Cybersecurity

A Beginner’s Guide to Firewalls and Network Safety

Firewalls are a core part of any organization’s security infrastructure. They act as a barrier between a trusted network and untrusted ones, such as the Internet.

This module covers firewalls: how they work, how they are configured, and the techniques used to bypass or strengthen them, giving ethical hackers the knowledge to test and secure these systems.

Let’s explore what this module offers and why firewalls are the first line of network defense.

What is a Firewall?

A firewall is a security device or piece of software that monitors and controls incoming and outgoing traffic based on predefined rules. It works as a digital gatekeeper that lets legitimate traffic through while blocking malicious or unauthorized access. Firewalls are essential for protecting networks against threats such as malware, intruders, and unauthorized users.

Main Topics:

#Types of Firewalls

1. Packet-Filtering Firewalls

These firewalls examine each packet individually against a set of predefined rules. The rules are based on criteria such as source and destination IP addresses, ports, and protocols.

  • How It Works:
    • Filters traffic using only the header fields of each packet.
    • Blocks or allows packets based on the rule set (e.g., block TCP port 23 to stop Telnet).
  • Strengths:
    • Simple and fast.
    • Effective for basic traffic control.
  • Limitations:
    • Cannot analyze packet content or track sessions, so it cannot tell a legitimate reply from an unsolicited packet.
    • Vulnerable to attacks like IP spoofing.

2. Stateful Inspection Firewalls

They track the state of active connections and use this context to make filtering decisions.

  • How It Works:
    • Maintains a state table to monitor ongoing connections.
    • Allows a new connection only if a rule permits it, then automatically passes the return packets of that established session without re-evaluating the rules.
  • Strengths:
    • Provides better security by understanding connection states.
    • Prevents unauthorized access while allowing legitimate traffic.
  • Limitations:
    • More resource-intensive than packet-filtering firewalls.
    • Requires more configuration and management.

3. Proxy Firewalls

These firewalls sit between clients and servers at the application layer. All traffic passes through the proxy, which terminates the client’s connection, analyzes and filters the content, and then opens its own connection to the destination.

  • How It Works:
    • Inspects traffic content.
    • Hides the client’s IP address from the destination, since the server only ever sees the proxy.
  • Strengths:
    • Offers detailed content inspection and robust security.
    • Can block specific content or applications, such as websites or downloads.
  • Limitations:
    • Slower compared to other types due to in-depth analysis.
    • May require significant configuration and maintenance.

4. Next-Generation Firewalls (NGFWs): Combine stateful filtering with advanced features like deep packet inspection, intrusion prevention, and application-level filtering (identifying the application regardless of the port it uses).

#Firewall Architectures

  • Network-Based Firewalls: Deployed at network perimeters to secure large-scale systems.
  • Host-Based Firewalls: Installed on individual devices to protect them directly.
  • Cloud Firewalls: Secure virtual environments and cloud-based resources.

#How Firewalls Work

A firewall enforces security policy through access control lists (ACLs): ordered rules that are evaluated from top to bottom, where the first matching rule decides whether a packet is allowed or dropped, and an implicit deny catches anything that matches no rule.

  • Inbound and Outbound Filtering: Monitoring data entering or leaving the network.
  • Rule Creation: Setting up rules based on IP addresses, ports, and protocols.
  • Zones and Interfaces: Configuring trusted, untrusted, and DMZ zones for better segmentation.

#Firewall Evasion Techniques

Ethical hackers need to understand how attackers bypass firewalls in order to secure them better.

1. Tunneling

Tunneling wraps malicious traffic inside protocols that the firewall is expected to allow, such as HTTP or HTTPS, so that it looks like ordinary web traffic. Since firewalls usually permit these protocols for normal browsing, the hidden payload passes through unless the content itself is inspected.

  • Defense:
    • Use deep packet inspection to analyze the content of traffic.
    • Restrict unnecessary protocols and monitor for unusual traffic patterns.

2. Spoofing

Spoofing involves forging packet header fields, most often the source IP address, so that traffic appears to come from a trusted host and matches an allow rule. A firewall that filters on addresses alone can be tricked into admitting unauthorized traffic.

  • Defense:
    • Apply ingress and egress filtering: drop packets arriving on the external interface that claim an internal source address, and drop outbound packets whose source address is not from the internal range.
    • Use stateful inspection, since a spoofed packet that belongs to no tracked connection is dropped as out of state.
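To make the ordered rule evaluation from the “How Firewalls Work” section, the state table, and the anti-spoofing defense above concrete, here is a toy stateful packet filter in Python. It is an added illustration written for this page, not code from the original module or from any firewall product: the trusted zone 10.0.0.0/8, the three rules, the interface names and the packet sequence are all assumptions. It shows the first-match ACL, the state table that lets reply packets through without consulting a rule, the out-of-state drop that a plain packet filter cannot perform, and the ingress check that drops packets arriving from outside with an internal source address.

```python
"""Toy stateful packet filter with an ordered ACL, a connection-state table,
and ingress anti-spoofing. Added illustration, not code from the original
page or from any firewall product; the zone, rules, addresses and packets
below are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed trusted zone


@dataclass(frozen=True)
class Packet:
    iface: str          # "ext" (untrusted side) or "int" (trusted side)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    iface: str            # arrival interface, or "any"
    proto: str            # protocol, or "any"
    dst_net: str          # destination network in CIDR ("0.0.0.0/0" = any)
    dport: Optional[int]  # destination port, None = any

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))


# Evaluated top to bottom, first match wins, implicit deny at the end.
RULES = [
    Rule("allow", "ext", "tcp", "10.0.1.0/24", 443),  # inbound HTTPS to the DMZ
    Rule("deny",  "ext", "tcp", "0.0.0.0/0", 23),     # never allow Telnet in
    Rule("allow", "int", "any", "0.0.0.0/0", None),   # internal hosts may go out
]


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state = set()  # 5-tuples of connections already allowed

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        # 1. Ingress anti-spoofing: a packet arriving from the untrusted side
        #    must not claim an internal source address.
        if p.iface == "ext" and ipaddress.ip_address(p.src) in INTERNAL_NET:
            return "drop:spoofed"
        # 2. Traffic of a connection we already allowed (either direction)
        #    passes without consulting the ACL again.
        if self._flow(p) in self.state or self._reverse(p) in self.state:
            return "allow:established"
        # 3. A TCP packet that is not a SYN and matches no tracked connection
        #    is out of state: a plain packet filter would consult the rules,
        #    a stateful one drops it.
        if p.proto == "tcp" and not p.syn:
            return "drop:out-of-state"
        # 4. A genuinely new flow: the first matching rule decides.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.state.add(self._flow(p))
                return rule.action + ":rule"
        return "deny:default"


def demo() -> List[str]:
    """Runs a constructed packet sequence through the filter."""
    fw = StatefulFirewall(RULES)
    packets = [
        Packet("ext", "tcp", "198.51.100.7", 50000, "10.0.1.5", 443, syn=True),  # client opens HTTPS
        Packet("int", "tcp", "10.0.1.5", 443, "198.51.100.7", 50000),            # server reply
        Packet("ext", "tcp", "198.51.100.7", 50001, "10.0.1.5", 23, syn=True),   # Telnet attempt
        Packet("ext", "tcp", "10.0.2.9", 40000, "10.0.1.5", 443, syn=True),      # spoofed internal source
        Packet("ext", "tcp", "198.51.100.8", 40001, "10.0.1.5", 443),            # ACK with no prior SYN
        Packet("int", "udp", "10.0.5.3", 5555, "203.0.113.2", 53),               # outbound DNS query
        Packet("ext", "udp", "203.0.113.2", 53, "10.0.5.3", 5555),               # DNS reply comes back
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the demo prints, in order: allow:rule, allow:established, deny:rule, drop:spoofed, drop:out-of-state, allow:rule, allow:established. Note that the DNS reply is admitted only because the outbound query created a state entry; the same UDP packet sent unsolicited from outside falls through to the implicit deny.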

3. Misconfiguration Exploitation

Attackers look for overly permissive rules, such as unnecessary open ports, “any/any” allow rules, or rules left behind after a project ended. These give an easy way past the firewall without any evasion technique at all.

  • Defense:
    • Regularly review and update firewall rules.
    • Use automated tools to audit configurations.
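An auditor does not need a commercial tool to catch the most common mistakes. The following Python script is an added example, not code from the original page or from any product, that checks an ordered rule set for any/any allow rules, management ports reachable from any source, and shadowed rules (rules that can never match because an earlier rule already covers every packet they would). The rule format and the seven sample rules are constructed assumptions.

```python
"""Audit an ordered firewall rule set for the misconfigurations attackers look
for: any/any allow rules, management ports exposed to any source, and shadowed
rules that never match because an earlier rule already covers them. Added
example, not from the original page; the rule format and the sample rules are
constructed for illustration."""
import ipaddress
from typing import Dict, List, Tuple

Rule = Dict[str, str]  # keys: id, action, src, dst, proto, dport ("any" = unrestricted)

SAMPLE_RULES: List[Rule] = [
    {"id": "r1", "action": "allow", "src": "any",         "dst": "10.0.1.10/32", "proto": "tcp", "dport": "443"},
    {"id": "r2", "action": "deny",  "src": "any",         "dst": "10.0.1.0/24",  "proto": "tcp", "dport": "23"},
    {"id": "r3", "action": "allow", "src": "any",         "dst": "10.0.1.20/32", "proto": "tcp", "dport": "3389"},
    {"id": "r4", "action": "allow", "src": "10.0.0.0/8",  "dst": "10.0.1.0/24",  "proto": "tcp", "dport": "22"},
    {"id": "r5", "action": "allow", "src": "10.0.3.0/24", "dst": "10.0.1.0/24",  "proto": "tcp", "dport": "22"},
    {"id": "r6", "action": "deny",  "src": "any",         "dst": "10.0.1.10/32", "proto": "tcp", "dport": "443"},
    {"id": "r7", "action": "allow", "src": "any",         "dst": "any",          "proto": "any", "dport": "any"},
]

MANAGEMENT_PORTS = {"22", "23", "3389", "5900"}  # SSH, Telnet, RDP, VNC


def _net_covers(a: str, b: str) -> bool:
    """True if network spec a contains every address in network spec b."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ipaddress.ip_network(b, strict=False).subnet_of(ipaddress.ip_network(a, strict=False))


def _covers(a: str, b: str) -> bool:
    """True if field value a (protocol or port) accepts everything b accepts."""
    return a == "any" or a == b


def shadows(earlier: Rule, later: Rule) -> bool:
    """later can never fire if earlier matches every packet later would match."""
    return (_net_covers(earlier["src"], later["src"])
            and _net_covers(earlier["dst"], later["dst"])
            and _covers(earlier["proto"], later["proto"])
            and _covers(earlier["dport"], later["dport"]))


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] == "allow":
            if rule["src"] == "any" and rule["dst"] == "any" and rule["dport"] == "any":
                findings.append((rule["id"], "any/any allow rule"))
            elif rule["src"] == "any" and rule["dport"] in MANAGEMENT_PORTS:
                findings.append((rule["id"], f"management port {rule['dport']} open to any source"))
        # Shadowing only depends on rules above this one, since first match wins.
        for earlier in rules[:i]:
            if shadows(earlier, rule):
                findings.append((rule["id"], f"shadowed by {earlier['id']}, never matches"))
                break
    return findings


if __name__ == "__main__":
    for rule_id, problem in audit(SAMPLE_RULES):
        print(f"{rule_id}: {problem}")
```

On the sample set the audit reports r3 (RDP open to the world), r5 (a narrower duplicate of r4), r6 (a deny placed after the allow it was meant to block, a common ordering mistake) and r7 (a catch-all allow where a catch-all deny belongs). Real rule sets also need negation, port ranges and IPv6 handled, but the subset test is the same.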

4. Encryption

Encryption is used to hide malicious traffic within encrypted connections, such as HTTPS or VPNs. Since the content is encrypted, firewalls cannot inspect the payload without decryption.

  • Defense:
    • Implement SSL/TLS inspection so that the firewall decrypts, inspects, and re-encrypts traffic. This requires installing the firewall’s CA certificate on every client and carries privacy and performance costs, so where it is not used, rely on the metadata that stays visible: destination addresses, certificate details, connection frequency, and data volume.

#Firewall Hardening and Countermeasures

  • Ensuring firmware and rules are up-to-date.
  • Avoiding overly permissive rules and keeping ACLs clean.
  • Using VLANs and zones to isolate sensitive resources.
  • Combining firewalls with IPS for better threat detection.
  • Continuously analyzing firewall logs to detect suspicious activities.

Conclusion

This module guides you through understanding, configuring, and testing firewalls. Whether you are learning about basic packet-filtering firewalls or advanced next-generation firewalls, it equips you with the skills to identify weaknesses and defend against threats.

Keep in mind that a firewall only filters traffic crossing a boundary. It does not find or remove malware that is already on a host, so it has to be paired with endpoint protection and an incident response process.

Social Engineering: Understanding the Human Side of Cyber Attacks

What Is Social Engineering?

Social engineering is not a technical attack on software or hardware. It is the tactic of manipulating, influencing, or deceiving a victim in order to gain control of or access to computer systems and servers, or to steal personal and financial information from individuals, companies, and organizations. Social engineers exploit human trust, habit, and helpfulness, essentially “hacking” humans rather than machines.

How does social engineering work?

In a typical social engineering attack, a cybercriminal contacts the intended victim while claiming to be from a trusted organization. In some cases, they will even impersonate a person the victim knows.

For example:

Imagine someone receives a generic message warning of fraudulent activity on their bank account. They might ignore it as spam. If the message appears to come directly from their bank, with accurate branding and a familiar tone, they are far more likely to pay attention. To make it even more believable, the attacker can include specific details that match the victim’s recent activity: a suspicious charge from a country they recently visited, or a duplicate charge for a bill they have already paid. These details increase the sense of legitimacy and urgency, and the message leans on emotional triggers such as fear and time pressure to push the victim into acting before thinking.

Types of social engineering attacks?

Cybercriminals often use social engineering tactics to exploit human weaknesses. These attacks take many forms, such as email, text messages, phone calls, or in-person interactions, and can happen anywhere human interaction is involved. Let’s explore some of the common methods.

Phishing: An attempt to acquire sensitive information such as usernames, passwords, and credit card details by posing as a trustworthy party in bulk email, SMS text messages, or phone calls. Phishing messages are built to trigger urgency, curiosity, or fear, prodding victims into revealing sensitive information, clicking links to malicious websites, or opening attachments that carry malware.

Baiting: A social engineering attack in which the scammer uses a false promise to lure the victim into a trap that steals personal or financial information or infects the system with malware. The bait can be as simple as a malicious attachment with an enticing name.

Example: USB baiting sounds unrealistic, but it happens more often than you might think. Criminals load malware onto USB sticks and leave them in strategic places, hoping that someone will pick one up and plug it into a corporate computer, thereby unwittingly unleashing the malicious code inside the organization.

Tailgating: Also known as “piggybacking”, this is a physical breach in which an unauthorized person talks their way into a restricted or employee-only area using social engineering. The attacker might impersonate a delivery driver or a custodial worker, wait for an employee to open a door, and ask them to hold it, thereby gaining access to the building without ever presenting a badge.

Dumpster Diving: A scammer will search for sensitive information e.g., bank statements, pre-approved credit cards, student loans, other account information, in the garbage when it hasn’t been properly sanitized or destroyed.

Rogue Wi-Fi Networks: Attackers set up a fake Wi-Fi access point, often with a name resembling a legitimate one, to intercept the traffic of victims who connect to it.

These are only the most common forms; a full list of social engineering techniques is easy to find online.

Social Engineering Case Studies

Twitter – 2020

In July 2020, hackers gained access to Twitter’s (now known as X) internal systems and compromised high-profile accounts, including those owned by Barack Obama, Elon Musk, Bill Gates, and more. The hackers used social engineering tactics to manipulate employees and gain access to internal tools. They posted fraudulent messages from these accounts promoting a Bitcoin scam, asking people to send cryptocurrency to a specified address.

The incident exposed various security weaknesses and brought into question the company’s ability to protect high-level accounts. This incident damaged users’ trust in Twitter’s security measures, as users and experts criticized the company’s response. The attack caused a temporary drop in Twitter’s stock price and led to a federal investigation.

Uber – 2022 and 2016

In September 2022, an attacker used social engineering to compromise Uber’s systems. The individual who claimed responsibility told The New York Times that they had sent a text message to an Uber employee while posing as corporate IT staff, and convinced the employee to hand over a password, which gave the attacker entry into Uber’s systems.

The attacker claimed to have access to internal messaging services, databases, source code and emails.

This was not Uber’s first breach. After a previous attack in 2016, the company’s former Chief Security Officer (CSO) was convicted of federal charges for covering up a data breach involving millions of Uber user records. That earlier attack was not social engineering: according to reports, developers had uploaded code containing credentials to GitHub, where attackers found them and used them to access Uber’s systems, resulting in a breach affecting 57 million riders and drivers.

Uber was fined about $1.2 million by British and Dutch data regulators for the weak security practices exposed by the 2016 attack.

Sony Pictures – 2014

A criminal group named the “Guardians of Peace” targeted Sony Pictures Entertainment. The attack resulted in the theft and release of sensitive company data, including emails, employee information, and unreleased films. According to the US Government, the attackers used phishing to gain access to Sony’s network.

The breach significantly damaged Sony’s reputation, as leaked emails revealed controversial conversations among executives and exposed internal conflicts. The attack cost Sony millions of dollars in remediation efforts, legal settlements, and lost revenue from leaked films. Additionally, the incident prompted legal investigations and raised concerns about cybersecurity vulnerabilities in the entertainment industry.

Social Engineering Prevention

Preventing social engineering attacks requires a combination of awareness, vigilance, and security best practices. Here are some key ways to protect yourself:

1. Awareness and Training: teach staff to recognize the common techniques (phishing, pretexting, baiting, tailgating).
2. Verify Identities: before granting access, information, or permissions, confirm who you are dealing with through a channel you already trust, such as a known phone number, not the contact details given in the request.
3. Be Cautious with Emails and Links

  • Do not click on unknown or suspicious links.
  • Check for red flags in emails:
    • Urgency or threats
    • Spelling errors
    • Unfamiliar sender addresses
    • Generic greetings like “Dear User”
  • Hover over links to inspect their destination before clicking.

4. Use Strong Authentication: enable multi-factor authentication so that a phished password alone is not enough.
5. Secure Personal Information: limit what you share publicly, since attackers use personal details to make their pretexts convincing.
6. Be Alert to Phone and In-Person Scams: do not read out passwords or codes over the phone, and do not hold doors for people you cannot verify.
7. Report Suspicious Activities

  • If you suspect a social engineering attempt, report it to your organization’s security team or relevant authorities.
  • Keep records of suspicious emails or calls for future reference.

8. Use Security Tools

  • Install email filters to detect phishing attempts.
  • Use endpoint security solutions to prevent malware infections.
  • Enable browser security features to detect malicious sites.
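The red flags listed above can be checked mechanically, which is what mail filters do at scale. The Python script below is an added example, not code from the original post: it parses an email with the standard library and flags a sender domain that imitates a trusted one, urgency wording, a generic greeting, and anchor tags whose visible text names a different host than the real href. The trusted domain examplebank.com, the keyword lists and the two sample messages are constructed assumptions.

```python
"""Flag phishing indicators in an email: lookalike sender domain, urgency
wording, generic greeting, and links whose visible text names a different
host than the real destination. Added example, not code from the original
page; the trusted-domain list, the keyword lists and the two sample messages
are constructed for illustration."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # assumption: the sender the user really deals with
URGENCY_WORDS = ("immediately", "suspended", "within 24 hours", "verify your account", "urgent")
GENERIC_GREETINGS = ("dear user", "dear customer")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", "") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased hostname of a URL or of a bare 'host/path' string."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _imitates(domain: str, trusted: str) -> bool:
    """Lookalike: contains the trusted brand name but is not the trusted domain."""
    return domain != trusted and trusted.split(".")[0] in domain


def phishing_indicators(raw_message: str) -> list:
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    sender = msg["From"]
    sender_domain = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if _imitates(sender_domain, trusted):
                flags.append(f"sender domain {sender_domain} imitates {trusted}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lowered = text.lower()
    for word in URGENCY_WORDS:
        if word in lowered:
            flags.append(f"urgency wording: '{word}'")
            break
    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, visible in collector.links:
            # Only compare when the visible text itself looks like a URL or host.
            shown = _host(visible) if "." in visible and " " not in visible else ""
            real = _host(href)
            if shown and real and shown != real:
                flags.append(f"link text shows {shown} but points to {real}")
    return flags


# Constructed sample: a lookalike sender, urgency, generic greeting, disguised link.
SAMPLE_PHISH = """\
From: Example Bank Security <alerts@examplebank-secure.net>
To: victim@example.org
Subject: Unusual sign-in detected
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>We noticed a charge from a country you recently visited. Your account will be
suspended unless you confirm it at
<a href="http://198.51.100.23/login">https://examplebank.com/secure</a> within 24 hours.</p>
</body></html>
"""
# Constructed sample: a benign statement notification from the real domain.
SAMPLE_LEGIT = """\
From: Example Bank <statements@examplebank.com>
To: victim@example.org
Subject: Your March statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Alex,</p>
<p>Your statement is available in online banking at
<a href="https://examplebank.com/statements">examplebank.com/statements</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_PHISH))   # four flags
    print(phishing_indicators(SAMPLE_LEGIT))   # []
```

The link check is the programmatic form of “hover before you click”: the text the reader sees is compared with the host the browser would actually contact. A production filter would add checks this sketch omits, such as SPF/DKIM results and reputation of the link host, but the structure is the same.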

Malware Explained: How Hackers Attack and How to Defend Your Systems

Understanding Malware Threats

Malware is software used by attackers to disrupt systems, steal data, and take whole environments offline. CEHv13’s Module 05: Malware Threats teaches ethical hackers what malware is, how it works, and the ways to stop it.

The goals of this topic are to:

  • Spot Malware: Learn to identify signs of malware in a system.
  • Analyze Threats: Understand how malware works and what it can do.
  • Defend Systems: Protect systems from being attacked by malware.

What is Malware?

Malware is a program or code created to harm, exploit or gain unauthorized access to systems and networks. From stealing sensitive data to disrupting critical operations, malware is a versatile and dangerous tool for attackers.

Main Topics:

#Types of Malware

1. Viruses

Viruses are malicious programs that infect files and spread when those files are executed. They require user action, such as opening an infected file or running the program, to activate. Once active, they can corrupt data, slow down systems, and even disable important functionalities.

2. Worms

Worms are similar to viruses but differ in one key aspect—they spread across networks without needing user action. Worms exploit vulnerabilities in systems or software to replicate themselves.

3. Trojans

Trojans are malicious programs that disguise themselves as legitimate software to trick users into installing them. Once installed, they can open backdoors for attackers, steal sensitive information, or give remote control of the machine. Trojans often spread through phishing emails, malicious ads, or fake downloads.

4. Ransomware

Ransomware is a highly disruptive type of malware that encrypts files or locks entire systems and demands a ransom payment to restore access. It typically spreads through phishing emails and malicious links. Ransomware targets businesses and individuals alike by holding critical data hostage.

5. Spyware

Spyware secretly monitors user activities and collects sensitive data, such as passwords, credit card details, or browsing history. It often enters systems as part of legitimate-looking software or through vulnerabilities. Spyware is dangerous because it operates in the background, mostly without the user’s knowledge.

6. Adware

Adware is software designed to display advertisements. While sometimes simply annoying, adware can also collect user data or redirect users to malicious websites. It often comes bundled with free software downloads, and it is not always harmful but it can slow down systems and compromise privacy.

7. Rootkits

Rootkits are malware designed to hide an attacker’s presence once privileged (root or administrator) access has been obtained, giving persistent, covert control of the system. They are hard to detect because they operate deep within the operating system and subvert the very tools that traditional security products rely on.

8. Fileless Malware

Fileless malware operates mainly in memory, leaving few or no files on disk, which makes it hard to detect with file-scanning antivirus tools. It typically abuses legitimate tools already present on the system or exploits vulnerabilities in running applications to execute its payload.

#Malware Analysis Techniques

1. Static Analysis

Static analysis involves examining the malware without executing it. By analyzing the code, file structure, strings, and resources, security professionals can identify the malware’s capabilities before it ever runs.

What It Involves:

  • Hashing the file and checking the hash against antivirus engines or known-malware databases.
  • Reviewing strings and imported functions for hints such as file deletion, network, or encryption routines.
  • Inspecting metadata (compile time, sections, signatures) for clues about the malware’s origin and functionality.

Benefits:

  • Quick way to find if a file is malicious.
  • Helps detect techniques used to hide malware.
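As an added example, not code from the module, the following Python script performs the static triage steps described above on a constructed sample: it hashes the file and looks the hash up in a pretend known-bad set, pulls out printable strings and matches them against a short list of suspicious Windows API names and URLs, and computes byte entropy, a common hint that a file is packed or encrypted (one of the techniques used to hide malware). The sample bytes, the indicator list, the known-bad set and the entropy threshold are assumptions.

```python
"""Static triage of a suspicious file without executing it: hashes and a
known-bad lookup, printable strings, suspicious API names and URLs, and byte
entropy as a packing hint. Added example, not from the original page; the two
sample byte strings and the 'known-bad' hash set are constructed (a real
workflow queries a hash database instead)."""
import hashlib
import math
import re
from typing import Dict, List, Set

SUSPICIOUS = [b"CreateRemoteThread", b"VirtualAllocEx", b"WriteProcessMemory",
              b"cmd.exe /c", b"powershell -enc", b"http://", b"CryptEncrypt"]
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")       # runs of printable ASCII
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def file_hashes(data: bytes) -> Dict[str, str]:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes) -> List[bytes]:
    return STRING_RE.findall(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes, known_bad: Set[str]) -> dict:
    hashes = file_hashes(data)
    strings = extract_strings(data)
    indicators = sorted({s for s in strings if any(n in s for n in SUSPICIOUS)})
    entropy = shannon_entropy(data)
    return {
        "sha256": hashes["sha256"],
        "known_bad": hashes["sha256"] in known_bad,
        "is_pe": data[:2] == b"MZ",          # DOS/PE header magic
        "entropy": round(entropy, 2),
        "likely_packed": entropy > 7.2,      # heuristic threshold, an assumption
        "indicators": [s.decode("ascii") for s in indicators],
        "urls": sorted({u.decode("ascii") for u in URL_RE.findall(data)}),
    }


# Constructed sample: a tiny PE-like blob with injection APIs and a download URL.
SAMPLE_DROPPER = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16 + b"kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00"
    + b"WriteProcessMemory\x00http://203.0.113.10/stage2.bin\x00"
    + b"cmd.exe /c del %TEMP%\\a.tmp\x00"
)
# Constructed sample: "MZ" followed by deterministic pseudo-random bytes, standing
# in for a packed or encrypted binary that yields no useful strings.
SAMPLE_PACKED = b"MZ" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
# Pretend this hash arrived from a threat-intelligence feed.
KNOWN_BAD = {hashlib.sha256(SAMPLE_DROPPER).hexdigest()}

if __name__ == "__main__":
    for name, sample in (("dropper", SAMPLE_DROPPER), ("packed", SAMPLE_PACKED)):
        print(name, triage(sample, KNOWN_BAD))
```

The dropper sample yields a hash hit, process-injection API names, a second-stage URL and low entropy; the packed sample yields no strings worth reading but high entropy, which is exactly the case where static analysis stalls and dynamic analysis in a sandbox takes over.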

2. Dynamic Analysis

Dynamic analysis is about observing how the malware behaves when it runs. This is done in a secure, isolated environment to prevent harm to real systems.

What It Involves:

  • Running the malware in a sandbox to see what files it creates, modifies, or deletes.
  • Monitoring its network activities.
  • Capturing registry changes.

Benefits:

  • Provides a clear picture of the malware’s behavior and impact.

3. Reverse Engineering

Reverse engineering is the process of disassembling or decompiling the malware’s binary and analyzing the result to fully understand its purpose and functionality.

What It Involves:

  • Decompiling the malware to break it down into readable code.
  • Identifying algorithms used for encryption, data exfiltration, or persistence.
  • Understanding how the malware interacts with the system and evades detection.

Benefits:

  • Helps in writing detection signatures and in fixing the vulnerabilities the malware exploits.
  • Essential for analyzing advanced malware, such as ransomware.

#Delivery Mechanisms of Malware

Some common methods attackers use to deliver malware to victims:

  • Phishing Emails
  • Drive-by Downloads
  • USB Drives

#Countermeasures and Defenses

The module doesn’t just focus on threats – it teaches you how to defend against them.

Antivirus: Regularly updated tools to detect and remove malware.
Endpoint Protection: Tools to secure endpoints like laptops and phones.
Patch Management: Keeping software up to date to fix vulnerabilities.
User Awareness Training: Educating users to recognize phishing attempts and malicious links.
Network Segmentation: Limiting the spread of malware by isolating systems.

Conclusion

This module shows how attackers think and how to defend against their malware. Whether you are studying advanced malware techniques or implementing defenses, it prepares you to stay a step ahead of the attackers.

Together, these topics give a complete picture of malware and of how to defend against it.

Understanding the NIST Cybersecurity Framework

What is NIST? Let’s take a look:

NIST stands for the National Institute of Standards and Technology. It is a federal agency within the U.S. Department of Commerce that develops and promotes measurement standards, guidelines, and technologies to enhance innovation and industrial competitiveness. NIST plays a key role in areas such as cybersecurity, manufacturing, and scientific research.

About NIST CSF:

The NIST Cybersecurity Framework (CSF) is a comprehensive guide designed to help organizations manage and reduce cybersecurity risks. Developed by the National Institute of Standards and Technology (NIST), the CSF provides a flexible, risk-based approach to cybersecurity that can be applied across various industries and types of organizations, both public and private.

The latest version is NIST CSF 2.0, released in February 2024.

NIST CSF 2.0 organizes its outcomes into six functions:

1. Govern
2. Identify
3. Protect
4. Detect
5. Respond
6. Recover

Short Explanation of Functions and their categories:

Govern: The Govern function integrates governance, risk management, and oversight activities to ensure that cybersecurity is aligned with business objectives, regulatory requirements, and risk management strategies. It was introduced to bring a more holistic and strategic focus to cybersecurity management across the organization.

Categories of the Govern function:

i. Organizational Context (GV.OC): the organization must understand its mission, stakeholder expectations, and legal and regulatory requirements before it can set effective cybersecurity priorities.
ii. Risk Management Strategy (GV.RM): the organization’s risk appetite, priorities, and assumptions are established and used to guide decisions.
iii. Roles, Responsibilities, and Authorities (GV.RR): cybersecurity roles, responsibilities, and authorities are clearly defined and communicated across the organization.
iv. Policy (GV.PO): an organizational cybersecurity policy is established, communicated, enforced, and kept aligned with organizational goals.
v. Oversight (GV.OV): the results of cybersecurity risk management activities are monitored and used to adjust the strategy.
vi. Cybersecurity Supply Chain Risk Management (GV.SC): third-party and supplier risks are identified, assessed, and monitored throughout the supply chain.

Identify: The Identify function is about knowing what you need to protect; before assets can be protected they must be identified.

It has 3 categories:

i. Asset Management (ID.AM): identifying and recording all the assets (hardware, software, data, services, people) that need to be protected.
ii. Risk Assessment (ID.RA): assessing the cybersecurity risks to those assets.
iii. Improvement (ID.IM): identifying improvements to the organization’s cybersecurity risk management processes.

Protect: This function covers the safeguards used to manage cybersecurity risk to the assets.

It has 5 categories:

i. Identity Management, Authentication, and Access Control (PR.AA): often called IAM (identity and access management); it verifies who may access which assets and what they may do with them.
ii. Awareness and Training (PR.AT): educating employees and users in secure practices reduces cyber risk.
iii. Data Security (PR.DS): protecting the confidentiality, integrity, and availability of data.
iv. Platform Security (PR.PS): ensuring that the hardware, operating systems, and applications used to store and process data are secured.
v. Technology Infrastructure Resilience (PR.IR): ensuring that the network and platform architecture can withstand attacks and keep operating.

Detect: to make sure to detect attacks at their earliest stage.

It has 2 categories:

i. Continuous Monitoring (DE.CM): the platform and network are monitored continuously (for example by a SOC team) so that attacks are detected.
ii. Adverse Event Analysis (DE.AE): not every potential threat is a real one, so detected events are analyzed to decide which are actual incidents.

Respond: It is related to responding to the threats that are found.

It has 4 categories:

i. Incident Management (RS.MA): managing the incident from the point it is identified to its end.
ii. Incident Analysis (RS.AN): analyzing the incident using events and other data.
iii. Incident Response Reporting and Communication (RS.CO): formal reporting and communication with internal and external parties such as investors, users, or regulators.
iv. Incident Mitigation (RS.MI): containing and eradicating the incident quickly.

Recover: This involves recovering from the incidents like – restoring data etc

It has two categories:

i. Incident Recovery Plan Execution (RC.RP): once the incident is contained, recovering any damaged or lost data and restoring disrupted services.

ii. Incident Recovery Communication (RC.CO): just as stakeholders are kept informed during response, communication continues during service recovery.
