CYBER SECURITY: NOTES
MBA/AUC-002

13/08/2015

VARUN MODI

UNIT -1

TOPIC 1: Information systems


Information systems are the software and hardware systems that
support data-intensive applications.

Such a system may be as simple as a 3x5 card catalog system on a desk,
or a desktop calendar. Or, it may be as complicated as a multi-node
computer database system used to manage vast quantities of related
information.

TOPIC 2: Components
The six components that must come together in order to produce an
information system are:

1. Hardware: The term hardware refers to machinery. This category
includes the computer itself, which is often referred to as the central
processing unit (CPU), and all of its support equipment. Among the
support equipment are input and output devices, storage devices
and communications devices.
2. Software: The term software refers to computer programs and the
manuals (if any) that support them. Computer programs are
machine-readable instructions that direct the circuitry within the
hardware parts of the system to function in ways that produce useful
information from data. Programs are generally stored on some input /
output medium, often a disk or tape.
3. Data: Data are facts that are used by programs to produce useful
information. Like programs, data are generally stored in machine-
readable form on disk or tape until the computer needs them.

4. Procedures: Procedures are the policies that govern the operation of
a computer system. "Procedures are to people what software is to
hardware" is a common analogy that is used to illustrate the role of
procedures in a system.
5. People: Every system needs people if it is to be useful. Often the
most overlooked element of the system is the people, probably the
component that most influences the success or failure of information
systems. This includes "not only the users, but those who operate
and service the computers, those who maintain the data, and those
who support the network of computers." (Kroenke, D. M. (2015). MIS
Essentials. Pearson Education)
6. Feedback: This is another component of an IS; an IS may be
provided with feedback, although this component is not necessary for
it to function.

TOPIC 3: Types of Information Systems

There are various types of information systems, for example:

1. Transaction processing systems,
2. Decision support systems,
3. Knowledge management systems,
4. Learning management systems,
5. Database management systems,
6. Office information systems.

TOPIC 4: Developing an Information System

The steps involved in developing an Information System are:

Analysis: This is a very important part in the development of an
Information System and involves looking at an organization or system
(such as a nursery school) and finding out how information is being
handled at the moment.

Feasibility Study: The aim of a feasibility study is to see whether it is
possible to develop a system at a reasonable cost. At the end of the
feasibility study a decision is taken whether to proceed or not.
A feasibility study contains the general requirements of the proposed
system.

System Design: The areas that need to be considered in the design
process are listed below:
1. Outputs
2. Inputs
3. File Design
4. Hardware
5. Software

Testing: Any new system needs to be thoroughly tested before being
introduced.
First of all the system should be tested with normal data to see if it works
correctly.
Secondly, the system is tested with data containing known errors to try and
make it fail ('crash').
Thirdly, the system is tested with very large amounts of data to see how it
can cope.
It is important that processing time and response rates remain acceptable
with varying amounts of data.

Implementation: Implementing or introducing a new system can be done
in two ways: Direct Implementation & Parallel Running

Documentation: User guides are written in plain English rather than
technical language.

The guide should cover how to run the system, how to enter data, how to
modify data and how to save and print reports.

The guide should include a list of error messages and advice on what to do
if something goes wrong.

TOPIC 5: Information security

Information security

Information security, sometimes shortened to InfoSec, is the practice of
defending information from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or destruction.
It is a general term that can be used regardless of the form the data may
take (e.g. electronic, physical).

TOPIC 6: Need of Information Security

Why do you need Information Security?

This is sometimes tough to answer because the answer seems obvious.
No?
As we know, information security is all about protecting the confidentiality,
integrity and availability of information.

Answer these questions:

Do you have information that needs to be kept confidential (secret)?

Do you have information that needs to be accurate?

Do you have information that must be available when you need it?

If you answered yes to any of these questions, then you have a need for
information security.

We need information security to reduce the risk of unauthorized information
disclosure, modification, and destruction.

We need information security to reduce risk to a level that is acceptable to
the business (management).

We need information security to improve the way we do business.

TOPIC 7: Threats to Information Systems


Threats to Information Systems:

On next page

TOPIC 8: Information Assurance

Information assurance (IA) is the practice of assuring information and
managing risks related to the use, processing, storage, and transmission
of information or data and the systems and processes used for those
purposes.

The information assurance process typically begins with the enumeration
and classification of the information assets to be protected. Next, the IA
practitioner will perform a risk assessment for those assets. Vulnerabilities
in the information assets are determined in order to enumerate the threats
capable of exploiting the assets. The assessment then considers both the
probability and impact of a threat exploiting a vulnerability in an asset, with
impact usually measured in terms of cost to the asset's stakeholders. The
sum of the products of the threats' impact and the probability of their
occurring is the total risk to the information asset.
With the risk assessment complete, the IA practitioner then develops a risk
management plan. This plan proposes countermeasures that involve
mitigating, eliminating, accepting, or transferring the risks, and considers
prevention, detection, and response to threats. A framework published by a
standards organization, such as Risk IT, CobiT, PCI DSS or ISO/IEC
27002, may guide development. Countermeasures may include technical
tools such as firewalls and anti-virus software, policies and procedures
requiring such controls as regular backups and configuration hardening,
employee training in security awareness, or organizing personnel into a
dedicated computer emergency response team (CERT) or computer
security incident response team (CSIRT). The cost and benefit of each
countermeasure is carefully considered. Thus, the IA practitioner does not
seek to eliminate all risks, were that possible, but to manage them in the
most cost-effective way.
After the risk management plan is implemented, it is tested and evaluated,
often by means of formal audits.

TOPIC 9: CYBER SECURITY


WHAT IS CYBER SECURITY?
Cyber security, also referred to as information technology security, focuses
on protecting computers, networks, programs and data from unintended or
unauthorized access, change or destruction.

WHY IS CYBER SECURITY IMPORTANT?
Governments, military, corporations, financial institutions, hospitals and
other businesses collect, process and store a great deal of confidential
information on computers and transmit that data across networks to other
computers. With the growing volume and sophistication of cyber attacks,
ongoing attention is required to protect sensitive business and personal
information, as well as safeguard national security.

TOPIC 10: Security Risk Analysis


Security in any system should be commensurate with its risks. However,
the process to determine which security controls are appropriate and cost
effective, is quite often a complex and sometimes a subjective matter. One
of the prime functions of security risk analysis is to put this process onto a
more objective basis.

There are a number of distinct approaches to risk analysis. However, these
essentially break down into two types: quantitative and qualitative.

Quantitative Risk Analysis

This approach employs two fundamental elements: the probability of an
event occurring and the likely loss should it occur.

Quantitative risk analysis makes use of a single figure produced from these
elements. This is called the 'Annual Loss Expectancy (ALE)' or the
'Estimated Annual Cost (EAC)'.
This is calculated for an event by simply multiplying the potential loss by
the probability. The problems with this type of risk analysis are usually
associated with the unreliability and inaccuracy of the data.

Probability can rarely be precise and can, in some cases, promote
complacency. In addition, controls and countermeasures often tackle a
number of potential events and the events themselves are frequently
interrelated.
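
The total-risk sum described under Information Assurance and the ALE figure described above can be worked through together, including the cost-benefit check on countermeasures. The following Python sketch is an added example, not part of the original notes; the threats, probabilities, losses, countermeasures and their costs are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # estimated chance of the event in one year (0..1)
    loss: float         # estimated loss if it happens, in currency units

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: potential loss multiplied by probability."""
        return self.probability * self.loss


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's ALE that remains afterwards.
    # One control may cover several threats at once.
    residual: dict = field(default_factory=dict)


def total_risk(threats):
    """Sum of (impact x probability) over every threat to the asset."""
    return sum(t.ale for t in threats)


def residual_risk(threats, cm):
    """Total risk that is left once the countermeasure is in place."""
    return sum(t.ale * cm.residual.get(t.name, 1.0) for t in threats)


def net_benefit(threats, cm):
    """Risk removed per year minus what the countermeasure costs per year."""
    return total_risk(threats) - residual_risk(threats, cm) - cm.annual_cost


def rank(threats, countermeasures):
    """Countermeasures ordered from most to least cost-effective."""
    scored = [(cm.name, net_benefit(threats, cm)) for cm in countermeasures]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed risk register for one asset (a central backup server).
THREATS = [
    Threat("fire", 0.03125, 640_000),
    Threat("intruder on backup server", 0.25, 200_000),
    Threat("disk failure", 0.5, 20_000),
]

# Constructed countermeasures; the residual factors are estimates.
COUNTERMEASURES = [
    Countermeasure("off-site backup copies", 6_000,
                   {"fire": 0.25, "disk failure": 0.25}),
    Countermeasure("network firewall", 10_000,
                   {"intruder on backup server": 0.5}),
    Countermeasure("fire suppression system", 12_000, {"fire": 0.5}),
]

if __name__ == "__main__":
    print(f"total risk (sum of ALEs): {total_risk(THREATS):,.0f}")
    for name, benefit in rank(THREATS, COUNTERMEASURES):
        verdict = "worth funding" if benefit > 0 else "costs more than it saves"
        print(f"{name:28s} net benefit {benefit:>10,.0f}  ({verdict})")
```

The last countermeasure comes out negative: it removes less risk per year than it costs, which is the case where the risk is accepted or handled another way rather than eliminated.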

Qualitative Risk Analysis

This is by far the most widely used approach to risk analysis. Probability
data is not required and only estimated potential loss is used.
Most qualitative risk analysis methodologies make use of a number of
interrelated elements:

THREATS

These are things that can go wrong or that can 'attack' the system.
Examples might include fire or fraud. Threats are ever present for every
system.

VULNERABILITIES

These make a system more prone to attack by a threat or make an attack
more likely to have some success or impact. For example, for fire a
vulnerability would be the presence of inflammable materials (e.g. paper).

CONTROLS

These are the countermeasures for vulnerabilities. There are four types:

Deterrent controls reduce the likelihood of a deliberate attack

Preventative controls protect vulnerabilities and make an attack
unsuccessful or reduce its impact

Corrective controls reduce the effect of an attack

Detective controls discover attacks and trigger preventative or corrective
controls.

UNIT -2

TOPIC 1: Application security


Application security is the use of software, hardware, and procedural
methods to protect applications from external threats. Once an afterthought
in software design, security is becoming an increasingly important concern
during development as applications become more frequently accessible
over networks and are, as a result, vulnerable to a wide variety of threats.

Actions taken to ensure application security are sometimes called
countermeasures.
The most basic software countermeasure is an application firewall that
limits the execution of files or the handling of data by specific installed
programs. The most common hardware countermeasure is a router that
can prevent the IP address of an individual computer from being directly
visible on the Internet. Other countermeasures include conventional
firewalls, encryption/decryption programs, anti-virus programs, spyware
detection/removal programs and biometric authentication systems.

Application security can be enhanced by rigorously defining enterprise
assets, identifying what each application does (or will do) with respect to
these assets, creating a security profile for each application, identifying and
prioritizing potential threats and documenting adverse events and the
actions taken in each case. This process is known as threat modeling. In
this context, a threat is any potential or actual adverse event that can
compromise the assets of an enterprise, including both malicious events,
such as a denial-of-service (DoS) attack, and unplanned events, such as
the failure of a storage device.

TOPIC 2: Data Security Considerations
Backups:

Enterprise level backups are becoming the fundamental way to safeguard
your data.
Gone are the days where you can have a tape drive hooked up to every
machine in order to back it up. Now you might have 1 server backing up 20,
50, 100 or more clients, some backup solutions even allow thousands of
clients on a single server.
The primary reason for this is centralization: of media, of administration, of
access. It is much easier to change 100 tapes on 1 machine than it is to
change 1 tape on 100 machines. It is easier to collect data and spot
problems from a central server than it is to monitor 100 machines.

Along with the greater ease in management that Enterprise Level Backups
provide, comes a greater threat to security. Centralized service means
centralized access.

If an intruder gains access to your backup server he gains access to the
collected data from all of that server's clients. This is an important security
risk, one that should be considered and planned for. Not every risk can be
accounted for; good computer security is always a compromise between
usability and precautions. A good overview of the security risks of
Enterprise level backup can provide you with the groundwork needed to
make the decisions for your environment.

Secure data disposal methods:

Information systems store data on a wide variety of storage media,
including: internal and external hard drives; internal solid-state memory,
removable flash memory cards and flash drives; floppy, ZIP and other
types of removable magnetic disks; tapes, cartridges and other linear
magnetic media; optical storage using CDs and DVDs; and paper.

To prevent unauthorized access, it is critical that data be rendered
unreadable when it or the device on which it resides are no longer needed.
This is required by law (and common sense) for all computers and media
containing sensitive information.

Note that different kinds of data storage media require different methods for
secure removal or destruction, some simple but others complex. Do it
incorrectly and the data remains for prying eyes to discover.

Proof that secure disposal is not easy comes from this simple fact: insecure
disposal is one of the most common causes of sensitive data being
compromised. Not coincidentally, it is one of the most common methods
by which identity theft occurs.

What is really secure?

For each storage medium there are more and less secure methods.

Paper media

Paper containing sensitive information should be shredded. Every office
(and home) should have access to a shredder or a secure shredding
service. Shredders are cheap. "Dumpster-diving" for data is common.
Secure recycling containers are distributed around the medical campus for
just this reason.

Alternatively, paper records can be pulverized (rendered into a powder by
grinding), macerated (rendered into pulp by chemicals) or incinerated
(burned). This is appropriate for extremely sensitive information.

Electronic media

The appropriate "cleaning" method for electronic media depends on the
type. The main division is between "magnetic media" and "optical media."
Though both contain information in electronic form, the methods for secure
disposal are very different.

Many people are under the impression that all they need to do is "delete" a
file from a computer's hard drive or other storage media. Unfortunately,
that's almost never sufficient. In most cases, "delete" simply changes
indexing information about a file, sort of like marking through the entry in a
book's table of contents but leaving the pages behind.

Emptying the "recycle bin" or the "trash" folder of deleted files is usually
also ineffective. These methods remove the pointers (indexes) to the
deleted files, but the data itself still remains on the storage media as
unallocated space.

Even if the unallocated space is subsequently used by new files, there are
sophisticated scanning methods that could be used to recover data
previously stored in those locations.
Some un-rewritable media, like CD-Rs and DVD-Rs, can't have their
contents deleted in any case. Inoperable media, like a crashed hard drive,
may be so corrupted that you cannot access it using normal computer
operations; but it still may have data on it that can be recovered by others.

Demagnetizing magnetic media

Removable magnetic "disks" (floppies, ZIP disks, and the like) and linear
magnetic media (tape reels, cartridges) can be "degaussed" -- that is,
demagnetized. An appropriately-sized and -powered "degausser" is
required.

For each particular type of magnetic storage and size of degausser there is
a minimum erasing time.

As with disposal of paper information, there are trade-offs rather than
absolute standards for "erasing" magnetic media. The more powerful and
lengthy the degaussing process applied to any given type of storage media,
the less likely the data is to be subsequently recovered by others.

Note that degaussing can make the media inoperable, so this method is not
recommended if the media needs to be reused and/or has resale value.

Over-writing magnetic media

"Fixed" internal magnetic storage, such as computer hard drives, as well as
external "mini" and "micro" hard drive storage, can be cleaned by software
that uses an over-writing or "wiping" process. USB "flash drive" devices
and plug-in memories like CompactFlash, Memory Stick, Secure Digital,
and SmartMedia can also be cleaned in this way.

Special software is used to over-write all the usable storage locations. The
simplest method is a single over-write; additional security is provided by
multiple over-writes with variations of all 0s, all 1s, complements (opposite
of recorded characters) and/or random characters so that recovery even by
the most sophisticated methods becomes almost impossible.

There are a few free public domain programs like DBAN that perform
secure over-writes. There are also many commercial offerings.
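
A minimal illustration of the multi-pass over-write described above, added here as an example; it is not from the original notes and is not how DBAN or any commercial tool is implemented. It works on a single regular file and assumes the filesystem rewrites that file's blocks in place; the function names and the sample file content are constructed for the example.

```python
import os
import secrets

CHUNK = 64 * 1024            # bytes written per system call
FIXED_PASSES = (0x00, 0xFF)  # all 0s, then the complement: all 1s


def write_pass(fd, size, make_chunk):
    """Over-write the first `size` bytes of fd with data from make_chunk(n)."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        # os.write may write fewer bytes than asked; count what was written.
        remaining -= os.write(fd, make_chunk(min(CHUNK, remaining)))
    os.fsync(fd)  # push this pass to the device before the next one starts


def pass_verified(fd, size, byte):
    """Read the file back and confirm every byte equals the pass pattern."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        data = os.read(fd, min(CHUNK, remaining))
        if not data or data.count(byte) != len(data):
            return False
        remaining -= len(data)
    return True


def wipe_file(path):
    """Over-write a file in place: 0s, 1s, then random. Returns bytes covered."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        for byte in FIXED_PASSES:
            write_pass(fd, size, lambda n, b=byte: bytes([b]) * n)
            if not pass_verified(fd, size, byte):
                raise OSError(f"pass 0x{byte:02X} did not verify on {path}")
        write_pass(fd, size, secrets.token_bytes)  # final pass: random data
    finally:
        os.close(fd)
    return size


def contains(path, needle):
    """True if `needle` still appears anywhere in the file's current content."""
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if needle in tail + chunk:
                return True
            # keep the end of this chunk so a match across chunks is found
            tail = chunk[-(len(needle) - 1):] if len(needle) > 1 else b""
    return False


if __name__ == "__main__":
    import tempfile

    # Constructed sample file standing in for sensitive data.
    fd, path = tempfile.mkstemp()
    os.write(fd, b"ACCOUNT=12345678;" * 5000)
    os.close(fd)

    print("before wipe, marker present:", contains(path, b"ACCOUNT="))
    print("bytes over-written per pass:", wipe_file(path))
    print("after wipe, marker present: ", contains(path, b"ACCOUNT="))
    os.remove(path)  # only now remove the directory entry
```

The file is deleted only after the passes complete, so what is left in unallocated space is the random final pass rather than the original content.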

Mangling magnetic media

You can take a hammer or a high-speed drill to your hard drive, USB drive
or other device. Chances are excellent that you'll render it inoperable in
short order.

But be warned that recovery of data from physically mangled magnetic
devices is still possible. Physical destruction is generally something that
must be done by a trained person to be completely effective, particularly for
hard drives.

Floppy disks can be broken open and the internal magnetic disk cut up. As
with optical media (see next discussion), caution is required to avoid
personal injury from flying plastic parts, etc., and it is still theoretically
possible to recover data even from a mangled disk.

Optical media

"Write-many" optical media (such as CD-RWs and DVD-RWs) can be
processed via an over-write method similar to that for magnetic media.
However, the vast majority of optical media in use are of the "write once"
type -- notably the ubiquitous CD-Rs and DVD-Rs. They cannot be
over-written. Because such media are optical rather than magnetic, neither
can they be degaussed.

So, as with paper, only physical destruction will do. Many higher-capacity
paper shredders are rated for CD/DVD destruction for exactly this reason.
It's a good investment to upgrade to a shredder that is CD/DVD capable if
you regularly rely on optical media for your data storage.

As with magnetic media, you can perform a physical attack. Cutting a CD
or DVD with scissors is an alternative if you have only a few to do. But
note that cut-up discs have been successfully reassembled and read, so
cut them into multiple pieces and, ideally, dispose of the pieces in different
trash receptacles.

Breaking discs in half with your hands can send dangerous shards of
plastic flying. Burning discs (or microwaving them) can release toxic
fumes. Don't ever do this!

Computer recycling programs

For a whole system, some manufacturers (like Dell and Apple), and many
retailers of computer equipment, offer recycling programs that meet both
security and environmental concerns. These programs will process the
entire old system for disposal, including cleaning the hard drive and any
other storage media, when you trade it in as part of a new purchase.

Archival Storage:

In computers, archival storage is storage for data that may not be actively
needed but is kept for possible future use or for record-keeping purposes.
Archival storage is often provided using the same system as that used for
backup storage. Typically, archival and backup storage can be retrieved
using a restore process.

TOPIC 3: Data Security Technology

Firewall:

A firewall is a system designed to prevent unauthorized access to or from
a private network. Firewalls can be implemented in both hardware and
software, or a combination of both.
Firewalls are frequently used to prevent unauthorized Internet users from
accessing private networks connected to the Internet, especially intranets.
All messages entering or leaving the intranet pass through the firewall,
which examines each message and blocks those that do not meet the
specified security criteria.

Hardware firewalls can be purchased as a stand-alone product but are also
typically found in broadband routers, and should be considered an
important part of your system and network set-up. Most hardware firewalls
will have a minimum of four network ports to connect other computers, but
for larger networks, business networking firewall solutions are available.

Software firewalls are installed on your computer (like any software) and
can be customized, allowing you some control over their function and
protection features. A software firewall will protect your computer from
outside attempts to control or gain access to your computer.

VPN:

A VPN, or virtual private network, is a network that is constructed by using
public wires — usually the Internet — to connect to a private network, such
as a company's internal network. There are a number of systems that
enable you to create networks using the Internet as the medium for
transporting data. These systems use encryption and other security
mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.

A VPN is designed to provide a secure, encrypted tunnel in which to
transmit the data between the remote user and the company network. The
information transmitted between the two locations via the encrypted tunnel
cannot be read by anyone else because the system contains several
elements to secure both the company's private network and the outside
network through which the remote user connects.

Intrusion detection (ID):

It is a type of security management system for computers and networks. An
ID system gathers and analyzes information from various areas within a
computer or a network to identify possible security breaches, which include
both intrusions (attacks from outside the organization) and misuse (attacks
from within the organization).
ID uses vulnerability assessment (sometimes referred to as scanning),
which is a technology developed to assess the security of a computer
system or network.

Intrusion detection functions include:

Monitoring and analyzing both user and system activities
Analyzing system configurations and vulnerabilities
Assessing system and file integrity
Ability to recognize patterns typical of attacks
Analysis of abnormal activity patterns
Tracking user policy violations

Access Control:

It is the selective restriction of access to a place or other resource. The act
of accessing may mean consuming, entering, or using. Permission to
access a resource is called authorization.
When a credential is presented to a reader, the reader sends the
credential’s information, usually a number, to a control panel, a highly
reliable processor.
The control panel compares the credential's number to an access control
list, grants or denies the presented request, and sends a transaction log to
a database. When access is denied based on the access control list, the
door remains locked. If there is a match between the credential and the
access control list, the control panel operates a relay that in turn unlocks
the door.

The control panel also ignores a door open signal to prevent an alarm.
Often the reader provides feedback, such as a flashing red LED for an
access denied and a flashing green LED for an access granted.
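
The control-panel behaviour described above (compare the credential number with the access control list, grant or deny, log the transaction, and ignore the door-open signal that follows a grant) can be modelled as a small state machine. This is an added example, not part of the original notes; the door names, credential numbers, the five-second unlock window and the event list are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ControlPanel:
    acl: dict                   # credential number -> set of doors it may open
    unlock_window: float = 5.0  # seconds a grant stays valid (assumed value)
    log: list = field(default_factory=list)            # transaction log
    granted_until: dict = field(default_factory=dict)  # door -> grant expiry

    def present(self, now, door, credential):
        """A reader sends a credential number; returns the reader LED colour."""
        granted = door in self.acl.get(credential, set())
        if granted:
            # Operate the relay: the door may be opened until the grant expires.
            self.granted_until[door] = now + self.unlock_window
        result = "GRANTED" if granted else "DENIED"
        self.log.append((now, door, credential, result))
        return "green" if granted else "red"

    def door_opened(self, now, door):
        """Door-open signal from the door contact."""
        expiry = self.granted_until.pop(door, None)
        if expiry is not None and now <= expiry:
            return "ignored"  # expected: it follows a grant, so no alarm
        # Door opened with no valid grant behind it: record and raise an alarm.
        self.log.append((now, door, None, "ALARM_OPEN_WITHOUT_GRANT"))
        return "alarm"


def replay(panel, events):
    """Feed a list of (kind, time, door[, credential]) events to the panel."""
    outcomes = []
    for kind, *args in events:
        handler = panel.present if kind == "present" else panel.door_opened
        outcomes.append(handler(*args))
    return outcomes


# Constructed access control list: credential number -> permitted doors.
ACL = {
    1001: {"lobby"},
    2002: {"lobby", "server-room"},
}

# Constructed event sequence (times in seconds).
EVENTS = [
    ("present", 0.0, "lobby", 1001),         # on the list for this door
    ("open", 2.0, "lobby"),                  # follows the grant
    ("present", 10.0, "server-room", 1001),  # not on the list for this door
    ("open", 11.0, "server-room"),           # door opens anyway
    ("present", 20.0, "server-room", 2002),  # on the list
    ("open", 30.0, "server-room"),           # but opened after the window
]

if __name__ == "__main__":
    panel = ControlPanel(acl=ACL)
    for event, outcome in zip(EVENTS, replay(panel, EVENTS)):
        print(event, "->", outcome)
    print("transaction log:")
    for entry in panel.log:
        print("  ", entry)
```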

There are three types (factors) of authenticating information:

• something the user knows, e.g. a password, pass-phrase or PIN
• something the user has, such as a smart card or a key fob
• something the user is, such as a fingerprint, verified by biometric measurement

TOPIC 4: Security Threats

Computer security threats are relentlessly inventive. Masters of disguise
and manipulation, these threats constantly evolve to find new ways to
annoy, steal and harm. Arm yourself with information and resources to
safeguard against complex and growing computer security threats and stay
safe online.

Computer Virus Threats

Perhaps the most well known computer security threat, a computer virus is
a program written to alter the way a computer operates, without the
permission or knowledge of the user. A virus replicates and executes itself,
usually doing damage to your computer in the process. Learn how to
combat computer virus threats and stay safe online.

Spyware Threats

A serious computer security threat, spyware is any program that monitors
your online activities or installs programs without your consent for profit or
to capture personal information. We’ve amassed a wealth of knowledge
that will help you combat spyware threats and stay safe online.

Hackers & Predators

People, not computers, create computer security threats and malware.
Hackers and predators are programmers who victimize others for their own
gain by breaking into computer systems to steal, change or destroy
information as a form of cyber-terrorism. What scams are they using lately?
Learn how to combat dangerous malware and stay safe online.

Phishing Threats

Masquerading as a trustworthy person or business, phishers attempt to
steal sensitive financial or personal information through fraudulent email or
instant messages. How can you tell the difference between a legitimate
message and a phishing scam? Educate yourself on the latest tricks and
scams.

Trojan Horse

A Trojan, in computing, is any malicious computer program which
misrepresents itself as useful, routine, or interesting in order to persuade a
victim to install it.

Logic Bombs

Logic bombs are small programs or sections of a program triggered by
some event such as a certain date or time, a certain percentage of disk
space filled, the removal of a file, and so on.
For example, a programmer could establish a logic bomb to delete critical
sections of code if she is terminated from the company. Logic bombs are
most commonly installed by insiders with access to the system.

Trap doors

Trap doors, also referred to as backdoors, are bits of code embedded in
programs by the programmer(s) to quickly gain access at a later time, often
during the testing or debugging phase.
If an unscrupulous programmer purposely leaves this code in or simply
forgets to remove it, a potential security hole is introduced. Hackers often
plant a backdoor on previously compromised systems to gain later access.
Trap doors can be almost impossible to remove in a reliable manner.
Often, reformatting the system is the only sure way.

E-Mail Virus

An e-mail virus is computer code sent to you as an e-mail note attachment
which, if activated, will cause some unexpected and usually harmful effect,
such as destroying certain files on your hard disk and causing the
attachment to be remailed to everyone in your address book.
Although not the only kind of computer virus, e-mail viruses are the best
known and undoubtedly cause the greatest loss of time and money overall.
The best two defenses against e-mail viruses for the individual user are:

(1) a policy of never opening (for example, double-clicking on) an e-mail
attachment unless you know who sent it and what the attachment contains,
and

(2) installing and using anti-virus software to scan any attachment before
you open it.

Macro Virus

A macro virus is a computer virus that "infects" a Microsoft Word or similar
application and causes a sequence of actions to be performed
automatically when the application is started or something else triggers it.
Macro viruses tend to be surprising but relatively harmless.
A typical effect is the undesired insertion of some comic text at certain
points when writing a line.
A macro virus is often spread as an e-mail virus. A well-known example in
March, 1999 was the Melissa virus.

Worm

A computer worm is a standalone malware computer program that
replicates itself in order to spread to other computers. Often, it uses a
computer network to spread itself, relying on security failures on the target
computer to access it.
Unlike a computer virus, it does not need to attach itself to an existing
program. Worms almost always cause at least some harm to the network,
even if only by consuming bandwidth, whereas viruses almost always
corrupt or modify files on a targeted computer.

Denial of Service (DoS)

A denial of service (DoS) attack is an incident in which a user or
organization is deprived of the services of a resource they would normally
expect to have. In a distributed denial-of-service, large numbers of
compromised systems (sometimes called a botnet) attack a single target.

Although a DoS attack does not usually result in the theft of information or
other security loss, it can cost the target person or company a great deal of
time and money. Typically, the loss of service is the inability of a particular
network service, such as e-mail, to be available or the temporary loss of all
network connectivity and services. A denial of service attack can also
destroy programming and files in affected computer systems. In some
cases, DoS attacks have forced Web sites accessed by millions of people
to temporarily cease operation.

A few of the better-known attacks based on the buffer characteristics of a
program or system include:

1. Sending e-mail messages that have attachments with 256-character
file names to Netscape and Microsoft mail programs
2. Sending oversized Internet Control Message Protocol (ICMP) packets
(this is also known as the Packet Internet or Inter-Network Groper
(PING) of death)
3. Sending to a user of the Pine e-mail program a message with a
"From" address larger than 256 characters

TOPIC 5: Threats to E-Com- Electronic Payment System

E-commerce security is the protection of e-commerce assets from
unauthorized access, use, alteration, or destruction.

6 dimensions of e-commerce security:

1. Integrity: prevention against unauthorized data modification
2. Nonrepudiation: prevention against any one party from reneging on an
agreement after the fact
3. Authenticity: authentication of data source
4. Confidentiality: protection against unauthorized data disclosure
5. Privacy: provision of data control and disclosure
6. Availability: prevention against data delays or removal

E-COMMERCE THREATS

Threats: anyone with the capability, technology, opportunity, and intent to
do harm. Potential threats can be foreign or domestic, internal or external,
state-sponsored or a single rogue element. Terrorists, insiders, disgruntled
employees, and hackers are included in this profile (President's
Commission on Critical Infrastructure Protection).

Concern                                                                           2001  2000
Loss of Privacy/confidentiality, data misuse/abuse                                28%   25%
Cracking, eavesdropping, spoofing, rootkits                                       25%   20%
Viruses, Trojans, worms, hostile ActiveX and Java                                 21%   26%
System unavailability, denial of service, natural disasters, power interruptions  18%   20%

Digital Signature

A digital signature (not to be confused with a digital certificate) is a
mathematical technique used to validate the authenticity and integrity
of a message, software or digital document.

The digital equivalent of a handwritten signature or stamped seal, but
offering far more inherent security, a digital signature is intended to
solve the problem of tampering and impersonation in digital
communications. Digital signatures can provide the added
assurances of evidence to origin, identity and status of an electronic
document, transaction or message, as well as acknowledging
informed consent by the signer.

In many countries, including the United States, digital signatures have the
same legal significance as the more traditional forms of signed documents.
The United States Government Printing Office publishes electronic versions
of the budget, public and private laws, and congressional bills with digital
signatures.

Public-key cryptography:

Public-key cryptography, also known as asymmetric cryptography, is a
class of cryptographic protocols based on algorithms that require two
separate keys, one of which is secret (or private) and one of which
is public. Although different, the two parts of this key pair are
mathematically linked. The public key is used, for example,
to encrypt plaintext or to verify a digital signature; whereas the private key
is used for the opposite operation, in these examples to decrypt ciphertext
or to create a digital signature.
The term "asymmetric" stems from the use of different keys to perform
these opposite functions, each the inverse of the other – as contrasted with
conventional ("symmetric") cryptography which relies on the same key to
perform both.
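
Added example (not from the original notes): the two uses of a key pair described above, written with the crypto module built into Node.js. Ed25519 is used for the signature and RSA-OAEP for encryption; these algorithm choices, the function names and the sample message are assumptions made for the example.

```javascript
// Added example. Uses only the crypto module that ships with Node.js.
const crypto = require('crypto');

// --- Digital signature: the private key signs, the public key verifies ---
function newSigningKeyPair() {
  return crypto.generateKeyPairSync('ed25519');
}

function signMessage(privateKey, message) {
  // Ed25519 hashes internally, so the digest algorithm argument is null.
  return crypto.sign(null, Buffer.from(message, 'utf8'), privateKey);
}

function verifyMessage(publicKey, message, signature) {
  return crypto.verify(null, Buffer.from(message, 'utf8'), publicKey, signature);
}

// --- Encryption: the public key encrypts, the private key decrypts ---
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

function newEncryptionKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

function encryptFor(publicKey, plaintext) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(plaintext, 'utf8'));
}

function decryptWith(privateKey, ciphertext) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext).toString('utf8');
}

// Returns null instead of throwing when the key does not match the ciphertext.
function tryDecrypt(privateKey, ciphertext) {
  try {
    return decryptWith(privateKey, ciphertext);
  } catch (err) {
    return null;
  }
}

function demo() {
  const order = 'PAY 500 to merchant-42'; // constructed sample message
  const signer = newSigningKeyPair();
  const stranger = newSigningKeyPair();
  const signature = signMessage(signer.privateKey, order);

  const recipient = newEncryptionKeyPair();
  const outsider = newEncryptionKeyPair();
  const ciphertext = encryptFor(recipient.publicKey, order);

  return {
    // Integrity and authenticity: only the unmodified message under the signer's key passes.
    genuine: verifyMessage(signer.publicKey, order, signature),
    tampered: verifyMessage(signer.publicKey, order.replace('500', '5000'), signature),
    wrongSigner: verifyMessage(stranger.publicKey, order, signature),
    // Confidentiality: only the matching private key recovers the plaintext.
    roundTrip: decryptWith(recipient.privateKey, ciphertext) === order,
    outsiderReads: tryDecrypt(outsider.privateKey, ciphertext) !== null,
    ciphertextBytes: ciphertext.length,
  };
}

console.log(demo());
```
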

UNIT – 3

TOPIC 1: Developing Secure Information Systems

Initiation Phase: During the initiation phase, the organization establishes
the need for a system and documents its purpose. Security planning should
begin in the initiation phase with the identification of key security roles to be
carried out in the development of the system.

Development/Acquisition Phase: During this phase, the system is
designed, purchased, programmed, developed, or otherwise constructed. A
key security activity in this phase is conducting a risk assessment and
using the results to supplement the baseline security controls.
In addition, the organization should analyze security requirements; perform
functional and security testing; prepare initial documents for system
certification and accreditation; and design the security architecture.

Implementation Phase: In the implementation phase, the organization
configures and enables system security features, tests the functionality of
these features, installs or implements the system, and obtains a formal
authorization to operate the system.
Design reviews and system tests should be performed before placing the
system into operation to ensure that it meets all required security
specifications.

Operations/Maintenance Phase: In this phase, systems and products are in
place and operating, enhancements and/or modifications to the system are
developed and tested, and hardware and software components are added
or replaced.

Disposal Phase: In this phase, plans are developed for discarding system
information, hardware, and software and making the transition to a new
system. The information, hardware, and software may be moved to another
system, archived, discarded, or destroyed. If performed improperly, the
disposal phase can result in the unauthorized disclosure of sensitive data.
When archiving information, organizations should consider the need for
and the methods for future retrieval.

TOPIC 2: Information Security Governance


It is not enough to have some security policies and then just concentrate on
securing your network. To integrate security within business processes, an
organization needs to have a robust information security program that
maps to its business drivers, legal and regulatory requirements, and threat
profile.
Information security governance is similar in nature to corporate and IT
governance because there is overlapping functionality and goals between
the three. All three work within an organizational structure of a company
and have the same goals of helping to ensure that the company will survive
and thrive – they just each have different focuses.

Security governance is the set of responsibilities and practices exercised
by the board and executive management with the goal of providing
strategic direction, ensuring that objectives are achieved, ascertaining that
risks are managed appropriately and verifying that the enterprise's
resources are used responsibly.

In other words, information security governance is all of the tools,
personnel and business processes that ensure that security is carried out
to meet an organization's specific needs. It requires organizational
structure, roles and responsibilities, performance measurement, defined
tasks and oversight mechanisms.

TOPIC 3: Systems Security Architecture and Design

The security architecture is one component of a product’s overall
architecture and is developed to provide guidance during the design of the
product. It outlines the level of assurance that is required and potential
impacts that this level of security could have during the development
stages and on the product overall.

Security Design Principles

Security is a system requirement just like performance, capability, cost,
etc. Therefore, it may be necessary to trade off certain security
requirements to gain others.

Principles of Secure Design

• Design security in from the start
• Allow for future security enhancements
• Minimize and isolate security controls
• Employ least privilege
• Structure the security relevant features
• Make security friendly
• Don’t depend on secrecy for security

Principles for Software Security

• Secure the weakest link
• Practice defense in depth
• Fail securely- If your software has to fail, make sure it does it securely
• Follow the principle of least privilege
• Compartmentalize- Minimize the amount of damage that can be done by
breaking the system into units
• Keep it simple- Complex design is never easy to understand
• Promote privacy- Try not to do anything that compromises the privacy of
the user
• Remember that hiding secrets is hard
• Be reluctant to trust- Instead of making assumptions that need to hold
true, you should be reluctant to extend trust
• Use your community resources- Public scrutiny promotes trust

Design Principles for Protection Mechanisms

• Least privilege- Should only have the rights necessary to complete your
task.
• Economy of mechanism- Should be small and simple enough to be
verified and implemented – e.g., security kernel. Complex
mechanisms should be correctly Understood, Modeled, Configured,
Implemented and Used
• Complete mediation- Every access to every object must be checked
• Open design- Let the design be open. Security through obscurity is a
bad idea
• Should be open for scrutiny by the community- Better to have a
friend/colleague find an error than a foe
• Separation of privilege- Access to objects should depend on more than
one condition being satisfied
• Least common mechanism- Minimize the amount of mechanism
common to more than one user and depended on by all users
• Psychological acceptability- User interface must be easy to use, so that
users routinely and automatically apply the mechanisms correctly.
Otherwise, they will be bypassed
• Fail-safe defaults- The default should be lack of access
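
Added example (not from the original notes): a small reference monitor in JavaScript (Node.js) that puts four of the principles above into code: least privilege, complete mediation, separation of privilege and fail-safe defaults. The roles, objects, policy table and function names are all constructed for illustration.

```javascript
// Added example. Roles, objects and the policy table are constructed for illustration.
// Least privilege: each role is granted only the specific actions it needs.
const POLICY = [
  { role: 'clerk', action: 'read', object: 'invoice' },
  { role: 'manager', action: 'read', object: 'invoice' },
  // Separation of privilege: this grant also needs a second, different manager.
  { role: 'manager', action: 'approve', object: 'payment', secondApprover: true },
];

const deny = (reason) => ({ allowed: false, reason });

// Pure decision function: anything not explicitly granted is refused.
function decide(policy, request) {
  try {
    const { subject, action, object, approver } = request;
    if (!subject || typeof subject.role !== 'string') return deny('unknown subject');
    const rule = policy.find(
      (r) => r.role === subject.role && r.action === action && r.object === object
    );
    if (!rule) return deny('no matching grant'); // fail-safe default
    if (rule.secondApprover) {
      const valid = approver && approver.role === 'manager' && approver.id !== subject.id;
      if (!valid) return deny('second approver required');
    }
    return { allowed: true, reason: 'granted' };
  } catch (err) {
    return deny('policy evaluation error'); // fail securely on malformed input
  }
}

// Complete mediation: records are private, and every access re-evaluates the
// policy instead of reusing an earlier decision.
class MediatedStore {
  #records;
  #policy;
  #audit = [];

  constructor(records, policy) {
    this.#records = records;
    this.#policy = [...policy];
  }

  access(request) {
    const verdict = decide(this.#policy, request);
    this.#audit.push({ request, ...verdict });
    return verdict.allowed ? { ...verdict, data: this.#records[request.object] } : verdict;
  }

  revoke(role, action, object) {
    this.#policy = this.#policy.filter(
      (r) => !(r.role === role && r.action === action && r.object === object)
    );
  }

  get auditLog() {
    return [...this.#audit];
  }
}
```

Because the store checks the policy on every call, a revoked grant stops working on the very next access, and each decision lands in the audit log.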

TOPIC 4: Security Issues in Hardware

Understand and accept that hardware-based security is extremely difficult –
just because it's a hardware product does not mean it's secure.

Threat Vectors

Interception (or Eavesdropping) – Gain access to protected information
without opening the product.

Interruption (or Fault Generation) – Preventing the product from
functioning normally

Modification – Tampering with the product, typically invasive

Fabrication/Man-in-the-Middle – Creating counterfeit assets of a product

Attack Goals

Competition (or Cloning) – Specific IP theft to gain marketplace advantage

Theft-of-Service – Obtaining service for free that normally requires money

User Authentication (or Spoofing) – Forging a user's identity to gain access
to a system

Privilege Escalation (or Feature Unlocking) – Gaining increased command
of a system or unlocking hidden/undocumented features

Attacks Against

Access control
Biometrics
Authentication tokens
RFID
Network appliances
Cryptographic accelerators
Wireless access points
Network adapters/NICs
PDAs/Mobile devices

• Some of the other topics in this unit, like Intrusion Detection, Access
Control, Backup and Storage, have been covered in previous
sections; please refer to those sections for these topics.

UNIT – 4

TOPIC 1: Security Policy

Security policy is a definition of what it means to be secure for a system,
organization or other entity.
For an organization, it addresses the constraints on behavior of its
members as well as constraints imposed on adversaries by mechanisms
such as doors, locks, keys and walls.
For systems, the security policy addresses constraints on functions and
flow among them, constraints on access by external systems and
adversaries including programs and access to data by people.

If it is important to be secure, then it is important to be sure all of the
security policy is enforced by mechanisms that are strong enough. There
are many organized methodologies and risk assessment strategies to
assure completeness of security policies and assure that they are
completely enforced. In complex systems, such as information systems,
policies can be decomposed into sub-policies to facilitate the allocation of
security mechanisms to enforce sub-policies.

Email Policy

Here are five reasons why your company needs an email policy:

1. Protect against email threats: An email policy helps prevent email
threats. A well laid out email policy makes your staff aware of the corporate
rules and guidelines, which if followed will protect your company against
(spear) phishing attacks and confidentiality leaks, aid compliance and
minimize legal liability.

2. Avoid misconduct: An email policy can help stop any misconduct at an
early stage, for instance by asking employees to come forward as soon as
they receive an offensive email. Keeping the incidents to a minimum can
help avoid legal liability. For instance in the case of Morgan Stanley, the
court ruled that a single e-mail communication (a racist joke, in this case)
cannot create a hostile work environment and dismissed the case against
them.

3. Reduce liability: If an incident does occur, an email policy can minimize
the company’s liability for the employee’s actions. Previous cases have
proven that the existence of an email policy can prove that the company
has taken steps to prevent inappropriate use of the email system and
therefore can be freed of liability. WorldCom Corp. for instance, faced a
court case from two former employees for allowing four racially offensive
jokes on its email system. WorldCom successfully defended themselves
because they had an email policy that spelled out inappropriate content
and because they took prompt remedial action against the co-worker who
sent the racially harassing e-mails.

4. Educate Email Etiquette: You can use your email policy to educate
your employees in email etiquette to ensure that your company conveys a
professional image in its email communications.

5. Warn employees of email monitoring: If you are going to use email
filtering software to check the contents of your employees’ emails, it is
essential to have an email policy that warns your employees that their
emails might be monitored. If you do not have such a policy you could be
liable for privacy infringement.

WWW Security Policy

By creating a security policy for your business you can protect your business
from most of the common forms of internet threat.

The internet can be a great force for good, but unfortunately it can also be the
conduit for everything that is bad in the world. While you may be wise to spam
emails, phishing emails and files that aren't quite as innocent as they seem, your
staff may not be quite so security conscious in their use of the internet.
Additionally, the growth in social networking is a cause for concern to many
employers as these sites can be a huge distraction from day to day work. This is
where a security policy comes into play.

When you take on new staff in your business the last thing on your mind is
probably, "How do I make sure that my staff are internet safe?" However, by
creating a security policy you will have laid out clear lines of responsibility that
will ensure you and your team protect the reputation of your business, as well as
protecting your business from potential internet attacks, and from claims by an
employee that "they didn't know".

The policy basics

The objective of an internet security policy is to:

• Set the boundaries of employee use.
• Describe what is deemed acceptable behavior.
• Explain processes and procedures employees should adopt to protect and
manage your systems.
• Assign roles and responsibilities for staff so everyone knows their respective
tasks.
• Detail the outcomes if the policy is ignored or deliberately breached.

Policy Review Process

Many problems with procedures that crop up after they’ve been implemented are
traceable to inadequate or no review.
Let’s say a procedure as written describes an ideal process, performed under
ideal conditions (i.e., real-world conditions aren’t taken into account). If this isn’t
caught in the policy review process, the end product will meet
requirements only through luck. Luck being notoriously unreliable,
inconsistent, and uncontrollable, you’re clearly better off with a policy review.

An Effective Policy Review Process

Why do you review anything? To ensure the accuracy and completeness of
whatever it is you’re reviewing and to make sure everyone has the same
understanding of the policy, process, or situation. In short, to ensure effective
communication, which will lead you to the desired outcome.
Effective communication is a big reason why the international quality
standard, ISO 9001, mandates design and development reviews (clause 7.3.4).
If you don’t review, you risk missing any number of product requirements, both
stated and unstated, and you risk losing customers.
Need another reason to review policies and procedures? No one is perfect and
no process is perfect. No one will write the perfect procedure the first time, every
time.
Furthermore, no one — NO ONE! — can multitask. Your technical writer wears
several other hats, right? That person is bound to temporarily lose focus on the
policy or procedure they’re writing when other projects and other managers are
continually demanding that their stuff is mission critical, “…so drop everything
and work on this.” (Now, where was I?)
We all agree, then, that policies and procedures have to be reviewed, right? So,
how’s it done? Well, one method that works is based on speech evaluations as
done by Toastmasters. For a Toastmaster, learning how to evaluate a speech –
or a written document – is as critical as learning how to give a speech
or write one.
In your policy review process, whether it’s written or oral, be sure to lead with
those aspects of the procedure where objectives were met or exceeded. If critical
procedure review objectives were not met, consider possible explanations for that
(the writer’s level of experience, competing projects, the amount of information
provided them, clarity of the objectives, etc.).

Sample Security Policy

TOPIC 2: LAWS

Copyright Law

Copyright is a bundle of rights given by the law to the creators of literary,
dramatic, musical and artistic works and the producers of cinematograph
films and sound recordings.
The rights provided under Copyright law include the rights of reproduction
of the work, communication of the work to the public, adaptation of the work
and translation of the work. The scope and duration of protection provided
under copyright law varies with the nature of the protected work.
The Indian copyright law protects literary works, dramatic works, musical
works, artistic works, cinematograph films and sound recordings.

Information Technology Act, 2000

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is
an Act of the Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is
the primary law in India dealing with cybercrime and electronic commerce. It is
based on the United Nations Model Law on Electronic Commerce 1996
(UNCITRAL Model) recommended by the General Assembly of the United Nations by
a resolution dated 30th January 1997.

The following are the crimes which can be committed against the following
groups:

Against Individual

• Harassment via Emails
• Cyber Stalking
• Dissemination of obscene material
• Defamation
• Hacking/Cracking
• Indecent Exposure

Individual Property

• Computer Vandalism
• Transmitting a Virus
• Network Trespassing
• Unauthorized Control over Computer System
• Hacking/Cracking

Against Organisation

• Hacking & Cracking
• Possession of unauthorised Information
• Cyber-Terrorism against Government Organisation
• Distribution of Pirated Software etc.

Against Society at Large

• Pornography
• Polluting the youth through indecent exposure
• Trafficking

Software License

A software license is a legal instrument (usually by way of contract law,
with or without printed material) governing the use or redistribution of
software. Under United States copyright law all software is copyright
protected, except material in the public domain. A
typical software license grants an end-user permission to use one or more
copies of software in ways where such a use would otherwise potentially
constitute copyright infringement of the software owner's exclusive rights
under copyright law.

In addition to granting rights and imposing restrictions on the use of
software, software licenses typically contain provisions which allocate
liability and responsibility between the parties entering into the license
agreement. In enterprise and commercial software transactions these
terms often include limitations of liability, warranties and warranty
disclaimers, and indemnity if the software infringes intellectual property
rights of others.

Software licenses can generally be fit into the following
categories: proprietary licenses and free and open source. The significant
feature that distinguishes them is the terms under which the end-user
may further distribute or copy the software.

Information Security Standards


The term "standard" is sometimes used within the context of information
security policies to distinguish between written policies, standards and
procedures. Organizations should maintain all three levels of
documentation to help secure their environment. Information security
policies are high-level statements or rules about protecting people or
systems. (For example, a policy would state that "Company X will maintain
secure passwords.") A "standard" is a low-level prescription for the various
ways the company will enforce the given policy. (For example, "Passwords
will be at least 8 characters, and require at least one number.") A
"procedure" can describe a step-by-step method to implementing various
standards. (For example, "Company X will enable password length controls
on all production Windows systems.")
This use of the term "standard" differs from use of the term as it relates
to information security and privacy frameworks, such as ISO/IEC 27002 or
COBIT.

Indian Patent Act

What is Patent?

A patent is a monopoly granted by statute of a country for a limited term over
a new and useful invention that involves an inventive step. An invention may
be either for a product or a process. The rights enjoyed by the owner of the patent
are proprietary in nature and the patentee or his agent or licensees has the
exclusive right to use and have the benefits of the patented invention and
prevent unauthorized use, during the period of patent protection. The period
during which the owner enjoys the benefits is called the term of the patent.
Registration is a prerequisite for patent protection and the protection
granted is territorial in nature, i.e., a patent granted in a country will give the
owner of the patent right only within that country.

Indian Law on Patents


The law governing Patents in India is Patent Act, 1970 as amended in the
years 1995 and 1999, along with the patent rules, 1972.

The Patent Act does not define the term 'Patent' [s.2 (m)]; it simply states that
‘Patent’ means a patent granted under this Act and includes for the
purposes of sections 44, 49, 50, 51, 52, 54, 55, 56, 57, 58, 63, 65, 66, 68,
69, 70, 78, 134, 140, 153, 154 and 156 and Chapter XVI, XVII & XVIII, and
a Patent granted under the Indian Patents and design Act, 1911 (2 of
1911); the Patents (Second Amendment) Bill, 1999 states that “Patent
means a patent granted under this Act”.
The Patent Act 1970 envisages that any invention that has a commercial
application and is not exempted under the Act is eligible for grant
of patent. S.2 (j) of the Act defines ‘invention’ as: any new and useful –

• art, process, method or manner of manufacture;
• machine, apparatus or other Articles;
• substance produced by manufacture,

and includes any new and useful improvement of any of them, and an
alleged invention;
The Second Amendment Bill, 1999 has introduced a new definition of
invention as against 1970, Act, i.e., 2(j) in 1999 Bill:

IMPORTANT QUESTIONS

What is an information system? Discuss how the use of the Internet by
organisations supports their business processes and activities.

What are the challenges in establishment of secure networks? Discuss.

Explain Public key cryptography.

What are the requirements of payment systems in e-commerce? Explain
the working of credit card transactions in e-commerce.

Discuss various types of intrusions possible in a network system. What
are the approaches used for detection of the intrusions?

What is a VPN? Discuss the scenarios where VPN can be deployed.

Write a short note on Cyber Crimes.
