Cyber Security CSA320 NOTES


CYBER SECURITY (CSA320)

UNIT-I
INTRODUCTION
Overview of Cyber Security
Cyber security is the practice of defending computers, servers, mobile devices,
electronic systems, networks, and data from malicious attacks. It's also known as
information technology security or electronic information security. The term applies in
a variety of contexts, from business to mobile computing, and can be divided into a
few common categories.

· Network security is the practice of securing a computer network from intruders,
whether targeted attackers or opportunistic malware.

· Application security focuses on keeping software and devices free of threats. A
compromised application could provide access to the data it's designed to protect.
Successful security begins in the design stage, well before a program or device is
deployed.

· Information security protects the integrity and privacy of data, both in storage
and in transit.

· Operational security includes the processes and decisions for handling and
protecting data assets. The permissions users have when accessing a network and the
procedures that determine how and where data may be stored or shared all fall under
this umbrella.

· Disaster recovery and business continuity define how an organization responds
to a cyber-security incident or any other event that causes the loss of operations or
data. Disaster recovery policies dictate how the organization restores its operations
and information to return to the same operating capacity as before the event. Business
continuity is the plan the organization falls back on while trying to operate without
certain resources.

Cyber Threats
A cyber or cyber security threat is a malicious act that seeks to damage data, steal data,
or disrupt digital life in general. Cyber threats include computer viruses, data
breaches, Denial of Service (DoS) attacks, and other attack vectors. Cyber threats also
refer to the possibility of a successful cyber-attack that aims to gain unauthorized
access, damage, disrupt, or steal an information technology asset, computer network,
intellectual property, or any other form of sensitive data. Cyber threats can come from
within an organization by trusted users or from remote locations by unknown parties.

Types of cyber threats:

1. Cyber Warfare
2. Cyber Crime
3. Cyber Terrorism
4. Cyber Espionage

1. Cyber Warfare: Cyber Warfare is typically defined as a set of actions by a nation or
organization to attack countries' or institutions' computer network systems with the
intention of disrupting, damaging, or destroying infrastructure by computer viruses or
denial-of-service attacks. Cyber warfare can take many forms, but all of them involve
either the destabilization or destruction of critical systems. The objective is to weaken
the target country by compromising its core systems.

This means cyber warfare may take several different shapes:

❖ Attacks on financial infrastructure
❖ Attacks on public infrastructure like dams or electrical systems
❖ Attacks on safety infrastructure like traffic signals or early warning systems
❖ Attacks against military resources or organizations

2. Cyber Crime: Cybercrime is criminal activity that either targets or uses a computer,
a computer network or a networked device. Most cybercrime is committed by
cybercriminals or hackers who want to make money. However, occasionally
cybercrime aims to damage computers or networks for reasons other than profit. These
could be political or personal.

Cybercrime can be carried out by individuals or organizations. Some cybercriminals
are organized, use advanced techniques and are highly technically skilled. Others are
novice hackers.

Types of cybercrime include:

● Email and internet fraud.
● Identity fraud (where personal information is stolen and used).
● Theft of financial or card payment data.
● Theft and sale of corporate data.
● Cyber extortion (demanding money to prevent a threatened attack).
● Ransomware attacks (a type of cyber extortion).
● Cryptojacking (where hackers mine cryptocurrency using resources they do not
own).

3. Cyber Terrorism: Cyber terrorism is often defined as any premeditated, politically
motivated attack against information systems, programs and data that threatens
violence or results in violence. Cyber Terrorist acts are carried out using computer
servers, other devices and networks visible on the public internet. Secured government
networks and other restricted networks are often targets.

Examples of cyber terrorism include the following:

● Disruption of major websites. The intent here is to create public inconvenience
or stop traffic to websites containing content the hackers disagree with.
● Unauthorized access. Attackers often aim to disable or modify
communications that control military or other critical technology.
● Disruption of critical infrastructure systems. Threat actors try to disable or
disrupt cities, cause a public health crisis, endanger public safety or cause
massive panic and fatalities. For example, cyber terrorists might target a water
treatment plant, cause a regional power outage or disrupt a pipeline, oil
refinery or fracking operation.

4. Cyber Espionage: Cyber espionage, or cyber spying, is a type of cyberattack in
which an unauthorized user attempts to access sensitive or classified data or
intellectual property (IP) for economic gain, competitive advantage or political reasons.
Cyber espionage attacks can be motivated by monetary gain; they may also be
deployed in conjunction with military operations or as an act of cyber terrorism or
cyber warfare. The impact of cyber espionage, particularly when it is part of a broader
military or political campaign, can lead to disruption of public services and
infrastructure, as well as loss of life.

Cyber spies most commonly attempt to access the following assets:

● Research & Development data and activity
● Academic research data
● IP, such as product formulas or blueprints
● Salaries, bonus structures and other sensitive information regarding
organizational finances and expenditures
● Client or customer lists and payment structures
● Business goals, strategic plans and marketing tactics
● Political strategies, affiliations and communications
● Military intelligence

Cyber Security Vulnerabilities

The importance of cyber security in sustaining business operations has increased
significantly as the value of data increases every day. Organizations must successfully
prevent employee and customer data breaches if they want to develop new business
connections and sustain long-term relationships. A thorough awareness of cyber
security vulnerabilities and the techniques used by threat actors to access networks is
necessary to achieve this level of security. Effective vulnerability management not only
improves security programmes but also lessens the impact of successful attacks.

Here are a few examples of cyber security vulnerabilities:

● Missing data encryption
● Lack of security cameras
● Unlocked doors at businesses
● Unrestricted upload of dangerous files
● Code downloads without integrity checks
● Using broken algorithms

Vulnerabilities in Software
A software vulnerability is a defect in software that could allow an attacker to gain
control of a system. These defects can be because of the way the software is designed,
or because of a flaw in the way that it is coded. An attacker first finds out whether a
system has a software vulnerability by scanning it. The scan can tell the attacker what
types of software are on the system, whether they are up to date, and whether any of
the software packages are vulnerable. Once the attacker knows that, he or she will have
a better idea of what types of attacks to launch against the system. A successful attack
would result in the attacker being able to run malicious commands on the target system.

Coding errors could introduce several types of vulnerabilities, which include the
following:

● Buffer overflows – These allow someone to put more data into an input field
than the field was designed to hold. An attacker can take advantage of this
by placing malicious commands into the overflow portion of the data field,
which would then execute.

● SQL Injection – This could allow an attacker to inject malicious commands into
the database of a web application. The attacker can do this by entering specially
crafted Structured Query Language commands into either a data field of a web
application form, or into the URL of the web application. If the attack is
successful, the unauthorized and unauthenticated attacker would be able to
retrieve or manipulate data from the database.

● Third-party libraries – Many programmers use third-party code libraries, rather
than try to write all software from scratch. This can be a real time-saver, but it
can also be dangerous if the library has any vulnerabilities. Before using any of
these libraries, developers need to verify that they don't have vulnerabilities.

● Application Programming Interfaces – An API, which allows software
programs to communicate with each other, could also introduce a software
vulnerability. Many APIs are not set up with strict security policies, which could
allow an unauthenticated attacker to gain entry into a system.
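The SQL injection bullet above describes the defect in words. The following added example (it is not from these notes) shows the vulnerable query beside its parameterized replacement, using Python's standard sqlite3 module and a constructed in-memory users table; the table contents and the test input are invented for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defect the notes describe: the form field is pasted straight into the SQL
    text, so quote characters in the input become part of the command itself."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value is bound as a parameter, so the driver treats it as
    data and it can never change the shape of the query."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed test input: the textbook tautology typed into a login form field.
HOSTILE_INPUT = "' OR '1'='1"


def compare(username):
    """Return (rows from the vulnerable query, rows from the parameterized query)
    for a single input, so the two behaviours can be put side by side."""
    conn = make_db()
    return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)


if __name__ == "__main__":
    for label, value in (("ordinary", "bob"), ("hostile", HOSTILE_INPUT)):
        vuln, safe = compare(value)
        print(f"{label:8} input={value!r}: vulnerable returned {len(vuln)} row(s), "
              f"parameterized returned {len(safe)} row(s)")
```

With the ordinary input both functions return the same single row; with the hostile input the string-built query's WHERE clause becomes `username = '' OR '1'='1'` and returns every user, while the parameterized query looks for a user literally named `' OR '1'='1` and returns nothing. The fix is not escaping the input but keeping it out of the SQL text altogether.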

System Administration
System administration refers to the management of one or more hardware and
software systems. The task is performed by a system administrator who monitors
system health, monitors and allocates system resources like disk space, performs
backups, provides user access, manages user accounts, monitors system security and
performs many other functions.

The system administrator's responsibilities are diverse and involve many areas of an
organization's technology systems. This IT professional may be responsible for some
or all of the areas listed below, depending on an organization's structure and scope:

● Design, organize, modify, and support an organization's computer systems,
including operating systems, business applications, security tools, web servers,
email systems, and user hardware (laptops, PCs).
● Quickly resolve any system failures and troubleshoot issues.
● Upgrade and manage hardware and software.
● Install and configure local area networks (LANs), wide area networks (WANs),
and network segments and servers, such as file servers, VPN gateways, and
intrusion detection systems.
● Ensure an uninterrupted internet connection and manage mail servers for
sending and receiving emails and file servers for saving and managing data.
● Oversee system performance and report generation.
● Manage user accounts, credentials, permissions, access rights, storage allocations,
and Active Directory administration.

Complex Network Architectures

Network architecture refers to a network's structural and logical layout. It describes
how the network devices are connected and the rules that govern data transfer
between them.

Types of Networking Architecture

Two types of network architecture are in use:

● Peer-To-Peer network
● Client/Server network

Peer-To-Peer network:

● A Peer-To-Peer network is a network in which all the computers are linked
together with equal privilege and responsibilities for processing the data.
● A Peer-To-Peer network is useful for small environments, usually up to 10
computers.
● A Peer-To-Peer network has no dedicated server.
● Special permissions are assigned to each computer for sharing the resources, but
this can lead to a problem if the computer holding the resource is down.

Advantages of Peer-To-Peer Network:

● It is less costly as it does not contain any dedicated server.
● If one computer stops working, the other computers will not stop working.
● It is easy to set up and maintain as each computer manages itself.

Disadvantages of Peer-To-Peer Network:

● A Peer-To-Peer network has no centralized system, so the data cannot be backed
up centrally; it is spread across different locations.
● Security is weaker because each device manages its own security.


Client/Server Network:

● A Client/Server network is a network model designed for end users, called
clients, to access resources such as songs, videos, etc. from a central computer
known as the server.
● The central controller is known as a server, while all other computers in the
network are called clients.
● A server performs all the major operations such as security and network
management.
● A server is responsible for managing all the resources such as files, directories,
printers, etc.

Advantages of Client/Server network:

● A Client/Server network contains a centralized system. Therefore, we can back
up the data easily.
● A Client/Server network has a dedicated server that improves the overall
performance of the whole system.
● Security is better in a Client/Server network as a single server administers the
shared resources.
● It also increases the speed of sharing resources.

Disadvantages of Client/Server network:

● A Client/Server network is expensive as it requires a server with large memory.
● A server runs a Network Operating System (NOS) to provide the resources to the
clients, but the cost of a NOS is very high.
● It requires a dedicated network administrator to manage all the resources.

Open Access to Organizational Data

Open access is a broad international movement that seeks to grant free and open
online access to academic information, such as publications and data. A publication is
defined as 'open access' when there are no financial, legal or technical barriers to
accessing it - that is to say when anyone can read, download, copy, distribute, print,
search for and search within the information, or use it in education or in any other way
within the legal agreements. Currently, there are more than 12,000 academic journals
accessible in the Directory of Open Access Journals, and more than 3,500 archives are
included in the Directory of Open Access Repositories. About 28 percent of peer-
reviewed articles today are open access, and the number is increasing with each
passing year.

Research funders are playing an increasingly important role in accelerating the
adoption of Open Access. The Wellcome Trust in the United Kingdom has led the way,
becoming the world's first funder to mandate open access for publication of the
research it funds. Scores of other research funders—including the largest funder of
research in the world, the United States. Academic and research institutions have also
embraced open access, with faculty at more than 850 colleges and universities voting to
adopt campus-wide open access policies. Harvard, MIT, the University of Nairobi, and
the entire University of California System have joined the ranks of institutions that
have open access mandates.

Weak Authentication
The more difficult an authentication mechanism is to defeat, the stronger it is. Clearly
the authentication strength of a system should correlate to the value of the assets it is
protecting. Two-Factor and Multi-Factor Authentication solutions are appropriate for
systems that deal with highly valued assets.

Weak Authentication describes any scenario in which the strength of the
authentication mechanism is relatively weak compared to the value of the assets being
protected.

It also describes scenarios in which the authentication mechanism is flawed or
vulnerable:

Password Strength:

The “strength” of a password is related to the potential set of combinations that would
need to be searched in order to guess it.

Thus, the following factors influence password strength:

● Length: The number of characters in the password. The greater the length, the
greater the strength.
● Character Set: The range of possible characters that can be used in the password.
The broader the range of characters, the greater the strength. It is typical for
strong password schemes to require upper- and lower-case letters, digits, and
punctuation characters.

Password Policy:

Password Policy describes the rules that are enforced regarding password strength,
changes, and re-use. An effective password policy supports strong authentication. It
is generally accepted that each of the following will increase the integrity of the
authentication process:

● Periodically changing the password for an account makes it less likely that a
password will be compromised, or that a compromised password will be used.
This is termed password expiration.
● Prohibiting the re-use of the same (or a similar) password to the one being
changed will prevent password expiration from being circumvented by users.
● Enforcing minimum strength rules for passwords will guarantee application
compliance with the Password Policy.
● Prohibiting dictionary words and/or popular passwords will make password
cracking less likely.
● The use of secret questions to further demonstrate identity.

Password Cracking:

There are countless hacking tools and frameworks available to help an attacker guess a
password through an automated sequence of attempts. This is called "brute forcing"
because such tools will attempt all possible password combinations given a set of
constraints in an attempt to authenticate. An application that does not protect itself
against password cracking in some manner may be considered as having a Weak
Authentication vulnerability, depending on the requirements and risk level.

Dictionary Attacks:

In addition to brute force attacks, password cracking tools also typically have the
ability to test a file of candidate passwords. This is called a dictionary attack because
the file used may actually be a dictionary of words. Passwords that can be found in a
dictionary are considered weak because they can eventually be discovered using a
dictionary attack. An application that allows dictionary words as passwords may be
considered as having a Weak Authentication vulnerability, depending on the application
requirements and risk level.

Popular Passwords:

Since passwords are usually freely chosen and must be remembered, and given that
humans are lazy, passwords that are easy to remember tend to be more popular than
those that are not. In fact, some passwords become very popular and are used far
more frequently than might be expected. Although the most popular entries change
over time, a published "top-N" list of the most common passwords can always be found
online. Clearly it is in the user's best interest to avoid the most popular passwords.
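The Password Strength, Password Policy, Dictionary Attacks and Popular Passwords sections above all describe rules that an application can enforce at the moment a user chooses a password. The following added example (not from these notes) implements those checks in Python: the search space a brute-force tool would have to cover for a given length and character set, a minimum-strength rule, a dictionary and popular-password check, a re-use check that also catches "similar" passwords (same word with the digits or punctuation changed), and an expiration check. The minimum length, maximum age, dictionary and top-N list are all constructed stand-ins; a real deployment would load the last two from files.

```python
import string
from datetime import date

LOWER, UPPER, DIGITS, PUNCT = (string.ascii_lowercase, string.ascii_uppercase,
                               string.digits, string.punctuation)
CLASSES = (("lower", LOWER), ("upper", UPPER), ("digit", DIGITS), ("punctuation", PUNCT))

MIN_LENGTH = 12      # constructed policy value
MAX_AGE_DAYS = 90    # constructed policy value for password expiration

# Constructed stand-ins for a real word list and a published top-N list.
DICTIONARY = {"password", "winter", "summer", "dragon", "monkey", "welcome"}
POPULAR = {"123456", "password", "qwerty", "iloveyou", "password1", "admin123"}


def charset_size(password):
    """Size of the smallest standard character set that contains every character
    used; this is what a cracking tool would configure as its alphabet."""
    return sum(len(cls) for _, cls in CLASSES if any(c in cls for c in password))


def search_space(password):
    """Number of candidates an exhaustive brute-force run must try for this
    length and alphabet (the 'set of combinations' the notes refer to)."""
    return charset_size(password) ** len(password)


def core(password):
    """Reduce a password to its letters so that 'Winter2024!' and 'winter2023'
    are recognised as the same underlying word."""
    return "".join(c for c in password.lower() if c in LOWER)


def check_policy(password, history=()):
    """Return the list of policy violations; an empty list means the password is
    acceptable. `history` holds the account's previous passwords."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    missing = [name for name, cls in CLASSES if not any(c in cls for c in password)]
    if missing:
        violations.append("missing " + ", ".join(missing))
    if core(password) in DICTIONARY:
        violations.append("dictionary word")
    if password.lower() in POPULAR:
        violations.append("popular password")
    for old in history:
        if password == old or core(password) == core(old):
            violations.append("same as or similar to a previous password")
            break
    return violations


def is_expired(set_on, today):
    """Password expiration: True once the password is older than MAX_AGE_DAYS."""
    return (today - set_on).days > MAX_AGE_DAYS


if __name__ == "__main__":
    for pw in ("password", "Winter2024!", "Tr0ub4dor&3-horse"):
        print(f"{pw!r}: search space {search_space(pw):,}, "
              f"violations {check_policy(pw, history=['Winter2023!']) or 'none'}")
    print("expired:", is_expired(date(2024, 1, 1), date(2024, 4, 15)))
```

The similarity check is the part most policies get wrong: rejecting only exact re-use lets users rotate `Winter2023!` to `Winter2024!` and defeat expiration, which is exactly the circumvention the policy list warns about.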

Unprotected Broadband Communications

Broadband communications are usually considered to be any technology with
transmission rates above the fastest speed available over a telephone line. Broadband
transmission systems typically provide channels for data transmissions in different
directions and by many different users. An unsecured wireless connection is one you
can access without a password. Public networks offered in places like cafes are often
open. Although these provide free wireless Internet access, using public Internet comes
with dangers. If your home Internet is open, you should consider securing wireless
access to protect your data and avoid legal trouble.

⮚ Unsecure Wi-Fi

The two types of public networks are ones that are left open by businesses and ones
that are left open by individuals. An open network from a business allows customers
to use the Internet in the establishment -- such as patrons of a coffee shop using the
network to work. An open network in a home comes from a router that hasn't been
secured. Sometimes this is unintentional, if the owner doesn't know that her network is
open. However, an unsecured wireless connection isn't always bad. Some experienced
users opt to leave their Wi-Fi open for the public to access, with proper security
precautions to protect their data and bandwidth.

⮚ Implementing Wireless Security

Every router has some wireless security features built into the settings. Log in to your
router's administration settings using your browser; if you've never done this before,
the IP address and default login details are usually on the bottom of the router. When
choosing wireless security, WPA2 is the most secure, while WEP is the easiest for
outside users to crack. Set a strong password, and only share the password with
people you trust. Some routers also offer a Guest Network setting, which allows you to
create a secure wireless network and another unsecure network, which offers you
home security and an open network for visitors or neighbors.

⮚ Safety on Public Networks

If you routinely access public networks, you can still browse safely. Avoid entering
anything sensitive, such as bank or credit card information. If you have to access this
data, consider using a virtual private network (VPN), which encrypts all the data you
send using an external server.

Poor Cyber Security Awareness

Information is easily shareable across the Internet at nearly the speed of light,
depending on network connections. In reality, someone on the other side of the world
can steal your data in the blink of an eye. Companies will do what they can to protect
your information, but you should also do what you can to keep it safe as well.

1. Outdated Software

Websites are not the only way you can be hacked, either. Operating systems on your
computer, mobile devices or even the software running your wireless network at home
are easy for hackers to compromise. Updates to software do more than fix operational
bugs. In many instances, these updates include fixes for security vulnerabilities; running
that old copy of Windows 7 without security updates turned on, for example, could
compromise your personal data.

2. Not Understanding the Threat

One of the most common reasons why cyber-attacks cause so much damage is a lack
of proper understanding. A lot of people believe themselves to be immune from threats
and don't really put thought into how dangerous attacks can become.

Even something as simple as a web browser can lead to all kinds of problems in work
and personal lifestyles. According to Kaspersky Lab, a leader in antivirus software,
attackers used web browsers 62% of the time to spread mayhem.

3. Lack of Proper Protection

One of the leading ways hackers gain a foothold in your systems is improper
protection. Remember the comment earlier about not locking your door at night?
Essentially, a lack of security software on your computer or website would be like
removing that door entirely. More than 304 million cyber-attacks were recorded in
2015. Although most of these were thwarted, it puts into perspective just how
virulent attacks are in the world. In fact, more than 27% of all malware pieces recorded
throughout history were produced that same year.

4. Effects of Ransomware

Ransomware has been around for quite some time, but it has grown exponentially
since 2015. Essentially, this is when someone gains control of a database or computer
system and blocks its use until a “ransom” is paid. However, these kinds of attacks
only happen less than one percent of the time. To put this into perspective, the
Hollywood Presbyterian Medical Center’s network in Los Angeles was held hostage in
2016 until a $17,000 Bitcoin ransom was paid. Because of the number of lives that are
held in the balance from attacks like this, it’s much easier to extort money.

5. Evolving Software

Some forms of attacks are extremely difficult to track down and stop, even for high-
end software. For example, a polymorphic virus delivers a new payload every time it
expands. This means it essentially mutates each time making it very difficult to spot.
As many as 32% of computers with antivirus protection are infected at any given time.
This is often from new viral variants as well as polymorphic wares. All it takes is a
minor change in coding to help a virus become something new and undetectable.

Cyber Security Safeguards
Safeguards are the protective measures and controls prescribed to meet the security
requirements specified for an information system. Safeguards may include security
features, management constraints, personnel security, and security of physical
structures, areas, and devices. Some major cyber security safeguards are listed below:

1. Protect Your Information & Documents

2. Be Vigilant Against Tricks

3. Protect Your Communications

4. Be on Alert for “Phishing” to Prevent Account Takeovers

5. Look Out for Fake Notification Emails from Social Media Sites

Access Control
Access control is a data security process that enables organizations to manage who is
authorized to access corporate data and resources. Secure access control uses policies
that verify users are who they claim to be and ensure that appropriate access levels
are granted to users.

1. Audit: Organizations can enforce the principle of least privilege through the access
control audit process. This enables them to gather data around user activity and
analyze that information to discover potential access violations.
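The audit step above says that user activity data is gathered and analyzed to find access violations and to enforce least privilege. The following added example (not from these notes) shows what that analysis looks like in Python over a constructed permission table and access log: it reports requests that were denied (possible violations) and, just as importantly for least privilege, permissions that were granted but never exercised and are therefore candidates for removal. Users, permissions and the log are all invented.

```python
from collections import defaultdict

# Constructed grants: which permissions each account currently holds.
GRANTS = {
    "alice": {"invoices:read", "invoices:write", "users:admin"},
    "bob":   {"invoices:read"},
    "carol": {"invoices:read", "reports:read"},
}

# Constructed access log: (user, permission requested), in time order.
ACCESS_LOG = [
    ("alice", "invoices:read"),
    ("alice", "invoices:write"),
    ("bob",   "invoices:read"),
    ("bob",   "invoices:write"),   # not granted
    ("bob",   "users:admin"),      # not granted
    ("carol", "invoices:read"),
]


def is_authorized(user, permission, grants=GRANTS):
    """The enforcement decision made at request time: deny unless explicitly granted."""
    return permission in grants.get(user, set())


def audit(log, grants=GRANTS):
    """Replay the log against the grants.

    Returns (violations, unused):
      violations - requests for permissions the user does not hold;
      unused     - per user, granted permissions that never appeared in the log,
                   which a least-privilege review would consider revoking.
    """
    used = defaultdict(set)
    violations = []
    for user, perm in log:
        if is_authorized(user, perm, grants):
            used[user].add(perm)
        else:
            violations.append((user, perm))
    unused = {user: sorted(perms - used[user])
              for user, perms in grants.items() if perms - used[user]}
    return violations, unused


if __name__ == "__main__":
    violations, unused = audit(ACCESS_LOG)
    for user, perm in violations:
        print(f"DENIED  {user} requested {perm}")
    for user, perms in unused.items():
        print(f"UNUSED  {user} holds but never used: {', '.join(perms)}")
```

Two denied requests from the same account in a short span, as for `bob` here, is the kind of pattern the audit is meant to surface; the unused `users:admin` grant for `alice` is the quieter finding that least-privilege reviews exist to catch.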

2. Authentication: Authentication is the initial process of establishing the identity of a
user. For example, when a user signs in to their email service or online banking
account with a username and password combination, their identity has been
authenticated. However, authentication alone is not sufficient to protect organizations'
data.

3. Biometrics: A biometric access control system is one that determines whether or not
to let a person into a building or a specific room based on the individual's unique
physical biometric characteristics. It works by comparing something unique about the
person—such as face, fingerprint, iris, palm or hand geometry—to a database of
stored biometric templates of authorized users. If there is a match, the person is
allowed in; otherwise, the person is denied access. It provides significant physical
security benefits for protecting a wide variety of locations from intruders.

4. Cryptography: Cryptography is a method of protecting information and
communications through the use of codes, so that only those for whom the information
is intended can read and process it. Procedures and protocols that provide these
protections are known as cryptosystems. Cryptosystems are often thought to
refer only to mathematical procedures and computer programs; however, they also
include the regulation of human behavior, such as choosing hard-to-guess passwords,
logging off unused systems and not discussing sensitive procedures with outsiders.

5. Deception: Deception technology is a cyber security defense practice that aims to
deceive attackers by distributing a collection of traps and decoys across a system's
infrastructure to imitate genuine assets. If an intruder triggers a decoy, then the server
will log and monitor the attack vectors utilized throughout the duration of the
engagement. Deception technology provides security teams with a number of tactics
and resulting benefits to help:

● Decrease attacker dwell time on their network
● Expedite the average time to detect and remediate threats
● Reduce alert fatigue
● Produce metrics surrounding indicators of compromise (IOCs) and tactics,
techniques, and procedures (TTPs).

6. Denial of Service Filters: The DoS Filter window is used to enable or disable the
Denial of Service filter. The DoS filter automatically scans traffic passing through the
switch for well-known frames (based on packet signature) that are typically used to
conduct Denial of Service attacks against network devices. Once a frame is identified as
a threat, it is automatically dropped.

a. Open the DoS Filter subtab on the Security tab.

b. To disable DoS filtering, select Disable from the DoS Filtering drop-down list.

c. To enable DoS filtering, select Enable from the DoS Filtering drop-down list.

d. Click Apply Changes.

7. Ethical Hacking: Ethical Hacking is defined as any form of hacking that is
authorized by the owner of the target system. It can also refer to the process of taking
active security measures to defend systems from hackers with malicious intentions on
data privacy. From a technical standpoint, Ethical Hacking is the process of bypassing
or cracking security measures implemented by a system to find out vulnerabilities,
data breaches, and potential threats. It is only deemed ethical if the regional or
organizational cyber laws/rules are followed.

8. Firewalls: A firewall is a network security device that monitors incoming and
outgoing network traffic and permits or blocks data packets based on a set of security
rules. Its purpose is to establish a barrier between your internal network and incoming
traffic from external sources (such as the internet) in order to block malicious traffic
like viruses and hackers. Firewalls can either be software or hardware, though it’s best
to have both. A software firewall is a program installed on each computer and
regulates traffic through port numbers and applications, while a physical firewall is a
piece of equipment installed between your network and gateway.
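As an added illustration (not part of these notes) of how a software firewall "permits or blocks data packets based on a set of security rules", the Python below evaluates a constructed ruleset top-down with first-match semantics and a default-deny fallback for anything no rule covers. The addresses, ports and rules are all invented for the example; real firewalls add state tracking and many more match fields, but the ordering and default-deny behaviour shown here is the part that most often goes wrong in practice.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str         # source IP address
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    direction: str   # "in" (from the internet) or "out" (from the LAN)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "block"
    direction: str = "any"
    src: str = "0.0.0.0/0"       # source network the rule applies to
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and ip_address(pkt.src) in ip_network(self.src)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed ruleset for a small office (192.168.1.0/24 is the assumed LAN):
#   - inbound remote desktop is blocked from everywhere, before any permit can match
#   - inbound HTTPS to the public web server is allowed from anywhere
#   - inbound SSH is allowed only from the LAN
#   - LAN hosts may send anything outbound
#   - everything else falls through to the default deny in decide()
RULES = [
    Rule("block",  "in",  "0.0.0.0/0",      "tcp", 3389),
    Rule("permit", "in",  "0.0.0.0/0",      "tcp", 443),
    Rule("permit", "in",  "192.168.1.0/24", "tcp", 22),
    Rule("permit", "out", "192.168.1.0/24", "any"),
]


def decide(pkt: Packet, rules=RULES):
    """Return (action, index of the matching rule); index is None when the
    default-deny fallback applied because no rule matched."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "block", None


def filter_packets(pkts, rules=RULES):
    """Apply decide() to a batch of packets and return the actions in order."""
    return [decide(p, rules)[0] for p in pkts]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5",  "tcp", 443,  "in"),   # public HTTPS
        Packet("203.0.113.5",  "tcp", 22,   "in"),   # SSH from the internet
        Packet("192.168.1.20", "tcp", 22,   "in"),   # SSH from the LAN
        Packet("198.51.100.7", "tcp", 3389, "in"),   # RDP from the internet
        Packet("192.168.1.20", "udp", 53,   "out"),  # DNS lookup from a LAN host
        Packet("10.0.0.5",     "tcp", 80,   "out"),  # unknown source network
    ]
    for pkt, (action, idx) in zip(samples, (decide(p) for p in samples)):
        print(f"{pkt.direction:3} {pkt.src:>14} {pkt.proto}/{pkt.dport:<5} -> {action} "
              f"(rule {idx if idx is not None else 'default'})")
```

Note that the SSH packet from the internet is blocked even though no rule names it: that is the default deny doing its job. Reordering the list so the broad outbound permit came first would not change these results, but placing a general inbound permit above the RDP block would silently re-open port 3389, which is why rule order is reviewed as carefully as the rules themselves.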

9. Intrusion Detection Systems: An Intrusion Detection System (IDS) is a system that
monitors network traffic for suspicious activity and issues alerts when such activity is
discovered. It is a software application that scans a network or a system for harmful
activity or policy violations. Although intrusion detection systems monitor networks
for potentially malicious activity, they are also prone to false alarms. Hence,
organizations need to fine-tune their IDS products when they first install them. This
means properly setting up the intrusion detection system to recognize what normal
traffic on the network looks like as compared to malicious activity.
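The tuning problem just described, teaching the IDS what normal traffic looks like so it does not flood analysts with false alarms, is shown in this added example (not from the notes). A small detector reads constructed authentication log lines, raises an alert when one source fails too many logins inside a sliding time window, and accepts a baseline of known-benign sources so that a noisy but harmless host can be tuned out instead of alerting every day. The log format, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<date> <time> <service> login <failed|succeeded> user=<u> src=<ip>"
LOG_RE = re.compile(r"^(\S+ \S+) (\w+) login (failed|succeeded) user=(\S+) src=(\S+)$")

# Constructed sample log. 203.0.113.9 tries five accounts in eight seconds (a
# password-guessing pattern); 192.168.1.21 fails twice, minutes apart (a user
# mistyping); 10.0.0.5 is a host whose stale service credential fails constantly.
SAMPLE_LOG = """\
2024-05-01 10:00:01 sshd login failed user=root src=203.0.113.9
2024-05-01 10:00:03 sshd login failed user=admin src=203.0.113.9
2024-05-01 10:00:04 sshd login failed user=test src=203.0.113.9
2024-05-01 10:00:06 sshd login failed user=oracle src=203.0.113.9
2024-05-01 10:00:07 sshd login failed user=guest src=203.0.113.9
2024-05-01 10:00:09 sshd login succeeded user=alice src=192.168.1.20
2024-05-01 10:00:15 sshd login failed user=bob src=192.168.1.21
2024-05-01 10:02:30 sshd login failed user=bob src=192.168.1.21
2024-05-01 10:03:00 sshd login failed user=svc src=10.0.0.5
2024-05-01 10:03:01 sshd login failed user=svc src=10.0.0.5
2024-05-01 10:03:02 sshd login failed user=svc src=10.0.0.5
2024-05-01 10:03:03 sshd login failed user=svc src=10.0.0.5
2024-05-01 10:03:04 sshd login failed user=svc src=10.0.0.5
"""


def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, service, outcome, user, src = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "service": service,
            "outcome": outcome, "user": user, "src": src}


def detect_bruteforce(lines, threshold=5, window_s=60, baseline=frozenset()):
    """Alert once per source that records `threshold` failed logins within any
    `window_s`-second window. `baseline` is the tuning knob: sources an analyst
    has confirmed as benign noise are skipped rather than alerted on."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["outcome"] != "failed" or ev["src"] in baseline:
            continue
        window = recent[ev["src"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()      # drop failures that have aged out of the window
        if len(window) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], len(window), ev["ts"]))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("untuned:", detect_bruteforce(lines))
    print("tuned:  ", detect_bruteforce(lines, baseline={"10.0.0.5"}))
```

Untuned, the detector fires on both the guessing source and the misconfigured internal host; after the baseline entry is added it fires only on the real attack, and the two mistyped passwords never alert because the sliding window, not a simple lifetime count, is what is compared against the threshold. Baselining a source is only the right tuning step after the cause of its noise has been confirmed; the better fix for 10.0.0.5 is to repair the credential and remove it from the baseline again.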

10. Incident Response: Incident response is a set of information security policies and
procedures that you can use to identify, contain, and eliminate cyber attacks. The goal of
incident response is to enable an organization to quickly detect and halt attacks,
minimizing damage and preventing future attacks of the same type. There are six steps
to incident response. These six steps occur in a cycle each time an incident occurs. The
steps are:

➢ Preparation of systems and procedures
➢ Identification of incidents
➢ Containment of attackers and incident activity
➢ Eradication of attackers and re-entry options
➢ Recovery from incidents, including restoration of systems
➢ Lessons learned and application of feedback to the next round of
preparation

11. Scanning: Security scanning, or vulnerability scanning, can mean many different
things, but it can be simply described as scanning the security of a website, web-based
program, network, or file system for either vulnerabilities or unwanted file changes.
The type of security scanning required for a particular system depends on what that
system is used for. The more complicated and intricate the system or network is, the
more in-depth the security scan has to be. Security scanning can be done as a one-time
check, but most companies that incorporate this into their security practices buy a
service that continually scans their systems and networks.

12. Security Policy: A cyber security policy explains the rules for how employees,
consultants, partners, board members, and other end-users access online applications
and internet resources, send data over networks, and otherwise practice responsible
security. For large organizations or those in regulated industries, a cybersecurity policy
is often dozens of pages long. For small organizations, however, a security policy
might be only a few pages and cover basic safety practices. Such practices might
include:

● Rules for using email encryption
● Steps for accessing work applications remotely
● Guidelines for creating and safeguarding passwords
● Rules on use of social media

13. Threat Management: Threat management, or cyber threat management, is a
framework often used by cyber security professionals to manage the life cycle of a
threat in an effort to identify and respond to it with speed and accuracy. The
foundation of threat management is a seamless integration between people, process
and technology to stay ahead of threats. Organizations that successfully adopt and
implement the threat management framework often benefit from:

● Lower risk with faster threat detection, consistent investigations and faster
response
● Continuous improvement through built-in process measurement and reporting
● Increased security team skills, effectiveness and morale.

UNIT-II
SECURING WEB APPLICATIONS, SERVICES, SERVERS
AND INTRUSION DETECTION AND PREVENTION

Introduction to Web Application Security

Web application security (also known as Web AppSec) is the idea of building websites
that continue to function as expected even when they are under attack. The concept
involves a collection of security controls engineered into a Web application to protect
its assets from potentially malicious agents. Web applications, like all software,
inevitably contain defects, and some of those defects are exploitable.

The following non-exhaustive list of features should be reviewed during Web
application security testing. An inappropriate implementation of each could result in
vulnerabilities, creating serious risk for your organization.

● Application and server configuration. Potential defects are related to
encryption/cryptographic configurations, Web server configurations, etc.
● Input validation and error handling. SQL injection, cross-site scripting (XSS), and
other common injection vulnerabilities are the result of poor input and output
handling: untrusted input is passed to an interpreter (a database, a browser, a shell)
without being validated on the way in or encoded on the way out.
● Authentication and session management. Vulnerabilities potentially resulting in
user impersonation. Credential strength and protection should also be
considered.
● Authorization. Testing the ability of the application to protect against vertical
and horizontal privilege escalations.
● Business logic. These are important to most applications that provide business
functionality.
● Client-side logic. With modern, JavaScript-heavy web pages, in addition to web
pages using older client-side technologies (e.g., Silverlight, Flash, Java
applets, all of which are now retired), this type of feature is becoming more
prevalent.
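The input-handling point above, shown as an added example that is not part of the original notes: a login lookup built by string concatenation beside the same lookup as a parameterised query, using Python's standard sqlite3 module. The users table and the two accounts are constructed for the demonstration, and the passwords are stored in clear text only so that the injection stays visible.

```python
import sqlite3


# Constructed in-memory database with two sample accounts. Passwords are stored in clear
# text here only to keep the injection visible; real systems store password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "admin"), ("bob", "hunter2hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: whatever the client typed becomes part of the SQL text."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text and are never
    parsed as SQL, so quote characters inside them are just data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# A classic payload: closes the string literal and comments out the password check.
ATTACK_USERNAME = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, ATTACK_USERNAME, "wrong"))  # logged in as alice
    print("hardened:  ", login_hardened(db, ATTACK_USERNAME, "wrong"))    # None
```

Input validation (rejecting quotes, length limits) is worth having as defence in depth, but it is the parameterisation that removes the vulnerability: the database driver never gets the chance to interpret the username as SQL.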

Basic Security for HTTP Applications

HTTP is used to communicate over the internet, so users, information providers, and
application developers should be aware of its security limitations. HTTP clients are
often privy to a large amount of personal information: the user's name, email
address, passwords, location, encryption keys, and so on. Care must be taken to prevent
unintentional leakage of this personal information to other parties through the HTTP
protocol itself. The HTTP/1.1 specification calls out the following concerns.

1. Abuse of Server Log Information

A server log records who requested what, when, and from where. That is personal data:
it should be protected as such, kept only as long as it is needed, and not handed to
third parties or published. Personal fields that must be retained should be stored
encrypted or pseudonymised.

2. Transfer of Sensitive Information

HTTP itself cannot regulate the content of the data it carries, and it has no way of
knowing which part of a message is sensitive, so the application has to decide. Two
details that are easy to overlook: revealing the exact software version of the server
(for example in the Server header) tells an attacker which known bugs to try, and
proxies that act as a portal through a firewall must take care with headers such as Via
that identify hosts behind the firewall.

3. Encoding Sensitive Information in URLs

The URL of the referring page can itself be private information (a session token in a
query string, an internal document path), so it is strongly recommended that the user
be able to choose whether the Referer field is sent at all. Clients should not include a
Referer field in a non-secure (plain HTTP) request if the referring page was transferred
over a secure protocol.
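The rule above (no Referer in a plain-HTTP request when the referring page was secure) is one case of what the modern Referrer-Policy header controls. The following is an added example, not from the original notes, that implements the client-side decision in Python for the main policy values; the URL pairs used to exercise it are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(url):
    """(scheme, host, effective port) so that default and explicit ports compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def _netloc(scheme, host, port):
    return host if port == DEFAULT_PORTS.get(scheme) else "%s:%s" % (host, port)


def _origin_only(url):
    scheme, host, port = _origin_parts(url)
    return "%s://%s/" % (scheme, _netloc(scheme, host, port))


def _full_url(url):
    """Full-URL referrer: userinfo and fragment are always dropped; path and query remain."""
    p = urlsplit(url)
    scheme, host, port = _origin_parts(url)
    return urlunsplit((scheme, _netloc(scheme, host, port), p.path or "/", p.query, ""))


def referer_header(referring_url, target_url, policy="strict-origin-when-cross-origin"):
    """Return the Referer value a client should send, or None to omit the header."""
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full_url(referring_url)
    ref, tgt = _origin_parts(referring_url), _origin_parts(target_url)
    downgrade = ref[0] == "https" and tgt[0] != "https"   # the HTTP/1.1 rule quoted above
    same_origin = ref == tgt
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full_url(referring_url)
    if policy == "same-origin":
        return _full_url(referring_url) if same_origin else None
    if policy == "origin":
        return _origin_only(referring_url)
    if policy == "strict-origin":
        return None if downgrade else _origin_only(referring_url)
    if policy == "origin-when-cross-origin":
        return _full_url(referring_url) if same_origin else _origin_only(referring_url)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return _full_url(referring_url) if same_origin else _origin_only(referring_url)
    raise ValueError("unknown Referrer-Policy: %r" % policy)
```

The default policy used here (strict-origin-when-cross-origin) is what current browsers apply when a site sets nothing: a cross-origin navigation leaks only the origin, and a downgrade to plain HTTP leaks nothing. A site whose URLs carry tokens should still set no-referrer or same-origin explicitly rather than rely on the default.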

4. Privacy Issues Connected to Accept Headers

Accept request headers (Accept, Accept-Language, Accept-Charset and so on) describe the
user's preferences and are sent to every server that is accessed. Together with the
User-Agent string they can pin down a user's language, region and software fairly
precisely, so a client should send only what the user has chosen to reveal.

Basic security for SOAP Services

SOAP is an abbreviation that stands for Simple Object Access Protocol. SOAP is an
XML-based API messaging protocol, and SOAP security is the set of measures that prevent
unauthorized access to SOAP messages and the user information they carry. The main
standard is WS-Security (Web Services Security), an OASIS specification that defines how
authentication and confidentiality are handled for SOAP messages. WS-Security-compliant
measures include XML digital signatures, XML encryption, X.509 certificates, and
username/password tokens, among others. XML encryption keeps the message body
unreadable to anyone who intercepts it but does not hold the key.

One widely cited industry estimate puts the average cost of a malware or ransomware
incident at $3.9 million. SOAP security protects the sensitive data in a company's
charge from falling into the wrong hands; in practice you integrate security into the
API infrastructure to protect the interests of your customers or clients.
SOAP Security Risks: There are several kinds of cyber-attacks and vulnerabilities, and
those uniquely targeting APIs make up the bulk of SOAP security risks. Some of them
include:

1. Code Injections – in SOAP, XML injection introduces attacker-controlled elements or
entities into a message so that the application or database behind it processes them.
Strict schema validation of every incoming message and a hardened XML parser (no
external entities) prevent these attacks; access control alone does not.

2. Leaked/Breached Access – most attacks begin with breached or leaked credentials. You
must ensure SOAP messages are readable by authorized parties only, for example by
encrypting them end to end rather than relying on the transport alone.

3. (Distributed) Denial of Service – DoS or DDoS attacks overwhelm web services with
too many or overly long messages (including XML documents built to expand to enormous
size when parsed). Limiting message length, nesting depth and volume in the SOAP
security layer prevents these attacks.

4. Cross-Site Scripting – script injected into a message is stored by the service and
later rendered, unescaped, in a web front end, where it runs in other users' browsers.

5. Session Hijacking – an unauthorized user obtains a session ID and, with it, gains
full access to the application and/or another user's account.

Identity Management and Web Services

An identity management system (IDMS) can be used to manage the identities and
privileges of computer systems as well as people. Thus, most significant deployments
of Web services for corporate information systems will sooner or later result in the
deployment of an IDMS. The implementation of an enterprise-wide identity
management system is of great interest to corporate security for several reasons.

• An IDMS closes IT security gaps related to enrolling and terminating employees, such
as accounts that stay active after the person has left.

• The deployment of an IDMS is typically accompanied by a role-based access control
(RBAC) scheme for the information systems. Once roles are jointly defined by human
resources and business managers, and once IT security privileges are assigned to the
roles, security privileges can be granted automatically upon enrollment in the IDMS.
Privileges are also changed automatically when an employee's position changes, and
revoked automatically upon the employee's termination.

• Physical security can leverage the defined corporate roles by defining access control
privileges to match, aligning physical security more tightly with the organization's job
roles. This does not require the access control system to be integrated with any other
system.

• Physical security can leverage the HR enrollment of employees by integrating the
physical access control system (PACS) with the IDMS, so that access control privileges
are managed automatically along with IT privileges as HR enrolls, re-assigns and
terminates employees.
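As an added example, not part of the original notes, the joiner/mover/leaver provisioning described above in Python: privileges are always derived from the role table, a role change revokes whatever the new role does not carry, termination revokes everything (IT and badge entitlements alike), and an audit flags any drift from the role definitions. The role table, users and privilege names are constructed for the example.

```python
# Constructed role -> entitlement mapping, the kind of table HR and IT would agree on.
ROLE_PRIVILEGES = {
    "finance-analyst": {"erp:ledger:read", "vpn", "badge:floor-3"},
    "finance-manager": {"erp:ledger:read", "erp:ledger:approve", "vpn", "badge:floor-3"},
    "contractor": {"vpn"},
}


class IdentityManager:
    """Joiner / mover / leaver provisioning driven purely by role membership."""

    def __init__(self, role_privileges=ROLE_PRIVILEGES):
        self.role_privileges = role_privileges
        self.accounts = {}   # user -> {"role": str or None, "granted": set, "active": bool}

    def enroll(self, user, role):
        """Joiner: HR enrolls the person, the role's privileges are granted automatically."""
        self.accounts[user] = {
            "role": role, "granted": set(self.role_privileges[role]), "active": True,
        }

    def change_role(self, user, new_role):
        """Mover: anything the new role does not carry is revoked, not accumulated."""
        acct = self.accounts[user]
        acct["role"] = new_role
        acct["granted"] = set(self.role_privileges[new_role])

    def terminate(self, user):
        """Leaver: every entitlement, IT and physical, goes at once."""
        acct = self.accounts[user]
        acct.update(role=None, granted=set(), active=False)

    def grant_adhoc(self, user, privilege):
        """An out-of-band grant (ticket, favour, emergency) that the audit below should catch."""
        self.accounts[user]["granted"].add(privilege)

    def privileges(self, user):
        return frozenset(self.accounts[user]["granted"])

    def audit(self):
        """Drift report: active accounts whose grants differ from their role definition,
        plus inactive accounts that still hold anything."""
        drift = {}
        for user, acct in self.accounts.items():
            expected = self.role_privileges[acct["role"]] if acct["active"] else set()
            extra, missing = acct["granted"] - expected, expected - acct["granted"]
            if extra or missing:
                drift[user] = {"extra": sorted(extra), "missing": sorted(missing)}
        return drift
```

The audit is the part that earns its keep in practice: the lifecycle functions only help if nothing else grants privileges, and something else always does, so the reconciliation against the role table has to run on a schedule.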

WEB SERVICES:

Web Services technology is a collection of standards and protocols designed to reduce
the amount of work it takes to accomplish integration (and thereby reduce cost and
schedule), and to provide flexible interfaces between systems that won't "break" when
one system or the other is updated or revised. IT departments are already using the
Web services approach to integration because it has many advantages over previous
approaches, and now physical security systems are beginning to use Web services to
connect to other systems as well.

Web services technology is being used to address business needs in the following ways:

• Enterprise Application Integration (this is the category for PACS and IDMS
integration)
• Improved Application Development Efficiency
• Business Partner Integration (suppliers, distributors, channels, etc.)
• Web Portal Integration, Business Activity Monitoring
• Extended Functionality for Web Applications

Authorization Patterns

These are security mechanisms that you can use to decide your client's privileges
related to system resources. These system resources could be files, services, data, and
application features, and the decision is built on your client's identity. OAuth 2.0,
for example, is a widely used framework for delegating such access. Three patterns for
placing the authorization data and logic in a microservice system are given below:

1. Scattered data and scattered logic pattern: In this pattern, the data required to make
authorization decisions is scattered across the different microservices. In addition to
the data, the logic that decides whether the requestor is given access or not is spread
across the services.
This pattern works for a small number of microservices, but problems appear as the
number of services grows: every service that needs to make a decision first has to fetch
roles, organization membership or sharing data from other services, and those calls put
an unnecessary load on the underlying services.

2. Centralized data and logic pattern: We can instead put all the authorization data
and logic in one place and separate it from the services that require authorization.
The common way to implement this pattern is to build a dedicated authorization service;
another option is to use an off-the-shelf solution such as Keycloak or Open Policy Agent.
Whenever a service has to perform a permission check, it turns around and asks the
authorization service.
Having a single system in charge of authorization is quite appealing, but some essential
points should be considered before settling on the pattern:

● The entire authorization data is now in a single place. Either the authorization
service becomes the single source of truth for that data, or you copy and
synchronize the data from your applications to the central place.
● The authorization service has to understand the entire data model underlying
permissions: groups, shares, folders, guests, projects. If those models change
constantly, the system becomes a bottleneck for new development, because a change
in any microservice may require an update to the authorization service, breaking
the separation of concerns.
● A single service responsible for securing every type of request needs high
availability as well as low latency. Every request is denied if the system goes
down, and every request slows down if the system starts answering queries slowly.

3. Scattered logic and central gateway data pattern: In this pattern the gateway
attaches all the data required for authorization (identity, roles, organization) to
every request before forwarding it, so each service does not have to fetch the data
separately, which reduces the load on the underlying services.
The advantage of this pattern is its architectural simplicity: developers need not be
concerned about where the roles or organization data originate, the authorization data
arrives with the request, and a permission check can be performed instantly without
additional round trips. The caveat is that each service must be able to verify that the
attached data really came from the gateway and was not supplied or altered by the
client; otherwise a caller can grant itself any role it likes.
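An added example (not from the original notes) of the third pattern in Python: the gateway attaches signed authorization data to each request and a downstream service verifies the signature and expiry before trusting the roles, so a client that writes its own header gets nothing. It assumes a shared HMAC key between gateway and services; the key value, the function names (gateway_attach, service_verify, can_approve_ledger) and the users are all chosen for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumed shared secret between the gateway and its services (demo value; in production
# it comes from a secret store and is rotated, or an asymmetric key pair is used so
# that services hold only the public half).
GATEWAY_KEY = b"demo-gateway-key-do-not-deploy"


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def gateway_attach(user_id, roles, now, ttl=60, key=GATEWAY_KEY):
    """Gateway side: serialise the authorization data and sign it before forwarding."""
    claims = {"sub": user_id, "roles": sorted(roles), "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def service_verify(header, now, key=GATEWAY_KEY):
    """Service side: accept the claims only if the MAC is valid and they have not expired."""
    if header is None or header.count(".") != 1:
        return None
    body, mac = header.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def can_approve_ledger(header, now):
    """A permission check that needs no round trip: the data arrived with the request."""
    claims = service_verify(header, now)
    return claims is not None and "finance-manager" in claims["roles"]


def forge_without_key(user_id, roles, now, ttl=60):
    """What a client can do on its own: produce the body, but not a valid MAC."""
    claims = {"sub": user_id, "roles": sorted(roles), "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return body + "." + hmac.new(b"guess", body.encode(), hashlib.sha256).hexdigest()
```

In a real deployment this header would be a standard signed token (a JWT or similar) with an audience claim, and the gateway would strip any copy of the header arriving from outside before adding its own; both details are omitted here to keep the verification step in view.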

Security Considerations
Data security consideration covers the protection of data and system resources against
unauthorized access, disclosure, or corruption. Data breaches may be intentional or
unintentional but ultimately cause large losses to the organization, so they need to be
taken seriously.

Five types of data security considerations are:

1. Backing up Data

The purpose of a data backup is to create extra copies of important files in a separate
storage location so that they can be restored after a failure. Human carelessness,
malicious attack (ransomware above all), or system faults can all trigger such a
failure. Backed-up data is kept on physical storage or in cloud storage. A backup that
the same attacker can reach and delete is not a backup, so at least one copy should be
offline or immutable, and restores should be tested.

2. Data Archiving for Security

As a business grows, keeping track of huge amounts of data and managing it becomes
difficult. Data archiving is the process of retaining inactive data in a secure place
for a long time. Such data may or may not be used in the future but must be kept for its
intended purpose, often a legal retention requirement. Archives have search facilities,
and indexing makes retrieval fast and easy. Archives hold old information that is
unnecessary for everyday tasks; storing such inactive information in primary storage
reduces its efficiency, so archiving reduces the load on primary storage by moving
unused data out of it.

3. Disposal of Data

An organization should dispose of data it no longer needs on a regular schedule, whether
that is cleaning out mailboxes or retiring old databases that are no longer relevant.
Data stored on physical media such as hard drives, USB sticks and tapes must be purged
(overwritten, cryptographically erased, or the media destroyed) before the device is
discarded; simply deleting files leaves the contents recoverable.

Information stored in the cloud must likewise be destroyed, typically by deleting the
data and the keys that encrypted it, to keep the organization's private data out of
reach of criminals. Every company must do this whenever it gets rid of anything that
holds data.

4. Location Security

Organizations face a daunting task in deciding where to locate their business-critical
data. Since the amount of data is enormous, it is stored across different devices in
multiple locations, from on-premises to cloud. Knowing where the data physically resides
is the starting point for planning its physical security and for meeting legal
restrictions on where certain data may be stored. Companies usually locate their data
centers some distance outside the city, and they need to look carefully at the
location's risks.

For example, a data center located in a disaster-prone area poses a large risk of data
loss during a calamity.

5. Redundant Utilities

The data center holds critical data and the facilities required to keep the business up
and running. To keep unwanted intruders out of the data center's perimeter, strong
barriers must be set up: two-factor authentication at the doors, access control, and
CCTV surveillance. But no matter how good the security, components still fail and
people still make mistakes, whether through negligence or malicious activity. Hence
duplication of the critical components of the system (power feeds, cooling, network
links, storage) becomes necessary. This increases the reliability of the system,
improves performance, and provides a fail-safe backup.

Challenges

For security teams, the number of controls they can implement to secure a web
application in production is limited, while for the attackers there is no limit on the
number of attack vectors they can try. The five most common web application security
challenges are:

1. Injection: Injection is a class of attack in which the attacker supplies input
(something as simple as filling in a form on the website) that the server passes into an
interpreter, so that the input is executed as a command rather than treated as data.
SQL injection is the best-known case: the injected text becomes part of a database
query. If it succeeds, the attacker can read data from the database, add new data,
update or delete data, issue administrator commands to carry out privileged database
tasks, or in some cases even issue commands to the operating system.

2. Broken Authentication: This is the case where the authentication system of the web
application can be bypassed, which leads to a series of further threats. The most common
route is that the application permits weak passwords (dictionary words or common choices
such as "12345678" or "password") and does not limit login attempts, so an adversary can
brute-force an account and impersonate its user. Password reuse makes it worse: surveys
cited in this context claim that 59% of people use the same passwords on all the
websites they use, and that 90% of passwords can be cracked in about six hours once a
password database leaks. It is therefore important to require strong passwords (length
matters more than forcing a mix of character classes) and to check them against lists
of known-breached passwords. Broken authentication also arises from credential stuffing
(replaying leaked username/password pairs), from session IDs exposed in URLs (URL
rewriting), and from session IDs that are not rotated after login.
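The defences listed above, as an added example in Python that is not part of the original notes: a small authentication service that rejects short or known-common passwords, stores only salted PBKDF2 hashes, locks an account after repeated failures, and issues a fresh session ID on every successful login (invalidating the pre-login one). The common-password excerpt, the usernames and the lockout parameters are constructed; the current time is passed in as a parameter so the lockout logic can be exercised without sleeping.

```python
import hashlib
import hmac
import os
import secrets

# Constructed excerpt of a breached-password list; real deployments check against a full
# corpus (for example the Pwned Passwords k-anonymity API).
COMMON_PASSWORDS = {"12345678", "password", "qwerty123", "letmein", "password1"}
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000   # kept modest for the demo; tune to roughly 100 ms per hash in production


def password_acceptable(password):
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


class AuthService:
    def __init__(self):
        self.users = {}      # username -> (salt, derived key)
        self.failures = {}   # username -> (consecutive failures, locked-until timestamp)
        self.sessions = {}   # session id -> username

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        if not password_acceptable(password):
            raise ValueError("password too short or too common")
        salt = os.urandom(16)
        self.users[username] = (salt, self._derive(password, salt))

    def login(self, username, password, now, old_session=None):
        """Return a fresh session id on success, None otherwise. `now` is a unix timestamp."""
        count, locked_until = self.failures.get(username, (0, 0))
        if now < locked_until:
            return None                                   # locked out: do not even check
        record = self.users.get(username)
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        candidate = self._derive(password, salt)          # always do the work: no timing hint for unknown users
        if record is None or not hmac.compare_digest(candidate, stored):
            count += 1
            self.failures[username] = (count, now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0)
            return None
        self.failures.pop(username, None)
        if old_session is not None:
            self.sessions.pop(old_session, None)          # rotate: the pre-login id must die
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        return session_id

    def user_for(self, session_id):
        return self.sessions.get(session_id)
```

A fixed lockout like this one lets an attacker lock legitimate users out by deliberately failing logins, so production systems usually combine a per-account limit with per-source rate limiting, progressive delays and a second factor rather than a hard lock alone.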
3. Sensitive Data Exposure: As the name suggests, this means that sensitive data stored
by the application is leaked to malicious attackers. This information can include
personal data like name, address, gender, date of birth, personal identification numbers
like the Aadhaar card number or SSN, financial data like account numbers and credit card
numbers, health-related information, etc. It can result in monetary loss if the attacker
uses users' financial information to make fraudulent payments (the proceeds often
converted to cryptocurrency), identity theft, and reputation loss. Data that is not
needed should not be stored at all, and data that is needed should be encrypted at rest
and in transit.

4. XML External Entities: This type is common to web applications that parse XML
input. The attack works when attacker-supplied XML declares an external entity (a
reference to a local file or a URL) and the document is processed by a weakly configured
XML parser that resolves it. The consequences can be severe: disclosure of sensitive
local files, server-side request forgery against internal hosts, port scanning from the
server, and denial of service through recursive entity expansion (the "billion laughs"
attack).
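As an added example, not from the original notes, a hardened parser for untrusted XML in Python using the standard library's expat bindings: it refuses any DOCTYPE or entity declaration, never resolves an external entity, and caps the input size, which blocks both the file-disclosure payload and entity-expansion denial of service. The benign and malicious documents are constructed; the size limit is an assumed value.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML uses a feature the application never needs."""


MAX_BYTES = 64 * 1024   # constructed limit; size it for the documents you really expect


def parse_untrusted(data, max_bytes=MAX_BYTES):
    """Parse an XML document into {element name: text}, refusing any DOCTYPE, entity
    declaration or external entity fetch. Rejecting the DTD outright blocks classic XXE
    (SYSTEM entities that read files or URLs) and entity-expansion denial of service."""
    if len(data) > max_bytes:
        raise UnsafeXML("document larger than %d bytes" % max_bytes)

    parser = xml.parsers.expat.ParserCreate()
    result, stack = {}, []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted (%s)" % name)

    def on_entity_decl(*_args):
        raise UnsafeXML("entity declarations are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        return 0   # never resolve; returning 0 makes expat abort the parse

    def on_start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def on_end(name):
        stack.pop()

    def on_text(text):
        if stack:
            result[stack[-1]] += text   # character data may arrive in several chunks

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return result


# Constructed inputs: a benign order document and the classic file-disclosure payload.
BENIGN = b"<order><id>7</id><note>thanks</note></order>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b"<order><id>&xxe;</id></order>")


def is_rejected(data):
    try:
        parse_untrusted(data)
        return False
    except UnsafeXML:
        return True
```

The same policy (no DTD, no external entities, bounded size) is what the defusedxml package applies to the standard parsers; the point of writing it out is to see that the protection is a parser configuration, not something input validation on the XML text can reliably provide.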

5. Broken Access Control: Access control specifies the limits or boundaries within which
a user is allowed to operate. For example, root or administrative privileges are given to
the administrator and not to ordinary users (vertical separation), and one user's
records should not be reachable by another user (horizontal separation). A broken or
leaky access control system can result in unintended information leaks, modification of
other users' accounts, manipulation of metadata, acting as the admin, unauthorized API
access, and so on. The typical defect is an endpoint that checks only that the caller is
logged in, not that the caller is entitled to the particular object named in the request.
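The object-level checks the passage calls for, as an added Python example that is not part of the original notes: an order lookup that only checks for a login (so any user can read any order by changing the id) beside one that enforces ownership, plus an administrative action gated on role. The orders, users and roles are constructed for the example.

```python
# Constructed data: two customers' orders and users in different roles.
ORDERS = {
    101: {"owner": "alice", "total": 40.0, "refunded": False},
    102: {"owner": "bob", "total": 15.0, "refunded": False},
}
USERS = {
    "alice": {"role": "customer"},
    "bob": {"role": "customer"},
    "carol": {"role": "support"},   # may read any order, may not refund
    "dave": {"role": "admin"},      # may refund
}


class Forbidden(Exception):
    pass


def get_order_vulnerable(order_id, current_user):
    """Only checks that someone is logged in; any user can read any order by changing the
    id in the URL (an insecure direct object reference)."""
    if current_user not in USERS:
        raise Forbidden("authentication required")
    return dict(ORDERS[order_id])


def get_order(order_id, current_user):
    """Horizontal control: the object must belong to the caller unless the caller's role
    is allowed to see everyone's. Unknown ids get the same answer as forbidden ones, so
    the response does not leak which ids exist."""
    user = USERS.get(current_user)
    order = ORDERS.get(order_id)
    if user is None or order is None:
        raise Forbidden("not found or not allowed")
    if order["owner"] != current_user and user["role"] not in ("support", "admin"):
        raise Forbidden("not found or not allowed")
    return dict(order)


def refund_order(order_id, current_user):
    """Vertical control: refunding is an administrative action, so the role is checked
    on the server for every call, not merely hidden in the UI."""
    user = USERS.get(current_user)
    if user is None or user["role"] != "admin":
        raise Forbidden("admin role required")
    order = get_order(order_id, current_user)   # admins pass the horizontal check too
    order["refunded"] = True
    return order


def is_allowed(action, *args):
    """Ask 'would this be permitted?' without a try/except at every call site."""
    try:
        action(*args)
        return True
    except Forbidden:
        return False
```

The pattern to copy is that get_order takes the caller's identity as an argument and decides for itself; an endpoint that trusts an "is_admin" flag or an owner id supplied by the client has the same defect as the vulnerable version above.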

Intrusion Detection and Prevention

An intrusion is a security event, or a combination of multiple security events, that
constitutes a security incident in which an intruder gains, or attempts to gain, access
to a system or system resource without having authorization to do so.

Any of the following can be considered an intrusion −

● Malware infections, including ransomware, viruses and worms
● Attempts to obtain unauthorized access to a system
● DDoS (Distributed Denial of Service) attacks
● Destruction of cyber-enabled equipment
● Employee security breaches that are unintentional (like moving a secure file
into a shared folder)
● Untrustworthy users, both within and external to your company

Physical Theft
A physical threat is a potential cause of an incident that can result in loss of, or
physical harm to, computer systems. Physical security is the protection of personnel,
hardware, programs, networks, and data from physical situations and events that could
cause severe loss or harm to an enterprise, department, or organization. It covers
protection from fire, natural disasters, robbery, theft, deliberate destruction, and
terrorism.

There are various types of physical threats, which are as follows:

Unauthorized Access − One of the most common security risks to computerized
information systems is unauthorized access to confidential information. The main concern
is unwanted intruders, or hackers, who use current technology and their skills to break
into supposedly secure computers or to exhaust their resources. A person who gains
access to a data system for malicious reasons is often termed a cracker rather than a
hacker.

Computer Viruses − A computer virus is a malicious program written deliberately to enter
a computer without the user's permission or knowledge, with the ability to duplicate
itself and so continue to spread. Some viruses do little beyond replicating; others can
cause severe harm or adversely affect the programs and operation of the system.

Vandalism − Deliberate damage to hardware, software and data is treated as a serious
threat to information system security. The threat from destruction lies in the fact that
the organization is temporarily denied access to some of its resources. Even relatively
minor damage to one element of a system can have a significant effect on the
organization as a whole.

Accidents − Accidental misuse or damage is influenced over time by the attitude and
disposition of the staff as well as by the environment. Human error causes more
information security incidents than deliberate attacks do, but most accidents that
seriously threaten the security of information systems can be reduced through training,
procedures and safeguards.

Abuse of Privileges
Privileged account abuse occurs when the privileges associated with a particular user
account are used inappropriately or fraudulently, whether maliciously, accidentally or
through willful ignorance of policies. Privileged accounts are a gateway to critical
systems and data. Abuse of these powerful accounts can lead to the loss of sensitive
data and business intelligence, as well as downtime of systems and applications
essential for business operations.

Steps for reducing the risk of privileged account abuse:

Step 1: Continuously assess and properly manage assigned privileges

Most people who work with IT systems have at some point had access to information they
should not have been able to see. This happens because privilege assignment is often
treated as a one-time task, which it should not be. Instead, on a regular basis, make
sure to:
● Review access rights and remove excessive permissions in accordance with the
least-privilege principle.
● Review and update permissions whenever a user's role in the organization changes.
● Make sure your sensitive data is not overexposed by verifying that access to it is
granted based strictly on a specific need.
● Pay special attention to your privileged accounts: who can use them and what
permissions they grant.

Step 2: Gain visibility into your IT environment

Would you know if there were a suspiciously high number of failed attempts to access
a critical file or database, or an unauthorized modification to your security groups? If
not, this step is especially important. Without thorough monitoring of all changes and
user activity in the IT environment, it is impossible to detect threats, including
privilege abuse, in their early stages.

Step 3: Analyze user behavior

It is one thing to collect data and quite another to get meaningful insights out of it.
Can you tell when your users exercise their privileges outside normal working hours? Do
you know whether their current behavior deviates from the norm? User behavior analysis
will show you anomalies that are not always obvious from the raw event logs.
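The three steps above, as one added Python example that is not part of the original notes: a least-privilege review that lists grants the account's role does not justify (step 1), a detector for bursts of failed privileged access (step 2), and a check for privileged actions outside working hours (step 3). The role baseline, accounts, audit events and the 08:00 to 19:00 working window are all constructed for the example.

```python
from datetime import datetime

# Constructed baseline: what each role should hold, and what each account actually holds.
ROLE_BASELINE = {
    "developer": {"repo:write", "ci:run"},
    "dba": {"db:admin", "repo:read"},
}
ACCOUNTS = {
    "alice": {"role": "developer", "granted": {"repo:write", "ci:run", "db:admin"}},
    "bob": {"role": "dba", "granted": {"db:admin", "repo:read"}},
    "carol": {"role": "developer", "granted": {"repo:write", "ci:run"}},
}
PRIVILEGED = {"db:admin"}

# Constructed audit events: (ISO timestamp, user, privilege exercised, outcome).
EVENTS = [
    ("2024-03-04T09:12:00", "alice", "repo:write", "ok"),
    ("2024-03-04T23:41:00", "alice", "db:admin", "ok"),      # privileged, late at night
    ("2024-03-05T10:05:00", "bob", "db:admin", "ok"),
    ("2024-03-05T10:06:00", "carol", "db:admin", "fail"),
    ("2024-03-05T10:06:30", "carol", "db:admin", "fail"),
    ("2024-03-05T10:07:00", "carol", "db:admin", "fail"),
]


def excess_privileges(accounts=ACCOUNTS, baseline=ROLE_BASELINE):
    """Step 1: grants that the account's role does not justify (least-privilege review)."""
    report = {}
    for user, acct in accounts.items():
        extra = acct["granted"] - baseline[acct["role"]]
        if extra:
            report[user] = sorted(extra)
    return report


def failed_access_bursts(events=EVENTS, threshold=3, window_minutes=5):
    """Step 2: users with `threshold` or more failed privileged attempts inside the window."""
    failures = {}
    for ts, user, privilege, outcome in events:
        if outcome == "fail" and privilege in PRIVILEGED:
            failures.setdefault(user, []).append(datetime.fromisoformat(ts))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_minutes * 60:
                j += 1
            if j - i + 1 >= threshold:
                flagged[user] = j - i + 1
                break
    return flagged


def off_hours_privileged_use(events=EVENTS, start_hour=8, end_hour=19):
    """Step 3: successful privileged actions outside the working window or at the weekend."""
    hits = []
    for ts, user, privilege, outcome in events:
        when = datetime.fromisoformat(ts)
        if privilege in PRIVILEGED and outcome == "ok" and (
            when.weekday() >= 5 or not start_hour <= when.hour < end_hour
        ):
            hits.append((user, ts, privilege))
    return hits
```

A fixed working window is the crudest possible baseline; a real user-behaviour system learns each account's usual hours, hosts and privileges from history and scores deviations, but the structure (a per-user norm, a comparison, a flagged event) is the same.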
Unauthorized Access by Outsider
Unauthorized access is when a person gains entry to a computer network, system,
application software, data, or other resources without permission. Any access to an
information system or network that violates the owner or operator’s stated security
policy is considered unauthorized access. Unauthorized access is also when legitimate
users access a resource that they do not have permission to use. The most common
reasons for unauthorized entry are to:

● Steal sensitive data
● Cause damage
● Hold data hostage as part of a ransomware attack
● Play a prank

Unauthorized Access Tactics:

Guessing passwords: Guessing passwords is a common entry vector for unauthorized
access. Manual password guessing is done using social engineering, phishing, or by
researching a person to come up with information that could be the password; automated
guessing runs through dictionaries and leaked password lists.

Social engineering: Cybercriminals often gain unauthorized access by taking
advantage of human vulnerabilities, convincing people to hand over credentials or
sensitive data. These attacks, known as social engineering, often involve some form of
psychological manipulation and utilize malicious links in email, pop-ups on websites,
or text messages.

Tailgating or piggybacking: Tailgating is a tactic used to gain physical access to
resources by following an authorized person into a secure building, area, or room. The
perpetrator can be disguised as a delivery or repair person, someone struggling with
an oversized package that may require assistance, or someone who looks and acts as if
they belong there. Most of these situations occur "in plain sight."

Fraudulent use of access cards: Access cards that are lost, stolen, copied or shared
pose an unauthorized access risk.

Door propping: While incredibly simple, propping open a door or window is one of
the most effective ways for an insider to help a perpetrator gain unauthorized access to
restricted buildings or spaces.

Malware Infection
Malware (short for “malicious software”) is a file or code, typically delivered over a
network, that infects, explores, steals or conducts virtually any behavior an attacker
wants. And because malware comes in so many variants, there are numerous methods
to infect computer systems. Though varied in type and capabilities, malware usually
has one of the following objectives:

● Provide remote control for an attacker to use an infected machine.

● Send spam from the infected machine to unsuspecting targets.

● Investigate the infected user’s local network.

● Steal sensitive data.

Intrusion Detection and Prevention Techniques

An Intrusion Detection System (IDS) is a hardware device or software application that
monitors inbound and outbound network traffic and host activity for signs of attack,
either by matching against known intrusion signatures or by flagging deviations from
normal behavior. This is done through:
● Comparison of system files against malware signatures and known-good baselines.
● Scanning of running processes for harmful patterns.
● Monitoring of user behavior to detect malicious intent.
● Monitoring of system settings and configurations.

An Intrusion Prevention System (IPS) adds the ability to block the traffic or activity
it detects, rather than only reporting it. Vital intrusion detection and prevention
techniques are:

Web Application Firewall (WAF) – A WAF (whether an appliance, a web server module, or
a cloud service deployed at your network's edge) bolsters an existing IPS through
signature, reputational and behavioral heuristics that filter malicious incoming
requests and application attacks, including remote file inclusion and SQL injection.

Two-factor authentication (2FA) – 2FA is a security process requiring users to provide
two means of verification when logging into an account, such as a password and a
one-time passcode (OTP) generated by an authenticator app or sent to a mobile device.
It bolsters intrusion prevention by adding an extra layer of protection to your
application's sensitive data, since a stolen password alone is no longer enough.

Backdoor protection – IDS configurations typically identify backdoors based on known
malware signatures. At best, that is a halfway measure, as most perpetrators obfuscate
the code and rename their backdoor shells to avoid recognition; behavioral detection
(an unexpected process spawning a shell, outbound connections to unknown hosts) catches
what signatures miss.

Anti-Malware Software
Anti-malware is a type of software developed to scan, identify and eliminate malware,
also known as malicious software, from an infected system or network.

Anti-malware secures an individual system or an entire business network from
malicious infections that can be caused by a variety of malware that includes viruses,
computer worms, ransomware, rootkits, spyware, keyloggers, etc. Anti-malware can be
deployed on individual PCs, a gateway server or even on a dedicated network
appliance.

Benefits of Anti-Malware:

● Real-time protection
● Boot-time scan
● Scanning of individual files
● Protection of sensitive information
● Restoration of corrupted data
● Protection from spam and identity theft
● Robust web protection
● Quick scans of removable devices

Network based Intrusion Prevention Systems

Network-based intrusion prevention systems (NIPS) monitor entire networks or network
segments for malicious traffic. This is usually done by analyzing protocol activity. If
the protocol activity matches an entry in a database of known attacks, the corresponding
traffic is not allowed to get through. NIPS are usually deployed inline at network
boundaries, behind firewalls, routers, and remote access servers.

The majority of NIPS utilize one of the three detection methods as follows:

● Signature-based detection: Signatures are attack patterns that are predetermined
and preconfigured. This detection method monitors the network traffic and compares
it with the preconfigured signatures so as to find a match. On locating a match, the
NIPS takes the next appropriate action. This type of detection cannot identify
zero-day threats, for which no signature exists yet. However, it has proved to be
very good against single-packet attacks.
● Anomaly-based detection: This method creates a baseline of average network
conditions. Once the baseline has been created, the system periodically samples
network traffic, applies statistical analysis, and compares the sample to the
baseline. If the activity is found to be outside the baseline parameters, the NIPS
takes the necessary action.
● Protocol state analysis detection: This method identifies deviations from the
expected protocol states by comparing observed events with predefined profiles of
benign protocol behavior, for example a TCP segment carrying data on a connection
whose handshake never completed.

Host based Intrusion Prevention systems

A Host-based Intrusion Prevention System (HIPS) protects an individual system from
malware and unwanted activity attempting to affect that computer. HIPS uses advanced
behavioral analysis coupled with the detection capabilities of network filtering to
monitor running processes, files and registry keys. In endpoint products such as ESET
Endpoint Security, HIPS is a configurable component of the detection engine that is
separate from real-time file system protection and is not a firewall: it only monitors
the processes running within the operating system.

Security Information Management

Security information management (SIM) is the process of gathering, monitoring and
investigating log data in order to find and report suspicious activities on a system.
The process is automated by security information management systems or tools. The log
files (records) contain information about system activities such as running
applications, services, and errors that occurred: that is what security log data is.
From security log files one can learn the IP and MAC addresses of a system, login
details and the status of the system. If such details fall into the wrong hands, they
might be used destructively, so the logs themselves need protecting.

The reports generated by SIM systems are typically used to:

1. Detect unauthorized access, as well as modifications to files and data breaches.
2. Identify data trends that business organizations can potentially leverage for their
progression.
3. Characterize network behavior and assess performance.

The SIM tool consists of software agents that send reports about events to a
centralized server, from which administrators are kept informed.
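The three NIPS detection methods (signature, anomaly, protocol state) from the previous section and the log-driven detection that SIM describes here, as one added Python example that is not part of the original notes. The signature rules, the baseline and live request logs, and the TCP packet trace are all constructed; a real deployment would feed the same functions from captured traffic or shipped logs.

```python
import re
import statistics
from collections import Counter

# --- Signature-based: constructed rules in the spirit of a NIPS signature database ---
SIGNATURES = [
    ("sqli-comment", re.compile(r"('|%27)\s*(--|#|/\*)", re.I)),
    ("sqli-tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("path-traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
]


def signature_hits(requests):
    """requests: (timestamp, source ip, method, path). Returns (timestamp, source, rule)."""
    hits = []
    for ts, src, _method, path in requests:
        for name, rx in SIGNATURES:
            if rx.search(path):
                hits.append((ts, src, name))
    return hits


# --- Anomaly-based: per-source requests per minute against a learned baseline ---
def _per_minute(requests):
    return Counter((src, ts[:16]) for ts, src, _m, _p in requests)   # ts[:16] = YYYY-MM-DDTHH:MM


def learn_baseline(requests):
    counts = list(_per_minute(requests).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def rate_anomalies(requests, baseline, k=3.0):
    """Sources whose per-minute request count exceeds mean + k standard deviations."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    return sorted((src, minute, n) for (src, minute), n in _per_minute(requests).items() if n > threshold)


# --- Protocol state analysis: data on a TCP flow whose handshake never completed ---
def handshake_violations(packets):
    """packets: (timestamp, flow id, flag) in arrival order."""
    state, violations = {}, []
    for ts, flow, flag in packets:
        current = state.get(flow, "CLOSED")
        if flag == "SYN" and current == "CLOSED":
            state[flow] = "SYN_SENT"
        elif flag == "SYN-ACK" and current == "SYN_SENT":
            state[flow] = "SYN_RECEIVED"
        elif flag == "ACK" and current == "SYN_RECEIVED":
            state[flow] = "ESTABLISHED"
        elif flag == "DATA" and current != "ESTABLISHED":
            violations.append((ts, flow, current))
        elif flag in ("FIN", "RST"):
            state[flow] = "CLOSED"
    return violations


# Constructed traffic: a quiet baseline period, then a live window with one noisy source.
BASELINE_REQUESTS = [
    ("2024-03-04T09:%02d:%02d" % (minute, sec), "10.0.0.%d" % host, "GET", "/")
    for minute, host, n in [(0, 1, 3), (0, 2, 4), (1, 1, 5), (1, 2, 4), (2, 1, 3), (2, 2, 5)]
    for sec in range(n)
]
LIVE_REQUESTS = (
    [("2024-03-04T10:00:%02d" % s, "10.0.0.1", "GET", "/") for s in range(5)]
    + [("2024-03-04T10:00:%02d" % s, "10.0.0.9", "GET", "/search?q=%d" % s) for s in range(60)]
    + [("2024-03-04T10:01:00", "10.0.0.9", "GET", "/login?user=admin'--")]
)
PACKETS = [
    ("t1", "10.0.0.1:5000->10.0.0.2:443", "SYN"),
    ("t2", "10.0.0.1:5000->10.0.0.2:443", "SYN-ACK"),
    ("t3", "10.0.0.1:5000->10.0.0.2:443", "ACK"),
    ("t4", "10.0.0.1:5000->10.0.0.2:443", "DATA"),
    ("t5", "10.0.0.9:6000->10.0.0.2:443", "DATA"),   # no handshake: crafted packet
]
```

Each detector has the blind spot the text attributes to it: the signature list catches only what it has a rule for, the rate baseline has to be learned from traffic that was itself clean, and the state machine knows nothing about the payload. Running all three over the same events, as a NIPS or SIM does, is what makes the combination useful.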

Network Session Analysis


It is a category of cyber security that involves observing network traffic
communications, using analytics to discover patterns and monitor for potential threats.
The practice of session analysis is actually much older than the Internet. For example,
the military began intercepting radio traffic beginning in World War I, and the
interception and decoding work done became a critical part of battle strategy during
World War II.

Though we’ve advanced considerably from radio technology, the principle of traffic
analysis remains the same. Communication traffic patterns are scrutinized for
information that will help keep assets secure. By monitoring network traffic, abnormal
activity from threat actors can be detected early on, thwarting attackers before they
achieve their goal of destruction or theft.
Need for Network Session Analysis:

1. They shorten the dwell time of infections. Discovering threats as soon as possible is the best way to minimize damage. The longer an infection lives in a network, the more damage it can do. Swiftly detecting a threat ensures that there is minimal harm.
2. They improve efficiency. Most organizations do not have the resources to have personnel devoted to actively monitoring for and investigating risk around the clock. These solutions automate threat detection, allowing organizations to do more with less and ensuring that security analysts are able to focus more on threat removal.
3. They provide wide coverage. By monitoring traffic, network traffic analysis (NTA) solutions can monitor different types of devices. For example, many NTA solutions are OS agnostic, monitoring traffic from both Linux servers and Windows workstations.
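
As an added illustration (not part of the original notes) of how session analysis surfaces abnormal activity early, the following Python code runs two simple checks over constructed session records: hosts that contact the same external destination at near-constant intervals, and hosts whose outbound volume exceeds a threshold. The records, the thresholds and the IP addresses (documentation ranges) are assumptions made for this example.

```python
"""Session analysis over constructed flow records: beacon-like regularity and volume outliers."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample session records, not real traffic.
# Fields: source host, destination host, destination port, session start (seconds), bytes sent.
SESSIONS = [
    # ordinary browsing from 10.0.0.5: few sessions, irregular timing, modest volume
    ("10.0.0.5", "192.0.2.10", 443, 0, 12_000),
    ("10.0.0.5", "192.0.2.10", 443, 37, 8_500),
    ("10.0.0.5", "192.0.2.44", 443, 140, 20_000),
    # 10.0.0.7 contacts one external host every 60 s with tiny, near-identical payloads
    ("10.0.0.7", "203.0.113.9", 8080, 0, 300),
    ("10.0.0.7", "203.0.113.9", 8080, 60, 310),
    ("10.0.0.7", "203.0.113.9", 8080, 120, 295),
    ("10.0.0.7", "203.0.113.9", 8080, 180, 305),
    ("10.0.0.7", "203.0.113.9", 8080, 240, 300),
    # 10.0.0.9 sends an unusually large amount of data to a single external host
    ("10.0.0.9", "198.51.100.20", 443, 10, 950_000_000),
]


def beacon_candidates(sessions, min_sessions=4, max_jitter=0.10):
    """Return (src, dst, port) tuples whose session start times are almost evenly spaced.

    Regular, low-volume check-ins to one destination are a classic sign of an implant
    polling its controller; jitter is the coefficient of variation of the gaps.
    """
    by_flow = defaultdict(list)
    for src, dst, port, start, _ in sessions:
        by_flow[(src, dst, port)].append(start)
    found = []
    for flow, starts in by_flow.items():
        if len(starts) < min_sessions:
            continue
        starts.sort()
        gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append(flow)
    return sorted(found)


def volume_outliers(sessions, threshold_bytes=500_000_000):
    """Return source hosts whose total bytes sent exceed the threshold (possible data theft)."""
    totals = defaultdict(int)
    for src, _, _, _, sent in sessions:
        totals[src] += sent
    return sorted(src for src, total in totals.items() if total > threshold_bytes)


def analyze(sessions):
    """Run both checks and return the findings an analyst would triage."""
    return {"beacons": beacon_candidates(sessions), "volume": volume_outliers(sessions)}


if __name__ == "__main__":
    for kind, hits in analyze(SESSIONS).items():
        print(kind, hits)
```

Real deployments feed the same checks from flow exporters or a network sensor and tune the thresholds per network; the logic is the same.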

System Integrity Validation

System integrity validation is part of the system hardening process; it confirms that we have taken all the necessary measures to prevent any unauthorized access to our systems and files. System integrity validation verifies the integrity of different system components, such as operating systems, applications, and network services.

Countermeasures:

There are various countermeasures that can be used for effective security which include
physical security, logical security, and cryptographic security.

● Logical security controls involve a computer system's access to resources, such as files, network access, and so on. Logical controls help prevent unauthorized or improper access to a computer system.
● Examples of logical controls are passwords and encryption algorithms, such as asymmetric cryptography (for instance, the ElGamal encryption algorithm). Data flow controls enforce secure data flow by controlling who can send or receive data from the computer system's memory or storage.
● Data flow controls help prevent unauthorized or improper access to data, such as by limiting the ability of an authorized user to access data belonging to another user.
● Physical security protects items by ensuring that physical intrusions are properly locked down and that doors and windows are tightly secured.
● Cryptographic security controls ensure the proper transmission of information or files over a network between two computers or devices that are communicating with each other. Examples of cryptographic systems include the Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS), and Secure HTTP (HTTPS).

UNIT-III
CRYPTOGRAPHY AND NETWORK SECURITY
Introduction to Cryptography
Cryptography is the study of secure communications techniques that allow only the
sender and intended recipient of a message to view its contents. The term is derived
from the Greek word kryptos, which means hidden.

There are numerous cryptographic algorithms in use, but in general they can be
broken into three categories: symmetric cryptography, asymmetric cryptography, and
hash functions.

Symmetric cryptography: The Caesar cipher we discussed above is a great example of symmetric cryptography. In the example we used, if encrypted messages were being exchanged between Caesar and one of his centurions, both parties would have to know the key—in this case, how many letters forward or backwards in the alphabet you need to move to transform plaintext to cipher text or vice versa. That's what makes it symmetrical. But the key needs to stay a secret between the two of them, which is why this is sometimes also called secret key cryptography.

Asymmetric cryptography: Caesar may have been able to confer with his centurions in
person, but you don't want to go into your bank and talk to the teller just to learn what
the private key is for encrypting your electronic communication with the bank—that
would defeat the purpose of online banking. In general, in order to function securely,
the internet needs a way for communicating parties to establish a secure
communications channel while only talking to each other across an inherently insecure
network. The way this works is via asymmetric cryptography, which is sometimes
called public key cryptography.
Message Authentication
Message authentication ensures that the message has been sent by a genuine identity
and not by an imposter. The service used to provide message authentication is a
Message Authentication Code (MAC). A MAC uses a keyed hash function that
includes the symmetric key between the sender and receiver when creating the digest.

Message Authentication Functions:


All message authentication and digital signature mechanisms are based on two
functionality levels:

● Lower level: At this level, there is a need for a function that produces an authenticator, which is the value that will further help in the authentication of a message.
● Higher level: The lower level function is used here in order to help receivers verify the authenticity of messages.

Digital Signatures
A digital signature is a mathematical technique used to validate the authenticity and
integrity of a message, software, or digital document.

The steps followed in creating and verifying a digital signature are:

1. The message digest is computed by applying a hash function to the message, and the message digest is then encrypted using the private key of the sender to form the digital signature. (Digital signature = encryption(private key of sender, message digest), and message digest = message digest algorithm(message).)
2. The digital signature is then transmitted with the message (message + digital signature is transmitted).
3. The receiver decrypts the digital signature using the public key of the sender. (This assures authenticity: only the sender has his private key, so only the sender can encrypt using his private key, which can thus be decrypted by the sender's public key.)
4. The receiver now has the message digest.
5. The receiver can compute the message digest from the message (the actual message is sent with the digital signature).
6. The message digest computed by the receiver and the message digest obtained by decrypting the digital signature need to be the same to ensure integrity.

Applications of Cryptography
Applications of Cryptography in various fields are:

1. Digital Currency: A much-known application of cryptography is digital currency, wherein cryptocurrencies are traded over the internet. Top cryptocurrencies like Bitcoin, Ethereum, and Ripple have been developed and traded over time. With cashless economies emerging, digital currencies have grabbed the attention of the world. Unregulated by any government or banks, cryptocurrencies are our upcoming future.

Blockchain technology has a lot to do with this application. Several nodes in the blockchain are empowered with cryptography that enables the secure trade of a cryptocurrency in a digital ledger system. These ledgers are protected, preserved, and cannot be accessed by any other person or organization.

2. E-commerce: E-commerce startups enable us to shop for items online and pay for them online. These transactions are encrypted and perhaps cannot be altered by any third party. Moreover, the passwords we set for such sites are also protected under keys to ensure that no hacker gets access to our e-commerce details for harmful purposes.

3. Military Operations: The applications of cryptography in the military are well-known. Military operations have also derived great use from cryptography for a long time. Used for encrypting military communication channels, military encryption devices convert the real communication characters so that the enemies cannot come to know about their upcoming plans. Simply put, cryptography safely transmits messages from one end to the other without letting the enemy forces intercept the real meaning. This is a very important application of cryptology as it can be of both public and private use. On the large scale, it can be widely used for declaring wars and sending crucial messages without the involvement of a messenger. Unlike traditional times, this technology can be precisely used to enhance the military strength of a nation.

Firewalls
A firewall is a network security device that monitors incoming and outgoing network
traffic and permits or blocks data packets based on a set of security rules. Its purpose is
to establish a barrier between your internal network and incoming traffic from external
sources (such as the internet) in order to block malicious traffic like viruses and
hackers.

Types of firewalls:

A. Next-generation firewalls (NGFW): It combines traditional firewall technology with additional functionality, such as encrypted traffic inspection, intrusion prevention systems, anti-virus, and more. Most notably, it includes deep packet inspection (DPI). While basic firewalls only look at packet headers, deep packet inspection examines the data within the packet itself, enabling users to more effectively identify, categorize, or stop packets with malicious data.

B. Proxy firewalls: It filters network traffic at the application level. Unlike basic
firewalls, the proxy acts as an intermediary between two end systems. The client
must send a request to the firewall, where it is then evaluated against a set of
security rules and then permitted or blocked. Most notably, proxy firewalls
monitor traffic for layer 7 protocols such as HTTP and FTP, and use both stateful
and deep packet inspection to detect malicious traffic.

C. Network address translation (NAT): These firewalls allow multiple devices with
independent network addresses to connect to the internet using a single IP
address, keeping individual IP addresses hidden. As a result, attackers scanning
a network for IP addresses can't capture specific details, providing greater
security against attacks. NAT firewalls are similar to proxy firewalls in that they
act as an intermediary between a group of computers and outside traffic.

D. Stateful multilayer inspection (SMLI): These firewalls filter packets at the network, transport, and application layers, comparing them against known trusted packets. Like NGFW firewalls, SMLI also examines the entire packet and only allows packets to pass if they pass each layer individually. These firewalls examine packets to determine the state of the communication (thus the name) to ensure all initiated communication is only taking place with trusted sources.

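
To make the state tracking behind an SMLI firewall concrete, here is an added example (not from the notes) of a minimal stateful filter model in Python: a new outbound connection on a permitted port creates an entry in a state table, replies that match that entry are accepted, and everything else is dropped. The address ranges, the permitted ports and the packet sequence are assumptions for the illustration; a real firewall also tracks the full TCP state machine and applies timeouts.

```python
"""Added example: a minimal model of stateful (SMLI-style) packet filtering."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
OUTBOUND_ALLOWED_PORTS = {80, 443}                  # assumed policy: web traffic only


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as a string such as "SYN" or "SYN,ACK"
    proto: str = "tcp"


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


class StatefulFirewall:
    """Tracks connections in a state table keyed by the 5-tuple of the initiating packet."""

    def __init__(self):
        self.state = set()

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # 1. Packets belonging to a tracked connection pass in either direction.
        if forward in self.state or reverse in self.state:
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                # Simplified teardown: a real firewall keeps the entry through the full
                # FIN/ACK exchange and applies idle timeouts.
                self.state.discard(forward)
                self.state.discard(reverse)
            return "ACCEPT established"

        # 2. A new connection is only allowed outbound, on a permitted port, and only
        #    when it starts with a bare SYN; this is what creates the state entry.
        if (is_internal(pkt.src) and not is_internal(pkt.dst)
                and pkt.dport in OUTBOUND_ALLOWED_PORTS and pkt.flags == "SYN"):
            self.state.add(forward)
            return "ACCEPT new"

        # 3. Default deny: unsolicited inbound traffic, and packets that merely carry ACK
        #    without matching any tracked connection (a stateless ACK-flag rule would let these in).
        return "DROP"


# Constructed packet sequence (documentation address ranges, not real hosts).
TRAFFIC = [
    Packet("10.0.0.5", 51234, "192.0.2.10", 443, "SYN"),          # client opens a TLS connection
    Packet("192.0.2.10", 443, "10.0.0.5", 51234, "SYN,ACK"),      # server reply matches state
    Packet("198.51.100.7", 4444, "10.0.0.5", 445, "SYN"),         # unsolicited inbound to SMB
    Packet("198.51.100.7", 443, "10.0.0.5", 51234, "ACK"),        # ACK from a host with no state
    Packet("10.0.0.5", 51234, "192.0.2.10", 443, "FIN,ACK"),      # client closes the connection
    Packet("192.0.2.10", 443, "10.0.0.5", 51234, "ACK"),          # after teardown: no state left
    Packet("10.0.0.5", 40000, "192.0.2.10", 25, "SYN"),           # outbound to a non-permitted port
]


def run(traffic=TRAFFIC):
    """Feed the packets through one firewall instance and return the verdict for each."""
    fw = StatefulFirewall()
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for pkt, verdict in zip(TRAFFIC, run()):
        print(f"{verdict:20} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]")
```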
User Management
User management describes the ability for administrators to manage devices, systems,
applications, storage systems, networks, SaaS services, and user access to other various
IT resources. Controlling and managing user access to IT resources is a fundamental
security essential for any organization. A user management system enables admins to
control user access and on-board and off-board users to and from IT resources.

User Management Requirements:

There are a few requirements to be considered for organizations now seeking to leverage cloud systems and web-based applications for a centralized user management solution.

● Delivered from the cloud: Even as most organizations continue to move away
from on-premises infrastructure, a centralized user management system needs to
be delivered from the cloud and connect users to resources both on-premises and
in the cloud. User management solutions of the next generation, often termed
Identity-as-a-service (IDaaS), are fully capable of functioning in any
environment, on-premises, in the cloud, and even in between.

● Multiprotocol: There are currently many varying systems that leverage different
products ranging from LDAP to SAML, SSH, and RADIUS, among others. For a
UM system in a modern network, it should be capable enough to handle various
protocols to connect users to resources.

● High security: As digital identities turn into valuable technological assets, a centralized UM system becomes a high-value target. Therefore, central UM systems must employ the latest security measures to keep out unwanted users.

VPN Security
VPN security can protect a user's IP address and encrypt their internet traffic (browsing history), and is increasingly being used to prevent snooping by government agencies. VPN security enables users to protect their online privacy and prevent their internet service provider (ISP) from tracking their browsing activity. It works by connecting a user's device to the VPN server, then passing their internet traffic through the VPN provider's internet connection. This hides browsing information and makes it more difficult for bad actors to gather or monitor the user's online activity.

The best VPN tool or application contains the following features:

1. Internet Protocol (IP) address leak prevention: The core purpose of a VPN is to
hide or disguise a user’s IP address and prevent anyone from tracking their
online activity. However, a VPN can sometimes include flaws that result in the
user’s IP location being leaked. It is therefore important to look for a provider
that actively prevents IP address leaks. Check reviews online to see if they have a
history of IP address leakage.

2. No information logging: No-log VPNs do not collect, or log, data that users
share on the network, such as login credentials, files they download, and their
search history. This is key to ensuring users’ online privacy and protecting their
anonymity from other internet users. It also ensures that a user’s information is
protected, even if an attacker gains unauthorized access to a VPN tool. When
considering a VPN, check whether it logs online activity, logs and periodically
purges data, or discloses user information in any other scenario.

3. VPN kill switch: In case a VPN connection drops, the user’s internet access will
switch to their regular connection. A VPN kill switch feature automatically exits
specific programs if an internet connection becomes unstable to reduce the risk of
sensitive data being leaked by applications.

4. Multi-factor authentication (MFA): Any VPN program should be as secure as possible to ensure that only authorized users can gain access to it. MFA enables a user to prove their identity, that they are who they say they are, before they are given access to the VPN.

Security Protocols
It is a sequence of operations that ensure protection of data. Used with a
communications protocol, it provides secure delivery of data between two parties. The
term generally refers to a suite of components that work in tandem (see below). For
example, the 802.11i standard provides these functions for wireless LANs.

Following are the primary components of a security protocol:

Access Control: Authenticates user identity. Authorizes access to specific resources based on permissions level and policies. See access control and authentication.

Encryption Algorithm: The cryptographic cipher combined with various methods for
encrypting the text. See encryption algorithm, HTTPS and TLS.

Key Management: Create, distribute and maintain the keys. See key management.

Message Integrity: Ensures that the encrypted message has not been tampered with.

Security at the Application Layer

Application layer security refers to ways of protecting web applications at the application layer (layer 7 of the OSI model) from malicious attacks. Since the application layer is the closest layer to the end user, it presents hackers with the largest threat surface. Poor application layer security can lead to performance and stability issues, data theft, and in some cases the network being taken down.

Two core protocols are used here:

❖ PGP (PRETTY GOOD PRIVACY)

❖ S/MIME (SECURE/MULTIPURPOSE INTERNET MAIL EXTENSION)

PRETTY GOOD PRIVACY (PGP):

PGP stands for Pretty Good Privacy; it was invented by Phil Zimmermann. It was designed to provide all four aspects of security, i.e., privacy, integrity, authentication, and non-repudiation in the sending of email. It uses a digital signature (a combination of hashing and public key encryption) to provide integrity, authentication, and non-repudiation. PGP uses a combination of secret key encryption and public key encryption to provide privacy. Therefore, we can say that the digital signature uses one hash function, one secret key, and two private-public key pairs. PGP is an open source and freely available software package for email security. It provides authentication through the use of digital signatures and confidentiality through the use of symmetric block encryption.

Benefits of PGP Encryption

● Sensitive information is always protected. It cannot be stolen or viewed by others on the internet. It assures that the information that is sent or received was not modified in transmission and that files were not changed without your knowledge.
● Information can be shared securely with others including groups of users and entire departments.
● You can be certain who the email is from and who it is for. PGP verifies the sender of the information to ensure that the email was not intercepted by a third party.
● Your secure emails and messages cannot be penetrated by hackers or infected by email attacks.
● Others cannot recover sensitive messages or files once you have deleted them.
● PGP encryption software is very easy to learn how to use. With virtually no training, users are able to learn how to use it right away.

SECURE/MULTIPURPOSE INTERNET MAIL EXTENSION (S/MIME):

S/MIME or Secure/Multipurpose Internet Mail Extension is a technology widely used by corporations that enhances email security by providing encryption, which protects the content of email messages from unwanted access. It also adds digital signatures, which confirm that you are the authentic sender of the message, making it a powerful weapon against many email-based attacks.

S/MIME can be used to:

➔ Check that the email you sent has not been tampered with by a third party.
➔ Create digital signatures to use when signing emails.
➔ Encrypt all emails.
➔ Check the email client you’re using.

Security at the Transport Layer

At the transport layer, two main security protocols are used:

❖ TLS (TRANSPORT LAYER SECURITY)

❖ SSL (SECURE SOCKETS LAYER)

TLS (TRANSPORT LAYER SECURITY):

Transport layer security (TLS for short) refers to a protocol that aims to offer
authentication, data integrity and privacy during the communication between two
different computer applications. It can be used for various platforms including web
browsers and a wide array of other applications that often necessitate the safe
exchange of data over networks. Moreover, VPN connections, voice over IP, file
transfers and remote desktop sessions as well can benefit greatly from transport layer
security solutions.

There are three main components to what the TLS protocol accomplishes: Encryption, Authentication, and Integrity.

Encryption: It hides the data being transferred from third parties.
Authentication: It ensures that the parties exchanging information are who they claim to be.
Integrity: It verifies that the data has not been forged or tampered with.

SSL (SECURE SOCKETS LAYER):

SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol. It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications. SSL is the predecessor to the modern TLS encryption used today. It provides security to the data that is transferred between web browser and server. SSL encrypts the link between a web server and a browser, which ensures that all data passed between them remains private and free from attack.
There are several different types of SSL certificates. One certificate can apply to a single website or several websites, depending on the type:

● Single-domain: A single-domain SSL certificate applies to only one domain (a "domain" is the name of a website).
● Wildcard: Like a single-domain certificate, a wildcard SSL certificate applies to only one domain. However, it also includes that domain's subdomains. For example, a wildcard certificate could cover www.cloudflare.com, blog.cloudflare.com, and developers.cloudflare.com, while a single-domain certificate could only cover the first.
● Multi-domain: As the name indicates, multi-domain SSL certificates can apply to multiple unrelated domains.
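
The difference between the three certificate types comes down to which hostnames the names in the certificate match. The Python below is an added example (not from the notes, and not any library's own implementation) of the usual client-side matching rule: a name without a wildcard must match exactly, and a wildcard must be the whole leftmost label and matches exactly one label, so *.cloudflare.com covers blog.cloudflare.com but neither cloudflare.com nor a.b.cloudflare.com. The example.com / example.org names are placeholders.

```python
"""Added example: which hostnames a certificate's names cover (single-domain, wildcard, multi-domain)."""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one name from the certificate covers the hostname.

    Rules modelled on common client behaviour (RFC 6125 style):
    - names are compared case-insensitively, ignoring a trailing dot;
    - without a wildcard the name must match exactly;
    - a wildcard must be the entire leftmost label and matches exactly one label,
      so it covers neither the bare domain nor deeper subdomains;
    - wildcards with fewer than two fixed labels (such as "*.com") are refused.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    pattern_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if pattern_labels[0] != "*" or any("*" in label for label in pattern_labels[1:]):
        return False            # partial wildcards like "w*.example.com" are not accepted
    if len(pattern_labels) < 3:
        return False            # refuse "*.com"
    return (len(host_labels) == len(pattern_labels)
            and host_labels[0] != ""
            and host_labels[1:] == pattern_labels[1:])


def cert_covers(cert_names: list, hostname: str) -> bool:
    """A certificate covers a hostname if any of its names (CN or SAN entries) matches."""
    return any(name_matches(name, hostname) for name in cert_names)


def certificate_type(cert_names: list) -> str:
    """Classify a certificate by its names, following the three types in the notes."""
    if any(name.startswith("*.") for name in cert_names):
        return "wildcard"
    return "single-domain" if len(cert_names) == 1 else "multi-domain"


if __name__ == "__main__":
    wildcard = ["*.cloudflare.com"]
    for host in ("www.cloudflare.com", "blog.cloudflare.com", "cloudflare.com", "a.b.cloudflare.com"):
        print(f"{host:22} covered by *.cloudflare.com: {cert_covers(wildcard, host)}")
```

Because the bare domain is not covered by the wildcard, wildcard certificates are commonly issued with both *.example.com and example.com as names.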

Security at the Network Layer

The network layer is the third layer in the TCP/IP model; it provides host-to-host communication services. Segments from the transport layer are received by the network layer, which encapsulates them into packets to be sent to the nearest router. Routers then forward the packets from their input links to output links on the path towards the receiving system.

The main network layer security protocol is described below:

IP Security (IPSec) is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality between two communication points across an IP network. It also defines how packets are encrypted, decrypted and authenticated. The protocols needed for secure key exchange and key management are defined in it.

Uses of IP Security – IPsec can be used to do the following things:

● To encrypt application layer data.
● To provide security for routers sending routing data across the public internet.
● To provide authentication without encryption, for example to authenticate that the data originates from a known sender.
● To protect network data by setting up circuits using IPsec tunneling in which all data being sent between the two endpoints is encrypted, as with a Virtual Private Network (VPN) connection.

Features of IPSec:

1. Authentication: IPSec provides authentication of IP packets using digital signatures or shared secrets. This helps ensure that the packets are not tampered with or forged.
2. Confidentiality: IPSec provides confidentiality by encrypting IP packets, preventing eavesdropping on the network traffic.
3. Integrity: IPSec provides integrity by ensuring that IP packets have not been modified or corrupted during transmission.
4. Key management: IPSec provides key management services, including key exchange and key revocation, to ensure that cryptographic keys are securely managed.
5. Tunneling: IPSec supports tunneling, allowing IP packets to be encapsulated within another protocol, such as GRE (Generic Routing Encapsulation) or L2TP (Layer 2 Tunneling Protocol).
6. Flexibility: IPSec can be configured to provide security for a wide range of network topologies, including point-to-point, site-to-site, and remote access connections.
7. Interoperability: IPSec is an open standard protocol, which means that it is supported by a wide range of vendors and can be used in heterogeneous environments.

UNIT-IV
CYBERSPACE, CYBER LAW AND CYBER FORENSICS
Introduction to Cyberspace
Cyberspace refers to the virtual computer world, and more specifically, an electronic medium that is used to facilitate online communication. Cyberspace typically involves a large computer network made up of many worldwide computer subnetworks that employ the TCP/IP protocol to aid in communication and data exchange activities. The word Cyberspace first made its appearance in William Gibson's science fiction book Neuromancer. The book described an online world filled with computers and associated societal elements. In that book, the author described Cyberspace as a 3D virtual landscape created by a network of computers. Although it looks like a physical space, it is generated by a computer, representing abstract data.

After the publication of the book, the word Cyberspace became a mainstay in many
English dictionaries. The New Oxford Dictionary of English provides Cyberspace
definition as the notional environment used by the people to communicate over
networks of the computer.

State and Private Sector in Cyberspace

In cyberspace there is a crisis of trust, and cyber-insecurity has become a growing problem worldwide. This trust issue is present in three dimensions: mistrust among states; mistrust between state and non-state actors; and users' mistrust of technologies/ICTs.
When you face uncertainty and problems, the first thought that usually comes to mind is to check what has been said or done by others before. That is why the search for a possible solution turns to confidence- and trust-building measures.

We learned three things:

1. To push any transformations, we need ideational shifts – "shared ideas, expectations and beliefs about appropriate behavior that give the world structure, order, and stability".
2. People act toward an object and other actors, relying on the meanings that they perceive about those objects or actors.
3. To make a change/transformation, we need to reinterpret or frame the existing meanings so the new frame resonates with broader public understanding.

States may take a variety of approaches, with varying levels of intervention, to restrict engagement in self-help practices they view negatively:

● Prohibit—The state both formally prohibits an activity and actively undertakes to monopolize its practice, whether by punishing private actors for engaging in the activity or simply by exercising control over the capabilities necessary to do so.

● Tolerate—The state expresses formal disapproval of an activity while falling short of directly intervening to prevent its practice. It may create barriers to entry or other constraints to limit engagement, such as through licensing requirements. Or it may take a more passive approach, creating disincentives, such as leveraging market pressures to shape behavior.

States similarly intervene to various degrees to support and bring about certain self-help practices they view favorably:

● Encourage—The state demonstrates its approval of certain activities but largely leaves it to other forces, such as market pressures, to induce them. It may remove barriers to action or create incentives to nudge private actors to undertake an activity. More assertively, it may actively facilitate certain practices and empower private actors by providing legal authorization, building private sector capacities through training or public-private partnerships, or offering other forms of assistance.

● Require—The state mandates an activity and may even punish actors for failing to undertake it. This may occur for entities whose failure to exercise basic self-help could be broadly detrimental to the public (for example, the security of nuclear facilities).

Cyber Security Regulations

Here is the current legislation regarding cyber security used in India today:

1. The Information Technology Act, 2000

India's first-ever landmark cyber security law was the Information Technology Act of 2000. The IT Act of 2000 was enacted by the Parliament of India and is administered by the Indian Computer Emergency Response Team (CERT-In) to guide Indian cyber security legislation, institute data protection policies, and govern cybercrime. It also protects e-governance, e-banking, e-commerce, and the private sector, among many others.

2. Information Technology (Amendment) Act 2008

The Information Technology Amendment Act 2008 (IT Act 2008) was passed in October 2008 and came into effect the following year as a substantial addition to the IT Act of 2000. These amendments helped improve the original bill, which originally failed to pave the way for further IT-related development. It was hailed as an innovative and long-awaited step towards an improved cyber security framework in India. IT Act 2008 added updated and redefined terms for current use, expanding the definition of cybercrime and the validation of electronic signatures. It also strongly encourages companies to implement better data security practices and makes them liable for data breaches.

3. Information Technology Rules, 2011

Under the IT Act, another important segment of the cyber security legislation is the
Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules 2011 (Privacy Rules). The most significant
amendments include provisions for the regulation of intermediaries, updated penalties
and violation fees for cybercrime, cheating, slander, and nonconsensual publishing of
private images, as well as censoring/restriction of certain speech. Both the Information
Technology Act (ITA) and the IT Rules are important for governing how Indian entities
and organizations process sensitive info, data protection, data retention, and collection
of personal data and other sensitive information. Other Indian sectors, like banking,
insurance, telecom, and healthcare, also include data privacy provisions as part of their
separate statutes.
4. Indian SPDI Rules, 2011 for Reasonable Security Practices

The IS/ISO/IEC 27001 regulations are identified by the Indian SPDI Rules, 2011, as
international standards. As such, Indian companies aren’t obligated — but are highly
advised — to implement these standards, which can help meet the “reasonable security
practices” under Indian jurisdiction. The rules can also give individuals the right to
correct their information and impose restrictions on disclosure, data transfer, and
security measures. They only apply to corporate entities, but they aren’t responsible for
the authenticity of sensitive personal data (SPD) like sexual orientation, medical records
and history, biometric information, and passwords.

5. National Cyber Security Policy, 2013

In 2013, the Department of Electronics and Information Technology (DeitY) released the
National Cyber Security Policy 2013 as a security framework for public and private
organizations to better protect themselves from cyber attacks. The goal behind the
National Cyber Security Policy is to create and develop more dynamic policies to
improve the protection of India’s cyber ecosystem. The policy aims to create a workforce
of over 500,000 expert IT professionals over the following five years through skill
development and training.

Roles of International Law

Cyber security and information protection have become the buzzwords of today's post-pandemic world. Organizations, governments, financial institutions, and other entities remain under constant cyber threat. The means of cyber attack that cybercriminals execute are getting more sophisticated with each passing day, thereby increasing the risk of a major cyber security breach. Therefore, it has become indispensable for organizations to understand cyber laws and the legal nuances of cyber security. Cyber laws serve a variety of purposes crucial to the usage of the internet. Some of these laws protect internet users from becoming victims of cybercrime, whereas other laws lay down rules for individuals to use the internet and computer systems.

Primary areas included under cyber laws are:

Fraud: Cyber laws are there to protect consumers from online frauds. They exist to
prevent online crimes including credit card theft and identity theft. A person who
commits such thefts stands to face federal and state criminal charges.

Copyright: Copyright is a legal area that defends the rights of an entity, be it an individual and/or a company, to profit from their creative work. Individuals and companies both need copyright laws to prevent copyright infringement and enforce copyright protection.

Defamation: Defamation laws are the civil laws that give immunity to individuals from
publically made false statements or allegations that can prove to be damaging for the
reputation of a person or a business. When such a mala fide deed is done online, it falls
under the bracket of cyber laws.

Cyber Security Standards

A security standard is "a published specification that establishes a common language, and contains a technical specification or other precise criteria and is designed to be used consistently, as a rule, a guideline, or a definition." The goal of security standards is to improve the security of information technology (IT) systems, networks, and critical infrastructures. Well-written cyber security standards enable consistency among product developers and serve as a reliable standard for purchasing security products. Security standards are generally provided for all organizations regardless of their size or the industry and sector in which they operate. This section includes information about each standard that is usually recognized as an essential component of any cyber security strategy.

1. ISO

ISO stands for International Organization for Standardization. International Standards make things work. These standards provide a world-class specification for products, services and computers, to ensure quality, safety and efficiency. They are instrumental in facilitating international trade. ISO has published over 22336 International Standards and related documents which cover almost every industry, from information technology, to food safety, to agriculture and healthcare.

2. IT Act

The Information Technology Act, also known as ITA-2000 or the IT Act, mainly aims to
provide the legal infrastructure in India for dealing with cybercrime and e-commerce.
The IT Act is based on the United Nations Model Law on E-Commerce 1996
recommended by the General Assembly of the United Nations. This act is also used to
check misuse of cyber networks and computers in India. It was officially passed in 2000
and amended in 2008. It has been designed to give a boost to electronic commerce,
e-transactions and related activities associated with commerce and trade. It also
facilitates electronic governance by means of reliable electronic records.

3. Copyright Act

The Copyright Act 1957, amended by the Copyright Amendment Act 2012, governs the
subject of copyright law in India. This Act has been applicable since 21 January 1958.
Copyright is a legal term which describes the ownership and control of the rights that
authors hold over "original works of authorship" fixed in a tangible form of expression.
Original works of authorship cover certain works of creative expression, including
books, videos, movies, music, and computer programs. Copyright law has been enacted
to balance the use and reuse of creative works against the desire of the creators of art,
literature and music to monetize their work by controlling who can make and sell copies
of the work.

4. Patent Law

Patent law deals with new inventions. Traditional patent law protects tangible
scientific inventions, such as circuit boards, heating coils, car engines, or zippers. Over
time, patent laws have been used to protect a broader variety of inventions such as
business practices, coding algorithms, or genetically modified organisms. A patent is
the right to exclude others from making, using, selling, importing, inducing others to
infringe, and offering a product specially adapted for practice of the patent.

5. IPR

Intellectual property rights (IPR) are rights that allow creators, or owners of patents,
trademarks or copyrighted works, to benefit from their own plans, ideas, or other
intangible assets or investment in a creation. These rights are outlined in Article 27 of
the Universal Declaration of Human Rights, which provides for the right to benefit from
the protection of moral and material interests resulting from authorship of scientific,
literary or artistic productions. These property rights allow the holder to exercise a
monopoly on the use of the item for a specified period.

The Indian Cyberspace

According to India’s Cyber Security Policy 2013, cyberspace is a complex environment
involving people, software, and services, backed by a global dispersion of information
and communication technology (ICT) devices and networks. It is a complex ecosystem of
interactions between people, software, and services, all of which are supported by this
global network of ICT devices and networks.

● In 2017, moving up one place over the previous year, according to a report by
security solutions provider Symantec.

● As per the report, India continues to be the second most impacted country by spam
and bots, the third most impacted by network attacks and the fourth most impacted by
ransomware.

● India has the second-largest internet user population in the world. Increasing
digitization and rising activity over the internet and mobile phones have also
increased the risk of cyber-attacks.

● As per the information given in Parliament, there was a 300% rise in cyber-attacks
during the Covid-19 pandemic.

● The cyber-attack on State Bank of India customers’ ATM cards a few years ago was
an example of the level of cyber threat.

● With a growing rivalry with Pakistan and China, cyber attacks on vital national
installations have become recurrent.

National Cyber Security Policy 2013


National Cyber Security Policy 2013 is a policy framework by the Department of
Electronics and Information Technology (DeitY). It aims at protecting public and private
infrastructure from cyber attacks. The policy also intends to safeguard “information,
such as personal information (of web users), financial and banking information and
sovereign data”.

National Cyber Security Policy Objectives:

● Encouraging the adoption of IT in all sectors of the economy by creating adequate
trust in IT systems through the creation of a secure cyber ecosystem.

● Creating an assurance framework for the design of security policies and for the
promotion and enabling of actions for compliance with global security standards
and best practices through conformity assessment.

● Bolstering the regulatory framework for ensuring a secure cyberspace ecosystem.

● Enhancing and developing national and sectoral level 24 x 7 mechanisms for
obtaining strategic information concerning threats to ICT infrastructure, creating
scenarios for response, resolution and crisis management through effective
predictive, preventive, protective, response and recovery actions.

● Operating a 24×7 National Critical Information Infrastructure Protection Centre
(NCIIPC) to improve the protection and resilience of the country’s critical
information infrastructure.

● Developing suitable indigenous security technologies to address requirements in
this field.

Cyber Forensics
The science of collecting, inspecting, interpreting, reporting, and presenting computer-
related electronic evidence is known as cyber forensics. Evidence can be found on the
hard drive or in deleted files. It is the process of examining, acquiring, and analyzing
data from a system or device so that it can be transcribed into physical documentation
and presented in court. During the inspection, it is critical to create a digital (soft)
copy of the system’s storage. The purpose of carrying out a detailed cyber forensics
investigation is to determine who is responsible for a security breach. The entire
inquiry is carried out on the software copy, ensuring that the original system is not
affected.

The Process Involved in Cyber Forensics

Handling Preliminary Investigations

There are specific ways to track a cybercrime and establish how it took place. The
steps are:

1. An incident occurs in a company or organization.
2. The employees or members contact the company's advocate for legal advice.
3. The advocate contacts a cyber forensics investigator (external or internal).
4. The forensic investigator arrives and prepares the FRP, i.e., First Response
Procedure documentation.
5. The investigator then seizes the evidence and other assets related to the crime
scene and transports them to a forensics lab.
6. The investigator starts analyzing the files and other assets.
7. All the data is examined one item after another, and the person or group of
people associated with the incident are then contacted.

Controlling an Investigation
For those working in the field, there are five critical steps in computer forensics, all of
which contribute to a thorough and revealing investigation:

Policy and Procedure Development:

Whether related to malicious cyber activity, criminal conspiracy or the intent to
commit a crime, digital evidence can be delicate and highly sensitive. Cyber security
professionals understand the value of this information and respect the fact that it can
be easily compromised if not properly handled and protected. For this reason, it is
critical to establish and follow strict guidelines and procedures for activities related to
computer forensic investigations.

Evidence Assessment:

A key component of the investigative process involves the assessment of potential
evidence in a cyber crime. Central to the effective processing of evidence is a clear
understanding of the details of the case at hand and thus, the classification of cyber
crime in question. For instance, if an agency seeks to prove that an individual has
committed crimes related to identity theft, computer forensics investigators use
sophisticated methods to sift through hard drives, email accounts, social networking
sites, and other digital archives to retrieve and assess any information that can serve as
viable evidence of the crime.

Evidence Acquisition:

Perhaps the most critical facet of a successful computer forensic investigation is a
rigorous, detailed plan for acquiring evidence. Extensive documentation is needed
prior to, during, and after the acquisition process; detailed information must be
recorded and preserved, including all hardware and software specifications, any
systems used in the investigation process, and the systems being investigated. This
step is where policies related to preserving the integrity of potential evidence are most
applicable.

Evidence Examination:

In order to effectively investigate potential evidence, procedures must be in place for
retrieving, copying, and storing evidence within appropriate databases. Investigators
typically examine data from designated archives, using a variety of methods and
approaches to analyze information; these could include utilizing analysis software to
search massive archives of data for specific keywords or file types, as well as
procedures for retrieving files that have been recently deleted.

Documenting and Reporting:

In addition to fully documenting information related to hardware and software specs,
computer forensic investigators must keep an accurate record of all activity related to
the investigation, including all methods used for testing system functionality and
retrieving, copying, and storing data, as well as all actions taken to acquire, examine
and assess evidence.

Conducting Disk Based Analysis


Disk-based analysis deals with extracting raw data from the primary or secondary
storage of the device by searching active, modified, or deleted files. It is the science of
extracting forensic information from digital storage media such as hard disks, USB
devices, FireWire devices, CDs, DVDs, flash drives, floppy disks, etc. The process of disk
forensics is:

1. Identify digital evidence
2. Seize and acquire the evidence
3. Authenticate the evidence
4. Preserve the evidence
5. Analyze the evidence
6. Report the findings
7. Document the process
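The acquire, authenticate and preserve steps above rest on one mechanism: hashing the image at acquisition and re-hashing it before every analysis, with each action logged in a chain-of-custody record. The following Python is an added illustration written for these notes, not code from the original; the "disk image" bytes, the evidence label and the examiner names are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List


@dataclass
class CustodyRecord:
    """One chain-of-custody entry: who did what to the evidence and the hash observed."""
    action: str
    actor: str
    sha256: str


@dataclass
class EvidenceImage:
    """A forensic image, the hash recorded at acquisition, and its custody log."""
    label: str
    data: bytes                      # raw bytes of the acquired image
    acquisition_sha256: str
    custody: List[CustodyRecord] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(label: str, source: bytes, examiner: str) -> EvidenceImage:
    """Seize & acquire: copy the source bit-for-bit and record the acquisition hash.
    All later work happens on this copy; the original source is never modified."""
    image = bytes(source)
    digest = sha256_hex(image)
    ev = EvidenceImage(label, image, digest)
    ev.custody.append(CustodyRecord("acquired", examiner, digest))
    return ev


def authenticate(ev: EvidenceImage, examiner: str) -> bool:
    """Authenticate: re-hash the image; it is only trustworthy if the hash still
    matches the one taken at acquisition. The check itself is logged either way."""
    digest = sha256_hex(ev.data)
    ev.custody.append(CustodyRecord("verified", examiner, digest))
    return digest == ev.acquisition_sha256


# Constructed sample "disk image" (placeholder bytes, not a real volume): a boot
# marker, one active file and the remnant of a deleted file.
SAMPLE_SOURCE = (b"BOOT\x00\x00" + b"report.docx:confidential memo"
                 + b"\x00" * 8 + b"[deleted]invoice.pdf")

if __name__ == "__main__":
    ev = acquire("HDD-01", SAMPLE_SOURCE, "examiner A")
    print("acquisition hash:", ev.acquisition_sha256)
    print("image intact:", authenticate(ev, "examiner B"))
    tampered = EvidenceImage("HDD-01-altered", ev.data + b"x", ev.acquisition_sha256)
    print("altered copy intact:", authenticate(tampered, "examiner B"))
```

A single appended byte in the altered copy changes the digest, so the verification fails and the custody log shows the mismatching hash beside the examiner who found it.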

Investigating Information-Hiding
Information hiding is a research domain that covers a wide spectrum of methods used
to make (secret) data difficult to notice. Due to improvements in network defenses,
such techniques have recently been gaining increasing attention from actors like
cybercriminals, terrorists and state-sponsored groups, as they allow data to be stored or
communication to be cloaked in a way that is not easily discoverable. Several real-
world cases have reached the attention of the public media, including the following:

● The arrest of one of al Qaeda's members in Berlin with video files containing
hidden information on ongoing and future terrorist operations (2012)

● The exfiltration of confidential data from the U.S. to Moscow by Russian spies
(2010)

● The transfer of child pornographic material by a group of pedophiles called
"Shadowz Brotherhood" (2002), and

● The planning of a terrorist attack after the September 11, 2001 attacks. A number
of articles suggested that al Qaeda members used steganography to coordinate
their actions (2001)

In these cases, information-hiding techniques were used to hide confidential or illegal
data in innocent-looking material, for example, digital pictures.

Scrutinizing Email
Email forensics is dedicated to investigating, extracting, and analyzing emails to collect
digital evidence as findings in order to solve crimes and certain incidents, in a
forensically sound manner.
Email forensics is conducted across various aspects of emails, which mainly include:

✔ Email messages
✔ Email addresses (sender and recipient)
✔ IP addresses
✔ Date and time
✔ User information
✔ Attachments
✔ Passwords
✔ Logs (Cloud, server, and local computer)

Steps of Email Scrutiny are given below:

1. Local computer-based emails: For local computer-based email data files, such as
Outlook .pst or .ost files, it is recommended to apply the techniques below directly.

2. (Cloud) server-based emails: For (cloud) server-based email data files, it is not
possible to conduct complete forensic work until you obtain electronic copies from the
(cloud) server database with the consent of the service provider.

3. Web-based emails: For web-based e-mail (e.g., Gmail) investigations, it is more
likely that you can only filter specific keywords to extract email address-related
information rather than the overall email data, compared to local computer-based
emails.

Validating Email Header Information


Email headers contain vital information about the path that the message has traversed
before reaching its final destination. This information includes recipients' and senders'
names, time of sending and receiving the email message, email client, internet service
provider (ISP), IP address of the sender, etc. This information and other email header
fields can help in determining the legitimacy of a suspicious or malicious email.

Following are the Email headers used in Gmail:
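The path reconstruction described above can be automated: Received headers are prepended by each mail server, so reading them bottom-up gives origin to destination, and the Authentication-Results, From and Return-Path fields can be cross-checked against each other. The Python below is an added example written for these notes, not from the original; the header block is a constructed sample with documentation-range IP addresses and placeholder domains.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample (not a real message): a mail claiming to come from example-bank.com
# whose Return-Path, SPF result and originating hop all tell a different story.
SAMPLE_HEADERS = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
 by mail.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from unknown-host (unknown [192.0.2.55])
 by relay.example.net with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: "Example Bank" <alerts@example-bank.com>
Return-Path: <bounce@mailer.example.net>
"""

# One hop: "from <helo> (<rdns> [<ip>]) by <server> ..."; DOTALL because headers are folded.
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.DOTALL)

def received_path(msg: Message) -> List[Dict[str, str]]:
    """Each server prepends its Received header, so reversing them yields origin -> destination."""
    path = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if m:
            path.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return path

def auth_result(msg: Message, mech: str) -> str:
    """Pull e.g. spf=pass / dkim=fail out of Authentication-Results ("none" if absent)."""
    joined = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(rf"\b{mech}=(\w+)", joined)
    return m.group(1).lower() if m else "none"

def domain_of(addr_header: str) -> str:
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()

def analyze(raw: str) -> Dict[str, object]:
    """Reconstruct the path and flag the inconsistencies that mark a suspicious mail."""
    msg = message_from_string(raw)
    r: Dict[str, object] = {"path": received_path(msg), "spf": auth_result(msg, "spf"),
                            "dkim": auth_result(msg, "dkim"), "from_domain": domain_of(msg.get("From", "")),
                            "return_path_domain": domain_of(msg.get("Return-Path", ""))}
    findings = [f"{m} result is {r[m]}, not pass" for m in ("spf", "dkim") if r[m] != "pass"]
    if r["from_domain"] != r["return_path_domain"]:
        findings.append(f"From domain {r['from_domain']} differs from Return-Path domain {r['return_path_domain']}")
    if r["path"] and r["path"][0]["helo"].startswith("unknown"):
        findings.append(f"originating hop {r['path'][0]['ip']} has no identifiable host name")
    r["findings"] = findings
    return r
```

Only the Received line added by your own receiving server can be trusted outright; earlier hops were written by other parties and are checked against each other, which is why the origin hop and the authentication results are reported together.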


Tracing Internet Access
Tracing is a process that follows the Internet activity backwards, from the recipient to
the user. As well, a user's Internet activity on web sites can also be tracked on the
recipient site (i.e., what sites are visited and how often). Sometimes this tracking and
tracing ability is used to generate email to the user promoting a product that is related
to the sites visited.
Common Internet Access Tracking Tools are described below:

❖ Cookies. Cookies are computer files that are stored on a user's computer
during a visit to a web site. When the user electronically enters the web site,
the host computer automatically loads the file(s) to the user's computer. The
cookie is a tracking device, which records the electronic movements made by
the user at the site, as well as identifiers such as a username and password.

❖ Bugs or Beacons. A bug or a beacon is an image that can be installed on a web
page or in an email. Unlike cookies, bugs cannot be disabled. They can be
prominent or surreptitious. As examples of the latter, graphics that are
transparent to the user can be present, as can graphics that are only 1x1 pixels
in size (corresponding to a dot on a computer monitor). When a user clicks
onto the graphic in an attempt to view, or even to close the image, information
is relayed to the host computer.

❖ ActiveX, JavaScript. These computer-scripting technologies are automatically
activated when a site is visited. The mini-programs can operate within the
larger program, so as to create the "pop-up" advertiser windows that appear
with increasing frequency on web sites. When the pop-up graphic is visited,
user information such as described in the above sections can be gathered.

❖ Chat rooms. Chat rooms are electronic forums where users can visit and
exchange views and opinions about a variety of issues. By piecing together the
electronic transcripts of the chat room conversations, enforcement officers can
track down the source of malicious activity.

Tracing Memory in Real Time
Memory forensics refers to the analysis of volatile data in a computer’s memory dump.
Memory forensics can provide unique insights into runtime system activity, including
open network connections and recently executed commands or processes. In many
cases, critical data pertaining to attacks or threats will exist solely in system memory –
examples include network connections, account credentials, chat messages, encryption
keys, running processes, injected code fragments, and internet history that is never
cached to disk.

Benefits of Using Memory Forensics for Incident Response:

● You need to first confirm that there is malware on the device before you can
capture a sample and begin reverse-engineering the malware with specialist
tools.

● Taking an image of a device can be time-consuming, and you then have the issue
of transferring the image which could be 100GB in size, to a location where it can
be analyzed. Then you have to take into consideration how long the analysis will
take by the team.

● This is where memory analysis can be a big win for the IR team. Whereas a
server hard drive may be over 100GB in size, the RAM of the device will be a lot
smaller, typically 16GB – 32GB. This means that capturing a RAM dump from a
device will be a lot quicker and smaller in size when transferring the output.

● By prioritizing RAM over a hard disk image when triaging an incident you can
begin analyzing the RAM dump for IOCs (Indicators of Compromise) while you
begin working on getting an image of the hard drive.
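The last point, triaging a RAM dump for IOCs before the disk image is even available, amounts to carving printable strings from the capture and matching them against an indicator list. The Python below is an added example for these notes, not code from the original; the dump bytes, the IOC sets and the credential string are all constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample memory dump (not a real capture): printable fragments of a
# process's memory separated by binary noise, as a strings-style carve would see them.
SAMPLE_DUMP = (
    b"\x00\x01MZ\x90\x00" + b"C:\\Windows\\System32\\svchost.exe" + b"\xff\xfe"
    + b"POST /gate.php HTTP/1.1\r\nHost: updates.example-cdn.test\r\n" + b"\x00" * 5
    + b"connect 198.51.100.23:4444" + b"\x7f\x00"
    + b"Password=Summer2024!" + b"\x00\x00"
    + b"https://intranet.example.org/wiki" + b"\x00"
)

# Constructed IOC sets standing in for what an IR team would load from threat intel.
IOC_IPS = {"198.51.100.23"}
IOC_DOMAINS = {"updates.example-cdn.test"}
IOC_STRINGS = {"/gate.php"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
CRED_RE = re.compile(r"\b(?:password|passwd|pwd)\s*=\s*\S+", re.IGNORECASE)


def carve_strings(dump: bytes, min_len: int = 4) -> List[str]:
    """Carve runs of printable ASCII (like the `strings` tool) from a raw memory image."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, dump)]


def scan_for_iocs(dump: bytes) -> Dict[str, List[str]]:
    """Match carved strings against the IOC sets; hits are grouped by indicator type.
    Credential-looking strings are reported too, since they only exist in RAM."""
    hits: Dict[str, List[str]] = {"ip": [], "domain": [], "string": [], "credential_like": []}
    for s in carve_strings(dump):
        hits["ip"] += [ip for ip in IPV4_RE.findall(s) if ip in IOC_IPS]
        hits["domain"] += [d.lower() for d in DOMAIN_RE.findall(s) if d.lower() in IOC_DOMAINS]
        hits["string"] += [ioc for ioc in IOC_STRINGS if ioc in s]
        if CRED_RE.search(s):
            hits["credential_like"].append(s)
    return hits


if __name__ == "__main__":
    for kind, found in scan_for_iocs(SAMPLE_DUMP).items():
        print(f"{kind}: {found}")
```

The carve is deliberately naive (ASCII only, no UTF-16 strings, no process attribution); it is the quick first pass that lets the team start on RAM while the far larger disk image is still being acquired.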
