
One day Interaction Program for

Faculty Members & Sr. Technocrats, on


“Cyber Security & Data Protection” at
Malaviya National Institute of Technology (MNIT), Jaipur
Department of Computer Science & Engineering
Conducted by: DR CBS CYBER SECURITY SERVICES LLP
Resource Persons:
Dr. C B Sharma IPS R. M.Sc., M.A., LL.B., Diploma in Cyber Law, Ph.D
Certified Lead Auditor, ISMS (ISO/IEC 27001:2013) ,
Member Data Security Council of India (DSCI)
Mr. Swati Vashisth M.B.A(CSE), B.E. (CSE), Diploma in Cyber Law
Certified Lead Auditor, ISMS (ISO/IEC 27001:2013)
Certified Ethical Hacker (CEH), Member Data Security Council of India (DSCI)
Mr. Sachin Sharma M.Tech(CSE), B.E. (CSE), Diploma in Cyber Law
Certified Lead Auditor, ISMS (ISO/IEC 27001:2013)
Certified Ethical Hacker (CEH), Member Data Security Council of India (DSCI)
Mr. Mudit Chaturvedi M.Tech(CSE), B.Tech(CSE), Diploma in Cyber Law
Certified Lead Auditor, ISMS (ISO/IEC 27001:2013) ,
Certified Ethical Hacker (CEH) , Member Data Security Council of India (DSCI)
10:00 AM – 04:30 PM 20 DEC 2019
1/4/2020 1
II Session
1. Cyber Security: Security of Information (Data)
2. Through: Reviewed Technologies, Tested Tools, VAPT
3. International Standards & References
4. Vulnerability: End Point, Network, Web Applications
5. Hands-on Practice: Manual and Tool Based

Information
• Information is an asset that is essential to an
organization’s business and consequently needs to
be protected.
• It exists in the form of:
i) Data stored in computers
ii) Data transmitted across networks
iii) Printouts
iv) Data written on paper and sent by fax
v) Data stored on disks
vi) Data held on microfilm
vii) Information spoken in conversation over the telephone
Information (Data) exists in
1. End Point: Computer(Desktop, Laptop etc.),
Communication devices (Smartphone etc.)
2. Network: Internet, Intranet, LAN , WAN , Wi-Fi ,
Hotspot etc.
3. Network Devices: Firewall, Switches, Routers etc.
4. Processors: Servers etc.
5. Storage: Server, Hard disk, data center, cloud etc.
6. Communication: Email and websites
7. Applications: Web, Mobile, database, software etc.

Information Technology (Cyber) Security is
Protection of :
• Data created/prepared by computer
• Data written on a paper sent by fax
• Data received through network
• Data transmitted across networks
• Data stored in computers, servers, disks &
microfilm
• Data printed out
• Data spoken on telephone / Smartphone

Information Security Management
System (ISMS)
• An Information Security Management System (ISMS)
consists of the policies, procedures, guidelines and
associated resources and activities, collectively
managed by an organization, in the pursuit of
protecting its information assets.
• An ISMS is a systematic approach for establishing,
implementing, operating, monitoring, reviewing,
maintaining and improving an organization’s
information security to achieve business objectives.

Section 70: Protected System
• The appropriate government may declare any computer
resource which affects the facility of Critical Information
Infrastructure to be a protected system; unauthorized
access to such a protected system is punishable with
imprisonment of 10 years.
Section 70A: National Nodal Agency
• The Central Government may designate any organization
of the government as the national nodal agency in
respect of critical information infrastructure
protection.

Ref. Section 70B, IT Act 2000

CERT-In
• The Indian Computer Emergency Response Team serves as the
national agency for incident response.
70B(4): The Indian CERT shall serve as the national agency for
performing the following functions in the area of cyber security:
(a) Collection, analysis and dissemination of information on
cyber incidents;
(b) Forecasts and alerts of cyber security incidents;
(c) Emergency measures for handling cyber security incidents;
(d) Coordination of cyber incident response activities;
(e) Issuing guidelines, advisories, vulnerability notes and white
papers relating to information security practices, procedures,
prevention, response and reporting of cyber incidents;
(f) Such other functions relating to cyber security as may be
prescribed.
Section 70B (continued)
(7) Any service provider, intermediary, data
centre, body corporate or person who fails to
provide the information called for, or to comply
with a direction under sub-section (6), shall be
punishable with imprisonment for a term which may
extend to 1 year, or with a fine which may extend to
1 lakh rupees, or both.

Need for an ISMS
• Information security depends on
people, information security policies,
processes, procedures and technology.
• Resources are not unlimited, so an
effective and efficient management system
for information security (ISMS) has to be
established.

Establishing an ISMS
1. Set the context of the organization and the
scope of the ISMS (selection of security
controls)
2. Identify sensitive information and IT assets
3. Perform risk analysis
4. Risk assessment and risk management
5. Measure and control through the Risk Management
Plan
6. Improve the ISMS

Vulnerabilities in Information System
• A vulnerability is a weakness which can be
exploited by a threat actor, such as an attacker, to
perform unauthorized actions within a computer
system. To exploit a vulnerability, an attacker
must have at least one applicable tool or
technique that can connect to a system
weakness.
• Vulnerabilities create the conditions for a possible
attack, through which an attacker could gain access
to a target system.

Risk
• Effect of uncertainty on objectives.
• A situation involving exposure to danger.
• Risk is the potential of gaining or losing
something of value.

Risk assessment
• A systematic process of evaluating the
potential risks:
1. Identification
2. Evaluation
3. Estimation of the levels of risk (High,
Medium or Low)

Risk Management
• Risk management is defined as coordinated
activities to direct and control an organization
with regard to risk.
• Inter related activities of risk management :
1. Risk Treatment : process of selection and
implementation of measures to modify risks.
2. Residual Risk: The risk remaining after risk
treatment.
3. Risk acceptance: Decision to accept the Risk.
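The risk assessment steps (identification, evaluation, estimation of High/Medium/Low) and the three risk management activities above (treatment, residual risk, acceptance), worked through in code. This is an added illustration and not part of the slide deck: the 3x3 likelihood/impact matrix, the sample register entries and the effect attributed to each treatment are assumptions constructed for the example.

```python
"""Risk assessment and treatment worked through in code (added illustration, not
part of the slide deck). The 3x3 likelihood/impact matrix, the sample risks and the
effect of each treatment are assumptions constructed for this example."""
from dataclasses import dataclass, field

LEVEL_ORDER = ["Low", "Medium", "High"]


def risk_level(likelihood: int, impact: int) -> str:
    """Estimate the level of a risk (High/Medium/Low) from likelihood x impact.
    Both inputs use an assumed 1..3 scale (1 = Low, 2 = Medium, 3 = High)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be on the 1..3 scale")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    """One row of a risk register: identification plus the evaluation inputs."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    # Each treatment is (description, likelihood after it, impact after it).
    treatments: list = field(default_factory=list)

    def inherent_level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual(self) -> tuple:
        """Residual risk: the likelihood/impact left after all treatments are applied."""
        lik, imp = self.likelihood, self.impact
        for _, new_lik, new_imp in self.treatments:
            lik, imp = min(lik, new_lik), min(imp, new_imp)
        return lik, imp

    def residual_level(self) -> str:
        return risk_level(*self.residual())


def acceptance_decision(risk: Risk, appetite: str = "Low") -> str:
    """Risk acceptance: accept when the residual level is within the assumed
    appetite, otherwise the risk goes back for further treatment."""
    if LEVEL_ORDER.index(risk.residual_level()) <= LEVEL_ORDER.index(appetite):
        return "accept"
    return "treat further"


def build_register() -> list:
    """Constructed sample register for an institute (all values assumed)."""
    return [
        Risk("Faculty laptops", "theft or loss", "disk not encrypted",
             likelihood=2, impact=3,
             treatments=[("full-disk encryption and remote wipe", 2, 1)]),
        Risk("Public website", "defacement", "unpatched CMS",
             likelihood=3, impact=2,
             treatments=[("monthly patch cycle", 1, 2)]),
        Risk("Examination records", "unauthorised access", "shared admin password",
             likelihood=3, impact=3,
             treatments=[("individual accounts with MFA", 1, 3)]),
    ]


def assess(register: list) -> list:
    """Risk-management view of the register: inherent level, residual level, decision."""
    return [
        {"asset": r.asset, "inherent": r.inherent_level(),
         "residual": r.residual_level(), "decision": acceptance_decision(r)}
        for r in register
    ]


if __name__ == "__main__":
    for row in assess(build_register()):
        print(row)
```

With this register the examination-records risk stays Medium after treatment because the treatment lowers likelihood but not impact, so it is sent back for further treatment rather than accepted; the other two fall to Low and are accepted under the assumed appetite.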

Phases of ISMS

Important ISMS Standards
1. ISO/IEC 27001:2013 (Information security management
standard)
2. ISO/IEC 27002 (Information technology – Security techniques –
Code of practice for information security controls)
3. The Control Objectives for Information and related Technology
(COBIT) by Information Systems Audit and Control Association (ISACA)
4. Information Technology Infrastructure Library(ITIL)
5. Cyber Security Framework
6. Schedule II- IT Security Guidelines IT Act 2000
7. ISO/IEC 27017 (Information technology – Security techniques –
Code of practice for information security controls based on
ISO/IEC 27002 for cloud services)
8. ISO/IEC 27018 (Information technology – Security techniques –
Code of practice for protection of personally identifiable
information (PII) in public clouds acting as PII processors)

International Standardization
ISMS(ISO/IEC 27001:2013)
• 114 IT Security Controls
• Required information security policies:
1. Identification, Asset Management & Disposal ,Acceptable Use
(including Software) Policy
2. E-Mail, Information Transfer & Social Media Policy
3. HR Policy
4. Business Continuity and Backup Policy
5. Clear Screen & Clear Desk Policy
6. Network, Internet, Wi-Fi, LAN, Access Control, Server Room & Log
Policy
7. Data Security and Cryptography Policy (including Data Centers)
8. Privacy Policy
9. CCTV Policy
10. Password Policy
11. Mobile device and Teleworking

ISMS(ISO/IEC 27001:2013) Controls
Control no. Control Objectives
A.5 Information Security Policies
A.6 Organization of Information Security
A.7 Human Resource Security
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical & Environmental Security
A.12 Operational Security
A.13 Communications Security
A.14 System Acquisition, Development and Maintenance
A.15 Supplier Relationships
A.16 Information Security Incident Management
A.17 Information Security Aspects of Business Continuity Management
A.18 Compliance

Web Vulnerability Assessment

International Vulnerability References &
Standards
1. Common Weakness Enumeration (CWE)
2. Common Vulnerabilities and Exposures (CVE)
3. National Vulnerability Database (NVD)
4. Open Web Application Security Project (OWASP)
5. SysAdmin, Audit, Network and Security (SANS)
(SANS Top 25 Most Dangerous Software Errors)
6. The Web Application Security Consortium (WASC)
7. Bugtraq
1. Common Weakness Enumeration
(CWE)
• CWE™ is a community-developed list of
common software security weaknesses.

https://cwe.mitre.org
• Weaknesses in the 2019 CWE Top 25 Most
Dangerous Software Errors

2. Common Vulnerabilities and
Exposures (CVE)
• CVE® is a list of entries, each containing an
identification number, a description, and at
least one public reference, for publicly
known cyber-security vulnerabilities.

https://cve.mitre.org

3. National Vulnerability Database
(NVD)
• The NVD is the U.S. government repository of standards-
based vulnerability management data, represented using
the Security Content Automation Protocol (SCAP).
• This data enables automation of vulnerability
management, security measurement, and compliance.
• The NVD includes databases of security checklist
references, security related software flaws,
misconfigurations, product names and impact metrics.

https://nvd.nist.gov
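What "automation of vulnerability management" looks like in practice, as an added example that is not part of the slide deck: a software inventory is matched against a feed of CVE-style records, each carrying a CWE reference and an impact metric (CVSS base score), and the findings are ranked for remediation. The feed uses a simplified, constructed schema assumed for this example, not NVD's actual JSON feed; the CVE-0000-000x and CWE-0 identifiers and the product names are placeholders; the severity bands are the CVSS v3.x qualitative rating scale.

```python
"""Automating a vulnerability check against CVE-style records (added example, not
from the slide deck). The feed below uses a simplified, constructed schema that is
assumed for this example, not NVD's actual JSON feed; the CVE-0000-000x and CWE-0
identifiers and the product names are placeholders."""
import re

# Real CVE identifier syntax: CVE-<four-digit year>-<four or more digits>.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed feed. Versions are dotted integers; a record affects versions in the
# half-open range [introduced, fixed). cvss is the CVSS v3 base score (impact metric).
FEED = [
    {"id": "CVE-0000-0001", "product": "examplecms", "introduced": "1.0.0", "fixed": "1.4.2",
     "cwe": "CWE-0", "cvss": 9.8, "summary": "placeholder: remote code execution"},
    {"id": "CVE-0000-0002", "product": "examplecms", "introduced": "1.3.0", "fixed": "1.5.0",
     "cwe": "CWE-0", "cvss": 6.1, "summary": "placeholder: cross-site scripting"},
    {"id": "CVE-0000-0003", "product": "libexample", "introduced": "0.9.0", "fixed": "2.0.0",
     "cwe": "CWE-0", "cvss": 7.5, "summary": "placeholder: denial of service"},
    {"id": "NOT-A-CVE", "product": "examplecms", "introduced": "0.0.1", "fixed": "9.9.9",
     "cwe": "CWE-0", "cvss": 10.0, "summary": "malformed record, must be ignored"},
]

# Constructed inventory of installed software: product -> version.
INVENTORY = {"examplecms": "1.4.0", "libexample": "2.1.0", "otherapp": "3.0"}


def parse_version(version: str) -> tuple:
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically, not as strings
    (assumes purely numeric dotted versions)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(record: dict, installed: str) -> bool:
    """True when the installed version falls inside the record's affected range."""
    v = parse_version(installed)
    return parse_version(record["introduced"]) <= v < parse_version(record["fixed"])


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating scale."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def match_inventory(inventory: dict, feed: list = FEED) -> list:
    """Return findings for installed, affected products, highest CVSS first.
    Records with a malformed identifier are skipped rather than trusted."""
    findings = []
    for record in feed:
        if not CVE_ID.match(record["id"]):
            continue
        installed = inventory.get(record["product"])
        if installed is None or not is_affected(record, installed):
            continue
        findings.append({
            "id": record["id"], "product": record["product"], "installed": installed,
            "fixed_in": record["fixed"], "cwe": record["cwe"],
            "cvss": record["cvss"], "severity": severity(record["cvss"]),
        })
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in match_inventory(INVENTORY):
        print(f"{f['id']} {f['severity']:8} {f['product']} {f['installed']} "
              f"-> fix in {f['fixed_in']} ({f['cwe']})")
```

The version range is half-open on purpose: a product already at the fixed version is not reported, which is the usual convention in vulnerability feeds and the boundary most easily got wrong when comparing versions as plain strings.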
4. Open Web Application Security
Project (OWASP)
• The Open Web Application Security Project
(OWASP) is a worldwide not-for-profit charitable
organization focused on improving the security of
software.
• The OWASP Top 10 is a powerful awareness
document for web application security. It represents
a broad consensus about the most critical security
risks to web applications.
Ref: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

5. SANS Top 25 Most Dangerous
Software Errors
• SANS Top 25 Most Dangerous Software Errors is a
list of the most widespread and critical errors that
can lead to serious vulnerabilities in software.
• The Top 25 Software Errors fall into three
categories:
1. Insecure Interaction Between Components (6 errors)
2. Risky Resource Management (8 errors)
3. Porous Defenses (11 errors)

6. Web Application Security Consortium
(WASC)
• The Web Application Security Consortium (WASC) is a non-
profit organization of an international group of experts,
industry practitioners, and organizational representatives
who produce open source and widely agreed upon best-
practice security standards for the World Wide Web.
• The Threat Classification Reference Grid was created to
allow individuals and products to reference particular
Threat Classification sections with a static identifier.

Ref.: http://projects.webappsec.org/w/page/13246974/Threat Classification Reference

7. Bugtraq
• Bugtraq is an electronic mailing list dedicated
to computer security issues.
• It covers vulnerabilities, vendor security-related
announcements, methods of exploitation, and
how to fix them.

Ref. https://www.securityfocus.com/archive

Guidelines for Indian Govt. Websites
https://web.guidelines.gov.in
• National Informatics Centre has developed
these Guidelines as an initiative under the
National Portal of India Project.
• Development of these guidelines involved an
extensive consultation process involving
representatives from National Informatics
Centre and various other Indian Government
Departments, at the Centre and State levels.

Important Tools for Vulnerability
Assessment & Penetration Testing
Open source tools (available in Kali Linux)
• OWASP ZAP (also available for Windows)
• Vega
• Wapiti
• W3af
• Ratproxy
• Wfuzz
• Arachni
• Grendel-Scan
Important Tools for Vulnerability
Assessment & Penetration Testing
Commercial Tools
• Burp Suite
• Acunetix
• Nessus
• Netsparker
• Paros
• Arachni
• Grendel-Scan

Dummy Applications for Vulnerability
Assessment and Penetration Testing
1. Damn Vulnerable Web Application (DVWA):
Damn Vulnerable Web App (DVWA) is a PHP/MySQL
web application that is damn vulnerable. Its main
goals are to be an aid for security professionals to test
their skills and tools in a legal environment, to help web
developers better understand the process of
securing web applications, and to aid teachers and students
in teaching and learning web application security in a
classroom environment.
2. bWAPP (a buggy web application): a free and open
source insecure web application.
