s conducted by
Database Forensics Experts / Database Forensics Investigators. Without deep knowledge
reserved in database-related technology, it would be frustrating and end up with
K
no admissible evidence in court probably, unless scientific supporting tools or database
forensics systems are out there to assist.
H
S

What is Malware Forensics?

E

It is a way of finding, analyzing & investigating various properties of malware to seek out
the culprits and reason for the attack. the method also includes tasks like checking out
N

the malicious code, determining its entry, method of propagation, impact on the system,
ports it tries to use etc. investigators conduct forensic investigation using different
IG

techniques and tools.

Types of Malware:
V

The category of malware is predicated upon different parameters like how it affects the
system, functionality or the intent of the program, spreading mechanism, and whether
the program asks for user’s permission or consent before performing certain operations.
a number of the commonly encountered malwares are:
 Backdoor
 Botnet
 Downloader

135 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Launcher
 Rootkit
 HackTool
 Rogue application
 Scareware
 Worm or Virus
 Credential-stealing program, etc.
Symptoms of Infected Systems:

S
Following are some symptoms of an infected system-

TE
 System could be come unstable and respond slowly as malware might be
utilizing system resources.
 Unknown new executables found on the system.
 Unexpected network traffic to the sites that you simply don’t expect to

O
attach with.
 Altered system settings like browser homepage without your consent.


N
Random pop-ups are shown as advertisement.
Recent additions to the set are alerts shown by fake security applications which you
never installed. Messages like “Your computer is infected” are displayed and it asks the
K
user to register the program to get rid of the detected threat. Overall, your system will
showcase unexpected & unpredictable behavior.
H

Different ways Malware can get into system:

S

 Instant messenger applications

 Internet relay chat
E

 Removable devices
 Links and attachments in emails
N

 Legitimate “shrink-wrapped” software packaged by disgruntled employee

 Browser and email software bugs
IG

 NetBIOS (File sharing)

 Fake programs
 Untrusted sites & freeware software
Downloading files, games screensavers from websites .
V


Prerequisites for Malware Analysis:

Prerequisites for malware analysis include understanding malware classification,

essential x86 programming language concepts, file formats like portable executable file
format, windows APIs, expertise in using monitoring tools, disassemblers and debuggers .
Types of Malware Analysis:

The two of the malware analysis types supported the approach methodology include:

136 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Static Malware Analysis: it’s a basic analysis of code & comprehension of the malware
that explains its functions.
Dynamic Malware Analysis: It involves execution of malware to look at its conduct,
operations and identifies technical signatures that confirm the malicious intent.
Online Malware Analysis Services:

 VirusTotal
 Metascan Online
Malware Protection Center

S

 Web Online Scanners

TE
 Payload Security
 Jotti
 Valkyrie, etc.
Malware Analysis Tools:

O
 IDA Pro
 What’s Running



Process Explorer
Directory Monitor
RegScanner
N
K
 Capsa Network Analyzer
 API Monitor .
It is an enormous concern to supply the safety to computing system against malware. a
H

day many malwares are being created and therefore the worse thing is that new
malwares are highly sophisticated which are very difficult to detect. Because the
S

malware developers use the varied advanced techniques to cover the particular code or
the behavior of malware. Thereby, it becomes very hard to research the malware for
E

getting the useful information so as to style the malware detection system due to anti-
static and anti-dynamic analysis technique. Therefore, it’s crucial for the forensic
N

analysts to possess sound knowledge of various malware programs, their working, and
propagation, site of impact also as methods of detection and analysis and continuous
IG

advancement of an equivalent .
V

Mobile Forensics – Definition, Uses, and Principles

Mobile forensics, a subtype of digital forensics, is concerned with retrieving data from an
electronic source. The recovery of evidence from mobile devices such as smartphones
and tablets is the focus of mobile forensics. Because individuals rely on mobile devices

137 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
for so much of their data sending, receiving, and searching, it is reasonable to assume
that these devices hold a significant quantity of evidence that investigators may utilize.

Mobile devices may store a wide range of information, including phone records and text
messages, as well as online search history and location data. We frequently associate
mobile forensics with law enforcement, but they are not the only ones who may depend
on evidence obtained from a mobile device.

Uses of Mobile Forensics:

S
The military uses mobile devices to gather intelligence when planning military operations
or terrorist attacks. A corporation may use mobile evidence if it fears its intellectual

TE
property is being stolen or an employee is committing fraud. Businesses have been
known to track employees’ personal usage of business devices in order to uncover
evidence of illegal activity. Law enforcement, on the other hand, may be able to take
advantage of mobile forensics by using electronic discovery to gather evidence in cases

O
ranging from identity theft to homicide.

Process of Mobile Device Forensics:

N
K
H
S
E
N
IG
V

138 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG

 Seizure and Isolation: According to digital forensics, evidence should

always be adequately kept, analyzed, and accepted in a court of law. Mobile
device seizures are followed by a slew of legal difficulties. The two main risks
V

linked with this step of the mobile forensic method are lock activation and
network / cellular connectivity.
 Identification: The identification purpose is to retrieve information from the
mobile device. With the appropriate PIN, password, pattern, or biometrics, a
locked screen may be opened. Passcodes are protected, but fingerprints are
not. Apps, photos, SMSs, and messengers may all have comparable lock

139 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
features. Encryption, on the other hand, provides security that is difficult to
defeat on software and/or hardware level.
 Acquisition: Controlling data on mobile devices is difficult since the data
itself is movable. Once messages or data are transmitted from a smartphone,
control is gone. Despite the fact that various devices are capable of storing
vast amounts of data, the data itself may be stored elsewhere. For example,
data synchronization across devices and apps may be done either directly or
via the cloud. Users of mobile devices commonly utilize services such as

S
Apple’s iCloud and Microsoft’s One Drive, which exposes the possibility of data
harvesting. As a result, investigators should be on the lookout for any signs

TE
that data may be able to transcend the mobile device from a physical object,
as this might have an impact on the data collecting and even preservation
process.
 Examination and analysis: Because data on mobile devices is

O
transportable, it’s tough to keep track of it. When messages or data from a
smartphone are moved, control is lost. Despite the fact that numerous devices

 N
can hold vast amounts of data, the data itself may be stored elsewhere.
Reporting: The document or paper trail that shows the seizure, custody,
control, transfer, analysis, and disposition of physical and electronic evidence
K
is referred to as forensic reporting. It is the process of verifying how any type
of evidence was collected, tracked, and safeguarded.
Principles of Mobile Forensics:
H

The purpose of mobile forensics is to extract digital evidence or relevant data from a
mobile device while maintaining forensic integrity. To accomplish so, the mobile forensic
S

technique must develop precise standards for securely seizing, isolating, transferring,
preserving for investigation, and certifying digital evidence originating from mobile
E

devices.
N

The process of mobile forensics is usually comparable to that of other fields of digital
forensics. However, it is important to note that the mobile forensics process has its own
IG

unique characteristics that must be taken into account. The use of proper methods and
guidelines is a must if the investigation of mobile devices is to give positive findings.
V

What is Email Forensics?

Email forensics is dedicated to investigating, extracting, and analyzing emails to collect
digital evidence as findings in order to crack crimes and certain incidents, in a
forensically sound manner.
The process of email forensics, it’s conducted across various aspects of emails, which
mainly includes

140 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Email messages
 Email addresses(sender and recipient)
 IP addresses
 Date and time
 User information
 Attachments
 Passwords
 logs (Cloud, server, and local computer)

S
To deeply and overall investigate the above crucial elements of email, potential clues are

TE
going to be obtained to help push the progress of a criminal investigation.
Hence, knowing how to conduct scientific and effective email forensics has come into
account.
But before diving deep into practical email forensics, without a full understanding of the

O
operation and theory of emails themselves, the forensic work is likely to be stuck.

How Email works?

N
Just like other digital forensics technology, it’s not easy to conduct forensics without
understanding the basis of the underlying technologies.
K
Emails are probably generated from various mediums and approaches and thus different
technologies are applied accordingly.
Commonly speaking, a man writes an email on his digital device, maybe a phone or
H

computer, and then sends it to the one he wants to. Though it’s seemingly the man has
finished his work, the upon email processing work just starts in order to successfully and
S

correctly be delivered to the recipient.

When an email is sent out, countless servers are actually undertaken the whole
E

information of the email before it can really arrive in the recipient’s inbox, which is said
that we have to understand what’s proceeding after we click the “send” button.
N

Email Programs and Protocols

During the process, there are 3 protocols and 3 email programs tightly related and are
IG

vital to be known.

 Simple Mail Transfer Protocol (SMTP): it is the standard Protocol used to

V

transmit and send emails.

 Internet Message Access Protocol (IMAP): it is one of the standard protocols
used for receiving emails.
 POP3 (Post Office Protocol 3): it is one of the standard protocols used to
receive mail.
 Mail Transfer Agent (MTA): sends and forwards emails through SMTP. e.g.
Sendmail, postfix.

141 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Mail User Agent (MUA): mail client used to receive emails, which uses IMAP or
POP3 protocol to communicate with the server. e.g. Outlook, Apple Mail, Gmail.
 Mail Delivery Agent (MDA): saves the mails received by MTA to local, cloud
disk or designated location, meanwhile it usually scans for spam mails and
viruses. e.g. Promail, Dropmail.
 Mail Receive Agent (MRA): implements IMAP and POP3 protocol, and interacts
with MUA. e.g. dovecot

S
The theory of email running

TE
O
N
K
H
S

Let’s take an example below for instance to better explain the theory of email running.
E

 STEP 1: To start, someone creates an email with a Mail User Agent (MUA), typical
N

MUAs include Gmail, Apple Mail, Mozilla Thunderbird, and Microsoft Outlook
Express.
IG

 STEP 2: Regardless of the MUA used, the mail is created and sent to the user’s
mail transfer agent (MTA) – the delivery process uses the SMTP protocol.
 STEP 3: The MTA then checks the recipient of the message (here we assume it is
V

you), queries the DNS server for the domain name corresponding to the recipient
MTA, and sends the message to the recipient MTA – again using the SMTP
protocol.

At this moment, the mail has been sent from the remote user’s workstation to his
ISP(Internet Server Provider)’s a mail server and forwarded to your domain.
What will happen next?

142 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Considering different network configurations, it is very likely that the mail will be
transferred to another MTA during the transmission process, but eventually, an MTA will
take over the mail and be responsible for delivery.
Then, the MTA will deliver the mail to a mail delivery agent (MDA).
The main function of the MDA is to save the mail to the local disk. Specific MDAs can also
be developed with other functions, such as mail filtering or direct mail delivery to other
file locations. Thus, it should be noted that it is MDA that completes the function of
storing mail on the server.

S
 STEP 4: Now, it’s time for you to check your mail.

TE
Running MUA, you can use the IMAP protocol or POP3 protocol to query the mail server
for your mail. The mail server first confirms your identity, then retrieves the mailing list
from the mail store and returns the list to the MUA.

O
Now you can read the message.

Message location of an email

N
Even if we know the running theory of emails, it’s recommended to be noted that
different configuration on the recipient’s email client varies the copies of the message to
K
be saved.
Additionally, any server that sends a message from a party to a recipient can keep a
copy of the email.
H

With the above root principle, it’s going to equip your initial ideas before conducting your
email forensics investigation.
S

How to conduct Email Forensics investigation?

E

With the increasing popularity of the use of email based on the boom of the internet,
some typical crimes are tied to email. For instance, financial crime, cyber security, and
N

extortion software, to name a few.

To bring the criminals to justice, it’s crucial to look into investigative emails.
IG

Before we can dive into the major investigative extraction working directions of email
forensics, be noted:
V

1. Local Computer-based emails: For local computer-based email data files, such
as Outlook .pst or .ost files, it’s recommended to follow our following techniques
directly.
2. （Cloud）Server-based emails: For （Cloud）Server based email data files, it’s
not possible to conduct complete forensic work until you obtain the electronic
copies in the (Cloud)server database under the consent of the service providers.

143 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
3. Web-based emails: For Web-based e-mail (e.g. Gmail,) investigations, it’s more
likely possible to just filter specific keywords to extract email address-related
information instead of the overall email data and information compared to local
computer-based emails.

Viewing and Analyzing E-mail Headers

The primary evidence in email investigations is the email header where massive and
valuable information could be found.

S
When carrying out the analysis, you’d be advised to get started from the bottom to the
top, since the most crucial information from the sender would be on the bottom while

TE
information about the receiver would be on the topmost.
Since we already talked about MTAs where you could find out the route of the email
transferred, it should be good for you to give it a detailed scan of the email header.

O
Here’s a sample for your information:
N
K
H
S
E
N

If you’re still not familiar with the fields, check the below explanations:
IG

 From: Address of the actual sender acting on behalf of the author listed in the
From field
V

 To: The email address and, optionally, the name of the message’s primary
recipient(s)
 Cc: Carbon copy; a copy is sent to secondary recipients
 Bcc: Blind carbon copy; a copy is sent to addresses added to
 Subject: A brief summary of the topic of the message
 Date: A brief summary of the topic of the message

144 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 (In)Reply-To: The message-ID of the message that this is a reply to; used to link
related messages together
 Message-ID: An automatically generated field
 Content-Type: Information about how the message is to be displayed, usually a
Multipurpose Internet Mail Extensions (MIME) type
 Precedence: —Commonly with values “bulk,” “junk,” or “list”; used to indicate
that automated “vacation” or “out of office” responses should not be returned for
this mail, for example, to prevent vacation notices from being sent to all other

S
subscribers of a mailing list
 Received: Tracking information generated by mail servers that have previously

TE
handled a message, in reverse order (last handler first)
 References: Message-ID of the message to which this is a reply

The main piece of information you’re looking for is the originating e-mail’s domain

O
address or IP address. Other than that, helpful information includes the date and time the
message was sent, filenames of any attachments, and unique message number, if it’s
supplied.
N
Give all of them a complete analysis before you move to the next step.
K
Email Server Investigation

To locate the source of an email, it’s required to investigate the email’s servers. Since it’s
H

not surprising criminals tend to delete their emails in case of being caught or accused of
sensitive emails.
However, there is still a chance to get them back.
S

In extreme cases, even though both emails have been deleted from both sides between
senders and recipients, a copy might be still on the server, since there is always
E

retention on the server after the email is successfully delivered each time due to specific
N

government regulations for email.

Whereas, you don’t want to miss out on investigating the log before it is archived after a
certain period.
IG

For your better work implementation, take below most popular email server software
under consideration:
V

 Exchange Server (.edb)

 Exchange Public Folders (pub.edb)
 Exchange Private Folders (priv.edb)
 Streaming Data (priv.stm)
 Lotus Notes (.nsf)
 GroupWise (.db)
 GroupWise Post Office Database (wphost.db)

145 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 GroupWise User Databases (userxxx.db)
 Linux Email Server Logs/var/log/mail.*

Network Devices

If there is no log from the email server due to various reasons, for instance, incorrect
configuration on the email server, another approach is worth trying, which is the network
service.
In certain cases, an internet service provider (ISP) or any other communications network

S
stores an email. Therefore, investigators are recommended to examine the network
devices such as routers and there might be chances for some clue of the source of an

TE
email.

Software embedded identifiers

O
When looking deep enough at the email software, a higher level analysis of the extra
information on it comes into account.

N
Actually, information about the sender and attached files could be found sometimes in an
email when you technically examine it, since in most cases, the senders tend to
customize their header under Multipurpose Internet Mail Extensions (MIME) with
K
a Transport Neutral Encapsulation Format(TNEF).

Attachment Analysis
H

As is known to us all, sometimes, our computer gets infected when we surf the Internet
and open specific files. To cause the issue, viruses and malware are most skeptical.
S

When it comes to emails, it’s also very common for a problematical attachment to be
found and thus it’s really worth investigating the attached files.
E

However, if the files happened to be deleted, you’re suggested to consult with a digital
forensic agency or use a data recovery tool like DRS to recover them so that you could
N

better examine every piece of them.

After the attachment’s retrieval, you’d better analyze those suspicious files under a
IG

sandbox environment in case the file is malware and do harm to your computer.
Bulk Email Forensics
V

Significant mailbox collections tend to be examined, analyzed, and used as proof in legal
instances. Therefore, legal experts have to work with large mailboxes in many
circumstances. Most email service applications, like Perspective and Gmail, give a
dashboard embedded with several valuable functions.
However, you might not get the desired results by only using keywords in the interface.
Day and time are two attributes of emails considered necessary if they are produced as
evidence related to an instance.

146 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Also, email messages can be forged like physical documents, and hackers may tamper
with these attributes. Moreover, since an email doesn’t directly reach the receiver to the
sender, recording its actual way with accurate timings is a challenging aspect.

MD5 and SHA1 Hash Values

MD5 and SHA1 would be the two most crucial hashing algorithms utilized by digital
forensics professionals since it’s standard practice to make use of MD5 and SHA1
hashing algorithms in email forensics brought on. These algorithms enable forensic

S
investigators to aid digital evidence as soon as they acquire this until it finally is created

TE
in a courtroom of law.

One more reason why hash values are crucial is usually that electronic documents are
shared with legal professionals and various other parties in the analysis. Therefore,

O
making certain every person has identical replicates of the data files is vital.

N
Consider how many places an email may well be saved. This could be preserved on the
sender’s equipment, around the recipient’s machine, on either the sender’s or recipient’s
email server, or both, and in backup media with regard to either server. In the event that
K
you consider the many places the email could stay, that should indicate to you that that
is rare for an email is usually ever truly deleted.
It may always be quite difficult to get, yet it probably is out there somewhere. This is
H

definitely one of the reasons for this why email forensics is so important.
S

One will need to sign into the e-mail support in order to be able to analyze emails.
E

Google mail and similar services do not provide any kind of mechanism to access a
message if that has been wiped from the trash folder.
N

In that circumstance, it’s likely not possible to be covered.

In some cases, some sort of subpoena can be issued to the service agency, and it
IG

may well search backups intended for the missing electronic mail
Tracing Email

Js code tracking
V

To better locate or identify a suspect email address, it’s important to attract the suspect
to open a trackable email. Across cases like kidnapping and murder, it’s commonly used
to identify criminals.

By inserting a specific J.S code along HTTP: “ img sr” tag on an image within the
body of your email, it’s going to be able to record at least the IP address after the

147 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
suspect clicks the image, especially when the location of a suspect or cybercriminal is
unknown.

Traced information identify

When acquiring tracking information, it’s no doubt to identify the information in hand to
look for some clues that will benefit your forensic investigation in a way.
Below is the manual method for IP address identification where you could figure out
detailed information about the IP’s owner.

S
 http://www.whois.net

TE
 http://www.networksolutions.com/whois/index.jsp
 http://www.who.is
 http://www.internic.net/whois.html
 http://cqcounter.com/whois/

O
Smart Email Forensic Investigation Suggestions

N
Whenever there are suspects coming to you, you’re bound to be monitoring their
activities. As an example, administrators might obtain security checks by collaborating
with an employee who definitely seems to be disgruntled or that has access to sensitive
K
information.
This employee’s email logs and network use may, for example, show the puppy sending
innocent family images to a Hotmail account, but no traffic heading back from that
H

Hotmail account. These kinds of seemingly innocent pics might carry steganographically
hidden messages, and so provide proof of the employee’s part in corporate espionage.
S

Forensic email doing a trace is similar to traditional gumshoe investigator work, which
involves looking at each point through which an email passed.
E

An individual works comprehensively back to the beginning computer and, eventually,

the perpetrator.
N

Correctly manage the email forensic evidence

Digital evidence in the form of email data can be crucial in civil and criminal cases.
IG

However, be sure it is extracted in the correct manner using email forensics.

 The email data is extracted in full and there is no question whether all data has
V

been recovered
 The validity of the data can be relied upon in both civil and criminal courts as
admissible evidence
 Ensures that no changes are made to the email metadata
 It is compliant with the ACPO guidelines and the quality standards set out within
the ISO17025 documentation and Forensic Science Regulator’s Codes of Good
Practice and Conduct.

148 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 Any deleted emails and files are recovered where possible

Final Thought
Email forensics refers to analyzing the source and content of emails as evidence, though
the actual investigation of email-related crimes and incidents involves various
approaches.
They do so in a forensically sound manner to correctly examine header data of all
messages of interest to the investigation, scientifically decode any available extracted

S
information after your tracked suspects return what benefits your case, and correctly
finalize your email forensic investigation.

TE
Best practices to help automate more secure Cloud deployments

O
Businesses across all industry verticals have been leveraging the efficiency, elasticity,
and innovation of the cloud. Yet, a recent survey revealed that only 35% of organizations

and compliance risks’ as a significant barrier.

N
have fully achieved their expected outcomes from the cloud and 65% identified ‘security

Though cloud offers new opportunities to transform, modernize, and innovate, security
K
risk remains the most significant hurdle to cloud adoption. Moreover, the complexity of
hybrid and multi-cloud environments further complicate the journey to the cloud.
H

While security is often seen as the biggest hindrance to cloud adoption – in reality – it
can be its greatest accelerator – when automated.
Automating the cloud security process enables organizations to gather the information
S

they need to secure their cloud environments and redirect their efforts to innovation and
E

growth.
Automating the security processes that are conventionally created and deployed
N

manually brings a new evolution to the cloud. However, many enterprises struggle during
the implementation of cloud security automation.
Here are five best practices for the successful implementation of cloud security
IG

automation:
V

149 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
5 Steps for Successful Cloud Security Automation

O
1) Automate Infrastructure Buildout
By automating infrastructure buildout, engineers are relieved from the task of manually

N
configuring security groups, networks, user access, firewalls, DNS names, and log
shipping, among others. This significantly reduces the scope for engineers to make
K
security mistakes.
Moreover, the security team need not worry about the best practices every time they
spin up a new instance, as they only have to touch the scripts, not the instances, to
H

make the changes.

2) Automate Script
S

In traditional IT, a zero-day vulnerability or any other major security issue requires an
organization’s system engineers to work rigorously to patch every server manually. But
E

automating scripts requires only a single line change in the manifests to ensure the
newly released version was running instead.
N

These automation script resources are declarative management tools that automatically
configure instances, virtualized servers, or even bare metal servers.
IG

Whenever a new instance is launched, these scripts get the instance ready for
production, including the security configuration tasks like ensuring central
authentication, installing intrusion detection agents, and enabling multi-factor
authentication.
V

3) Automate Deployments
Though automating deployments is one of the best practices in DevOps implementation,
it can also improve an organization’s security posture. In the event of a zero-day
vulnerability, deployment automation ensures that changes made to the DevOps
tool script get deployed across every instance or server automatically. This makes it
possible for a single system engineer to respond to threats quickly.

150 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
4) Automate Security Monitoring
In the present growing trend of hybrid and multi-cloud environments that support
individual applications, it is imperative to monitor the entire infrastructure in a single
interface. During an event of a security attack and downtime, it can be resource-draining
and time-consuming to identify and fix the problem.
Automated security monitoring aids engineers with the right intelligence to address the
attack and protect critical assets.
5) Get Ready for the Future of Automation

S
Within the next few years, data balloons and hybrid environments will become
mainstream, making the manual security approach incompetent. Hence, now is the best

TE
time to develop an internal automation team or outsource it. Although achieving end-to-
end process automation across hybrid environments may take months or even years, it
will prove infinitely more valuable than training employees to reduce human error.
5 Stages of Cloud Security Automation Framework

O
N
K
H
S
E
N
IG

Automation of cloud security involves a 5-step strategy as follows:

V

1) Monitor
Your cloud capacity will always scale to meet all the operational needs. So, it’s
imperative to monitor the workflow of all the tasks in your cloud. This enables you to gain
an understanding of how each workflow is carried out.
2) Evaluate
In the process of automating cloud security, knowing and prioritizing the tasks to
automate is the first critical step. Closely monitoring the workflows helps to evaluate

151 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
tasks that should be automated, like the repeated tasks, deployments, resource
provisioning, and creating security rules.
3) Analyze
Do an in-depth analysis of the collected information based on severity as low, medium, or
high risk. Then automate low-risk processes first, followed by medium and high. The in-
depth analysis also helps you do controlled automation and study the impact on
infrastructure.
4) Automate and Report

S
The resulting analysis can now be pushed to integrated systems to automate the
workflows. Then configure the automation processes to generate the reports that give

TE
the overview of the changes before or after.
5) Remediate
By now, you will get a clear picture of cloud automation, irrespective of whether you
started automating simple workflows or complex ones. This enables you to implement

O
remediation and enhance the overall security posture.
How Businesses Benefit from Cloud Security Automation?

N
A continuous, automated security protects your enterprise’s critical cloud assets from
evolving threats, as well as helps your business reap the following benefits:
K
 Minimized time spend on security operations
 Consistency in security operations
 Reduced manual errors
H

 Enhanced compliance
 Advanced security measures
S

 Robust security posture

 Rapidly identify and address security gaps
E

In Conclusion
Automation of cloud security offers a host of business benefits. However, it can be
N

expensive and complex than non-automated security. The technology requirements are
costly and require a significant amount of time to implement. Moreover, security
IG

automation escalates the need for some highly skilled security expertise to set it up
effectively and maintain it.
Hence, if you’re moving to the cloud or already in the cloud, partnering with a Cloud
V

solutions provider like Veritis is the most effective option to secure your cloud-based
systems with state-of-the-art security.
As a US-based cloud consulting services provider, Veritis delivers highly effective and
reliable cloud computing services that enable organizations to be agile and responsive to
the evolving market landscape.

152 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
Organizations move to the cloud for many reasons, from improved efficiency, to ease of
management, to better security. That’s right, one of the most important benefits of
moving to the cloud is the opportunity to establish a robust baseline security and
compliance posture.

But it doesn’t just magically happen. While you can depend on Google Cloud’s secure-
by-design core infrastructure, built-in product security features, and advanced security

S
tools, you also need to configure cloud deployments to meet your own unique security
and compliance requirements. We believe that a big part of our shared responsibility

TE
for security is to help make meeting these requirements easier.

That’s why this week we launched our Google Cloud security best practices center , a

O
new web destination that delivers world-class security expertise from Google and our
partners. This expertise, in the form of security blueprints, guides, whitepapers, and
more, can help you accelerate your move to cloud while prioritizing security and

N
compliance. And with downloadable, deployable templates and code, it can help you
automate more secure deployment of services and resources.
K
Blueprints: Helping you automate more secure deployments
H

As part of this new resource center, we’re publishing a comprehensive new security
S

foundations blueprint to provide curated, opinionated guidance and accompanying

automation to help you build security into your starting point for your Google Cloud
E

deployments. The security foundations blueprint was developed based on our customer
experience and covers the following topics:
N

 Google Cloud organization structure

 Authentication and authorization
IG

 Resource hierarchy and deployment

 Networking (segmentation and security)
 Logging
V

 Detective controls
 Billing setup

The blueprint itself includes both a detailed best practices guide and deployable assets
in the form of customizable Terraform build scripts that can be used to stand up a
Google Cloud environment configured per the guidance.

153 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
This joins other newly published blueprints with the same goal of best-practice security
posture automation for specific apps or workloads.

The PCI on GKE blueprint contains reference architectures and a set of Terraform
configurations and scripts that demonstrate how to bootstrap a PCI environment in
Google Cloud. The core of this blueprint is a sample Online Boutique application, where
users can browse items, add them to a shopping cart, and make purchases. This
blueprint enables you to quickly and easily deploy workloads on Google Kubernetes

S
Engine (GKE) that align with the Payment Card Industry Data Security Standard (PCI
DSS) in a repeatable, supported, and secure way. The blueprint also includes a PCI DSS

TE
3.2.1 mapping for the solution and a PCI Compliance whitepaper , which provides an
independent, third-party assessment of the blueprint performed by Coalfire, Google's
PCI DSS auditor.

O
The Google Cloud Healthcare Data Protection Toolkit is an automation framework for
deploying Google Cloud resources to store and process healthcare data,

N
including protected health information (PHI) as defined by the US Health Insurance
Portability and Accountability Act (HIPAA) . It provides an example of how to configure
Google Cloud infrastructure for data storage, analytics, or application development and
K
includes many of the security and privacy best-practice controls recommended for
healthcare data, such as configuring appropriate access, maintaining audit logs, and
monitoring for suspicious activities.
H

The Anthos security blueprints provide prescriptive information and instructions for
S

achieving a set of security postures when you create or migrate workloads that use
Anthos clusters. There are currently individual blueprints for enforcing
E

policies, enforcing locality restrictions for clusters on Google Cloud , and auditing and
monitoring for deviation from policy . Each blueprint includes an implementation guide
N

and deployable assets (custom resource definition files and Terraform templates and
scripts). These blueprints are additive, so you can apply multiple blueprints to your
IG

environments.
V

154 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

onsibility model means for

Establishing trust in IaaS, PaaS, and SaaS
Cloud types
When moving to the cloud, companies approach it with a number of different models –
SaaS, IaaS, and PaaS most commonly. But moving to the cloud shouldn’t obscure the fact

S
that what you’re really looking for is a zero trust security model.

TE
The concept of zero trust stipulates that all connections, between users, applications,
and processes, are limited to trusted parties. These trusted parties need to be evaluated
before being allowed the opportunity to exchange data with one another, or even to
simply connect.

O
To recap the shared responsibility model of cloud service delivery: Iaas, PaaS, and SaaS

N
models transfer progressively more of the burden of the management of the solution to
the vendor. This reduces the lift for the consumer, but can also come at the expense of
agility and control. Our friends at the Cloud Security Alliance have a good breakdown of
K
where responsibility tends to reside at each of these levels. They point out, though, that
the fine line of responsibility between the vendor and the consumer is always case-
specific.
H
S
E
N

Cloud Service Models (IaaS,

IG

PaaS, SaaS), David Chou, 2018

Even in the case of SaaS, where applications are managed by a third-party provider,
V

there are still zero trust principles and practices organizations must adhere to. With SaaS
solutions, the first leg of your zero trust strategy is typically a single sign-on (SSO)
identity verification solution. This enforces multi-factor authentication for users of the
service, as well as links the identity solution to a posture control system to ensure that
the device the user is connecting with is properly protected. You need to make sure you
trust both who is connecting as well as how they are connecting.

155 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
The problem facing development teams today is that so many tools and services have
migrated to the cloud, that no one can be an expert in all of them. The big three cloud
providers alone (Amazon, Google, and Microsoft) offer hundreds of cloud services.

Zero trust can provide a defense-in-depth approach by securing all aspects of your
infrastructure from user devices to microservices. The different models of cloud adoption
just change the demarcation point between the third-party cloud provider and the
business. Knowing where this line sits in practice is critical to maintaining the security of

S
cloud-native applications.

TE
Even when you move the demarcation point up to the SaaS case, the effective use and
implementation of a zero trust model is critical to the security of your data and your
company. With cloud security, Gartner predicts that cloud misconfigurations will be the
top root cause of breaches. This means that 99% of cloud security issues will due to

O
customer error!
A holistic approach to zero trust security needs to address this risk. A cloud-native

N
application protection platform or CNAPP can help secure cloud-native
applications against misconfiguration. Zscaler’s CNAPP solution provides comprehensive
visibility and insight into the metrics and controls needed to manage this critical security
K
component. Critically, this gives developers the ability to prioritize real risk amid high
levels of noise.
H

Zscaler provides a holistic suite of zero trust tools, allowing you to prioritize what portion
of the zero trust journey is most important to your business, so you can start your
S

journey there. Remember the Chinese proverb, “a journey of a thousand miles begins
with a single step.” Start your journey today.
E

Case study: DVWA

N
IG
V

156 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

157 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

158 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

159 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

S
TE
O
N
K
H
S
E
N
IG
V

160 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

UNIT V PRIVACY AND STORAGE SECURITY

Privacy on the Internet - Privacy Enhancing Technologies - Personal privacy

Policies - Detection of Conflicts in security policies- privacy and security in
environment monitoring systems. Storage Area Network Security - Storage
Area Network Security Devices - Risk management - Physical Security
Essentials.

S
TE
What Is Internet Privacy?
 In just a few words, internet privacy refers to how much of your personal
information stays private when you’re online. And by private information, we

O
mean anything directly related to your personal life. This includes your home or
work address, telephone number, medical history, or list of contacts.


N
Ultimately, it’s not only personal information that users share online. It’s also
financial data such as credit card or bank records. All these can easily end up in
the wrong hands and lead to unfortunate scenarios where your money or your
K
identity gets stolen.

 To answer the question “what is internet privacy,” we need to take a closer look
H

at the exchange that happens when we go online. Did you think that using the
internet is free? Unfortunately, you are wrong. Everything you do when surfing the
S

web comes at a cost.

 Whether you’re simply visiting a website and accepting its cookies, or sharing
E

photos with your followers on social media, remember that a part of your personal
information will no longer be only yours to know. It doesn’t even matter if the
N

service you’re using is free or not. Everyone pays the same price — exposure.
IG

 Social networking and simply going online is nowadays an activity riddled with
risks and threats posed to our personal integrity.
V

What Is Internet Privacy Required For?

 People that care less about their online privacy and security may think that living
in a digital world without strict boundaries and limitations is not a big deal.
However, internet privacy needs to be regulated very carefully for everyone to
feel just as safe as they would in real life.

161 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
 If you think about it well, in your day-to-day life you don’t share your bank data or
personal information with just about anyone. You expect people to respect your
own privacy, and you respect theirs, and you don’t open the door of your house
for any stranger to enter.

 All things considered, the online medium should look the same. We need better
privacy laws to shield us from unsolicited third parties. We also need the right
type of software that can protect us from identity theft and data breaches.

S
What Is The Biggest Internet Privacy Issue?

TE
It would be impossible to pinpoint only one issue! Still, we can narrow it down as much as
possible. Most privacy issues can fit into the following categories;

Location Tracking

O
As we all know, most apps request to know our location to give you further access

N
to their perks and features. It’s not mandatory, for sure, but if you will allow just
any app to track you without thinking twice, you risk sharing your location with
third parties you have no idea about, and these include hackers too.
K
Awareness is advised as well as personal involvement in the way all your app’s
settings are adjusted.
H

Social networks are also a growing concern when it comes to sharing your
location’s information. In fact, most of the time, being on social media, including
S

the likes of TikTok, Facebook, Instagram, Twitter, or LinkedIn, means voluntarily

posting photos, videos, or tweets of yourself and filling in your current location.
E

Social media is all fun and games until it’s not anymore, and the information
you’ve willingly shared becomes a hazard.
N

Data Storage
IG

When looking at what internet privacy is, we need to discuss the way search
engines such as Google or Yahoo store our data.
V

Unfortunately, the search engines we all use retain lots of information about
ourselves, what we like to read, what we like to buy, where we go on holiday, and
so on, and there’s really very little we can do to steer clear of this modern
conundrum.

Mishandling Of Information

162 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
As you’ve probably already noticed, there are plenty of websites and companies
out there that require your personal information to grant you access to their
services. This information is typically not encrypted and, thus, not secure, which
means that anyone can read it.

This, as you may already expect by now, spells big trouble.

Cybercriminals are more enticed than ever to break accounts and steal personal
and financial information since security vulnerability is now a feature of the online

S
environment.

Ongoing Spying

TE
That’s right. When you are online, your activity and browsing history is tracked and
recorded by various apps for several different reasons. The biggest one being that the
more private data they gather about you, the easier it will be for them to know what you

O
like and, ultimately, what they should sell to you.

N
And although most of the time the data they collect is used for advertising purposes,
sometimes it can end up in the hands of cybercriminals. In other words, another online
privacy issue we’re facing nowadays is the refined and ongoing surveillance we’re all
K
silently subjected to.

What Can We Do to Keep Our Internet Privacy? Is It Achievable?

H

The most important thing we hope you gain from reading this article is the
S

understanding that Internet privacy is worth protecting at all costs. Internet

privacy represents our sense of freedom, safety, and personal identity online and
E

outside the internet.

Sometimes playing with an app’s privacy settings is simply not enough and
N

extended steps need to be taken to guard our well-deserved internet privacy. It

can be difficult to protect your privacy at times, but it’s an essential task. It can
IG

help you avoid identity theft, doxing, and other issues that are prevalent online.

Working with a reputable team will offer you answers to your questions and
V

provide feedback on privacy best practices. At Internet Privacy, we develop

customized online privacy plans that fulfill your online needs and keep you
updated on your privacy security status.

Only by staying vigilant about what you share and who you share with can you
protect yourself from potential fraud, financial loss, and identity theft.

163 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES
The Takeaway

Internet privacy is the retention of the personal data we shared online in a way that
guards our privacy, much like in real life. We need it, after all, to maintain a sense of
personal identity, even online, where every little detail is shared.

Privacy-enhancing technologies

S
3 languages

TE
 Article
 Talk
 Read
 Edit
 View history

O
Tools







N
K




H

From Wikipedia, the free encyclopedia

Privacy-enhancing technologies (PET) are technologies that embody fundamental

data protection principles by minimizing personal data use, maximizing data security,
S

and empowering individuals. PETs allow online users to protect the privacy of
their personally identifiable information (PII), which is often provided to and handled
E

by services or applications. PETs use techniques to minimize an information

system's possession of personal data without losing functionality.[1] Generally
speaking, PETs can be categorized as hard and soft privacy technologies. [2]
N

Goals of PETs[edit]
IG

The objective of PETs is to protect personal data and assure technology users of two
key privacy points: their own information is kept confidential, and management
of data protection is a priority to the organizations who hold responsibility for any PII.
PETs allow users to take one or more of the following actions related to personal
V

data that is sent to and used by online service providers, merchants or other users
(this control is known as self-determination). PETs aim to minimize personal data
collected and used by service providers and merchants, use pseudonyms or
anonymous data credentials to provide anonymity, and strive to achieve informed
consent about giving personal data to online service providers and merchants. [3] In
Privacy Negotiations, consumers and service providers establish, maintain, and
refine privacy policies as individualized agreements through the ongoing choice
among service alternatives, therefore providing the possibility to negotiate the terms

164 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

and conditions of giving personal data to online service providers and merchants
(data handling/privacy policy negotiation). Within private negotiations, the transaction
partners may additionally bundle the personal information collection and processing
schemes with monetary or non-monetary rewards. [4]
PETs provide the possibility to remotely audit the enforcement of these terms and
conditions at the online service providers and merchants (assurance), allow users to
log, archive and look up past transfers of their personal data, including what data has
been transferred, when, to whom and under what conditions, and facilitate the use of
their legal rights of data inspection, correction and deletion. PETs also provide the

S
opportunity for consumers or people who want privacy-protection to hide their
personal identities. The process involves masking one's personal information and
replacing that information with pseudo-data or an anonymous identity.

TE
Families of PETs[edit]
Privacy-enhancing Technologies can be distinguished based on their assumptions. [2]
Soft privacy technologies[edit]

O
Main article: Soft privacy technologies

Soft privacy technologies are used where it can be assumed that a third-party can be

control and auditing.[2] N

trusted for the processing of data. This model is based on compliance, consent,

Example technologies are access control, differential privacy, and tunnel encryption
K
(SSL/TLS).
Hard privacy technologies[edit]
Main article: Hard privacy technologies
H

With hard privacy technologies, no single entity can violate the privacy of the user.
The assumption here is that third-parties cannot be trusted. Data protection goals
S

include data minimization and the reduction of trust in third-parties. [2]

Examples of such technologies include onion routing, the secret ballot, and
E

VPNs[5] used for democratic elections.

Existing PETs[edit]
N

PETs have evolved since their first appearance in the 1980s. [dubious – discuss] At intervals,
review articles have been published on the state of privacy technology:
IG

 A principal, though fundamentally theoretical, overview of terminology and

principal anonymization technology is found in Pfitzmann & Hansen's terminology
of anonymity.[6]
V

 In 1997, a report by Goldberg, Wagner and Brewer at the University of California

in Berkeley summarized PETs.[7]
 In 2003, Borking, Blarkom and Olk reviewed the technologies from a data
protection perspective in their Handbook of privacy enhancing technologies.[1]
 In 2007, Fritsch published an historic, taxonomic and practical overview of
contemporary privacy-enhancing technology for the Internet for the research
project PETWeb.[8]
 In 2008, Fritsch and Abie documented the gap between implemented PETs and
their successful deployment in a research roadmap for PETs.[9]

165 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

 In 2015, Heurix et al. published a taxonomy of privacy enhancing technologies.[10]

 A specialization of PET research that looks into increasing the transparency of
data processing is called Transparency Enhancing Technologies (TETs). A
review article by Janic et al. summarizes developments in TETs.[11] Murmann and
Fischer-Hübner published a review of transparency tools in 2017.[12]
 In 2019, the World Economic Forum published a white paper exploring PET use
cases in financial technology and infrastructure.
 The Boston Women's Workforce Council published reports
in 2017 and 2019 exploring the gender pay gap in a number of Boston-based
companies. The data was compared using PETs, to ensure that sensitive

S
employee information remained private throughout.
 In 2020, Identiq published an ebook discussing PETs that are actively being used
in identity validation.

TE
 In 2021, the European Data Protection Board, which oversees the enforcement
of GDPR, and the European Union Agency for Cybersecurity published technical
guidance supporting Secure Multi-Party Computation as a valid privacy-
preserving safeguard, applying to both healthcare and cybersecurity use cases.

O
Example PETs[edit]
Examples of existing privacy enhancing technologies are:


N
Communication anonymizers hiding a user's real online identity (email
address, IP address, etc.) and replacing it with a non-traceable identity
(disposable / one-time email address, random IP address of hosts participating in
K
an anonymising network, pseudonym, etc.). They can be applied to everyday
applications like email, Web browsing, P2P networking, VoIP, Chat, instant
messaging, etc.
 Shared bogus online accounts. This technology de-links an online account
H

from a specific user's habits by allowing many users to share the account, and
setting up fake personal information in the account settings. To accomplish this,
one person creates an account for a website like MSN, providing bogus data for
S

their name, address, phone number, preferences, life situation etc. They then
publish their user-IDs and passwords on the internet. Everybody can now use
this account comfortably. Thereby the user is sure that there is no personal data
E

about him or her in the account profile. (Moreover, he is freed from the hassle of
having to register at the site himself.)
N

 Obfuscation refers to the many practices of adding distracting or misleading

data to a log or profile, which may be especially useful for frustrating precision
analytics after data has already been lost or disclosed. Its effectiveness against
IG

humans is questioned, but it has greater promise against shallow algorithms.[13][14]

[15][16]
Obfuscating also hides personal information or sensitive data through
computer algorithms and masking techniques. This technique can also involve
adding misleading or distracting data or information so it's harder for an attacker
to obtain the needed data.
V

 Access to personal data: Here, a user gains control over the privacy of their
data within a service because the service provider's infrastructure allows users to
inspect, correct or delete all their data that is stored at the service provider.
 Enhanced privacy ID (EPID) is a digital signature algorithm supporting
anonymity. Unlike traditional digital signature algorithms (e.g., PKI), in which
each entity has a unique public verification key and a unique private signature
key, EPID provides a common group public verification key associated with many
of unique private signature keys.[17] EPID was created so that a device could
prove to an external party what kind of device it is (and optionally what software

166 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

is running on the device) without needing to also reveal exact identity, i.e., to
prove you are an authentic member of a group without revealing which member.
It has been in use since 2008.
 Homomorphic encryption is a form of encryption that allows computation on
ciphertexts.
 Zero-knowledge proof is a method by which one party (the prover) can prove to
another party (the verifier) that they know a value x, without conveying any
information apart from the fact that they know the value x.
 Secure multi-party computation is a method for parties to jointly compute a
function over their inputs while keeping those inputs private.

S
 Ring signature is a type of digital signature that can be performed by any
member of a set of users that each have a pair of cryptographic keys.
 Non-interactive zero-knowledge proof (NIZKs) are zero-knowledge proofs that

TE
require no interaction between the prover and verifier.
 Format-preserving encryption (FPE), refers to encrypting in such a way that
the output (the ciphertext) is in the same format as the input (the plaintext)
 Blinding is a cryptography technique by which an agent can provide a service to
a client in an encoded form without knowing either the real input or the real

O
output.
 Differential privacy: An algorithm is constrained so that the results or outputs of
a data analysis can't tell if a certain individuals information is being used to


concerns,
N
analyze and form the results. This technique focuses on large databases and
hides the identity of individual "inputs" who might have private data and privacy

Pseudonymization is a data management technique that replaces an

K
individual's identity or personal information with an artificial identifiers known as
Pseudonyms. This de-identification method enables contents and fields of
information to be covered up so as to deter attacks and hackers from obtaining
important information. These Pseudonyms can be either placed in groups or for
H

individual pieces of information. Overall, they serve to discourage information

stealing while also maintaining data integrity and data analysis.[18]
Federated learning is a machine learning technique that trains models across
S


multiple distributed nodes. Each node houses a local, private dataset.
 Adversarial stylometry methods may allow authors writing anonymously or
E

pseudonymously to resist having their texts linked to their other identities due to
linguistic clues.
N

Future PETs[edit]
Examples of privacy enhancing technologies that are being researched or developed
IG

include[19] limited disclosure technology, anonymous credentials, negotiation and

enforcement of data handling conditions, and data transaction logs.
Limited disclosure technology provides a way of protecting individuals' privacy by
allowing them to share only enough personal information with service providers to
V

complete an interaction or transaction. This technology is also designed to limit

tracking and correlation of users’ interactions with these third parties. Limited
disclosure uses cryptographic techniques and allows users to retrieve data that is
vetted by a provider, to transmit that data to a relying party, and have these relying
parties trust the authenticity and integrity of the data. [20]
Anonymous credentials are asserted properties or rights of the credential holder
that don't reveal the true identity of the holder; the only information revealed is what
the holder of the credential is willing to disclose. The assertion can be issued by the

167 | P a g e
 VIGNESH K NOTES
CP4391 SECURITY PRACTICES

user himself/herself, by the provider of the online service or by a third party (another
service provider, a government agency, etc.). For example:
Online car rental. The car rental agency doesn't need to know the true identity of
the customer. It only needs to make sure that the customer is over 23 (as an
example), that the customer has a drivers license, health insurance (i.e. for
accidents, etc.), and that the customer is paying. Thus there is no real need to know
the customers name nor their address or any other personal information.
Anonymous credentials allow both parties to be comfortable: they allow the customer
to only reveal so much data which the car rental agency needs for providing its

S
service (data minimization), and they allow the car rental agency to verify their
requirements and get their money. When ordering a car online, the user, instead of
providing the classical name, address and credit card number, provides the following

TE
credentials, all issued to pseudonyms (i.e. not to the real name of the customer):

 An assertion of minimal age, issued by the state, proving that the holder is older
than 23 (note: the actual age is not provided)
 A driving licence, i.e. an assertion, issued by the motor vehicle control agency,

O
that the holder is entitled to drive cars
 A proof of insurance, issued by the health insurance
Digital cash


N
Negotiation and enforcement of data handling conditions. Before ordering a
product or service online, the user and the online service provider or merchant
negotiate the type of personal data that is to be transferred to the service provider.
K
This includes the conditions that shall apply to the handling of the personal data,
such as whether or not it may be sent to third parties (profile selling) and under what
conditions (e.g. only while informing the user), or at what time in the future it shall be
deleted (if at all). After the transfer of personal data took place, the agreed upon data
H

handling conditions are technically enforced by the infrastructure of the service

provider, which is capable of managing and processing and data handling
S

obligations. Moreover, this enforcement can be remotely audited by the user, for
example by verifying chains of certification based on Trusted computing modules or
by verifying privacy seals/labels that were issued by third party auditing
E

organizations (e.g. data protection agencies). Thus instead of the user having to rely
on the mere promises of service providers not to abuse personal data, users will be
N

more confident about the service provider adhering to the negotiated data handling
conditions [21]
Lastly, the data transaction log allows users the ability to log the personal data they
IG

send to service provider(s), the time in which they do it, and under what conditions.
These logs are stored and allow users to determine what data they have sent to
whom, or they can establish the type of data that is in possession by a specific
V

service provider. This leads to more transparency, which is a pre-requisite of being in

control.

168 | P a g e