Comprehensive Notes on Cyber Security, Digital Forensics, and Ethical Hacking

Layer 2 Devices

• Operate at the data link layer of the OSI model.
• Examples: network switches and bridges.
• Handle data transfer within the same network segment.
• Use MAC addresses to manage traffic within a local network.
• Enhancing Security:
  • Implement VLANs (Virtual Local Area Networks) to segment network traffic and reduce the risk of broadcast storms.
  • Use port security to limit the MAC addresses allowed on specific ports, preventing unauthorized access.

Layer 3 Devices

• Operate at the network layer of the OSI model.
• Examples: Routers.
• Manage traffic between different networks.
• Direct data packets based on IP addresses.
• Enhancing Security:
  • Use Access Control Lists (ACLs) to filter incoming and outgoing traffic, ensuring only authorized data is allowed through.
  • Secure router configurations with strong passwords and disable unused services.

Devices Used to Access Network Resources and Their Logical Addressing

• PCs and Smartphones:
  • Use IP addresses to access network resources like websites and cloud services.
• Servers:
  • Also use IP addresses, often static, to provide resources such as websites and databases to clients.
• Protection Technology:
  • Firewall: Monitors and controls incoming and outgoing network traffic based on predetermined security rules, blocking unauthorized access while permitting outward communication.

Physical and Logical Addresses

• Physical Address:
  • MAC address, unique to each network interface card (NIC).
  • Used within local network environments.
  • Consists of a 48-bit number, usually displayed in hexadecimal format (e.g., 00:1A:2B:3C:4D:5E).
• Logical Address:
  • IP address, assigned at the network layer for devices to communicate over an IP network.
  • Can be IPv4 (32 bits, e.g., 192.168.1.1) or IPv6 (128 bits, e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334).
• Protocol for Identifying Physical Address:
  • ARP (Address Resolution Protocol): Resolves the IP address (logical address) to its corresponding MAC address (physical address).

Digital Forensics - Digital Evidence

• Besides physical hardware such as computers and mobile devices, digital evidence can also be found in:
  • Cloud storage services (e.g., Google Drive, iCloud).
  • Email servers and email accounts.
  • Social media accounts.
  • Online forums and messaging apps.
  • Network logs and security devices (e.g., firewalls, intrusion detection systems).
  • Internet browsing history and cookies.

Digital Forensics - Guidelines and principles for collecting Digital Evidence in the UK

• In the UK, the collection of digital evidence should adhere to guidelines such as those provided by the Association of Chief Police Officers (ACPO).
  • Principle 1: No action should change data held on a computer or storage media which may be subsequently relied upon in court.
  • Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent and able to give evidence explaining the relevance and the implications of their actions.
  • Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
  • Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

Digital Forensics - Volatile and Non-Volatile Information

• Volatile Information:
  • Data that is temporarily stored and lost when the device is powered down or rebooted.
  • Examples: data held in RAM (Random Access Memory) or cache memory.
  • Crucial in forensic investigations because it can contain details about system state, running processes, network connections, and logged-in users at the time of the incident.
• Non-Volatile Information:
  • Data that remains stored and intact even when the device is turned off.
  • Examples: data stored on hard drives, SSDs (Solid State Drives), USB flash drives, and other forms of permanent storage.
  • Fundamental in forensics for analyzing stored data that can give insights into user actions, stored documents, installed applications, and more.
• Collecting and analyzing both types of information are critical in digital forensics to reconstruct events or actions on digital devices.

Digital Forensics - Chain of Custody form

• A Chain of Custody form should include:
  • Description of the evidence: What the item is, including any serial numbers or unique identifiers.
  • Date and time of collection: When the evidence was collected.
  • Location of collection: Where the evidence was collected from.
  • Collected by: The name and signature of the person who collected the evidence.
  • Custodial movements: Detailed tracking of who has handled the evidence, including dates, times, and purposes of transfers.

Digital Forensics - Legislation

• Current legislation affecting digital forensics in the UK:
  • The Data Protection Act 2018: Governs the processing of personal data and is aligned with the GDPR. It's crucial for ensuring that digital evidence is handled legally and ethically.
  • The Computer Misuse Act 1990: Defines offenses related to unauthorized access to computer materials, unauthorized access with intent to commit or facilitate the commission of further offenses, and unauthorized modification of computer material.
• These guidelines and legal frameworks ensure that digital evidence is collected, preserved, and analysed in a manner that maintains its integrity and admissibility in court proceedings

Digital Forensics - Security Breach Investigation

• Scenario: A company has recently experienced a security breach.
• Steps for the Digital Forensics Team:
  1. Initial Assessment:
     • Determine the scope of the breach, including which servers, systems, or data were compromised.
     • Establish a timeline of events to understand when the breach occurred and how long the hacker had access.
  2. Preservation of Evidence:
     • Immediately secure and isolate affected systems to prevent further damage.
     • Make digital copies of logs, databases, and affected systems. Preserve all logs, especially access and audit logs.
  3. Detailed Analysis:
     • Analyse system logs, firewall logs, and intrusion detection system logs to identify any unusual activity or access patterns.
     • Check email servers and phishing filters for signs of spear-phishing or other social engineering attacks.
     • Utilize data recovery techniques to understand what data was accessed or downloaded.
  4. Containment and Eradication:
     • Remove any backdoors, malware, or other tools installed by the hacker.
     • Patch known vulnerabilities and reset passwords with strong, unique alternatives across the board.
  5. Recovery:
     • Restore systems from clean backups.
     • Monitor systems for signs of renewed attack.
  6. Reporting and Compliance:
     • Document every step taken and decision made during the investigation for both internal records and compliance with legal or regulatory standards.
     • Notify affected customers and stakeholders, adhering to data breach notification laws.
  7. Review and Update Security Policies:
     • Update incident response and disaster recovery plans based on lessons learned.
     • Improve security training and awareness programs for employees.
• Preventative Measures:
  1. Regular Security Audits and Penetration Testing:
     • Employ ethical hackers to identify vulnerabilities before malicious actors do.
     • Conduct regular security assessments, including vulnerability scans and penetration tests.
  2. Enhanced User Training:
     • Regular training sessions for employees on recognizing phishing attempts and other common cyber threats.
     • Implement a clear policy for handling suspicious emails and links.
  3. Implement Advanced Security Tools:
     • Deploy advanced malware protection and intrusion detection systems.
     • Utilize security information and event management (SIEM) systems to correlate and analyse logs in real time.
  4. Use Multi-Factor Authentication (MFA):
     • Enforce MFA across all systems, particularly for remote access and admin accounts.
  5. Regular Software Updates:
     • Keep all software, especially operating systems and applications, up to date with the latest security patches.
• Role of an Ethical Hacker:
  • Ethical hackers are employed to identify and help remediate vulnerabilities in systems.
  • Conducting penetration tests to exploit weaknesses in security (e.g., testing the strength of perimeter defenses, the effectiveness of endpoints security, and the potential for insider threats).
  • Simulating phishing attacks to test employee susceptibility and the effectiveness of security protocols.
  • Recommending security enhancements and best practices based on the vulnerabilities they find.
• Networking Fundamentals to Review:
  1. Network Segmentation and Isolation:
     • Divide the network into segments to limit the spread of breaches and to control access more effectively.
  2. Firewall Configuration and Management:
     • Ensure firewalls are properly configured to block unauthorized access and to enforce network policies.
  3. Access Controls:
     • Review and enforce least privilege principles on all systems to minimize potential damage from a breach.
  4. Regular Network Monitoring and Analysis:
     • Monitor network traffic and behavior to quickly identify and respond to suspicious activity.

Digital Forensics - Security Breach Investigation - Financial Institution

• Scenario: A large financial institution has recently experienced a security breach.
• Steps for the Cybersecurity Team to Investigate the Breach:
  1. Incident Identification and Assessment:
     • Quickly ascertain the extent of the breach, identifying which data, systems, and network segments were compromised.
     • Collect and secure digital evidence such as logs (access logs, firewall logs, application logs) and artifacts from breached systems without tampering with potential evidence.
  2. Containment Strategy:
     • Short-term containment: Isolate affected systems to prevent further data loss or damage. Disconnect or shut down compromised systems if necessary.
     • Long-term containment: Identify and close the entry points used by the attackers to prevent re-entry.
  3. Eradication and Recovery:
     • Eradicate threats by removing malware, disabling breached accounts, and fixing vulnerabilities.
     • Implement recovery procedures to bring affected systems back online safely, ensuring no remnants of the attack remain.
  4. Forensic Analysis:
     • Conduct a thorough forensic analysis to understand how the breach occurred, the pathway taken by the attackers, and the data accessed or stolen.
     • Use this information to refine threat models and improve security posture.
  5. Post-Incident Activity:
     • Review and revise incident response protocols and recovery processes based on what was learned.
     • Provide detailed documentation and reports for regulatory compliance and for use in potential legal actions.
     • Notify affected customers and regulatory bodies as required by law.
• Preventative Measures:
  1. Regular Penetration Testing and Security Audits:
     • Engage ethical hackers to perform targeted attacks on systems to uncover vulnerabilities.
     • Conduct comprehensive security audits regularly to assess the security landscape and implement necessary improvements.
  2. Employee Training and Awareness Programs:
     • Regular training on recognizing spear-phishing and other social engineering attacks.
     • Simulated phishing exercises to keep staff vigilant.
  3. Robust Access Controls:
     • Implement strict access control policies using the principle of least privilege.
     • Use multi-factor authentication (MFA) for accessing sensitive systems and data.
  4. Advanced Threat Detection Technologies:
     • Deploy intrusion detection systems (IDS), intrusion prevention systems (IPS), and real-time threat detection solutions.
     • Utilize security information and event management (SIEM) systems for monitoring and analyzing security alerts.
• Role of an Ethical Hacker:
  • Vulnerability Assessment and Penetration Testing (VAPT): Identify and exploit vulnerabilities in the network, applications, and other IT resources to determine where unauthorized access or other malicious activities could occur.
  • Security System Audits: Regular audits of security systems and processes to ensure they are robust and have not been compromised.
  • Training and Simulation: Provide real-world attack simulations to train the IT security team on rapid response and remediation techniques.
• Networking and Data Security Measures:
  1. Network Segmentation and Monitoring:
     • Segment networks to limit lateral movement by attackers. Use firewalls and zero trust models to rigorously enforce access controls.
     • Continuous monitoring of network traffic to detect and respond to unusual activities quickly.
  2. Data Encryption:
     • Encrypt sensitive data both at rest and in transit to ensure that even if data is intercepted, it remains protected.
     • Implement strong encryption protocols like AES-256 for data storage and TLS for data in transit.
  3. Regular Updates and Patch Management:
     • Ensure that all software, particularly operating systems and applications, are up- to-date with the latest security patches.
     • Automate patch management processes to reduce the window of exposure to known vulnerabilities.
  4. Backup and Disaster Recovery:
     • Regularly backup critical data and implement a robust disaster recovery plan to minimize data loss and downtime in the event of a breach.

Digital Forensics - Security Breach Investigation - Online Retail

• Scenario: You work for a small online retailer that specializes in handmade jewelry.
  1. Identify the Problem: Find out what data was stolen and stop any ongoing unauthorized access.
  2. Digital Forensics: Use digital forensics to figure out how the breach happened. Preserve all logs and evidence
  3. Fix the Issues: Remove any threats and secure your systems. Such as malware unauthorized access points. Restore data from backups if necessary and ensure all systems are clean before bringing them back online.
• Improve Cybersecurity
  1. Update Systems: Make sure all software is up to date to avoid vulnerabilities.
  2. Train Employees: Educate your team on recognizing phishing emails and practicing good password hygiene.
  3. Secure Data: Use encryption for customer data and employ robust cybersecurity tools like firewalls.
• Restore Customer Confidence
  1. Communicate Openly: Tell your customers what happened, what you've done about it, and how you plan to protect their data in the future.
  2. Support Affected Customers: Offer help to prevent identity theft, such as credit monitoring.
  3. Stay Transparent: Keep customers informed about new security measures.
• Legal and Technical Aspects
  • UK Legislation (GDPR): Follow GDPR guidelines by reporting the breach to authorities and notifying affected customers.
  • Ethical Hacking: Hire experts to test your defences and find weak spots.
  • Networking and Security: Strengthen your network security and regularly monitor for threats.
  • Data Security: Enhancing data security practices such as encryption, secure data storage, and robust access controls are essential to protect sensitive customer information.
  • Digital Forensics: Plays a critical role in investigating the breach, understanding how the breach occurred, and in ensuring that all traces of the attackers are removed from the network.

Ethical Hacking - Reconnaissance

• Two Main Types of Reconnaissance:

  • Passive Reconnaissance: Gathering information without directly interacting with the target system. This method is discreet and aims to avoid detection.
  • Active Reconnaissance: Involves interacting directly with the target system to gather data. This could be detected by the target's security systems.

• Techniques in Passive Reconnaissance:

  • Google Dorking: Utilizing advanced Google search operators to find specific information about the target that is inadvertently exposed online.

    • Tool: Google Search
    • Usage: Type site:targetdomain.com filetype:pdf to find pdf files on a specific domain.

  • Whois Lookup: Gathering domain registration details including the domain owner and associated contacts.

    • Tool: WHOIS command-line tool or websites like whois.domaintools.com.
    • Usage: Enter whois targetdomain.com in the command line to retrieve information about the domain.

• Exploitation Stage Legal Risks:

  • Legislation: By exploiting vulnerabilities in a server you're not authorized to access, you could be violating the Computer Misuse Act 1990 in the UK.
  • Potential Outcome: This could lead to criminal charges, resulting in fines or imprisonment depending on the severity of the breach and the data accessed.

• Countermeasures to Mitigate Cyber-attacks:

  • Regular Security Audits and Penetration Testing: Ensures vulnerabilities are identified and fixed before they can be exploited by attackers. Reason: Keeps the security measures up to date and effective.
  • Employee Training: Conduct regular training sessions on cybersecurity awareness, phishing, and other common threats. Reason: Most breaches exploit human errors or lack of awareness.
  • Update and Patch Management: Regular updates to software and systems to patch known vulnerabilities. Reason: Prevents attackers from exploiting known issues.
  • Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring multiple methods of verification. Reason: Makes unauthorized access much harder.
  • Backup and Disaster Recovery Plans: Maintain regular backups and have a clear plan for data recovery in case of a breach. Reason: Minimizes data loss and downtime during and after a cyber incident.