Cyber Security
A practice aimed at reducing the risk of attacks on computers, networks, or software.
CIA Model of Cyber Threats
Refers to the three classes of threat to data: Confidentiality (leaks of sensitive information), Integrity (corruption of assets, e.g. by malware), and Availability (blocking access, e.g. by DDoS).
Active Attacks
Disruption or alteration of data, such as in Man-in-the-Middle attacks.
Passive Attacks
Secretly monitoring communications to steal information without modifications.
Authentication
The process to ensure users or systems are who they claim to be.
Security services
Measures to protect assets from threats
Types of security services
Authentication; access control (limiting who can reach a resource, e.g. network access control, or RBAC, role-based access control, where permissions are granted to roles rather than to individual users); nonrepudiation; data integrity (no unauthorised modification, duplication, insertion, or reordering); data confidentiality (protecting data from disclosure, in particular during transmission)
Nonrepudiation
Senders can not deny sending a message and receivers can not deny receiving a message.
Cyber defense mechanisms
Tools and processes used to provide the security services above
Types of cyber defense mechanisms
Encipherment - secures data through encryption
Digital signatures - verifies message authenticity and origin
Traffic padding - adds fake data to prevent analysis
Routing control - ensures secure data paths
Notarisation - involves third-party verification of transactions
Authentication exchange - establishes the identity of each party during communication (mutual trust)
Availability service
Ensures that resources are available to authorised users whenever they are needed
Malware
Software created to harm or exploit systems - accesses data without permission
DoS Attack
Denial of Service attack that overwhelms a target to disrupt services.
DDoS
Attack using multiple sources to overwhelm a target.
Brute Force Attack
An automated method that tries every possible key or password until one works.
Heuristic Attack
Uses clever human insight and knowledge for shortcuts to gain access
XOR Function
Bitwise exclusive-OR, the basic mixing operation of stream ciphers and the one-time pad: XOR-ing with the same key twice returns the original, so the same operation and the same key serve for both encryption and decryption.
4 groups of cyber attackers
Young women & men (hobbyists) → white hats (hack with permission to help owners), black hats (hack for gain or to embarrass owners), grey hats (between white and black hats)
Cyber criminals → motivated by money
Cyber terrorists → usually irresponsible actors, ranging from motivated individuals seeking justice to groups aiming for damage
Nation state attackers → usually funded by a military or government, using APTs (Advanced Persistent Threats) to steal industrial data and advanced tools to damage or block access to major infrastructure
5 groups of cyber defenders
Internet users → all online users must take precautions against cyber attackers
Enterprise security teams → led by the CISO to protect company systems (PCs, servers, apps, networks…)
Cyber security technology vendors → produce products and services to stop cyber attacks
Government & regulatory organisations → try to reduce risk through legal, policy, and oversight methods
Cyber military & intelligence organisations → use cyber attacks as a tactical weapon
SSL/TLS
Protocols that secure HTTP connections and ensure secure communications.
Cryptography
Converts data into unreadable format, only readable with a key.
Plaintext
Original, readable data before encryption
Ciphertext
Scrambled, unreadable version of the plaintext after encryption
Key
A value used in encryption algorithms to determine how plaintext is transformed into ciphertext
Secret key
Value used in encryption, independent of the plaintext and algorithm
Encryption algorithm
A conversion process from plaintext → ciphertext using a key
Decryption algorithm
Reverse conversion process from ciphertext → plaintext using a key
Caesar’s cipher
Substitution cipher where each letter of plaintext is shifted a fixed number = key
Ci = (Pi + k) mod 26; Pi = (Ci - k) mod 26 (decryption subtracts the key)
Vigenere cipher
Polyalphabetic cipher where each plaintext letter is shifted by the corresponding letter of a repeating keyword, so the same plaintext letter can map to different ciphertext letters
Ci = (Pi + ki) mod 26; Pi = (Ci - ki) mod 26, where ki is the keyword letter at position i mod (keyword length)
Vernam cipher
Symmetric stream cipher using XOR and a random key of the same length of the message used only once (one-time pad)
Ci = Pi XOR k; Pi = Ci XOR k
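The three ciphers above as an added example (this is not code from the original page): Caesar and Vigenère with the decryption formulas written out, and Vernam/one-time pad over bytes. The `two_time_pad_leak` helper shows why the pad must never be reused: XOR-ing two ciphertexts made with the same key cancels the key and leaves the XOR of the two plaintexts. Function names and the sample messages are my own.

```python
# Added example: Caesar, Vigenere and Vernam (one-time pad) ciphers.
import os

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _letters(text: str) -> str:
    """Keep A-Z only, upper-cased; classical ciphers ignore spaces and punctuation."""
    return "".join(c for c in text.upper() if c in ALPHA)


def caesar_encrypt(plaintext: str, k: int) -> str:
    # C_i = (P_i + k) mod 26
    return "".join(ALPHA[(ALPHA.index(c) + k) % 26] for c in _letters(plaintext))


def caesar_decrypt(ciphertext: str, k: int) -> str:
    # P_i = (C_i - k) mod 26: subtract the key, do not add it
    return "".join(ALPHA[(ALPHA.index(c) - k) % 26] for c in _letters(ciphertext))


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    # C_i = (P_i + k_i) mod 26, k_i = keyword letter at position i mod len(keyword)
    key = [ALPHA.index(c) for c in _letters(keyword)]
    return "".join(ALPHA[(ALPHA.index(c) + key[i % len(key)]) % 26]
                   for i, c in enumerate(_letters(plaintext)))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    key = [ALPHA.index(c) for c in _letters(keyword)]
    return "".join(ALPHA[(ALPHA.index(c) - key[i % len(key)]) % 26]
                   for i, c in enumerate(_letters(ciphertext)))


def vernam_key(length: int) -> bytes:
    """Fresh random pad, as long as the message, to be used exactly once."""
    return os.urandom(length)


def vernam(data: bytes, key: bytes) -> bytes:
    # C_i = P_i XOR k_i and P_i = C_i XOR k_i: one function encrypts and decrypts
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    # Reusing a pad cancels the key: c1 XOR c2 == p1 XOR p2, which leaks plaintext structure
    return bytes(a ^ b for a, b in zip(c1, c2))
```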
Monoalphabetic cipher
Substitutes each letter in the plaintext to another letter based on a fixed rule
Playfair cipher
A digraph substitution cipher that encrypts pairs of letters using a 5×5 key matrix (I and J share a cell) and 3 rules:
Same row: replace each letter with the one to its right (wrapping around).
Same column: replace each letter with the one below it (wrapping around).
Different row and column: replace each letter with the letter in its own row and the other letter's column (the opposite corners of the rectangle).
Hill cipher
Polygraphic cipher that encrypts a block of letters at once: the block is converted into a vector of numbers and multiplied by a key matrix mod 26; decryption multiplies by the inverse matrix, so the key matrix must be invertible mod 26 (its determinant must be coprime to 26)
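A 2×2 Hill cipher as an added example (not code from the original page), including the inverse-matrix computation and the check that the key is usable. The key matrix [[3, 3], [2, 5]] and the plaintext are constructed inputs; padding an odd-length message with X is my own choice.

```python
# Added example: Hill cipher over Z_26 with a 2x2 key matrix.
from math import gcd

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _letters(text: str) -> str:
    return "".join(c for c in text.upper() if c in ALPHA)


def _inverse_mod26(x: int) -> int:
    # x is coprime to 26 here, so a multiplicative inverse exists
    return next(i for i in range(1, 26) if (x * i) % 26 == 1)


def mat_inverse_mod26(k):
    """Inverse of a 2x2 matrix mod 26; raises if the key cannot be inverted."""
    (a, b), (c, d) = k
    det = (a * d - b * c) % 26
    if gcd(det, 26) != 1:
        raise ValueError("key matrix is not invertible mod 26 (det shares a factor with 26)")
    det_inv = _inverse_mod26(det)
    return [[(d * det_inv) % 26, (-b * det_inv) % 26],
            [(-c * det_inv) % 26, (a * det_inv) % 26]]


def _apply(k, text: str) -> str:
    text = _letters(text)
    if len(text) % 2:
        text += "X"  # pad to the 2-letter block size (assumption)
    out = []
    for i in range(0, len(text), 2):
        p0, p1 = ALPHA.index(text[i]), ALPHA.index(text[i + 1])
        # ciphertext vector = key matrix * plaintext vector (mod 26)
        out.append(ALPHA[(k[0][0] * p0 + k[0][1] * p1) % 26])
        out.append(ALPHA[(k[1][0] * p0 + k[1][1] * p1) % 26])
    return "".join(out)


def hill_encrypt(plaintext: str, key) -> str:
    mat_inverse_mod26(key)  # reject keys that could never be decrypted
    return _apply(key, plaintext)


def hill_decrypt(ciphertext: str, key) -> str:
    return _apply(mat_inverse_mod26(key), ciphertext)
```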
DDoS Attack
A Distributed Denial of Service attack flooding a target with multiple sources of traffic.
Symmetric encryption
Uses same key for both encryption and decryption
Examples: DES, AES, 3DES
DES (Data Encryption Standard)
Uses the Feistel cipher structure, which splits each 64-bit block into two 32-bit halves and processes them through 16 rounds, each using its own 48-bit round key derived from the main key. Decryption is the same structure with the round keys applied in reverse order.
Characteristics of DES
16 rounds of substitution and permutation
key length = 56 bit
block size = 64 bits
DES steps
Initial Permutation (IP) - rearrange the 64-bit plaintext block
16 rounds, each applying to the right half: expansion (32 → 48 bits), key mixing (XOR with the 48-bit subkey), substitution using 8 S-boxes (6-bit input → 4-bit output each, 32 bits total), and permutation using a P-box with a fixed pattern to rearrange the 32-bit S-box output, which is then XORed into the left half
Final Permutation (IP^-1) - the inverse of IP
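A generic Feistel network as an added example (not code from the original page), to show the structural point above: decryption is the same routine with the subkeys reversed, and this works no matter what the round function is. The round function and key schedule here are toy placeholders built from SHA-256 (my assumption, not the DES S-boxes, P-box or key schedule); block size is 64 bits with 32-bit halves and 16 rounds, as in DES.

```python
# Added example: Feistel structure with a toy round function (not real DES).
import hashlib

ROUNDS = 16


def key_schedule(key: bytes):
    # Toy schedule (assumption): 16 subkeys of 48 bits, as DES produces, from hash(key || round)
    return [hashlib.sha256(key + bytes([r])).digest()[:6] for r in range(ROUNDS)]


def round_function(right: int, subkey: bytes) -> int:
    # Toy F (assumption): hash the 32-bit half with the subkey, keep 32 bits.
    # F does not need to be invertible; the Feistel structure is invertible regardless.
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block: bytes, subkeys) -> bytes:
    if len(block) != 8:
        raise ValueError("block must be 64 bits")
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    # Final swap of the halves (DES does this too) so the same routine decrypts
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, key_schedule(key))


def decrypt(block: bytes, key: bytes) -> bytes:
    # identical network, subkeys K_16 ... K_1
    return feistel(block, key_schedule(key)[::-1])
```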
AES (Advanced Encryption Standard)
Replaces DES; fixed block size of 128 bits and key lengths of 128, 192, or 256 bits (10, 12, or 14 rounds respectively)
3DES
Applies DES three times (encrypt-decrypt-encrypt) for improved security, using either 2 keys (112-bit) or 3 keys (168-bit); now deprecated in favour of AES
Asymmetric encryption
Uses a key pair: the public key encrypts and only the matching private key decrypts (for digital signatures the roles are reversed: the private key signs, the public key verifies)
Example: RSA, used for key exchange and signatures in secure communications
OTP (One-time pad)
Provides perfect secrecy if the key is truly random, as long as the message, kept secret, and used only once
Disadvantages of OTP
Key distribution (both sender and receiver must already share a key as long as all the data they will ever exchange)
Key management (storing and handling the key securely, and never reusing any part of it)
Trusted software
Asks for permission before accessing data
Trojan Horse concept
Malicious code can be hidden inside legitimate software, e.g. a backdoor added to a password check:
original: if valid(password) then allow access
malicious, with hidden code: if valid(password) OR password = "ABC" then allow access
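The same backdoor in working code, as an added example (not code from the original page): `check_backdoored` is the Trojan-horse version with the page's hidden "ABC" password, and `check_hardened` is the version where only the stored credential decides. The hashing scheme (salted PBKDF2 with a constant-time compare) is my choice for the `valid` function, which the page leaves abstract.

```python
# Added example: backdoored password check beside the legitimate one.
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so that a leaked record cannot be cracked cheaply
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(password: str) -> dict:
    """Stored credential: random salt plus the hash of the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def valid(password: str, record: dict) -> bool:
    # compare_digest runs in constant time so timing does not reveal matching bytes
    return hmac.compare_digest(_hash(password, record["salt"]), record["hash"])


def check_backdoored(password: str, record: dict) -> bool:
    # Trojan horse: a second condition the legitimate logic never needs.
    # Any user knowing the literal "ABC" gets in regardless of the stored credential.
    return valid(password, record) or password == "ABC"


def check_hardened(password: str, record: dict) -> bool:
    # Only the stored credential decides; there is no alternate path to review for
    return valid(password, record)
```

In code review, the tell-tale sign is a comparison of the submitted secret against a literal: a legitimate check only ever compares against the stored record.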
Worm malware
Self-replicating malware where worms jump from one computer to another creating a chain reaction without user interaction
Defense in depth
Uses multiple layers of security to protect systems
If one layer fails, the others still provide protection; different methods (passwords, firewalls, monitoring) are combined instead of repeating the same protection
AAA model
Authentication - verifies who you are (e.g. passwords)
Access control (authorisation) - limits who can access which resources (e.g. firewalls, permissions)
Audit - records activity so that suspicious behaviour can be detected and investigated
Antivirus
Software tool that detects malware by matching signatures (known byte patterns, hashes, or simple attributes such as file names) against files and memory
Hackers create variants of malware
Changing a file name (Trojan.exe to Trojan1.exe) or a few bytes of the code gives the variant a different signature, making signature-based detection less effective
TCB (Trusted Computing Base)
The set of hardware, firmware, software, and controls on which the system's security depends, providing a trusted environment for sensitive operations
Helps detect unauthorised changes, such as those made by rootkits.
Zero-day exploit
A cyber attack that takes advantage of a software or hardware vulnerability unknown to the vendor, so no patch exists yet and defenders have had no time to prepare.
Passwords
Most common authentication form because it is easy to create, remember, and reuse.
Authentication process
Identification - provide username or ID
Challenge - system requests proof
Computation - user retrieves or computes the proof
Response - user submits proof
Validation - system verifies proof
Notification - user is informed of the result
Disadvantages of passwords
Single-factor authentication - once the password is compromised there is no second barrier
Easy to compromise - default passwords, reused passwords, easy guessing, dictionary and brute-force cracking tools, phishing scams, keylogging attacks.
2FA process
First factor - user provides their password (something they know)
Second factor - the system sends a code to the user's device (something they have)
Completed authentication - user enters the code the system sent
Biometric Authentication
Verification method using unique physical traits, like fingerprint or facial recognition.
Ideal biometrics
Universal, distinguishable, permanent, easy to collect
Biometric modes
Identification - who goes there? (one-to-many search)
Authentication - are you who you say you are? (one-to-one check)
Enrollment - precise but slow data collection that produces the stored template
Recognition - fast comparison of a fresh sample against the enrolled template
Biometric errors
Fraud rate = an impostor is accepted (misidentification); insult rate = a legitimate user is rejected (failed recognition); EER (equal error rate) = the threshold setting at which the fraud and insult rates are equal. Raising the match threshold lowers the fraud rate but raises the insult rate, and vice versa.
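The trade-off above computed over constructed match scores, as an added example (not code from the original page). Scores are hypothetical similarity values in [0, 1]; the functions sweep every observed score as a candidate threshold and report the one where fraud and insult rates meet.

```python
# Added example: fraud rate, insult rate and equal error rate from match scores.

# Constructed scores: genuine users matched against their own template, and impostors
# matched against someone else's; higher means "more similar".
GENUINE = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.66, 0.60, 0.55, 0.48]
IMPOSTOR = [0.12, 0.20, 0.27, 0.33, 0.40, 0.46, 0.52, 0.58, 0.63, 0.71]


def fraud_rate(threshold: float, impostor=IMPOSTOR) -> float:
    """Fraction of impostors whose score reaches the threshold (wrongly accepted)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def insult_rate(threshold: float, genuine=GENUINE) -> float:
    """Fraction of genuine users whose score falls below the threshold (wrongly rejected)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, fraud, insult) for every candidate threshold, in increasing order."""
    return [(t, fraud_rate(t, impostor), insult_rate(t, genuine))
            for t in sorted(set(genuine + impostor))]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where the two rates are closest, and the EER at that point."""
    best = None
    for t, fr, ir in error_curve(genuine, impostor):
        gap = abs(fr - ir)
        if best is None or gap < best[0]:
            best = (gap, t, (fr + ir) / 2)
    _, t, eer = best
    return t, eer
```

With these scores the curve crosses at threshold 0.60, where 2 of 10 impostors are still accepted and 2 of 10 genuine users are rejected (EER 20%); pushing the threshold to 0.90 removes all fraud but rejects 9 of 10 genuine users.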
Advanced Persistent Threat (APT)
Long-term cyber attacks typically performed by nation-state actors.
Two-Factor Authentication (2FA)
A security process that requires two different kinds of proof (e.g. something the user knows, a password, and something the user has, a mobile phone or token)
Packet Sniffing
Monitoring and capturing data packets traveling over a network.
Denial of Service (DoS)
An attack designed to make a service unavailable to its intended users.
Access Control Matrix
A table with one row per subject (user, process) and one column per object (file, device), each cell holding the permitted rights. An ACL (Access Control List) is one column of the matrix: the list attached to an object defining which subjects have access and with which permissions; a capability list is one row (everything one subject may do).
MLS (Multilevel Security)
Classification model that grants access based on DoD security levels (top secret, secret, confidential, unclassified): a subject may read an object only if its clearance is at or above the object's classification
Adaptive Authentication Method
Changes how a user logs in based on factors like location, what device is used, online user behaviour
Challenge-response authentication
The verifier sends a challenge and the user proves possession of a secret by returning a response computed from it, typically an OTP (one-time password):
Nonce = random number used only once as the challenge, so a captured response cannot be replayed
OTP = one-time password, valid for a single login
Token devices = hardware or software (2FA apps) that generate OTPs
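Both mechanisms above as an added example (not code from the original page): a nonce challenge-response with replay rejection, and an HOTP code generator as used by OTP token devices (RFC 4226; TOTP is the same with the counter replaced by the current 30-second time step). The secrets are constructed; the HOTP one is the RFC 4226 test-vector secret, so the first codes are 755224, 287082, 359152. The server-side look-ahead window and the `used` set are my assumptions about how a verifier would track state.

```python
# Added example: nonce challenge-response and HOTP token codes.
import hashlib
import hmac
import os
import struct


def make_nonce() -> bytes:
    return os.urandom(16)  # random and used once, so an old response cannot be replayed


def respond(secret: bytes, nonce: bytes) -> bytes:
    # Client proves it knows the secret without ever sending the secret itself
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def validate(secret: bytes, nonce: bytes, response: bytes, used: set) -> bool:
    """Server side: reject a nonce that was already answered, then check the MAC."""
    if nonce in used:
        return False
    used.add(nonce)
    return hmac.compare_digest(respond(secret, nonce), response)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, code: str, counter: int, window: int = 3):
    """Accept the code if it matches one of the next `window` counters (the user may have
    pressed the token button without logging in). Returns the new counter to store on
    success, so the same code cannot be accepted twice, or None on failure."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None
```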
Orange book
The DoD Trusted Computer System Evaluation Criteria (TCSEC), which rates systems into classes from highest to lowest:
A - highest security (verified protection, formally verified design)
B - strong protection (mandatory access control)
— B1 = labeled security protection: data is labeled to limit access
— B2 = structured protection
— B3 = security domains that are tamperproof
C - discretionary, user-controlled access
— C1 = basic protection with user-level permissions
— C2 = controlled access (stronger, with auditing)
D - minimal protection (evaluated but failed a higher class)
Phishing
Deceptive attempts to obtain sensitive information by masquerading as a trustworthy entity.
Firewall
A security system that filters network traffic, blocking unauthorized access.
Keylogging
A method used by attackers to capture every keystroke made by a user.
Command & Control (C&C)
A system where compromised devices are managed remotely by hackers.
Integrity Threat
A threat that corrupts assets or data.
Confidentiality Threat
A threat that leads to the leak of sensitive data.
Availability Threat
A threat that blocks access to data or services.
Malicious Actors
Individuals or groups that engage in cyber offense against assets.
Event Detection
Mechanism to identify suspicious activities within a system.
VPN (Virtual Private Network)
An encrypted tunnel used to secure communication over the Internet.
Trusted Computing Base (TCB)
A set of protection mechanisms within the computer architecture.
Recognition vs. Identification
Recognition (verification) is a one-to-one check against one claimed identity's template; identification is a one-to-many search across all enrolled templates.
Transport Mode
IPsec mode that protects only the IP payload; the original IP header stays in the clear (end-to-end, host-to-host communication)
Tunnel Mode
IPsec mode that protects the entire original IP packet and adds a new outer IP header (typically gateway-to-gateway VPNs)
SSL/TLS
Secures HTTP connections (HTTPS)
SSH
Secure remote login and data exchange via three layered protocols:
Transport Protocol - secures transport layer communication
User Authentication Protocol - verifies user’s identity
Connection Protocol - manages client-server connection
IPSec
A protocol suite that secures IP communication by encrypting and authenticating traffic at the IP layer
ESP
Protocol in the IPsec suite that provides encryption for confidentiality (and, optionally, integrity and origin authentication); AH, the other IPsec protocol, provides integrity and authentication without encryption
IKE
Protocol in the IPsec suite that authenticates the peers, negotiates algorithms and keys, and sets up the SAs (Security Associations)
Types of malware
Trojans, viruses, worms, spyware, ransomware
SSL/TLS handshake (RSA key exchange, as used up to TLS 1.2; TLS 1.3 replaced it with ephemeral Diffie-Hellman and encrypts most of the handshake)
Client Hello: Client shares supported cipher suites and a random value.
Server Hello: Server picks a cipher suite and sends its certificate and its own random value.
Key Exchange: Client verifies the certificate chain and sends a "pre-master secret" encrypted with the server's public key.
Session Key Generation: Both derive the master secret and the session keys from the pre-master secret and the two random values.
Client Finished: Client sends a MAC over the whole handshake transcript, encrypted with the new keys.
Server Finished: Server confirms with its own Finished message.
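The "Session Key Generation" and "Finished" steps above carried through with the TLS 1.2 PRF (RFC 5246, P_SHA256), as an added example that is not code from the original page. Both sides compute the master secret and key block from the same three inputs, and the client's Finished value is a MAC over the handshake transcript, so a tampered transcript produces a different value. The RSA encryption of the pre-master secret and the certificate check are outside this example; the randoms, pre-master secret and transcript bytes are constructed, and `simulate_handshake` is my own wrapper.

```python
# Added example: TLS 1.2 key derivation and Finished verify_data.
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: HMAC chained over A(i) until enough bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    # Note the reversed order of the randoms for key expansion (RFC 5246 section 6.3)
    kb = prf(master, b"key expansion", server_random + client_random,
             2 * (mac_len + key_len + iv_len))
    layout = [("client_mac", mac_len), ("server_mac", mac_len),
              ("client_key", key_len), ("server_key", key_len),
              ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master: bytes, role: bytes, handshake_messages: bytes) -> bytes:
    # verify_data = PRF(master_secret, "client finished" | "server finished", Hash(transcript))[0:12]
    return prf(master, role + b" finished", hashlib.sha256(handshake_messages).digest(), 12)


def simulate_handshake(client_random: bytes, server_random: bytes, pre_master: bytes) -> dict:
    """Both sides derive keys independently; the server checks the client's Finished."""
    transcript = b"ClientHello" + client_random + b"ServerHello" + server_random + b"ClientKeyExchange"
    # client side
    c_master = master_secret(pre_master, client_random, server_random)
    c_keys = key_block(c_master, client_random, server_random)
    c_fin = finished_verify_data(c_master, b"client", transcript)
    # server side, after decrypting the pre-master secret with its private key
    s_master = master_secret(pre_master, client_random, server_random)
    s_keys = key_block(s_master, client_random, server_random)
    accepted = hmac.compare_digest(finished_verify_data(s_master, b"client", transcript), c_fin)
    return {"master": c_master, "keys_match": c_keys == s_keys, "client_finished_ok": accepted}
```

Because the two randoms enter the derivation, replaying a captured pre-master secret against a new handshake yields different session keys; this is also why a server that reuses randoms weakens every session.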
TCP 3 way handshake
Establishes connection by
SYN (synchronise): Client sends SYN to initiate.
SYN/ACK: Server responds with SYN/ACK.
ACK (acknowledge): Client sends ACK to confirm connection.
Firewall types
Application-level gateway (proxy) = inspects and filters traffic at the application layer (HTTP, FTP)
Circuit-level gateway = validates the TCP handshake and manages connections without inspecting payloads
Network (packet-filtering) firewall = filters traffic based on IP addresses, ports, and protocol
Distributed firewall = security policy enforced across multiple devices/network points rather than at one perimeter
DMZ (Demilitarised zone)
A separate subnet between the internal network and the Internet that hosts public-facing servers, so a compromised public server does not give direct access to the internal network
IDS (Intrusion Detection System)
Monitors network traffic or hosts for suspicious activity and raises alerts
Anomaly-based IDS = detects deviations from a baseline of normal behaviour (can catch unknown attacks, more false positives)
Signature-based IDS = detects known threat patterns (few false positives, misses new attacks)
HIDS = Host-based IDS = monitors individual machines (logs, file integrity, processes)
NIDS = Network-based IDS = monitors network traffic
IPS (Intrusion Prevention System)
Similar to an IDS but sits inline and can block malicious traffic
Network security attacks
SYN flood = DoS attack sending many SYN requests without completing the handshake, filling the server's table of half-open connections
HTTP flood = DoS attack targeting web servers with large numbers of legitimate-looking HTTP requests
ARP poisoning = redirects LAN traffic by associating the attacker's MAC address with another device's IP address (e.g. the gateway) in victims' ARP caches
DNS poisoning = cache poisoning that redirects users to fake websites by inserting malicious DNS entries
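Detection logic for two of the attacks above, run over constructed packet records, as an added example that is not code from the original page. A SYN flood shows up as a source with many SYNs and no completing ACKs (half-open connections); ARP poisoning shows up as one IP address claimed by more than one MAC address within the capture. The record format, the sample addresses and the threshold are my assumptions.

```python
# Added example: SYN-flood and ARP-poisoning indicators over constructed packet records.
from collections import defaultdict

# (src_ip, dst_ip, tcp_flags), constructed: one legitimate 3-way handshake from 10.0.0.5,
# then 50 SYNs from 203.0.113.9 that are never completed.
TCP_PACKETS = [
    ("10.0.0.5", "10.0.0.1", "SYN"),
    ("10.0.0.1", "10.0.0.5", "SYN/ACK"),
    ("10.0.0.5", "10.0.0.1", "ACK"),
] + [("203.0.113.9", "10.0.0.1", "SYN")] * 50

# (sender_ip, sender_mac) from ARP replies, constructed: the gateway 10.0.0.1 is claimed
# by its real MAC and then by a second, attacker-controlled MAC.
ARP_REPLIES = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ("10.0.0.2", "aa:aa:aa:aa:aa:02"),
    ("10.0.0.1", "de:ad:be:ef:00:01"),
]


def half_open_by_source(packets) -> dict:
    """SYNs minus handshake-completing ACKs per source: the number of half-open connections."""
    syn, ack = defaultdict(int), defaultdict(int)
    for src, _dst, flags in packets:
        if flags == "SYN":
            syn[src] += 1
        elif flags == "ACK":
            ack[src] += 1
    return {src: syn[src] - ack[src] for src in syn}


def syn_flood_sources(packets, threshold: int = 20) -> list:
    """Sources with at least `threshold` half-open connections in the capture."""
    return sorted(src for src, n in half_open_by_source(packets).items() if n >= threshold)


def arp_conflicts(replies) -> dict:
    """IP addresses announced with more than one MAC: {ip: [macs]}."""
    seen = defaultdict(set)
    for ip, mac in replies:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}
```

In a real capture the SYN counter would be keyed per time window, and a spoofed-source flood would show many single-SYN sources rather than one; the ARP check works as-is against a capture or a periodic dump of the ARP table.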
DDoS mitigation techniques
Upstream Filtering = ISPs or security providers block DDoS traffic before it reaches the target's link.
Scrubbing Centers = incoming traffic is diverted through security systems that filter out the attack traffic and forward only the clean remainder.
Ideal security protocol characteristics
Confidentiality, integrity, authentication, non-repudiation, fast
EDS (electronic data security)
Protects data via encryption, authentication, and access control, e.g. through SSL/TLS and VPN protocols
Out-of-band
Communication that takes place outside the main data channel (e.g. an SMS code sent separately from the web session)