Cyber Threats and Vulnerabilities
Types of Cyber Threats
Malware
Malicious software designed to damage, disrupt, or gain unauthorised access to a computer system. Malware is the broadest threat category — it includes viruses, worms, trojans, ransomware, spyware, and adware.
Phishing & Social Engineering
Deceptive techniques that manipulate people (not systems) into revealing confidential information or performing harmful actions. Phishing uses fake emails; spear-phishing targets specific individuals; vishing uses phone calls.
Denial of Service (DoS / DDoS)
Floods a target server or network with so much traffic that legitimate users cannot access the service. Distributed DoS (DDoS) uses thousands of compromised machines (a botnet) to amplify the attack.
Insider Threats
Attacks originating from within the organisation — disgruntled employees, negligent staff, or compromised accounts. Insiders already have trusted access, making detection extremely difficult.
Advanced Persistent Threats (APT)
Long-term, highly sophisticated attacks usually sponsored by nation-states or organised crime. The attacker gains silent access and remains inside the network for months or years, stealing data gradually without being detected.
Man-in-the-Middle (MitM)
The attacker secretly intercepts and possibly alters communication between two parties who believe they are communicating directly with each other. Common on unsecured Wi-Fi networks.
Injection Attacks (SQL / XSS)
Malicious code is inserted into an input field (login forms, search boxes) and executed by the server. SQL Injection extracts or destroys databases; Cross-Site Scripting (XSS) targets users of a website.
Zero-Day Exploits
Attacks that target undisclosed software vulnerabilities — ones that the software vendor has not yet patched or even discovered. Called "zero-day" because there are zero days of defence available when it is first exploited.
Types of Vulnerabilities
| Vulnerability Type | Description | Example |
|---|---|---|
| Software Vulnerability | Bugs or flaws in code that can be exploited | Unpatched Windows OS allowing remote code execution |
| Configuration Weakness | Default credentials, open ports, misconfigured cloud buckets | AWS S3 bucket left publicly accessible, exposing 50 million records |
| Human / Social Vulnerability | Lack of awareness, weak passwords, gullibility to phishing | Employee clicks phishing link and enters corporate credentials |
| Physical Vulnerability | Unsecured server rooms, unencrypted laptops, USB port access | Attacker plugs in malicious USB drive in unguarded reception area |
| Network Vulnerability | Unencrypted protocols, open Wi-Fi, poor firewall rules | FTP used instead of SFTP — credentials visible in plain text |
| Third-Party / Supply Chain | Weak security in vendor/partner systems that have access to your network | Target breach via HVAC vendor credentials |
The Cyber Kill Chain — How Attacks Unfold
Developed by Lockheed Martin, the Cyber Kill Chain breaks every attack into 7 sequential phases. Defenders can stop an attack at any phase — the earlier, the better.
- Stallings, W. — Computer Security: Principles and Practice, 4th Ed., Pearson
- CERT-IN Vulnerability Notes: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01
- MITRE ATT&CK Framework: https://attack.mitre.org
- Lockheed Martin Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Risk Management
The Risk Management Process — 6 Steps
Risk Assessment — The Risk Matrix
A Risk Matrix maps Likelihood (how probable is the threat?) against Impact (how severe is the damage if it occurs?) to assign a risk level. This helps prioritise which risks to address first with limited resources.
Risk Treatment Strategies — The 4 T's
| Strategy | What It Means | When to Use | Example |
|---|---|---|---|
| Terminate (Avoid) | Stop the activity that creates the risk entirely | Risk is too high; activity not essential to business | Stop using an insecure legacy application entirely |
| Treat (Mitigate) | Implement controls to reduce likelihood or impact | Most common — when risk can be lowered to acceptable level | Install firewalls, MFA, encryption, regular patching |
| Transfer | Shift financial risk to a third party | Residual risk remains but cost of breach is shared | Purchase cyber insurance; outsource to a managed security provider |
| Tolerate (Accept) | Accept the risk without additional controls | Risk is very low OR cost of control exceeds potential loss | Accept the risk of a rarely-visited internal test server being hacked |
Key Risk Management Frameworks
NIST Risk Management Framework (RMF)
- Developed by US National Institute of Standards & Technology
- 6 steps: Categorise → Select → Implement → Assess → Authorise → Monitor
- Most widely used globally by government and enterprise
- Aligns with NIST SP 800-37 and NIST Cybersecurity Framework (CSF)
ISO/IEC 27005 — Information Security Risk Management
- International standard for cyber risk management
- Companion to ISO 27001 (ISMS standard)
- Defines risk context, criteria, assessment, treatment, and communication
- Used by organisations seeking ISO 27001 certification
- NIST SP 800-37 Rev.2 — Risk Management Framework: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
- ISO/IEC 27005:2022 — Information Security Risk Management
- ISACA — CISM Review Manual: Risk Management Domain
Cyber Security: Industry Perspective
Cyber Security Across Industry Sectors
| Industry | Primary Assets at Risk | Key Threats | Sector-Specific Regulation (India) |
|---|---|---|---|
| Banking & Finance (BFSI) | Customer account data, transaction records, payment gateways | ATM skimming, UPI fraud, ransomware, insider fraud | RBI Cyber Security Framework (2016), PCI-DSS |
| Healthcare | Patient Electronic Health Records (EHR), diagnostic data, IoMT devices | Ransomware on hospital systems, medical device hacking | Digital Information Security in Healthcare Act (DISHA), CERT-IN advisories |
| Government / Defence | Classified communications, citizen data, critical infrastructure | APTs, nation-state espionage, critical infrastructure attacks | National Cyber Security Policy 2013, NCIIPC mandate |
| Retail / E-Commerce | Customer PII, payment card data, supply chain data | SQL injection, web scraping, payment fraud, DDoS | IT Act 2000, RBI tokenisation mandate |
| Telecommunications | Network infrastructure, call records, subscriber data | SS7 protocol attacks, SIM swapping, eavesdropping | TRAI regulations, DoT security guidelines |
| Manufacturing / OT | SCADA/ICS systems, industrial control networks | Ransomware targeting OT, sabotage of production lines | NCIIPC guidelines for critical sectors |
Industry Security Maturity Model
Organisations do not all have the same security maturity. The Security Maturity Model (similar to CMMI) ranks organisations from Level 1 (basic/reactive) to Level 5 (optimised/predictive).
Industry Roles in Cyber Security
Government Role
Sets national policy, mandates compliance, funds CERT-IN and NCIIPC, and prosecutes cybercriminals under the IT Act 2000. Publishes sector-specific security guidelines for banks, hospitals, and critical infrastructure.
Enterprise / Private Role
Implements security controls, trains employees, maintains SOCs (Security Operations Centres), and complies with regulatory requirements. Leading enterprises share threat intelligence via ISACs.
Research & Academia
Develops new cryptographic algorithms, discovers vulnerabilities (responsible disclosure), and trains the next generation of security professionals. IIT, IISc, and C-DAC contribute significantly in India.
- RBI Cyber Security Framework for Banks (2016): https://www.rbi.org.in
- NCIIPC — Guidelines for Critical Sectors: https://nciipc.gov.in
- NASSCOM Cyber Security Task Force Report, 2020
- ISACA — State of Cybersecurity 2023 Report
Cyber Security Tools and Technologies
Category 1 — Perimeter & Network Security Tools
Firewalls
The first line of defence. Firewalls filter incoming and outgoing network traffic based on security rules. Types:
- Packet-Filtering Firewall — Checks IP/port headers only; fast but shallow
- Stateful Inspection Firewall — Tracks connection state; more intelligent
- Next-Generation Firewall (NGFW) — Deep packet inspection, application-layer filtering, integrated IPS (e.g., Palo Alto, Fortinet)
- Web Application Firewall (WAF) — Specifically protects web applications from SQL injection, XSS, etc.
Examples: Cisco ASA, Palo Alto NGFW, pfSense, Cloudflare WAF, AWS WAF
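The difference between the packet-filtering and stateful inspection types listed above, as an added example (not part of the original notes): the same constructed traffic is judged by a header-only rule set and by a connection-tracking one. The addresses, ports, the HTTPS-only policy and the simplified connection teardown are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = leaving the protected network, "in" = entering it
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags present on the segment


def packet_filter_allows(pkt):
    """Packet-filtering firewall: each packet is judged on its own headers."""
    if pkt.direction == "out" and pkt.dport == 443:
        return True                         # clients may reach HTTPS servers
    if pkt.direction == "in" and pkt.sport == 443 and "ACK" in pkt.flags:
        return True                         # header looks like a reply, so it passes
    return False


class StatefulFirewall:
    """Same policy, but inbound traffic must belong to a tracked connection."""

    def __init__(self):
        self.connections = set()            # (client, client port, server, server port)

    def allows(self, pkt):
        if pkt.direction == "out":
            if pkt.dport != 443:
                return False
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                self.connections.add(key)   # new outbound connection: remember it
            return key in self.connections
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.connections:
            return False                    # belongs to no connection we opened
        if "FIN" in pkt.flags or "RST" in pkt.flags:
            self.connections.discard(key)   # simplified teardown (assumption)
        return True


def compare():
    """Return {packet name: (packet filter verdict, stateful verdict)}."""
    client, server, other = "10.0.0.5", "192.0.2.10", "203.0.113.9"  # constructed
    f = frozenset
    traffic = [
        ("client SYN", Packet("out", client, 50000, server, 443, f({"SYN"}))),
        ("server SYN-ACK", Packet("in", server, 443, client, 50000, f({"SYN", "ACK"}))),
        ("client ACK", Packet("out", client, 50000, server, 443, f({"ACK"}))),
        ("unsolicited ACK", Packet("in", other, 443, client, 50001, f({"ACK"}))),
        ("server FIN", Packet("in", server, 443, client, 50000, f({"FIN", "ACK"}))),
        ("segment after close", Packet("in", server, 443, client, 50000, f({"ACK"}))),
    ]
    stateful = StatefulFirewall()
    return {name: (packet_filter_allows(p), stateful.allows(p)) for name, p in traffic}


if __name__ == "__main__":
    for name, (stateless, tracked) in compare().items():
        print(f"{name:22} packet filter={stateless!s:5} stateful={tracked}")
```

The two verdicts differ only for segments that match the header rule but belong to no open connection, which is the gap that connection tracking closes.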
Intrusion Detection & Prevention Systems (IDS / IPS)
IDS (Intrusion Detection System) monitors network traffic and alerts on suspicious patterns — it detects but does not block. IPS (Intrusion Prevention System) sits inline in the network and actively blocks malicious traffic in real time.
| Feature | IDS | IPS |
|---|---|---|
| Action | Detect & Alert only | Detect & Block in real time |
| Placement | Out-of-band (passive tap) | Inline (in the traffic path) |
| Risk of false positive | Low (only alerts) | High (may block legitimate traffic) |
| Performance impact | Minimal | Moderate (adds latency) |
| Examples | Snort (IDS mode), Zeek | Snort (inline), Suricata, Cisco IPS |
Category 2 — Endpoint Security Tools
Antivirus and Anti-Malware
Scans files, processes, and memory for known malware signatures and behavioural patterns. Modern solutions use AI/ML for zero-day detection.
Examples: Windows Defender ATP, CrowdStrike Falcon, Malwarebytes
Endpoint Detection & Response (EDR)
Advanced endpoint security that continuously monitors endpoint activity, records telemetry, detects threats that bypass traditional AV, and enables forensic investigation and automated response.
Category 3 — Monitoring & Intelligence Tools
SIEM — Security Information and Event Management
A SIEM collects, aggregates, and correlates log data from across the entire IT infrastructure (firewalls, servers, endpoints, cloud) in real time. It identifies patterns, detects anomalies, generates alerts, and provides a centralised dashboard for the SOC team.
Examples: Splunk, IBM QRadar, Microsoft Sentinel, Elastic SIEM, LogRhythm
Category 4 — Offensive / Assessment Tools
Vulnerability Scanners
Automatically scan systems for known vulnerabilities, misconfigurations, and outdated software. Used in penetration testing and security audits.
Examples: Nessus, OpenVAS, Qualys, Rapid7 InsightVM
Penetration Testing Frameworks
Used by ethical hackers to simulate real attacks against a system with permission, identifying vulnerabilities before malicious actors do.
Examples: Metasploit, Burp Suite, Kali Linux, OWASP ZAP
Category 5 — Encryption & Identity Tools
PKI and Certificate Management
Public Key Infrastructure (PKI) manages digital certificates used to authenticate users, devices, and services. SSL/TLS certificates on websites are issued through PKI. Certificate Authorities (CAs) like DigiCert, GlobalSign, and India's NIC CA issue these certificates.
Multi-Factor Authentication (MFA) Platforms
Adds a second (or third) layer of identity verification beyond passwords. Reduces account compromise risk by over 99% (Microsoft Security Report 2023).
Examples: Google Authenticator, Microsoft Authenticator, Duo Security, RSA SecurID
- NIST SP 800-94 — Guide to IDS and IPS: https://csrc.nist.gov
- OWASP Top 10 Web Application Security Risks: https://owasp.org/Top10
- Splunk Security Documentation: https://docs.splunk.com/Documentation/ES
- Metasploit Documentation: https://docs.metasploit.com
Foundations of Privacy
Why Privacy Matters in Cyber Security
Privacy and security are closely related but distinct concepts. Security protects data from unauthorised access (confidentiality, integrity, availability). Privacy governs who among the authorised can access, use, and share data, and for what purpose. You can have security without privacy — a company may perfectly secure your data but sell it to advertisers, violating your privacy.
Confidentiality
Personal data must be accessible only to those with a legitimate, specific purpose. Even within an organisation, need-to-know access controls must apply. An HR staff member should not have access to medical records.
Purpose Limitation
Data collected for one purpose must not be used for another without consent. If a hospital collects patient data for treatment, it cannot share it with insurance companies without explicit permission.
Data Minimisation & Retention
Only collect what is absolutely necessary. Delete it when it is no longer needed. Organisations that hoard data indefinitely create larger breach risks and face regulatory penalties.
Key Privacy Principles (Based on OECD / GDPR Framework)
| Principle | Meaning | Example Violation |
|---|---|---|
| Collection Limitation | Collect only data that is necessary for the stated purpose | App collects contact list, location, microphone access for a flashlight app |
| Data Quality | Data must be accurate, complete, and up-to-date | Bank using 10-year-old address to send sensitive documents to old home |
| Purpose Specification | State clearly why data is collected before or at time of collection | Website collecting email addresses with no stated use |
| Use Limitation | Do not use data beyond the stated purpose | Using survey response data to target political ads without consent |
| Security Safeguards | Protect data against loss, unauthorised access, destruction | Storing passwords in plain text in a database |
| Openness (Transparency) | Individuals must know who holds their data and why | Privacy policy written in legal jargon that no one can understand |
| Individual Participation | People have the right to access, correct, and delete their data | Company refusing to delete user data on request |
| Accountability | Data controllers are responsible for complying with all principles | CEO claiming "we didn't know" about a breach that continued for 18 months |
Privacy by Design (PbD) — 7 Foundational Principles
Introduced by Ann Cavoukian, Privacy by Design argues that privacy must be built into systems and business practices from the very beginning — not added as an afterthought. Now embedded in GDPR Article 25.
- Proactive, not Reactive: Prevent privacy incidents before they happen
- Privacy as the Default: Maximum privacy settings must be the default, not the opt-out
- Privacy Embedded into Design: Privacy is not a bolt-on feature; it is part of system architecture
- Full Functionality — Positive Sum: Privacy and security are not trade-offs; both can and must be achieved together
- End-to-End Security: Data must be protected at every stage of its life cycle — collection, use, storage, and destruction
- Visibility and Transparency: Openly publish privacy practices for verification
- Respect for User Privacy: Keep it user-centric — empower individuals
Personally Identifiable Information (PII) vs Sensitive PII
PII (General)
- Name, email address
- Phone number, postal address
- IP address (in some contexts)
- Date of birth
- Employer / job title
Sensitive PII (Higher Protection Required)
- Financial data (bank account, credit card numbers)
- Medical / health records (EHR, prescriptions)
- Biometric data (fingerprints, facial recognition)
- Government IDs (Aadhaar, PAN, passport)
- Sexual orientation, religion, political views
- OECD Privacy Guidelines (2013 revision): https://www.oecd.org/sti/ieconomy/privacy.htm
- Cavoukian, A. — Privacy by Design: The 7 Foundational Principles, IPC Ontario, 2011
- GDPR Article 25 — Data Protection by Design and Default
- ENISA — Privacy and Data Protection by Design Report, 2015
Privacy Regulation
Major Global Privacy Regulations
| Regulation | Jurisdiction | Year | Key Requirements | Max Penalty |
|---|---|---|---|---|
| GDPR (General Data Protection Regulation) | European Union | 2018 | Lawful basis for processing; consent must be explicit; right to erasure; 72-hour breach notification; DPO appointment for large orgs | €20 million or 4% of global annual turnover (whichever is higher) |
| CCPA (California Consumer Privacy Act) | California, USA | 2020 | Right to know, delete, and opt-out of sale of personal information; applies to businesses collecting CA residents' data globally | $7,500 per intentional violation |
| HIPAA (Health Insurance Portability and Accountability Act) | USA | 1996 | Protects Protected Health Information (PHI); requires physical, technical, and administrative safeguards; breach reporting within 60 days | Up to $1.9 million per violation category |
| PDPB / DPDPA (Digital Personal Data Protection Act) | India | 2023 | Consent-based processing; rights of data principals; Data Fiduciary obligations; cross-border transfer restrictions; Data Protection Board of India | Up to ₹250 crore per violation |
| IT Act 2000 (Section 43A) | India | 2008 amendment | Body corporates handling sensitive personal data must maintain reasonable security practices; compensation for negligence | Compensation as determined by adjudicating officer |
India's Digital Personal Data Protection Act (DPDPA) 2023 — In Detail
The DPDPA 2023 is India's first comprehensive data privacy law, passed in August 2023. It replaces the earlier Section 43A framework and aligns India with global privacy standards.
Key Concepts in DPDPA 2023
Data Principal
- The individual whose personal data is being processed
- Has the right to access, correct, erase, and nominate
- Must give explicit, informed, free consent before data is collected
- Can withdraw consent at any time
Data Fiduciary
- The entity (company, government body) that collects and processes data
- Must specify purpose clearly before collection
- Must implement security safeguards
- Must report data breaches to Data Protection Board within 72 hours
- Significant Data Fiduciaries face additional audits and DPIA requirements
GDPR — Key Rights Under Articles 17 and 20
- Right to Erasure ("Right to be Forgotten"): Individuals can request deletion of their data when it is no longer necessary or consent is withdrawn. Google was fined €100 million by CNIL (France) for violating this principle.
- Right to Data Portability: Users can request their data in a machine-readable format to transfer to another provider. Facebook must, on request, export all your data to a downloadable archive.
- Right to Object: Individuals can object to profiling and automated decision-making that significantly affects them.
Case Study — WhatsApp / Meta GDPR Fine (2022)
What Happened
Ireland's Data Protection Commission (DPC) fined Meta €225 million for WhatsApp's failure to be transparent about how it shared user data with other Meta companies (Facebook, Instagram). WhatsApp's privacy policy was not clear enough for ordinary users to understand what data was shared and why — violating GDPR's transparency and purpose limitation principles.
Key Lesson
Privacy regulation is not just about having a privacy policy — it must be genuinely understandable, honest, and specific. "Data may be shared with affiliated companies" is not sufficient under GDPR.
- Digital Personal Data Protection Act 2023 (India): https://www.meity.gov.in/data-protection-framework
- GDPR Full Text: https://gdpr.eu/what-is-gdpr
- IT Act 2000, Section 43A — Reasonable Security Practices: https://www.meity.gov.in
- ENISA — Guidelines on Data Protection by Design
Honeypots & Canary in Cyber Security
Honeypots — Concept, Types, and Architecture
What is a Honeypot?
A honeypot is a security resource designed to be probed, attacked, or compromised — intentionally. It mimics a real system (a server, database, or network) to lure attackers away from real assets and gather intelligence about their techniques, tools, and objectives. Honeypots are pure deception — they carry no legitimate production traffic, so any access is inherently suspicious.
Types of Honeypots
| Type | Interaction Level | Purpose | Risk to Organisation |
|---|---|---|---|
| Low-Interaction Honeypot | Simulates limited services (e.g., open SSH port, fake login page) | Quick detection of automated scans and bots | Low — attacker cannot access real system |
| Medium-Interaction Honeypot | Simulates more realistic OS and application behaviour | Detect specific attack patterns and payloads | Moderate — requires careful isolation |
| High-Interaction Honeypot | Full real OS and applications — attacker can interact deeply | Advanced threat intelligence, APT analysis, forensics | High — attackers may pivot to real network if not isolated |
| Honeynet | A network of honeypots simulating an entire organisation's infrastructure | Study coordinated attacks, APT behaviour over time | Very High — requires professional management |
Advantages and Disadvantages of Honeypots
✅ Advantages
- Detect attacks that perimeter tools miss (especially zero-days)
- Gather real attacker tactics, techniques, and procedures (TTPs)
- Low false-positive rate — any access to honeypot is inherently suspicious
- Slow down attackers while real assets are protected
- Help train SOC analysts with real attack data
- Legally safer — attacker approached the decoy first
❌ Disadvantages
- Risk of a sophisticated attacker pivoting from honeypot to real network
- High-interaction honeypots require significant management effort
- Do not protect against attacks targeting real systems directly
- Legal grey areas in some jurisdictions (entrapment arguments)
- A honeypot that is too obvious will be ignored by skilled attackers
Canary Tokens — Digital Tripwires
What is a Canary Token?
A Canary Token (or Honeytoken) is a uniquely trackable piece of data — a fake credential, a hidden URL embedded in a document, a fake email address, a bogus database entry — that serves no legitimate purpose. If it is ever accessed, opened, or used, it instantly generates an alert. The name comes from the "canary in a coal mine" — an early warning system.
Types of Canary Tokens
| Canary Token Type | How It Works | What It Detects |
|---|---|---|
| DNS Canary Token | A fake URL embedded in a document; if opened, the DNS lookup is traced | Document theft, insider threat (file opened outside org) |
| HTTP Canary Token | A unique web pixel or URL embedded in emails or web pages | Email open tracking, unauthorised web access |
| Fake Credential Canary | Fictitious username/password stored in a password file; alerts when used in login attempts | Credential database breach, attacker using stolen credentials |
| AWS Keys Canary | Fake AWS access keys left in code repositories; trigger alert when used | Exposed cloud credentials, code repository theft |
| PDF / Word Document Canary | Document phones home when opened — even offline, via embedded tracking | Exfiltration of sensitive documents, insider data theft |
| Honeyrecord (Database) | Fake entries in a database (e.g., a fictitious customer record with a unique email) | Database exfiltration — when the fake email gets spam, the breach is confirmed |
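The fake-credential and honeyrecord rows above, as an added detection example (not part of the original notes): each token is derived per placement so that a hit in the logs also says where the leak came from. The naming scheme, the registry key, the placements and the log lines are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Assumption: a secret known only to the monitoring side (constructed value).
REGISTRY_KEY = b"constructed-demo-key"

# Shapes of the two token kinds used here (hypothetical naming scheme).
TOKEN_RE = re.compile(r"svc-backup-[0-9a-f]{10}|hr\.[0-9a-f]{10}@example\.com")

# Constructed placements: (token kind, where the token is planted).
PLACEMENTS = [
    ("fake_credential", "fileserver:/etc/backup/passwords.txt"),
    ("fake_credential", "wiki:ops-runbook"),
    ("honeyrecord", "crm.customers"),
]


def make_token(kind, placement):
    """Derive a unique, unguessable token for one placement."""
    msg = f"{kind}:{placement}".encode()
    tag = hmac.new(REGISTRY_KEY, msg, hashlib.sha256).hexdigest()[:10]
    if kind == "fake_credential":
        return f"svc-backup-{tag}"          # bogus username for a password file
    if kind == "honeyrecord":
        return f"hr.{tag}@example.com"      # bogus customer e-mail for a database row
    raise ValueError(f"unknown token kind: {kind}")


def build_registry(placements):
    """Map each token back to its kind and the place it was planted."""
    return {make_token(kind, where): (kind, where) for kind, where in placements}


def scan(lines, registry):
    """Return one alert per token, raised on first sighting, with a hit count."""
    alerts = {}
    for line in lines:
        for token in TOKEN_RE.findall(line):
            if token not in registry:       # right shape but never issued: ignore
                continue
            if token in alerts:
                alerts[token]["hits"] += 1
                continue
            kind, where = registry[token]
            alerts[token] = {"first_seen": line.split()[0], "kind": kind,
                             "planted_in": where, "hits": 1}
    return list(alerts.values())


def demo():
    registry = build_registry(PLACEMENTS)
    cred = make_token("fake_credential", "wiki:ops-runbook")
    mail = make_token("honeyrecord", "crm.customers")
    # Constructed log lines (documentation IP ranges, not real events).
    lines = [
        "2024-05-01T10:00:01Z vpn auth_fail user=alice src=198.51.100.7",
        f"2024-05-01T10:02:13Z vpn auth_fail user={cred} src=203.0.113.50",
        "2024-05-01T10:02:20Z vpn auth_fail user=svc-backup-0000000000 src=203.0.113.50",
        f"2024-05-01T10:02:31Z ssh auth_fail user={cred} src=203.0.113.50",
        f"2024-05-02T08:15:00Z mail inbound rcpt={mail} from=promo@bulk.example",
    ]
    return scan(lines, registry)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Because the tokens have no legitimate use, an exact registry match is enough to alert, and the look-alike username that was never issued is ignored.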
How Canary Tokens Work — Step-by-Step
Comparison: Honeypot vs Canary Token
| Feature | Honeypot | Canary Token |
|---|---|---|
| Nature | Entire fake system / server | Single embedded data item (file, URL, credential) |
| Complexity | High — requires dedicated server, network isolation, monitoring | Low — can be deployed in minutes using tools like canarytokens.org |
| Attacker Interaction | Extended interaction possible (attacker explores the honeypot) | Single-trigger alert on first access — minimal interaction |
| Best Use Case | Threat intelligence gathering, APT research, SOC training | Early breach detection, insider threat, data exfiltration detection |
| Risk | Pivot risk if not isolated; management overhead | Near-zero risk — passive tripwire only |
| Cost | Moderate to High (hardware, software, staffing) | Very Low (free tools available) |
Protecting data and privacy is a multi-dimensional challenge. Threats evolve, vulnerabilities multiply, and regulations tighten. The organisations that succeed are those that combine strong risk management processes, appropriate security tools, a genuine respect for privacy by design, regulatory compliance, and intelligent deception technologies like honeypots and canary tokens. Security is not a product you buy — it is a culture you build.
- Spitzner, L. — Honeypots: Tracking Hackers, Addison-Wesley, 2002
- The Honeynet Project: https://www.honeynet.org
- Canarytokens.org — Open-Source Canary Tokens: https://canarytokens.org
- NIST SP 800-150 — Guide to Cyber Threat Information Sharing
- CERT-IN Technical Notes on Deception Technology