DIPLOMA IN CYBER SECURITY – ALISON

MODULE 1

Understanding the Basics of Cybersecurity

Definition of cyber security

Cyber security refers to the practice of safeguarding computer systems, networks, and digital
information from any unwarranted access, use, disclosure, disruption, or destruction.

This involves taking various measures and technologies in place to secure computers servers
mobile devices electronic systems data against cyber threats such as hacking malware phishing
ransomware other forms of attacks such as ransomware etc.

Importance of Cyber security

At present, cybersecurity holds enormous value as we become ever more dependent on digital
technology to perform daily tasks. The greater risks from cyber threats include significant
financial loss, damage to an individual or organisation's reputation, loss of sensitive data or
threats to national security. Such in breaches in security measures being exploited make fully
understanding and implementing the process for cyber security measures imperative for today.

Principles of Cyber security

There are three key concepts or principles in cyber security often referred to as the CIA triad:

 C = Confidentiality: Ensuring data can only be seen by authorised viewers.

 I = Integrity: Ensuring data accuracy and completeness; this involves stopping
unauthorised users from altering or manipulating it.
 A = Availability: Ensuring data and services are readily accessible when needed by
authorised users.

Understanding cybersecurity fundamentals is the first step toward protecting yourself or your
business against potential cyber threats. Cybersecurity is ever-evolving as new threats appear
and innovative methods of defence become available.

Cybersecurity is more than simply stopping attacks; it is about creating an environment in which
any attacks that do happen have minimal effects and swift recovery is achieved. Let us continue
this fascinating exploration of this field!

Cybersecurity in the Digital Age

The digital Age: A new frontier –

The digital or information age is an era in human history defined by an economic shift away from
traditional manufacturing towards an economy reliant on information technology. Today we live
more connected than ever before as data is produced, stored, shared, and accessed across
computers, mobile phones and cloud platforms worldwide.

1
While our connected and data-driven world provides many conveniences and advancements, it
also presents numerous risks and vulnerabilities which necessitate the implementation of
cybersecurity practices to safeguard us all. Therefore, its significance cannot be underrated.

Why is cybersecurity important?

 One of the key functions of cybersecurity is protecting sensitive data - be it personal

details of individuals, intellectual property of businesses, or classified government files -
which may otherwise be compromised in some manner and lead to serious monetary
and reputational loss if breached.
 Strong cybersecurity measures must be in place in order to keep unauthorised
individuals away from systems and networks - including hackers looking for data theft
opportunities as well as disgruntled employees with plans of disrupting services.
 Cyber attacks have the power to severely disrupt digital systems, like websites. An
attack like DDoS could render them unavailable causing substantial loss in business
revenue and sales.
 Many regions have laws and regulations in place which mandate businesses to protect
customer and employee personal data; failure to do so could incur substantial fines or
penalties.

More Relevant Than Ever

Cybersecurity in today's digital environment continues to rise for multiple reasons:

1. Increased Cybercrime: As we become increasingly dependent upon technology, so does

cybercrime. Cybercriminals have become more sophisticated as has their reward for conducting
crime online.

2. Growth of Internet of Things (IoT): With more devices connecting to the internet--from
smart phones and smart home appliances to other connected gadgets like drones--coming
online, more vulnerabilities and entry points for hackers increase exponentially.

3. COVID-19 and Remote Work: COVID-19 has led to an acceleration in remote work practices
by businesses, expanding digital footprint and raising demands for secure remote access to
resources.

4. Emergence of AI/ML: These cutting-edge technologies may bring many advantages, yet
also pose new cybersecurity threats. Attackers could exploit them to automate cyber attacks or
enhance phishing attempts - and more!

As we progress into a digital society, cybersecurity will remain at the centre of discussions.
Each person plays their part by protecting personal data or company assets while keeping
themselves updated about regulations to keep themselves protected against threats.

2
 Keep this in mind as we journey toward creating a safe digital world - every step towards
understanding and adopting better cybersecurity practices will bring us closer to that goal.

Overview of Cyber Threats and Attack Vectors

What are cyber threats?

Cyber threats can be defined as attempts by criminals or hackers to damage or disrupt

computer networks or systems for illicit gain, typically to steal, alter, or destroy targets by
hacking into vulnerable systems and then using that access point as their weapon of attack.

Types of Cyber threats

1. Malware

Malware can be defined as malicious software installed without consent on an end user device
with the intention of harming them and/or their data, including viruses such as worms and
trojans as well as ransomware and spyware. All such examples constitute examples of
Malware.

2. Phishing

The Phishing technique is a devious method of cybercrime where scammers design falsely
realistic-looking websites or emails in order to entice unaware victims into providing confidential
information such as passwords as well as credit card numbers and social security numbers.

3. Man-in-the-Middle Attacks

Man-in-the-Middle attacks are cybersecurity attacks wherein an attacker secretly intervenes

between two parties' communication to eavesdrop, alter data or pose as trusted entities,
jeopardising both confidentiality and integrity of communications between them.

4. Distributed Denial of Service Attacks

When engaged in, DDoS attacks use brute-force traffic attacks against networks or websites in
an effort to render it unavailable for user use.

5. SQL Injection

3
In an SQL Injection attack, attackers take advantage of vulnerabilities in web application's
database query software in order to gain unauthorised access to information.

6. Zero-Day Exploits

Zero-day exploits are cyber attacks which strike upon discovering any weakness in software,
often on its very first day of discovery. Because most affected parties remain unaware of it until
much later, exploits may remain for days, weeks, or even months until being patched by those
with the best protection plans in place.

Test questions

What are Attack Vectors?

An attack vector is any route through which an attacker gains unauthorised entry to a computer
or network with malicious intentions and delivers their payload or payoff. Attack vectors allow
hackers to exploit system vulnerabilities - including human ones - by exploiting human
vulnerabilities as part of an offensive strategy.

Common attack vectors

1. Email and Phishing

Email has emerged as a primary attack vector, with phishing being one of the more popular
attack techniques used against users. Attackers typically pose as trusted organisations to lure
recipients into clicking malicious links or downloading infected attachments from an email sent
from them.

2. Web

Attackers may exploit vulnerabilities in web applications to gain unauthorised access or spread
malware, either via SQL injection, cross-site scripting (XSS), or simply uploading files with
malware onto them.

3. Social Engineering

Social engineering involves deceiving or coercing individuals into divulging confidential

information through various techniques like phishing, pretexting, baiting and tailgating.

4
4. Physical Media

Attackers often employ physical devices such as USB flash drives to gain entry to systems and
compromise them. Leaving such seemingly innocent items lying about makes for easier
compromise by attackers who will soon discover it and exploit its vulnerabilities.

5. Unpatched Software

Software with known vulnerabilities that has yet to be patched can provide attackers with easy
entry points into networks containing zero-day attacks, making exploitation an attractive
prospect.

Understanding cyber threats and attack vectors used by cybercriminals is essential for
cybersecurity. When exploring this subject further, remember: awareness is power! By
becoming better acquainted with potential dangers we will have better chances at protecting
ourselves against future attacks.

Legal and Ethical Considerations in Cybersecurity

So far we've discussed the essentials of cybersecurity - its purpose, importance and the various
threats and attack vectors it is vulnerable to - but now let's turn our focus onto legal and ethical
considerations surrounding this area of research.

Understanding Cybersecurity Laws

Cybersecurity laws refer to legislation and statutes related to internet usage by individuals,
businesses and governments alike.

Their aim is to safeguard users against online crime while outlining legal processes that should
be undertaken following any potential cyber breaches or incidents.

5
Ethical Considerations in Cybersecurity

Legal requirements aside, ethical considerations also play a pivotal role in cybersecurity. Ethical
considerations often revolve around what actions would constitute the "right" or "good" course of
action in any particular circumstance.

Here are some of the major ethical concerns for cybersecurity:

Pic ethics

1. Privacy: When protecting systems and data, cybersecurity professionals often gain access to
sensitive personal or organisational data which should remain private and undisclosed.
Maintaining its protection as part of ethical practice is therefore of utmost importance.

2. Disclosure: When security researchers or cybersecurity professionals find vulnerabilities

within a system, an ethical question arises of when, how and to whom this information should be
disclosed.

3. Proportionality: When responding to cyber threats, defence measures should be

proportionate with their intensity and should aim at minimising further disruption or injury.

4. Equality of Access: With internet usage becoming an integral component of daily life,
providing equal and fair access to digital resources while protecting against digital discrimination
are ethical considerations that should be prioritised.

Why is Cybersecurity Important?

Recently, an increased awareness has emerged regarding the relationship between

cybersecurity and human rights.

Digital technologies are increasingly being utilised to exercise fundamental freedoms like
freedom of expression, privacy and access to information; consequently, cybersecurity
measures must respect and secure such rights.

Staying abreast of cybersecurity law and ethics can be complex and constantly shifting; keeping
up to date is an integral component of being a cybersecurity professional.

6
Beyond technical skills and knowledge, cybersecurity involves upholding laws while upholding
ethical standards - maintaining this balance helps build a safer digital world for us all!

Network Security

This topic is intended to introduce you to network security.

Topics to Be Covered:

 Fundamentals of network security

 Components of network security
 Network protocols and their vulnerabilities
 Firewall technologies and intrusion detection systems
 Virtual private networks (VPNs) and secure remote access

Fundamentals of Network Security

What is network security (NS)?

Network security refers to practices and policies implemented to detect, deter and monitor any
unlawful access, misuse, modification, or denial of computer networks and related resources in
an effort to safeguard infrastructure as well as data.

The goal is securing these vital components of an efficient digital society.

Why is network security essential?

7
With organisations becoming ever more interconnected, vulnerabilities within network
connections increase exponentially; thus making network security an essential aspect of
cybersecurity.

Network security protects user data while guaranteeing usability, reliability and integrity within a
network infrastructure from threats such as malware, ransomware, phishing or denial-of-service
(DoS) attacks.

Components of Network Security

Network security entails multiple layers of defences at both the edge and in the network, each
layer implementing policies and controls designed to allow only authorised users access to
network resources while keeping malicious actors away. Key elements include:

1. Access control
This is used to control who can access the network. It effectively keeps unauthorised
persons out while granting access to authorised users.
2. Antivirus and anti-malware software
Antivirus and antimalware software is intended to defend against malware such as
viruses, ransomware, worms, trojans and spyware.
3. Firewalls
Firewalls act as barriers between an internal network and external networks (typically the
internet) which help block malicious traffic while permitting legitimate traffic through.
4. Virtual Private Networks
VPN enables secure connections over the internet between networks. A VPN provides
privacy when browsing over public WiFi networks or public Wi-Fi hotspots - an additional
layer of protection.
5. Intrusion Prevention systems(IPS)
These systems identify fast-spreading threats, such as zero-day or zero-hour attacks.
6. Security Information and Event Management and (SIEM)
These tools allow IT teams to centrally manage and see events related to security, as
well as enable incident response and report generation for compliance purposes.
7. Email security
Network security is crucial in today's interconnected world to protect sensitive data and
prevent disruptions to service. It involves multiple strategies, policies, and tools working

8
 together to provide comprehensive protection. Remember, network security is like a fort.
Your defensive walls must be strong, yet have an exit plan if they are breached.

Network Protocols and Their Vulnerabilities

What are Network Protocols?

Network protocols are rules designed to facilitate data communication among computers and
devices in a network, and to facilitate its data packet delivery smoothly from source to
destination.
There are various network protocols, each catering to certain purposes and operating at various
layers of a networking model. Some key ones include HTTP(S), FTP, SMTP, DNS and TCP/IP
among many more.
Understanding Key Protocols and Their Vulnerabilities

1. HTTP and HTTPS (HyperText Transfer Protocol and HTTP Secure):

These two protocols allow web users to transfer data over an unsecured channel; any
information can be intercepted and exploited during transmission.
HTTPS offers more protection by using encryption technology to secure its message
transmission; however, improper configuration can leave HTTPS vulnerable to attacks such
as "SSL stripping", whereby an attacker downgrades communication from HTTPS back
down to HTTP in order to intercept information being transferred between hosts.

2. FTP (File Transfer Protocol)

FTP is used for sending files between client and server, but lacks encryption which leaves
sensitive data vulnerable to interception. As an alternative, its secure counterpart, SFTP
uses SSH-based encryption instead.

3. SMTP (Simple Mail Transfer Protocol)

Used for sending emails, this protocol can easily be compromised to send spam or phishing
attacks. Without adequate protections in place, its vulnerability could allow any number of
unwanted senders access.

9
4. DNS (Domain Name System)
DNS provides translation between domain names and IP addresses, making it vulnerable to
DNS spoofing or poisoning attacks in which an attacker modifiess DNS records to divert
traffic away from targeted websites, often for illicit reasons.

5. TCP/IP (Transmission Control Protocol/Internet Protocol)

This is the basic communication protocol of the internet and can be susceptible to various
attacks such as SYN flood attacks; an attacker flooding servers with SYN packets causes it
to become inactive and render itself nonresponsive.

Securing Network Protocols

While these vulnerabilities can seem concerning, there are many strategies for securing network
protocols:
1. Use Secure Versions of Protocols:
Whenever possible, use secure versions of protocols (like HTTPS instead of HTTP, and
SFTP instead of FTP) that offer encryption.
2. Patch and Update Regularly:
Keeping servers and software patched and updated helps to fix known vulnerabilities that
could be exploited.
3. Implement DNS Security Extensions (DNSSEC):
This helps to mitigate risks of DNS spoofing by providing authentication for DNS responses.
4. Intrusion Detection Systems (IDS)/ Intrusion Prevention Systems (IPS):
These devices can identify and prevent various attacks against network protocols.
5. Proper Configuration:
Many attacks exploit misconfigurations. Ensure that systems are properly set up to minimise
potential weak points.

10
Understanding network protocols and their vulnerabilities forms a critical part of network
security. Remember, every protocol serves a purpose and it's not about eliminating them, but
about how we secure them. It's about knowing their weaknesses and implementing the right
measures to strengthen them.

Firewall Technologies/Intrusion Detection Systems

A firewall is a network security system which monitors and controls incoming and outgoing
network traffic according to predetermined security rules, acting as an intermediary between
trusted internal networks such as your company network and potentially hostile external ones
like the internet.

Types of Firewalls

 Packet Filtering Firewall: This type of firewall operates at the network level to filter
packets of data passing through it; any that don't meet security rules set out by this
device won't pass.
 Stateful Inspection Firewall: Also known as dynamic packet filtering, this firewall keeps
track of active connections and only allows traffic through if it's part of an already-
established connection.
 Proxy Firewall: Proxy firewalls operate at the application layer, filtering traffic between
two systems by invoking a service request on behalf of one system.
 Next-Generation Firewall (NGFW): These firewalls include functions of traditional
firewalls plus other network device filtering functionalities, such as intrusion prevention,
SSL and SSH inspection, deep-packet inspection, and reputation-based malware
detection.

11
What are SL/TLS?

These are security protocols that keep data safe when it’s moving between a user (like a
browser or app) and a server.

What they do
They:
 Encrypt data – so hackers can’t read it
 Authenticate servers – so you know you’re talking to the real website
 Ensure data integrity – so data isn’t altered in transit

SSL vs TLS

SSL (Secure Sockets Layer) → older, now deprecated

TLS (Transport Layer Security) → modern, more secure replacement
When people say SSL, they usually mean TLS.

Where you see it

Websites with https://

Online banking
Email (SMTP, IMAP, POP3 over TLS)
VPNs, APIs, cloud services

How it works (quick flow)

 Browser connects to a server

 Server sends a digital certificate
 Certificate is verified by a Certificate Authority (CA)
 Encryption keys are exchanged
 Secure communication begins

Why it matters

Without SSL/TLS:
Passwords can be stolen
 Data can be intercepted (man-in-the-middle attacks)
 Websites can be impersonated

12
Common TLS versions

 SSL 2.0 / 3.0 – insecure

 TLS 1.0 / 1.1 – deprecated
 TLS 1.2 & TLS 1.3 – recommended

What is an IDS?

An Intrusion Detection System (IDS) monitors network traffic for any suspicious activities that
could indicate potential intrusion attempts and sends alerts when such activity is spotted.
While IDS's are highly efficient at spotting anomalies, they cannot prevent intrusion attempts
themselves from taking place.
Types of Intrusion Detection systems

1. Network Intrusion Detection Systems (NIDS): These can be strategically installed into
networks to monitor all traffic moving in or out, between all devices connected.
2. Host Intrusion Detection Systems (HIDS): These run on all computers or devices in
the network with direct access to both the internet and the enterprise internal network.
3. Anomaly-Based IDS: This type of IDS uses machine learning to create a trusted
baseline and then compares new behaviour against this baseline. If the behaviour
deviates significantly, the IDS triggers an alert.
4. Signature-Based IDS: This type of IDS uses predefined signatures to detect known
threats.

Intrusion Prevention systems (IPS)

13
Intrusion Prevention Systems (IPSs) serve as an extension to IDSs by stopping attacks
themselves. An active system, an IPS can detect intrusive activity while taking steps to block
users or sources.
Firewalls and intrusion detection systems play an integral part in an effective network security
plan. By understanding their strengths and limitations, firewalls and IDS can better defend
against various cyber threats to help defend your network more efficiently from cyber criminals
and potential attacks.
Remember, cyber security should not be considered an immediate fix but an ongoing process!

Virtual Private Networks/Secure Remote Access

What is a VPN?

Virtual Private Network (VPN) technology creates a secure tunnel between your device and
either the network at work or an internet server, effectively creating an extension of private
networks across public ones to allow users to send and receive data as though their computing
devices were directly linked into them.

Why is VPN Important?

VPNs are crucial for preserving privacy and securing data exchange in a world where data
breaches and surveillance are significant concerns.
 Encryption: VPN provides strong encryption to ensure that even if cybercriminals
intercept data they cannot read it.
 Anonymity: VPN can mask your IP address, making your online actions virtually
untraceable.
 Remote Access: VPNs provide a secure way for remote employees to access necessary
resources on their company's network.

14
(VPN – other definitions)
A VPN (Virtual Private Network) is a service that protects your internet connection by making
it private and secure.
In simple words
A VPN hides your real location and IP address and encrypts your data while you’re online.

What a VPN does

 Keeps your internet activity private
 Protects you on public Wi-Fi (cafés, offices, hotels)
 Lets you access websites or apps blocked in your country
 Prevents tracking by ISPs and hackers

How it works
 Normally, your internet goes directly to a website.
 With a VPN, your internet first goes through a secure server in another location, then to
the website.
 The website sees the VPN, not you.
Example
If you’re in Uganda and connect to a VPN server in UK, websites think you’re in the UK.
Common uses
 Privacy and security
 Streaming geo-blocked content
 Online banking safety
 Remote work and school access

Understanding Secure Remote Access

Secure remote access refers to any method by which an individual may connect securely with a
network from outside its location - this may involve VPNs but could also involve using other
strategies and tools.
Ensuring secure remote access is crucial in protecting your network. This involves
several elements:
 Authentication: Ensure only authenticated users can gain entry to a network using
passwords or alternative methods like biometric verification and multi-factor authentication.
 Authorization: This involves managing user permissions, so users can only access the
data and systems they need for their work.

15
 Encryption: As mentioned above, encryption involves encoding data so it cannot be read if
intercepted and read by third parties.
 Monitoring: Continuously monitoring network activity can help identify any unusual or
suspicious behaviour that might signal a security breach.

Types of VPNs

There are various VPN solutions designed for specific uses; and requirements:

1. Remote Access VPN: Allowing users to securely connect with private networks remotely is
often employed by corporate employees in order to securely access their company network
from home or while travelling.
2. Site-to-Site VPN, also referred to as Router to Router VPN, allows for seamless
communication between networks located at different offices by securely linking their networks
together.
3. IPsec (Internet Protocol Security) VPN: This protocol suite is used to secure Internet
Protocol (IP) communications by authenticating and encrypting each IP packet in a
communication session.
4. SSL (Secure Socket Layer) VPN: Provides access to web applications from different
locations and types of devices securely while only giving access to specific resources on a
network (rather than all).

Understanding VPNs and secure remote access tools in this digital era where much work can
be completed remotely is vitally important to cybersecurity professionals.

They allow us to keep networks secure even if users are distributed across disparate locations -
remembering that security goes beyond technology alone: trust is what keeps networks
functioning well!

SYSTEM SECURITY

This topic is intended to introduce you to system security.

Topics to Be Covered:
 Operating system security principles.
 Secure configuration and hardening of OS
 User and account management.
 Patch Management and vulnerability assessment.

 Operating System Security Principles

What is Operating System Security?

Operating system security (OSS) refers to measures and controls implemented within an OS
in order to shield itself against threats and attacks from within and without.

16
An OS controls access to hardware resources as well as providing functionalities; as such its
protection must remain paramount as attackers may target it as potential points of attack.

Principle 1: Principle of Least privilege

PoLP stipulates that users should only have access to what is absolutely necessary in order to
complete their job functions effectively and this applies across users, applications, systems and
processes alike. Should an attacker gain entry, PoLP limits their potential damage.

Principle 2: Principle of Defence in Depth

Defence in Depth refers to using multiple security measures to defend one asset; that way if one
measure fails, others remain intact - for instance a strong OS security strategy could include
firewalls, antivirus software and regular system updates.

Principle 3: Fail safe – stance

The fail-safe stance principle stipulates that should any system or function fail in an unsafe way,
its failure should occur in such a way as to minimise possible harm or disruption - for instance if
verification function failure were to occur and requests weren't denied by system instead of
approved, as per this theory.

Principle 4: Separation of Duties

Separation of duties (SoD) is a concept that helps prevent fraud and error. This principle asserts
that a task typically engaged in fraud should be broken into separate steps, each requiring
different individuals. In an OS, key system administrative tasks can be distributed among
multiple roles to prevent misuse.

Principle 5: Security by Design

Security by design refers to incorporating security protocols and tools into an OS during its
design phase instead of trying to add them post-buildup. Building security from day one often
proves easier and more effective.

Security Mechanisms in Operating Systems

 Authentication: Identify verification is the process of authenticating users, processes or

devices on an operating system, typically through username and password authentication;
more advanced systems might also use biometric information or security tokens as methods
of confirmation.
 Access Control: An access control mechanism within an OS is designed to regulate access
to certain resources within it by following certain rules that determine who or what can
access which resources.

17
 Encryption: Encryption can protect information stored within an OS as well as data being
transmitted into or out of it.
 Audit and Logging: Monitoring system activities is important in detecting any irregular or
suspicious activities on an operating system (OS), from user log-in/out sessions and file
access events to special notifications such as suspicious email communications. OS keeps
logs of these and many more activities for your review.

Operating system security is at the core of overall cybersecurity, making up one of its three
pillars. Understanding its principles is vital in creating and maintaining secure systems; next
we'll delve deeper into specific ways we can secure different operating systems like Windows,
Linux and MacOS.

Remember, any system is only as safe as its weakest link; even minor breaches in OS security
could give cybercriminals an entryway into your OS and provide opportunities for attacks.
Therefore, always remain alert and strive to learn.

 Secure Configuration and Hardening of OS

Hardening of an operating system comes into play after installation as many features which,
although useful, could create potential vulnerabilities if left unsecured. Hardening provides one
way of protecting these features against being misused.

What is OS Hardening?

OS hardening is the process of securing an operating system by reducing its surface of

vulnerability. This is achieved by configuring the OS securely, turning off unnecessary services,
deleting unused accounts, keeping the system updated, and applying the necessary security
patches.

Secure Configuration

Step one in hardening an OS is configuring it securely. While the exact process varies based on
which OS is being used, here are some general steps:
1. Removing Unused Software and Services: Every program and service running on an OS
represents an entry point for an attacker; to lower this risk, any unnecessary programs and
services should be removed to lower the risk.

18
2. Managing User Accounts: Be certain all default passwords have been changed with strong,
unique ones that limit administrative privileges to only as many accounts.
3. Install Firewalls and Intrusion Detection Systems: These essential security tools help
keep threats away.

Hardening Techniques

Here are some standard techniques used in hardening an OS:

 Regularly applying updates and patches is one of the simplest and most effective ways to
secure an OS. These updates often contain fixes for known vulnerabilities.
 Operates on the principle of least privilege (PoLP), giving users and processes the minimum
levels of access they need to accomplish their tasks.
 Implement security policies like password complexity requirements, account lockouts for
repeated failed login attempts, and regular password changes.
 Regular system monitoring helps identify potential security threats.

OS-Specific Hardening

Different operating systems have different security needs and vulnerabilities. Here's a brief
overview for the three most common OS:

 Windows: Take advantage of features like Windows Defender Firewall and BitLocker drive
encryption to safeguard against security misconfigurations, while regularly using Windows
Update and the Microsoft Baseline Security Analyzer as updates become available.
 MacOS: Use the built-in firewall and FileVault drive encryption. Regularly update the system
through the App Store, and consider using the built-in Malware Removal Tool.
 Linux: Depending on the distribution, various tools and techniques may be utilised for
security. Common examples are firewall software such as iptables or additional access
control offered through SELinux; package managers often offer regular updates of software
packages as well.

Hardening an OS is an integral step towards protecting it against potential attacks and can
dramatically decrease its attack surface and protect from threats. Security should always remain
top of mind as threats emerge - constant vigilance must be applied in order to stay ahead of
threats.

 User and Account Management

What is User Management?

User and account management involves creating, controlling, and monitoring system user
profiles.
It includes managing authentication methods, assigning and revising user privileges, monitoring
user activities, and deactivating inactive or unnecessary accounts.

19
Why is User and Account Management Important?

Effective user and account management:

1. Prevents Unauthorised Access: By ensuring only authorised individuals can access your
systems, you can prevent potential security breaches.
2. Minimising Risk: By applying the Principle of Least Privilege (PoLP), only giving users the
access they need you can reduce the risk of internal security incidents.
3. Ensures Accountability: By making sure each user has a unique ID, you can trace actions
back to the individual who performed them. This promotes responsibility and deters misuse.

Key Aspects of User and Account Management

1. User Registration: This involves creating user accounts, usually with a unique username
and password. Additional identification methods, like two-factor authentication, can be
employed.
2. Privilege Assignment: Assign users the minimum privileges they need to perform their
duties. Avoid giving administrative privileges unless necessary.
3. Account Monitoring: Keep track of user activities and watch for unusual behaviour, such as
repeated login failures, which might indicate a security threat.
4. Account Deactivation or Deletion: Unused accounts belonging to former employees should
be immediately deactivated or deleted so as to prevent misuse and any potential breaches in
security.
5. Password Management: Enforce strong password policies. This may include minimum
password lengths, complexity requirements, and regular password changes.

Best Practices for User and Account Management

 Follow the Principle of Least Privilege: Assign users only the privileges they need.
 Enforce Strong Password Policies: Require complex, unique passwords and regular
password changes.
 Use Two-Factor Authentication (2FA): 2FA greatly increases account security by requiring
a second form of identification.
 Regularly Review Accounts and Privileges: Regularly check for outdated or excessive
privileges and inactive accounts.
 Train Users: Educate users about secure behaviour, such as not sharing passwords,
recognizing phishing attempts, and reporting suspected security incidents.

User and account administration is essential in developing an effective cybersecurity plan. By

carefully controlling access to your systems, user and account administration allows you to
greatly decrease both internal and external security incidents.

 Patch Management and Vulnerability Assessment

20
What is Patch Management?

Patch management refers to the practice of disseminating and applying updates, or patches, to
software applications and technologies.
Patches serve various functions ranging from fixing software bugs and improving functionality to
eliminating security vulnerabilities that pose threats against our organisation.

Why is Patch Management Important?

Maintaining an effective patch management process is vitally important, for various reasons:

1. Reducing Vulnerabilities: Patches often resolve known security vulnerabilities that could
otherwise be exploited by cybercriminals.
2. Maintaining Compliance: Many regulatory standards require that software be kept up-to-
date.
3. Improving Functionality: Patches often also include enhancements and new features that
can improve productivity and the user experience.

What is Vulnerability Assessment?

Vulnerability assessment refers to identifying, quantifying and prioritising (or ranking)

vulnerabilities within an organisational system in order to provide them with all of the knowledge
needed to address and mitigate risks more proactively.

Why is Vulnerability Assessment Important?

1. Identification of Weaknesses: Vulnerability Assessments help uncover vulnerabilities within

your systems before they can be exploited by attackers.
2. Prioritising Resources: By ranking vulnerabilities based on severity, assessments help
organisations prioritise their remediation efforts.
3. Maintaining Compliance: Regular vulnerability assessments can be a requirement of
regulatory compliance standards.

Understanding and following best practices for patch management and vulnerability
assessments will significantly lower cybersecurity risks for businesses of all types and sizes.
Staying secure shouldn't be treated like a one-time task but as part of an ongoing journey.

OS Updates

These are major or regular improvements to an operating system (like Windows, Android, Linux,
macOS).
They usually include:

21
  New features
 Performance improvements
 User interface changes
 Bug fixes
 Security enhancements
Examples:
 Updating from Windows 10 to Windows 11
 A big Android system update (e.g., Android 13 → 14)

OS updates can be large and sometimes change how the system looks or works.

OS Patches

Patches are small, targeted fixes released to correct specific problems.

They usually fix:

 Security vulnerabilities (very important �)
 Software bugs or errors
 Stability issues
 Compatibility problems
Examples:
 Monthly Windows security patches
 Android security patch updates
 Linux kernel security patches
Patches are smaller, faster to install, and focus on fixing problems rather than adding new
features.

Patch Management - Best Practices

 Keep a comprehensive inventory of all systems and applications which require patching.
 Prioritise patches based on the severity of the vulnerabilities they resolve.
 Test patches in a controlled environment before deployment to ensure they don't
introduce new problems.
 Schedule patching during off-peak hours to minimise disruption.
 Automate the patch management process as much as possible to ensure patches are
applied promptly and consistently.

Vulnerability Assessment Best Practices

 Conduct vulnerability scans regularly, not just once.

 Use automated tools to help identify known vulnerabilities.
 After a vulnerability assessment, act promptly to address identified vulnerabilities.
 Include hardware, software, and human factors in your vulnerability assessments.

22
  Vulnerability assessment should not be seen as a one-off event but as part of your
cybersecurity plan's long-term implementation strategy.

Lesson Summary

1. Cybersecurity refers to the practice of safeguarding computer systems, networks, and

digital information from any unwarranted access, use, disclosure, disruption, or destruction.
At present, cybersecurity holds enormous value.
2. Understanding cybersecurity fundamentals is the first step toward protecting yourself or
your business against potential cyber threats.
3. One of the key functions of cybersecurity is protecting sensitive data - be it personal details
of individuals, intellectual property of businesses, or classified government files.
4. As we progress into a digital society, cybersecurity will remain at the centre of discussions.
5. An attack vector is any route through which an attacker gains unauthorised entry to a
computer or network with malicious intentions and delivers their payload or payoff.
6. Network security refers to practices and policies implemented to detect, deter and monitor
any unlawful access, misuse, modification, or denial of computer networks and related
resources in an effort to safeguard infrastructure as well as data.
7. Network security is crucial in today's interconnected world to protect sensitive data and
prevent disruptions to service.
8. Network security entails multiple layers of defences at both the edge and in the network,
each layer implementing policies and controls designed to allow only authorised users
access to network resources while keeping malicious actors away.
9. Network protocols are rules designed to facilitate data communication among computers
and devices in a network, and to facilitate its data packet delivery smoothly from source to
destination.
10. Understanding network protocols and their vulnerabilities forms a critical part of network
security.
11. An Intrusion Detection System (IDS) monitors network traffic for any suspicious activities
that could indicate potential intrusion attempts and sends alerts when such activity is
spotted.
12. Understanding VPNs and secure remote access tools in this digital era where much work
can be completed remotely is vitally important to cybersecurity professionals.
13. Operating system security (OSS) refers to measures and controls implemented within an OS
in order to shield itself against threats and attacks from within and without.
14. Operating system security is at the core of overall cybersecurity, making up one of its three
pillars.
15. Hardening an OS is an integral step towards protecting it against potential attacks and can
dramatically decrease its attack surface and protect it from threats.
16. User and account administration is essential in developing an effective cybersecurity plan.
17. Understanding and following best practices for patch management and vulnerability
assessments will significantly lower cybersecurity risks for businesses of all types and sizes.

23
 MODULE 2

Learning Outcomes

Having completed this module you will be able to:

 Define cryptography and list the components of cryptography.

 Discuss public key infrastructure and digital certificates.
 Explain how to secure email and file encryption.
 Recognise common vulnerabilities in web applications.
 Explain web application security frameworks and best practices.
 State the various secure coding principles.
 Describe web application penetration testing.
 Outline the typical stages involved in web application penetration testing.
 Identify the security issues surrounding iOS and Android mobile operating systems.
 Discuss mobile app security and secure development practices.

CRYPTOGRAPHY

This topic is intended to introduce you to cryptography.

24
Topics to Be Covered:

1. Introduction to Cryptography and encryption algorithms.

2. Public key infrastructure (PKI) and digital certificates.
3. Cryptographic protocols.
4. Secure email and file encryption.

Intro to Cryptography and Encryption Algorithms

What is Cryptography?

Cryptography refers to the practice and study of techniques for secure communication when
confronted by adversaries.

Cryptography involves creating written or generated codes which protect information in secret -
used for protecting emails, credit card info, corporate files and more.

Components of Cryptography

Cryptography primarily consists of three components:

1. Encryption: This is the process of converting plaintext into ciphertext (unreadable format) to
hide its actual meaning.
2. Decryption: Decryption refers to the process of turning encrypted text back into plaintext
format.
3. Cryptanalysis: This is the study of analysing and deciphering encrypted data without having
prior knowledge of the algorithm or the key used in the encryption.

25
Types of Cryptographic Algorithm

Cryptography involves various algorithms to perform the encryption and decryption processes.

The main types include:

Symmetric-Key cryptography

With this approach, both sender and recipient share one secret key used to encrypt and decrypt
their message, keeping their identities hidden from third parties.

A widely known example is Data Encryption Standard as well as its upgraded variant AES which
use this technique.

Asymmetric-Key cryptography

More commonly referred to as public key cryptography, this approach utilises two keys - one
public and the other private.

A sender uses their recipient's public key for encryption while their private key decrypts it; an
algorithm such as Rivest-Shamir-Adleman can often be seen being utilised within this form.

Hash Functions

Hash functions offer another alternative to encryption techniques that doesn't involve keys -
instead generating a fixed length hash value from plaintext that makes retrieving its original
message nearly impossible. MD5 and SHA-1 are two commonly-used hash functions.

Key Terms in Cryptography

 Cipher: An algorithm designed for performing encryption or decryption.

 Key: Information used by the cipher that only knows by the sender and recipient in order to
encrypt and decrypt messages.
 Plaintext: The original, readable message.
 Ciphertext: The encrypted message which is not readable or understandable until it is
decrypted.
Cryptography plays an integral part of modern data protection systems. While cryptography
studies can be complex, they play an essential part in cybersecurity education and must be
included as such in all student curriculums.

Public Key Infrastructure and Digital Certificates

What is Public Key Infrastructure (PKI)?

26
PKI refers to a set of roles, policies, hardware, software and procedures needed for creating,
managing, distributing, using, storing and revoking digital certificates.

Asymmetric cryptography relies on two keys for encryption and decryption - public for public key
encryption while private for decryption.

PKI provides a framework that facilitates functions like digital signature, encryption and
authentication - essential capabilities that verify data integrity and source, providing secure
transactions and communications online.

Key Components of PKI:

 Digital Certificates: These are electronic 'passwords' that allow a party receiving certain
information to decode content encrypted by the party who originally sent the info.
 Certificate Authorities (CAs): Certificate Authorities provide trusted third-party digital
certificates by verifying identity and associating cryptographic keys to users who apply for
them.
 Certificate Store: This is a storage space for digital certificates.
 Key Pair (Public and Private Keys): These mathematically related keys must remain
secret, while their public counterpart can be freely made accessible for anyone to use.

What are Digital Certificates?

Digital certificates are electronic documents created using digital signature technology to link a
public key with its identity, providing proof that an individual owns them.

Under most PKI schemes, a certificate authority (CA), often an organisation charged by
customers to issue them certificates, is the issuer of certificates for them.

Digital Certificates typically contain:

 Owner's public key

 Owner's name
 Expiration date of the public key
 Name of the issuer
 Serial number of the Digital Certificate
 Digital signature of the issuer

Applications of PKI and Digital Certificates

1. Secure Email: PKI is used to secure email communication, providing assurance that the
message came from a known sender and that it wasn’t tampered with.

27
2. Secure Network Access: PKI provides secure remote access to global information over
untrusted networks.
3. Document Signing: Digital signatures use PKI technology to secure and authenticate the
data.
Public Key Infrastructure and digital certificates play an vital role in secure online
communication and transactions, enabling verification of authenticity and integrity for data sent
over networks, thus becoming essential components of modern cybersecurity solutions.

Cryptographic Protocols

Now we will discuss cryptographic protocols like TLS/SSL and IPsec that facilitate secure
communications over networks - fundamental elements in maintaining online security.

What are cryptographic protocols?

Cryptographic protocols, or security protocols, use cryptography to secure electronic

communications over networks.

Such cryptographic protocols often offer key agreement, entity authentication, data integrity
protection, confidentiality guarantees and non-repudiation to their clients.

TLS and it's predecessor, SSL

Transport Layer Security, like its predecessor Secure Sockets Layer, are cryptographic
protocols designed to provide communications security on computer networks. Websites use
TLS in order to encrypt all communication between their server and web browsers and users of
their site. Here's an outline of it function:

 Hello: The client and server establish a connection, and the client proposes encryption
options.
 The server chooses the highest level of encryption both can manage and sends the
client its public key certificate.
 Clients compare a server certificate against its list of trusted CAs; if a match exists, they
generate a symmetric session key, encrypt it using its public key and send it back.
 A server decrypts its session key with its private key and sends back an
acknowledgment encrypted with this session key to initiate an encrypted session.

Internet Protocol Security (IPsec)

IPsec is a set of protocols used together to establish secure connections between devices.

IPsec can help create authenticated and confidential IPv4 and IPv6 packets through
authentication between agents before each session begins and negotiation of cryptographic
keys used during sessions.

28
IPsec can be used in two modes:

1. Transport Mode: IPsec's Transport Mode protects transport-layer protocols by only

encrypting/authenticating its payload (your data) of an IP packet.

2. Tunnel Mode: IPsec tunnel mode provides an IP packet encapsulation mechanism

designed to protect packets routed between networks. In tunnel mode, entire IP packets are
encrypted or authenticated before being wrapped back up into new IP packets with unique
headers and then sent on their journeys.
TLS/SSL and IPsec are foundational to the secure operation of internet communications. They
protect sensitive information from interception and tampering, ensuring that our online
transactions and communications are confidential and authentic.

Secure Email and File Encryption

Secure Email

Secure email involves encrypting an email and its attachments for delivery only to its intended
recipients, using encryption keys that only they possess can unlock it back to its original form.

Essentially, secure emails turn plaintext emails into unintelligible scrambled ciphertext that only
people possessing said encryption key can reverse back into plaintext form.

There are several methods to secure email:

1. Transport Layer Security(TLS)

TLS secures communication between mail servers and clients by encrypting connections
while in transit, protecting email while on its way - yet may remain vulnerable at rest on
servers or recipients devices.
2. Pretty good privacy(PGP) and GNU privacy Guard(GPG)
Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) both employ end-to-end
encryption that secures email messages sent out until decrypted by their intended
recipients. The senders use public keys of recipients while recipients decrypt them using
private keys corresponding to themselves.
3. Secure/ Internet multipurpose Internet Mail Extensions(S-M IME)
S/MIME has become part of most modern email software and uses a central authority to
select certificate recipients, providing users with more robust encryption and digital
signing than just SSL/TLS can offer. It enables email encryptors and users to digitally
sign their emails providing users with added layers of protection than just SSL/TLS
provides.

File Encryption

29
File encryption is a security measure in which individual files or folders can be encrypted by
either their users or system administrators to safeguard sensitive information from being
exposed unknowingly to third-parties.
Encryption encases it all within an encrypted structure preventing unwarranted access by
anyone not authorised.

Two main types of file encryption exist:

1. Symmetric encryption: This type employs symmetric keying for file encryption and
decryption, providing quicker encryption with more security in its distribution of keys.
While faster, however, safe distribution remains key.
2. Asymmetric Encryption: Also referred to as public-key encryption, this approach
employs two keys: one public and one private when creating encryptions with public
keys; only corresponding private keys can decrypt them back. As with asymmetric
encryptions, however, this process tends to be more secure due to its complexity; yet
may take more time in terms of speed and convenience.

Common file encryption methods include using file archiving programs like 7-Zip or WinZip that
offer password protection and file encryption capabilities, while many operating systems also
include built-in file protection features like Windows' BitLocker or macOS' FileVault for
convenient file protection.

As technology becomes ever more pervasive, security of email communications and files
becomes ever more crucial in today's increasingly digital environment. Learning how to protect
this sensitive data through encryption techniques such as emails or files is vital in maintaining
cybersecurity.

Web applications

Web applications (often called web apps) are software programs that run in a web browser
instead of being installed directly on your computer or phone.

In simple terms:
If you open it using the internet and a browser (Chrome, Firefox, Edge, etc.), it’s a web
application.

How web applications work

 You access them through a URL (website link)

 They run on a server on the internet
 Your browser acts as the interface (no installation needed in most cases)

Common examples

 Gmail – sending and receiving emails

30
  WhatsApp Web – chatting via a browser
 Facebook / X (Twitter) – social networking
 Google Docs – creating and editing documents online
 Online banking portals – checking balances, transfers

Key features of web applications

 Internet-based (usually need internet)

 Cross-platform (work on phone, tablet, or PC)
 Easy updates (updates happen on the server, not your device)
 User accounts & security (logins, passwords, permissions)
 Interactive (forms, chats, uploads, downloads)

Web application vs website

Website Web Application

Mostly informational Interactive & functional
Read-only content Users input & process data
Example: news site Example: online banking

Technologies used to build web apps

Front-end: HTML, CSS, JavaScript

Back-end: PHP, Python, Java, [Link]
Database: MySQL, PostgreSQL, MongoDB
Web Application Security

This topic is intended to introduce you to Web Application Security.

Topics to be covered
 Common vulnerabilities in web applications.
 Web application security frameworks and best practices.
 Secure coding principles.
 Web application penetration testing.

31
Common Vulnerabilities in Web Applications

Web application vulnerabilities are security weaknesses or flaws in an internet-facing application

that an attacker could exploit to compromise it and gain entry to steal information or engage in
other illegal acts, including poor input validation, incorrect configuration settings or outdated
components among many other sources of vulnerability.

SQL injection (SQLi)

SQL Injection is an attack method utilised by malicious actors to exploit weaknesses within a
web application's database layer.

The technique involves injecting SQL statements that execute, providing attackers access to
view, modify or delete records within their target database.
An example of SQLi would be entering "' OR '1'='1" into a login field without using proper
filtering capabilities; otherwise, this can fool an application into providing access without valid
username and password credentials.
Cross site scripting

Cross-Site Scripting attacks take place when an attacker exploits web apps as an entryway to
deliver malicious scripts to other users without bypassing access controls and gaining entry to
sensitive data. There are three primary forms of Cross-Site Scripting attacks:

1. Stored XSS: The malicious script is permanently stored on the target servers.
2. Reflected XSS: The malicious script is embedded in a URL and reflected off the web server.
3. DOM-Based Cross Site Scripting: This vulnerabilities present in client-side code rather than
server-side [Link]-Site Request Forgery

Cross site request forgery

32
CSRF attacks aim at tricking victims into making malicious requests by persuasion or
persuasion of some sort, typically by loading up pages with such requests on them and tricking
the victims into clicking them in order to submit malicious requests on their behalf.

They act maliciously by taking on their identity and privileges for unintended functions on behalf
of those being victimised by them.

Security Misconfiguration

Security misconfigurations can occur at any level of an application stack, including the network
services, platform, web server, application server, database, and framework.

Common examples include unnecessary open ports, default account credentials, or verbose
error messages containing sensitive information.

Web Application Security Frameworks

A strong understanding of web application security frameworks is fundamental to protecting

your web applications from various security threats.

Web Application Security Frameworks

A web application security framework is a structure designed to promote the structured
development and deployment of secure web applications. Examples of such frameworks
include:

 OWASP (Open Web Application Security Project) Top Ten: This is a powerful
awareness document for web application security, representing a broad consensus about
the most critical security risks to web applications. The OWASP Top Ten includes risks like
Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), and
more.
 Spring Security: This is a powerful, highly customizable authentication and access control
framework for Java applications. It's a de-facto standard for securing Spring-based
applications.

33
 Django Security Framework: Django offers an impressively robust framework for web
application security, featuring built-in mechanisms such as CSRF protection, Clickjacking
Prevention, SQL Injection Defences and more.

Web Application Security Best Practices

Adopting security best practices can dramatically lower the number of vulnerabilities present in
your web application and minimizes any resulting potential damages. Here are a few such
practices:
 Validate input strictly for length, range, format, and type. Avoid any known unsafe characters
or inputs.
 Always use HTTPS instead of HTTP to protect page authenticity, secure ongoing
communication, and keep user data safe.
 Implement a Content Security Policy (CSP): CSP is a simple method to reduce XSS risks on
modern browsers by declaring which dynamic resources are allowed to load.
 Use strong hash functions to store password (bcrypt, scrypt) and enforce password
complexity that may deter password cracking attempts.
 Maintaining an updated system and software is important in protecting a web app's security,
including updating server operating systems, databases, frameworks and libraries used by
your applications.
 Following the principle of least privilege is key in protecting data. Each module (process,
user or program depending on subject matter) should only access those resources essential
for fulfilling its legitimate function.

Web application security should never be treated as an afterthought; rather, it must become part
of your development life cycle and follow best practices when choosing security frameworks to
use. Doing this will guarantee your applications remain as safe as possible.

Secure Coding Principles

Secure coding is vital because even minor miscalculations can lead to serious security
vulnerabilities, so adhering to its principles can help developers circumvent many such
problems.

34
1. Minimize surface attack area

Every feature and functionality in your code can potentially be exploited. Therefore, minimise
your application's attack surface by limiting the number of features, reducing code complexity,
and compartmentalising your application.

2. Principle of Least previlege

2/1/26, 11:27 - kakande: This principle holds that an individual or program should only need the
bare minimum privileges necessary to perform its function, for example if writing access is
unnecessary for its function a function should only require read access, thus restricting
attackers.

3. Defence in Depth

Defence in depth, or layered security, is a principle where you use multiple layers of security
controls to protect your application. For instance, you could have an IDS (Intrusion Detection
System) as well as a firewall to protect your network.

4. Fail securely

How your application handles errors can greatly influence its overall security. For example, if a
function fails, it shouldn't offer more access than when it was working correctly. Additionally,
error messages should not disclose sensitive information that could aid an attacker.

5. Do not trust user input

Even if an input seems harmless, always validate it. This includes not only form data entered by
users, but also query parameters, HTTP headers, cookies, and any other input to your
application.

6. Implement secure defaults

35
Security should always be the default setting, since having to choose between secure and
insecure modes may lead users to accidentally select one over the other. Therefore, secure
settings should always be the default choice.

7. Keep security simple

Aiming for simplicity in design will aid your application's security, since complex architectures
and code bases require greater upkeep while having higher chances of harbouring
vulnerabilities.

8. Encrypt sensitive data

Sensitive data such as user passwords or personal details should always be encrypted when
stored at rest and/or transmitted, including data at rest and transit. This applies both when
stored locally on computers as well as when transmitted between servers and clients.

9. Use security features of your frameworks and platforms

Most platforms and frameworks come equipped with built-in security features like encryption
and input validation that should always be taken advantage of rather than trying to implement
your own.

10. Perform regular updates and patching

In conclusion, by adhering to these secure coding principles, you can significantly enhance the
security of your applications.

Web Application Penetration Testing

Web Application Penetration Testing is an analytical method of testing the security of a web app
by simulating attacks from external sources, usually hackers or intruders. WAP testing typically
includes reviewing various components such as URLs, user input fields and pages in an app in
search for vulnerabilities that attackers could exploit to breach its defences and gain entry.

36
Here are the typical stages involved in web application penetration testing:

Stage 1: Planning and Reconnaissance

At this stage, the first step should be defining the scope and objectives for testing.
Reconnaissance involves gathering preliminary intelligence about your target, such as its
domain name, IP address or network setup.

Stage 2: Scanning

Next comes scanning of your web application with automated tools (like OWASP ZAP, Nessus
or Burp Suite ) in order to discover potential vulnerabilities and weaknesses - this phase
includes both static and dynamic analysis.

Stage 3: Gaining Access

This phase involves web application attack vectors like SQL Injection, Cross Site Scripting and
Cross Site Request Forgery in order to exploit vulnerabilities discovered during scanning;
potentially gaining access to data, functionalities or systems underlying them.

Stage 4: Maintaining Access

Here, the goal is to test whether vulnerability can be used to gain persistent entry to an
exploited system and achieve long-term presence that allows malicious actors access to in-
depth data, often by increasing privileges, collecting internal information or intercepting traffic
etc.

Stage 5: Analysis and Reporting

The results of the penetration test are then compiled into a report detailing:
 What was tested
 What vulnerabilities were identified
 The severity of each vulnerability
 Recommendations for mitigation strategies

37
Stage 6: Clean-Up

The final step involves removing any payloads, scripts, or other modifications made by the
tester and restoring the system to its pre-test state.

Common Tools Used for Penetration Testing

1. OWASP ZAP: Zed Attack Proxy (ZAP) is a free and open-source web application security
scanner. During development and testing stages it can identify vulnerabilities in web apps to
provide valuable security monitoring data to developers and testers alike.
2. Burp Suite: Burp Suite is a useful platform for performing security testing of web
applications. Its various tools work seamlessly together to support the entire testing process.
3. Nmap (Network Mapper): Nmap is an open-source network discovery and security auditing
tool available free to everyone, which allows it to detect hosts and services across an entire
computer network and generates an image or "map" of said network.

Remember, penetration testing of web applications should only ever be undertaken with
express authorization from relevant parties; unauthorised testing could constitute illegal
conduct.

Mobile Security

This topic is intended to introduce you to Mobile Security.

Topics to Be Covered:
 Overview of mobile security challenges.
 Mobile operating system security (iOS, Android).
 Mobile app security and secure development practices.
 Mobile device management and BYOD Policies

38
Overview of Mobile Security Challenges

 Lost or Stolen Devices: Physical security for mobile devices is of great concern since
losing or stealing them exposes all stored data - including personal and/or company files
that contain sensitive personal or corporate data.
 Malicious Apps: Malware is a substantial mobile security threat. Malicious apps may
appear legitimate or even be functional, but they carry harmful payloads that can steal data,
send spam messages, or ransom your data.
 App Vulnerabilities: Even legitimate apps may present risks if they contain security
vulnerabilities which can be exploited to gain unwarranted access to sensitive data or
execute malicious code.
 Unsecured Networks: Mobile devices frequently connect to public Wi-Fi networks that may
not be secure; attackers could exploit these connections to collect sensitive data or
distribute malware.
 Phishing Attacks: Phishing attacks, also known as Smishing attacks, involve sending SMS
text messages (also referred to as Smishing), emails or even malicious websites with the
purpose of duping users into divulging sensitive data such as login IDs and passwords.
 Insufficient User Knowledge: Mobile device users often lack knowledge regarding
potential security risks and ways to mitigate them, leading to risky behaviour like clicking
suspicious links or installing untrustworthy applications on their phones.
 System Updates: Mobile devices frequently receive operating system and application
updates that fix security vulnerabilities. However, not all users promptly install these
updates, leaving their devices exposed to known vulnerabilities.
 Data Leakage: Data leakage can happen through various channels on mobile devices,
including apps that require broad permissions, cloud-based backups, or even through the
device's physical ports.

39
IoT devices (Internet of Things devices)
These are physical objects that connect to the internet and can collect, send, or receive data—
often automatically, without you doing much.
Think of them as ―smart‖ everyday things
Simple definition
IoT devices = devices with sensors + software + internet connectivity
They sense something, send data, and sometimes act on it.
Common examples (very relatable)
Home
Smart bulbs, Smart TVs, Smart plugs, Smart door locks, CCTV cameras (IP cameras),
Wearables, Smartwatches, Fitness bands (steps, heart rate)
Transport
GPS vehicle trackers, Smart fuel sensors
Agriculture (big in Uganda)
Soil moisture sensors, Smart irrigation systems, Livestock tracking tags
Business & Industry
Smart meters (electricity, water), Temperature sensors in fridges, Asset tracking devices
How IoT devices work (easy flow)
 Sensor collects data (temperature, motion, location, etc.)
 Internet connection (Wi-Fi, mobile data, Bluetooth)
 Cloud/server stores & analyzes data
 App or dashboard shows info or triggers action
Example:
A smart camera detects motion → sends alert to your phone �
Why IoT devices are useful
 Remote monitoring
 Automation (less manual work)
 Saves time and cost
 Improves security & efficiency

40
Challenges / risks
 Security risks if poorly protected
 Needs internet & power
 Privacy concerns

Mobile Operating System Security (iOS, Android)

We will explore the security issues surrounding iOS and Android mobile operating systems.

iOS Security

iOS, the proprietary mobile operating system designed by Apple. It is widely renowned for its
secure architecture and feature set.

 Secure Boot Process: Every time an iOS device boots, its secure boot process checks that
each component loaded has been cryptographically signed by Apple to guarantee that no
outside interference has taken place in its programming and that only approved Apple code
runs on it.
 Data Encryption: iOS employs AES-256 encryption to safeguard information stored on its
devices and provides additional encryption protections for sensitive material like passwords
and biometric information.
 App Sandbox: Each app runs within its own "sandbox", or restricted environment that
isolates it from other programs and user data. Apps need explicit user consent in order to
access data outside their sandboxes.
 App Review Process: Every app and update submitted to Apple App Store undergoes an
in-depth review process before being approved, in order to make sure they're reliable, meet
expectations, and contain no offensive material.

Android Security

Android, developed by Google, is an open-source mobile operating system. It offers various

security features, including:

41
 Google Play Protect: With over three billion apps currently in Google Play, this technology
scans apps before their download to check for malware or security risks before users decide
if they want them.
 Sandboxing: Like iOS, Android employs sandboxing to protect individual apps and user
data from each other and the operating system.
 User-Based Permission Model: Android apps must obtain permission from their users
before accessing sensitive system capabilities and data.
 Full Disk Encryption: Starting with Android 6.0, full disk encryption encrypts user data on
devices and makes it unusable without access to an appropriate decryption key.
 Secure Boot: Android devices which support secure boot ensure the initial piece of
software to load when turning on their devices is unmodified and protected against potential
attacks, known as the boot loader.
Although both iOS and Android provide strong security features, no system can guarantee
100% protection. Therefore, users should remain cautious by staying away from suspicious
links or downloads; keeping operating systems and applications updated; as well as employing
mobile security applications to stay protected.
Mobile App Security/Secure Development Practices

Mobile App Security Risks

Mobile apps can pose various security risks, including:
1. Insecure Data Storage: Insecure data storage occurs when files or information stored on
devices is made accessible by apps and users that could allow unauthorised access or lead to
leakage of private information. Such cases could lead to data breaches and leakage.
2. Poor Authentication/Authorization: Weak authentication mechanisms can enable attackers
to gain unauthorised entry to user accounts and cause potential havoc with accounts belonging
to various people.
3. Insecure Communication: Without proper encryption, data transmitted over the network can
be intercepted by attackers.
4. Inadequate Cryptography: Even when encryption is used, weak keys, deprecated
algorithms, or incorrect implementation can render the encryption ineffective.
5. Unintended Data Leakage: This occurs when sensitive user information is shared without
sufficient safeguards in place or their consent.

Secure Development Practices

42
Here are some best practices for secure mobile app development:
 Secure the Code: Mobile app code should be written securely to resist reverse engineering
and tampering. Techniques include code obfuscation and minification.
 Secure Data Storage: Use secure containers for data storage. Sensitive data should be
encrypted using strong encryption algorithms.
 Implement Strong Authentication/Authorization: Multi-factor authentication (MFA) is a
must for sensitive applications. OAuth is a popular authorization protocol used by many
mobile applications.
 Use Secure Communication: Always use secure and encrypted connections to transfer
data. HTTPS with TLS should be used for all network communications.
 Perform Security Testing: Just like functionality testing, security testing should be a part of
the software development lifecycle (SDLC). Use tools like OWASP ZAP for dynamic
analysis and Fortify for static analysis.
 Use the Principle of Least Privilege: Apps should only request the minimum permissions
necessary for them to function. This limits the potential damage from a compromise.
 Regularly Update and Patch Your Apps: Developers should regularly update their
applications to fix security vulnerabilities and protect against the latest threats.

Mobile Device Management and BYOD Policies

Now we will delve deeper into Mobile Device Management (MDM) and Bring Your Own Device
policies; both concepts play a pivotal role in protecting corporate data on mobile devices.
Mobile Device Management (MDM)
MDM refers to the administration of mobile devices within an enterprise environment -
smartphones, tablet computers, laptops and desktop computers.

MDM solutions aim to increase security while simultaneously decreasing costs and supporting
efforts while supporting efforts and saving on resources. Key features of MDM solutions may
include:
1. Device Inventory and Tracking: MDM solutions provide a centralised way to track all
devices, their status, and information like device model, OS version, etc.
2. Policy Management: MDM allows for the creation and enforcement of security policies like
requiring screen locks or preventing the installation of non-approved apps.

43
3. Remote Wipe: In case a device is lost or stolen, an MDM solution can remotely wipe the
device to protect sensitive data.
4. Software Distribution: MDM solutions can push updates and software installations to
devices remotely, ensuring that all devices are running the latest and most secure software
versions.

Bring Your Own Device (BYOD) Policies

BYOD refers to the policy of permitting employees to utilise personal devices for work purposes.
While BYOD can boost employee satisfaction and lower hardware costs, its implementation
presents unique security issues that must be considered carefully before moving ahead with
such plans. Here are some best practices for successfully instituting such policies:

 Convey Clear Policies: Outline what devices and support will be allowed as well as what
data may be accessed or stored on personal devices.
 Implement Strong Authentication: Require strong passwords and, where possible, multi-
factor authentication on all devices that will access corporate data.
 Secure Data Transmission: Ensure that data is encrypted when transmitted between the
device and corporate servers.
 Regular Audits: Regularly review and audit BYOD devices to ensure compliance with
security policies.
 Employee Education: Train employees on the risks and responsibilities associated with
using their personal devices for work.
 Use MDM Solutions: Use MDM solutions to manage devices and enforce security policies.
 Plan for Device Loss or Employee Departure: Have a plan in place for removing corporate
data when a device is lost, stolen, or when an employee leaves the company.
 Striking an appropriate balance between the benefits and security risks presented by BYOD
can be challenging; however, by employing appropriate policies and tools organisations can
safely manage mobile devices within their workplace environment.

Lesson Summary

 Cryptography refers to the practice and study of techniques for secure communication when
confronted by adversaries.

44
 PKI refers to a set of roles, policies, hardware, software and procedures needed for
creating, managing, distributing, using, storing and revoking digital certificates.
 Digital certificates are electronic documents created using digital signature technology to link
a public key with its identity, providing proof that an individual owns them.
 TLS/SSL and IPsec are foundational to the secure operation of internet communications.
 Common file encryption methods include using file archiving programs like 7-Zip or WinZip
that offer password protection and file encryption capabilities, while many operating systems
also include built-in file protection features like Windows' BitLocker or macOS' FileVault for
convenient file protection.
 Web application security should never be treated as an afterthought; rather, it must become
part of your development life cycle and follow best practices when choosing security
frameworks to use.
 Web application penetration testing is an analytical method of testing the security of a web
app by simulating attacks from external sources, usually hackers or intruders.
 Although both iOS and Android provide strong security features, no system can guarantee
100% protection.
 BYOD refers to the policy of permitting employees to utilise personal devices for work
purposes.

MODULE 3

Learning Outcomes

Having completed this module you will be able to:

 List the benefits of cloud computing and cloud service models.

 Evaluate cloud security threats and risks.
 Explain how to secure cloud migration and data protection.
 Analyse incident response processes and methodologies.
 Outline incident handling and escalation procedures.
 Discuss digital forensics principles and techniques.
 Identify key steps involved in evidence gathering.
 Explain ethical hacking and ethical hacking methodology.
 List the techniques used in reconnaissance/footprinting.

45
 Describe vulnerability assessment and penetration testing.

Cloud Security

This topic is intended to introduce you to cloud security.

Topics to Be Covered:

 Introduction to cloud computing and cloud service models.

 Cloud security threats and risks.
 Cloud security architecture and controls.
 Secure cloud migration and data protection.

Intro to Cloud Computing and Cloud Service Models

Cloud Computing
Cloud computing refers to the on-demand delivery of IT resources over the Internet with pay-as-
you-go pricing. Instead of investing in and owning physical servers and data centres, with cloud
providers you can gain access to computing power, storage capacity, databases services on
demand at pay per use prices.

Benefits of Cloud Computing

1. Cost-Effective: Cloud computing eliminates the capital expense of buying hardware and
software, setting up and running on-site data centres.

46
2. Scalable: Cloud computing allows businesses to easily upscale or downscale their IT
requirements as and when required.
3. Performance: Cloud services run on a worldwide network of secure data centres, which are
upgraded to the latest generation of fast and efficient computing hardware.
4. Speed and Agility: With cloud, vast amounts of computing resources can be provisioned in
minutes.
5. Productivity: Cloud computing removes the need for many of the time-consuming "heavy
lifting" tasks (such as hardware setup, software patching, and other IT management chores),
allowing IT teams to spend time on achieving more important business goals.

Cloud Service Models

Cloud services are typically deployed based on three service models:

1. IaaS brown

IaaS: Infrastructure as a Service is one of the primary cloud computing services, offering IT
infrastructure rental through servers and virtual machines (VMs), storage networks and
operating systems on an "as you go" payment basis from providers like Azure or AWS.

2. PaaS

PaaS: Platform as a Service provides organisations with an alternative method for handling
infrastructure (typically hardware and operating systems) so they can focus on application
deployment and management instead.

3. SaaS br

SaaS (Software as a Service): With this model of cloud hosting and management, providers
host and administer software applications and their underlying infrastructures in an "as a
Service" configuration while handling maintenance like upgrades and security patching remotely
for users connected by Internet browser.

Cloud Security Threats and Risks

47
Cloud computing brings many advantages, yet also poses certain security threats. Let's
examine some of them now:

Data breaches

Data breaches could expose sensitive information, typically personal, intellectual property and
trade secret data. A breach could expose this sensitive data and compromise both its reputation
as well as cause financial losses to both individuals and enterprises involved.

Data Loss

Data stored in the cloud could be lost for reasons other than malicious attacks. Accidental
deletion of data by the cloud service provider or a physical catastrophe, like a fire or earthquake,
could lead to the permanent loss of customer data unless the provider or customer has taken
measures to redundantly backup data.

Account Hijacking

2/1/26, 17:43 - kakande: Phishing, fraud and software vulnerabilities may lead to compromised
cloud credentials being stolen by attackers allowing them to make use of that access by
manipulating data, spying on transactions and redirecting clients towards fraudulent websites.

Unsafe APIs

Cloud services frequently offer APIs to their customers, with security largely depending on these
APIs to protect against accidental and intentional attempts at circumventing policy. They must
be designed as such.

Cloud Security Threats and Risks

DoS (denial of service) attacks

While DoS attacks don't typically lead to theft of data or financial loss for their victims, they can
cost both time and money while their system becomes unavailable.

48
Insider threat br

An insider with malicious intent, or a "malicious insider," can exploit their authorised access to
an organisation's data in the cloud, potentially leading to the exposure or theft of that data.

Shared technology vulnerabilities

Sometimes, the underlying components that make up this infrastructure (e.g., CPU caches,
GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture
(a cloud model). This could lead to shared technology vulnerabilities.

Mitigating these risks requires the deployment of security tools, best practices and education.
Cloud service providers typically implement extensive safeguards against threats on their
platforms; customers should also take necessary measures to secure their own information.

Cloud Security Architecture and Controls

Cloud Security Architecture

Cloud security architecture is a part of the cloud infrastructure designed to meet your
organisation's cybersecurity requirements.

Its main role is to provide strategic direction and alignment with business needs and regulatory
requirements. Key elements include:

 Identity and Access Management (IAM): It controls who is authenticated and authorised to
use resources.
 Data Encryption: Encryption should be used for data at rest and in transit. Consider using
your own encryption keys whenever possible.
 Firewalls and Intrusion Detection/Prevention: These systems filter traffic and monitor for
malicious activity.
 API Gateways: These manage and control the traffic between applications and the cloud
environment.

Cloud Security Controls

Security controls are safeguards or countermeasures used to avoid, detect, counteract, or

minimise security risks.

Some essential cloud security controls are:

49
 Preventive Controls: These are designed to prevent an incident from occurring. Examples
include secure coding standards, security training, and network segmentation.
 Detective Controls: These controls are designed to discover or detect unwanted or
unauthorised activity. Examples include intrusion detection systems (IDS), log reviews, and
violation reporting systems.
 Corrective Controls: These controls limit the extent of any damage caused by the incident.
Examples include disaster recovery plans (DRPs) and automated scripts to shutdown
services.
 Deterrent Controls: These are designed to discourage a potential attacker. Examples are
security awareness training and the use of legal agreements.
 Compensating Controls: These are alternate controls used when primary controls are not
feasible or effective. These might involve additional monitoring or more frequent reviews.

Remind yourself that security in the cloud is shared responsibility: while cloud providers must
uphold its integrity, customers also hold themselves responsible.

Secure Cloud Migration and Data Protection

Secure Cloud Migration

Migrating data securely requires careful preparation before migrating it. Below are steps for
conducting an effective cloud migration:

 Step 1 - Planning: Establish your business objectives for migrating data, understand which
files need to be moved over and the security controls that exist with each provider.
 Step 2 - Selecting a Service Model: Based on your business requirements and security
considerations, decide between IaaS, PaaS or SaaS as your service model of choice.
 Step 3 - Risk Evaluation: Evaluate potential security threats affecting the cloud with
regards to data breach, loss, account hijacking or insecure APIs.
 Step 4 - Data Migration: This should be done securely, with encryption used while data is
in transit.
 Step 5 - Security Controls: Implement additional security controls as needed. This could
include encryption for data at rest, improved identity and access management, and more
secure application programming interfaces.
 Step 6 - Testing: Test the security of your cloud service with vulnerability scanning and
penetration testing.
 Step 7 - Review and Audit: Regularly review and audit your cloud services to ensure they
remain secure.

Data Protection in the Cloud

Data protection is a key aspect of cloud security, encompassing measures such as:

1. Keep regular backups of data outside the cloud service provider so as to guarantee its
accessibility in case of failure or outages. This helps safeguard availability.
2. Encrypt data at rest and in transit. For sensitive data, consider retaining control of the
encryption keys.

50
3. Implement strong access controls. Only authorised individuals should have access to your
data in the cloud.
4. Understand the regulations governing data in your region and ensure your cloud service
provider complies. This is particularly essential if your data resides outside its original
jurisdiction.
5. Ensure you meet any industry-specific compliance standards for data protection. This could
include standards such as GDPR, PCI DSS, or HIPAA.

Incident Response and Forensics

Topics to Be Covered:

 Incident response process and methodologies.

 Incident handling and escalation procedures.
 Digital forensics principles and techniques.
 Evidence collection and preservation

Incident Response Process and Methodologies

Incident Response

Incident response refers to the method by which organisations address security breaches or
cyber-attacks - it involves taking measures to detect, analyse and respond effectively.

The goal is to minimise damage while shortening recovery times and costs as much as
possible.

51
An effective incident response plan aims to limit damage while simultaneously decreasing
recovery costs and timeframe.

Furthermore, such plans aim to ensure smooth business continuity as well as safeguard
corporate reputations.

Incident Response Process

Incident response can be broken down into six key stages:

Stage 1: Preparation

This is the readiness phase where you prepare to handle potential incidents by setting up the
necessary tools, team, and plan.

Stage 2: Identification

Here, you work on detecting and acknowledging the incident.

Stage 3: Containment

In this stage, you limit the damage of the incident and isolate affected systems to prevent further
damage.

Stage 4: Eradication

Once contained, you find the root cause of the incident, remove the threat from your systems,
and identify measures to prevent similar future incidents.

Stage 5: Recovery

Now, you restore and return affected systems and devices back into your business
environment, ensuring no threat remains.

Stage 6: Lessons learned

Finally, you do a post-mortem analysis to draw lessons, improve the process and prepare for
future incidents.

Incident Response Methodologies

Although incident response varies significantly across organisations, having established

frameworks and methodologies can help standardise and structure it more easily.

Examples might include:

52
 NIST Incident Response Life Cycle: Created by the National Institute of Standards and
Technology (NIST), this four-phase method covers Preparation; Detection & Analysis;
Containment Eradication Recovery and Post Event Activity phases.
 SANS Incident Handler's Handbook: This methodology developed by SANS Institute follows
a six-step approach similar to NIST but with increased emphasis on lessons learned.
 PICERL: Short for Preparation, Identification, Containment, Eradication, Recovery, and
Lessons Learned, this methodology is simple but covers the necessary steps in the process.

Incident Handling and Escalation Procedures

Incident Handling

Incident management refers to the actions taken after an incident has been identified in order to
address it effectively and responsibly. It includes several key steps.

 Step 1: Recording of Incident: Every aspect of an incident should be documented

accurately, such as time and date when discovered, person who discovered it, type of
incident it involves and any additional pertinent details.
 Step 2: Initial Investigation: A quick investigation is carried out to confirm whether an
incident has occurred. This could involve looking at log files, speaking to staff, or examining
data.
 Step 3: Incident Categorization: Following initial investigation, an incident should be
classified according to its type and severity in order to establish an effective response
strategy. This allows managers and investigators to make sound judgement calls when
choosing appropriate responses for future incidents.
 Step 4: Incident Notification: In case of an incident occurring within an organisation, all
relevant stakeholders should be made aware. This might include IT personnel,
management, or even legal or public relations teams depending on its severity.
 Step 5: Response: In response to this type of incident, an incident response team must
follow its planned response plan in terms of isolating affected systems, gathering evidence
and trying to ascertain its source.
 Step 6: Post-Incident Review: Once an incident is under control, its experience should be
examined so as to learn from and improve future responses.

Predefined Protocols

Not every incident can be managed by an initial response team alone and may require extra
resources or expertise.

This is where incident escalation procedures come in handy; predefined protocols should
include steps such as these.

Technical Escalation

This happens when the initial incident response team lacks the technical skills or resources to
handle the incident.

53
The incident may be escalated to a higher level of technical expertise within the organisation.

Management Escalation

If an incident is severe or likely to have significant repercussions for an organisation, escalating

to management may be necessary in order to develop the most suitable response.

Decision making at this level may need to take place if responding could affect business
operations or result in significant costs for responding.

External Escalation

There may be instances when external intervention may be necessary; such as law
enforcement (if the incident involves illegal activities), regulatory bodies (if compliance issues
could exist), or third-party specialists (for additional expertise).

Digital Forensics Principles and Techniques

Digital forensics

Digital or computer forensics, is an area of forensic science concerned with gathering evidence
found on computers or digital storage media.

The goal is to examine this material forensically with the aim of recognizing, preserving,
recovering, analysing and providing facts or opinions regarding what information exists within
the digital medium.

Criminal and private investigations often use this practice extensively, using it for situations
ranging from cybercrime and data breaches to disputes regarding legal matters and civil
matters.

Principals of digital forensics

Several key principles guide the work of digital forensics:

 Evidence should be collected and preserved according to court standards; this means
following proper procedures and documenting each action taken.
 Evidence must be unaltered or falsified in any way.

54
 An investigation should carefully assess all available evidence, considering all angles.
 Replicability should allow someone else to produce similar results using similar evidence.
 Investigation should not impede on or compromise existing business processes and
systems.

Digital Forensics Techniques

Digital Forensics employs various methodologies, such as but not limited to:

1. Data Recovery: Recovering deleted files or pieces of data that might serve as evidence.
2. System Analysis: Investigate system logs, processes, and other data to understand how
an incident occurred.
3. Network Analysis: Analysing network logs, traffic, and other data to trace the source of
network attacks or other incidents.
4. Live Analysis: Analysing data from a live system, often used when volatile data might be
lost when a system is shut down.
5. Timeline Analysis: Constructing a timeline using time-stamped digital evidence can assist
investigators in understanding what transpired during an incident.

Evidence Collection and Preservation

Evidence Collection

Evidence collection following a security incident is crucial in order to gain a clear picture of what
took place and who is at fault, while also uncovering ways similar events may be prevented in
future.

Key steps involved in evidence gathering include:

1. Prioritisation: Not all evidence is equally valuable, so it's crucial to prioritise. Typically, data
that is most volatile or at risk of being lost should be collected first. This might include
system memory, temporary files, and system logs.
2. Capture System Images: System images provide an instantaneous snapshot of how things
stand within an environment at any point in time, which is useful when trying to assess an
incident immediately following its occurrence.
3. Network Traffic and Logs: Network traffic logs can provide valuable evidence about
incoming and outgoing connections. They can also highlight any unusual or suspicious
activity.
4. Physical Environment: Additionally, it's crucial to examine the environment where an
incident took place. Are security cameras present that might have captured suspicious
activity or Can access logs shed light on who was present at the time of the incident?

Evidence Preservation

55
Preserving evidence is just as critical as its collection. Without proper care taken when storing
evidence, it could deteriorate or become corrupted and become useless, leaving key principles
of preservation unfulfilled.

These include:

Chain of Custody

To establish that evidence has not been altered in its handling or altered during collection, a
record must exist of who handled the evidence from start to finish. This helps establish whether
proper procedures have been followed.

Storage security

Evidence must be stored securely to prevent unintended access or accidental destruction,

whether this involves physical measures (like locking away in an archive room) or digital
measures such as encryption.

Documentation

Every step taken during the collection and preservation processes should be thoroughly
documented, from date and time of collection, who collected evidence, how it was acquired to
any relevant details that may arise during collection or preservation processes.

Hashing

Hashing algorithms can create an indelible "digital fingerprint" of evidence which allows one to
verify whether or not any changes were made during transmission or alteration of evidence.

Ethical Hacking

This topic is intended to introduce you to ethical hacking.

Topics to Be Covered:

 Introduction to ethical hacking.

 Reconnaissance and footprinting techniques.
 Vulnerability assessment and penetration testing.
 Exploitation techniques and post-exploitation analysis.

56
Introduction to Ethical Hacking

What is ethical hacking?

Ethical hacking refers to the practice of testing computer systems, networks and web apps in
order to discover vulnerabilities an attacker could exploit.

As opposed to malicious hackers who seek only to breach security by exploiting vulnerabilities
that they find, ethical hackers employ their skills for good by providing recommendations on how
best to remedy vulnerabilities identified during such evaluation.

Why is ethical hacking crucial?

Ethical hacking can provide organisations with an invaluable service: the opportunity to identify
and fix vulnerabilities before malicious attackers exploit them, which often proves far less costly
than reacting after security incidents have already taken place.

Additionally, regulatory standards and laws often mandate certain organisations to perform
periodic penetration testing and vulnerability analyses in order to safeguard sensitive
information. By regularly testing for vulnerabilities in their environment and taking necessary
measures for protection, organisations can ensure they are protecting sensitive data properly.

Who is an ethical hacker?

An ethical hacker is defined as any professional trained in hacking techniques and

methodologies who uses that expertise to assist organisations and systems owners secure
them more effectively and safely.

Ethical hackers should always secure written authorization before conducting any testing of
networks and systems for vulnerabilities or potential security risks.

Ethical Hacking Methodology

The methodology of ethical hacking typically involves the following steps:

57
1. Step 1: Planning and reconnaissance: Define the scope of the test and gather information
about the target system.
2. Step 2: Scanning: Use various tools to understand how the target system responds to
different intrusions.
3. Step 3: Gaining Access: Attempt to exploit vulnerabilities in the system, often using the
same methods that a malicious hacker would use.
4. Step 4: Maintaining Access: Test whether the vulnerability can be used to achieve
persistent access to the exploited system, simulating an advanced persistent threat.
5. Step 5: Covering Tracks: Attempt to remove any evidence of the testing process, further
mimicking the actions of a malicious hacker.
6. Step 6: Analysis and Reporting: Analyse the results of the test and provide a report
detailing the vulnerabilities found, the successful exploits, and recommendations for
mitigation.

Reconnaissance and Footprinting Techniques

What is Reconnaissance/Footprinting?

Reconnaissance or footprinting is the initial phase in which an ethical hacker gathers as much
information on a target system to understand how it functions, what defences exist against
potential vulnerabilities, and identify possible targets of attack.

Hackers gather information in the early stages of hacking in order to devise strategies for
accessing systems later. However, at this point they're simply collecting intelligence; not actively
working against an attempt at breaking into it.

Goals of Reconnaissance

The key goals of this phase include:

 Understanding the target system and its activity.

 Mapping out network and system infrastructure.
 Identifying potential system vulnerabilities.
 Planning the next steps based on the gathered information.

Techniques Used in Reconnaissance/Footprinting

Vulnerability Assessment and Penetration Testing

What is Vulnerability Assessment?

Vulnerability assessment (VA) refers to identifying and quantifying vulnerabilities within an

environment or system.

58
VA may employ both manual and automated techniques in order to locate any possible
exploitable holes which could be exploited by attackers; effectively cataloguing weaknesses
which might be exploited in order to establish vulnerability profiles of systems or environments.

What Is Penetration Testing (or Pen Testing)

Penetration testing, also referred to as Pen Testing, involves ethical hackers simulating cyber
attacks against a system in order to assess potential exploitable vulnerabilities that allow
attackers to reduce its information assurance level. In other words, vulnerabilities allow an
attacker to reduce security.

While vulnerability assessments look for weaknesses, penetration testing goes further by
exploiting those vulnerabilities to assess how much harm they can do.

VAPT Process and Tools

VAPT Process

1. The VAPT process generally involves the following stages:

2. Planning and Defining Scope: As part of planning the test, its first step should be defining its
scope and goals, such as which systems it covers or testing methods it employs.
3. Discovery: To identify potential vulnerabilities within target systems and gather relevant
information. This step utilises various tools and techniques.
4. Attack: This is the phase where the penetration tester tries to exploit the identified
vulnerabilities to understand the extent of potential damage.
5. Reporting: The final phase is reporting, which involves capturing details about the identified
vulnerabilities, the successful exploits, and providing recommendations for remediation.

VAPT tools

There are several tools available for conducting VAPT, including but not limited to:

Nessus: Nessus is a popular vulnerability scanner designed to automate vulnerability

assessment processes.

OpenVAS: This is an open-source tool used for vulnerability scanning and management.

Metasploit: This is a powerful tool used for developing and executing exploit code against a
remote target machine.

Burp Suite: A popular web application security testing tool used for checking web application
security.

59
Remember, while these tools may automate certain aspects of VAPT, they cannot replace
expert analysis and interpretation.

Exploitation Techniques/Post-Exploitation Analysis

Exploitation Techniques

Exploitation is where the ethical hacker leverages found vulnerabilities to gain unauthorised
access to the target system.

Here are a few common exploitation techniques:

1. Buffer overflow

When programs attempt to store more data in a buffer than it can handle, overwriting adjacent
memory and possibly leading to unpredictable program behaviour or memory access errors or
the execution of malicious code can occur. This phenomenon is called buffer overflow.

2. Injection attacks

This form of cybercrime involves injecting malicious code directly into a program and processing
it afterwards, typically SQL Injection where an attacker attempts to insert his or her SQL
commands directly into user inputs that pass directly onto an SQL Server for execution.

3. Previlege escalation

Privilege Escalation refers to exploiting bugs, design flaws or configuration oversight in

operating systems or software applications to gain elevated access to resources that would
normally remain protected from usage by applications or users.

4. Social engineering

Social engineering refers to non-technical attacks which exploit individuals by convincing them
into divulging sensitive data such as passwords and credit card numbers through manipulation,
commonly through phishing attacks.

Post - Exploitation Analysis

After exploiting the vulnerabilities, the ethical hacker enters the post-exploitation phase. The
purpose of this phase is to determine the value of the machine compromised and to maintain
control for later use. The steps involve:

1. Collecting Evidence: This involves collecting system information, user information, network
connections, running services, and other relevant details about the exploited system. This
could be used for further exploitation, documentation, or for establishing further attacks.
2. Securing Access: Ethical hackers may also establish backdoors, rootkits, or other means of
securing access to the compromised systems for later use.

60
3. Removing Tracks: Ethical hackers usually clear logs, command histories, and other traces of
their activity on the exploited system. This step is usually performed to avoid detection by
system defenders, but it can also help simulate the actions of malicious attackers.
4. Reporting: The final step is reporting. This involves documenting the vulnerabilities found,
the exploits used, the data accessed, and any changes made to the system.

Please note, while these activities might sound malicious, an ethical hacker always has legal
permission to conduct these activities and they're performed to help secure the system, not to
cause harm.

Lesson Summary

 Cloud computing refers to the on-demand delivery of IT resources over the Internet with
pay-as-you-go pricing.
 Incident response refers to the method by which organisations address security breaches or
cyber-attacks - it involves taking measures to detect, analyse and respond effectively.
 Incident management refers to the actions taken after an incident has been identified in
order to address it effectively and responsibly. It includes several key steps.
 Digital or computer forensics, is an area of forensic science concerned with gathering
evidence found on computers or digital storage media.
 Evidence collection following a security incident is crucial in order to gain a clear picture of
what took place and who is at fault, while also uncovering ways similar events may be
prevented in the future.
 Preserving evidence is just as critical as its collection.
 Ethical hacking refers to the practice of testing computer systems, networks, and web apps
in order to discover vulnerabilities an attacker could exploit.
 Vulnerability assessment (VA) refers to identifying and quantifying vulnerabilities within an
environment or system.
 Exploitation is where the ethical hacker leverages found vulnerabilities to gain unauthorised
access to the target system.

61
 MODULE 4

Learning Outcomes

Having completed this module you will be able to:

 Explain the cyber threat landscape and intelligence sources.

 Describe threat intelligence gathering and analysis.
 Describe threat hunting and incident response using threat intelligence.
 Discuss risk management frameworks and methodologies.
 Explain vulnerability assessment and risk analysis.
 Recognise compliance requirements and standards.
 List the benefits of secure software development lifecycle.
 Identify secure coding practices and code reviews.
 Describe secure code analysis tools.

Cyber Threat Intelligence

This topic is intended to introduce you to Cyber Threat Intelligence.

Topics to Be Covered:

 Cyber threat landscape and intelligence sources.

 Threat intelligence gathering and analysis.
 Threat hunting and incident response using threat intelligence.
 Threat Sharing and collaboration platforms.

Cyber Threat Landscape and Intelligence Sources

62
Cyber threats represent one of the foremost challenges of modern civilization. As technology
develops, so too does its threat landscape: as hackers use more advanced techniques to
breach security measures and compromise networks.

To counteract such attacks, cybersecurity professionals need to have an in-depth knowledge of

the current cyber threat landscape and various intelligence sources available; this topic explores
these sources that help mitigate them.

Understanding the Cyber Threat Landscape

The cyber threat landscape encompasses any existing and potential malicious activities that
threaten an organisation's digital assets, from existing to potential malware attacks that might
come about because of technological advancement, geopolitical conditions or global economic
activity.

It changes constantly due to factors like technological innovations, geopolitical conditions or

global economy; its primary threats being malware, ransomware, phishing attacks DDoS attacks
or advanced persistent threats (APT).

1. Malware: Malware includes viruses, worms, Trojan and spyware which aim to disrupt
computer systems or gain entry in order to damage them and gain unauthorised entry.
2. Ransomware: Ransomware refers specifically to ransomware-type attacks which encrypt
an organisation's data before demanding payment in return for access restoration.
3. Phishing: These fraudulent schemes seek to deceive users into giving out personal and
sensitive data like usernames, passwords and credit card details by appearing trustworthy.
4. DDoS attacks: Distributed Denial of Service attacks overload servers, systems, or networks
with traffic to render them unavailable to users.
5. Advanced Persistent Threats (APTs): These threats involve extended cyberattacks where
an intruder gains entry to a network and remains undetected for an extended period.

Sources of Cyber Threat Intelligence

Cyber threat intelligence provides organisations with information they can use to understand
threats that have, will or are currently attacking their organisation. With this knowledge in hand,

63
organisations are better able to prepare, prevent and identify any cyber attacks which threaten
security measures aimed at breaching. There are multiple sources for such intelligence.

1. Open-source intelligence (OSINT): This information is publicly available and can be

gathered from news reports, blogs, forums, and social media.
2. Human Intelligence (HUMINT): This involves direct communication and interaction with
informed individuals or insiders within cybercriminal networks.
3. Technical Intelligence (TECHINT): This involves gathering information from technical
sources like logs, network traffic, and system behaviours.
4. Intelligence from Vendors: Security vendors often have vast intelligence networks and can
provide information on new vulnerabilities, malware, and threat trends.
5. Industry-specific feeds and groups: Organisations in the same industry often face similar
threats, so sharing information between these organisations can be helpful.

Through understanding and capitalising on various sources of intelligence about cyber threats,
organisations can more successfully plan and execute cybersecurity strategies designed to fend
off potential attacks on their network.

Threat Intelligence Gathering and Analysis

Threat intelligence collection and analysis are integral parts of cybersecurity, providing
organisations with insight into potential threats they could encounter and ways to mitigate them.

Threat Intelligence Gathering

At the core of threat intelligence lies data collection. There are various means available for
gathering this intelligence ranging from open sources such as publicly accessible information to
vendor-supplied intelligence as discussed previously. Ultimately, which methods an organisation
uses depends upon their unique requirements, resources and risk tolerance.

Internal data can also provide invaluable threat intelligence. This includes system logs, network
traffic data and individual behaviours within an organisation - which tools such as intrusion
detection systems (IDS), security information and event management (SIEM), user entity
behaviour analytics (UEBA), or even intrusion identification and notification (IIT) may use to
collect.

Threat Intelligence Analysis

Once data collection is complete, the next step should be analysis to uncover meaningful
insights from it. This process often includes several steps; these could include:

1. Step 1: Data Normalisation and Aggregation: In this step, data collected from different
sources are combined into one coherent format to enable easier analysis and comparison
between them.

64
2. Step 2: Data Correlation: Data are then compared in order to detect patterns and
relationships within them, helping identify trends, vulnerabilities, threats and their possible
impact.
3. Step 3: Threat Prioritisation: Not all threats pose equal risks for organisations; certain
ones pose greater threats. Threat prioritisation involves prioritising threats based on factors
like potential impact and frequency of occurrence.
4. Step 4: Contextualization: Contextualizing involves tailoring analysis to fit with specifics
about an organisation - its systems, processes and vulnerabilities. This helps provide
greater insight into potential threats that might impact them and how best to mitigate them.
5. Step 5: Intelligence Reporting: Finalising our analysis by producing a report. This should
include clear, actionable information necessary for decision making regarding an
organisation's security strategy.

Threat Intelligence Platforms (TIPs)

Threat Intelligence Platforms (TIPs) are tools designed to automate the process of gathering,
analysing, and managing threat intelligence. TIPs aggregate information from multiple sources
before normalising it to prioritise threats and produce actionable reports - thus significantly
expanding a company's threat intelligence capabilities.

Threat Hunting and Incident Response

Utilising threat intelligence efficiently is integral for both proactive identification of cyber attacks
and swift responses to security incidents. In this topic, we'll look at how threat intelligence can
support threat hunting and incident response processes - two essential parts of an effective
cybersecurity posture.

Threat hunting

Threat hunting refers to the practice of actively and iteratively scanning networks, endpoints and
datasets for advanced threats that evade traditional automated tools. Contrasting with traditional
threat management measures, threat hunting involves actively looking out for anomalies which
might indicate breaches.

Threat intelligence plays a central role in threat hunting. By gathering details about the latest
tactics, techniques, and procedures (TTPs) used by adversaries, threat hunters can search their
systems for signs that an adversary might use against them - for instance if threat intelligence
indicates a certain kind of malware has become popular among their adversaries, threat hunters
might look out for any signs it is present there.

Incident response

Incident response refers to the practice of managing and mitigating cybersecurity breaches or
attacks to minimise damage and speed recovery time and costs. Its primary goal is limiting
recovery costs while simultaneously mitigating damage as quickly as possible. Threat

65
intelligence can play an invaluable role in incident response. Responders can utilise threat
intelligence data to quickly assess an incident by understanding its nature, identifying
perpetrators, and understanding their TTPs; ultimately helping contain and prevent further
damage to property or lives.

Threat intelligence can provide invaluable aid during the recovery phase of incident response.
By understanding how an attack took place, organisations can take measures to thwart similar
ones in future - for instance if phishing breached security at your organisation, threat intelligence
might reveal specific techniques used enabling better education among employees as well as
enhanced email security measures for your emails.

Threat hunting to incident response

Integrating Threat Intelligence into Threat Hunting and Incident Response: Threat intelligence
should be integrated into all areas of an organisation's cybersecurity efforts, using Threat
Intelligence Platforms (TIPs) to collect, aggregate and analyse threat data before disseminating
it across relevant systems and personnel - from real-time threat detection in Security
Information and Event Management systems (SIEM), through to incident response teams
receiving intelligence reports to aid their efforts.

Threat Sharing and Collaboration Platforms

Due to the complex and ever-evolving cyber threat landscape, collaborative approaches must
be employed when protecting organisations against threats.

Threat sharing offers organisations an invaluable chance to collaborate on collective defence by

benefiting from each other's knowledge and experiences.

Importance of Threat Sharing

Sharing threat intelligence allows organisations to stay abreast of emerging threats, identify
common vulnerabilities and learn from past experiences of other businesses.

Security teams can benefit greatly by understanding TTPs (Tactics, Techniques & Procedures)
and IOCs (Indicators of Compromise) used against similar businesses so as to best prepare
and respond when threats come their way.

Threat Sharing and Collaboration Platforms

Threat connect

This platform integrates several essential capabilities such as threat intelligence, orchestration
and automation as well as case management into one convenient product.

66
Malware Information Sharing Platform: This open-source threat intelligence platform is widely
utilised by governments, nongovernmental organisations, and private businesses for sharing,
storing and correlating threat data.

Threat sharing platforms offer secure environments in which organisations can exchange threat
intelligence.(before threat connect)

Anomali Threat stream

Anomali's platform connects seamlessly to many security and IT systems to aggregate and
operationalize threat intelligence for collaboration across organisations or between teams.

FS-ISAC

FS-ISAC (Financial Services Information Sharing and Analysis Center): This industry-specific
platform facilitates sharing threat intelligence among financial institutions.

Alien vault OTX

AlienVault OTX (Open Threat Exchange): AlienVault OTX is one of the largest open threat-
sharing networks, where participants can share and collaborate on threat data.

Framework for Threat Intelligence Sharing

Standard languages and protocols have been implemented in order to facilitate efficient threat
intelligence sharing, with these including:

1. STIX (Structured Threat Information Expression): This is a language designed for

conveying structured cyber threat information.
2. TAXII (Trusted Automated Exchange of Intelligence Information): This is an application
protocol for exchanging cyber threat information securely.
3. CybOX (Cyber Observable Expression): This is a standardised schema for the
specification, capture, characterization, and communication of events or stateful properties
that are observable in the operational domain.
4. IOC (Indicators of Compromise): IOCs are pieces of forensic data that identify potentially
malicious activities on a system or network. Examples include IP addresses, URLs, MD5
hashes of malware files, or even specific patterns of behaviour.

Threat-sharing and collaboration platforms are indispensable weapons in the battle against
cyber threats, empowering organisations to increase cybersecurity by working collaboratively on
information-sharing initiatives to strengthen their cybersecurity posture and contribute to
creating a safer cyber environment for everyone.

Risk Management and Compliance

67
This topic will teach you about risk management and compliance.

Topics to Be Covered:

 Risk management frameworks and methodologies.

 Vulnerability assessment and risk analysis.
 Compliance requirements and standards.

Risk Management Frameworks and Methodologies

Risk management plays a pivotal role in cybersecurity. By understanding and applying effective
risk management frameworks and methodologies, organisations can systematically identify,
assess, and mitigate their exposures.

Understanding Risk Management

Before delving deeper into specific frameworks and methodologies, let us first define risk
management.

Risk management refers to the practice of recognizing, assessing, and controlling threats
against an organisation's digital assets - it involves taking steps that reduce their effects while
planning a response should an attack happen.

Risk Management Frameworks

An effective risk management framework offers an organised means for identifying, assessing
and mitigating risks. Numerous globally accepted frameworks may be implemented into practice
such as these ones:

 NIST Risk Management Framework (RMF): Created by the National Institute of Standards
and Technology, the NIST RMF offers an approach for incorporating security, privacy, and
risk management activities into system development life cycle. It comprises steps such as
categorise, select, implement, assess authorise monitor.
 ISO 27005: As part of ISO 27000 series standards for information security management,
ISO 27005 offers guidelines on risk management to support general concepts laid out by
ISO 27001.
 COSO Enterprise Risk Management (ERM) Framework: The Committee of Sponsoring
Organizations of the Treadway Commission developed this framework to help organisations
effectively report on and manage risks to achieve their objectives.

Vulnerability Assessment and Risk Analysis

Establishing and mitigating vulnerabilities within an organisation's systems are cornerstones of

cybersecurity risk management. By conducting thorough vulnerability and risk analyses,
companies can detect weak spots in their cybersecurity posture and take measures to address
them.

68
Vulnerability Assessment

An organisation performing a vulnerability assessment identifies, classifies and prioritises

vulnerabilities within computer systems, applications and network infrastructures to collect the
necessary data that enables it to fix known flaws as well as protect itself against possible future
attacks. The typical steps in a vulnerability assessment include:

1. Locating IT Assets: The initial step of performing a vulnerability assessment involves

identifying all assets to protect. This may include hardware, software, networks or data
assets.
2. Conduct a Vulnerability Scan: Conducting this analysis uses automated tools to scour all
identified assets for potential vulnerabilities that might exist within them.
3. Vulnerability Analysis: Once results of the scan have been collected, these should be
examined in depth to understand each vulnerability's impact on potential targets.
4. Remediation: Once vulnerabilities have been identified, remedial action must be taken
against them. This might involve installing updates for software or changing configuration
settings or taking other security precautions to address them.

Risk Analysis

While vulnerability assessment focuses on identifying and addressing specific weaknesses, risk
analysis is a broader process that considers the potential impact and likelihood of threats to an
organisation's systems. Risk analysis typically involves the following steps:

1. Identification of Threats: This step involves the identification of threats facing an

organisation from various sources such as cybercrime, insider threats, natural disasters or
accidental data loss.
2. Assessing Vulnerabilities: Just like vulnerability assessments, vulnerability analyses
involve identifying weaknesses which could be exploited by threats.
3. Calculating Risk: Calculating risk involves estimating both its potential impact and
likelihood, often expressed as the product. Risk can then be expressed as the product
between potential impact and likelihood - thus yielding its product, known as its "risk profile."
4. Prioritising Risks: Based on their calculated risk, threats are then prioritised. This helps
organisations focus their efforts on the most significant risks.
5. Establish a Risk Management Plan: After identifying all risks, an effective risk
management plan must be created in order to address each one effectively. This document
must outline how each risk will be reduced or avoided entirely using mitigation, transference,
acceptance, or avoidance strategies.

By conducting regular vulnerability assessments and risk analyses, organisations can keep their
cybersecurity up to date and respond effectively to the evolving threat landscape.

Compliance Requirements and Standards

Compliance is also vital when managing cybersecurity risks; not only for legal reasons but also
to ensure best practices for cybersecurity within an organisation are followed.

69
GDPR

The General Data Protection Regulation of the European Union is an established law which
establishes comprehensive rules governing how personal data of EU residents should be
handled within that body, giving individuals greater control of their personal information while
simplifying regulatory environments for international business operations.

Key principles of GDPR include:

1. Lawfulness, fairness, and transparency: When processing personal data it should always be
done so in a lawful, fair, and transparent way.
2. Data minimization: Only the minimum necessary amount of personal data should be
collected and processed.
3. Data subject rights: Individuals have the right to access their data, correct inaccuracies, and
request deletion in certain circumstances.
4. Security: Organisations must implement appropriate security measures to protect personal
data.

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards
designed to ensure that all companies that accept, process, store, or transmit credit card
information maintain a secure environment. Key requirements include:

Payment Card Industry Data security Standard( PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards
designed to ensure that all companies that accept, process, store, or transmit credit card
information maintain a secure environment. Key requirements include:

1. Protecting stored cardholder data.

2. Encrypting transmission of cardholder data across open, public networks.

3. Maintaining a vulnerability management program.

4. Implementing strong access control measures.

Other standards and regulations

Dependent upon their industry and location, organisations may need to comply with various
other standards and regulations as part of doing business. Examples could include:

1. Health Insurance Portability and Accountability Act (HIPAA): This US law mandates
healthcare providers to protect patient data by following set protocols regarding handling
healthcare data.

2. ISO 27001: This international standard offers guidance for creating an Information Security
Management System (ISMS).

70
3. Sarbanes-Oxley Act (SOX): This US legislation mandates companies to maintain financial
records for multiple years as well as implement controls against fraud to help combat it.

Noncompliance with regulations or customer trust issues may incur serious repercussions for
organisations; thus, understanding and adhering to compliance requirements are an integral
component of risk management.

Secure Software Development

This topic is intended to introduce you to Secure Software Development.

Topics to Be Covered:

 Secure software development lifecycle.

 Secure coding practices and code reviews.
 Secure code analysis tools.
 DevOps security and (CI/CD) pipelines.

Secure Software Development Lifecycle

Security is of utmost importance in any software system. By including security considerations

from its early inception and throughout its lifetime, organisations can help safeguard their
systems and data against cyber threats.

The Secure Software Development Lifecycle (SDLC) offers an ideal framework to incorporate
security considerations throughout every stage of the software development process.

Understanding the Secure SDLC

The Secure SDLC is an approach to software development that incorporates security practices
and measures from its infancy; unlike more traditional approaches that tend to add them after

71
system creation has completed - leaving vulnerabilities unchecked in its wake. It consists of five
main stages, as follows.

1. Requirements Analysis

At this initial phase of software development, all the requirements are established; including
security requirements. This step typically entails identifying user security needs, developing
policies to cover those needs, and specifying any regulatory mandates relevant to its creation.

2. Design

At this stage, software architects determine its architecture while security remains a top priority.
This may involve designing secure interfaces or processes and including encryption or other
measures into its design to protect user data.

3. Implementation

At this step, software coding begins. Secure coding practices should be adhered to in order to
avoid vulnerabilities such as SQL injection or buffer overflow vulnerabilities that could pose
threats during development.

4. Verification

Verifying software involves testing it to identify any vulnerabilities or security flaws and address
them accordingly, using methods such as code reviews, penetration testing and vulnerability
scanning.

5. Maintenance

Once deployed, software needs to be regularly maintained and updated in response to

emerging threats or vulnerabilities, which may involve patching software updates, changing
security configuration settings or responding to incidents as soon as they arise.

Benefits of the Secure SDLC

Secure SDLC delivers numerous advantages:

 By prioritising security from the outset, software becomes more likely to remain safe from
attacks and remain less at risk of disruptions.
 Attaining security during software development is usually more cost-efficient than patching
bugs after deployment has taken place.
 Secure SDLC can assist in meeting compliance standards that mandate specific security
measures.

Secure Coding Practices and Code Reviews

72
Secure Coding Practices

Secure Coding refers to writing code with security in mind, to protect against potential
vulnerabilities. It involves more than simply avoiding known security flaws; rather it must take
into account how your code design affects data handling processes and vice versa.

Here are a few secure coding practices:

1. Always verify input against its expected format to prevent SQL injection and cross-site
scripting (XSS) vulnerabilities.
2. Stay away from using functions or libraries known to contain vulnerabilities.
3. Error handling can prevent attackers from gathering intelligence about your system.
4. Code should run with only as much privilege as necessary in order to fulfil its intended
function, in order to limit potential damage if exploited by malicious actors.
5. Code Signing: Code signing involves employing digital signatures to validate and ensure the
integrity of a program code.

Code Reviews

Code reviews are essential in maintaining secure coding practices. In a code review, other
developers inspect a code sample for errors, bugs and security vulnerabilities to detect issues
before they become issues. This practice helps avoid potential headaches that might otherwise
arise down the line.

Code reviews should look for several things:

1. Security Vulnerabilities: The goal of a code review with security as the focus should be to
detect potential security flaws within it, such as potential exploitable flaws in code or its
subroutines, that might compromise user or system data security.
2. Coding Standards: Reviewers should make sure code complies with established coding
standards, often comprising specific security practices for reviewers to take note.
3. Code Quality: While security may be at the forefront, code reviews also help uncover any
quality-of-code issues which might compromise software's performance or reliability.

Implementing secure coding practices and conducting thorough code reviews are two effective
strategies to boost software security.

Secure Code Analysis Tools

Secure software development relies heavily on safe coding practices and manual code reviews;
however, they're not the only tools available. Automated secure code analysis tools (also
referred to as static application security testing (SAST) tools) allow developers to identify
security vulnerabilities faster.

Secure Code Analysis Tools

73
Secure code analysis tools examine source and compiled versions of code to detect security
flaws that might threaten its integrity, such as buffer overflows, SQL injection, cross-site
scripting (XSS), or insecure cryptography usage. Secure code analysis tools also detect
deviations from established coding practices and standards as well as potential deviations that
go against them.

SonarQube

SonarQube is an open source platform designed for continuous code quality inspection,
supporting over 20 programming languages and capable of identifying various security
vulnerabilities.

Fortify Static Code Analyzer

As part of Micro Focus's suite of application security tools, Fortify SCA identifies vulnerabilities
both within custom code and open-source components.

Checkmarx

Checkmarx offers an effective static code analysis tool which identifies vulnerabilities across
popular programming languages, providing peace of mind to developers.

Veracode static analysis

This tool allows for in-depth scanning of binaries to detect security flaws introduced through
open-source libraries or third-party code, in addition to vulnerabilities introduced via compilation
mistakes.

Benefits of Secure Code Analysis Tools

Using secure code analysis tools as part of your secure SDLC offers several advantages:

1. Early Detection: These tools help teams quickly detect potential security vulnerabilities
early in the development process when fixing them is usually cheaper and simpler.
2. Automation: By automating analysis processes these tools allow teams to save both time
and resources compared with manual code reviews.
3. Consistency: Automated tools are ideal for providing consistent and comprehensive code
reviews without human errors compromising them.

Secure code analysis tools can be an extremely valuable resource; however, they should never
replace secure coding practices and manual code reviews as a source of additional protection
for your code.

Instead, they should serve as complementary measures that add another level of defence
against unwanted infiltration into your program.

74
DevOps security and (CI/CD) pipelines

Integration of security from the beginning is vitally important when it comes to software
development, which forms the cornerstone of DevSecOps approach, which brings together
developers (Dev), security (Sec), and operations personnel (Ops) so as to guarantee its
presence throughout development lifecycle CI/CD pipelines.

DevOps Security or DevSecOps

DevSecOps is the philosophy of integrating security practices within DevOps processes.

DevSecOps involves developing a culture around Security as Code with ongoing, flexible
collaboration among release engineers and security teams; holding everyone responsible for
security decisions/actions taken that coincide with development/operation decisions/actions as
quickly and quickly.

Key elements of DevSecOps include:

 Security Requirements: Similar to functional requirements, security requirements should

also be established at the outset.
 Security Scanning: On an ongoing basis, conduct security scanning of both code base and
dependencies using automated tools for this task.
 Continuous Monitoring: Proactively track applications and infrastructure to detect security
threats quickly and react appropriately.
 Incident Response: Develop comprehensive incident response procedures in order to
quickly and efficiently address security incidents that arise.

CI/CD Pipelines and Security

Continuous Integration and Deployment (CI/CD) pipelines automate software delivery

processes. Developers are enabled to integrate changes back onto the main branch as often as
possible; then automated build, test and deployment processes start up automatically releasing
those updates directly into production.

Here's how security can be built into the CI/CD pipelines:

 Start building secure code from day one using secure coding practices and static code
analysis tools that can identify potential vulnerabilities during development.
 Utilise automated tools to scan dependencies for known security flaws.
 Add security tests to your automated testing suite - such as dynamic application security
testing (DAST) or interactive application security testing (IAST).
 Maintain the appropriate settings for both your application and infrastructure, and monitor
any modifications which could introduce vulnerabilities.
 Automation tools help reduce human error and ensure the correct version and configuration
are installed for an application deployment.

Integrating security into DevOps processes and the CI/CD pipeline enables early identification
and remediation of vulnerabilities that impact software developed - thus strengthening its

75
security posture compared to dealing with them later. Furthermore, such efforts foster an
environment in which security becomes everyone's responsibility.

Lesson Summary

 Cyber threats represent one of the foremost challenges of modern civilization.

 Threat Intelligence Platforms (TIPs) are tools designed to automate the process of
gathering, analysing, and managing threat intelligence.
 Threat intelligence provides organisations with an efficient tool for both proactive and
reactive incident responses, helping them defend against an ever-evolving cyber threat
landscape.
 Risk management plays a pivotal role in cybersecurity.
 By conducting regular vulnerability assessments and risk analyses, organisations can keep
their cybersecurity up to date and respond effectively to the evolving threat landscape.
 Noncompliance with regulations or customer trust issues may incur serious repercussions
for organisations; thus, understanding and adhering to compliance requirements are an
integral component of risk management.
 Security is of utmost importance in any software system.
 By including security considerations from its early inception and throughout its lifetime,
organisations can help safeguard their systems and data against cyber threats.
 Secure Coding refers to writing code with security in mind, to protect against potential
vulnerabilities.
 Code reviews are essential in maintaining secure coding practices.

MODULE 5

Learning Outcomes

Having completed this module you will be able to:

 Recognise common wireless network vulnerabilities.

 Discuss Wi-Fi security protocols (WPA2, WPA3).
 Outline common social engineering techniques.
 Distinguish between phishing, pretexting, and baiting attacks.
 Describe physical security controls and access management.
 Explain the role of IoT in today's world, common types of IoT devices and vulnerabilities in
IoT devices.
 List several key challenges related to securing IoT devices and networks.
 Identify common IoT protocols and their security features.
 Discuss the legal and ethical aspects of cybersecurity.
 Explain the ethical considerations in cybersecurity.

Wireless Network Security

This topic is intended to introduce you to Wireless Network Security.

Topics to Be Covered:

76
 Wireless network vulnerabilities and Threats.
 Wi-Fi security protocols.
 Wireless intrusion detection and prevention systems.
 Wireless penetration testing.

Wireless Network Vulnerabilities and Threats

Wireless networks offer convenient connectivity, enabling devices to interact without physical
cables between each other and to the internet.

Unfortunately, their freedom can come at the price of increased vulnerability from threats due to
being broadcast over airwaves; providing potential attackers easier access.

Common Wireless Network Vulnerabilities

1. Open Wireless Networks: An open wireless network doesn't require authentication for
network connection - making them highly vulnerable as any device within its range could
connect and potentially gain access to network resources.
2. Weak Encryption Protocols: Early wireless protocols such as WEP (Wired Equivalent
Privacy) can be easily broken, while even later protocols like WPA2 may still be
compromised by using weak passwords.
3. Wireless Device Vulnerabilities: Just like other technological equipment, wireless devices
come equipped with their own unique set of vulnerabilities. This could range from design
flaws or firmware bugs, configuration problems or configuration errors that allow hackers to
gain unauthorised entry.

Common Wireless Network Threats

77
1. Eavesdropping: Eavesdropping and intercepting are one of the primary threats to wireless
networks, with hackers using packet sniffing tools to capture and examine all data
transmitted over them. If these transmissions don't include enough encryption layers or their
security is weak enough, an attacker could gain access to sensitive information that they
should keep confidential.
2. Rogue Access Points: Rogue access points are wireless access points installed without
permission by network administrators, providing attackers with an entryway into a network.
3. Man-in-the-Middle Attacks: With this kind of attack, an attacker intercepts communication
between two parties to either listen in and/or pretend they're conversing normally - making
the two seem as though their dialogue has taken place naturally.
4. DoS Attacks: DoS attacks aim to render machines, networks, or services unavailable by
flooding them with excessively large requests from multiple sources.

Understanding vulnerabilities and threats is the foundation for secure wireless network
implementation, and in subsequent topics we will introduce various methods and best practices
for mitigating threats to ensure it will run without issue for years.

Remember, no solution provides 100% cybersecurity; rather, the goal should be to make it as
difficult for potential attackers to breach your network. Adopt a proactive approach by regularly
updating software, monitoring network traffic and informing users.

Wi-Fi Security Protocols (WPA2, WPA3)

WiFi security protocols are indispensable tools that aim to defend wireless networks against
various vulnerabilities and threats, providing authentication and encryption as critical features.
WPA2 and WPA3 are two widely utilised WiFi security protocols.

i. WPA2 (Wi-Fi Protected Access 2)

WPA2 was first implemented as an upgrade from WPA, first released in 2004. Since its debut, it
has proven an enormous improvement on previous standards including WPA and WEP (Wired
Equivalent Privacy), providing stronger data protection and network security features such as:

1. AES Encryption: WPA2 introduced Advanced Encryption Standard (AES), a significantly

stronger encryption protocol than Temporal Key Integrity Protocol used by WPA.

2. Personal and Enterprise Modes: WPA2 offers two distinct modes - WPA2 Personal and
WPA2 Enterprise. In Personal mode, authentication uses pre-shared keys (PSK), while
Enterprise uses an authentication server.

WPA2 may boast numerous strengths, yet its vulnerabilities still pose threats. Recently, an
exploit known as KRACK (Key Reinstallation Attacks) was discovered which may allow
attackers to intercept and decrypt network traffic without authorization from users.

78
ii. WPA3 (Wi-Fi Protected Access 3)

WPA3 was first unveiled as the latest wireless network security protocol in 2018 and provides
significant enhancements over its predecessor WPA2, covering many of its weaknesses:

 Enhance Encryption: In its enterprise mode, WPA3 employs 192-bit encryption technology
for increased protection when handling sensitive information.
 Robust Password-Based Authentication: WPA3 utilises Simultaneous Authentication of
Equals (SAE), providing robust protection from password guessing attacks even with weak
passwords used, making it harder for an attacker to guess it through repeated tries.
 Forward Secrecy: WPA3 provides enhanced forward secrecy. This feature prevents an
attacker from decrypting an encrypted data stream later even if their password becomes
compromised, eliminating a potential security threat to an encrypted data stream that was
captured during encryption.

Wi-Fi security protocols are indispensable components in protecting wireless networks against
potential threats and vulnerabilities, with WPA2 and WPA3 serving as leading-edge options in
network protection; WPA3 offers multiple advantages over its predecessor with its
implementation often yielding even greater results than just having more effective protocols
themselves.

Wireless Intrusion Detection/Prevention Systems

2/4/26, 18:43 - kakande: Wireless Intrusion Detection Systems (WIDS) and Prevention Systems
(WIPS) are vital elements in safeguarding wireless networks, monitoring radio spectrum for any
indication of unapproved access points or attacks that use illegal attack techniques. These
systems help keep networks protected.

Wireless Intrusion Detection Systems (WIDS)

WIDS monitor the wireless spectrum within range of your network and detect potential intruders
or attackers. Their main functions include:

1. Detecting Rogue Access Points: WIDS continuously scan the network in search of any
unauthorised access points which might pose security threats, to identify those with no legal
authorization to gain entry and cause security breaches.
2. Identifying Attack Patterns: WIDS can detect common attack patterns such as denial-of-
service attacks, man-in-the-middle attacks or known exploit techniques to protect
businesses against these potential attacks.
3. Alert Administrators: Once potential threats have been detected by WIDS, an alert
notification may be generated and sent via email, dashboard notification or alarm system to
network administrators.

Wireless Intrusion Prevention Systems (WIPS)

WIDS can detect and alert administrators about potential threats; WIPS go one step further by
actively working to prevent attacks. Key features of WIPS include:

79
1. Automated Protection: Once an imminent threat has been detected, WIPS can take
immediate and appropriate measures to secure the network; such as blocking traffic from an
unknown access point or disconnecting suspicious devices.
2. Preventing Unauthorised Access: WIPS employ various techniques such as blocking MAC
addresses or de-authenticating devices in order to stop unintended devices from accessing
their network.
3. Integration With Network Security Policies: WIPSs typically integrate seamlessly into overall
network security policies and can enforce these by blocking actions that violate them.

Wireless Intrusion Detection and Prevention Systems are essential elements of an effective
wireless network security strategy, offering essential layers of protection by identifying threats
as they emerge and reacting swiftly in real-time.

As cyber threats emerge more regularly than ever, having systems in place that detect and
react swiftly against such dangers is vital in safeguarding wireless networks effectively.

Wireless Penetration Testing

Wireless Penetration Testing, also referred to as Wireless Ethical Hacking, is an ethical hacking
security practice conducted legally against wireless networks to identify vulnerabilities that
malicious hackers could exploit and to understand weaknesses within them that require
upgrades in security measures accordingly.

The goal is to understand each network's weaknesses so as to enhance them further and
strengthen protection measures accordingly.

Wireless Penetration Testing Process

The wireless penetration testing process generally involves the following steps:

Step 1-Establisth the scope

Before conducting a penetration test, testers must establish its scope. This may involve
specifying networks to be tested as well as any methods they will employ during their evaluation
process.

Step 2 - Reconnaissance

In Step 2, a tester conducts an environmental survey in order to locate all wireless devices
present, such as routers, access points and client devices. Tools like network sniffers or
wireless discovery tools may be utilised here for this task.

Step 3 - Vulnerability Identification

80
In Step 3, vulnerability testing involves searching the wireless network for vulnerabilities which
could be exploited - for instance weak encryption, default or weak passwords, outdated
firmware versions etc.

Step 4 - Exploitation

Once identified vulnerabilities are confirmed, testers attempt to use them exploit them by
breaking into wireless network and accessing sensitive files without authorization. This step
provides insight into potential damage that would occur should an intruder exploit these
weaknesses for malicious use.

Step 5 – Reporting

Once testing has concluded, the tester prepares an extensive report detailing any vulnerabilities
discovered or exploit attempts, along with recommendations to enhance network security.

Tools for Wireless Penetration Testing

There are several tools that can aid in wireless penetration testing. Some popular ones include:

 Aircrack-ng: An assessment toolkit developed specifically to evaluate Wi-Fi network

security. It covers key aspects such as monitoring, attacking, testing and cracking.
 Kismet: Kismet is an open-source Wi-Fi analyzer, sniffer and intrusion detection system
capable of locating network elements as well as potential vulnerabilities within networks.
 Wireshark: Wireshark is a network protocol analyzer which allows users to capture and
interactively explore network traffic on any computer network.

Wireless penetration testing is a critical aspect of network security for organisations. By

identifying potential weaknesses within their networks and taking preventative steps to secure
them, organisations are better able to protect sensitive information while also preventing
unwarranted access.

This proactive approach to security helps safeguard sensitive data while keeping vital resources
safe from outside access.

Social Engineering and Physical Security

This topic is intended to introduce you to

Topics to Be Covered:

 Overview of social engineering techniques.

 Phishing, pretexting, and baiting attacks.
 Physical security controls and access management.

Overview of Social Engineering Techniques

81
Social engineering is an insidious non-technical attack strategy used by cyber attackers that
leverages human interaction in order to bypass standard security protocols and gain
unauthorised access.

Understanding various social engineering techniques as a cybersecurity professional is vital in

creating strategies to counter them effectively.

Common Social Engineering Techniques

Technique 1: phishing

This form of social engineering is among the most widespread. Phishers usually utilise email or
malicious websites to solicit personal data by pretending to be legitimate organisations or
people, often by appearing trustworthy when conducting the scam.

Technique 2: Pretexting

This tactic uses deception by creating a false pretext (the pretext) in order to obtain personal
information from victims, for instance by impersonating bank representatives requesting account
details confirmations or by making false promises about meeting up at banks to retrieve victim's
personal details.

Technique 3: Baiting

Baiting is similar to phishing but involves promising the victim an incentive, for instance leading
them to install malicious software believing it's a free game or movie download.

Technique 4: Tailgating

Piggybacking refers to when an unauthorised individual follows someone into restricted areas
without authorisation from them or with authorization.

Technique 5: Quid Pro Quo

Translated literally as 'something for something," this strategy involves exchanging services or
benefits in exchange for access or information.

Technique 6: Spear phishing

2/5/26, 09:44 - kakande: Spear phishing is a more targeted version of phishing in which an
attacker conducts research on their target before devising and tailoring an attack accordingly.

Emails used in spear phishing may target individuals by their role within an organisation or
some other personal detail, making the attack all the more personalised.

82
Social engineering tactics exploit human vulnerabilities rather than technological vulnerabilities
and may be hard to counter using technical measures alone. Therefore, understanding these
techniques and educating users is essential as part of any comprehensive cybersecurity plan.

Phishing, Pretexting, and Baiting Attacks

Social engineering techniques like phishing, pretexting and baiting attacks are used widely
within cybersecurity to convince individuals into divulging sensitive data. Gaining an
understanding of such tactics is crucial in order to prevent them and maintain robust
cybersecurity protections.

1. Phishing Attacks

Phishing is the practice of collecting personal information using false emails or websites in an
effort to gather such details as account credentials. Here's how it generally works:

An attacker sends out emails purporting to come from trustworthy sources - this could include
banks, social networking sites, payment apps or sites, online store auction sites or
administrators as well as reliable IT administrators - which create urgency or fear among their
recipients and prompt them to act immediately or quickly. Your account could be at risk unless
you confirm your personal data immediately or that there has been some breach in its security.

Emails contain links leading to fake websites where visitors are requested to provide personal
data such as their account username, password, full name, address, DOB, social security
number and credit card details - providing attackers with all they need for identity theft, financial
fraud or any number of crimes to commit against you.

2. Pretexting Attacks

Pretexting is a form of social engineering in which an attacker attempts to build up an

acceptable pretext that they can use to steal personal data from victims. Scammers typically
begin this type of attack by building trust with their victim by impersonating coworkers,
policemen, bank and tax officials or anyone with access to right-to-know information - in turn,
using this trust to trick their victim into giving out personal data either over the phone or
electronically.

3. Baiting attacks

Baiting attacks resemble phishing attempts in that both involve promises to deliver goods or
items as lures for victims to fall for them. What differentiates baiting attacks is their promise of
something tangible in exchange for trusting their perpetrators with personal details or financial
data. Baiting attackers typically offer users free music or movie downloads if they provide their
login details - the moment you provide this data, attackers have control of your system or data!

As another popular strategy, dropping malware-infected physical devices, like USB flash drives
in public places (bathrooms, elevators, or sidewalks) that will likely attract victims is another
popular tactic for infecting physical targets with malware. Simply wait until someone touches or
uses your device - they could end up becoming your victims without you

83
realising. Understanding how phishing, pretexting and baiting attacks work allows us to be
better equipped at protecting ourselves against them. Awareness should serve as the
cornerstone of every organisation's security program and ongoing education and training
regarding these threats must form part of it.

Physical Security Controls/Access Management

2/5/26, 10:00 - kakande: Cybersecurity often prioritises protecting digital assets against threats;
however, physical security controls play an equally vital role in safeguarding physical assets like
servers and computers from damage and unwarranted entry - this form of defence known as
physical security controls when combined with proper access management solutions form a
comprehensive approach that safeguards an organisation against both digital and physical
risks.

Physical Security Controls

Physical security controls are measures taken by organisations and their assets and sensitive
data against threats that could compromise them and result in loss or damage of information or
hardware. Common physical security controls:

1. Perimeter Security: This encompasses walls, fencing, gates and barriers with perimeter
intrusion detection systems and surveillance systems to detect possible intruders within their
boundaries.
2. Access Control: Security guards, receptionists, biometric access control systems, card
readers and keys may all be employed to limit who can enter certain buildings or areas
within them.
3. Intrusion Detection: Utilising alarm systems to identify unauthorised access.
4. Environmental Hazard Protection: These include fire suppression systems, HVAC units
(which regulate climate and humidity levels), power supply units as well as fire
extinguishers.
5. Security Measures in Specific Locations: Server rooms may require extra precautionary
security measures.

Access Management

Access management entails monitoring who has access to which areas within an organisation.
This requires processes and technologies for controlling network resources as well as system
resources - helping employees access only those data needed for job functions. Key
components of access management include:

1. User Identification: User identification refers to the process of verifying users when they
attempt to gain entry into a system.
2. Authentication: The act of verifying credentials held by individuals, computer processes, or
devices. Methods include knowing something (password or PIN), possessing something
(access card/smart card), or being something they themselves (biometric data such as
fingerprints/retina patterns).

84
3. Authorization: Determining what permissions an authenticated individual or device has
access to for a resource or system.
4. Access Controls: Access controls are methods used to enforce authorization by determining
who may access resources based on authentication credentials, which could involve
network access control (NAC), firewall and intrusion prevention systems as appropriate.

Physical security controls and access management are crucial elements of an effective security
plan, serving to safeguard both physical assets as well as digital data from unapproved access
or environmental risks, providing peace of mind to both employees and clients of an
organisation.

Internet of Things (IoT) Security

This topic is intended to introduce you to Internet of Things (IoT) Security.

Topics to Be Covered:

 Understanding IoT devices and their vulnerabilities.

 IoT security challenges and risks.
 Securing IoT ecosystems and protocols.
 IoT penetration testing and vulnerability assessment.

Understanding IoT Devices and Their Vulnerabilities

Introduction to IoT Devices

IoT (Internet of Things), is the name given to a networked collection of computing devices,
mechanical and digital machines, objects, or people connected by communication technologies
with unique identifiers (UIDs) capable of exchanging data without human-to-human or computer
interaction.

Consumer devices including smart home products and wearables to commercial/industrial uses
like smart factories/infrastructure are examples of IoT applications that utilize this concept.

The Role of IoT in Today's World blu

IoT plays an invaluable role across multiple fields - healthcare, agriculture, transportation - by
offering innovative solutions to current problems.

Examples of IoT applications in such settings are remote monitoring systems, automated
systems with predictive maintenance capabilities and advanced analytics; all designed to
increase efficiency, productivity and convenience.

Common Types of IoT Devices

 Consumer IoT devices: Consumer IoT devices include TV, speaker, wearable fitness tracker
and home appliance that use the Internet of Things technology.

85
 Commercial IoT devices: Devices like smart security systems, automated farming
equipment, and advanced logistics tracking tools fall under this category.
 Industrial IoT devices: This category includes devices used in manufacturing, energy
management, and smart cities, such as predictive maintenance equipment, smart grid
technologies, and industrial automation tools.

Vulnerabilities in IoT Devices

Despite their numerous benefits, IoT devices have numerous vulnerabilities that pose security
risks. Some of these vulnerabilities include:

 Insecure Network Services: Many IoT devices expose open network services that are
exposed to the internet, making these vulnerable services easy targets for attackers looking
to take control of IoT devices and gain control.
 Insufficient Privacy Protection: IoT devices may collect a large amount of personal data,
which may not always be securely stored or transmitted.
 Security Gap in IoT Devices: Unfortunately, many IoT devices can contain software
vulnerabilities which allow an attacker to gain entry and compromise them or their data.
 Lack of Secure Update Mechanism: Unfortunately, IoT devices frequently lack secure
mechanisms for updating software updates - leaving them exposed to attacks exploiting
outdated vulnerabilities in existing code.
 Use of Default or Weak Passwords: Many IoT devices come with default passwords that are
easily discoverable by attackers. Some devices also don't enforce strong password
practices, making them easy to compromise.

Understanding the Impact of IoT Vulnerabilities

Vulnerabilities in IoT devices can have serious repercussions. Attackers could take advantage
of them to access sensitive data or gain control of devices; disrupt services; or use
compromised devices as launchpads for further attacks against critical infrastructure systems -
with potentially disastrous ramifications on public safety.

IoT devices, while offering numerous benefits, present a new set of security challenges.
Understanding these devices and their vulnerabilities is a crucial step in ensuring their secure
deployment and operation. Future topics in this module will delve into strategies and best
practices for mitigating these risks and securing IoT devices.

IoT Security Challenges and Risks

IoT (Internet of Things) is an emerging field that links devices ranging from household
appliances to industrial machines via the internet, creating multiple advantages as well as
security challenges that must be understood to manage risks associated with IoT effectively.

Understanding IoT Security Challenges

There are several key challenges related to securing IoT devices and networks, including:

86
 Device Diversity: IoT encompasses an immense diversity of devices spanning tiny sensors
to large industrial machines with various software and security requirements that must all be
managed effectively in order for IoT solutions to work. Administering all this diversity can be
a daunting task indeed!
 Limited Resources: Many IoT devices have limited processing power, memory, and energy
resources, which makes it difficult to implement robust security measures like encryption or
intrusion detection systems.
 Scale: The sheer number of IoT devices makes it challenging to manage and secure these
devices effectively.
 Data Privacy: IoT devices often collect a large amount of personal or sensitive data, making
them attractive targets for cybercriminals.
 Lack of Standards: There is currently a lack of comprehensive security standards for IoT,
leading to inconsistency in security practices across different devices and sectors.

IoT Security Risks

These challenges lead to several potential risks, including:

1. Unauthorized Access: IoT devices contain vulnerabilities which could allow an attacker to
gain unauthorized entry to both themselves or the network it connects to.
2. Data Breach: Insufficient data protection measures can lead to data breaches, where
sensitive data is exposed to unauthorized individuals.
3. Device Manipulation: Attackers may gain control over an IoT device and manipulate its
operation for malicious purposes.
4. Denial of Service Attacks: IoT devices can become vulnerable to DoS attacks that disrupt
their operation and services rendered.
5. IoT Botnets: Compromised IoT devices can be harnessed into an army-scale botnet to
launch large-scale attacks against organizations or people.

Case Studies of IoT Security Incidents

Recent security incidents highlighting IoT risks have drawn public attention, including:

1. Mirai Botnet: Composed mostly of IoT devices such as security cameras and routers, Mirai
botnet was utilized in 2016 for powerful Distributed Denial of Service attacks against targets
like DNS providers and routers.
2. St. Jude Medical Pacemakers: In 2017, the Food and Drug Administration confirmed that
certain St. Jude Medical pacemakers contained vulnerabilities which allowed attackers to
quickly drain batteries or alter the pacing of devices by depleting battery capacity or altering
pacer pacing settings.

Security risks related to IoT security can be real and significant, with potential effects ranging
from privacy breaches to threats against human life.

87
Addressing them effectively requires taking a multifaceted approach which includes
technological measures, regulatory frameworks, user education strategies. Subsequent topics in
this module will explore these measures more in-depth.

Securing IoT Ecosystems and Protocols

Introduction to IoT Ecosystems and Protocols

IoT ecosystems consist of a vast array of devices connected and communicating through
various protocols. These protocols, specifically designed to cater to IoT's unique requirements,
facilitate interactions between devices. Some popular IoT protocols include MQTT, CoAP,
Zigbee, and Bluetooth Low Energy (BLE).

The Importance of IoT Protocol Security

IoT protocols serve a pivotal function in transmitting data between devices; however, they also
pose potential attack vectors if left unsecured.

Thus, understanding and implementing proper security measures for IoT protocols are vitally
important to creating and protecting an secure IoT ecosystem.

Common IoT Protocols and Their Security Features

1. MQTT (Message Queuing Telemetry Transport): A lightweight messaging protocol

commonly used in IoT for transmitting data from devices to servers. It offers some basic
security features like TLS encryption and username/password-based access control.
2. CoAP (Constrained Application Protocol): Designed for resource-constrained IoT devices, it
provides features like support for DTLS (Datagram Transport Layer Security) for encryption
and built-in methods for managing device authorization.
3. Zigbee: A low-power, low-data-rate wireless protocol for IoT devices, often used in home
automation. Zigbee supports 128-bit symmetric encryption keys for network security.
4. Bluetooth Low Energy (BLE): Widely used in wearables and home automation, BLE has
various security features such as pairing methods and encryption. However, it has
vulnerabilities that can be exploited if not properly configured.

Securing IoT Ecosystems

Securing IoT ecosystems

Securing an IoT ecosystem requires a holistic approach that addresses all layers of the
ecosystem. Some key measures include:

 Device Security: Use strong, unique passwords for each device. Enable automatic updates
to ensure devices are always running the latest, most secure software.
 Data Security: Protect the data collected and processed by IoT devices. This could involve
using encryption for data at rest and in transit and applying strict access controls.

88
 Network Security: Use firewalls and intrusion detection systems to monitor for suspicious
activity. Secure Wi-Fi networks and segment them to isolate IoT devices from other network
resources.
 Secure Protocols: Use secure communication protocols that provide encryption and
authentication.

Adopting security standards and best practices

Emerging standards and best practices exist which seek to provide guidelines for protecting IoT
ecosystems, with NIST in the US offering detailed recommendations in their "Considerations for
Managing Internet of Things (IoT) Cybersecurity and Privacy Risks" guide.

Although IoT brings many advantages, it also poses serious security threats. To limit these
dangers and achieve optimal performance from IoT technology, all its elements - devices
themselves, data processed by them, networks they connect to and protocols used for
communication must all be secured properly so as to take full advantage of its benefits while
mitigating risks associated with its deployment. By taking such proactive steps we can leverage
IoT without facing its downsides!

IoT Penetration Testing/Vulnerability Assessment

Pen testing (also referred to as penetration testing or pen testing) and vulnerability assessments
are effective ways of quickly detecting vulnerabilities within an IoT ecosystem before malicious
actors exploit them.

While vulnerability assessments concentrate on pinpointing possible weaknesses, penetration

testing goes one step further by exploiting identified flaws to understand their real world effects
and impact.

Understanding IoT Penetration Testing

IoT Penetration Testing is a structured process where ethical hackers simulate real-world attack
scenarios to identify security vulnerabilities in IoT devices and systems. These can include
testing for:

1. Weak Authentication: This involves trying to bypass login mechanisms using techniques like
password cracking or exploiting default credentials.
2. Insecure Network Services: Ethical hackers may probe network services exposed by the IoT
device to identify potential avenues for intrusion or data interception.
3. Firmware Vulnerabilities: Pen testers may also analyze the device's firmware to look for
vulnerabilities that can be exploited.

Role of Vulnerability Assessment in IoT Security

A vulnerability assessment is a systematic examination of an IoT ecosystem to identify, classify,

and prioritize vulnerabilities. It typically involves automated tools to scan for known
vulnerabilities and can identify issues such as:

89
 Outdated Software: Old software versions may have known vulnerabilities that can be
exploited.
 Misconfigurations: Incorrectly configured systems or services can expose the device to
potential attacks.
 Weak Encryption: If the device uses weak or outdated encryption standards, it could leave
data transmissions vulnerable to interception and decryption.

Tools for IoT Penetration Testing and Vulnerability Assessment

Several tools can be used for IoT penetration testing and vulnerability assessment, such as:

 Nmap: An open-source network scanner used to discover hosts and services on a network.
 Wireshark: A network protocol analyzer used for troubleshooting, analysis, software and
communication protocol development.
 Metasploit: A penetration testing platform that enables you to find, exploit, and validate
vulnerabilities.
 OpenVAS: A full-featured vulnerability scanner that helps you to scan your systems for
known vulnerabilities.

The Importance of Ethical Considerations

During penetration testing, ethical considerations are paramount. Testers should always have
explicit permission before testing, should aim to minimize potential disruptions, and should
handle any discovered vulnerabilities responsibly, typically through a process of responsible
disclosure to the device or system's manufacturer.

IoT penetration testing and vulnerability assessments are integral parts of an effective IoT
security strategy. By identifying and mitigating vulnerabilities early, organizations can greatly
lower their risk of cyber attacks - but such processes must be handled responsibly in order to
stay ethical.

Legal and Ethical Aspects of Cybersecurity

This topic is intended to introduce you to the legal and ethical aspects of cybersecurity.

Topics to Be Covered:

 Cybersecurity laws and regulations.

 Intellectual property rights and data privacy.
 Ethical considerations in cybersecurity

Cybersecurity Laws and Regulations

As our world becomes ever more interconnected, cybersecurity has become not just a technical
but a legal and regulatory concern. There is an array of laws and regulations which outline how
data must be protected, breach notifications are handled and how organisations must react
when attacks happen; understanding these is crucial for professionals in cybersecurity fields.

90
i. Cybersecurity Laws and Regulations

Laws and regulations concerning cybersecurity exist both nationally and internationally, often
with an eye toward protecting personal data, mandating organisations to employ adequate
security measures, and outlining penalties for cyber crimes.

ii. CFAA (The Computer Fraud and Abuse Act)

Enacted in 1986 to combat hacking, this United States legislation punishes any unauthorised
access or overuse of authorised accounts - with fines or imprisonment as possible penalties.

iii. GDPR (The General Data Protection Regulation)

An EU legal instrument which establishes data protection and privacy across Europe. This
regulates data protection law across all member nations while setting stringent controls over
how personal data should be managed and processed.

iv. HIPAA (Health Insurance Portability and Accountability Act of 1996):

This US legislation contains data privacy and security provisions to help safeguard medical
information.

v. CCPA (The California Consumer Privacy Act)

This U.S. state law gives California residents more control over the personal data collected
about them by businesses, including rights such as having knowledge, editing or deletion and
opting out from selling personal information to third parties.

vi. PCI DSS (The Payment Card Industry Data Security Standard)

While not legally mandated, companies processing credit card transactions must abide by this
standard which mandates maintaining secure networks, protecting cardholder data and
monitoring networks while adhering to an information security policy.

Understanding laws and regulations surrounding cybersecurity is vitally important for

professionals in this industry. They establish what constitutes cybercrime while setting security
standards across systems and data. Knowledge of such regulations allows professionals to craft
comprehensive yet compliant cybersecurity strategies, but keep in mind that laws vary by
jurisdiction - what may be legal in one may not necessarily apply to another.

Professionals working in cybersecurity must not only consider technical strategies and solutions
but also understand the legal landscape when providing cybersecurity advice to organisations.
Laws and regulations play a pivotal role in outlining what organisations must implement to
secure their data and systems.

Intellectual Property Rights and Data Privacy

91
Intellectual property protection and data privacy have taken an elevated place within digital
environments. Cybersecurity professionals must possess an in-depth knowledge of these
concepts as they often act as first lines of defence against protecting essential data.

Intellectual Property Rights

2/5/26, 11:32 - kakande: Intellectual property rights refer to any right granted to creators over
their creations made using their mind, usually granted for a set period of time and normally
giving an exclusive use privilege over said creation for use and consumption by its author.
Common forms of intellectual property rights include:

 Copyright: Copyright is the term legal terminology for rights that creators possess over
literary and artistic works like books, music albums, paintings, sculptures and movies.
 Patents: A patent grants exclusive rights for an invention. An invention could include any
product or process which provides new ways of doing things or offers technical solutions to
issues in society.
 Trademarks: A trademark is an identifiable symbol or sign used to identify goods and
services provided by one enterprise from those provided by others.

Protecting intellectual property (IP) means safeguarding it against theft, unwarranted access
and other cyber risks posed by theft and unwarranted use. This may involve safeguarding
patented technology, copyrighted software, or brand trademarks of companies.

Data Privacy

Data or information privacy refers to the appropriate management of personal data belonging to
individuals. It requires managing how it's collected, stored, processed and shared among
parties that have access to that data. A number of principles serve as guides when handling this
type of information:

1. Consent for collection/processing: Personal data must not be collected/processed without

explicit, informed consent of an individual.
2. Limiting purposes for collection/processing: Personal data should only be gathered for
specific, legitimate and documented reasons and not further processed in ways inconsistent
with these goals.
3. Data Minimization: Only necessary personal information should be gathered and processed.
4. Security: Your data should be protected using appropriate technical and organisational
measures.

Intellectual property rights and data privacy are two foundational concepts in cybersecurity. Both
highlight the necessity of safeguarding both individuals' creations as well as personal data
belonging to each.

As a cybersecurity professional, understanding these ideas will aid you in designing effective
systems and protocols designed to secure these essential elements of life.

Ethical Considerations in Cybersecurity

92
Professional cybersecurity personnel must consider both legal and ethical implications when
making choices regarding cyber security projects. Ethical decisions include making choices
which respect all parties involved: employers, customers and the wider public alike.

Key Ethical Considerations

There are several key ethical considerations in cybersecurity:

Respect for privacy

Respecting privacy extends beyond simply adhering to laws and regulations; it involves
acknowledging and upholding people's right to control over their personal information - such as
data collection, storage and use considerations.

Honesty and integrity

Cybersecurity professionals should conduct honest assessments of security risks without

withholding or manipulating any data for personal gain or in order to escape their responsibility.

In addition, they must abide by both organisation rules and local jurisdiction laws when
rendering these services.

Cybersecurity professionals should conduct honest assessments of security risks without

withholding or manipulating any data for personal gain or in order to escape their responsibility.

In addition, they must abide by both organisation rules and local jurisdiction laws when
rendering these services.

Responsibility

Professionals should accept responsibility for the work they perform, including protecting
systems' security while considering user impacts and public interest concerns.

In the event of a breach occurring, professionals should act quickly to mitigate harm while taking
preventive steps against future incidents.

Respect intellectual property

Cybersecurity professionals should recognize and uphold the rights of creators and owners of
intellectual property.

This involves not only abstaining from illegal activities like piracy but also making sure their
actions do not unwittingly put such property at risk.

Code of Ethics

93
Many professional organisations have implemented codes of ethics for their members. One
such code of ethics can be found with (ISC)2, who offer the Certified Information Systems
Security Professional (CISSP) certification; its members are expected to abide by it when
upholding society and infrastructure protection, acting honourably and honestly, offering
competent service delivery, advancing integrity within their profession and protecting society in
general.

Ethical Hacking

Ethical hacking or penetration testing, where professionals attempt to gain entry to systems to
identify vulnerabilities. Such work must be carried out under ethical considerations by seeking
permission, respecting target rights and interests, and working toward improving security rather
than exploiting vulnerabilities.

Ethics play an integral part of cybersecurity. They allow professionals to make decisions that
respect all parties involved while adhering to all relevant laws and regulations. Understanding
ethical considerations as part of working in cybersecurity is paramount

Lesson Summary

 Understanding vulnerabilities and threats is the foundation for secure wireless network
implementation.
 Wireless penetration testing is a critical aspect of network security for organisations.
 Social engineering tactics exploit human vulnerabilities rather than technological
vulnerabilities and may be hard to counter using technical measures alone.
 Understanding how phishing, pretexting and baiting attacks work allows us to be better
equipped at protecting ourselves against them.
 Although IoT brings many advantages, it also poses serious security threats.
 IoT penetration testing and vulnerability assessments are integral parts of an effective IoT
security strategy.
 Professionals working in cybersecurity must not only consider technical strategies and
solutions but also understand the legal landscape when providing cybersecurity advice to
organisations.
 Protecting intellectual property (IP) means safeguarding it against theft, unwarranted access
and other cyber risks posed by theft and unwarranted use.
 Intellectual property rights and data privacy are two foundational concepts in cybersecurity.
 Ethics play an integral part in cybersecurity. They allow professionals to make decisions that
respect all parties involved while adhering to all relevant laws and regulations.

94