Cyber Security & Digital Forensics
Unit 1 • Topic 1.1

Basic Concept of Information Security

Definition

Information Security (InfoSec) is the practice of protecting information—both physical and digital—from unauthorized access, use, disclosure, disruption, modification, or destruction. It ensures that the right people have access to the right information at the right time.

Concept Explanation

In today's digital world, data is one of the most valuable assets. Organizations store sensitive data like customer records, financial information, and trade secrets. InfoSec provides a framework to protect this data throughout its lifecycle: creation, storage, transmission, and disposal. It is not just about technology; it includes policies, people, and processes.

  • Data at Rest: Information stored on hard drives, databases, or cloud storage.
  • Data in Transit: Information moving across networks (e.g., emails, file transfers).
  • Data in Use: Information being processed in RAM or CPU.
Exam Keywords: InfoSec, Data Lifecycle, Asset Protection, Confidential Data, Data States.
Unit 1 • Topic 1.2

Definition of Information Security

Formal Definition

"Information Security is defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability." — NIST (National Institute of Standards and Technology)

Key Components

  • Threat: Any potential danger to information (e.g., hackers, malware).
  • Vulnerability: A weakness in a system that can be exploited.
  • Risk: The likelihood that a threat will exploit a vulnerability.
  • Asset: Anything of value that needs protection (data, hardware, software).
  • Control/Countermeasure: A safeguard to reduce risk (e.g., firewall, encryption).
Exam Keywords: NIST Definition, Threat, Vulnerability, Risk, Asset, Countermeasure, Safeguard.
Unit 1 • Topic 1.3

The CIA Triad

Definition

The CIA Triad is the foundational model for information security. It stands for Confidentiality, Integrity, and Availability. All security policies and controls are designed to protect one or more of these three pillars.

CIA Triad

1. Confidentiality

Ensuring that information is accessible only to those authorized to have access. This is achieved through encryption, access control lists (ACLs), and authentication mechanisms like passwords and biometrics.

Real-World Example: A hospital encrypts patient medical records so only doctors and nurses can read them.

2. Integrity

Ensuring that information is accurate and has not been tampered with. This is achieved through hashing (like SHA-256), digital signatures, and version control.

Real-World Example: A bank uses checksums to verify that a money transfer request was not altered during transmission.

3. Availability

Ensuring that information and systems are accessible to authorized users when needed. This is achieved through redundancy, backups, and disaster recovery plans.

Real-World Example: An e-commerce website uses multiple servers so if one fails, the site stays online.

Exam Keywords: CIA Triad, Confidentiality, Integrity, Availability, Hashing, Encryption, Redundancy, ACL.
Unit 1 • Topic 1.4

OSI Security Architecture (X.800)

Definition

ITU-T Recommendation X.800 provides a systematic framework for defining and organizing security. It defines Security Attacks, Security Mechanisms, and Security Services.

1. Security Attacks

Actions that compromise the security of information. They are divided into:

  • Passive Attacks: Observing or monitoring transmissions without altering data. (e.g., Eavesdropping, Traffic Analysis). Goal: Gain information.
  • Active Attacks: Modifying the data stream or creating a false stream. (e.g., Masquerade, Replay, Denial of Service). Goal: Disrupt or deceive.

2. Security Services

Functions provided by a system to ensure security. Defined by X.800 as: Authentication, Access Control, Data Confidentiality, Data Integrity, and Non-Repudiation.

3. Security Mechanisms

The tools used to implement the services. Examples: Encipherment (encryption), Digital Signatures, Access Control mechanisms, Traffic Padding.

Exam Keywords: X.800, ITU-T, Passive Attack, Active Attack, Masquerade, Replay, Non-Repudiation, Encipherment.
Unit 1 • Topic 1.5

Private Key Cryptography (Symmetric)

Definition

Symmetric-key cryptography uses a single secret key for both encryption and decryption. Both the sender and receiver must possess the same key.

How It Works

  1. Alice and Bob agree on a shared secret key (e.g., "S3cretK3y!").
  2. Alice encrypts her message using the key: Plaintext + Key → Ciphertext.
  3. Alice sends the ciphertext to Bob over an insecure channel.
  4. Bob decrypts the message using the same key: Ciphertext + Key → Plaintext.

Common Algorithms

  • DES (Data Encryption Standard): Older, 56-bit key. Now considered insecure.
  • 3DES (Triple DES): Applies DES three times. More secure but slow.
  • AES (Advanced Encryption Standard): Modern standard. Uses 128, 192, or 256-bit keys. Very fast and secure.

Advantages

Fast encryption/decryption. Efficient for large amounts of data.

Disadvantages

Key Distribution Problem: How do you securely share the secret key with the other party? If intercepted, all security is lost.

Exam Keywords: Symmetric Key, Private Key, DES, 3DES, AES, Key Distribution Problem, Shared Secret.
Unit 1 • Topic 1.6

Public Key Cryptography (Asymmetric)

Definition

Asymmetric cryptography uses a pair of mathematically related keys: a Public Key (shared with everyone) and a Private Key (kept secret by the owner).

How It Works (for Encryption)

  1. Bob generates a key pair: a Public Key and a Private Key.
  2. Bob shares his Public Key with Alice (and anyone else).
  3. Alice encrypts a message using Bob's Public Key.
  4. Alice sends the ciphertext to Bob.
  5. Bob decrypts the message using his Private Key (only he has it).

The RSA Algorithm

RSA is the most famous asymmetric algorithm. Its security is based on the mathematical difficulty of factoring the product of two large prime numbers. If n = p × q, finding p and q from n is computationally infeasible for very large numbers.

Advantages

Solves the Key Distribution Problem. You can share your public key openly without risk.

Disadvantages

Slower than symmetric encryption. Not practical for encrypting large files directly (hybrid systems use both).

Exam Keywords: Asymmetric Key, Public Key, Private Key, RSA, Key Pair, Prime Factorization, Hybrid Encryption.
Unit 1 • Topic 1.7

Hashing and PGP

Definition: Hashing

A hash function is a one-way mathematical function that takes any input and produces a fixed-size output (the "hash" or "digest"). It is irreversible—you cannot get the original data back from the hash.

Properties of a Good Hash Function

  • Deterministic: Same input always produces the same hash.
  • Fixed Output: MD5 produces 128-bit, SHA-1 produces 160-bit, SHA-256 produces 256-bit.
  • Avalanche Effect: A tiny change in input causes a completely different hash.
  • Collision Resistant: It should be extremely hard to find two different inputs that produce the same hash.

Common Algorithms

Algorithm | Bits | Status
MD5       | 128  | Broken (collisions found)
SHA-1     | 160  | Deprecated
SHA-256   | 256  | Secure (current standard)
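
The properties listed above (fixed output size, determinism, avalanche effect) can be checked directly with Python's hashlib. This is an added example, not part of the original notes; the message is a constructed sample.

```python
import hashlib

# Constructed sample input for the demonstration (not from the notes).
MESSAGE = b"Transfer 100 to account 12345"


def digest_bits(algorithm: str, data: bytes) -> int:
    """Output size in bits; fixed for the algorithm regardless of input length."""
    return len(hashlib.new(algorithm, data).digest()) * 8


def is_deterministic(algorithm: str, data: bytes) -> bool:
    """Hashing the same input twice must give the same digest."""
    first = hashlib.new(algorithm, data).hexdigest()
    second = hashlib.new(algorithm, data).hexdigest()
    return first == second


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit flipped."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_bits(algorithm: str, data: bytes, bit_index: int = 0) -> int:
    """Digest bits changed by a single-bit change in the input.
    For a good hash this is close to half the digest (about 128 of 256 for SHA-256)."""
    original = hashlib.new(algorithm, data).digest()
    modified = hashlib.new(algorithm, flip_bit(data, bit_index)).digest()
    return hamming_distance(original, modified)


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        print(name, digest_bits(name, MESSAGE), "bits;",
              avalanche_bits(name, MESSAGE), "digest bits changed by a 1-bit input change")
```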

PGP (Pretty Good Privacy)

PGP is an encryption program that provides cryptographic privacy and authentication. It uses a combination of symmetric encryption (for speed) and asymmetric encryption (for key exchange and digital signatures). It is widely used for encrypting emails.

Exam Keywords: Hash Function, Digest, MD5, SHA-1, SHA-256, Avalanche Effect, Collision, PGP, GPG.
Unit 2 • Topic 2.1

Types of Security Attacks

Definition

A security attack is any action designed to compromise the confidentiality, integrity, or availability of a system. Attacks are broadly classified as Passive or Active.

Passive Attacks

The attacker monitors transmissions without altering them. The goal is to obtain information. Difficult to detect because nothing is changed.

  • Eavesdropping (Interception): Listening to private communications.
  • Traffic Analysis: Analyzing patterns of communication (e.g., who is talking to whom, how often).

Active Attacks

The attacker modifies the data stream or creates a false one. Easier to detect but harder to prevent.

  • Masquerade: Pretending to be an authorized user.
  • Replay: Capturing data and retransmitting it to cause an unauthorized effect.
  • Modification of Messages: Altering data during transmission.
  • Denial of Service (DoS): Flooding a system with traffic to make it unavailable.
Exam Keywords: Passive Attack, Active Attack, Eavesdropping, Traffic Analysis, Masquerade, Replay Attack, DoS.
Unit 2 • Topic 2.2

Security Issues in Communication Layers

Concept Explanation

Each layer of the OSI/TCP-IP model has unique security vulnerabilities:

  • Physical Layer: Wiretapping, physical destruction of cables.
  • Data Link Layer: MAC Spoofing, ARP Poisoning.
  • Network Layer: IP Spoofing, ICMP attacks (Smurf attack).
  • Transport Layer: SYN Flood attacks, Session Hijacking.
  • Application Layer: SQL Injection, XSS, Malware, Phishing.
Exam Keywords: OSI Model, ARP Poisoning, IP Spoofing, SYN Flood, Session Hijacking.
Unit 2 • Topic 2.3

Digital Signatures

Definition

A digital signature is a mathematical scheme for verifying the authenticity and integrity of a digital message or document. It is the digital equivalent of a handwritten signature.

How It Works

  1. The sender creates a hash of the message (e.g., using SHA-256).
  2. The sender encrypts the hash with their Private Key. This encrypted hash is the "Digital Signature."
  3. The sender sends the original message along with the digital signature.
  4. The receiver decrypts the signature using the sender's Public Key to get the original hash.
  5. The receiver creates a new hash of the received message and compares it to the decrypted hash. If they match, the message is authentic and unaltered.

What It Provides

  • Authentication: Confirms the sender's identity.
  • Integrity: Proves the message was not modified.
  • Non-Repudiation: The sender cannot deny sending the message because only their private key could have created the signature.
Exam Keywords: Digital Signature, Hash, Private Key Encryption, Non-Repudiation, Authentication, Integrity.
Unit 2 • Topic 2.4

Secure Socket Layer (SSL)

Definition

SSL (Secure Sockets Layer) is a cryptographic protocol designed to provide secure communication over a computer network. It establishes an encrypted link between a web server and a browser.

How SSL Works (The Handshake)

  1. Client Hello: Browser sends supported SSL version and cipher suites to server.
  2. Server Hello: Server chooses the cipher suite and sends its digital certificate.
  3. Certificate Verification: Browser verifies the certificate with a trusted Certificate Authority (CA).
  4. Key Exchange: Browser generates a session key, encrypts it with the server's public key, and sends it.
  5. Secure Connection: Both parties now use the symmetric session key for fast encrypted communication.
Exam Keywords: SSL, Handshake, Certificate Authority (CA), Session Key, HTTPS, Port 443.
Unit 2 • Topic 2.5

Transport Layer Security (TLS)

Definition

TLS (Transport Layer Security) is the successor to SSL. It is a more secure and efficient protocol for encrypting data in transit. TLS 1.3 is the current modern standard.

Key Differences from SSL

  • Uses stronger cipher suites (e.g., ChaCha20, AES-GCM).
  • Removes outdated algorithms like MD5 and SHA-1.
  • TLS 1.3 completes the handshake in just 1 round-trip (faster).
  • Enforces Perfect Forward Secrecy (PFS) by default.

Perfect Forward Secrecy (PFS)

PFS ensures that even if the server's private key is compromised in the future, past encrypted sessions cannot be decrypted. Each session uses a unique, ephemeral key.

Exam Keywords: TLS 1.3, Perfect Forward Secrecy, Ephemeral Keys, ECDHE, Cipher Suite.
Unit 2 • Topic 2.6

IPsec and VPNs

Definition: IPsec

Internet Protocol Security (IPsec) is a suite of protocols that encrypt and authenticate IP packets at the Network Layer. It is used to create Virtual Private Networks (VPNs).

IPsec Modes

  • Transport Mode: Only the payload of the IP packet is encrypted. Used for host-to-host communication.
  • Tunnel Mode: The entire IP packet is encrypted and encapsulated in a new packet. Used for network-to-network (VPN gateway) communication.

IPsec Protocols

  • AH (Authentication Header): Provides data integrity and authentication, but NOT encryption.
  • ESP (Encapsulating Security Payload): Provides data integrity, authentication, AND encryption. Most commonly used.

What is a VPN?

A Virtual Private Network creates a secure, encrypted "tunnel" over the public internet, allowing users to access a private network remotely as if they were directly connected to it.

Exam Keywords: IPsec, VPN, Tunnel Mode, Transport Mode, AH, ESP, IKE.
Unit 2 • Topic 2.7

Malware: Viruses, Worms, Trojans

Definition

Malware (Malicious Software) is any software intentionally designed to cause damage to a computer, server, client, or computer network.

Types of Malware

Type         | Behavior
Virus        | Attaches to a host file and requires user action to spread (e.g., opening an infected email).
Worm         | Self-replicating. Spreads automatically across networks without needing a host file or user action.
Trojan Horse | Disguises itself as legitimate software. Creates backdoors for attackers. Does not self-replicate.
Rootkit      | Hides deep in the OS to give attackers persistent, undetectable access.
Ransomware   | Encrypts user files and demands payment (ransom) for the decryption key.
Exam Keywords: Virus, Worm, Trojan, Rootkit, Ransomware, Spyware, Backdoor.
Unit 2 • Topic 2.8

Firewalls

Definition

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Types of Firewalls

  • Packet Filtering Firewall: Inspects packet headers (Source IP, Dest IP, Port). Works at Network Layer. Fast but limited context.
  • Stateful Inspection Firewall: Tracks the state of active connections and makes decisions based on the context of the traffic (not just headers). More secure.
  • Application-Level Gateway (Proxy): Inspects the actual content of the packets (Layer 7). Provides deep inspection but is slower.
  • Next-Generation Firewall (NGFW): Combines all of the above with intrusion prevention (IPS), deep packet inspection, and application awareness.
Exam Keywords: Packet Filtering, Stateful Inspection, Application Gateway, NGFW, ACL (Access Control List).
Unit 2 • Topic 2.9

Proxy Servers and IDS/IPS

Definition: Proxy Server

A proxy server acts as an intermediary between a user's device and the internet. It receives requests from the client, forwards them to the destination, and returns the response.

Uses of Proxy Servers

  • Anonymity: Hides the user's real IP address.
  • Content Filtering: Blocks access to specific websites (e.g., in a corporate environment).
  • Caching: Stores copies of web pages to speed up repeated requests.

IDS vs IPS

Feature   | IDS                        | IPS
Full Form | Intrusion Detection System | Intrusion Prevention System
Action    | Detects and alerts         | Detects and blocks
Position  | Out-of-band (passive)      | In-line (active)
Exam Keywords: Proxy, IDS, IPS, Snort, Signature-Based, Anomaly-Based.
Unit 3 • Topic 3.1

Overview of Cybercrime

Definition

Cybercrime is any illegal activity that involves a computer, a network, or a networked device. The computer can be the target of the crime (e.g., hacking) or the tool used to commit it (e.g., online fraud).

Why is Cybercrime Increasing?

  • Rapid digitization of services (banking, healthcare, government).
  • Anonymity provided by the internet.
  • Global nature: Criminals can attack from anywhere in the world.
  • Low risk, high reward for attackers.
Exam Keywords: Cybercrime, Computer as Target, Computer as Tool, Anonymity.
Unit 3 • Topic 3.2

Classification of Cybercrime

Crimes Against Individuals

  • Cyberstalking
  • Identity Theft
  • Online Harassment/Defamation
  • Phishing

Crimes Against Property

  • Hacking / Unauthorized Access
  • Software Piracy
  • Credit Card Fraud
  • Intellectual Property Theft

Crimes Against Society/Government

  • Cyber Terrorism
  • Distribution of Child Pornography
  • Spreading Malware
  • Attacks on Critical Infrastructure
Exam Keywords: Crime Classification, Cyberstalking, Phishing, Software Piracy, Cyber Terrorism.
Unit 3 • Topic 3.3

Intellectual Property in the Digital World

Definition

Intellectual Property (IP) refers to creations of the mind: inventions, literary and artistic works, designs, symbols, names, and images used in commerce.

Types of IP Rights

  • Copyright: Protects original works of authorship (books, music, software code).
  • Patent: Protects inventions and new processes.
  • Trademark: Protects brand names and logos.
  • Trade Secret: Protects confidential business information.

IP Crimes in Digital World

Software piracy, illegal downloading of movies/music, and code theft are common forms of IP crimes facilitated by the internet.

Exam Keywords: Copyright, Patent, Trademark, Trade Secret, Piracy, DMCA.
Unit 3 • Topic 3.4

Indian Cyber Law: IT Act 2000/2008

Overview

The Information Technology Act, 2000 (amended in 2008) is the primary law in India dealing with cybercrime and electronic commerce.

Key Sections

Section | Offense                                  | Penalty
65      | Tampering with computer source documents | 3 years / ₹2 Lakh
66      | Computer related offenses (hacking)      | 3 years / ₹5 Lakh
66C     | Identity theft                           | 3 years / ₹1 Lakh
66D     | Cheating by personation using computer   | 3 years / ₹1 Lakh
66E     | Violation of privacy                     | 3 years / ₹2 Lakh
67      | Publishing obscene material              | 5 years / ₹10 Lakh
Exam Keywords: IT Act 2000, IT Act 2008 Amendment, Section 65, 66, 66C, 67, Adjudicating Officer.
Unit 4 • Topic 4.1

Introduction to Ethical Hacking

Definition

Ethical Hacking is the authorized practice of bypassing system security to identify potential data breaches and threats in a network. It is performed legally with permission from the owner.

What Makes it "Ethical"?

  • Explicit written authorization from the system owner.
  • The intent is to improve security, not cause harm.
  • All discovered vulnerabilities are reported to the owner.
  • The hacker respects the privacy of data during testing.
Exam Keywords: Ethical Hacking, White Hat, Authorized Testing, Legal Permission.
Unit 4 • Topic 4.2

Need for Ethical Hacking

Why Do Organizations Need Ethical Hackers?

  • Proactive Defense: Find and fix vulnerabilities before malicious hackers do.
  • Compliance: Many regulations (like PCI-DSS, HIPAA) require regular security assessments.
  • Protect Reputation: A data breach can destroy customer trust and brand value.
  • Financial Protection: Breaches lead to lawsuits, fines, and recovery costs.
  • Test Security Investments: Verify that expensive security tools are actually working.
Unit 4 • Topic 4.3

Types of Hackers

Type          | Intent                                                                    | Legality
White Hat     | Improve security. Work with organizations.                                | Legal
Black Hat     | Steal data, cause harm, financial gain.                                   | Illegal
Grey Hat      | Finds bugs without permission but doesn't cause harm. May ask for reward. | Ambiguous
Script Kiddie | Uses existing tools without understanding. Seeks notoriety.               | Often illegal
Exam Keywords: White Hat, Black Hat, Grey Hat, Script Kiddie, Hacktivist.
Unit 4 • Topic 4.4

Hacking Methodology: The 5 Phases

  1. Reconnaissance (Footprinting): Gathering information about the target. Passive reconnaissance does not interact with the target directly (Google, Whois, LinkedIn); active reconnaissance does (e.g., port scanning).
  2. Scanning: Actively probing the target to find open ports, services, and vulnerabilities. Tools: Nmap, Nessus.
  3. Gaining Access (Exploitation): Exploiting a discovered vulnerability to enter the system. Tools: Metasploit.
  4. Maintaining Access: Installing backdoors, rootkits, or creating new user accounts to ensure persistent access.
  5. Clearing Tracks (Covering Tracks): Deleting logs, modifying registry entries, and removing evidence of the intrusion.
Unit 4 • Topic 4.5

Penetration Testing

Definition

Penetration Testing (Pen Testing) is a simulated cyberattack against your computer system to check for exploitable vulnerabilities.

Types of Pen Tests

  • Black Box: Tester has no prior knowledge of the system. Simulates a real external attack.
  • White Box: Tester has full knowledge (source code, network diagrams). Deep, comprehensive test.
  • Grey Box: Tester has partial knowledge (e.g., user credentials). Simulates an insider threat.
Exam Keywords: Pen Test, Black Box, White Box, Grey Box, Vulnerability Assessment.
Unit 4 • Topic 4.6

Kali Linux and Tools

What is Kali Linux?

Kali Linux is a Debian-based Linux distribution designed for digital forensics and penetration testing. It comes pre-installed with hundreds of security tools.

Essential Tools in Kali

  • Nmap: Network scanner for discovering hosts and services.
  • Metasploit: Framework for developing and executing exploit code.
  • Burp Suite: Web application security testing.
  • Wireshark: Network packet analyzer.
  • John the Ripper: Password cracker.
  • Aircrack-ng: Wireless network security auditing.
Unit 4 • Topic 4.7

SQL Injection (SQLi)

Definition

SQL Injection is a code injection technique that exploits a security vulnerability in an application's database layer. It allows attackers to execute arbitrary SQL code on the database.

How It Works

An attacker enters malicious SQL code into a user input field (like a login form). If the application does not properly validate the input, the code is executed by the database.

Example Payload: In a login field, entering ' OR 1=1 -- can bypass authentication because the query becomes: SELECT * FROM users WHERE user='' OR 1=1 --' AND pass='...'. The `1=1` is always true, and `--` comments out the rest.

Prevention

  • Use Parameterized Queries (Prepared Statements).
  • Validate and sanitize all user inputs.
  • Use a Web Application Firewall (WAF).
Exam Keywords: SQL Injection, Prepared Statements, Input Validation, WAF, OR 1=1.
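
The login query above, written once by string formatting and once as a prepared statement, run against an in-memory SQLite table. This is an added example, not code from the notes; the users table and its single row are constructed for the demonstration.

```python
import sqlite3

# Payload from the notes above: it closes the quoted string, adds an always-true
# condition, and comments out the password check.
BYPASS_PAYLOAD = "' OR 1=1 --"


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table. The plaintext password is only for the
    demonstration; a real application stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def rendered_query(user: str, password: str) -> str:
    """The SQL text the database actually receives from the vulnerable version."""
    return f"SELECT * FROM users WHERE user='{user}' AND pass='{password}'"


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Builds the query by string formatting, so user input becomes SQL code."""
    return conn.execute(rendered_query(user, password)).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Prepared statement: the driver binds input as data, so the query structure
    is fixed and the payload is compared literally against the user column."""
    query = "SELECT * FROM users WHERE user=? AND pass=?"
    return conn.execute(query, (user, password)).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    print(rendered_query(BYPASS_PAYLOAD, "x"))
    print("vulnerable login bypassed:    ", login_vulnerable(db, BYPASS_PAYLOAD, "x"))
    print("parameterized login bypassed: ", login_parameterized(db, BYPASS_PAYLOAD, "x"))
```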
Unit 4 • Topic 4.8

Cross-Site Scripting (XSS)

Definition

XSS is a client-side code injection attack where an attacker injects malicious scripts (usually JavaScript) into web pages viewed by other users.

Types of XSS

  • Stored XSS: The malicious script is permanently stored on the target server (e.g., in a database comment). Affects all users who view the page.
  • Reflected XSS: The script is reflected off the web server, such as in an error message or search result. Requires tricking the user into clicking a malicious link.
  • DOM-based XSS: The vulnerability exists in the client-side code itself, not the server.

Impact

Can be used to steal session cookies, deface websites, or redirect users to malicious sites.

Exam Keywords: XSS, Stored, Reflected, DOM-based, Script Injection, Session Hijacking.
Unit 4 • Topic 4.9

Sniffing and Session Hijacking

Definition: Sniffing

Sniffing is the process of capturing data packets as they travel over a network. This can be used to capture sensitive information like passwords if the traffic is unencrypted.

Definition: Session Hijacking

Session Hijacking is an attack where the attacker takes over a valid user session. This is often done by stealing the user's session cookie after they have authenticated.

Common Techniques

  • ARP Spoofing: Tricking devices on the network to send traffic to the attacker's machine.
  • Sidejacking: Capturing unencrypted session cookies over Wi-Fi.
Exam Keywords: Sniffing, Packet Capture, Session Hijacking, Cookie Stealing, Wireshark.
Unit 4 • Topic 4.10

OWASP Top 10

What is OWASP?

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Their "Top 10" is a list of the most critical web application security risks.

The OWASP Top 10 (2021 Edition)

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection (SQL, XSS, etc.)
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)
Exam Keywords: OWASP, Top 10, Broken Access Control, Injection, SSRF.
Unit 5 • Topic 5.1

What is Digital Forensics?

Definition

Digital Forensics is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally admissible. It is used in investigations of cybercrime, fraud, and other incidents.

Key Goals

  • Identify the source of the attack or incident.
  • Recover and reconstruct data that has been deleted or hidden.
  • Establish a timeline of events.
  • Provide evidence that can be used in court.
Exam Keywords: Digital Forensics, eDiscovery, Incident Response, Legal Admissibility.
Unit 5 • Topic 5.2

Branches of Digital Forensics

  • Disk Forensics: Analyzing data stored on hard drives and SSDs. Recovering deleted files.
  • Network Forensics: Monitoring and analyzing network traffic to detect intrusions or data exfiltration.
  • Mobile Forensics: Extracting data from smartphones and tablets (SMS, call logs, app data, GPS).
  • Memory Forensics: Analyzing the contents of volatile memory (RAM) to find running processes, malware, or encryption keys.
  • Cloud Forensics: Investigating data stored in cloud services like AWS, Azure, and Google Cloud.
Exam Keywords: Disk, Network, Mobile, Memory, Cloud Forensics, Volatility.
Unit 5 • Topic 5.3

Locard's Exchange Principle

Definition

"Every contact leaves a trace." This principle, formulated by criminologist Dr. Edmond Locard, states that whenever two objects come into contact, there is always a transfer of material or evidence.

Application in Digital Forensics

In the digital world, every action on a computer leaves behind some form of artifact. These are the "traces":

  • Log files showing user activity.
  • Browser history and cache.
  • Registry entries on Windows.
  • Metadata embedded in files (creation date, author).
  • Deleted files remaining in slack space or unallocated sectors.
Exam Keywords: Locard's Principle, Trace Evidence, Artifacts, Log Files, Metadata.
Unit 5 • Topic 5.4

The 5 Phases of Forensic Investigation

Digital Forensics Lifecycle

  1. Identification: Determine what devices, data, and systems are relevant to the investigation.
  2. Preservation: Protect the evidence from modification. Use write-blockers. Create forensic images.
  3. Collection: Safely extract the data. Follow the order of volatility (RAM first, then disk).
  4. Analysis: Examine the data to find relevant evidence. Use forensic tools like EnCase, FTK, Autopsy.
  5. Reporting (Presentation): Document all findings in a clear, organized report suitable for legal proceedings.
Exam Keywords: 5 Phases, Identification, Preservation, Collection, Analysis, Reporting.
Unit 5 • Topic 5.5

Chain of Custody

Definition

The Chain of Custody is a chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.

Why is it Important?

  • Ensures the evidence has not been tampered with since collection.
  • Proves that the evidence presented in court is the same evidence that was collected at the scene.
  • Failure to maintain the chain can make evidence inadmissible in court.

What to Document?

Who collected it, when, where, how it was stored, who had access, and any transfers of possession.

Exam Keywords: Chain of Custody, Evidence Integrity, Admissibility, Documentation.
Unit 5 • Topic 5.6

Forensic Imaging

Definition

Forensic Imaging is the process of creating an exact, bit-for-bit copy of a storage device. This is often called a "Bit-Stream Image" or "Forensic Clone."

Why Not Just Copy Files?

A standard file copy only copies accessible files. A forensic image captures everything, including:

  • Deleted files (data still exists in unallocated space).
  • File slack (unused space at the end of file clusters).
  • Hidden partitions and system files.

Tools for Imaging

FTK Imager, DD (Linux command), EnCase.

Verification

After creating the image, a hash (MD5 or SHA-256) of both the original and the image is calculated. If they match, the image is a perfect copy.
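
The difference between a file copy and a bit-stream image, plus the hash verification step, on a constructed toy "disk". This is an added example, not code from the notes; the sector layout and the toy directory format (name=start:count) are assumptions made for the demonstration.

```python
import hashlib

SECTOR = 16  # constructed toy sector size (real disks use 512 or 4096 bytes)


def build_toy_disk() -> bytes:
    """Constructed six-sector 'device': sector 1 is a toy directory listing the
    one allocated file; sector 3 still holds the bytes of a deleted file."""
    sectors = [
        b"BOOT",
        b"invoice.txt=2:1",  # directory entry: name=start_sector:sector_count
        b"Invoice 42 paid",  # allocated data of invoice.txt
        b"DELETED-SECRET!",  # unallocated space: remnant of a deleted file
        b"",
        b"",
    ]
    return b"".join(s.ljust(SECTOR, b"\x00") for s in sectors)


def allocated_sectors(disk: bytes) -> list:
    """Parse the toy directory sector into the list of allocated sector numbers."""
    directory = disk[SECTOR:2 * SECTOR].rstrip(b"\x00").decode()
    allocated = []
    for entry in filter(None, directory.split(";")):
        _name, extent = entry.split("=")
        start, count = (int(x) for x in extent.split(":"))
        allocated.extend(range(start, start + count))
    return allocated


def file_copy(disk: bytes) -> bytes:
    """A normal copy: only the sectors the file system says belong to files."""
    return b"".join(disk[s * SECTOR:(s + 1) * SECTOR] for s in allocated_sectors(disk))


def forensic_image(disk: bytes) -> bytes:
    """Bit-stream image: every sector, allocated or not (what dd produces)."""
    return bytes(disk)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(original: bytes, image: bytes) -> bool:
    """Verification step from the notes: hash both; equal hashes mean an exact copy."""
    return sha256_hex(original) == sha256_hex(image)


if __name__ == "__main__":
    disk = build_toy_disk()
    image = forensic_image(disk)
    print("image hash matches device:", verify_image(disk, image))
    print("deleted data in file copy:", b"DELETED-SECRET!" in file_copy(disk))
    print("deleted data in image:    ", b"DELETED-SECRET!" in image)
```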

Exam Keywords: Bit-Stream Image, Forensic Clone, Write-Blocker, FTK Imager, Hashing.
Unit 5 • Topic 5.7

Role of Devices and Artifacts

Digital Devices as Evidence Sources

  • Computers: Event logs, browser history, emails, documents.
  • Mobile Phones: Call logs, SMS, GPS location data, app data, photos.
  • Routers/Firewalls: Network traffic logs, connection timestamps, blocked requests.
  • Servers: Access logs, database records, user authentication records.
  • IoT Devices: Activity logs from smart home devices, wearables, etc.

Common Windows Artifacts

  • Prefetch Files: Show when applications were last run.
  • Registry: Contains user settings, recently accessed files, USB history.
  • LNK Files (Shortcuts): Point to files that were once opened, even if deleted.
  • Event Logs: System, Security, and Application logs record events.
Exam Keywords: Artifacts, Prefetch, Registry, LNK Files, Event Logs, Evidence Sources.