Cybersecurity Midterm Study Sheet

Cyber security - reducing the risk of attacks on computers, networks, or software.

  • Designed to prevent CIA threats from happening to assets.

Threat - the bad things that hackers can do to assets


Cyber offence = malicious actors try to attack assets (websites, company networks)

Cyber defence = safeguards that try to stop cyber offence attacks 

The cyber offence is way ahead of the cyber defence BECAUSE CYBER OFFENCE ONLY NEEDS TO FIND ONE WAY TO BREAK INTO YOUR SYSTEM WHILE THE CYBER DEFENCE NEEDS TO STOP EVERY POSSIBLE BREAK-IN PATH.


CIA Model of Cyber Threats:

  1. Confidentiality threat: Leaks sensitive data (e.g., encryption broken).

  2. Integrity threat: Corrupts assets (e.g., malware).

  3. Availability threat: Blocks access (e.g., DDoS).


2 types of security attacks:

  1. Passive attacks - secretly monitor communications to steal information WITHOUT modifying it

  • E.g. eavesdropping or network sniffing.

  2. Active attacks - disrupt or alter data

  • E.g. intercepting and changing messages in MITM (Man-in-the-Middle) attacks









Security Services - measures to protect assets from threats:

  • Authentication ensures users or systems are who they claim to be.

  • Access control restricts unauthorized actions using methods like:

    • Network control to limit access.

    • RBAC (Role-Based Access Control) where permissions depend on user roles.

  • Data confidentiality protects sensitive information during transmission.

  • Data integrity ensures no unauthorized changes are made to information (prevents duplication, insertion, modification, reordering, or replay attacks).

  • Nonrepudiation prevents parties from denying actions:

    • The sender cannot deny sending a message.

    • The receiver cannot deny receiving it.


Cyber defense mechanisms use tools and processes to ensure security:

  • Encipherment secures data through encryption.

  • Digital signatures verify message origin and authenticity.

  • Traffic padding adds fake data to prevent analysis.

  • Routing control ensures secure data paths.

  • Notarization involves third-party verification of transactions.

  • Authentication exchange establishes mutual trust during communication.

Some mechanisms provide broader security:

  • Event detection to identify suspicious activities, 

  • Security labels to classify data, 

  • Audit trails to track activities for accountability.


Availability service - ensures that resources are accessible and usable at all times.

  • Goal: To keep systems functioning even during attacks like DDoS.

Hacking - process of intentionally exploiting vulnerabilities.

  • Goal: to create a threat to a target asset.


Cyber attack methods:

  1. Brute Force Attack:

    • Automated method trying every possible way to break in.

    • Relies on sheer persistence, not strategy.

  2. Heuristic Attack:

    • Uses clever human insight and knowledge for shortcuts to gain access.

    • Value: Saves time compared to tedious brute force methods.

Hacking campaign = combining these techniques into a series of steps

Advanced Persistent Threat (APT) = when nation states perform these attacks over a period of time.


Example:

Imagine you need to crack an encryption code hiding data from unauthorized viewers, with access only to the encrypted data over a network and no other hints. If the encryption resembles a cryptogram, where one letter is replaced by another (e.g., Caesar’s cipher shifting letters two places forward), a brute force attack could break it.

encrypt(a)=c; encrypt(b)=d; encrypt(c)=e; etc.

Using this scheme, two communicating entities can encrypt a plaintext message in a manner that only exposes the ciphertext:

Plaintext: the cow jumped over the moon

Ciphertext: vjg eqy lworgf qxgt vjg oqqp

Unauthorized observers might try to decrypt the message by looking for patterns in the ciphertext, similar to solving a cryptogram. This type of encryption is vulnerable to a brute force attack, which can be done with a simple computer program.

The attack works by counting how often each letter appears in the ciphertext. Over time, the pattern of letter frequencies will match the typical frequency of letters in the real alphabet, revealing the encryption method.

For example, in English, the most common letters are e, t, a, o, and i. If these are replaced in the ciphertext by other letters, their frequency will eventually match the original letters. A brute force program can then break the encryption by analyzing the letter patterns.


4 different groups of Cyber Attackers (that perform hacking):

Young women & men = Group 1 

  1. White hats = first flavour of group 1 = hack to help owners

  2. Black hats = second flavour of group 1 = hack to embarrass owners

  3. Grey hats = third flavour of group 1 = somewhere in between white & black hats

Cyber criminals = Group 2

  • Motivated by money.

  • Main target: Financial assets like credit cards, medical records, and personal information.

  • Stolen data is often sold on the Dark Web.

Cyber terrorists = often-irresponsible actors = Group 3

  • Motivated by some political/philosophical drive 

  • Use questionable tactics to achieve their attack goals (e.g. major DDoS floods)

  • Range from individuals seeking justice to groups aiming for destruction.

Nation state attacker = Group 4

  • Generally funded by a military government

  • Highly skilled, disciplined, and willing to go to major lengths to use intelligence to harm targets.

  • 2 techniques of nation state attacks: 

  1. Use Advanced Persistent Threats (APTs) to steal important information from industrial systems.

  2. Use advanced tools to damage or block access to important infrastructure.







4 different groups of Cyber Defenders:

Internet users = Group 1

  • Every individual online has a responsibility to take precautions against cyber attacks.

  • Common attack: Phishing – tricking users into clicking malicious links that install malware.

  • Malware-infected devices become part of a botnet:

Botnet = A group of infected devices (bots) controlled remotely by a hacker through a Command & Control (C&C) system.

→ Devices in a botnet can be used for coordinated attacks, even without the owner’s knowledge

Command devices send instructions to bots acting like "zombies" to attack a target 

→ Victims see the attack coming from scattered, hacked devices worldwide

Enterprise security teams = Group 2

  • Led by the Chief Information Security Officer (CISO)

  • Protects company systems (PCs, apps, servers, networks) from cyber attacks

  • Usually reports to the Chief Information Officer (CIO)

  • Rising cyber risks are leading CISOs to report directly to top leadership

  • This change is like how HR evolved from personnel departments

Cyber Security Technology Vendors = Group 3

  • Produce products and services that stop cyber attacks

  • Serve essentially as defensive arms dealers

Government & Regulatory Organisations = Group 4

  • Try to reduce risk through legal, policy, and oversight methods

Cyber Military & Intelligence Organisations = Group 5

  • Use cyber attacks as a tactical weapon as part of their overall warfighting arsenal





Cryptography - secures data by converting it into unreadable formats, only decipherable with a key.

  • Goal: to ensure only authorized users can access the information.

Cryptograms - a type of puzzle where text is encrypted by substituting/rearranging characters.


Plaintext - the original, readable data or message before encryption.

Ciphertext - the scrambled, unreadable version of the plaintext after encryption.

Key - a value used in the encryption algorithm that determines how plaintext is transformed into ciphertext. 

  • Different keys will produce different ciphertexts for the same plaintext.

Secret key - input to the encryption algorithm (a value independent of the plaintext and of the algorithm)

  • The algorithm's output changes based on the key used.

  • The key determines the specific substitutions and transformations.

Encryption Algorithm - a process that converts plaintext into ciphertext using a key.

Decryption Algorithm - the reverse process, which converts ciphertext back into plaintext using a key.


For secure conventional encryption, two things are needed:

  1. A strong algorithm that prevents attackers from decrypting ciphertext or discovering the key.

  2. Secure key sharing and protection. If the key is compromised, all communications are at risk.

The algorithm can be public, but the key must remain secret. The main challenge in symmetric encryption is keeping the key secure.

Cryptographic systems are characterised along 3 independent dimensions:

  1. The type of operations used for transforming plaintext to ciphertext.

  2. The number of keys used.

  3. The way in which the plaintext is processed.


The XOR function is often used in symmetric encryption, where the same key is used for both encryption & decryption:

1 XOR 0 = 1

0 XOR 1 = 1

0 XOR 0 = 0

1 XOR 1 = 0

1. Caesar Cipher - a simple substitution cipher where each letter of the plaintext is shifted by a fixed number (key). Ci = cipher text; Pi = plain text; k = key

  • Encryption: Ci = (Pi + k) mod 26

  • Decryption: Pi = (Ci - k) mod 26

  • Example, with a key of 2: "A" → "C", "B" → "D",...


2. Vernam Cipher - a symmetric stream cipher that XORs the message with a random key of the same length as the message, used only once (one-time pad cipher)

  • Encryption: Ci = Pi XOR k

  • Decryption: Pi = Ci XOR k


3. Vigenère Cipher - a polyalphabetic cipher where each letter in the plaintext is shifted by a corresponding letter in a keyword; uses multiple shifts based on a keyword.

  • Encryption Formula: Ci = (Pi + Ki) mod 26

  • Decryption Formula: Pi = (Ci - Ki) mod 26

  • Example: Convert letters (A=0, B=1, C=2, D=3, E=4, F=5, …):

Plaintext: H(7) E(4) L(11) L(11) O(14)

Keyword: K(10) E(4) Y(24) K(10) E(4)

Encrypt: Ci = (Pi + Ki) mod 26: H + K = R; E + E = I; L + Y = J; L + K = V; O + E = S


4. Monoalphabetic Cipher - a substitution cipher that maps each letter in the plaintext to another letter based on a fixed rule.

  • Example: "A" might become "Q," "B" becomes "W," etc.

  • It's vulnerable to frequency analysis → common letters (like "E" in English) will appear often.


5. Playfair Cipher - a digraph substitution cipher → pairs of letters are encrypted based on a 5x5 matrix:

  • Rule 1: if the letters are in the same row → Take the letter to the right

  • Rule 2: if the letters are in the same column → Take the letter below

  • Rule 3: if in different rows and columns → rectangle formed; swap the opposite corners.


6. Hill Cipher - a polygraphic cipher: a block of letters (Pi) is converted to numbers and multiplied by a key matrix: Ci = (K × Pi) mod 26
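Added example, not part of the original sheet: the Vigenère and Vernam formulas above in Python, checked against the sheet's HELLO/KEY example, plus a demonstration of why a Vernam (one-time pad) key must be used only once. Function names and sample messages are constructed for illustration; Vigenère input is assumed to be uppercase A-Z only.

```python
import secrets

A = ord('A')

def vigenere(text, keyword, decrypt=False):
    """Ci = (Pi + Ki) mod 26 to encrypt, Pi = (Ci - Ki) mod 26 to decrypt.

    The keyword is repeated to cover the whole message. A one-letter
    keyword gives the Caesar cipher (keyword "C" is a shift of 2).
    """
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text):
        k = ord(keyword[i % len(keyword)]) - A
        out.append(chr((ord(ch) - A + sign * k) % 26 + A))
    return ''.join(out)

def vernam(data: bytes, key: bytes) -> bytes:
    """Ci = Pi XOR k. The same call decrypts, because XOR undoes itself."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

def key_reuse_leak(p1: bytes, p2: bytes) -> bytes:
    """Encrypt two equal-length messages under ONE pad and XOR the ciphertexts.

    (P1 XOR k) XOR (P2 XOR k) = P1 XOR P2: the key cancels out, so an
    eavesdropper who sees both ciphertexts learns the XOR of the plaintexts
    without ever touching the key. That is why the pad is used only once.
    """
    key = secrets.token_bytes(len(p1))
    c1, c2 = vernam(p1, key), vernam(p2, key)
    return bytes(a ^ b for a, b in zip(c1, c2))

if __name__ == "__main__":
    print(vigenere("HELLO", "KEY"))                  # the sheet's worked example
    print(vigenere("RIJVS", "KEY", decrypt=True))
    pad = secrets.token_bytes(5)
    print(vernam(vernam(b"HELLO", pad), pad))
    print(key_reuse_leak(b"ATTACK", b"DEFEND"))
```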

Symmetric Encryption:  Uses the same key for both encryption and decryption. 

  • DES (Data Encryption Standard): Uses the Feistel Cipher structure → which divides the plaintext into two halves and processes them with round keys. Characteristics:

  • Key length = 56 bits; Block size = 64 bits

  • 16 rounds of substitution and permutation.

  • S-boxes: Substitution tables used during each round of DES to replace blocks of bits.

  • These substitution boxes add confusion to the cipher.

  • Encryption Steps in DES:

  1. Initial Permutation (IP): Rearranges the 64-bit plaintext.

  2. Rounds (16 rounds): Each round applies expansion, key mixing (XOR with subkey), substitution (via S-boxes), & permutation (via P-boxes).

  3. Final Permutation (IP⁻¹): Reverses the initial permutation.

  • AES (Advanced Encryption Standard): Replaces DES, supports block size = 128 bits, and uses key lengths = 128, 192, or 256 bits.

  • 3DES: Applies DES 3x for improved security, using either two or three keys.


Process (S-box and P-box in each DES round):

1) S-box: 8 boxes, each mapping 6 bits → 4 bits (substitution).

2) P-box: Takes 32 bits and rearranges the order (permutation), but the number of bits stays the same.

S-box lookup: the 6-bit input to an S-box is split into 2 parts: (1) Row: The first and last bits of the 6-bit input. (2) Column: The middle 4 bits of the 6-bit input.

Example: Consider a 6-bit input 110110:

Row: The first and last bits = 10

Column: The middle 4 bits = 1011

Output value of S-box (reading row 10 as the third row and column 1011 as column 12) = 1010

Repeat this for all 8 S-boxes, then follow the given P-box pattern to rearrange the resulting 32-bit output.


Asymmetric Encryption: Uses a public key for encryption and a private key for decryption.

  • RSA is used for secure communications, based on the difficulty of factoring the product of two large prime numbers.

One-Time Pad (OTP) - provides great security by using a random key, as long as the message, only once.

  • Challenge: key distribution (both sender and receiver must have the same key) & key management (storing and securely handling the key) 

Malware is software designed to harm or exploit systems.

→ Types of actions include downloading other malware, deleting files, and remote control of systems.


Trusted software – Asks for permission before accessing data.

Malware – Accesses data without permission.


Trojan Horse Concept – Malicious code can be hidden inside legitimate software (backdoor).

  • Example:

 If valid (password)

 then allow access

A malicious version might include hidden code:

 If valid (password) OR password = "ABC"

 then allow access
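Added example (not part of the original sheet): a small code-review aid in Python that flags the backdoor pattern above, where a password-like variable is compared with a hard-coded string. The two sample login functions, the name list and the function names are constructed for this illustration.

```python
import ast

# Constructed sample: the sheet's backdoored check written as Python.
BACKDOORED = '''
def login(user, password):
    if valid(user, password) or password == "ABC":
        return True
    return False
'''

# Constructed sample: the legitimate check.
CLEAN = '''
def login(user, password):
    if valid(user, password):
        return True
    return False
'''

# Variable-name fragments treated as "holds a credential" (an assumption).
SECRET_NAMES = ("password", "passwd", "pwd", "secret", "token")

def _is_secret_name(node):
    return isinstance(node, ast.Name) and any(
        fragment in node.id.lower() for fragment in SECRET_NAMES)

def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def find_hardcoded_credential_checks(source):
    """Return (line, literal) for each `secret == "literal"` style comparison.

    Only direct ==/!= comparisons against string literals are caught; a
    backdoor hidden behind a hash or an encoded constant needs other review.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        operands = [node.left] + node.comparators
        for op, left, right in zip(node.ops, operands, operands[1:]):
            if not isinstance(op, (ast.Eq, ast.NotEq)):
                continue
            if _is_secret_name(left) and _is_str_literal(right):
                findings.append((node.lineno, right.value))
            elif _is_str_literal(left) and _is_secret_name(right):
                findings.append((node.lineno, left.value))
    return findings

if __name__ == "__main__":
    print(find_hardcoded_credential_checks(BACKDOORED))
    print(find_hardcoded_credential_checks(CLEAN))
```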

Open-source software promotes transparency by allowing anyone to review the code.

  • E.g. of exploitation: Mobile apps requesting location data may misuse the information by secretly sharing it with third parties.

Worm malware - a self-replicating program that spreads across networks without user intervention

Find (computer)

Send (worm) to computer

Run (worm) on computer

  • Process: Worms jump from one computer to another, creating a chain reaction.

  • E.g.:   → Computer Alice sends the worm to Computer Bob

   → Computer Bob sends the worm to Computer Fred, and so on.

  • Trace behaviour: Worms exploit vulnerabilities in systems to propagate endlessly.

Alice → Bob → Fred → [next systems].

Defense in Depth - uses multiple layers of security to protect systems. 

  • If one layer fails, others can still provide protection. → Instead of repeating the same protection, different methods (i.e. passwords, firewalls) are used together.

AAA Model:

  • Authentication: Verifies who you are (e.g., passwords).

  • Access Control: Limits who can access certain resources (e.g., firewalls).

  • Audit: Tracks activity to catch suspicious behavior.


Cybersecurity setups use multiple protective measures (e.g., firewalls, antivirus) to create a layered defense.

  • Layers work together to keep systems secure → If one fails (e.g., a password is guessed), other layers (like firewalls) still protect the system.


Antivirus – a cybersecurity software tool that works by using signatures to detect malware, identifying patterns like file names or sizes.

Hackers create variants of malware, such as changing file names from Trojan.exe to Trojan1.exe, making signature-based detection less effective.

Behavioral analysis improves detection by focusing on unusual activity, like unexpected external access, instead of fixed patterns.

Advanced techniques like machine learning adapt to new threats by identifying changes in behavior.

Rootkits hide in a system’s memory, making them hard to detect, but tools like the Trusted Computing Base (TCB) provide reliable snapshots of trusted system utilities to spot changes.

Hackers often stay ahead with zero-day exploits, which leave defenders unprepared for entirely new threats.









Passwords - the most common and familiar form of authentication.

  • Popular due to their convenience = easy to create, remember and reuse


Authentication Process → to verify a user's identity:

  1. Identification: Provide username or ID.

  2. Challenge: System requests proof.

  3. Computation: User retrieves proof.

  4. Response: User submits proof.

  5. Validation: System verifies proof.

  6. Notification: User is informed of the result


Cons of Passwords:

  • Single-Factor Authentication: If a hacker breaks the password, there’s no fallback defense.

  • Easy to Guess: Common issues include:

    • Default passwords like "password" or "123456."

    • Reuse of passwords across different platforms.

    • Guessing using personal details like birthdates or ZIP codes.

    • Cracking encrypted passwords with tools like dictionary attacks.

    • Phishing scams that trick users into revealing credentials.

    • Keylogging cyber attacks capture everything typed, including passwords and sensitive information.


Two-Factor Authentication (2FA) - adds an extra layer of security by requiring two forms of identification to verify a user’s identity. 

→ It combines something you know (like a password) with something you have (like a mobile phone).

  • 2FA Process:

  1. User provides their password (first factor).

  2. System sends a code to the user’s mobile phone (second factor).

  3. User enters the code to complete authentication.

  • 2FA helps prevent spoofing attacks (where an attacker pretends to be a trusted user). Even if a hacker steals the password, they can't proceed without the second factor (e.g., mobile phone).

  • 2FA doesn't have to rely on passwords and mobiles; it can use any two separate factors, like biometric tests (e.g., fingerprint scans).


Biometric Authentication - Biometric factors (thumbprints, facial recognition) are often used in 2FA.

  • These unique physical attributes are stored as hashes in a database.

  • BUT, spoofing biometric data during registration is a security challenge.

Ideal Biometrics:

  • Universal: Applies to almost everyone.

  • Distinguishable: Can distinguish with certainty (though not 100%).

  • Permanent: Ideally remains unchanged over time.

  • Collectable: Easy to collect, depending on subject cooperation.

Biometric Modes:

  • Identification: Who goes there? (one-to-many comparison).

  • Authentication: Are you who you say you are? (one-to-one comparison).

  • Enrollment vs Recognition:

    • Enrollment: Precise, slow data collection.

    • Recognition: Quick, accurate detection.

Biometric Errors

  • Fraud Rate: Misidentification (e.g., Trudy as Alice).

  • Insult Rate: Failure to recognize (e.g., Alice not recognized as Alice).

  • Equal Error Rate (EER): The point where fraud and insult rates are equal.
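Added example (not part of the original sheet): computing the fraud rate, insult rate and equal error rate in Python from match scores. The scores are constructed sample data (higher means a closer match to the enrolled template) and the function names are made up for this illustration.

```python
# Constructed scores from attempts by the real user (Alice as Alice).
GENUINE = [0.91, 0.85, 0.78, 0.66, 0.95, 0.58, 0.88, 0.73, 0.81, 0.69]
# Constructed scores from attempts by someone else (Trudy as Alice).
IMPOSTOR = [0.12, 0.35, 0.48, 0.61, 0.22, 0.70, 0.41, 0.30, 0.55, 0.18]

def fraud_rate(threshold, impostor):
    """Fraction of impostor attempts accepted (score at or above threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def insult_rate(threshold, genuine):
    """Fraction of genuine attempts rejected (score below threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)

def equal_error_rate(genuine, impostor):
    """Scan candidate thresholds and return (threshold, EER).

    The EER is taken at the threshold where the two rates are closest; with
    finite samples they may not be exactly equal, so their mean is reported.
    """
    best = None
    for t in sorted(set(genuine + impostor)):
        fr, ir = fraud_rate(t, impostor), insult_rate(t, genuine)
        gap = abs(fr - ir)
        if best is None or gap < best[0]:
            best = (gap, t, fr, ir)
    _, t, fr, ir = best
    return t, (fr + ir) / 2

if __name__ == "__main__":
    # A lax threshold lets impostors in; a strict one locks the real user out.
    for t in (0.3, 0.66, 0.9):
        print(t, fraud_rate(t, IMPOSTOR), insult_rate(t, GENUINE))
    print(equal_error_rate(GENUINE, IMPOSTOR))
```

Lowering the threshold trades insults for fraud and raising it does the reverse, which is why a single EER figure is used to compare systems.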


Authentication: Verifying identity.

Authorization: Determining allowed actions (access control via ACLs (Access Control Lists) and Capabilities).

  • Access Control

  • Access Control Matrix: User-resource access info.

  • ACLs: Store matrix by columns.

  • Multilevel Security (MLS):

    • Classifications apply to data (objects).

    • Clearances apply to users (subjects).

    • DoD Levels: TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED.


An Adaptive Authentication Method uses multiple factors (e.g., location, device behavior) to adjust security based on the situation, strengthening protection when needed.

Challenge-Response Authentication - method using one-time information for security:

  • Nonce = A random number used once.

  • One-time password = Valid for a single session.

  • Token devices = Generate one-time codes.

  • Hardware/Software (2FA) = Physical or app-based tools used for authentication.
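Added example (not part of the original sheet): a nonce-based challenge-response in Python that follows the six authentication steps listed earlier (identification, challenge, computation, response, validation, notification). It assumes a pre-shared secret per user and uses HMAC-SHA256 as the proof; the class and function names are made up for this illustration.

```python
import hashlib
import hmac
import secrets

class Server:
    def __init__(self, user_keys):
        self._keys = user_keys      # username -> shared secret (bytes)
        self._pending = {}          # username -> nonce not yet answered

    def challenge(self, username):
        """Steps 1-2: the user identifies; the server requests proof."""
        nonce = secrets.token_bytes(16)   # random number used once
        self._pending[username] = nonce
        return nonce

    def validate(self, username, response):
        """Steps 5-6: verify the proof and report the result."""
        # pop() consumes the nonce, so a captured response cannot be replayed.
        nonce = self._pending.pop(username, None)
        key = self._keys.get(username)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)

def compute_response(key, nonce):
    """Steps 3-4: the user computes the proof and submits it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    key = secrets.token_bytes(32)               # constructed shared secret
    server = Server({"alice": key})

    nonce = server.challenge("alice")
    response = compute_response(key, nonce)
    first = server.validate("alice", response)   # valid proof

    replay = server.validate("alice", response)  # same proof, nonce is spent

    server.challenge("alice")                    # fresh nonce issued
    stale = server.validate("alice", response)   # old proof vs new nonce

    nonce3 = server.challenge("alice")
    wrong = server.validate(
        "alice", compute_response(secrets.token_bytes(32), nonce3))
    return first, replay, stale, wrong

if __name__ == "__main__":
    print(demo())
```

The secret itself never crosses the network; only the nonce and the proof computed from it do.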




The Orange Book is a system used to evaluate computer security, with 4 divisions:

A – Highest security (verified protection).

B – Strong protection (mandatory, tamperproof, and labeled security).

C – Weak protection (user-controlled).

D – Minimal protection (no real security).

TCSEC: Trusted Computer System Evaluation Criteria (1983), developed by the DoD (NSA).

Division Breakdown

  • A: Verified protection (formally proven, though not always practical).

  • B: Mandatory protection (enforced, no bypassing).

    • B1: Labeled security (data is labeled to limit access).

    • B2: Structured protection (includes covert channel protection).

    • B3: Security domains (tamperproof, small code).

  • C: Discretionary protection (user-controlled).

    • C1: Basic protection.

    • C2: Controlled access (stronger, with audits).

  • D: Minimal protection (no significant security).







OSI Model 

  1. Layer 1: Physical Layer → Deals with the physical connection, like cables and hardware.

  2. Layer 2: Data Link Layer → Handles data transfer between two directly connected devices.

  3. Layer 3: Network Layer 

  • IP Protocol: Routes packets using IP addresses from source to destination.

  4. Layer 4: Transport Layer

  • TCP: Ensures reliable communication, error correction, and flow control.

  • UDP: Faster but unreliable communication.

  5. Layer 5: Session Layer → Manages sessions between devices for continuous data exchange.

  6. Layer 6: Presentation Layer → Formats or translates data (e.g., encryption, compression).

  7. Layer 7: Application Layer → Interacts with software applications and end-users

  • HTTP

  • FTP



TCP/IP SECURITY - measures to protect data transmitted over the TCP/IP protocol, including encryption and authentication.

Cryptographic Suites: Combinations of encryption protocols (e.g., SSL/TLS, IPSec) for secure communication.

1. Transport Mode: Encrypts only the payload (end-to-end communication).

2. Tunnel Mode: Encrypts the entire IP packet (used in VPNs).

Web Security Protocols:

  • SSL/TLS: Secures HTTP connections (HTTPS).

  • SSH: Secure remote login and data exchange.

    1. Transport Protocol: Secures transport layer communication.

    2. User Authentication Protocol: Verifies identity.

    3. Connection Protocol: Manages client-server connection.

  • IPSec - a suite of protocols securing IP communication by encrypting and authenticating all traffic at the IP layer.

    1. ESP: Provides encryption for confidentiality and optional authentication.

    2. IKE: Protocol for setting up security associations (SA).




SSL/TLS handshake:

  1. Client Hello: Client sends supported ciphers and random data.

  2. Server Hello: Server picks cipher, sends its certificate (public key) and random data.

  3. Key Exchange: Client verifies server certificate, sends encrypted "pre-master secret."

  4. Session Key Generation: Both client and server generate session keys from the pre-master secret.

  5. Client Finished: Client confirms with a message encrypted using the session key.

  6. Server Finished: Server confirms with its own encrypted message.


3-Way Handshake (TCP) - establishes a connection in three steps:

  1. SYN: Client sends SYN to initiate.

  2. SYN/ACK: Server responds with SYN/ACK.

  3. ACK: Client sends ACK to confirm connection.


NETWORK SECURITY - protecting networks and data from unauthorized access and attacks.

Firewall - a security system that filters network traffic to block unauthorized access.

  • Types:

  • Application-Level Gateway: Filters traffic at the application layer (HTTP, FTP).

  • Circuit-Level Gateway: Monitors handshakes and manages connections.

  • Firewall Location: Placed between internal and external networks to filter traffic.

  • Distributed Firewall: Provides granular security across the network.

  • Web Application Firewalls (WAFs): Protect web apps from threats like SQL injection, XSS.


DMZ: Separates internal and external networks for additional server protection.

VPN: Secure, encrypted tunnel over the Internet for privacy and integrity.

IDS: Monitors traffic for suspicious activity.

  • Anomaly-Based IDS: Detects unusual traffic patterns.

  • Signature-Based IDS: Detects known threat patterns.

IPS: Similar to IDS, but can block malicious traffic.

  • HIDS: Monitors individual machines.

  • NIDS: Monitors network traffic.


Network Security Attacks

  • SYN Flood: DoS attack using multiple SYN requests to overwhelm a server.

  • HTTP Flood: DoS attack targeting web servers by sending HTTP requests.

  • ARP Poisoning: Redirects traffic by associating an attacker’s MAC with another device's IP.

  • DNS Poisoning/Cache Poisoning: Redirects users to fake websites using malicious DNS entries.
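Added example (not part of the original sheet): detection logic in Python that ties the TCP 3-way handshake to the SYN flood entry above. It tracks each connection through SYN, SYN/ACK and ACK, then flags servers holding many handshakes that never received the final ACK. The log format, addresses (documentation ranges) and threshold are constructed for this illustration.

```python
from collections import Counter

def build_sample_log():
    """Constructed packet summary, one line per packet: 'src > dst flags'.

    Flags: S = SYN, SA = SYN/ACK, A = ACK.
    """
    server = "192.0.2.10:443"
    lines = [
        # One normal client completing all three steps.
        f"198.51.100.20:50000 > {server} S",
        f"{server} > 198.51.100.20:50000 SA",
        f"198.51.100.20:50000 > {server} A",
    ]
    # Five sources that send SYN, get SYN/ACK, and never send the ACK.
    for i in range(1, 6):
        client = f"203.0.113.{i}:{40000 + i}"
        lines.append(f"{client} > {server} S")
        lines.append(f"{server} > {client} SA")
    return "\n".join(lines)

def half_open_counts(log):
    """Count handshakes per server that did not reach the final ACK."""
    state = {}  # (client, server) -> last completed handshake step
    for line in log.splitlines():
        src, _, dst, flags = line.split()
        if flags == "S":
            state[(src, dst)] = "SYN"
        elif flags == "SA" and state.get((dst, src)) == "SYN":
            state[(dst, src)] = "SYN/ACK"
        elif flags == "A" and state.get((src, dst)) == "SYN/ACK":
            state[(src, dst)] = "ESTABLISHED"
    return Counter(server for (_, server), step in state.items()
                   if step != "ESTABLISHED")

def flag_syn_flood(log, threshold=3):
    """Servers with at least `threshold` half-open handshakes.

    Counting is per server, not per client, because flood sources are often
    spoofed. A production detector would also apply a time window.
    """
    return sorted(s for s, n in half_open_counts(log).items() if n >= threshold)

if __name__ == "__main__":
    log = build_sample_log()
    print(half_open_counts(log))
    print(flag_syn_flood(log))
```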


Distributed Denial of Service (DDoS) - an attack that floods a target with traffic from multiple sources, overwhelming its resources and causing service disruption.

Botnets - Networks of compromised devices used to generate high-volume traffic toward a target.

Reflection and Amplification - Attacker sends small requests to third-party servers with the victim's IP spoofed as the source, so the larger (amplified) responses go to the victim.

DDoS Mitigation Techniques:

  1. Upstream Filtering - ISPs or security providers filter incoming traffic to mitigate DDoS before it reaches the target.

  2. Scrubbing Centers - Specialized security devices that clean inbound traffic, filtering out malicious DDoS traffic.


Characteristics of an Ideal Security Protocol

  • Confidentiality: Data only accessible to authorized users.

  • Integrity: Data remains unaltered.

  • Authentication: Verifies identities.

  • Non-repudiation: Prevents denial of authenticity.

  • Efficiency: Fast, scalable, and resource-efficient.


EDS (Electronic Data Security) - Protects data via encryption, authentication, and access control using protocols like SSL/TLS and VPNs.

Out-of-Band: Communication outside the main data channel.

Blocking Out-of-Band: Control or block via management channels (e.g., firewalls) without interrupting data flow.

Layer 3 (Network Layer): Routes packets using IP addresses.

Layer 4 (Transport Layer): Manages communication flow; TCP ensures reliable delivery, UDP is faster but unreliable.


Bad Software (Vulnerabilities) → Software flaws that can be exploited, caused by poor coding, lack of updates, or excessive privileges.


Examples of Attacks on Software

  • Buffer Overflow: Overflows buffer memory to execute code or crash the system.

  • SQL Injection: Malicious SQL queries manipulate databases, bypassing security.

  • XSS: Malicious scripts are injected into web pages to steal data or redirect users.

  • Privilege Escalation: Exploiting vulnerabilities to gain unauthorized higher-level access.