Compare Active Attacks Vs Passive Attacks
Active attack | Passive attack
--- | ---
Due to active attacks, the execution system is always damaged. | Due to passive attacks, there is no harm to the system.
In an active attack, the victim gets informed about the attack. | In a passive attack, the victim does not get informed about the attack.
In an active attack, system resources can be changed. | In a passive attack, system resources are not changed.
Key loggers, also known as keystroke loggers, record the keys pressed on a system
and save them to a file, which is then accessed by the person using this malware.
A key logger can be software or hardware. Working: key loggers are mainly used to
steal passwords or confidential details such as bank information. The first key
logger was invented in the 1970s and was a hardware key logger; the first software
key logger was developed in 1983.
Below are some points by means of which we can prevent cyber crime:
1. Use strong passwords –
Maintain different password and username combinations for each account and
resist the temptation to write them down. Weak passwords can be easily cracked
using attacking methods such as brute force attacks and rainbow table attacks,
so make them complex: a combination of letters, numbers and special characters.
2. Use trusted antivirus in devices –
Always use trustworthy and highly advanced antivirus software on mobile devices
and personal computers. This helps prevent different virus attacks on devices.
SECTION | PUNISHMENT
--- | ---
Section 43A | This section of the IT Act, 2000 states that any corporate body dealing with sensitive information that fails to implement reasonable security practices, causing loss to another person, will also be liable to pay compensation to the affected party.
Prevention:
Intellectual Property (IP) simply refers to creations of the mind. It refers to
the possession of a thought or design by the one who came up with it. It offers the
owner of any inventive design or any form of distinct work some exclusive rights,
that make it unlawful to copy or reuse that work without the owner’s permission. It
is a part of property law. People associated with literature, music, invention, etc.
can use it in business practices.
There are numerous types of tools of protection that come under the term
“intellectual property”. Notable among these are the following:
● Patent
● Trademark
● Geographical indications
● Layout Designs of Integrated Circuits
● Trade secrets
● Copyrights
● Industrial Designs
3. Cybersquatting –
Cybersquatting means unauthorized registration and use of Internet domain
names that are similar to any business’s trademarks, service marks, or company
names. For example, let us consider Xyz is a very famous company and the
company hadn’t created a website yet. A cybersquatter could buy xyz.com,
looking to sell the domain to the company Xyz at a later date for a profit. The
domain name of a famous company can even be used to attract traffic and this
traffic will help cybersquatters earn a lot of money through advertising.
When more than one individual believes that they have the right to register a
specific domain name, this can lead to a Domain Name Dispute. It arises when a
domain name matching a registered trademark is registered by an individual or
organization that is not the owner of that trademark.
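A brand-protection check of the kind described above, as an added example that is not part of the original notes: it flags registered domain names that resemble a protected brand label, using homoglyph folding, a substring check and Levenshtein distance. The brand "xyz", the candidate domains and the homoglyph table are constructed for illustration; the suffix handling assumes single-label suffixes such as .com or .in.

```python
from typing import List, Optional, Tuple

# Characters commonly swapped in to impersonate a brand. Assumption: a small,
# illustrative substitution table, not an exhaustive homoglyph list.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_label(label: str) -> str:
    """Lower-case a domain label and fold common look-alike characters."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the public suffix. Assumption: single-label suffixes only
    (.com/.net/.in); multi-label suffixes such as .co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(brand: str, domain: str, max_distance: int = 2) -> Optional[str]:
    """Explain why `domain` resembles the protected `brand` label, or None."""
    label = normalize_label(registrable_label(domain))
    brand_n = normalize_label(brand)
    if label == brand_n:
        return "exact match after homoglyph folding"
    if brand_n in label:
        return "contains the brand name"
    distance = edit_distance(label, brand_n)
    if distance <= max_distance:
        return f"within edit distance {distance}"
    return None


def flag_lookalikes(brand: str, domains: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, reason) for every candidate that resembles the brand.
    In practice the company's own registrations would be excluded first."""
    hits = []
    for d in domains:
        reason = lookalike_reason(brand, d)
        if reason:
            hits.append((d, reason))
    return hits


# Constructed sample: "xyz" plays the famous company from the text above.
SAMPLE_DOMAINS = ["xyz.com", "xyz-shop.com", "xzy.com", "xy2.com",
                  "example.net", "xyzzy.org"]

if __name__ == "__main__":
    for domain, why in flag_lookalikes("xyz", SAMPLE_DOMAINS):
        print(f"{domain}: {why}")
```

For very short brand labels an edit distance of 2 matches many unrelated names, so lower `max_distance` in that case.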
Trademark Issues in Cyberspace:
Trademark means a mark capable of being depicted diagrammatically and which
may distinguish the products or services of one person from those of others and
will embody the form of products, their packaging, and combination of colors. A
registered service mark represents a service. Trademark infringement refers to
the unlawful use of a trademark or service mark which can cause ambiguity,
fraud, or confusion about the actual company a product or service came from.
Trademark owners can take the help of the law if they believe their marks are
being infringed.
Conclusion:
With the growth of Cyberspace and technology advancements, copyright and
trademarks are not limited to the usual intellectual property alone but have
spread to intellectual property rights over the internet.
Cyberspace is becoming a hub for intellectual property rights infringement.
Several practices by the cyber site operators resulted in the violation of
intellectual property rights and various other rights of other website operators. It
has become crucial that people are aware of the illegal usage of their websites
and webpages.
International conventions and treaties have provided various laws to protect
infringement of IPRs online which are helping e-commerce and e-businesses to
grow. However, the Information Technology Act does not provide any provisions
in respect of cybercrimes related to IPR, cyberstalking, cyber defamation, etc.
Also, the Indian Trademark Act, 1999 and Copyright Act, 1957 are silent on
issues on online Trademark and Copyright infringement. Though computer
programs are protected under the Copyright Act, 1957, it does not provide
remedies for cyberpiracy.
What is phishing?
This is arguably the most commonly used cyber-crime technique. Phishing
involves sending fraudulent emails that direct the recipient to a fake website
through a malicious link. Phishing is a well-planned cyber-crime technique. As in
situations like these, the website is meticulously designed to resemble the
original one.
Phishing criminals leverage fake campaigns to update user data, or ask them to
sign up for a particular offer, or respond to a requirement through a malicious link.
These websites ask for confidential information, including user ID, password,
date of birth, mobile phone numbers, security codes, etc., convincingly, perhaps
that the user might not realize.
As an employer, you must ensure your employees identify such attacks. And,
considering it is better to prevent an attack rather than cure it, employees must
first use common sense and refrain from providing confidential information.
Emails indicating you’ve won a prize or a high-level authority unusually asking for
sensitive information, etc., are a few instances of phishing. Additionally, secure
links start with HTTPS. If that’s not the case, employees should not open it.
Some common types of phishing attacks include spear phishing, CEO fraud,
session hijacking, malware, content injection, etc. So, it isn’t just a particular
credential that the attackers might get access to through phishing, but get entry
into a specific network through malicious software downloads or compel
(unknowingly) the concerned employee to process a money transfer through a
CEO fraud.
There is much more that cyber criminals can do through phishing. Creating a
comprehensive employee awareness program with the help of an expert
cybersecurity company can help you.
What is vishing?
Vishing stands for voice and phishing. It involves a fraudulent phone call using
information obtained earlier online. Usually, phishing is a two-step process. First,
in the case of banking, for instance, the bad actor steals sensitive information by
email or through a fake website. However, to execute the attack, he requires the
OTP or SMS password. Accordingly, the next step is to call the person and scare
him (without sounding deliberate!) to compel him to share the secret code to
execute the fraud.
One of the most significant steps to avoid vishing is to train your employees to
identify such attacks and refuse to divulge confidential information regarding
anything. Nevertheless, employee training isn’t a one-time task. It is a process
that demands regular and consistent efforts to conduct refreshing training
programs and provide employees updates from time to time to help them
enhance their competence concerning the prevention of cyber-attacks.
Partnering with an experienced cybersecurity company helps in this regard.
What is smishing?
Lastly, what is smishing? The evolution of smishing doesn’t come as a surprise,
especially amidst techniques such as phishing and vishing. Also, when attackers
can target emails and phone calls (voice), it is quite possible that they would use
SMSs, or chat messages to channel their attacks? Of course, they can, and they
already have. Smishing, alongside phishing and vishing, has evolved significantly
to become a popular cyber-crime technique.
These threats involve messaging an individual about a (fake) fraud that
supposedly happened to him and of which he is unaware, or informing him that his
account or his confidential information might be at risk, or perhaps that his
account will be frozen if he doesn’t verify his details, etc. The sources of these
messages appear trustworthy, and the messages are very well articulated to seem
authentic. Often the target, out of fear, follows the instructions, calls back, or
clicks on malicious links to escape the fabricated risk, only to walk into a real
one!
Again, a simple technique to create awareness among employees is to help them
stay aware about the various ways smishing attacks can take place, train them to
be able to identify a smishing attack, the action to take after identifying a potential
smishing attempt, and of course, ask them never to respond to such messages.
The terms e-commerce and e-business are often used interchangeably. The term
e-tail is also sometimes used in reference to the transactional processes that
make up online retail shopping.
1. Business to Business
2. Business to Consumer
Business to Consumer. Here the company will sell their goods and/or services
directly to the consumer. The consumer can browse their websites and look at
products, pictures, read reviews. Then they place their order and the company
ships the goods directly to them. Popular examples are Amazon, Flipkart, Jabong
etc.
3. Consumer to Consumer
Consumer to consumer, where the consumers are in direct contact with each
other. No company is involved. It helps people sell their personal goods and
assets directly to an interested party. Usually, goods traded are cars, bikes,
electronics etc. OLX, Quikr etc follow this model.
4. Consumer to Business
1. Use a password
Ensure that your Windows account is protected with a password. The laptop
should be configured so that the password has to be entered every time you turn
the machine on or when it comes out of hibernation, sleep or screensaver mode.
An account password is an effective first line of defence, but only if you avoid
choosing a commonly used - and therefore easily guessed - password. An
analysis of passwords stolen from websites during recent security incidents
reveals that the most common include "password", "123456", "abc123", "qwerty"
and, bizarrely, "monkey".
You can do this the same way that you can encrypt a computer hard drive - using
TrueCrypt or a version of Microsoft's BitLocker called BitLocker To Go (which is
included in some versions of Windows 7 and Windows 8.) Once encrypted the
memory stick can only be accessed after supplying a password.
An alternative is to use a USB drive with encryption hardware and other security
features built in, available from companies like IronKey. Its secure USB drives
self-destruct if the wrong password is supplied 10 times in a row, making it all but
impossible for a thief to access the data it holds by repeatedly guessing the
password.
10. Lock it up
Perhaps the most obvious piece of advice, but one which is frequently ignored, is
to make it hard for an opportunistic thief to walk off with your laptop.
One way to do this is by using a Kensington lock - a metal cable which you can
loop around a suitable fixed object and which attaches to any laptop equipped
with a Kensington slot.
Kensington locks certainly don't provide total security, as the cables can be cut or
they can be ripped out of the laptop, but it is enough to make many thieves move
on to easier pickings.
Protective Measures:
● Develop the habit of logging out of the PC when not in use.
● Remove any future events you’re close to attending from the social
networks if they’re recorded on online approaching events and
calendars.
● Set strong and distinctive passwords for your online accounts.
● Cyber Stalkers can exploit the low security of public Wi-Fi networks to
snoop on your online activity. Therefore, avoid sending personal emails
or sharing your sensitive info when connected to an unsecured public
Wi-Fi.
● Make use of the privacy settings provided by the social networking sites
and keep all info restricted to the nearest of friends.
● Do a daily search on the internet to find out what information about you is
publicly accessible.
What is "social engineering"? What are the security threats that can
arise from social networking sites?
Threat actors use social engineering techniques to conceal their true identities
and motives, presenting themselves as trusted individuals or information
sources. The objective is to influence, manipulate or trick users into releasing
sensitive information or access within an organization. Many social engineering
exploits rely on people's willingness to be helpful or fear of punishment. For
example, the attacker might pretend to be a co-worker who has some kind of
urgent problem that requires access to additional network resources.
The term quid pro quo roughly means "a favor for a favor"; in phishing it refers
to exchanging your information for some reward or other compensation. Offers to
participate in giveaways or research studies may be a sign of this type of attack.
The exploitation comes from making you happy about getting something valuable
with little investment on your end. However, the attacker never delivers the
reward in return for your data.
DNS spoofing manipulates your browser and web server so that you visit a
malicious website when you enter a valid URL. DNS cache poisoning attacks infect
your device with routing instructions that redirect valid URLs, or multiple URLs,
to fake websites.
● Scareware Attack
Watering hole attacks infect popular web pages with malware to affect
multiple users at the same time. Carefully planning on the part of the
attacker is required to find vulnerabilities of the specific sites.
● Spam phishing is a widespread, untargeted attack. The messages are
non-personal and try to capture any careless person.
● Phishing and whaling use personal information to target particular users.
Whaling attacks are aimed at high-profile individuals such as celebrities, upper
management and senior government officials. Whether it is direct communication
or a fake website, anything you share goes directly into the scammer's pocket.
You can also be fooled into the next stage of the phishing attack: a malware
download. What distinguishes the phishing variants is their method of delivery.
● SMS phishing (smishing) texts or mobile app messages may ask you to follow up
via a web link or phone number. A web link, phone number, or malware attachment
may be used.
● Angler phishing takes place on social media, where the attacker mimics the
customer service team of a trusted company. They interrupt your communication
with a brand and turn the conversation into private messages, where they
escalate the attack.
● Search engine phishing attempts to place links to fake websites at the top of
search results. The advertisements may be paid or may use valid optimization
methods to manipulate search rankings. The links are also given in email, text,
social media messages and online advertisements.
Cloud security is the whole bundle of technology, protocols, and best practices
that protect cloud computing environments, applications running in the cloud, and
data held in the cloud. Securing cloud services begins with understanding what
exactly is being secured, as well as the system aspects that must be managed.
As an overview, backend development against security vulnerabilities is largely
within the hands of cloud service providers. Aside from choosing a
security-conscious provider, clients must focus mostly on proper service
configuration and safe use habits. Additionally, clients should be sure that any
end-user hardware and networks are properly secured.
The full scope of cloud security is designed to protect the following, regardless of
your responsibilities:
With cloud computing, ownership over these components can vary widely. This
can make the scope of client security responsibilities unclear. Since securing the
cloud can look different based on who has authority over each component, it’s
important to understand how these are commonly grouped.
Fortunately, there is a lot that you can do to protect your own data in the cloud.
Let’s explore some of the popular methods.
Encryption is one of the best ways to secure your cloud computing systems.
There are several different ways of using encryption, and they may be offered by
a cloud provider or by a separate cloud security solutions provider:
● Expose sensitive data. Attackers can retrieve data, which risks exposing
sensitive data stored on the SQL server.
● Compromise data integrity. Attackers can alter or delete information from
your system.
● Compromise users’ privacy. Depending on the data stored on the SQL
server, an attack can expose sensitive user information, such as
addresses, telephone numbers, and credit card details.
● Give an attacker admin access to your system. If a database user has
administrative privileges, an attacker can gain access to the system using
malicious code.
● Give an attacker general access to your system. If you use weak SQL
commands to check usernames and passwords, an attacker could gain
access to your system without knowing a user’s credentials. From there,
an attacker can wreak havoc by accessing and manipulating sensitive
information.
Staff training:
Generate awareness about SQLi-based risks within the team responsible for
your web application and provide necessary role-based training to all users.
Any user input used in an SQL query introduces risk. Address input from
authenticated and/or internal users in the same way as public input until it is
verified. Give accounts that connect to the SQL database only the minimum
privileges needed. Use whitelists as standard practice instead of blacklists to
verify and filter user input.
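The weak credential check mentioned above beside its hardened form, as an added example that is not part of the original notes: the unsafe version pastes user input into the SQL text, the safe version binds it as a parameter, and a column name that cannot be bound is validated against an allowlist (whitelist). It uses Python's standard sqlite3 module with a constructed in-memory user table and a constructed crafted input.

```python
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database with two users (hashes are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-of-alice-pw", "admin"),
                      ("bob", "hash-of-bob-pw", "user")])
    return conn


def login_unsafe(conn, username: str, password_hash: str) -> Optional[Tuple[str]]:
    """Weak check: the input becomes part of the SQL text, so it can change the
    query's logic instead of being compared as data."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password_hash: str) -> Optional[Tuple[str]]:
    """Hardened check: '?' placeholders are bound by the driver, so the input is
    always treated as a literal value and cannot alter the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


# Identifiers (column names) cannot be bound as parameters, so validate them
# against a fixed allowlist rather than trying to blacklist dangerous characters.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users(conn, sort_by: str):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Interpolation is safe only because the value came from the allowlist above.
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")
    return [row[0] for row in rows]


# Constructed input: as a "password" it turns the unsafe WHERE clause into a tautology.
CRAFTED = "' OR '1'='1"


def compare_crafted_input() -> dict:
    """Run both checks against a fresh sample DB with an unknown user and the
    crafted password, plus one legitimate login through the safe path."""
    db = make_db()
    return {"unsafe": login_unsafe(db, "nobody", CRAFTED),   # returns a row: bypassed
            "safe": login_safe(db, "nobody", CRAFTED),       # None: treated as data
            "legit": login_safe(db, "alice", "hash-of-alice-pw")}


if __name__ == "__main__":
    for name, result in compare_crafted_input().items():
        print(f"{name}: {result}")
    print("users by role:", list_users(make_db(), "role"))
```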
A web application firewall (WAF) is often used to filter out SQLi, as well as other
online threats. A WAF relies on a large and frequently updated list of signatures
that allow it to filter out malicious SQL queries. Usually, the list holds signatures
to address specific attack vectors and is regularly patched in response to newly
discovered vulnerabilities.
In-band SQLi
Also known as a classic SQLi, an in-band SQLi is when hackers use the same
channel (or band) both to launch the attack and to collect its results. An
in-band SQLi is most commonly achieved through two methods: error-based and
Union-based attacks.
Inferential SQLi
Also known as a blind SQL injection, an inferential SQLi is when hackers send
data payloads to a database server to observe its response and behavior without
being able to see what is actually occurring within the database. The server's
response provides the attacker with clues that they can use to adjust their attack
strategy.
An inferential SQLi can be either Boolean or time-based. A Boolean SQLi uses
true or false statements to solicit a response, while a time-based SQLi sets a
designated response period.
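A minimal signature check of the kind a WAF or log monitor applies, run over constructed web-server log lines, as an added example that is not part of the original notes. It labels hits by the in-band and inferential classes described above, and it URL-decodes the request first, because a filter that matches the raw request misses percent-encoded input. The patterns, log lines and addresses are illustrative, not a production ruleset.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# (pattern, label) pairs, grouped by the SQLi classes described in the text.
SIGNATURES = [
    (re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "in-band (union-based)"),
    (re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I), "inferential (boolean tautology)"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I), "inferential (time-based)"),
    (re.compile(r"\bwaitfor\s+delay\b", re.I), "inferential (time-based)"),
    (re.compile(r"(--|/\*)"), "comment sequence (possible query truncation)"),
]

# Common Log Format: client, ident, user, [time], "METHOD PATH PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def decode_request(path: str) -> str:
    """Decode percent-encoding and '+' so signatures see the same text the database does."""
    return unquote_plus(path)


def classify(path: str) -> List[str]:
    """Labels of every signature that matches the decoded request path."""
    decoded = decode_request(path)
    return [label for pattern, label in SIGNATURES if pattern.search(decoded)]


def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, decoded path, labels) for each line matching a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        labels = classify(m["path"])
        if labels:
            hits.append((m["ip"], decode_request(m["path"]), labels))
    return hits


# Constructed sample access-log lines; the IPs are documentation addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /item?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /item?id=42+UNION+SELECT+username,password_hash+FROM+users HTTP/1.1" 500 211',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /item?id=42%3BWAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=credit+union+select+branch HTTP/1.1" 200 3310',
]

if __name__ == "__main__":
    for ip, path, labels in scan_log(SAMPLE_LOG):
        print(ip, path, "->", ", ".join(labels))
```

The last sample line is a benign search that the crude union signature also flags, which is why real WAF rulesets need tuning and regular updates rather than a fixed pattern list.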
Out-of-band SQLi
Advantages of E-Governance:
The supreme goal of e-governance is to be able to provide an increased portfolio
of public services to citizens in a systematic and cost-effective way. It allows for
government transparency because it allows the public to be informed about what
the government is working on as well as the policies they are trying to implement.
The main advantage while executing electronic government will be to enhance
the efficiency of the current system.
Another advantage is that it increases transparency in the administration,
reduces costs, increases revenue growth, and also improves relationships
between the public and the civic authorities.
Disadvantages of E-Governance:
The main disadvantage regarding e-governance is the absence of fairness in
public access to the internet, of trustworthy information on the web, and
disguised agendas of government groups that could have an impact and could
bias public opinions.
● Identity theft occurs when someone steals your personal information and
credentials to commit fraud.
● There are various forms of identity theft, but the most common is financial.
● Identity theft protection is a growing industry that keeps track of people's
credit reports, financial activity, and Social Security Number use.
Victims of identity theft often do not know their identity has been stolen until they
begin receiving calls from creditors or are turned down for a loan because of a
bad credit score.
If identity thieves obtain your Social Security Number, they can use it to apply for
credit cards and loans and then not pay outstanding balances. Fraudsters can
also use your number to receive medical, disability, and other benefits.
In child identity theft, someone uses a child's identity for various forms of
personal gain. This is common, as children typically do not have information
associated with them that could pose obstacles for the perpetrator.
The fraudster may use the child's name and Social Security Number to obtain a
residence, find employment, obtain loans, or avoid arrest on outstanding
warrants. Often, the victim is a family member, the child of a friend, or someone
else close to the perpetrator. Some people even steal the personal information of
deceased loved ones.
Tax identity theft occurs when someone uses your personal information, including
your Social Security Number, to file a bogus state or federal tax return in your
name and collect a refund.
In this post, we outline the various types of contracts and legal issues with
enforcement of such contracts.
Types of E-Contracts
Three common kinds of electronic contract are browse wrap, shrink wrap and
click wrap contracts.