Cisco Cybersecurity Training Notes (Modules 1–5)

1. Common Threats (Module 1: Cybersecurity Threats, Vulnerabilities, and Attacks)

• Threat domain: an area of control, authority, or protection that attackers can exploit to gain access to a system.

  • Attackers can exploit systems within a domain via:
  • Direct, physical access to systems and networks
  • Wireless networking extending beyond organizational boundaries
  • Bluetooth or near-field communication (NFC) devices
  • Malicious email attachments
  • Less secure elements in an organization’s supply chain
  • An organization’s social media accounts
  • Removable media (e.g., flash drives)
  • Cloud-based applications

• Threats are categorized by domain and by type of threat.

• Threat types (Common Threats) include:

  • Software Attacks: e.g., a successful denial-of-service (DoS) attack; a computer virus
  • Software Errors: software bug; an application going offline; cross-site scripting (XSS) or illegal file server share
  • Sabotage: authorized user compromising a primary database; website defacement
  • Human Error: inadvertent data entry errors; firewall misconfigurations
  • Theft: laptops or equipment stolen from an unlocked room
  • Hardware Failures: hard drive crashes
  • Utility Interruption: electrical outages; water damage from sprinkler failure
  • Natural Disasters: hurricanes, tornadoes, earthquakes, floods, fires

• Internal vs External Threats

  • Internal threats: accidents or intentional actions by current/former employees or contract partners; server/network infrastructure compromises via infected media or malicious emails/websites
  • External threats: come from amateur or skilled attackers; exploit vulnerabilities in networked devices or use social engineering

• User Threats and Vulnerabilities (a user domain includes employees, customers, contract partners)

  • Users are the weakest link; threaten confidentiality, integrity, and availability
  • Examples: lack of security awareness; poorly enforced policies; data theft; unauthorized activity (downloads, media, VPNs, websites); destruction of systems/data

• Threats to Devices

  • Devices left powered on and unattended
  • Downloading files from unreliable sources
  • Vulnerable software installed on devices
  • New viruses, worms, and malware
  • Unauthorized USB drives, CDs, or DVDs
  • Lack of IT security policies
  • Outdated hardware or software

• Threats to the Local Area Network (LAN)

  • Unauthorized access to wiring closets, data centers, and computer rooms
  • Unauthorized access to systems, apps, data
  • OS/software vulnerabilities and updates
  • Rogue users gaining access to wireless networks
  • Exploits of data in transit
  • LAN servers with different hardware/OS
  • Unauthorized network probing and port scanning
  • Misconfigured firewalls

• Threats to the Private Cloud

  • Unauthorized network probing/port scanning
  • Unauthorized access to resources
  • Router/firewall/network device OS or software vulnerabilities
  • Router/firewall/device configuration errors
  • Remote users accessing infrastructure and downloading sensitive data

• Threats to the Public Cloud

  • SaaS, PaaS, IaaS models and their risks; data in cloud services

• Threats to Applications

  • Unauthorized access to data centers, rooms, wiring closets, or systems
  • Server downtime during maintenance
  • OS software vulnerabilities
  • Data loss; client-server or web app development vulnerabilities

• Threat Complexity

  • Software vulnerabilities stem from programming mistakes, protocol flaws, or misconfigurations
  • Attack methods include:
  • Advanced Persistent Threat (APT): continuous espionage with elaborate malware and multiple actors
  • Algorithm attacks: exploiting algorithms in legitimate software to cause unintended behaviors

• Backdoors and Rootkits

  • Backdoors: bypass authentication to gain unauthorized access; remote admin tools (RAT) install backdoors
  • Rootkits: modify OS to create a backdoor; privilege escalation; modify system files

• Threat Intelligence and Research Sources

  • US-CERT and DHS CVE dictionary
  • The dark web (encrypted, not indexed by standard search engines)
  • Indicator of Compromise (IOC): malware signatures, domain names, evidence of breaches
  • Automated Indicator Sharing (AIS): real-time threat indicator exchange via STIX/TAXII (CISA)

• 1.2 Deception (Module 1: Deception)

  • Social engineering: non-technical strategy to manipulate individuals into revealing information or performing actions
  • Common social engineering attacks:
  • Pretexting: lying to gain access to confidential data
  • Quid pro quo: requesting personal information in exchange for something
  • Identity fraud: using stolen identity for goods/services
  • Social engineering tactics (to exploit human psychology):
  • Authority, Intimidation, Consensus, Scarcity, Urgency, Familiarity, Trust
  • Shoulder Surfing and Dumpster Diving
  • Shoulder surfing: observing PINs, access codes, etc. (can be done via binoculars or cameras)
  • Dumpster diving: searching trash for discarded sensitive information; shred/destroy documents
  • Impersonation and Hoaxes
  • Impersonation: pretend to be someone else to trick victims
  • Hoax: deceptive acts causing disruption similar to a security breach
  • Piggybacking and Tailgating
  • Followers gain entry by appearing escorted or by joining crowds; use mantraps (outer door then inner door)
  • Other deception methods: invoice scams, watering hole attacks, typosquatting, prepending, influence campaigns
  • Defending Against Deception
  • Promote awareness of social engineering; educate employees on prevention
  • Tips: never disclose confidential info via email/chat/phone; resist clicking on enticing emails/links; beware of auto-downloads; enforce security policies; encourage ownership; do not yield to pressure
  • Lab: Lab exploring social engineering techniques; Part 1: Explore social engineering; Part 2: Create cybersecurity awareness poster

• 1.3 Cyber Attacks (Module 1: Cyber Attacks)

  • Malware taxonomy (three common types):
  • Virus: self-replicating program that attaches to other files when executed
  • Worm: self-replicates by exploiting network vulnerabilities
  • Trojan horse: carries out malicious operations while appearing legitimate
  • Logic bombs
  • Malicious program waiting for a trigger (e.g., date or database entry); then executes harmful code
  • Can sabotage database records, erase files, or attack OS/applications
  • Ransomware
  • Holds a system or data hostage until payment; typically encrypts data and demands payment via untraceable method
  • Decryption may not occur even after payment; some variants exploit system vulnerabilities
  • Spread via phishing emails or software vulnerabilities
  • Denial of Service (DoS) Attacks
  • Simple to conduct; two main types:
    • Flood of traffic: overwhelms network, host, or app
    • Maliciously formatted packets: causes receiver to fail handling
  • DNS Attacks
  • Open DNS resolver weaknesses used for attacks
  • DNS concepts: DNS reputation, DNS spoofing (cache poisoning), domain hijacking, URL usage
  • Layer 2 Attacks
  • Spoofing: MAC, ARP, IP spoofing
  • MAC Flooding: floods switch with fake MACs to compromise data paths
  • Man-in-the-Middle (MitM) and Man-in-the-Mobile (MitMO)
  • MitM: attacker positions between two devices to intercept/alter communications
  • MitMO: attacker targets mobile device; exfiltrates data from device
  • Zero-Day Attacks
  • Exploit software vulnerabilities before they are known or patched; defense requires holistic network security
  • Keyboard logging
  • Keystrokes captured by software or hardware; reveals usernames, passwords, etc.; anti-spyware can detect such keyloggers
  • Defending Against Attacks
  • Network hardening; awareness; patch management; antivirus; email/browser defenses; firewall rules
  • Common Email/Browser Threats
  • Spam: bulk unsolicited email often with malicious links or attachments; indicators include missing subject, requests for account updates, long cryptic links, etc.; policy: report suspected mail to cybersecurity team
  • Phishing and Spear phishing: impersonation via email/IM; spear phishing tailored to individuals; vishing (voice), pharming (misdirected website), whaling (targeting executives)
  • Defending Against Email and Browser Attacks
  • ISPs filter spam; antivirus scans; educate employees; scan attachments; join APWG; keep software patched
  • Other Attacks (There’s More…): Physical attacks; Adversarial AI; Supply chain; Cloud-based attacks
  • 1.3 Summary (Key Learnings):
  • DNS/ARP/ DHCP concepts; common email threats; XSS and code injections; malware defense with antivirus; worm lifecycle; reconnaissance mitigation; best practices including user education, strong passwords, backups, patching, and audits

• 1.4 Wireless and Mobile Device Attacks (Module 1: Wireless and Mobile Attacks)

  • Grayware and Smishing
  • Grayware: unwanted apps that annoy or track user; may monitor location or serve ads
  • SMiShing: fake SMS messages prompting malicious sites or numbers; malware can be downloaded
  • Rogue Access Points
  • Unauthorized APs on secure networks; can capture credentials or perform MitM; evil twin depicted
  • Radio Frequency Jamming (RF jamming)
  • Attackers jam wireless signals by matching frequency/power of target device; RF jamming requires matching modulation and power
  • Bluejacking and Bluesnarfing
  • Bluejacking: sending unsolicited messages via Bluetooth
  • Bluesnarfing: copying data (emails, contacts) via Bluetooth
  • Attacks on Wi‑Fi Protocols (WEP/WPA/WPA2/WPA3)
  • WEP: weak RC4 encryption; no proper key management; easily crackable; deprecated
  • WPA/WPA2: improved security; AES (CCMP) for encryption; WPA3 recommended if available; PMF (Protected Management Frames) is part of WPA3
  • WLAN Defense Measures
  • Use authentication and encryption; place access points outside firewall or in a DMZ
  • Use tools like NetStumbler to detect rogue APs; guest access policies; VPN for WLAN access
  • 5.4 Wireless Network Communication Summary
  • Key concepts recap: 802.11 frame structure; CSMA/CA; AP centralization via WLC; rogue AP threats; MiTM concepts; four shared-key authentication methods; home vs enterprise authentication choices; WPA/WPA2/WPA3

• 1.5 Application Attacks (Module 1: Application Attacks)

  • Cross-Site Scripting (XSS)
  • Client-side script injection into web pages; attacker steals cookies/session tokens and impersonates user
  • Code Injection (XML, SQL, DLL, LDAP)
  • XML injection corrupts XML data; SQL injection inserts malicious SQL; DLL injection loads malicious DLL; LDAP injection exploits LDAP queries to extract data
  • Buffer Overflow
  • Writing beyond buffer boundaries; can crash or compromise memory; may enable privilege escalation
  • Remote Code Execution and Privilege Escalation
  • Exploiting application weaknesses to execute code with user privileges; Metasploit as a toolset for exploit development
  • Other Application Attacks
  • CSRF (Cross-Site Request Forgery)
  • TOC/TOU (Time of Check – Time of Use) race conditions
  • Improper input handling; data not validated; possible buffer overflows or SQL injections
  • API abuse; Replay attacks; Directory traversal; Resource exhaustion
  • Defending Against Application Attacks
  • Write solid, secure code; validate all external input as hostile; keep software updated with patches
  • Spam, Phishing, and Email Security
  • Spam indicators; phishing harms; anti-spam/anti-phishing measures; APWG membership; patch/updates to software
  • Phishing, Vishing, Pharming, Whaling
  • Email and Browser Defense
  • Best practices for email/browsers; use IPS, proxies, and security training
  • There’s More… Additional Attacks
  • Physical attacks; Adversarial AI; Supply chain; Cloud-based risks
  • 1.5 Summary: Key takeaways on DNS, ARP, DHCP spoofing; injection attacks; XSS; antivirus as defense; four-phase worm response; reconnaissance mitigation; best practices

• 1.6 Cybersecurity Threats, Vulnerabilities, and Attacks Summary

  • Recap of key concepts from the module:
  • Threat domain and attack surface concepts
  • Internal vs external threats; threat types and examples
  • Social engineering and deception defenses
  • Malware and grayware definitions; defense basics
  • Wireless/device threats and secure WLANs overview
  • Application attacks and defense basics

2. Securing Networks (Module 2: Securing Networks)

• 2.1 Current State of Affairs
  • Networks are routinely targets; threat maps (e.g., Kaspersky Cyberthreat Real-Time Map) show ongoing attacks; many tools exist for threat visualization
  • Why network security matters: business continuity; breaches disrupt e-commerce, data integrity, privacy, and can lead to financial loss, lawsuits, and public safety concerns
  • Threat mitigation: vigilance and tools (e.g., Cisco Talos Intelligence Group, Cisco PSIRT)
• 2.2 Who is Attacking Our Network? (Threats, Vulnerabilities, and Risk)
  • Key terms:
  • Threat: potential danger to an asset
  • Vulnerability: weakness that can be exploited
  • Attack surface: total vulnerabilities exposed to an attacker
  • Exploit: mechanism to leverage a vulnerability; can be remote or local
  • Risk: likelihood of exploitation and undesirable consequence
  • Four common risk management strategies:
  • Risk acceptance: cost of options > cost of risk; take no action
  • Risk avoidance: eliminate activity/device that presents risk
  • Risk reduction: reduce exposure/impact; most commonly used
  • Risk transfer: shift risk to third party (e.g., insurance)
  • Hacker vs threat actor taxonomy:
  • White hat: ethical hackers; penetration testing; security research
  • Grey hat: may commit crimes or unethical acts, potentially disclose vulnerabilities publicly
  • Black hat: malicious criminals exploiting vulnerabilities
  • Threat actor evolution:
  • Script kiddies: exploit existing scripts/tools for harm
  • Vulnerability brokers: discover/report exploits to vendors
  • Hacktivists: protest via leaking data, DDoS, etc.
  • Cybercriminals: financially motivated criminals
  • State-sponsored: government-aligned actors; role ambiguous between white/black hat
  • Cyber threat indicators (IOCs) vs Indicators of Attack (IOAs)
  • IOCs: malware signatures, domain names, etc.; useful for defensive forensics
  • IOAs: attacker strategies, tactics; proactive defense
  • Threat sharing and awareness
  • CISA AIS for automated sharing of threat indicators; National Cybersecurity Awareness Month (NCASM) promoted by CISA/NCSA
• 2.3 Securing Networks Summary
  • Key takeaways on attack vectors, risk management, threat actors, and the importance of indicator sharing for defense

3. Attacking the Foundation (Module 3: Attacking the Foundation)

• 3.1 IP PDU Details
  • IP is a Layer 3 connectionless protocol; IPv4 and IPv6 header structure differences
  • IP does not validate the source IP; spoofing is possible; security analysts must understand IPv4/IPv6 header fields
  • IPv4 header basics and the IPv6 header differences (version values: 0100 for IPv4 and 0110 for IPv6 in binary)
  • Key IPv4 header concepts:
  • Version, Internet Header Length, DS Field (Differentiated Services) with DSCP and ECN, Total Length, Identification/Flags/Fragment Offset, TTL, Protocol, Header Checksum, Source/Destination Addresses, Options and Padding
  • IPv4 header length, fragmentation behavior, and the role of TTL
• 3.2 IP Vulnerabilities
  • IP attacks overview:
  • ICMP attacks: reconnaissance, DoS/DDoS, DoS flood, routing table manipulation
  • DoS and DDoS attacks: overwhelm legitimate users
  • Address spoofing: non-blind vs blind spoofing; hides sender identity or fuels DoS; MAC spoofing in LAN contexts
  • MiTM and session hijacking: eavesdropping or tampering with sessions
  • ICMP specifics: ICMP echo requests/replies, unreachable, mask reply, redirects, router discovery; used for recon, DoS, and traffic redirection
• 3.3 TCP and UDP Vulnerabilities
  • TCP fundamentals: reliable delivery with acknowledgments; flow control; three-way handshake; connection establishment
  • TCP attacks:
  • TCP SYN Flood: spoofed SYNs cause half-open connections; consumes server resources
  • TCP reset attacks: abrupt termination via RST; four-way FIN/ACK close sequence
  • TCP session hijacking: attacker predicts sequence numbers and hijacks a live session
  • UDP fundamentals: connectionless; smaller header; used by DNS, DHCP, SNMP; low overhead; no guaranteed delivery
  • UDP attacks:
  • UDP floods: overwhelm server with UDP packets; often leads to DoS-like conditions; potential spoofed sources
• 3.4 Attacking the Foundation Summary
  • Summary bullets focusing on IP, TCP/UDP vulnerabilities, handling of ICMP, spoofing, MiTM, session hijacking, and UDP flood dynamics

4. Attacking What We Do (Module 4: Attacking What We Do)

• 4.1 IP Services
  • ARP vulnerabilities and spoofing
  • Gratuitous ARP: unsolicited replies allow attackers to poison ARP caches and perform MiTM by associating attacker MAC with gateway IP
  • ARP cache poisoning: redirect traffic via fake ARP replies
  • ARP process steps (simplified):
  • ARP Request for gateway MAC → ARP Reply updates ARP caches
  • Consequences: MiTM between victim and external networks; attacker places self between victim and rest of network
• 4.2 Enterprise Services (HTTP/HTTPS, common HTTP exploits)
  • Attack flow: compromised webpage leads to exploit kit scan of victim’s software; exploit kit serves malware payload; persistence/communication to malware server
  • Server logs and HTTP status codes:
  • 1xx Informational, 2xx Successful, 3xx Redirection, 4xx Client Error, 5xx Server Error
  • Common HTTP exploits:
  • Malicious iFrames: inject malicious content via iframes
  • HTTP 302 Cushioning: multiple redirects to reach malicious content
  • Domain shadowing: compromised domains with subdomains to mask malicious activity
• 4.3 Mitigating Common Network Attacks
  • Defensive best practices:
  • Written security policy; employee security education; validate identities
  • Physical access control
  • Strong password policies; encryption and protection of sensitive data
  • Deploy security hardware/software: firewalls, IPS, VPN, antivirus, content filtering
  • Regular backups and testing; shut down unnecessary services/ports
  • Patch management; security audits
  • Malware mitigation: antivirus; blocking known malware via indicators; device hardening
  • Worm mitigation: containment, inoculation (patching), quarantine, treatment; potential reimage in severe cases
  • Reconnaissance mitigation: authentication, encryption, anti-sniffer tools; switched infrastructure; firewall/IPS
  • Access attack mitigation: strong password policies; minimum trust; cryptography; MFA; log reviews
  • DoS mitigation: network utilization monitoring; anti-spoofing (ACLs, DHCP snooping, IP Source Guard, DAI, etc.); block external ICMP on edges when appropriate
  • DoS lab/activity: threat mitigation lab exercises
  • Lab: Threat mitigation measures (Part 1: Incident at video production company; Part 2: Incident at a retail company)
• 4.4 Attacking What We Do Summary
  • Key learnings recap: DNS/ARP/DHCP spoofing; code injection and SQL injection; XSS; antivirus as primary defense against virus/trojan; worm response phases; reconnaissance mitigation; cyber security best practices

5. Wireless Network Communication (Module 5: Wireless Network Communication)

• 5.1 Wireless Communications
  • WLAN operation concepts: infrastructure mode, ad hoc mode, tethering, BSS, ESS, 802.11 frame structure, CSMA/CA, and discovery modes (passive/active)
  • 802.11 vs wired Ethernet comparison: RF vs cables; shared medium vs full-duplex; interference and regulatory differences
  • 802.11 frame structure highlights: Frame Control, Duration, Address1-4, Sequence Control, Payload, FCS
• 5.2 WLAN Threats
  • Threats include data interception, rogue APs, wireless intruders, and DoS attacks
  • DoS can arise from misconfigurations, intentional interference, or accidental interference (2.4 GHz bands more prone to interference than 5 GHz)
  • Rogue APs (and evil twin) and their risks; MitM via rogue APs
• 5.3 Secure WLANs
  • SSID cloaking and MAC address filtering as early security controls; limitations
  • Authentication methods (802.11 security evolution): open system auth vs shared key; WEP, WPA, WPA2, WPA3
  • Shared key authentication methods:
  • WEP: RC4-based; insecure; deprecated
  • WPA: TKIP (improved over WEP but legacy support)
  • WPA2: AES-based CCMP; current strong standard
  • WPA3: latest security; disallows outdated protocols; PMF support; adoption increasing
  • Enterprise vs Home authentication:
  • Personal (PSK) vs Enterprise (RADIUS with 802.1X and EAP)
  • Encryption methods and protocols: TKIP (legacy), AES/CCMP (preferred for WPA2), PMF in WPA3
  • WPA3 features: four modes (WPA3-Personal, WPA3-Enterprise, Open Networks, IoT onboarding)
• 5.4 Wireless Network Communication Summary
  • Packet Tracer exercises: configure basic wireless security with WPA2-Personal; troubleshoot wireless connections
  • Recap: 802.11 frames; CSMA/CA; centralized AP management via WLC; rogue AP threats; MiTM; authentication options; WPA versions; home vs enterprise authentication

1–5 Summary Notes (Cross-cutting themes)

• Attack surfaces and defense-in-depth: layer-by-layer protection, policy, education, patching, backups, and monitoring are critical

• Both technical and human factors drive security: awareness, proper configuration, and secure coding practices are essential

• Threats are dynamic: ongoing learning, intelligence sharing (IOC/IOA), and threat-hunting are important components of defense

• Key LaTeX notes for quick reference:

  • IPv4 vs IPv6 version fields in binary:
  • IPv4 version field: $0100$
  • IPv6 version field: $0110$
  • Maximum IP packet size: $65{,}535$ bytes
  • Common security protocol evolution: $WEP <br /> ightarrow WPA <br /> ightarrow WPA2 <br /> ightarrow WPA3$ with encryption types $RC4$ (WEP), $TKIP$ (WPA), and $AES/CCMP$ (WPA2/WPA3)
  • For HTTP status codes, the families are: $1xx, 2xx, 3xx, 4xx, 5xx$

• If you need a quick reference, use the section headers above to jump to specific module topics and drill into the detailed bullets under each heading.