Cyber Security CSA320 NOTES
UNIT-I
INTRODUCTION
Overview of Cyber Security
Cyber security is the practice of defending computers, servers, mobile devices,
electronic systems, networks, and data from malicious attacks. It's also known as
information technology security or electronic information security. The term applies in
a variety of contexts, from business to mobile computing, and can be divided into a
few common categories.
· Information security protects the integrity and privacy of data, both in storage
and in transit.
· Operational security includes the processes and decisions for handling and
protecting data assets. The permissions users have when accessing a network and the
procedures that determine how and where data may be stored or shared all fall under
this umbrella.
· Disaster recovery and business continuity define how an organization responds
to a cyber-security incident or any other event that causes the loss of operations or
data. Disaster recovery policies dictate how the organization restores its operations
and information to return to the same operating capacity as before the event. Business
continuity is the plan the organization falls back on while trying to operate without
certain resources.
Cyber Threats
A cyber or cyber security threat is a malicious act that seeks to damage data, steal data,
or disrupt digital life in general. Cyber threats include computer viruses, data
breaches, Denial of Service (DoS) attacks, and other attack vectors. Cyber threats also
refer to the possibility of a successful cyber-attack that aims to gain unauthorized
access, damage, disrupt, or steal an information technology asset, computer network,
intellectual property, or any other form of sensitive data. Cyber threats can come from
within an organization by trusted users or from remote locations by unknown parties.
1. Cyber Warfare
2. Cyber Crime
3. Cyber Terrorism
4. Cyber Espionage
2. Cyber Crime: Cybercrime is criminal activity that either targets or uses a computer,
a computer network or a networked device. Most cybercrime is committed by
cybercriminals or hackers who want to make money. However, occasionally
cybercrime aims to damage computers or networks for reasons other than profit. These
could be political or personal.
● Cryptojacking (where hackers mine cryptocurrency using computing resources they do
not own).
3. Cyber Terrorism: Cyber terrorism is often defined as any premeditated, politically
motivated attack against information systems, programs and data that threatens
violence or results in violence. Cyber Terrorist acts are carried out using computer
servers, other devices and networks visible on the public internet. Secured government
networks and other restricted networks are often targets.
Coding errors could introduce several types of vulnerabilities, which include the
following:
● Buffer overflows – These occur when a program accepts more data into an input
buffer than the buffer was sized to hold. An attacker can take advantage of this
by placing malicious code in the overflow portion of the data, which may
then be executed.
● SQL Injection – This could allow an attacker to inject malicious commands into
the database of a web application. The attacker does this by entering specially
crafted Structured Query Language commands into either a data field of a web
application form or into the URL of the web application. If the attack is
successful, the unauthorized and unauthenticated attacker would be able to
retrieve or manipulate data in the database.
System Administration
System administration refers to the management of one or more hardware and
software systems. The task is performed by a system administrator who monitors
system health, monitors and allocates system resources like disk space, performs
backups, provides user access, manages user accounts, monitors system security and
performs many other functions.
The system administrator’s responsibilities are diverse and involve many areas of an
organization’s technology systems. This IT professional may be responsible for some,
or all the areas listed below, depending on an organization’s structure and scope:
● Install and configure local area networks (LANs), wide area networks (WANs),
and network segments and servers, such as file servers, VPN gateways, and
intrusion detection systems.
● Ensure an uninterrupted internet connection and manage mail servers for
sending and receiving emails and file servers for saving and managing data.
● Peer-To-Peer network
● Client/Server network
Peer-To-Peer network:
together with equal privilege and responsibilities for processing the data.
computers.
this can lead to a problem if the computer with the resource is down.
● If one computer stops working, other computers will not stop working.
● In the case of the Peer-To-Peer network, it does not contain the centralized
system. Therefore, it cannot back up the data as the data is different in different
locations.
● Client/Server network is a network model designed for the end users called
clients, to access the resources such as songs, video, etc. from a central computer
known as Server.
● The central controller is known as a server while all other computers in the
● A server performs all the major operations such as security and network
management.
● A server is responsible for managing all the resources such as files, directories,
printer, etc.
shared resources.
● A server has a Network Operating System (NOS) to provide the resources to the
Weak Authentication
The more difficult an authentication mechanism is to defeat, the stronger it is. Clearly
the authentication strength of a system should correlate to the value of the assets it is
protecting. Two-Factor and Multi-Factor Authentication solutions are appropriate for
systems that deal with highly valued assets.
Password Strength:
The “strength” of a password is related to the potential set of combinations that would
need to be searched in order to guess it.
● Length: The number of characters in the password. The greater the length, the
greater the strength.
● Character Set: The range of possible characters that can be used in the password.
The broader the range of characters, the greater the strength. It is typical for
strong password schemes to require upper- and lower-case letters, digits, and
punctuation characters.
Password Policy:
Password Policy describes the rules that are enforced regarding password strength,
changes, and re-use. An effective password policy supports strong authentication. It
is generally accepted that the each of the following will increase the integrity of the
authentication process:
● Periodically changing the password for an account makes it less likely that a
Password Cracking:
There are countless hacking tools and frameworks available to help an attacker guess a
password through an automated sequence of attempts. This is called “brute forcing”
because such tools will attempt all possible password combinations given a set of
constraints in an attempt to authenticate. An application that does not protect itself
against password cracking in some manner may be considered as having a Weak
Authentication vulnerability depending on the requirements and risk-level.
Dictionary Attacks:
In addition to brute force attacks, password cracking tools also typically have the
ability to test a file of candidate passwords. This is called a dictionary attack because
the file used may actually be a dictionary of words. Passwords that can be found in a
dictionary are considered weak because they can eventually be discovered using a
dictionary attack. An application that allows dictionary words as passwords may be
considered as having a Weak Authentication vulnerability depending on the application
requirements and risk-level.
Popular Passwords:
Since passwords are usually freely chosen and must be remembered, and given that
humans are lazy, passwords that are easy to remember tend to be more popular than
those that are not. In fact, some passwords become very popular and are used far
more frequently than might be expected. Although the most popular entries change
over time, you can always find a published “top-N” list of the most common passwords.
Clearly it is in the user’s best interest to avoid the most popular passwords.
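As an added example (not part of these notes), the points above on length, character set, dictionary words and popular passwords combined into one policy checker; the word list and top-N list are constructed placeholders, and the 12-character / 60-bit thresholds are assumed policy values:

```python
import math
import string

# Constructed sample lists for illustration only; a real checker would load a
# full word list and a published top-N list of leaked passwords.
DICTIONARY_WORDS = {"password", "sunshine", "welcome", "dragon", "letmein"}
POPULAR_PASSWORDS = {"123456", "password", "qwerty", "111111", "abc123"}

# Character classes a brute-force tool must cover; the sizes correspond to the
# "upper- and lower-case letters, digits, and punctuation" of the notes.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "punct": set(string.punctuation),       # 32
}


def character_set_size(password: str) -> int:
    """Size of the alphabet an attacker must assume: the sum of every class
    that contributes at least one character to the password."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def search_space(password: str) -> int:
    """Worst-case number of candidates for a brute-force run:
    (character-set size) ** (length)."""
    return character_set_size(password) ** len(password)


def strength_bits(password: str) -> float:
    """The same quantity in bits, which is easier to compare against a policy.
    max(..., 1) keeps log2 defined for empty or all-unclassified input."""
    return math.log2(max(search_space(password), 1))


def dictionary_core(password: str) -> str:
    """Strip the cosmetic digits/punctuation people add at the ends
    ("Dragon1!" -> "dragon") so a dictionary attack with simple mangling
    rules is still caught."""
    return password.lower().strip(string.digits + string.punctuation)


def check_password(password: str, min_length: int = 12,
                   min_bits: float = 60.0) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too short: {len(password)} < {min_length}")
    if password in POPULAR_PASSWORDS:
        problems.append("popular: appears on the top-N list")
    if dictionary_core(password) in DICTIONARY_WORDS:
        problems.append("dictionary: based on a dictionary word")
    bits = strength_bits(password)
    if bits < min_bits:
        problems.append(f"weak: {bits:.1f} bits of search space < {min_bits}")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Dragon1!", "Tr0ub4dor&3Xyz!Q"]:
        print(candidate, check_password(candidate) or "OK")
```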
⮚ Unsecure Wi-Fi
The two types of public networks are ones that are left open by businesses and ones
that are left open by individuals. An open network from a business allows customers
to use the Internet in the establishment, such as patrons of a coffee shop using the
network to work. An open network in a home comes from a router that hasn't been
secured. Sometimes this is unintentional, if the owner doesn't know that her network is
open. However, an unsecured wireless connection isn't always bad. Some experienced
users opt to leave their Wi-Fi open for the public to access, with proper security
precautions to protect their data and bandwidth.
Every router has some wireless security features built into the settings. Log in to your
router's administration settings using your browser; if you've never done this before,
the IP address and default login details are usually on the bottom of the router. When
choosing wireless security, WPA2 is the most secure, while WEP is the easiest for
outside users to crack. Set a strong password, and only share the password with
people you trust. Some routers also offer a Guest Network setting, which allows you to
create a secure wireless network and another unsecure network, which offers you
home security and an open network for visitors or neighbors.
If you routinely access public networks, you can still browse safely. Avoid entering
anything sensitive, such as bank or credit card information. If you have to access this
data, consider using a virtual private network (VPN), which encrypts all the data you
send using an external server.
1. Outdated Software
Websites are not the only ways you can be hacked, either. Operating systems on your
computer, mobile devices or even software running your wireless network at home are
easy to compromise for hackers. Updates to software are more than just fixing
operational bugs. In many instances, these updates include fixes to vulnerabilities like
using that old copy of Windows 7 without security updates turned on could
compromise your personal data.
One of the most common reasons why cyber-attacks cause so much damage is because
of the lack of proper understanding. A lot of people believe themselves to be immune
from threats and don’t really put thought into how dangerous attacks can become.
Even something as simple as a web browser can lead to all kinds of problems in work
and personal lifestyles. According to Kaspersky Lab, a leader in antivirus software,
attackers used web browsers 62% of the time to spread mayhem.
3. Lack of Proper Protection
One of the leading causes of hackers gaining a foothold in your systems is
improper protection. Remember the comment earlier about not locking your door at
night? Essentially, a lack of security software on your computer or website would be
like removing that door entirely. More than 304 million cyber-attacks were recorded in
2015. Although most of these were thwarted, it puts it into perspective just how
virulent attacks are in the world. In fact, more than 27% of all malware pieces recorded
throughout history were produced that same year.
4. Effects of Ransomware
Ransomware has been around for quite some time, but it has grown exponentially
since 2015. Essentially, this is when someone gains control of a database or computer
system and blocks its use until a “ransom” is paid. However, these kinds of attacks
only happen less than one percent of the time. To put this into perspective, the
Hollywood Presbyterian Medical Center’s network in Los Angeles was held hostage in
2016 until a $17,000 Bitcoin ransom was paid. Because of the number of lives that are
held in the balance from attacks like this, it’s much easier to extort money.
5. Evolving Software
Some forms of attacks are extremely difficult to track down and stop, even for high-
end software. For example, a polymorphic virus delivers a new payload every time it
expands. This means it essentially mutates each time making it very difficult to spot.
As many as 32% of computers with antivirus protection are infected at any given time.
This is often from new viral variants as well as polymorphic malware. All it takes is a
minor change in coding to help a virus become something new and undetectable.
Cyber Security Safeguards
Safeguards are the protective measures and controls prescribed to meet the security
requirements specified for an information system. Safeguards may include security
features, management constraints, personnel security, and security of physical
structures, areas, and devices. Some major cyber security safeguards are listed below:
5. Look Out for Fake Notification Emails from Social Media Sites
Access Control
Access control is a data security process that enables organizations to manage who is
authorized to access corporate data and resources. Secure access control uses policies
that verify users are who they claim to be and ensure appropriate control access levels
are granted to users.
1. Audit: Organizations can enforce the principle of least privilege through the access
control audit process. This enables them to gather data around user activity and
analyze that information to discover potential access violations.
3. Biometrics: A biometric access control system is one that determines whether or not
to let a person into a building or a specific room based on the individual's unique
physical biometric characteristics. It works by comparing something unique about the
person—such as face, fingerprint, and iris, palm, and hand geometry— to a database of
stored biometric templates about authorized users. If there is a match, the person is
allowed in; otherwise, the person is denied access. It provides significant physical
security benefits for protecting a wide variety of locations from intruders.
6. Denial of Service Filters: The DoS Filter window is used to enable or disable the
Denial of Service filter. The DoS filter automatically scans traffic passing through the
switch for well-known frames (based on packet signature) that are typically used to
conduct Denial of Service attacks to network devices. Once a frame is identified as a
threat, it is automatically dropped.
b. To disable DoS filtering, select Disable from the DoS Filtering drop-down list.
c. To enable DoS filtering, select Enable from the DoS Filtering drop-down list.
9. Response: It is a set of information security policies and procedures that you can
use to identify, contain, and eliminate cyber attacks. The goal of incident response is to
enable an organization to quickly detect and halt attacks, minimizing damage and
preventing future attacks of the same type. There are six steps to incident response.
These six steps occur in a cycle each time an incident occurs. The steps are:
10. Scanning: Security scanning, or vulnerability scanning, can mean many different
things, but it can be simply described as scanning the security of a website, web-based
program, network, or file system for either vulnerabilities or unwanted file changes.
The type of security scanning required for a particular system depends on what that
system is used for. The more complicated and intricate the system or network is, the
more in-depth the security scan has to be. Security scanning can be done as a one-time
check, but most companies who incorporate this into their security practices buy a
service that continually scans their systems and networks.
11. Security Policy: Cyber security procedures explain the rules for how employees,
consultants, partners, board members, and other end-users access online applications
and internet resources, send data over networks, and otherwise practice responsible
security. For large organizations or those in regulated industries, a cybersecurity policy
is often dozens of pages long. For small organizations, however, a security policy
might be only a few pages and cover basic safety practices. Such practices might
include:
● Rules for using email encryption
● Lower risk with faster threat detection, consistent investigations and faster
response
UNIT-II
SECURING WEB APPLICATIONS, SERVICES, SERVERS
AND INTRUSION DETECTION AND PREVENTION
In this, all the personal data of the user should be stored at the server in an encrypted
form.
HTTP cannot regulate the content of data that is transferred. HTTP cannot have any
prior method to determine the sensitivity of any particular part of the information within
the context of any request. Revealing any specific software version of the server might
allow the server machine to become more vulnerable to attacks against software which
contains security holes. The Proxies which serve as a portal through the firewall of the
network should take special precaution about the transfer of header information which
is used to identify the hosts behind the firewall.
3. Encoding Sensitive Information in URLs
The source of a link could be private information, so it is strongly recommended that the
user be able to select whether or not the Referer field is sent.
If the referring page was transferred with a secure protocol, clients should not
include a Referer field in an HTTP request.
Accept request-headers can reveal the client's information to all servers which are
accessed.
On average, businesses lose $3.9 million in malware and ransomware attacks. SOAP
Security protects the sensitive data in companies’ charge from access by the wrong
hands. Basically, you integrate security into your API infrastructure to protect the
interests of your customers or clients.
SOAP Security Risks: There are several kinds of cyber-attacks and vulnerabilities, and
those uniquely targeting APIs make the bulk of SOAP security risks. Some of them
include:
1. Code Injections – in SOAP, XML code injections introduce malicious code into
You must ensure SOAP messages are shown to authorized users only.
3. (Distributed) Denial of Service – DoS or DDoS attacks overwhelm web
services with an excessive number of messages or with excessively long messages.
Limiting message length and volume in SOAP security prevents these attacks.
4. Cross-Site Scripting – code injection, but happens from the web application
• An IDMS will close IT security gaps related to enrolling and terminating employees.
• Physical security can leverage the defined corporate roles by defining access control
privileges to match, aligning physical security more tightly with the organization's job
roles. This doesn't require the access control system to be integrated with any other
system.
WEB SERVICES:
Web services technology is being used to address business needs in following ways:
• Enterprise Application Integration (this is the category for PACS and IDMS
integration)
• Improved Application Development Efficiency Business Partner Integration
(suppliers, distributors, channels, etc.)
Authorization Patterns
These are security mechanisms you can use to decide a client’s privileges over
system resources, such as files, services, data, and application features, based on
the client’s identity. One such mechanism is OAuth 2.0.
Authorization Patterns are mentioned below:
1. Scattered data and scattered logic pattern: In this pattern, the data required to make
authorization decisions get scattered across the different micro services. In addition to
data, the logic behind deciding whether access is to be given to the requestor or not is
spread across the service.
The pattern given above works for a small number of microservices, but problems
start appearing when the number of services increases. The calls to fetch data for making
authorization decisions put an unnecessary load on the underlying services, as shown
in the above diagram.
2. Centralized data and logic patterns: We can try putting all the authorization data
and logic in one place as a solution. We can then separate it from services that require
authorization. We can implement this pattern by following a common way of building
a dedicated authorization service. Another option could be to use an off-the-shelf
solution like Keycloak or Open Policy Agent. Whenever services have to perform
permission checks, they ask the authorization service.
Having a single system in charge of authorization is quite appealing. But we should
consider some essential points before finalizing the pattern as mentioned below:
● The entire authorization data is in a single place now. There could be one
possibility: either the authorization service turns into the data’s single source of
truth, or you can copy and synchronize the data from your applications to a
central place.
● The authorization data should understand the entire data model underlying
permissions related to groups, shares, folders, guests, and projects. The system
can become a bottleneck for new development if the models are constantly
changing. Any change in any microservice can require an update to the
authorization service, thus breaking the separation of concerns.
● A single service that has the responsibility for securing every type of request
needs high availability as well as low latency. Every request gets denied if the
system goes down, and every request gets slow if the system starts responding to
the queries slowly.
3. Scattered logic and central gateway data pattern: In this pattern, all the data required for
authorization is attached to every request. Each service then does not have to
fetch data separately, which reduces the load on the underlying services.
The advantage of this pattern is its architectural simplicity, and it gives
developers the freedom not to be concerned about where the roles data or org data
originates. We can get the authorization data quickly on request, and we can also
perform a permission check instantly without any additional roundtrips.
Security Considerations
Data security consideration requires the security of data and system resources against
unauthorized access, disclosure, or corruption. Data breaches may be intentional or
unintentional but ultimately cause huge losses to the organization hence need to be
taken seriously.
1. Backing up Data
The purpose of data backup is to create extra copies of important files in a separate
storage location to act as a backup during any failure. Various factors like human
carelessness, malicious attack, or system faults trigger failure in an infrastructure.
Physical storage or cloud storage stores the backed-up data.
As a business grows, keeping track of huge amounts of data and managing them can
be tricky. Data archiving is the process of retaining inactive data at a secure place for a
long time. Such data may or may not be used in the future but are required to be stored
for its intended purpose. Archives have search facilities. Indexing makes retrieval
fast and easy. Archives hold old information that is unnecessary for everyday tasks.
Storing such inactive information in primary storage can reduce its efficiency. Data
archive helps in reducing the load on primary storage by moving unused resources to
the archive.
3. Disposal of Data
An organization should wipe out data regularly, whether that’s cleaning inboxes or
getting rid of old databases that are no longer relevant. Data stored on physical storage
devices like hard drives, USBs, tapes must be purged before discarding.
The information stored in the cloud is destroyed to keep the organization’s private
data out of reach from criminals. Every company must do this whenever they get rid of
something that holds data.
4. Location Security
For example, the warehouse located in a disaster-prone area poses a huge risk of data
compromise during a calamity.
5. Redundant Utilities
The data center has critical data and facilities required to keep the business up and
running. To restrict unwanted intruders from entering the data center’s perimeter,
strong security barriers must be set up. These barriers can be two-factor authentication,
access control, or leveraging CCTV surveillance. But no matter how complex the
security is there will always be some data loss. This can be due to various reasons like
employee negligence or malicious activity. Hence duplication of critical components of
the system becomes necessary. This increases the reliability of the system, improves
performance, and provides a fail-safe backup.
Challenges
For security teams, the number of controls they can implement to secure a web
application in production is limited while for the attackers, there is no limit on the
number of attack vectors they can exploit. The five most common web application security
challenges faced are:
1. Injection: Injection or SQL injection is a type of security attack in which the malicious
attacker inserts or injects a query via input data (as simple as via filling a form on the
website) from the client-side to the server. If it is successful, the attacker can read data
from the database, add new data, update data, delete some data present in the database,
issue administrator commands to carry out privileged database tasks, or even issue
commands to the operating system in some cases.
4. XML External Entities: This type is common to web applications that parse XML
input. It is carried out when the input in the form of XML references an external entity
but is processed by a weak XML parser. It can cause a huge loss to the brand as it can in
turn allow distributed denial of service, port scanning, server-side request forgery,
disclosure of sensitive information, etc.
5. Broken Access Control: Access control specifies limits or boundaries in which a user
is allowed to operate. For example, the root privileges are usually given to the
administrator and not the actual users. Having a broken or leaking access control system
can result in unintended information leaks, modifying details of other user accounts,
manipulating metadata, acting as the admin, unauthorized API access, etc.
Physical Theft
A physical threat is a potential cause of an incident that can result in loss or physical
harm to the computer systems. Physical security is represented as the security of
personnel, hardware, programs, networks, and data from physical situations and
events that can cause severe losses or harm to an enterprise, departments, or
organization. This includes security from fire, natural disasters, robbery, theft,
elimination, and terrorism.
Accidents − Accidental misuse or damage will be influenced over time by the attitude
and disposition of the staff in addition to the environment. Human errors have a higher
impact on information system security than do man-made threats caused by purposeful
attacks. But most accidents that are serious threats to the security of information
systems can be diminished.
Abuse of Privileges
Privileged account abuse occurs when the privileges associated with a particular user
account are used inappropriately or fraudulently, either maliciously, accidentally or
through willful ignorance of policies. Privileged accounts are a gateway to critical
systems and data. Abuse of these powerful accounts can lead to the loss of sensitive
data and business intelligence, as well as downtime of systems and applications
essential for business operations.
Ask your friends whether they have ever accessed information they shouldn’t have
seen. I’m sure you’ll find that many of them have. This happens because privilege
assignment is often seen as a one-time task, which it shouldn’t be. Instead, on a regular
basis, you should make sure to:
● Review access rights and remove excessive permissions in accordance with the
least-privilege principle.
● Review and update permissions whenever a user’s role in the organization
changes.
● Make sure your sensitive data is not overexposed by verifying that access to it is
Would you know if there were a suspiciously high number of failed attempts to access
a critical file or database, or an unauthorized modification to your security groups? If
not, this step is especially important to you. Without a thorough monitoring of all
changes and user activity in the IT environment, it is impossible to detect threats,
including privilege abuse, in their early stages.
It’s one thing to collect data. It’s totally another to get meaningful insights out of it.
Can you tell when your users exercise their privileges outside of normal working
hours? Do you know whether their current behavior deviates from the norm? User
behavior analysis will show you anomalies that are not always obvious if you just look
at event logs.
Unauthorized Access by Outsider
Unauthorized access is when a person gains entry to a computer network, system,
application software, data, or other resources without permission. Any access to an
information system or network that violates the owner or operator’s stated security
policy is considered unauthorized access. Unauthorized access is also when legitimate
users access a resource that they do not have permission to use. The most common
reasons for unauthorized entry are to:
Fraudulent use of access cards: Access cards that are lost, stolen, copied or shared
pose an unauthorized access risk.
Door propping: While incredibly simple, propping open a door or window is one of
the most effective ways for an insider to help a perpetrator gain unauthorized access to
restricted buildings or spaces.
Malware Infection
Malware (short for “malicious software”) is a file or code, typically delivered over a
network, that infects, explores, steals or conducts virtually any behavior an attacker
wants. And because malware comes in so many variants, there are numerous methods
to infect computer systems. Though varied in type and capabilities, malware usually
has one of the following objectives:
Web Application Firewall (WAF) – The Imperva cloud WAF is a cloud-based firewall
deployed on your network’s edge. It bolsters your existing IPS through signature,
reputational and behavioral heuristics that filter malicious incoming requests and
application attacks—including remote file inclusions and SQL injections.
Anti-Malware Software
Anti-malware is a type of software developed to scan, identify and eliminate malware,
also known as malicious software, from an infected system or network.
Benefits of Anti-Malware:
● Real-time protection
● Boot-time scan
● Scanning of individual files
● Protection of sensitive information
● Restoration of corrupted data
● Protection from spam and identity theft
● Provides robust web protection
● Provides quick scan of the removable device
The majority of NIPSs utilize one of the three detection methods as follows:
preconfigured. This detection method monitors the network traffic and compares
it with the preconfigured signatures so as to find a match. On successfully
locating a match, the NIPS takes the next appropriate action. This type of
detection fails to identify zero-day threats. However, it has proved to be
very good against single-packet attacks.
● Anomaly-based detection: This method of detection creates a baseline on
average network conditions. Once a baseline has been created, the system
intermittently samples network traffic on the basis of statistical analysis and
compares the sample to the created baseline. If the activity is found to be outside
the baseline parameters, NIPS takes the necessary action.
● Protocol state analysis detection: This type of detection method identifies
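The first two detection methods above, signature matching and statistical anomaly detection, as an added example (not from these notes) run over constructed packet records and traffic-rate samples; the signature patterns, addresses and rate values are illustrative placeholders, not vendor rules or real captures.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed signature table: each entry is a byte pattern typical of a known
# attack string. Real NIPS rule sets are far larger and vendor-maintained.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"(?i)union\s+select"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}


def signature_scan(packets):
    """Signature-based detection: compare every payload against the preconfigured
    patterns and report (signature name, source) for each match. Anything without
    a signature, i.e. zero-day traffic, passes unnoticed."""
    alerts = []
    for pkt in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                alerts.append((name, pkt.src))
    return alerts


def build_baseline(rates):
    """Anomaly-based detection, step 1: learn average network conditions from a
    training window of per-interval packet counts (mean and population stdev)."""
    return statistics.mean(rates), statistics.pstdev(rates)


def anomaly_scan(baseline, samples, k=3.0):
    """Step 2: flag sampled rates outside mean + k * stdev.
    Returns (sample index, rate) for every outlier."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    return [(i, rate) for i, rate in enumerate(samples) if rate > threshold]


if __name__ == "__main__":
    # Constructed traffic: one benign request and one carrying a known pattern.
    packets = [
        Packet("10.0.0.5", "10.0.0.1", b"GET /index.html HTTP/1.1"),
        Packet("10.0.0.9", "10.0.0.1",
               b"GET /item?id=1 UNION SELECT name FROM users HTTP/1.1"),
    ]
    print(signature_scan(packets))
    # Constructed packets-per-second training window, then live samples.
    baseline = build_baseline([100, 110, 95, 105, 100, 90, 108, 102])
    print(anomaly_scan(baseline, [99, 104, 400, 97]))
```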
HIPS settings can be found in Advanced setup (F5) > Detection engine > HIPS >
Basic. The HIPS state (enabled/disabled) is shown in the ESET Endpoint Security main
program window, in the Setup > Computer.
The SIM tool (system) acts as a software agent which sends reports about
events to the centralized server, through which administrators are kept updated.
That’s all about Security Information Management.
Though we’ve advanced considerably from radio technology, the principle of traffic
analysis remains the same. Communication traffic patterns are scrutinized for
information that will help keep assets secure. By monitoring network traffic, abnormal
activity from threat actors can be detected early on, thwarting attackers before they
achieve their goal of destruction or theft.
Need for Network Session Analysis:
1. They shorten the dwell time of infections. Discovering threats as soon as possible
is the best way to minimize damage. The longer an infection lives in a network,
the more damage it can do. Swiftly detecting a threat can ensure that there is
minimal harm.
2. They improve efficiency. Most organizations do not have the resources to have
personnel devoted to actively monitoring for and investigating risk around the
clock. These solutions automate threat detection, allowing organizations to do
more with less and ensuring that security analysts are able to focus more on threat
removal.
3. They provide wide coverage. By monitoring traffic, NTA solutions can monitor
different types of devices. For example, many NTA solutions are OS agnostic,
monitoring traffic from both Linux servers and Windows workstations.
Countermeasures:
There are various countermeasures that can be used for effective security which include
physical security, logical security, and cryptographic security.
as files, network access, and so on. Logical controls help prevent unauthorized
or improper access to a computer system.
● Examples of logical controls are passwords, encryption algorithms, and limits
on an authorized user's ability to access another user's data.
● Physical security protects items by ensuring that physical intrusions are
properly locked down and that doors and windows are tightly secured.
● Cryptographic security controls ensure the proper transmission of
There are numerous cryptographic algorithms in use, but in general they can be
broken into three categories: symmetric cryptography, asymmetric cryptography, and
hash functions.
Asymmetric cryptography: Caesar may have been able to confer with his centurions in
person, but you don't want to go into your bank and talk to the teller just to learn what
the private key is for encrypting your electronic communication with the bank—that
would defeat the purpose of online banking. In general, in order to function securely,
the internet needs a way for communicating parties to establish a secure
communications channel while only talking to each other across an inherently insecure
network. The way this works is via asymmetric cryptography, which is sometimes
called public key cryptography.
Message Authentication
Message authentication ensures that the message has been sent by a genuine identity
and not by an imposter. The service used to provide message authentication is a
Message Authentication Code (MAC). A MAC uses a keyed hash function that
includes the symmetric key between the sender and receiver when creating the digest.
● Lower level: At this level, there is a need for a function that produces an
authenticator, which is the value that will further help in the authentication of
a message.
● Higher-level: The lower level function is used here in order to help receivers
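The MAC described above, shown with HMAC-SHA256 as an added example (not code from the notes); the shared key and the message are constructed. Because sender and receiver hold the same key, a valid tag shows the message came from a key holder unaltered, but it cannot prove which of the two produced it.

```python
import hashlib
import hmac

# Constructed example key, shared out of band by sender and receiver.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def make_mac(key: bytes, message: bytes) -> bytes:
    """Sender side: the authenticator is a keyed hash (HMAC-SHA256) over the
    message; the symmetric key is mixed into the digest computation."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag with the shared key and compare.
    hmac.compare_digest runs in constant time, so the comparison does not
    leak how many leading bytes of a guessed tag were correct."""
    return hmac.compare_digest(make_mac(key, message), tag)


def demo() -> dict:
    """Constructed message and the outcomes a receiver would see."""
    msg = b"transfer 100 to account 42"
    tag = make_mac(SHARED_KEY, msg)
    return {
        # untouched message and tag from a key holder: accepted
        "genuine": verify_mac(SHARED_KEY, msg, tag),
        # message altered in transit, tag unchanged: rejected
        "tampered_message": verify_mac(SHARED_KEY, b"transfer 900 to account 42", tag),
        # impostor without the shared key cannot produce a valid tag: rejected
        "wrong_key": verify_mac(SHARED_KEY, msg, make_mac(b"impostor-key", msg)),
        # an unkeyed hash of the message is not an authenticator: rejected
        "plain_hash": verify_mac(SHARED_KEY, msg, hashlib.sha256(msg).digest()),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```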
Digital Signatures
A digital signature is a mathematical technique used to validate the authenticity and
integrity of a message, software, or digital document.
then the message digest is encrypted using the sender's private key to form
the digital signature. (Digital signature = encryption(private key of sender,
message digest) and message digest = message digest algorithm(message)).
2. The digital signature is then transmitted with the message (message + digital
signature is transmitted).
3. The receiver decrypts the digital signature using the sender's public key. (This
assures authenticity: only the sender holds the private key, so only the sender
can encrypt with it, and the result can be decrypted with the sender's public
key.)
4. The receiver now has the message digest.
5. The receiver can compute the message digest from the message (actual
Applications of Cryptography
Applications of Cryptography in various fields are:
Blockchain technology has a lot to do with this application. Several nodes in the
blockchain are empowered with cryptography that enables the secure trade of a crypto
currency in a digital ledger system. These ledgers are protected, preserved, and cannot
be accessed by any other person or organization.
2. E-commerce: E-commerce startups enable us to shop items online and pay for them
online. These transactions are encrypted and perhaps cannot be altered by any third
party. Moreover, the passwords we set for such sites are also protected under keys to
ensure that no hacker gets access to our e-commerce details for harmful purposes.
Firewalls
A firewall is a network security device that monitors incoming and outgoing network
traffic and permits or blocks data packets based on a set of security rules. Its purpose is
to establish a barrier between your internal network and incoming traffic from external
sources (such as the internet) in order to block malicious traffic like viruses and
hackers.
Types of firewalls:
B. Proxy firewalls: These filter network traffic at the application level. Unlike basic
firewalls, the proxy acts as an intermediary between two end systems. The client
must send a request to the firewall, where it is then evaluated against a set of
security rules and then permitted or blocked. Most notably, proxy firewalls
monitor traffic for layer 7 protocols such as HTTP and FTP, and use both stateful
and deep packet inspection to detect malicious traffic.
C. Network address translation (NAT): These firewalls allow multiple devices with
independent network addresses to connect to the internet using a single IP
address, keeping individual IP addresses hidden. As a result, attackers scanning
a network for IP addresses can't capture specific details, providing greater
security against attacks. NAT firewalls are similar to proxy firewalls in that they
act as an intermediary between a group of computers and outside traffic.
● Delivered from the cloud: Even as most organizations continue to move away
from on-premises infrastructure, a centralized user management system needs to
be delivered from the cloud and connect users to resources both on-premises and
in the cloud. User management solutions of the next generation, often termed
Identity-as-a-service (IDaaS), are fully capable of functioning in any
environment, on-premises, in the cloud, and even in between.
● Multiprotocol: Many different systems are currently in use, leveraging
protocols ranging from LDAP to SAML, SSH, and RADIUS, among others. A UM
system in a modern network should be able to handle these various protocols
to connect users to resources.
1. Internet Protocol (IP) address leak prevention: The core purpose of a VPN is to
hide or disguise a user’s IP address and prevent anyone from tracking their
online activity. However, a VPN can sometimes include flaws that result in the
user’s IP location being leaked. It is therefore important to look for a provider
that actively prevents IP address leaks. Check reviews online to see if they have a
history of IP address leakage.
2. No information logging: No-log VPNs do not collect, or log, data that users
share on the network, such as login credentials, files they download, and their
search history. This is key to ensuring users’ online privacy and protecting their
anonymity from other internet users. It also ensures that a user’s information is
protected, even if an attacker gains unauthorized access to a VPN tool. When
considering a VPN, check whether it logs online activity, logs and periodically
purges data, or discloses user information in any other scenario.
3. VPN kill switch: In case a VPN connection drops, the user’s internet access will
switch to their regular connection. A VPN kill switch feature automatically exits
specific programs if an internet connection becomes unstable to reduce the risk of
sensitive data being leaked by applications.
Security Protocols
It is a sequence of operations that ensure protection of data. Used with a
communications protocol, it provides secure delivery of data between two parties. The
term generally refers to a suite of components that work in tandem (see below). For
example, the 802.11i standard provides these functions for wireless LANs.
Encryption Algorithm: The cryptographic cipher combined with various methods for
encrypting the text. See encryption algorithm, HTTPS and TLS.
Key Management: Create, distribute and maintain the keys. See key management.
Message Integrity: Ensures that the encrypted message has not been tampered with.
PGP (Pretty Good Privacy) was invented by Phil Zimmermann.
It was designed to provide all four aspects of security, i.e., privacy, integrity,
authentication, and non-repudiation in the sending of email. It uses a digital signature
(a combination of hashing and public key encryption) to provide integrity,
authentication, and non-repudiation. PGP uses a combination of secret key encryption
and public key encryption to provide privacy. Therefore, we can say that the digital
signature uses one hash function, one secret key, and two private-public key pairs.
PGP is an open source and freely available software package for email security, and
provides authentication through the use of Digital Signature. It provides
confidentiality through the use of symmetric block encryption.
on the internet. It assures that the information that is sent or received was not
modified in transmission and that files were not changed without your
knowledge.
● Information can be shared securely with others including groups of users and
entire departments.
● You can be certain who the email is from and who it is for. PGP verifies the
sender of the information to ensure that the email was not intercepted by a third
party.
email attacks.
● Others cannot recover sensitive messages or files once you have deleted them.
● PGP encryption software is very easy to learn how to use. With virtually no
➔ Check that the email you sent has not been tampered with by a third party.
➔ Create digital signatures to use when signing emails.
➔ Encrypt all emails.
➔ Check the email client you’re using.
Transport layer security (TLS for short) refers to a protocol that aims to offer
authentication, data integrity and privacy during the communication between two
different computer applications. It can be used for various platforms including web
browsers and a wide array of other applications that often necessitate the safe
exchange of data over networks. Moreover, VPN connections, voice over IP, file
transfers and remote desktop sessions as well can benefit greatly from transport layer
security solutions.
There are three main components to what the TLS protocol accomplishes:
Encryption, Authentication, and Integrity.
IP Security (IPSec) is an Internet Engineering Task Force (IETF) standard suite of
protocols that provides data authentication, integrity, and confidentiality between
two communication points across an IP network. It also defines how packets are
encrypted, decrypted and authenticated, and specifies the protocols needed for
secure key exchange and key management.
● To provide security for routers sending routing data across the public
internet.
● To provide authentication without encryption, like to authenticate that the
all data being sent between the two endpoints is encrypted, as with a Virtual
Private Network (VPN) connection.
Features of IPSec:
3. Integrity: IPSec provides integrity by ensuring that IP packets have not been
modified or corrupted during transmission.
After the publication of the book, the word Cyberspace became a mainstay in many
English dictionaries. The New Oxford Dictionary of English defines cyberspace as
the notional environment in which people communicate over computer networks.
expectations and beliefs about appropriate behavior that give the world
structure, order, and stability”.
2. People act toward an object and other actors, relying on the meanings that they
India's first-ever landmark cyber security law was the Information Technology Act of
2000. The IT Act of 2000 was enacted by the Parliament of India and administered by the
Indian Computer Emergency Response Team (CERT-In) to guide Indian cyber security
legislation, institute data protection policies, and govern cybercrime. It also protects e-
governance, e-banking, e-commerce, and the private sector, among many others.
Under the IT Act, another important segment of the cyber security legislation is the
Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules 2011 (Privacy Rules). The most significant
amendments include provisions for the regulation of intermediaries, updated penalties
and violation fees for cybercrime, cheating, slander, and nonconsensual publishing of
private images, as well as censoring/restriction of certain speech. Both the Information
Technology Act (ITA) and the IT Rules are important for governing how Indian entities
and organizations process sensitive info, data protection, data retention, and collection
of personal data and other sensitive information. Other Indian sectors, like banking,
insurance, telecom, and healthcare, also include data privacy provisions as part of their
separate statutes.
4. Indian SPDI Rules, 2011 for Reasonable Security Practices
The IS/ISO/IEC 27001 regulations are identified by the Indian SPDI Rules, 2011, as
international standards. As such, Indian companies aren’t obligated — but are highly
advised — to implement these standards, which can help meet the “reasonable security
practices” under Indian jurisdiction. The rules can also give individuals the right to
correct their information and impose restrictions on disclosure, data transfer, and
security measures. They only apply to corporate entities, but they aren’t responsible for
the authenticity of sensitive personal data (SPD) like sexual orientation, medical records
and history, biometric information, and passwords.
In 2013, the Department of Electronics and Information Technology (DeitY) released the
National Cyber Security Policy 2013 as a security framework for public and private
organizations to better protect themselves from cyber attacks. The goal behind the
National Cyber Security Policy is to create and develop more dynamic policies to
improve the protection of India’s cyber ecosystem. The policy aims to create a workforce
of over 500,000 expert IT professionals over the following five years through skill
development and training.
Fraud: Cyber laws are there to protect consumers from online frauds. They exist to
prevent online crimes including credit card theft and identity theft. A person who
commits such thefts stands to face federal and state criminal charges.
Defamation: Defamation laws are civil laws that protect individuals from
publicly made false statements or allegations that can prove to be damaging to the
reputation of a person or a business. When such a mala fide deed is done online, it falls
under the bracket of cyber laws.
1. ISO
2. IT Act
The Information Technology Act, also known as ITA-2000 or the IT Act, mainly aims to
provide the legal infrastructure in India for dealing with cybercrime and e-commerce.
The IT Act is based on the United Nations Model Law on E-Commerce 1996
recommended by the General Assembly of the United Nations. This act is also used to
check misuse of cyber networks and computers in India. It was officially passed in 2000
and amended in 2008. It has been designed to give a boost to electronic commerce, e-
transactions and related activities associated with commerce and trade. It also facilitates
electronic governance by means of reliable electronic records.
3. Copyright Act
The Copyright Act 1957, amended by the Copyright Amendment Act 2012, governs the
subject of copyright law in India. This Act has been applicable since 21 January 1958. Copyright
is a legal term which describes the ownership and control of the rights of the authors of
"original works of authorship" that are fixed in a tangible form of expression. Original
works of authorship span a range of creative expression, including
books, video, movies, music, and computer programs. Copyright law has been
enacted to balance the use and reuse of creative works against the desire of the creators
of art, literature and music to monetize their work by controlling who can make and sell
copies of the work.
4. Patent Law
Patent law is the law that deals with new inventions. Traditional patent law protects
tangible scientific inventions, such as circuit boards, heating coils, car engines, or
zippers. Over time, patent law has been used to protect a broader variety of
inventions such as business practices, coding algorithms, or genetically modified
organisms. A patent is the right to exclude others from making, using, selling, importing,
inducing others to infringe, and offering a product specially adapted for practice of the
patent.
5. IPR
● In 2017, moving up one place over the previous year, according to a report by
security solutions provider Symantec.
● As per the report, India continues to be the second most impacted by spam and bots,
third most impacted by network attacks and fourth most impacted by ransomware.
● India has the second-largest internet user population in the world.
Increasing digitization and rising activity through the internet and mobile
phones have also increased the risk of cyber-attack.
● As per the information given in the Parliament, there was a 300% rise in cyber-
attacks during the Covid-19 Pandemic.
● Cyber-attack on the State Bank of India’s customer’s ATM cards a few years back
was an example of the level of threat of cyber attack.
● With a growing rivalry with Pakistan and China, cyber attacks on vital national
installations have become recurrent.
● Creating an assurance framework for the design of security policies and for the
promotion and enabling actions for compliance with global security standards
and best practices through conformity assessment.
Cyber Forensics
The science of collecting, inspecting, interpreting, reporting, and presenting computer-
related electronic evidence is known as cyber forensics. Evidence can be found on the
hard drive or in deleted files. It is the process of examining, acquiring, and analyzing
data from a system or device so that it can be transcribed into physical documentation
and presented in court. During the inspection, it is critical to create a digital or soft
copy of the system’s special storage cell. The purpose of carrying out a detailed cyber
forensics investigation is to determine who is to blame for a security breach. The entire
inquiry is carried out on the software copy while ensuring that the system is not
affected.
Controlling an Investigation
For those working in the field, there are five critical steps in computer forensics, all of
which contribute to a thorough and revealing investigation:
Evidence Assessment:
Evidence Acquisition:
Evidence Examination:
Investigating Information-Hiding
Information hiding is a research domain that covers a wide spectrum of methods
used to make (secret) data difficult to notice. Due to improvements in network
defenses, such techniques have recently been gaining increasing attention from actors like
cybercriminals, terrorist and state-sponsored groups, as they allow data to be stored or
communication to be cloaked in a way that is not easily discoverable. There are several real-
world cases that reached the attention of the public media, including the following:
● The arrest of one of al Qaeda's members in Berlin with video files containing
hidden information on ongoing and future terrorist operations (2012)
● The exfiltration of confidential data from the U.S. to Moscow by Russian spies
(2010)
● The planning of a terrorist attack after the September 11, 2001 attacks. A number
of articles suggested that al Qaeda members used steganography to coordinate
their actions (2001)
Scrutinizing Email
Email forensics is dedicated to investigating, extracting, and analyzing emails to collect
digital evidence as findings in order to crack crimes and certain incidents, in a
forensically sound manner.
The process of email forensics is conducted across various aspects of emails, which
mainly include:
✔ Email messages
✔ Email addresses (sender and recipient)
✔ IP addresses
✔ Date and time
✔ User information
✔ Attachments
✔ Passwords
✔ Logs (Cloud, server, and local computer)
1. Local computer-based emails: For local computer-based email data files, such as
Outlook .pst or .ost files, it is recommended to apply the following techniques directly.
2. (Cloud) Server-based emails: For (cloud) server-based email data files, it is not
possible to conduct complete forensic work until you obtain the electronic copies from the
(cloud) server database with the consent of the service providers.
3. Web-based emails: For web-based email (e.g. Gmail) investigations, it is more likely
only possible to filter specific keywords to extract email address-related information
rather than the overall email data and information, compared to local computer-based
emails.
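Extracting the artefacts listed above (sender and recipient addresses, IP addresses from the Received chain, date and time, Message-ID, attachments) from a raw message with Python's standard email package, as an added example that is not code from the notes; the message is constructed, and the hashing of attachments is an assumption about how an evidence inventory would be kept.

```python
import hashlib
import re
from email import message_from_string, policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message (not a real capture). Received headers are
# prepended by each mail server, so the first one is the hop closest to the
# recipient and the last one is the hop closest to the origin.
RAW_EMAIL = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
 by mail.example.org with ESMTP; Tue, 05 Mar 2024 10:15:07 +0000
Received: from relay.example.net (unknown [203.0.113.5])
 by mx.example.org with ESMTP; Tue, 05 Mar 2024 10:15:03 +0000
From: "Accounts" <accounts@example.net>
To: victim@example.org
Date: Tue, 05 Mar 2024 10:15:00 +0000
Message-ID: <constructed-1@example.net>
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please see the attached invoice.
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.txt"
Content-Disposition: attachment; filename="invoice.txt"

TOTAL DUE 1000
--BOUNDARY--
"""

# Bracketed IPv4 literals as written into Received headers by the receiving MTA.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyze_email(raw: str) -> dict:
    """Parse a raw RFC 5322 message and collect the forensic artefacts."""
    msg = message_from_string(raw, policy=policy.default)

    sender = getaddresses([str(msg.get("From", ""))])
    recipients = getaddresses([str(h) for h in msg.get_all("To", [])])

    hops = []
    for header in msg.get_all("Received", []):
        text = str(header)
        hops.append({"header": text, "ips": IPV4_IN_BRACKETS.findall(text)})
    # The originating server is the one named in the last Received header.
    origin_ip = hops[-1]["ips"][0] if hops and hops[-1]["ips"] else None

    attachments = []
    for part in msg.iter_attachments():
        content = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(content),
            "sha256": hashlib.sha256(content).hexdigest(),  # evidence inventory
            "content": content,
        })

    return {
        "sender": sender[0][1] if sender else None,
        "recipients": [addr for _, addr in recipients],
        "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "message_id": str(msg["Message-ID"]),
        "hops": hops,
        "origin_ip": origin_ip,
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in analyze_email(RAW_EMAIL).items():
        print(f"{key}: {value}")
```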
❖ Cookies. Cookies are computer files that are stored on a user's computer
during a visit to a web site. When the user electronically enters the web site,
the host computer automatically loads the file(s) to the user's computer. The
cookie is a tracking device, which records the electronic movements made by
the user at the site, as well as identifiers such as a username and password.
❖ Chat rooms. Chat rooms are electronic forums where users can visit and
exchange views and opinions about a variety of issues. By piecing together the
electronic transcripts of the chat room conversations, enforcement officers can
track down the source of malicious activity.
Tracing Memory in Real Time
Memory forensics refers to the analysis of volatile data in a computer’s memory dump.
Memory forensics can provide unique insights into runtime system activity, including
open network connections and recently executed commands or processes. In many
cases, critical data pertaining to attacks or threats will exist solely in system memory –
examples include network connections, account credentials, chat messages, encryption
keys, running processes, injected code fragments, and internet history which are non-
cacheable.
● You need to first confirm that there is malware on the device before you can
capture a sample and begin reverse-engineering the malware with specialist
tools.
● Taking an image of a device can be time-consuming, and you then have the issue
of transferring the image which could be 100GB in size, to a location where it can
be analyzed. Then you have to take into consideration how long the analysis will
take by the team.
● This is where memory analysis can be a big win for the IR team. Whereas a
server hard drive may be over 100GB in size, the RAM of the device will be a lot
smaller, typically 16GB – 32GB. This means that capturing a RAM dump from a
device will be a lot quicker and smaller in size when transferring the output.
● By prioritizing RAM over a hard disk image when triaging an incident you can
begin analyzing the RAM dump for IOCs (Indicators of Compromise) while you
begin working on getting an image of the hard drive.