SENG411 Week1


SENG 411

Cyber Security
Dr. Emin Emrah Özsavaş
eminemrahozsavas@gmail.com

1
Aim & Scope
• Describe the elements of cyber security
• Explain cyber threats and attacks
• Describe hacking methodologies
• Understand security controls and countermeasures
• Understand security governance

2
Textbook & other material
• Ethical Hacking and Countermeasures Ver. 12, EC-Council 2022
• CISSP All-in-One Exam Guide, Fernando Maymi, Shon Harris,
McGraw Hill 2022
• Practical Information Security Management: A Complete Guide to
Planning and Implementation, Tony Campbell, Apress 2016

3
Syllabus
Week - Topic: Sub-topics
Week 1 - Introduction and Basics: Language of security, overview
Week 2 - Identity and Access Management, System Architectures: Identification,
authentication, authorization, access control, system architecture concepts
Week 3 - Cryptography: Symmetric and asymmetric encryption, hash functions,
digital signatures
Week 4 - Network Security: Network attacks, security architectures, countermeasures
Week 5 - Hacking Methodology: Footprinting and reconnaissance, scanning networks,
enumeration, vulnerability analysis
Week 6 - Hacking Methodology and Sniffing: System hacking (gaining access,
escalating privileges, maintaining access, clearing logs), sniffing concepts
and techniques
4
Syllabus
Week - Topic: Sub-topics
Week 7 - Malware Threats: Malware concepts, APT, trojan, virus, worm, analysis,
countermeasures
Week 8 - Social Engineering and Session Hijacking: Concepts, threats, countermeasures
Week 9 - Web Server and Web Application Security: Concepts, threats, countermeasures
Week 10 - Mobile and Cloud Security: Concepts, threats, countermeasures
Week 11 - Wireless, IoT, and OT Security: Concepts, threats, countermeasures
Week 12 - Security Operations, Role of AI/ML: Threat intelligence, digital evidence
and incident response, digital forensics, AI/ML in security posture
Week 13 - Security Governance: Risk management, organizational security, security
implementation, secure system development
Week 14 - General Review

5
Grading
• Assignments & quizzes
• Midterm exam
• Final exam

6
Language of security
&
overview

7
InfoSec, IT/ICT Sec, Cyber Sec

* Information Security: protection of information from unauthorized access, use, disclosure,
disruption, modification, or destruction, in order to provide confidentiality, integrity, and
availability.
- consists of information both digital and analog; includes personnel, physical, ICT, and
document security.
* IT security is the protection of information technologies; there is no difference between ICT
security and IT security.
* Cyber security: the ability to protect or defend the use of cyberspace from cyber attacks. It
includes information and non-information.
Cyber security is all about the security of anything in the cyber realm (space); information
security is all about the security of information regardless of the realm.
8
InfoSec
- Information: Processed data
- Protecting the information
- C.I.A.

9
InfoSec
C.I.A. triad: Confidentiality, Integrity, Availability

10
InfoSec
• Confidentiality: assurance that the information is
accessible only to those authorized to have access
• Integrity: the trustworthiness of data or resources in
terms of preventing improper or unauthorized changes
• Availability: assurance that the systems responsible for
delivering, storing, and processing information are
accessible when required by the authorized users

11
InfoSec
- Confidentiality: ACL, file permission, enc. …

- Integrity: hash func., digital signature …

- Availability: disaster rec. plan, redundancy …

12
InfoSec
Availability: disaster rec. plan, proper back up, redundancy …
‘the condition of any backup is unknown until a restore is
attempted’

13
InfoSec
• Info assurance is the higher tier, InfoSec falls under this tier
• Two more pillars
• Info assurance = C.I.A. + authenticity + non-repudiation
• Authenticity: Refers to the characteristic of a communication,
document, or any data that ensures the quality of being genuine
• Non-Repudiation: A guarantee that the sender of a message
cannot later deny having sent the message and that the recipient
cannot deny having received the message

14
InfoSec
• Authenticity
checking identity before allowing access
Three types: something you know, have, are
• Non-Repudiation
knowing who sent or received information
digital signatures

15
Cyber Sec

16
Cyber Sec vs. Defense
- two interconnected disciplines
- focused on protecting critical digital assets and
infrastructure
- prevention, reducing attack surfaces, hardening
systems
- threat detection and minimizing impacts of incidents

17
Cyberwarfare
• Fifth domain of battle (2011): Pentagon declared that they accept
‘cyber’ as the fifth domain of battle, after land, sea, air, and
space.

18
Cyberwarfare
• Fifth domain of battle (2011)

19
Cyberwarfare
two major approaches:

20
Cyber security
• Protecting the cyber realm against cyber attacks and
reducing the risks
• There are lots of hackers, cyber terrorists and spies
(general idea, true?)
• Risks stem from errors in hardware & software (broad
perspective)
• Can we protect every asset?

21
Cyber security
Hardware & Software errors:

22
Cyber security
Three basic components:
• Vulnerability
- Weakness of a system; when exploited, loss and
damage may occur
• Threat
- Situation that is resolved when the weakness is prevented
- Attack, or fault of an innocent person
- Exploiting a vulnerability intentionally is called
an ‘attack’
• Countermeasure
- Resolving a vulnerability

23
Cyber security

Risk: potential for loss, damage, or destruction of an asset, as a
result of a threat exploiting a vulnerability

* BCP: Business Continuity Planning

24
Cyber security
Example:
a system that allows weak passwords
* A password is vulnerable to dictionary or exhaustive key
attacks
* An intruder can exploit the password weakness to break
into the system
* Resources within the system are prone to illegal
access, modification, or damage by the intruder

vulnerability, threat, risk?

25
Cyber security
Attacks = Motive (Goal) + Method + Vulnerability

* motives originate from the notion that the target system
stores or processes something valuable
* attackers try various tools and attack techniques to
exploit vulnerabilities

26
Cyber security
Motives:
- Disrupt business continuity
- Perform information theft
- Manipulating data
- Create fear and chaos by disrupting critical infrastructures
- Bring financial loss to the target
- Propagate religious or political beliefs
- Achieve a state's military objectives
- Damage the reputation of the target
- Take revenge
- Demand ransom

27
Cyber security
Classification of attacks:
- Passive Attacks
- Active Attacks
- Close-in Attacks
- Insider Attacks
- Distribution Attacks

28
Cyber security
Classification of attacks / Passive attacks:
- intercept and monitor network traffic and data flow on
the target network without tampering with the data
- very difficult to detect, as the attacker has no active
interaction with the target system or network

o Footprinting
o Sniffing and eavesdropping
o Network traffic analysis

29
Cyber security
Classification of attacks / Active attacks:
- tamper with the data in transit or disrupt communication or services to
bypass or break into secured systems

o Man-in-the-Middle attack
o DNS and ARP poisoning
o Compromised-key attack
o Denial-of-service (DoS) attack
o Firewall and IDS attack
o Bypassing protection mechanisms
o Profiling
o Malware attacks (such as viruses, worms, ransomware)
o Arbitrary code execution
o Privilege escalation
o Backdoor access
o Modification of information
o Cryptography attacks
o Spoofing attacks
o SQL injection
o Replay attacks
o XSS attacks
o Password-based attacks
o Directory traversal attacks
o Session hijacking
o Exploitation of application and OS software

30
Cyber security
Classification of attacks / Close-in attacks:
- performed when the attacker is in close physical proximity
to the target system or network
- main goal is to gather or modify information or disrupt
access to it

o Social engineering
(Eavesdropping, shoulder surfing, dumpster diving, and other
methods)

31
Cyber security
Classification of attacks / Insider attacks:
- performed by trusted persons having physical access to the
critical assets of the target
- involves using privileged access
- insiders can easily bypass security rules, corrupt valuable
resources, and access sensitive
- difficult to detect

o Eavesdropping and wiretapping
o Theft of physical devices
o Data theft

32
Cyber security
Classification of attacks / Distribution attacks:
- occur when attackers tamper with hardware or software
prior to installation
- examples are backdoors created by software or hardware
vendors at the time of manufacture
- used to gain unauthorized access to the target

33
Cyber security

* step-by-step process to perform ethical hacking
* follows the same process as that of an attacker; the only differences are
the hacking goals and strategies

34
Cyber security
* footprinting & reconnaissance: attacker gathers as much
information as possible about the target prior to launching an attack
(IP address range, namespace, and employees …)
* scanning: used to identify active hosts, open ports, and
unnecessary services enabled on particular hosts. Often, the
reconnaissance and scanning phases overlap, and it is not always
possible to separate them
* enumeration: involves making active connections to a target
system or subjecting it to direct queries. Gathering information such
as network user lists, routing tables, security flaws, shared users,
groups, applications …
* vulnerability analysis: examination of the ability of a system or
application, including its current security procedures and controls

35
Cyber security
* System Hacking:
Attackers follow a certain methodology to hack a system
o Gaining Access
o Escalating Privileges
o Maintaining Access
o Clearing Logs

36
Cyber security
Cyber Kill Chain Methodology
- used for identification and prevention of malicious intrusion
activities, enhances intrusion detection and response
- provides greater insight into the attack phases, helps security
professionals in identifying the steps that adversaries follow

37
Cyber security
Tactics, Techniques, and Procedures (TTPs)
- activities and methods associated with specific threat actors or groups
of threat actors, determine the behavior of a threat actor (hacker)
- helpful in analyzing threats and profiling threat actors; can further be
used to strengthen the security infrastructure
- tactics: a guideline that describes the way an attacker performs attacks
from beginning to end; predict and detect evolving threats in the early
stages
- techniques: technical methods used by an attacker to achieve
intermediate results during attacks; identify vulnerabilities and
implement defensive measures in advance
- procedures: organizational approach followed by the threat actors to
launch their attacks; identify what the attacker is looking for within the
target organization's infrastructure

38
Cyber security
Tactics, Techniques, and Procedures (TTPs)
- tactics:
obtain information available on the Internet or perform social
engineering
approach the target employees one by one or as a group
constant payload from the beginning to the end of the attack or
changeable payload
- techniques:
different techniques at each stage of the threat life cycle
for the 1st stage, in social engineering, certain non-technical software
tools are used
for the middle stages, set of tools are used
for the last stage there are technical and nontechnical aspects

39
Cyber security
Tactics, Techniques, and Procedures (TTPs)
- procedures:
sequence of actions performed
number of actions usually differs depending upon the objectives of the
procedure and the APT group
detailed description of how tactics are executed using the choice of
techniques

40
Cyber security

41
Cyber security
Indicators of Compromise (IoCs)
- clues, artifacts, and pieces of forensic data found on a network or
operating system of an organization that indicate a potential intrusion or
malicious activity in the organization's infrastructure
- IoCs are not intelligence
- divided into four categories:
- Email Indicators: sender's email address, email subject, and
attachments or links
- Network Indicators: URLs, domain names, and IP addresses
- Host-Based Indicators: filenames, file hashes, registry keys, DLLs
- Behavioral Indicators: used to identify specific behavior related to
malicious activities, such as code injection into memory or a document
executing a PowerShell script
42
Cyber security
Indicators of Compromise (IoCs)
- Unusual outbound network traffic
- Unusual activity through a privileged user account
- Geographical anomalies
- Multiple login failures
- Increased database read volume
- Large HTML response size
- Multiple requests for the same file
- Mismatched port-application traffic
- Suspicious registry or system file changes
- Unusual DNS requests
- Unexpected patching of systems
- Signs of Distributed Denial-of-Service (DDoS) activity
-…
43
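An added example (not part of the lecture slides) that turns the four IoC categories above and the "multiple login failures" behavioral indicator into a small matcher in Python. The indicator values and log lines are constructed placeholders, and the tokenizing and threshold logic are assumptions about how such a scan would be written.

```python
import re
from collections import Counter

# Constructed IoC set grouped by the slide's categories; all values are placeholders, not real indicators
IOCS = {
    "email":   {"sender": {"billing@invoice-update.example"}, "attachment": {"statement.pdf.exe"}},
    "network": {"domain": {"cdn-update.example"}, "ip": {"203.0.113.45"}},
    "host":    {"filename": {"svch0st.exe"}, "hash": {"0123456789abcdef0123456789abcdef"}},
}
# Flatten to value -> (category, kind) so every token is a single dict lookup
LOOKUP = {v: (cat, kind) for cat, kinds in IOCS.items() for kind, vals in kinds.items() for v in vals}

# Constructed sample log lines ("source: key=value ..."), not taken from any real system
SAMPLE_LOGS = [
    "mail: from=billing@invoice-update.example to=alice@corp.example attach=statement.pdf.exe",
    "dns: client=10.0.0.7 query=cdn-update.example",
    "proxy: client=10.0.0.7 dst=203.0.113.45:443 bytes=48210",
    "edr: host=WS07 proc=svch0st.exe md5=0123456789abcdef0123456789abcdef",
] + ["auth: user=bob src=10.0.0.9 result=FAIL"] * 5 + ["auth: user=bob src=10.0.0.9 result=OK"]

TOKEN_SPLIT = re.compile(r"[\s=:]+")          # splits key=value pairs and host:port
AUTH_FAIL = re.compile(r"^auth: user=(\S+) src=(\S+) result=FAIL$")

def match_atomic(lines):
    """Atomic IoCs (email, network, host-based): every token equal to a known value is a hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_SPLIT.split(line):
            if tok in LOOKUP:
                cat, kind = LOOKUP[tok]
                hits.append((n, cat, kind, tok))
    return hits

def match_behavioral(lines, threshold=5):
    """Behavioral IoC from the slide: multiple login failures for one (user, source) pair."""
    fails = Counter(m.groups() for m in map(AUTH_FAIL.match, lines) if m)
    return {pair: count for pair, count in fails.items() if count >= threshold}

def summarize(lines):
    """Hit list, counts per category, and behavioral findings for a quick triage view."""
    atomic = match_atomic(lines)
    per_category = Counter(cat for _, cat, _, _ in atomic)
    return {"atomic": atomic, "per_category": dict(per_category),
            "behavioral": match_behavioral(lines)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGS).items():
        print(key, value)
```

Atomic hits need an exact token match, so a hash or domain that is merely similar goes unnoticed; that is the gap the behavioral rule at the end is meant to cover.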
Cyber security
MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) Framework
- globally accessible knowledge base of adversary tactics and techniques
based on real-world observations (https://attack.mitre.org)
- used as a foundation for the development of specific threat models and
methodologies
- three collections of tactics and techniques: Enterprise, Mobile, and ICS
(industrial control systems) matrices
- 14 tactics for enterprise and mobile, 12 tactics for ICS & corresponding
techniques

44
Cyber security

45
Cyber security
Attackers
- Amateur: download a tool, try it, and use it on another person’s mobile
phone to take a look at private photographs. Mostly script kiddies
- Hacker (Cracker): innocent, they detect and report the vulnerabilities to
the owner of a system. Crackers are malicious hackers
- State-funded spy
- Terrorist

46
Cyber security

- Black hats: individuals with extraordinary computing skills who resort to malicious or
destructive activities (crackers)
- White hats: individuals who use their skills for defensive purposes, security analysts;
they have permission from the system owner
- Gray hats: individuals who work as black hat and white hat at various times

47
Cyber security
Ethical hackers:
• Work with professional and ethical values, no hidden
agenda
• Get Out of Jail Free doc from the requestor (system
owner)
• Report of the findings, regular documentation
• Respecting privacy (e.g., passwords, personally
identifiable information-PII)
• No crashing tested systems

48
Cyber security
Ethical hackers’ technical capabilities:
• OS knowledge (Windows, Linux, Mac, Unix)
• Network knowledge (hardware & software)
• Attack knowledge
• and other capabilities
- Organizational security policies
- Standards and laws

49
Cyber security
Hackers vs. malicious users

• Hackers: External, unauthorized
• Malicious users: Internal, authorized

Which one is much more dangerous?

50
Cyber security
teams in general:

* Blue team: Defend side, defends against both real attackers
and red teams; system admins, other IT personnel
* Red team (aggressor team): White hat (ethical hacker) team

51
Cyber security
Penetration Test (PenTest)

* Assess your security before an attacker does
* Penetration testing tools simulate real-world attack
scenarios

52
Cyber security
PenTest Methods:

53
Cyber security
White box
* Pros
- Deep and thorough testing
- Maximizes testing time
- Extends the testing area
* Cons
- Non realistic attack

54
Cyber security
Black box
* Pros
- Simulates a very realistic scenario
* Cons
- Testing time cannot be maximised
- Some areas of the infrastructure might remain
untested

55
Cyber security
- official permission before starting, Rules of Engagement
- RoE includes:
. IP addresses/blocks
. Hosts that will be excluded
. Test methods and tools
. Timing
. Testers’ IP addresses
. Contact info

56
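As an added example that is not from the slides, a Python scope checker that encodes the RoE items listed above (IP blocks, excluded hosts, timing, testers' addresses) and rejects any planned probe that falls outside them. The RoE values are constructed documentation ranges, and the field names and check order are assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed Rules of Engagement for illustration; addresses are documentation ranges, not a real engagement
ROE = {
    "in_scope": ["192.0.2.0/24", "198.51.100.0/25"],                        # IP addresses/blocks
    "excluded_hosts": ["192.0.2.10", "192.0.2.11"],                          # hosts that will be excluded
    "window": ("2024-01-15T08:00:00+00:00", "2024-01-15T18:00:00+00:00"),   # timing (UTC)
    "tester_ips": ["203.0.113.5"],                                           # testers' IP addresses
    "contact": "security-lead@corp.example",                                 # contact info (placeholder)
}

def load_roe(roe):
    """Parse the RoE text values into typed objects once."""
    return {
        "in_scope": [ip_network(n) for n in roe["in_scope"]],
        "excluded": {ip_address(h) for h in roe["excluded_hosts"]},
        "start": datetime.fromisoformat(roe["window"][0]),
        "end": datetime.fromisoformat(roe["window"][1]),
        "testers": {ip_address(t) for t in roe["tester_ips"]},
    }

def check_target(roe, target, source, when_iso):
    """Return (allowed, reason) for one planned probe: who, against what, and when."""
    r = load_roe(roe)
    t, s, when = ip_address(target), ip_address(source), datetime.fromisoformat(when_iso)
    if s not in r["testers"]:
        return False, "source is not a declared tester address"
    if not r["start"] <= when <= r["end"]:
        return False, "outside the agreed testing window"
    if t in r["excluded"]:                      # exclusions win over block membership
        return False, "host is explicitly excluded"
    if not any(t in net for net in r["in_scope"]):
        return False, "target is outside the agreed IP blocks"
    return True, "in scope"

def filter_targets(roe, targets, source, when_iso):
    """Split a candidate target list into (allowed, rejected-with-reasons)."""
    allowed, rejected = [], {}
    for target in targets:
        ok, reason = check_target(roe, target, source, when_iso)
        if ok:
            allowed.append(target)
        else:
            rejected[target] = reason
    return allowed, rejected

if __name__ == "__main__":
    print(filter_targets(ROE, ["192.0.2.20", "192.0.2.11", "198.51.100.200"],
                         "203.0.113.5", "2024-01-15T10:00:00+00:00"))
```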
Cyber security
Defense in depth: several protection layers

Border Router
Perimeter firewall
Internal firewall
Intrusion Detection System
Policies & Procedures & Audits
Authentication
Access Controls
57
Cyber resilience
• continuously deliver the intended outcome despite
adverse cyber events
• collaboration of people, processes, technology and
facilities
• cyber security and keeping things running

58
