Essential Cybersecurity Concepts and Open-Source Tools for 2024
Firewall Architectures and iptables Configuration
Modern firewall systems implement multiple structural models to secure network perimeters:
- Dual-homed Host Model: A host equipped with two network interfaces, each connected to separate internal and external networks, preventing direct communication between them.
- Proxy-Based Model: An intermediary server manages all communications between internal and external networks, acting as a gateway that processes and forwards traffic on behalf of clients.
- Screened Subnet Model: This architecture introduces a demilitarized zone (DMZ) protected by dual filtering routers—one facing the external network and another guarding access to the internal network. A proxy server within the DMZ adds an additional layer of control and inspection.
Security Policies: Whitelist vs Blacklist
- Blacklist Approach: Default policy set to ACCEPT; rules explicit DROP or REJECT unwanted traffic. Unmatched packets are allowed through.
- Whitelist Approach: Default policy set to DROP; only specific ACCEPT rules permit traffic. All unmatched packets are denied by default.
iptables Rule Management
The iptables utility in Linux governs packet filtering across several built-in tables ordered by processing priority:
- mangle – Modifies packet headers
- nat – Handles network address translation
- filter – Performs basic packet filtering
The filter table includes three chains: INPUT (incoming), FORWARD (routed), and OUTPUT (outgoing).
Basic Syntax
iptables [-t table] COMMAND [CHAIN] [MATCH-CRITERIA] -j ACTION
- -A: Append rule to chain end
- -I: Insert at specified position
- -D: Delete rule
- -P: Set default chain policy
- -L: List rules (-vnL for detailed output)
- -F: Flush rules
Matching Conditions
- -p: Protocol (tcp/udp/icmp)
- -s/-d: Source/destination IP
- --sport/--dport: Port numbers
- -i/-o: Input/output interface
- !: Negation operator
Extended Matches via Modules
- multiport: Match multiple ports:
-m multiport --dports 80,443 - iprange: Match IP ranges:
-m iprange --src-range 192.168.1.1-192.168.1.100 - mac: Filter by MAC address:
-m mac --mac-source aa:bb:cc:dd:ee:ff
Example Rules
iptables -A INPUT -p tcp -s 192.168.10.0/24 --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A FORWARD ! -p icmp -j ACCEPT
iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
Intrusion Detection & Prevention Systems
| System Type | Function Analogy | Deployment Mode | Operation |
|---|---|---|---|
| Firewall | Door Lock | Inline | Access control using source, destination, protocol, time, action |
| IDS | Surveillance Camera | Passive (Tap/Span) | Monitors for attacks; limited ability to block encrypted or UDP floods |
| IPS | Security Guard | Inline | Proactively blocks threats; may introduce latency/single point of failure |
CIDF Framework Components
- Event Generator: Collects raw events from network or system logs.
- Event Analyzer: Processes and correlates data to detect anomalies.
- Response Unit: Executes actions like alerting, session termination, or configuration changes.
- Event Database: Stores event records and analysis results.
NIDS Capabilities
Detects SYN floods, DDoS, port scans, buffer overflows, malformed packets, unusual traffic patterns. #### HIDS Capabilities
Monitors local activities such as repeated failed logins, file integrity changes, registry modifications, service disruptions. #### Snort Operation Modes
- Packet Sniffing
- Logging
- Intrusion Detection
Sample Snort Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (content:"User root"; msg:"SSH root login attempt";)
Miscellaneous Security Protocols and Concepts
SSL/TLS Architecture
- Handshake Protocol: Authenticates peers and negotiates encryption parameters.
- Change Cipher Spec: Signals transition to encrypted communication.
- Alert Protocol: Reports errors or initiates connection closure.
- Record Protocol: Segments, compresses, encrypts, and verifies data integrity.
SET Protocol
Secure Electronic Transaction (SET) is an application-layer standard enabling secure credit card transactions. It relies on digital certificates issued by trusted Certificate Authorities (CAs) and supports mutual authentication between customers, merchants, and banks. ### Common Port Numbers
- FTP: 21 (control), 20 (data)
- SSH: 22
- Telnet: 23
- SMTP: 25
- DNS: 53 (UDP/TCP)
- HTTP: 80
- POP3: 110
- SNMP: 161
- HTTPS: 443
- SMB/RDP: 445 / 3389
- MySQL: 3306
- Oracle DB: 1521
- Redis: 6379
Note: ICMP operates at the network layer and does not use port numbers.
Malware Fundamentals
General Characteristics
- Designed with malicious intent
- Self-executing program code
- Spreads or activates upon execution
Attack Lifecycle
Infection → Privilege Escalation → Evasion → Dormancy → Damage Execution → Repeat ### Types of Malware
- Virus: Self-replicating code attached to files or boot sectors.
- Trojan Horse: Disguised as legitimate software but performs hidden malicious functions; lacks self-propagation.
- Worm: Independent, self-spreading program exploiting vulnerabilities.
- Logic Bomb: Dormant payload triggered by time, event, or condition.
- Backdoor: Secret entry point byapssing normal authentication.
- Botnet: Network of compromised machines controlled remotely for coordinated attacks (e.g., DDoS).
- APT (Advanced Persistent Threat): Long-term targeted campaign combining social engineering, zero-day exploits, and stealth techniques.
Stealth Techniques
Code obfuscation, encryption, anti-debugging, process injection, covert channels, polymorphism. Incident Response and Disaster Recovery
Response Workflow
- Incident Alert
- Verification
- Activate Plan
- Handling (Preparation → Detection → Containment → Eradication → Recovery → Lessons Learned)
- Report Generation
- Summary Review
Disaster Recovery Levels
- Level 1: Weekly full backups
- Level 2: Predefined alternate site with equipment agreements
- Level 3: Partial recovery infrastructure with periodic data sync
- Level 4: Fully provisioned standby enviroment ready for activation
- Level 5: Real-time data replication with automatic failover capability
- Level 6: Zero data loss with active-active clustering and seamless switchover
Forensic Investigation Process
Preservation → Identification → Collection → Preservation → Analysis → Reporting Penetration Testing Phases
- Engagement Acceptance (NDA, contract signing)
- Planning (scope, timing, authorization)
- Execution (testing, documentation)
- Evaluation (report delivery, review meeting, possible retest)
- Closure (archiving)
Linux System Commands
- lsof: Lists open files and associated processes
- ps/top: View running processes
- kill: Terminate processes (
kill -9 PID) - netstat -anp | grep PORT: Check port usage
- chmod/chattr: Modify file permissions (
chattr +iprevents deletion) - find: Search files (e.g., broken symlinks:
find /path -xtype l -delete) - grep/tail/cat: Text search and viewing
- tar: Archive management (
tar czvf,xzvf) - Redirection:
>(overwrite),>>(append),|(pipe),/dev/null(discard) - systemctl: Service control (
start/stop/restart sshd) - wget: Download content recursively (
wget -p -r URL) - ln: Create symbolic links (
ln -s target linkname)
User and Permission Management
- UID 0 = root, 1–99 = system accounts, ≥100 = regular users
/etc/passwd: User info (permissions 644)/etc/shadow: Encrypted passwords (permissions 400)/etc/group: Group definitions (644)- Run levels: 0=halt, 1=single-user, 3=CLI, 5=GUI, 6=reboot
Windows Security Features
- netstat -b: Shows executable behind connections
- tasklist | findstr PID: Find process by ID
- Event Logs: Located in
%SystemRoot%\System32\Config\(.evt files) - Key Event IDs: 4624 (login success), 4625 (failed), 4672 (admin login), 4720 (user created)
- WinLogon creates access tokens containing user SID upon login
Mobile Platform Security
Android Layers
- Application: Permissions declared in AndroidManifest.xml
- Framework: Code signing enforcement
- Native Libraries: TLS support, sandboxing, Dalvik security
- Kernel: SELinux integration, ASLR, ACLs, filesystem hardening
iOS Architecture
Four layers: Core OS, Core Services, Media, Cocoa Touch Web Application Security
SQL Injection
Occurs when unvalidated input allows attackers to manipulate database queries. #### Types
Union-based, Boolean-based, Error-based, Time-based, Stacked queries, Second-order, Wide-character, Cookie injection #### Useful MySQL Functions
database(),version(),user()information_schema.schemata,.tables,.columnslength(),substr(str,pos,len),ascii(),ord()if(condition,true_val,false_val)updatexml(1,concat('~',version()),1)– triggers error with outputconcat_ws('~',db,user())– joins values with delimiter
Defense Strategies
Parameterized queries, input validation, escaping special characters, least privilege DB accounts. Cryptographic Algorithms
| Algorithm | Type | Description |
|---|---|---|
| SM1 / SM4 | Symmetric Block Cipher | 128-bit block/key size; used in WAPI wireless security |
| SM2 | Asymmetric (ECC) | Based on 256-bit prime field elliptic curve; supports encryption, signatures, key exchange |
| SM3 | Hash Function | 512-bit block, 256-bit digest |
| SM9 | Identity-Based Cryptography | Uses user identity as public key; Chinese national standard |
| MD5 | Hash | 128-bit digest (insecure) |
| SHA-1 | Hash | 160-bit digest (deprecated) |
Network Scanning Principles
- TTL > 64 usually indicates closed port
- TTL ≤ 64 may indicate open port
- Open ports respond to SYN with SYN-ACK
- Closed ports respond with RST-ACK
- No handshake completion means no log entries for scan attempts
