Cybersecurity Fundamentals

What is cybersecurity?
Refers to any technologies, practices and policies for
preventing cyberattacks or mitigating their impact.
Information security
Focuses on the value of the information we are trying to protect rather than
how we protect it.

 Physical security is the practice of physically protecting assets like

buildings, security cameras, equipment, and property from physical
threats such as theft, vandalism, fire, and natural disasters.
 Cybersecurity is the practice of protecting and recovering networks,
devices, and programs from any type of malicious cyber attack.
 Good security cannot have one without the other and both must work
towards the same objectives.
Information security’s objectives are often defined using the CIA triad as a
good starting point. CIA is a mnemonic for the three
objectives: Confidentiality, Integrity, and Availability.

Confidentiality Confidentiality means preventing information from falling

Information is private into the hands of people who do not have authorization to
access the information.

Integrity Integrity means making sure the information stays accurate

Information has not and consistent, and ensuring that unauthorized people
been altered cannot makes any changes to the information.

Availability Availability means timely and reliable access to and use of

Information can be the information when required.
accessed when
required

The CIA triad is a model to help guide policies for information security within an
organization.
Key elements of cybersecurity

People: people are the end users of digital systems and second, people
are often those responsible for the design and maintenance of digital
systems. Human action is by far the leading cause of cybersecurity
incidents. When organizations design a secure system, they must design
with people in mind.
Process: Good processes have the following attributes:
 They are clear and as easy as possible.
 They are accessible or well known.
 They are consistent. Processes should not contradict each other, if
possible.
Technology: Within cybersecurity, this commonly covers elements such as
device encryption, network perimeter defenses, and anti-malware
technologies.
The following table shows some technological leaps for security, their
perceived drawbacks, and some downsides to their introduction from the
user perspective.
 Perceived Undesirable user
Technological leap Business benefit drawback responses

Automated patch All software is up- Interruptions to use User does not
management to-date of device power down devices

High complexity Harder for Tedious to use P@ssw0rd!

mandatory attackers to guess
passwords passwords

Mandatory Passwords cannot Predictably PasswordJan to

passwords expire be compromised repetitive then PasswordFeb
after 30 days for long periods of
time

Encrypted emails Attackers cannot Additional Disable encryption

read emails in configuration and feature
transit complexity

Risk management
A risk is the possibility of something happening with a negative
consequence.
Risk valuation
All risks are not equally important. Certain risks may require urgent
attention whereas others may be ignored. Risks that are more significant,
are known as high risks. Basic equation to calculate the value of a risk:
Risk value = Consequence x Likelihood

Consequence is the impact and associated damages.

Likelihood is how often the risk impact occurs.
Within cybersecurity, likelihood is hard to directly measure due to the
constant evolution of technology and involvement of outside attackers. As a
good rule of thumb, the likelihood of an organization being attacked
depends partly on three attributes as follows:
Likelihood = Adversary capability x Adversary motivation x Vulnerability severity

An adversary is a general term used to describe an entity who wishes to

compromise an information system.
 Vulnerabilities are potential weaknesses within a system that could be
exploited to compromise it.
Risk response
There are four responses to a risk that an organization could choose.

Accept The organization accepts the risk in its current form. This is a decision that will be
made by a senior individual within the organization, referred to as a “risk owner”.

Reduce The organization could decide a risk is too large to accept and aim to have it
reduced in some fashion. This could either be through reducing the likelihood or
consequence.

Transfe The organization may want a third party to accept the risk, or part of it, instead of
r accepting it themselves. This is done via insurance.

Reject The organization could decide a risk is too high and may withdraw from being
affected by it. This will have significant business impacts such as shutting down
sites or avoiding markets.

Risk appetite
A risk appetite is the level of risk an organization is willing to accept.

 An organization is said to have a high risk appetite if it is willing to

accept a high level of risk.
 An organization is said to have a low risk appetite if it does not like
accepting risk.

Common misconceptions
 Everyone who works in cybersecurity comes from an IT background.
 All hackers are criminals.
 Cybersecurity is something I can’t do.
 I'm too old or too young to work in this industry.
Laws and ethics
Common types of computer misuse laws
 Unapproved use or control of a computer device
 Preventing others from legitimate use
 Aiding other criminals or designing malware
 To illustrate the complexity of the laws and ethics of cybersecurity,
this diagram shows how the areas of legality and ethics could be
seen to overlap.

Threat actor groups

These are diverse groups and they vary substantially in motivation,
resources, and techniques. Let's review and compare the five main types of
cyber attacker groups.

Group 1: Script kiddie

The first group is the least advanced, the script kiddie. The term "script
kiddie" refers to someone who uses programs, frequently basic hacking
tools, without truly understanding what is going on behind the scenes. They
may display a basic understanding of networking and programming, but
lack technical skills as well as patience or strategic intent.

Group 2: Hacktivist
The second group is the hacktivist. Hacktivist is a term which combines
"hacker" and "activist". Hacktivists seek a political or economic change and
will use hacking to achieve it.

Group 3: Criminal gang

As long as there is easy money to be made, criminals will always be a
problem for society. The internet’s creation has created a new method for
criminals to prey on victims with an unprecedented scale, range, and ease.
Rather than run risks in person, aspiring criminals can send out millions of
infected emails from halfway around the world and secure a ransom from a
victim before transferring funds into cryptocurrencies to evade conventional
policing methods. Capturing these criminals is extremely taxing and, due to
international laws, securing a prosecution is near impossible. Sadly, most
criminals are aware of these facts.
Group 4: Nation state hacker or advanced persistent threat (APT)
The next group, and one that receives the most media attention, perhaps
unduly, is the nation state attackers. Many military organizations around the
word now consider cyberspace a fifth sphere of conflict alongside sea,
land, air, and space. Many nations have demonstrated the ability to project
power across national borders to a great and expanding variety of
consequences.

Group 5: Malicious insider

The final group that is arguably the most concerning, is that of the
malicious insider. The insider refers to a member within an organization
that either intentionally or otherwise acts against it.

Types of cyber attacks

a) Denial of service (DoS) attack

 A DoS attack is any type of attack that causes a complete or partial

system outage.
 The means to perform a DoS attack can range from causing a
system to crash to making it unreachable or incapable of continuing
work due to abnormal levels of forwarded network traffic.

b) Distributed denial of service (DDoS) attack

 A DDoS attack is a DoS attack that comes from more than one
source at the same time.
 The machines used in such attacks are collectively known as
“botnets” and will have previously been infected with malicious
software, so they can be remotely controlled by the attacker.
 According to research, tens of millions of computers are likely to be
infected with botnet programs worldwide.

c) Phishing attack

 A phishing attack is the practice of sending messages that appear to

be from trusted sources with the goal of gaining personal information
or influencing users to do something.
 It combines social engineering and technical trickery.

d) Spear phishing attack

 Spear phishing attacks are a very targeted type of phishing activity.

 Attackers take the time to conduct research into targets and create
messages that are personal and relevant, and thus likely more
effective.
 e) Malware

 Malware is a catch-all term for malicious software. It is any software

designed to perform in a detrimental manner to a targeted user
without the user's informed consent.
 It often triggers secretly when a user runs a program or downloads a
file, which can often be unintentional.
 Once active, malware can block access to data and programs, steal
information, and make systems inoperable.

f) Man in the middle (MitM) attack

 A MitM attack occurs when hackers insert themselves in the

communications between a client and a server.
 This allows hackers to see what’s being sent and received by both
sides.

g) Domain name system (DNS) attack

 DNS is one of the core protocols used on the internet.

 Basically, the DNS protocol allows a computer to resolve a domain to
an IP address, which allows a user to, for example, reach BMW’s
main website by typing “[Link]” instead of writing an IP address
that is hard to remember.
 DNS is used almost everywhere. As a core protocol of the internet,
lots of attack vectors directly target DNS, including DNS spoofing,
domain hijacking, and cache poisoning (just to name a few).

h) Structured query language (SQL) injection

 SQL allows users to query databases.

 SQL injection is the placement of malicious code in SQL queries,
usually via web page input. A successful attack allows common
commands to be run. This can include deleting the database itself!
 SQL injection is one of the most common web hacking techniques.
Structure of a cyber attack
Introducing the Lockheed Martin Cyber Kill Chain® framework
How is cybersecurity used?
How an IBM Security team isolates a cyberattack and shuts down the
threat. Havyn helps fight cybersecurity threats by answering basic queries
using a Watson-based chatbot and voice interface. The tool can ascertain if
cyberthreats exist and identify any systems it impacts.

 Havyn began as an experiment in speech-to-text (STT), text-to-

speech (TTS), and conversational technologies powered by Watson
designed to fight cybersecurity threats by answering basic questions.
 Cybersecurity analysts perform many time-consuming tasks while
navigating multiple systems and databases. Havyn’s ability to field
multiple queries at once has the potential to greatly complement
current cybersecurity workflows.
What is a Raspberry Pi?
The Raspberry Pi is a versatile computer that can be made into just about
anything.

 It a low cost
 credit-card sized computer that plugs into a computer monitor
 helps people of all ages explore computing and learn how to program
in languages like Scratch and Python
 It has a lightweight version of a Linux operating system called
Raspbian
IBM X-Force Command Center
Represent a quantum leap in IBM Security’s core capabilities. The centers are
built on the latest cognitive security solutions and the industry’s top talent. By
combining leading technology, industry-proven processes, and input from skilled
security experts, IBM X-Force Command Centers help companies stay ahead of
even the most advanced threats.
Participants operate real tools, investigate active infections, and respond to
internal and external cybersecurity events.
Cutting-edge cognitive technology and IBM cyber-defense experts combine
forces to help organizations identify and combat advanced security threats.
 provides critical cybersecurity-related crisis leadership skills in a safe
“livefire” environment where participants can experience the effects of live
malware, distributed denial-of-service (DDoS), and other traditional and
advanced attacks.
 is a state-of-the-art facility that immerses clients and potential clients in a
simulated Security Operations Center (SOC). Its tactics and protocols are
designed to anticipate and defend against current and future cyber
threats.
You are the chief information security officer (CISO) in this 360 video
demonstration of the IBM X-Force Command Center. Experience the “sandbox”
Cyber Range, where the team keeps a serious breach at bay under the
guidance of an IBM Cybersecurity General. (Beaconing end points)
NOVA Cybersecurity Lab

IBM and Cybersecurity

Help you master basic cybersecurity terminology and understand how IBM
Security helps clients defend against cyberattacks and respond to broader
security threats.

Cybersecurity terminology
primer
a) An Advanced Persistent Threat (APT) is a multi-phase, long-term
network attack in which unauthorized users gain access to, and
harvest, valuable enterprise data.
The Stuxnet Worm, launched in 2010, is an example of an APT.
b) A botnet is a group of computer systems, anywhere in the world, that
has been infected by a malicious piece of software. The software
allows these computers to be networked together by a hacker. The
hacker gains full control of all the bots in the network and can
conduct malicious tasks. An example of a botnet is the “Star Wars”
Twitter Botnet, launched in 2017.
c) A breach is the moment an unauthorized user or intruder (hacker)
successfully exploits a vulnerability in a computer or device, and
gains access to its files and network. An example of a breach is
the Yahoo! data breach in September 2016, in which 3 billion user
accounts were comprised.
d) A cyberattack is a malicious attempt to damage, disrupt, or gain
unauthorized access to computer systems, networks, or devices,
through cyber means.
An example of a cyberattack is the 2013 cyberattack launched
against Target department stores. The cyberattack affected 40
million credit and debit card accounts of Target customers.
e) Cybersecurity involves the preservation of information's
confidentiality, integrity, and availability in cyberspace.
IBM Security is an example of an organization dedicated to
cybersecurity.
f) A computer exploit involves the use of a malicious application or
script to take advantage of a computer’s vulnerability.
An example of a computer exploit is the September 2017 Equifax
data breach that resulted from a vulnerability in the company’s web
application infrastructure.
 g) Malware is an umbrella term that describes all forms of malicious
software designed to cause havoc on a computer.
The WannaCry attacks in May 2017 and January 2018 are examples
of malware used to conduct cyberattacks.
h) In an MitM attack, an attacker intercepts messages between a user
and a website in order to observe and record transactions.
An example of a response to an MitM attack is the June 2015 arrest
of 49 multi-national European suspects for intercepting email
payment requests.
i) Phishing is a technique used by hackers to obtain sensitive
information, such as passwords, bank accounts, or credit card data. It
often begins as an unexpected email disguised as coming from a
legitimate source. It commonly takes two forms, trying to trick the
recipient into replying with the information they seek, like bank
details, or tempting the recipient to click a malicious link or run an
attachment.
j) Ransomware is a form of malware that deliberately prevents people
from accessing files on their computer. When ransomware infects a
computer, it typically encrypts files and requests that a “ransom” be
paid in order to have the files decrypted.
An example of a ransomware attack is the September
2013 CryptoLocker attack that infected computers running the
Microsoft Windows operating system.
k) A virus is a type of malware for personal computers, that dates back
to the days of floppy disks. Viruses typically aim to corrupt, erase, or
modify information on a computer, and then spread to others.
In recent years, viruses like Stuxnet have also caused physical
damage.
l) A zero-day attack is a particular form of software exploit,
usually malware.
A zero-day exploit is unique and unknown to the public or a software
vendor. Because few people are aware of the vulnerability, victims
have “zero days” to protect themselves from its use.
An example of a zero-day exploit is the 2014 zero-day attack
on Sony Pictures Entertainment, in which their corporate network
was compromised and sensitive corporate data was released.

Cyberattacks Methods
There are many possible reasons for a cyberattack. These might include
political, financial, or personal motives related to international or military
conflicts, trade secret acquisitions, cyber activism, or even revenge or
notoriety.
a) Social engineering attacks can be used to obtain legitimate user
passwords by stealing password databases. Social engineering
attack methods include phishing, watering holes, and Trojan
horses.
b) “Bugs” in programming code present opportunities for attackers to
breach (hack) and “own” a system. Configuration errors, such as
 default passwords and open file shares, also create major security
issues. Network design and protocol weaknesses can create entry
points for malware infections and initial “latch on” attacks.
c) A Man-in-the-Middle (MitM) attack is used to intercept, capture, and
then release network traffic. MitM attacks may include using Internet
domain names or mobile apps to spoof legitimate websites, or use
physical devices, such as point-of-sale (POS) skimmers, to capture
or “skim” sensitive data.
MitM attacks are an advanced variation
of phishing and pharming attacks. In these attacks, a criminal uses
an intermediate website to view private information and alter
transactions. So, when users log in to a website and start working,
they are unaware that all the information exchanged between them
and the website is passing to a criminal.
d) Internet protocol (IP) spoofing involves circumventing security
systems that limit access to known IP and media access
control (MAC) addresses. With this method, an attacker pretends to
be a legitimate endpoint in order to gain access to systems.
e) By stealing legitimate system administration credentials, an
unauthorized user can gain access to one or more systems. In this
scenario, an attacker steals administration credentials for System A,
and then uses them “downstream” to gain access to System B. The
result is that the attacker is able to exploit the “trust relationship”
between the two systems.
f) An attacker may direct massive quantities of network traffic to a
network host to prevent the host from serving legitimate users. When
attackers successfully overwhelm the hosts, they can potentially
restrict system access, denying access to other users. This is known
as Denial of Service (DoS) or Distributed DoS (DDoS).
g) Advanced Persistent Threats (APTs) are created by well-funded,
highly-skilled organizations and nation-states, and often to target
specific organizations. APTs are sets of stealthy and continuous
computer hacking processes. APTs can remain dormant for months,
but when they are active, they typically use state-of-the-
art exploitation techniques.

Protecting a Device with

Malwarebytes
Module 1
Threats to devices and networks
In this module, you’ll learn about threats to devices and networks and
tools for countering these threats.
Malware
Is a software or firmware intended to perform an unauthorized process that will
have adverse impact on the confidentiality, integrity, or availability of an
information system.

Attackers design malware to remain undetected while using the device’s

resources to launch service attacks, host elicit data, or access personal
or business information.
The typical reason that attackers deploy malware is financial gain, Some
other reasons for deploying malware include espionage, activism, and
fame.
Attackers often target an organization’s endpoints. An endpoint is a
device connected to the organization’s network. With endpoint access,
attackers can disrupt a competitor’s operations or use sensitive
information to extort the organization.
Types of Malwares
1. A virus is a piece of malicious code that attaches to other files or
programs to replicate itself. Viruses need user interaction to run, such as
when a user opens a malicious executable file that they think is safe.
Once run, viruses can alter system performance, overwrite files, or delete
or corrupt data. They spread to other computers by design, furthering
the damage done.
2. Worms are self-replicating malware that, unlike viruses, do not require
human interaction to run. Typically, worms spread and stifle resources or
turn computers into zombies. A zombie is a compromised computer that
attackers can use for purposes such as sending spam emails and mining
cryptocurrency.
3. A trojan horse, or trojan, is a seemingly helpful program designed to
secretly give an
attacker access to the device. Attackers disguise trojans as benign
programs or files such as games, wallpapers, or other downloads. Once
the user runs the trojan, the attacker can control the computer remotely,
steal data, spy on user activity, install other malware, or perform other
malicious actions.
4. Ransomware is software that infects a system, restricts users’ access to
the system or its data, and instructs users to pay a ransom to regain
access. Often, the instructions warn that if the user or organization
doesn’t pay the ransom by a deadline, the attacker will destroy the data.
5. Spyware is software installed on a device or system secretly to collect
and report information about the user or organization. Some examples of
this information include financial information and login credentials. Other
examples are web browsing habits, download history, and other internet
behavior that attackers can sell to organizations as marketing data.
6. Adware, short for advertising-supported software, is software that
automatically displays unsolicited advertisements. Usually, these ads
open in pop-up windows. However, adware can also change the browser
home page to one advertising a product or service and insert ads into
 search results. It can even install browser extensions, plugins, or toolbars
associated with the product.
7. A browser hijacker, or simply hijacker, is a program that alters
browser settings without the user’s authorization, and it often functions
as adware. For example, hijackers might change the browser home page,
install or modify toolbars, or include ads in search results. They might
also redirect users to pages with paid content or downloadable malware.

Antimalware software
Is specialized software that detects, quarantines, and even destroys
malware on computers or networks. Some well-known antimalware
programs include Malwarebytes, McAfee Antivirus, and Windows
Defender.
Antimalware programs reside locally on a single device. But some can
also send scan data to a centralized server for the organization’s IT
department to review. For example, in an endpoint protection and
response (EDR) system, each endpoint sends logs, local device data, and
malware scan results to a server. The server’s EDR software analyzes
this information to defend endpoints from malware and additional
threats.
Antimalware software detects malware by scanning all device files for
malware signatures. A malware signature is a pattern of attributes that
corresponds to known malware. After identifying a malware signature in
a file, antimalware software deletes the file, quarantines it, or alerts the
user that the file could be infected.
Social engineering
A common social engineering attack is phishing. Phishing is the practice
of sending messages that trick users into providing sensitive information.
Organizations typically issue policies and training to help employees
identify and report phishing attempts. You can also install browser
extensions, such as Malwarebytes Browser Guard, that block known
malicious websites by default. Doing so lowers your chances of visiting
such sites in response to phishing attempts.
Cookies
When you visit a website, the website’s server creates a file called a
cookie and stores the cookie on your browser. A cookie is a data file
containing information about your interaction with the website.
Tracking cookies, or trackers, track your browsing activity across
websites without your consent. Some websites host advertiser scripts
that provide a third-party tracker to your browser. This advertiser can
check this cookie when you open different websites that use this same
advertising script, revealing each of these sites that you have visited.
Even first-party cookies, cookies that communicate only with the site you
are on and not third-party advertisers, contain sensitive information such
as login authentication. An attacker could access these cookies to log in
to the website as you, a practice called cookie hijacking.
Eavesdropping
Is when an attacker secretly accesses someone else’s communications
across an unencrypted network.
One of the most well-known eavesdropping attacks is a man-in-the-
middle (MitM) attack. In this attack, an attacker inserts themself
between two devices, like your laptop and a server, to capture and
modify communication between them. For example, say an attacker sets
up a free wifi hotspot in a popular public
location, and you connect to this network. The attacker could view your
communications, redirect you to fake login screens, or insert
advertisements over web pages.
You are especially vulnerable to eavesdropping on unsecure or open
networks. These are free, unencrypted networks without password
requirements, such as guest networks that airports, hotels, and
restaurants provide. While you are logged into your bank account, an
attacker could take control of your session and transfer money
elsewhere. Hijacking a session in real time is called session hijacking.
VPNs
A VPN is a virtual network that encrypts communication between two or
more sites.
Your VPN encrypts all data sent from your device, including your IP
address. Next, the recipient’s VPN decrypts that data. This recipient may
be a third-party VPN server; instead of connecting to websites directly,
you connect to the server, which provides you access to websites.
With a VPN, you can browse the web anonymously. You can prevent
attackers, your internet service provider, and online vendors from
reading or decrypting your data. You might even be able to choose a
specific region for the VPN server, enabling you to view content specific
to that region.
Module 2
Protecting a device with Malwarebytes
Simulation: Protecting a device with Malwarebytes