Introduction to Cyber Security & Ethical Hacking
You’re sitting at your computer, and you read an article about a serious data breach or an attack on your country’s national infrastructure (cough Colonial Pipeline cough) and go “I didn’t know hackers could affect the real world!”.
From there, you get sucked into the world of cyber security, but it all becomes overwhelming with different terminology, and you constantly find conflicting information.
We’ve all been there at some point, and I aim to help you become familiar with the cyber security world so you can jump into the more exciting technical parts.
Introduction to Cyber Security
To start it all off, cybersecurity is kind of a buzzword and can simply be used to explain the concept of computer security or information security – all are essentially interchangeable and mean the same thing.
So, what is security? A good definition is provided by EC-Council which states:
Security is a state of well-being of information and infrastructures in which the possibility of successful yet undetected theft, tampering and disruption of information and services is kept low or tolerable
In more understandable terms, it means protecting information or services by minimising the risk of an attack via theft, tampering or disruption (e.g. DDoS) as much as possible or whatever the organization deems acceptable for their industry.
An example may be that a company handling personally identifiable information (PII) like payment info, medical info, address, name, and so on, might (and should!) take security much more seriously than a small blog ran by a single user (me).
However, don’t be mistaken. Total security protection from all risks is unrealistic and is not going to happen. There will always be risks involved when providing services through the internet. The whole goal of security is to reduce the likelihood of an attack happening as much possible.
One key acronym in cyber security used often is the CIA Triad – not that CIA. The CIA Triad is a security model that forms the basis for security. It stands for:
Confidentiality
Integrity
Availability
Confidentiality essentially means that only authorized individuals should see and access the required information like credit card details or National Insurance Number as examples.
Integrity ensures that information or data should be safeguarded from being tampered with or modified in any way either during transit or in storage. When accessed, the information should be complete and accurate. If you’ve ever downloaded a file and it has provided an MD5 hash for “checking the hash sum” once downloaded, that is an example of integrity as you are checking the data is exactly the same as the one being hosted for download.
Availability is the easiest of the three to understand. It simply means that when a legitimate user needs the information, it should be there. Essentially, the goal is to keep the systems, networks and devices up and running as much as possible.
Sadly, there is some terminology to understand before jumping into any technical details. Bear with me, I know it’s boring but it will help you in your future career.
The first term to be understand is an asset. An asset in terms of cyber security can be defined as:
Anything that has value to the organization, its business operations and its continuity.
Typically, three categories of assets can be identified. These are:
Information (intellectual property, personal information)
Physical (computer, building)
Software (applications used to manage, store, or process information)
Any damage to an asset has an impact on the business of the organization. If the damage is serious enough, the organization may never recover, either financially or reputation-wise.
Please note that damage does not just mean a hack – it could be physical theft of an employee’s laptop or even things like earthquakes or floods.
Next up, what is a threat? A threat can be defined as:
A potential cause of an incident that may result in harm to a system or organization
Easy way to remember is that it is something that CAN happen and if so, will cause unwanted consequences.
Simply put, any event or activity that has the potential to cause harm to the asset is a threat. Threats can be categorised into two main categories:
Accidental – human error, system failures, earthquakes, fires
Deliberate – intentional human error, hacking, theft, sabotage
Going even further, they can be divided again into:
External – threat arising from outside the organization
Internal – threat from within the organization like a disgruntled employee with access to confidential information, much more difficult to identify and can cause considerable damage
A vulnerability can be defined as:
A weakness of an asset that can be exploited by one or more threats
The main thing most people think of when the term vulnerability is thrown around is probably a weakness or flaw in software whether it be an app, a service or an OS. However, it can have many more definitions including but not limited to:
Design flaw
Lack of physical security (no CCTV, guards, sensors, fences, etc…)
Faulty mechanism
Humans (think social engineering or non-techy employees)
The impact can be defined as:
The result of an information security incident, caused by a threat, which affects an asset
If the impact is limited or insignificant, the risk is generally accepted. However, a high impact factor – like crucial intellectual property being stolen - indicates the need for security measures being taken.
Finally, a risk can be defined as:
The potential that a given threat will exploit vulnerabilities of an asset and thereby cause harm to an organization
It is typically a measure of the extent to which an asset is threatened by a potential circumstance or event. There are many calculations out there to work out the risk but I’ll leave that out for now (you didn’t come here to see calculations).
An example of risks could be a company having an internal database that could be found to be vulnerable to SQL injection but is only accessible via certain computers in the internal network – in this case, they might deem it an acceptable risk due to the difficulty of penetrating the network in the first place.
However, they might also have a ton of employees with access to confidential information and might see social engineering as a bigger risk that needs to be addressed via security awareness training. It varies from company to company.
Implementing Cyber Security
Now that cyber security itself has been discussed, how do we implement it into an organization? Well, a balance must be made between security and ease of use in an organization.
In an ideal world, the security professionals would have the highest level of security available, but this is simply not possible as it would mean the system would have little functionality besides being able to turn on and it would be difficult to use – not ideal for employees and business.
Think of this like a triangle with a dot in the middle. Each point indicates a different feature – security, functionality and usability:
If you move the dot in one direction, that feature gets more attention, but the others get less attention. Like above, if the dot moves towards security, the system gets more secure but loses functionality and usability – same goes for moving it anywhere (gain something, lose something).
Security should be directly proportional to the value of the asset being secured. For example, security within a military organization or an intelligence agency where the information inside could determine whether someone lives or dies MUST be stronger than that of an educational institution where there is less security needed.
The first step for an organization typically involves developing an Information Security (IS) framework which includes several areas including:
Use of policies
Standards
Procedures
Security incident management
The whole idea of the framework is to make sure everyone in the organization is aware and understands their requirements, roles and responsibilities to ensure security – security cannot exist unless everyone plays their part to achieve the level of security required.
The overall responsibility for protection the assets is given to one person (generally a senior manager) who is supported by a team whose job it is to ensure that everyone plays their part. In general, this is achieved by writing policies, standards and procedures which provide a set of guidelines for physical, procedural and technical security measures.
If you want to dive deeper into how this is achieved and the framework, feel free to as I will not cover it in detail here for the sake of simplicity.
Before going any further, we can discuss a little bit about physical security. What is physical security? Simply put, it involves the protection of assets from environments and man-made threats. It’s considered to be the first layer of protection in any reputable organization. It’s defined as:
Safety measures that deny unauthorized access to organisational assets, protect personnel and property from damage or harm
It aims to help:
Prevent any unauthorized access to system resources – protects info from unauthorized users and implements controls so that authorized users do not misuse the integrity and availability of the information
Prevent tampering/stealing of data from the computer systems – insiders could use a USB stick to steal information. The security team could deploy monitoring tools that trigger if an insider connects a USB or an external device to certain systems.
Safeguard against espionage, sabotage, damage or theft – companies deploy surveillance systems, alarm systems, guards and more to monitor and safeguard the organization’s assets. They could also implement biometric sensors or card readers for critical rooms or areas of the company site including server rooms, file areas, network closets, backup rooms, etc…
Protect personnel and prevent social engineering attacks – security guards and employees should periodically undertake physical security awareness training to protect from social engineering attacks and learn about things like shoulder surfing as an example.
Everyone has likely heard of a firewall at some point, but what is it? Contrary to its name, it is not a wall that is on fire to protect people from jumping over it. Instead, it is an appliance used to prevent intruders from accessing private resources in a network. They can generally be either network-based or host-based.
A network-based firewall protects the perimeter of a network (e.g., it sits between your network and the internet). If configured correctly, it only allows certain types of traffic inside the network and provides a similar function (but more lenient) for outward traffic going from inside to outside.
A host-based firewall protects a single device from unauthorized access (an example is Windows Firewall). Typically, most Windows OS versions will block ICMP packets (pings) from being processed by a device – if you’ve ever tried to ping a Windows device you know was up and didn’t get a response, this is probably why.
A network firewall is the very first line of defense, but it alone will not prevent attacks. The whole purpose of a firewall is to make it difficult for attackers to access their intended target. Some malicious users will stop an attack if they encounter a well-configured firewall. However, a determined attacker will find another way in, so don’t get too comfortable.
Typically, a firewall should be used in conjunction with other security measures like IDS or SIEM.
What are an IDS and SIEM? I’m glad you asked.
An IDS (Intrusion Detection System) is a software tool used to monitor and detect attacks. An IDS can be used to investigate and analyze both outside and inside users and their traffic. Most modern IDS’s will also have a way to intervene when an attack is detected rather than just providing detection – these are called IPS (Intrusion Prevention System) and simply put, they attempt to stop an attack in real-time.
A SIEM (Security Incident and Event Management) system is used to collect tons of log data from all network devices and applications – or anything else on the network that can feed information – in real time. SIEMs typically perform a variety of tasks including:
Monitoring and detection of events
Event correlation
Threat detection and security incident response activities
Forensic and post incident analysis
Auditing and regulatory compliance reporting
SIEMs will typically perform all of this in real-time and are most notably implemented in most SOC (Security Operations Center) environments to provide security by tracking suspicious end-user behaviour activities and correlation of events.
I will not got into detail about how they operate, but feel free to explore and learn about it if interested – highly encouraged in this field!
You’ve probably heard of access control before. Access control is a mechanism that attempts to ensure only legit users can access specific resources. It ideally covers both physical and virtual environments – physical access control will not be covered here but again, feel free to research it.
Access control relies on yet another acronym – AAA. Google tells us it stands for American Automobile Association but, in cyber security, it stands for three things:
Authentication
Authorization
Accounting
Authentication ensures the identity of someone is who they say they are. Usually, this is determined by a variety of methods including:
Something you know – password, PIN
Something you are – biometrics (fingerprint, facial features, eyes)
Something you have – ID card, key
As an example, you could attend a convention and at the front door, you could get asked for your name and tell them it’s Bob Smith. However, they might ask for proof that you are Bob Smith via a convention pass that has your name on it – this is authentication.
When one factor is used, it is known as “single-factor”. When two or more are used, it is known as “multi-factor” which you have probably seen (ever entered a password and then been asked for a security code?).
Once a user is authenticated, authorization happens.
Authorization determines which resources the user can access and which operations the user is allowed to perform. Think of an educational institution for example – typically when you sign on as a student, you cannot modify any important settings like network information or operating system settings as you are not authorized to do so.
It could simply be either accessing a file or directory on the local computer or something like assigning a user a certain allocated storage space on a network drive (going back to the educational institution example).
Finally, accounting refers to the tracking and logging of actions taken by an authenticated user. Some examples of things that can be recorded are:
What users do
What they access
How long the resource is accessed
Any changes made
Put it simply, accounting keeps track of how network resources are used.
There are typically different models of access control:
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role Based Access Control (RBAC)
A common example of DAC is in most OS where the user is permitted to decide how to protect the information and level of sharing desired. Access to a file is restricted to users and groups based on their identity and the groups they are part of – think Linux permissions as the simplest example.
A common example of MAC is implemented in Security-Enhanced Linux (SELinux) where the admin imposes the MAC. The end user does NOT have permissions to decide who can access information and cannot pass permissions on to other users.
A common example of RBAC is often implemented in large enterprises – think Active Directory. Access permissions are available based on access policies determined by the system and are outside of user control, ensuring all individuals have all privileges necessary to do their job.
Another security implementation should be Patch Management. This involves obtaining, testing and installing software patches in computer systems. If workstations are running outdated Windows or apps, security measures mean nothing.
Patch management essentially maintains current up-to-date software used in an organization. However, it is important that the patches are tested in a safe environment before being deployed to ensure that the patches do not render a system or network unstable or break the application.
System hardening refers to a process that aims to reduce the attack surface. This simply makes sure that a system performs a specific job and ONLY that job with no pointless services running (e.g. no web server software running on a workstation) while also making sure it’s fully patched and checked regularly.
The tasks needed to harden a system vary according to:
The job the system performs
The OS being used
The IS policy used
You may have also heard of something called “Defense in Depth” – this is a concept that makes sure that several layers of defense exist, so if one layer is breached, another is in the way.
No organization should be complacent and have only one method of defense. The key is to ensure several and differentiated layers or defense – each layer should provide a different challenge. In general terms, defense in depth is a strategy that aims at ensuring an attacker is detected before it can do some damage.
Finally, some more “fun” terminology to learn about. The first is Digital Forensics.
Digital Forensics is often used in response to incidents. If an attack occurs or a crime is committed, digital evidence may be collected. Digital forensics uses tools and procedures which allow for identification, collection, analysis and examination of data in a forensically sound manner.
Lastly, Penetration Testing is probably the most “fun” to a lot of you and is what you think of when you think of cyber security. Penetration Testing is the act of attacking a computer or a network with the purpose of rendering those systems more secure. The end goal is to identify vulnerabilities which could be exploited by a malicious attacker. It involves many steps including:
Reconnaissance – information gathering about the target (hostnames, IP addresses). Public resources like social networks and Google are used to gather information.
Scanning – process of probing a network to identify live hosts, their open pots, running services and vulnerabilities that could be present on the system or services.
Exploitation – phase where the attack takes place against the target using the previous knowledge gained
Maintaining access – often, exploitation provides temporary access to a system. Attackers will likely want more persistent access to a system which is this step.
Speaking of Penetration Testing, let’s dive into more detail about the exciting side of cyber security and leave the business and boring terminology aside.
Ethical Hacking Principles
Before diving into the technical aspects, a good hacker needs to have a few things to be successful in this industry. These include:
An understanding of how computer systems work
Be persistent
Have access to tools to exploit weaknesses
All this talk of hacking and hackers, but what actually IS a hacker? Unfortunately, the modern definition of a hacker has quite a negative connotation meaning:
An individual who used their capabilities to attack computer systems with malicious intent & without permission
So, if you ever tell your family or friends you want to be a hacker and they give you a weird look, it’s probably because of this definition.
However, originally “hacker” simply referred to a person who was intellectually curious, enjoyed understanding the internal working of systems and wanted to stretch their capabilities.
In simpler terms, they simply used technology or things in a way they were not designed to be used for the purpose of gaining a better understanding of how things operated – no malicious intent.
The term hacking on its own typically is defined as the unauthorized use of computer resources.
Knowing what hacking is, you can probably work out what “ethical hacking” is.
Ethical Hacking is the practice of employing computer and network skills to assist organizations in testing their network security for loopholes or vulnerabilities. Nowadays, most organizations will hire Ethical Hackers to assist them in enhancing their security.
An Ethical Hacker is simply a security professional who applies their hacking skills to perform security tests and attacks to determine vulnerabilities in a system or network. They have explicit permission from the company to perform these hacking tests so it is not illegal and they have no intention to cause harm.
At the end of a security test (known as a penetration test), they report all the vulnerabilities found for remediation so the company can increase security against real malicious hackers.
An ethical hacker typically has the following skills:
Hands on security skills
Practical understanding of the malicious hacker mentality
Understanding of corrective measures to be applied
An understanding of the law
It is important to know that an ethical hacker performs the same activities as a malicious hacker does, but the difference can be expressed in three important points:
Authorization – do they have permission to do it?
Motivation – they help secure the organization
Intent – no malicious intent
Three questions should try and be answered by an ethical hacker during a penetration test:
What can an attacker see on the target system?
What can an attacker do with that information?
What are the signs of an attackers attempts or successes?
What is important to remember is that an ethical hacker MUST have both the permission and knowledge of the organization they are working for. Before a penetration test or assessment takes place, an agreement must state the Terms of Engagement under which the individual can interact with the network.
It can specify a variety of things including:
Desired code of conduct
Procedures to be followed
Nature of interaction between testers and the network
It is essential to have a formal approval. It is vital to get a signed agreement with the client in the form of a document outlining:
Scope of work – what is being tested
Nondisclosure agreement – ensure privacy of confidential information
Liability release – protects you from any actions or disruptions cause (get out of jail free card)
The project scope essentially determines the specific scope of the assessment and decides if the test is a targeted test – what is to be tested and what is not – or a comprehensive assessment – uncovering as many vulnerabilities as possible.
A targeted test aims to identify vulnerabilities in specific systems and practices. A comprehensive assessment is a coordinated effect to uncover as many vulnerabilities as possible in the network.
Hackers, in general, are typically divided into three general classes:
Black Hat – use their skills for illegal and malicious intent
White Hat – use their abilities to explore and increase security of information systems and defend them
Grey Hat – release information about security holes to public but do so indiscriminately and without regard for consequences
As mentioned briefly earlier, another term for ethical hacking is penetration testing which is an assessment of the security posture of an organization. There are two types of penetration tests:
External Assessment – conducted from outside the network perimeter, test and analyzes publicly available information
Internal Assessment – performed on the network from within the company
Each type simulates an attacker with different knowledge about the target:
Black Box – malicious outside hacker, no information or assistance from client
White Box – security tester has complete knowledge of the network infrastructure
Gray Box – partial knowledge of the system relevant to a specific type of attack by an internal attacker
Hacking can go deeper which the introduction of Red Teams, Blue Teams and Purple Teams.
With Red Teaming, it is similar to pen testing but much more targeted. The main objective is NOT finding as many vulnerabilities as possible, but to test the organization’s detection and response capabilities using those vulnerabilities.
Red Teams try and get in and access sensitive information in any way and as quiet as possible. They emulate actions of malicious hackers and look to avoid detection.
Red Team assessments are normally much longer than traditional penetration tests – typically lasting 3-4 weeks or even a couple of months depending on the complexity. Additionally, they also consist of several people with different skills and usually only performed in companies that have mature security and perform pen tests regularly.
On the other hand, the Blue Team is a group of people that carry out defense activities, ensuring that effective security controls are deployed in an organization. They attempt to detect intrusions and, if one is detected, tasks are carried out in response including forensic analysis of affected machines, traceability of attack vectors, solution proposals, and establishment of detection methods for future cases.
They defend against both real attackers and Red Teams.
Now I hear you asking: Do they work together? Is it possible to combine the teams into one single team? The answer is yes.
Many organizations have Blue and Red Teams separated. In this scenario, there is NO continuous feedback between the two teams – this is where Purple Team comes in.
Purple Teams are a group of people that perform Red and Blue teaming capabilities working closely together to improve their cyber capabilities through continuous feedback and knowledge transfer.
Purple Teaming can help security teams improve their effectiveness of vulnerability detection, threat hunting, and network monitoring by accurately simulating common threat scenarios and facilitating the creation of new techniques designed to prevent and detect new types of threats.
Previously, we covered 4 steps of a Penetration Test. However, many penetration methodologies exist so there are more than 4 steps. The reason I am using 4 steps here is to simplify it and highlight what are the key steps in an engagement. As discussed, the four steps were:
Reconnaissance
Scanning
Exploitation
Retaining Access
Reconnaissance refers to the preparation phase that both passively (no interaction with target) and actively (interaction with target) gathers information on the target. Discovery of information includes:
Individual hosts
IP addresses
IP address ranges
Naming conventions
Hidden servers or networks
Services on the network
This phase is highly important and takes up the majority of your test – estimate 80-90% of an attack is recon.
The scanning phase is a pre-attack phase that focuses on using the information discovered during reconnaissance to examine the network. It refers to the activity of identifying live hosts, open ports, running services and vulnerabilities.
Essentially, scanning is finding more detailed information that can help prepare an attack.
Exploitation is often focused on gaining access to a system. Vulnerabilities found during the previous phases are exploited to gain access. Some example attacks include stack-based buffer overflows, SQL injection and session hijacking.
The last phase is Retaining Access. Once an attacker has access, the aim is to maintain access for future exploitation and attacks. Sometimes, this involves hardening the system and securing future access with the installation of malware.
To ensure the success of this phase, an attacker would try and clear all tracks left during the attack (logs, files, etc..).
During all of this, it is essential that a log is maintained of all the activities undertaken including screenshots, the results of the activities or lack of results from an activity. The log should also be time-stamped and communicated to the concerned person within the organization.
In any case, the main end deliverable of a penetration test is a report that details incidents occurred during testing and any activities undertaken.
A final report should always include the following sections:
Executive Summary – summarise objectives and findings (non-technical)
Areas Covered – objectives, observations, activities, incidents
Summary of recommended remediations
List, analysis, explanation and conclusion of findings (highest risk first)
Supporting evidence – log files from tools and screenshots
Positive findings or good security implementations
Conclusion
I hope this was an interesting read and you learned a lot about the industry and its specifics. I know it can be quite boring at times especially with the terminology and business side, but it is incredibly important to not just know the technical details of the job but also how to turn that technical aspect into a deliverable, non-technical format so that investors and C-level executives can understand the security problems within their organization.
On the bright side, now that you’ve learnt all this stuff, you are free to have fun and start diving into the technical side of things. Go and break some machines! (legally of course).
