CYBER SECURITY: NOTES
MBA/AUC-002
13/08/2015
VARUN MODI
UNIT -1
TOPIC 2: Components
The six components that must come together in order to produce an
information system are:
4. Procedures: Procedures are the policies that govern the operation of
a computer system. "Procedures are to people what software is to
hardware" is a common analogy that is used to illustrate the role of
procedures in a system.
5. People: Every system needs people if it is to be useful. People are
often the most overlooked element of the system, and are probably the
component that most influences the success or failure of information
systems. This includes "not only the users, but those who operate
and service the computers, those who maintain the data, and those
who support the network of computers." (Kroenke, D. M. (2015). MIS
Essentials. Pearson Education)
6. Feedback: Feedback is another component of the IS: an IS may be
provided with feedback, although this component isn't necessary for
it to function.
TOPIC 3: Types of Information Systems
TOPIC 4: Developing an Information System
The guide should cover how to run the system, how to enter data, how to
modify data and how to save and print reports.
The guide should include a list of error messages and advice on what to do
if something goes wrong.
Information security
Do you have information that must be available when you need it?
If you answered yes to any of these questions, then you have a need for
information security.
TOPIC 8: Information Assurance
practitioner will perform a risk assessment for those assets. Vulnerabilities
in the information assets are determined in order to enumerate the threats
capable of exploiting the assets. The assessment then considers both the
probability and impact of a threat exploiting a vulnerability in an asset, with
impact usually measured in terms of cost to the asset's stakeholders. The
sum of the products of the threats' impact and the probability of their
occurring is the total risk to the information asset.
With the risk assessment complete, the IA practitioner then develops a risk
management plan. This plan proposes countermeasures that involve
mitigating, eliminating, accepting, or transferring the risks, and considers
prevention, detection, and response to threats. A framework published by a
standards organization, such as Risk IT, COBIT, PCI DSS or ISO/IEC
27002, may guide development. Countermeasures may include technical
tools such as firewalls and anti-virus software, policies and procedures
requiring such controls as regular backups and configuration hardening,
employee training in security awareness, or organizing personnel into a
dedicated computer emergency response team (CERT) or computer
security incident response team (CSIRT). The cost and benefit of each
countermeasure is carefully considered. Thus, the IA practitioner does not
seek to eliminate all risks, were that possible, but to manage them in the
most cost-effective way.
After the risk management plan is implemented, it is tested and evaluated,
often by means of formal audits.
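
The risk total and the cost-benefit choice of countermeasures described above, worked through as an added example (not part of the original notes). The threats, probabilities, costs and the greedy selection rule are constructed assumptions.

```python
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # estimated chance of occurring in a year (constructed)
    impact: float       # estimated cost to stakeholders if it occurs (constructed)

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> factor applied to that threat's probability (0.25 = 75% less likely)
    effect: dict = field(default_factory=dict)

def total_risk(threats):
    """Sum over all threats of probability x impact."""
    return sum(t.probability * t.impact for t in threats)

def apply(threats, cm):
    """Return the threat list as it looks with the countermeasure in place."""
    return [replace(t, probability=t.probability * cm.effect.get(t.name, 1.0))
            for t in threats]

def net_benefit(threats, cm):
    """Risk removed by the countermeasure minus what it costs to run."""
    return total_risk(threats) - total_risk(apply(threats, cm)) - cm.annual_cost

def plan(threats, candidates):
    """Assumed selection rule: keep adopting the countermeasure with the highest
    net benefit; stop when none pays for itself and accept the residual risk."""
    chosen, remaining = [], list(candidates)
    while remaining:
        best = max(remaining, key=lambda cm: net_benefit(threats, cm))
        if net_benefit(threats, best) <= 0:
            break
        chosen.append(best.name)
        threats = apply(threats, best)
        remaining.remove(best)
    return chosen, total_risk(threats)

# Constructed risk register for one asset (a customer database).
THREATS = [Threat("fire", 0.01, 500_000),
           Threat("fraud", 0.05, 200_000),
           Threat("malware", 0.30, 40_000)]
CANDIDATES = [Countermeasure("anti-virus software", 1_500, {"malware": 0.25}),
              Countermeasure("security awareness training", 3_000,
                             {"fraud": 0.5, "malware": 0.8}),
              Countermeasure("second fire-suppression system", 6_000, {"fire": 0.5})]

if __name__ == "__main__":
    print("risk before:", total_risk(THREATS))
    print("plan:", plan(THREATS, CANDIDATES))
```

The third countermeasure is rejected because it costs more than the risk it removes, so the fire risk is accepted rather than eliminated.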
WHY IS CYBER SECURITY IMPORTANT?
Governments, military, corporations, financial institutions, hospitals and
other businesses collect, process and store a great deal of confidential
information on computers and transmit that data across networks to other
computers. With the growing volume and sophistication of cyber attacks,
ongoing attention is required to protect sensitive business and personal
information, as well as safeguard national security.
Quantitative risk analysis makes use of a single figure produced from these
elements. This is called the 'Annual Loss Expectancy (ALE)' or the
'Estimated Annual Cost (EAC)'.
This is calculated for an event by simply multiplying the potential loss by
the probability. The problems with this type of risk analysis are usually
associated with the unreliability and inaccuracy of the data.
Qualitative Risk Analysis
This is by far the most widely used approach to risk analysis. Probability
data is not required and only estimated potential loss is used.
Most qualitative risk analysis methodologies make use of a number of
interrelated elements:
THREATS
These are things that can go wrong or that can 'attack' the system.
Examples might include fire or fraud. Threats are ever present for every
system.
VULNERABILITIES
CONTROLS
UNIT -2
TOPIC 2: Data Security Considerations
Backups:
Along with the greater ease in management that Enterprise Level Backups
provide, comes a greater threat to security. Centralized service means
centralized access.
To prevent unauthorized access, it is critical that data be rendered
unreadable when it or the device on which it resides is no longer needed.
This is required by law (and common sense) for all computers and media
containing sensitive information.
Note that different kinds of data storage media require different methods for
secure removal or destruction, some simple but others complex. Do it
incorrectly and the data remains for prying eyes to discover.
Proof that secure disposal is not easy comes from this simple fact: insecure
disposal is one of the most common causes of sensitive data being
compromised. Not coincidentally, it is one of the most common methods
by which identity theft occurs.
For each storage medium there are more and less secure methods.
Paper media
Electronic media
Many people are under the impression that all they need to do is "delete" a
file from a computer's hard drive or other storage media. Unfortunately,
that's almost never sufficient. In most cases, "delete" simply changes
indexing information about a file, sort of like marking through the entry in a
book's table of contents but leaving the pages behind.
Emptying the "recycle bin" or the "trash" folder of deleted files is usually
also ineffective. These methods remove the pointers (indexes) to the
deleted files, but the data itself still remains on the storage media as
unallocated space.
Even if the unallocated space is subsequently used by new files, there are
sophisticated scanning methods that could be used to recover data
previously stored in those locations.
Some un-rewritable media, like CD-Rs and DVD-Rs, can't have their
contents deleted in any case. Inoperable media, like a crashed hard drive,
may be so corrupted that you cannot access it using normal computer
operations; but it still may have data on it that can be recovered by others.
Removable magnetic "disks" (floppies, ZIP disks, and the like) and linear
magnetic media (tape reels, cartridges) can be "degaussed" -- that is,
demagnetized. An appropriately-sized and -powered "degausser" is
required.
For each particular type of magnetic storage and size of degausser there is
a minimum erasing time.
Note that degaussing can make the media inoperable, so this method is not
recommended if the media needs to be reused and/or has resale value.
Over-writing magnetic media
Special software is used to over-write all the usable storage locations. The
simplest method is a single over-write; additional security is provided by
multiple over-writes with variations of all 0s, all 1s, complements (opposite
of recorded characters) and/or random characters so that recovery even by
the most sophisticated methods becomes almost impossible.
There are a few free public domain programs like DBAN that perform
secure over-writes. There are also many commercial offerings.
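
The difference between an ordinary delete and an over-write, modelled on a toy disk as an added example (not part of the original notes). The `ToyDisk` class, its block size and the sample record are constructed for illustration.

```python
import os

BLOCK = 16  # bytes per block on this toy disk

class ToyDisk:
    """Constructed model: raw blocks plus an index mapping file names to blocks."""

    def __init__(self, blocks=8):
        self.raw = bytearray(blocks * BLOCK)
        self.index = {}  # file name -> list of block numbers

    def _free(self):
        used = {b for blocks in self.index.values() for b in blocks}
        return [b for b in range(len(self.raw) // BLOCK) if b not in used]

    def write(self, name, content):
        need = -(-len(content) // BLOCK)  # ceiling division
        blocks = self._free()[:need]
        if len(blocks) < need:
            raise OSError("disk full")
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.index[name] = blocks

    def delete(self, name):
        """Ordinary delete: only the index entry goes; the blocks keep their bytes."""
        del self.index[name]

    def overwrite_and_delete(self, name, passes=(0x00, 0xFF, None)):
        """Over-write every block of the file once per pass (None = random bytes),
        then remove the index entry."""
        for fill in passes:
            for b in self.index[name]:
                data = os.urandom(BLOCK) if fill is None else bytes([fill]) * BLOCK
                self.raw[b * BLOCK:(b + 1) * BLOCK] = data
        del self.index[name]

    def scan(self, needle):
        """What a recovery tool does: ignore the index and search the raw blocks."""
        return needle in self.raw

SECRET = b"acct=4417;pin=9921;owner=constructed"  # constructed sample record

def residue_after(method):
    """Store SECRET, remove it with the named method, report (listed, recoverable)."""
    disk = ToyDisk()
    disk.write("payroll.csv", SECRET)
    getattr(disk, method)("payroll.csv")
    return "payroll.csv" in disk.index, disk.scan(b"pin=9921")

if __name__ == "__main__":
    print("delete:              ", residue_after("delete"))
    print("overwrite_and_delete:", residue_after("overwrite_and_delete"))
```

On real hardware, over-writing one file through the file system is not guaranteed to reach every copy of its data (flash wear-levelling and journaling file systems keep others), which is why the tools mentioned above over-write all usable storage locations.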
You can take a hammer or a high-speed drill to your hard drive, USB drive
or other device. Chances are excellent that you'll render it inoperable in
short order.
Floppy disks can be broken open and the internal magnetic disk cut up. As
with optical media (see next discussion), caution is required to avoid
personal injury from flying plastic parts, etc., and it is still theoretically
possible to recover data even from a mangled disk.
Optical media
written. Because such media are optical rather than magnetic, neither can
they be degaussed.
So, as with paper, only physical destruction will do. Many higher-capacity
paper shredders are rated for CD/DVD destruction for exactly this reason.
It's a good investment to upgrade to a shredder that is CD/DVD capable if
you regularly rely on optical media for your data storage.
Breaking discs in half with your hands can send dangerous shards of
plastic flying. Burning discs (or microwaving them) can release toxic
fumes. Don't ever do this!
For a whole system, some manufacturers (like Dell and Apple), and many
retailers of computer equipment, offer recycling programs that meet both
security and environmental concerns. These programs will process the
entire old system for disposal, including cleaning the hard drive and any
other storage media, when you trade it in as part of a new purchase.
Archival Storage:
In computers, archival storage is storage for data that may not be actively
needed but is kept for possible future use or for record-keeping purposes.
Archival storage is often provided using the same system as that used for
backup storage. Typically, archival and backup storage can be retrieved
using a restore process.
TOPIC 3: Data Security Technology
Firewall:
Software firewalls are installed on your computer (like any software) and
you can customize them, which gives you some control over their function and
protection features. A software firewall will protect your computer from
outside attempts to control or gain access to your computer.
VPN:
elements to secure both the company's private network and the outside
network through which the remote user connects.
Access Control:
The control panel also ignores a door open signal to prevent an alarm.
Often the reader provides feedback, such as a flashing red LED for an
access denied and a flashing green LED for an access granted.
Perhaps the most well known computer security threat, a computer virus is
a program written to alter the way a computer operates, without the
permission or knowledge of the user. A virus replicates and executes itself,
usually doing damage to your computer in the process. Learn how to
combat computer virus threats and stay safe online.
Spyware Threats
Phishing Threats
Trojan Horse
Logic Bombs
Trap doors
E-Mail Virus
known and undoubtedly cause the greatest loss of time and money overall.
The best two defenses against e-mail viruses for the individual user are:
(2) installing and using anti-virus software to scan any attachment before
you open it.
Macro Virus
Worm
even if only by consuming bandwidth, whereas viruses almost always
corrupt or modify files on a targeted computer.
Although a DoS attack does not usually result in the theft of information or
other security loss, it can cost the target person or company a great deal of
time and money. Typically, the loss of service is the inability of a particular
network service, such as e-mail, to be available or the temporary loss of all
network connectivity and services. A denial of service attack can also
destroy programming and files in affected computer systems. In some
cases, DoS attacks have forced Web sites accessed by millions of people
to temporarily cease operation.
TOPIC 5: Threats to E-Com- Electronic Payment System
E-COMMERCE THREATS
Digital Signature
The digital equivalent of a handwritten signature or stamped seal, but
offering far more inherent security, a digital signature is intended to
solve the problem of tampering and impersonation in digital
communications. Digital signatures can provide the added
assurances of evidence of origin, identity and status of an electronic
document, transaction or message, as well as acknowledging
informed consent by the signer.
In many countries, including the United States, digital signatures have the
same legal significance as the more traditional forms of signed documents.
The United States Government Printing Office publishes electronic versions
of the budget, public and private laws, and congressional bills with digital
signatures.
Public-key cryptography:
UNIT – 3
begin in the initiation phase with the identification of key security roles to be
carried out in the development of the system.
Disposal Phase: In this phase, plans are developed for discarding system
information, hardware, and software and making the transition to a new
system. The information, hardware, and software may be moved to another
system, archived, discarded, or destroyed. If performed improperly, the
disposal phase can result in the unauthorized disclosure of sensitive data.
When archiving information, organizations should consider the need for
and the methods for future retrieval.
organization needs to have a robust information security program that
maps to its business drivers, legal and regulatory requirements, and threat
profile.
Information security governance is similar in nature to corporate and IT
governance because functionality and goals overlap among
the three. All three work within the organizational structure of a company
and have the same goals of helping to ensure that the company will survive
and thrive – they just each have different focuses.
Security Design Principles
Design Principles for Protection Mechanisms
Least privilege- You should only have the rights necessary to complete
your task.
Economy of mechanism- The mechanism should be small and simple enough
to be verified and implemented, e.g., a security kernel. Complex
mechanisms should be correctly understood, modeled, configured,
implemented and used.
Complete mediation- Every access to every object must be checked.
Open design- Let the design be open. Security through obscurity is a
bad idea. The design should be open for scrutiny by the community:
better to have a friend/colleague find an error than a foe.
Separation of privilege- Access to objects should depend on more than
one condition being satisfied.
Least common mechanism- Minimize the amount of mechanism
common to more than one user and depended on by all users.
Psychological acceptability- The user interface must be easy to use, so
that users routinely and automatically apply the mechanisms correctly.
Otherwise, they will be bypassed.
Fail-safe defaults- The default should be lack of access.
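
Four of these principles (fail-safe defaults, complete mediation, least privilege and separation of privilege) in one small access check, as an added example that is not part of the original notes. The `Monitor` class, the subjects and the rights are hypothetical.

```python
class AccessDenied(Exception):
    pass

class Monitor:
    """Hypothetical reference monitor; subjects, objects and rights are illustrative."""
    OPERATIONS = {"read", "delete"}
    NEEDS_APPROVAL = {"delete"}   # rights that depend on a second condition

    def __init__(self):
        self._objects = {}    # name -> content, reachable only through access()
        self._grants = set()  # (subject, object, right); empty set = no access
        self.log = []         # every decision, allowed or refused

    def create(self, name, content):
        self._objects[name] = content

    def grant(self, subject, name, right):
        self._grants.add((subject, name, right))  # one right at a time

    def revoke(self, subject, name, right):
        self._grants.discard((subject, name, right))

    def access(self, subject, name, right, approver=None):
        # Complete mediation: decided afresh on every call, nothing is cached.
        # Fail-safe default: anything not explicitly granted is refused.
        allowed = (right in self.OPERATIONS and name in self._objects
                   and (subject, name, right) in self._grants)
        if allowed and right in self.NEEDS_APPROVAL:
            # Separation of privilege: a different subject must hold "approve".
            allowed = (approver != subject
                       and (approver, name, "approve") in self._grants)
        self.log.append((subject, name, right, allowed))
        if not allowed:
            raise AccessDenied(f"{subject} may not {right} {name}")
        if right == "read":
            return self._objects[name]
        return self._objects.pop(name)  # "delete"

def denied(monitor, *args, **kwargs):
    """Return True if the monitor refuses the request."""
    try:
        monitor.access(*args, **kwargs)
    except AccessDenied:
        return True
    return False

def demo():
    """Constructed setup: alice may read and delete, carol may only approve."""
    m = Monitor()
    m.create("payroll", "constructed sample data")
    m.grant("alice", "payroll", "read")
    m.grant("alice", "payroll", "delete")
    m.grant("carol", "payroll", "approve")
    return m
```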
Threat Vectors
Attack Goals
Attacks Against
Access control
Biometrics
Authentication tokens
RFID
Network appliances
Cryptographic accelerators
Wireless access points
Network adapters/NICs
PDAs/Mobile devices
Some of the other topics in this unit, like Intrusion Detection, Access
Control, Backup and Storage, have been covered in previous
sections; please refer to those sections for these topics.
UNIT – 4
Email Policy
Here are five reasons why your company needs an email policy:
help avoid legal liability. For instance in the case of Morgan Stanley, the
court ruled that a single e-mail communication (a racist joke, in this case)
cannot create a hostile work environment and dismissed the case against
them.
4. Educate Email Etiquette: You can use your email policy to educate
your employees in email etiquette to ensure that your company conveys a
professional image in its email communications.
By creating a security policy for your business you can protect your business
from most of the common forms of internet threat.
The internet can be a great force for good, but unfortunately it can also be the
conduit for everything that is bad in the world. While you may be wise to spam
emails, phishing emails and files that aren't quite as innocent as they seem, your
staff may not be quite so security conscious in their use of the internet.
Additionally the growth in social networking is a cause for concern to many
employers as these sites can be a huge distraction from day to day work. This is
where a security policy comes in to play.
When you take on new staff in your business the last thing on your mind is
probably, "How do I make sure that my staff are internet safe?" However, by
creating a security policy you will have laid out clear lines of responsibility that
will ensure you and your team protect the reputation of your business, as well as
protecting your business from potential internet attacks, and from claims by an
employee that "they didn't know".
Many problems with procedures that crop up after they’ve been implemented are
traceable to inadequate or no review.
Let’s say a procedure as written describes an ideal process, performed under
ideal conditions (i.e., real-world conditions aren’t taken into account). If this isn’t
caught in the policy review process, the end product will meet
requirements only through luck. Luck being notoriously unreliable,
inconsistent, and uncontrollable, you’re clearly better off with a policy review.
An Effective Policy Review Process
(the writer’s level of experience, competing projects, the amount of information
provided them, clarity of the objectives, etc.).
TOPIC 2: LAWS
Copyright Law
The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is
an Act of the Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is
the primary law in India dealing with cybercrime and electronic commerce. It is
based on the United Nations Model Law on Electronic Commerce 1996
(UNCITRAL Model) recommended by the General Assembly of the United Nations by
a resolution dated 30th January 1997.
The following are the crimes which can be committed against the following
groups:
Against Individual
Cyber Stalking
Dissemination of obscene material
Defamation
Hacking/Cracking
Indecent Exposure
Individual Property
Computer Vandalism
Transmitting a Virus
Network Trespassing
Unauthorized Control over Computer System
Hacking/Cracking
Against Organisation
Pornography
Polluting the youth through indecent exposure
Trafficking
Software License
systems. (For example, a policy would state that "Company X will maintain
secure passwords") A "standard" is a low-level prescription for the various
ways the company will enforce the given policy. (For example, "Passwords
will be at least 8 characters, and require at least one number.") A
"procedure" can describe a step-by-step method to implementing various
standards. (For example, "Company X will enable password length controls
on all production Windows systems.")
This use of the term "standard" differs from use of the term as it relates
to information security and privacy frameworks, such as ISO/IEC 27002 or
COBIT.
What is Patent?
The Patent Act does not define the term 'Patent' [s.2 (m)]; it simply states that
‘Patent’ means a patent granted under this Act and includes for the
purposes of sections 44, 49, 50, 51, 52, 54, 55, 56, 57, 58, 63, 65, 66, 68,
69, 70, 78, 134, 140, 153, 154 and 156 and Chapter XVI, XVII & XVIII, and
a Patent granted under the Indian Patents and design Act, 1911 (2 of
1911); the Patents (Second Amendment) Bill, 1999 states that “Patent
means a patent granted under this Act”.
The Patent Act 1970 envisages that any invention that has a commercial
application and is not exempted under the Act is eligible for grant
of a patent. S.2 (j) of the Act defines ‘invention’ as: any new and useful –
and includes any new and useful improvement of any of them, and an
alleged invention;
The Second Amendment Bill, 1999 has introduced a new definition of
invention as against the 1970 Act, i.e., 2(j) in the 1999 Bill:
IMPORTANT QUESTIONS
Discuss various types of intrusions possible in a network system. What
are the approaches used for detection of the intrusions?