This article explains the general idea of cybersecurity. It is a collection of notes I have gathered online and is freely available to read.

Terminology:

• Cybersecurity: The study of information security policy. It is the way to protect people from harmful attacks online.
• Authorization: The process of verifying what a person has access to.
• Authentication: The process of verifying the person's identity.
• Cyberspace: An environment where anything digital takes place. It is a word that serves as a contrast to "in real life". We use "internet" to represent ourselves in "cyberspace".
• Internet: A service provided by Internet Service Providers that involve the use of TCP/IP protocol suite. We use "internet" to stay online in the "cyberspace".
• Vulnerability: A flaw in a system that could be exploited to compromise the system.
• Zero-day Vulnerability: A flaw in a system not known to software developers but known to attackers (i.e. STUXNET and Log4Shell).
• Exploit: It is the software in the system used to take advantage of a security bug or vulnerability.
• Malware: "Bad" software running on a computer for malicious purposes. Examples include viruses, trojans, ransomware, worms, rootkits etc.

Introduction

CIA Triad

In the world of cybersecurity, it is important to contain information within reasonable limits on the internet.

There are three ways to ensure this:

• Confidentiality: Only a specific group or person is authorized for data access (i.e. using password or biometrics)
• Integrity: Keeping data accurate and not compromised or tampered with. It must remain trustworthy and unchanged unless modified by authorized users.
• Availability: Data is readily accessible for public or private use.

Together, they form what is called the "CIA triad". It is the guiding model for designing information security policies.

The Three Types of Software

When users start interacting with computers and the internet, they may notice three different types of software: goodware, grayware, and malware.

Type	Characteristics	Examples
Goodware	Obtained from trustworthy source	Official OS updates or vendor-signed programs
Grayware	Software that is not outright malicious but may have unwanted features	Potentially unwated programs (PUAs), bloatware, adware, spyware
Malware	Software that is made to cause harm to its recipient	Virus, Trojan, Worm

Note: You may find "spyware", "adware", and "trackware" in the "grayware" category. Depending on the true intent of the hacker or developer, both "adware" and "spyware" are often malicious by nature. Therefore, it's better to consider them as "malware" instead

Hats

The word "hacker" is often misunderstood. Although it colloquially implies a bad-actor in the cyberspace, it is more nuanced.

As we see in this picture, every type of hacker has different responsibilities. The colours for ethics are "white", "gray", and "black":

• Black: Hackers that commit illegal acts ("the bad guy"). i.e. steal personal information/money, destroy IT infrastructure, commit fraud etc.
• Gray: Hackers that commit illegal acts but without malicious intent. i.e. exploit security flaws without permission, but report them afterward.
• White: Hackers that commit legal and ethical acts ("the good guy"). i.e. They are altruistic and care about people's privacy and dignity.

Specialized hackers ones include:

• Red: Hackers that specialize in offensive security.
  • They're often perceived as people who simulate or commit aggressive attacks for ideological purposes. They also prevent and punish crimes without a police warrant. (Hence, "vigilantes").
  • Groups infamous for red hat hacking include Anonymous, SiegedSec, and others.
• Blue:
  • Hackers that specialize in defensive security.
    • They are recruited by companies to defend IT infrastructure with the sole purpose of protecting, patching, monitoring etc.
  • OR... Hackers that seek vengeance for retribution.
    • They are disgruntled people that believe their target is in the wrong. The do not do it for money, they do it out of spite to enact personal retribution or social justice.
• Purple: Hackers that self-teach and experiment their IT infrastructure.
  • They like to combine the best of blue and red hat hacking techniques to push the limits of IT security.
• Green: Hackers that are relatively new to the field of cybersecurity. They are committed to learn and improve their IT skills.
• Script Kiddies: Hackers that do not like to learn and wish to find shortcuts and commit malicious acts.

Malware

"Malware" is a type of program made by bad actors designed to cause harm or exploit computer systems or devices. It is a portmanteau of "malicious software".

Malware is categorized by their penetration (infection) and payload (behaviour). They can do one or multiple things and can overwrite system files, damage booting processes, encrypt sensitive files, steal personal information, etc.

Hackers usually incorporate some or all of the characteristics above based on the following multiple categories in their malicious code.

Important: Cybersecurity textbooks or articles like to describe how there are different "types" of malware. The thing is, a certain malicious program can be a virus (by penetration), a trojan (by payload), and a spyware (by payload) all at the same time. It is very common to find overlapping features based on how malwares penetrate systems, how they hide, and how they behave. It is better to think of the following list as labels or functions rather than mutually exclusive "types".

The three main categories are:

• Virus: Malware that replicates itself by infecting an executable file.
  • It almost always attaches itself to an executable file.
  • It requires the user or a host program to trigger it.
• Worms: Malware that can self-replicate on its own.
  • Like viruses, it also spreads itself to other computers.
  • Unlike a virus, it does not involve user interaction at all.
• Trojans (a.k.a Trojan Horse): Malware that misleads users its true intent.
  • A stand-alone malware disguised as a legitimate software and acts as a cover for hidden actions.
  • Unlike viruses and worms, they do not self-replicate.

This table gives a clearer picture:

Parameter	Virus	Worms	Trojans
Main target	Attacks the files in the system	Attacks the systems in a network	Attacks the users in a system
Replication	Yes	Yes	No
User Interaction	Yes	No	Yes
Reproducibility	Reproduce by infecting other files	Reproduce by itself	None
Impact/Payload	File corruption, system instability	Network slowdown, system crash, delivery of other malware (e.g. Trojan)	Stealing data, providing Remote Access Trojan (RAT), or delivering ransomware

A few more examples include:

• Spyware: Malware that strictly spies people. It includes keylogging, unauthorized camera/microphone access, logging activities, location tracking etc.
• Rootkit: Malware specifically designed to corrupt operating system functionality.
• RAT (Remote-access Trojan): A more sophisticated trojan that enables attackers to establish a covert/hidden communication channel (backdoor) for complete unauthorized computer access.
• Adware: Malware/Grayware that presents unwanted ads. It can be in the form of too many irritant pop-up windows.
• Ransomware: Malware that encrypts user data and extracts ransom from the user. If the ransom is not met, the computer becomes compromised.

Other programs involving malware include:

• Keylogger: Logs all the keysstrokes users enter with their keyboards.
• Bot: A software application that automatically performs one or multiple tasks. Bots that are distributed on the network form a botnet (portmanteau of "bot" and "net").
• Logic bomb: A set of instructions in a program that carries malware (i.e. malware or worm) only after certain conditions are met.

That's great and all, but how can we report and graph out malware attacks? If an incident occurs that failed to maintain and protect the company's IT infrastrcuture, what are the ways to prevent it from happening again?

Cybersecurity Frameworks

As computer security needs were becoming more demanding in the early days of computing, it became necessary to report and share incident findings via a standard framework.

One of the most popular one is a study made by Lockheed Martin Corporation to find definite patterns of malware penetrating inside a computer or system. They have formulated a model and The Cyber Kill Chain was created for referential use.

Cyber Kill Chain (CKC) is a strategic framework that provides a systematic understanding for understanding and mitigating cyber threats:

Note: This model is not the sole standard way to track down the stages of a cyberattack. It is only there as a reference and assumes the attacks are linear (they often loop, skip, or overlap stages)

1. Reconnaissance: Find/recognize the target ("casing the joint")
2. Weaponization: Create a malicious payload (code) exploiting a known vulnerability.
3. Delivery: Transmit the weapon to the target (e.g., email attachment, malicious link, USB drive).
4. Exploitation: Trigger the malicious code to take advantage of the vulnerability.
5. Installation: Install malware or a backdoor on the compromised system.
6. Command and Control: Establish communication between the compromised system and the attacker.
7. Action on Objectives: Carry out the attacker’s goals (data theft, sabotage, etc.).

This is just one of the many frameworks. Other popular frameworks include:

• Diamond Model
• MITRE ATT&CK
• Unified Kill Chain (UKC) (Combination of CKC and MITRE ATT&CK)

We are not going to focus on these frameworks in detail as they are beyond the scope for an introductory cybersecurity article. It's good however to be aware of their existence.

Network Attacks

As we come back into cyberattacks, they are not limited to malware infecting computers. Exploiting vulnerable networking infrastructure can be just as bad as Operating System level attacks.

They include:

DNS Cache Poisoning:

Note: It goes by various names: "DNS hijacking", "DNS (cache) poisoning", or "DNS redirection".

DNS cache poisoning is a cyberattack that involves by tricking a DNS server into accepting a fake DNS record. It works by pointing the user into a compromised DNS server which can affect multiple networks at a large scale. Its end result is to achieve "DNS Spoofing".

So, if the user tries to access a legitimate site, it will redirect to a fake version of the said site ("spoofed"). The attacker can then attempt to steal personal information (spyware) and can also infect the computer via user installation with a trojan or a virus.

1. Attacker injects fake DNS entry.
2. User issues a request (HTTP GET) to a real website.
3. Request resolves to a fake website.
4. "Spoof" the user and compromise their computer with social engineering.

Man in the Middle

A Man in the Middle (MitM) is a cyberattack that involves the attacker secretly intercepting and relaying communication between two hosts while they're communicating directly with each another. The attacker will monitor any information going to and from two hosts and modify their payload.

MitM will involve the following methods:

• Use fake access points: Attackers create passwordless Wi-Fi access points with names similar to legitimate ones. If victims unwillingly connect to these, all their online traffic will pass through the attackers' device.
• ARP spoofing (ARP poisoning): Attackers broadcast over the local network the mapping between the IP address of a legitimate device and the MAC address of their own device. This is possible only when the perpetrators have access to the victim's local network.
• DNS spoofing (DNS poisoning): MitM attack can involve changing the DNS cache on a vulnerable DNS server (i.e. a router with DNS cache or a DNS server). The end result is the user being directed to a malicious copy of a website that is indistinguishable from the original.
• URL Spoofing: Like DNS poisoning, but involves the use of Unicode characters (Homograph attacks), very long URLs (URL Padding), or embedding the target domain to trick users and directing them into a malicious copy indistinguishable from the original.