Hackers (1995) - “The Plague: There is no right and wrong. There's only fun and boring.”
In recent days, I had the opportunity to take an introductory course in cybersecurity.
This text is an extract from what I studied in these past few days, and I believe these are basic pieces of information that provide a spark for those who are interested in the subject. It should be sufficient to give you some understanding of cybersecurity.
I have included some links among the topics that I found useful for anyone interested in exploring the subject further.
1 - BASICS
1.1 - Network Topology
Computer Network is the way computers (and other components) are connected, forming a structure.
There are various forms of network topology, but the most important ones for us at this moment are:
1.1.1 - Bus
Each computer is connected to the network uniquely and sequentially, Node 1, Node 2, Node 3, and so on. It is the simplest and cheapest to implement, but if any of the nodes fail, the entire system can be compromised, and security possibilities are limited.
1.1.2 - Ring
In addition to being connected to the subsequent device, the computer is also connected to the preceding device. Thus, the connection is made at both ends. With this dual connection, data transfer is faster. However, if one of the nodes fails, the entire internal system will collapse. This topology is also considered less secure compared to others.
1.1.3 - Star
The star connection involves a HUB that is connected to four other devices. In other words, the four devices are dependent on the HUB; if the HUB fails, all the others will also fail. Despite this, if one of the four devices goes down, the system remains stable since the "brain of the connection" is the HUB.
1.1.4 - Mesh
All network devices are connected through dedicated channels. Although it is very robust and fast, its main drawback is the cost of this structure.
1.2 - Types of Network
Regardless of the network topology, there are types of networks that are divided based on their area of operation, known as LAN, MAN, and WAN. In addition to these, there are networks focused on data transfer between storage devices called SAN (Storage Area Network) and the virtual LAN, VLAN.
1.2.1 - LAN (Local Area Network)
It's the simplest network, the Local Area Network (LAN). Typically, it's a group of devices that share the same server. Usually limited to a short distance, typically less than 10 km, a LAN can be a simple structure such as a house, a small business, a shop, or the devices connected to these structures.
1.2.2 - MAN (Metropolitan Area Network)
It follows the same idea as LAN but on a larger scale, Metropolitan Area Network. An example is the network infrastructure of a university, where different campuses are connected to the same network, even if they are located at various points in the city.
1.2.3 - WAN (Wide Area Network)
Expanding on this concept, we have the Wide Area Network, which is a large-scale geographical network encompassing a country, continent, or even the entire world. An example is a large car manufacturer that connects all its factories spread across the globe to the same network, along with its stores, workshops, and more. WAN encompasses both MAN and LAN networks.
1.2.4 - SAN (Storage Area Network)
Unlike the previous types, SAN focuses on the rapid transfer of information between storage devices. It's a modern approach to maintaining servers, where information is transferred between devices at high speeds. What distinguishes SAN is its specific structure, including types of hosts, switches, and storage. It can be used locally, in servers, or in the cloud.
1.2.5 - VLAN (Virtual LAN)
It is similar to LAN but implemented in a virtual manner, where devices communicate with each other in a virtual environment.
1.3 - Protocols
For communication between devices to exist, rules for the transmission and reception of data packets need to be in place. Although there are various protocols, the most commonly used one is TCP/IP, which is an evolution of the OSI model.
1.3.1 - OSI (Open Systems Interconnection)
The OSI model characterizes and standardizes what is used for this communication, dividing it into seven layers to be analyzed.
Each layer has its protocols designed for specific actions that need to occur during data transmission.
For this topic, we don't need an in-depth understanding of the layers and types of protocols. The ones we'll discuss are more practical. However, if you want a comprehensive understanding of how internet navigation works, this article is a must-read: TCP/IP vs. OSI: What’s the Difference Between them? | FS Community
1.3.2 - TCP (Transmission Control Protocol)
TCP simplified some layers of the OSI model but retained the use of the same protocols.
1.3.3 - IP
IP stands for Internet Protocol, which is the way devices connect to the internet (here, we are not discussing the entire flow of information but rather how a device connects).
There are four types of IP addresses: private, public, static, and dynamic.
Private
This is the IP used within a network, such as a home. It is the IP used between you and your router. When the router receives information from the internet, it analyzes to which recipient it will address the information.
Public
This is the public address. Your router requests an IP from your Internet Service Provider (ISP) to be used for you. This IP is typically dynamic. The request for information or the sending of information is done with this IP, and only within your router is the public IP analyzed along with the private IP, allowing the router to know where to address the information.
Static
This means your IP is static; it always receives the same IP. Devices where IP consistency is crucial, have their addresses defined and remain the same for an extended period.
Dynamic
As the name suggests, it is an address that continuously changes, even while connected, whenever necessary.
With that said, let's move on to the IPv4 protocol, which is gradually being phased out in favor of IPv6.
IPv4
IPv4 is the model that enables networks to transmit data, assigning an origin and destination for this traffic. However, the maximum number of IPs is limited to 4 billion, which is currently smaller than the existing number of devices. It's worth noting that IPv4 dates back to 1982.
Therefore, the transition to IPv6 became necessary. Introduced in 1995, IPv6 allows for the existence of up to 340 undecillion IPs (1028 times more than IPv4). IPv6 uses a 128-bit addressing scheme, unlike the 32-bit scheme of IPv4.
IPv6 Address: “2001:0db8:0000:0042:0000:8a2e:0370:7334”
IPv4 Address: 192.168.1.100
1.4 - Proxy and VPN
Proxy and VPN are tools used to enhance your protection through anonymous browsing.
With a proxy, you connect to a server, and this server, with its IP, handles all requests on your behalf. You connect to it, and it "browses" for you.
On the other hand, VPN encrypts your data. It passes through your ISP, reaches the VPN server, decrypts your data, conducts the browsing, and encrypts the results again before passing through your ISP. When it reaches you, it is decrypted. In essence, it functions as an encrypted information tunnel.
2 - DEEPWEB
Some tools for secure browsing on the Deep Web.
2.1 - TOR (The Onion Router)
One way to access the Deep Web is through the TOR browser, which employs a three-node route, encrypting each step akin to layers of an onion. It passes through three nodes to request information in an encrypted manner, and the response to this request also traverses three new nodes, encrypting the data again, making your browsing much more secure, albeit slower.
2.2 - DeepLinks
In the Deep Web, the majority of existing sites are not indexed, making it impossible to "search" for these links. Instead, you need to know them to access them. Therefore, there are some indexed sites with lists of deep links, providing access to non-indexed sites in the Deep Web.
2.3 - TAILS
Transitioning from browsers and links, let's delve into the operating system. For this, we have TAILS (The Amnesic Incognito Live System), an OS based on Debian Linux.
TAILS is an operating system with a focus on anonymity and can be installed on a USB drive. It gained notoriety for being used by Edward Snowden to leak information about Microsoft. Among its native tools are Tor, Thunderbird, KeePassXC, Metadata Cleaner, and various other features.
2.4 - WINSCRIBE
It is a reliable website that provides free VPN services (and additional features in the paid version).
2.5 - HIDE.ME
Similarly to Winscribe, Hide.me is a tool, but for a proxy.
3 - CYBERSECURITY
3.1 - Introduction
Despite being a widely used term and perhaps even somewhat obvious, it's worth taking a step back to understand what cybersecurity is all about. When we talk about cybersecurity, we are referring to the practices of protecting systems, networks, and programs from digital attacks, known as cyberattacks.
Cyberattacks are ways of accessing, without authorization, altering, or destroying sensitive information. In some cases, it might involve extorting money from users. It can also be a political or social act to disrupt business operations.
Cybersecurity is the constant and ongoing effort to secure information, preventing unauthorized individuals from accessing what they shouldn't.
Keeping this in mind, we can consider what tools are used to achieve its scope. What should be studied, and what tools should be used daily to effectively protect data? The answer lies in using the same tactics as those who attack, simulating attacks to find vulnerabilities in the systems we intend to protect.
In essence, what needs to be studied and done by those in the field of cybersecurity is, to a large extent, similar to what attackers do. However, the goal is to document, instruct, and improve the protected environment, closing possible security loopholes.
3.2 - RED TEAM x BLUE TEAM
One of the most common cybersecurity practices is simulating attacks, usually divided into two teams: the Red Team and the Blue Team.
These exercises aim to identify points of vulnerability, determine areas for improvement in defense, make changes to defense processes, and develop quick responses that should be executed when an attack occurs.
The RED TEAM is obligated to attack, identify and exploit vulnerabilities in the defense. It's important to note that all of this is done at the request of the company. Everything being explored has been previously agreed upon as permissible access to the information being targeted. The Red Team doesn't have direct access to this information, so, like a real attacker, they attempt to access this information.
On the other hand, the BLUE TEAM is responsible for protection, both preventive and reactive, during an attack. They must be capable of identifying the intruder, analyzing what they interacted with, and expelling them from the system.
While these two teams are the most common, other types of teams encompass more than one responsibility, such as the Purple Team.
3.3 - PTES - Framework:
PTES (Penetration Testing Execution Standard) is a penetration testing process. This process was developed to maintain a standard in the format in which penetration tests should be conducted, which does not mean that the content of the actions is predefined. Like any process, it is based on stages to be completed, and it is no different with this one, which is divided as follows:
3.3.1 - Pre-Engagement
Covers all activities before the active start of the penetration test. It involves contracts, goal definitions, limits, and what cannot be used. It is the preparation to ensure that the test is conducted correctly and to clarify the client's objectives.
Red Team: Schedule attacks, study potential targets, and try to identify weaknesses before the actual test. Blue Team: Define defense protocols, analyze potential weak points, and create procedures for test approval.
3.3.2 - Intelligence Gathering
It is the external collection of information, attempting to accumulate as much information as possible about the network infrastructure, applications, users, and potential points of vulnerability that could be exploited during the test. OSINT (Open Source Intelligence) is used here, which will be explained later, to access as much free information about what will be attacked.
Red Team: Collect information, investigate, study public profiles, and identify exposed sensitive data. Blue Team: Verify exposed sensitive information and develop strategies to protect data sensitive to such exposure.
3.3.3 - Threat Modelling
Models are created with the target system in mind, making it clearer to observe the possible network securities and the most significant vulnerabilities. The model tries to encompass as many possible vulnerabilities, the most severe ones and those that need to be prioritized in an attack.
Red Team: Identify potential attack vectors. Blue Team: Develop defense measures to neutralize vulnerabilities or hinder access to the most critical data.
3.3.4 - Vulnerability Analysis
All information and models created are analyzed to effectively validate existing vulnerabilities. It is the validation of collected information and listed vulnerabilities.
Red Team: Validate vulnerabilities to exploit security breaches. Blue Team: Implement defense measures created in Threat Modeling, fixing software, and adding new security options.
3.3.5 - Exploitation
It is the attack itself, where the Red Team tries to invade the system through the weaknesses found, and the Blue Team tries to monitor the attack and block attackers before they dominate any system breach.
3.3.6 - Post-Exploitation
When the attack is successful, there is Post-Exploitation, where the Red Team tries to maintain control over part of the target system to collect additional information. It is as if the attack has been executed (Exploitation), reached its goal, and now something is kept in the attacked system to collect more information.
Red Team: Maintain control over part of the system, collecting more information. Blue Team: Try to detect unauthorized activity and implement containment measures after an attack or as part of a routine, avoiding the existence of unauthorized access.
3.3.7 - Reporting
The final phase, where a report is produced for the client, covering all identified vulnerabilities, ways to mitigate these vulnerabilities and other necessary improvements.
3.4 - OSINT (Open-source intelligence)
OSINT is a method of collecting public information, particularly prevalent in the cybersecurity context, aiding in the discovery of sensitive information publicly available on the internet. The OSINT framework helps find tools for collecting this public information, offering a wide array of potential tools depending on the desired information. Here are some key tools:
3.4.1 Google Hacking
Advanced use of Google to employ specific search techniques to find results that are not easily accessible through regular searches.
3.4.2 Shodan
Known as the "Google" for devices connected to the internet. Identifies open ports on devices like cameras, computers, or any unprotected devices.
3.4.2 Maltego
Focuses on finding information and establishing relationships between people, companies, domains, sites, and documents across the internet.
3.4.3 Social Engineering
Involves manipulating individuals to obtain information, often by deceiving them to compromise the security of the target.
3.5 Nerwork Scanning and Enumeration
One of the simpler ways to implement PTES concepts. Involves identifying active devices in a network, either to expel or infiltrate the network and search for hosts, services, and information.
To accomplish this, tools like Metasploit, Meterpreter and Wireshark are highly useful.
If you found this text interesting and these tools compelling, you can delve deeper into cybersecurity with other articles, courses, and videos available.